Tuesday, October 31, 2006

I've been tagged...

Well, at least my luggage was... On my flight from Hong Kong to Tokyo, my checked luggage was tagged with RFID tags, presumable to track the bags through the luggage handling system and verify bags went with people.

What's interesting to me is that the RFID itself is but the tiny spec in the center of the tag. Most of the tape you see in the picture is simply the antenna laid out as a metal strip on the tape. I would presume with this much antenna, the tag could be read at a sizable distance.

This is the first time that I've noticed such a tag, but I wouldn't be surprised if this technology was incorporated into the typical baggage tag added to your bags when you check in. In fact, I'm surprised that it wasn't done that way in Hong Kong. Perhaps by taping it to the bag, the tag & antenna are more likely to stay flat rather than getting bent or otherwise deformed as it hangs off a baggage handle.

Tags : / / / /

Sunday, October 29, 2006

Knowing you've gone local...

You know when you've pretty much "gone local" by the fact that you don't have to think when using the local coins. Paper bills don't count as they are easily read and typically have the numbers on both sides of the bill (yeah, some people have trouble with bills as well, but they're just being slooooowwww :-)).

Coins are usually reused long enough to make them dirty and dented and thus hard to read and they typically only have the value on one side of the coin, so you have to look on both sides if you don't just know the value.

In addition, when you're using them you want to do so quickly because your in a line somewhere and there are people waiting behind you. So figuring out how many of each denomination fit into the others or add up to the total is not the time to look at each coin and spend time figuring it out.

Some people take the easy way out and just hold out a handful of coins hoping the cashier takes the right amount. Others just keep giving large enough bills so that they don't have to worry about counting, leaving the cashier to do all the heavy lifting.

I, on the other hand, am here in Japan on my last stop on my trip-around-the-world and I find myself just working in the local currency, including things like adding an extra 10 ¥ to a ¥1,000 bill when asked for a ¥160 fare for the metro. I'm proud of myself :-).

Tags : / / / /

Friday, October 27, 2006

Les Crayons

Je m'excuse Paul, Ceux-là ne sont pas "Les Crayons de Connard",... ceux-ci en sont:

Monday, October 23, 2006

Made it to Hong Kong

I made it through my longest single travel leg to date, from London to Hong Kong via Chicago. 11,746 miles. 23 hours of in-air flight time. 31 hours of door-to-door travel time. The one consolation I have is that I was able to upgrade to business class for the entire route using a single United Airlines Systemwide Upgrade Certificate (the result of which you can see in the latest posts to the widely acclaimed Traytable blog).

I slept (with the help of Ambien -- never slept on a plane till it came around) for the first 5 or 6 hours (for timing reasons and because I had stayed up the night before at a wedding reception that only ended for me when I looked at my watch and said "crap, I've gotta go pack up and leave").

The rest of the trip, I worked. Initially on my web site update with the wedding pictures (I took more than 400 pics) and later on the Liberty Alliance Advanced Client spec that I'll be presenting about next week at the Liberty Alliance Day in Tokyo.

This leg of the trip was also significant for me because I crossed the million mile mark on United on the LHR->ORD leg (I've now flown 1,009,082 but-in-the-seat air miles on United Airlines -- ¾ of them in the past 5 years). I even tried to use this fact as a way of getting a gratis upgrade to first class (out of business class) but that didn't help at all. I guess it will be a long time before I feel the comforts of first class again.

Anyway, I'm now a United Global Services Million Mile Flyer, about the top of the top of elites in United's program. All this really helps is with getting upgrades (I'm typically at or close to the top of the list and have only had to "put up with" coach twice so far in my 140,000 miles this year).

Of course, life would probably be a lot simpler for me if I just didn't fly so often. My kids would recognize me when I show up at home. I might even get one or two "honey-do" projects done.

Tags : / / / /

Good Relations

Paul was right to worry about when my relations get online.

I mentioned my web site to a few of my relations at a wedding on Sat and so far today have had over 2,500 hits from the UK and Ireland (normal traffic is around 150-200 hits per day).

Of course, most of the traffic was to look at pictures (from the wedding). If I could just get them to read, my blog hits would skyrocket and his lead would be in real trouble. :-)

Wednesday, October 18, 2006

Just Say NO!

One would think that in today's day and age, I wouldn't have to say this... Note to Security weenies (you know who you are):

DO NOT SEND PASSWORDS via EMAIL.

After changing my password at a site that shall remain nameless, I received a confirmation of password change with the new password sent to me via email. Just in case I was too stupid to remember the password that I just typed in twice in the change password screen ---- duh...

This fits into one of my pet peeves: we've all seen those login prompts that give us an option for "forgotten passwords":

Note the little "We'll email your password to you"... So, if I've "forgotten" my password, they will nicely email it my address of record. How nice...

This is BAD for many reasons including:

  • Someone who has access to my email (perhaps because I left my computer unlocked) gets to see my password when the email shows up moments later and I have no way of knowing that happened (as long as they delete the email). Then they can login as me whenever they want and I won't be the wiser.
  • If I were the typical user and used the same password in many places (which I'm not) this would be even more dangerous because the password obtained by the user would be usable in many locations. The user can protect themselves by limiting the number of places they use the same password, especially if the site has an email-the-password-to-me option.
  • Mail is sent in plain-text, so anyone along the mail delivery path can read the email (who's To: usually happens to be the login and includes the password (and usually has nice text about "Here's the password you requested")). This makes it easy to pick off as the email makes its way to the user

So, what should you do instead? The answer is pretty simple.... Give the user a way of resetting their password without showing them what the old password was. This can still be controlled by access to my email account (so email the reset link to me) and yes, this means that someone who gets control of my laptop/email could potentially change my password, but I would know that when I went to that site and they couldn't use that password on any other system.

When writing this note, I looked at several of my common sites (eBay, Amazon, Wachovia, etc. -- many of which I think used to have the email-the-password solution) and they all had substantially better solutions, including some level of account verification process and allowing the password reset rather than showing the password.

The username/password system is weak enough without having substantial holes in it like this. If your site does things this way, please fix it!!!

Tags : / / / / /

Tuesday, October 17, 2006

Dulles Security Screening Area Construction

The Security screening area at Dulles is under construction (they have made an announcement saying it has something to do with the work on the train)... They have what appears to be around 70% of the old security screening area blocked off and a newly opened security screening area down at the west end of the terminal (the opposite end from the United end).

They still have a Premium Line, but it didn't feel any where near as fast as the old premium lines (which have only been around since late July) as I had to wait in line for a while before getting through.

I would allow some additional time to get through security for any trips till they re-open the closed areas (and they had better get that done before Thanksgiving or there'll be a line out to the parking lot).

Tags : / / / /

iPass works well

iPass is a connectivity (wireless & wired) aggregator which simplifies the process of getting access to connectivity when traveling. My company recently started using it for people who travel a lot -- like me!

Today is the first time I tried it, sitting here at the United Red Carpet Club at Washington Dulles Airport and it worked like a charm.

Booted the laptop, started the iPass Connect application, it found the T-Mobile wireless and I simply selected connect.... Poof... I was connected and my boss is being billed directly :-).

So, after bashing iPass about their data requirements for downloading the offline hotspot locator, I'm happy to say that their product does seem to be working as designed. More testing in London, HKG and Tokyo after this.

Tags : / / / / / /

Sunday, October 15, 2006

New Gadget of the week

My new gadget of the week this week is a Canon Powershot SD800 IS compact digital camera.

I also own the Canon EOS 5D Digital SLR, but I like to have a compact lightweight camera to keep in my backpack or pocket all the time (the SLR is too much camera to carry around all the time unless you are a professional photographer).

I've been walking around with the Canon SD500 for a while now (and recently wrote about replacing the LCD). At the time the LCD cracked, I couldn't bring myself to upgrade as none of the newer cameras at that time seemed worth it.

So, what finally got me to jump to the new camera?

  • 7.1 MP images (so no loss in MP from the SD500)
  • 3.8x optical zoom (compared to 3x optical on the SD500)
  • Image stabilization (not available on the SD500)
  • Larger LCD Screen (not a major issue for me, but I don't mind it)
  • Probably most importantly, my daughters got an SD500 for their birthday and I have to have a better camera than they have :-).

There was also this feature referred to as "Face Detect" autofocus. I thought that was little more than a marketing gimmick at the time, but after starting to play with the camera, I think it's pretty cool. Look at this sequence of pictures of the LCD screen on my SD800 (taken by my SD500) of my daughter moving around:




Notice the little white brackets following her face around. I'm not sure what the exact technology involved is, but I expect that there's some serious processing going on to enable this feature which would likely be a drain on the battery. I'll probably do some playing with it to see if it has any measurable impact on battery life.

All in all, a very nice replacement camera for the SD500. Now I have to go sell the SD500 on ebay to help pay for the new one (if you're interested, check it out here).

I do realize that it's been less than a week since my last gadget, but I'm about to head out on a 2 week trip around the world (sort of) and so there won't be too many new gadgets in that time (plus the trip was another incentive for getting the camera now vs later, although I will probably take the 5D with me anyway)

Tags : / / / / / /

Saturday, October 14, 2006

Examples of Math Geniusness

A friend of mine sent me these examples of math geniusness (probably because I don't stop bragging about my son, the math genius who took the AP Calculus BC class last year as a high school freshman!) that I thought I would share:

First, an example of expanding an equation:

I don't know why they didn't get credit as the equation clearly is expanded from its previous writing each time

Now, onto some inventive trigonometry (the part of math I really don't like all that much either):

And, of course, math would be lost without some square roots:

And, finally, the old infamous 3-4-5 right triangle:

I don't know if any of these are real results from tests or not (I received them in the typical joke email distribution kind of thing) but they do seem to have a quality of realism to them. My wife, who teaches 7th grade Math, wouldn't be surprised if they were real (of course she's quick to point out that she would not give credit for such answers, no matter how inventive).

My son assures me that they were not his work, although he was impressed by them (I think he wishes he could claim at least one of them was his).

Tags : / / / /

Tooooo Much Information

I recently signed up for an iPass account to universally deal with broadband connectivity as I travel (I'm tired of having accounts and separate bills with T-Mobile, Boingo and the like -- plus, my company's paying for it :-)).

One of the tools they have is a hotspot finder that is available in both online and offline modes. The online mode is cool if you're the plan ahead kind of person and have mapped out all your options for each location that you plan to be in (and print/carry that information with you).

But I'm not that type of person most of the time and need something that I can use when I'm stuck without access and need to find it (hence the offline mode appealed to me).

So, I, a registered customer, go to download the offline search tool and get prompted with the following web form:

Which requires an awful lot of information... Much more than is reasonably necessary (see the required fields marked with a red asterisk).

This kind of requirement really bothers me, so if you look closely at the data that I filled in, I am "Junk Name", my job title is "Pain in the *ss" (well, that part may be true:-)), I live in Uganda with a Nebraska zip code, etc. etc.. I suggest that anytime you're faced with the same bull headedness, you do the same. Perhaps we can generate enough noise in their datasets so that they stop doing these insane requirements.

Tags : / / / / / / / / /

Friday, October 13, 2006

Another Potential Area for Identity Theft...

Conversation with my travel agency:

Conor: Hey, I need a reservation at xxx (a hotel in the UK)
Agent: (after searching for a while) I can't find that hotel, has someone else from your group stayed there?
Conor: Try so-and-so, he's stayed there before but I don't know how recently.
Agent: (finding so-and-so's records) Hmm... (mumbling stuff he's reading) Nope... Don't see that hotel in there.
Conor: I have the web URL do you want that?
Agent: (looks it up himself, and get's phone number) I'll have to call them can you hold for a few minutes?
Conor: Sure... (waiting patiently -- mostly because I'm off doing work while I wait)
Agent: OK, they have a room... Hmm.. you have a Discover card on file, but the don't accept that.
Conor: Don't you have an American Express Card on file for me?
Agent: No, but let me look at your other hotels for this trip... yes, I see it... Be right back (he's off to talk to the hotel again)
Agent: (coming back) Hmm, they need your signature ID
Conor: (knowing that he's talking about the CID) It's xxxx.
Agent: (after going to talk to the hotel again) OK, we have the room but they asked me to email the reservation request to them and then they will send the confirmation number.
Conor: OK.
Agent: (the next day, in email) Here's your confirmation email.

While this is my recollection of a recent conversation with my current travel agency, I have had almost the exact same conversations with previous agencies.

So, what's wrong with this conversation?

  • The agent has access to the complete, plain text, credit card number in each of my records (including pulling it up on completed reservations). A better solution would be to have some form of token that represents the credit card without allowing them to see the actual card number.
  • I'm guessing that the agent actually emailed my credit card info (hopefully not, but I couldn't tell from the conversation
  • Agents have easy access to anyone's records at the agency (hence the searching of my co-worker's records looking for the hotel) and I presume they too have plain text credit card numbers

Now, I have to admit that I've never had my identity stolen from a travel agency (and I've done a whole lot of traveling -- about to cross the one million miles mark with United when I leave the UK on that trip), so the risk is not tremendous.

However, I think that some work needs to be done to make this process a bit more secure. Agents should not be able to easily see the credit card numbers I've used on other records (and I wouldn't mind having to give it to them again when a case such as the above came up -- they are rare as 90% of my reservations are done without the need for phone calls to the hotel)

Note that I strongly prefer that they are able to make these reservations for me and so I will live with what I consider a relatively low risk in exchange for the benefit of them being able to make my reservations for me. It's also a much lower risk of theft than me reading aloud on the phone my credit card numbers every time I make a reservation.

Tags : / / / / / / /

Thursday, October 12, 2006

Profile it baby...

Scott Kveton (who's name seems to be miss-spelled even more often than Paul Madsen's, of you can believe that) responds to Paul's typically full of irony comments on OpenID's Data Transfer Protocol (DTP) proposal.

First off, the DTP specification is just a proposal. It is not a formal part of OpenID yet. Also, this is a really, really rough draft of the proposal that is constantly in motion right now. The fact that it ignores other standards may be true but one of the design goals is to do for data transfer what OpenID has done for single sign-on; light-weight, simple, easy-to-implement, etc. Think of the proposal as a best-of-breed of those heavier technologies. The same can be said of OpenID as it relates to SAML, Sxip and Passport.

I think everyone would be better served by a proposal that was a best-of-breed profile of other specs such as SOAP (which is exceedingly lightweight to begin with), WS-Security, and the like.

You get a much larger bang for the buck by profiling existing standards to meet your needs (and many of the so-called "heavyweight" specifications are heavyweight due to the need to support many different profiles, but you can restrict them to a much narrower, more useful for your environment profile).

Having written an open source liberty toolkit for clients from scratch that does SOAP, WS-Security, and the like, it ain't all that hard as long as you don't start out with "I want to handle every possible scenario in the world and beyond."

Tags : / / / / / /

Strangest user name requirements

When creating my 345th identity at our dental insurance company, I had problems creating a login ID (failed like the first 4 or 5 times until I looked at the rules:

Your user name must be at least 6 and no more than 31 characters. Both letters and numbers are acceptable, but no spaces or special characters may be used. Your username must not contain numbers only. If your user name is 8-character long, the first 6 must be letters and the last 2 must be numbers.
I happened to had chosen a name with 8 characters the first few were characters and the rest were numbers and then changed that to all alphabetic (thinking it was a rule against numerics, then changed it to all lower case and finally hit the help button to see the above rules.

Note the special rules for when the user name is exactly 8 character (sic) long. Strange, very strange.

Tags : / /

Voluntary Big Brotherism.....

Progressive Insurance, an auto insurer here in the US of A, is running a program where their customers can voluntarily install a device, called a TripSense in their car which plays the part of the well-known non-black airplane black box, but just in a vehicle.

The TripSense token hooks up to the OnBoard Diagnostics port (OBDII) (which is on every car manufactured for delivery in the US of A since 1996) and then periodically (perhaps once a year), the customer removes it from the car and hooks it (via USB) to their computer where an application processed the data and lets them review (but not modify, of course).

The device is available from Progressive under two different plans:

  • A plan for Minnesota residents where they can get a discount on their policy between 5% and 25% depending upon the data reported on their driving (the driver does get to look at the data and can choose to not report it, but gives up their discount if they don't send it in). They even have a discount calculator available so you can see what types of driving impact the discount (driving over 75 miles per hour one tenth of one percent of the time -- poof, there goes 5% of discount, 7.5 tenths of one percent (0.0075) of the time and poof there goes another 5% (in other words you now have a max of 15 percent discount). At least they do this using time, not distance, so you can drive like 200mph for a shorter time to cover the distance and still not loose the discount :-) ).
  • A plan for everyone else (who is a progressive customer, of course) that pays $50 per monitored vehicle per year and claims to disassociate the data from the vehicle info (and only use the vehicle info for study/analysis)

After looking at some of the sample reports, especially the report to the right which shows a lot of interesting data for each trip made with the vehicle and, in particular, the time spent above 75MPH while on the trip, I'm sure this isn't the right program for me.

However, my son, CJ, just obtained his driving permit and will one day (hopefully not too soon) be driving on his own and having a monitor for the vehicle may be useful. Davis Instruments makes what looks like the same device (without Progressive's branding, of course) called the CarChip and CarChip E/X (differing primarily on storage capability). These things are cool for a parent in that we log what the little brats... I mean wonderful children... have been doing with our vehicles while we weren't around.

From a privacy point of view, I'm OK with all this as long as it is not mandatory and people (including my son) know about it when they get in the car. I think that insurance companies may figure out a way to use it anyway, though (the users who won't use it are automatically treated as higher risk).

Tags : / / / / / /

Wednesday, October 11, 2006

New Gadget of the Week

I am definitely one of the gadget geeks who regularly tries and buys new gadgets (although it did take me a year or two to convince myself to start blogging -- mostly because the geek in me wanted to setup my own blogging server, which I did do only to change my mind and use blogger.com).

Anyway, this week my new toy is a Western Digital Passport 120GB Drive which I happened to notice as I roamed through the neighborhood Price Club (yeah, they're all Costco now and have been for like 10 years, but it will always be Price Club to me).

I already had one of the older 120GB passport drives where I keep all of my family photos and music collection as well as some backup data, but this new one was much smaller and sleeker, so I had to have it.

The difference in size is remarkable:

And even more so when they're inside their cases:

Between this drive and my new internal 160GB drive I now walk around with 280 billion bytes of data storage for my laptop!

I'm sure Paul will point out that WD has a 160GB version of the Passport, but that model was not available for instant gratification, so I made due with the 120GB version rather than wait a day for the 160GB version.

Tags : / / / / / / /

Tuesday, October 10, 2006

Anonymity, Pseudonymity, and Traceability

In the online identity world, the concepts of anonymity, pseudonymity and traceability all seem to be regularly confused with each other in one way or another. Whenever you here someone speak of anonymous transactions, they almost always bring up cash as an example of a real-world equivalent -- however cash isn't anonymous because you typically have to hand it to the relying party, thereby giving up some level of your anonymity.

So, I'd like to suggest we consider the following "definitions":

  • Identified transactions - transactions that take place under a public identity of the user (such as when I use my credit card which has a unique serial number and my name printed on it). Most online transactions which involve the exchange of money fall into this category.
  • pseudonymous transactions - transactions where the actual identity of the user is not provided to the relying party, but when the same user performs multiple transactions, the relying party can tie those transactions together under the same "pseudo" identity. Pseudonymous identity systems typically have requirements to protect against multiple relying parties from tying transactions together by using a different "pseudo" identity for the user at each relying party.
  • Traceable transactions - transactions where the user's identity is not provided, but there is some identifier included in the transaction such that if there was a need someone could eventually trace it back to the issuing party. Most real world transactions are at least traceable because they require that the person who wants to invoke the transaction (e.g. make a purchase) to interact with the relying party (the person at the cash register) and that interaction can lead to traceability (not to mention that the physical cash bills typically have unique serial numbers as well).

    An example of an online equivalent is the user of one-time-use credit card numbers which would never be used again and so can't be used to tie transactions together, but can be traced back to the user through the credit card issuer, if necessary and authorized

  • anonymous transactions - transactions where the identity of the user is not known and the transaction cannot be tied back to the user in any way.

    Access to most published/open web sites which don't require a login (such as google) would be considered anonymous (if you don't let them create cookies on your browser -- the cookies would make them pseudonymous).

    Most cost based services (high value transactions) require some level of identification and thus are not processed in an anonymous fashion.

When you listen to some privacy advocates (and to some people with a product to sell), you would think that the world can't operate without things being "anonymous". I disagree and think that the real and online world has to operate across a spectrum of transactions that span the types above (and probably have some in-between combinations).

Ultimately, the real driver should be towards "just enough" and not towards "none". Ensure that transactions have enough information such that the transaction can be completed, but don't ask for or give any more than is necessary. That is one of Kim Cameron's Laws of Identity (and I think, perhaps, the most important.

Tags : / / / / / /

Monday, October 09, 2006

Spam, Phish, or Legit... that is the question..

A while back, I received an email purportedly from Ebay that raised my automatic, anti-spoofing sheild and caused me to examine the message very closely and then communicate with the apparent issuer... This post discusses the message and the subsequent communications I've had with Ebay.

First, the message that started it all:

eBayeBay sent this message to Conor Cahill (xxxxxxx).
Your registered name is included to show this message originated from eBay. Learn more.

eBay Auction I64d Cancelled - Results Null and Void

Dear Conor P. Cahill (yyyy@zzzzzzzz.com),


Please be advised that the following auction:

4459053372 - Polaris 480 PRO FOR I/G GUNITE POOLS FAST SHIP!!

was ended early by eBay. The auction was ended due to the account suspension of the seller. All results for this auction are null and void.

Regards,
Customer Support (Trust and Safety Department)
eBay Inc
Learn how you can protect yourself from spoof (fake) emails at: http://pages.ebay.com/education/spooftutorial This administrative email was sent to ebay@cc.cahillfamily.com from eBay. Your account is registered on www.ebay.com. As outlined in our User Agreement, eBay will periodically send you information about site changes and enhancements. If you would like to receive this email in text format, change your notification preferences. See our Privacy Policy and User Agreement if you have questions about eBay's communication policies. Privacy Policy: http://pages.ebay.com/help/policies/privacy-policy.html User Agreement: http://pages.ebay.com/help/policies/user-agreement.html

Now this email looks totally legit. All of the links are within Ebay's domain, the referenced auction is one that I participated in, the message was sent from one of Ebay's servers directly to my server with no intermediary, the message was sent to an email address that I use exclusively with Ebay. So everything in my anti-phishing arsenal says this is legit.

However, the auction that they say they ended was one that ended 2 months earlier and which was one that I actually won, paid for and had the item delivered (so the auction had already completed successfully). The seller was still alive and kicking on ebay, so he wasn't suspended either. So the content of the message wasn't legit.

I reported the email to Ebay and they responded with a boilerplate "how to recognize phishing attempts" email. To which, of course, I responded, that I knew what phishing was and that this looked like it really came from them.

About a month later, I get the following email from them:

Dear Conor,

Thank you for taking the time to write eBay with your concerns. My name 
is Nira, and I'm pleased to be of further assistance to you.

eBay is concerned about violations on our site. We'll investigate your 
report immediately and take appropriate actions based on our findings. 
Violations of eBay policies may result in a range of actions, including 
a warning, temporary or indefinite suspension, or account termination.

For the protection of all members, eBay can't provide details on any 
individual investigation or account. We hope you understand that this is
why we won't be able to share with you the outcome of our investigation.

If you are ever concerned about an email you receive from eBay, simply 
follow these steps:

1. Open a new Web browser and type www.ebay.com into your browser 
address field to go directly to the eBay site. 

2. On eBay, sign into your account and click the "My eBay" button at the
top of the page.

3. Check the My Messages section located at the top of the My eBay page.
If an email affects your eBay account, it's now in My Messages. Any 
email sent to your registered eBay email address from eBay or from 
another eBay member via eBay's member-to-member communication system 
will now appear in My Messages. 

We sincerely appreciate that you alerted us to this potential violation.
Your efforts help to keep eBay a safe place to trade.

To learn how to protect yourself and ensure a positive purchasing 
experience, check out these buyer tips:

 http://pages.ebay.com/help/confidence/isgw-buyer-tips.html

To learn how you can help fight spam, go to:

 http://www.spamcop.net

Thank you for being part of the eBay community.


Sincerely, 
Nira

So, they're gonna look into it, but can't tell me what they find for "our protection". Right...

My $.25 is that they probably had a bug in one of their systems which generated that email, but they surely ain't gonna tell me that.

Tags : / / /

Friday, October 06, 2006

Updated ID-WSF 2.0 Open Source Toolkits

With the release of ID-WSF 2.0, I have updated my open source toolkits to conform to the 2.0 final specifications.

These toolkits are a work in progress with the client toolkit being a fairly complete implementation of the protocols while the server toolkit has some basic functionality but is missing some capabilities (like the ability to sign messages or assertions). More information about what is included is available on the toolkit web page.

Of course, this is all provided as-is with no guarantees or representations as to its usefulness in any environment.

The new release is available from my server here.

I do have a running implementation of the server available for testing if you have a client you would like to test against. Just drop me a note when you like.

Tags : / / /

Liberty announces ID-WSF 2.0

This week, while I was off handling family issues, the Liberty Alliance announced the release of the IDentity Web Services Framework (ID-WSF) 2.0 Specifications. The Liberty Web Site has a pretty cool diagram showing how all the specs fit together which is also used as an index to the various specifications that document the protocols between the various parties.

For the first time, simultaneous with the release of the specifications, Liberty has also released the Marketing Requirements Documents (MRDs) which drove the creation of the features in the protocols. These should be an interesting read for anyone who plays an Identity Specialist on TV.

My elevator speech about what's special in ID-WSF 2.0 includes:

  • Support for multi-party transactions (where I access Paul's Blog to change the posts -- with his permission, of course :-))
  • Support for maintaining (the Liberty People Service) and using (ID-WSF) social networking data in web services transactions.
  • Fully leveraged the capabilities of WS-Addressing to support synchronous and asynchronous transactions
  • And (since I'm one of the editors), an updated Liberty Discovery Service which eases the maintenance burden for WSPs managing service metadata for a multitude of users.

This is good stuff... Check it out!

Tags : / / / / / /

Phishing Myspace?

Today I received the following email:

Subject: New message from Stephen on MySpace sent on Oct 06 08:10:01 -4 2006
From: New MySpace Message <rideable@crypterion.com>

You've got a new song from Stephen on MySpace!

Click here to hear your MySpace music:
http://myspace.mp3shest.com/?reloc.cfm=6&id=xxxxx


Click here to get 5-free songs downloaded to Your Space:
http://myspace.mp3shest.com/?reloc.cfm=6&id=xxxxxxxxxx_5free

-------------------------

At MySpace we care about your privacy. We have sent you this
notification to facilitate your use as a member of the MySpace service. If
you don't want to receive emails like this to your external email account
in the future, change your Account Settings to "Do not send me
notification emails"

Click here to change your Account Settings:
http://myspace.mp3shest.com/?account.settings=update=6&id=xxxxx

MySpace Inc. - 1900 Wilshire Blvd. 2109, Los Angeles, CA 90403-5400 USA

©2006 MySpace Inc. All Rights Reserved
What's interesting is:
  • I don't have a myspace account, so this is clearly some form of SPAM
  • The links in the mail all have a hostname that is within mp3shest.com, not myspace.com - a dead ringer for SPAM Attacks)
  • The domain (mp3shest.com) was registered yesterday (raises BIG red flags for me)

At first I thought this was a phishing attempt, but why would someone want to phish an account there? I understand attempts to phish ebay, paypal, my bank, etc. I don't understand phishing MySpace.

Another thought, since the message seems to be directed at getting me to download a song, perhaps the real attack is to get me to download a trojan. I poked at the site with care (with Mozilla, not IE, of course), but didn't get too far before I just closed the browser.

Moral of the story: If your kids are using email, talk to them about phishing, scams and trojans. If they are also using MySpace, mention this attack in particular.

UPDATE: 14 Oct 06 - I received a new one of these today, this time with the system name myspace.mp3vosem.com which again is in a domain (mp3vosem.com) that was only registered recently (11 Oct 06) and registered by the same guy (Alex Rodrigez) theoretically in Finland registred in a domain registrar in China (Capitol Networks PTY, LTD). - For those who don't know, you can use the whois program (available at man locations online including Network Solutions) and just enter the last two portions of the sytem name (mp3vosem.com in this case).

Another interesting tidbit is that they must be getting hit by SPAM filters because they are adding a whole bunch of random junk at the end of the mail to try to confuse the filters.

UPDATE 2: 14 Oct 06 - they must be having some level of success because now I'm getting songs from Debra and John in addition to Stephen and they've tried several addresses of mine including one that I use exclusively with Ebay (guess I've gotta change that one). I think the hope here is that one of the names will match one of my friends' first name and so I will be more likely to think it legit -- another thing to be careful with (messages that look like they are from a real friend).

Tags : / / / / /

Gerard "Jay" Cahill (1967-2006)

Yesterday, we laid to rest my brother of 39 years, Gerard (known to most people as "Jay"). I've spend the past week with my family dealing with his death and the pain it has caused everyone. It is hardest on my parents who have now lost the 2 youngest of their six children (my sister Colleen passed away just 18 months ago).

Jay had spent much of the summer with angie and I working on my deck and patio (well, he was working, I was paying and watching :-)). We grew quite close for the first time and he even planned to join me on a trip to London for one of our cousin's wedding -- that would have been his first ever trip outside of the US of A.

While there was much mourning going on this week, there was also much celebration of the man Jay was, the father Jay was, and the friend Jay was. Many stories were told and most of them brought some laughter to all who heard.

Gerard will be sorely missed by all.

Tags :