Posts belonging to Category Computing

The Crap In Your Inbox

Wondering where all that crap in your inbox is coming from?  It’s coming from people like this.

Here are the full details on her “business”.

She claims that all of her lists are “opt-in”.  Given my experience with spammers, that’s usually a blatant lie.  It’s people like her who force the rest of us to take extreme measures to protect our email addresses and to eye everyone who asks for an email address with suspicion.

I create a new email address for each place that I do business with, which includes the business name and sometimes the promotion.  I examine privacy policies when I sign up for an account to see how they will use my email.  I make sure that all “opt-out” checkboxes are checked.  I don’t post my email address to newsgroups.  I mangle my email address for this web page (even before anyone knew this page existed I was getting crawled by spambots).

What I’ve found is that the majority of reputable companies are honoring my requests.  However, there are a few out there who conveniently decide to “forget” my settings and start sending me crap.  Maybe they’re thinking I’ll have forgotten about telling them not to send me stuff.  Anyway, I always tell them to stop.  If they don’t stop after a reasonable amount of time I’ll stop doing business with them and then redirect all email to that address to someone in their customer service organization (or to their sales address).  When their own spam gets back to them, it seems to get their attention (or at least it worked with marketing -at- carparts.com—I’m not mean enough to post their unobfuscated address here :-)).

Be Careful Out There

This is why you should be careful about what data you put out on your web site.  Just because there isn’t a link to it doesn’t mean that someone can’t find it.

…  Scan your company’s Web servers. Find the files that aren’t linked to your public Web site. Then track down their owners and remind them that whatever they put on a Web server is accessible to anyone on the Internet.

Point out that if someone on the Internet can guess the URL of a piece of business information, even if it’s not linked, it’s not safe. And that’s true whether the information is financial data, marketing plans or personnel records, and whether the guesser is a reporter, an employee, an investor or a competitor.

And if they think it can’t happen to them, tell them about Intentia. And remind them that your CEO probably isn’t desperate enough to call the cops if proprietary information leaks out by way of unnecessary, unlinked files on your company’s Web servers.

But he’ll probably know who’s guilty.
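The audit the column recommends (“find the files that aren’t linked”), as an added example that is not part of the original post or the column: a Python script that walks a document root, crawls the site’s own links starting from the index page, and reports every file the crawl never reaches. It assumes a static site served straight out of one directory, with no server-side rewriting; the `SAMPLE_SITE` contents are constructed for the demonstration.

```python
"""Audit a web document root for files that no link chain from the public
site reaches.  Added example (not from the original post); assumes a static
site served from one directory.  SAMPLE_SITE below is constructed data."""
import os
import sys
import tempfile
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, unquote


class LinkExtractor(HTMLParser):
    """Collect every href/src target on a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def normalize(base_path, target):
    """Resolve a link relative to the page it appears on and return a
    site-absolute path, or None for external, mailto:, javascript: links."""
    parsed = urlparse(target)
    if parsed.scheme or parsed.netloc:
        return None
    path = unquote(urlparse(urljoin(base_path, target)).path)  # drops ?query and #fragment
    if path.endswith("/"):
        path += "index.html"  # a directory request is served by its index page
    return path


def reachable_paths(read_page, start="/index.html"):
    """Breadth-first crawl over site-absolute paths.  read_page(path) returns
    the page text, or None if the path does not exist or is not HTML."""
    seen = {start}
    queue = [start]
    while queue:
        path = queue.pop(0)
        text = read_page(path)
        if text is None:
            continue
        parser = LinkExtractor()
        parser.feed(text)
        for target in parser.links:
            child = normalize(path, target)
            if child is not None and child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def unlinked_files(all_files, read_page, start="/index.html"):
    """Sorted list of site files that no link chain from `start` reaches:
    exactly the files the column warns about."""
    reached = reachable_paths(read_page, start)
    return sorted(f for f in all_files if f not in reached)


def audit_docroot(docroot, start="/index.html"):
    """Walk a document root on disk and report its unlinked files."""
    all_files = []
    for dirpath, _, names in os.walk(docroot):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            all_files.append("/" + rel.replace(os.sep, "/"))

    def read_page(path):
        full = os.path.join(docroot, path.lstrip("/"))
        if not os.path.isfile(full) or not full.lower().endswith((".html", ".htm")):
            return None
        with open(full, encoding="utf-8", errors="replace") as fh:
            return fh.read()

    return unlinked_files(all_files, read_page, start)


# Constructed sample site: two files are reachable only by guessing their URL.
SAMPLE_SITE = {
    "/index.html": '<a href="about.html">About</a> <a href="docs/">Docs</a> '
                   '<a href="http://example.org/">Out</a> <img src="logo.png">',
    "/about.html": '<a href="/index.html#top">Home</a>',
    "/docs/index.html": '<a href="guide.html?v=2">Guide</a>',
    "/docs/guide.html": "<p>no links</p>",
    "/logo.png": None,                    # binary, never parsed
    "/docs/draft-plan.html": "<p>never linked</p>",
    "/budget-2002.xls": None,
}


def demo_on_disk():
    """Write the constructed sample site to a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as docroot:
        for path, text in SAMPLE_SITE.items():
            full = os.path.join(docroot, path.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(text or "")
        return audit_docroot(docroot)


if __name__ == "__main__":
    # Usage: python audit.py /var/www/html   (no argument runs the sample site)
    for path in (audit_docroot(sys.argv[1]) if len(sys.argv) > 1 else demo_on_disk()):
        print(path)
```

Run it against the real document root of each server and hand the resulting list to the file owners; anything on it is served to whoever guesses the URL, whether or not a link exists. Sites that build pages dynamically or serve files from outside the document root need the `read_page` and file-listing callbacks adapted, since the crawl only sees what a static server would.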

Shattering Windows

Here’s an interesting article on a security vulnerability (privilege escalation exploit) in Microsoft Windows (all versions that use the Win32 API).

The ability to send messages between windows in different processes is something I was familiar with, but I hadn’t given much thought to the security exploit implications of it (although I was well aware of memory protection issues, etc., given I’d played around with some code like this when I was learning the Win32 API).  I had been viewing it as a feature that allowed a program to communicate with other windows.  In fact, some fairly handy tools probably use this feature (like WinRunner).

I found this section interesting, though:

This research was sparked by comments made by Microsoft VP Jim Allchin who stated, under oath, that there were flaws in Windows so great that they would threaten national security if the Windows source code were to be disclosed. He mentioned Message Queueing, and immediately regretted it. However, given the quantity of research currently taking place around the world after Mr Allchin’s comments, it is about time the white hat community saw what is actually possible.

At the time Allchin made those comments, I thought that they were a desperate ploy to avoid opening up the Windows source code.  I also thought that it was pretty arrogant to assume that Windows is that important.  But then I thought about the fact that NT (3.5 and 4.0) is C2 certified, so I just let it pass.

The exploit requires that the attacker already be able to run arbitrary code on the machine.  But that’s not as difficult as one might think, and since it’s a privilege escalation exploit, it could allow a guest user to gain system access.

Some more discussion on the topic from slashdot: Shattering Windows

Keep your grubby laws off my computer

This article at Fox News details the nefarious plan by Senator Fritz Hollings (D-S.C.) (who is bought and paid for by the recording industry) to require “digital rights management” in all digital devices.

Consider the following excerpt from the bill: “It is unlawful to manufacture, import, offer to the public, provide or otherwise traffic in any interactive digital device that does not include and utilize certified security technologies.”

To paraphrase Charlton Heston’s character in Planet of the Apes:

“Keep your grubby laws off my computer, you damn dirty senator.”

More background:

Slashdot article—“Senator from Disney” :-)

Downloading can’t be stopped—Why the music (and film) industry will lose this battle.