Archive for the 'Security' Category

Captcha::reCAPTCHA

Monday, May 28th, 2007

I’ve just released a Perl interface to reCAPTCHA. You should be able to find it here:

http://search.cpan.org/dist/Captcha-reCAPTCHA

At the time of writing the US mirror of search.cpan.org doesn’t seem to have updated for a few days so if you need it in a hurry you can also get it here:

http://cpan.hexten.net/modules/by-authors/id/A/AN/ANDYA/


Microsoft Innovate

Thursday, February 1st, 2007

You just can’t keep a good company down, can you? I’m pretty sure that the inclusion of an analogue security hole in Vista is a first.

It just goes to show: all the DRM in the world can’t plug up the analogue hole.

Akismet Down?

Sunday, October 1st, 2006

I’m getting loads of comment spam in my moderation queue - just like when Akismet went down about a month ago. This time there’s nothing about it on the Akismet blog.

Is anyone else getting hit?

Update: I’ve just installed Spam Karma 2.2 and within fifteen seconds of activating it, it caught three comment spams. As far as I can tell it works happily with Akismet to provide belt-and-braces spam trapping.

What we really need is a plugin that automatically makes a withdrawal from a shared spam fighting fund and uses it to pay for a hit man (or woman) to solve the problem at source. Of course that’d need a pretty strong AI; the collateral damage cost of any bugs might otherwise sit uneasily on the conscience.

How to End Phishing With RSS

Monday, September 25th, 2006

The Register is running a largely unsurprising story that reveals that UK punters are still falling for phishers. I imagine susceptibility to phishing isn’t limited to the UK. If you have active items on eBay (for example) just how are you supposed to know that an email purporting to be about an item you have for sale is a fake? They tend to look pretty convincing these days.

The obvious solution would seem to be to give users the option of subscribing to an RSS feed instead of email notifications. Email is pushed; in spite of any appearance to the contrary, RSS is pulled - nobody can send you an RSS feed you haven’t subscribed to. It turns out that this isn’t an original thought: Will Pate beat me to it. So, what about it?

pam_abl RPMs available for Centos4 and RHEL4

Tuesday, January 24th, 2006

Michael Lang has made an RPM and SRPM for pam_abl available for Centos4 and RHEL4. More details here. Thanks Michael.

SORY seems to be the hardest word

Wednesday, November 16th, 2005

The folks over at Sory Electronics have taken my T shirt design and run with it. The result: soryelectronics.com - a call to boycott Sony. Just do it.

In related news Cory Doctorow is reporting over at BoingBoing that Sony have issued a ‘non-apology’ - way to go Sony. You know Sony really should be taking this a bit more seriously - after all Cory seems to be the hardest nerd.

Er, sory.

Boycott Sony

Monday, November 14th, 2005

So the geeks are up in arms about Sony’s ill advised Root-Kit-as-DRM approach to hoarding their treasures. If by any chance you’ve missed any of the saga I’m not about to rehash it here - there’s a timeline of the whole debacle on Wilcohol.com.

Mighty though the geek hordes are, we should really be thinking of a way to get everyone else - normal people - fired up about this. Otherwise the danger is that it’ll all blow over in a couple of weeks and then, before we know it, they’ll be back with something equally intrusive along with a bunch of spin to explain how it reduces the risk of cancer, promotes democracy and involves no cruelty to animals.

To that end I’ve knocked up a T shirt design (find V1.0 on Cafepress) which I hope might prompt questions that will allow the wearer to explain why we shouldn’t be buying Sony’s products right now.

Disclosure: if you buy a shirt from that site I’ll get a couple of bucks. I’m quite happy though for people just to take the design and use it. The artwork is here if anyone wants it. Or better yet remix that design or produce one of your own. If you do tell me about it.

Update: Cory Doctorow has a piss-boiling timeline of the whole thing over on BoingBoing.

Social Engineering?

Thursday, October 6th, 2005

I think this may be the best yet… I’ve just had to call my cellphone provider, O2, about a fault on the account. After ten calls to different numbers (I’m not kidding - I counted them) I finally got through to a human. It went like this:

Him: What is your mobile number please?
Me: <my phone number>
Him: And your postcode?
Me: <my post code>
Him: What is your password?
Me: I don’t know…
Him: OK, er, oh, it’s <my password>

Yup, that’s right he asked me for my password and when I couldn’t remember it he immediately told me what it was. I’m obviously getting really l33t at this social engineering thing. So here’s an experiment we can all try at home: next time you have to speak to your bank, your credit card company, the telephone company, whoever, do a little probing to find out just what you can get them to reveal. Forget (temporarily) any passwords or security questions and confine yourself to information about yourself that’s public - name, address, postcode, maybe your phone number. Bear in mind that it’s not hard to find your mother’s maiden name or your date of birth either - these being matters of public record. Let me know how far you get.

More Phishing

Friday, September 16th, 2005

Hot on the heels of my phishing lesson from Barclaycard I had a phone call yesterday from my bank. Well, I’m pretty sure it was my bank. The guy on the phone said “Hello, this is whoever from Lloyds bank. To confirm your identity could you please give me your date of birth and your online banking password?”. The point is that he called me; he could have been anyone. The only credential he offered was that he knew who I banked with; not hard to find out. In fact I’ve just told you all that it’s Lloyds…

I explained to him that I had no way of knowing that he was who he claimed to be and - after a pause - he came back with some details from my bank account that presumably would only be known to me and the bank. At this stage I should have teased him: “Thanks for that; when Andy gets back I’ll let him know you’ve just divulged confidential details about his account to me”. I didn’t but if they call again I think I will - I feel obliged to find out what kind of reaction that produces.

You’d think the people who design these procedures for the banks would have enough security savvy not to actively encourage people to fall for such simple social engineering tricks though, wouldn’t you? I have to admit that I only just managed to stop myself from giving him my details without authenticating him - and I actually know a bit about this stuff.

I suppose the full exploit works like this: phone someone up posing as a marketeer and say “May I ask who you currently bank with?”. Make a note of their reply and then pretend to get cut off or follow up with some fake marketing guff. Then some time later phone up again and say “Hello, it’s Conman here from <insert name of bank recovered at stage one>. Before I continue please verify your identity by giving me your password”. That’s it - you now have all the information you need to take control of their account.

Phishing Lessons from Barclaycard

Thursday, August 25th, 2005

I just bought a new hard drive online. As part of the payment process I was redirected to a Barclaycard site that asked me for a few additional details and then signed me up for their new online payments security scheme. So far so good.

They then sent me an email. An HTML email containing a link I could follow to log on to their secure server. Actually the mail didn’t come from a Barclaycard domain but from securesuiteemail.com, which I’ve never heard of. So basically they sent me a mail which, apart from the fact that the links really do go to their site, is indistinguishable from ten phishing emails I get every day.

Maybe it’s just me but I’m not convinced that by encouraging people to trust this kind of mail they’re really doing their bit to educate hapless web users about the perils of phishing.
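The two things that made that Barclaycard mail look like a phish - a sender domain unrelated to the brand, and a log-on link in an HTML body - are exactly what a mail filter can check mechanically. The script below is an added example, not code from the original post or from Barclaycard: it parses a raw message, compares the From: domain and every link’s host against a list of domains you trust for the brand, and also flags the classic trick of link text that displays one URL while the href goes somewhere else. The sample message, the domain names (all under .example) and the `registrable` helper are constructed assumptions; the helper is a crude stand-in for the Public Suffix List.

```python
"""Flag an HTML e-mail whose sender or links fall outside the domains you
expect from the brand it claims to come from.

Added example (not the original post's code). The sample message, the
trusted-domain list and the helper names below are assumptions.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Generic second-level labels under two-letter ccTLDs (bank.co.uk, bank.ac.uk).
GENERIC_2LD = {"co", "com", "org", "net", "ac", "gov"}


def registrable(host):
    """Approximate the registrable domain of a host name.

    Keeps the last two labels, or three when the second-level label is a
    generic one under a two-letter ccTLD (www.bank.co.uk -> bank.co.uk).
    Assumption: good enough for the brand domains you hand in; a real
    filter would consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in GENERIC_2LD:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _host(url):
    """Host part of a URL, or '' if it has none (mailto:, bare text, garbage)."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from the <a> elements of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw, trusted_domains):
    """Return findings for one raw RFC 822 message as (kind, detail) tuples.

    kinds: 'sender-domain'  From: address is outside the trusted set
           'link-domain'    an http(s) href points outside the trusted set
           'text-mismatch'  link text shows a URL on a different domain than the href
    An empty list means nothing looked out of place, not that the mail is genuine.
    """
    trusted = {registrable(d) for d in trusted_domains}
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_hdr = msg["from"]
    sender_domain = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    if registrable(sender_domain) not in trusted:
        findings.append(("sender-domain", sender_domain))

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings  # plain-text mail: no HTML links to inspect
    parser = _Links()
    parser.feed(body.get_content())

    for href, text in parser.links:
        href_host = _host(href)
        if urlparse(href).scheme in ("http", "https") and registrable(href_host) not in trusted:
            findings.append(("link-domain", href))
        # Only treat the anchor text as a URL claim if it looks like one.
        shown = text if "://" in text else ("http://" + text if text.startswith("www.") else "")
        shown_host = _host(shown)
        if shown_host and registrable(shown_host) != registrable(href_host):
            findings.append(("text-mismatch", f"{text} -> {href}"))
    return findings


# Constructed sample: a third-party mailer sending on a bank's behalf, with one
# link whose visible text claims the bank's domain but whose href does not.
SAMPLE_MAIL = """\
From: "SecureBank Payments" <noreply@thirdparty-mailer.example>
To: customer@example.net
Subject: Activate your online payments security scheme
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Thank you for enrolling. Log on to your secure server here:</p>
<p><a href="https://login.thirdparty-mailer.example/secure">https://www.securebank.example/secure</a></p>
<p><a href="https://www.securebank.example/help">Help and FAQs</a></p>
<p><a href="mailto:help@securebank.example">Contact us</a></p>
</body></html>
"""

TRUSTED = ["securebank.example"]  # assumption: the only domain the bank should use

if __name__ == "__main__":
    for kind, detail in check_message(SAMPLE_MAIL, TRUSTED):
        print(f"{kind:14} {detail}")
```

Run against the sample it reports the unrelated sender domain, the off-brand log-on link and the text/href mismatch; the mailto: link and the on-brand help link pass. Adding the mailer’s domain to the trusted list silences the first two findings but not the mismatch, which is the one a user can never see in a rendered HTML mail and is why plain-text notifications (or the RSS pull model from the earlier post) are easier to reason about.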


Copyright Andy Armstrong, 2005. Entries (RSS) and Comments (RSS).