Eclipse 3.0 M8 Released

The eighth milestone of Eclipse 3.0 is out.  Most notable among the new features and changes in this release are a public API for the webform-like UI and UI style changes.  I love the webform UI but I am not too fond of some of the UI changes.  It's as if the Eclipse team hired a new UI designer who is trying to turn Eclipse 3.0 into a proving ground of sorts, using curves where none are needed, adding color accents to icons unevenly, etc.

One skill every artist and designer must have is knowing when to stop.  What the Eclipse 3.0 team is trying to do with these frivolous UI changes amounts to putting lace on jock straps.

SpoofGuard

In Payments News, Scott Loftesness points to a Stanford research project that does what I intended to do with my PhishGuard project.  Similar in both name and form, SpoofGuard is an IE-only browser plugin that helps protect the user against phishing attacks.  They have also open-sourced SpoofGuard, so many similar plugins are likely to appear soon.

Update 1:

While SpoofGuard is interesting, it is prototype quality.  If you are interested in a commercial quality solution, be sure to check out Trust Toolbar and Verification Engine from Comodo Group.

Update 2:

Upon closer examination of SpoofGuard, I have to conclude that SpoofGuard is only a temporary solution because it was designed against the common phishing practices of today, which are mostly sloppy and lazy work thinly covered with cleverly crafted words.  SpoofGuard, for the most part, detects the common patterns of mistakes phishers are making today.  As I expect the level of sophistication and diligence to rise quickly as anti-phishing technology evolves and the stakes rise, I am afraid this 'guard' won't be on guard duty for long unless it evolves as well.

Foreplay with e4Graph

I played a bit with e4Graph early this morning to store some XML documents.  e4Graph database files were about 1.5 times larger than the XML files.  Not bad, although I suspect there is some room for improvement since XML files compress well.  The good news is that every element and attribute in the XML file is stored as a node or edge of a graph.  Cool.

The bad news was that it was somewhat slow in converting XML files into graphs.  But it should be just fine for most client-side applications.  I am going to test node insert, query, and navigation performance later.

P2P NG: Darknets

Robert Kaye, creatively titled Mayhem & Chaos Coordinator of MusicBrainz, has an interesting article at OpenP2P.com titled 'Next-Generation File Sharing with Social Networks' in which he talks about the social, legal, and technical issues of Darknets, private, secure P2P networks built around social networks.

He recommends an SSH-based protocol with interesting techniques like Port Knocking (as in secret knocks) and media identifiers like those Bitzi and MusicBrainz provide.  Port Knocking, in particular, got me chuckling.  The idea, described as a system for stealthy authentication across closed ports, is to use a secret pattern of connection attempts to a series of closed and logged ports.  Unless the right pattern is used, the server either refuses the connection or acts innocent by providing some bogus service.
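To make the "secret knocks" idea concrete, here is an added example (not code from Robert Kaye's article or from any real knock daemon) of the server-side half: a checker that reads logged connection attempts to closed ports and decides which sources completed the knock sequence in order and in time.  The log line format, the three-port sequence and the ten-second window are assumptions made for illustration, and the sample log is constructed.

```python
# Added example: a port-knock sequence checker run over constructed firewall log
# lines. Not code from the article or from any real knock daemon; the log format,
# the three-port sequence and the time window are assumptions.
import re
from collections import defaultdict

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed secret knock, in order
WINDOW_SECONDS = 10                   # assumed: whole sequence must land within 10 s

# Assumed log line shape, loosely modelled on iptables LOG output:
#   <unix_ts> DROP SRC=<ip> DPT=<port>
LINE_RE = re.compile(r"^(?P<ts>\d+) DROP SRC=(?P<src>[\d.]+) DPT=(?P<dpt>\d+)$")


def parse_line(line):
    """Return (timestamp, source_ip, dest_port) or None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group("ts")), m.group("src"), int(m.group("dpt"))


def find_valid_knocks(lines, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Return [(source_ip, timestamp_of_final_knock)] for every source that hit the
    ports in `sequence`, in order, within `window` seconds.

    Failure modes handled: a knock on the wrong port voids the attempt (unless it is
    the first port of the sequence, which starts a fresh attempt), and a knock that
    arrives after the window has expired also forces a restart.
    """
    # per source: (index of next expected port, timestamp of first knock in attempt)
    state = defaultdict(lambda: (0, None))
    opened = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        idx, started = state[src]
        if started is not None and ts - started > window:
            idx, started = 0, None          # stale attempt: start over
        if dpt == sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
            if idx == len(sequence):
                opened.append((src, ts))    # full sequence: this source "knocked in"
                idx, started = 0, None
        elif dpt == sequence[0]:
            idx, started = 1, ts            # wrong port, but it restarts the sequence
        else:
            idx, started = 0, None          # wrong port: attempt voided
        state[src] = (idx, started)
    return opened


# Constructed sample log: one good knock, one out-of-order knock, one too-slow knock.
SAMPLE_LOG = """\
100 DROP SRC=10.0.0.5 DPT=7000
101 DROP SRC=10.0.0.5 DPT=8000
102 DROP SRC=10.0.0.5 DPT=9000
200 DROP SRC=10.0.0.9 DPT=7000
201 DROP SRC=10.0.0.9 DPT=9000
202 DROP SRC=10.0.0.9 DPT=8000
300 DROP SRC=10.0.0.7 DPT=7000
301 DROP SRC=10.0.0.7 DPT=8000
320 DROP SRC=10.0.0.7 DPT=9000
""".splitlines()

if __name__ == "__main__":
    print(find_valid_knocks(SAMPLE_LOG))   # [('10.0.0.5', 102)]
```

Only 10.0.0.5 gets in: 10.0.0.9 knocked out of order and 10.0.0.7 took too long.  One caveat worth keeping in mind: a fixed sequence like this is visible to anyone watching the wire and can simply be replayed, so port knocking hides the service from casual scanning but is no substitute for the SSH authentication behind it.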

Robert also analyzed the attack model, using the RIAA as the bad guys.

  1. Server attack: The central server gets hacked, raided by legal attackers, or otherwise compromised. Since the server operates blindly with respect to what the clients are doing, the server contains no incriminating evidence. The attacker cannot tell a recipe-trading network from a movie-trading network. At worst, the IP addresses of the members can be exposed and those must be pursued with a John Doe lawsuit.
  2. Client attack: A client gets hacked, raided by legal attackers, or otherwise compromised. The compromised client could potentially continue operating and collect the IP addresses of everyone in the network. Incriminating behavior could be observed.
  3. Social client attack: An attacker gets invited to the network and starts participating in the network. Over time, the attacker can collect all of the IP addresses of the members and possibly observe incriminating behavior.

While the article was interesting, Darknets are doomed IMHO because of #3, the social client attack.  All the RIAA has to do is offer financial incentives to encourage people to infiltrate or betray Darknets.  His defense seems to be that Darknets are protected by being a more difficult or costly target to chase than easier targets like Kazaa.  I disagree, because financial incentives are paid out only when results are delivered.

WTL 7.1

Wow.  Did you know WTL 7.1 was released back in December?  Sheesh.  I have been hobbling along with a version of WTL 7.0 I hacked to get working under VS.NET 2003 and I didn't know about WTL 7.1 until now.  It has a nice set of bug fixes, VS.NET 2003 compatibility, and works under Windows CE too.  Nice!  Microsoft should either put more resources behind WTL or make it public domain so WTL developers like me can keep updating it.

FYI, WTL is an extension of ATL, a set of C++ templates for writing lean and mean Win32 software.

TypeKey

Six Apart is planning to introduce an authentication service called TypeKey to control comment spamming.  Not much detail has been released yet, but I think such a service will be good for the blogosphere as long as it is done right.  A typical cause of failure for such schemes is unnecessarily tight security.

Security is a relative word after all, and I don't think the security requirements for blogging are stringent enough to call for draconian measures that will surely discourage commenting.  Also, I feel that some room should be made for misbehavior.

One such scheme is to separate the comments into two groups: good comments and unknown comments.  Unknown comments are displayed away from good comments and are decayed over time to avoid pileups.

When a comment is posted, the comment server checks to see if the commenter has a 'blogger-cookie' and whether it was given 'welcome' status by the blog.  If so, then the comment is considered good.  If the cookie is missing or has not been granted 'welcome' status, then the comment is unknown.  'Welcome' status is granted by the blog owner while sifting through the unknown comments.  'Welcome' status can be revoked with a single click or via checkboxes.

Unfortunately, I think Six Apart's plan is more ambitious which could spell trouble ahead for Six Apart and MT users.  I hope they make the right decisions.

Update:

TypeKey seems to have caused a firestorm of posts, mostly negative or skeptical.  Scott Loftesness, a mother lode of rich knowledge and experience on consumer authentication, has a more positive opinion.  My experience with authentication is limited to design and implementation, but I also think the privacy issue is overblown, particularly since search engines can find my comments anyway.  Yes, it takes some effort to collect them all, but one doesn't need to read them all to form an opinion about me.

Here is a pseudo-code version of an alternate decentralized solution which I amusingly named TypoKey:

on comment submit:
   if has typokey cookie
      if typokey is valid and approved
         comment is good
      else
         comment is unknown
   else
      set typokey cookie
      comment is unknown

As I mentioned above, good comments differ from unknown comments in that they are displayed in a more convenient location and persist longer.  If the commenter does not wish to use typokey, they can choose not to by disabling cookies or by not checking the 'check-me' checkbox, although their comments will then be classified as unknown.

Checking check-me checkbox?  Heehee.
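For anyone who wants to see the TypoKey pseudo-code above as something that actually runs, here is an added example of the decentralized scheme (the 'blogger-cookie' check and the 'welcome' grant/revoke from the earlier post).  It is not Six Apart's TypeKey and not code from this post; the HMAC-signed cookie layout, the per-blog secret and the in-memory 'welcome' set are my assumptions, and comment storage itself is left out.

```python
# Added example implementing the TypoKey pseudo-code as working code. Not Six Apart's
# TypeKey and not code from the post; the HMAC-signed cookie layout, the per-blog
# secret and the in-memory 'welcome' set are assumptions.
import hashlib
import hmac
import secrets

SERVER_SECRET = b"assumed-per-blog-secret"   # assumption: generate randomly per blog


def _mac(token, secret):
    return hmac.new(secret, token.encode(), hashlib.sha256).hexdigest()


def issue_typokey(secret=SERVER_SECRET):
    """Mint a fresh cookie value: <random token>.<HMAC of token>."""
    token = secrets.token_hex(16)
    return f"{token}.{_mac(token, secret)}"


def verify_typokey(cookie, secret=SERVER_SECRET):
    """Return the token if the cookie carries a valid MAC, else None.

    The MAC lets the server reject forged or corrupted cookies without a database
    lookup. It does not help a commenter whose cookie is stolen outright; that is the
    usual limit of cookie-only identity, and it matches the 'not stringent' security
    level the post argues for.
    """
    if not cookie or "." not in cookie:
        return None
    token, mac = cookie.rsplit(".", 1)
    if not hmac.compare_digest(mac, _mac(token, secret)):
        return None
    return token


class CommentTriage:
    """Two-bucket comment handling: 'good' comments sit with the main thread,
    'unknown' ones go to the side area that decays over time."""

    def __init__(self, secret=SERVER_SECRET):
        self.secret = secret
        self.welcome = set()   # tokens the blog owner has granted 'welcome' status

    def submit(self, cookie, check_me=True):
        """Classify one submission. Returns (status, cookie_to_set): status is 'good'
        or 'unknown', cookie_to_set is a new cookie for the browser or None."""
        if not check_me:
            return "unknown", None              # commenter opted out of typokey
        token = verify_typokey(cookie, self.secret)
        if token is None:
            # Missing or tampered cookie: unknown, and hand out a fresh key. (The
            # pseudo-code only sets a cookie when none is present; re-issuing on an
            # invalid one as well means a corrupted cookie does not stick forever.)
            return "unknown", issue_typokey(self.secret)
        return ("good" if token in self.welcome else "unknown"), None

    def grant_welcome(self, cookie):
        """Owner action while sifting through unknown comments. True on success."""
        token = verify_typokey(cookie, self.secret)
        if token is None:
            return False
        self.welcome.add(token)
        return True

    def revoke_welcome(self, cookie):
        """Single-click revocation. True if the token was welcome before."""
        token = verify_typokey(cookie, self.secret)
        if token is None or token not in self.welcome:
            return False
        self.welcome.discard(token)
        return True


if __name__ == "__main__":
    triage = CommentTriage()
    status, cookie = triage.submit(None)        # first visit: unknown, cookie issued
    triage.grant_welcome(cookie)                # owner likes the comment
    print(triage.submit(cookie))                # ('good', None)
```

Because the token is random and the server never needs to look it up to validate it, each blog can run this on its own with nothing more than a secret, which is the "decentralized" part.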

Groove 3.0: Initial Impressions

With Ray Ozzie popping up seemingly everywhere to push Groove 3.0, I got a chance to test drive Groove 3.0 beta today.  Maybe my initial enthusiasm based on a few screenshots set too high an expectation because I was disappointed by the real stuff.  Groove 3.0 is less like Windows 3.0 and more like Clark Kent trying to change into his Superman outfit in a tight phonebooth.

I like its integration with Outlook, MSN Messenger and Explorer, but Workspaces and Tools are still trapped by the boxy pro-segregation UI which is irritating to both the users and the developers.  Why force the user to abandon the tools they already know how to use and relearn inferior tools?

Why not break open the box completely and let users use whatever tool they are using currently?  Groove 3.0's File Sharing is a good start but even more work is needed to help developers Groove-enable their existing applications.

Anyhow, I am going to play around with it some more and report back later.

Phishing at Wells Fargo

Today's phishing e-mail targeted Wells Fargo customers.

This one gets a minus for not having any compelling stick or carrot.  I mean, what is so compelling about viewing a bank account?  It also gets a minus for using a personal e-mail address as the sender and a rarely used e-mail address as the destination.  Smarter crooks are more careful about what to put in the From field.

It seems that phishing crooks are also not shy about wasting the target site's resources.  Not only are all the graphics pulled from the legitimate Wells Fargo site, but some of them are pulled using HTTPS.  Yikes.

Why am I posting these screenshots?  I am doing so because I believe they make more of an emotional impact than waving some figures around.
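The hot-linking the post describes cuts both ways: every image the phishing page pulls from the real bank shows up in the bank's own access log with the phishing site in the Referer field.  Here is an added example (not Wells Fargo's tooling and not code from this post) of the check a practitioner would run over such a log.  The host list and the Combined Log Format lines are constructed for illustration.

```python
# Added example: spot a phishing page that hot-links a bank's images by scanning the
# bank's own access log for image requests whose Referer is some other host. Not
# Wells Fargo's tooling; the host list and the log lines are constructed.
import re
from collections import Counter
from urllib.parse import urlsplit

OUR_HOSTS = {"www.wellsfargo.com", "wellsfargo.com"}      # assumption
IMAGE_EXTENSIONS = (".gif", ".jpg", ".jpeg", ".png")

# Combined Log Format: ip ident user [ts] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_image_request(path):
    return path.split("?", 1)[0].lower().endswith(IMAGE_EXTENSIONS)


def referer_host(referer):
    """Hostname from a Referer header, or None when absent or unparseable."""
    if referer in ("", "-"):
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def foreign_image_referers(lines, our_hosts=OUR_HOSTS):
    """Count image hits per referring host, for hosts that are not ours.

    Exact hostname matching is deliberate: a phishing host such as
    www.wellsfargo.com.verify-account.example must not pass a sloppy substring test.
    Requests with no Referer are skipped; browsers and proxies strip it often enough
    that its absence alone proves nothing, so it is not a signal on its own.
    """
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_image_request(m.group("path")):
            continue
        host = referer_host(m.group("referer"))
        if host is None or host in our_hosts:
            continue
        counts[host] += 1
    return counts


# Constructed sample log: legitimate hits, two from a look-alike phishing host, one
# from a free-hosting phishing page, and one with the Referer stripped.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2004:08:15:02 -0800] "GET /img/logo.gif HTTP/1.1" 200 4120 "https://www.wellsfargo.com/" "Mozilla/4.0"
203.0.113.8 - - [10/Mar/2004:08:15:05 -0800] "GET /img/logo.gif HTTP/1.1" 200 4120 "http://www.wellsfargo.com.verify-account.example/index.htm" "Mozilla/4.0"
203.0.113.8 - - [10/Mar/2004:08:15:06 -0800] "GET /img/header.jpg?v=2 HTTP/1.1" 200 9001 "http://www.wellsfargo.com.verify-account.example/index.htm" "Mozilla/4.0"
203.0.113.9 - - [10/Mar/2004:08:15:09 -0800] "GET /index.html HTTP/1.1" 200 12000 "http://search.example/?q=wells+fargo" "Mozilla/4.0"
203.0.113.10 - - [10/Mar/2004:08:15:11 -0800] "GET /img/logo.gif HTTP/1.1" 200 4120 "-" "Mozilla/4.0"
203.0.113.11 - - [10/Mar/2004:08:15:12 -0800] "GET /img/logo.gif HTTP/1.1" 200 4120 "http://free-hosting.example/~user/wf/login.htm" "Mozilla/4.0"
""".splitlines()

if __name__ == "__main__":
    for host, n in foreign_image_referers(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {host}")
```

Run against the HTTPS listener's log as well as the plain HTTP one, since the post notes that some of the images were fetched over HTTPS.  A Referer is supplied by the client, so a careful phisher can strip it; the check catches the sloppy kits the post is describing, not a determined one.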