Tuesday, March 13, 2007

The Economics of Phishing Emails, and Corporate Logos



Disclaimer: This is all idle speculation. I have no inside info to support my claims.



This evening, I spent some time browsing through Phish Tank - A fantastic live reference for phishing websites.

A shockingly large number of these websites load their images straight from PayPal's, eBay's and other companies' own web servers. That is, instead of making a local copy of the image and hosting it on the server that runs the phishing site, they include the image directly from eBay's web server. Not only does eBay get phished, but it also has to pay the bandwidth costs for the graphics displayed to the victim.

It's almost like the tale of a twisted dictator shooting someone, and then sending the victim's family a bill for the bullet.

This got me thinking.

PayPal, Bank of America, and others know exactly where their graphics should be shown on the web. A general and reasonable rule would be: any time a page at Paypal.com loads our logo, let it happen; if someone at evilphisher.com tries to load our image, serve a big warning image instead. This could easily be done by checking the Referer header passed by the browser.

This would be trivial to implement. The question, then, is why PayPal isn't doing this already.

As crazy as it may be, the answer is probably something like this:

1. Bandwidth is cheap, at least in the huge quantities that Paypal is purchasing.
2. Phishers are often hosting their sites on zombie/hacked machines, so they don't pay for the bandwidth themselves.
3. If PayPal starts checking the Referer header sent by a browser, phishing website designers will simply save a local copy of the image and host it on their own websites.

Simply put, Paypal doesn't really gain much by disallowing the phishers from using Paypal.com to host their images, and in fact, loses quite a bit.

As things stand right now, Paypal can analyze their logs, and see exactly which websites are causing people to load their images. Paypal probably has a team of people, or several scripts hitting each one of these websites to see if they are indeed a phishing site. If Paypal cuts off the flow of images, and forces phishers to host their own image files, they will immediately lose this valuable source of intelligence.

In this case - it seems that the enemy you know is far better than the enemy you've forced underground.
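The two mechanisms described in this post, the Referer check that swaps in a warning image and the log analysis that turns hot-linked logo requests into a list of suspect sites, as an added example that is not part of the original post. The host names, image paths and log lines are constructed for illustration; the log format assumed is the Apache/nginx "combined" format, and the allowlist policy (exact host or subdomain of paypal.com) is an assumption, not anything PayPal actually does.

```python
"""Referer-based hot-link handling and hot-link intelligence from web logs (added example)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed policy: only these hosts (and their subdomains) may embed the logo.
ALLOWED_HOSTS = {"paypal.com"}
LOGO_PATH = "/images/logo.gif"        # hypothetical asset path
WARNING_PATH = "/images/warning.gif"  # hypothetical replacement served to hot-linkers


def referer_host(referer):
    """Return the lower-cased host from a Referer value, or None if absent."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def is_allowed_referer(referer):
    """Allow an exact allowlisted host or a real subdomain of one.

    A missing Referer carries no signal (direct loads, privacy settings), so it
    is allowed. The leading '.' in the suffix check stops 'evilpaypal.com' from
    passing as a subdomain of 'paypal.com'.
    """
    host = referer_host(referer)
    if host is None:
        return True
    return host in ALLOWED_HOSTS or any(host.endswith("." + a) for a in ALLOWED_HOSTS)


def choose_image(referer):
    """Decide which file to serve for a logo request: the logo or the warning."""
    return LOGO_PATH if is_allowed_referer(referer) else WARNING_PATH


# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def hotlink_report(lines, logo_path=LOGO_PATH):
    """Count logo requests per non-allowlisted referring host.

    This is the intelligence feed the post describes: each host that appears
    here embedded our logo from a page we do not control, which is a strong
    lead for a phishing-site review queue.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != logo_path:
            continue
        host = referer_host(rec["referer"])
        if host is None or is_allowed_referer(rec["referer"]):
            continue
        counts[host] += 1
    return counts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [13/Mar/2007:20:15:01 -0400] "GET /images/logo.gif HTTP/1.1" 200 4521 "https://www.paypal.com/signin" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Mar/2007:20:15:09 -0400] "GET /images/logo.gif HTTP/1.1" 200 4521 "http://evilphisher.example/paypal/login.php" "Mozilla/5.0"',
    '198.51.100.8 - - [13/Mar/2007:20:16:22 -0400] "GET /images/logo.gif HTTP/1.1" 200 4521 "http://evilphisher.example/paypal/login.php" "Mozilla/5.0"',
    '192.0.2.44 - - [13/Mar/2007:20:17:03 -0400] "GET /images/logo.gif HTTP/1.1" 200 4521 "http://paypal.com.evil.example/verify" "Mozilla/5.0"',
    '192.0.2.45 - - [13/Mar/2007:20:17:40 -0400] "GET /images/logo.gif HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '192.0.2.46 - - [13/Mar/2007:20:18:11 -0400] "GET /index.html HTTP/1.1" 200 812 "http://evilphisher.example/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, n in hotlink_report(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {host}")
```

Note that the report deliberately ignores requests with no Referer and requests for anything other than the logo, so the output is a ranked list of third-party pages embedding the brand asset; the same function run over a day's access log is the "valuable source of intelligence" the post says a referrer block would destroy, which is exactly why the two halves of this example are in tension with each other.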

Wednesday, March 07, 2007

Is the Terrorist Surveillance Program exempt from FISA?

Bit by bit, I'm slowly learning to appreciate the law, and I'm learning how to read it. At times, I actually browse SSRN for pleasure...

For those of you who don't know what the Terrorist Surveillance Program is, go read about it elsewhere. It's old news now.

I read a few parts of the FISA statute this evening, and a couple of things jumped out at me. Let's look at 50 U.S.C. § 1801 (f).

“Electronic surveillance” means—

(1) the acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire or radio communication sent by or intended to be received by a particular, known United States person who is in the United States, if the contents are acquired by intentionally targeting that United States person, under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes;

(2) the acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire communication to or from a person in the United States, without the consent of any party thereto, if such acquisition occurs in the United States, but does not include the acquisition of those communications of computer trespassers that would be permissible under section 2511 (2)(i) of title 18;


(3) the intentional acquisition by an electronic, mechanical, or other surveillance device of the contents of any radio communication, under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes, and if both the sender and all intended recipients are located within the United States;

From my reading of these 3 parts of section (f), it would seem like:

If the US government/NSA performs a wiretap in international waters (i.e. splices the undersea fiber-optic cable or copies the satellite signal in space), does so on a wholesale basis (i.e. captures every single communication on that wire, and isn't attempting to target a particular citizen), and does it only for communications where one party is outside the USA, then it would be exempt from FISA.

I'm still rather new to the law here, but this seems like a fairly obvious loophole.

Am I missing something here?

Sunday, March 04, 2007

How The RIAA and MPAA Unknowingly Assist Child Pornographers

Or: How the Media Companies did more to spread cryptography, anonymity preserving technology and general knowledge about good online privacy hygiene than an army of activist cypherpunks ever could have


[Ed: I have to admit, I'm pretty proud of the fact that I've managed to tar two of the great Satans in the world, the RIAA and MPAA, with the kiddie porn brush. It's about time, since they've been doing the same to anonymity researchers for years]

A few years back, after waiting all night outside the US Supreme Court, I saw a semi-familiar face walking towards the front of the court-house. Without thinking, I ran up to him, and asked if I could have my photo taken with him. True, he is an extremely evil and corrupt man. Not quite as bad as Pol Pot, or even Cheney, but still evil enough. His name is Jack Valenti, and this blog-post describes how, strangely enough, he and his cohorts make the lives of child pornographers far better, and far safer.

-------

Music and software piracy existed long before Napster. It took place on Internet news groups (Usenet), bulletin board systems (BBS), FTP, and good old fashioned person-to-person exchange via floppy disks. The real threat that Napster posed was that it was really easy to use. So simple, that a non-technical user could quickly figure it out. What Napster did, essentially, was make an entire generation of non-technical users into 'pirates'.

We all know the story: Napster was shut down by the record labels, and shortly afterwards, improved systems like Gnutella and Kazaa took its place. While Napster had been a centralized system (with verbose logging, should law enforcement ever need it), the new systems were extremely difficult to take down, and presented a significant problem for anyone who wished to do forensic analysis after the fact - since there were no centralized records of who downloaded and uploaded what files.

Whereas before, the FBI could have sent Napster a subpoena stating "Tell us every user sharing these 5000 kiddie porn files", the new networks were purpose-built so that no such ability existed. Not because the designers wanted to help those sharing kiddie porn, but because the record labels used the very same techniques that the FBI used to combat child porn.

Fast forward a few years.

The record companies have their agents (like BayTSP) regularly trawling P2P networks looking for copyrighted content. The FBI and other parts of the government are either already using similar technologies, or surely have to be developing them....

In response, users have deployed technologies like PeerGuardian - which block network addresses known to be used by the record companies and their clients. And since DOJ has decided to begin, albeit slowly, prosecuting major P2P offenders, they will soon find themselves added to these blacklists - if they haven't been added already.

Let us now consider the case of encryption:

Shortly after the crypto-wars, the only people using encryption on their machines were paranoid crypto-geeks, or cypherpunks, as they called themselves. Systems were far too difficult to use to be deployed by the common man.

Fast forward a few years. The makers of Kazaa learned many lessons from their interactions with the record labels. When they developed their next program, Skype, they made sure to design cryptographic protocols into the core of the program. Every single Skype call is encrypted, and if the call never leaves the Skype network, then no one but the two callers can listen in. To make things even more difficult, just as with Kazaa, Skype was developed in eastern Europe and owned in another country. This multi-jurisdictional separation makes subpoenas quite tricky.

Skype is now the most widely deployed cryptographic application, ever. It's easy to use, it is used by millions of Internet users around the world, and the government has no real way to tap voice data as it crosses the network - CALEA, or not.

The point that I am trying to make is the following:

By going after people for sharing movies and music online, the major media companies have essentially created a huge market for anonymous (or close to anonymous) technologies. Technologies such as Tor, Freenet, Gnutella, and Skype arguably wouldn't exist as they do today if the Media companies didn't go after 'pirates' with such vigor. And with the influx of millions of new users, these programs have become better - either through more financial support/advertising, or through new developers/open source coders who are finding bugs and adding features.

P2P enforcement forced anonymity and evasion technologies to evolve far faster than they ever would have if the FBI had been the only 'threat' to privacy online.

However, these technologies do not just make the task of detecting copyrighted works more difficult - they make the FBI's job of finding child pornographers more difficult. Far more people use encryption now. Far more people erase data, and turn off logging.

The mass publicity of the NSA lawsuits has only cemented the idea in the public consciousness that email can be read, and so, I would argue, that less and less sensitive information is sent by email. More, not all, but more, people know that their email is not secure.

And now, with all the press relating to data loss/breaches by companies, we are finding that many Fortune 500 companies are demanding full disk encryption from their operating system suppliers. This will roll downhill. Someone who gets comfortable with the idea of an encrypted filesystem at work will be far more likely to turn that option on when they install Windows Vista at home. This will, of course, hugely frustrate the FBI. This isn't to say that they can't break it, but it makes their lives far, far more difficult.


What is the moral to this story? The record companies have made an entire generation of college students into criminals, and as such, those college kids have resorted to technical means of avoiding detection, which create a gigantic crowd of encrypted and obfuscated data in which 'real' criminals can hide. These evasion methods are the very same techniques that frustrate legitimate and useful law enforcement, which suffers as an unintended side-effect. The ability to catch genuine terrorists and child pornographers is significantly limited by the short-sighted actions of the major media companies.

And the thing is - it's too late to fix it. The genie is out of the bottle.

Just as the drug war has made an entire generation fear and mistrust the police, the P2P wars have given the Internet generation a reason to protect their privacy, or at least frustrate forensic analysis of their online activity.

So the next time you see an article describing a new tactic that the record labels are taking to stamp out piracy - Stop for a moment, and please, think of the children.


Note: I started coming up with the idea for this blog post a week ago over lunch with a colleague. However, I decided to hurry up and finish it after reading a recent law review article by Eric Stieglitz (ANONYMITY ON THE INTERNET: HOW DOES IT WORK, WHO NEEDS IT, AND WHAT ARE ITS POLICY IMPLICATIONS? ). You can find it on westlaw or lexis if you're lucky enough to have an account.