I almost fell victim to an identity-stealing scam

I got this email today, and I almost believed it. It’s a typical http://user:password@hostname/ trick: everything between the scheme and the @ is the URL’s userinfo part (a username and a password), not the host. In this case the victim is meant to read http://www.paypal.com:secure-verifyaccount968ktz642@p9.da.ru/ as a PayPal URL, but the “username” is www.paypal.com, the “password” is secure-verifyaccount968ktz642, and the page is actually served by http://p9.da.ru/

Here’s the full source of the email message:


Return-Path: <anonymous@m1.netfirms.com>

Received: from m1.netfirms.com (m1.netfirms.com [66.48.76.114])

by netspace.org (8.11.6/8.11.6) with SMTP id h410rTR11497

for <webmaster@hebcal.com>; Wed, 30 Apr 2003 20:53:29 -0400

Received: (qmail 48211 invoked from network); 1 May 2003 00:53:51 -0000

Received: from unknown (@192.168.60.10)

by m1.netfirms.com with QMQP; 1 May 2003 00:53:51 -0000

Date: 1 May 2003 00:53:51 -0000

Message-ID: <20030501005351.31268.qmail@cgi1>

To: "" <webmaster@hebcal.com>

From: "PayPal Staff" <staff@paypal.com>

Subject: PayPal System Update *Urgent Please Read*

Content-type: text/html

X-Spam-Status: No, hits=3.7 required=5.0

tests=CTYPE_JUST_HTML,DEAR_SOMEBODY,HTTP_USERNAME_USED,NO_FEE,

PLEASE_READ,SPAM_PHRASE_08_13

version=2.44

X-Spam-Level: ***

<P>Dear PayPal User,</P>

<P>Today we had some trouble with one of our computer systems. While the trouble appears to be minor, we are not taking any chances. We decided to take the troubled system offline and replace it with a new system. Unfortunately this caused us to lose some member data. Please follow the link below and log into your account to make sure your information is not affected. Account balances have not been affected.</P>

<P>Because of the inconvenience this causes we are giving all users that repair their missing data their next two incoming transfers for free! You will pay no fees for your next two incoming transfers*. </P>

<P><A href="http://www.paypal.com:secure-verifyaccount968ktz642@p9.da.ru/">http://www.paypal.com:secure-verifyaccount968ktz642@p9.da.ru/</A></P>

<P>Thank you for using PayPal!</P>

<P><BR>* - If fees would normally apply, you will not pay anything for the next two incoming transfers you receive. </P>

<P>PayPal Security</P>

<P>PROTECT YOUR PASSWORD<BR>NEVER give your password to anyone and ONLY log in at PayPal's website. If anyone asks for your password, please follow the Security Tips instructions on the PayPal website.<BR></P>

I don’t know who has the power to do this, but p9.da.ru should be shut down ASAP.

In the meantime, I’m going to crank up the score for HTTP_USERNAME_USED in my SpamAssassin user_prefs file.
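To make the trick concrete, here is an added example (not code from the original post) that does by hand what SpamAssassin’s HTTP_USERNAME_USED rule checks for: it pulls every href out of an HTML message body and, for each link that carries a userinfo part, reports the fake “host” a victim reads before the @ next to the host a browser really connects to. The sample HTML is constructed; the phishing link is the one from the message above, and the two benign links are there to show what must not be flagged.

```python
"""Spot the http://user:password@host/ phishing trick.

Added example, not code from the original post. It pulls every href out of
an HTML message body and reports, for each link carrying a userinfo part,
the text a victim is likely to read (the decoy "host" before the @) next to
the host a browser actually connects to. This is the same condition the
SpamAssassin HTTP_USERNAME_USED rule looks for. The sample body below is
constructed; the phishing link is the one quoted in the post.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body: the phishing link from the post plus two links
# that must NOT be flagged (a plain https URL and a host with a port).
SAMPLE_HTML = """
<P><A href="http://www.paypal.com:secure-verifyaccount968ktz642@p9.da.ru/">
http://www.paypal.com:secure-verifyaccount968ktz642@p9.da.ru/</A></P>
<P><A href="https://www.paypal.com/">https://www.paypal.com/</A></P>
<P><A href="http://example.com:8080/login">a port is not a password</A></P>
"""


class _HrefCollector(HTMLParser):
    """Collect the href attribute of every <a> tag (HTMLParser lowercases tag and attribute names)."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())


def extract_hrefs(html: str) -> list[str]:
    """Return all href values found in the HTML body, in document order."""
    collector = _HrefCollector()
    collector.feed(html)
    collector.close()
    return collector.hrefs


def analyse_url(url: str) -> dict:
    """Split a URL into the part a victim sees and the host it really uses.

    urlsplit() treats everything before the last '@' in the authority as
    userinfo, so 'www.paypal.com' becomes the username and 'p9.da.ru' the
    hostname. A ':8080' with no '@' is parsed as a port, not a password.
    """
    parts = urlsplit(url)
    username = parts.username  # None when the URL has no userinfo part
    return {
        "url": url,
        "has_userinfo": username is not None,
        # A "username" that looks like a hostname is the decoy the victim reads.
        "decoy": username if username and "." in username else None,
        "real_host": parts.hostname or "",
        "port": parts.port,
    }


def flag_deceptive_links(html: str) -> list[dict]:
    """Return the analysis for every link whose URL carries a userinfo part."""
    return [
        info
        for info in (analyse_url(href) for href in extract_hrefs(html))
        if info["has_userinfo"]
    ]


if __name__ == "__main__":
    for hit in flag_deceptive_links(SAMPLE_HTML):
        print(f"victim reads {hit['decoy']!r}, browser connects to {hit['real_host']!r}")
```

Run against the sample body, only the PayPal link is flagged: the decoy is www.paypal.com and the real host is p9.da.ru, while https://www.paypal.com/ and http://example.com:8080/login pass because neither contains an @. In SpamAssassin the equivalent knob is a line such as `score HTTP_USERNAME_USED 4.0` in user_prefs, which on its own would have pushed this message (3.7 hits against a 5.0 threshold) over the line. Current browsers either warn about or hide the userinfo part before showing an address, but mail clients and older user agents displayed it verbatim, which is exactly what this message relied on.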

Capturing Tribal Knowledge

Someone at work today mentioned the problem of capturing “Tribal Knowledge” in an electronic format and making it easily accessible to new or remote employees.

When some new engineer joins Yahoo!, how are they supposed to know that they should build a website using Apache and PHP on FreeBSD? How do they know to use Nagios and not Big Brother for monitoring? MySQL and not Postgres? (Not that there is anything wrong with Postgres, but our Network Operations Center folks have familiarity with MySQL, so sticking to similar technology makes their lives easier, which means you get paged less frequently.)

We’ve got all of this information in our heads or maybe even in an email archive, but we need to distill it out and come up with a website that can capture it so other folks don’t waste time and energy researching options that aren’t a good fit for our environment.

What’s the right software for this job? Some sort of Wiki system? A message boards package? Blogging software? Maybe just a bunch of .txt and .html documents checked into some well-known place in CVS?

How to Be a Programmer

I stumbled across How to Be a Programmer, a 40-page paper by Robert L. Read, a principal engineer at Hire.com.

It’s a relatively good paper so I’d recommend it to anyone who’s new to the field or is a college student considering a career in Software Engineering. The distinction between Computer Science and Software Engineering, while subtle, is an important one. This paper focuses more on the Software Engineering side of things, spending a good 50% of the time discussing interpersonal skills and how to be effective working with your team.

The paper does need some polishing, however. A simple grammar checker would catch a bunch of the mistakes that interrupt the flow.

This reminds me a little bit of a great lecture I heard by Leslie Pack Kaelbling back in 1996 about why she loves programming. Like Read, Kaelbling believes that debugging is the most important part of programming, but she spins it slightly differently.

In short, debugging is like detective work. You’ve got a problem that you need to solve, but it’s not obvious what the solution is. There are little hints here and there, and you begin to investigate each one. Each clue brings you closer and closer to the solution, but sometimes you realize that you just spent the last 6 hours going down a path that led nowhere, and you need to start over again. But at each moment, you always feel like you’re making forward progress.

As a consequence, debugging becomes an all-engrossing activity. It’s impossible to walk away from your desk when you’re just 5 minutes away from solving the mystery and fixing the bug! Of course, 20 minutes later, you still feel like you’ll get it nailed in another five.

Court rules P2P networks are like VCRs

Looks like the courts are finally realizing that copyright owners shouldn’t have control over everything. The cornerstone of today’s decision is that P2P networks, like VCRs, have substantial noninfringing uses.

A federal court denied a request to shut down Internet song-swapping services Grokster and Morpheus on Friday, handing a stunning setback to the record labels and movie studios that have sought to curb unauthorized downloading of their works. U.S. District Court Judge Stephen Wilson said the two services should not be shut down because they cannot control what is traded over their systems. Like a videocassette recorder, the software in question could be used for legitimate purposes as well as illicit ones, he said. “It is undisputed that there are substantial noninfringing uses for (the) Defendants’ software,” wrote Wilson, who serves in Los Angeles. [Yahoo! News: Court Rejects Suit Against Web Song-Swappers]

Take that, RIAA! Next, we’ll repeal the DMCA!

On Kitniyot and Passover

With only 52 hours left in this year’s Passover holiday, I just got an email referencing Rabbi Golinkin’s teshuvah about Eating Kitniyot (Legumes) on Pesach.

It was written almost 15 years ago, yet people here in the Diaspora (outside of Israel) continue to discuss it year after year as if it’s breaking news.

Unfortunately for us, the teshuvah applies only to Jews living in Israel.

Back in the connected world

After two days of chag and a day of Shabbos, I’m back online again. That three day respite was great, even if it meant that I had 200 new messages in my Inbox.

We hosted a wonderful seder on the first night, enjoyed a relaxing first day of chag (and an impromptu lunch with a few friends), followed by a delicious (for the body and brain) second seder at Andrea and Aryeh’s that went until 2:30 in the morning. We slept in on Friday, had lunch with Rob & Lamelle, took a nap, and went to dinner at Cheryl’s house. Saturday felt like a normal Shabbos, except that Kiddush consisted of matzah and vegetables instead of the usual cookies, crackers and chummus.

It’s hard to believe, but Pesach is almost halfway over already!

Pesach Kashering

On the day before Erev Pesach, we kashered the kitchen and searched the house for chametz. Hannah came over to help clean the kitchen and cover the countertops with contact paper:

(photo: P4150109.jpg)

Here we are “discovering” some challah and setting it aside for the next morning:

(photo: P4150118.jpg)