This particularly ghoulish scene from the movie Security Scenarios from Hell has three actors: WiFi, Zombies, and Spyware.

Perils of WiFi are well known and well publicized (i.e. Wireless Networks are in Big Trouble, a classic Wired from 2001).  If you are a geek, here is a more technical version of the same from Security-Forums.com.  While the perils were preached before their subjects have, WiFi is now commonly available which means those perils are now common as well.

Zombies are also well publicized.  Typically, they are poorly protected servers or home PCs with broadbands which are hijacked by hackers, supposedly even traded like Yu-Ki-Oh cards in the hacker community, and used to increase scalability to their attacks and to reduce likelyness of capture.

Spyware is software running on desktops that monitors user activities and report back to it's master.  Most of them are just privacy violators, some are used for more sinister purpose and are called trojans.  Earthlink recently claimed that PCs had, on the average, 28 spyware installed.  While I think the claim is over-hyped to fit their agenda, spyware is nonetheless common place and it's not difficult to place one on anyone's compure.  If your PC is more than six months old, chances are that there were plenty of opportunities for hackers to seed it with spyware.

So here is the scene: imagine a new class of spyware that monitors wireless network packets using code from these open source wiretapping tools.  AirSnort and one of the ARP poisoning packages should be enough.  Now imagine this spyware being delivered to laptops with WiFi cards that supports features AirSnort needs.  The laptop just became a new kind of zombie, which I call wireless zombie, that only wakes up when the WiFi card is used.

All that is missing from the scene is the stage: a WiFi hotspot like Starbucks.  The laptop owner sits in a corner and access the Net through the WiFi, it could even be someone like me writing this very blog post.  The spyware wakes up and starts monitoring the wireless traffic looking for passwords and credit card numbers.  If very strong encryption is used, wireless zombies can form a global grid and split up the work of cracking encryption keys.  Once a month, the zombies reports back to their master via USENET posts.

This Zombies at Starbucks scenario is particularly nasty because the potential number of compromises is just staggering.  Maybe the FCC will have to dictate higher level of standards and send out a warning that helps WiFi users detect wireless zombies by the unusual fan activities triggered by the zombie grid working overtime.

Just in case you are wondering, I am still alive and kicking.  I have been busy with a project for a client and I have barely managed to get enough sleep in the last six days because I have to deliver by this Sunday something that will wow people into opening their pocket next week.

As usual, it's a lonewolf project because there is neither the time nor resources to pull together a team.  I am trying to slip in some fancy design features for flexibility but it's mostly wham-bam-stay-out-of-my-way-fool and I'll-fix-that-later going on.

Yeah, it's Silicon Valley at its best since crash projects like these are impossible to outsource.  Days of milking fat mega-corporations on multi-year projects are gone and lean mean shoot-from-the-hip or work-for-nickles days are here.

Hackers are like germs.  You throw equivalents of antibiotics at them, they'll mutate into superbugs.  For example, I doubt phishers will be tempted to hack Google to take advantage of AdSense Voluntary XSS vulnerability because they are getting enough loot from stupid phishing attacks to keep them happy.  Once Microsoft Outlook, the main phishing delivery vehicle, is plugged and their gravytrain runs out, they will turn into superbugs to find other means of getting their phishing lures in front of the user's eyeballs.

Oops.  I am out of tea for now.

Online security industry is a sprawling mad hatter's party.  Blackhats moving about silently, whitehats screaming their lungs out, everyone having their tea and then racing to the next set of chairs and tea set.  It all started as a  nice tea party but money started pouring in and it has never been the same since.

It used to be that blackhats did most of pulling rabbit of their hats and whitehats did most of the clapping and finger pointing.  Now whitehats can't wait so they started pulling rabbits of their hats themselves and do all the clapping as well.  Meanwhile, blackhats are getting lazier because they can just watch whitehats do all the rabbit pulling instead of doing the work themselves.  Rabbit pulling is fun if it's a hobby, but is hard work when it's a job.

At this tea set, the rabbit's name is Phish which is turning out to be a big hit at the party.  More tea?

Discover the world of obscure URLs made possible by absent minded engineers.  Really disgusting.

Meanwhile, IE is not being too friendly to extensions that attempt to prevent toolbars and status bars from being hidden.  All legit calls I can find to force them to be visible are being ignored.  There are sneaky ways to get the job done, but I would rather not dance around behind IE's back.  If anyone has a legit solution, let me know.