Showing posts with label Hacking. Show all posts

Saturday, February 21, 2009

Dissecting a virtual world phishing attack

An interesting development in the latest cybercrime trends has been a marked increase in attacks against online games and virtual worlds, as I have posted previously. One element that I have missed in the discussion about game hacking has been the methods with which cyber-criminals obtain login details and passwords in order to empty the virtual coffers of gamers around the world. I had generally assumed that hackers obtained passwords through a combination of means, including keylogger software, social hacking, guesswork and bad security on the part of the user. I was not aware of large-scale phishing attacks, so when I received my first WoW phishing message, I was both taken aback by its realism, and also in awe of how many people must be falling for this.

First some background. Last year I opened a US World of Warcraft account for occasionally playing when I am back in Costa Rica. I generally do not use this account, so it would be ripe for hijacking. Yesterday I received this message from what looked like a legitimate Blizzard account. I will reproduce it in its entirety only removing the actual link for obvious reasons:

------------------

Subject: Blizzard Account Administration
From: Blizzard [donotreply@blizzard.com]
Reply-To: Blizzard [donotreply@blizzard.com]

Greetings,

An investigation of your World of Warcraft account has found strong evidence that the account in question is being sold or traded. As you may not be aware of, this conflicts with Blizzards EULA under section 4 Paragraph B which can be found here:
WoW -> Legal -> End User License Agreement

And Section 8 of the Terms of Use found here:
WoW -> Legal -> Terms of Use

The investigation will be continued by Blizzard administration to determine the action to be taken against your account. If your account is found violating the EULA and Terms of Use, your account can, and will be suspended/closed/or terminated. In order to keep this from occurring, you should immediately verify that you are the original owner of the account.

To verify your identity please visit the following webpage:
[HTTPS link removed]

Only Account Administration will be able to assist with account retrieval issues. Thank you for your time and attention to this matter, and your continued interest in World of Warcraft.

Sincerely,
Account Administration
Blizzard Entertainment
------------

This was a short and concise message that actually seems plausible, as it arrived at the email account with which my US WoW account is registered. It reads well, with no suspiciously dodgy English or ludicrous made-up names; it also points to the relevant legal documents and articles. Thankfully, I immediately checked the links, and sure enough, the most important one did not direct to Blizzard; it led to ripside.com, which is a small website hosting service. I visited using Google Chrome (which is new enough not to have developed exploits), and this is what I found:



This looks exactly like Blizzard's own account management screen found here. Once I entered some meaningless login and password, I got a large page asking for all sorts of details, including name, address, email, and, interestingly, the following:



In short, this is all that is needed for anyone to hijack an account, take all the money and items with them, and run. Every guild has stories of members who have been compromised, and from time to time one can hear the desperate cry of a poor sod in Trade chat who shouts "I'VE BEEN HACKED!"
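The link check described above (does the link actually go to Blizzard, or does its visible text merely say it does?) can be automated over the HTML body of a message. This is an added example, not part of the original post; the HTML body and its hostnames are constructed stand-ins, and the trusted-domain list is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the message quoted above. The hostnames are
# placeholders (.test TLD), not the real link that was removed from the post.
SAMPLE_EMAIL_HTML = """
<p>To verify your identity please visit the following webpage:</p>
<p><a href="https://account-verify.example-hosting.test/wow/login">
https://www.worldofwarcraft.com/account/</a></p>
<p>Legal: <a href="https://www.worldofwarcraft.com/legal/eula.html">End User License Agreement</a></p>
"""

# Assumption: the domains a genuine Blizzard account notice would link to.
TRUSTED_DOMAINS = ("blizzard.com", "worldofwarcraft.com")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only for the trusted domain itself or one of its subdomains.
    A plain substring test would pass 'blizzard.com.evil.test'; this does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def audit_links(html, trusted=TRUSTED_DOMAINS):
    """Return a list of (href, reason) findings for suspicious anchors."""
    findings = []
    for href, text in extract_links(html):
        target_host = (urlsplit(href).hostname or "").lower()
        if not host_is_trusted(target_host, trusted):
            findings.append((href, f"link target host {target_host!r} is not a trusted domain"))
        # The classic phishing tell: the visible text looks like a URL on the
        # real site while the href points somewhere else entirely.
        shown = re.match(r"https?://([^/\s]+)", text)
        if shown and shown.group(1).lower() != target_host:
            findings.append((href, f"visible text shows {shown.group(1)!r} but link goes to {target_host!r}"))
    return findings


if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: {href}\n  {reason}")
```

Only the verification link is flagged; the EULA link, which really does go to the game's own domain, passes, just as in the message the post dissects.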

It is important to stress that Blizzard seems to be taking this very seriously, so they have initiated a campaign to make sure users are aware of the security risks involving their account. There is also a procedure in place in order to reinstate money and items to the victims. However, what is not mentioned anywhere is that these actions constitute a crime, and I am concerned that this is precisely the reason why there is such an increase in hacking activities against gamers. As I have mentioned before, there seems to be some reluctance from crime enforcement agencies to respond to cybercrime in general, and game account hacking would seem to be even at the lowest end of priorities. So, a geek had his magic sword stolen? Who cares?

If hackers have moved towards sophisticated phishing attacks, then we are talking about an entirely new level of engagement. Banking phishing sites are usually taken down within hours of the attack through action from anti-phishing organisations. However, the offending site in this specific attack is still up and running 24 hours after the message was received. This seems to indicate that cyber-criminals are catching up to efforts to curb their scams, and are moving to easier pickings in the shape of virtual worlds. The fact is that virtual goods are worth real money, so the temptation for criminals to make some quick earnings through hacking must be the drive behind the growing number of hijacks. While a criminal will certainly get more money from hacking a bank account, it seems that they realise that hacking a virtual world account is less likely to result in prosecution.

The last element in the line of attacks is that according to the email headers, this message came from New Zealand and what appears to be a compromised Hotmail account. Hotmail seems to be a favourite of phishers and spammers, with Youtube videos explaining how to create fake Hotmail accounts.

Much as with bank phishing, there seems to be a toxic triangle that allows some of this to happen. Firstly, email services like Hotmail seem to make it easy for hackers to exploit the system to send fake emails. Secondly, law enforcement and anti-phishing authorities seem unaware and/or uninterested about the phenomenon. Thirdly, users are still falling for many of these attacks due to lack of care and lack of education.

I'm now off to install some anti-keylogger software. I don't want to lose my enchanted knives.

Monday, February 09, 2009

Why all computer security is flawed...

xkcd once more manages to distil complex issues in an understandable and undeniable manner.



The weakest point in any computer security system is the carbon-based element managing the keys.

Tuesday, January 20, 2009

New Windows virus infects millions of computers


Some years ago, headlines describing global virus infections were commonplace. Does anyone remember the ILOVEYOU virus, the Melissa worm, and Code Red? Lately, while virus and worm threats have not diminished, their reporting has become less prominent. Have you heard about Nyxem, XSS and Storm? Neither had I.

The less prominent reportage may have several causes. Viruses and worms have become so widespread as to lose their newsworthiness; the first shell in a war makes headlines, but the 1,000th does not. Similarly, the big spectacular infections are no longer possible; with more and more people protected by firewalls and anti-virus, infections tend to be spread over time rather than coming in one spectacular burst of activity. The other reason, of course, is that nowadays worms and viruses tend to be less destructive and more pervasive. There are probably more infected machines than in the earlier years of the Internet, but modern worms tend to have two main functions: serve spam and enslave a machine for future use.

These trends have been broken by Conficker, the latest worm spectacular, affecting 9 million computers around the world. This worm mostly exploits a Windows Server 2003 vulnerability that was first discovered back in October, which "could allow remote code execution if an affected system received a specially crafted RPC request". Although the bug was fixed and an update made available, millions of computers have not installed it, making them a prime target for clever worm coders. The virulence of the worm has taken experts by surprise; the infection is still going on, hitting machines in emerging economies particularly badly.

I will once again apply my better nature and I will refrain from gloating about Mac vs PC security, but there are several interesting issues unearthed by this latest attack. Firstly, computer security has become one of the most important Cyberlaw issues in recent years because most of us rely heavily on computers for our daily tasks. There is a direct proportional correlation between vulnerability and the number of users online; as more people become wired and the digital divide diminishes, more systems are available to hackers. Moreover, I strongly feel that there are some practices at Microsoft that enhance vulnerability for everyone.

Allow me to illustrate the point with an anecdote. My MacBook Pro has dual boot because I still need Windows for various tasks, particularly when I am remotely editing SCRIPTed. For that purpose I purchased and installed a valid yet cheap OEM copy of Windows XP on my Mac. Back in December I logged into the Windows portion of the hard drive, and because I had not logged in for a while it downloaded a large number of updates, amongst them the much maligned Windows Genuine Advantage (WGA). This wretched upgrade turns your machine into a snitch, and it somehow did not like that I was running an OEM copy of Windows on a Mac, so it turned on several nagging notices, as well as changing the Windows background and login splash screens with annoying messages. While getting rid of WGA is relatively easy for someone who knows what they're doing, this got me thinking that WGA acts as a potent disincentive for people without valid copies of Windows to download updates, for fear that their computer will stop working properly. It should be no coincidence that a large number of the infected computers are in India, Brazil, China and Russia. It is my contention that the reason for such prevalence in emerging economies is not the lack of expertise, but actually the lack of updates, because people have stopped trusting them due to WGA.

Internet security is as good as its weakest systems, and as things stand, there are millions of vulnerable PCs. While Windows Vista came with some robust protection preinstalled, many of its features were removed by the user as soon as possible. Computer security must be both non-intrusive and easily scalable. At the moment, Microsoft does not have either.

Tuesday, December 16, 2008

IE security flaws

The BBC is reporting that there is a new fatal flaw with Internet Explorer that allows hackers to gain access to a computer and steal passwords. In other news water is wet, politicians lie and Windows Vista is a huge disappointment.

Seriously though, this is usually the perfect opportunity for the blogger to pontificate about the evils of Microsoft and recommend readers to switch to Firefox/Safari/Opera/Chrome as of yesterday. Another tactic is to smugly admonish poor sods still using Internet Explorer to realise the folly of their ways and learn to love open source development. And then there is even a chance for Apple-heads to unleash a wave of self-righteousness and claim that this would not happen on a Mac. I will forego the temptation to fall into the aforementioned stereotypical actions, although I am truly fighting the urge to utter the predictable "I told you so", or the always-satisfying Nelsonian "HA HA!"

Instead of any unbecoming haughty displays, I notice that this exploit was designed to steal game passwords. As I've mentioned earlier, one of the fastest growing areas of cybercrime is the theft of virtual goods on games like WoW, where the in-game gold has acquired real currency value. It should be quite telling that this exploit is not being used to purchase things on eBay or Amazon, but to steal virtual goods. Perhaps the payout is not as big, but the risks seem much less. I don't think a cop is going to prosecute a hacker for stealing magic items on WoW.

Saturday, September 20, 2008

Hacking Palin

An interesting cybercrime and politics story came out this week. Sarah Palin's Yahoo email account was hacked by a group called Anonymous and screenshots were posted on WikiLeaks. Hacking may be too strong a word; what seems to have occurred is more akin to social engineering, as the hackers admitted that they simply guessed Palin's Yahoo security questions correctly. The hacker reset the password by answering Palin's date of birth, postcode and where she met her husband (Wasilla High), all easily obtainable facts.

Now the FBI has become involved, as under the Stored Communications Act it is a federal offence to gain unauthorised access to someone else's email. The Act makes it a criminal offence to "intentionally accesses without authorization a facility through which an electronic communication service is provided". The perpetrator faces a fine or up to five years in jail if the access was done for "commercial advantage, malicious destruction or damage, or private commercial gain, or in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or any State". For any other case, the penalty is one year or a fine. However, the EFF has stated that prosecution may be difficult in the case of accessing already viewed or opened emails.

While I confess to feeling a pinch of schadenfreude at this case, there is something deeply wrong about accessing another person's email. What seems clear is that privacy settings for famous people are clearly inadequate, as the security questions are anything but.

Wednesday, August 06, 2008

The hackers strike back

Hacking is back in the news. The BBC reports that hackers in the U.S. infiltrated the computer networks of several companies and stole over forty million credit and debit card numbers. What is unusual about the case is that the hackers targeted their victims' supposedly secure wireless access points, and thereby gained access to the internal network.

This case highlights the problems posed by wireless networks. We have known for a while that wi-fi is a convenient yet insecure technology, as it opens systems to any passer-by with the know-how. There is not only the problem of piggybacking, but also that of leaving computer systems and transactions open to interception.

The law already deals with this type of hacking adequately, be it through "traditional" anti-hacking legislation or ordinary fraud law. The issue then becomes one of law enforcement, evidence and cyber-security. Firms with large wireless networks should be aware that wireless opens up their systems, so their security should take into account that a hacker in the parking lot may have access to sensitive files.

And to top off the hacking news, the Beeb also reports that hackers are targeting Twitter by including trojans in viral video links. As a smug Mac user, I have to point out that this vulnerability only affects Microsoft machines.

Friday, April 04, 2008

Users liable for phishing and hacking

(via Out-Law) Who should be liable if a consumer is the subject of a phishing attack? At least in the UK, the common banking practice has been to assume some or all of the losses incurred by the customer. This is about to change with the new Banking Code. The Banking Code is a financial services self-regulating document which institutes a number of best practices and rules for financial services, and it is offered by the British Bankers' Association, the British Building Societies Association, and the UK Payments Association (APACS).

One of the recommendations to consumers set out by the Banking Code is to keep one's computer secure by using updated anti-virus software. Seems like sound advice. However, this one comes with a barb. If the consumer does not fulfil this requirement, he/she may be liable for losses arising from fraud, phishing or other online scams or attacks.

The issue stems from the following articles:

10.3 "If we confirm a transaction is unauthorised, we will refund any interest charged, unless you have acted fraudulently or without reasonable care. [...]"
12.11 "If you act without reasonable care, and this causes losses, you may be responsible for them. (This may apply, for example, if you do not follow section 12.5 or 12.9 or you do not keep to your account’s terms and conditions.)"
What does section 12.9 look like? It contains the following advice:
  • Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall.
  • Keep your passwords and PINs secret.
  • We (or the police) will never contact you to ask you for your online banking or payment card PINs, or your password information.
  • Treat e-mails you receive from senders claiming to be from your bank or building society with caution and be wary of e-mails or calls asking you for any personal security details.
  • Always access internet banking sites by typing the bank or building society’s address into your web browser. Never go to an internet banking site from a link in an e-mail and then enter personal details.
  • Follow our advice – our websites are usually a good place to get help and guidance on how to stay safe online.
  • Visit www.banksafeonline.org.uk for useful information.
I am confused about the last two. Are those recommendations or requirements? Similarly, how would a bank determine that your anti-virus was out of date? How will a financial institution determine that your PIN and password are secure? Similarly, I receive an email from my credit card provider every month with a link to their website. Does that violate the requirement for accessing the website only by typing the address into the browser?

While I agree that users should be proactive in protecting their data and avoiding scams, I am not sure that this list can be enforced. Thankfully, the Banking Code is only soft law.

Wednesday, February 27, 2008

The bots are at the gates

(via Slashdot) We would like to think that the internet is for humans. Nothing could be further from the truth: the internet is inhabited by millions of little robots which fetch feeds, index the web, trawl through content looking for patterns, browse blogs, search e-commerce sites and compare prices. While most bots are benign in nature (e.g. Googlebot), there are malicious artificial entities pouncing on your protections, trying to log into blogs and leave spam, or attempting to set up email accounts in order to send spam to the unsuspecting masses. There is only one thing standing between this army of bots and their human overlords on one side, and you and me on the other: the mighty CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart).

CAPTCHAs are designed to test that the person filling the web form is indeed a member of the human species. This is done by displaying twisted and/or hard to read text as a picture, under the assumption that only a real human can make out the real letters behind the gibberish. The problem has been that there is an arms race between bot handlers and CAPTCHA designers.

The latest victim of CAPTCHA vulnerability is Gmail. According to Websense, a new spambot has been able to successfully create a Gmail account 1 out of 5 times, which is pretty impressive.

It is time we gave robots some form of personality right, and also we should make them accountable. I don't know, bring back gladiatorial combat for bots?

Wednesday, August 29, 2007

Australian teenager cracks porn filter

An Australian teenager took forty minutes to crack the pornography filter provided by the Australian government, according to news.com.au. This will hopefully blow up in John Howard's face, as he seems keen to be seen as taking tough action against the evils of the Internet.

A teenager interested in porn? Colour me surprised!

Thursday, May 17, 2007

Cyberwar 1.0

The mainstream press has been reporting on what could very well be the world's first cyberwar. A diplomatic conflict between Estonia and Russia over a bronze statue has resulted in what seems to be a series of coordinated attacks against Estonian institutions. Denial-of-service attacks have brought down websites belonging to news sources, the parliament and presidency, political parties, banks and telecoms firms. The sites were overwhelmed by requests from Russia, which prompted the blocking of foreign IP addresses to the affected sites. There has not been any indication that the attacks come from the Russian government; after all, Russia has a long-standing hacker tradition. But it is interesting to witness the disruptive power of concerted attacks against a national target.

No word as to how many bits have lost their lives in the conflict.

Tuesday, May 08, 2007

Top 10 passwords

Everyone is going to be blogging this in the next few days, so I might as well share it.

This is the list of Top 10 passwords according to PC Magazine:

1. password
2. 123456
3. qwerty
4. abc123
5. letmein
6. monkey
7. myspace1
8. password1
9. link182
10. (your first name)

password? myspace1? link182? Some people do deserve to have their data stolen.

Wednesday, May 02, 2007

HD-DVD brought down by Web 2.0


Back in January I had reported on the hacking of HD-DVD protection by improper key management. AACS, makers of the DRM protecting the new format, vowed to try to shut down BackupHDDDVD, which is instrumental to some part of the cracking process. At the time I thought it was likely to be the last we would hear about this topic, after all, cracked protection is hardly news, is it? Once the how-to had been posted in Ed Felten's blog, the game was up. Or so I thought...

In order to understand the cracking process, we need to understand keys. Felten explains it best, so here he goes:

"In AACS, each player device is assigned a DeviceID (which might not be unique to that device), and is given decryption keys that correspond to its DeviceID. When a disc is made, a random “title key” is generated and the video content on the disc is encrypted under the title key. The title key is encrypted in a special way that specifies exactly which devices’ decryption keys are able to extract the title key, and the result is then written into a header field on the disc.
When a player device wants to read a disc, the player first uses its own decryption keys (which, remember, are specific to the player’s DeviceID) to extract the title key from the disc’s header; then it uses the title key to unlock the content."

However, January's vulnerability was limited: it could not decrypt the title key, as what was recovered was only a player key, which would be useless by itself. Suggestions were made to have a title key database that cracking software could access, but as far as I know it was not implemented. That was the state of play until yesterday, when a key was released to the public which allegedly can be used to decrypt most existing titles. Apparently, this is a processing key, something akin to a master key. I have not been able to find the first source of the key, although some sites have posted a link to a removed WordPress blog here. The earliest post I could find in this meme is here. Perhaps in the days of Web 2.0, it is impossible to find sources. Anyway, what we know for sure is that someone posted this somewhere (vagueness is also very web 2.0):
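To see why a processing key shared by many players is closer to a master key than the single player key recovered in January, here is an added, heavily simplified model of the hierarchy Felten describes: device key unlocks processing key, processing key unlocks the disc's title key, title key unlocks the content. It is not the AACS specification and not anyone's real code; the wrap function is a hash-based toy standing in for AES, and the group and revocation scheme is an assumption chosen to make the point visible.

```python
import hashlib
import os


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode as the keystream). It is its own
    inverse, which is all this model needs. Not real cryptography."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


class LicensingAuthority:
    """Issues device keys. Assumption for the model: devices are enrolled in groups,
    and every device in a group can recover that group's one shared processing key."""

    def __init__(self):
        self.processing_keys = {}   # group -> shared processing key
        self.device_keys = {}       # device id -> (group, per-device key)
        self.revoked = set()

    def enrol_device(self, device_id, group):
        self.processing_keys.setdefault(group, os.urandom(32))
        device_key = os.urandom(32)
        self.device_keys[device_id] = (group, device_key)
        return device_key

    def revoke(self, device_id):
        self.revoked.add(device_id)

    def master_disc(self, content: bytes):
        """Fresh random title key per disc; the header lets each non-revoked device
        recover its group's processing key and, from that, the title key."""
        title_key = os.urandom(32)
        header = {"processing_key_wraps": {}, "title_key_wraps": {}}
        for device_id, (group, device_key) in self.device_keys.items():
            if device_id in self.revoked:
                continue                       # no wrap for this DeviceID on new discs
            pk = self.processing_keys[group]
            header["processing_key_wraps"][device_id] = xor_crypt(device_key, pk)
            header["title_key_wraps"][group] = xor_crypt(pk, title_key)
        return {"header": header, "content": xor_crypt(title_key, content)}


def play_with_device(disc, device_id, device_key, group):
    """Legitimate path: device key -> processing key -> title key -> content."""
    wraps = disc["header"]["processing_key_wraps"]
    if device_id not in wraps:
        return None                            # revoked or unknown device
    processing_key = xor_crypt(device_key, wraps[device_id])
    return play_with_processing_key(disc, processing_key, group)


def play_with_processing_key(disc, processing_key, group):
    """Path open to anyone holding a leaked processing key: no device key needed."""
    wraps = disc["header"]["title_key_wraps"]
    if group not in wraps:
        return None                            # disc mastered after the key was retired
    title_key = xor_crypt(processing_key, wraps[group])
    return xor_crypt(title_key, disc["content"])


def demo():
    """Contrast the reach of a single player key with that of a processing key."""
    authority = LicensingAuthority()
    key_a = authority.enrol_device("player-A", group="g1")
    key_b = authority.enrol_device("player-B", group="g1")
    movie = b"constructed sample title content"     # constructed stand-in for a disc
    disc1 = authority.master_disc(movie)
    results = {"a_plays_disc1": play_with_device(disc1, "player-A", key_a, "g1") == movie}
    # Revoking player-A (the single leaked player key) works for discs mastered later...
    authority.revoke("player-A")
    disc2 = authority.master_disc(movie)
    results["a_blocked_on_disc2"] = play_with_device(disc2, "player-A", key_a, "g1") is None
    results["b_plays_disc2"] = play_with_device(disc2, "player-B", key_b, "g1") == movie
    # ...but the shared processing key opens old and new discs alike, with no device key.
    leaked = authority.processing_keys["g1"]
    results["leak_opens_both"] = all(
        play_with_processing_key(d, leaked, "g1") == movie for d in (disc1, disc2))
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

In this model revoking a device only drops its wrap from future headers; the group's processing key, once extracted by any member or leaked, keeps working until discs stop wrapping the title key under it, which is why a shared key leak cannot be answered with per-device revocation alone.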

"Spread this number. Now.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0. It's the HD-DVD processing key you can use to decrypt and play most HD-DVD movies in Linux. Movie studios are going ballistic over this leak, so Digg the story up and make it reach the front page."

This was like DeCSS all over again, but this time with blogs, YouTube, Digg and the whole force of a meme-churning machine. In other words, AACS does not stand a chance. That doesn't mean they did not try! Apparently the number made the front page of Digg, who then received a Cease & Desist letter and decided to remove the stories and even cancel users' accounts. Needless to say, the slightest whiff of censorship sent the copyfight warriors into overdrive, and we had a t-shirt (pictured), replication in countless blogs, and even a song uploaded to YouTube. Some of the discussions on Slashdot and Wired have been worth reading as sociological examples of slighted self-righteous geekdom. I can imagine this repeated in chat-rooms across the world:

"Replicate this number, it allows you to copy your HD-DVDs"
"But, I don't own any"
"Doesn't matter man, they're trying to censor us!"

Digg realised they were losing the good will of geekdom, so they posted a "we hear ya", together with the dreaded number on the title. They have decided to "go down fighting" and side with the rebelling masses.

I may be forgiven for being my cynical self, but I must admit that I'm getting slightly suspicious about this whole affair; I'm missing some very basic information needed to make sure that this is a legitimate issue. Here are some problems that I have with the news:

  1. Where is the original post? Has it really been taken down?
  2. The earliest key replication seems to come from a meme post designed to anger the masses. No, you cannot copyright numbers, but keys may be protected as part of an effective technological protection measure.
  3. AACS has not made any official declaration that it's pursuing infringers, something that they have done in the past.
  4. I would like to see Digg's cease-and-desist letter, it seems to me like lawyers for the industry moved incredibly fast.
  5. There's something about the whole story that smells like urban legend to me. The meme has spread too fast in order to get accurate information.
  6. Has anyone actually tried to use the key?

It's possible that my suspicions are misplaced. If that is the case, AACS may have committed the biggest blunder by trying to suppress the key; the level of dissemination is such that it will be impossible to recall it. This may prove to be a case study of how useless cease-and-desist may become in the Web 2.0 era. Even if the story proves to be a clever hoax, copyright owners should heed the lesson.

Update. Some interesting replication strategies from David Berry:

But I still haven't seen any first-hand report that anyone has actually used the key to crack an HD-DVD.

Update 2: Chilling Effects has posted the AACS C&D letter to Google, so I guess that makes it official; the key seems legit. If AACS wants to take it down, there must be a reason.
"They bark, Sancho, a sign that we are on the move."

Update 3: Fred von Lohmann from EFF has posted a warning against posting the key.

Friday, April 20, 2007

WiFi thieves?


(via Trey Roberts) Reuters and the BBC are reporting on two arrests made in Worcestershire for wi-fi piggybacking; both people were released under caution.

Wi-fi leechers are a growing phenomenon: as more and more houses have wireless devices and routers, the number of unprotected networks also increases. A leecher will go wardriving to find unprotected hotspots, and then connect to the unsecured network. The intentions of the piggybacker may be honest; the person may just want a free wireless connection to check his/her email. But there is a more sinister side to wardriving. For example, it has been reported that some people are using piggybacking in order to engage in illegal activities, such as infringing file-sharing or child pornography. One can see why this is an attractive proposition for criminals, as it would lay the burden of proof entirely on the person with the open access point.

The solution to the problem is to make wardriving and piggybacking illegal. In the UK there is enough legislation to prevent piggybacking and to allow the police to intervene. Firstly, the Computer Misuse Act 1990 could be applied, as section 1 reads:

"1.—(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case."
However, this would be subject to interpretation, as a wardriver may not meet all the elements of the offence. The Communications Act 2003 is clear with regard to the prohibition, as it establishes an offence carrying up to five years for dishonestly obtaining electronic communications services. Section 125 reads:
"(1) A person who-
(a) dishonestly obtains an electronic communications service, and
(b) does so with intent to avoid payment of a charge applicable to the provision of that service,
is guilty of an offence."
Other legislation that could apply is the Regulation of Investigatory Powers, as it establishes an offence for intercepting communications.

Tuesday, March 20, 2007

The dangerous and wild Internet

Security firm Symantec has released its 11th Internet Security Threat Report, and if accurate (no reason to doubt that it is), it makes for some very grim reading indeed. I have taken some key findings from the summary which warrant highlighting:

  • Symantec recorded an average of 5,213 denial of service (DoS) attacks per day, down from 6,110 in the first half of the year.
  • Microsoft Internet Explorer was targeted by 77 percent of all attacks specifically targeting Web browsers.
  • Symantec observed an average of 63,912 active bot-infected computers per day, an 11 percent increase from the previous period.
  • China had 26 percent of the world’s bot-infected computers, more than any other country.
  • Israel was the highest ranked country for malicious activity per Internet user, followed by Taiwan and Poland.
  • Seventy-eight percent of malicious code that propagated did so over SMTP, making it the most commonly used propagation mechanism.
  • Malicious code using peer-to-peer to propagate rose from 23 percent of all propagating malicious code in the first six months of 2006 to 29 percent in the last half of the year.
  • The Symantec Probe Network detected a total of 166,248 unique phishing messages, a six percent increase over the first six months of 2006. This equates to an average of 904 unique phishing messages per day for the second half of 2006.
  • Between July 1 and December 31, 2006, spam made up 59 percent of all monitored email traffic. This is an increase over the first six months of 2006 when 54 percent of email was classified as spam.
These are worrying figures indeed, but they serve to make the case that the Internet is becoming a huge financial and security threat. To me the most worrying data from the report has to do with the volume of spam, and with the amount of zombie computers online. When more than half of the world's email is spam, and when most viruses spread this way, you know that there is a serious problem and that something needs to be done. So far, the regulatory solution has been to legislate, but the efforts have been rather useless due to the international nature of the Internet.

Most worrying, the report calculates that during the period of study, they counted more than 6 million machines infected by bots. This is particularly tied to the problem of spam, as infected machines are taken over to serve unsolicited messages. A global army of six million zombies can do a lot of damage, and guess what? It is doing a lot of damage! The report does not call for regulatory solutions, but for technical ones. The proposed solution to the bot problem could be for ISPs to filter known bot traffic, which would considerably hinder the network. One problem with this is that the bot-owners will start changing their traffic patterns, and maybe even encrypting communications.

I may be feeling bleak today, but this report depressed me. *Think happy thoughts, think happy thoughts*

Wednesday, December 27, 2006

Computers in movies

I've just read an excellent article about the cinematic depiction of computer use in The Guardian. This is a topic of endless derision from techies and geeks all over the world. The article mentions that the balance can be tricky. On one hand we have the most realistic depiction of computers in film, Antitrust, which is a stinker of a movie. I mean, open source is not really the stuff of emotionally charged thrillers, is it? (To be fair, Revolution OS is a pretty good documentary.)

On the other hand, the most ludicrous computer plot device in history, Independence Day, did very well at the box office. I mean, who in their right mind could believe that we would ever devise a computer virus that could infect an alien computer system? From a Mac? Try opening Mac or Linux files with your Windows OS and see your PC explode! Hey, maybe the aliens were using Macs. That would explain a lot... but I digress.

Computer expert Jakob Nielsen has come up with the top ten computer usability bloopers in film (the links are mine):

1. The Hero Can Immediately Use Any UI. "Break into a company -- possibly in a foreign country or on an alien planet -- and step up to the computer. How long does it take you to figure out the UI and use the new applications for the first time? Less than a minute if you're a movie star."

2. Time Travelers Can Use Current Designs. "An even worse flaw is the assumption that time travelers from the past could use today's computer systems. In fact, they'd have no conception of any of modern technology's basic concepts, and so would be dramatically more stumped than the novice users we observe in user testing. Even someone who's never used Excel at least understands the general idea of computers and screens."

3. The 3D UI. "3D is for demos. 2D is for work."

4. Integration is Easy, Data Interoperates. "In movieland, users have no trouble connecting different computer systems. Macintosh users live in a world of PCs without ever noticing it (and there were disproportionally more Macs than PCs in films a decade ago, when Apple had the bigger product-placement budget)."

5. Access Denied / Access Granted. "Countless scenes involve unauthorized access to some system. Invariably, several passwords are tried, resulting in a giant "Access Denied" dialog box. Finally, a few seconds before disaster strikes, the hero enters the correct password and is greeted by an equally huge "Access Granted" dialog box."

6. Big Fonts. "In addition to the immense font used for "Access Denied" messages, most computer screens in the movies feature big, easily readable text. In real life, users often suffer under tiny text and websites that add insult to injury by not letting users resize the words."

7. Star Trek's Talking Computer. "The voice-operated computer in Star Trek is an even more egregious example of designing an audience interface rather than a user interface. Spoken commands and spoken responses make it easy for the audience to follow the action, but it's a very inefficient way of controlling a complex system."

8. Remote Manipulators (Waldo Controls). "In practice, there's a reason we use steering wheels to drive cars instead of joysticks, touchpads, or push-buttons. The steering wheel is an excellent input device for fast and accurate specification of directionality."

9. You've Got Mail is Always Good News. "In the movies, checking your mail is a matter of picking out the one or two messages that are important to the plot. No information pollution or swamp of spam. No ever-changing client requests in the face of impending deadlines. And you never overlook information because a message's subject line violated the email usability guidelines."

10. "This is Unix, It's Easy". "In the film Jurassic Park, a 12-year-old girl has to use the park's security system to keep everyone from being eaten by dinosaurs. She walks up to the control terminal and utters the immortal words, "This is a Unix system. I know this." And proceeds to (temporarily) save the day."

Any other examples?

Friday, November 10, 2006

UK denies Denial of Service attacks

(via Out-Law) The Police and Justice Act 2006 was passed yesterday. This new Act contains criminal sanctions for those who access a computer with the intent of impairing its operation, of preventing or hindering access to any program or data held on it, or of impairing the operation of any program or data.

This is obviously intended to target technical attacks that cripple a computer, and it covers Denial of Service attacks, since they hinder the operation of an internet server.

Monday, October 16, 2006

Malware installation email

We should all now be aware of messages with requests to input your bank details. But what about messages asking you to install updates? I have received the following from support@microsoft.com (links removed to protect the innocent):

Internet Explorer 7 downloads
Get downloads for Internet Explorer 7, including recommended updates as they become available. To download Internet Explorer 7 Release Candidate 1 in the language of your choice, please visit the Internet Explorer 7 worldwide page.
Internet Explorer 7 Release Candidate 1 is pre-release software. Please view the support page for troubleshooting and feedback options.
When you click on the links, it takes you to this page:

[screenshot of the fake download page]

The page looks like the real thing, but it's located in a .info domain. I did not try to download the application, but it's very likely that it will try to install a trojan or keylogger.
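The tell-tale sign in this message is that the links point at a host outside the domain the sender claims (here, microsoft.com). The following is an added example, not code from the original post: it extracts every anchor from a constructed HTML body modelled on the quoted e-mail, works out the registrable domain of each link, and flags any link that does not belong to the sender's domain, including the common trick of embedding the real brand name as a sub-label of an unrelated domain. The hostnames in the sample and the two-label domain heuristic are assumptions for the example (a production check would use the Public Suffix List).

```python
"""Flag links in an HTML e-mail whose destination does not belong to the
sender's domain (added example; not part of the original post)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body modelled on the quoted message; the hostnames are
# made up for this example and are not taken from the original e-mail.
SAMPLE_HTML = """
<p>Get downloads for Internet Explorer 7. To download Release Candidate 1,
please visit the
<a href="http://www.microsoft.com.ie7-downloads.example.info/ie7">Internet Explorer 7 worldwide page</a>.</p>
<p>Please view the <a href="http://support.microsoft.com/ie7">support page</a>
for troubleshooting and feedback options.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Return the last two labels of a hostname.

    Assumption: this is adequate for TLDs like .com and .info used here; a real
    deployment would consult the Public Suffix List to handle e.g. .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(html, sender_domain):
    """Return links whose registrable domain differs from sender_domain.

    Each finding also records whether the sender's domain name appears as a
    decoy label inside the hostname (e.g. microsoft.com.example.info), which is
    a stronger indicator of deliberate impersonation than a plain mismatch."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reg = registrable_domain(host)
        if reg != sender_domain:
            decoy = sender_domain in host and not host.endswith("." + sender_domain)
            findings.append({
                "href": href,
                "text": text,
                "host": host,
                "registrable": reg,
                "decoy_label": decoy,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_HTML, "microsoft.com"):
        print(f"SUSPICIOUS: '{f['text']}' -> {f['host']} "
              f"(registered under {f['registrable']}, decoy label: {f['decoy_label']})")
```

Run on the sample, only the "worldwide page" link is reported: it resolves to a host registered under example.info, with microsoft.com embedded as a decoy prefix, while the support link genuinely sits under microsoft.com and passes.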

Monday, May 08, 2006

Hack NASA, hunt for UFOs

Some people may remember Gary McKinnon, the British system administrator who was arrested in 2002 for hacking into NASA, the American Department of Defense and the U.S. Air Force. McKinnon has been convicted in absentia in the United States for those offenses, and he is back in the news as he is fighting his extradition and wants to be tried in the UK under the Computer Misuse Act. However, reports at the time failed to disclose his motives: why would anyone hack into NASA? In a new interview for the BBC, McKinnon finally answers the question: he was looking for evidence of the existence of UFOs.

Perhaps the most serious point of the interview is the fact that McKinnon was not that much of a hacker; he simply designed a Perl script that hunted for systems in NASA and the military that had blank administrator passwords, which allowed him to gain control over those machines. He claims to have found thousands of compromised machines in this way. It seems like this is a common vulnerability, and Windows XP Pro users are particularly open to certain attacks. After watching the interview, I checked my services, and lo and behold, my administrator password was blank, and my Remote Registry service was indeed turned on! My system could be a zombie and I would not know it.

Besides the interesting issues of computer security and defense intelligence, what we all really wanted to know was whether he did find any evidence for UFOs. McKinnon claims he did find pictures of artifacts that could not be human (I never know how UFO believers can identify what is human and what is not). He claimed that he could not obtain any evidence of this because he was caught while downloading an image, and he did not think of hitting the PrintScreen button. Yes, you heard correctly, this masterful hacker is going to jail, and he forgot to print out his evidence.