Interview with a 419 Scammer

For those who haven’t seen it, scam-detectives.co.uk has a really interesting 3-part interview with a former Nigerian scammer.

Scam-Detective: A reader has asked me to talk to you about face to face scams. Were you ever involved in meeting a victim, or was all of your contact by email?

John: I never met a victim, but I was involved in a couple of Wash-Wash scams.

Scam-Detective: Wash Wash scams? What does that involve?

John: We would tell the victim that we had a trunk full of money, millions of dollars. One victim met some of my associates in a hotel in Amsterdam, where he was shown a box full of black paper. He was told that the money had been dyed black to get through customs, and that it could be cleaned with a special chemical that was very expensive. My associates showed him how this worked with a couple of $100 bills from the top of the box, which they rinsed with some liquid to remove the black dye. Of course the rest of the bills were only black paper, but the victim saw real money. He handed over $27,000 (about £17,000) to buy the chemicals and was told to return to the hotel later that day to pick up the cash. Of course when he came back, there was nobody there. He couldn’t report it to anybody because if it had been real it would have been illegal, so he would have gotten himself into trouble.

Part 1, Part 2, Part 3.

We build tools in Firefox like stale-plugin warnings and malware blocking to help protect our users, to neuter the technological attacks they may encounter on the web. But we also try, and need to keep trying, to build tools that inform our users so that they can make better decisions. Our phishing warnings and certificate errors try to do this, but mostly by scaring users away from specific attack situations. I hope we’ll continue to build tools like Larry which try to give people some affirmative context as well, to lend some nuance to their sense of place online. I want us to help our users know when they’re on Main Street, and when they’re in an alley.

I know: People get conned in the real world, too, and certainly no browser UI is going to save you from an email-based scam. Stories like this, though, are just specific instances of what I believe to be a more universal principle:

the biggest security risk most people face is misplaced trust

John: Some of the blame has to go to the victims. They wanted the money too because they were greedy. Lots of times I would get emails telling me that they wanted more money than I was offering because of the money they were having to send. They could afford to lose the money.

Scam-Detective: John, I think you have been basically honest with me so far. Please don’t stop that now. You know as well as I do that not all of your victims were motivated by greed. I have seen plenty of scam emails that talk about dying widows who want to give their money to charity, or young people who are in refugee camps and need help to get out. You targeted vulnerable, charitable people as well as greedy businessmen, didn’t you? You didn’t care whether they could afford it or not, did you?

John: Ok, you are right. I am not proud of it but I had to feed my family.

If you have ideas for how we can help users place their trust online more deliberately and carefully: please comment here, or build an addon, or file a bug.

Bugzilla for Humans

Bugzilla is the devil we know. It’s more complicated than we’d like it to be (albeit mostly by our own hand), it’s pretty intimidating to new users (though I recognize the efforts to improve that), and adding the features we want can be a slog (I’m looking at you, multi-state flags).

It’s also essential to the way we manage our project at scale, though, and enough of our project’s history and daily activity lives there that understanding it is not really optional. Certain edge cases aside, you can’t really be effective in the Mozilla project without at least a passing ability to wade through Bugzilla.

I put together this video to help people who don’t really live in Bugzilla learn how to at least manage themselves. If you’re inclined to thank me for it, thank Deb and Dan instead – they’re the ones that actually made me sit down and finish the job.

Until WordPress stops eating my video tags, you can get the open-web, flash-free, unencumbered-codec goodness here.

If you’re using a browser that doesn’t understand ogg, I’ve put a copy on Vimeo as well:

http://vimeo.com/moogaloop.swf?clip_id=9205730&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=00ADEF&fullscreen=1

Mozilla’s EU Browser Choice Submission

And so it came to pass, after months of watching and opining and speculating, that in mid-December we got the letter from Microsoft’s attorneys. The European Commission had adopted a decision settling its current tying case with Microsoft. Among other things, this decision introduced a mandatory browser choice screen for Microsoft Windows users. Would we like to participate?

(Yes, we would.)

Our deliverables had to be submitted by January 15. Others in our (amazing, amazing) community did all the real work, but since I was asked to pick up the coordination and delivery of those pieces, I wanted to talk about them a little.

In broad strokes, Microsoft asked us for 3 things:

4 More Hacks

Last week was a Mozilla Corporation all-hands, which is typically an exhaustingly generative time. Some of these bits fell out, in the interstices between working and sleeping; the drinking times.

Bugzilla History Jetpack

I put together a jetpack to annotate show_bug output with the bug’s activity, so that you can track flag changes, state changes, reviews, &c. The idea was all beltzner‘s originally, but I’ll take credit for the half-assed implementation, anyhow.

If you don’t yet have the jetpack engine installed, go get that first. Once you’ve got that, you can grab the bugzilla jetpack itself.

[N.B. Since that’s just my generic bugzilla tweaks jetpack, you will get, for no extra charge, the one-liner that removes “Bug ” from the start of bug titles, so that the bug number fits better in your tab strip. At some point I’ll probably add it to the jetpack gallery without the ride along, but you want it NOW.]

Flic.kr Jetpack

I also fixed flickr so that photo pages which have a flic.kr shortform URL have that URL added just below the photo, for easy copying. It’s also a jetpack. This one I actually added to the gallery, grab it here.

EXIF in Flickr

One more jetpack. I wanted to play with flickr’s awesome, awesome API, and I want EXIF data for flickr photos without a separate page load and I didn’t want it to look very nice. Presto.

Jury-rigged IRC

On the flight home, we had an ad hoc wifi network running, which enables 1-on-1 iChat but is no good for multi-party. None of us had an ircd kicking around, so I knocked this together. It mostly works, but I bet you can offer improvements. (Yes, nc would have worked here too, but ncat is neat, and does SSL.)

Server:
tail -f log1 | ncat -lk 2000 >> log1

Client (SERVER_HOST is a placeholder for the server’s address, which the one-liner as first posted omitted; the read loop stamps each line as it is typed, where the backticked date in the original sed version ran once at startup, so every line carried the same time):
while IFS= read -r line; do printf '[%s] < @johnath> %s\n' "$(date +%H:%M)" "$line"; done | ncat SERVER_HOST 2000

Extra Credit

  1. Before making the history jetpack, I had it mostly working as a bookmarklet in 498 characters. Can you make it tweetable (140 chars)?
  2. The history jetpack is scraping the show_activity content instead of using the new REST API. Patches accepted?
  3. The EXIF jetpack should do a nicer job of highlighting what matters.
  4. Local echo on the chatroom was kind of annoying, we ended up opening two “clients” each – one for typing into, and the other for seeing the unmunged chat stream. Got a better one liner?

Three Stupid Scripts I Find Useful

SATTAP

If I told you you could have one-click mac screenshots with automatic scp to a host of your choice and it could have a reasonably bad user experience and no keyboard bindings, well you’d just be all over that, wouldn’t you?

Yes, I know about grabup (and their recent departure), and tinygrab, and all the rest. I’ve used several of them, in fact. What can I say, I wrote this way back when, and still find it gets the job done. If you don’t want to hitch your cart to someone else’s image hosting horse (and associated ad spam/image expiry blah), you’re welcome to it.

It’s a shell script. It takes the screencap, does the scp, and then puts the URL on your clipboard. You’ll need to edit some bits. I find it irksome to run from the command line, so I wrapped it in a 1-liner applescript (do shell script "~/bin/sattap") that I can just click from the dock.

Rob wrote one of these, too. [UPDATE: And now catlee has “ported” sattap to linux.]

Migrate.app

My macbook has the irksome habit, when I disconnect it from the external display and then reconnect it, of leaving all my windows on the tiny little 13″ display and not the hulking 24″ display I just connected, presumably for displaying things.

I borrowed a script from Dudehey on macosxhints to do the heavy lifting and then tweaked it to my particular preferences about which windows stay where. You will disagree with me, and hate this script; in fact, it won’t even work for you. But maybe you can make it work for you, if you care to?

Here it is. Open this in Script Editor – change it however you like, and then Save it somewhere as an Application, throw it on the dock, and hooray.

Rotate Page Bookmarklet

Okay, I don’t actually find this one useful, but it amuses. And you need some amusement.

javascript:document.body.style.MozTransform="rotate(90deg)";void(0);

Go on, try it. (Yes, in Firefox.)

Deletion

To a first approximation, I think you can gauge how much people think about software quality by how highly they value deletion. While most rookie developers are chiefly interested in building rather than in tearing down (for what I hope are obvious reasons), great throbbing brains like Graydon speak about deletion with the kind of reverence that I presume cardinals reserve for only the coolest of popes.

In what history will likely judge as a vain attempt to impress him, then, I recently landed bug 513147, deletion of the now antiquated “Properties” dialog that used to be available on right-clicking things like images and links. Not because it was useless (every feature is someone’s baby, and is added for a reason) but because it wasn’t useful enough, to enough people, to justify the cost.

50KB of code in our product that is poorly understood, not often used, and not covered by unit tests is not free. When bugs show up, it takes longer than it should to fix them. If a security bug were to show up (which is always a risk when content mixes with chrome, however remote it may seem) it would be particularly expensive for us to reload that context into our brains to fix it.

Deleting it isn’t free either, of course – there are 4 extensions that build off that dialog that will need to be updated, and there may be some who use it regularly who will be disappointed. But the forces of software (inertia, squeaky wheels, cynicism and inertia) bias so heavily towards keeping code in the tree that we should all try to take clear deletion opportunities when they come up. Not capriciously, not without sensitivity to the impact it can have, but with recognition that the hidden cost to keeping them is also large and… hidden.

It is in the spirit of this sensitivity that we, on the Firefox team, have tagged this bug and others like it: [killthem]. What else do you think should go? (And please, be gentle. Remember, every feature is someone’s baby.)

[Update: Geoff Lankow has taken the code that used to be built in, and made it into an add-on, which I think is fantastic. As I said to him, and as I said above, my assertion has never been that the code was useless, just that it wasn’t useful enough to justify its cost in the core product. An add-on is a great place for functionality like that, and I thank Geoff for his work.]

Privacy Features in Firefox 3.5

While talking to press in North America and Europe about Firefox 3.5 (you’re already running it, right?) one topic that really resonated with people was the way we pushed on privacy in this release.

I think, initially, some people viewed our private browsing mode as a checklist feature. Even though we’d been working on it since before Firefox 3, it wasn’t strong enough for us to ship until 3.5 and in the interim other browsers have implemented versions of the same functionality. I really like the way we’ve done it, and there seem to be significant differences between the various browsers’ implementations, but regardless of all that I also don’t think that any private browsing mode is a complete solution.

Private browsing mode assumes that you will always know ahead of time that you’re about to do privacy-sensitive things. In Firefox 3.5, we tried to match more closely the way people actually use the browser, and sometimes that means they need to clean up after the fact – forgetting a slice of time, or a particular site. It also means that sometimes they want their browser to remember things, sensitive bookmarks for example, but not publicize those in the location bar. People’s use of a web browser in 2009 is more nuanced than:

Public | Private

Alex Faaborg has done a fantastic job detailing many of the privacy features in the latest release of Firefox. I’d encourage you all to check it out.

Google Maps Geolocation Bookmarklet

I’ve been in Europe this week talking to French and German press about Firefox 3.5, and it’s been great to see all the excitement there is over here for the upcoming release.

One feature I’ve been talking a lot about is our support for Geolocation. I think that once Firefox 3.5 gets out there and sites realize they have a (privacy- and user-control-respecting) way to ask their users for their location in the world, all kinds of great services will show up. Flickr already has a photos-near-you feature, for instance, and I imagine mapping sites, restaurant reviews, and others are hot on their tails.

So I’m sure, in short order, that this won’t be necessary. In the meantime, if you’re running one of the Firefox 3.5 Release Candidates, you can use this bookmarklet to inject your current location into the google maps search box, so that you can base searches off your current location:

javascript:function sv(s){document.querySelector("#q_d").value=s};sv("Checking...");navigator.geolocation.getCurrentPosition(function(a){c=a.coords;sv(c.latitude+"%20"+c.longitude);document.forms.q_form.submit();},function(){sv("Rejected!")});

If you haven’t used a bookmarklet before, it’s easy. Open up your bookmark manager, decide where you want to put this (I like to have them on my bookmarks toolbar, since I use them a lot), and create a new bookmark. When it asks for a location, put in the code pasted above. Now, when you’re on the google maps site, click the bookmark to jump to your current location (after, of course, giving your consent).

This bookmarklet is specific to google maps (but I bet you can hack it!), and it certainly requires you to be using a modern browser with support for these features. If you don’t have the latest Firefox yet, you can become part of our early testing community by downloading a copy now.

[Update: Changed the bookmarklet code a little to give some feedback immediately by letting you know it’s checking. I bet someone out there has already made a version of this that’s half as long, and twice as powerful. Comment!]

Google Ads: Did You Know You Could Do This?

A couple weeks ago I was attending a panel discussion at the Computers, Freedom and Privacy conference in DC (featuring our very own Mike “Gillette Mach 3” Shaver) when Betsy, from Google Economics, started talking about their behaviour-based advertising.

She was making a point about how Google gives users control over the kind of ads they see, and she mentioned this:

I think I always knew that the “Ads by Google” text at the bottom of ads was clickable – I’ve probably even clicked it. Historically though, it’s just been a sales pitch for would-be advertisers and content authors. Now, when you click on it (go on, there’s one at the bottom of this post), there’s a link to your very own “Ad Preferences Manager.”

This page tells you what Google thinks you’re interested in based on the browsing habits it’s observed, and hence what kinds of ads it wants to show you (seriously, go check it out). It also gives you the option to add/remove interests, or opt out entirely.

Betsy, from Google, was talking about how they had been trying to really get the word out to people about this interface, so that people could control their ad experience. I wasn’t sure whether that message was reaching people – even people who might care about the information advertisers collect.

A couple of questions, then:

  1. Did you know about this page?
  2. Do the contents there surprise you? How accurate are they?
  3. How does it all make you feel? Are you more comfortable, knowing that you have some control? Or are you less comfortable, seeing the profile laid out like that?
  4. Did you make any changes while you were there?

Updated SSL Certificate Database

When I blogged about my database of SSL certs from the top 1M alexa sites, it got much more reaction than I expected. It’s nice to have peers in this microcosm of nerdspace.

Easily the most often requested improvement was to include intermediates in the database. People wanted to see which issuers had a bunch of subordinate CAs and which issued right from the root. They wanted to see what kind of key sizes and algorithms CAs chose, and how they compared to the key sizes and algorithms used in regular site certs.

I’ve gone and re-crawled to gather that information now, and you can download the zipped db (509M). It’s still an SQLite3 database, though I’ve changed the schema a bit, with certificates now stored in their own table. Let me know in the comments/email if you need help working with the data.

The schema, if you can call it that, was 100% expediency over forethought, so I would welcome any suggestions on DB organization/performance tweaking. I have done no optimizing so low-hanging fruit abounds, and a complicated query can take more than a day right now, so your suggestions will have visible effects!
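The questions readers asked for (which issuers have a bunch of subordinate CAs, which sign site certificates straight from the root, how CA key sizes compare with site certs) are chain-walking queries that join the certificate table to itself on issuer and subject, and those are exactly the queries that crawl without indexes. The Python below is an added example, not the post’s database or schema: the post only says certificates now live in their own SQLite3 table, so the table names, columns and sample rows here are constructed for illustration. It builds an in-memory copy with indexes on the join columns, answers the three questions, flags sub-2048-bit keys, and uses EXPLAIN QUERY PLAN to confirm a lookup hits an index instead of scanning the table.

```python
import sqlite3

# Added example, not the post's own database. The schema is an assumption:
# the post says only that certificates are in their own table, so these
# tables, columns and rows are constructed for illustration.
SCHEMA = """
CREATE TABLE sites (
    id   INTEGER PRIMARY KEY,
    host TEXT NOT NULL UNIQUE
);
CREATE TABLE certificates (
    id       INTEGER PRIMARY KEY,
    site_id  INTEGER NOT NULL REFERENCES sites(id),
    depth    INTEGER NOT NULL,   -- 0 = site cert, 1+ = intermediates as served
    subject  TEXT NOT NULL,
    issuer   TEXT NOT NULL,
    is_ca    INTEGER NOT NULL,   -- basicConstraints CA bit (1 = CA cert)
    key_alg  TEXT NOT NULL,
    key_bits INTEGER NOT NULL,
    sig_alg  TEXT NOT NULL
);
"""

# The low-hanging fruit for a half-gigabyte file: index every column the
# chain-walking queries join or filter on, or SQLite scans the table per lookup.
INDEXES = """
CREATE INDEX idx_cert_site    ON certificates(site_id);
CREATE INDEX idx_cert_issuer  ON certificates(issuer);
CREATE INDEX idx_cert_subject ON certificates(subject);
"""

# Constructed sample crawl: two sites behind subordinate CAs of one root,
# one site signed directly by a root, one 1024-bit site key.
SITES = [(1, "a.example"), (2, "b.example"), (3, "c.example")]
CERTS = [  # (site_id, depth, subject, issuer, is_ca, key_alg, key_bits, sig_alg)
    (1, 0, "a.example",        "Example Sub CA 1", 0, "RSA", 2048, "sha1WithRSAEncryption"),
    (1, 1, "Example Sub CA 1", "Example Root CA",  1, "RSA", 2048, "sha1WithRSAEncryption"),
    (2, 0, "b.example",        "Example Sub CA 2", 0, "RSA", 1024, "sha1WithRSAEncryption"),
    (2, 1, "Example Sub CA 2", "Example Root CA",  1, "RSA", 4096, "sha256WithRSAEncryption"),
    (3, 0, "c.example",        "Other Root CA",    0, "RSA", 2048, "sha256WithRSAEncryption"),
]


def build_db():
    """Create an in-memory database with the assumed schema, indexes and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + INDEXES)
    conn.executemany("INSERT INTO sites VALUES (?, ?)", SITES)
    conn.executemany(
        "INSERT INTO certificates(site_id, depth, subject, issuer, is_ca, "
        "key_alg, key_bits, sig_alg) VALUES (?, ?, ?, ?, ?, ?, ?, ?)", CERTS)
    conn.commit()
    return conn


def subordinate_ca_counts(conn):
    """Issuers ranked by how many distinct subordinate CAs they have signed."""
    return conn.execute("""
        SELECT issuer, COUNT(DISTINCT subject)
        FROM certificates
        WHERE is_ca = 1 AND issuer <> subject
        GROUP BY issuer ORDER BY 2 DESC, issuer""").fetchall()


def sites_issued_from_root(conn):
    """Hosts whose site cert was signed by a CA that no other CA in the crawl
    signed, i.e. a root issuing end-entity certificates directly."""
    rows = conn.execute("""
        SELECT s.host
        FROM certificates c JOIN sites s ON s.id = c.site_id
        WHERE c.depth = 0
          AND NOT EXISTS (SELECT 1 FROM certificates p
                          WHERE p.subject = c.issuer AND p.is_ca = 1
                            AND p.issuer <> p.subject)
        ORDER BY s.host""").fetchall()
    return [r[0] for r in rows]


def key_profile(conn):
    """(key_alg, key_bits) -> count, split into CA certs and site certs."""
    profile = {"ca": {}, "site": {}}
    for is_ca, alg, bits, n in conn.execute("""
            SELECT is_ca, key_alg, key_bits, COUNT(*)
            FROM certificates GROUP BY is_ca, key_alg, key_bits"""):
        profile["ca" if is_ca else "site"][(alg, bits)] = n
    return profile


def weak_keys(conn, min_bits=2048):
    """Certificates whose key is shorter than min_bits, CA certs first."""
    return conn.execute("""
        SELECT subject, key_bits FROM certificates
        WHERE key_bits < ? ORDER BY is_ca DESC, subject""", (min_bits,)).fetchall()


def uses_index(conn, sql):
    """True if SQLite's plan for sql searches an index rather than scanning the table."""
    plan = conn.execute("EXPLAIN QUERY PLAN " + sql).fetchall()
    return any("USING INDEX" in row[-1] or "USING COVERING INDEX" in row[-1] for row in plan)


if __name__ == "__main__":
    db = build_db()
    print(subordinate_ca_counts(db))     # [('Example Root CA', 2)]
    print(sites_issued_from_root(db))    # ['c.example']
    print(key_profile(db))
    print(weak_keys(db))                 # [('b.example', 1024)]
    print(uses_index(db, "SELECT id FROM certificates WHERE issuer = 'Example Root CA'"))
```

The same CREATE INDEX statements can be run against the downloaded file once the real column names are substituted; on a table that size the issuer and subject indexes are what turn a day-long self-join into minutes, and EXPLAIN QUERY PLAN on a slow query is the quickest way to see whether a SCAN is still lurking in it.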