Wednesday, April 12, 2006

Searching for IM Phisher

Today I got an instant message from a friend that had a link to a geocities web page. On this page, there is a caption that says "View My Pics" and a box that appears to be a Yahoo! login form. If you type your username / password and click on Submit, guess what happens? You've been friggin' jacked! You have officially been introduced to the wild and wacky world of phishing.

There is nothing new about phishing. I have received dozens of emails trying to get me to enter my eBay or PayPal passwords. The only thing different about this scam is that it is instant-messenger based AND viral.

What is happening is this:
  • Someone sent out a bunch of IMs to a bunch of Yahoo! IM users.
  • The message contained a link to a page that has a fake Yahoo! login form.
  • When the victim enters their username/password and logs in, the username/password is captured and emailed to the perpetrator.
  • The phisher takes the list of usernames and passwords and sends it to a bot that logs in as each of the victims.
  • The bot downloads the victim's Yahoo! contact list.
  • The exact same IM message is sent to everyone in the hacked Yahoo user's contact list.
  • The phisher proceeds to "Rinse and repeat".
The golden rule is...
NEVER ENTER YOUR USERNAME AND PASSWORD ON A WEBSITE VIA A LINK THAT SOMEONE SENDS YOU! You should always follow the rules below when submitting your username and password to a web site:
  • Never click on a link in an IM or email and then login.
  • Never log in from a URL that has a different web site address than the site you are trying to log in at. For example, do not log in from http://br.geocities.com when you are trying to log in at http://www.yahoo.com. It is possible that the www may be different, but be VERY wary of a site where the last two parts (following the last two periods) of the web site name are different.
  • If you are trying to log in to www.google.com, then the following URLs may be ok:
    • www.google.com
    • login.google.com
    • user-login.google.com
    • authenticate.google.com
  • If you are trying to log in to www.google.com, then the following URLs are probably phishers:
    • www.googlelogin.com
    • login.googlesite.com
    • www.blogspot.com
    • www.geocities.com
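The "last two parts of the web site name" rule above can be turned into a small check. The following is an added example, not code from the original post: it pulls the hostname out of a URL (so that paths, ports and anything before an @ sign cannot disguise it), keeps only the last two dot-separated labels, and compares them with the site you meant to log in to. The function names and the sample URLs beyond the post's own lists are my own. One caveat the post does not cover: this two-label rule treats sites under suffixes such as .co.uk as if they all belonged to one owner, so it should be read as a quick sanity check rather than a complete test.

```python
from urllib.parse import urlsplit


def hostname(url: str) -> str:
    """Return the lowercase host part of a URL.

    urlsplit() only recognises the host when a scheme is present, so a bare
    name such as "www.google.com" gets a scheme prepended first.  Using
    .hostname also drops any "user:pass@" prefix and any ":port" suffix,
    which is exactly the part of a link a phisher can play tricks with.
    """
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def last_two_labels(url: str) -> str:
    """The post's rule: the last two dot-separated parts of the host name."""
    labels = hostname(url).rstrip(".").split(".")
    return ".".join(labels[-2:])


def same_site(login_url: str, expected_site: str) -> bool:
    """True when the login page shares its last two labels with the expected site."""
    return last_two_labels(login_url) == last_two_labels(expected_site)


if __name__ == "__main__":
    # The post's own "may be ok" and "probably phishers" lists for www.google.com
    ok = ["www.google.com", "login.google.com",
          "user-login.google.com", "authenticate.google.com"]
    suspect = ["www.googlelogin.com", "login.googlesite.com",
               "www.blogspot.com", "www.geocities.com"]
    for url in ok + suspect:
        verdict = "looks ok" if same_site(url, "www.google.com") else "PROBABLY A PHISHER"
        print(f"{url:30} -> {verdict}")
    # The geocities example from the post, checked against yahoo.com
    print(same_site("http://br.geocities.com/somepage", "http://www.yahoo.com"))
```

Running the script prints the post's four acceptable hosts as "looks ok" and the four suspicious ones as "PROBABLY A PHISHER"; the geocities-versus-yahoo check prints False.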
Phishers are getting more and more aggressive and you need to be on high alert before you type your username and password and click submit. Always make sure you know what site you are logging into before clicking that submit button. In this case, I did not fall victim to the phishing attempt, but two of my friends did. Luckily, the phishing bot did not change the victims' passwords.

I reported the phisher to Yahoo!'s phishing crew (phishing-abuse@cc.yahoo-inc.com). The link is now dead.

If you aren't familiar with phishing, then you can read more about it on Wikipedia:
http://en.wikipedia.org/wiki/Phishing



Thursday, April 06, 2006

Deal or No Deal Game Analysis

At the urging of a coworker, I TiVoed the new NBC game show, Deal or No Deal, hosted by Howie Mandel. The game show is probably the most brainless game show out there, but entertaining nevertheless.

The basics of the game are as follows:
  • The player is presented 26 briefcases to choose from, and he must select one of them. This is the player's prize (assuming that he keeps the briefcase until the end).
  • Each of these cases contains a different cash prize, randomly (?) determined from a fixed and constant field of prizes. The lowest prize is $0.01 and the highest prize is $1M. The sum of all 26 prizes is appx $3.4M.
  • The player is then allowed to reveal the contents of the non-selected briefcases one at a time. There is a "scoreboard" that everyone (players, host, and audience) can see, which displays which prizes have been revealed and which remain. When the contents are revealed, the only thing that changes is that the player knows what prize he will not get.
  • At different intervals during the revealing process, the player is asked whether they want to make a deal. The options of the deal are
    • either accept a fixed amount of money (the "Deal") and walk away, or
    • continue revealing contents of the unselected cases
  • The deal that the banker offers is based on
    • the total amount of unrevealed money and
    • the total number of unrevealed cases
  • If the player uncovers prizes that are low in value, the next offer that the banker will make will generally be higher in value. If the player uncovers prizes that are high in value, the next offer that the banker will make will be lower in value.
  • There may be other factors that determine the value of the deal. If I were a gambling man (and I am), I would wager that the amount is also based on
    • How many unrevealed cases are valued higher than the EV
    • How many unrevealed cases are valued higher than the proposed offer
  • There are also other possible factors that may come into play, but these all assume that certain aspects of the game are not completely random.
    • The value of the case that the player initially selected
    • The number of the case (I would guess that most contestants pick cases numbered from 1 to 12...how often is 23 someone's lucky number?)
    • The hottie factor of the girl cradling the case - If there is a Jessica Simpson look-alike cradling a briefcase, I'm pretty sure I would pick her (and I'm sure the case would hold one red cent).
The game is mind-bogglingly simple. If there were no fanfare, each game could be over in a matter of seconds. However, since this is a TV game show, the 60 minutes are peppered with overly dramatic music, 26 Vanna White type models, a silhouetted "Banker" who calls Howie to announce the deal, and a glass-enclosed "Doomsday Button" that indicates whether the player wants to make the deal or not.

The analysis is easy as well. This is a simple "Expected Value" (EV) problem. Expected Value is the amount of money that you would expect per decision if you were to make this decision many times.

To calculate the EV, just divide the total amount of unrevealed money by the number of unrevealed suitcases (including the one you have claimed) and that is your expected value. If the offer that the banker makes is greater than the EV, then statisticians would tell you to take the deal.

Here are some interesting things that I have observed:
  • The EV of being a contestant is $131,477.54 before any briefcases are opened.
  • Every offer (I've only seen a handful) has been less than the EV.
  • As you reduce the number of unopened cases, the offer will converge (very slowly) with the EV.
  • The best strategy is to pick a suitcase, shut your eyes, stick your fingers in your ears and keep shouting "No Deal" until they kick you off the set. It really helps if you say "La-la-la" really loud if Howie tries to get your attention.
As far as I have seen, every offer has been under the expected value. This is reasonable because you should assume that there is some value to going with a "sure thing" as opposed to taking on some risk. The producers of the show also want to make sure they get maximum airtime with each contestant (they don't want people just pulling a "hit-and-run"), so this further lessens the value of the offer.

The surprising thing was how low the offers were compared to the EV. For example, at the first decision-making waypoint, a typical offer is $22,000. In both of the cases I have witnessed, the actual EV was appx $130k.

I have created an Excel spreadsheet that you can use to quickly determine your EV if you are following along on TV or trying to strategize for an upcoming appearance on the show.

You can download the spreadsheet at
http://jackace.com/blog/Deal_or_No_Deal.xls

To use the spreadsheet, change the 1 to a 0 in the "Case Remains" column as the corresponding prize is revealed. As you do this, the EV cell will change. If you want to enter the banker's deal, you can update the "Offer" cell and the two cells to the right of it will show you the number of unopened cases that are of higher value and the percentage of cases that are greater than the offer.
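For readers without Excel, here is the same calculation as a small Python script. It is an added example, not the spreadsheet from the post: a "Case Remains" flag per prize, the EV of the unrevealed cases (total unrevealed money divided by the number of unrevealed cases, the selected case included), and for a given offer the number and percentage of unrevealed cases worth more than it. The 26-prize board is the standard US board as I know it (its total of $3,418,416.01 and opening EV of $131,477.54 agree with the figures in the post); the six revealed prizes and the $22,000 offer in the demo run are constructed for illustration, and amounts are held in integer cents so the EV is exact.

```python
# Standard 26-prize board of the US show, in dollars (opening EV $131,477.54).
BOARD = [0.01, 1, 5, 10, 25, 50, 75, 100, 200, 300, 400, 500, 750, 1000,
         5000, 10000, 25000, 50000, 75000, 100000, 200000, 300000, 400000,
         500000, 750000, 1000000]


def to_cents(dollars: float) -> int:
    return round(dollars * 100)


class Scoreboard:
    """Mirrors the spreadsheet: one 'Case Remains' flag (1/0) per prize."""

    def __init__(self, board=BOARD):
        self.case_remains = {to_cents(prize): 1 for prize in board}

    def reveal(self, dollars: float) -> None:
        """Flip the 'Case Remains' flag to 0 when that prize is shown on the board."""
        cents = to_cents(dollars)
        if self.case_remains.get(cents) != 1:
            raise ValueError(f"${dollars:,.2f} is not an unrevealed prize")
        self.case_remains[cents] = 0

    def unrevealed(self) -> list:
        return [cents for cents, flag in self.case_remains.items() if flag]

    def expected_value(self) -> float:
        """Total unrevealed money / number of unrevealed cases, in dollars."""
        cases = self.unrevealed()
        return sum(cases) / len(cases) / 100

    def cases_above(self, offer: float) -> int:
        """How many unrevealed cases are worth more than the offer."""
        return sum(1 for cents in self.unrevealed() if cents > to_cents(offer))

    def fraction_above(self, offer: float) -> float:
        """Share of unrevealed cases worth more than the offer (0.0 to 1.0)."""
        return self.cases_above(offer) / len(self.unrevealed())

    def verdict(self, offer: float) -> str:
        """The post's rule of thumb: take the deal only if it beats the EV."""
        return "Deal" if offer > self.expected_value() else "No Deal"


if __name__ == "__main__":
    sb = Scoreboard()
    print(f"Opening EV: ${sb.expected_value():,.2f}")
    # Constructed first round: six prizes revealed, then a $22,000 offer.
    for prize in [1, 10, 750, 10000, 200000, 500000]:
        sb.reveal(prize)
    offer = 22000
    print(f"EV after round 1: ${sb.expected_value():,.2f}")
    print(f"Cases above ${offer:,}: {sb.cases_above(offer)} "
          f"({sb.fraction_above(offer):.0%})")
    print(f"Cases above the EV: {sb.cases_above(sb.expected_value())}")
    print(f"Verdict on ${offer:,}: {sb.verdict(offer)}")
```

In the constructed round the EV comes out near $135,000 against a $22,000 offer, which is the kind of gap the post describes at the first waypoint; 8 of the 20 remaining cases (40%) still beat the offer, and the rule of thumb says No Deal.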

There will likely be more analysis of this game in days to come. I will analyze data from the offers to see if there is any correlation between what the contestant is holding and their offers. I also plan on cracking the Flash version of the game on NBC's web site to see how the web-based version of the game calculates the offer.

Stay tuned and enjoy!