Forgot your password?
typodupeerror

BlackFrog to Take up BlueFrog's Flag 178

Posted by Zonk
from the internet-routes-around-stupidity dept.
Runefox writes "ZDNet UK has a story about a new SPAM defense mechanism called BlackFrog, a response to the demise of Blue Security's BlueFrog. According to the article, the new service is based on a P2P network of clients, called the 'Frognet', which allows the opt-out service to continue functioning even after a server has gone down, making a DDoS attack like that which crippled BlueFrog ineffective against the new service."
This discussion has been archived. No new comments can be posted.

BlackFrog to Take up BlueFrog's Flag

Comments Filter:
  • Link (Score:4, Informative)

    by Anonymous Coward on Friday May 26, 2006 @08:58AM (#15409348)
    • Re:Link (Score:3, Interesting)

      by WhiplashII (542766)
      To get the same effect in a perfectly legal and unstoppable way, alter Mozilla and other email clients so that when you click on the junk button it automatically goes and fills out form, etc - without accessing a separate server. That way, they get a response from each person solicited or spammed (prefectly reasonable) and they have to sort through the responses to find the ones that fell for the scam.

      Many people will say that if you do this the spammers will know your address. My response: 1) they obviou
      • Re:Link (Score:3, Interesting)

        by Smidge204 (605297)
        1) they obviously already know your address

        Maybe, maybe not. They have your e-mail in a list somewhere, but they don't know if it's still valid. Sending a real response proves that it IS valid and IS checked actively, which increases its value when sold to advertisers or sold/traded to other spammers.

        NOT replying puts a little "?" on the message, because they know the address is probably still valid (didn't bounce) but there was no reply (maybe nobody checks it)?

        I think the better solution would be to send
        • Then you want Mailwasher, which has used the 'bounce spam as if the address is invalid' for years. I doubt it has helped, but you never know.. layers of defence and all that.
      • To get the same effect in a perfectly legal and unstoppable way, alter Mozilla and other email clients so that when you click on the junk button it automatically goes and fills out form, etc

        Then the spammers will start adding captchas to their opt-out pages.

        Oh, the irony.

  • Poisonous frogs? (Score:5, Insightful)

    by RingDev (879105) on Friday May 26, 2006 @08:58AM (#15409350) Homepage Journal
    How long until some hacker poisons the peer system into spamming a legitimate site?

    -Rick
    • by Paran (28208)
      FTA:
      Participants will send reports of spam emails to Okopipi, which will use "handlers", including dedicated servers, to analyse it. To avoid suffering the same fate as Blue Security, Okopipi's staff will not disclose information about its servers.

      Sounds like the same idea as Blue Security, only they're hiding. Probably will result in the same outcome. Massive DDoS on their "hidden" servers.
    • Re:Poisonous frogs? (Score:3, Informative)

      by lhorn (528432)
      That's the whole point of an analysis before sending opt-out messages from all members. I am not familiar with Black Frog intended function, but if a certain percentage of their members gets similar messages it's a fair bet it is spam. A FrogHerder must look at the message to ensure it is sufficently spammy, before action - this may even be legal somewhere in the world.
      • by Jac_no_k (5957)

        You can't trust the "members". Say that a savvy black hat creates many "tainted-members". What happens if the "tainted-members" all report that a legitimate site is spamming?

        I think one method for this to work is for each suggested target be evaluated by each member. The member has to agree that this is a valid target before his account participates in the attack.

        • by sk8king (573108) on Friday May 26, 2006 @10:20AM (#15409928)
          >I think one method for this to work is for each suggested target be evaluated by each member. The >member has to agree that this is a valid target before his account participates in the attack.

          With a certain threshold of participants required before the attack even takes place. If there are 100 members, perhaps 20 would need to agree on the item in question being spam. 15 wouldn't be enough to initiate a retaliatory opt-out.

          I wonder how much of the "background" noise on the internet is this sort of crap floating around....DNS requests for viruses, port scanning for viruses, traffic in the form of spam, spam responses, systems to deal with spam....probably more than anyone realizes.
    • Re:Poisonous frogs? (Score:2, Informative)

      by mybootorg (975440)
      I think it might be helpful for you to go back and read up on what Blue Frog was initially about. Their FAQ is undoubtedly cached somewhere. Many of the people posting here -- and nearly all of the media in past weeks -- have missed the point entirely. Because of the deliciously newsworthy "angle" of using spam vs. spam, most reporters have molded Frog to fit that news story, but not to represent what it actually was.

      Blue Frog didn't automatically focus on every Spam that was submitted. It focused on t
  • seems insecure (Score:3, Insightful)

    by robinesque (977170) on Friday May 26, 2006 @08:59AM (#15409360)
    Sounds sort of insecure for a project like this to be openly editable to the public via a wiki and p2p network.
    • The network is P2P, but authority is hierarchical. We'll use anonymous routing to prevent DDOS on the high authority nodes. And the network will require a validated login.

      On the remote case we suffer a complete P2P blackout, the frogs can still opt out - the network will only be used as a regulation mechanism.

    • Sounds sort of insecure for a project like this to be openly editable to the public via a wiki and p2p network.

      The P2P network will almost certainly include some sort of authentication system so that peers cannot fake messages from other peers. A voting system means that the number of 'bad' peers must be very high to cause any damage to the network as a whole. The system will have to be able to identify the bad peers and remove them from the network as soon as possible. A difficult challenge, but given that
  • good idea (Score:3, Insightful)

    by Amouth (879122) on Friday May 26, 2006 @09:00AM (#15409361)
    just too bad that someone couldn't get this into the BlueFrog stuff before it died.. atleast then they would have a large userbase.. but if the Blue peps are the ones that look at the e-mails to make sure someone isn't being evil and submitting normal HAM - how is that going to work without master to authorize the clients???
  • by DigDuality (918867) on Friday May 26, 2006 @09:02AM (#15409370)
    Just as a correction folks, it's not called "Black Frog" this is a mix up. There was two projects. Black Frog and Okopipi aiming for the same goal. Black Frog stopped and the people joined Okopipi.
  • I hope that people from bluefrog will release source of their utility. This new initiative could surely benefit from their sourcecode.
  • by ScouseMouse (690083) on Friday May 26, 2006 @09:10AM (#15409436) Homepage
    Hmm, wont it be amusing for user's PCs to be spamming as part of an hidden botnet and running this at the same time. Hope their not on dialup.
    • by forghy (749877)
      The goal is to spam the spammer *sponsors*, not the spammers themselves. This is the exact reason why the blue frog was so successfull.
      Once you receive a mail advertizing pills or wrist ornaments , the Blue/Black frog client sends an opt-out message to the advertized mailbox.
      Let say this online shop sends a million spam messages by means of a spammer, he (the shop owner) receveives 1 million opt-out messages back !


      Days are counted for the spammers ! MUahAhahAHhaHAh
      • Ah this makes more sense now.

        Must go away and read the original bluefrog article again.

        Actually i wouldnt count on the days of spammers being numbered.
        The sneaky little bugg@rs have been getting round new antu-spam systems for years, and the more unscrupulous will start doing things like providing opt out locations that look different when you view then. (IE, providing two links, a link thats invisible for the anti spam engine to chew on, and one that isnt that may be obfuscated in some way)

        Unfortu
  • SpamCannibal (Score:1, Informative)

    by Anonymous Coward
    I think one of the most genial spamtools is SpamCannibal
    http://www.spamcannibal.org/cannibal.cgi [spamcannibal.org]
  • OMG vigilantes (Score:5, Insightful)

    by giorgiofr (887762) on Friday May 26, 2006 @09:14AM (#15409462)
    I can imagine the slew of whiners who will complain about such a vigilante approach to this problem.
    Well, remember Firefox, "We're taking back the web"? That's exactly what we're doing here. It's the only strategy that's going to work. Bitching and moaning won't get you a clean mailbox. Taking spammers down will.
    If you disagree with fighting fire with fire, I suggest you also criticize any and all law enforcement activities. They're simply state-sponsored vigilantes.
    • by joe 155 (937621) on Friday May 26, 2006 @09:17AM (#15409487) Journal
      couldn't we just send the spammers a sony music cd? That rootkit would take out their computers at the source instead of just spamming them
      • by op12 (830015)
        If it's a recent Sony music CD, you're going to have a hard time convincing them to put it in their computers as they'll likely be thinking, "Why do I want to listen to this garbage?"
      • I think we should solve this with a two tier internet!

        One "slow" tier would be for all the people who actually reply to spam (thus giving the spammers money) or get their computers infected with bots and fail to clean them.

        The other "fast" tier would be for poeple who know better than to click on everything in their email box and instead delete the spam / trojans.
      • ... like infecting the spammer with AIDS or Rabies - I'm sure they'll be the last customer of those "cureall" stores
    • Just remember this post when your local subnet gets knocked out when this new thing and some titan of a spammer start slamming each other and happen to be near you. I believe there is an old African proverb [thinkexist.com] about what happens when two elephants fight that is appropriate here.
    • Well, remember Firefox, "We're taking back the web"? That's exactly what we're doing here.

      I like Firefox and all, but I really don't see the connection between having a choice over your web browser and launching DoS attacks on possible spammers.

      If you disagree with fighting fire with fire, I suggest you also criticize any and all law enforcement activities. They're simply state-sponsored vigilantes.

      Once they are state sponsored, they rather stop being vigilantes. They also (hopefully) are held ac

    • I have no mod points, so I must respond...

      I'd like to hope Okopipi could make a positive difference, but it cannot, because it is open to exploitation by the very people it's trying to stop.

      Okopipi's greatest asset: people who are desparate to stop spam; is also it's greatest weakness, because their frustration sometimes leads them to take ill considered actions without first understanding the facts. Choosing to publish the statement below is a fairly pertinent example:

      If you disagree with fighting f

      • When a state sponsored law enforcement official does their work they are enacting the will of a democratically elected governement. It is a careful and methodical process designed to protect the innocent.

        Perhaps the GP was from the US, where that doesn't hold true anymore...
      • you seem to be labouring under the delusion that a law will actually work and that the spammers won't simply buy loopholes in the law.

        look at CANSPAM. it seems to be real effective.... >/sarcasm
      • The problem with Okopipi is that it amounts to an unelected and unrepresentative group that is appointing itself as police force, judge, jury and executioner.

        Unelected? Unrepresentative? We've received HUNDREDS of volunteers to help us. And with more than 700 diggs (yes, blasphemy! don't burn me), i doubt it's "unrepresentative".

        The problem with Okopipi is that it amounts to an unelected and unrepresentative group that is appointing itself as police force, judge, jury and executioner.

        It should be obvious by
        • Hi SpyDerMan, I appreciate that you're trying to make a positive difference, and I'm concerned that the project may be trying to solve the problem by entirely the wrong means...

          We've received HUNDREDS of volunteers to help us. And with more than 700 diggs, i doubt it's "unrepresentative".

          The number of volunteers is certainly promising, and although 700 is a good start its definitely not a representative sample of the 1 billion people who now use the internet [internetworldstats.com].

          I note that there are as yet no volunteers

    • > If you disagree with fighting fire with fire, I suggest you also criticize any and all law enforcement activities. They're simply state-
      > sponsored vigilantes.

      Actually, in any reasonable democracy law enforcement is more like "state-sponsered vigilantes, with an independent court system designed to prevent them from accidently screwing over the innocent in their zealous quest for justice."
    • That's exactly what we're doing here. It's the only strategy that's going to work. Bitching and moaning won't get you a clean mailbox. Taking spammers down will.

      And you think this is going to work? First, there is little or nothing stopping abuse of this system. I can compromise a machine and send out piles of offensive spam for my competitor, and the system will then fire what amounts to a DoS attack at him. Second, This sort of an attack can be filtered out by ISPs now (on premium accounts) and that ca

    • We'll use throttling techniques to let them live and breath.

      What we're going to do, is poison their purchase forms (as Blue Sec. did) with enough requests so they have to search in them before finding true customers.
  • by Paran (28208) on Friday May 26, 2006 @09:20AM (#15409511) Homepage
    I thought the reason Blue Security closed shop was because the spammers had diff'd their user database, identified quite a large amount of the participants, and then threatened virus attacks directed at them. Not because of the DDoS.

    Blue Security Gives up the Fight [slashdot.org]
    The spammer also sent another message: Cease operations or Blue Security customers will soon find themselves targeted with virus-filled attacks.
    ...
    "It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start," Reshef said. "Our users never signed up for this kind of thing."


    I'm guessing the only real difference is that users will know this time around.
    • by mikael_j (106439) on Friday May 26, 2006 @09:25AM (#15409540)
      You're getting things mixed up, I think most users were quite willing to get involved in the cyber-war, the problem was that the company didn't have the resources to fight it.

      I'll probably sign up for this blackfrog thing once I've checked it out. In fact, I'd probably consider giving money to someone collecting money to pay someone else to beat the shit out of the world's top spammers. I'm serious, they're scum..

      /Mikael

      • It's not that the company didn't have the resources to fight it (although it's true that they didn't), it's that it was causing so much collateral damage. Once the spammer had taken down the primary BlueSecurity site, he took down the third-party site hosting the blog on which BlueSecurity's response to the first takedown was posted, and showed every sign of being ready to take down any other site that overtly supported BlueSecurity. Faced with the choice of shutting down or being indirectly responsible for
        • Frankly, they should have let the spammers go for it then. If you give in to Terrorists, you can only expect more terror in the future. Or so all the western governments seem to keep telling us as they send in the special forces.

          If the spammer took out a public enough target, the authorities would have had to get involved. BlueSecurity wasn't doing anything illegal (or even immoral - they only filled in the webform once for each email a user received.) so its a pity they were hounded out.
          • If the spammer took out a public enough target, the authorities would have had to get involved.

            The spammer took out several public targets-- the Blue Security site and the LiveJournal blogger site, as well as the ISP which hosted them last. The authorities aren't going to do anything. The "good guys" in this case are a scrappy web software company in Israel. The "bad guys" are contract "advertisers" for some (probably shady but not proven so) corporations who clog up the internet with crap. Most of "the au

  • From their wiki:-

    Okopipi will automatically click the "opt-out" or "unsubscribe" links contained within the emails and/or report the spam to the appropriate authorities.

    I thought that it was generally a bad idea to click unsub or opt-out links in Spam messages since it only server to prove they have a valid email address and the receipient actually reads Spam messages.
    • Well, if you are trying to find spammers, and get more excuses to slam their websites, etc. then you want to click the unsubscribe links. The more spam they send you, the more they get slammed in response. Also, if this Black Frog stuff keeps track of this stuff, as part of the system, you then collect evidence of them sending you stuff even after you unsubscribed, which could be used to prosecute them in court as well as pounding their servers into the ground.

      So it makes sense for a system like this to

      • "so it can punish the people who hired the spammers"

        When the spammers' clients have to pay BIG TIME for MY inbox and everybody else's inboxes getting full of spam, that is when I expect spam to dry up.

        Until then its all just wanking.
    • A legitimate concern, but with the Blue Frog system at least, the way this was handled was that the system did not identify which email address was clicking the links. All the "clicking" was done by the Blue Security servers, it just added up to one opt-out/unsubscribe click per spam message sent.
      • If the links are put together by someone who is not a total fucking moron, the link either has the email address encoded within it, or it is a unique token that links to a specific email address. Either way, following the opt-out link will indeed confirm that the address was deliverable. Unless these guys are just generating web traffic to the same server but a wholly different URL, preferably not even accessing the server by name but by IP... Which I doubt.
    • It would be horribly logical for a spammer to supply an "opt-out" link which was an exploit for a browser bug, installing a remote access Trojan.

      Has anyone heard of that actually happening?
    • generally i've found that most of the unsubscribe addresses don't even work. i tried it on one of my spare email accounts and tried mailing some of the unsubscribe addresses. 15 out of 20 of them returned "delivery status notifacation : failure" messages.
  • isn't this really good botnet vs bad botnet? (With good being defined as "opt-in"?)

    The more successful it is, the more the Internet will be too bogged down to be useful to anybody.

    Also, if someone programs the botnet's to evolve to attack each other better, we're talking SkyNet right around the corner.

    • Re:Excuse me, but (Score:5, Interesting)

      by Billosaur (927319) * <wgrother AT optonline DOT net> on Friday May 26, 2006 @09:49AM (#15409700) Journal
      isn't this really good botnet vs bad botnet?

      More like Autobots vs Decepticons, but in the end it's the same thing. The "good" forces won't be a botnet per se, but a loosely aligned group of people doing the same thing, taking on a group with coordinated resources capable of wreaking terrible havok. It's vigilantism to be sure, but until the government of the world actually get their heads out of their butts and come up with a unified and mutually beneficial set of laws to deal with spammers wherever they live, this is the only tool anyone has to even try and slow the spammers down.

      • Asking to be taken off of a spammers list is definitely not vigilantism. Far too many people are talking here who have no idea how their service worked.

      • It's not vigilantism. I, the receiver of the email, an entitled to answer it if I choose. I am also entitled to use a piece of software to help decide which mails I'll answer to. If the business model of the sender depends on only 0.1% of his emails beeing answered, that's his problem. My problem is with the one and only email I got from him, to which I can decide to answer or not.
        This can be stretched quite broadly from here. I can answer anonymously, I can answer through a pr
        • 100% correct -- all this tool is doing is evening out the balance so that spam becomes more like a normal commercial interaction.

          If the spammers were willing to manually type out each spam message and type my address in by hand, THEN it would be balanced when, receiving the spam, I need to manually navigate to the advertised site, find a "remove me" page, and manually type in my address.

          Of course they aren't going to do that -- this is the computer age. Computers exist to rapidly accomplish these kind of t
  • by 1_brown_mouse (160511) on Friday May 26, 2006 @09:27AM (#15409550)
    Every spammer gets a "Spring Surprise."

    CrunchyFrog explined. http://orangecow.org/pythonet/sketches/crunchy.htm [orangecow.org]
  • by mybootorg (975440) on Friday May 26, 2006 @09:46AM (#15409675)
    Ok folks, let get a few things straight.

    Blue Frog was NOT effective not as a denial of service attack or distributed denial of service attack. It was never meant or designed to be. The Russian spammer said it himself - they never brought down our servers, they only served as "a daily nuisance". The nuisance was this: for every spam that the spammer sent to the some 500,000 Blue Frog members, an automated script (bot) visited the website advertised and filled out the form for snakeoil, home refinancing -- whatever was being hawked. But instead of filling it in with valid input from someone interested in what the website was hawking, it filled it in with a legitimate plea from a single person to Opt-out of being spammed further. With me so far?

    The spammer -- or worse, the spammer's client -- in turn, goes to check on their database of people or leads to which they can hawk their snakeoil and generic viagra and low and behold, instead of being filled with legitimate contacts of people they can do business with -- it's filled with hundreds upon thousands of opt-out requests.

    Undoubtedly there are real requests from potential business contacts in there. But first they have to filter out all the opt-out requests that Blue Frog has submitted.

    Sound familiar? It sure does. It's what we've been putting up with for years. We open our Inbox and instead of seeing email from friends and business associates, we first have to sift through and filter a few gazillion pieces of spam -- each with "Hi How are you?" and "Important Account Information" fake titles. Only then can we get down to the email that's actually sent to us. It's a nuisance.

    Blue Frog forced spammers to deal with the SAME NUISANCE they cause us. And the spammers didn't care for it too much. They don't care about opt-out requests, the Internet, what people think of them, possible prosecution --- all they care about is making money and they're making it by the truckload. The fact that Blue Frog actually bothered them enough to use their botnets to attack is VERY encouraging. It means we've found a way to kick them in the ass and make it hurt.

    Please don't compare Blue Frog or Black Frog to a DDOS or DOS. As the Russian Spammer demonstrated with his attack, what little network disturbance Blue or Black Frog causes for the spammer or spammer client server pales in comparison to a real attack. Mainly because it isn't meant to be an attack in the first place.

    If Black Frog ends up with 1,000,000 subscribers, then lets talk DDOS.
  • Security? (Score:3, Interesting)

    by Rob T Firefly (844560) on Friday May 26, 2006 @10:22AM (#15409941) Homepage Journal
    This does look promising (from TFA:)

    "It will be based on a P2P network (the frognet)," according to a posting on the wiki. "On failure to connect it could still opt out given email addresses."

    Participants will send reports of spam emails to Okopipi, which will use "handlers", including dedicated servers, to analyse it. To avoid suffering the same fate as Blue Security, Okopipi's staff will not disclose information about its servers.

    "Only the Okopipi administrators will know their locations," the group said on its wiki. This should make a DDoS attack "very difficult", it said.

    That seems solid, but I wonder how something so open can keep a secret like what and where its servers are. It's beyond me, anyone have more info?

  • Glad to know that annoying solutions are evolving as quickly as annoying intrusions. A weakness was discovered in the first system, and now an improved version is available. Clearly the first system was sufficiently annoying to be attacked, which means it was working. In the end it's all a question of who you want to annoy. I vote for annoying spammers since they've annoyed me for far too long.

    As far as "poisoning" the black list with a wrong target, who needs to? That would only be an overly complic

    • As far as "poisoning" the black list with a wrong target, who needs to? That would only be an overly complicated form of DDoS attack, which can be accomplished much more simply already. It's not something to worry about yet.

      Actually, it would accomplish a little more. It would not only attack a target with a DDoS, but also may train DDoS filters to automatically remove DDoS from the same hosts. Thus, it makes the system ineffective against spam for a company from the same link.

  • For me, this would work well with a Thunderbird plugin: Say an option to send the opt-out as a right-click.

    I have a catchall account for non-valid email addresses in my domain. Everything that goes there is junk. I could have t-bird's junk filter grab it (mostly it does correctly at this point.), and then when I manually delete stuff, perhaps there could be a right-click to mark as frog-food? (about two thousand a day. fun fun.)

    My $.02
  • Disclaimer: This is my personal opinion and does not reflect the viewpoints of other members of the Okopipi project.
    --

    Sheesh people! I hate to have to respond to 1,000 comments made by kneejerks who don't even RTFA, saying how terrible it's to DDOS and how the system could be abused.

    Do you think we're idiots to let something like this happen?

    1. The "attacks" on websites will be moderated. We want to make sure that the force is non-lethal to websites. We haven't discussed the implementations, but the decision has been taken: We will use throttling to PREVENT denial-of-service attacks.

    2. The P2P network does *NOT* control the clients, it'll only distribute opt-out scripts for websites. Also, the customer can log out ANY TIME they want. So, NO, it's NOT a botnet.

    3. Spammers Don't need P2P networks to initiate an attack. They already have their effective botnets in infected WinXP machines.

    4. There will be a reputation system AND a hierarchy system (so not everyone can mod someone down), people will have to earn their trust to classify scripts, those who report wrong sites will be modded down, and the usernames and reputations are permanent. The hierarchy system we're studying requires at least two people acting as an individual before taking any action, to prevent infiltrations.

    5. We're already considering infiltration of spammers in our model, we're researching papers written by experts in graph theory and computer science for this. A spammer could at most try to disable the network, but with the currently planned infrastructure, i doubt they can do it.

    6. We haven't started to code. We're still discussing (and will continue to discuss) the possible consequences, abuses, attacks and how to prevent them or at least minimize them. We cannot afford to have ANY point of failure.

    7. If any wants to cooperate, the google group is open to ideas.

    8. And I repeat: we will *NOT* DDOS websites. It's a decision the commitee has taken, and it's a final decision. There have been people who have proposed to DDOS the spammers to death, and we're already shutting them up.
  • ... But I use gmail almost exclusively and receive a ton of spam, but what little gets through their filter is caught by Thunderbird. Now, I know Google and Mozilla, Inc. are pretty innovative groups, but why can't others do what they're doing? Especially as Thunderbird is open source? Spam exists because it is profitable. If people saw very little spam it wouldn't be so profitable anymore.
  • Due to TradeMark conflict, I have closed the Black Frog project. Actually the project was just a nameholder, since Okopipi was a separate project which I joined later.

    So the official name of the P2P antispam software is now "Okopipi". Please stop naming it "Black Frog" or we could get sued for Trademark Infringement.

    Thank you.

    (More info on my journal) [slashdot.org]
    • Let's get this straight. Over one day a spammer sends 5 million invitations to go to a web site to buy a product. Over one day 5 million recipients visit the web site and in compliance with the CAN-SPAM Act request to be removed from the mailing list.

      A DDOS is an illegal act. 5 million responses to an invitation is a CAN-SPAM compliant act.

      Why do so many people not understand the difference? Is it from ignorance, or from vested interests in spreading spam?

      ---
      nostalgia ain't what it used to be
      • The term DDOS is used by the spammers to spread FUD. There are much more effective techniques to DDOS a website, that just send useless traffic.

        But an opt-out request is not useless in any way. It's valuable information. In this case, the spammer would see "500,000 people want me to remove them from my mailing list". It's not just traffic.

When you make your mark in the world, watch out for guys with erasers. -- The Wall Street Journal

Working...