Saturday, July 21, 2007

How Perl Programmer Caught A Pedophile With A Script He Wrote

Yaphank, NY -- The computer crimes unit of New York's Suffolk County Police Department sits in a gloomy government office canopied by water-stained ceiling tiles and stuffed with battered Dell desktops. A mix of file folders, notes, mug shots and printouts form a loose topsoil on the desks, which jostle shoulder-to-shoulder for space on the scuffed and dented floor.

I've been invited here to witness the end-game of a police investigation that grew from 1,000 lines of computer code I wrote and executed some five months earlier. The automated script searched MySpace's 1 million-plus profiles for registered sex offenders -- and soon found one that was back on the prowl for seriously underage boys.

Andrew Lubrano's mug shot.

That's something that MySpace has said it cannot do. Rather, it is seeking new laws that would make it easier to ban sex offenders from the site through an e-mail registry.

MySpace busts are rare in this unit. About half the work done by the eight detectives here is aimed at online predators, but the networking site poses challenges that open chat rooms -- a dying social scene among today's youth -- never did. "It's a dangerous place for kids," says Frank Giardina, a good-natured, 49-year-old detective with salt-and-pepper hair and a matching mustache. "It's also difficult for law enforcement."

That's because much of what happens on MySpace unfolds outside public view. The computer crime unit has erected bait profiles registered to fake underage teens, but so far the tactic has netted only one arrest. Proactively scouring MySpace pages is futile: The smarter sexual predators stick to private messages, and diligently prune their public comment boards of any posts from young friends that hint at what's happening behind the scenes.

Today's investigatory target, 39-year-old Andrew Lubrano, has been less careful, and now he faces his fourth arrest for a sex crime. Lubrano was sentenced to three years probation in 1987 for sexual abuse against a 7-year-old boy, according to police. In 1988, he got another probation term for second-degree sex abuse. In 1995, he earned a 3 to 9 year prison term for sexually abusing two boys he'd been babysitting, one 11, the other 9.

The parole board turned Lubrano down three times, and he was cut loose in September 2004 largely unsupervised, having served every day of his nine-year max. By November 2005 he was on MySpace, making friends.

In the beginning, Lubrano seemed to use the site innocently. But in April, he began adding teenagers to his friends list. One of the first was Jacob, a gay 14-year-old high school student in Virginia, who reports his age as 16 in his profile. Lubrano starts calling him "sex toy" and asking him about his living situation. Lubrano thanks another Virginia boy for adding him to his friends list by writing "Thanks for the ass, I mean add."

Giardina has been posing as another 14-year-old boy in online chats with Lubrano, and he says he's received less nuanced communiqués from the offender discussing having oral sex with the fake teen. He shows me part of a chat log, Lubrano asking "u into hair? Like hary (sic) men? Where do you have hair at?"

Lately, Lubrano's been talking about meeting at a camp site or a movie theatre. Today the detective thinks his target is ready to firm up a tentative commitment to meet at a local bowling alley. A signed search warrant is burning a hole in Giardina's pocket.

Serial sex offender Andrew Lubrano's MySpace profile, in June, showed 93 friends, including 6 teenagers he met through the site.

But so far, Lubrano hasn't turned up online. The detective keeps one eye on his monitor as he talks, willing the appearance of the pop-up box that will announce that the predator has logged onto AIM for another chat. "He sent me an e-mail Saturday night, but nothing today," he sighs.

My road to this New York police unit began in Perl.

In May, I began an automated search of MySpace's membership rolls for 385,932 registered sex offenders in 46 states, mined from the Department of Justice's National Sex Offender Registry website -- a gateway to the state-run Megan's Law websites around the country. I searched on first and last names, limiting results to a five mile radius of the offender's registered ZIP code.

Wired News will publish the code under an open-source license later this week.

The code swept in a vast number of false or unverifiable matches. Working part time for several months, I sifted the data and manually compared photographs, ages and other data, until enhanced privacy features MySpace launched in June began frustrating the analysis.

Excluding a handful of obvious fakes, I confirmed 744 sex offenders with MySpace profiles, after an examination of about a third of the data. Of those, 497 are registered for sex crimes against children. In this group, six of them are listed as repeat offenders, though Lubrano's previous convictions were not in the registry, so this number may be low. At least 243 of the 497 have convictions in 2000 or later.

Five of the sex offenders are listed as "absconded" -- one of those still logs in regularly. Others are listed as "in custody," and last logged into MySpace shortly before their arrest. Some are fresh out of custody. One North Carolina user went to prison in 1999 for rape and "indecent liberties with a minor." When he got out this year, he was on MySpace within two months -- though so far his only friend is MySpace's Tom.

A 34-year-old former basketball coach uses MySpace to keep in touch with his one-time students; his sex offender registry entry says he had boys under 13 remove their clothes in front of him. A 33-year-old man who served 18 months for molesting a child under 13 in 1994 set his MySpace motto to "Love knows not age."

For every profile with warning signs, I found eight without. In many cases, the sex offender's MySpace profile is a window into a seemingly normal life: Their comment board is innocent; their image gallery contains a wedding photo or two; the underage friends on their list, if they have any, turn out to be relatives, or adults lying about their age to game MySpace's old security model -- in which only 14- and 15 year-olds enjoyed private profiles.

Lubrano stood out early in the results. His rap sheet was chilling, and by the time I found him, a half-a-dozen underage boys populated his friends list, many commenting on his message board. He lavishes particular attention on Jacob (not his real name), the 14-year-old in Virginia, lamenting the distance from his home on Long Island to the house Jacob shares with his grandparents near Washington D.C. -- about a six hour drive. "Damn," he writes, "it's a shame you don't live close by boy the things we can do."

I sent Lubrano a message through his MySpace account, asking about his conduct, and reached out to seven teenagers with whom he'd been corresponding. When no one replied, I contacted the Suffolk County police, which has jurisdiction over Lubrano's home in Centereach, New York, and was responsible for busting him in 1995. The computer crime unit opened an investigation, and I agreed to hold this story until that investigation was complete.

In my first phone call with Giardina, he was amazed that Lubrano was so easy to find. "He registered on MySpace using his real name? What a nitwit."

Parry Aftab, an internet privacy lawyer, says she's not surprised. "A lot of the bad guys use their real name, as you've seen. It's amazing to me how many. Look at (former-congressman Mark) Foley, the idiot, happy to use his real name and communicate with people who know who he is."

Aftab is executive director of WiredSafety.org, an online safety nonprofit group that works closely with MySpace. She thinks the MySpace offender search results are a chance to drum home to kids that predators are out there -- a reality she says teenagers aren't easily accepting. The Wired News project also illustrates something MySpace could do to make its community safer, she says: hunting down and banning sex offenders from its site. "I don't think they thought about it. But I think that once we bring it to their attention they will. This is a threshold moment in internet safety."

My search left me less convinced that targeting past offenders would be an effective way for MySpace to find current or future predators. By its nature, a search like mine is only going to produce people who use their real names and addresses, and who are perhaps the least likely of the offenders to be up to no good.

But Aftab believes MySpace's crush of young people eager to make friends, posting racy photos and sharing a slice of their daily lives is too strong a temptation to child predators; they simply don't belong on MySpace. Whether it is one, or a thousand, you should kick them off. "You can't take an alcoholic to a bar. You can't take a drug addict to a place where people are smoking grass or doing heroin," she says.

Last week, I told MySpace about my search, and Lubrano. The company's chief security officer, Hemanshu Nigam, responded that MySpace would like to ban sex offenders from the site, but is waiting for new laws that would make it easier to do so. He said the company is lobbying Congress for legislation that would require sex offenders to register their e-mail addresses with a central database. "By having such a database, MySpace and other sites would be able to access it in order to block these individuals from ever registering on the site," Nigam said, in a written statement.

The subject came up in a hearing before a House subcommittee in June. Michael Angus, executive general counsel of Fox Interactive Media, which owns MySpace, talked up the benefits of an e-mail registry at that time, suggesting that name matching against public registries, the very technique I was at the same time applying in the Wired News investigation of MySpace, simply wouldn't work. "The numerous registries aren't readily available to us, he said at one point. He also argued that predators could easily use false names.

That position drew a skeptical line of questioning from Congressman Greg Walden, R-Oregon

"If you're checking for the amount of skin in an image and that sort of thing, and however your logarithms work, you'd think you ought to check, you know, 'John Doe', who happens to be a sex offender, and weed them out," Walden said at the time.

"I believe some of these guys are stupid enough to use their real name. And if you weed out one?"

By Oct. 2, my simple script had brought me to the brink of just such an arrest.

Three hours into the stakeout, watching DrewWho26 fail to appear on AIM is getting tiring. The detectives suspect they've been stood up. It goes like that sometimes, says Giardina -- a perp will get cold feet ahead of the first planned meeting, the second. By the third time, blind hope usually overpowers the cool, rational voice telling the suspect he's being set up, and the day ends with handcuffs.

But with Lubrano, the detectives already have a search warrant. Giardina goes to a phone in a side room and calls Lubrano's house -- Lubrano delivers newspapers for a living, and sometimes sleeps in the afternoon, so a wrong number call might wake him. Someone answers after two rings, and Giardina hangs up. The voice didn't sound like Lubrano's though.

Two of the detectives head out to drive past Lubrano's house and look for his car.

I wander into the small office space. They have a rogue's gallery set up in the corner, three poster boards with 36 mug shots of sex offenders the computer crime unit has busted this year. It's an odd bunch. Some appear young and angry, most are middle-aged, despairing, sunken pale faces. "Some of these are sorry, sorry sacks," says Giardina.

The detectives perk up when I tell them how I found Lubrano. John Friberg, a slender, steel-haired man who looks like CNN's Anderson Cooper, has a degree in computer science, and he asks probing questions about the ins-and-outs of screen scraping MySpace and the DOJ. He's game to try it himself. "Right now we've got the whole big pool of MySpace to try and narrow it down to the sex offenders," he says.

At 2:15 p.m., a detective in the field calls in. "He just got home? Great," Giardina says into the phone. They'll keep watching the house, in case Lubrano leaves again, while back in the office DrewWho26's grayed-out name in the AIM window is eyed with new intensity.

"Send him an e-mail," suggests Friberg. "'Hey, I see you just got home.'" Everyone laughs.

At 2:25 Lubrano comes on. Giardina leans back, hands off the keyboard, waiting for Lubrano to come to him. Instead, the man's out of AIM almost instantly.

Six minutes later, the phone rings again. Lubrano has just left in his car, and the detectives on the scene want to know what to do: Should they pull him over?

No. They'll just tail Lubrano while a patrol car is radioed to make a traffic stop. The remaining cops at the office -- three of them -- pile into a unmarked car and head out, while I follow in my rental.

By the time we get there, Lubrano's in the back of an unmarked cop car and the detectives are doing paperwork and inventorying the contents of his SUV. The cruiser lit up Lubrano on busy street about a mile from his home, and he pulled into the parking lot of a small law practice next door to a motorcycle shop.

Two of Lubrano's five children were with him, and they're standing sullenly at the rear of the car. The eldest is 18, with a shock of bristly red hair; he's on his cell phone. The other is 14, and has Down's syndrome. He idly kicks at some fallen leaves, then wanders around to the side of the car, where one of the detectives is still crouched, searching the glove box.

His older brother grabs the boy's arm gently to stop him. Protecting him.

Firberg and another detective head over to Lubrano's home -- a pleasant, ranch-style house on a quiet, shady street. Down the block, kids are tossing a football in their front yard, while the police haul Lubrano's computers out the front door and put them in their hatchback.

Later, the detectives tell me that Lubrano claimed in the car that he didn't go any further with his online friends than some dirty talk. If true, that's good news for the kids, and for Lubrano. Under a July state appellate court decision, merely soliciting a minor for sex online in New York is no longer a felony, unless the perpetrator sends explicit photos as part of the enticement.

Lubrano's is one of the first cases under the new decision, and the next day, the police and the county district attorney hold a press conference to announce that they'd caught a repeat sex offender, and could only charge him with attempting to endanger the welfare of a child, a misdemeanor.

Giardina is optimistic that the local media attention over the light charge will spur a change in the law. Lubrano is being held on bail of $25,000 cash or a $50,000 property bond. He could simply stay in jail and serve out the maximum sentence of 90 days.

In the final analysis, I still believe MySpace is good for kids. Jacob, the boy Lubrano most flagrantly courted, provides a clear example of the site's benefits, as well as its flaws. When the teen recently got in trouble with homophobic bullies at his high school, he came home to MySpace, and quickly garnered an outpouring of sympathy and advice from his friends. Any reaction to the incidents of MySpace predation that would rob Jacob and other children of the promise of such self-expression and support is suspect.

But it's clear that MySpace could do more. It should more diligently employ its technical resources to look for the signs of predation, perhaps automatically scanning the contents of private and public messages between adults and children for sexual content, backed up by a manual inspection. It's difficult to imagine any scenario in which a 39-year-old man should be calling a teenager "sex toy."

It's all up to MySpace. We can't count on parental supervision; how many teenagers looking for a space to hang out in with friends will accept one occupied by parents? We can't count on peer policing; nobody reported Lubrano for his inappropriate comments.

We definitely can't count on teenage street-smarts. Swagger isn't judgment. Young Jacob is a smart guy, but even after he politely rebuked Lubrano for hitting on him, he made plans to meet the man at a Pennsylvania amusement park.

Lubrano didn't initiate the planned meeting; he'd already announced he would be there with his family when Jacob's school scheduled a field trip to the destination. Their plans fell through when Jacob's trip was cancelled.

"Thank Gosh I didn't go," says Jacob.

I'm chatting with Jacob in AIM the day after Lubrano's arrest. I found his screen name in a friend's comment board, and caught him online after school. He calls Lubrano a "friend," but quickly renounces him when he learns that his friend is a child molester. He says he's shocked by the news; but then incongruously explains that he just thought Lubrano was a 39-year-old man who likes young boys.

"I do think its kinda weird for that age to flirt with me and stuff," he writes. "Like, kinda desperate and kinda leading me to think that something's wrong. But I didn't really do anything. I love being complimented. So, I thought it was nice of him to say that he thought I was cute or whatever."

MySpace is a big part of Jacob's life, and his greatest fear is that this story, or the ongoing police investigation, will get him banned from the internet, or he'll lose his MySpace profile. I urge him to be more careful about adding friends -- he has 3,800 of them -- and to make his profile private. He says he will, but so far his MySpace page remains wide open.

Drug Calculation Competency Test Dcct

Thursday, July 19, 2007

US Courts Try To Shut Down SpamHaus

A US court has proposed an order to suspend the Web site of UK-based anti-spam organisation Spamhaus.

Spamhaus was found to be in contempt of court by a US district court in Illinois last Friday, after it failed to pay $11.7m compensation to an email marketing company and remove the company's name from its blacklist.

District judge Charles P Kocoras proposed that ICANN — the body that controls key parts of the Internet including the .org domain — be ordered to suspend spamhaus.org as a domain name "until such time as [the] defendant [Spamhaus] demonstrates to this Court why [it] should not be held in contempt for its failure to comply".

Spamhaus operates a blacklist of IP addresses of people it says are spammers. e360 Insight LLC, a mass-mailing firm, won the $11.7m compensation in September after a court battle against Spamhaus.

However, there is legal speculation as to whether the district court has the jurisdiction to order ICANN to suspend the Spamhaus domain name, as ICANN is an independent regulator.

"It's a tricky question," said IT law expert David Woods, associate at Pinsent Masons solicitors. "In theory ICANN is an independent body to regulate the use of domain names — but it's subject to US law. If it is ordered to, it is likely to take the safer option [and comply]."

Spamhaus has claimed that the Internet could be flooded with spam if it loses the domain. Woods acknowledged that this is a concern, but suggested that Spamhaus may be engaged in "a bit of self promotion by saying the world will be a less safe place" if it no longer occupies that domain.

If the spamhaus.org domain name were suspended, there would be no legal issues with the organisation rebranding using a different domain name such as spamhaus.co.uk.

"I'd be surprised if they didn't already have a range of domain names already registered," said Woods.

The US district court proposed the suspension after Spamhaus refused to pay the multi-million dollar compensation and remove e360 Insight LLC from its blacklist. Spamhaus also refused to publish an apology to the company and its head, David Lindhart, saying to do so would be a lie.

"The default judgement awards Linhardt, a one-man bulk email marketing outfit based in Chicago, compensatory damages totaling $11,715,000.00, orders Spamhaus to permanently remove Linhardt's ROKSO and spam evidence records, orders Spamhaus to lie by posting a notice stating that Linhardt is 'not a spammer' and orders Spamhaus to cease blocking spam sent by Linhardt's company e360 Insight LLC to Spamhaus' users," said Spamhaus on its Web site.

Spamhaus did not comply with this ruling, which was made on 13 September.

However, Woods said he doubted the US judge had the jurisdiction to make the initial ruling against a UK company.

"I don't think the court had jurisdiction to begin with. There may be scope to seek to enforce a foreign judgement through treaties, but the simple answer is no, it doesn't," said Woods.
e360 Insight said it was forced to take the initial action against Spamhaus as all other attempts to communicate with the organisation had failed.

"Spamhaus didn't seem to care that we are an opt-in email marketing company. They didn't seem to care that the only way to get on to our mailing list was to sign up for it. They didn't seem to care about the thousands of customers [who] would not receive order confirmation messages or other email messages they requested. They didn't care about the lost dollars in legitimate commerce or about the employees [who] lost their jobs as a result," said the e360 Web site.

Copyright © 2006 CNET Networks, Inc. All Rights Reserved.

Datare cinese

Tuesday, July 17, 2007

Wikipedia link led to virus site

The free-for-all nature of Wikipedia has not only left it open to plagiarism; it's also made the encyclopaedia a vehicle for spreading malware.

Recently, hackers edited an article on the German edition of Wikipedia to include a link to malicious code, disguising it as a fix for a supposedly new version of the notorious Blaster worm.

This was coupled with a spam email sent out to German computer users, claiming to come from Wikipedia. It directed those who wanted to find out more information on the new virus to the bogus entry.

This questionable activity was soon picked up by Wikipedia administrators, who have since edited the offending story to remove the malware link. The page was also removed from Wikipedia's archive.

Security firm Sophos said that the openness of Wikipedia is to blame, and urged users to ensure that they have appropriate defences in place to protect their computers.

"The very openness of websites like Wikipedia - which allow anyone to edit pages - makes them terrific, but can also make them less trustworthy," said Graham Cluley, senior technology consultant at Sophos.

"In this case, it wasn't just that the information posted in Wikipedia's articles was misleading, it was downright malicious."

The incident follows revelations last week that dozens of biographical articles published on Wikipedia contain passages copied from other sites.

Daniel Brandt, a Wikipedia critic, found the examples of suspected plagiarism by plugging a few sentences from 12,000 Wikipedia articles into Google. He ended with a list of 142 offending pieces, which he sent to Wikipedia.

Several of the stories have since been removed pending a review.

Brandt began his crusade against Wikipedia after an unflattering biography of himself was posted on the site.

"They present it as an encyclopedia," Brandt told the Associated Press on Friday.

"They go around claiming it's almost as good as Britannica. They are trying to be mainstream respectable," he said

Top 10 Pick Up Artists Of 2006 Announced

Sunday, July 15, 2007

Warning: Playstation Scams

Sony Corp issued a warning Tuesday against false promotional offers for its upcoming PlayStation 3 video game console.

A number of Web sites have been promoting pre-orders on discounted or bulk shipments of the game system — without the cooperation of Sony, the company stated.

Company representatives did not name the sites but suggested consumers can avoid potential scams by purchasing PlayStation products only from authorized retailers and resellers, which includes well-known stores such as GameStop, EB Games, Best Buy and Wal-Mart.

The PlayStation 3 system, with models priced between $500 and $600, is set to go on sale in the U.S. on Nov. 17, though only in limited quantities.

Some authorized stores began taking pre-orders on Oct. 10. At some GameStop and EB Game locations, the orders were snapped up within minutes.

Sony has said it plans to ship 6 million Playstation 3 machines in its fiscal year through March 2007.

Copyright © 2006 The Associated Press.

El estado del Internet
80s Song Lyrics