Monday, April 21, 2008

A Real Expert Tangles with Wikipedia

Climate change is a "hot" issue right now (please pardon the pun), and as a result, the Internet world is abuzz with comments and commentary that covers all aspects of the issue. It is, in short, a controversial subject.

There is, of course, a lot of science surrounding climatology and the "greenhouse" effect that makes this planet a haven for life. There are also a lot of opinions about what the science is showing us. And, as Mark Twain said, "it is a difference of opinion that makes horse races."

As I noted in an earlier entry, if you want to know the controversy surrounding an issue, check out its entry (or entries) in Wikipedia. So it is with Climate Change.

Recently, a National Post writer named Lawrence Solomon wrote two articles about his experiences working in the world of Wikipedia, and how he ran into significant bias in the area of Climate Change. It is enlightening reading.

Friday, April 18, 2008

PayPal to Ban Safari?

According to ComputerWorld, PayPal is planning on limiting access to its site to users of browsers that implement "anti-phishing" technologies, such as later versions of Firefox and Microsoft's Internet Explorer. ComputerWorld claims this would include a ban on Apple's Safari browser. This is ComputerWorld jumping to conclusions -- ComputerWorld is piecing together comments made by PayPal over the last few months.

Safari is perfectly fine, now that I have been using it for a while. I read PayPal's White Paper mentioned in the ComputerWorld article, and it is quite a good overview of the problems of Phishing, and PayPal's response to it.

PayPal is an online bank, really. Phishers have been targeting them just like any other bank. Phishing is the practice of someone mailing millions of emails that masquerade as a target bank's official email, luring the email recipient to click on an embedded link which goes to a fake site, where you then enter your logon information. Voilà! Now they have your personal information, which the crooks use to steal money from you and from the target bank (since banks usually cover moneys stolen by fraud, which Phishing is).

PayPal's approach to Phishing is interesting. It is:

  1. Try to put in place verified email so that phishing emails can be stopped before they reach inboxes.

  2. Have Phishing sites "Blocked" from the internet, by using anti-Phishing features of some browsers and law enforcement working with the Phisher's Internet provider. (The law enforcement piece here was listed separately on the white paper as an "Ancillary Strategy" but, really, it is part of the same thing. Block the site, and take it down through legal means).

  3. "Customer Education" -- get the customer to know more about the problem and act to avoid Phishers. (This smacks of "if only the customer would stop screwing up!").

  4. Better authentication methods.

  5. Finally, legal means via legislation preventing "spoofing" sites.

Their conclusion is that they want to move forward with the multi-pronged strategy, and they single out specifically the email authentication part (step 1).

Here's my take:

PayPal can do something that can nip this in the bud - and, as it turns out, they are almost already there.

They put "Authentication" as section 5.3 under "Ancillary Strategies". Four paragraphs in an eleven-page document. And yet, authentication is the true answer to the problem. Phishers can phish all day long and die on the vine if PayPal puts in place a real authentication scheme.

I logged into my PayPal account. I used my email address and password -- this is the standard way. Email address and password. This is weak authentication. This is the kind of thing that is easily Phished for and gotten. PayPal, in their white paper, appears to be trying to "boil the ocean" with internet protocol changes, changes to laws in a hundred countries, law enforcement swat teams, and user re-education camps, and yet they still have this weak password scheme? Why don't they implement a real authentication scheme? One that proves that the person is who they say they are?

Guess what? They have! But not 100%.

After I logged in, I noticed that they have something called the "PayPal Security Key." This is a device that implements "dual factor" authentication. You have your ID and password. The device provides a six-digit code that changes every thirty seconds. When you log in, you provide your user ID, password, and security code from the device. For whatever reason, this is optional, not required.

They are introducing this for $5. It also works for eBay, and they say it will be usable at other sites down the road. If you have PayPal or eBay, get one!

I used basically the same thing years ago at my prior job, and it works great. You no longer have to really worry about your password, and the company that issues it no longer has to worry about customers or employees that write their passwords down on post-its attached to their keyboard. This circumvents all that. A fraudster can have your name, user ID, password, mother's maiden name, social security number, etc., etc. They can even have the last six digit number you used. But if they don't have the device, they can't get in! Not unless they happen to guess a one-in-a-million number. In other words, they have to win the lottery, but all they get is your PayPal balance!
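A worked illustration of the security-key mechanism described above, added here as an example and not PayPal's or the token vendor's code: it assumes the device follows a time-based one-time-password construction (RFC 6238 TOTP over HMAC-SHA1), which the post does not specify, and shows the server-side check with a small clock-drift window, rejection of an already-used code, and a lockout so that the one-in-a-million guess cannot simply be tried a million times.

```python
import hashlib
import hmac
import struct

STEP = 30    # the code changes every thirty seconds
DIGITS = 6   # a six-digit code: one million possible values

def totp(secret: bytes, unix_time: int) -> str:
    """Code shown on the device at unix_time (RFC 6238 TOTP over HMAC-SHA1; assumed construction)."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % 10 ** DIGITS:0{DIGITS}d}"

class SecondFactorVerifier:
    """Server-side check of the code submitted alongside the user ID and password."""
    MAX_FAILURES = 5   # lock after a handful of wrong codes so the odds cannot be brute-forced

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window            # tolerate +/- one step of clock drift between device and server
        self.last_counter_used = -1     # every code is accepted at most once (replay protection)
        self.failures = 0

    def verify(self, submitted: str, now: int) -> bool:
        if self.failures >= self.MAX_FAILURES:
            return False                # locked out until an out-of-band reset, which this example omits
        current = now // STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter_used:
                continue                # an already-used or older code is worthless, even if it was phished
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected, submitted):
                self.last_counter_used = counter
                self.failures = 0
                return True
        self.failures += 1
        return False

if __name__ == "__main__":
    secret = b"constructed-demo-seed-1234"   # constructed sample seed, not a real enrolment
    now = 1_700_000_000
    verifier = SecondFactorVerifier(secret)
    code = totp(secret, now)
    print("fresh code accepted:", verifier.verify(code, now))                         # True
    print("same code replayed:", verifier.verify(code, now + 5))                      # False
    print("next step's code:", verifier.verify(totp(secret, now + STEP), now + STEP))  # True
```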

So, PayPal wants to stop fraud. They can stop fraud tomorrow if they require all their users to get one of these keys. This is an expensive solution, but, hey, banks have been known to give toasters away with new accounts, so why not security keys?

Everything else in their white paper is interesting, but at the end of the day will not eliminate fraud. It will reduce fraud, and that is good. But changing email protocols, forcing browsers to conform to some "anti-phishing" standard, changing laws, and finally getting users educated are all long term incremental actions that over a period of maybe ten to twenty years may yield some fruit. The internet, however, by its nature, is wide open. You can cordon off parts here and there using laws and protocols, but the openness will always be there, leaving room for crooks to maneuver.

In any event, I think it is important for companies like PayPal to know who it is they are dealing with - it is up to them to ensure you are who you say you are. I personally have no control over someone claiming to be me and logging into PayPal, even if some personal information was Phished out of me. It is someone else, knocking on PayPal's door, claiming to be me. PayPal is holding my money in trust. I expect them to keep someone else's mitts off my money! So, PayPal needs to implement a way that proves it is me doing business as me. This Security Key does that.

There are methods other than hardware keys to do this. Vidoop was mentioned in an earlier blog entry. However, Vidoop is more for your peace of mind than for the place where you log in -- Vidoop authenticates your machine and you, to your satisfaction, so you know that no one else can fake you using a Vidoop ID. But since Vidoop is an "OpenID," sites that use OpenID are not forced to accept only Vidoop IDs.

As far as the threat of PayPal restricting site access to "safe" browsers, potentially banning Safari, I think it is a better bet for PayPal to push their Security Key than it is to restrict users based on what browser they choose to use. There are a lot of Apples out there. Yes, I know you can run Firefox on a Mac, but why force the issue? Lots of people will pay $5 for an access key/token, but not $1,000 for a new computer that can handle a pig like IE 7, especially when that $1,000 gets them a Mac!

Thursday, April 10, 2008

Gartner Catches On to Microsoft

Over a year ago, I predicted the end of Microsoft domination. Now, a year and a quarter later, Gartner is catching on and stating that Windows is "collapsing." The reasons stated are the obvious: Vista is seen as too incremental to warrant a migration off of Windows XP, and it has the reputation of being a resource pig.

I have been using a Mac now for a month. I am really, really happy with it. It is not perfect -- the Mac's reputation of being the PC that never crashes is overstated -- but it is a heck of a lot better than XP. 

I find it interesting to find my own mind-set changing, quite without thinking about it. When Google announced its Google App Engine two days ago, I noticed that the demonstrator was demoing it using a Mac. When I have been seeing developers show demos for whatever they are selling, I am seeing them done on a Mac. When you see pictures of a "generic laptop" in ads or in movies, they are always a MacBook. This has been trickling in over the years, but now it is ubiquitous. iTunes sells more music than everyone other than Wal-Mart, and they will overtake Wal-Mart this year. iPod has been the number one music device for years. iPhone is selling very well and has the cachet of being the phone to have ("Blackberry or iPhone" is the question. No one else need apply).

Regarding my mindset, I look at a PC app and think to myself "man, that looks old." When I look at a software provider and I see that it only runs on Windows, I think "man, that is old-school." All of a sudden, the future for applications that people use has only two platforms that matter: The Web (as in Gmail, Twitter, Basecamp, etc.), or Apple Mac. The movement to the web was no surprise. That is a no-brainer, as Google Apps, and other "Software as a Service" offerings gain real traction. What surprised me was that Apple would surge back so strong. But, now that I am living the experience, it is no longer a surprise. I love this thing. I'll write more about that in a separate post, but I love this Mac.

Now, I can't ever see myself ever again saying "I love my Windows box." In fact, I can remember only one instance where I ever truly felt that I loved a Windows box, and that was my old 486 running Windows NT circa 1992 -- and then, it was the box I loved (faster than anything!) rather than Windows NT (Registry? What the heck is that? What was ever really wrong with Config.ini?). No, all Windows boxes I have had save the 486 were pains in the neck, but necessary evils, since there were no alternatives. Laptops in 1994, 1995 were Toshibas running Windows 3.1. Windows 95 beta fried my old Toshiba and forced me to swear off forever "beta testing" Microsoft products. Writing code for MS-DOS was quirky, but basically straightforward. Writing Windows code forced me to rely on their super-buggy Microsoft Foundation Classes. I had to debug their software! And pay for it, too! Oh, sure, I could have written my own library of Windows routines, but then about 90% of my code or better would be girders and pillars, and only 10% or less would be actual functionality.

The Mac was always a joy to write code for (although I didn't personally, because the money was not there... Mea Culpa on Windows domination to that degree.) I still have a t-shirt from the 1998 Software Development conference in Santa Clara for CodeWarrior ("Kicking Butt and Writing Code") which was the development tool of choice for many Mac developers and was a great platform, at least from the demo I saw and the people I spoke to.

NeXT Computer's NeXTSTEP operating system and Objective-C were unbelievable! And, guess what? They live on in Mac OS X.

In retrospect, it is surprising that I waited until 2008 to make the jump to Mac. I am not the only one -- it is happening all over. 

Macs are not 100%, yet. They don't fit very easily into a Windows Active Directory world, although they are better, much better, than they used to be. Businesses are still strongly incentivized to use Windows-based PCs and laptops, and general inertia will keep the platform alive in the business sector for several more years. But, it is dying. Businesses will, over time, move more and more to Linux and Open Source for back-office systems like databases, and web applications for user applications, leaving Microsoft in the lurch.

If Gates were still with Microsoft, I would not count Microsoft out. But, he is gone. Microsoft cannot pull off the big come-back without him. It looks like Microsoft's demise is getting obvious.