I’ve said it before, in all-caps and bold italics: DO NOT USE AN INSECURE FREAKIN’ CONSUMER OS LIKE WINDOWS ON VITAL CONTROL SYSTEMS!

At least a few of the higher-ups in the military seem to have learned to listen to what their technical people have likely been saying for years. With any luck it’ll filter out to the private sector too, and sooner rather than later.

EDIT, three hours later: in an ironic twist, it turns out that today is the tenth anniversary of the Bill Gates’ “trustworthy computing” memo. While the change in focus has been welcome, it hasn’t really hardened Windows, just elminiated the most blatant insecurities. Windows remains basically a single-user consumer OS, and still tries to be consumer-friendly at the expense of security. So long as Microsoft refuses to require people to learn anything in order to use Windows, it will never be secure.

This may sound strange, but that isn’t necessarily problem. A consumer OS should be easy to use, and shouldn’t require the user to learn any more than he could pick up by sitting at the keyboard and playing with it. At the same time, such an OS should never be used for anything vital — leave it to what it’s good for, which doesn’t include anything that requires security.

That was still more than I liked, so over last week or two I’ve been playing with a few settings. Using a plug-in called Register Plus Redux, I tried making the “About Yourself” field required. No luck — any spambot smart enough to get past my existing defenses was also programmed to handle such standard fields.

My second attempt was adding a new field to the registration page, one that’s labeled “I am a…” and has two choices, “human” and “spambot”. It’s a required field, you’ve got to choose one or the other or you can’t submit the form.

Since I added that, I haven’t had any new registrations. That’s pretty much what I wanted. I don’t require registration for anything, so there’s no reason for a human to register, but spambots are programmed to register just because some blogs require registration before someone can leave a comment and some anti-spam software is easier on logged-in users.

As a defense, it’s very weak. A human can beat it with less than a second’s thought. A spambot-writer could program his spambot to defeat it with five minutes of work. But it’s unique. No such person is going to bother adding that stuff if it’s only going to work on a single blog with a handful of readers. If enough blogs start using the same sort of defense, and spambots start getting adapted to it, I’ll change it to something else unique, like “how many legs does the average horse have?” or “what part of the human body contains the brain?”

That’s the trick: you just need to make something that is slightly different, just different enough that it would require a little extra work from a spambot-writer, and change it as necessary. It wouldn’t work for a very popular blog, but for most people — myself included — it’s sufficient.

I was surprised to note that they didn’t include any URLs with look-alike Unicode characters though. That’s practically impossible for end-users to detect, so they’d probably get howls of protest if they did, but I kept expecting to get tripped up by that.

In the late 1990s Robert Soloway made $20,000 a day as a spammer. He drove fancy cars. He wore Armani clothes. He was, by all accounts, one of the most successful spammers on the planet. But if he were starting out today, he’d find some other line of work. In 2011, spamming just won’t pay the bills.

It seems that spam filters have just gotten too good.

I, for one, am not going to complain.

Yup, more than a year after they started trying (and constantly failing) to spam that message, they’re still trying. Even though they can’t even get to the comment page from that one anymore.

I’d really like to know why they’re all pounding on that particular post. A quick Google search on its URL turns up more than three hundred pages listing the same invalid link from it, on what look almost exclusively like Japanese-language blogs that have been overrun with spam, with titles that translate like “OB Football Association Board Keio Medical” or “BBS car from the exchange of information” or “Jie said the new board more” (??). I’m assuming that those were all placed there by the same spambots (though what they thought they were doing, I have no idea), or copied from sources that were.

Oh well, maybe I’ll figure it out some day.

For the first one I was feeling kind, so I asked the woman if she knew that this was a scam — she might think that she was hired by a legitimate company, after all. Apparently she did, because she hung up. The second I was so ticked that I just asked the guy if he had any idea how many times that scam had been tried on me. He immediately hung up too.

I might play with the next one, if I’m at the computer and not busy at the time, and not so irritated that I immediately give the game away. We’ll see.

But the most interesting idea I saw was this comment:

Obfuscating your address gives may falsely convince you that your important address is safe. If it’s published, in any form (even in the firstname at lastname dot c0m form, or as some kind of puzzle), it is possible for a member of the public (including spammers) to get it. A much better method is to set up a disposable address which forwards to your sacred address. Once the disposable address is compromised and you start getting spam via it, just kill it off and replace it with a different disposable address. Once you trust a sender, you can give them your sacred address. I started using junk1@… in about 2000, and am now on junk7@… and my sacred address is mainly spam free.

That is such a simple answer that I can’t believe I didn’t think of it myself.

Of course, it wouldn’t be very useful for most people, the way e-mail is set up right now. But for a company’s public-facing e-mail address, which must be available on their website, it could be a very useful answer. (If you could refer people to a contact form, instead of publishing an address, that problem is pretty much solved — but if any significant fraction of people started doing that, spammers would figure it out too.)

That also gave me other ideas for stopping spam. I won’t go into them at present, because they need more thought and because I might well create a commercial solution out of them in the future. We’ll see.

(Other interesting comments there include this one and this one.)