
greg hughes - dot net

Security, IT and anything else that matters... to me, that is



Monday, October 03, 2005 7:25:30 AM (Pacific Daylight Time, UTC-07:00) ( IT Security | Tech )

The beginnings of putting some more bite behind the anti-phishing bark are in play. The Governor of California (you all know who he is) today signed a bill into law that makes phishing - the practice of using fake e-commerce web sites to try to trick people into submitting their personal information - punishable with civil penalties.

"Victims may seek to recover actual damages or $500,000 for each violation, depending upon which is greater. Phishing often involves the use of names of legitimate banks, retailers and financial institutions to convince recipients of bogus e-mail offers to respond."

This is a good thing, in theory. Federal anti-fraud investigations are driven - like it or not - by the dollar amount associated with the loss. If it's not $100,000 you can't expect a lot of federal action, which makes sense when you consider that there are limited resources and you have to focus on the biggest crimes.

Only thing I want to know is this: How are we going to recover judgments from bad guys in Romania and other foreign countries? Fact of the matter is that most all phishers are not in the United States. That's something to think about.


Sunday, October 02, 2005 3:30:58 AM (Pacific Daylight Time, UTC-07:00) ( Office 2003 | OneNote | Random Stuff )

Brian Jones posted an item about the announcement this weekend of the fact that Office 12 applications will all support PDF as an output format natively. This might not seem like much to some, but in reality it's a big deal:

"The PDF support will be built into Word, Excel, PowerPoint, Access, Publisher, OneNote, Visio, and InfoPath! I love how well this new functionality will work in combination with the new Open XML formats in Word, Excel, and PowerPoint. We've really heard the feedback that sharing documents across multiple platforms and long term archiving are really important. People now have a couple options here, with the existing support for HTML and RTF, and now the new support for Open XML formats and PDF!"

More here.


Friday, September 30, 2005 9:46:51 PM (Pacific Daylight Time, UTC-07:00) ( IT Security | Tech )

Earlier today, Alex Scoble wrote about an IM conversation he and I had regarding VPNs and solving the nagging issue of firewall and other network roadblocks that tend to wreak havoc for people who need to connect to a remote private network. If your VPN client forces you to use some random or uncommon port, you're bound to get frustrated when you try to connect from many business networks, not to mention when you try from the hotel on the road. Now, maybe you shouldn't be plugged into that business network, but blocked by the hotel? Come on, give me a break.

There's no one perfect solution to this problem. There are lots of ideas, though. Many companies (most or all of the big players in the space) are coming out with VPN over SSL options, which is great. But what if you have a need to run a VPN software client, and it doesn't (yet) support SSL tunnels?

Here's one way to skin that cat, a la Cisco: Use TCP 443 in the Cisco VPN client to connect via an IPsec tunnel to your VPN endpoint. Note that you'll need to specify this in the connection settings. Typically the Cisco client uses the UDP protocol to do its thing:

[Screenshot: Cisco_udp]

But as you can see, you can also set it up to use the TCP protocol and whatever port(s) your VPN concentrator is configured to allow. For example, you could choose to use TCP over port 80, or port 443, since both of those are commonly open from any network. Note that port 80 might be proxied in some cases, but that's probably not a problem with 443, so it's a good one to try:

[Screenshot: Cisco_tcp443]

If you set up a couple or few profiles in your VPN client software sufficient to cover the bases (like, say one using UDP and one or two using common TCP ports), you'll pretty much always be able to connect from the road. Again, there's no guarantees and there's no 100% perfect solution, but this gets you better than 95% of the way there, I am confident. Just make sure your VPN host/endpoint is configured to support the ports and protocols you specify. In the past year or two, I have yet to come across a network while traveling (except for a couple of highly-secure ones at business locations, but hey...) that I could not successfully connect through with at least one of the settings I have available to me.

And while we're on the subject, there are some interesting and promising SSL options out there, with more undoubtedly coming. As far as other brands of VPN software clients, well - I've used most of them and let me tell ya, you're better off going with Cisco and looking at the PIX firewalls and the 3000-series VPN concentrators. Trust me, I've dealt with most of them, and there's a reason Cisco's such a prolific Internet company.

But tell me - what do you use and how have you solved this type of problem?


Thursday, September 29, 2005 8:15:30 PM (Pacific Daylight Time, UTC-07:00) ( Random Stuff )

I'm gonna have to go buy me up some of these bad boys:

[Image: Muppet_stamps2]

Yep, that's right - the Muppets have their own stamps now. Sweeeeeet...


Wednesday, September 28, 2005 6:20:55 PM (Pacific Daylight Time, UTC-07:00) ( Humor | Random Stuff )

Ever wish you could hammer on one of those celebs that you love to hate so much? Are you one of those people (like me) who gets a little excited when you hear someone yell "Body blow! Body blow!" in a crowd?

Here ya go then: CELEBRITY PUNCH OUT!

  Celebrity Punch Out

Go for it. You know you want to.



Wednesday, September 28, 2005 6:00:44 PM (Pacific Daylight Time, UTC-07:00) ( Mobile | Tech )

Research in Motion's Blackberry brand is (I'm saying it out loud right here) the de facto standard for business wireless email/PIM/phone communications. One of these days Microsoft's Mobile platform may overtake the Blackberry line, but hey - it hasn't happened yet, and fact is Blackberry's got the form factor down pat. Windows Mobile on a Treo? Cool, yes - but I'm not confident it will make a good RIM replacement. My Palm-based Treo that I used earlier this year got returned after about a month, and not only because of the software. The device itself was nice and all, but not very practical or friendly. I hated that keyboard.

The latest Blackberry model to hit the "coming soon" list is the 8700, which has been confirmed to exist (but not yet announced) and which is slated to hit the street later this year in a GSM/GPRS/EDGE model (you can likely expect Cingular to get it first). The specs are pretty cool and it makes me wonder what all this device will actually do (check out the list from pinstack.com):

- Quad-band GSM/GPRS/EDGE
- Speaker Phone
- Bluetooth
- Memory: 16MB RAM / 64MB Flash
- Polyphonic Ring tones
- Support MP3 ring tones
- Updated Form Factor
- Full QWERTY keypad
- Dedicated Send & End Keys
- Mute Key
- On/Off Key
- 2 User-Definable Keys
- This blackberry should come with a 320x240 VGA Color LCD and should feature a 312Mhz processor

So, if it supports MP3 ring tones and has 64MB flash... maybe there's a slot on this thing we can't see in the pics that would allow a flash card of some type? MP3 player capability maybe? Hey, I can dream, right?

Is this the one that gets an Intel processor, or no?

Looking forward to this one, for sure. EDGE data service will be terrific. From the RIM quarterly call this week, I would not be too surprised if there are other interesting and new devices coming this fall and winter, too. Lots to look forward to.


Tuesday, September 27, 2005 6:59:59 PM (Pacific Daylight Time, UTC-07:00) ( IT Security | Office 2003 | OneNote | Tech )

Microsoft today released SP2 for Office 2003, which can be downloaded via Office Update, or you can grab it here and you can read about it here.

In addition, OneNote 2003 SP2 was also released today - read about it here, and download it here.

One of the notable features in my book is the Phishing protection update for Outlook:

Microsoft Office Outlook® 2003 Phishing Protection and Junk E-mail Filter

SP2 contains a new Phishing Protection feature to be used with the Outlook Junk Email Filter. Phishing is the luring of sensitive information through e-mail, such as passwords and other personal information, by an attacker masquerading as someone trustworthy. Phishing attacks can result in a user divulging sensitive information, including financial information, that can result in a loss of privacy or money. Phishing e-mail is hard to identify, because attackers make their e-mail appear genuine and often mimic recognizable e-mail sent out routinely by legitimate organizations such as banks and credit card companies.

To enable phishing protection, you need both Office 2003 SP2 and the latest Outlook 2003 Junk E-mail Filter Update. Once both are installed, Office 2003 SP2 has phishing protection turned on by default.

For best results, we recommend you regularly download the latest version of the Outlook 2003 Junk E-mail Filter Update. To determine whether you need this update, see the Microsoft Knowledge Base article (872976): How to obtain the latest Outlook 2003 Junk E-mail Filter.


Monday, September 26, 2005 5:27:19 AM (Pacific Daylight Time, UTC-07:00) ( Random Stuff )

I've become a bit of a flag-at-half-staff resource on the Internet it seems. I get lots of emails on the subject, and just this morning received one from a FOX affiliate asking if I send out emails announcing when the flag should be flown at half-staff. Well, uhh - no. Really, I'm not an authority on much of anything.

But, Mark Peterson at the Peterson Flag Company does have such an email list, so for those who want to be notified every time a proclamation is issued to fly the American Flag at half staff, here you go:


Sunday, September 25, 2005 12:36:14 PM (Pacific Daylight Time, UTC-07:00) ( Tech )

I've recently started a little research project, through which I am hoping to figure out the best option for replacing four disparate old-skool PBX systems with a single, unified VoIP/SIP-based system. I've amassed more than a few Internet resources and have been doing research for a number of weeks, and figured someone else out there might have some ideas, as well. Plus, I need a place to catalog my thoughts and discoveries, so here we go...

I have specific needs that must be met, and probably the most complicated of them is that I have people who work in multiple locations, but who need to be logically grouped together as a team. So, there's a need for an Automated Call Distribution (ACD) capability, with full management monitoring, sign-in and sign-out, etc.

Whatever I come up with, it must be SIP-based (duh), and should integrate with/leverage the existing Windows 2003 Active Directory, as well as the communication and presence capabilities of Live Communication Server 2005 (which is highly SIP-aware, of course). A feature-rich unified messaging voice mail, FAX, etc. system is a must, with the full complement of delivery methods. End user self-service is important - In this day and age, it's hard to imagine putting in a system that doesn't allow its users to self-manage those settings that are safe to expose.

And it needs to work. All the time. None of this random glitch, dropped call, nasty audio quality stuff. VoIP has come a long way in the past few years, and my expectations are very high. I use Vonage at home and have watched it grow from mediocre to pretty darn good over the past 18 months. But I don't want to (read: can't) do that with a business-critical PBX system, and my expectations are that the IP-PBX system will be a better experience than I've had with Vonage.

It should be enabled to integrate tightly with Microsoft Business Solutions and the Office System servers and software - like Microsoft CRM, for example. And Outlook. SharePoint integration would be a huge plus, too. Web-based chat for the customer service folks would be terrific.

What else? Well, easy to setup and maintain is a plus, and web-based administration is a no-brainer.

And it needs to be something a medium-sized business can swallow, cost-wise. The days of high-priced telephony systems and proprietary solutions are practically over, and so is my involvement with them. Good riddance.

So, here's a partial list of what I have looked at so far. I guess if it's on the list, it stands out enough in my mind to merit a mention:

  • Asterisk - Open source (some commercial packages of it), in use all over, has matured somewhat. I know people who have deployed it and swear by it, and others who cuss its name daily. I'll let you guess which group tends to use a strict change management process...
  • Vonexus - A commercial, Microsoft-platform-based IP PBX system from Vonexus and parent company Interactive Intelligence, geared for and targeted at small and mid-sized businesses. The more I read about Vonexus, the more I drool. I need to contact these people and find out more. It looks almost too good to be true. We'll see what it costs.
  • Other standard players - mostly hardware specific systems from Cisco, 3Com, Avaya, etc. All are great, but all are expensive and fairly proprietary. Not sure I want to go that route.

Anyone done this before and care to share experience? Know of something I am missing out on? Let me know, especially if you're familiar with Vonexus - I'd like to speak with people who use their systems (in addition to talking to their sales people).

A few online resources that are good to watch for VoIP:

And there's many more. Send me yours and if I like 'em I'll post them, too.


Sunday, September 25, 2005 5:36:04 AM (Pacific Daylight Time, UTC-07:00) ( IT Security | Tech )

In the course of trying to save some time and make things a little more streamlined at work, I've been looking for Microsoft RSS feeds for security patch releases with sufficient detail in them to be able to do some automation of our internal patch tracking. I am already aware of the RSS feed at TechNet, since I have been subscribed to it since day-one:

http://www.microsoft.com/technet/security/bulletin/secrss.aspx

But unfortunately it munges multiple pieces of discrete information into one data element (specifically the title) and also leaves a bunch of stuff completely out, since it's just a list of summaries, really:

<item>
  <title>MS05-043: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (896423)</title>
  <link>http://www.microsoft.com/technet/security/Bulletin/MS05-043.mspx</link>
  <description>This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability exists in the Print Spooler service that could allow remote code execution. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</description>
  <guid isPermaLink="false">http://www.microsoft.com/technet/security/Bulletin/MS05-043.mspx</guid>
  <pubDate>Tue, 9 Aug 2005 00:00:00 GMT</pubDate>
</item>

Maybe this is a good example of where RSS extensions could or should come into play, or maybe what I need instead is a more generic (non-RSS for all I care) XML feed that has a schema that supports keeping the patch number, KB article title, bulletin name and long description as separate data points. Plus, where's the rest of the info for each bulletin? I'd also like to see what platforms each bulletin applies to (in a yes-or-no format for each one), the intricate details about the vulnerability, and other stuff like that.

Is there an XML feed that does that already? Maybe there is but I've just not found it. There's the old MSSecure.XML from the HFNetChk command line tool (not updated since 2004 on the MS Downloads site, it appears), but even that's much more verbose than what I need. I've looked around here and here, and I have done some searching, just no luck. I figure they have the data available to build all those services, but I can't find a good detailed source to build my own lists.

I did three minutes worth of Excel work to play with the feed (and I suck at Excel so my formatting in it is poor, but it basically works) and came up with a working spreadsheet from the TechNet feed. I definitely need to be able to do more with it though. You can see my l33t Excel skiilz (um, not) here:

What I really want is to be able to automatically pull the details of each released security bulletin into a list or Excel spreadsheet, add my own metadata to each one, and have that list/spreadsheet live over time. I'm trying to avoid a whole lot of cut/paste activity and need to find a way to speed this process up. Before you say I should just use Excel and VBA to parse through the available data, let me ask you - What if Microsoft changes their formatting on their bulletins?
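One way to do the splitting and tracking described in this post, as an added Python example that is not part of the original post or any Microsoft tool: it splits the feed title into bulletin number, title and KB number, flags any item whose title no longer fits that layout instead of guessing, and merges new bulletins into a tracking list without overwriting local columns. The `status` and `owner` columns, the function names and the second sample item are assumptions made for illustration; the first sample item is the one quoted above with its description and guid left out.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# First item: the one quoted in the post (description and guid left out).
# Second item: constructed, to show a title that no longer fits the layout.
SAMPLE_FEED = """<rss version="2.0"><channel>
<item>
  <title>MS05-043: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (896423)</title>
  <link>http://www.microsoft.com/technet/security/Bulletin/MS05-043.mspx</link>
  <pubDate>Tue, 9 Aug 2005 00:00:00 GMT</pubDate>
</item>
<item>
  <title>Bulletin summary with a changed title layout (constructed)</title>
  <link>http://example.invalid/constructed</link>
  <pubDate>Tue, 9 Aug 2005 00:00:00 GMT</pubDate>
</item>
</channel></rss>"""

# Layout seen in the quoted item: "MSyy-nnn: <title> (<KB number>)".
TITLE_RE = re.compile(r"^(MS\d{2}-\d{3}):\s*(.+?)\s*\((\d+)\)\s*$")
FEED_FIELDS = ("bulletin", "kb", "title", "published", "link")
LOCAL_FIELDS = ("status", "owner")  # hypothetical columns for your own metadata


def _iso_date(text):
    """RFC 822 pubDate -> YYYY-MM-DD, or "" when it cannot be parsed."""
    try:
        return parsedate_to_datetime(text or "").date().isoformat()
    except (TypeError, ValueError):
        return ""


def parse_feed(xml_text):
    """Split each <item> into separate fields; flag titles that do not match."""
    # A feed needs no DTD; refusing one sidesteps entity-expansion input.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in feed")
    rows = []
    for item in ET.fromstring(xml_text).iter("item"):
        raw = (item.findtext("title") or "").strip()
        row = dict.fromkeys(FEED_FIELDS, "")
        row.update(published=_iso_date(item.findtext("pubDate")),
                   link=(item.findtext("link") or "").strip(),
                   raw_title=raw, parse_ok=False)
        m = TITLE_RE.match(raw)
        if m:
            row.update(bulletin=m.group(1), title=m.group(2),
                       kb=m.group(3), parse_ok=True)
        rows.append(row)
    return rows


def merge_tracking(existing, feed_rows):
    """Add or refresh bulletins while leaving the local columns untouched."""
    by_id = {r["bulletin"]: dict(r) for r in existing}
    for row in feed_rows:
        if not row["parse_ok"]:
            continue  # goes to manual review instead of being guessed at
        tracked = by_id.setdefault(row["bulletin"], dict.fromkeys(LOCAL_FIELDS, ""))
        tracked.update({k: row[k] for k in FEED_FIELDS})
    return sorted(by_id.values(), key=lambda r: r["bulletin"])


def to_csv(rows):
    """CSV for Excel; feed text that looks like a formula is neutralised."""
    def safe(value):
        return "'" + value if value[:1] in ("=", "+", "-", "@") else value
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FEED_FIELDS + LOCAL_FIELDS,
                            lineterminator="\n")
    writer.writeheader()
    for r in rows:
        writer.writerow({k: safe(str(r.get(k, ""))) for k in writer.fieldnames})
    return out.getvalue()


if __name__ == "__main__":
    parsed = parse_feed(SAMPLE_FEED)
    print(to_csv(merge_tracking([], parsed)), end="")
    print("needs review:", [r["raw_title"] for r in parsed if not r["parse_ok"]])
```

If the title layout changes, every item lands in the "needs review" list rather than in the spreadsheet with wrong columns, which is the failure the post worries about.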

So - my biggest obstacle right now is a data feed. If anyone knows of one, drop me a line and let me know.


Saturday, September 24, 2005 5:12:53 PM (Pacific Daylight Time, UTC-07:00) ( Helping Others | Humor | Random Stuff | Things that Suck )

Every now and then some random person or event comes along that deserves memorialization. Such is the case with Lt. Gen. Russel Honore and his words this past week when confronted with a gaggle of reporters. Honore and others (including the Mayor of New Orleans, who was having a hard time with the media crowd) were at a press conference (called by the mayor) in order to immediately get out the important word about the government's plan to evacuate people from the city of New Orleans in the face of yet another hurricane - this time, it was Rita.

But some of the reporters at the press conference were apparently still stuck on Katrina. The General was there to make sure they clearly understood their role in the situation. There's a time and a place for everything, to be sure - and that means there's a time for the media to ask questions, and there are other times when the message needs to be immediate, clear and loud in order to save lives and ensure peoples' safety. Unfortunately, there are many in the media who are all about conflict, not about helping people (regardless of what they say their motivations are). It makes the former journalist in me scream at the TV. I hate it.

So - Thank God for people like Lt. Gen. Russel Honore. Here's his words, an audio file and a partial video of the interaction between him and the media:

Audio Attachment: 0920honorestuckonstupid.mp3 (1685 KB)

Video Attachment: stuckonstupid2.wmv (2957 KB)

Gen. Honore: And Mr. Mayor, let's go back, because I can see right now, we're setting this up as he said, he said, we said. All right? We are not going to go, by order of the mayor and the governor, and open the convention center for people to come in. There are buses there. Is that clear to you? Buses parked. There are 4,000 troops there. People come, they get on a bus, they get on a truck, they move on. Is that clear? Is that clear to the public?

Reporter: Where do they move on --

Gen. Honore: That's not your business.

Reporter: But General, that didn't work the first time --

Gen. Honore: Wait a minute. It didn't work the first time. This ain't the first time. Okay? If...we don't control Rita, you understand? So there are a lot of pieces of it that's going to be worked out. You got good public servants working through it. Let's get a little trust here, because you're starting to act like this is your problem. You are carrying the message, okay? What we're going to do is have the buses staged. The initial place is at the convention center. We're not going to announce other places at this time, until we get a plan set, and we'll let people know where those locations are, through the government, and through public announcements. Right now, to handle the number of people that want to leave, we've got the capacity. You will come to the convention center. There are soldiers there from the 82nd Airborne, and from the Louisiana National Guard. People will be told to get on the bus, and we will take care of them. And where they go will be dependent on the capacity in this state. We've got our communications up. And we'll tell them where to go. And when they get there, they'll be able to get a chance, an opportunity to get registered, and so they can let their families know where they are. But don't start panic here. Okay? We've got a location. It is in the front of the convention center, and that's where we will use to migrate people from it, into the system.

Reporter: General Honore, we were told that Berman Stadium on the west bank would be another staging area --

Gen. Honore: Not to my knowledge. Again, the current place, I just told you one time, is the convention center. Once we complete the plan with the mayor, and is approved by the governor, then we'll start that in the next 12-24 hours. And we understand that there's a problem in getting communications out. That's where we need your help. But let's not confuse the questions with the answers. Buses at the convention center will move our citizens, for whom we have sworn that we will support and defend...and we'll move them on. Let's not get stuck on the last storm. You're asking last storm questions for people who are concerned about the future storm. Don't get stuck on stupid, reporters. We are moving forward. And don't confuse the people please. You are part of the public message. So help us get the message straight. And if you don't understand, maybe you'll confuse it to the people. That's why we like follow-up questions. But right now, it's the convention center, and move on.

Reporter: General, a little bit more about why that's happening this time, though, and did not have that last time --

Gen. Honore: You are stuck on stupid. I'm not going to answer that question. We are going to deal with Rita. This is public information that people are depending on the government to put out. This is the way we've got to do it. So please. I apologize to you, but let's talk about the future. Rita is happening. And right now, we need to get good, clean information out to the people that they can use. And we can have a conversation on the side about the past, in a couple of months.

Time to print some bumper stickers... "Don't get stuck on stupid." Heh. It's not a new phrase - more like old made new again. But it's great, and appropriate.

Update: The Stuck on Stupid Blog. Heh...

(via RadioBlogger and The Political Teen)


Saturday, September 24, 2005 12:46:54 PM (Pacific Daylight Time, UTC-07:00) ( Geek Out | Random Stuff | Tech )

A long, long time ago, I ripped apart my Series 1 TiVo PVR and put in a couple 120GB hard drives. In the end I got an obscenely huge number of hours of recording time, plus I added an ethernet card so a phone line's not needed to get programming info, and then I did some other fun "hacking."

Anyhow, I woke up this morning and found out my trusty modified TiVo was misbehaving badly. Or maybe it's just sick - It had a choppy image and sound on both live TV and recordings, even on the menu systems you can hear the drive inside moving between glitchy animation pauses on the screen, and it's exhibiting generally sluggish, choppy behavior. So, I figured I'd sacrifice everything on it (it's practically full - maybe another cause of the problem, who knows?) and I did a delete and reset through the TiVo's menu system.

That was at about 7am. The system restarted and the screen read, "Clearing and deleting everything. This will take an hour." It's after 2pm now and the screen hasn't changed. Seems like either the system assumed it has a 20GB hard drive in it still, or the hard drive(s) are having problems. But, it sounds like it's still methodically plugging away, so I'll let it go for a while longer and just see what happens.

Anyone else been through this? Any ideas? I've had this TiVo since they first came out, and it's served me well, but I'm also thinking maybe it's time to pick up a Series 2 TiVo and open it up and do some more PVR hacking.


Friday, September 23, 2005 9:00:14 PM (Pacific Daylight Time, UTC-07:00) ( Photography | Random Stuff )

Waking up to views like this from the front porch makes the commute worthwhile:

[Image: Hood at Sunrise]
(Mt. Hood - Oregon)


Wednesday, September 21, 2005 10:04:19 AM (Pacific Daylight Time, UTC-07:00) ( Humor | Random Stuff )

Overheard on United Airlines flight 955 to San Diego (insert Will Ferrell comment here) yesterday:

"For those of you on the left side of the aircraft, you have an unusually clear and spectacular view of the city of Los Angeles, Dodgers stadium, and the downtown LA area. For those of you on the right side of the plane, you have a great view of the backs of the heads of the people who are looking at Los Angeles out the left side of the aircraft..."

Heh...


Tuesday, September 20, 2005 8:38:56 PM (Pacific Daylight Time, UTC-07:00) ( Geek Out | Tech | Windows Media Technology )

Scoble posted something that's had my attention all evening (well, off and on anyhow - I'm easily distracted). Have you seen the Slingbox from Sling Media? It may just be the perfect gadget for me. Think something along the lines of a Media Center extender (note: it's not one of those, just try to think along those lines), only instead it extends any TV image to pretty much any computer anywhere you have a fast connection to the Internet.

"The Slingbox is a compact and elegantly designed, state-of-the-art electronic device that connects to the back of your TV. It redirects, or “placeshifts,” the TV signal from your cable box, satellite receiver, or digital video recorder (DVR) to your computer or laptop of choice, no matter your location — so long as you have a high-speed Internet connection."

It's something close to pure simplicity, too: Plug it in, hook it up, install the SlingPlayer software on your PC, and BAM! You're controlling and watching your TV, DVR, set top box or whatever you use from your computer, wherever you may be.

It's for PCs now, but more is coming very soon:

"In the coming months, SlingPlayer software will be available for select PDAs, smart phones, and Macintosh computers and will be fully compatible with the Slingbox."

You can check it out at:

http://www.slingmedia.com

And then, of course, there's Orb, for some of the same people who are interested in Slingbox (the geeky ones who are not looking for a plug-and-go solution, since Orb uses your home PC and a tuner card), and it's especially nice for those who have Windows MediaCenter Edition:

http://www.orb.com


