44

Yup. Today is my 44th birthday. 44 is a terrible number because Sa-Sa could be interpreted as death twice over.

I don't look old (when I am not tired) but my body feels old and my state of mind feels so tranquil yet rigid that I must have finally reached the much heralded Old Fart club. Here is the proof: toward the end of yesterday's Internet Identity Workshop, I felt sad that everyone seemed so optimistic.

I wanted to tell them that user-centric doesn't mean looking out for the users but learning to live with little or no interest from the users. Users don't really care about identities, guys. They do care about identity theft and phishing thanks to the constant bombardment of security news over the years. For users to care about identity, it'll take more than a similar kind of bombardment over the years because fear is more compelling than convenience. And what about all the websites? Why would they adopt any of the identity schemes? I don't see any compelling incentives being discussed.

Am I sounding like an Old Fart yet? Anyhoo. Happy Birthday to Me. 😉

Monopoly Tit for Tat

It's pretty funny that Google is whining about MSN being the default search engine for IE when both Firefox and Safari ship with a Google search box built in, and my addiction to Google is as bad as my addiction to nicotine, although search result quality has gotten pretty bad lately.

New Authentication Ideas: Very Large Key

It seems many people feel that authentication is pretty much a dead space. I thought I should air some of my ideas which I think are new and different.

Very Large Key

This idea was conceived while I was looking at a picture of Rai stones. A Very Large Key is a key that is too big to be stolen or copied. There is nothing keyloggers can do against passwords that are too long to be captured or that take too long to be sent inconspicuously.

While the idea is kinda crazy, some practical implementations are possible. For example, one can fill a CD or DVD full of random data and use it like a one-time pad to log into protected websites. Instead of typing in a password, pop in a CD or DVD and you are in.

As to key validation, the server side must somehow know what values to expect. Fractal mathematics or an evolutionary key technique can be used, for example.

Note that access limitation is what is being leveraged here, which means slow access speed can make smaller storage mechanisms effective enough. For example, a really slow USB flash drive full of random data, or a network storage service with an access speed/event choke. Parts of the secret (random data) can be stored in pieces, of course.
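As an added sketch that is not part of the original post, here is one way the idea could be tried in Python: the server stores only a short seed and regenerates the few sampled key bytes it needs with a PRF (my stand-in for the fractal or evolutionary technique mentioned above), while the client keeps the fully expanded key on its slow media and answers each login by reading only a few dozen bytes. The seed expansion, the challenge format and the coupon-collector estimate are assumptions of mine, and the sizes are shrunk so the demo runs in seconds.

```python
import hashlib
import hmac
import math
import secrets

# Constructed demo of a "Very Large Key". Assumed design (not from the post):
# the server stores only a 32-byte seed and regenerates any key byte on demand
# with a PRF (SHA-256 over seed || block index); the client carries the fully
# expanded key on slow media. Sizes are shrunk so the demo runs quickly.
BLOCK = 32            # bytes per PRF output block
KEY_BLOCKS = 1 << 15  # 1 MiB of key here; the idea needs gigabytes in practice
SAMPLES = 64          # key bytes a single login touches

def key_byte(seed: bytes, offset: int) -> int:
    """Server side: regenerate one key byte from the seed in constant memory."""
    block = hashlib.sha256(seed + (offset // BLOCK).to_bytes(8, "big")).digest()
    return block[offset % BLOCK]

def expand_key(seed: bytes) -> bytes:
    """Write the whole key out once, e.g. to burn onto the client's CD/DVD."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
                    for i in range(KEY_BLOCKS))

def _mac(sampled: bytes, nonce: bytes, offsets: list[int]) -> bytes:
    msg = nonce + b"".join(o.to_bytes(4, "big") for o in offsets)
    return hmac.new(sampled, msg, hashlib.sha256).digest()

def challenge() -> tuple[bytes, list[int]]:
    """Server: a fresh nonce plus a random sample of offsets into the key."""
    nonce = secrets.token_bytes(16)
    offsets = [secrets.randbelow(KEY_BLOCKS * BLOCK) for _ in range(SAMPLES)]
    return nonce, offsets

def respond(key: bytes, nonce: bytes, offsets: list[int]) -> bytes:
    """Client: read only the sampled bytes and prove knowledge of them; the
    key bytes themselves never leave the machine, only this MAC does."""
    return _mac(bytes(key[o] for o in offsets), nonce, offsets)

def verify(seed: bytes, nonce: bytes, offsets: list[int], response: bytes) -> bool:
    """Server: recompute the expected MAC from the seed, compare in constant time."""
    expected = _mac(bytes(key_byte(seed, o) for o in offsets), nonce, offsets)
    return hmac.compare_digest(expected, response)

def logins_to_observe(fraction: float) -> int:
    """Estimated logins an observer of the client's disk reads must watch before
    it has seen `fraction` of the key (coupon-collector approximation)."""
    return math.ceil(-math.log(1 - fraction) * KEY_BLOCKS * BLOCK / SAMPLES)
```

The per-login exposure is what the slow-media argument rests on: with a 1 MiB key and 64 bytes per login, `logins_to_observe(0.5)` comes out above eleven thousand, and it scales linearly with the key size.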

IE7 Beta 2: Eeeeeeks

I just tried IE7 Beta 2 and all I can say is: eeeks!

I don't know if it was my machine or what but when I installed it, the desktop froze for about 10 minutes after rebooting. While using it, the UI was rather awkward and links that opened new windows just refused to work, forcing me to open them in tabs. When I tried to close it, the damn thing froze again for another 5 minutes. Needless to say, it was uninstalled right after that.

Where the hell did they get the nerve to release this crap as beta 2?

On the other hand, this gang of open source thugs just makes me shake my head. How ironic that they are leveraging Google, another monopoly-in-the-making, to spit on Microsoft. To me, it's just naked hate and nothing more.

RSA Buys PassMark Security

Like an old dog, I knew something was coming. I sniffed the air and smelled a buyout. RSA has been in a buyout mood lately which placed them on the top of the short list of suspects.

Well, the news came Friday and was announced Monday, which means that, for disclaimer's sake, RSA Security is a client of mine and I own RSA stock. The size of the deal was rather disappointing but liquidity is always welcome.

It's funny how Cyota keeps popping up in my professional life. Cyota was the main competitor of PassMark. While I was with Arcot Systems, guess who its main competitor was? Cyota got bought out by RSA and here we are in the same basket. Like Bill Harris commented this afternoon, the authentication business is like a small neighborhood of sorts. Desperate Housewives? LOL

Anyway, I am not sure I'll be with RSA for long though because I prefer fast little companies doing interesting things. Although I now prefer mini-vans over sports cars, I guess I am still a thrill seeker.

Phishing Dilution

CNET reports that Cyota is pumping bogus accounts and passwords to phishers, a technique they are calling dilution. The funny thing is that I proposed the same technique at an APWG (Anti-Phishing Working Group) meeting almost two years ago, which I called spoofback.

At the time, technology providers seemed to like the idea but bankers seemed daunted by legal ramifications. Well, I am glad someone took the idea and ran with it, although it took them two years to do so.

Anyway, the natural extension of the idea is to use the bogus information to catch phishers by trailing the flow of bogus money, a phishback of sorts. IMHO, international regulations should require all financial services to support fake transactions, the equivalent of marked greenbacks, to catch them all.

Storytelling Phish

Let me tell ya about what I think phishers will do next: storytelling. By storytelling, I mean they will send out a series of messages to each target that tells a coherent, memorable, and compelling story over time.

First one might start gently, a notice of sort without any hyperlink. Next one might get more alarming like recommending that password be changed. Again, no hyperlink. With each message, a thread of conversation grows and, because each message mentions contents of previous messages, a story develops. When the phisher feels he has built up enough shared knowledge with the reader to lure him or her into complacency, the trigger is pulled.

60% of “the code” is not 60% of Vista

Just when I was getting used to not blogging, this hell storm of misunderstanding and confusion hits the fan to which I am compelled to respond. Like Dave said, you have to be clueless about programming to believe that 60% of Vista has to be rewritten. Yet David Richards, the reporter, wrote boldly in his first article:

Up to 60% of the code in the new consumer version of Microsoft new Vista operating system is set to be rewritten as the Company "scrambles" to fix internal problems a Microsoft insider has confirmed to SHN.

He is clearly saying that up to 60% of Vista code has to be rewritten. He then posted a followup report in which he wrote:

The marketing director of a key Microsoft partner has confirmed that key elements of Windows Vista are currently being re written.

Note the subtle difference here? Key elements? Where is the 60%? The Acer exec he quotes said:

The decision to delay Vista into the consumer market will have an impact on hardware sales particularly in the Media Centre market. We have been told that Microsoft has bought in programmers from the Xbox team to work on the problems. We have also been told that up to 60% of the code will have some form of re writing or changes made. We are told that Microsoft is concerned at the impact that the delay will have on hardware manufacturers. We have raised our concerns directly with Microsoft.

Put the bold parts together. The problems clearly refer to areas in the media centre related code, not the whole of Vista. The code clearly refers to the area where the problems are. Instead of a city-size crater covering millions of lines of code, we are probably talking about a handful of small craters, each of which wiped out 60% of a city block. No big news there. Shit like that happens.

What I don't understand is why people are adding noise to noise and clamoring on top of clamoring. Don't we have better things to do? Is this what blogosphere has evolved into? Amplifier of irresponsible journalism?

New Golf

What I've been doing for the past 6 months in my spare time has now become a new meme: New Golf.

It doesn't matter if it is or not. What matters is that I am having fun and I know there are rich veins of ideas in there. For now, I managed to mine some good stuff that could become a keystone of the next generation group communication technologies. It's not about 3D graphics and it's not about immersion. It's not even about what WoW has but more about what it lacks.