Archive for June, 2010

Be skeptical or be a victim

Wednesday, June 30th, 2010

For the second time in the last few days, I received a phony e-mail message purporting to be from the package delivery company UPS. A skeptical person would have deleted the message, and good thing too, because odds are that anti-malware software on a Windows* computer would not have protected the trusting or inexperienced user that believed the scam.

The first thing to be skeptical of is the From address. Never trust the From address in an e-mail message, it is easily forged. Digging into the e-mail headers showed that the message, shown below, actually came from a computer at IP address 121.139.93.144.

Subject: Problems with delivery

Unfortunately we were not able to deliver postal package you sent on September the 1st in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office

Thank you for your attention!
Your United Postal Service
http://www.ups.com

Civilians (meaning someone not involved in law enforcement) cannot reliably trace an IP address to a city, let alone an exact address. However, tracing it to a country is, I believe, reliable: the message came from Korea.**

The attached file, ups_invoice.zip contained a single file, ups_invoice.exe.

I sent the EXE file to Virus Total and they had already seen it. Of the 36 anti-malware products they scanned it with, only 14 (39 percent) correctly flagged ups_invoice.exe as something to avoid. Among the free anti-malware programs, Avira’s AntiVir correctly flagged it as bad, but Avast and AVG did not. McAfee missed it, as did NOD32, Panda, PC Tools, Sunbelt and Trend Micro.

The interesting thing here is the constant struggle of anti-malware companies to keep up with the latest malicious software.

On the Internet people lie to you all the time. Back in April, I wrote that the most important aspect of Defensive Computing may very well be skepticism.

Yes, this message was amateurish and a number of things give it away as phony. However, the next one may not be so obvious and anti-malware software will always be imperfect. Thus, skepticism may be your best defense.

Update September 12, 2008: Two more of these came today. Neither even bothered hiding the EXE file inside a zip file. I sent one of them to VirusTotal and, again, they had seen it before, this time about 20 hours prior to my uploading it. Initially, 17 out of 37 anti-malware products (46%) detected it as suspicious. When I requested VirusTotal to scan it again, 17 out of 36 products (47%) detected it as malicious. Beats me what happened to that missing anti-malware product.

*As is the norm, Mac and Linux users would have been protected as the malicious software was Windows based.

**The message initially passed through an e-mail server run by servage.net, which was probably innocent in all this.

See a summary of all my Defensive Computing postings.
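The checks the post walks through, as an added Python example that is not part of the original post: read the Received chain instead of trusting the From line, and look inside a zip attachment for an executable. The sample message, host names and IP addresses below are constructed (RFC 5737 documentation ranges), not the real headers of the UPS lure.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Optional

SUSPICIOUS_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def is_private(ip: str) -> bool:
    """RFC 1918 and loopback ranges are internal hops, not the origin."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a in (10, 127) or (a == 192 and b == 168) or (a == 172 and 16 <= b <= 31)

def originating_ip(msg: EmailMessage) -> Optional[str]:
    """Each relay prepends a Received header, so the last one is the earliest hop.
    Only headers written by servers you control are trustworthy; the sender can
    forge anything below them, so treat the result as a lead, not proof."""
    for received in reversed(msg.get_all("Received", [])):
        for ip in IP_RE.findall(str(received)):
            if not is_private(ip):
                return ip
    return None

def executables_in_attachments(msg: EmailMessage) -> list:
    """Names of executable attachments, including ones wrapped inside a zip."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(SUSPICIOUS_EXT):
            found.append(name)
        elif zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                found.extend(f"{name}:{n}" for n in zf.namelist()
                             if n.lower().endswith(SUSPICIOUS_EXT))
    return found

def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report the From domain, the apparent
    origin IP and any executables found; the reader compares the first two."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    addrs = msg["From"].addresses if msg["From"] else ()
    return {
        "from_domain": addrs[0].domain if addrs else None,
        "origin_ip": originating_ip(msg),
        "executables": executables_in_attachments(msg),
    }

def build_sample() -> bytes:
    """Constructed lookalike of the post's lure: forged ups.com From, two Received
    hops on RFC 5737 documentation addresses, and a zip around a placeholder 'exe'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ups_invoice.exe", b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "United Postal Service <service@ups.com>"
    msg["Subject"] = "Problems with delivery"
    msg.set_content("Please print out the invoice copy attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="ups_invoice.zip")
    hops = (b"Received: from relay.example.net ([198.51.100.7])"
            b" by mx.example.org; Fri, 12 Sep 2008 09:00:00 +0000\n"
            b"Received: from mail.ups.com (unknown [203.0.113.45])"
            b" by relay.example.net; Fri, 12 Sep 2008 08:59:00 +0000\n")
    return hops + msg.as_bytes()
```

Running `triage(build_sample())` shows the From domain (ups.com) and the earliest public hop (203.0.113.45) disagreeing, and the executable hidden in the zip, which is exactly what the header digging in the post turned up.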

iRobot preps pared-down PackBot for civilians

Monday, June 28th, 2010

iRobot’s PackBot 510 outfitted with the offered iRobot First Responder Kit

(Credit: iRobot)

iRobot already offers a version of the PackBot 510 with a kit for first responders. While some municipalities have adopted it, the PackBot hasn’t exactly become a common sight at your local police station.

The Negotiator will be available in the fourth quarter of 2008 for about $20,000, according to iRobot.

(Credit: iRobot)

Like the PackBot, the Negotiator can climb stairs, work by remote control, and be outfitted with tools for reconnaissance and chemical detection.

It seems that iRobot has finally realized that the PackBot, while fine for military units with large budgets, was just too expensive for local government agencies to adopt.

(Credit: iRobot)

iRobot’s Negotiator.

The Negotiator, another tactical mobile robot that can climb stairs, seems to be a pared down, civilian version of the PackBot.

The Negotiator, iRobot's latest addition to its industrial robot line.

iRobot announced a new addition to its lineup of industrial robots Wednesday.

“We believe that the low entry price point for iRobot Negotiator will help make it accessible to local, state and federal agencies that would not have been able to afford a robot otherwise,” Joe Dyer, president of iRobot’s Government and Industrial Robots division, said in a statement.

Despite patch, today’s systems still vulnerable to

Wednesday, June 23rd, 2010

For the last week, I’ve written that Dan Kaminsky undertook unprecedented action in coordinating a variety of vendors in secret over the last six months. Ari Takanen, co-founder and chief technology officer of Codenomicon, wrote to challenge that notion.

In an e-mail on Thursday, Takanen cited his work on a Simple Network Management Protocol version 1 (SNMPv1) flaw back in 2002 as an example. Like Domain Name System, SNMP is a fundamental element of the Internet.

I wrote: “There have been other multiparty patch releases, but never has there been one on such a massive scale. It took someone with the gravitas and reputation of Kaminsky to pull together the affected parties.”

Takanen writes: “Well, actually that is not true. Our SNMP case was secret for nine months after reporting it to relevant vendors, and as far as I know it involved more than 100 vendors and other organizations (1,000+ people). We saw all possible attempts to disclose it, but even public disclosure lists appreciated the stand that CERT-US chose to take.”

CERT-US released its advisory on February 12, 2002, after word of the flaw leaked.

Takanen goes on to say Codenomicon provides a commercial tool to detect the SNMPv1 flaw as part of its quality assessment process.

The funny thing is six years later, the tool still finds active systems vulnerable.

Takanen, who advocates nonpublic disclosure of security flaws, said, “This just proves that reporting individual bugs for fame and fortune does not motivate the vendors to improve their quality assurance processes.”

The iPhone name game 2G, 3G, or 2.0

Tuesday, June 22nd, 2010

Back to the iPhone–the new model will effectively be “the 2G iPhone with 3G wireless.” It will also undoubtedly be running the 2.0 software that Apple previewed earlier this year. But to really confuse matters, that 2.0 software upgrade will certainly be available to first-gen iPhones–so we’ll likely have millions of 1G iPhones with 2.5G wireless (EDGE) running the 2.0 software, as well as a new crop of 2G/3G/2.0 iPhones as well. In other words: read the fine print on those eBay listings very carefully when you see a good deal on an “iPhone 2.0.”

The better question might be, “Why is the name of the keystone product from the company with the world’s best branding even subject to debate?” And we wish we had an answer. The real problem here is that Apple products are effectively named by the community. Apple generally sticks with the most generic name possible–iPod, MacBook, iMac–and leaves it to the collective wisdom of the Internet to delineate the new ones from the old. For instance, the bulbous original iMac–with a built-in CRT monitor–is commonly referred to as the “bondi blue iMac,” while today’s sleek flat-panel version is generally known by its processor and screen size (“Core 2 Duo 24-inch iMac”). But to Apple, both the 1998 and 2008 iMacs are simply known as “the Apple iMac.” Not very SEO-friendly, as we’d say–especially if you’re looking for support or repair info online.

There’s near universal agreement that Steve Jobs is going to unveil the next iPhone at next week’s Worldwide Developers’ Conference keynote in San Francisco. Whether it’s next week, next month, or next year, however, it raises a thorny semantic question: what will it be called? Most wags are dubbing it “the 3G iPhone,” as it’s certain to include the high-speed 3G (third-generation) wireless capabilities missing on the original model. But it’s still going to be the second-generation iteration of the product–thus, “the 2G iPhone.” Which one’s correct?

The sequel is imminent–but what will it be called?

So, what will we call this thing? I think “3G iPhone” will probably be the most common terminology–it’s the term people are searching on Google. But it won’t really matter–for most people, the fact that it’s “the new iPhone” will be all the description that’s needed. Of course, things could get confusing once the third-generation iPhone eventually hits…but that’s a Wikipedia fight for another day.

(Credit: Apple)

What do you think: should the next iPhone be called the “2G iPhone” or the “3G iPhone?” Or should Apple start using more descriptive model names and numbers for its products?

To be sure, the iPod line is broken into specific model types–the Shuffle, the Nano, the Classic, and so forth–but within those lines, the confusion persists. As a result, we have the generational (“G”) designation. If your iPod Nano has a plastic enclosure, it’s a 1G model; the 2G iPod Nano has a metal casing, but the same basic design; and the 3G “fat Nano”–the current generation–was the first one with video playback support. It can get pretty confusing–especially when compared to Apple’s software, which is blessed with triple decimal specificity (iTunes 7.6.2.9).

Zune updates Originals store with new designs

Friday, June 18th, 2010

If you’re going to go with an underdog like Zune, you may as well let your freak flag fly high by getting your player engraved. The Zune Originals online store, which went live last year, allows you to order your Zune MP3 player directly and receive an engraving of artwork or custom text on the back of the device.

Here's a tip. If you want your Zune Originals etching to appear as silver on black, you'll need to grab a model with a black backplate like the black Zune 16 or Zune 120.

(Credit: Microsoft)

There are new designs to select from, as well as new colors and capacities of third-generation Zune. While the Zune Originals engraving launched as a free service last year, the customization will now cost you an extra $10-$15 (depending on your design) on top of the retail price of your Zune.

It may be worth it, however, since Microsoft is stating that the only way for customers to currently get their hands on red, green, pink, and blue versions of the new 16GB Zune is to order directly through the Zune Originals online storefront. Brick and mortar stores will only be seeing the black versions of the new 16GB and 120GB third-generation Zunes (at least, for now).

TechForward Tech recycling for the upgrade-happy

Wednesday, June 16th, 2010

TechForward has also started a trade association called Ownership 2.0 with other companies based on subscription-based services or temporary ownership models, like temporarily owning textbooks.

TechForward’s spin on electronic recycling is getting consumers to think ahead and plan on returning their gadgets for resale.

It makes most sense for people who expect to upgrade to a newer model within a year or two and want to see these goods recycled.

Since it’s trying to sell to purchasers of new products, TechForward will be reselling goods from its customers, rather than actually breaking them down into their component parts.

As people buy more electronic stuff, there’s growing concern over hazardous electronic waste. A number of new companies are trying to keep that gear from fouling up landfills–and make a buck while doing it.

To make its buy-back service available to consumers as they purchase electronics, the company is planning on announcing a partnership with a large regional retailer and a national retailer in the next two months, Van Doren said.

The TechForward buy-back program–like the electronics repurchasing service Gazelle–relies on the assumption that most consumers are not comfortable selling their individual gadgets themselves on eBay.

TechForward has devised algorithms that figure out how much a product will be worth. A consumer can decide to sell something back sooner for more money as well.

“If you’re just doing recycling, it’s a tough business to be in for profit. You’re not creating a tremendous amount of value and you’re moving around heavy devices with (big) shipping costs,” Lebovitz said.

The company has raised two rounds of venture funding in the past year and a half.

But extending the life of an electronic gadget, rather than having it lie in a drawer and eventually be thrown in the trash is a good outcome from an environmental point of view, said Van Doren and co-founder Marc Lebovitz who is vice president of operations.

If a product has no commercial value, then TechForward will recycle it in “an environmentally responsible way.”

“We saw an opportunity to help people be more environmentally responsible and still get the latest and greatest technology,” said Jade Van Doren, the CEO.

Also, making money in recycling is difficult, which means that there aren’t many businesses competing to offer ways to responsibly dispose of electronics.

The business model of the 3-year-old company, based in Los Angeles, is to sell consumers a buy-back deal at the point of sale. So when you buy a shiny new iPod or digital camera, you can plan on selling it back in two years.

I’ll pass on the Pixies LP, but here’s 10 bucks

Sunday, June 13th, 2010

It was a story that hit close to home for me. I lived in Princeton, which lies roughly halfway between New York and Philadelphia, for roughly 15 years, from preadolescence into my early 20s. For a sizeable chunk of that time, I was a Record Exchange regular. I’d pick through the shelves, hunting for something that looked kind of cool or bugging the staff for recommendations. Plus, it was two blocks away from the ice cream shop where I worked in high school. It was a nice place to blow a paycheck on the way home.

“Book discovery” online is eons behind music discovery, perhaps because you can’t toss Hemingway and Hardy into an algorithm quite as easily as Hot Chip. But still, my offline-reading experience is migrating increasingly online; I’ve recently become a fan of Goodreads, and I subscribe to Flavorpill’s Boldtype newsletter. Then there’s the fact that my addiction to the contents of my Google Reader means I’m already reading fewer books and magazines (sad, I know). It’s made me start to wonder, in light of my Record Exchange realization, if one day I’d also feel like supporting a small bookstore, just to keep it alive.

Earlier this week, The New York Times had a nostalgic little piece about the Princeton Record Exchange, a music store in the eponymous New Jersey college town.

It was, as one might expect, the sort of narrative that could be written about any beloved indie-music haven these days: it’s a quirky anachronism in a world that really doesn’t need it anymore, but it keeps on trucking.

The notion of paying to keep something obsolete in business effectively makes it a museum. And the Times profile of the Princeton Record Exchange, with its quips about comically pretentious staffers and eccentric clientele who drive for hours just to get there, not to mention the decor (“early-dorm room with dorky posters, wood-plank ceiling, gray linoleum and an emaciated gray carpet”), reeks of a This American Life-worthy cultural vignette.

The digital-media revolution is all about efficiency, convenience, and accessibility, none of which apply to small-time music stores, where you have to flip through racks of CDs to find the one you want, only to learn that it’s sold out. But is that all bad? Perhaps one day, we’ll put that kind of musty inefficiency on a pedestal as a charming relic of the old days, an alternative to the everything-at-your-fingertips world that Larry and Sergey brought us.

Call me a terrible excuse for a music fan, but I don’t have any use for it; since I was never a vinyl collector (the story would be very different if I were a DJ), I welcomed the opportunity to free up bookshelf space by getting rid of all those darned CD cases.

Before Last.fm, Hype Machine, and Muxtape, this was how I defined “music discovery.” It was a lot more of a gamble. There were more than a few occasions when I picked something up at the Record Exchange just because the album art was cool. Bad idea. Now that I have the ability to preview something on Stereogum, read an appropriately convoluted review on Pitchfork, and stream it on Imeem before opting to plunk down $.99 for it on Amazon MP3, I’m saving money in addition to space.

Would I do that now? No. Reading that Times article turned me on to the realization that music stores like the Record Exchange no longer have a place in my life. As a music fan who’s eagerly plunged into the Digital Age–I had an iPod back when they were chubby!–this is somewhat of a disconcerting revelation. But I realized something else: I’d gladly fork over that $4.99 for a second-hand Pavement album, but I wouldn’t take the CD with me. I’d really just like to keep the store in business.

I didn’t live in a city, so I wasn’t surrounded by concert venues; I found new music by listening to a few good radio stations (Princeton’s indomitable WPRB, as well as a now-defunct indie-rock station from the Jersey Shore that I could get only by taping makeshift antenna wires to my bedroom wall) or poking around the Record Exchange.

And indeed, if I had the cash on hand, I’d support an independent record store for the same reason that some well-heeled philanthropists funnel money into historic-preservation funds for landmarks they’ll never see. We don’t necessarily need them for ourselves; for one reason or another, we just need to know that they exist.

I, for one, can’t remember the last time I bought a CD, since my entire music collection is now on a hard drive. I haven’t been to the Record Exchange in ages, nor do I poke my head into the scattered record shops that line the streets of the neighborhood where I now live in New York.

But the real reason I don’t go back to record stores isn’t because I can buy music online, it’s because I can discover it there. In my days of frequenting the Princeton Record Exchange, it was the late ’90s and early ’00s, before I owned a laptop or even a cell phone, when my house still had dial-up AOL. It was also the age of Clear Channel radio domination, rife with pre-bizarro Britney, ‘N Sync, and embarrassing excuses for “rock” (who remembers when Fred Durst was cool?)

I wonder if I was part of the last generation of teenagers to consider browsing through record store racks to be an essential pastime. The iTunes Store launched in 2003, when I was 18. Ten years from now, will the whole industry be digital, save for a few holdouts, retired hippies, and former indie-pop boys who don’t look so cute, now that they’re going bald?

Last year, a popular independent bookstore in Princeton (another frequent drain on my ice cream store paychecks, back in the day) succumbed to the Amazon juggernaut and shut its doors. Now, I still go to bookstores, namely the droolworthy Strand near Union Square in Manhattan. Most of the time, though, I don’t know what I’m looking for–I’m there for the search, not the retail. If I have a specific target, say, if my editor wants me to pick up The Complete Idiot’s Guide to Punctuation, I load up Amazon and order away.

Twitter CEO The revenue’s coming soon, but I won’

Friday, June 4th, 2010

But as the conversation went on, one got the impression that Williams actually has a plan. He revealed that the company is in talks with large consumer packaged good companies, and whether that’s to sell the company internal services or to help the company monetize its own Twitter feeds, it’s promising.

At a Churchill Club event in San Francisco on Tuesday, Twitter co-founder and CEO Evan Williams brushed off–again–criticisms that the company is slow to turn on its revenue-generating engines.

In other words, Twitter will get big by staying small–or at least by not expanding into new areas.

Williams co-founded Blogger, which Google bought in 2003. So it was interesting when Kevin Maney, who was interviewing Williams, asked him if he was worried about “Microsoft or Yahoo” launching a direct competitor to Twitter. Williams said, “I’m pretty sure they are (planning to), but we can’t worry about that. Focus is a really big deal. Even Google stumbles on the focus issue. It’s not as important as search and advertising. Innovator’s dilemma works against bigger companies.”

Evan Williams, godfather of Twitter.

Williams said, “We’re looking at Q1 for revenues.” This is a change from the original, pre-economic meltdown plan. “The original plan was to focus on revenues in 2010. That’s no longer the case, since I don’t want to raise money in 2009.”

Previously: 11 Twitter business models: Vote for the best.

At first, it sounded like Williams was a bit lost on the revenue front. “We will make money, and I can’t say exactly how because…we can’t predict how the businesses we’re in will work.” As he has before, he hinted at generating fees from sales-related Twitter content and from corporate users.

Google’s a big model for a small company (Twitter has 25 people), and Williams’ laid-back affect belies his ambition. He says, “I worked on Blogger for six years, and I don’t think that’s as big as Twitter. Twitter will dwarf that.”

The revenue plans aren’t just ads or sponsorships. “We want revenues to be product-based. Google built something that can really scale, and that’s our intention as well.”

And speaking of expansion, there are several projects on the books. Williams said that the top feature requested on Twitter is grouping, and that it’s in the works. This will enable users to segment their Twitter friends into sub-networks to send specific groups certain posts. It will also make Twitter a more useful tool in business.

(Credit: Rafe Needleman / CNET)

Williams also said that the company is working on ways to make Twitter easier for newbies to get into. “It’s amazing anyone uses Twitter today,” he said. “It’s hard.”

I left the talk with more confidence in Williams than I had previously, although I’m still not convinced that Twitter can be as big as Williams says it will become. Not because the concept isn’t big–it is–but rather because I am not convinced that a natural monopoly will form in the space. Social services are tending toward interoperability. Also, it’s never a sure bet that the first company in a technology space will be the one that ends up dominating in it. Google wasn’t the first search engine, for example. MySpace wasn’t the first social network. The microblogging corner of the technology economy is extremely young, just as Twitter is.