Phishing or Spamming?

I just got a HTML e-mail from email.bankofamerica1.com (notice the '1') asking me to sign-in at:

http://links.bankofamerica1.com:8082/Click?
q=c2-oXxLQUEyqThpeyRgVnmX3Fn0xOFR&a=1

Clicking on the link will peg me as a potential Bank of America customer, but I was curious to see if there was a phishing page at the other end, so I went ahead and ended up at the real Bank of America login page.  Hmm.  Curious.

This is what their WHOIS record says:

Registrant:
Bank of America Corporation
1201 Main Street, 12th Floor
TX1-609-12-15
Dallas, TX 75202
US

Checking Google, I found that the domain name is on several spammer blacklists.

All this leaves me wondering whether these guys are crooks or just a corporate vehicle for spamming.  Fish or spam makes a terrible menu.

BTW, I am now receiving at least one genuine phishing e-mail every day.  For me, at least, they are proving to be a good source of entertainment.

Atomizing RSS

Dave is making another effort to pull RSS and Atom together with an outline of a proposal that differs from past attempts including mine (see Making Atom Happen and Atom-Syntax Sin Tax).  These are the bulletpoints of his proposal:

1. The format would differ from RSS 2.0 as little as possible.

2. It would have the great spec that the Atom people are promising. A great validator, and lots of support from developers who evangelize the format. There wouldn't be many flames because everyone would be getting most of what they want.

3. It would be managed by an IETF working group that would be open to anyone who wants to participate, not just me, or Sam Ruby or Blogger and Movable Type, but anyone who wants to make the effort to contribute to furthering the art of syndication technology.

4. It would be backward compatible with RSS 2.0, so that any 2.0 feed could become an RSS/Atom feed by changing (fill in the blank, as little change as possible).

5. The top level item in the feed would be called rssAtom. It's a problem for at least one aggregator that the top level item in Atom is called "feed" — not such a problem today, but later when another format comes along that also calls its top level item "feed." Formats in general should use a distinctive name for their top-level element. (Prior art: HTML, RSS, SOAP, RDF.)

In essence, he is suggesting a common format that is backward compatible with RSS 2.0 at the data model level instead of the syntax level.  I like the proposal and sincerely hope it works out, but engineers are notoriously bad at finding the reverse gear…

Korean President Facing Impeachment Vote

With the general election just weeks away, two major opposition parties united to start an impeachment motion against President Roh because the President refused to apologize for openly declaring his support for the budding pro-government party.  Their silly excuse aside, the two parties control enough votes to impeach the President, so this is a serious turn of events.

The largest party was expected to win the last Presidential election and still has control of the Assembly but, thanks to staggering corruption charges that have surfaced since the Presidential election, they are expected to lose many of their Assembly seats to the pro-government party.

The other party involved used to be the President's party, but it turned nasty when the young bloods supporting the President formed their own party after the established party members refused to overhaul the party.  They are also fighting for their existence because they are losing votes to the new party.

If I seem biased, you bet.  I like President Roh.  In fact, he is the first Korean President I like because he is uncorrupted, unassuming, and determined to clean up Korean politics.  In comparison, the last one sent half a billion dollars to North Korea to get the Nobel Prize, and the one before that funnelled covert KCIA funds to his political party, the same one that is trying to drive President Roh out of office.

I am expecting Korean citizens to storm the Assembly if the impeachment goes through.

Related Google News Query

Idea Overflow

I have too many ideas and not enough resources to implement them all.  If there were a ready team of 10 top-notch engineers whom I could point at will, I'd be in heaven.  I suppose I can split some of them off, but the juiciest part is a set of interlocking ideas.  Argh.

Making a Living in Year 3004

I usually wake up with odd thoughts, as if a dream overflowed.  This morning it was what it would be like to make a living in the year 3004.  Frankly, it wasn't specifically 3004, but some time far in the future when people no longer have bodies and live entirely in cyberspace.  Since it is difficult to predict when and if civilization would reach that state, I just added 1000 to now.  Hey, it could happen.  😉

If I don't have a body, a lot of expenses disappear.  Will there still be reasons to work for a living in 3004?  Of course, you need to run somewhere which will cost money.  Rich folks will live on dedicated machines with layers of protections against failures and viruses. Poor folks will have to make do on cheap shared machines.

What about copyrights, privacy, and piracy in 3004?  I sure wouldn't want people copying me or reading my bits.  What about desirable experiences?  The taste of a perfect cup of coffee can be played over and over if I get a copy.  Will our coffee come with DRM to limit replays?  What about companionship and sex?  Will guys choose to buy the Perfect Wife 7.0 or turn down the loneliness meter?

If people can change their mind or appearances at will, what will the impact be?  Hey, how much you want for that set of splines buddy?

Will morality become just a club?  What is the point if you are just bits?  If a copy of me sleeps around and then 'resyncs' with the original, is that cheating?  Isn't that more like watching a movie?  Will there be room for President Carter's dirty thoughts in the future?  I know what you played last night and I want it erased from your mind!

You see what I mean by 'odd'?  Heck, it's entertaining too.

Secure UI: Site Seals

In How Not to Get Hooked by a 'Phishing' Scam, the FTC offers this guidance:

Before submitting financial information through a Web site, look for the "lock" icon on the browser's status bar. It signals that your information is secure during transmission.

Unfortunately, the credibility of the "lock" icon is questionable (via Payments News).  Arguably, the "lock" icon is even harmful because, as users come to depend on its presence, they become more vulnerable when it is spoofed.

Trust is a double-edged sword.

With the "lock" icon under siege, e-commerce companies are looking at other types of protection, such as VeriSign Secure Site Seal and GeoTrust True Site, which work by including a JavaScript fragment from a site seal server that inlines a site-specific image or an animation like the ones below.

(site seal images not reproduced here)

Since these JavaScript fragments are executed inside the target page, they can examine the domain the page was served from, ensure that they are being served to an approved site, and prominently display an attractive site-specific image that visually reassures the user.  The image can also be clicked to display information about the SSL certificate used in the HTTPS session.

Do these services offer any real protection?  No.  Because they rely so heavily on the visual, they are wide open to Visual Spoofing.  Both the 'seal' image and the popup can be spoofed with Notepad and an image editor.  Clever tricks inside the included JavaScript fragment are useless because the phishing page simply does not include the fragment: whatever checks it performs never run on the attacker's page, and the user sees only the copied image.
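To make the two preceding paragraphs concrete, here is an added example (my own illustration, not VeriSign's or GeoTrust's code) of the essential logic of a seal script next to the static spoof a phishing page ships instead.  The seal-server URL, the approved host names and the image paths are assumptions for illustration.  The host check compares on label boundaries, since a plain suffix check would accept a lookalike such as "evilexample-bank.test".

```javascript
// Added example, not code from the original post or from any seal vendor.
// Hypothetical seal server and approved hosts for illustration only.
const SEAL_SERVER = "https://seal.example-ca.test";
const APPROVED_HOSTS = ["example-bank.test", "www.example-bank.test"];

// True only if `hostname` is an approved host or a subdomain of one.
// Matching on label boundaries rejects "evilexample-bank.test" and
// "example-bank.test.evil.test", which a naive suffix or substring
// check would accept.
function isApprovedHost(hostname, approved = APPROVED_HOSTS) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return approved.some((a) => h === a || h.endsWith("." + a));
}

// What the included seal script does inside the target page: inspect the
// host the page was served from and, if approved, emit a clickable
// site-specific image whose popup shows certificate information.
function sealMarkup(hostname, approved = APPROVED_HOSTS) {
  if (!isApprovedHost(hostname, approved)) return "";
  const site = encodeURIComponent(hostname);
  const src = `${SEAL_SERVER}/seal.png?site=${site}`;
  const info = `${SEAL_SERVER}/certinfo?site=${site}`;
  return (
    `<a href="${info}" onclick="window.open(this.href,'seal',` +
    `'width=400,height=300');return false;">` +
    `<img src="${src}" alt="Secured site" width="100" height="50"></a>`
  );
}

// What a phishing page does instead: it never includes the script, so
// isApprovedHost() is never evaluated.  It ships a saved copy of the image
// and a hand-made popup page.  Only the URLs differ, and those are the
// parts the user does not see.
function spoofedSealMarkup() {
  return (
    `<a href="/certinfo.html" onclick="window.open(this.href,'seal',` +
    `'width=400,height=300');return false;">` +
    `<img src="/seal.png" alt="Secured site" width="100" height="50"></a>`
  );
}

// Extract what the user actually perceives from the seal markup: the
// rendered image box and its alt text.  The src and href are invisible.
function visibleAttributes(markup) {
  const img = markup.match(/<img\b[^>]*>/);
  if (!img) return null;
  const attr = (name) => {
    const m = img[0].match(new RegExp(`\\b${name}="([^"]*)"`));
    return m ? m[1] : null;
  };
  return { alt: attr("alt"), width: attr("width"), height: attr("height") };
}

// True when the real seal and the spoof present the same thing to the eye.
function visuallyIndistinguishable(realMarkup, spoofMarkup) {
  return (
    JSON.stringify(visibleAttributes(realMarkup)) ===
    JSON.stringify(visibleAttributes(spoofMarkup))
  );
}

// Stand-alone demonstration.
if (typeof require !== "undefined" && require.main === module) {
  const real = sealMarkup("www.example-bank.test");
  console.log("lookalike host approved?", isApprovedHost("evilexample-bank.test"));
  console.log("spoof looks identical?", visuallyIndistinguishable(real, spoofedSealMarkup()));
}
```

The host check is sound as far as it goes; the point is that it only ever runs on pages that choose to include the script, which a phishing page does not.  The same argument applies to any client-side check the seal vendor adds.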

IMHO, they are more dangerous than the "lock" icon because they loudly invite users to trust and depend on the presence of images that can be easily spoofed.  The main problem is that those images are site-specific, which appears to offer more protection than the generic "lock" icon.  But since phishers typically engineer site-specific attacks anyway, copying one more site-specific image costs them nothing, and the appearance of improved protection turns into a liability that the attacker can leverage.

I will post about possible ways to implement site seals with anti-phishing features in the near future.  Meanwhile, be sure to read my other posts on the subject of secure UI.