imchris.org

The paper, “Click Trajectories: End-to-End Analysis of the Spam Value Chain”, got quite a bit of pres recently so there’s a number of great articles that summarize the paper content and have gone out to get quotes from banks and other security researchers and experts.

Newspaper, online news, and blogs:

• Study Sees Credit Cards as a “Choke Point” for Spam, New York Times
• Spammers and Their Bankers, New York Times Editorial
• How spam works, from end to end, boingboing
• Scientists Find ‘Choke Point’ Of Spam Email, Redorbit
• Anatomy of a Spam Viagra Purchase , Technology Review
• Researchers: Kill spam e-mails by choking off scammers’ cash, Consumer Reports
• Have Researchers Found a Cure for Spam?, ITBusinessEdge
• A True Final Ultimate Solution to the Spam Problem?, CircleID
• Banks Profit From Spam, F-Secure
• Secret to Stopping Spam: Follow the Money, Scientific American Blog
• Spam as a Business, Bruce Schneier
• A Way to Take Out Spammers? 3 banks process 95% of spam transactions, Ars Technica
• Credit Processors Targeted in Fight Against Spam, The Register
• Stopping Spam at the Bank, Internet Evolution

You can even watch a video!

• KTVU San Francisco

At the beginning of the year, in the middle of the project that led to the CCS paper on Twitter spam, I decided to try out Amazon Web Services. As I’ve slowly become familiar with the process, I’ve found that more and more I can make use of EC2, S3, Elastic Map Reduce, or even Virtual Private Cloud for what I’m working on.

Sometimes this is a mixed blessing – I spend a bunch of time working out how to use a certain AWS feature, when I could have just ran with something I baked myself. Other times, it’s awesome.

One of the current projects I’m working on is building a service that can quickly identify URLs as being spam, the target being a service that Facebook, Twitter, or anyone else could add into the line of fire and remove bad messages before they are seen a few thousand times (and reported as spam or phishing).

For the most part, our stuff is up and working –and even works at quite a large volume on relatively small amount of computers. What’s even better is that it’s currently operating on AWS, running a reduced volume (1 million URLs per day) on medium sized instances, for around $.00086/URL (works out to $860/month for 1 million URL capacity). We’ve also been testing to see if this scales, and it looks like it does! a little less than linearly with the number of URLs we need to handle per day. As we evaluate more of the system we’ve built and write the paper, I’ll post a few updates on how it’s built and what we are using to make it all work.

In the summer of 2007 I wrote a paper on the OP web browser that was published at Oakland in 2008. A few months afterward I was invited to submit it as a “fast tracked” paper in a journal. I thought it would be a easy way to add in some of the work we had done while working on and using OP since summer 2007.

If, or when, the journal paper actually gets published, security and systems researchers will have been using OP since November 2007 (3 years ago!), Chrome since Sept 2008 (2 years ago!), had the opportunity to read the Gazelle paper (summer 2009), use Firefox with out-of-process plugins (spring 2010), and possibly even try out a full multi-process Firefox (upcoming release?), not to mention LCIE in IE8 (spring 2009). And this list doesn’t even include the many other security improvements that have been made in these browsers by both researchers and industry.