One of the problems with passwords is that they can be compromised relatively easily. While brute-force cracks are possible, it is much easier to convince users to willingly part with their passwords using social engineering. That’s how phishers operate, by tricking users into entering their passwords—along with other personal information—on convincing-looking but spoofed web pages. Once they have that information, bank balances shrink while credit card balances grow.
Two-factor authentication has been touted as a solution to the problem of users giving up their passwords too easily. One group of phishers is determined to prove otherwise, as a recent attack demonstrates.
On the surface, two-factor authentication is a relatively simple solution. In order to log in to a protected site, users must enter a password as well as a second bit of information. In the case of Citibank and a handful of other financial institutions, users are given a USB dongle which displays a passphrase or string of numbers that updates every 60 seconds. It is only when the correct password is paired with a valid passphrase generated by the token that the user is granted access to their account information.
A group of phishers operating out of a Russian website attempted to trick Citibank customers in the customary manner, by directing them to a lookalike website and asking for the usual personal information. As an added bonus, the phishers also asked for the passphrase generated by the token. Once they had both pieces of the authentication information, they would presumably then transmit it onto Citibank within a 60-second time period and go about their nefarious business. It’s a simple adaptation of existing methods: just add an additional field to existing forms and they are all set.
The phishing attack demonstrates one of the weaknesses of two-factor authentication: it’s still quite vulnerable to "middleman" attacks. If a malicious site is able to pose as the genuine article, collect the necessary authentication from the unsuspecting user, and act on it quickly enough, it is not much safer than traditional password-only authentication.
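A small model of the relay described above, added here as an example and not taken from the article or from any bank's system: a hypothetical HMAC-based 60-second code generator, a verifier that accepts only the current window, the captured code forwarded within and after that window, and (going one step beyond the article) a transaction-bound variant in which the relayed code stops fitting an altered transaction. The seed and transaction strings are constructed.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not a real token seed or bank system).
SEED = b"constructed-demo-seed"
STEP = 60  # the token rolls to a new code every 60 seconds, as in the article


def token_code(seed: bytes, t: int, txn: bytes = b"") -> str:
    """Six-digit code for the 60-second window containing time t.

    An empty txn gives a plain time-based code. A non-empty txn mixes the
    transaction details into the MAC, so the code only fits that transaction.
    """
    window = struct.pack(">Q", t // STEP)
    digest = hmac.new(seed, window + txn, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def verify(seed: bytes, code: str, t: int, txn: bytes = b"") -> bool:
    """Bank-side check; accepts only the current window (no clock-skew grace)."""
    return hmac.compare_digest(code, token_code(seed, t, txn))


def relay_within_window(seed: bytes, user_time: int, relay_time: int) -> bool:
    """The article's scenario: the code typed into the spoofed page at
    user_time is forwarded to the real site at relay_time."""
    captured = token_code(seed, user_time)
    return verify(seed, captured, relay_time)


def relay_with_transaction_binding(seed, user_time, relay_time, shown, submitted):
    """Same relay, but the token signs the transaction the user actually saw.
    The relayed code is only valid for that exact transaction text."""
    captured = token_code(seed, user_time, shown)
    return verify(seed, captured, relay_time, submitted)


if __name__ == "__main__":
    t0 = 1200  # start of a window: +20 s is inside it, +70 s is the next one
    print("relayed 20 s later:", relay_within_window(SEED, t0, t0 + 20))   # True
    print("relayed 70 s later:", relay_within_window(SEED, t0, t0 + 70))   # False
    print("bound, untouched:", relay_with_transaction_binding(
        SEED, t0, t0 + 20, b"pay 50 to ACME", b"pay 50 to ACME"))            # True
    print("bound, altered:", relay_with_transaction_binding(
        SEED, t0, t0 + 20, b"pay 50 to ACME", b"pay 5000 to MULE"))          # False
```

Real verifiers usually also accept the neighbouring window to tolerate clock drift, which makes the relay window somewhat longer than 60 seconds.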
Some banks and other institutions have already made substantial investments in developing and deploying two-factor authentication systems. The central theme in marketing the systems to customers is added security. Microsoft had even planned to natively support it in Vista, although that ultimately met the same fate as other features originally planned for its new OS. However, as the latest bit of phishing demonstrates, it’s not a cure-all. When used in conjunction with other antiphishing tools, it can be more effective. But as long as there are gullible users, no combination of security measures will be completely foolproof.
Sports fans always think they know more than the coach. Being one myself, I can vouch for that. But what if I had the chance to run a professional team? Well, MSN wants to give me, and every other baseball fan, a chance with the launch of "Fan Club: Reality Baseball."
No, fans won't be giving take signs from the third base coach's box and kicking dirt on the umpire. Instead, they will be remotely running a Chicago-based, second year minor league baseball team known as the Schaumburg Flyers. Decisions that the fans will be able to make include selecting the roster, creating the daily lineup, making the pitching rotation, and handling some of the off-the-field duties such as trades and free agent signings. Tell me why the Flyers have a manager again?
The final decisions will be determined through a fan voting process. For instance, if Flyers' pitcher Dave Dobosz receives the most votes for being the team's go-to guy on the hill, then Dobosz it is. On the other hand, if Dobosz criticizes his "fantasy reality fan club", the fans could vote to cut him from the team. That's kind of scary for the players, isn't it?
Since this is already the second half of the Flyers' season, Microsoft has posted a ton of information from the first half of the season as well as other personal data about the players on the Fan Club site. The kicker here is that players, players' family members, and even coaches will blog about the experience through the rest of the season using MSN Spaces.
Overall, I'm excited to see how this works out. It's an excellent chance for fans to once and for all show that they know more than the coaching staff. The biggest problem is that the fans can't make any mid-game decisions. Maybe next year Microsoft can add some in-game management features. Imagine not wanting the other team to steal your signs, hence the signals are sent from third using AES encryption.
A few months ago I tried out an up-and-coming open source operating system called ReactOS. At the time, I hadn't heard of the project, but I thought it was worth checking out because it was said to be compatible with Windows XP. After playing with the Alpha release for a few hours and coming across several bugs, I gave up on it. Then today, as I'm reading through some of my e-mails, I find that the group has just released a new version of the OS, titled 0.3.0 RC1. After installing it, what I found was a project with promise, but still in desperate need of work.
I began by downloading the install image. The 14MB zip file unpacked to roughly 257MB. After that, the boot process took about 7 seconds and I was dropped straight into a desktop with an icon to a command prompt and another icon to My Computer. One nice built-in feature that I noticed right away was the multi-desktop capability, which is something that doesn't natively exist in Windows XP. The operating system also comes with a Windows Explorer of its own fittingly called ReactOS Explorer. Looking at ReactOS' screenshot gallery, I figured I could get some sort of Windows application installed. As it turns out, the only thing that I could get to successfully work was Firefox. Every time I tried to download an application from the 'Net, the OS would completely bomb. Nevertheless, Solitaire worked just fine, and I enjoyed a few games before scrapping the system.
While the Administrative Tools folder was empty, the Control Panel had a plethora of options. Things like Accessibility, Mouse, Add/Remove Programs, Display, and System were all there. Network Properties was also included, but it wasn't working. To my dismay, key items like Search and network browsing were not yet implemented in this release, but like I said before, Solitaire worked.
Even though I couldn't get ReactOS to do anything worthwhile except run Solitaire and Firefox, I still salute the project. Since ReactOS' developers are working closely with the Wine project, I could see it blossoming at some point. A lightweight, Windows-compatible operating system is a wonderful thing, and demand for such a project would be high if it ran smoothly. Right now, the project is only in Alpha, but it's reassuring to know that there are people out there working on this. Keep an eye on this operating system for the future.
As a final note, the source code for ReactOS consists solely of GNU GPL and GPL compatible code. You can download it in several different formats including Live CD, Install CD, Preloaded with Qemu, VMWare Image, and just the source.
As long ago as 1920 it was recognized that optical storage would potentially give the highest possible storage density. However, the realization of reliable optical storage systems had to wait for the development of the laser. Even then, it was not until the development of the compact disc that optical storage really penetrated the consumer market. Now technology has moved on and we are currently awaiting news of the split points decision in the fight between Blu-ray and HD DVD. Even as that fight rages on, researchers have been looking ahead and we are right there looking over their shoulders.
First, let's look at some of the basic, underlying information. For a single layer disc, the information capacity is limited by diffraction. This law governs how small a spot light can be focused to. Diffraction is governed by three factors: wavelength, numerical aperture, and the refractive index of the medium the lens is in. Blue light focuses tighter than red; thus, Blu-ray and HD DVD have benefited from the transition from red to blue lasers. However, going to shorter wavelengths means ultraviolet light and goodbye to cheap optics. The numerical aperture can be thought of as a measure of the light-gathering power of a lens. Unfortunately, technology has run headlong into physics, making further improvements in the numerical aperture difficult: it is already at the maximum physically possible in current systems.
Thus the question is "What next?" Part of the answer may lie in the medium between the lens and the disc. When lithography needed higher resolution, researchers effectively increased the numerical aperture of their lenses by putting them in liquid. However, placing a liquid between the disc and the lens is problematic, since no one wants their removable storage coming out of the player damp. The answer may lie in putting a solid between the lens and the disc, as long as the solid can be placed to within a small fraction of a wavelength of the disc. This presents some mechanical engineering problems, but nothing fundamental, and could boost the single layer storage density up to 125GB.
At this point, resolution can take you no further, but encoding more than a single bit per location can. This has been tried with limited success before, but technology has finally caught up with the ideas and it may now be feasible. Instead of simply putting islands on the disc track, the information is encoded in a spiral staircase, which has the strange effect of adding angular momentum to the light; this can be detected by looking at the polarization. Thus the direction and step size of the staircase can change the information encoded, which means that somewhere between two and eight bits can be encoded per location. The initial demonstrations showed that the techniques for encoding multiple bits in the angular momentum of light are promising, though understandably noisy given the low numerical aperture used to collect the signal.
The paper presents a fascinating review of the past and an intriguing insight into the very next steps in optical data storage. Although they briefly mention more far-off possibilities, such as holographic storage, they have deliberately limited themselves to those techniques for which current mass production techniques will provide high volume content distribution.
As expected, the European Commission has decided to fine Microsoft for not fully complying with the 2004 finding that the company abused its monopoly position in the EU. It’s a big one, too: €280.5 million (roughly US$357.3 million at current exchange rates). In addition, the company will be fined an additional €3 million per day beginning on July 31 if it is not in full compliance by then.
In a statement, EC Competition Commissioner Neelie Kroes said that "The EU Commission cannot allow such illegal conduct to continue indefinitely. No company is above the law."
Despite the amount of the fine, Microsoft may have gotten off a bit light, as the EC had previously threatened it with a €2 million per day penalty back in mid-December. Instead, the Commission decided to fine the software giant €1.5 million per day for the period covering December 16, 2005 to June 20.
At issue is the state of Microsoft’s documentation and licensing terms for its workgroup servers. One of the stipulations of the original antitrust ruling in 2004 was that Microsoft had to open up the inner workings of its server software and allow competitors to license it so they could ship products that could fully interoperate with Microsoft’s lineup. Open source groups have criticized the company’s licensing terms while EU regulators and others who have worked on the case have said Microsoft’s documentation is abysmal.
"Microsoft did not even come close to providing adequate information," Kroes said.
Microsoft offered to license the source code in January, despite being explicitly told by the EC that it was not interested in the source code, just adequate documentation. In a statement of objections, the EC described the problems, including several hundred pages detailing how to handle errors, while failing to document how the errors happen. Another consultant spent 42 hours trying to perform relatively simple programming tasks using Microsoft-supplied tools and documentation, to no avail.
Faced with a new compliance deadline of July 18, Microsoft now has an army of 300 sweating over the details in an attempt to fully comply by then. The company alleges that it only received a "clear definition" of the documentation requirements in April and that it has hit the milestones on time. Therefore, it believes the fine is unjust. "We have great respect for the Commission and this process, but we do not believe any fine, let alone a fine of this magnitude, is appropriate given the lack of clarity in the Commission’s original decision and our good-faith efforts over the past two years. We will ask the European courts to determine whether our compliance efforts have been sufficient and whether the Commission’s unprecedented fine is justified."
Microsoft will appeal the ruling, while continuing its efforts to come into full compliance. With total fines in the case over €775 million at this point, the company has a powerful incentive to give the EC exactly what it wants.