I work in the security field (we build anti-fraud and authentication software and services for financial services and electronic commerce companies like banks, etc). Recently I've been asked by a significant number of people why certain banks are being phished in such large volumes. Now, while I don't write about specific financial institutions or security events (that would not be appropriate), I can tell you that any given bank has little to no control over whether or not it is made a target in the first place. All the big banks (and many tiny ones) get hit hard at some point. What they do have control over is their chosen prevention, mitigation and response plans and methodologies.

In the end, the most effective solution is the fairly simple one: Make it hard enough for the fraudsters and eventually they will move on to another bank. Stopping phishing and other online fraud is really just like everyday police work - It's not actually about ending crime, it's about making it go elsewhere. In the real world, the cops just push the burglars, drunks and drug dealers to someone else's town. We don't solve these problems, we just move them somewhere else.

So, eventually the scammers' targets and victims change. The real problem with online fraud is that we can't put an end to it with infrastructure technology they way it is now. We can get way out in front of it (where I work, we write software that can help prevent most phishing attacks from being launched in the first place, as well as strong authentication software to help stop bad guys from getting in the door even if they have a key). But it's way too easy to run a phishing scam, and prosecution is not an effective solution. Prevention is the way to go, and that means diligence on the part of financial institutions, using the right kinds of technology where needed, and a implementing a whole-community effort to stop the problem before it ever gets started. Tools are out there to let the bank get in front of the problem, and but it off at the knees before the crime occurs - a lot like stopping the bank robber well before he walks into the bank's branch office. Preventing the robbery is a lot less messy than cleaning up afterwards, explaining it to everyone, and trying to convince your customers that have just been held hostage not to leave your bank for another one.

Email is, as designed, one significant part of the problem we face. It's just too easy to abuse. Without getting too far into the whole "email-limitation" debate (Sidebar: When I spoke at a security conference last week one attendee tried to lure me into taking a political position on whether charging to send each email is a good idea... Heh, no I think not...), it's clear at least that there are many problems with the medium. Educating people not to respond and not to click on links will not solve the problem, as has been proven time and time again. Email is an  insecure method of information transport, and unless access can somehow be reasonably curtailed, this problem won't go away. The real question is, can email be restricted for bad guys while still keeping it free and in the spirit of the open Internet for everyone else? If so, how? Something tells me the debate and answers have not changed much over the years.

Ah, what the heck, let's just kill email completely. Block port 25 at the backbone routers. It's a counter-productive way to communicate much of the time anyhow. Imagine all the misunderstandings we'd avoid. The tangible and intangible benefits would be many. :)

But seriously, in the real world, there are three basic approaches to tackling this problem (phishing and cyber-fraud) if you're a financial institution. I'll mention them here briefly, and will likely dive into them in more detail in another post sometime soon:

• Option One - Purely Reactive Posture - Apologize to customers when they call and tell you there's a problem, refund their accounts, change their passwords for them, hope they don't leave you for another bank.
• Option Two - Hybrid Reactive Posture - Watch for phishing emails and when you see them, use technology to block them and see if the sites in the emails are real, and if so try to get them taken down, either on your own or through a professional take-down service. Apologize to less customers, and hopefully change their passwords before the bad guys get into the accounts.
• Option Three - Preemptive Approach - Prevent the fraud attack from being launched in the first place, shut down fraudulent sites before the victims receive an email, make it difficult for the attackers, and protect your customers from being victimized at all.

Which option do you think is best? Which posture do you expect your bank to adopt? For my part, I vote for leveraging all three options, with a strong primary emphasis on Option Three, where prevention is the main focus. That's the area where I spend the majority of my professional time, with a team of developers and forensic techies who build software that prevents attacks and gives banks what they need to protect customers from becoming victims. It's a worthwhile job.

Microsoft's Windows Live ID team has started a blog to communicate information about the new product, which is a replacement/upgrade for the Passport service. From the inaugural post:

"Windows Live ID is the upgrade/replacement for the Microsoft Passport service and is the identity and authentication gateway service for cross-device access to Microsoft online services, such as Windows Live, MSN, Office Live and Xbox Live.  Is this the authentication service for the world?  No   It's primarily designed for use with Microsoft online services and by Microsoft-affiliated close partners who integrate with Windows Live services to offer combined innovations to our mutual customers.  We will continue to support the Passport user base of 300+ Million accounts and seamlessly upgrade these accounts to Windows Live IDs.  Partners who have already implemented Passport are already compatible with Windows Live ID.
 
"Windows Live ID is being designed to be an identity provider among many within the Identity Metasystem.  In the future, we will support Federated identity scenarios via WS-* and support InfoCards.
 
"For developers we will be providing rich programmable interfaces via server and client SDKs to give third party application developers access to authenticated Microsoft Live services and APIs.
 
"Over the next few weeks as we complete our deployment, you will see the Windows Live ID service come alive through our respective partners sites and services.  The first thing you’ll notice as early as today is that the word Passport is being replaced by Windows Live ID.  But isn't a rebranding exercise -- there is stuff going on under the hood.  This will be more understandable in the coming weeks and months when you start seeing the new, exciting Windows Live sign-in UI.  Not only is the page load time significantly reduced, but you will see some really cool innovative features that we’re sure you’ll love :)"

I'll likely be writing here on this weblog about Infocard (which I have early some experience with), authentication and other related topics, since I have a professional connection to all of the above. Glad to see the Live ID team getting their blog start - this is the beginning of what should be a great phase of changes and improvements in the area.

Travel, travel and then some more travel... That's where I've been lately.

This week I'm in (well okay, near) Orlando, Florida at the Omni Orlando Resort (which is a very nice place), where I will be speaking on a panel Wednesday morning about operational security of online banking web sites and working with law enforcement. Then I will be hanging around for the rest of the conference through Thursday or Friday, learning and exchanging ideas.

Anyone in the area wanna grab coffee? Let me know. Comment, email or phone (it's in the menu bar at the right).

Wow - this is great news. MS Virtual Server Enterprise Edition for free, plus ability and support for running Linux as a guest OS. Look out, VMWare - the battle is on:

Today Microsoft announced that Virtual Server 2005 R2 is now available as a free download. This also will apply to the forthcoming service pack 1 of Virtual Server 2005 R2. In addition, Microsoft announced the availability of virtual machine add-ins for Linux and a technical product support model for Linux guest operating systems running on Virtual Server 2005 R2.

Read more here.

Matt points out that tonight is a special, won't happen again in our lifetimes event:

Tonight, at 123 seconds past 1 a.m. the time will be 1:02:03 04/05/06. Now if you take into account that we're only using two digits for the year this event won't happen again for another 1000 years in the year 3006. If you happen to be out and about at that time of the night you way wish to find a 7/11 and purchase a lottery ticket :)

Now I have to decide if I am going to stay up or not. Gah!

Are you staying up? One time chance!

It's been seven weeks since I underwent surgery on my lower back up near Seattle, Washington. I was the recipient of a Kineflex lumbar artificial disc, a three-part, all-metal mechanical replacement for the torn, herniated and collapsed (degenerated) disc between my L5 and S1 vertebrae. That's the lowest one in your spine.

This surgery has truly given me my life back.

Before the procedure, I was always - and I quite literally mean always - in pain. Real pain, the kind that wears you down every minute of every day. The kind of chronic pain that people can't fully understand until they've lived with it themselves. It wears you down, chews you up, and eventually spits you out. "Normal" for me was a lot like the "normal" road noise is for someone who lives right next to a freeway: Spend your whole life around it and your brain tunes it out just to cope, but it's always there. Sure, louder noises still annoy you, but the mind has a way of coping with whatever you throw at it, at least as best it can. But that background pain still has an effect, progressively more so over time. When the sound is gone, it's almost deafening. And when the pain is gone, you finally realize just how bad it's been.

I feel ten times better than I've felt in more than ten years. Seriously.

Yeah, I am a guinea pig of sorts - the artificial disc I was fortunate enough to receive was provided to me as part of an FDA trial - not very many people have this hardware in their bodies. I did more than a year of careful and critical research on artificial disc surgery before I decided to take the leap. I considered bone fusion (which is the classic and most common treatment for my condition) and I tried every other treatment that was available to me - physical therapy, exercise, medicine, cortisone injections, minimally invasive procedures, you name it. When it came down to it, it was a choice between bone fusion or ADR (artificial disc replacement) procedure. the ADR device allows the joint to remain mobile instead of locking it up permanently, and I am only 38 years old (well for a few days anyhow), so staying mobile is  important to me. Because I had a 50/50 chance of receiving either a Charite or Kineflex artificial disc (they split the patients randomly, half and half), I also had to become confident in both technologies (the Charite is two metal plates with a plastic core, while the Kineflex is the same basic idea, but with a different design and a metal core). I can tell you that I was lucky and got the one I really wanted (the Kineflex), but either would have been okay with me.

Not everyone is the same, and surgery is rough stuff. The procedure is a serious one with potential side effects that one has to be ready to accept. Everyone's body is different and surgery is in large part an art, which means they all go slightly differently. Many people benefit from the new technology, while some are not so fortunate. That said, I am so grateful for my decision and to my doctors and the staff that have given me so much back. I did not fully realize how bad off I was until now, and still each day I keep feeling better. It will likely be many months before I can say I am healed and recovered, but I can see and believe that day's coming, which is something I had almost given up hope on before.

I write this from what used to be one of the most painful places in my life: An airliner seat at 37,000 feet. And guess what?

It doesn't hurt anymore.

Ahh, movie weekends.

I went with a friend to watch Ice Age 2 yesterday afternoon. I had, I must admit, somewhat low expectations of this one just because the first one was well-done enough to be hard-to-follow. But regardless of what Roger Ebert says, I enjoyed it. Sure, it's not as original as the first one (it is a sequel to an animated feature after all), but it had me laughing out loud at times, so in my book that means success. It has the standard fare of little kids' stuff plus some funny, subtle adult stuff (right from the beginning). The scenes featuring Scrat, the little sabre-toothed squirrel, are terrific and the story itself is not too bad. As Ebert points out, none of the characters ever seem to eat, and how the meat eaters could possibly survive if everyone in the animal kingdom (with the exception of the fish) just gets along so swimmingly (pun intended) is a mystery. But hey, again it's an animated movie, and I can live with it. I own the first film on DVD, and I'll be buying this one, too when it comes out. If for no other reason, just because there's bound to be more Scrat scenes in the extras.

Before the feature film started, though, along came a surprise trailer (or "preview" for those of you who prefer that term) for "The Simpsons Movie, coming to the screen, July 27, 2007." Woah, cool. I had to do a second take - 2007? Okay, okay I can wait - but like Homer says, "Oh oh, we better get started!" Supposedly (according to The Hollywood Reporter, anyhow) the trailer will also air tonight prior to the Sunday evening Simpsons episode on FOX (which means it will be posted all over the Internet by the time the first commercial break is over). I just hope the hype doesn't create expectations that can't possibly be met. Note that "simpsonsmovie.com" is registered to 20th Century Fox but there's no web site attached to that address as of this writing. And by the way, on a related note, if you have not seen the "real-people" version of the Simpsons TV show intro you can go here - and you can compare the cartoon version and the live version side by side here. Rumor has it, too, that the live-action version will appear on the Simpsons TV show tonight. Either that or this is all one big April Fools joke. Hope not.

Finally, on Friday I bought a copy of King Kong on DVD and took it home, where we loaded it up and gave it a run at blowing out  the speakers in my home theater. The speakers survived that attack, but it sure is amazing what incredible sound and special visual effects we get from movie makers these days - and in our own homes too boot. I remember when Dolby ProLogic surround was way cool - and now it sounds like oatmeal. It makes me wonder what's next. And DVDs sure are coming out more and more quickly these days. Didn't we just watch King Kong in theaters? Anyhow, it's worth the purchase if you liked the movie or if you want something to stress test that audio system with heavy bass and loud growls with lots of dynamic range.

Over on the Creating Passionate Users blog, Kathy writes about "Manager 2.0," which many would say is the desired role and style of effective managers in technology companies today. It's a good read. Once you get past the fact that anything with "2.0" attached to it is cliche hyped, click over and read a bit.

I have to agree that community is something that should be a part of every team in the tech world. It's not always easy to do. Professional managers are those who work not only for the company, but for the team as well. Not in a counter-productive, dysfunctional be their best friend kind of way. Rather, the idea is to empower the team to drive the ship, determine the routes to the destinations, and maybe even when the ship should arrive.

This, of course, flies in the face of traditional management (which is more dictatorial and doesn't always respect the ideas and input of the team members). So, it's not something everyone is comfortable with implementing. rely on others to do their part in my success? Give up control??? Huh?!?!?!?

It takes the strongest kind of manager to allow others so much control and influence, and to still effectively be the boss and manage. When it comes right down to it, the real value in management is in it's ability and willingness to stay out of the way and to enable and empower the people that create and do amazing stuff to - well - create and do their most amazing stuff. Let good, smart people be good, smart people. Quite a concept.

From Kathy's post, over to the right is a table comparing management styles. Which style would you rather work under? Which manager are you most comfortable being? Be honest... I can see a couple things here that I could improve on, but I'm glad to see that at least some of this I already buy into and try to execute on a daily basis. And if this is even remotely interesting to you, be sure to go read more at Creating Passionate Users (which is a great blog, by the way).

And her April 1 blog entry about a new book, "The Emo Programmer Book," is great.

Last week I was in Dallas, Texas for a conference. Typical of my way of doing things, I landed at the DFW airport and headed for the hotel and realized that somewhere in the back of my mind there was a lingering thought that was hinting that Dallas, Texas might have some importance, like maybe there was something (in addition to the conference) I needed to do since I was there. You know what I mean: One of those "seems to me there's something important I am supposed to do if I ever travel here, but I can't think of what it is..." kind of things.

Eventually it popped into my mind: My mom had told me that my Aunt Marsha and Uncle Mike had moved to Texas a couple years ago. Maybe it was Dallas? My memory was not helping me much. I called them up, and sure enough they're living in Richardson, which is northeast of the big city. So, I got to spend a couple fun evenings at their home catching up, eating dinner and meeting their dogs. It was a good time.

During one of my visits, my aunt brought out some old family photos and things that she thought I might be interested in seeing. It was fun and interesting to run through the old photos, but there was also one piece of paper in the stack of things that especially caught my eye. It looked to be a family tree reaching back many generations, showing a history of the family dating back several hundred years. Wow! I've always wondered if something like this existed, and have never really known where to look. Score!

What I found our really caught my interest - Thirteen generations back, on September 6, 1628, my ancestors arrived at "Naumking" on the Massachusetts Bay (which they would eventually rename to "Salem") with John Endicott, who would become the first governor of the Massachusetts colony. They were the first group of Puritan colonists in Salem, and had left from Weymouth, England June 20 of the same year.

Encouraged by one sheet of paper, a few names and some rough dates, I have once again personally discovered the truly awesome power of searching with Google.

My Great-Great-Great-Great-Great-Great-Great-Great-Great-Great-Great Grandfather was named Charles Gott. Charles and his first wife, Gift and their two young daughters sailed from Weymouth, England, on June 20, 1628, aboard the ship Abigail with Captain Endicott. They landed in Salem, Massachusetts, on September 6, 1628 and the sea voyage must have been harrowing ("the sea roared and the waves tossed us horridly ... it was fearful dark and the mariners made us afraid with their running here and there, and there was loud crying one to another to pull this or that rope."). The passengers of the Abigail were Salem's first settlers, and in 1635 Charles was made a deacon of the first Puritan church established in America. Gift apparently died in about 1636, and Charles then married Sarah Mansfield, with whom he had three children. One of those children was named Charles as well, and the line runs from there.

I've located on the web - again thanks to Google - several people who have traced the genealogy of their families back to the Gotts, and who's lines intersect mine. Distant relatives. I'll have to start sending some email to those people and say hi. I'll also have to finish this research and post it here so people can do the same with me.

On a loosely-related note (no pun intended), I read recently where Buzz Bruggeman sent a DNA sample off to Family Tree DNA, and the service found some relatives of his in their matching process. I ordered a kit and yesterday I completed my ritual cheek-scraping and will be sending the samples back to the DNA lab on Monday. The test focuses on the paternal side, so I wonder what I will find out about my dad's side of the family? My wild guess is Ireland, but hey who knows? I'm excited to possibly find out.

The other day one of my coworkers, Brent, asked me if I've given up blogging.

No, Mr. Sarcasm - I have not. But with the recent wholesale replacement of part of my spine, plus travel, work, a variety of stressors, the need to rest and a ton of other things, I have not been writing much here lately.

I have a lot to write about, though - eventually. I just need to get better caught up with life. Heck, we're losing an hour of sleep tonight. That doesn't help any!

So don't worry. I'm not dead yet.

Google's got some beta UI changes kicking around in the background, and you can check them out yourself if you like. Here's how:

1. Go to http://www.google.com

2. Copy and enter this line into your address bar:

javascript:document.cookie="PREF=ID=fb7740f107311e46:TM=1142683332:LM=1142683332:S=fNSw6ljXTzvL3dWu;path=/;domain=.google.com"

3. Do a Google search and see the difference

Of course, if and when Google implements thes new UI changes, this tweak becomes useless. But for now it's fun.

Thanks, Trevin.

If you ever end up at the Dallas-Fort Worth Airport, be sure to rent a car. Especially if you fly into Terminal B (which is pretty much every flight that's not American Airlines (which is the airline that RULES the Dallas-Fort Worth Metroplex)).

Board the bus that delivers you to the rental car complex, and if you're lucky, it is there that you will meet Stewart.

Stewart is to rental car shuttle bus driving as Texas is to the rest of the United States - one great-big personality. From the second you meet him, it's apparent that Stewart is here to welcome you to the place where Everything Is Bigger™. He doesn't have a think drawl, but you can tell where he's from, if in no other way, by his personality, which is Big and Friendly.

I boarded the bus for my ride from the B terminal to the Avis desk, along with some other people and a whole slew of college-age guys sporting "North Carolina State Ultimate" garb. Who knew Ultimate (a game played with a flying disc and seven men on the field (and often incorrectly called Frisbee™ Football)) was a college sport? Well, it is.

Anyhow, Stewart saw the jerseys, too. After launching into a friendly and boisterous rendition of Helpful Hints for Visitors to DFW (which was very useful, BTW), he started a friendly over-the-loudspeaker conversation with the Ultimate guys and the rest of the passengers. He asked if they thought they'd be champions (and they said yes, of course). "Hey," asked Stewart, "do you want to hear a true story about the man who was perhaps the greatest sharpshooter ever?" Everyone (of course) said yes, and so he started to tell the story, which was approximately seven minutes long (and which, he explained, also happens to the the amount of time it takes to drive from B terminal to the rental car facility). It was clear that Stewart has a knack for telling stories and captivating an audience.

So - about seven minutes later, we got to the rental car terminal and as I stood up to get off the bus, I realized (seriously) that I'd completely forgotten to go to the baggage claim to get my suitcase when I got off my flight. I guess umpteen hours of flying and time zone changes incurred while crossing the Atlantic twice had baked my brain or something. I told Stewart what I'd done and laughed at myself, and he smiled and looked a bit concerned about me having to go back for my bag. Maybe he thought I had to be somewhere or something. No big deal, I told him - I'd just stay on the bus and ride back around and get my bag at the terminal. He looked a bit pained when he had to tell me he wished he could do that, but that I would have to go up to the upper deck and take the out-bound bus from up there. That last time he tried to return someone to the terminal on his bus, he'd gotten into some trouble.

Not a problem, I told him, and thanked him. He told me where to go and I located the upper deck access and then rode the bus back to Terminal B. I retrieved my bag after some searching and speaking with the United baggage office, then went back out to the curb to catch one of the buses back to the Avis desk.

Along came one of the buses, and off came a zillion people. When I climbed on, there was Stewart, smile on his face. We were the only people on the bus. "NOW," he exclaimed, "now you're ready for a rental car!" I laughed and agreed. "You want to hear a story?" he asked. "Yeah, but not the one about the sharpshooter," I said. He laughed and turned to me. "I have a repertoire, you know," he said. "Three stories. They're all about seven minutes long." And then he told me the story of Goldsmith Mare, perhaps the greatest race horse that ever lived. If you want to know the details, you can either Google for it or you can fly to DFW Terminal B and jump on the bus to go to the Avis counter. Maybe you'll be lucky enough (as I was twice in a row) to get Stewart as your driver.

My point is, EVERY airport should have people like Stewart. Hell, I'd fly to Texas and rent a car once a year or so, just to enjoy the seven-minute ride on the bus, along with a good seven-minute story and a smile.

Welcome to Texas. Thanks, Stewart.

For the zillion of you who have asked me for Windows Live Messenger (note - this is for Live Messenger, not Mail!) invitations, Trevin says this link will let you sign up even without an invitation now.

Or, if you want to feel extra-special through personal treatment, email me (greg-at-greghughes-dot-net, you know) and tell me something about yourself - like where you are from and your name and something else interesting (not optional - seriously - share and share alike!) and I will hook you up personally.

My co-worker, Milind, recently posted a link to the web site of Julian Beever, who does 3D pavement art and some other cool artistic stuff such as his wall murals.

Check it out - these 3D sidewalk sketches are way cool. Below are a few examples - and he has many others that are just as amazing. Clicking each image takes you to the artist's web site.

Prior to my business meetings today, I was able to spend a short time with my friend Florian here in Germany. His parents hosted me at their home and shared a bit of real, small-town Germany with me, including some of the food and customs. Florian took me all over the countryside to a few places, including a few that most tourists never see - off the beaten path, as they say. It was a great weekend, one that I will remember for many, many years.

The Heidelberg Castle is a common tourist stop, but we went there anyhow, and I am glad we did. It was actually the second castle we visited (the first one, Hardenburg, I did not have a camera for). It's a pretty amazing place, and we first climbed the hill on the opposite side of the river from the castle (called the Philosopher's Walk), which has a great view of the old city and the castle. Then we crossed the old bridge and walked through the city, then up 315 steep steps to the castle. Given my recent condition, this was a healthy climb, to say the least. But I made it.

From the top one can walk through the castle and see all sorts of interesting things. There's a huge wine barrel in a lower level of the castle - like huge as in you have to see it to believe it. And of course the architecture is amazing.

Actually, the smaller castle we visited the day before, called Hardenburg (follow link for pics), while smaller and relatively hidden away at the far end of a valley in the town where we stayed (in an area called the Rhineland-Palatinate), was probably more fun to explore because it's not heavily visited and almost every nook and cranny is accessible, with the exception of part of the lower levels. It's interesting to learn about the history of the construction - and periodic destruction, typically by the French armies - of these castles. The Hardenburg Castle was built sometime shortly after 1200 A.D. That's some serious history.

Also in the same area is the Limburg Monastery, on top of another hill across from the Hardenburg Castle. It is a large and spectacular ruin, as well. It's been added on to recently, so some of the structure is a little too modern looking, but luckily you cannot see it while walking the grounds, at least once you leave the parking lot. This is a huge structure, and was built in the 9th century. It was first a castle of sorts and then was converted to a monastery for Benedictine monks. It's an interesting and rich history - the Hardenburg Castle was actually built illegally on Limburg land by the governors who were responsible for protecting it, but it seems that did not make the Limburg residents happy. Read more here. As is typical, the history is colorful and full of interesting stories over the years.

If you even get a chance to visit Germany, be sure to take some time to get off the common paths followed by tourists. While the Autobahn is fun (for us Americans with our annoying speed limits and all that), taking your time by taking the back roads through smaller German towns to get to your destination is worthwhile. It's there that you get to see Germany in it's full color, not on the superhighway.

We also visited a museum that has lots of aircraft (including an actual 747 you can walk though and a whole slew of military aircraft from around the world), a U-boat, and many fine cars on display. An amazing selection of very cool items.

Thanks to Florian and his parents for a terrific few days - I hope have the opportunity to visit again soon. Germany is a beautiful country.

I'll post a few more pictures and some details shortly from the other stops and things we did along the way.