The article starts off with chest beating about how revolutionary the article is since there is a lack of information on the efficacy of spam. But, in their background section, they mention the previous work on pump and dump spam which is relatively easy to study. Wikipedia links to 3 studies that show that pump and dump spamming drove up prices of the touted stocks by 6% between 2005-6. This is a pedantic point but distracts from the strength of their argument right away.

The deconstruction of Corman’s remarks is just outright weird. No telling why they didn’t just ask him what he meant and what numbers he was adding up. My guess is that instead of profit, he may have said or meant millions of dollars in damages, but I haven’t asked him either. The site that they link to doesn’t quote him, rather it attributes a paraphrased statement to him. This paraphrased statement is then put into quotes in the article, but the text in quotes doesn’t actually show up on the linked-to site. (Note, although we both work for the same company, I have never met nor talked to Corman.)

Gathering statistics by parasitic infiltration is ethically questionable. Counter attack is becoming more acceptable from a cyber war perspective, but it is not a generally acceptable security practice. I definitely do not consider it an ethical research practice. The paper extensively discusses the ethics of this practice and decides that since no one is left worse off than before that it must be ethically correct to allow it. I think this is disingenuous and disregards all of the arguments about why it is not an ethically sound security practice, primarily the argument that you might get it wrong and actually damage an innocent bystander inadvertently.

The spamalytics system alters the entity that they are studying and thus their statistics although interesting become questionable. The backend fulfilment or trojan delivery server is often quickly shut down in a real attack. They address this point in Figure 6, but don’t discount their conversion rate in any way nor do they site statistics about how quickly fulfilment servers are shut down to defend not discounting their conversion rate.

They wound up with 28 conversions for the pharmacy spam, but they didn’t allow the site to accept personal information. How many of the 28 users would actually have completed the transaction. How many of them were participants in the scam the scammers movement? Regardless, their conversion rate is amazingly low, as they state too low to sustain profitability for the spamming operation.

The researchers performed analysis on only one type of spammer – the ones motivated by money. The quality of the average spam clearly indicates that not every spammer is in it for the money. They are griefers, just like the griefers in online games who show up to “spoil it for the rest of us”. It would be worth running a similar research project on non-email spammers who are motivated by money to see if they are more profitable. Wired had an article about Craigslist in a recent issue and it included a paragraph on the problems that they have with spam. They manually remove spam from their listings. Captchas didn’t work because the spammers hired cheap labor to break the captcha. You can see this in Amazon’s Mechanical Turk where spammers offer users $0.01 to perform a spam like activity.

Because of these quibbles, I would not bet the house that spammers are unprofitable (or barely profitable) just based on these results. Despite these quibbles, I really enjoyed the time that I put in to reading this article and so I recommend that you go take a look too. Enjoy!

94% of Fedora 8 installs have SELinux enabled

in Fedora Weekly News Issue 121 (Feb. 18, 2008). Now if you read the article, the number I selected to highlight is the raw number that James got off-list. 47%, 50%, and 74% were also tossed out there. Dan Walsh said that the statistics are misleading but being improved and Yaakov Nemoy says that smolt only measures 10% of Fedora machines. So, they are still working out the details. Even so, what they have measured so far is a quite a bit different from the statistics that we see about enterprise customers. I expect it is probably because Fedora users are satisfied with a completely open source stack and do not install as many 3rd party ISV applications which are not as integrated and do not have application specific SELinux policy. Still, this is an incredibly encouraging statistic. Once the Fedora community has been collecting the statistics a little longer, collects whether SELinux is enforcing or not, and starts publicizing these statistics widely, they may be able to help drive ISV adoption (or at least tolerance) of SELinux which will encourage commercial customers to follow the Fedora wave of early adopters on short order.

P.S. Yes, the title is tongue in cheek with a nod to the guys who participated in the discussion.

http://fedoraproject.org/wiki/FWN/Issue121

Note to Charles Babcock: software has bugs, even security bugs. If you want to drive down the number of bugs in the software that you are using, use open source.

This type of crappy response comes up almost every time Coverity announces a significant improvement. See this similar news story from ZDNet back in October 2006: Most open source is better.

http://scan.coverity.com/

http://www.news.com/8301-10784_3-9843682-7.html?tag=nefd.top

http://scan.coverity.com/rung2.html

[1] Dan Geer, Measuring Security