Decoding the Pizzini

From the pages of the International Herald Tribune comes a glimpse of a world where clandestine communication retains the old and tested methods of hand to hand. When a godfather becomes expendable  is a piece by Andrea Camilleri, the author of “The Smell of the Night” and other novels in the Inspector Montalbano series. In it he describes the way that captured Mafia boss communicated with his subordinates while on the run:

The authorities said that Provenzano would transmit his orders – regarding such matters as who should be rewarded with government contracts, whom one should vote for in local and national elections, how one should act on specific occasions – by means of pizzini, little scraps of paper folded several times over, which his trusty couriers (mostly peasants with spotless records) would pass from hand to hand along lengthy and seemingly random routes.

These were necessary precautions to reduce, as much as possible, the risk of interception. One pizzino, for example, took more than 48 hours to travel the mile between the boss’s cottage and Corleone. Others could take weeks to reach a nearby destination. The telephone was out of the question.

Amazing that such methods are still in use today — and a sober reminder of several things.

  • Not much the Internet, or police forces, or intelligence agencies, can do to monitor this kind of thing unless they get off their heinies;
  • Is it just the Mafia using this kind of thing? Or are other underground organisations doing it? The organisation I know a little about — Jemaah Islamiyah, the al Qaeda-linked Indonesian terrorist group — use a combination, and while their technical skills have grown quickly, far more quickly than the people monitoring them, they still retain networks that don’t use any form of modern communication;
  • This ageless form of communication may yet be around for a lot longer than our beloved Internet.

Anyway, I find this whole ‘pizzini’ thing fascinating. It has more to do with The Da Vinci Code than with Mafia-watching, but technology could offer some clues to deciphering them. Some 350 of these encoded messages exist, apparently, mostly in the form of numbers. Other messages were left in a bible, with certain passages underlined.

Some notes, according to The Guardian, have been deciphered, illustrating recruitment problems and that Bernardo Provenzano was addressed as “vossia”, the deeply respectful and indeed archaic, form of “you”. What it doesn’t say is how they were decoded, and whether that breaks the code for the others.

If it doesn’t I call on the Italian police to release them to on the Internet and let us have a crack at them. I’ll never manage it, being useless at this kind of thing, but now everyone does Sudoku puzzles in the bath, I suspect your average commuter will make short work of decoding them.


InspectorBrown Responds

Here’s what Rick Brown said of his Inspector Brown anti-phishing toolbar in response to my questions about its failure to catch the cross scripting phish mentioned here:

Our software works to protect our community of users and allow each user the ability to fight back against spam, phishers and online fraud.

Yes, its true, not all smart people will care to report bad links or websites, but a percentage of users will gladly do so.

The idea is simple, when a member of our community gets an email from a known spammer or phisher, they report it, either by sending an email to or clicking on the “Report a Site” button from the Inspector Brown toolbar. Immediately, once the site is reported, our software goes to work analyzing the site for clues. How long has the site been active/registered online? Is it IP based, does it show certain patterns that make it stand out?

The toolbar was also designed as a marketing tool. Financial institutions and any large corporation wanting to protect and promote their image can benefit from a branded toolbar that shares a common database with other businesses. If certain smart employees or users report to our system every user using our software gets the same protection. The toolbar was designed to allow additions such as links to certain departments within a company, information tickers for stocks or weather, the options are endless.

Our software differs from spam blockers as they are what we call “band aid” approaches. Spam is still sent to the users and may end up in spam folders, however some emails such as your message to me, was sent inadvertently to my spam folder even though it was legitimate email. All this traffic affects the ISPs and corporations and users who rely so heavily on email.

What if you went to the grocery store and bought 100 dollars worth of food, brought it home only to find out that $70 of the food was bad? You would be pretty upset. However, ISPs constantly send all of us unwanted e-mail that makes up the majority of traffic sent via our Internet connections.

Our software intends to weed out the bad traffic. If users can’t access the websites of spammers and phishers, they can’t purchase their goods or fall victim to their crime. The criminals will have to resort to other methods. The more users who become part of our community increases the chance of a percentage of users who will be vigilantes and want to fight back, stopping the bad guys from invading our lives. The more users who join our community increases the speed at which the sits are reported. Each user is given a score to determine the trust level we have with each user. This prevents the bad guys from using our software to “punish” their competition.

There is no perfect method to stop spam and phishing scams, but our software adds one more layer of protection in a unique way.

Thanks, Rick.

Will Inspector Brown Save Us From The Phishers?

Combatting phishing ain’t easy. So how does a new weapon, Inspector Brown, mentioned in a comment to an earlier posting here on phishing, shape up?

Inspector Brown is a program that sits between you and your browser (IE, only, I think, but the documentation is minimalist, to put it mildly) and warns you if a site you are visiting is a suspected phishing site: “The page you tried to access is a potential dangerous and fraudulent website,” you will be told. “You may be at risk for identity theft and financial loss if you continue with this website.” You can then choose to proceed or not.

Not a bad idea, but of course it relies entirely on the software knowing what sites are fraudulent, and this is where the system fails. The software checks a library of ‘known’ fraudulent websites updated by Inspector Brown, a bit like anti-virus software checks an internal library of known virus patterns. Unfortunately there are several problems with this:

  • The list depends on users submitting fraudulent websites, raising the question: Why would a user who is smart enough to recognise a fraudulent website need Inspector Brown?
  • Phishing sites are notoriously short term. Some are up only for a few hours before they are taken down, often after already doing serious damage. In this sense combatting phishing by a library of known phishing sites is as flawed as anti-virus software maintaining libraries of viruses. Unless the libraries move very quickly to not only update themselves, but update users, such tools arrive too late to help users. Indeed, phishing is even less suited to this approach, because phishing sites are no longer active after a few hours, whereas old viruses may still be floating around the Internet months, even years, after their creation.
  • The list itself is short and suspect: It includes, for example, legitimate commercial websites like, a Shenzhen-based manufacturer of computer and mobile phone accessories, and, the home of celebrated anti-phisher Sam Greenhalgh. I’m sure he would be amused to find he is, according to Inspector Brown, ‘a Known Fraud’. Other peculiarities in the list are, the website of VisualSoft Technologies, ‘a leading software solutions and product development company catering to diverse industry segments’ based in Hyderabad. InspectorBrown’s library calls it a ‘Bad Company’. Lawsuits, anyone?

Lastly, we just don’t know enough about Inspector Brown and how it appraises websites to trust its judgement. In this regard the company has got to be more open about what it’s doing and how it does it. All we know from the website is that the program is the work of Inspector Brown Software, based in Scottsdale, Arizona. There’s no registry data to work with. No support pages or help pages.That’s about it. Of course, they could argue it’s early days but as it stands I think Inspector Brown, with its poor documentation, eccentric library of fraudulent sites and quirky interface, only adds to the noise instead of reducing it.