What rolls out on day-one with more than 300 million users and nearly a BILLION authentications per day?

The new Windows Live ID, that's what. And that's exactly what happened, while you were using it and going about your daily business.

Microsoft's completed the roll-out of Windows LiveID to replace its Passport network infrastructure. It was all happening behind the scenes recently, and the next steps are for Microsoft and its partners to start rolling out some of the new technologies - some of which you can see and some of which is under the covers - to show off and leverage the new service.

"You'll start to see the new sign-in experience and all the goodness within a few weeks when we light up some partners," said Trevin Chow, Lead Program Manager on the Windows LiveID team.

So, what exactly is LiveID?

Well, you can read a whitepaper that was recently published to get all the salient details, but basically it's a new component in the Identity Metasystem that replaces Passport. It will eventually support both self-issued and third-party managed/issued InfoCards as credentials, and a SDK will be available.

What this all means is that Passport has grown up, and control of personal information will be more and more in the hands of the end users. In the future, Live ID will leverage InfoCards, which means more individual control of the claims used to identify users to online apps. Participation in the Identity Metasystem and following it's governing standards - the Laws of Identity - mean end users can leverage a centralized service but still maintain control over - and make decisions about - what specific information is sent to what services.

It's good news. Check out http://login.live.com - you'll notice the new footer on the signin section.

I've used Mike Singer's little SysSense tool to keep an eye on my Google AdSense for quite a while now. He keeps it up to date whenever Google changes their AdSense system, and I really appreciate that. Since I was over at his site upgrading the tool today to a new version he just released, I looked around at some of the other software he has built.

I downloaded one of the apps, called Weather Watcher, because it looks very cool and seems to be a great little app that displays things is a very usable and concise manner. Turns out it's really very cool, very configurable, and very free. Use it and if you like it, make a donation.

Victor Garza over at the InfoWorld Zero Day Security weblog wrote a bit about his experience with his Verizon EVDO card. He recently switched over to the Kyocera KPC650 PC card (which is the one I have) after complaining to Verizon about the performance of his older card, which had an integrated antenna, and says he has seen some real improvements.

What really caught my eye in his blog entry, though was this:

"I've also heard that several speed improvements are coming to Verizon's EVDO marketplace. Requiring only a firmware update to existing EVDO cards this update will kick speeds up to the megabit range..."

Hmmm - anyone heard about this? If this happens - and I sure hope it does - I will be one very happy Internet addict. Looks like the reference is to EVDO Rel. A, which promises upgraded speeds of up to 3.1mbps downstream and 1.8mbps downstream - much faster than today's EVDO networks speeds. Fingers crossed here that a firmware upgrade will be available, and we don't all have to buy new cards!

Also, you can read a bit more about the history and future of EVDO here.

If you have a Blackberry and want to make custom wallpapers for your device (for example, I have the 8700 and wanted to make my own backgrounds with a few image files I have on my computer), check out the Blackberry Wallpaper Generator on the Blackberry Cool web site.

Just upload an image, and the site will let you send the pic link in email to your BB device. Click on the link to view the image on the handheld, then save it and - if you like - make it your wallpaper.

Nothing too complicated, but this is a quick and easy way to get it done.

I thought this was just about the coolest thing ever when I saw it a couple weeks ago in Florida.

Many people park their boats in the water at a marina. But at the place where my aunt and uncle keep theirs in Florida, the boats are all stacked in these huge racks in a warehouse and are moved around by great big fork-lifts. Want to take your boat out on the water? No problem, they'll get it for ya. They drop it right in the water alongside the dock and pick it up from the same place. High, dry, and presumably safer from storms than if it was stored outside in the water. Sure keeps the boats nice and clean and secure. Pretty cool.

A couple weeks ago I visited my aunt and uncle, Gail and Scott, in St. Pete while I was in Florida for a work conference. We went out on the boat and hung out for a while on the beach. It was a great weekend.

Scott pilots the boat:

... and cleans it afterward:

Me and my aunt Gail on the beach - you can tell I'm not from Florida eh? I didn't pack any shorts.

Back before the iPod was in anyone's hands, Steve Jobs introduced the new product to the world. It's interesting to look back at his introductory speech, which was presented back in 2001, in the context of what's happened between then and now.

View the video here.

I'm glad we've been able to switch from FireWire to USB 2.0 though.

Apple had a powerful vision back then, and made it came true. It's returned them to the true center of the stage. The company is three times the size it was just a few years back  (and they're building a whole new campus in Cupertino - click for video) and - of course - it's once again the major household name it used to be back in the 80's. It will be interesting to see what else they come up with next in order to completely define an industry. And I mean define an industry and a market that does not exist yet, much like they did with the iPod.

(via Presentation Zen)

Chris Corio, a program manager on the Windows Security team, has put together an article for the May/June 2006 issue of TechNet Magazine that takes a first look at the new security features that will be included in Windows Vista. Items covered in the article are:

• User Account Control
• Consent and Credentials
• Code Integrity
• Data Encryption
• Application Isolation
• Data Redirection
• Cryptography
• Credential Providers
• Service Hardening
• Windows Defender
• Rights Management Services

It's a good summary all in one place of many of the security improvements that will be built into or will ship with the new OS. From reduced privileges to improved use of strong cryptography and other new features, Vista looks like it will be a major step forward in the Windows security world - a welcome set of core changes.

Read the article here.

If you run Firefox (or other Mozilla software based on the same codebase like Thunderbird) and have not upgraded it to the latest version (the latest Firefox - 1.5.0.2 - was released just last week), CERT says you really really need to.

From ZDNET:

"CERT advises people who use Mozilla's e-mail software, Thunderbird, and the Internet application suite Seamonkey to also upgrade to the latest versions (Thunderbird 1.5 and Seamonkey 1.0.1). CERT warned that any other products based on older Mozilla components, particularly the Gecko rendering engine, may also be affected.

"Firefox has traditionally been seen as being more secure than other Web browsers such as Microsoft's Internet Explorer. This is thought to be the first time that multiple vulnerabilities have been reported in Firefox and the Mozilla suite.

"Secunia warned that hackers could exploit the security holes to gain control of computer systems, conduct phishing attacks, and bypass security restrictions.

"One error that occurs in Firefox would allow arbitrary JavaScript code to be injected into Web pages as they load."

Users of Firefox can typically just click on the Firefox "Help" drop-down menu and then choose the "Check for Updates" option to see if they are running the latest version. If your version of Firefox does not have this option, you know you're way out of date and you should visit http://getfirefox.com right now and download the newest version ASAP.

Also, of use to corporate IT people is the Firefox Community Edition package from FrontMotion that includes features to do MSI installs and leverage associated Active Directory ADM files to manage Group Policy security functionality in Windows domains. Companies using this package can apply the patched versions in an automated, simpler and reliable fashion. Larger organizations that don't use such a package have to deal with either a more complicated update process or reliance on end users to perform the updates - which is never 100% successful, even in the smallest shops. Version-wise, it's important to note that FrontMotion's MSI installers tend to lag a bit behind the Firefox official releases (when a new FireFox release is issued, the FrontMotion crew uses it to create the new MSI installers and ADM files), so keep this in mind when deciding how to deploy.

I work in the security field (we build anti-fraud and authentication software and services for financial services and electronic commerce companies like banks, etc). Recently I've been asked by a significant number of people why certain banks are being phished in such large volumes. Now, while I don't write about specific financial institutions or security events (that would not be appropriate), I can tell you that any given bank has little to no control over whether or not it is made a target in the first place. All the big banks (and many tiny ones) get hit hard at some point. What they do have control over is their chosen prevention, mitigation and response plans and methodologies.

In the end, the most effective solution is the fairly simple one: Make it hard enough for the fraudsters and eventually they will move on to another bank. Stopping phishing and other online fraud is really just like everyday police work - It's not actually about ending crime, it's about making it go elsewhere. In the real world, the cops just push the burglars, drunks and drug dealers to someone else's town. We don't solve these problems, we just move them somewhere else.

So, eventually the scammers' targets and victims change. The real problem with online fraud is that we can't put an end to it with infrastructure technology they way it is now. We can get way out in front of it (where I work, we write software that can help prevent most phishing attacks from being launched in the first place, as well as strong authentication software to help stop bad guys from getting in the door even if they have a key). But it's way too easy to run a phishing scam, and prosecution is not an effective solution. Prevention is the way to go, and that means diligence on the part of financial institutions, using the right kinds of technology where needed, and a implementing a whole-community effort to stop the problem before it ever gets started. Tools are out there to let the bank get in front of the problem, and but it off at the knees before the crime occurs - a lot like stopping the bank robber well before he walks into the bank's branch office. Preventing the robbery is a lot less messy than cleaning up afterwards, explaining it to everyone, and trying to convince your customers that have just been held hostage not to leave your bank for another one.

Email is, as designed, one significant part of the problem we face. It's just too easy to abuse. Without getting too far into the whole "email-limitation" debate (Sidebar: When I spoke at a security conference last week one attendee tried to lure me into taking a political position on whether charging to send each email is a good idea... Heh, no I think not...), it's clear at least that there are many problems with the medium. Educating people not to respond and not to click on links will not solve the problem, as has been proven time and time again. Email is an  insecure method of information transport, and unless access can somehow be reasonably curtailed, this problem won't go away. The real question is, can email be restricted for bad guys while still keeping it free and in the spirit of the open Internet for everyone else? If so, how? Something tells me the debate and answers have not changed much over the years.

Ah, what the heck, let's just kill email completely. Block port 25 at the backbone routers. It's a counter-productive way to communicate much of the time anyhow. Imagine all the misunderstandings we'd avoid. The tangible and intangible benefits would be many. :)

But seriously, in the real world, there are three basic approaches to tackling this problem (phishing and cyber-fraud) if you're a financial institution. I'll mention them here briefly, and will likely dive into them in more detail in another post sometime soon:

• Option One - Purely Reactive Posture - Apologize to customers when they call and tell you there's a problem, refund their accounts, change their passwords for them, hope they don't leave you for another bank.
• Option Two - Hybrid Reactive Posture - Watch for phishing emails and when you see them, use technology to block them and see if the sites in the emails are real, and if so try to get them taken down, either on your own or through a professional take-down service. Apologize to less customers, and hopefully change their passwords before the bad guys get into the accounts.
• Option Three - Preemptive Approach - Prevent the fraud attack from being launched in the first place, shut down fraudulent sites before the victims receive an email, make it difficult for the attackers, and protect your customers from being victimized at all.

Which option do you think is best? Which posture do you expect your bank to adopt? For my part, I vote for leveraging all three options, with a strong primary emphasis on Option Three, where prevention is the main focus. That's the area where I spend the majority of my professional time, with a team of developers and forensic techies who build software that prevents attacks and gives banks what they need to protect customers from becoming victims. It's a worthwhile job.

Microsoft's Windows Live ID team has started a blog to communicate information about the new product, which is a replacement/upgrade for the Passport service. From the inaugural post:

"Windows Live ID is the upgrade/replacement for the Microsoft Passport service and is the identity and authentication gateway service for cross-device access to Microsoft online services, such as Windows Live, MSN, Office Live and Xbox Live.  Is this the authentication service for the world?  No   It's primarily designed for use with Microsoft online services and by Microsoft-affiliated close partners who integrate with Windows Live services to offer combined innovations to our mutual customers.  We will continue to support the Passport user base of 300+ Million accounts and seamlessly upgrade these accounts to Windows Live IDs.  Partners who have already implemented Passport are already compatible with Windows Live ID.
 
"Windows Live ID is being designed to be an identity provider among many within the Identity Metasystem.  In the future, we will support Federated identity scenarios via WS-* and support InfoCards.
 
"For developers we will be providing rich programmable interfaces via server and client SDKs to give third party application developers access to authenticated Microsoft Live services and APIs.
 
"Over the next few weeks as we complete our deployment, you will see the Windows Live ID service come alive through our respective partners sites and services.  The first thing you’ll notice as early as today is that the word Passport is being replaced by Windows Live ID.  But isn't a rebranding exercise -- there is stuff going on under the hood.  This will be more understandable in the coming weeks and months when you start seeing the new, exciting Windows Live sign-in UI.  Not only is the page load time significantly reduced, but you will see some really cool innovative features that we’re sure you’ll love :)"

I'll likely be writing here on this weblog about Infocard (which I have early some experience with), authentication and other related topics, since I have a professional connection to all of the above. Glad to see the Live ID team getting their blog start - this is the beginning of what should be a great phase of changes and improvements in the area.

Travel, travel and then some more travel... That's where I've been lately.

This week I'm in (well okay, near) Orlando, Florida at the Omni Orlando Resort (which is a very nice place), where I will be speaking on a panel Wednesday morning about operational security of online banking web sites and working with law enforcement. Then I will be hanging around for the rest of the conference through Thursday or Friday, learning and exchanging ideas.

Anyone in the area wanna grab coffee? Let me know. Comment, email or phone (it's in the menu bar at the right).

Wow - this is great news. MS Virtual Server Enterprise Edition for free, plus ability and support for running Linux as a guest OS. Look out, VMWare - the battle is on:

Today Microsoft announced that Virtual Server 2005 R2 is now available as a free download. This also will apply to the forthcoming service pack 1 of Virtual Server 2005 R2. In addition, Microsoft announced the availability of virtual machine add-ins for Linux and a technical product support model for Linux guest operating systems running on Virtual Server 2005 R2.

Read more here.

Matt points out that tonight is a special, won't happen again in our lifetimes event:

Tonight, at 123 seconds past 1 a.m. the time will be 1:02:03 04/05/06. Now if you take into account that we're only using two digits for the year this event won't happen again for another 1000 years in the year 3006. If you happen to be out and about at that time of the night you way wish to find a 7/11 and purchase a lottery ticket :)

Now I have to decide if I am going to stay up or not. Gah!

Are you staying up? One time chance!

It's been seven weeks since I underwent surgery on my lower back up near Seattle, Washington. I was the recipient of a Kineflex lumbar artificial disc, a three-part, all-metal mechanical replacement for the torn, herniated and collapsed (degenerated) disc between my L5 and S1 vertebrae. That's the lowest one in your spine.

This surgery has truly given me my life back.

Before the procedure, I was always - and I quite literally mean always - in pain. Real pain, the kind that wears you down every minute of every day. The kind of chronic pain that people can't fully understand until they've lived with it themselves. It wears you down, chews you up, and eventually spits you out. "Normal" for me was a lot like the "normal" road noise is for someone who lives right next to a freeway: Spend your whole life around it and your brain tunes it out just to cope, but it's always there. Sure, louder noises still annoy you, but the mind has a way of coping with whatever you throw at it, at least as best it can. But that background pain still has an effect, progressively more so over time. When the sound is gone, it's almost deafening. And when the pain is gone, you finally realize just how bad it's been.

I feel ten times better than I've felt in more than ten years. Seriously.

Yeah, I am a guinea pig of sorts - the artificial disc I was fortunate enough to receive was provided to me as part of an FDA trial - not very many people have this hardware in their bodies. I did more than a year of careful and critical research on artificial disc surgery before I decided to take the leap. I considered bone fusion (which is the classic and most common treatment for my condition) and I tried every other treatment that was available to me - physical therapy, exercise, medicine, cortisone injections, minimally invasive procedures, you name it. When it came down to it, it was a choice between bone fusion or ADR (artificial disc replacement) procedure. the ADR device allows the joint to remain mobile instead of locking it up permanently, and I am only 38 years old (well for a few days anyhow), so staying mobile is  important to me. Because I had a 50/50 chance of receiving either a Charite or Kineflex artificial disc (they split the patients randomly, half and half), I also had to become confident in both technologies (the Charite is two metal plates with a plastic core, while the Kineflex is the same basic idea, but with a different design and a metal core). I can tell you that I was lucky and got the one I really wanted (the Kineflex), but either would have been okay with me.

Not everyone is the same, and surgery is rough stuff. The procedure is a serious one with potential side effects that one has to be ready to accept. Everyone's body is different and surgery is in large part an art, which means they all go slightly differently. Many people benefit from the new technology, while some are not so fortunate. That said, I am so grateful for my decision and to my doctors and the staff that have given me so much back. I did not fully realize how bad off I was until now, and still each day I keep feeling better. It will likely be many months before I can say I am healed and recovered, but I can see and believe that day's coming, which is something I had almost given up hope on before.

I write this from what used to be one of the most painful places in my life: An airliner seat at 37,000 feet. And guess what?

It doesn't hurt anymore.

Ahh, movie weekends.

I went with a friend to watch Ice Age 2 yesterday afternoon. I had, I must admit, somewhat low expectations of this one just because the first one was well-done enough to be hard-to-follow. But regardless of what Roger Ebert says, I enjoyed it. Sure, it's not as original as the first one (it is a sequel to an animated feature after all), but it had me laughing out loud at times, so in my book that means success. It has the standard fare of little kids' stuff plus some funny, subtle adult stuff (right from the beginning). The scenes featuring Scrat, the little sabre-toothed squirrel, are terrific and the story itself is not too bad. As Ebert points out, none of the characters ever seem to eat, and how the meat eaters could possibly survive if everyone in the animal kingdom (with the exception of the fish) just gets along so swimmingly (pun intended) is a mystery. But hey, again it's an animated movie, and I can live with it. I own the first film on DVD, and I'll be buying this one, too when it comes out. If for no other reason, just because there's bound to be more Scrat scenes in the extras.

Before the feature film started, though, along came a surprise trailer (or "preview" for those of you who prefer that term) for "The Simpsons Movie, coming to the screen, July 27, 2007." Woah, cool. I had to do a second take - 2007? Okay, okay I can wait - but like Homer says, "Oh oh, we better get started!" Supposedly (according to The Hollywood Reporter, anyhow) the trailer will also air tonight prior to the Sunday evening Simpsons episode on FOX (which means it will be posted all over the Internet by the time the first commercial break is over). I just hope the hype doesn't create expectations that can't possibly be met. Note that "simpsonsmovie.com" is registered to 20th Century Fox but there's no web site attached to that address as of this writing. And by the way, on a related note, if you have not seen the "real-people" version of the Simpsons TV show intro you can go here - and you can compare the cartoon version and the live version side by side here. Rumor has it, too, that the live-action version will appear on the Simpsons TV show tonight. Either that or this is all one big April Fools joke. Hope not.

Finally, on Friday I bought a copy of King Kong on DVD and took it home, where we loaded it up and gave it a run at blowing out  the speakers in my home theater. The speakers survived that attack, but it sure is amazing what incredible sound and special visual effects we get from movie makers these days - and in our own homes too boot. I remember when Dolby ProLogic surround was way cool - and now it sounds like oatmeal. It makes me wonder what's next. And DVDs sure are coming out more and more quickly these days. Didn't we just watch King Kong in theaters? Anyhow, it's worth the purchase if you liked the movie or if you want something to stress test that audio system with heavy bass and loud growls with lots of dynamic range.