Just in case you are wondering, I am still alive and kicking.  I have been busy with a project for a client and I have barely managed to get enough sleep in the last six days because I have to deliver by this Sunday something that will wow people into opening their pockets next week.

As usual, it's a lonewolf project because there is neither the time nor resources to pull together a team.  I am trying to slip in some fancy design features for flexibility but it's mostly wham-bam-stay-out-of-my-way-fool and I'll-fix-that-later going on.

Yeah, it's Silicon Valley at its best since crash projects like these are impossible to outsource.  Days of milking fat mega-corporations on multi-year projects are gone and lean, mean, shoot-from-the-hip or work-for-nickels days are here.

Superbug and Hackers

Hackers are like germs.  You throw equivalents of antibiotics at them, and they'll mutate into superbugs.  For example, I doubt phishers will be tempted to hack Google to take advantage of the AdSense Voluntary XSS vulnerability because they are getting enough loot from stupid phishing attacks to keep them happy.  Once Microsoft Outlook, the main phishing delivery vehicle, is plugged and their gravy train runs out, they will turn into superbugs to find other means of getting their phishing lures in front of the user's eyeballs.

Oops.  I am out of tea for now.

Mad Hatter’s Party

The online security industry is a sprawling mad hatter's party.  Blackhats moving about silently, whitehats screaming their lungs out, everyone having their tea and then racing to the next set of chairs and tea set.  It all started as a nice tea party, but money started pouring in and it has never been the same since.

It used to be that blackhats did most of the pulling rabbits out of hats and whitehats did most of the clapping and finger pointing.  Now whitehats can't wait, so they started pulling rabbits out of their own hats and doing all the clapping as well.  Meanwhile, blackhats are getting lazier because they can just watch whitehats do all the rabbit pulling instead of doing the work themselves.  Rabbit pulling is fun if it's a hobby, but it is hard work when it's a job.

At this tea set, the rabbit's name is Phish, which is turning out to be a big hit at the party.  More tea?

Picasso the GUI Designer

Robert McLaws is working on Visual Blogger 2004, a blog editor client for Windows.

Nice, but am I the only one who thinks the Office 2003 GUI looks crappy?  Why are smart developers mimicking madness?  Eye candy that distracts more than it enhances the user experience is not eye candy but an eyesore.  And what's with all those bright colors?  Most people don't live and work in Gap stores, and the real world is definitely not Technicolor.  Are Windows GUI designers Lego fanatics?

Think of colors as emotions.  Splattering emotions carelessly is annoying to users just as talking seriously to a guy wearing a clown suit is.  Take it easy, tone it down, and think twice before you start ejaculating colors like Picasso on LSD.

Obscure URL

Discover the world of obscure URLs made possible by absent minded engineers.  Really disgusting.

Meanwhile, IE is not being too friendly to extensions that attempt to prevent toolbars and status bars from being hidden.  All legit calls I can find to force them to be visible are being ignored.  There are sneaky ways to get the job done, but I would rather not dance around behind IE's back.  If anyone has a legit solution, let me know.

IE Weekend

I didn't do anything except work this weekend on an IE toolbar for a client.  Much of the time was spent on pushing pixels around to try this look and that effect.  Still, it's not a state-of-the-art GUI because the Win32 alpha-blending functions are not supported on all the platforms.  I won't be doing much animation either.  Just no time and no room.

Thankfully, the visuals are mostly done and I can move on to messing with IE's COM objects and events.  Lots of joy there (eyeroll).  I would rather design new technologies and lead special teams on hot projects, but being a consultant means having to do what clients ask for.  I sure hope the rest of you had a better weekend than me.

Tits Flapping in Amsterdam

Elliotte Rusty Harold reports on a great looking pair of tits in Amsterdam.

I arrived in Amsterdam this morning around 8:00 A.M. local time and got to the hotel around 10:00. I had a few hours to kill before my room was ready so I wandered around to see what I could see. This being Amsterdam, there was quite a lot to see, but my absolute favorite was one pair of great tits. I even got a picture of one of them. We don't have tits like these in Brooklyn!

Perfect Corporate Weblogging Pitch Competition

As some of you know, I am a judge in Weblogs, Inc's 'Perfect' Corporate Weblogging 'Elevator Pitch' Contest which is now in the scoring phase.  I just spent an hour on the submissions and, frankly, it was difficult to judge because:

  1. I know too much about blogging to emulate clueless executives.
  2. There are too many unknowns about the audience.

Making a 'pitch' without knowing much about your audience is like pitching without knowing where the strike zone is.  Know who they are and what they are interested in so you can select the appropriate bait and dangle it where they are likely to bite.

Anyhow, I think such a contest should be held once a week with a specific target description.  For example, VP of Marketing at Nike, VP of Sales at Victoria's Secret, or VP of Engineering at Sony.  Forget the judges too.  Instead let the readers cast their votes to select the Pitch of the Week.  Fast forward and I wouldn't be surprised if executives send in pitch requests to hear how blogging can help their particular company.  Heck, asking for help is a form of marketing after all, as enterprising Nigerians have shown.

Phishing Blacklist Thoughts

These are some of the thoughts I had recently about phishing blacklists, which are going to play a major role against phishing in the near future.

  1. False reports can be submitted by phishers and pranksters.  To prevent this, anonymous reports should not be allowed.  Unfortunately, the user is not likely to be logged in when a report is made.  The solution is to queue the report until the reporting user successfully logs in.  Once the user is identified and associated with the report, filters and weights can be applied to rate the report.

    Queueing reports with client-software is no problem.  For server-side only, file the report under a cookie which can be claimed when the user logs in.  Unclaimed reports are removed after a time limit.

  2. Maintenance, particularly the removal of entries, will be a big headache as domains are reused and websites are cleaned up.  Current maintainers are not equipped to handle this properly IMHO.
  3. Companies should also be able to prevent some domain names from being reused independent of domain name registrars.  Ultimately, domain name registrars and blacklist maintainers will have to work things out.  This will likely lead to registrars taking over maintenance of blacklists and extending the service to provide 'howis', 'whatis', and 'whereis' information as well as 'whois'.
  4. Beyond correlating reports, suspected URLs can be crawled to a) see whether it really is a phishing site, b) warn the phisher into running and thus abandoning the phishing site, and possibly c) spoof back bogus information.
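As an added illustration of the queue-and-claim idea in item 1 (my own sketch, not code from the post), here is a small Python model: anonymous reports are filed under a cookie token, become attributed when that cookie's owner logs in, are purged if unclaimed past a time limit, and are weighted by an assumed per-reporter reputation table.  The reputation values, cookie tokens and URLs are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed reputation weights per known reporter (constructed for this example).
REPUTATION = {"alice": 1.0, "bob": 0.5}
DEFAULT_WEIGHT = 0.1  # weight for a claimed report from an unknown reporter


@dataclass
class Report:
    url: str
    submitted_at: float
    reporter: Optional[str] = None  # None until the report is claimed


class ReportQueue:
    """Holds anonymous phishing reports under a cookie token until the
    reporting user logs in and claims them; unclaimed reports expire."""

    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self.pending: Dict[str, List[Report]] = {}  # cookie token -> reports
        self.claimed: List[Report] = []

    def submit(self, url: str, cookie_token: str, now: float) -> None:
        # Anonymous report: filed under the browser's cookie, not yet trusted.
        self.pending.setdefault(cookie_token, []).append(Report(url, now))

    def claim(self, cookie_token: str, user_id: str, now: float) -> int:
        # On login, reports filed under this cookie are attributed to user_id.
        # Reports already past the time limit are dropped, not claimed.
        kept = 0
        for r in self.pending.pop(cookie_token, []):
            if now - r.submitted_at <= self.ttl:
                r.reporter = user_id
                self.claimed.append(r)
                kept += 1
        return kept

    def expire(self, now: float) -> int:
        # Housekeeping: remove unclaimed reports older than the time limit.
        removed = 0
        for token in list(self.pending):
            fresh = [r for r in self.pending[token] if now - r.submitted_at <= self.ttl]
            removed += len(self.pending[token]) - len(fresh)
            if fresh:
                self.pending[token] = fresh
            else:
                del self.pending[token]
        return removed

    def score(self, url: str) -> float:
        # Only claimed (attributed) reports count, each weighted by reputation.
        return sum(REPUTATION.get(r.reporter, DEFAULT_WEIGHT)
                   for r in self.claimed if r.url == url)
```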