You know the drill by now: educational institutions enjoy leaving their networks open to any would-be identity thief or research data saboteur:
Oregon State System of Higher Education
1225 Kincaid, UO Campus
Eugene, OR 97403
spammed us on Friday, 5 March 2010 - 6:54pm via IP 140.211.15.30
University of British Columbia
6356 Agricultural Road
Vancouver, BC V6T-1Z2
CA
spammed us on Friday, 5 March 2010 - 8:45pm via IP 198.162.52.23
Kilmarnock College
Lumen House
Library Avenue
Harwell Science and Innovation Campus
DIDCOT, Oxon
OX11 0SG UK
spammed us on Friday, 5 March 2010 - 8:32pm via IP 212.219.163.212
Technical University of Vienna
Technische Universitaet Wien
Zentraler Informatik Dienst
Wiedner Hauptstrasse 8-10/020
A-1040 VIenna
Austria
spammed us on Saturday, 6 March 2010 - 12:05am via IP 128.131.167.8
Nebo School District
350 S. Main
Spanish Fork, UT 84660
spammed us on Monday, 22 February 2010 - 1:30pm via IP 160.7.244.34
Here we have an insecure network that deals double damage by making both educational and medical information vulnerable:
Medical and Educational Data Network
P.O. Box 14466
Riyadh 11424
Saudi Arabia
spammed us on Saturday, 27 February 2010 - 1:19am via IP 213.230.18.244
Government agencies in general should be more secure than these:
State of Nebraska / Office of the CIO
501 South 14th street
Lincoln, NE 68508-2711
spammed us on Thursday, 4 March 2010 - 2:47pm via IP 205.202.121.244
Illinois Century Network
120 W Jefferson
Suite B
Springfield, IL 62702
spammed us on Wednesday, 24 February 2010 - 10:03pm via IP 64.107.146.21
And, of course, we always love to feature people who tout their security expertise:
M5 Computer Security
3368 Governor Drive #F-124
San Diego, CA 92122
spammed us on Thursday, 4 March 2010 - 9:00am and Friday, 5 March 2010 - 5:37pm via IP 206.251.255.61
To be fair, that appears to be a hosting service for ifountain.org. So, unless you use their software yourself, you probably only have to be concerned if someone else who uses RapidOSS is leaking your personal data because they've been compromised. I mean, we all know what operations management software is being used by people who store our personal information, right?
Simple minds like simple things. I guess that's why I like basic geometric shapes like circles, triangles, and squares so much. What could be easier than assembling millions of different colored squares to create everything from works of art to the words that you're reading on your computer monitor right now? A different pixel here, a different pixel there . . . nothing much . . . child's play, really.
Another thing a child's mind delights in, for the purposes of this post, is optical illusions. I certainly remember that I liked them as a kid, and still do. Around the web you'll find many great optical illusions. One in particular that I like on that page is "A bulge". I like it because it contains nothing but squares lined up on a grid, yet manages to produce the effect of curved lines.
Needless to say, rectangular shapes are easy to produce with the box model of web layout. That's certainly the foundation of how I developed the basic Town Square spatial content system. So on a particularly slow day I got around to reproducing the image using only div elements and a little CSS. Enjoy:
As an added bonus, the HTML (15984 bytes) is quite a bit smaller than the original image (59287 bytes). There are many other variations on the same theme that it would be easy enough to reproduce with the style sheet I have, or I could possibly animate the bulge using JavaScript. Let me know if you'd like to see anything else interesting done with this.
I went to the United States Post Office the other day to do $1.56 of first class business. Much to my amused surprise, in the coins I got back was a Canadian cent. It isn't exactly rare to get Canadian money mixed in change, especially in a Northern state like Minnesota, but it was a bit odd for a US government office to be using it!
When I sorted it out back home, flipping it resulted in a characteristic ~12kHz ring like an older US penny makes. In case you weren't aware, the US penny changed composition in 1982 and the mainly-zinc newer ones ring flat (if at all) while the mainly-copper older ones have a nice sharp tone. This particular Canadian cent was from 1979, and so I naturally wondered how much copper it had in it.
The reason it matters is that a copper penny's metal value exceeds its face value. Although it is illegal to do so currently, melting them down would net you more money than spending them; roughly 2 cents for every penny. The same should be true if a 1979 Canadian penny contains enough copper, plus I should be able to melt foreign currency with impunity! My go-to site for data on this is Coinflation, and they even helpfully have a page that lists Canadian coin melt values. Metal prices fluctuate, but as of this writing that 1 cent Canadian is worth 2.3 cents US. Thanks, Post Office, for the extra 1.3 cents!
If you've surmised by this point that my main point wasn't going to be about netting a cool supra-cent profit, congratulations. No, my greater point hidden in there is that it is dumb to have laws against doing sensible things. It used to be that the metal value of our money was the value. We had currency backed by silver and gold, but for some reason we not only switched to fiat value, we went and outlawed actually using the metal value for the lowest denomination coin we have. As if that weren't bad enough, even the Nickel has a metal value that often floats above 5 cents.
And that leads us to the reason this is in the Kill It With Fire section. There have long been calls to eliminate the Penny, but I'm going to take it the extra step and say we might as well do the Impossibly Stupid thing and eliminate 5 cent coins as well. The difference in value for most business transactions in truncating the total to the nearest 10 cents is going to be less than a single percent, and that's only necessary for paying in cash! They can still price individual items down to the cent, or even the sub-cent pricing that gasoline has long been sold at. Charge a credit card for as exact an amount as you wish but, from a coinage perspective, why not set the baseline at a dime?
Compromised educational institutions have become both a staple and tiresome:
University of Hawaii Community College System
UH Computing Center 2565 The Mall
Honolulu, HI 96822
spammed us on Monday, 8 February 2010 - 7:15pm and Wednesday, 17 February 2010 - 12:07pm via IP 166.122.68.249
Zhejiang University Of Technology
Hangzhou, Zhejiang 310014
China
spammed us on Thursday, 11 February 2010 - 1:22pm via IP 210.32.200.95
Texas A&M University
Networking & Information Security
MS 3472
College Station, TX 77843-3472
spammed us on Friday, 19 February 2010 - 7:54am via IP 128.194.128.95
Moscow State University
Main building, Room 1012
Lenin's Hills
119899 Moscow
Russia
spammed us on Saturday, 20 February 2010 - 1:16pm via IP 193.232.117.77
New Mexico State University
Box 30001 MSC 3AT
Las Cruces, NM 88003
spammed us on Saturday, 20 February 2010 - 4:24pm via IP 128.123.166.204
And color me surprised that it took this long, but now we have some religious institutions who can't shepherd their servers. They'll claim to save your soul, but your money and identity are probably in the hands of thieves:
TMNET IP Administrators
TM Annexe 1,
Jalan Pantai Baru,
50672 Kuala Lumpur.
Malaysia
spammed us on Tuesday, 16 February 2010 - 2:50pm via IP 219.95.108.38
That's a generic IP owner, but it resolves to smtp.ibfim.com, or the mail server for the Islamic Banking and Finance Institute. I again sit amazed that botnets take over these sorts of critical servers, yet squander their ripe position by using them to openly spam low-grade blogs with low-grade drug links.
Family Stations Inc.
290 Hegenberger Road
OAKLAND, CA 94621
spammed us on Wednesday, 17 February 2010 - 6:05am via IP 69.25.105.76
For your reference, that resolves to fsiinternet.familyradio.org. Family Radio bills itself as "A Worldwide Christian Ministry". And because nothing says a happy and loving Christian family like death threats, they've set aside 21 May 2011 as the end of the world.
We begin today's journey with a Douglas Adams quote:
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so.
I've always been a big fan of thinking about thinking. When you're thinking about what other people are thinking, it's called theory of mind. Humans are particularly notable for being able to think about what another person is thinking they're thinking about. Like Adams notes with learning, though, people seem disinclined to do so.
I bring this up as a result of Richard Wiseman's most recent Friday Puzzle. In the discussion, as has happened with previous puzzle answers, some people go to great lengths to explain why nobody should be able to solve the puzzle. It never occurs to them that they simply have an underdeveloped theory of mind.
That is, most people who get a word problem ("A train leaves New York traveling at 60mph...") understand that the person asking the question is after a particular answer, and that a toy situation is being set up by the questioner to make the math (or logic) a little more fun. If your theory of mind developed properly, you got past the particulars of the setup and solved the problem as posed. If it didn't, you were that annoying guy who wouldn't shut up about "Oh, but teacher! Wouldn't the train have to slow down around corners!?! Or stop for fuel!?!"
So, with a bit of irony, by trying so eagerly to show that they're oh-so-smart, they become Impossibly Stupid by showing they don't have a fully developed theory of mind. Instead of figuring out what the questioner is thinking of as an expected answer, they construct elaborate reasons why no answer can be correct. They think doing so makes them insightful, because they are open to all the possibilities, but what it really shows is that they've regressed into the mind of a 3 year old.
I think that kind of thinking is becoming more common. I think you know why I think that's a sad state of affairs.
As noted in my last post about email spidering, I changed the email contact for Impossibly Stupid to be a simple mailto: link. Here it is just over 12 days later, and I'm spammed already! Quite a bit sooner than the corporate email. Let's examine the data, starting with the important email headers:
Received: from mail.kz (frontend03n.mail.kz [92.46.53.18])
    by homiemail-mx7.g.dreamhost.com (Postfix) with ESMTP id 18F6CCF3EF
    for <info@waitingwatching.impossiblystupid.com>; Sat, 13 Feb 2010 04:54:54 -0800 (PST)
Received: from [213.154.94.76] (account mrszenila3@mail.kz)
    by backend01n.mail.kz (CommuniGate Pro WEBUSER 5.2.13) with HTTP id 2954844;
    Sat, 13 Feb 2010 18:54:56 +0600
From: "mrszenila" <mrszenila3@mail.kz>
Subject: I NEED YOUR ASSISTANCE TO INVEST IN YOUR COUNTRY
Reading backwards, we have this mrszenila user account that is associated with an IP 213.154.94.76 which is, surprise, located in Africa (the Dakar, Senegal area). The actual mail server IP 92.46.53.18 looks to be out of Almaty, Kazakhstan, using what is likely a free email provider.
That's all good and fine, but it doesn't directly shine any light on how they got our email. A simple mailto: doesn't log anything on the server, so we have to dig at the logs a bit to find anything relevant to the above:
213.154.94.195 - - [12/Feb/2010:21:32:16 -0800] "GET / HTTP/1.1" 200 38080 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
That's it. That's the only hit from the entire 213.154.0.0/16 since I made my previous post. No site referral, no images were loaded, no links were followed, no indication of any kind points to a human actually looking at the page. Just the index grabbed, and then the spam a few hours later.
The conclusion is that spammers are still spidering for email addresses, just not very deeply. At least this site, anyway, which is already an oddly large target for comment spammers. The results might be different if I had chosen to run this experiment on index page of the corporate site. I may still do that, but I don't suggest you do unless you use some of the same techniques I do (e.g., disposable addresses).
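The analysis above (read the Received chain from the bottom up to find the submitting host, then look for that host's network in the access log and check how long before the spam it visited) is mechanical enough to script. The following is an added example, not code from the blog: the message headers and the 213.154.94.195 log line are the ones quoted in the post; the other two access-log lines are constructed noise so the network filter has something to reject, and any hostnames or addresses beyond those in the post are assumptions for illustration only.

```python
"""Correlate a spam message's originating IP with web-server access logs.

Added example (not the blog's own code). The headers and the one 213.154.94.195
log line come from the post; the two other log lines are constructed noise.
"""
import ipaddress
import re
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime

RAW_MESSAGE = """\
Received: from mail.kz (frontend03n.mail.kz [92.46.53.18])
\tby homiemail-mx7.g.dreamhost.com (Postfix) with ESMTP id 18F6CCF3EF
\tfor <info@waitingwatching.impossiblystupid.com>; Sat, 13 Feb 2010 04:54:54 -0800 (PST)
Received: from [213.154.94.76] (account mrszenila3@mail.kz)
\tby backend01n.mail.kz (CommuniGate Pro WEBUSER 5.2.13) with HTTP id 2954844;
\tSat, 13 Feb 2010 18:54:56 +0600
From: "mrszenila" <mrszenila3@mail.kz>
Subject: I NEED YOUR ASSISTANCE TO INVEST IN YOUR COUNTRY

(body omitted)
"""

ACCESS_LOG = [
    # constructed: crawler traffic from an unrelated network
    '66.249.65.1 - - [12/Feb/2010:20:10:02 -0800] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; constructed-bot/1.0)"',
    # the single hit quoted in the post
    '213.154.94.195 - - [12/Feb/2010:21:32:16 -0800] "GET / HTTP/1.1" 200 38080 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"',
    # constructed: an ordinary visitor on a private address, with a referrer
    '10.0.0.5 - - [13/Feb/2010:01:02:03 -0800] "GET /blog/post HTTP/1.1" 200 5000 "http://example.invalid/" "Mozilla/5.0"',
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def received_chain(raw_message):
    """Received headers oldest-first, each as (from_ip, by_host, timestamp).

    Each relay prepends its own header, so the top header is the hop nearest to
    us and the bottom one is the host that actually submitted the message.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        ip_match = IP_RE.search(value)
        by_match = re.search(r"\bby (\S+)", value)
        date_part = value.rsplit(";", 1)[-1].strip()
        date_part = re.sub(r"\s*\([^)]*\)\s*$", "", date_part)  # drop "(PST)"-style comment
        hops.append((ip_match.group(1) if ip_match else None,
                     by_match.group(1) if by_match else None,
                     parsedate_to_datetime(date_part)))
    hops.reverse()
    return hops


def origin_ip(raw_message):
    """The IP in the oldest Received header: where the mail was submitted from."""
    return received_chain(raw_message)[0][0]


def parse_log_line(line):
    """Parse one combined-format access-log line into a dict (None if malformed)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def hits_near(log_lines, ip, prefixlen=16):
    """Log entries from the same /prefixlen as ip; spam sources rarely reuse one address."""
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    return [e for e in map(parse_log_line, log_lines)
            if e and ipaddress.ip_address(e["ip"]) in net]


def hours_before_spam(raw_message, log_lines, prefixlen=16):
    """For each nearby hit: (client ip, request, hours before our MX accepted the spam)."""
    delivered = received_chain(raw_message)[-1][2]  # newest header: our MX's timestamp
    return [(h["ip"], h["req"], (delivered - h["ts"]).total_seconds() / 3600)
            for h in hits_near(log_lines, origin_ip(raw_message), prefixlen)]


if __name__ == "__main__":
    print("origin:", origin_ip(RAW_MESSAGE))
    for ip, req, hours in hours_before_spam(RAW_MESSAGE, ACCESS_LOG):
        print(f"{ip} {req!r} {hours:.1f} hours before the spam arrived")
```

Running it reports 213.154.94.76 as the origin and the lone index fetch from 213.154.94.195 about 7.4 hours before delivery, matching the "few hours later" in the post. The /16 default is deliberately coarse; tighten prefixlen for a busier log, and remember that only the top Received header (written by your own MX) is trustworthy, since a sender can forge anything below it.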
You didn't really think it'd stop, did you? We start off with another series of educational institutions:
Brisbane Boys' College
Kensington Tce
Toowong QLD 4066
AU
spammed us on Monday, 1 February 2010 - 7:25pm, 7:39pm, 7:50pm, 8:02pm, 8:03pm and 8:12pm via IP 203.57.147.3
Prince of Songkla University
Computer Center
Korhong, Hatyai, Songkhla, 90110
spammed us on Monday, 1 February 2010 - 5:28pm; Thursday, 4 February 2010 - 10:08am via IP 202.12.74.44
Polish Academy of Science
Institute of Bioorganic Chemistry
Poznan Supercomputing and Networking Center
ul. Noskowskiego 12/14
61-704 Poznan
Poland
spammed us on Friday, 5 February 2010 - 2:58pm via IP 150.254.161.3
That's right, the botnets even have access to a supercomputing center, and yet they haven't figured out anything better to do with it than spam dumb blogs like mine.
Next up we have an otherwise generic IP block owner:
Cox Communications
1400 Lake Hearn Dr
Atlanta, GA 30319
spammed us on Monday, 1 February 2010 - 5:26pm, 7:25pm, 7:30pm, 7:31pm, 7:39pm and 8:03pm; Thursday, 4 February 2010 - 2:35am; Friday, 5 February 2010 - 6:05pm, 8:00pm, and 8:05pm via IP 98.172.30.138
What is notable about that IP is that it resolves to nat-gw.productionadvantage.com. The Production Advantage, Inc. appears to be a direct marketing company, so if you've ever done business with them, it's a good bet that your data has been compromised. They even helpfully list their clients, so if you've ever given your personal information to any of those organizations, you might want to contact them regarding your pending identity theft.
Another generic IP block owner:
Savvis
1 SAVVIS Parkway
Town and Country, MO 63017
spammed us on Thursday, 4 February 2010 - 11:20am via IP 216.109.73.21
That IP resolves to dc3-pw-nat.ws.ag.com. I will helpfully point out that ag.com belongs to American Greetings. As though it weren't bad enough for your "friends" to give up your identity for a stupid eCard, welcome to their insecure system that gives it up to people that are probably even worse.
And it's always the most fun when someone selling security is insecure:
TREND MICRO INCORPORATED
10101 N. De Anza Blvd,
Cupertino, CA 95014
spammed us on Monday, 1 February 2010 - 8:08pm via IP 216.104.15.138
and in an odd twist, they also came in a half hour earlier from halfway around the world, doing a scouting mission on Monday, 1 February 2010 - 7:33pm via IP 150.70.84.26
The slogan on their site is "Securing Your Web World". Since they can't secure their own, I have my doubts. Their traffic pattern is so strange, though, it makes me think that they themselves might be abusing network resources instead of being part of someone else's botnet.
Since there haven't been any new notable organizations spamming the blog comments here in the last couple weeks (although there have been quite a number of repeat offenders), I'm going to pass along some observations about the good ol' fashioned email variety of spam.
I have a long history of fighting spam emails. I won't get into the details, but I was onboard with all the mainstream anti-spam efforts from the early days. Then something happened in 2005, which I also won't get into, that made me realize that a lot of the anti-spam people weren't much more than power-hungry goons who themselves were more interested in profiting from spam than eliminating it.
At the time, my main address was getting 5000+ spam/day. So I did the Impossibly Stupid thing of taking a step back from all the filtering and blacklisting and reporting and all the other machinery that has been thrown at the problem of email spam, asking myself instead what I, as a lone individual, could do to keep my inbox clean.
I now get maybe 1 spam/week. I do no filtering. I maintain no blacklists. My server only sees that one email, so there isn't much need to do anything fancy after the fact. I'm not really hiding my contact info, either. I even provide a clickable email link on web pages without a hint of JavaScript obfuscation. I did think up and use some new techniques to choke the flow, but this post isn't really about detailing them.
Instead, because my inbox was essentially cleared of spam for over a year, I decided to start an experiment. In November of 2007, I put up a web page on the corporate site that had a unique email address link in the clear. The question in my mind at the time was "Is web spidering even done to collect email addresses anymore?"
You see, the trickle of spam I was getting in my "real" email was easily traced by my new techniques. 99% of it was from Usenet posts; if I started using an invalid address there I'd essentially get no spam at all. Nothing was coming in via any web site I was on, but I wasn't certain if that was directly due to things I had done. So I put up an email address free and clear. Very retro!
Just now, 2 years and 2 months later, I saw the first spam to that email address. A couple more came in after that, and I'm going to keep an eye on whether or not the volume starts to take off. But the conclusion is pretty clear: there seems to be very little need to make people browsing your web site jump through a lot of hoops to get your email, because that doesn't appear to be how spammers are finding you these days.
Caveats abound, to be sure, but that's what I'm seeing. One obvious factor is that the web has gotten so large that it no longer makes sense to spider it all just to scrape out a new email address or two. It may be that they just hit the index page of most sites (my test email address was buried at least 3 clicks deep). I'm even going to test that out by making my main contact to the right a clear email address. Stay tuned for progress reports. If they're not even doing that small amount of spidering, you might have a long wait . . .
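The experiment described in this post and the one before it (a unique address per page, then watching when and where the first spam lands) needs one thing to work: a way to map an incoming message back to the place its address was published and to the date it went up. The post deliberately doesn't describe the author's own tracing techniques; what follows is an added example of one way to do it, not the blog's code. It assumes you receive mail for a whole domain (example.invalid here) and keeps a server-side secret so that seeing one trap address tells a scraper nothing about the others; the registry entries, dates and sample message are all constructed.

```python
"""Trace which published venue leaked a spam-trap address, and how long it took.

Added example, not the blog's own technique. Assumes you can receive mail for
any local part at DOMAIN. Venues, dates, secret and the sample spam are constructed.
"""
import hashlib
import hmac
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

SECRET = b"constructed-secret-change-me"  # assumption: a server-side secret, one per domain
DOMAIN = "example.invalid"                 # assumption: a domain whose mail you receive


def trap_address(venue, secret=SECRET, domain=DOMAIN):
    """One address per venue (a page path, a newsgroup, a signup form...).

    The HMAC tag means a scraper who harvests one address cannot derive the
    rest by guessing venue names, so a hit really does point at that venue.
    """
    tag = hmac.new(secret, venue.encode(), hashlib.sha256).hexdigest()[:12]
    return f"contact-{tag}@{domain}"


def publish(registry, venue, published_at):
    """Record where and when an address was exposed; returns the address to publish."""
    addr = trap_address(venue)
    registry[addr] = (venue, published_at)
    return addr


def recipients(msg):
    """Addresses the mail was really for.

    The 'for <...>' clause written by our own MX is the reliable one; To: and
    Cc: are whatever the sender chose to put there, but we check them too.
    """
    found = []
    for value in msg.get_all("Received", []):
        found += re.findall(r"\bfor <([^>]+)>", " ".join(value.split()))
    for value in msg.get_all("To", []) + msg.get_all("Cc", []):
        found += re.findall(r"[\w.+-]+@[\w.-]+", value)
    return [a.lower() for a in found]


def attribute(registry, raw_message):
    """Return (venue, days since that venue was published) for the first trap hit, else None."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received", [])
    if not received:
        return None
    # The topmost Received header is the one our MX wrote; its timestamp is delivery time.
    delivered = parsedate_to_datetime(" ".join(received[0].split()).rsplit(";", 1)[-1].strip())
    for addr in recipients(msg):
        if addr in registry:
            venue, published = registry[addr]
            return venue, (delivered - published).days
    return None


# Constructed registry: two pages, published on two different dates.
REGISTRY = {}
CONTACT_ADDR = publish(REGISTRY, "/contact", datetime(2007, 11, 1, tzinfo=timezone.utc))
ABOUT_ADDR = publish(REGISTRY, "/about", datetime(2008, 3, 15, tzinfo=timezone.utc))

# Constructed sample: spam delivered to the /contact trap address; the To: header
# is useless, as is typical, so attribution has to come from the MX's 'for' clause.
SAMPLE_SPAM = f"""\
Received: from relay.example.invalid (relay.example.invalid [192.0.2.10])
\tby mx.{DOMAIN} (Postfix) with ESMTP id CONSTRUCTED
\tfor <{CONTACT_ADDR}>; Wed, 20 Jan 2010 10:15:00 +0000
From: "Someone" <someone@example.invalid>
To: undisclosed-recipients:;
Subject: constructed sample

(body omitted)
"""

if __name__ == "__main__":
    print(attribute(REGISTRY, SAMPLE_SPAM))  # which venue leaked, and after how many days
```

A hit on the /contact address 811 days after publication is the shape of result the post describes (first spam two years and two months after the address went up). Because the tag is derived rather than random, the registry can be rebuilt from the venue list alone if it is lost, and an address that is not in the registry (a guessed tag, or your real contact address) attributes to nothing.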
As I have mentioned before, I'm a big fan of inversions. They seem to thrive along the fine line of things that are impossibly stupid. One of my favorite quotes related to that is by Niels Bohr:
The opposite of a correct statement is a false statement. But the opposite of a profound truth may well be another profound truth.
I was prompted to tip the hat again because Darwin has been getting a lot of attention over the last year, and a segment on a podcast (ABC Radio National's The Science Show Daniel Dennett - why are we here?) really hit home for me. It nicely ties together a number of inversions, and all sorts of other ideas in a way that makes me so much happier to know what I don't know (and possibly not even know that). You owe it to yourself to listen to or read the entire thing, but here's a particularly nice excerpt quoting a critic of Darwin:
who, by a strange inversion of reasoning, seems to think absolute ignorance fully qualified to take the place of absolute wisdom in all the achievements of creative skill
I like it most because it folds back into itself so well. Proclaiming yourself to be on the side of "absolute wisdom" is just about the boldest setup for circular reasoning you can get. Absolute ignorance, on the other hand, has nothing but an upside. Maybe Oscar Wilde said it better:
We are all in the gutter, but some of us are looking at the stars.
So here we have it: the last single digit spam call out is also the last "on demand" one and, as you will soon see, it's a great capper. I'll still be raking insecure hosts over the coals, of course, but not as they come in. To that end, anonymous comments must now be approved, and when that queue gets cleaned is when you'll see new outings. (weekly? monthly? we'll see . . .)
In the ongoing theme of failed educational institutions, we have this decidedly-non-educational-institution IP owner:
Open Software Foundation
P.O. Box 7286
Nashua, NH 03060
spammed us on Sunday, 17 January 2010 - 6:59am via IP 130.105.36.54
Because it resolves to www.hudsonvalleyschool.org, though, I'm dumping it in with other educational institutions. With any luck, it's just a basic web host without any student records or other confidential information, but it still represents a machine that may be considered a trusted host, and it's now part of some botnet. I mainly only listed it to create a calm before the storm.
And here comes the big one! The insecurity to make all insecurity envious! If you had asked me to predict this day, I would have said "never in my wildest dreams", yet:
Microsoft Corp
One Microsoft Way
Redmond, WA 98052
spammed us on Sunday, 17 January 2010 - 4:09am, 4:19am, 5:17am, and 10:41am via IP 131.107.33.62
Color me both shocked and amused. They hit this site not just once, but four times! Sadly, this entry will likely be lost amongst all the other Microsoft insecurities that pop up all over the Internet on a daily basis. I wonder if I would be just as careless if I had billions of dollars. Would you?