Schneier on Security

I wonder how long it will be before someone sends a spoofed email claiming that the country is at the highest level of alert... Panic buying would commence. I wonder if a leading supermarket chain would create such an email to clear their shelves.

Spoofing?

I did a trial subscription usnig pookmail. Want to see what happens first. The subscription confirmation came from yoho-common.wc09.net which is owned by:
OrgName: Level 3 Communications, Inc.
OrgID: LVLT
Address: 1025 Eldorado Blvd.
City: Broomfield
StateProv: CO
PostalCode: 80021
Country: US

because they're using www.whatcounts.com to manage their mailing list.

Just how many ways is this a bad idea?

Rich

So when all the terrorists will be subscribing to these terrorist alert emails ... will they strike then the terrorist threat is at high or at low? Somehow I think there will be the green ever "go out and enjoy your life".

I thinks it's a good idea. At the moment the threat level is Severe, which is reassuring, because recent terrorist attacks have only happened when there was supposed to be no threat.

"including speeches made by the director general and links to relevant websites."

That's a brilliant idea, seeing as how we can all see how accurate the DG's speeches are!!

http://www.guardian.co.uk/attackonlondon/story/...

Take a look at SpyBlog's analysis of how they manage the mailing list:

http://p10.hostingprod.com/@spyblog.org.uk/blog/...

Off topic but hopefully helpful.

Just for those who have not discovered a good way to post long urls in post here is TinyUrl

http://tinyurl.com/

I do not work for TinyUrl, just think it helps post look neater and organized.

@ben: The current level is "Severe" meaning "an attack is highly likely". The next (and also the highest) level is "Critical" meaning "an attack is expected imminently". If it gets that far, you might want to avoid crowded places like supermarkets.

So if you want to fill up your stock in a panic, the right moment would be now...

Bac, tinyurl is not for the paranoid. It is not readily apparent where you'll end up when clicking the link and the target may not be 'work safe'. That said I use it quite a bit and they have a preview feature on thier site.

regards,

Fin

sdfdsfdsfds

Best terror alert system ever:

http://www.geekandproud.net/terror/

Today we are at Ernie for all commercial flights, and at Bert for everything else.

@Fin

so use http://preview.tinyurl.com/ , or add the 'preview.' before any tinyurls you come across. At the least, you can preview the actual link. Your NSFW comment applies to *any* link - do you trust the word of someone random on a public message board about whether their long link is SFW?

Maybe they should use color codes instead. :)

Anyone who actually believes in the MI5 threat level probably deserves whatever they get in terms of spoof email alerts.

The Home Secretary, John Reid, stated in December that an attempted terrorist attack in the UK over Christmas was "highly likely": http://www.google.com/search?...

Since there wasn't one, I think Bayes' Theorem tells us that it is "highly likely" that Reid, and hence also MI5, either don't know what they're talking about, or else were lying.

All those terror alert levels etc. remind me of a mother trying to get her child to bed/school/etc.
Like:
"Johnny, I will count to 3 now, and then you'll do it !
One...... Two .... Two and a half .... 2,75 .... "
Basically everyone wants to raise the alert level so when something happens they could say "I told you", but since raising it to maximum too often is not a good idea, it kind of fluctuates somewhere near the top.
I wonder when new levels are invented .... like "Very Critical", "Extremely Critical", "Critical, and I do mean it ! "....

Do they increase the terror alert level before the director makes a speech?

I can see how that might be useful.

Everything else, bleh.

surely a vista machine running nsa code can stop an mi5-spoof email. coming soon to your box: spy versus spy!

If I get an email, what should I do?

Pointless wolf crying.

There's got to be some sort of math formula here...

It would have to include something about stupidity approaching infinity and multiplied by FUD equals waste times hysteria, so that hysteria becomes infinite given a limit on waste. I need to spend some time working this out - the proof alone could be great.

Many office workers in NYC were hysterical about the stink the other day. People are no longer just afraid of being blown up - they're now afraid of being "stunk to death." This is how far it's come: a sad state of affairs indeed.

Presumably, when the 'Terrist' color code went to red, the system would flood the internet with identical messages bound for all IP address in the UK.

Hopefully, antispam software would intercept all of these and scram the spam.

Still, it would cause a general DoS, would it not?

Why on earth *email*? What's wrong with RSS, apart from the fact it's already been done by someone else?

"...not necessarily that much information on the website about how you should act and how you should respond..."

Therein lies the real issue. MI5 should be trying to answer the "difficult question" of what to do with information about threats, and resist the easy path of spreading FUD.

While this may well be security theatre from the perspective of "being seen to be doing something", it does give MI5 a database of the email addresses of the folk who are most paranoid about terror alerts. I have no idea how useful such a thing might be, but..

If I was a terrorist, I'd subscribe to that list.

MI5 e-mail alert signup shambles - all email subscription web forms sent to the USA, without encryption

See Spyblog:

http://p10.hostingprod.com/@spyblog.org.uk/blog/...

"Astonishingly, MI5, the Security Service, part of whose remit is supposed to be giving protection advice against electronic attacks over the internet, is sending all our personal details (forename, surname and email address) unencrypted to commercial third party e-mail marketing and tracking companies which are physically and legally in the jurisdiction of the United States of America, and is even not bothering to make use of the SSL / TLS encrypted web forms and processing scripts which are already available to them."

Considering the overwhelmingly humongous number of terrorist attacks we've had in the US since 9/11/01, this one seems to work:
http://www.claybennett.com/pages/advisory.html

MY NAME IS SARAH , I EXPORT TRUCKS ALL OVER THE WORLD,, i do get alot of those check from nigeria you all now that scam, i just throw them away
but today, i got a large check ,, and
it came from london the directions said to wire this money to a forien group in san fransisco, which is not typcle, money
scam, makes me wonder if this foriegn group in san fransisco is planing something, i'm going to turn the info to FBI WHAT DO YOU THINK,, I THINK SOMETHINGS UPP