Fugato

When you hear from software people (e.g. from yourself) things like “I don’t have time” or “it’s too much work”, there is a single-word slapdown response.

Ayende.

2.07 posts a day on average over the last three years, mostly high-value software stuff. At the same time, he spews out useful, robust software. That’s all on top of his day job. And apparently he reads a lot.

Personally I suspect Ayende is a five-person software company masquerading as a single person. Even then he is not doing too badly.

The obvious question: how does he do this?

The useful question: why aren’t you doing it?

(Ouch.)

It’s winter quarter 2000. I’m the TA for EE183, sitting alone in a lab in the brand-spanking new Packard building of EE at Stanford, preparing assignments for tomorrow’s lab session. It’s around midnight and the building is empty-ish.

Enter a somewhat unkempt man in his early forties, medium build, in overalls with a little paint on them. He wanders around the lab for a bit, contemplating the oscilloscopes.

The essence of our conversation is paraphrased here to the best of my ability, G representing me and D the Designer.

G: “Hi, uh, can I help you?”

D: “Yeah, I’m just taking a look around. I designed this building, you know.”

G: “Really?”

D: “Yeah, I did, my company did. I designed the Mac interface, too.” [gestures at my PC display]

G: “Wow. So you’re here to see how your creations turned out?” [still not sure whether he's joking]

D: “Yeah, well, I’m also having trouble with the department, they still haven’t paid for the design work.”

G: “Really? One would think they’d have that kind of thing in order.”

D: “Apple, too. They haven’t paid me for the Mac design work. These people owe me a lot of money, it’s pretty lousy, and I’ve had to take action about it.”

G: “Action?”

D: “Yeah, I’ve just sent this fax out, to the EE department, and to Apple, and several other places in the valley.”

He shows me a hand-written sheet, memorably ending with the words “Pay or be punished!”

I measure him out, as inconspicuously as I can. He has me a little worried, but he’s not that much bigger than me, and hasn’t seemed aggressive.

G: “Wow. You’re not mincing words there!”

D: “Heh, no. Can’t go too easy on these guys, or you just get them walking all over you.”

G: “I’ll bet. Well, best of luck with that. I hope they come around.”

D: “Hey thanks. It’s good talking to you.”

G: “See ya.”

He leaves the lab. Later that night, when leaving, I walk around and see D in the lunch area on the second floor, eating out of the common fridge. I nod to him, shrug and leave.

In the morning I mention this to Ed, the labs manager, and in about ten minutes a policeman arrives. I describe D as best I can, and then it hits me that he told me his name.

Policeman: “Oh, that guy, okay. He pops up around campus every few years, I think he was a student here once. He’s never gotten violent, but he hasn’t said anything threatening like this before either. I’ll have a little chat with him.”

That day, I notice copies of D’s handwritten fax posted on doors and flyer boards around campus. Never heard of him again.

I wonder if he ever got paid.

The only kind of transplant never hindered by a shortage of either donors or recipients.

I sit, engrossed in flow, that exquisite state of mind where time and space cease to exist and the consciousness contains only my work, in sharp focus.

A knock on my shoulder. Guy from the department next door.

I disengross myself, switch to the media player, pause the music, take off my headphones, turn around, say hi with a question mark.

He says: “Oh, nothing, just, hi. How are you?”

I say: “Er, fine. And you?”

It turns out that he is fine as well. He absconds. I start working again, and eventually I’ll get into flow again. But I’m not in it now.

I feel like David Brent dropped by.

“Here you go sweetie” says the waitress at Glo’s, a Seattle breakfast diner.

She looked about 19.

I take that to mean I don’t look about 30.

It’s April. I’m travelling in North Cyprus with Tuğberk, who knows every square inch of his island. In a remote clearing at Akdeniz we find clay pottery shards. Tuğberk inspects them for a while, and then:

Tuğberk: “2000 years old.”

Gulli: “How can you tell?”

Tuğberk: “From the sign.”

[Points to a sign saying the site is 2000 years old.]

Gulli: “Oh.”

Update: if you got the Irreal dating sms and are wondering about what to do: do nothing. The sms is garbage; ignore it and forget about it. Definitely don’t do what the website tells you. There is no mess to get out of. You are not going to be billed. Do not enter your phone number, and do not run that program. Generally, do not run any program coming off the internet unless you know what it is, know that it is useful to you, and are very sure it comes from somewhere trustworthy.

Update 2: They are using the name SMS True Date Service now. That makes sense: when the top result in a google search for your name identifies you as a scam, it’s time to change your name. :)

Most significant breaches of computer security are achieved by perfectly non-technical means, i.e. by tricking people, not computers. This is called social engineering, at least when the trick is to get someone to divulge their password by casual trustworthy-sounding conversation (“Hi, I’m Bill in tech support, haya doin’? I need your password real quick for this fix …”)

The key is to divert attention away from what’s really going on, disguising it as something else. The friendly, casual, innocent voice is one way to do that. Another way is to get people hurried and worried about some different (and fake) nuisance or danger. A friend of mine saw such an attempt tonight.

She got an SMS from a weird phone number like +2783 or such, welcoming her to Irreal Dating at www.irrealhost.com, and noting that her phone will be charged $2 per day “only.” Whoops!

Going to that site, sure enough, there is a form for signing up, with just a text field for a phone number, and a checkbox (already checked, for your convenience). “Somebody must have signed up my phone number,” you think! But there is also a way to unsubscribe. Phew! Hurry! All you have to do is enter your mobile number and click confirm to start … the program.

Oh.

The page helpfully describes what you must then do to start that crucial unsubscription program:

with a convenient blur to distract you from Microsoft’s warnings that you may be about to install spyware or trojans or other malicious software. Forget all that, just run it without thinking please!

And your computer gets infected with their trojan.

“Once you have finished you will be removed from our system and you will no longer be charged for anything.” Isn’t that a nice dangling carrot?

It’s a clever scheme. They probably obtain phone numbers by spidering the web for patterns like “Cell: XXX XXX XXXX”, perhaps with country-specific variants like “s. XXX XXXX” for *.is domains (for Iceland) … that particular one would turn up my friend’s phone number, for instance, since it appears in a used-books forum somewhere. Then they find a way to send this SMS to all of these phone numbers through open or misconfigured SMS gateways. Thousands of people are confused and in enough of a hurry to cancel their “subscriptions” that they don’t realize what it’s really about, and their computers end up infected.

Then our irreal friends use their trojan program to commandeer these thousands of computers as drones for spamming, or for distributed denial of service attacks, or for whatever anybody is willing to pay for.

It’s one way to make a living. And some of them get quite rich doing it.

An extra clever aspect of this scam is that people are used to filtering away or ignoring spam email … but are less suspicious of SMS. I wonder if we’re about to see a rise in SMS spam because of that.

Googling for “irrealhost” and “irreal dating” turns up nothing right now, so the trick (or at least this instantiation of it) must be brand new. Their hosting provider will probably shut them down soon, but not before they’ve gotten their little trojan onto plenty of computers. And their business churns on.

Sigh. With just a little more ingenuity and a little less moral fiber, I could have been a rich man …

Overheard from an enthusiastic salesman in Hamleys Toy Store in London:

Now this one, this uses ultra-violet light, and ultra-violet light is maybe eight times brighter …