Technology

The business and culture of our digital lives,
from the L.A. Times

Category: Joseph Menn

Spam slowdown suggests progress in fight to protect e-mail

November 14, 2008 |  9:32 am

Your e-mail inbox may be feeling a little less cramped than usual these days, like a commuter train on a weekend morning. That's because many of the unwanted commercial messages -- also known as spam -- that normally clog it probably aren't there.

After years of trying to combat the scourge through e-mail filters, blacklists, lawsuits and criminal charges, the spam tide finally turned this week (the fascinating story was first reported by Brian Krebs of the Washington Post). Internet security firms say that the volume of unsolicited e-mail has dropped markedly, somewhere in the neighborhood of 66%, in the past few days. As Joseph Menn explains in today's L.A. Times story about the spam decline:

The surprising respite had very little to do with the hundreds of millions of dollars that corporations and consumers have spent on anti-spam software or with the lawsuits and criminal cases brought against spammers in the last decade.

Instead, a ragtag band of researchers pulled off the unprecedented coup of drastically cutting the spam volume by adopting a new strategy: going after mainstream U.S. companies that can unknowingly help spammers, identity thieves and child porn purveyors by carrying their traffic on the Internet.

Researchers don't expect the slowdown to last. But this latest success has given hope to those who fight on behalf of our inboxes. Read Menn's full story for more details about how they slowed the spammers and how the e-mail cops may try to protect us in the future.

-- Chris Gaither


Public, private sector at odds over cyber security

August 26, 2008 |  5:00 am

Three very big and very different computer security breaches that have dominated recent headlines did more than show how badly the Internet needs major repairs. They also exposed the huge rift between corporate America and the federal government over who should fix it, cyber-security experts say.

In the last few months, law enforcement officials cracked an international ring that tapped customer databases and trafficked in tens of millions of credit card numbers; a researcher uncovered a major flaw that permits hackers to steer some Web surfers to fake versions of popular websites filled with malicious software; and computer assaults, which some researchers said they had traced back to Russia's state-run telecommunications firms, crippled websites belonging to the country of Georgia.

Yet the episodes did little to boost cyber security higher on the agendas of the federal government or the two major presidential candidates.

"Nothing is happening," said Jerry Dixon, the former director of the National Cyber Security Division at the Department of Homeland Security. "This has got to be in the top five national security priorities."

Read the full story for details on why there has been such a rift between the public and private sectors over Internet security and what experts say the next president should do to tackle the problem.

-- Joseph Menn


Cellphones may make wallets obsolete

August 25, 2008 |  9:12 am

Ever write a check while shopping and sweat over whether the check would clear? A growing number of banks are offering a new and fairly painless way to eliminate the guesswork.

The solution fits in your pocket.

Eight of the 10 biggest U.S. banks now provide at least basic services on cellphones, allowing account holders to check their balances by tapping away on their tiny keypads.

Millions of U.S. consumers have signed up for mobile banking as those services grow increasingly useful. Depending on your bank, your phone and your wireless plan, you might be able to approve bill payments, transfer money and receive alerts when balances get low, all while riding the bus.

"Most consumers aren't aware that it's out there yet, but the day is coming," said Mark Schwanhausser, an analyst with Javelin Strategy & Research in Pleasanton, Calif. "Phones are ever-ready, always on and always with you, and you can't match that with a computer."

Read the full mobile-banking story for more details about which banks offer which services, and where this all is heading.

-- Joseph Menn

Illustration: Doug Ross / For the Times


Personal data breaches this year surpass 2007 total -- and 2008 is far from over

August 24, 2008 |  9:02 pm

The number of U.S. breaches of personal information that could be used in identity fraud so far this year has already passed the total for 2007.

The nonprofit Identity Theft Resource Center, which compiles a list of incidents from media reports, privacy websites and official outlets, said this year's running total passed the 2007 mark of 446 on Friday, with more than four months to go.

Lucky No. 447 was Alaska Airlines. The center's co-founder, Linda Foley, said an airline insider had been accused of misusing payment card data supplied by customers. The matter came to light in a letter from the airline to the New Hampshire attorney general.

Of course, the real number of breaches is much higher. Many go unreported, and the ITRC counts only once some breaches that hit multiple sets of people.

For example, the May theft of computer equipment containing under-protected sensitive data from Colt Express Outsourcing Services Inc. counts as one breach. But letters sent to employees of various Colt clients, and to officials in states requiring notification when residents could be affected, reveal that workers at 20 employers have data at risk.

Among the companies whose staffers have been exposed by the Colt break-in in Walnut Creek, Calif.: Google, Bebe Stores, Alston & Bird, and the California Bankers Assn.

Attempts to reach Colt on Friday were unsuccessful, and the company's website is nearly empty.

"They disappeared off the face of the earth," Foley said. "I think I would too."

-- Joseph Menn

Photo illustration by Mikey G. Ottawa via Flickr


Around the Web 8.20.08: FTC fine with a Take-Two deal, phones get better

August 20, 2008 | 10:35 am

-- The FTC no longer has a problem with Electronic Arts buying Grand Theft Auto maker Take-Two Interactive. Take-Two, however, might still have a nit to pick. Reuters

-- Speaking of grand theft, the gaming industry has suddenly upgraded its weaponry and attacked file sharing in the U.K., threatening to sue 25,000 people it's accusing of peer-to-peer piracy. TimesOnline

-- One day soon, you will be able to cut-and-paste text on your iPhone! Probably! CNet

-- Palm (remember Palm?) has a newer and better not-an-iPhone. TechCrunch

-- The economy hasn't slowed Hewlett-Packard's growth, much. LAT

-- Yeah, you have to pay for checking a single bag, but American Airlines is letting you surf the Web, on some routes, for $12.95 a flight! Or so it was said -- the 9 a.m. live in-flight update from a blogger hasn't materialized yet. CrunchGear

-- The chief executive of British bank HBOS has account looted by identity thefters. The Register

-- Verified Identity Pass, Steve Brill's plan to speed people through airport security without them having to be O.J. Simpson, raises $44 million more in funding, recently stolen database or no. Silicon Alley Insider

-- EBay changes its selling fees again, and EBay sellers are upset again. AP via LAT

-- Joseph Menn

Photo: Grand Theft Auto's protagonist. Credit: Take-Two


Yahoo names Icahn allies Biondi and Chapple to board

August 14, 2008 |  1:54 pm

Yahoo today named former Viacom chief Frank Biondi Jr. and ex-Nextel boss John Chapple to its board of directors, fulfilling a promise it made to settle the proxy fight with agitator-investor Carl Icahn.

Both men had been on a slate of candidates for the board Icahn put forward after Yahoo failed to sell itself to Microsoft. After it became likely that Icahn wouldn't win enough shareholder votes to get control of the board, he accepted a compromise that gave him one seat and Yahoo's pick of his allies two more.

"Frank's extensive experience in the entertainment and media industries, combined with John's deep management experience in telecommunications, will provide valuable perspectives to our already diverse board," Yahoo Chairman Roy Bostock said in a prepared statement. "We look forward to working with them as our board continues its ongoing efforts to enhance stockholder value."

Biondi was CEO of Universal Studios between 1996 and 1998; before that, he spent more than eight years as CEO of Viacom. Chapple was CEO of Nextel Partners from 1998 until 2006, when Sprint bought the company.

Former AOL CEO Jonathan Miller, an ally of both Icahn and Yahoo CEO Jerry Yang, had been seen as a shoo-in for the board. But Miller's candidacy was derailed when AOL parent Time Warner invoked the noncompete clause he had signed.

-- Joseph Menn

Photo: Frank Biondi. Credit: Sam Mircovich / Reuters


Expert: Cyber-attacks on Georgia websites tied to mob, Russian government

August 13, 2008 |  6:39 pm

The massive digital attacks that drove some of the government of Georgia's websites offline during the Russian invasion are being called the first overt act of "cyberwarfare" -- or at least the most overt to date.

The Russian government denies responsibility, and it got some reputable defenders today. The ShadowServer Foundation, a nonprofit group that tracks criminal activity on the Net, said that ordinary Russian citizens were helping attack the Georgian government websites with the aid of programs distributed through friendly sites. Top security expert Gadi Evron went further, saying all of the blame might lie with a bunch of kids.

The most discussed of the recent technological assaults have been denial-of-service attacks that overwhelmed the government sites with constant requests for information and rendered them unavailable to people in Georgia seeking information. Researchers in touch with network administrators in Georgia said a lot of the malicious traffic has been coming from servers controlled by the Russian Business Network, a notorious group out of St. Petersburg that has been linked to child pornography and major phishing and identity-theft scams.

Some researchers have pointed out, correctly, that the Russian Business Network is not the Russian government. In fact, some say the network is just a hosting company that specializes in having criminal clients. Anyone can use its resources, the argument goes.

But researcher Don Jackson of SecureWorks has devoted a fair amount of time to the question, and in an interview he made a convincing argument that the Russian government, despite its denials, is indeed involved.

To begin with, whether the Russian Business Network is a major organization or merely a helper for a variety of other groups is beside the point. Criminals pay the bills: It is a criminal outfit.

On the main issue, the computers issuing commands to the computers that are, in turn, attacking Georgian sites aren't all on Russian Business Network servers. Some are better-hidden but reside on Internet addresses belonging to state-owned telecommunications companies in Russia. Both are using MachBot, which is a software attack tool favored by Russian Business Network clients.

And it's not just denial-of-service attacks: People are also infiltrating Georgia's government networks to steal information, and websites are being defaced with propaganda.

Most crucially, there is the question of where and when. Many of the most serious attacks began just as the tanks began to roll, although the networks had been set up beforehand. And the choice of targets is especially telling. Official sites in Gori, along with local news sites, were shut down by denial-of-service attacks before the Russian planes got there.

"How did they know that they were going to drop bombs on Gori and not the capital?" Jackson asked. "I would say that from what I've seen firsthand, there was at some level actual coordination and/or direction [by the Russian government], especially in regard to the timing and the targets of some of the attacks."

-- Joseph Menn

Image: A Georgia government site that was hacked and defaced with pro-Russian images. Courtesy of SecureWorks


Around the Web 8.13.08: Apple on fire, Yahoo nearly finished tamping out Carl Icahn

August 13, 2008 | 10:37 am

-- Apple will let Best Buy become the first outside retailer to sell iPhones, so someone else can deal with all the crazies in line. That company is really on fire. LAT

-- No really, Apple is really actually on fire! CNet

-- Yahoo is close to naming ex-Viacom chief Frank Biondi and ex-Nextel Partners chief John Chapple as the remaining Carl Icahn-approved board members. WSJ

-- Georgia government websites are still being attacked from Russian servers, and they were under attack well before the shooting started. NYT

-- And if it's not the Russians or organized crime or both, then maybe it's kids. CNet

-- Many Apple users can't watch clips of the Olympics. Thanks, Microsoft and NBC! Web Scout

-- Facebook platform marketer Benjamin Ling is leaving the company for parts unknown, suggesting turmoil. VentureBeat

-- Yahoo will now let anybody write programs that take advantage of your physical location. ReadWriteWeb

-- L.A.-based TV ad agency Spot Runner is reorganizing, laying off 50 but hiring as well. PaidContent

-- Networking equipment maker Brocade Communications scoffs at alleged recession, tops earnings estimates. Associated Press via CNN

-- Joseph Menn

Photo: peasap via Flickr


Social networking sites attract friends, but also enemies

August 7, 2008 |  1:31 pm

MySpace bills itself as "a place for friends." But it and other social networking sites are becoming a place for enemies too. A couple of things happened today that reinforce the point that these sites, while being a terrific way to keep in touch with friends and throw sheep at them, are very much not the safe sandbox that many take them to be.

We have already pointed out that identity thieves have a pretty wide-open field on MySpace, Facebook and their ilk. Scammers find it fairly easy to pretend to be someone real, either by creating a profile page or by taking over an existing one. When they send messages to "friends" on the sites, they are far more apt than with ordinary spam to get victims to click on a link that installs password-stealing keyloggers.

Today, security firm Sophos warned that bad guys are writing on Facebook users' comment walls, urging them to watch a video that appears to be hosted by Google. But the displayed link actually asks users to download a program that surreptitiously opens a back door into their computers. Similar scams ...


Internet security flaw described as worst in 10 years

August 6, 2008 |  2:43 pm

Acclaimed Internet security researcher Dan Kaminsky detailed a flaw in the current architecture of the Internet today, firing the starting gun for a race between hackers who can now take advantage of the vulnerability and the big companies who have yet to patch their systems.

Speaking to hundreds of technology security professionals and enthusiasts at the annual Black Hat conference in Las Vegas, Kaminsky said that a majority of the Fortune 500 have protected their machines with a series of fixes developed in secret since March.

Kaminsky coordinated an industry-wide effort that brought out patches from Microsoft, Cisco, Sun Microsystems and other major technology vendors, and customers began applying them after he issued a public warning a month ago.

The hole lies in the Domain Name System, which steers Internet users seeking a site by title, such as www.google.com, to a numerical address. Kaminsky showed today how hackers could corrupt the process, taking users to an imitation site that could install malicious programs.

He called the problem the worst discovered since 1997. The standing-room only crowd gave Kaminsky two ovations, in part for the technical significance of the find and in part for his handling of the crisis. Microsoft, Google, Yahoo, Facebook, MySpace, EBay and many Internet service providers have secured their machines.

"We got lucky with this bug," Kaminsky said in his talk, saying other profound flaws are lurking that will be just as hard to resolve. "We have to have disaster-recovery planning. The 90-days-to-fix-it thing isn't going to fly."

Kaminsky also showed how the flaw could be used to attack places that some professionals had believed immune.

The Secure Sockets Layer, signified by "https://" at the beginning of a website address, could be circumvented, as one example. Impostors could fool the authentication companies, such as Verisign, and so get an approved digital certificate shown to site visitors, though Kaminsky said those companies have revamped their procedures. A large number of firms simply sign their own certificates, which an impostor could do, without dissuading consumers from continuing.

"Everywhere you look, SSL shoots itself in the face," Kaminsky said.

Corporate firewalls can likewise be thwarted through computers connecting to outside partners, such as payment processors.

Other scary scenarios include intercepted and manipulated e-mail coming from trusted parties and the fact that automatic software updates, which are a key way to get security fixes installed automatically, can easily be hijacked.

There are so many different ways for malicious actors to try to use the flaw that Kaminsky said it marked the start of a new era of hacking.

"DNS is the Achilles' heel of the Internet," agreed Joris Evers, a spokesman for security company McAfee Inc. "There's a lot of attention that's been focused on this -- and that's good."

In an interview, Kaminsky said that more than 120 million home broadband users have already been protected, and that workplace systems might be more at risk. Some attacks have already occurred, and Kaminsky said he was most worried about the tens of millions of sites that have a link to click on if users forget their passwords. A hacker could pretend to be specific users and get the passwords sent to them.

Ordinary computer users can't do much to patch their own machines, though they can prod their employers or Internet service providers to act. They can check to see if patches have been applied by visiting www.doxpara.com and clicking on "Check my DNS."

-- Joseph Menn

Black Hat company logo from richardmasoner via Flickr; photo of Kaminsky courtesy of the subject.


