
greg hughes - dot net

Security, IT and anything else that matters... to me, that is



Thursday, December 08, 2005 5:10:20 AM (Pacific Standard Time, UTC-08:00) ( Tech )

Google has released an early version of Google Transit, a Google Maps internal mash-up that my fellow Portlanders can use to find public transportation to get from point A to point B around the metro area. Once you search for your trip, you can compare the relative costs and time required to use public transportation or drive, and have complete instructions for each. Click here for a sample transit search from Hillsboro, Oregon to the Portland International Airport (PDX).

I mention that my fellow Portland residents can use it, because this is an early beta so (as of the time of this post) it contains information for public transit services in the Portland, Oregon metro area. But hey, it's a beta release, and Portland's a great place to try something like this. It's a large city but not huge, so it's manageable. The transit info is available electronically, and with the many bus and light rail options and all the interconnections, it's a good test bed. So those of us that live here can be very happy, and the rest of ya can learn more about Portland until your city is available. Just don't move here, heheh. Just kidding.

From the "About" page:

"Do you live in or near a city? Want to go someplace—to the airport, to dinner, to work every day—and not worry about the hassles and expense of driving and parking? Google Transit Trip Planner enables you to enter the specifics of your trip—where you're starting, where you're ending up, what time of day you'd like to leave and/or arrive—then uses all available public transportation schedules and information to plot out the most efficient possible step-by-step itinerary. You can even compare the cost of your trip with the cost of driving the same route!

"At the moment we're only offering this service for the Portland, Oregon metro area, but we plan to expand to cities throughout the United States and around the world."

One problem with the interface when I used it - no scroll bars. The directions pane is cut off at the bottom of the browser window and there's no way to scroll down to see more. The data is there, but it's not displayed. But I am sure they'll work on it. After all, it's a beta.



Tuesday, December 06, 2005 2:32:28 AM (Pacific Standard Time, UTC-08:00) ( IT Security | Tech )

I've written before about FrontMotion's Firefox MSI installers and their Active Directory ADM policy templates, but with the recent release of Firefox v1.5 and the resultant updating of the installers by FrontMotion, I figured it's worth another mention. In a security-conscious IT environment, we all know how difficult it can be to exercise the necessary level of control over programs that are used to access the Internet - and the web browser is number one or two on the list of possible problem Internet apps (along with email programs). So being proactive whenever the tools are available to us is quite important.

Luckily, FrontMotion distributes MSI (Microsoft Installer) versions of the Firefox web browser for people to use (free of charge at this time) and there are two editions of the installers available. FrontMotion's Firefox Community Edition - which is the one that includes the Active Directory integration for centralized management and control - is slated to be updated shortly, and their stand-alone MSIs (which are not AD-integrated) have already been updated to incorporate Firefox v1.5.

The features of the Firefox Community Edition should be of interest to companies that centrally manage software for IT and security purposes, and the package allows you to upgrade non-MSI installations as well as those from other organizations. Features of the community edition include:

  • Active Directory deployable and upgradeable.
  • Active Directory management through Administrative Templates (*.adm).
  • Desktop Icon similar to IE.
  • Shell integration similar to IE.
  • Set Default browser
  • Macromedia Flash plug-in preinstalled
  • Detects and upgrades non-MSI installs.
  • Can upgrade 3rd party MSI's from MIT, Webheat.co.uk, and ZettaServe.
  • Able to properly perform uninstalls and restores system associations

You can subscribe to the FrontMotion mailing list for occasional announcements about updates at: http://www.frontmotion.com/mailinglist.php. I don't see a blog or RSS feed, but we can hope.


Monday, December 05, 2005 8:33:07 PM (Pacific Standard Time, UTC-08:00) ( )

Kathy Sierra does her typically terrific job of distilling the Web 2.0 hype down to something meaningful in a post where she says:

"If I were a VC, the 'elevator pitch' I'd ask for would be simply: 'Tell me how this thing helps the user kick ass?' If you can't answer that, don't bother launching your power point."

Check the full post (with trademark cartoons and buzzword bingo) and find out why "engaging" and "inspiring" are what today's techies should be thinking (and talking) about.


Monday, December 05, 2005 7:04:23 PM (Pacific Standard Time, UTC-08:00) ( Humor | Random Stuff )

Always wondered who that dude was talking to...

"The Worst Job Ever"
(Windows Media video - contains strong language, etc etc)


Sunday, December 04, 2005 5:34:22 PM (Pacific Standard Time, UTC-08:00) ( )

It takes a really gullible type to fall for one of my secret plans. Either that or someone who trusts me implicitly, misguided as that may be.

Along those lines, I didn't tell my friend David where we were going or what we were doing this weekend, just that I'd pick him up on Friday, that he should bring enough clothes for a couple days, and I'd have him back to his ship (he's in the U.S. Navy) in time for duty early Monday morning.

We try to do something crazy and insane once a year or so, and we were a bit overdue for this trip. I've actually been planning it for more than a year, at least in part. Without going into all the details, what matters the most is that Dave knew nothing of what we were doing on our trip (not even that we were flying to California) until we got to the location for each planned activity.

The plan included roller coasters, jousting dinner, visiting David's family in the area, and other fun stuff. But the real big event of the trip was on Sunday at the end of our stay in Orange County.

On Sunday afternoon, to end the Secret Plan trip, we went to Air Combat USA in Fullerton, California. There we suited up, were briefed by former military pilots, and climbed into two high-performance military training aircraft, which we flew with the instructors for about an hour in some training maneuvers and six real-live dogfights. Gunsights, smoke and all. It was - to say the least - a blast. I can now say I know what it feels like to fly 5.5-G turns and that I did just that. Wow.

It's not cheap, for sure, but if it's something you've ever wanted to do, check out Air Combat USA on the web - http://www.aircombatusa.com - and give it a try.

Just be sure to keep the yak-bag handy. Dave's new call-sign is "Ralph," if that tells ya anything.

Above is a pic of Dave and I in front of one of the planes before we took off. Good thing we took the pic before we left - no stains on Dave's flight suit. Heh.


Wednesday, November 30, 2005 5:20:00 AM (Pacific Standard Time, UTC-08:00) ( IT Security | Safe Computing | Things that Suck )

Thomas Hawk wrote about a severe problem he had ordering a camera from an abusive online retailer that's really nothing but a major, unethical sales scam operation. The fact that he wrote about it and pointed to a number of other people's experience is great, and it brought to mind a number of other things that people need to know, especially this time of the year.

First of all, there ARE unethical, bad people out there trying to sell YOU their stuff. And there are some that will threaten, extort and otherwise manipulate their "customers." It doesn't just happen to other people - it can and will happen to you, too. Protect yourself and do your homework. While the vast majority of online retailers are good, solid companies, there are the few bad apples, just like in any community, that make it bad for everyone they can take advantage of. 

  • If the price is too good to be true, it's probably not true. Seriously. Don't fool yourself.
  • Do your homework if it's a company you have never heard of or dealt with. You're trying to save money, so spend some time. That means getting information about the company. A good way to do this is to look for bad information online, by using Google or another search engine to search for "The Company Name"+scam (like this and this show some serious info). Look for the NEGATIVE information. Keep in mind that there are times when the bad guys will try to make themselves look good by posting positive information. It happens.
  • Don't rely solely on the Better Business Bureau to tell you what you need to know, but do be sure to check information there. The company Thomas wrote about has a record with the New York BBB that's pretty terrible. Also be sure to use epinions.com's "Online Stores and Services" search and read through the whole lot. Again, there are bad guys that will post fake positive comments about themselves - so be a pessimist.
  • Always use a reputable credit card, never use a check or debit card. If you ever need to reverse charges, a credit card with purchase and fraud protection is invaluable. You can't cancel payment on a check that's already posted, and fighting the debit card battle is painful if the money has already been pulled from your account. Credit cards provide lots of real protection, so use them for these purchases. That's why I have credit cards, really, is to protect myself if ever needed for major purchases. That and true emergencies. Other than that I think they are evil, heh.
  • Did I mention "If the price is too good to be true, it's probably not true?" Okay, well it's worth repeating.

Finally, based on other people's experiences with the company Thomas had his problem with, I'd suggest you never, ever do business with Price Rite Photo, which also uses a number of other business names. Check the BBB for retailer names and aliases, and always always always be careful and suspicious of the too-good-to-be-true deals.


Tuesday, November 29, 2005 9:35:05 PM (Pacific Standard Time, UTC-08:00) ( IT Security | Safe Computing | Tech )

It's a question many of us in the security field have been asking for some time. How is a user supposed to know they are on the correct web site when they enter their credentials or make an online purchase? How are they supposed to know when it's not the trusted site they're on?

I was having a side conversation about more ways to solve this problem with some coworkers today (common topic in our line of work), and this evening I ran across some details on the IEBlog discussing how Microsoft is dealing with it in IE7 (found via Mark Harrison). And other browser vendors are playing nicely, too. Ahh, solving problems is such a good thing to see... Nice!

IEBlog: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Here are some visuals that show what the user experience looks and feels like in the dev versions. Visit the link above to get the complete details.

Fig 1, IE7 address bar for a known phishing website detected by the Phishing Filter

Fig 2, IE7 address bar for a suspected phishing website detected by the Phishing Filter

Fig 3.1, IE7 address bar for a site with a high-assurance SSL certificate
(showing the identity of the site from the SSL certificate)

Fig 3.2, IE7 address bar for a site with a high-assurance SSL certificate
(alternating in the name of the Certification Authority who identified the site)


Monday, November 28, 2005 7:40:19 PM (Pacific Standard Time, UTC-08:00) ( Humor | Random Stuff )

Because some things are truly worth repeating each year, and because sometimes people do things that are just so damn wrong... Everyone should have their own copy of this Christmas music classic:


Monday, November 28, 2005 7:30:54 PM (Pacific Standard Time, UTC-08:00) ( Random Stuff | Things that Suck )

Leave it to the Oregon Lottery to come up with the holiday marketing stunts to top all stupid holiday season marketing stunts. Thank God for the lottery people... And here we were starting to worry people might actually take Oregon seriously for a second...

So, here you have it: Scratch-and sniff lottery tickets in a beautiful fruitcake flavor. Yeah, seriously. Scratch the card, and it smells like f-r-u-i-t-c-a-k-e. Uhhh... Yuck.

People actually want to buy this crap? Wow.

To top it all off, be sure to check out the (actually somewhat amusing) MP3 files being used to promote the seasonal cash-collecting game.

It's all at http://spiritoffruitcake.com.

Sheez...


Sunday, November 27, 2005 2:38:53 PM (Pacific Standard Time, UTC-08:00) ( )

Over at VoIPSpeak, there's an article describing how to set up Asterisk@Home, a distribution of the Asterisk open source PBX software for Linux, in a virtual machine on a Windows box. It uses the recently-released (and free) VMWare Player for virtualization.

Note that Asterisk@Home is actually a bit of a misnomer - it's more like "Asterisk-Plus" - a package of the Asterisk PBX with many of the more common and popular add-ons and enhancements packaged up. Installation is simplified and the heavy lifting is mostly done for you. Running in a no-cost VM environment, it's really easy to mess with and learn from. Set up a couple soft-phones and you'll be able to try it out all you like.

(via Digg)


Sunday, November 27, 2005 6:45:20 AM (Pacific Standard Time, UTC-08:00) ( Random Stuff )

This one is perfect for students, who (we all know) spend way too much time on IM anyhow. So in the if-you-can't-beat-'em-join-'em department, have them add encarta@conversagent.com as a contact on their MSN IM people lists. Chris Sells pointed out this service - which ties into the Encarta online encyclopedia - the other day, and so I tried it out.

If you ever have to research things for classes or work and want a more accessible way to do so, you'll find it cool and useful.

Just open a conversation with the "Encarta Instant Answers" contact in your list and start asking questions. You'll get results right in the IM window. If there's information available from Encarta online (did you know you can use pretty much everything from Encarta online???), the agent will offer to share it with you in an expanded window (see below).

It works quite well, and has already tied up a bunch of my time. I'll be keeping this one in my IM contact list for sure.



Saturday, November 26, 2005 7:38:15 PM (Pacific Standard Time, UTC-08:00) ( Random Stuff | Tech )
Microsoft's Major Nelson, XBOX Live Director of Programming grand poobah, says they're cranking out new consoles and shipping XBOX 360s to stores weekly, so there's still a chance.

Tuesday, November 22, 2005 10:32:52 PM (Pacific Standard Time, UTC-08:00) ( IT Security | Tech )

Microsoft yesterday announced a zero-day exploit that affects Internet Explorer. The Zero Day Security weblog describes it well:

"A UK group known as 'Computer Terrorism' has released a proof of concept zero day exploit for fully patched Windows systems running Internet Explorer 5.5 & 6.x that takes advantage of a previously known JavaScript vulnerability. Microsoft Security Advisory 911302 covers the essentials. The only Windows systems seeming not affected are Windows Server 2003 and Windows Server 2003 with SP1.

"Of course, to be compromised the user must first browse to a malicious web site. According to Computer Terrorism: Contrary to popular beliefs, the aforementioned security issue is susceptible to remote, arbitrary code execution, yielding full system access with the privileges of the underlying user.

"Several informative sites include Microsoft, FrSIRT, MITRE, US-CERT, InfoWorld, eWeek and SANS (which suggests disabling Java or using another browser and has a BleedingSnort Rule on their site).

"Get ready for a patch blast from Microsoft on this one."

Microsoft's comments have been updated with the latest information. From their Security Advisory 911302 information page:

"...We have also been made aware of proof of concept code targeting the reported vulnerability but are not aware of any customer impact at this time. We will continue to investigate these public reports.

"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

"This issue was originally publicly reported in May as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible. Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests..."


Tuesday, November 22, 2005 10:16:50 PM (Pacific Standard Time, UTC-08:00) ( IT Security | Safe Computing | Tech )

I was on the phone with a professional contact today, a guy who happens to do cybercrime and anti-fraud work in his job as a special agent for the FBI. That's a part of what I do in my day job, by the way - help chase down bad guys on the 'net and interact with law enforcement to shut them down. It's a fairly effective way to keep one foot in the door of my previous career (police work) and at the same time be firmly planted in the computer technology world. I also get to work with some really smart people who build great software that is used to prevent fraudsters from reaching victims.

Anyhow... So I was on the phone with my anti-fraud cohort, and he had that "FBI-agent-having-a-rough-day" sound in his voice. He's one of these guys who's always very positive, but it was clear quite a bit of work had been cut out for him and his coworkers over the past day or two.

It turns out there's a new set of fake emails running around that try to look like they came from the FBI or the CIA, and which have an attachment that is actually a virus.

Now, let's get one thing completely clear: If you ever get an unsolicited email that has a file attached, DO NOT OPEN THE ATTACHMENT. It doesn't matter if it's from the President of the United States or the Creator of the Universe... Email is inherently insecure, and if it looks out of place, it probably is. You can read the FBI's press release about the situation here, which describes the fake emails in some detail.

This is just another example of social engineering and the fact that given the opportunity, people will fall for almost anything. Oh - and if you don't have antivirus protection at your email service provider, change providers now. Seriously. Get a GMail or Hotmail account or something.

I'll tell ya one thing... Whoever had cojones enough to construct that virus variety to send email pretending to be from the FBI is in for a rude awakening. Seriously, seriously stupid move. Heh.


Tuesday, November 22, 2005 9:44:25 AM (Pacific Standard Time, UTC-08:00) ( Random Stuff )

Last night I contemplated waking up earlier than usual, getting in the car and going down to the local Wal Mart (well, as local as can be when you live in the sticks) to get in line to buy an XBOX 360 console. After doing some rough calculations in my head last night, I realized that between travel and work, I'll hardly be home between now and the end of the year, so maybe right now isn't the best time for me to buy one anyhow. Oh, but I will be buying one, no worries there.

Still, Wal Mart is on my drive to work, and so I decided to grab my standard morning coffee from the little store at the bottom of the hill, drive into town, and do some people watching. After all, I realized, it's more the excitement and the weirdness of the hype around the event than the console itself. An XBOX 360 today is the same box and hardware as you can buy later. But the launch fans? That only happens once.

So I headed out for the big ol' St. Helens, Oregon Wal Mart. I listened to the radio on the way there, and heard stories of gamers in places like Manhattan, NY, where apparently people had been lined up forever (like lots of places around the country) and Bellevue, Washington, where Bill Gates went to the local Best Buy and picked up his own console. Somehow I don't think he needed to do that, but hey - it was cool. 

Honestly, I was more interested in watching the people when they opened the store than I was in buying a console on Day One. I'm more interested, too, in how much they'll be selling for on eBay later today, and about when the day will be that they start dropping them off the backs of trucks at stores in huge numbers. One friend says he thinks it will be on Thursday night. Another person I know tells me the store he pre-ordered from called and let him know his delivery would be delayed, and that they were not sure if he would get his before Christmas. People are lining up everywhere. Clearly, the demand is high and the supply (either artificially or in actuality) is short.

Anyhow, back to the local Wal Mart. I wasn't sure what to expect in the Big Town of St Helens. I pulled into the parking lot and saw a small crowd of about 15-20 shivering people huddled right next to the front door of the store. A couple of people were (smartly) waiting in their vehicles with the heat on. I pulled up and deduced that the Wal Mart store had probably handed out numbers to the first people to show up, but that's where things got more interesting. Every employee that came anywhere near the front door was the target of sly, mean-sounding questioning. "Are they coming to open the door? Hurry up, it's f***n' cold out here! What?!? No?!?!? G*d d*mnit!"

When it came time to open the door and head for the counter - and keep in mind, everyone had a number - the race walk through the door turned into a jog, and then quickly into a sprint for the back of the store, where ten boxes sat stacked neatly behind a counter. I followed (at a walking pace, of course) to observe. A couple of people commented on the foot race and we all laughed a little. Mostly the people (at least those who didn't have a number) noticed how strange the whole thing was. All this for a video game console? Hey, for some it's what life is all about, I guess.

So, I started to think about the gamer personality. Some of the people were needlessly quiet and cagey, not really letting on as to who had what number, and some were not even providing information about whether numbers were even given out. It was amusing, really. There was this competitive hype attitude. The need to be first, to sneak around that metaphoric corner on the battle map and shoot your opponent in the back of the head.

It's really kinda interesting.

Fist fights, secrecy, celebration, celebrity, short supply, bright green boxes, launch hype, auction hype and even more random hype. Some will be upset they can't get one, others will be upset they pre-ordered and the kid down the street was first, and others will be holed up in their rooms for the next five days with lots of Mountain Dew, Red Bull, Doritos and Little Betty Snack Cakes turning a whole new shade of pasty white with a day-glow green tint brought on by the magical glow of the XBOX 360, only to emerge into a world where the colors are not quite as bright, the definition is not quite as high, and the people with guns in their hands are the ones you want to avoid. Ahhh, the life...

Merry Christmas and all that. Earlier and more bizarre every year. 

But hey, dude, it's a sweet console.


  
