I am a hacker and you are afraid and that makes you more dangerous than I ever could be.

Schneier on Security: Attack Trends

Topic: Technology
9:51 am EDT, Jun 8, 2005

What follows is an overview of what's happening on the Internet right now, and what we expect to happen in the coming months.

I admire Schneier and all, but this article is a piece of self-serving shit.

We expect to see ever-more-complex worms and viruses in the wild.
We expect to see more blended threats: exploit code that combines malicious code with vulnerabilities in order to launch an attack.
We expect Microsoft's IIS (Internet Information Services) Web server to continue to be an attractive target.
[Worms targeted at a specific entity] are another trend we're starting to see.
We expect to see more attacks against financial institutions, as criminals look for new ways to commit fraud.
[...]
We also expect to see more politically motivated hacking, whether against countries, companies in "political" industries (petrochemicals, pharmaceuticals, etc.), or political organizations.

Well, I predict that people will continue to make obvious predictions. These predictions (with slight modifications) could apply to any of the last 10-15 years or so.

Anti-Phishing Working Group: Phishing Archive

Topic: Technology
1:15 pm EDT, Jun 6, 2005

Nice archive of phishing emails and analysis of the methods used:

- Email spoofing.
- URL encoding/mis-representation.
- Any validation of data entered by user.
- Suspicious parts to time people off.

Robert X Cringley has a neat article. In it he proposes the way to kill phishers is to taint their "take." The APWG provides a good data set to create an auto "anti-angler." I'm not sure how well this would work, because I am not sure how the phishers validate the info they collect. It's possible an automated attack flooding them with bogus data could quickly be filtered if I don't choose really good data. hmmmmmmmmmmmm. [gears start turning]

The Making of an $11 Indian Himalayan Cycling Expedition Medical Kit

Topic: Recreation
10:46 am EDT, Jun 6, 2005

- 10 x 500mg Vitamin C (to improve taste of iodinated water)
- 20 x 5mg Valium (to rest on the train/bus to Dharmasala)
- 10 x 400mg Flagyl (Metronidazole, intestinal amoebic/bacterial infections)
- 10 x 500mg C-flox (Cipro, ciprofloxacin, intestinal bacterial infections)
- 20 x 2mg Loperamide (Imodium, for diarrhea)
- 10 x 25mg Promethazine (Phenergan tablets, industrial strength anti-nausea, potentiates opiates)
- 10 x 0.5mg Dexamethasone (for severe Acute Mountain Sickness/edema)
- 10 x 10mg Cetirizine (Zyrtec antihistamine)
- 15g tube Miconazole Nitrate Ointment (Anti-fungal)
- 20g tube Soframycin ointment (Framycetin, antibiotic)
- 3 x Packs Oral Rehydration Salts (Why am I so thirsty? Oh...)
- 5 x Bandaids
- 1 compression bandage
- 1 roll medical tape
- 1 pack cotton bandages

Goan Price: 485 rupees, or about $11 US. Medical supplies in the US are too expensive. I heard the VA gets supplies from India, and it's no wonder.

Things I must get in Delhi:

1) Diamox (Preventative treatment for Acute Mountain Sickness)
2) Codeine/Hydrocodone/Oxycodone ("Dude, you broke your leg! Now ride out of this valley to help.")
3) Iodine Tablets (Water purification)
4) Ibuprofen (Muscle/joint injury/aches)
5) Sterile Alcohol (Prep for item 6)
6) "Sewing kit" (Stitch kit: pop a painkiller, then STOP THE BLEEDING!)

Things I already had:

- 10 x 500mg Chloroquine (Malaria prophylaxis/treatment)
- 20 x 500mg Paracetamol (Tylenol, Acetaminophen, fever/pain)

All told it will be less than $13. Even though I knew it would be cheap, I am amazed. Just thought I'd share.

IE as the shell (in Kiosk Mode)

Topic: Miscellaneous
2:09 pm EDT, Jun 3, 2005

In Windows, it's possible to replace the standard Explorer shell with another shell program, such as the CMD prompt or a custom written shell. What is less commonly known is that there is potential to use Internet Explorer as your shell in an embedded system, by taking advantage of IE's "Kiosk Mode". Check out this article on the Microsoft Support site about enabling Kiosk Mode.

Finally getting around to a project Stankdawg and I have been talking about for a while: Hacking Kiosks

Cache Missing for Fun and Profit

Topic: Miscellaneous
4:29 pm EDT, Jun 2, 2005

Paper about using HyperThreading to covertly monitor other threads

RE: CNN.com - Stage set for '.xxx' Internet addresses - Jun 2, 2005

Topic: Technology
2:22 pm EDT, Jun 2, 2005

Decius wrote: Furthermore, I want to point out that ICANN is totally inept at choosing TLDs in general. I don't think that they should be allowed to do it. They have too much power to shape the internet, they are really not accountable to anyone, and they are terrible at it.

I agree. This adoption of new TLDs with little thought and no restrictions on registering inside them is causing some serious issues. Look at .tv. No one uses it. I should be able to type in [anytvshowname].tv and get its website. I can't. Fox, ABC, and other stations already have websites. .TV does nothing for them. It's just another thing for registrars to sell.

The owner of ford.tv might have a TV show on some local cable access channel. Ford Motor Company has ford.com. There is no reason for them to need ford.tv. However, companies don't see that .tv is another TLD that is supposed to logically separate things. Instead, they see FORD. So they sue. ICANN and registrars not having requirements or restriction to register inside these new TLDs reinforces the idea that the .tv TLD is nothing special. From their point of view ford.tv is not any different from ford.com.

I really, really wish I could go back in time and bitch-slap the person who decided that people other than ISPs can have .net and that people other than government-recognized non-profits can have .org. Structure is gone, and ICANN is piling on more TLDs.

Web Application Security White Papers

Topic: Current Events
5:49 pm EDT, Jun 1, 2005

Some interesting reading I've been doing for my new job with SPI Dynamics (Decius: SPEEEEEEEEEEEEEEE!!!!!). XSS, URL Encoding, and other typical web application hacking stuff. I was familiar with these attacks, but spent most of my time with my head in the layer 3/4 sand to investigate their full scope.

Stripe Snoop: 1.4 Million hits, 14,000 downloads!

Topic: Current Events
2:31 pm EDT, Jun 1, 2005

SourceForge has their new stats system up, finally letting me see the effect of being Slashdotted in March, plus the traffic from my publication in Make Magazine. The result: 955,517 hits in March 2005! Recently I've been getting a lot of email from Korea of late, so I guess it's making the rounds in Asia. This link shows all the stats since the project started in July 2004.

SF hosts 'Masturbate-a-thon'

Topic: Miscellaneous
1:51 pm EDT, Jun 1, 2005

] According to a Yahoo! report (and yes, we've asked ourselves if they haven't got anything better to do down at Yahoo! - like cracking one off - instead of wasting everyone's time with these tiresome masturbation stories), the event was organised to "help raise funds for the Center for Sex and Culture, and, according to its organizer, provide an outlet for safe sex for those who enjoy pleasuring themselves in a semi-public setting".
]
] Jesus. No wonder Middle America is as we speak loading its semi-automatic rifle and flicking through the Bible for the bit where it says: "Ye verily, the Lord did smite down those who indulged in the trouser-snake monosamba."

I Love The Register

Guy paid $100,000 a year to blog about Dukes of Hazzard

Topic: Current Events
1:23 pm EDT, Jun 1, 2005

] Yes, Christopher Nelson's new job, which comes with a $100,000 salary and a one-year contract, will be to watch reruns of "The Dukes of Hazzard" weeknights on the Country Music Television cable channel and write blog posts for the network's Website. ... ...

This just seems so retarded. The whole reason people enjoy blogs is they are not contrived or corporate sponsored like this. Then for some reason they included this in the article:

Before spending the $100,000 in salary, plus various other related costs, the most expensive promotion CMT had ever done for any show was the "Wizmark" talking urinal cake promotion for the network's "Outlaws" series, Hitchcock said. "Don't miss Outlaws on CMT. You seem to miss everything else," the chemical-infused cakes said when moistened.

I don't know whether to laugh or cry.
