Interesting, I was reading a Bruce Scheier article about bank security. The recommendation was two fold: users need to know something and need to have something. Very simple, very secure. For example, they would need to know their user id and would need to have a secure id token.

However, the banks balked at the cost (not that unreasonable, a token for every bank account would be a phenomenal cost that they would have to bear) and implemented their own two-step: you need to know your user id and you need to know your password. Less secure but, as far as they were concerned, it's the best security at the right price.

So when your CIO points out that your security uses the same standard as the banks you can ask "is it the recommended standard or the implemented standard?"

There is a web site where they scam the scammers. They persuaded some nigerian scammers to submitted their rendition of the Monty Python Parrot sketch. Then they posted the submitted sketch. Apparently the scammers don't know the difference between a parrot and a duck.

http://www.youtube.com/watch?v=LvyrzQldOKE

You mean www.419eater.com or similar I guess.

I believe that I've received at least one email that said something about updating my password in a bank I've never used. Of course I've deleted it.

I think that attempts to steal password are moderately rare, when compared to attempts to steal money. I mostly receive following emails:
1) Uk lottery board winning notice. This thing is really annoying (subject is "DEAR WINNER"), and always have different reply address, other names, etc. Since I didn't buy lottery ticket, I can't win it. This was a most frequent letter until recently. I had at least several dozens of those.
2) A letter from some high-rank bank personnel /*sometimes located in africa no, it's not a princess*/ who asks for help with moving funds somewhere.
3) A "security update" or a "firewall update" with a Windows virus inside.

There are also some things that should be avoided on the internet:
1) flashing "you have won" banners. (I've zapped most of them with squid/adzapper, though). Most of them lead to a same scammers site.
2) Similar-looking, but different domain names (see Wikipedia article http://en.wikipedia.org/wiki/PayPai ,for explanation)
3) anything that asks about any password from any other service.

There are a lot of sites about scams and phishing on the internet, they can be easily found using google.

I also recommend reading this: http://www.pacifier.com/~stopspam/email/headers.html (article about reading email headers)

At least you get all the interesting spam . Most of my spam consists of blank emails. No subject title, and either little or nothing in the body. I guess I am getting misconfigured spam.

I miss being on Comcast. There, I could setup a whitelist and have only the emails I allowed to come through configured on the server side, Verizon doesn't really do that.

I do open most of my spam, just to take a peek at the headers. I know I shouldn't even open it, but I do this under Linux, and I always take myself offline, that way the email can't 'call home' with some kind of loaded image if it is html(which 99% are), and I delete them before bringing myself back online.

Anyways, I was hoping someone would have some kind of opinion about my suggestion of giving out useless info to these phishers that try to steal passwords, http://www.linuxquestions.org/questi...97#post3107597

*Writing that down..*

I've also "won" a few times in the UK lottery thing. Interesting, as I didn't even know for sure there existed one (with that name; I know there's gambling of some sort everywhere) before that.

Now that the banners have been mentioned that say that you should upgrade [some Windows component name here], I have to say I wonder who bothers writing them. In the past they used to be just ugly-looking messages saying you should install some piece of software..not very convincing. Then pop-ups. After pop-up blockers they (or those I saw) were graphical elements of the web pages again, but this time with a "window decoration" of Windows - XP, when it came really popular. Funny to look at an "XP warning message" while surfing on a Mac or a Linux machine.. But I think I have now seen some banners, or then it's just been too much "luck", that read the information (from browser?) that tells, or tries to tell, which browser version and operating system you're on, and try to make the ads to fit better into the desktop the browsing user might have. Part of them are some sort of sniffers, I take it, but what amazes me is that some folks really take the time to write some web stuff that tries to guess what the user's desktop looks like, to fit in better; the ugly ones probably don't take much time to do, but what about the "good" ones? I mean, couldn't the folks just go to work instead of writing those, or are they perhaps doing them at work?

I've seen at least two sites (one of them advertised to put it's URL in emails and web pages somewhere to trick some spam bots to visit the site) that did something like it. Not for phishing folks, but for spam bots; basically the site had some nonsense email-looking urls, and in the end a recursive link back to the page (and if I'm not mistaken, it somehow generated more or less randomly the garbage addresses), the idea being to have an automatic email-address collector bot visit the site and eat up endless amounts of nonsense addresses, hoping that it would become too heavy for the spammer program to deal with that amount of addresses. Not sure if it worked, or if anybody interested..personally I don't think that's the solution, and in addition some countries' laws say it's illegal to give false information to other people - even if they were phishers or spammers

Otherwise a nice idea, try to exhaust the bad folks by feeding them false information, but in the end it doesn't help much. Machine power grows every day, so I don't think the amount of false information is of any use; the problem persists as long as they have at least a few real targets.

Thats kind of dumb. What if I want to still download a file on a site, that wants my email address (e.g. CDRwin from goldenhawk.com). I am not about to give them my email address, I just give out a jibberish address like, uselessinfo@aslkjd.net, then I get my file. What are they going to do about it? Trace my ip? Then what? Like I give a shit. If they are not going to verify and I can still get my file, I am going to keep giving out false information to sites that I feel don't need to know my address. LQ and the Slackware mailing lists are the ONLY exceptions though.

I don't see how these countries that have these laws on the books can really do much about it if persons like myself do this all the time.