Gone Phishing


I got phished recently (I did not actually fall for the scam, I just got the e-mail).  I am a very careful person when it comes to e-mail (bordering on paranoid), so I get very little SPAM and this is the first Phishing attack I have ever received.


Note: I got this phishing e-mail about a month ago and waited to create this post until the phishing site was shut down – I did not want anyone to visit the site and get attacked.  In hindsight I wish I had taken a screenshot of the site while it was up.  🙁


Quick Background on Phishing (Feel free to skip this section if you know all about it)


Phishing by e-mail relies upon spam techniques to get an e-mail in front of you.  They spoof SMTP headers, they change the “From” address so it looks like it legitimately comes from a company that you trust (the one I got appeared to come from Western Union) and they try to get you to open the e-mail with a catchy subject.


The intent with phishing is (generally) to get you to click on a link in the e-mail that takes you to a phony web site.  They can do this with a number of techniques.  This one used a FUD-style attack (fear, uncertainty and doubt) that makes you worry that someone has compromised your account.  Others will tell you to “sign in to see if you won a prize”.  Compare these two links:


https://wumt.westernunion.com/asp/regLogin.asp – the real Western Union login
http://wumt.westernunion.com.ref67.com/asp/regLogin.htm – the phishing site


If you just glance at the address it looks legitimate!  If you click on the link you go to a site that looks exactly like the Western Union site, and it asks you to log in.  If you do log in, the phisher has your user ID and password for the Western Union site.
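The trick in the two links above is that a host name is read by people left to right but delegated by DNS right to left: whoever owns the last labels owns everything in front of them, so wumt.westernunion.com.ref67.com belongs to ref67.com, not to Western Union. The following is an added example (not from the original post) of the check a mail filter or a careful reader can apply: extract the registrable domain from each link and compare it with the brand the page claims to be. It assumes a one-label public suffix ("com"); a production implementation would consult the Public Suffix List so that hosts under co.uk and similar suffixes are handled correctly.

```python
from urllib.parse import urlsplit

# Constructed sample input: the two links quoted in the post.
REAL_LOGIN = "https://wumt.westernunion.com/asp/regLogin.asp"
PHISH_LOGIN = "http://wumt.westernunion.com.ref67.com/asp/regLogin.htm"


def registrable_domain(url: str, suffix_labels: int = 1) -> str:
    """Return the part of the host name that its owner actually controls.

    suffix_labels is the number of labels in the public suffix
    ("com" -> 1, "co.uk" -> 2).  This simplification is an assumption of
    the example; real code should use the Public Suffix List.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    keep = suffix_labels + 1
    return ".".join(labels[-keep:])


def same_site(url_a: str, url_b: str) -> bool:
    """True only when both links are controlled by the same domain owner."""
    return registrable_domain(url_a) == registrable_domain(url_b)


def impersonates(url: str, brand_domain: str) -> bool:
    """True when the brand's domain appears as a label sequence inside the
    host name but the host is NOT actually owned by that brand, which is
    exactly the look-alike trick in the phishing link above."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    brand = brand_domain.lower()
    appears = f".{brand}." in f".{host}."
    return appears and registrable_domain(url) != brand


def describe(url: str) -> dict:
    """Summarise the facts a reader should look at before typing a password."""
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "owner": registrable_domain(url),
        "tls": parts.scheme == "https",
    }


if __name__ == "__main__":
    for link in (REAL_LOGIN, PHISH_LOGIN):
        info = describe(link)
        flag = "IMPERSONATION" if impersonates(link, "westernunion.com") else "ok"
        print(f"{info['host']:40} owner={info['owner']:18} tls={info['tls']} {flag}")
```

Note that the phishing link also lacks TLS; a legitimate login page that serves over plain HTTP is a second, independent warning sign.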


But I am not a Western Union customer
My first clue that this was a phishing attack was that I am not a Western Union customer.  But Western Union has a lot of customers, and the phishing attack relies upon this.  Let’s assume that they send 1,000,000 of these e-mails and that 1/10 of them get through the spam filters to a real e-mail address (that is a conservative estimate).  We are down to 100,000 potential victims.  Let’s assume that 1% of the population has a Western Union account and that 10% of those will fall completely for the attack.  That is 100 accounts that will be compromised.  If the phisher can get $100 from each of those victims, that is $10,000 collected.


How do we stop phishing?


User Education – One of the key reasons I am writing this entry is to continue the dialogue to educate people about phishing.  Most of the people who would find and read this blog are probably very technical and don’t need the information, but it might spur them to have the conversation with a family member or friend who needs some education.  User education only goes so far (but it does help).


Services that detect Phishing – Kudos to both Internet Explorer and Firefox for building in technology to detect and warn the user about potential phishing attacks.  Netcraft is also an excellent source of research on, and detection of, phishing sites.


Better password technology – Let’s suppose that the web sites most likely to be spoofed in phishing scams did not use plain-text passwords, but instead used encrypted tokens that were only valid for the site they were sent to, so that a token a phisher collected on his spoofed site would be worthless on the real site.  This is the true long-term solution for phishing: industry standards like SAML and implementations that use them, like Windows Cardspace.
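To make the "token that is only valid for the site it was sent to" idea concrete, here is an added example (not from the original post, and not SAML or Cardspace code) of an audience-bound token: the issuer signs the user's identity together with the name of the site the token is for, and every site checks both the signature and that the audience names itself. The signing key, the claim names and the 300-second lifetime are assumptions of the example; SAML uses XML signatures and an AudienceRestriction element for the same purpose.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key shared by issuer and relying parties.  A real identity
# provider would sign with a private key so that sites hold only the public key.
ISSUER_KEY = b"demo-issuer-key-not-for-production"


def issue_token(subject: str, audience: str, now: int, ttl: int = 300) -> str:
    """Issue a signed token that names the site (audience) it is meant for."""
    claims = {"sub": subject, "aud": audience, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig  # the hex signature never contains a '.'


def verify_token(token: str, expected_audience: str, now: int) -> Optional[dict]:
    """Return the claims only if the token is authentic, unexpired AND addressed
    to the site doing the check; otherwise return None."""
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    good = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, sig):
        return None  # forged or tampered (e.g. someone edited the "aud" claim)
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        return None  # replayed after expiry
    if claims.get("aud") != expected_audience:
        return None  # issued for a different site: the phishing case
    return claims


def relying_party_login(site: str, token: str, now: int) -> str:
    """What a site does with a presented token: accept or reject the login."""
    claims = verify_token(token, site, now)
    return f"login ok for {claims['sub']}" if claims else "login rejected"


if __name__ == "__main__":
    T = 1_000_000  # constructed clock value
    # The victim was tricked into authenticating to the look-alike site, so the
    # issuer minted a token whose audience is the look-alike site.
    captured = issue_token("alice@example.com", "wumt.westernunion.com.ref67.com", T)
    print("replayed at real site:", relying_party_login("westernunion.com", captured, T))
    genuine = issue_token("alice@example.com", "westernunion.com", T)
    print("genuine token at real site:", relying_party_login("westernunion.com", genuine, T))
```

The captured token is cryptographically valid, and the phisher still gains nothing from it at the real site, which is the property the paragraph above asks for; a plain-text password has no such binding.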


I will be blogging more about SAML and Cardspace in the future, because I think they are important technologies that address the security challenges we are facing on the Internet.

Spring Forward – are you ready?


Next Sunday is the return of Daylight Saving Time for 2007 in the United States.  It is coming early this year because of a federal law, the Energy Policy Act of 2005.  Daylight Saving Time has an interesting history: the idea can be traced back to Benjamin Franklin and his “Early to bed, early to rise….” quote.  It was first enacted by Germany in WWI and was first used in the United States a couple of years later.  The rules have been changed several times since then, but there have been few changes since 1986 (unless you live in Indiana) :-).


These days we have more and more computer systems that are “time zone aware” or that rely upon precise time keeping.  I went through my house yesterday and found over 10 systems that have Daylight Saving Time built into them (not just computers – TVs, light switches with timers in them and game consoles).


The 3-week earlier start could cause disruption for systems that are not patched or properly modified.  For instance, many offices have timers on their security systems that automatically lock and unlock the doors to their businesses.  Also, many systems have client and server components that both rely upon the correct time (Exchange and Outlook are an example of this).  Unless both systems are properly patched, you could experience issues (like showing up an hour late to a meeting).
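The following is an added example (not from the original post) that works out exactly when a device still running the old US rule (first Sunday in April to last Sunday in October) disagrees with one running the 2007 rule (second Sunday in March to first Sunday in November), using only the Python standard library. It is a calendar calculation, so it needs no time zone database; the "patched" and "unpatched" labels are this example's own names for the two rule sets.

```python
from datetime import date, timedelta


def nth_sunday(year: int, month: int, n: int) -> date:
    """n-th Sunday of the month (n=1 is the first); n=-1 means the last Sunday."""
    if n > 0:
        first = date(year, month, 1)
        # weekday(): Monday=0 ... Sunday=6, so this is the distance to Sunday
        first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
        return first_sunday + timedelta(weeks=n - 1)
    next_month = date(year + (month == 12), month % 12 + 1, 1)
    last_day = next_month - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)


def dst_window_old_rule(year: int) -> tuple:
    """US rule in force before 2007: first Sunday in April to last Sunday in October."""
    return nth_sunday(year, 4, 1), nth_sunday(year, 10, -1)


def dst_window_2007_rule(year: int) -> tuple:
    """Energy Policy Act of 2005 rule: second Sunday in March to first Sunday in November."""
    return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)


def in_dst(day: date, window: tuple) -> bool:
    start, end = window
    return start <= day < end


def unpatched_clock_error_hours(day: date) -> int:
    """Hours an unpatched (old-rule) clock lags a patched one on `day`:
    1 during the disagreement windows, 0 the rest of the year."""
    patched = int(in_dst(day, dst_window_2007_rule(day.year)))
    unpatched = int(in_dst(day, dst_window_old_rule(day.year)))
    return patched - unpatched


def disagreement_days(year: int) -> list:
    """Every calendar day on which the two rules give different local times."""
    days = []
    day = date(year, 1, 1)
    while day.year == year:
        if unpatched_clock_error_hours(day) != 0:
            days.append(day)
        day += timedelta(days=1)
    return days


if __name__ == "__main__":
    bad = disagreement_days(2007)
    print(f"{len(bad)} days in 2007 where an unpatched clock is wrong")
    print("spring window:", bad[0], "to", max(d for d in bad if d.month < 6))
    print("autumn window:", min(d for d in bad if d.month > 6), "to", bad[-1])
```

The spring window is the one the post is about (March 11 through March 31, 2007), but note that there is a second window in the autumn: an unpatched clock falls back a week early, on October 28 instead of November 4, so a door timer or calendar that looks fine in April can still misbehave later in the year.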


Some Resources


Field Report from BarCamp Madison


(Photo: Bar Camp, originally uploaded by jodieandlarry.)

I spent most of the afternoon on Saturday at BarCamp Madison (I would have spent more time but I had some family obligations to attend to).  I have to hand it to the organizers, they put on a great event.  The conference location was very scenic (it took place literally across the street from the Wisconsin state capitol) and the logistics went off really well.  There were well over 100 people who had signed in by Saturday afternoon.


I attended some really good sessions:



  • Sheila Thomas gave a talk on “The need for interpersonal skills specifically for IT professionals”.  One of the conclusions of her university research paper was that many of the IT projects that failed every year were at least partially caused by the lack of communications skills in IT professionals.
  • Sean Johnson gave a talk on “How To Burn Your Business Into The Ground – Lessons in Entrepreneurship”.  He identified 7 things that you should think about if you are starting your own business.
  • Brennan Stehling’s talk on “Creating a Custom Provider (Photo Album Provider)” became really interactive when I asked him to pull the photos I had taken of Gabe Gross the Milwaukee Brewers outfielder into his demo (I was pretty sure that I was the only person on Flickr with photos of Gabe Gross).  Worked like a charm!
  • Tony Duckles gave a talk on “Introduction to AJAX and Prototype.js” that was an overview of the Prototype JavaScript library.  Prototype is a client-side JavaScript library that can be used to add AJAX to your site.  There was great discussion about some of the issues surrounding AJAX development during this presentation (JSON vs. XML, security, design).

So where was my presentation?  Unfortunately, by the time I got there all of the slots were taken, which is great for the BarCamp.

Must listen to

If you haven’t already, please take 45 minutes or so and give a listen to Episode 15 of Windows Weekly – “Office UI Team”.


I listen to a lot of the TWiT Netcasts (Leo hates it when you call them Podcasts) from Leo Laporte.  I regularly listen to Windows Weekly, which features Paul Thurrott.  Paul gives a very fair and balanced view of the Windows platform.  He is also a great source of information from inside Microsoft; he is very plugged into the product teams.  In this episode Leo and Paul interview two members of the Office team who worked on Office 2007 and are also working on Office vNext.  This was a fascinating insight into the development of the new UI for Office.


Some of the things that they pointed out should be applied to every software development project.  They were:



  • Do qualitative and quantitative research up front.  They gave insight into the studies that they did on how users “find” or “fail to find” features.
  • Develop tenets or guiding principles and constantly judge your decisions against them.  I learned this lesson from a CIO that I used to work for.  Nothing kills an emotional argument better than a guiding-principle violation.
  • Plan for multiple iterations.  The Office UI guys half-joked about Microsoft’s reputation for not getting anything right until the 3rd try.  So they built in 3 iterations.
  • Instrument your code.  They were able to quantify the work that they had done as successful by looking at the instrumented data (you know that “share my experience data” dialog box).  They cited the example that watermarking your documents was seldom used in Office 2003, and in Office 2007 use of it has really taken off (without changing the feature).  Without well-instrumented code they would never have known that.

ArcReady in Downers Grove

Next Wednesday (March 7th) marks the first ArcReady event in the Midwest District.  It will be from 9:00 – 12:00 at the Downers Grove, Illinois office.  Microsoft has lots of great programs for developers, such as the MSDN events and DevCares.  This is an in-person training event that is focused on the role of the architect (most specifically the solution architect).  It is also for lead developers who are looking to build their skills up to become solution architects.  One of the most exciting parts of the event will be the guest presenter: Tim Landgrave of Composable Systems, Inc.


Hope to see you there!  Register for the event by going to the ArcReady web site.

Barcamp Madison

This weekend I am planning on attending BarCamp Madison, which will take place at the Inn on the Park Hotel.  I would like to go for the entire event, but will probably only be there for Saturday afternoon.  This will be my first BarCamp and I could not be more excited about it.  I love the idea of the unconference.  It looks like there are going to be some exciting sessions, some of the ones that have caught my eye are:



I am considering giving a session of my own about ASP.NET AJAX.  I will respect the unconference format and not have any PowerPoint slides and I will also check my Microsoft badge at the door.  I have a personal project that I have been working on that I would like to demonstrate how to add AJAX to.  Also I think it is a great opportunity to get feedback on my design from the community as a whole.


I hope to see you there!

Happy Birthday to .NET!


(Photo: Happy Birthday to .NET, originally uploaded by jodieandlarry.)

February 13th was the five-year anniversary of the production release of the .NET Framework.  It was also the 5th anniversary of the founding of the Wisconsin .NET User Group.  The event was celebrated with a sheet cake courtesy of C & C Recruiting (thanks!).  In addition, each attendee got a black t-shirt with “.NET” on the front and “Since 2002” on the back.


I was the speaker at the user group last night and I was amazed at the turnout.  There was a snow storm and a winter storm warning hitting Milwaukee for most of the day.  I figured that there would be only a few people at the meeting, but there were at least 70 people in attendance.  The topic, “ASP .NET AJAX”, is a very hot one, so I think that motivated people to brave the winter weather.

Reverse Salients

(Photo: Reverse Salient.)

Last week I saw a presentation by Chris Bernard, the User Experience Evangelist for Microsoft’s Central Region.  During his presentation, which was a general presentation about UX (User Experience), he brought up a really interesting concept called a reverse salient.  A salient is the term that the military uses for the troops that are leading the attack into enemy territory.  These are very important as they are “leading the charge” and you need to pay careful attention to them (if for no other reason than that they take a lot of the casualties).


The reverse salient, by contrast, is the troops that are trailing in the attack (not to be confused with medical or supply units that are supposed to be behind the fighting troops).  Military study has shown that many battles are lost because of the reverse salient.  The trailing troops create an opportunity for the enemy to “break your line” or outflank your units.  This article describes the reverse salient in a little more detail and sums it up as being your “weakest link”.


A real example
I took the picture on the right at the Milwaukee Airport.  It is an example of a reverse salient in the Transportation Safety Agency (TSA)’s fight to make airline security safe and convenient.  It is a large kiosk that shows you the items that you cannot bring in carry-on and checked baggage.  It is hard to tell from the photo, but it shows a gas can, a can of RAID, lighter fluid and a bunch of other dangerous products that clearly you should not bring onto an airplane.  The salient for the TSA is the security checkpoints and thorough inspections with all sorts of technology, so why do I consider this the reverse salient?  Surely educating passengers about the products they are not supposed to bring is an important part of the TSA strategy!  The problem is that this display is positioned after the security checkpoint.


Reverse salient in architecture
The concept of the reverse salient can be applied to architecture. You can use this concept to identify the weak points in your enterprise architecture. For example, if you are competing in the increasingly global economy, then having your core applications based on a nightly batch cycle is probably your reverse salient. If you are building web applications, then scalability is almost always going to be a reverse salient for you (unless you have spent lots of time and effort solving for that problem). Your reverse salient does not always have to be so technology focused. Chris pointed out during his talk that for many applications the user experience (not to be confused with user interface) is actually the reverse salient.

Upcoming presentation on ASP.NET AJAX

I will have the pleasure of presenting at the Wisconsin .NET Users Group this coming Tuesday (February 13th).  This will be a sort of sequel to the presentation that I gave on Web 2.0 technologies back in November.  That was an overview of all of the technologies, whereas this will be a deeper dive on the AJAX technologies.  I have a few specific tips that I picked up from the product teams in Seattle last week to share.  The meeting will be at the Northwoods office:


Northwoods Software
4600 West Schroeder Drive
Brown Deer, Wisconsin 53223


Please go to the user group web site to register – http://wi-ineta.org/.  I think that Scott Isaacs has a few surprises in store for the meeting.  🙂