Nov 03 2007

MSN Hotmail - New King of Spam a lot

Published by Kim Haverblad under Security

A couple of months ago, after getting totally sick of all the spam in my mailboxes, I changed the configuration and installed greylisting support on the mail server. So how does greylisting work? Each time a given mailbox receives an email from an unknown contact (IP address), that mail is rejected with a temporary “try again later” message. In the short run this means that all mail gets delayed at least until the sender tries again, but this is where spam loses out: most spam is not sent using RFC-compliant MTAs, and the spamming software will not try again later. That did the trick for a while… but during the last couple of weeks I have noticed that MSN Hotmail accounts are being used as senders and thereby avoid getting blocked by the greylisting, which is highly annoying! Then again, it was just a matter of time before this would happen.
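The mechanism described above, as an added example (not code from this post or from any mail server): a small greylisting decision function keyed on the (sender IP, envelope sender, recipient) triplet, plus a constructed run of three deliveries. The class and function names, the retry window of five minutes and the sample addresses are assumptions made for illustration. The third delivery shows the post's complaint: a sender whose MTA retries correctly, such as a large webmail provider, passes greylisting just like legitimate mail does.

```python
"""Greylisting simulation (added example, not the post's own code)."""
from dataclasses import dataclass, field

TEMPFAIL = "451 4.7.1 Greylisted, try again later"  # SMTP temporary failure
ACCEPT = "250 OK"


@dataclass
class Greylist:
    # Assumed policy values: minimum delay before a retry is accepted,
    # how long an unknown triplet is remembered, and how long a triplet
    # that retried correctly is trusted without further delay (seconds).
    min_delay: int = 300
    retry_window: int = 4 * 3600
    whitelist_for: int = 36 * 24 * 3600
    seen: dict = field(default_factory=dict)    # triplet -> first-seen time
    passed: dict = field(default_factory=dict)  # triplet -> trust expiry time

    def decide(self, sender_ip: str, mail_from: str, rcpt_to: str, now: int) -> str:
        key = (sender_ip, mail_from.lower(), rcpt_to.lower())
        # A triplet that already retried correctly is trusted for a while.
        if key in self.passed and now < self.passed[key]:
            self.passed[key] = now + self.whitelist_for
            return ACCEPT
        first = self.seen.get(key)
        if first is None or now - first > self.retry_window:
            # Unknown contact: reject temporarily and remember when we saw it.
            self.seen[key] = now
            return TEMPFAIL
        if now - first < self.min_delay:
            # Retried too quickly: keep answering "try again later".
            return TEMPFAIL
        # Retried after the minimum delay, as an RFC-compliant MTA does.
        del self.seen[key]
        self.passed[key] = now + self.whitelist_for
        return ACCEPT


def simulate() -> dict:
    """Constructed deliveries covering the three cases the post describes."""
    gl = Greylist()
    rcpt = "kim@example.org"
    results = {}
    # 1. Spamming software: one attempt, never retries, so never delivered.
    results["spambot"] = [gl.decide("192.0.2.10", "x@example.net", rcpt, 0)]
    # 2. A proper MTA retries after ten minutes; the second attempt is accepted.
    results["legit_mta"] = [
        gl.decide("198.51.100.5", "friend@example.com", rcpt, 0),
        gl.decide("198.51.100.5", "friend@example.com", rcpt, 600),
    ]
    # 3. Spam relayed through a webmail provider's MTA, which retries properly:
    #    greylisting cannot tell it apart from legitimate mail, and once the
    #    triplet has passed, later mail from it is not delayed at all.
    results["webmail_spam"] = [
        gl.decide("203.0.113.7", "someone@hotmail.com", rcpt, 0),
        gl.decide("203.0.113.7", "someone@hotmail.com", rcpt, 900),
        gl.decide("203.0.113.7", "someone@hotmail.com", rcpt, 86400),
    ]
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:13s} {outcome}")
```

Because the decision is purely about retry behaviour, greylisting adds nothing against mail that originates from a well-run MTA; that is why the usual next step is to combine it with sender reputation or content filtering rather than to block a whole provider.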

The question remains whether Microsoft is sleeping, since these activities can’t really pass without any notice by MSN. By now they should have quite a few high-volume users that send quite a few e-mails. Sending abuse reports to Microsoft seems to work (slowly), even if I don’t get any feedback from them; then again, I guess I’m not the only one with this problem. Having an anti-spam policy isn’t enough and doesn’t do the trick of blocking spam. Microsoft has also admitted that up to 98 percent of messages sent to Hotmail addresses are spam. The question is whether 98 percent of messages sent from Hotmail addresses aren’t spam as well.

According to Sarah Lefko, MSN product manager, MSN has been very aggressive and proactive in protecting MSN Hotmail users from spam and, together with SenderID, blocks 20 million e-mails per day. The problem is that it just doesn’t work.

What would the solution be then? Well, I’m really tempted to block Hotmail and not accept any e-mails from the hotmail.com domain. Then again, that is really just a bad workaround for the problem. Also, how can it be that Google’s Gmail accounts aren’t abused? So far I haven’t received a single spam from a Gmail account… yet.

Kim Haverblad


Nov 03 2007

Has airport security improved?

Published by Kim Haverblad under Security

As a frequent flyer within Europe one notices the increased and changed security activities following the unprecedented events of 11 September 2001. Although the level of security has increased at many airports, the question remains whether all airports have made the proper changes.

Let’s take Sweden’s largest airport, Arlanda in Stockholm, as an example and compare it with, for example, Heathrow Airport in London, UK. The first thing one notices at Heathrow is that you are informed that it can take up to 30 minutes to pass through the security controls. At Arlanda, the LFV Group (Swedish Airports and Air Navigation Services) has stated in its contract with G4S (formerly Falck Security) that the maximum time to pass through the security area should be 5 minutes.

I have often passed through Heathrow airport with my notebook during the last 10 years, and I have numerous times been asked to turn on the notebook so that the security personnel could verify that it’s a working system I’m carrying around and not a dummy. At Arlanda they only ask you to open up the notebook so that they can check that there is a keyboard (or whatever they’re looking for), but nothing about turning on the system to see if it actually works. Actually, I’ve never been asked to turn on the notebook at a Swedish airport at all.

Shoes and belts, which usually contain some kind of metal and therefore tend to trigger the metal detectors, have to be removed and X-rayed at Heathrow. At Arlanda you might be asked to unbuckle the belt to check that you’re not hiding anything, but that is more an exception than a rule.

During 2005 there were a number of incidents at Arlanda where both knives and bomb bags (IEDs, Improvised Explosive Devices) were missed in the security controls, controls carried out by LFV Group. Both LFV Group and G4S got loads of unwanted media coverage because both organisations were shown not to take the security activities seriously enough. An anonymous employee of G4S Security also told the Swedish press that during one day they made 20 random security checks of hand luggage but wrote in their internal reports that 130 security checks had been performed, just to fulfil the contract with LFV Group. Other anonymous G4S employees have reported that they were informed an hour in advance of when security checks would be performed by LFV Group.

Either LFV Group and G4S have not learned anything from the earlier negative media coverage, or they have simply clamped down hard on the information that could leak out to the media, because when travelling via any of the Swedish airports the security checks sometimes feel a bit random. So far Sweden hasn’t had any major incidents. But there is clearly a need for improvements at the Swedish airports.

Kim Haverblad


Oct 31 2007

WordPress Cross-Site Scripting

Published by Kim Haverblad under Security, WordPress

Well, it’s time to update your WordPress installation to the latest release (2.3.1) if you haven’t done so yet. Janek Vind has posted a less critical cross-site scripting vulnerability that applies to versions < 2.3.0.

Input passed to the “posts_columns” parameter in wp-admin/edit-post-rows.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of the affected site.
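The defect class above (a request parameter echoed into the page unsanitised) beside its hardened form, as an added illustration that is not WordPress code: the affected file is PHP, and this Python version only shows the pattern. The set of known column names, the function names and the sample request value are assumptions made for this example; the fix shown here, allowlisting the column names and HTML-escaping what is emitted, is the generic remedy for reflected parameters, not a description of the actual WordPress patch.

```python
"""Reflected request parameter: vulnerable form and hardened form.

Added example, not code from WordPress or from the advisory.
"""
from html import escape

# Column names the listing is allowed to show; an assumed set for this example.
KNOWN_COLUMNS = {"title", "author", "categories", "date"}


def render_columns_unsafe(posts_columns: str) -> str:
    """'Before' form: the request value is copied straight into the markup."""
    cells = [f"<th>{name}</th>" for name in posts_columns.split(",")]
    return "<tr>" + "".join(cells) + "</tr>"


def render_columns_safe(posts_columns: str) -> str:
    """Hardened form: accept only known column names, then escape on output.

    The escape is redundant after the allowlist check but costs nothing and
    protects the output if the allowlist is ever widened to free-form text.
    """
    cells = []
    for name in posts_columns.split(","):
        name = name.strip()
        if name not in KNOWN_COLUMNS:
            continue  # unknown column: drop it instead of echoing it back
        cells.append(f"<th>{escape(name, quote=True)}</th>")
    return "<tr>" + "".join(cells) + "</tr>"


def reaches_output(rendered: str, fragment: str) -> bool:
    """Did the given request fragment reach the HTML output verbatim?"""
    return fragment in rendered


# Constructed request value: one valid column name plus a tag that must not
# reach the browser as live markup.
SAMPLE = "title,<script>x</script>"

if __name__ == "__main__":
    print("unsafe:", render_columns_unsafe(SAMPLE))
    print("safe:  ", render_columns_safe(SAMPLE))
```

Running the block prints the two renderings: the unsafe one carries the tag through unchanged, the safe one contains only the allowed `title` column.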

Janek Vind’s original advisory can be found here and the latest version of WordPress can be found here.

If you want to speed up the upgrade of WordPress, I also suggest that you take a look at WordPress Automatic Upgrade, which takes care of the upgrade for you. WordPress Automatic Upgrade allows a user to automatically upgrade the WordPress installation to the latest one provided by wordpress.org, using the 5 steps given in the WordPress upgrade instructions.

Kim Haverblad


Oct 25 2007

Swedish tax authorities want customer records from ISPs

Published by Kim Haverblad under Privacy

The Swedish tax authority (Sweden’s IRS), Skatteverket, has lately started to look into home pages that it thinks generate revenue via banner income, and now wants to force Swedish ISPs to release their customer records.

Swedish ISP Bahnhof is one of several companies that have received a request from the Swedish IRS to release customer records for 2004-2006, and it has specifically been asked to release the following:

  • Name
  • Address
  • Personal code (identity) number
  • Date for check-in
  • Date for check-out
  • Total billing amount
  • Server type and IPs
  • List of domains hosted
  • Host configuration files

It should be mentioned that the Swedish IRS is not asking for the records of specific customers that it believes have participated in any kind of criminal act; it is asking for whatever it can get, to then poke around until it stumbles over something of interest.

Bahnhof’s CEO Jon Karlung says in an interview that they have no reason to release such information, as it would be against Swedish law (the law on electronic communication), even if they will be fined 80 000 USD for not complying with the request made by the IRS. Jon Karlung also says that they don’t oppose releasing specific information about customers if the IRS (or any other authority, for that matter) can show suspicion of ongoing criminal activities. That is not the case here, since the IRS wants to harvest ISP customer records for what it defines as suspicious economic activities.

Swedish IRS spokesperson Dag Hardyson is confident that Bahnhof will release the requested information even if the case has to go to the county administrative court. He says that he has full confidence in the injunction issued against Bahnhof and that the injunction itself is in accordance with Swedish law; he does not want to comment on Bahnhof’s legal interpretation and says that he has full confidence in his own legal department’s interpretation and recommendations.

All in all, it seems that our privacy is more and more compromised at the national and EC level in the name of fighting terrorist and criminal activities. Don’t get me wrong here; I fully agree that we should fight activities that threaten our community. But it seems that all the laws that wouldn’t have been passed 10 years ago because of privacy intrusion now get fast-tracked and passed.

To wrap it all up, the problem is also that we have two different laws that collide with each other, so there is a deadlock regarding this entire story until it has been settled in court. I’m looking forward to seeing what happens next.

Kim Haverblad


Oct 25 2007

Shall we all become the sole property of FaceBook?

Published by Kim Haverblad under Privacy, Security

Computer World, IDG and DN write today that Microsoft has bought 1.6% of the shares in Facebook for 240 million dollars! I can only congratulate Mark Zuckerberg and Facebook. But the question remains whether it’s in the best interest of the users to get Microsoft involved in Facebook, given the enormous wealth of information that the users have provided Facebook with, for free, about themselves!

So how many of the estimated 50 million users have actually given a thought to the information they have submitted to Facebook, and how many of them have actually read the Terms of Use and the Privacy Policy? It can’t be many of the existing users! Either people are very well aware of what they sign or they don’t care. But they should care, since when they signed up at Facebook they gave the company exclusive rights to the material submitted, to be used in whatever way it likes!

“You acknowledge and agree that any questions, comments, suggestions, ideas, feedback or other information about the Site or the Service (“Submissions”), provided by you to Company are non-confidential and shall become the sole property of Company. Company shall own exclusive rights, including all intellectual property rights, and shall be entitled to the unrestricted use and dissemination of these Submissions for any purpose, commercial or otherwise, without acknowledgment or compensation to you.”

Even if you as a user have the possibility to delete your account, Facebook has the following lines in the Privacy Policy to inform you that user data may exist in backup copies for a reasonable time:

“Removed information may persist in backup copies for a reasonable period of time but will not be generally available to members of Facebook.”

My question to the above is: how short or long is their definition of a reasonable period?

The Terms of Use have a few lines about what you as a user can and cannot do when it comes to harvesting or collecting information about other users; they don’t really say anything about Facebook’s rights to harvest or collect information about its users, so let’s check the Privacy Policy.

Facebook’s Privacy Policy clearly states that they harvest and collect information about you as a user and also try to figure out usage patterns.

“When you use Facebook, you may set up your personal profile, form relationships, send messages, perform searches and queries, form groups, set up events, add applications, and transmit information through various channels. We collect this information so that we can provide you the service and offer personalized features.”

They actually say that in most cases they inform the user beforehand so that you can choose whether or not to participate; I would say that in most cases they don’t inform you as a user about how they plan to use the collected information.

The following lines should raise a red flag for most people, since they talk about aggregating the user information Facebook has gathered, to which you as a user have already given Facebook exclusive rights, but sadly they don’t:

“Facebook may use information in your profile without identifying you as an individual to third parties. We do this for purposes such as aggregating how many people in a network like a band or movie and personalizing advertisements and promotions so that we can provide you Facebook. We believe this benefits you.”

I’m fully aware that Facebook is a corporation that wants to make money and that it provides a free service; but are people aware of what kind of spin-off industry and products might come out of the huge amount of information they’ve gathered? Working in business development at Facebook must be one of the greatest jobs around, given the huge potential they have with all the raw data. And I doubt that Facebook will aggregate more than just what kind of bands or movies you or a group of users like.

So think twice when you sign up with Facebook or a similar community; you might just end up signing over your entire life story to the company behind the community and thereby ruin your future.

So when, in the future, you get questions about activities you’ve done in the past and thought were harmless at the time, think twice before answering: what does he or she know about you that you have forgotten?

Kim Haverblad

