Thursday, November 30, 2006

My Personal Best Panoramic Picture

In fact, I should just call it my best picture ever:

This was taken back in 2001 on the coast of Ireland outside of belaha with a Canon EOS D30 (yes, the 3MP D30 as opposed to the current 8.2MP 30D). At the time, I had no clue about proper panoramic photography. I just happened to be standing along the western coast of Ireland about half way between Doonbeg and KilKee:

And the scenery looked so nice that I decided to take a series of pictures with the potential of patching them together. I didn't do any of the standard things one would do for a panoramic -- just held the camera and took a series of 9 individual shots (the original shots start here) that overlapped a bit.

This just happened to be a very lucky picture, taken on a great day with a great subject (the Ireland countryside). I've tried several times to do this again in different areas, but have never gotten one as good as this.

I printed it at EZprints (an approximately 9 foot long x 12 inches tall panoramic photograph). They did a great job. One of the prints is hanging in Igoe's Pub in Doonbeg (County Claire, Ireland). Another print is hanging in my office at Intel (I had to split it into two sections to get it to fit into my cube -- but then it gives it more of a panoramic feel sitting in the corner like that):

Tags : / / / / / / /

Wednesday, November 29, 2006

It's not courting...

Paul uses the analogy of marriage and courting to say that my comment about the new OpenID extension is essentially trying to shortcut a well known process. While I may have snuck the ring on my wife's finger while she wasn't looking, we did go through the normal courting process.

However, I would say the analogy doesn't apply here as the OpenID AQE effort is just getting started while Liberty's ID-FF was done in 2001 and SAML 2.0 was done in 2005. Not looking at those specs at this time is more like saying that my wife and I went back to the courting state when we decided to have our second child and had to wait to be married yet again before we could try. Luckily that wasn't the case as I'm not sure I would have made it through the process again (she had learned too much about me by then).

Again, I think that OpenID, or any other group working on some concept, should look at what's available and see how it can be profiled and/or adapted to the work at hand. The people involved in SAML are very open to helping figure out how their work can be adapted to meet the needs of any group, even to the point of working on new profiles (as evidenced by Jeff Hodges' & Scott Cantor's Simple SignOn profile).

Tags : / / / / / / /

OpenID's Assertion Quality Extension

Today, David Recordon announced the release of the first draft of the OpenID Assertion Quality Extension. This specification is directed at solving the question of "how did the user authenticate" both when they created their account and now for this particular authentication session.

Overall, as far as I can tell, there is nothing in this specification that is not easily handled using the SAML Authentication Context structure and so I don't understand why they didn't just adopt that model as-is (and the SAML model clearly handles much more than the limited cases supported currently by this proposal). At the minimum, this document should be a limited profile of what portions of the SAML model they want to use.

I also have some more specific feedback about things in the specification:

  • Section 4: Relation to SAML Authentication Context) contains the following:

    The Security Assertion Markup Language (SAML) Authentication Context ([SAMLAC] (Kemp, J., “SAML 2.0 Authentication Context,” 2005.) defines mechanisms by which SAML Service Providers and OpenID Providers can discuss the context of an authentication assertion.

    The authors acknowledge the similar motivation between SAML's Authentication Context and this extension. Where possible, we have attempted to stay aligned with the SAML Authentication Context model. Indeed, we see this topic as a likely area of convergence between OpenID and SAML. More work is needed here.

    This is all you hear from or about SAML in the entire specification. There are no other references to the SAML authentication context, nor any use of the structures or capabilities of the Authentication Context. I'm not sure why this is even mentioned here if they aren't going to make use of any of the SAML work in this area.

  • Section 5.1 ("Enrollment Properties") talks of 3 of the possible enrollment properties (captcha, email and telephone verification).
    • I don't think captcha belongs in the same list, as it's just a basic way to make it harder (but not impossible) to automate the login process by another computer) but that isn't my call.
    • I think that these enrollment properties require a date to make them useful (as in the verification was done 10 years ago or it was done yesterday). The point being that a verification done a long time ago has little value today.
    • I think the model should be more generalized to allow other verification tokens to be added without having to rev the specification again. One possible way would be for each enrollment to have two properties: a name and a value.
    • I would recommend changing "Did the OP present the End User with a CAPTCHA during the account creation process" to "Did the user complete a CAPTCHA prompt successfully during the account creation process".
  • Section 5.2 Supported Authentication Properties:
    • There's no definition of what the listed methods actually mean. Does a password mean that it was at least 3 characters long or are blanks allowed? Does a pin mean that it's an all-numeric password (so why is it different from a password), does a fingerbio mean that a fingerprint was validated (to what level of accuracy)?.

      I suggest that there be at least some clear definition of exactly what these mean (minimally).

  • Section 6.1 Request Parameters
    • I think that the RP should be able to specify desired enrollment properties rather than having to just get back data that it can't use in the response (in other words if the RP requires that email address be confirmed, getting back an authentication response that says it wasn't confirmed is pretty useless).
    • I think they should consider using authn as a shortcut for authentication rather than auth. It gets very confusion when you eventually also start talking about authorization.
    • I think the language around what to do when multiple auth_modes are specified is confusing and makes it hard for the RP to get exactly what they want. In Liberty (and then SAML) we took the view that the RP would typically give an exact OR'd list (so any in the list are valid) or would say something along the lines of "this or better" - meaning that they didn't care too much about the specific method as long as it was at least as "strong" as the specified method). I would suggest OpenID follow a similar model as it makes it much simpler for the RP.

  • Section 6.2 Response Parameters
    • I'm confused by the "comma-delimited list" of methods in openid.aqe.auth_mode while the paragraph after the bullets says that if more than one method was used you must post-fix the auth_mode and auth_age with sequenced numbers (1, 2, etc.).
    • For auth_age, it probably should be 'The number of seconds prior to this response' rather than request.
    • As I stated previously, enrollment_verified values should have an age and should be extensible.
  • Section 9 Examples

    It would be good to include some example authentication requests and responses here to show how the messages flow.

Again, I reiterate my earlier statement: Why not just use SAML Authentication Context. Lots of thought, energy and analysis went into this once already and as long as it isn't falling short of your needs, it would seem much simpler for everyone to adopt it.

Tags : / / / / / / /

Firefox 2.0

I've finally gotten around to installing and using Mozilla Firefox 2.0 and so far so good. It doesn't feel dramatically different from Firefox 1.5 (although I haven't done any stringent comparison testing).

The migration from 1.5 to 2.0 was just installing 2.0. All of my 1.5 configuration settings, passwords, bookmarks, etc. just flowed right into 2.0. Simply install 2.0 and startup the new browser and everything comes along for the ride.

One change that I did notice that perturbed me a bit (although I am sure there are others who will like this) is that the tabs in the tab bar now have a setting for a minimum width and automatically start scrolling when the tab bar is full. To me that takes away a lot of the value of tabs in that I can't immediately see the entire set of tabs I have (and I usually have many).

After looking at the preferences that are configurable through the Options screen (and finding nothing to help me), I was able to find the "about:config" screen which allows you to set what looks like billions of preferences. Setting the browser.tabs.tabMinWidth value to 0 disables tab scrolling. Of course, when the tabs get too small, I won't be able to see them either, but then I will probably notice them getting that small and start a second or third Firefox window (yeah, that sometimes happens).

Even with this little quirk (that was easily fixed), I like Firefox and it's my primary browser for most browser work.

Tags : / / / /

Monday, November 27, 2006

What about Sam?

I have to applaud Pam's response to CNET's 'Top Ten Girly Geeks'. It certainly seems like the real target of the list was not geekdom, but more likely some way of increasing page views.

For me, given that they chose to include at least one fictional character, I can't understand how they could have overlooked Major Samantha Carter of the SGC. She's as geeky as they come and she uses her geekdom to regularly save the world from the evil goa'uld. And Sam is much more pleasing to the eye than some 8 year old cartoon character.

Tags : / / / / /

Opt-ing out

Even though I feel that I tend to keep up well with things related to Identity and Identity Theft, there are always things that slip through the cracks (some, even after I have gotten wind of them).

In the case of opting out of all of those pre-screened credit card offers, I vaguely remember a friend sending me an email about it a year or two ago, but that never made it above the line to actually have me take a look at it.

However, yesterday, when I was logging into Paypal to pay for an eBay auction, Paypal told me I was pre-qualified for one of their credit cards and I noted that they had some stuff about opting out, so I started digging into it. At first I thought it was a way to opt out of the stupid offers they have following the login, but was disappointed to find out it was just some info about opting out of pre-screened credit card offers.

Since I get something like 10 to 20 of these every week, getting rid of them would still be a good thing, so I dug further including a visit to the Federal Trade Commission's web site and some poking around in other sites to verify the authenticity of what I had read.

The good news is that there is a web site ( where you can go and opt-out of prescreening at the 4 big credit agencies (Experian, Equifax, Innovis, and Trans Union).

You can opt-out for 5 years or permanently (depending upon whether you want to just fill in a form or also mail it in). The form does require all the information that one would need to steal your identity (name/address/DOB/SSAN, etc.) and so it did give me pause and caused me to do some secondary research, but everything I've found at a number of reputable sources convinced me they're on the up and up.

Update: As Pat pointed out in his comment, you don't have to enter the DOB/SSAN information. I'm not sure if this impacts how well the opt-out matches with the records in each system. I supplied it all as they have it all already.

If you're cautious about entering the data online (I wasn't), you can call toll-free 1-888-5-OPTOUT (1-888-567-8688).

I recommend that everyone opt out permanently (unless you like the idea of getting identity theft invitations in your mailbox every day).

Tags : / / / / / / / / /

Saturday, November 25, 2006

Thanksgiving Holiday Driving...

This week, we did the traditional drive-to-the-parents-house-for-Thanksgiving trip, driving up early (6AM) Wednesday morning and returning early (5AM) Saturday morning -- it was lots of fun getting the family up Saturday morning to head home, but being able to travel the 300 miles in just 4½ hours was well worth it, especially this weekend. One time in the past, the same trip took close to 12 hours when we chose to head home on the Sunday following thanksgiving.

The driving was mostly uneventful other than one guy who was driving slowly in the left lane until I went to pass him on the right. He then sped up to try to stop me from getting past him, but I got in ahead of him. He continued to sit on my bumper for a while and then flew up to pass us on the right, cut back in front of me and immediately slowed down to pace the next car in the right lane, thus blocking both lanes. He kept that up until he had to exit and then he had to rush up and cut off the guy he was pacing in order to make it over to the right lane to exit.

I guess every holiday brings some of them out of the woodwork. If I had thought about it I would have written down his plate to send him a flag on Platewire -- at least that would have allowed some venting (I couldn't curse him with the kids in the car).

Anyway, we're home-sweet-home now... No more worries about crazy drivers.

Tags : / / /

Vacation Photos

For the past few weeks, many people have been "leaving me song downloads on MySpace", but now I'm getting vacation photos from Bob, Anthony, Henry, Sally, Donald, etc.

It was interesting that I do know an Anthony who is on vacation and so the message below caught my attention:

Anthony has sent you a photo from Vacation!

Click here to view the photo Anthony has sent from vacation:

Click here to share your photos with a friend:

At Vacation Photos Online we care about your privacy. We have sent you this 
notification to facilitate your use as a member of our service. If 
you don't want to receive emails like this to your email account 
in the future, please click below:

Vacation Photos Online Inc. - 4598 River Glen Dr, Las Vegas, NV 89103 USA

©2006 VP Online Inc., All Rights Reserved.

o  3Com 3C507 Etherlink 16/TP
2.1.2.  Ethernet cards
The goal of the new ports collection is to make each port as `plug-
10.4.12.  * PCMCIA
0xd4 write  Single Mask Register Bit
... much more junk deleted here ....

The links in this email were within the domain. The Whois information for this domain includes:

   Domain name: TARRX.NET
   Registrar: PacNames
   Referral URL:
   Domain Registrant: TOTALNIC-128733 (XSALSA@GMAIL.COM)
      Alex Rodrigez
      Alex Rodrigez
      PO box 109 WP 1432
      Lappeenranta NA 53101
      Telephone: +358.207818027
      Fax: +358.207818027
   Domain creaton date: 2006-11-07 17:15:00.0
   Domain expiration date: 2007-11-07 22:34:13.0

Which is pretty much the same information returned for (the target site for the attack I wrote about earlier). It's also the same info for several other domains received with this and they myspace attack including:,,, etc.

I followed the link in a fairly safe environment to a page that was offering to sell common software packages at like 10 cents on the dollar. Clearly a deal that's too good to be true.

I'm not sure whether this is simply plain old SPAM trying to get you to buy their stuff, a SCAM trying to get you to pay for something you aren't really going to get (the fact that thesoftwaree they are selling is only available via download) or, much more likely if you ask me, an attempt to get your credit card information to use for other identity theft related attacks.

UPDATE: 11/26 - today he started using a new domain that was registered Thanksgiving day (11/23):

UPDATE: 11/28 - He just won't quit -- today he registered two more domains and has started using them for this scam: and

UPDATE: 11/30 - In another offer for vacation photos, the domain was (as opposed to the former and this time the domain was owned by:

   Wan-Fu China, Ltd. (TARRX-COM-DOM)
   P.O.Box CB-11901

   Domain Name: TARRX.COM
   Status: PROTECTED

..... duplicate info cut out here .....

   Record last updated on 27-Nov-2006.
   Record expires on 26-Nov-2007.
   Record created on 26-Nov-2006.

That site just throws up pop-up adds at you. I'm not sure if it's the same person doing this attack or is this another person using the same attack to get revenue from pushing pop-up adds.

In any case, beware... don't click on or follow links in these emails.

UPDATE: 12/20 - this attack seems to have picked up again given the junk in my inbox as well as the hits on this page. New domains being used include:, (which is also used in another attack I wrote about),, etc.

Tags : / / / / /

Tuesday, November 21, 2006

It's not just confusing..

Paul Madsen has been having an ongoing dialog about an OpenID sign-in with Paul Toal and Pamela Dingle.

Paul's most recent post includes:

Consequently, having the user provide both the IDP through a drop-down list as well as an i-name would seem to provide only opportunity for confusion.

I would say that it's not just confusing but also more information that is necessary for that transaction (the purpose for which is to identify the IdP so that the user can be referred to the IdP to authenticate). You don't need the user's identity to do that -- all you need is the identity of the IdP.

Providing the full identity to the relying party is giving them a portion of what turns out to be your login credential in most cases -- something that most security people would say is a bad thing because if they wanted to hack into your account, they are now half-way there.

Even if you don't agree with the security argument (and I won't comment on your sanity), I can still fall back on the just-enough-information argument -- don't ask for or give more information than is necessary for the task at hand.

Tags : / /

Backing up using SSH & Rsync

I run Fedora Linux inside of a VMWare Virtual Machine on my laptop and use it for web services development (see my Liberty open source toolkit) as well as a docbook document development system for working on the Liberty Alliance specifications (I edit the Discovery Service Specification and am working on their new Advanced Client Technologies spec).

I needed a regular way to back this data up regardless of my location. At home I have a Linux server that I use for this purpose. Of course, that server is behind a firewall, so getting to it while at home vs while remote can be interesting. The diagram below shows the general situation:

The tricky part being that my laptop may appear on the internal network and may appear out on the internet and I want the backup to magically work regardless of the location.

Rsync combined with SSH seemed an ideal solution to the problem. I had to configure things so that they would work in the following scenarios:

  • At home where the backup server is available via a local network connection. This is the most efficient since I'm on a local connection and the VPN status doesn't matter since the connection is to a local IP address which is excluded from the VPN traffic.
  • On the road with the corporate VPN running. In this case I have to go through one of the corporate SOCKS servers.
  • On the road without the VPN. In this case I just go directly through my firewall (so similar to the local connection but instead of a local IP address, I use the network visible IP address).

In order to handle these scenarios, I've developed a layered model that takes several steps:

  • Step 1: Create an SSH tunnel from my laptop to my internal firewall:

    This would go through our corporate SOCKS proxy if I'm at the office or on the VPN.
  • Step 2: Create an SSH Tunnel through the tunnel created in Step 1 to my backup server

  • Step 3: Run Rsync across the SSH tunnel created in Step 2.

When I'm home, I use the same layered model (probably because I'm too lazy to add the code to skip one of the layers) which looks like:

So, let's examine the code that I use to accomplish this....

  1. Determine connectivity status (home, away with VPN, away). I accomplish that cheaply (and somewhat riskly by simply using ping):
    if [ "x$1" == "x-local" -o "x$1" == "xlocal" ]; then
    elif [ "x$1" == "x-remote" -o "x$1" == "xremote" ]; then
    elif [ "x$1" == "x-proxy" -o "x$1" == "xproxy" ]; then
    elif ping -q -c 1 ${GatewayIP} > /dev/null 2>&1; then
    elif ping -q -c 1 ${HomePingName} > /dev/null 2>&1; then

    The first 3 options allow the location to be manually forced (useful in some situations where it looks like I have connectivity that I don't).

    The next option checks to see if I can ping the local address (${GatewayIP}) on the firewall (which would mean I am home or there just happens to be another system with the same IP address in my local network -- possible, but I haven't run into that problem often).

    The next option attempts to ping the external address on the gateway (which would mean that I'm away from home, but without the corporate VPN).

    And, of course, if none of them work, the assumption is that I'm behind the corporate firewall and have to use the corporate SOCKS proxy.

  2. Setup connection parameters appropriately:
    case "${CONNECT}" in
            echo "NOTE: Connecting locally"
            echo "NOTE: Connecting Direct to external gateway"
            GWCFG="-F $HOME/.ssh/ProxyConfig"
            echo "NOTE: Connecting remotely through Proxy"

    This sets up the Name or IP address of the initial SSH connection gateway (GATEWAY) and sets up whether or not I need to go through a proxy (GWCFG). The ProxyConfig file has the following contents:

    Host *
        ProxyCommand connect -S proxyhost %h %p

    Where proxyhost is the name of the proxy server and connect is a SOCKS4/5 compliant proxy client wrapper written by Shun-ichi Goto and available from his web site

  3. Establish the first SSH tunnel (to the firewall):
    echo "Setting up SSH connections..."
    echo "  ** base connection to home gateway..."
    ssh ${GWCFG} -2 -n -N -T -L 2222:${DESTIP}:22          -l username ${GATEWAY} < /dev/null &
    echo -n "     * waiting for ssh listener to start..."
    sleep 2
    until `netstat -a -n | grep -q 2222`; do
        echo -n "."
        sleep 2
    echo "done"

    This SSH command uses the proxy (if necessary) to connect to the internal firewall (${GATEWAY}) with the following options:

    • -2 - use SSH protocol version 2.
    • -n - don't ready anything from (needed if running SSH in background).
    • -N - don't execute a remote command. Normally SSH would startup a login shell on the remote system. In this case, we're just creating a tunnel so no need for a remote command.
    • -T - disable pseudo-ttys (again, we just want a tunnel so don't need ttys either.
    • -L 2222:${DESTIP}:22 - setup a port forward of local port 2222 to port 22 on ${DESTIP} (from the remote system). This means that any connections to port 2222 on the local system will be forwarded to connections to port 22 on ${DESTIP}. ${DESTIP} is the ip address of the backup server.
    • -l username - use username as the login on the gateway system.
    • ${GATEWAY} - the system that this SSH connects to.

    Since the SSH is started in the background, I have a small loop running waiting until a listerner starts up on port 2222 before we can proceed with the next step.

  4. Establish the 2nd SSH tunnel (through the firewall to the backup server):
    echo "  ** layered connection to backup server..."
    ssh -2 -n -C -N -T -p 2222 -L 1873:             -l ${DESTUSER} ${DESTHOST} < /dev/null &
    echo -n "     * waiting for rsync listener to start..."
    sleep 2
    until `netstat -a -n | grep -q 1873`; do
        echo -n "."
        sleep 2
    echo "done"

    This ssh command uses the tunnel established in the previous step to connect to the backup server (${DESTHOST}) with the following options:

    • -2 - use SSH protocol version 2.
    • -n - don't ready anything from (needed if running SSH in background).
    • -C - compress data on this connection. I didn't compress data on the outer SSH since you don't want to compress twice and this layer would see the original data while the outer layer would see encrypted (and likely less compressable) data.
    • -N - don't execute a remote command. Normally ssh would startup a login shell on the remote system. In this case, we're just creating a tunnel so no need for a remote command.
    • -T - disable pseudo-ttys (again, we just want a tunnel so don't need ttys either.
    • -p 2222 - connect to port 2222 (the port we have the listener configured for from the outer ssh layer).
    • -L 1873: - setup a port forward of local port 1873 to port 873 (the rsyncd port) on localhost(the remote system). This means that any connections to port 1873 on the local system will be forwarded to port 873 on the remote system.
    • -l ${DESTUSER} - use ${DESTUSER} as the login on the backup system.
    • ${DESTHOST} - this would normally be localhost since the listener from the outer layer ssh is listening on the local system. However, ssh really gets upset when you have remote entities that look like the same entity but have different private keys, so the host here will be an alias for localhost defined in the /etc/hosts file. So my local /etc/hosts file has a line that looks like:   mysystem localhost backupsys 
      And ${DESTHOST} has the value "backupsys".

    Since the SSH is started in the background, I have a small loop running waiting until a listerner starts up on port 1873 before we can proceed with the next step.

  5. Run the backup using rsync:
    cd ${SRCDIR}
    echo "Backing up ${SRCDIR}..."
    RSYNC_PASSWORD=mypass rsync --port=1873 --relative --recursive          --verbose --times --delete-after --archive --exclude */Cache/ . user@backupsys::data/home
    echo "Backup done!"

    This rsync command uses the tunnel established in the previous step to communicate securely with the rsyncd daemon running on the backup server. The options specified include:

    • --port=1873 - connect to the rsyncd running at port 1873 (which, because of the tunnel we setup in the previous step actually talks to the rsyncd running on port 873 on the backup server).
    • --relative - use relative pathnames (IMHO should almost always be used).
    • --recursive - include sub-directories recursively (so the entire directory tree)
    • --verbose - document what's going on (generates log records of files that were backed up and/or deleted
    • --times - keep the file access/modification times on the files on the remote system the same as those on the local system.
    • --delete-after - delete files that are not present on the local system after the backup is done (as opposed to first).
    • --archive - use archive mode (shortcut for specifying a series of other flags)
    • --exclude */Cache/ - exclude any cache files from the backup
    • . - backup starting in the current directory
    • user@backupsys::data/home - backup to the system backupsys using the user name "user" and into the data/home directory on the backup server. The rsync password for "user" is specified in the environment variable "RSYNC_PASSWORD" so that it isn't easily visible on the process list.
  6. Finally, now that the backup is complete, tear down the SSH tunnels that were started in the background:
    echo "Tearing down SSH connections..."
    kill ${SUB_PID2}
    kill ${SUB_PID1}
    sleep 2
    echo "DONE!!!"

    The PIDs for the ssh sessions were saved during the creation of the tunnels.

This system has worked for me for several years and does quite a good job of allowing me to backup my data where ever I am (and since I travel an awful lot, being able to do so on the road is extremely useful).

Tags : / / / / / / / / /

Sunday, November 19, 2006

Gadget of the week

Speaking of collections, my collection of DVDs has been getting out of hand. I used to hand-enter them into an Access database so I could generate lists for quick lookup. However, I haven't had the time/energy to add any new DVDs in the past year or two and the list of un-entered DVDs has just been too daunting to deal with.

To the rescue: The Collectorz Movie Collector program and the Collectors Barcode Scanner. With this setup, I've been able to scan my entire collection of close to 600 DVDs in a few hours while watching TV. Just scan the UPC code on the DVDs with the scanner (it's portable) and then plug it into my laptop... All the barcodes are automatically sucked into the program... press a button and the software pulls down lots of info from the internet (using Collectorz database, IMDB, Amazon and DVD Empire) and poof.. all the data is entered.

Most of the time was me printing the labels for the DVDs (1, 2, 3...). Scanning took almost zero time.

A very good investment, if you ask me!

Tags : / / / / / /

Thursday, November 16, 2006


Some people collect spoons... Some collect plates... other collect coins or stamps. Me... I collect Harley-Davidson T-Shirts (both long and short-sleeve).

There are H-D dealers all over the world and with all of my traveling this gives me something to do to help ensure the financial success of a great american company.

This week, I bought my latest T-Shirt in Columbia Harley Davidson in Vancouver, WA (just north of Portland). The design on the back of the shirt (why one buys these things) is below:

That is one of the "good kind" of dealer shirts. The back has a design that has something to do with the area (as opposed to the more boring kind that just list the name of the dealer and location -- such as the Vancouver, BC shirt that I'm wearing as I type this). I really like the local design shirts much, much better and wish all dealers had those.

Tags : / / /

Wednesday, November 15, 2006

Why Discovery?

As part of their Identity-based Web Services Framework (ID-WSF), the Liberty Alliance has defined a Discovery Service in their specifications and while there are hints of discovery type operations in other specifications there's nothing like the Liberty Discovery Service. Why is that?

To be honest, I don't know and I wouldn't mind hearing from those conversant in those protocols about how the missing piece is filled in.

Liberty developed the Discovery Service to answer some specific requirements that we had in our use cases. Those requirements included:

  • The system must support a model where there are multiple providers of the same service. So, the protocols must support an environment where there are multiple providers Banking Services or Profile Services or any other service for that matter. This means that at run-time the clients must be able to locate the list of providers.
  • The system must support, on a per-user basis, the specification of one or more particular providers of a given service. So, a user could have a single provider of Banking Services, but for each user that provider may be different.
  • A client developed to utilize a given service will work interchangeably in system environments where there are single or multiple providers of the same service. So a developer of a client can be confident that their client will be able to participate in the system whether the system has a single or multple providers of the same service and the set of providers can change without impacting the client.

The other discovery type protocols are available, such as WS-Discovery or UDDI, don't provide this type of functionality at all. Some say that UDDI could be extended to support it, but I still think that UDDI isn't/wasn't intended for this type of operation -- it was more intended to publish WSDLs for generally available services.

So Liberty created its own Discovery Service and in doing so, we have found that the Discovery Service also provides a very powerful service to Web Service Consumers (WSCs) - matching the capabilities and interests of the client to the capabilities and requirements of the service providers.

When a WSC invokes the Discovery Service, it provides the Discovery Service with a list of its capabilities (such as which service it wants to talk to, which versions of the service protocols the client can speak, which security mechanisms the client can support, etc., etc.) and the Discovery Service matches the specified capabilities with the registered requirements of the service provider(s) who provide that service for the user. The Discovery Service then returns to the WSC an Endpoint Reference which gives the WSC all it needs to know to directly invoke the Service Provider's interfaces without need for further negotiation.

This is probably the strongest benefit of the discovery service, dramatically reducing the number of messages sent by the WSC setup the first call to a service provider.

If you look at the other web services protocols out there, this process either requires a substantial amount of built-in knowledge in the client -- something we all know is bad -- or the process requires a substantial amount of negotiation between the WSC and the various providers of service until the WSC finds a match with its capabilities.

Tags : / / / / / / /

Saturday, November 11, 2006

Phishing List anyone?

In my inbox today:

Hello: We are offering an email database which allows to contact eBay members (both sellers and shoppers). These are individuals that buy and sell items on the eBay auction. Please notice that 90% of eBay customers are also customers of PayPal. This database will be perfect for selling your products/services, because we are providing you unique prospects who purchase and sell more than anybody else! The data contains 408,000 records, which include personal email addresses only. The records cover ALL categories listed on eBay The database will be delivered to you in any format of your choice (Excel, ASCII, CSV, etc.).By default it is provided in a 4.4MB TXT file. The data was collected in the period of last 2 months and will be updated quarterly. The price we are asking is $360. To place the order please fill out the form: http://www.???????.com/ebay_info.php To contact me please email to info@??????.com (THIS EMAIL ONLY! DO NOT 'REPLY'). Please notice that we also maintain a list of eGold sellers. Best, Alex

I blocked out the addresses as I don't feel the need to give them any free publicity.

At first one might think that this is just a scam itself (that the email addresses aren't really from ebay users, but just a generic list of email addresses). However, given that I've recieved a substantial number of scam/phish emails directed at my ebay-only email address, I would have to say that someone out there has gotten my ebay address onto one of those lists.

The note about many of them also likely being paypal users is again a clear invitation to phishers ("hey, if you want to phish paypal -- where the money is -- here's a good list to start with...").

There's just something wrong about them being able to sell lists like this... But I don't think it's illegal... Although, it is likely a violation of eBay terms of service.

Tags : / / / /

Friday, November 10, 2006

What does this tell us?

Virginia's vote earlier this week had some interesting results (notwithstanding the national issue of our senatorial race).

One issue that I was quite unhappy about was the lets-discriminate-against-the-little-guys marriage amendment. Something that I felt strongly enough about to actually contribute to some of the efforts at stopping it (a first for me).

As feared by many, that amendment passed by a non trivial margin: 1,328,183 votes for and 998,514 votes against. A sad day for Virginia if you ask me. One that we will look back on in the future shaking our heads.

What's interesting is the next issue on the ballot: Another amendment of the constitution. In this case to remove a clause in our state constitution that has already been struck down as unconstitutional (U.S. constitution) and the state itself has been ignoring for the past 5 years or so. You would have thought this would have had like unanimous approval.

This change, a seeming no-brainer "let's get rid of a part of the constitution that we don't pay attention to" amendment, also passed and with suprisingly similar results: 1,425,562 votes for and 761,045 votes against.

What were those 761,045 people thinking? Let's keep the clause that we don't pay attention to? Or, perhaps more likely, "who needs change.... things were so much simpler before".

Tags : / / / /

United's latest offer...

United has started a new offer on their site where purchases made with their branded credit card can earn up to 5,000 elite qualifying miles (not miles you can use, as the card already gets you those, but miles that count towards qualifying for one of the 25, 50 or 100 thousand mile elite levels).

Here's the offer:

Make every Mileage Plus Visa purchase count towards 2007 elite status.

Use your Mileage Plus® Visa® November 1 - December 13, 2006 to earn Elite Qualifying Miles (EQM) and Elite Qualifying Segments (EQS):

  • Earn 5,000 EQM and 5 EQS when you spend $10,000
  • Or, earn 2,500 EQM and 2.5 EQS when you spend $5,000
  • Or, earn 1,250 EQM and 1.25 EQS when you spend $2,500

To register for this Mileage Plus Visa promotion, please complete the form below. Your credit card will be charged a $99 fee for this transaction. All fields must be filled out to register.

Note: Offer only valid for U.S. Mileage Plus credit card; not valid for U.S. Mileage Plus debit card or non-U.S. Mileage Plus credit cards.

There are soooo many problems with this offer:

  • The period ends Dec 13, long before the final push for holiday spending for most of us procrastinators.
  • These miles don't go into your mileage account, they just count towards elite status
  • The earnings are driven bthresholdld rather than percentage... Spend $9,999.99 and you only get the 2,500 miles rather than the 5,000 miles -- so "every purchase" doesn't count towards elite status.
  • The max is at 5,000 miles -- this just isn't enough miles to mean all that much (about 10% of the 50K you need for Premier Executive -- where the elite status starts to really mean something)
  • You have to pay $99 for the privilege of participating (and that's above and beyond the annual fee you pay for the card itself).

If you really want extra miles for elite status, I suggest you wait till next October and then take United up on their double elite qualifying miles that they seem to be offering every year around that time.

Me, I don't even have a Mileage Plus Visa (even though United would pay my annual fee (because I'm at or above the Premier Executive 1K status)). I used to have one, but they kept putting a hold on the card every time I traveled internationally and told me I would have to call them before every trip to prevent the hold -- not a chance... Don't have the same problems with my AmEx, nor my Chase Visa (interesting since Chase handles Mileage Plus Visa now -- I wonder if they did when I had the problem).

Tags : / / / / /

Wednesday, November 08, 2006

SPAM, Scam, of Phish? - that is the question.

Today I received the email below. I'm not sure whether it was a Phish attempt (my first guess), some sort of scam or just plain old SPAM.

The email is questionable because:

  • I'm not concagirl so the message that I received wasn't "to" me -- a clear sign that things aren't as they seem
  • I don't have an account at AMSouth
  • The body of the message doesn't mention me by name or with any personal information about me -- clearly a generic letter sent to many people -- another sign of badness)
  • AMSouth (or any other bank) will never send an email asking you to confirm user details through some link.
  • The message was an image rather than text. Banks don't normally send text messages as an image -- the image model is used by scammers because it's harder to have efficient SPAM detection of image based messages (especially since they can change the image every so slightly which means the SPAM detection won't work while the change doesn't change how it looks to the user)
  • The entire image had a link on it (so, as you move the mouse over the text, the pointer stays with the pointing finger (meaning there's a link there) even though the message doesn't look like a link).
  • After the image there was a large white area that appeared to be blank. However, when you used the mouse to select the area, the hidden text below shows up:
    Please! coney dally Swallowing hurt. Like an idol, she gave only one thing: a feeling of unease deepening steadily toward terror. This time he tried looking out the window, where fresh snow was falling. Because I can, and it's not something to apologize for, goddammit. Never you. "Well, I guess it was something like that. Ten minutes later she came in with the syringe, the Betadine, and the electric knife. The limited vista now opening before him wag extremely unpleasant: six weeks of life which he would spend suffering with his broken bones and renewing his acquaintance with Misery Chastain, n?e Carmichael, followed by a hasty interment in the back yard. annual
    This is just random garbage added to the message in an attempt to bypass the SPAM recognition filters. Given that this message did get to my AOL account (which does have quite good SPAM recognition filters), it seems that they succeeded.
  • Interestingly, the link on the page did not go to a phishing site (which I had assumed it would). It went to what looks like on of those typical domain-for-sale pages ( Perhaps they were a phish site that was already shutdown.

Tags : / / / / / /

An active day...

Yesterday, I broke the century mark in blog hits for the first time. I ended the day with 157 hits, clearly in the range of Paul's best day and on my way to zoom ahead. (And yes, Paul, that excludes hits from my own browser).

Of course, when I told my son about this, his response was "Oh boy dad.... 157 hits out of the billions and billions of web hits yesterday"... Another clear sign that he is definately a Cahill.

Tuesday, November 07, 2006

I voted today...

Today I voted in our local election for one of our Sentators, a member of the House of Representatives, and a large number of local ballot measures including the "let's legalize discrimination in our consitution" marriage amendment (for the Virginia constitution).

As I mentioned earlier, I voted a loud resounding NO (as loud as I could on a paper ballot) on the constitutional amendment and hope that my fellow virginians have done the same -- bucking the trend we've seen in other states.

Tags : / / / / /

Sunday, November 05, 2006

Canon Powershot SD800 IS

A few weeks ago I bragged about my new gadget: the Canon Powershot SD800 IS camera. I had purchased the camera from for $362 and added a Patriot 4GB SD card from for $69 ($109 - $40 rebate).

My recent almost-trip-around-the-world presented me with a large number of opportunities to use the camera in a number of different environments, lighting conditions and settings. I have to say I am very happy with the results.

For this trip, I also brought along my Canon EOS 5D Digital SLR with a Canon EF 28-135 IS lens and the Canon Speedlite 580EX flash -- my "good camera" that I only bring along for special occasions or trips.

I used both cameras throughout the trip (you can tell which camera by the image number -- numbers > 4800 are the 5D) with the 5D brought out for the special occasions and the SD800 with me pretty much all the time. You can look at most of the photos on my web site in the following collections: a wedding in London, visit to Hong Kong, visit to Tokyo and visit to Kyoto.

I took many pictures with the SD800 in part because it was always with me (being small enough to comfortably carry in your pocket all day) while the 5D was frequently left back in the hotel room. The image stabilization helped take many pictures that I would not have otherwise gotten (including a hand-held macro picture of some Japanese coins at 1/15). The video feature worked well and had surprisingly good video (although I wouldn't recommend it for important videos as it's hard to do smooth panning with such a small camera). The zoom range was quite useful, especially the wide side.

All in all a good camera at a good price in a good package.

I even convinced two of my fellow traveling companions that they needed to get the SD800. Perhaps I should get a commission from Canon :-).

Tags : / / / / / /

Saturday, November 04, 2006

Backing up your digital life

As we all build our collections of digital content, from digital photos to multi-GB ripped music collections, we are placing a substantial burden on that little piece of hardware in our computer (the hard drive) that is one of the more likely components to fail. This failure, especially in the case of digital photos where you usually have but one copy of them on one drive, can lead to a substantial, irrecoverable loss of priceless moments of our lives.

What surprises me is that the subject of backing the data up is not heavily discussed in the documentation that comes along with those wonderful digital cameras, or those fancy MP3 players). Before you suffer from one of these losses, I strongly suggest that you take a few easy steps to protect your data.

When considering backup solutions you need to think in terms of normal day-to-day backup and recovery (such as getting back a file or directory that you accidentally deleted) and about disaster recovery (such as when your house burns down or when a power surge takes out all of your electronics -- both of these have happened to families I personally know in the past couple of years).

The backup options available today make this process much easier than it has been in the past and at a very low cost. These include:

  • External drive backup. Today you can buy external drives with automated and/or pushbutton backup which will backup your data directly to the external drive. Solutions include the Seagate Pusbutton Backup, Western Digital My Book and many others. This solution protects you from system failure, virus attack (as long as the virus doesn't also attack the external drive) but does not generally provide a good disaster recovery solution given that whatever damaged your computer will likely have damaged the external drive as well.
  • Online backup. There are many online solutions providing remote backup where the costs are extremely reasonable if not downright cheap. These include the likes of Xdrive (5GB for free, no clear option on more) AT&T Online Vault (2GB for $5.95/mo + $2/GB additional (to max of $17.95/mo)), Media Max (25GB for free, 100GB for $4.95/mo, 1TB for $29.95/mo). These are very cost effective, easy to use and once you get the initial data upload over, very efficient and automated. This is an excellent disaster recovery and a pretty good day-in/day-out recovery solution, but can be slow if you need to restore a substantial number of files.
  • Tape backup. For the most part, this isn't a necessary solution except for the enterprise (office) and even then, the diving cost of hard drive storage is making tape a think of the past.
  • Server Backup. Only for the geeks out there, but it is what I do. Backup of your data to a personal server. I've set my own server up such that I can backup my laptop from any location (home, office, on the road) but this solution isn't for the weary. In a future article, I'll explain my configuration and the software I use to support this model.

My recommendation is to use a combination of backup models. First a local backup to an external drive with disaster protection provided by one of the low cost online backup solutions.

My personal solution to date has been a local backup to a raid-5 drive that is mirrored to another drive (providing a very high reliability local storage) and I have the entire data set periodically backed up to an external drive that I keep in my office in Oregon (my disaster recovery solution). The research for this article has led me to decide to change over to using an online backup system for my disaster recovery solution.

Tags : / / / / / / / / / / /

Friday, November 03, 2006

VA Marriage amendment

Next Tuesday, November 7th, Virginia voters go to the polls to vote on a proposed amendment to the Virginia constitution that is referred to as the "Marriage Amendment". The primary purpose of the amendment is to define a marriage as a union of one man and one woman and to deny any marriage-like benefits to any other combination of partners including an unmarried man and woman.

While proponents claim that this is an affirmation of marriage, it does nothing to support, improve or otherwise effect a marriage of a man and a woman (including my own 17+ year marriage to my wife -- we aren't any more safely married with that act than we are without it).

In fact, the real purpose of the act is to deny rights to a group of people -- something that seems totally out of place in a constitution.

Our constitution should be protecting the rights of Virginia citizens, especially those of a minority group, rather than denying rights.

So, when you vote on Tuesday, I hope that you vote NO on the proposed amendment. I certainly will. Don't worry, your marriage will still be safe.

Tags : / / / / /

Thursday, November 02, 2006

Recognizing Malware email attacks

I all-too-frequently get emails which are attempting to install some form of malware on my system (in addition to the even-more-frequent phishing attempts). The vast majority of these seem to come from people I do not know. Some appear to come from companies I do know such as eBay, Walmart, or Amazon.

Some even come from friends -- not because my friends wanted to send them to me, but rather because they fell victim to the attack and the malware on their system used their address book to propagate itself to their friends. I once received such a piece of email from a very cute co-worker telling me "I love you"... Needless to say, she didn't.

So, how does one recognize when they receive such a piece of email?

Let's examine an email I received this am:

Subject: Confirmation for Order 37679041
Date: 2:20 AM
Dear Customer,

Thank you for ordering from our internet shop. If you paid with 
a credit card, the charge on your statement will be from name 
of our shop.

This email is to confirm the receipt of your order. Please do 
not reply as this email was sent from our automated confirmation 

Date : 08 Oct 2006 - 12:40
Order ID : 37679041

Payment by Credit card

Product : Quantity : Price
WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99

Subtotal : 2,449.99
Shipping : 32.88
TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting 
archive with "37679041.pdf" file ).

Problems that I noted with this email include:

  • I haven't placed any recent orders with Walmart. Big red flags as this is the most common attack vector -- claiming something has happened that you would be upset about and hoping you act without thinking carefully. If you ever get one of these that does make you think something has happened, I suggest you open a new browser window and type in the sites address from memory (NOT using any of the information in the email as it is *all* suspect, including things like a mis-spelling of the site name).
  • The order summary is in an attached self-extracting archive -- this should set off big red flags for anyone. Be very careful about opening any attachment on an email, but especially self-extracting (.exe) archives.
  • The date of the order is "08 Oct 2006" -- almost a month ago. Most confirmations are sent the same day or just a few days later.
  • The email was sent to an address which I do not use with Walmart -- something that I recommend for everyone -- use unique addresses for different vendors to make this kind of thing much easier to detect
  • the order was summarized in text already, so there was no need to open the attached "order summary". They're hoping the "upset" factor discussed above gets you to open the attachment without thinking.

I could go on taking the email apart, but you get the picture. Lots of inconsistencies and a strong play on the emotion of getting ripped off

One thing to remember, if you get an attachment that you think might be OK, but you're not sure. Instead of running it to see if it's OK (and then you're hosed), use one of the online scanning tools such as VirusTotal. Just take the attachment and forward it in a new message to with the subject "SCAN".

I did that for the attachment in the email above and the report I received was:

Complete scanning result of "", processed in VirusTotal at 11/02/2006 12:07:33 (CET).

[ file data ]
* name:
* size: 24733
* md5.: e0f9839c326ec24eb5faccc48e02e06d
* sha1: 0085a9c1700602df06686620e40f57c862fe833c

[ scan result ]
 AntiVir found [TR/]
Authentium 4.93.8/20061102 found [W32/Agent.BMW]
Avast 4.7.892.0/20061102 found [Win32:Small-BMW]
AVG 386/20061102 found [Generic2.FQH Warning: Hidden extension .exe]
BitDefender 7.2/20061101 found [Trojan.Agent.AAV]
CAT-QuickHeal 8.00/20061101 found [(Suspicious) - DNAScan]
ClamAV devel-20060426/20061102 found [Trojan.Small-403]
DrWeb 4.33/20061102 found [Trojan.PWS.Pape]
eTrust-InoculateIT 23.73.43/20061102 found nothing
eTrust-Vet 30.3.3174/20061102 found [Win32/Ursnif.U]
Ewido 4.0/20061102 found nothing
F-Prot 3.16f/20061101 found [security risk named W32/Agent.BMW]
F-Prot4 found [W32/Agent.BMW]
Fortinet found [W32/ACN.BS!tr.pws]
Ikarus found nothing
Kaspersky found []
McAfee 4886/20061101 found [New Malware.j]
Microsoft 1.1609 /20061102 found [PWS:Win32/Agent.BB]
NOD32v2 1.1849/20061102 found [Win32/PSW.Small.BS]
Norman 5.80.02/20061101 found [W32/Suspicious_U.gen]
Panda found [Suspicious file]
Sophos 4.10.0/20061026 found [Troj/PWS-ACN]
TheHacker found [W32/Generic!zip-dobleextension]
UNA 1.83/20061101 found [Win32.virus]
VBA32 3.11.1/20061101 found [suspected of]
VirusBuster 4.3.15:9/20061102 found nothing

Note that most of the tests resulted in a virus/malware being found in the attachment. That means that it is bad stuff and you should delete it immediately.

If it all comes out OK (they all say "found nothing") you still might not be OK if it is a very new attack. I tend to wait a day or two after receiving something that is suspicious and checking it again... If it still is OK, you're probably OK.

The moral of the story is that you have to be suspicious of every incoming email. Start out with the assumption that it is an attack and only after convincing you that it isn't should you open it and let it in to your computer.

Tags : / / / / / /