Bin Laden’s Capture and the Election

Can Bin Laden's capture affect the outcome of the Presidential Election?  I think so.  Korean dictators used to arrange sensational events just prior to the election and they worked.  If Bush can snooker us into invading Iraq with misinformation, influencing the date of his capture should be easy.

Maybe we should start a betting pool on the date of Bin Laden's captured.  I'll pick October 28th.  Why? The moon will be full and people do get more emotional under full moon.

Disclaimer: John Kerry has my endorsement for the next Presidency.  I like the guy and what he stands for.  Only bad thing I could say about him is that he looks like he just swallowed a whole sourdough bread.  Somebody get him some water.


Since there has been attempts to brush aside this post as a looney rant, I felt a clarification was needed.  Here it is.

Suppose it's early October and Bush's election campaign is going pretty badly.  While Bush and his campaign advisers are looking for ways to turn the tide around and someone jokingly say how nice it would be if Osama Bin Laden was captured.  Bush starts showing more interest in the capture of OBL.  It could just be as innocent as asking about OBL more frequently.  Is this illegal?  No, he is just doing his job.

The surge of interest travels down the ranks and reaches those who are in charge of finding OBL and affects how intelligence reports are analyzed and judgements based on those reports are made.  Fast forward past some costly operations and OBL is captured.

Is this a conspiracy?  I don't think so but I think similar events probably took place when Bush became President and showed a strong interest in Iraq.  Are Democrats immune?  Definitely not.  Presidents should be more careful with what they show strong interests in.

Startling Picture of North Korea

I visit GlobalSecurity occasionally because I am interested in anything related to wars.  Maybe it was those seven green plastic soldiers my father gave me when all the hair I had was on my head.  Anyhow, I saw this Landsat picture of North Korea which startled me and thought you might be interested in being startled too.

The bright spot near the middle is Seoul.  Black area above that is North Korea.  The little cluster of light in the middle of the dark area is Pyung-yang, capital of North Korea.  I guess there aren't many nightclubs in North Korea.  If China can look that good in a couple of decades, North Korea can too.  I hope I can boogie in North Korea before I croak.

RSA Conference 2004

I am going to be loitering at the RSA Conference today (Wednesday) so flag me down if you see me in the exhibits area.  Assuming, of course, they won't force me to fill it out the same registration form as the one online.  I won't put up with nosy forms.


Just got back.  I was there from 3PM to 5PM, checking out the exhibits.  How was it?  Well, spending $50 for 2 hours of boredom is not exactly my idea of good spending, but I got some walking out of the deal.  Flat foot and conferences don't mix too well I am afraid.

USB secure token vendors were out in force along side identity management and intellectual property protection.  I think USB-based secure tokens will breakout into mainstream in the near future because they doesn't require a reader.  All you need is a USB slot which is commonly available.  Smartcards?  Smartcards are dead.  Actually, they never lived at all.

eBay Account Guard

eBay just announced the addition of Account Guard feature to the eBay Toolbar. [via Payments News]  While the announcement doesn't go too much into detail, there are some interesting information in the Account Guard section of the Toolbar FAQ.

These are its features:

  1. Site Indicator – Verified Site and Potential Spoof Site: Located prominently on the toolbar, this feature displays a distinct visual indication when you are on a verified eBay or PayPal Web site, and alerts you when you are on a potential spoof Web site. The Site Indicator turns GREEN if you are on a verified eBay or PayPal Web site; RED if you are on a potential spoof site; and GREY if you are visiting an unidentified Web site. Note: this will be the most frequent indication when you are not on eBay or PayPal.
  2. eBay Password Protection: This feature warns you when you are entering your eBay password into a an unverified site even if it looks like eBay or PayPal site. The eBay Password Protection function will block the password from being submitted to the Web site – displaying an educational message about password protection – unless you affirm that you want to proceed in entering the password into the site.
  3. Report a Spoof Site. If you suspect that you are on a fake eBay or PayPal site, eBay Toolbar enables you to report the site to eBay so that eBay can take action. As soon as the report has been verified – and we confirm that the site is fraudulent – all eBay Toolbar users will benefit from having the most current information automatically uploaded to their toolbar.

Site Indicator is an example of visual security which I like.  It's not safe from Visual Spoofing though since green light is just a bunch of green pixels.  Presence of eBay Toolbar is doesn't even have to be detectable from the server-side because all hackers care about are decent yields for their efforts.  More popular the toolbar is, more easily fooled.  Having both real and fake toolbar appearing at the same time won't be a problem because the hacker can easily distract sufficient number of users away from the real one.

eBay Password Protection is more interesting because it interrupts and warns the user with an alert dialog.  Following FAQ items provide more info:

How does eBay Toolbar detect spoof sites?

eBay Toolbar detects and verifies spoof sites through a combination of technology and reports from the eBay Community. With the tremendous volume of spoof reports, eBay Toolbar leverages the vigilance of our community to enable all eBay Toolbar users to protect themselves.

How does eBay Toolbar block my password from spoof sites?

Before a user submits a password into a Web site, Account Guard reviews the submission and scans for the user's eBay password. This is done instantly and locally (on the user's computer) and does not involve sending any information to eBay. If the Toolbar detects a password match, it displays a pop up indicating that the user is about to send an eBay password to a non-eBay verified site.

eBay Toolbar alerts me every time I enter my eBay password into a non-eBay site. Why is this happening?

eBay, like most other companies, strongly encourages its users to choose unique passwords for all of the accounts (both on and offline) that they hold. The pop-up message warns you when you are about to enter your eBay password into a non-eBay site. You can disable this warning either in the eBay Toolbar preferences page, or on a site-by-site basis.

So the eBay Toolbar knows what the user's eBay password is and prevents user from submitting the password to any site not on their list of verified sites which is presumeably downloaded from eBay and updated regularly.  It makes sense to discourage users from using their eBay password elsewhere, but it's bound to annoy quite a number of eBay users, many of whom will have to change their universal passwords used at many non-eBay sites.  If it's good for ya, it's usually bitter.

The feature I like the most is the easy spoof reporting although it could create a lot of mess to clean up if misreports flood in.  I hope eBay shares their experience with Account Guard.

Levitated: Awesome

I saw this great image at Jeneane Sessum's blog and thought it was a wonderful album cover (oops, still thinking in LP mode).

Then I found out that it was generated (click-through on the picture) at Levitated using Flash.  Cool!  Then I clicked on a link and found myself with a page full of Flash-based open source computational animations and interactive paintings.  They are perfect for creating eye-candy banners for geeky websites.  A Must See!


p align=”left”>Need more?  Visit Complexification's gallery of computation.  I particularly liked the Buddhabrot which shows Buddha as a fractal image.

Phishing News

Glenbrook Partners has updated their phishing analysis.  It's a must read for executives concerned about online fraud.

Meanwhile, PassMark has finally unveiled itself with an announcement (and demo) of new countermeasures against phishing attacks.  PassMark was founded by Bill Harris, former CEO of Intuit and PayPal.

The frog and the text in red are PassMarks.

Their solution is similar to Personal Assurance Message (PAM) used in 3D-Secure, the standard underlying Verified-by-Visa and MasterCard SecureCode programs.  PAM works by asking the cardholder to enter a text string during registration (aka enrollment) which is displayed on the PIN entry page.  For the card issuer to find the text string entered by the cardholder, the cardholder must provide a creditcard number to the merchant initiating a 3D-Secure transaction.

In addition to a text string, PassMark uses a picture selected or submitted by the user.  Like 3D-Secure, PassMark needs a way to identify the user.  The user enters their name in the demo, but there are other means although having a client-side component opens up the possibility even more.

While PassMark is not foolproof against phishing, it does minimize the scalability of phishing attacks drastically and provides visible security, an important feature that security experts often overlook or underestimate the importance of.

Re scalability of phishing attacks

Before a phishing attack can be made, user-specific images (aka PassMarks) must be scraped from the PassMark protected site with bogus login attempts.  Sudden spike in failed login attempts alert the site and appropriate defensive actions will be made before the attacker can build a substantial database of PassMarks.  The attacker can't trickle bogus login attempts over time either because PassMark is not displayed unless preliminary weak identification of the user is made (i.e. user name).

As to the defensive measures, one method is to ask the user to select/submit two pictures, one for immediate use and another for when an ongoing phishing attack voids the first picture.  I am sure if PassMark does this though.

Also See: Posts about Phishmarking.

Corporate Blogger’s Dinner

I am planning on having a Corporate Blogger's Dinner in San Francisco some time in March.  If you are interested in such an event, please let me know via comment or e-mail (click on my picture).  I also need suggestions on when and where.

If you are wondering why someone who is not a corporate blogger hosting such an event, I want to hear what they think.  Corporate bloggers don't get to talk about their views on their blogs because of the nature of their blogs.  So I want to create a setting where they can discuss their views and issues they see on corporate blogging.