Version 1.0 of libbt, an open source C library that implements the BitTorrent protocol, is released. Get the bits here. You'll need it if you want to add BitTorrent support in your news aggregator.
Cleaning Phish with a Hammer
Two must-have features I am planning to add to PhishGuard are:
- Require the user to approve hyperlink activation from within e-mail clients using a security dialog that clearly displays destination URL.
- Disable all hyperlinks in e-mail clients
Implementing these two features for just Outlook and Outlook Express should stop most phishing attacks on Windows platforms. It's a brutal solution, but I am sure there are plenty of IT guys who are dying to wield these two lovely hammers.
BTW, I somehow ended up as the top Google result for Phishing Toolbar. I guess Phishing Hammer is next.
Anti-Phishing Working Group
Anti-Phishing Working Group (APWG) is an industry group whose mission is to:
- Share information and best practices
- Identify the size and cost of the phishing problem
- Promote visibility and adoption of industry solutions
I like what the group is about and what they are doing, but it's not apparent how an independent consultant/developer like me can easily participate. APWG membership is available only to "eligible organizations", without specifying who or what determines eligibility. Also, I don't like the idea of having to pay to contribute my time to the group's activities. It would be nice if they had something similar to W3C's Invited Expert status for membership.
Anyhow, APWG is meeting in San Francisco on April 5th. I have asked them if I can attend the meeting but haven't heard from them yet.
Phishy Domain Names
This morning, I got a phishing e-mail pointing to:
It won't be long before domain name registrars are forced to treat phishing target names specially to prevent this sort of thing from happening.
PhishGuard TODO: If a link's textual content appears to be a URL yet differs from the link's URL, flag it as a possible phishing attempt.
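One way to implement that TODO item, as an added example that is not PhishGuard's own code: collect every anchor in an HTML e-mail body, and flag those whose visible text looks like a URL but resolves to a different host than the real href. The sample message below is constructed for the example; the helper names (URL_LIKE, host_of, suspicious_links) are mine and not from the project.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anchor text that "looks like a URL": optional scheme, dotted host, optional path.
URL_LIKE = re.compile(
    r'^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$', re.IGNORECASE)


def host_of(text):
    """Return the lowercase hostname of a URL or URL-looking string, or None."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate   # let urlparse see a bare host as a host
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    return host.lower() if host else None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # inside an <a>, possibly nested in <b> etc.
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return (text, href) pairs where the visible text looks like a URL
    but points at a different host than the actual href."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not URL_LIKE.match(text):
            continue                        # "Click here" style text is out of scope
        if host_of(text) != host_of(href):
            flagged.append((text, href))
    return flagged


# Constructed sample e-mail body: one disguised link, one honest link,
# one link whose text is not URL-like (not covered by this check).
SAMPLE_EMAIL = """<p>Dear customer, please verify your account at
<a href="http://192.0.2.10/login">http://www.example-bank.com/login</a>
or visit <a href="https://www.example-bank.com/">www.example-bank.com</a>.
<a href="http://192.0.2.10/">Click here</a> for help.</p>"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"possible phishing link: text={text!r} href={href!r}")
```

Only the host is compared, so a link whose text says http:// while the href uses https:// on the same host is not flagged; comparing full URLs would produce false positives on tracking redirects and scheme upgrades, which is why the TODO talks about the link's destination rather than its exact string.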
Web Password Hashing
Reusing passwords is common, and many paranoid-yet-lazy engineers have adopted the habit of appending or prepending their 'universal' password with domain names. In reality, such a practice is not very secure because the universal password can be easily deduced if any one of those machines is broken into.
Dan Boneh's Stanford Applied Crypto Group, which created SpoofGuard and Identity Based Encryption (the technology behind Voltage), is using an automated variation of the scheme to let users reuse passwords at multiple sites with an arguably acceptable level of risk. The idea is to detect password fields using a browser plugin and replace the password entered with a site-specific password calculated like this:
site-pwd = hash(domain-name + reused-pwd + universal-pwd)
universal-pwd is needed for protecting against dictionary attacks.
I like the general idea but there are many implementation and usability issues yet to be solved, some listed in their PowerPoint presentation and some not such as password length limitation and password field spoofing. Still, I think the idea is useful when combined with other ideas and am looking forward to their demo.
BTW, SpoofGuard also uses password hashing with a server-provided salt to protect reused passwords, but I don't think a server-provided salt alone provides much value. Also, I think they gave up on per-user salt too easily. Anyhow, I am impressed with the work Stanford ACG is doing because they are not afraid to roam outside the crypto realm to find creative solutions.
Update:
One important side-effect of the above password hashing scheme, which I neglected to mention, is that passwords cannot be 'phished' without DNS poisoning, because the domain name will be different. Neat, eh?
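The site-pwd formula above and the phishing side-effect in this update, worked through as an added example (my code, not Stanford ACG's plugin). The post does not name the hash, so SHA-256 with base64 output is an assumption, as is truncating to 16 characters for sites with password length limits. One deliberate deviation from the literal formula: the three inputs are joined with a NUL separator instead of plain concatenation, so that different (domain, password) splits can never produce the same input string. The domains and passwords are constructed sample values.

```python
import base64
import hashlib
from urllib.parse import urlparse

SEPARATOR = b"\x00"   # keeps domain/reused/universal boundaries unambiguous (my addition)


def site_password(domain_name, reused_pwd, universal_pwd, length=16):
    """site-pwd = hash(domain-name + reused-pwd + universal-pwd).

    SHA-256 and base64 are assumed here; `length` caps the result for
    password fields that reject long values (one of the usability issues
    the post mentions).
    """
    domain_name = domain_name.strip().lower()   # same site, same password, any capitalization
    material = SEPARATOR.join(
        s.encode("utf-8") for s in (domain_name, reused_pwd, universal_pwd))
    digest = hashlib.sha256(material).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def domain_of(url):
    """Domain name the plugin would feed into the hash for a given page URL."""
    host = urlparse(url).hostname
    if host is None:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower()


def phished_value_is_useless(real_url, phishing_url, reused_pwd, universal_pwd):
    """True when the password a user would type into the phishing page
    differs from the one the real site expects, i.e. the lookalike
    domain changed the hash input."""
    real = site_password(domain_of(real_url), reused_pwd, universal_pwd)
    phished = site_password(domain_of(phishing_url), reused_pwd, universal_pwd)
    return real != phished


if __name__ == "__main__":
    reused, universal = "hunter2", "correct horse battery staple"   # constructed
    for url in ("https://www.example-bank.com/login",
                "https://www.example-shop.com/account",
                "https://www.examp1e-bank.com/login"):     # lookalike domain
        print(domain_of(url), site_password(domain_of(url), reused, universal))
    print("phished value useless:", phished_value_is_useless(
        "https://www.example-bank.com/login",
        "https://www.examp1e-bank.com/login", reused, universal))
```

Because the plugin hashes whatever domain the browser is actually on, a lookalike domain yields a different site password, which is exactly why only DNS poisoning (same domain name, wrong server) defeats the scheme. The universal password still has to be strong: with a weak one, an attacker who captures a single site password can brute-force it offline, which is the dictionary-attack point made above.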
Eclipse 3.0 M8 Released
The eighth milestone of Eclipse 3.0 is out. Most notable among the new features and changes in this release are a public API for webform-like UI and UI style changes. I love the webform UI, but I am not too fond of some of the UI changes. It's as if the Eclipse team hired a new UI designer who is trying to turn Eclipse 3.0 into a proving ground of sorts, using curves where none are needed, adding color accents to icons unevenly, etc.
One skill every artist and designer must have is knowing when to stop. What the Eclipse 3.0 team is trying to do with these frivolous UI changes amounts to putting lace on jock straps.
SpoofGuard
In Payments News, Scott Loftesness points to a Stanford research project that does what I intended to do with my PhishGuard project. Similar in both name and form, SpoofGuard is an IE-only browser plugin that helps protect the user against phishing attacks. They have also open sourced SpoofGuard, so many similar plugins are likely to appear soon.
Update 1:
While SpoofGuard is interesting, it is prototype quality. If you are interested in a commercial quality solution, be sure to check out Trust Toolbar and Verification Engine from Comodo Group.
Update 2:
Upon closer examination of SpoofGuard, I have to conclude that SpoofGuard is only a temporary solution, because it was designed against the common phishing practices of today, which are mostly sloppy and lazy work thinly covered with cleverly crafted words. SpoofGuard, for the most part, detects common patterns of mistakes phishers are making today. As I expect the level of sophistication and diligence to rise quickly as anti-phishing technology evolves and the stakes rise, I am afraid this 'guard' won't be on guard duty for long unless it evolves as well.
Emergent Conflicts
On the way home from the blogger dinner, I had an epiphany of sorts about the effect of the Internet on social networks. The revelation was that, while the Internet creates new relationships, it also creates new divisions. The Internet builds new bridges, but those bridges are built at the individual level and not at the group level. At the group level, walls instead of bridges are formed.
My last thoughts as I drove into my house were:
Politeness silences and rudeness divides.
Relationships bind and blind.
Conflicts unite and divide.
Sum it all up and the result is not encouraging. I hope I am wrong.
Dinner at Venture Frogs
It was a fun dinner. Small in size, but large in content. Here are some pictures from the dinner.

Russell Beattie and John Dowdell

Rauno Saarinen and Jay Fienberg

Fractal Blogspace
Back in February, I posted about Levitated's collection of awesome paintings and mentioned that it would be cool to use my blogroll to build an Emotional Fractal. Today, Jared at Levitated sent me exactly that and named it Fractal Blogspace.
Fractal Blogspace of Don Park
Awesome! Thanks, Jared. You can view it full size by clicking through.
