Triggerfish, also known as cell-site simulators or digital analyzers, are nothing new: the technology was used in the 1990s to hunt down renowned hacker Kevin Mitnick. By posing as a cell tower, triggerfish trick nearby cell phones into transmitting their serial numbers, phone numbers, and other data to law enforcement. Most previous descriptions of the technology, however, suggested that because of range limitations, triggerfish were only useful for zeroing in on a phone's precise location once cooperative cell providers had given a general location.

This summer, however, the American Civil Liberties Union and Electronic Frontier Foundation sued the Justice Department, seeking documents related to the FBI's cell-phone tracking practices. Since August, they've received a stream of documents—the most recent batch on November 6—that were posted on the Internet last week. In a post on the progressive blog Daily Kos, ACLU spokesperson Rachel Myers drew attention to language in several of those documents implying that triggerfish have broader application than previously believed.

First, here is what my early endorsement for the book said (can be found on the inside cover of the book):

“Amazingly useful (and fun to read!) book that does justice to this  somewhat esoteric subject - and this is coming from a long-time  visualization skeptic! What is most impressive that  this book is  actually 'hands-on-useful," not conceptual, with examples usable by  readers in their daily jobs. Chapter 8 on insiders is my favorite!”

What else do I think of the book, apart from the fact that it is awesome? :-)

First, I have to admit that I used to argue with Raffy about usefulness of visualization. I was burned by having to look at bad “visualization” tools and would take an ugly, meaningful table over an ugly, meaningless picture any day now. Thus, I was a visualization skeptic. Buy you know what? The book does justice to visualization really well, and it explains when to use it and when not to use it.

The book gives just the right amount of visualization theory, which is not onerous to read at all (unlike some other books), as well as other visualization basics. The fun starts at Chapter 4, where he covers  the process from data to useful pictures. This actually explains why some visualization are useful and some are not; if you just jam data into a graphing program, there is a good chance that it would not be too useful. If you follow the ideas from Ch4, it is more likely to be useful.

Ch5 and 6 cover network data analysis: logs, packets, flows. This is what most people usually try to visualize; this book goes beyond “worms and scans” into nice visuals of email traffic, wireless and even vulnerability data (I found the latter slightly confusing). Ch7 covers “compliance”, which, in this case, covers all sorts of fun things, from risk assessment to database log visualization.  As I said, Ch8 is my favorite: I agree that insider tracking MAY be the area where visualization tools and approaches beat others. In Ch9, the book covers a few visualization tools; obviously, including the author’s AfterGlow.

So, to summarize, get the book if you have any connection to security AND data analysis. In fact, it is very likely that if you are doing security, you’d have to do data analysis at some point and so will benefit from reading the book. And, yes, it does come with a CD full of visualization tools (DAVIX).

BTW, I am posting it at Amazon as well.

After 26 days, and almost 350 million e-mail messages, only 28 sales resulted -- a conversion rate of well under 0.00001%. Of these, all but one were for male-enhancement products and the average purchase price was close to $100. Taken together, these conversions would have resulted in revenues of $2,731.88 -- a bit over $100 a day for the measurement period or $140 per day for periods when the campaign was active. However, our study interposed on only a small fraction of the overall Storm network -- we estimate roughly 1.5 percent based on the fraction of worker bots we proxy. Thus, the total daily revenue attributable to Storm's pharmacy campaign is likely closer to $7000 (or $9500 during periods of campaign activity). By the same logic, we estimate that Storm self-propagation campaigns can produce between 3500 and 8500 new bots per day.

Under the assumption that our measurements are representative over time (an admittedly dangerous assumption when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a year. This number could be even higher if spam-advertised pharmacies experience repeat business. A bit less than "millions of dollars every day," but certainly a healthy enterprise.

Of course, the authors point out that it's dangerous to make these sorts of generalizations:

We would be the first to admit that these results represent a single data point and are not necessarily representative of spam as a whole. Different campaigns, using different tactics and marketing different products will undoubtedly produce different outcomes. Indeed, we caution strongly against researchers using the conversion rates we have measured for these Storm-based campaigns to justify assumptions in any other context.

Spam is all about economics. When sending junk mail costs a dollar in paper, list rental, and postage, a marketer needs a reasonable conversion rate to make the campaign worthwhile. When sending junk mail is almost free, a one in ten million conversion rate is acceptable.

News articles.

That’s the question the Consumerist asked readers today, with a story about a Florida grand-dad whose gardener is supposedly fleecing him for over $10k / month, allegedly to help an ailing friend:

Shaun says his 80+-year old grandfather, Steve, is being scammed out of over $10,000 a month. It seems Steve recently hired a female gardener who introduced him to a “wealthy friend,” and now he’s loaning them money to pay for groceries, cable, home upkeep, and, get this, bodyguards to protect her from an ex-husband and son who to want to kill her. When the family tries to intervene, Steve says the family is trying to put him in a nursing home and steal his money. Shaun is at a loss. How can he help his grandfather, who doesn’t want to be helped?

Another question that might be relevant in the IT Security community is, are the elderly more prone to these scams, and if so why? In the tech world it’s widely assumed that the older generation just has a harder time learning and grasping how to use technology so may not understand what is risky and what isn’t.

But perhaps there’s a deeper problem, either with some form of dementia and paranoia in the older years, or just a purer vulnerability associated with being alienated from the new, cutting edge and modern world as we age, or some kind of unwillingness to be suspicious because of the need to have caring people around you?

We had an email recently from an observer "curious as to why the webcam that was inside the shop/bar is no longer there, or at least, functional". The email was from the Defense Threat Reduction Agency in the United States.

When we replied that it was simply a short term technical problem, we asked why on earth they could be interested in the comings and goings of a small Distillery off the West Coast of Scotland. Were there secret manoeuvres taking place in Loch Indaal, or even a threat of terrorists infiltrating the mainland via Islay?

The answer we received was even more surreal. Evidently the mission of the DTRA is to safeguard the US and its allies from weapons of mass destruction -chemical, biological, radiological, nuclear and high explosives. The department which contacted the Distillery deals with the implementation of the Chemical Weapons Convention, going to sites to verify treaty compliance. Funnily enough chemical weapon processes look very similar to the distilling process and as part of training there is a visit to a brewery for familiarization with reactors, batch processors and evaporators. As they said, it just goes to show how "tweaks" to the process flow or equipment, can create something very pleasant (whisky) or deadly (chemical weapons).

As they say: "In the post-Cold War environment, a unified, consistent approach to deterring, reducing and countering weapons of mass destruction is essential to maintaining our national security. Under DTRA, Department of Defense resources, expertise and capabilities are combined to ensure the United States remains ready and able to address the present and future WMD threat. We perform four essential functions to accomplish our mission: combat support, technology development, threat control and threat reduction. These functions form the basis for how we are organized and our daily activities. Together, they enable us to reduce the physical and psychological terror of weapons of mass destruction, thereby enhancing the security of the world's citizens. At the dawn of the 21st century, no other task is as challenging or demanding".

We'll see how well it works.

I'm not a crazy environmentalist, but waste makes me cringe. I make it a habit to contact companies that mail me catalogs that I don't read, telling them to take me off of their lists. I also do little things like bring a couple of bags to the grocery store every time I go in order to avoid generating more plastic waste.

The other day, I was buying my son a sweatshirt in T.J. Maxx, and the clerk popped it into a plastic bag. I said, "Thanks, but I really don't need that bag." He promptly balled it up and threw it in the trash. It makes me sad how so many people just don't get it. If everyone would just think a little bit about this in their daily lives, I think it'd make a big difference for the world we leave to our kids and grandkids.