<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Kalimat al-Mutafalsif &#187; Phishing</title>
	<atom:link href="http://thesnarky.com/category/interests/security/phishing/feed/" rel="self" type="application/rss+xml" />
	<link>http://thesnarky.com</link>
	<description>The Words of the One Who Calls Himself a Philosopher</description>
	<lastBuildDate>Tue, 26 Oct 2010 22:57:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Phishy Snail Mail</title>
		<link>http://thesnarky.com/2007/02/07/phishy-snail-mail/</link>
		<comments>http://thesnarky.com/2007/02/07/phishy-snail-mail/#comments</comments>
		<pubDate>Wed, 07 Feb 2007 22:50:08 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Annoyances]]></category>
		<category><![CDATA[Interests]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Stupidity]]></category>

		<guid isPermaLink="false">http://thesnarky.com/archives/132</guid>
		<description><![CDATA[Saturday I got a letter that I thought I'd share. It's really interesting to me, since I've dealt a lot with phishing emails, and this real letter set does many of the things that both phishers, and unfortunately legitimate companies, do. If companies would stop doing these things, Phishing would get harder! This is gonna be a long post, please bear with me. Without further ado, I give you: The Car Registration Scam (which later turned out to be legit).]]></description>
			<content:encoded><![CDATA[<p>Saturday I got a letter that I thought I'd share. It's really interesting to me, since I've dealt a lot with phishing emails, and this real letter set does many of the things that both phishers, and unfortunately legitimate companies, do. If companies would stop doing these things, Phishing would get harder! This is gonna be a long post, please bear with me. Without further ado, I give you: The Car Registration Scam (which later turned out to be legit).<br />
<span id="more-132"></span><br />
It's important to know my car is registered in Indiana, so this is not entirely random. If this was for, say, Kentucky, I'd obviously throw it out. However, you'll see that this letter could be changed for other states as wanted. The Indiana BMV website is <a href="http://bmv.in.gov">here</a>, for your reference.</p>
<p><strong>First Impressions</strong></p>
<p>First off, let's look at the <a href="http://thesnarky.com/html/pictures/bmv/outsideletter.jpg">envelope it came in</a>. You'll notice a few things:</p>
<p><img src="http://thesnarky.com/html/pictures/bmv/postage.jpg" alt="" /><br />
The postage:</p>
<ol>
<li>It's presorted, there's no postage stamp, or postmark. </li>
<li>That it came from 46206 (Indianapolis), assuming that zip code in the upper right is correct.</li>
</ol>
<p>Through the top window we see: <img src="http://thesnarky.com/html/pictures/bmv/topwindow.jpg" alt="" /></p>
<ol>
<li>That it uses an Indiana BMV titlehead that includes a zip code different from where the letter was mailed.</li>
<li>There is a very poor seal on the titlehead, it's low quality on the original as well.</li>
<li>All of the information (including seal) on the titlehead comes from the <a href="http://www.state.in.us/bmv/">BMV Homepage</a>. Not just on the web... but on their front page, real easy to get at.</li>
</ol>
<p>In the second window we see some more information: <img src="http://thesnarky.com/html/pictures/bmv/bottomwindow.jpg" alt="" /></p>
<ol>
<li>My name and address (blacked out here, please don't subvert the censoring, I was lazy, and yea, it's bypassable) as I see on any amount of junk mail I get each week.</li>
<li>Some nice tracking/payment information. Not knowing too much about the mail system, I'd guess that's how they know where to route/who to bill for the letter.</li>
<li>Random Barcodes that one assumes go along with the name and address.</li>
</ol>
<p>Already some things to think about. No postmark means we have to assume that zip in the upper right is correct and it isn't some fool in Nevada mailing these out. The fact that there's no stamp means these were probably sent legitimately, or that the mailer had access to the mail system. There is nothing on this envelope that even remotely suggests it came from who it supposedly came from. </p>
<p><strong>The Information</strong></p>
<p>Upon opening the envelope and seeing <a href="http://thesnarky.com/html/pictures/bmv/letterfront.jpg">the letter</a>, my suspicions grew deeper.</p>
<ol>
<li>Dear Valued Customer.... uh oh... they "know" my name, yet don't put it in here? Yea, studies have shown that users don't care how they're addressed, but I'd like to see this clearly directed at me.</li>
<li>Recently modernized its databases.... geek speak that any user will accept, and comply with. Who wouldn't? It's making the BMV a better place to be! Oh, but what if they didn't?</li>
<li>To ensure we can complete... holy crap, a threat! If I don't send this in I can't register my car by mail! Yes, phishers usually use veiled threats to prompt users into making a fast decision. It should be noted that the date they give (the 31st of January) was impossible, as I received the letter on the 2nd of February. This would instill fear in the reader, and make them jump to send it in immediately.</li>
<li>Customer Service Number... yes, it turns out if I look on their website this is a number listed to them, but not being near Indianapolis or from around there, I don't know those area codes. I assume this number was fake at first. Real customers want 1-800 numbers.</li>
<li>Sincerely.... Note, there's no name here, just the Bureau as a whole. That bugs me as I can't call up and say "X person sent me Y letter."</li>
<li>The expiration date... is wrong. Unless my hard copy documentation is wrong, this date is actually three days after my real expiration. Very interesting.</li>
</ol>
<p>Also, there's some nice fancy numbers on there. I'd like to point out they ask for payment twice, and both places it's bold. Sure they've got my correct information on there, but these values can be guessed!</p>
<ol>
<li>Make: If you see my car, you can read the make.</li>
<li>Color: Same for color</li>
<li>Township: Indiana uses the first two digits of each license to denote the county, so I can just pick the biggest township in that county as a safe bet. Better, you already KNOW MY ADDRESS. Just figure out the township from the full zip code.</li>
<li><a href="http://en.wikipedia.org/wiki/Vehicle_identification_number">VIN</a>: Ok, this one is harder to get, but I don't know my VIN offhand, and chances are good that I won't run out in the freezing weather to check each digit if the rest of this looks fine to me. Why should I? It's the BMV, and they already know it! I linked to the VIN page though to show that one can guess a fair bit of the VIN and hope the victim stops checking after the first 5-10 digits.</li>
<li>Money: Some nice figures on here, totaling $85.75... but where do they come from? If you got a bill for $85 from someone claiming to be your electric company, would you pay it?</li>
</ol>
<p>It should be noted here that the only field of the registration NOT present on this letter is the social security number. Quite interesting, I think. Mainly because most people know their social right off the bat, and you'd have to get it absolutely correct for any credibility. Makes sense to me that crooks would leave it off, and good guys would put it on. </p>
<p><img src="http://thesnarky.com/html/pictures/bmv/backinfo.jpg" alt="" /><br />
The <a href="http://thesnarky.com/html/pictures/bmv/letterback.jpg">back of the letter</a> is where you actually fill in your credit card information. Also <a href="http://thesnarky.com/html/pictures/bmv/backwarning.jpg">another warning</a> of "you'll have to pay more money" if you don't send it in before the time limit. And that <a href="http://thesnarky.com/html/pictures/bmv/backwarning2.jpg">you're a criminal</a> if you don't do this. Geez, it's like card swiping, but the slow version! That phone number's on the back again, as well as a form identification number. That's funny, I googled for a few minutes and that form number didn't show up. I checked the BMV website, it didn't show up... Approved by the State Board of Accounts, sure, but how do I verify that without calling them up?</p>
<p><strong>The Analysis</strong><br />
Where to begin... </p>
<ol>
<li>There's some nice discrepancies in here. Three different zip codes used. Form numbers that are fake. Phone numbers that appear fake.</li>
<li>How could the real DMV get my expiration date wrong? (I actually found why this would be thought of as my renewal date, doesn't change the fact that my registration says otherwise).</li>
<li>This letter uses many of the techniques a phisher uses, and we're trying to train people to be wary of those techniques, so why should I assume this is legitimate?</li>
<li>Any letterhead that low quality does not seem to be from the real company. I'm willing to bet that graphic was downloaded (in color) from the website, and just turned greyscale.</li>
<li>All information regarding the BMV on here can be found on their website. On the front page, in fact.</li>
<li>In addition I could *not* find much regarding mailings for renewals, besides in passing reference. They hype up their online system much more than this mailing.</li>
</ol>
<p>Overall this letter, to a security researcher, looks completely fake. Sure, they got my VIN but that's one piece of information. When dealing with my real identity, the burden of proof is on you to convince me I should give you information, not on me to prove that you're fake.</p>
<p><strong>The Conclusion</strong><br />
Well, I found out today when I drove to the closest BMV to me that these are legit. Indiana decided to outsource their mailings, and this company that's doing them just has no clue what they're doing.</p>
<p>But who cares? Well, for one, if a company can do this with Indiana's approval, what's to stop them from doing it without? They've already got the means, and it'd yield at least $85 per person that mails it in. You have the usual problems of laundering the money, so you'd probably want to only accept checks, as a credit card takes 60 days to clear. Due to the fact that until a very short number of years ago many drivers license databases were open to the world, it would not be hard to grab a bunch of records, and assume anyone over 25 is at the same address. If they're not, it's no real cost to the attacker. </p>
<p>Grabbing vehicle information seems to be the hardest, but I'm willing to bet someone can social engineer that information from a DMV or police station quite easily. I'm really tempted to see if I can put together this letter for a random person, just to prove it's possible. Of course, if that's illegal I'm going on record as saying I would never think of doing it.</p>
<p>I guess what I'm trying to roundaboutly say is this. Indiana is making its BMV customers used to getting mail from random third parties with no advance warning, and having them conduct what should be secure transactions via open mail. </p>
<p><strong>The Solution</strong><br />
In order to fix this, the BMV (and any companies that outsource their mail) should do the following. Look at snail mail like email. </p>
<ol>
<li>If you wouldn't send mail from a domain other than your root domain, why are you sending mail from an address other than your company HQ? If you wouldn't have a random domain in the reply to field, why are you having me ship my mail to a different TOWN than your HQ is in? I want to see consistency.</li>
<li>Why even have people pay this way at all? You wouldn't give a link for people to click on in email, you'd say "Go to our website, then do X". Ok, why not say "Hey, it's time to renew your plates, please go to your local BMV."</li>
<li>If you say something in your email, you'll want it to be true, as users can just google the datum in question. Likewise, make sure everything in your mailing is correct, or verifiable. Now, sure this MAY be legitimate form 46741, but I have no easy way of verifying that. Which to me says "fake".</li>
<li>Make sure everything looks legitimate. You have a TLD so your customers know it's you, right? You wouldn't want to tell people to go to chase.freehosting.com, it'd just look bad, not to mention fake. So when I see a phone number, I expect it to be a toll free number since those seem more legitimate.</li>
</ol>
<p><strong>The Fine Print</strong><br />
Yes, it did turn out this was a legitimate mail. Ok, rather it turned out that the BMV does contract out their mailing, so there's a chance this is legitimate mail. I have not, nor do I plan to scam anyone out of money, or credentials using a scam based off the details above. I have a tendency of being paranoid, so perhaps I read too much into the above, let me know what you think.</p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2007/02/07/phishy-snail-mail/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>What a Year</title>
		<link>http://thesnarky.com/2006/11/17/what-a-year/</link>
		<comments>http://thesnarky.com/2006/11/17/what-a-year/#comments</comments>
		<pubDate>Sat, 18 Nov 2006 04:31:24 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Annoyances]]></category>
		<category><![CDATA[Arabic]]></category>
		<category><![CDATA[Digital Rights]]></category>
		<category><![CDATA[Games]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Interests]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Poetry]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Sony]]></category>
		<category><![CDATA[Stupidity]]></category>
		<category><![CDATA[Tunisia]]></category>
		<category><![CDATA[Warhammer]]></category>

		<guid isPermaLink="false">http://thesnarky.com/archives/100</guid>
		<description><![CDATA[Well, in case you can't guess from the title, it's been exactly a year since I started this blog. To be more specific, it was November 20th of last year that I registered the domain. This post also (totally not planned, I swear) happens to be my 100th. Again, to be more specific it's my 100th page... pages include things such as my warhammer picture pages and the others you find under "Pages" on the right. So, this'll be a fun post, five days in the making, about all kinds of things dealing with the past year. ((Published a second time, I apologize))]]></description>
			<content:encoded><![CDATA[<p>Well, in case you can't guess from the title, it's been exactly a year since I started this blog. To be more specific, it was November 20th of last year that I registered the domain. This post also (totally not planned, I swear) happens to be my 100th. Again, to be more specific it's my 100th page... pages include things such as my warhammer picture pages and the others you find under "Pages" on the right. So, this'll be a fun post, five days in the making, about all kinds of things dealing with the past year. ((Published a second time, I apologize))</p>
<p><b>Some History</b><br />
The domain was registered while taking one of my patented Long Thanksgiving Breaks. That was ThanksGaming 2005, and I grabbed the domain one night while talking to that coder I always mention, <a href="http://push.cx">Malaprop</a> of <a href="http://www.cambrianhouse.com">Cambrian House</a>. Malaprop kindly put the domain on his site, installed <a href="http://wordpress.org/">WordPress</a>, and away I went. My first actual post (I believe) was on the 20th of 2005, but it was accidentally deleted, so the first surviving post is from the 21st.<br />
<span id="more-100"></span><br />
<b>Some Stats</b><br />
Over the past year, I've had (what I consider seeing as it's just another random blog in the Internet where a new one opens every second) to be some pretty nice stats.</p>
<ul>
<li>Over 20,000 page hits</li>
<li>Over 10,000 "users" you can figure out how <a href="http://randypeterman.com/StatTraq/">Stattraq</a> defines a user</li>
<li>Two search engines that have over 100% of my website indexed! (Again, you can go figure out how they have more pages indexed than I have pages).</li>
<li>Two pages selected by spambots for spam! They think I'm popular (I guess) and spam half-year old posts to sell viagra! An annoyance I took care of by using <a href="http://akismet.com/">Akismet</a></li>
</ul>
<p>Of course, the above ignores such fun ones as 100 posts means roughly one post every 3-4 days. </p>
<p><b>Big posts</b><br />
I believe I created the blog to talk about the <a href="http://thesnarky.com/archives/2">Sony BMG Fiasco</a>. This was my first serious post, and it got some decent reads by a variety of people. Unfortunately for the world, this has pretty much blown over in a year. Heck, it had blown over within 6 months. What a shame a company got away with this when non-malicious citizens are thrown into court for downloading one song to the tune of $2,000. Had Sony gotten such treatment, it would be out of business (I refer to the fact that Sony included source code that was licensed. In addition they took it from a man whom the music industry tried to have thrown in jail.) </p>
<p>The next significant thing I talk about was my <a href="http://thesnarky.com/archives/33">beliefs with regards to software</a>, and the fact that I buy into a communist view of software. I tied this in with one of my favorite pieces of code, <a href="http://thesnarky.com/archives/35">Linux</a>. </p>
<p>I had a <a href="http://thesnarky.com/archives/45">run in with the law</a> last Spring that was kind of interesting. I'll leave it up to you to decide what to make of the encounter. The three ways I tried to write it here just... made Law Enforcement seem incompetent, and I don't want to say that.</p>
<p>While I may be the only one laughing about it, I think I came up with a good argument in favor of single geeks on <a href="http://thesnarky.com/archives/53">Inyragvarf Day</a>. </p>
<p>Then we saw a <a href="http://thesnarky.com/archives/64">public official fly off the handle</a> when presented with a problem he didn't know. Great lesson to be learned about politicians and technical stuff. I rather dislike politicians so won't be going down that road, however.</p>
<p> One of my favorite posts was how to legally and ethically <a href="http://thesnarky.com/archives/61">hack your GPA</a>. This might also be the one I'm most torn about, as I get tons of hits from search engines with kids looking to actually hack their GPA. Meaning, maliciously break into a grade server, and screw with stuff they don't own. My idea is a lot more elegant, and completely legal. Which is why I enjoy it.</p>
<p><b>Wrap Up</b><br />
It occurs to me this post is rambling and self serving... Plus I'm running out of time for posting right at midnight. So, I will end it now. You can browse back through my posts and see if there's anything decent. I'd like to wrap up by reiterating my purpose of this blog. That is, simply put, to generate thoughtful discussion (or just thought on your own) and get people to think more about the world around them. View everything from a different perspective, because that's how you find holes in a system. It may be that some of what I post is controversial. I may accidentally post something that's considered "illegal" by some form of law. Anything up here is not meant maliciously, and is purely for the sake of expanding the minds of my generation. </p>
<p>It's been a fun year for me, hopefully I've kept you (whomever my readers are... [Ok, I can see IPs... so I know who you are]) interested, and made you think a little more about some subject, I don't care what. See you next year.</p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2006/11/17/what-a-year/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Random update on many fronts</title>
		<link>http://thesnarky.com/2006/09/20/random-update-on-many-fronts/</link>
		<comments>http://thesnarky.com/2006/09/20/random-update-on-many-fronts/#comments</comments>
		<pubDate>Wed, 20 Sep 2006 05:59:43 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Arabic]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Interests]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://thesnarky.com/archives/88</guid>
		<description><![CDATA[Well, here's a bunch of random ideas strung together in an update on my life so far this year. ]]></description>
			<content:encoded><![CDATA[<p>Well, here's a bunch of random ideas strung together in an update on my life so far this year. For those keeping track I'm into my third year of college, and credit-wise am a senior.</p>
<p>First off, I changed my layout back to what it was when I <a href="http://thesnarky.com/archives/2">started the blog</a>. Mainly because that other one I used had some quirks to it I didn't like. I hope to come up with a new one somewhat soon as well as <a href="threeplanetssoftware.com">adding a domain</a> (Note, domain is empty as of right now not even a server for it) that I've always wanted which *just* became available. </p>
<p>Really busy this semester with research. Have an independent research class with a professor I absolutely love. The guy's pretty smart when it comes to security, systems, and computer science in general. I'm in another of his courses and have to do a project (thankfully related) for that class as well. On top of that there's some ideas I want to flesh out on my own that could lead to papers.  Finally, y'all know I program for fun as well, and I barely have time for that. Hence, this blog is gonna be sorely ignored for most of the semester. </p>
<p>My <a href="http://thesnarky.com/archives/category/interests/arabic/">love for Arabic</a> is finally starting to take a back seat to security issues, so I might be able to finally make a decision about where I want my life to head. However, as with all things in my life that decision's going to be quite complicated and will not end with a definitive one or the other answer. </p>
<p>I may have an awesome opportunity for an internship in the spring. Don't want to say any more than that for fear of jinxing it, as I'm fairly certain I won't get it, but it'd be amazing if I did.</p>
<p>I'm always looking forward to entertaining so anyone interested in seeing the research I'm working on, or just coming for a college visit that can find me in real-life, make sure to drop me a line, this school is gorgeous in the fall. </p>
<p>Finally I'm being <a href="http://thesnarky.com/archives/84">hit hard by spam posts</a>. Most for porn, the others for cheap sex pills. Sorry for the misspelling... s3x p1lls. Akismet catches most of it (about 200 a week) but about 4 have been getting through a week, annoying.</p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2006/09/20/random-update-on-many-fronts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Phishing Breaks New Ground</title>
		<link>http://thesnarky.com/2006/04/12/phishing-breaks-new-ground/</link>
		<comments>http://thesnarky.com/2006/04/12/phishing-breaks-new-ground/#comments</comments>
		<pubDate>Wed, 12 Apr 2006 21:19:07 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://thesnarky.com/archives/77</guid>
		<description><![CDATA[Well, it finally hit the <a href="http://www.scmagazine.com/uk/news/article/553652/security+firm+warns+toll-free+chase+phishing+scam/">papers</a> today (ok, yesterday, this has been a draft for a day). A <a href="http://en.wikipedia.org/wiki/Phishing">phishing</a> email went out, and instead of asking you to login to a bad site, it changed the legit phone number to a false one. They wanted you to call this fake number to reactivate your account. Now, I've known that phishing is not just limited to email, that's why I define it as "Scamming other people out of their credentials". Hopefully, this'll make mainstream media rethink their definition of phishing, and stop giving the false pretense of "ignore email, and you're safe". No one is safe, ever from frauds. ]]></description>
			<content:encoded><![CDATA[<p>Well, it finally hit the <a href="http://www.scmagazine.com/uk/news/article/553652/security+firm+warns+toll-free+chase+phishing+scam/">papers</a> today (ok, yesterday, this has been a draft for a day). A <a href="http://en.wikipedia.org/wiki/Phishing">phishing</a> email went out, and instead of asking you to login to a bad site, it changed the legit phone number to a false one. They wanted you to call this fake number to reactivate your account. Now, I've known that phishing is not just limited to email, that's why I define it as "Scamming other people out of their credentials". Hopefully, this'll make mainstream media rethink their definition of phishing, and stop giving the false pretense of "ignore email, and you're safe". No one is safe, ever from frauds. </p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2006/04/12/phishing-breaks-new-ground/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Passive Identity Theft</title>
		<link>http://thesnarky.com/2006/04/11/passive-identity-theft/</link>
		<comments>http://thesnarky.com/2006/04/11/passive-identity-theft/#comments</comments>
		<pubDate>Tue, 11 Apr 2006 19:57:26 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Annoyances]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Stupidity]]></category>

		<guid isPermaLink="false">http://thesnarky.com/archives/76</guid>
		<description><![CDATA[So, I (think I) coined a new phrase today. Passive Identity Theft. It's not illegal, as you're not actually stealing someone's identity. However, you are posing as them by not saying you are them. Confused? I'll explain.]]></description>
			<content:encoded><![CDATA[<p>So, I (think I) coined a new phrase today. Passive Identity Theft. It's not illegal, as you're not actually stealing someone's identity. However, you are posing as them by not saying you are them. Confused? I'll explain.</p>
<p>Around December of last [My first year of college] year I got an email, it said that my school parking pass had come in. It interested me because it had my name on it, but was for a campus that I don't attend. I did some research and found out that, surprise surprise, there's another person with my name, and an almost identical username. He just attends a different campus. I emailed back the parking operations people, and informed them of their mistake, told them who to contact, and thought nothing of it. </p>
<p>Earlier this semester I was "hired" by a professor as a research assistant at roughly enough to pay my internet bill each month [Edit: It turned out that this was actually substantially more than I had anticipated...]. Now, even though I emailed the lady who should have my contract, she never got back to me. I heard no more about it, and assumed things had fallen through, and I wasn't really "hired".</p>
<p>Yesterday I got a forwarded email from her saying "Does he [me] work for you [professor I'm working with]"? I promptly replied saying I'd like to, but that I wasn't yet, as I hadn't been able to sign a contract. So, I talked with her today, and she explained the whole deal to me:</p>
<p>After she filed my paperwork she looked "me" up in the system (when she already had my email, I don't know why) and sent "me" an email telling me to get the contract. I never responded (obviously, as it was the other me's email, in case you haven't caught on). She repeatedly emailed "me" trying to get "me" to come in and pick up my (not in quotes as it is my money) contract/pay stubs (pay goes out even without a signed contract). Well, this guy ignored it. He must have known what it was about, as <strong>he got paid for three months</strong>, all the while ignoring her emails. Finally, just now, he came forward and said he wasn't me. </p>
<p>So, I signed my contract finally, and hopefully things'll work out for the rest of the semester. But let's take a look at this.</p>
<p>He never claimed to be me. So, it's not identity theft. But he knew he was getting someone else's money (or thought he had a job he never attended at a campus he doesn't live near) and never reported it. He also didn't respond to the lady telling him where the money was coming from. Now, he did in the end, but he owes the school 3 months pay since he accepted it. I consider that identity theft. I'm calling it passive because he did nothing more than sit back, and watch the checks roll in. Thankfully, I'm not a petty man, because I have his user id, full name, and student number. If I wanted to... gee... I could phish him for his identity and use it. But I'm a bigger man than that. </p>
<p>So, remember, you can hurt people by not doing anything just as much as by stealing their identity. If you're in the situation I described above, do the right thing and report it, as I did in the first case, don't ignore it.</p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2006/04/11/passive-identity-theft/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anatomy of a Hack(er)</title>
		<link>http://thesnarky.com/2006/04/01/anatomy-of-a-hacker/</link>
		<comments>http://thesnarky.com/2006/04/01/anatomy-of-a-hacker/#comments</comments>
		<pubDate>Sat, 01 Apr 2006 06:02:39 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://thesnarky.com/archives/67</guid>
		<description><![CDATA[So, some of my friends, in the past, have asked me to teach them how to hack. I normally agree, depending on who it is, to give them the tools. Teach them UNIX, show them how to find stuff online, etc. What I can't teach, however, is the mentality. I had some fun last night, and I figured I'd share it with you, give you a feel for how a hacker thinks.

First, I have to tell you a little bit about myself.]]></description>
			<content:encoded><![CDATA[<p>So, some of my friends, in the past, have asked me to teach them how to hack. I normally agree, depending on who it is, to give them the tools. Teach them UNIX, show them how to find stuff online, etc. What I can't teach, however, is the mentality. I had some fun last night, and I figured I'd share it with you, give you a feel for how a hacker thinks.</p>
<p>First, I have to tell you a little bit about myself.</p>
<p>See, hacking, in its purest form, is not what the government, Hollywood, or the media want you to believe. Hacking is merely finding a creative solution to a problem. You might remember my post about <a href="http://thesnarky.com/archives/61">Hacking Your GPA</a>. I never once talk about actually cracking a system, except to say it's illegal; instead I focus on how an individual can get the GPA they want with a whole lot less work. I want to make a clear difference right now between "hacking" meaning a creative solution and the "media hacking" meaning click a button, and make a botnet (we call them <a href="http://en.wikipedia.org/wiki/Script_kiddies">script kiddies</a>). </p>
<p>I'm a big fan of <a href="http://2600.com">2600</a>, the hacker magazine (side note, I love the Google impersonation they have up right now) and buy every new issue when it comes out. I do, however, pay cash, just in case it is tracked. Every time I buy it, I end up in the same conversation with the cashier. </p>
<p>"So, this is a hacking magazine?"<br />
"Yea."<br />
"So, you're a hacker?"<br />
"Yea."<br />
"Isn't that illegal?"<br />
"Nope, I hack my own systems, do security audits, anything when I have permission beforehand."<br />
"Oh."<br />
"Why are you a hacker?"<br />
"Because it's how I think. I like information, knowing how things work, and it drives me crazy if I can't figure it out. Have a nice day."</p>
<p>Some things change, others remain the same. There's always an incredulity to their voice when I admit I'm a hacker, as if I should be scared. At first this scared me. What if they recorded who buys this? What if the media gets the government to go on a hacker witch hunt? Then it pissed me off. These people judge what I do. Assume I'm a no talent script-kiddie, and that I only look to hurt people. Now, I enjoy it. Every conversation I get to enlighten one more person that hackers aren't evil. We're normal people, blessed with an inquiring mind. So, after my last conversation, no one was in line, and I opened up to the cashier. Told her about hacking. Pretty much all of the above. Her response?</p>
<p>"Oh, I never knew that's what hacking was. Thanks for telling me."</p>
<p>It was a good feeling, standing up for a whole culture that gets a bad rap. So, that's what I think of when I say "hacker". I know people assume we're script-kiddies, just looking to hurt people. Dirty guys sitting in dark rooms laughing as they take down government systems. But I have to say I'm a hacker because I have the questioning mentality of needing to know how stuff works, and I'm proud of it.</p>
<p>Background aside, yesterday in my <a href="http://en.wikipedia.org/wiki/Phishing">phishing</a> class a guy stood up, and told us of a phishing email his sister got. How he'd now have to talk to his family about Phishing, and all that. I decided to check out this company (name not mentioned to protect them, and me). Here's how I was thinking.</p>
<hr>
<p><strong>Reasons</strong><br />
The entire reason I did this was to find out if my classmate's sister was in trouble from these </p>
<p><strong>Recon</strong><br />
First I did a <a href="http://us.mirror.menandmice.com/cgi-bin/DoDig">dig</a> on the domain name. Found who it was registered to, and where it was located. Turns out, it was off shore. Later I found an IP on one of their pages, did both a dig, as well as a traceroute on it, to find out where it was located, and how it got into the country. </p>
<p>Next I visited the website, and found it was a gambling site. Interesting.</p>
<p><strong>Cracking</strong><br />
While I was trying to get into the page, I ran into the problem that they actually verified credit card info. Since falsifying that is a crime in this country, I had to find a work around. First thing I did was check the source of the page. It normally yields at least the next place to check, if not the answer. Sure enough they had a poor coding scheme, intro page was 1.asp... I was on 3.asp... so I tried 4.asp.  Bingo, it welcomed me, and sent me to their main page. This yielded the IP I tracked down later. </p>
<p><strong>Where to go?</strong><br />
So, you're into the site, where do I go from here? So far everything's looked like it's legit, and I wasn't sure if I needed to poke around more. But, all their gambling programs were flash programs. I like messing with that, so I <a href="http://en.wikipedia.org/wiki/GREP">grepped</a> the source again, and found the name of the files. They were fairly decent in security, in the fact that I couldn't use wget to traverse their file structure. Kinda a setback, but I got around it. The goal here was to prove the flash files were fakes. Turns out, after decompiling, they weren't. This was a legit site. </p>
<p><strong>So what?</strong><br />
Well, I got out of the site, and thought about what I'd learned. As an aside, every hacker should learn something from everything. If it's the millionth time you've played this game, look at the one spot you never look at. Analyze your own game play. You'll find something to learn. Anyways, I came to the conclusion that this site had some tricks to it... they made it look like it was secure when it wasn't, and had some nasty stuff in the <a href="http://en.wikipedia.org/wiki/EULA">EULA</a> but was legit. So, it wasn't a phishing scam, the guy's sister and family had no reason to worry, but regular users, if they didn't read the EULA, would get screwed out of a ton of money. Well, if you're frequenting off shore gambling sites, you're probably already losing money.</p>
<hr>
<p>I realize I mention a lot of UNIX command tools, and general network stuff, so if you're unsure of something, feel free to ask. If anyone wants to learn how to hack, feel free to ask, but I can't teach the thought process, so if you're not naturally inquisitive, forget about it. I feel I should say I didn't break any laws doing the above, and I don't support illegal actions (gotta say that to not get sued/arrested). </p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2006/04/01/anatomy-of-a-hacker/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Business Ventures</title>
		<link>http://thesnarky.com/2006/02/28/business-ventures/</link>
		<comments>http://thesnarky.com/2006/02/28/business-ventures/#comments</comments>
		<pubDate>Tue, 28 Feb 2006 23:52:44 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Programming]]></category>

		<guid isPermaLink="false">http://thesnarky.com/archives/57</guid>
		<description><![CDATA[Well, I've been quite busy the past week or two, hence the silence. I know ya'll missed me </sarcasm>. 

First off, I've picked up a job doing the website for a grad student in the Fine Arts School here, specifically a portfolio website, as he's a photographer. This'll be interesting, and I trust I can put out something of high enough caliber for what he needs. ]]></description>
			<content:encoded><![CDATA[<p>Well, I've been quite busy the past week or two, hence the silence. I know ya'll missed me </sarcasm>. </p>
<p>First off, I've picked up a job doing the website for a grad student in the Fine Arts School here, specifically a portfolio website, as he's a photographer. This'll be interesting, and I trust I can put out something of high enough caliber for what he needs. I randomly met this guy at my church, and it turns out that he grew up in Virginia also, about two towns over!</p>
<p>Next I've just been asked by a professor of mine, and a Ph.D. student to join them on a business venture. I can't go into specifics right now, but they're looking to patent an idea, so after the patent's filed, I could talk about it. It turns out that I'm going to be programming most of it, yippee. The post-doc's job is to make sure I stay on track, and the professor came up with the idea, and will secure our patents. We'd split the proceeds with my school, as that way we can get the school to file the patent for us. The goal is, in a year this'll be a self-sustaining revenue generator, and the school will use it as an example to encourage more entrepreneurship. Very ironic, the post-doc is ALSO from Virginia, and his mother now lives one town over from me. </p>
<p>Once I can say more (heck, once I understand the project better), I'll let ya'll know. </p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2006/02/28/business-ventures/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Social Networks</title>
		<link>http://thesnarky.com/2006/02/09/social-networks/</link>
		<comments>http://thesnarky.com/2006/02/09/social-networks/#comments</comments>
		<pubDate>Thu, 09 Feb 2006 20:14:57 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Digital Rights]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://thesnarky.com/?p=49</guid>
		<description><![CDATA[Well, some of you have heard me rant about Social Networks, Facebook being an example, already, but here's a new one.]]></description>
			<content:encoded><![CDATA[<p>Well, some of you have heard me rant about Social Networks, <a href="http://facebook.com">Facebook</a> being an example, already, but here's a new one.</p>
<p>I had the great opportunity to have both a really informal breakfast (only 5 students, and the <a href="http://www.heinz.cmu.edu/~acquisti/">speaker</a>) with a CMU professor who is looking at Social networks and privacy issues. Before I go further I should stress there's no such thing as privacy online. At least, not for the average user.</p>
<p>Facebook, after I started using it, really bugged me. There is no way to turn off displaying your email at all. Yes, it's displayed as an image, but it's not CAPTCHA text, so can be "decrypted" on the fly in Perl. Using a Perl module called WWW::Mechanize, you can mine whatever you want from any profile. You can even do batches of profiles. Here are my findings so far.<br />
<span id="more-49"></span><br />
<strong>Groups</strong><br />
Facebook numbers groups, starting from 0, and working up. Since not every number is a group, I assume that deleted groups just have their number removed. However, you can still "join" that group. Very fun. How could this be improved? Get a random number for each group, and set the upper bound several orders of magnitude higher than the expected number of groups. Then, if a bad group number is given, log the user out, and return them to a login page. So, if you expect 35,000 groups, make the random numbers be between 0 and 3 million. You only need a few more bits, and there is the same number of numbers actually used. Oh, and Facebook limits you to 101 groups at any time.</p>
<p><strong>Profiles</strong><br />
My major bone of contention. Each profile is indexed by a number, that is sequential for the school. Indiana's start is 680001, and the profile is "The Creator". Interesting, huh? Count up from there, and they're almost all correct profiles. How can you fix that? Do what they do with email. Have a random number tacked onto the profile. So, instead of following php?user=######, you'd have to follow php?user=######&rand=######. If the random number doesn't match what's on file, you do the same as if they guess a bad group. Yes, you can still easily get that number by visiting every page, but it would make it so you actually have to spider every profile, not just start a counter, and view every profile. Also, these user ids are easily stolen through the search feature. It's the same as used by the message page, so, even if you can't view someone's profile, you can still get their user id. That's a problem, in my mind, and could be fixed by having a separate mail ID, such that you can't link one to the other without actually being able to view the user's profile anyways. Again, MAKE the attacker spider the whole site, it's easier to see.</p>
<p><strong>Details</strong><br />
By default Facebook makes everything completely open. Ok, anyone from your school can see anything on your profile. Let the fun begin. Have a phone number? It can be sold to telemarketers. Email? Sold to spammers (and that's on every single profile, some have multiple ones). Address? Snail-mail spam, stalking, fake pizza orders. Combine all the info given, DOB, address, etc, and you could even get access to bank accounts, or forge an ID. How can that be fixed without people realizing this is all open info to anyone in the world? By simply making the default level be to NOT show up in searches, NOT display information, etc. Make the users turn on everything, and give them a warning that "Hey, your information can be stolen, this is not secure". Even Facebook's privacy statement says that! Also, the email should *never* be shown, unless specified by the user. Yes, it's handy for emailing people, but why not just ask them for their email? It's nowhere near essential to post this in the open. </p>
<p>Well... it turns out that all Social networks can be exploited, even real life ones... go figure. So, those of you on a MySpace account are even more vulnerable, as <a href="http://namb.la/popular/">this great guy</a> shows. Yes, he wrote a worm for MySpace profiles, sheer genius. But MySpace also uses the numbered profile system. In fact, every social network I've found does. Very interesting. A few alternatives occurred to me, which I have to flesh out a little, but they result from work that's been done at IU. Assuming you require a login, and a good system for authenticating registration, I think Online Social Networks could be made much more secure.</p>
<p>But until then, I'm systematically trying to delete myself from the Internet. Public offices I hold, such as <a href="http://www.indiana.edu/~nrhh/officers.php">Sexy Webmaster for NRHH</a> will remain, as I believe in higher accountability for those in public office, but others... well... we'll see. I have to keep the Facebook account to keep playing with it, but I'd like to see it die by the year's end. All of 'em (If you don't know how many I have... well... bully to you). That's the main reason I keep this blog anonymous. Yea, you could figure out who I was if you correlate enough data, and do some facial analysis on the pictures I have, or just know me anyways, but a script won't pick it up. That's also why I don't publish other's names here unless they specifically tell me to. </p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2006/02/09/social-networks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Phishing Ideas</title>
		<link>http://thesnarky.com/2006/01/20/phishing-ideas/</link>
		<comments>http://thesnarky.com/2006/01/20/phishing-ideas/#comments</comments>
		<pubDate>Fri, 20 Jan 2006 16:20:39 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://thesnarky.com/?p=43</guid>
		<description><![CDATA[Well, I'm loving my phishing class. They encourage hands on experiments, and I've already got the opportunity to carry out something that should lead to publication! (More to come on that after I get approval, etc). However, the main reason I like the class is I get to think like a bad guy. Something I do a lot, just never carry out due to my preference for <a href="http://en.wikipedia.org/wiki/White_hat">white hat hacking</a>, as opposed to <a href="http://en.wikipedia.org/wiki/Black_hat">black hat</a>.]]></description>
			<content:encoded><![CDATA[<p>Well, I'm loving my phishing class. They encourage hands on experiments, and I've already got the opportunity to carry out something that should lead to publication! (More to come on that after I get approval, etc). However, the main reason I like the class is I get to think like a bad guy. Something I do a lot, just never carry out due to my preference for <a href="http://en.wikipedia.org/wiki/White_hat">white hat hacking</a>, as opposed to <a href="http://en.wikipedia.org/wiki/Black_hat">black hat</a>.<br />
 <span id="more-43"></span></p>
<p>Right now I'm playing around with <a href="http://en.wikipedia.org/wiki/Dns_poisoning">DNS poisoning</a>, first I'll be testing it on my home network, and then, again if I get approval, on the IU network.</p>
<p>Also, due to major insecurities in wireless networks, and the facts:</p>
<ol>
<li>America seems fascinated by them, and demands wireless internet wherever they go. Even Indianapolis is going to offer wireless anywhere you go in the city. <a href="http://www.indystar.com/apps/pbcs.dll/article?AID=/20060102/NEWS02/601020424">Officials are hesitant to do it</a>, not due to security, but they want to know who should pay for it.</li>
<li>Most wireless networks are *not* a wireless network, merely a wireless access point *to* a real network. As such you give up all security on your physical network when you attach a wireless access point. They are vulnerable, I'm not kidding.</li>
</ol>
<p>I plan on pursuing a line of action to demonstrate just how vulnerable these networks are to phishing, and why wireless internet should not be the norm, but a special case, such that if you *were* to find it in the open, you'd know something was wrong. </p>
<p>The fun part of this is unsecured wifi portals, that let you set DNS, aka every frickin wireless router on a college campus, just about. You could set an admin password, and change the DNS server to point bank sites to a fake page. I won't go into any more detail, as it's an easy attack, and I don't want anyone to get good ideas from it. Hopefully I'll be able to get a paper on that subject as well.</p>
<p>Now, how can one stop rogue access points? My solution is quite clever, and after I talk it through with a professor here, I might even go looking for a patent, I'm not sure. So, it remains a secret for now.</p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2006/01/20/phishing-ideas/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>This Semester</title>
		<link>http://thesnarky.com/2006/01/11/this-semester/</link>
		<comments>http://thesnarky.com/2006/01/11/this-semester/#comments</comments>
		<pubDate>Thu, 12 Jan 2006 00:19:23 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Arabic]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://thesnarky.com/?p=40</guid>
		<description><![CDATA[Well then, now that I'm awake and (somewhat) functioning, lemme break down this semester. In <a href="http://thesnarky.com/archives/37">this post</a>, I gave a breakdown of the courses I'm taking this semester. That changed on Monday. But I digress...]]></description>
			<content:encoded><![CDATA[<p>Well then, now that I'm awake and (somewhat) functioning, lemme break down this semester. In <a href="http://thesnarky.com/archives/37">this post</a>, I gave a breakdown of the courses I'm taking this semester. That changed on Monday. But I digress...<br />
<span id="more-40"></span><br />
My Schedule</p>
<ul>
<li>Monday/Wednesday/Friday classes:
<ol>
<li>Arabic 350: 9:30am-10:45am. This looks to be a fun (if hard) class.</li>
<li>Iraqi Part 2: 12:20pm-1:10pm. Again, fun, but I need to learn a bunch of vocab to catch up.</li>
<li>Symbolic Logic 2:30pm-3:45pm: This is gonna be my boring class of the semester, and possibly the hardest, since I took Intro first semester of last year, a year and a half ago.</li>
<li>Honors Seminar for CS: 7pm-9pm. This is a seminar where IU professors come in and talk about their research. Hey, free dinner...</li>
</ol>
</li>
<li>Tuesday/Thursday classes:
<ol>
<li>Applied Cryptography 350: 9:30am-10:45am. This is gonna be great. Let's just say the teacher has hands on experience... We're encouraged to Phish our classmates, and he might test us. Only problem, two 30-minute presentations of graduate level material...</li>
<li>Arabic Linguistics: 1pm-2:15pm. Not a clue what this will be like yet, but the teacher seems nice.</li>
<li>Multimedia Arabic 4pm-5:15pm: Same teacher as the above, this looks to be real fun, reading newspapers and watching TV!</li>
</ol>
</li>
</ul>
<p>I also decided Monday to pick up another grad independent study on Virii and Malware, but dropped that earlier today so I'd be able to spend more time on Arabic. Mainly because I'm currently writing software for the NELC department, that will soon appear on the Three Planets Software <a href="http://thesnarky.com/software/">webpage</a>. Note, the previous link is heavily work in progress... in fact, at the time of writing it's just a placeholder.</p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2006/01/11/this-semester/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

