
Two more encounters with OpenID

February 27th, 2008

Filed under: OpenID — mike hall @ 1:12 am

OpenID has been gaining traction recently with news of Yahoo!, Google, IBM, Verisign and others giving users OpenID accounts. That’s certainly only good news for OpenID. Coincidentally, I recently encountered two more sites that are using OpenID:

1) Blogger comments

I’m not exactly sure how new this is, but I don’t remember an OpenID option being there before. Either way, it’s there now. If I didn’t already have a Blogger account, I’d most definitely use OpenID here. There’s no need to create a Blogger account if you simply want to comment.

2) Twitter Feeds

I’ve recently started Twittering. This is yet another example of something I thought would be stupid, but has turned out to be pretty cool. Anyway, I’ve been looking at integrating my Twitter account into my Facebook account, my ‘about me’ site, and other places like that. Then I see a Tweet from Scott Hanselman himself telling us about TwitterFeed. Perfect. And look at that: it even supports OpenID. Even more perfect. This is truly a website where I have no need to create a full-fledged account with stockpiles of my info. I just need my login mapped to my feeds and we’re good to go:

I’m glad to see OpenID starting to be used on some sites that I actually use, since they’ve been pretty sparse up till now. Hopefully that trend continues. So do you regularly use any OpenID sites, or have you seen any other cool OpenID-enabled sites out there?

Can a worm do good?

February 23rd, 2008

Filed under: security — mike hall @ 1:53 am

It’s not a particularly new idea. Microsoft even got into some hot water a couple days ago for this very thing. Can something as inherently malicious (or eeeeevil) as an Internet worm be used for good? It’s kind of like the One Ring. The bearer of the worm would want to use the power to do good, but by the very nature of the worm it would simply compel the bearer to use the power to spread evil throughout the lands. Anyone with me on that?

Geeky comparison aside, could a worm really be used to hop from vulnerable machine to vulnerable machine patching up their holes along the way? Despite the fact that it’s still illegal no matter how virtuous your intent, is it a good idea?

It would definitely accomplish the goal. A worm going from machine to machine could easily spread in the same way that malicious worms spread and could patch them up to prevent any baddies from getting in. However, what this leaves out is the user. The user doesn’t get to give their consent, or even be notified that anything is going on, as Bruce Schneier points out:

And that’s exactly why it’s a terrible idea. Patching other people’s machines without annoying them is good; patching other people’s machines without their consent is not. A worm is not “bad” or “good” depending on its payload. Viral propagation mechanisms are inherently bad, and giving them beneficial payloads doesn’t make things better.

I agree with him in principle. Not letting the user consent to the fix isn’t good no matter how you spin it. I wouldn’t want my system unwillingly (and unknowingly) patched. I wouldn’t know if the patch was good, if it came from a reputable source or even if the patch might introduce any other vulnerabilities, holes or simply any other functionality that I might not want…

But let’s get real.

Users just don’t patch their computers. Regular users don’t keep their systems up to date. They don’t regularly patch their machines. Heck, they don’t even maintain their systems well. How many times have you acted as the family IT guy and tried to fix a relative’s computer that had never been defragmented, had tons of unknown or never used applications installed and was last patched not weeks ago, and not months ago, but years ago? Most users either don’t know how to patch, don’t want to learn, don’t care or can’t keep up. Worms, viruses, trojans and lots of other malware are still floating around the web that exploit vulnerabilities that have been patched for years. Yes, years. These infected systems just aren’t being maintained.

So has the time come to force patches upon users?

Under the sea… under the sea

February 19th, 2008

Filed under: networking, security — mike hall @ 10:39 pm

We’ve been hearing about all those undersea cables that have been cut recently (and yes, that’s five) and all the conspiracy theories surrounding them. So here’s a map of all the Internet undersea communication cables to get some perspective of the situation:

And I thought that since I’ve already posted maps on late night bandwidth, root servers, Internet address space, and global bandwidth, one more shouldn’t hurt…

Why is social engineering so easy?

February 15th, 2008

Filed under: security — mike hall @ 12:45 am

I don’t know why, but I just find a good social engineering story riveting. Maybe I actually enjoy the human aspect of security more than the technical aspect, or maybe it’s the whole secret agent thing of sneaking into places that you’re not supposed to be. Either way, I like it. And I just heard a good one in a letter to Steve Gibson on the Security Now! podcast.

Basically, a security penetration testing firm used a commercially available radio scanner to listen in on employees talking on wireless hands-free headsets. They sat across the street and could get good enough signal to hear and record the conversations. They then used what they heard to pose as a remote employee who came into town:

“I put on my best suit and then went to work. When I entered the building, I was greeted by security. I indicated I was an employee and was in town to work. I handed the security guard a business card and was welcomed with a smile. After escorting me to a cubicle, the guard showed me where the restroom was, where I could get a cup of coffee, and how to go about getting a building access card.”

It was just that easy. He goes on to tell about how he spent three whole days going into and out of the building, getting an access card, and getting into plenty of rooms he shouldn’t have been able to.

So what’s the problem here?

Was it that the security guards didn’t check for a valid state-issued ID instead of a simple business card? Was it that the security department didn’t investigate him further before issuing a key? Was it that the wireless headsets were being used in the first place? Probably every single one.

You should read (or preferably listen to) the whole story in episode 130. It really is fascinating. I’m also reading a book in the same vein called “The Art of Intrusion” by Kevin Mitnick of hacker fame. It documents a handful of real stories of hackers (or crackers, depending on how you look at them) who used various techniques, including social engineering, to get into what they wanted. There are stories about phreaking and getting Internet access from prison, being hired by terrorists, and cheating casinos out of a lot of money. Every story in there would make a great movie.

There are countless other stories where social engineering is no harder than wearing the right clothes and saying the right things. Here’s a story of people sneaking almost a hundred boxes of materials into the Super Bowl. Here’s one of a guy sneaking into a bank posing as a pest control inspector. And another of people easily getting through the security at the APEC Conference.

Why is this so easy?

Is it because we’re lazy, untrained or just plain stupid? Again, it’s probably every single one.

Has mailto outlived its usefulness?

February 11th, 2008

Filed under: networking, usability, web — mike hall @ 11:45 pm

I created a new blog last week. That brings my count up to… well, a lot now. Anyway, the target audience is middle school to high school kids. (Don’t get any strange ideas here, this is for the youth group at my church, ok?) Anyway, so this is for teenagers which basically means it’s for people that have grown up never not knowing what a computer or the Internet was. So I put a post up on the blog which gave them links if they needed help with this or that and then at the end of it I put my email address up there for them as a last resort. At first I thought this was a pretty simple case of using a “mailto:” link in order to create an email when the user clicked on the link. But after a little thought, I quickly started questioning my decision.


If you have an email application installed on your computer, then mailto works perfectly well: it pops up a new mail with the “To:” field prepopulated, so that the user is all set to type in their life story and click “Send”. However, I don’t think that’s the common case anymore (and especially not for my user base).

Last year, I bought a couple of copies of Office for the home computers. I got the version of Office that has Outlook just so I could have all the cool functionality that Outlook has nowadays. The only problem is I never use it. I always use the webmail interface provided by Yahoo and Gmail. What’s sad is that I actually love Outlook. All the nice folder capabilities, calendar views, task functionality… it’s just a great app. But I want the same experience on all the computers I use. I don’t want my read email downloaded and available only on one of the three computers I use every day. With POP email you definitely have that problem. With IMAP it’s a little better, but you can still have issues of folders created on the desktop not being available in the webmail and so on. I don’t want to be tied to always going to one computer to manage my email, so I just stopped using it.

I decided to strictly use webmail to manage my personal email and am pretty sure that that’s becoming the norm.

So what does that mean for good ol’ mailto? Well, there won’t be an application defined to handle “mailto”, so when the user clicks on a mailto link nothing happens… and that’s never good.

There are programs that will fix this for some webmail apps. For instance, G-Mailto and GMail Notifier make mailto work for GMail, but of course these are just one-off fixes that you would have to find and install for your particular webmail on every computer that you use to check your email.

But either way, mailto doesn’t automatically work for webmail users. Worse yet, the user may right click on the link and select “Copy Shortcut” in IE or “Copy Link Location” in Firefox and paste that into their webmail app. That will include the “mailto:” part of it… and that won’t work either:

This one is from Yahoo and this one is from GMail:

And of course you have to be careful when putting email addresses in plain text on a website. You can obfuscate it using “[at]” instead of the “@” sign, but that’s pretty low-tech and bots probably check for that now anyway. Better yet, you can encode it so it won’t look right until it’s actually rendered, but that’s a little beside the point here…
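The encoding approach mentioned above, as an added example that is not part of the original post: each character of the address is emitted as an HTML numeric character reference, so the raw page source never contains a plain “user@example.com” string for a harvesting bot to grep, while the browser still renders it (and, inside an href, still follows it) normally. The addresses, the class name and the helper names are constructed for this example.

```javascript
// Added example (not from the original post). Encodes an e-mail address as
// HTML numeric character references so the page source does not contain the
// plain address, while a browser decodes and renders it as usual.
// Addresses and the "useMailto" choice are constructed sample inputs.

function encodeEmailEntities(text) {
  // Turn every character into a decimal reference such as "&#64;" for "@".
  return Array.from(text)
    .map((ch) => `&#${ch.codePointAt(0)};`)
    .join("");
}

function decodeEmailEntities(encoded) {
  // Inverse of encodeEmailEntities, used to verify the round trip without a browser.
  return encoded.replace(/&#(\d+);/g, (_, code) =>
    String.fromCodePoint(Number(code)),
  );
}

function renderContactLine(address, useMailto) {
  const shown = encodeEmailEntities(address);
  if (useMailto) {
    // Encoding the href as well keeps "mailto:" out of the raw source; the
    // browser decodes the references before building the link target.
    const href = encodeEmailEntities("mailto:" + address);
    return `<a href="${href}">${shown}</a>`;
  }
  // Plain-text variant for webmail users, who copy the address instead of
  // relying on a mailto handler being registered on their machine.
  return `<span class="email">${shown}</span>`;
}

function isPlainAddressExposed(html) {
  // Quick check to run over generated markup: does an obvious
  // "something@something.tld" pattern survive in the source?
  return /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/.test(html);
}
```

Run `isPlainAddressExposed` over the markup your template actually emits; it is the plain-text `<span>` variant that sidesteps the missing-handler and “Copy Shortcut” problems described above, and the encoding keeps it from being trivially scraped.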

So what’s the better of the two methods? Provide a “mailto:” link to foster an aging paradigm or just make it simple text that the user has to cut and paste? Cater to the crowd with desktop email clients installed all the while making the experience for the majority of email users a little more error prone?

Sad as it sounds, it looks like plain ol’ text may win…

Messing with modal popups

February 9th, 2008

Filed under: UI, coding, programming, usability — mike hall @ 12:28 am

The dialogs popped up via the common Windows APIs, through either MFC or the .NET framework, always put the buttons in the same place, whether it’s an OK, Yes/No, OK/Cancel, whatever. Having controls in the same place is a good thing. It makes use of the user’s spatial memory. The user remembers and automatically knows where the controls, or in this case buttons, reside.

The problem is that modal popup dialogs are typically modal and popup precisely because they require the user’s attention. They need to ask the user something, confirm something, or simply alert the user to something. And since popup modals are all the rage, users get very used to simply dismissing them, since either the user already knows what they say or the user simply doesn’t care. A form of popup dialog dismissal habituation has set in, and combined with spatial memory automatically being invoked… BAM! No one reads your popups anymore.

So how do we fix this?

Well, some applications randomly rearrange the buttons (and don’t set a default button), so that the user has to read the text. Well, they have to read the button text, but they still don’t have to read the text in the body of the popup itself. And I don’t know about you, but those popups just piss me off. “Ok, where’s the darn button now???”

So what options do we have left? I’ve seen some people spouting that modal popups should be banned completely. Great! …now what do we put in their place? I agree that getting rid of modal popups would be a big win, but doing that requires doing all the confirmation and alerting in the form itself which requires much more code than just MessageBox.Show(). For example, how do you make sure that the user saw your alert? How do you make the user confirm something if they can continue using the form?
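One answer to the two questions above, as an added example that is not part of the original post and not the author’s code: an inline confirmation that lives in the form instead of in a MessageBox-style popup. The message stays on screen, there is no default button for Enter to hit, and the destructive action stays disabled until the user ticks an acknowledgement and retypes a short phrase, so the body text has to be read rather than dismissed by habit. The core is DOM-free so the rules can be checked without a browser; the element structure, the phrase “DELETE” and the function names are constructed for this example.

```javascript
// Added example (not from the original post). Inline, non-modal confirmation
// for a destructive action: the user must acknowledge the message and retype
// a phrase before the action is enabled, and dismissal always means "no".
// The phrase and element layout are constructed for this example.

function createConfirmation(expectedPhrase) {
  // DOM-free core so the rules can be exercised without a browser.
  let acknowledged = false;
  let typed = "";
  return {
    acknowledge(checked) { acknowledged = Boolean(checked); },
    type(text) { typed = text; },
    // Both conditions are required; neither one defaults to satisfied,
    // which is what a pre-selected OK button in a modal effectively does.
    canProceed() { return acknowledged && typed === expectedPhrase; },
    // Any dismissal (Escape, navigating away, clicking elsewhere) is a "no".
    reset() { acknowledged = false; typed = ""; },
  };
}

function renderInlineConfirmation(container, message, confirmation, onConfirm) {
  // Browser wiring: builds the panel inside an existing form element.
  const doc = container.ownerDocument;
  const panel = doc.createElement("div");
  panel.setAttribute("role", "alert"); // announced by screen readers

  const text = doc.createElement("p");
  text.textContent = message;

  const ack = doc.createElement("input");
  ack.type = "checkbox";
  const ackLabel = doc.createElement("label");
  ackLabel.append(ack, " I have read the message above");

  const phrase = doc.createElement("input");
  phrase.type = "text";
  phrase.placeholder = "type the word shown in the message";

  const go = doc.createElement("button");
  go.type = "button"; // not "submit": pressing Enter in the form must not trigger it
  go.textContent = "Proceed";
  go.disabled = true;

  const refresh = () => { go.disabled = !confirmation.canProceed(); };
  ack.addEventListener("change", () => { confirmation.acknowledge(ack.checked); refresh(); });
  phrase.addEventListener("input", () => { confirmation.type(phrase.value); refresh(); });
  go.addEventListener("click", () => { if (confirmation.canProceed()) onConfirm(); });

  panel.append(text, ackLabel, phrase, go);
  container.append(panel);
  return panel;
}
```

In a page you would call `renderInlineConfirmation(form, "Type DELETE to remove all records.", createConfirmation("DELETE"), doDelete)`. The cost is exactly what the post describes: more code than `MessageBox.Show()`, but the form stays usable and the confirmation cannot be clicked through by reflex.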

I don’t know about you, but I don’t see getting away from modal popups any time soon… but maybe that’s just me. Has anyone else had success in this?

Learning the technology du jour

February 5th, 2008

Filed under: misc — mike hall @ 2:26 pm

Aaron Lerch recently talked about not being able to keep up with new design technologies and programming techniques and everything else new that comes out each day. I definitely know what he’s talking about since I often feel that I need to use every free moment I have to read some technical book or blog post or listen to a podcast. Basically, I can’t waste any time so that I don’t fall any further behind.

But at the same time, is trying to learn everything just counterproductive? Will it make us all jack of all trades and master of none? Will it allow me to be able to shabbily program in just about any language from Javascript to C to F#, but not produce anything extremely cool like Google Earth or PageFlakes or a cool new IDS or the next great UI through Wii hacking?

Don’t get me wrong, I’m as guilty as anyone of this. I write about security, UI, Vista and programming all in the same blog. In the past couple of weeks, I’ve been doing encryption schemes in Javascript and C#, I’ve looked at usability research and I’ve been reading up on UML. Is that making me a more well-rounded developer or just diluting my brain with non-important things?

What do you think? and do? Are you a master of all things C#? Do you only subscribe to .NET blogs? Or do you read Boing Boing and MSNBC and ASP.NET blogs and SecurityFocus?

Tip of the day: Automagic quotes

February 2nd, 2008

Filed under: ASP.NET, programming, tips — mike hall @ 2:51 am

When declaratively programming in ASP.NET (or even just plain ol’ HTML), always typing in those darn quotes can be pretty mind numbing. Luckily you can easily have the quotes automatically inserted for you like so:

…by just setting the “Insert attribute value quotes when typing” option:

Now since you don’t have to type in all those quotes, you’ll have more time to add in an extra update panel… or two… or three!


This work is licensed under a Creative Commons Attribution 3.0 United States License.


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.