
yet another Microsoft blogger

# Wednesday, October 15, 2008

I have been upgraded to a hurricane

Once in a lifetime event I guess.

news

Posted Wednesday, October 15, 2008    Permalink    Comments [0]  View blog reactions

 

# Tuesday, October 14, 2008

Google Reader for iPhone - Byline

One thing I do a lot of on my iPhone is catch up on my RSS feeds. Doing so in Safari leaves a lot to be desired since Safari has a habit of crashing.

The iPhone is fundamentally an awesome device for reading blog posts and news. I can quickly scan through my unread items and read, process, share and star them… from the comfort of my bed or when waiting in line for lunch.

For the past few months I’ve been using an application called Byline from Phantom Phish. Byline is a fantastic RSS reader for Google Reader. It’s simple to use and it just got better. The latest 2.0 release adds many new features, but none more important to me than an integrated browsing experience so that I never have to leave the app to read blog posts and linked articles (which is pretty common).

You can also share, star and add notes when sharing.

To make things even better, it’s being offered right now for $4. I paid $10 for it so if you use Google Reader and have an iPhone I think it’s $4 well spent.

Posted Wednesday, October 15, 2008    Comments [2]

 

# Sunday, October 05, 2008

Remapping Alt and Windows keys on a Mac using Bootcamp

One of my pet peeves with Bootcamp, Apple’s software for letting you run Windows on a Mac, is that the default keymapping for Apple keyboards swaps the Alt and Windows keys.

This totally messed with my shortcuts.

I tried using one of my favorite scripting tools, AutoHotKey, to remap the keys but this ended up being flaky. I also didn’t like the idea of relying on a running application to do the swapping.

I ran into a program called SharpKeys that remaps the keys at the OS level. It’s a remarkable little program. You can configure how you want your keys remapped and then it writes those changes to the registry. This ensures that all users of the computer have remapped keys and that the remapped keys also work outside a user session, such as at the logon prompt.

To remap Alt to Windows you need to:

  1. Get SharpKeys (download)
  2. Create a mapping for Left Alt –> Left Windows
  3. Create a mapping for Left Windows –> Left Alt
  4. Logoff

[screenshot: SharpKeys mappings for Left Alt and Left Windows]

Enjoy!

Posted Sunday, October 05, 2008    Comments [1]

 

# Friday, September 26, 2008

New Hotmail release rolling out

In traditional Microsoft parlance I’m “super excited” that we’ve started to ship a pretty significant update to the Hotmail service. The stuff I’ve been working on for the better part of a year is now rolling out to our site. It will take a few weeks to make it to all our users, but some folks will see the new bits today.

You can read about some of the new features on the Live Wire blog.

I should also point out that there are some features that will take a bit longer to roll out to all our users.

I plan to talk a bit more about what my team (People/Contacts) does and the features we’re shipping this year.

Posted Friday, September 26, 2008    Comments [5]

 

# Saturday, September 20, 2008

Your Email Password is Your Most Important Password

Here is a newsflash… the security of the majority of your online accounts is only as good as the security of your email address. As many of you know, Sarah Palin’s Yahoo account was recently compromised by taking advantage of public information to answer her secret question and take control of her account. You are at the mercy of the strength of the Password Reset Mechanism. Password Reset today is flawed.

Rule #1: Never ever ever enter your email address and password into any webpage on the Internet except that of your email provider. You are placing yourself at significant risk if you do so (there are some exceptions to this rule of course, like if your email provider is also an OpenID provider or supports delegated authentication).

Rule #2: The answer to your Secret Question should be a random string of gibberish. “Who is your best friend”? The answer should be: d8239d#5d. This way no one can guess it.

I learned the hard way just how vulnerable I was when I lost access to my Hotmail account. I cannot begin to describe what this felt like. It might feel like losing the keys to your house, arriving at home, finding a burglar in your house and getting a busy signal when calling 911.

Jeff Atwood wrote about this exact problem a few months ago:

  1. Number one with a bullet: your email account is a de-facto master password for your online identity. Most -- if not all -- of your online accounts are secured through your email. Remember all those "forgot password" and "forgot account" links? Guess where they ultimately resolve to? If someone controls your email account, they have nearly unlimited access to every online identity you own across every website you visit.
  2. If you're anything like me, your email is a treasure trove of highly sensitive financial and personal information. Consider all the email notifications you get in today's highly interconnected web world. It's like a one-stop-shop for comprehensive and systematic identity theft. How do I know Yelp isn't going to dip into other areas of my email?
  3. Even if I trust Yelp absolutely, how do I know they're not going to store my email password, perhaps insecurely, in a place some disgruntled programmer or hacker can eventually get to it? Giving out your password puts the recipient in the highly unfortunate position of having to secure your password. Give that email password out enough, and you're now vulnerable in dozens of places spread across the face of the web. The odds start to look pretty dire.

You should re-read these words a few times and internalize just what they mean. #3 is exactly why you should generate a unique password for every single website you visit. You should manage this complexity using a tool such as RoboForm, PassPack, Verisign PIP, Keepass or LastPass.

I don’t know 95% of my passwords.

Almost every single account you have will have something called a Password Reset feature. You see, none of us can remember all the passwords we use for our different sites. Heaven forbid we actually try and use unique passwords and then forget a password. How do you get access?

Well in the case of many banks and such that store highly sensitive information, you have to get on the horn and talk to a human proving that you are who you are. Usually this is done by sharing something with them that only you know and that they can verify. Things like:

  • The Credit Card Verification (CCV) code on your credit card
  • Your “secret answer” to a question (most use Mother’s Maiden name)

And in some cases, they will physically mail you a new password to your registered address.

But what about the sites that don’t think they have highly sensitive information, or don’t want to incur the cost of such a human labor intensive process? Well they will do one of the following:

  1. Email your actual password to your email address on file
  2. Email you a new random password
  3. Email you a new random password that you must change on login

Now lemme clue you into a little secret.

If the website you are using does either #1 or #2 then FAIL. That website is storing your password in the clear, or in the case of #2 transmitting it in the clear and not requiring you to change it. The only acceptable mechanism for resetting any password via email is #3: emailing you a new random password that you must change on login.

Since you have absolutely no idea how your passwords are being stored with the website (are they hashed, encrypted, in a cage at the data center) you should assume the worst. Some of the BigCos obviously understand the risk of storing such sensitive information and will do all the right things:

  • Credentials are stored using a one way hash
  • Machines that store such information are in a caged server environment
  • Credentials never pass around in the clear, such as over HTTP or any unsecured protocol.
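To make the three points above concrete, here is an added example (my own illustration, not code from this post or from any provider it mentions) of a toy account store that follows them: passwords and secret-question answers exist only as salted one-way hashes, and a reset mails a random, short-lived, single-use temporary password that has to be changed on the next login (option #3 above). The class name, the iteration count and the 15-minute lifetime are assumptions.

```python
"""Added example, not code from the blog post: a toy account store that
follows the post's rules. Passwords and secret-question answers are kept
only as salted one-way hashes; a reset mails a random, short-lived,
single-use temporary password that must be changed on the next login
(the post's option #3). All names and constants are hypothetical."""
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000       # assumed iteration count; tune for your hardware
RESET_TTL_SECONDS = 15 * 60   # assumed lifetime of a mailed temporary password


def hash_secret(secret, salt=None):
    """Salted PBKDF2-HMAC-SHA256: the clear secret is never stored anywhere."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_secret(secret, salt, digest):
    _, candidate = hash_secret(secret, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def random_secret_answer():
    """Rule #2 from the post: the 'secret answer' is random gibberish, not a fact."""
    return secrets.token_urlsafe(12)


class AccountStore:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.users = {}           # username -> record
        self.outbox = []          # (email, message) pairs the mailer would send

    def register(self, username, email, password, secret_answer):
        pw_salt, pw_hash = hash_secret(password)
        ans_salt, ans_hash = hash_secret(secret_answer)
        self.users[username] = {
            "email": email,
            "pw_salt": pw_salt, "pw_hash": pw_hash,
            "ans_salt": ans_salt, "ans_hash": ans_hash,
            "reset": None,            # (sha256 of temp password, expiry) while pending
            "must_change": False,
        }

    def check_secret_answer(self, username, answer):
        u = self.users.get(username)
        return u is not None and verify_secret(answer, u["ans_salt"], u["ans_hash"])

    def request_reset(self, username):
        """Option #3: mail a random temporary password; store only its hash and expiry.
        The real password hash is untouched and nothing about it is revealed."""
        u = self.users.get(username)
        if u is None:
            return                    # same outward behaviour for unknown users
        temp = secrets.token_urlsafe(24)
        u["reset"] = (hashlib.sha256(temp.encode()).digest(),
                      self.now() + RESET_TTL_SECONDS)
        self.outbox.append((u["email"], "Your one-time temporary password: " + temp))

    def login(self, username, password):
        """'ok', 'change-password' (temporary password accepted, a new one is
        required before anything else) or 'denied'."""
        u = self.users.get(username)
        if u is None:
            return "denied"
        if u["reset"] is not None:
            temp_hash, expires_at = u["reset"]
            presented = hashlib.sha256(password.encode()).digest()
            if self.now() <= expires_at and hmac.compare_digest(presented, temp_hash):
                u["reset"] = None                                   # single use
                u["pw_salt"], u["pw_hash"] = hash_secret(password)  # valid only until changed
                u["must_change"] = True
                return "change-password"
        if verify_secret(password, u["pw_salt"], u["pw_hash"]):
            return "change-password" if u["must_change"] else "ok"
        return "denied"

    def change_password(self, username, current, new):
        if self.login(username, current) == "denied":
            return False
        u = self.users[username]
        u["pw_salt"], u["pw_hash"] = hash_secret(new)
        u["must_change"] = False
        u["reset"] = None
        return True
```

The point of the design is that nothing recoverable ever sits in the database: a dump yields salted hashes, and a mailed temporary password is useless after one use, after fifteen minutes, or once the user has picked a real replacement. A site that can email you your old password (option #1) cannot be built on this store at all, which is exactly the property you want.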

If you have access to an email account that has more protection than a webmail provider (like a work or university email address) I highly recommend you use that email address for your password reset. It’s likely that your business is an order of magnitude more secure if they manage their own email services.

Finally, for all the reasons I mention above, don’t EVER give your email username and password out to anyone or any website unless that website clearly belongs to your email provider. NEVER.

Beware of social networking websites that ask for your username and password to “import your contacts”, aka your Social Graph.

Posted Saturday, September 20, 2008    Comments [3]

 

# Thursday, September 18, 2008

Windows Live Calendar gets To Dos

At long last, we have shipped To Dos. It’s been a long time since I worked on Windows Live Calendar and we were talking about building To Dos. The best part about To Dos is that they work with Shared Calendars. In other words, if you and your spouse have a “Family Calendar” you can now create and manage a shared task list… something Google Calendar still doesn’t have.

With the new release of Windows Live Calendar and the new Beta releases of the Windows Live Suite there is a ton of great end-to-end Calendar functionality.

  1. Outlook Connector to sync all your Windows Live Calendars to Outlook, including your Birthday Calendar for all your Contacts.
  2. Windows Live Mail now with Calendar Sync will also sync all your Windows Live Calendars
  3. Shared Calendars that you can create, share and manage with other Windows Live Users
  4. Calendar Subscriptions to public internet calendars that you can subscribe and sync to all the products above.

And of course now To Dos. Dare should be happy about this. He’ll need it when the baby comes :-).

I’ll also add that the new UI of Windows Live Calendar is awesome. Here is a picture of what To Dos look like when you have 2 calendars. You can see I have my personal calendar and my Family Calendar. You can create tasks in either calendar and they will show up depending on who you share with.

[screenshot: To Dos shown across a personal calendar and a Family Calendar]

Posted Friday, September 19, 2008    Comments [6]

 

Amazing Attention to Detail: Duplicate Phone Numbers on iPhone

The other day I received a phone call from my wife on our Home Number.

On most other phones it would say:

Call from Omar Shahine (Home)

Cool, you mean I’m calling myself?

It’s always been a pet peeve of mine that this happened. I mean this is a pretty common scenario right?

Well this doesn't happen on the iPhone. If you have two contacts with the same phone number (pretty common for people that live together, like my parents, my wife, my sister and her husband) the iPhone displays a screen like this:

[screenshot: iPhone incoming-call screen for a number shared by two contacts]

I have to say, this is great. I’d also note that they are smart enough to realize since we have the same last name, it just says “Lora or Omar Shahine”.

Posted Thursday, September 18, 2008    Comments [3]

 

# Wednesday, September 17, 2008

Publish on SmugMug for Windows Live Photo Gallery

A few months ago the folks on the Photo Gallery team sent me a pointer to the new Publish SDK in Windows Live Photo Gallery. A few hours later I had put together a crude Plugin for uploading to SmugMug.

As some of you might know, long ago I created an application called Send to SmugMug. This was a very simple program that let you select photos in the Windows Shell and upload to SmugMug. Since then I have added many features, but I personally like to use Windows Live Photo Gallery to manage all my photos and videos. Switching back and forth from application to shell got annoying.

So I was ecstatic to write a plugin. Now I can just publish directly from Photo Gallery.

You can download the Publish to SmugMug Plugin and try for yourself. It requires the new beta of Photo Gallery.

The new beta has a ton of nifty features by the way. The User Experience is redesigned to make it easier to tag, view and edit metadata. The people tagging feature is super, and you can tag using contacts from your Windows Live Address Book. For most of you that means your Messenger or Hotmail contacts.

The plugin is very simple. You select a bunch of photos in the Photo Gallery and select Publish on SmugMug from the Publish Menu. You will see this dialog:

[screenshot: Publish on SmugMug dialog]

Select an existing Gallery or create a new Gallery and click Publish.

Anyway, it’s an awesome upgrade and I hope you enjoy the new Plugin I wrote.

Posted Thursday, September 18, 2008    Comments [0]

 

# Sunday, August 24, 2008

Executor, the Ultimate Windows Launcher

For a long time I’ve searched the web looking for a great application launcher for Windows. Mac users have QuickSilver, the holy grail of application launchers. In fact I’ve never used QuickSilver; I’ve only read about its awesomeness.

First there was SlickRun and I used it for many years. In fact I loved SlickRun (and still do). However, it’s not a general purpose launcher and will not index your hard drive for applications, folders and whatnot. It will let you define some great keywords though.

Then there was Launchy. A great launcher but it lacked the ability to create Keywords like SlickRun. The UX was slick though.

I’ve tried SkyLight (from the makers of AppRocket), a beautiful application, but dog slow. I mean painfully slow (it would take a few seconds before it would allow me to type a command). SkyLight is a WPF app and, to be honest, I’ve found that all the WPF apps I’ve tried have similar performance problems (Witty and bTT).

Executor

At long last, Executor added support to index any folder you specify on your computer, allowing me to replace both Launchy and SlickRun. I tried Executor last year but the inability to customize it with your own search paths was limiting since I store little utilities in my roaming portable apps folder.

Executor has a lot of functionality. It took me a while to set up the UX and behavior the way I wanted. Here is a screen shot of what you’d see if you typed “ad” into Executor:

[screenshot: Executor results for “ad”]

As you can see, I use the large 2 line icon view, which is helpful if you use Executor to index your Documents folder for Folders and you have more than 1 with the same name:

[screenshot: Executor two-line icon view disambiguating same-named folders]

And of course you can use it as a general file system browser… much better than Start –> Run.

[screenshot: Executor browsing the file system]

With Vista we all get a nice solution to the Start Menu Mess, as Jeff Atwood describes in his post Typing Trumps Pointing. While this is a great solution for my parents, I personally need the power of defining custom keywords and search paths (like my Portable Apps directory).

Executor has a lot of features, so I’d recommend you check out this page which lists some of the cool things you can do.

Posted Sunday, August 24, 2008    Comments [7]

 

# Saturday, August 23, 2008

First iPhone Exchange bug fixes in 2.0.2

It appears that the iPhone 2.0.2 update came with two nice Exchange bug fixes. These two bugs were probably the worst that I would encounter.

Prior to 2.0.2 if either you or someone else canceled an event that was in a series of recurring events, that event would NOT get deleted from the iPhone.

This meant that the Calendar on my iPhone was not the same as my Exchange calendar.

Now, the iPhone supports exceptions to recurring events from Exchange AND you can delete an instance of a recurring event on the phone.

  • (Fixed in 2.0.2) Cannot delete a single occurrence of a repeating appointment/meeting. Only option is to delete entire series.
  • (Fixed in 2.0.2) Negative exceptions to recurring events are not handled (if an instance of a recurring event is deleted, it still appears)

I will continue to update my wiki as I see issues resolved.

Posted Saturday, August 23, 2008    Comments [0]

 

# Friday, August 22, 2008

Wells Fargo launches Secure Online Storage with Two-Factor Authentication

Hot on the heels of my post on Two-Factor Authentication, it appears that Wells Fargo is getting into the Cloud Storage business.

Their product, Wells Fargo vSafe, is part of your Online Banking account. It is a for pay service with the following pricing:

  • 1GB - $4.95 a month
  • 3GB - $9.95 a month
  • 6GB – $19.95 a month

Additionally, they are offering customers the option to sign into their vSafe accounts using what they call Advanced Access, aka Two-Factor Authentication using either:

vSafe has some nice features like:

  • Your Wells Fargo statements can get automatically archived in vSafe
  • Backup of your data
  • Geo-Redundancy

The only downside to this is that I cannot use my VeriSign VIP Token with WellsFargo since RSA SecurID and VeriSign do not interop. Personally I don’t want two dongles. Meanwhile the VeriSign VIP Token seems more widely supported (PayPal, eBay etc).

I think this is great news, and I fully expect that security will start to play a larger role in the coming years as companies start to compete based on their security offerings.

Posted Friday, August 22, 2008    Comments [1]

 

# Sunday, August 17, 2008

Two-Factor Authentication for the rest of us

I’ve always been skeptical of the usability of two-factor authentication. Specifically, Microsoft employs a form of Two-Factor authentication using a Smart Card. To get access to our corporate resources from outside our network you are required to enter your username + password, insert your Smart Card (which is our Badge) into a Smart Card Reader and enter your PIN. The Smart Card contains a certificate that is used to identify you to Microsoft (in addition to your username and password).

The problem with this is that each computer that you want to use to connect to corporate assets requires a Smart Card reader. Kind of a pain. Especially since laptops don’t have PCMCIA readers any more (replaced by Express Card).

When thinking about using two-factor authentication for securing non work assets, I just assumed this would be a hassle.

VeriSign Two-Factor Authentication

I knew that a while back PayPal started to offer a PayPal Security Key that you could use as an extra layer of security when signing into PayPal or eBay. This seems like a good idea after all, because PayPal is linked to my bank account and Credit Card, and eBay has one of my most important identities: my “seller reputation” is tied to it. An extra layer of security to sign into those sites seems like a good idea, but at what cost?

When I found out that VeriSign PIP (an OpenID provider among other things) started to offer extra security using a Security Token (and was compatible with the PayPal Security Key) I decided to give it a shot. After all, the entry price was $5. You can see the PayPal Security key below:

[photo: PayPal Security Key]

In addition to the PayPal Security Key, VeriSign offers two additional solutions:

  1. VIP Security Card – a credit card sized Token
  2. USB Memory Key from SanDisk – a traditional USB Key with special software.

Both solutions cost more than $5 so I started with the PayPal key. I’m not interested in #2 since I view it as more of a hassle to have to insert something into a computer.

I received my PayPal key the other day and immediately fell in love with it. It’s small, and easy to use and easily found a place on my key chain. For $5 it’s a steal.

However, I was wondering what the VIP Security Card was like.

Luckily I’ve been chatting with the folks at VeriSign over the past few days and they were kind enough to send me a VIP Security Card to play around with.

All I can say is WOW. This thing is awesome. It’s the exact same size and dimensions as a credit card. I assumed it would be thick because it appears to have some kind of LCD. But actually it’s a form of screen similar to the Amazon Kindle. It consumes no power to display the current code, only to change it. Your security code is only ever valid for 30 seconds and each one is unique (One Time Password).

[photos: VIP Security Card, front and next to a credit card]

Personally, I prefer this format better since I can just throw it in my wallet and my wallet is always with me, unlike my keys.
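The “valid for 30 seconds, each one unique” behaviour described above is what a time-based one-time password does in general. As an added example (my own code, not VeriSign’s or PayPal’s, and the page does not say which algorithm the VIP tokens actually use), here is the OATH form of it from RFC 6238, an HMAC over a 30-second counter, together with the server-side check a relying party would run: it tolerates one step of clock skew and refuses to accept the same code twice. The class name, window size and the shared secret are assumptions.

```python
"""Added example, not code from the blog post and not VeriSign's or PayPal's
implementation: a time-based one-time password in the style of RFC 6238
(HOTP per RFC 4226 driven by a 30-second counter). Whether the VIP tokens
use exactly this algorithm is not stated on the page and not assumed here."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # the 30-second validity window the post describes
DIGITS = 6          # assumed code length


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, digits=DIGITS):
    """The token side: the counter is simply 'which 30-second step is it now'."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // STEP_SECONDS, digits)


class TotpVerifier:
    """The relying-party side. Accepts the current step plus `skew_steps` either
    side to absorb clock drift, and remembers the last step it accepted so a
    captured code cannot be replayed, even inside its 30-second window."""

    def __init__(self, secret, skew_steps=1):
        self.secret = secret
        self.skew = skew_steps
        self.last_used_step = -1

    def verify(self, code, at):
        step = int(at) // STEP_SECONDS
        for candidate in range(step - self.skew, step + self.skew + 1):
            if candidate <= self.last_used_step:
                continue                      # already consumed (or older): one-time only
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_step = candidate
                return True
        return False
```

The replay check is the part that turns “each one is unique” into an actual guarantee: without it, a code sniffed or phished seconds ago is still good for the rest of its window. A real deployment also persists `last_used_step` per token and rate-limits failed attempts, since six digits leave only a million possibilities.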

Other Two-Factor Authentication systems

I should point out that two-factor authentication does not have to be limited to physical tokens like the ones mentioned above. There are numerous other mechanisms that other OpenID providers utilize. VeriSign summarizes a whole slew of them here.

SSL Certificates

VeriSign and myOpenID both support SSL Client Certificates, but they both implement them differently.

Most people are familiar with server based SSL certificates. These are the things that practically every single ecommerce or financial institution uses to encrypt the information between you and them. It makes it so that the bad guys cannot sniff your traffic and steal your credit card or other personal information. Generally speaking these have been adequate protection for hundreds of billions of dollars in transactions over the years. Since it’s hard for the bad guy to pretend to be the server you are interacting with, they tend to focus on things like phishing and man-in-the-middle attacks to steal your username and password (and now DNS exploits).

For years we have been trained to look for the “lock” icon when dealing with secure websites.

[screenshot: browser lock icon]

Over time this has evolved to include more prominent UI features, as you can see in IE 7 and Firefox 3:

[screenshots: IE 7 and Firefox 3 address bar security indicators]

However little attention has ever been paid to client side SSL certificates. Well they work just like server side certificates except that the authentication is mutual. In other words, not only do you validate that the web site is who it says it is, but the website is validating who you say you are. This is done because the server and you share a secret, and SSL is a mechanism for verifying that you both know the secret, without exchanging that secret with each other. Sounds complicated? It might, but this is the basis upon which Public Key Infrastructure (PKI) is built.

At the end of the day, what you need to know is that the way this can be a two-factor authentication mechanism is that you install this SSL cert on each computer from which you plan to log in to the service (in this case the OpenID provider), and after you authenticate to the service using a username and password, the service has an additional layer of authentication via your client SSL certificate. It’s like a “Soft Token” (a software version of a hardware token, like those mentioned above).

VeriSign and myOpenID have two different uses for SSL Client certificates. For VeriSign they work much like a hardware token, meaning you have to possess the client certificate and your username and password to gain access. If you don’t have your client certificate installed you can have a temporary access code sent to your phone via SMS or your email account.

myOpenID uses the SSL as a way for you to login to the site without entering your username and password. So in a way, it’s a replacement for your password credential and works a bit like an Information Card.

Image Authentication

Some services like myVidoop.com (another OpenID provider) use images as a second authentication factor. After you log in you are presented with a series of images from categories that you pre-selected, mixed with pictures from random categories. Since only you know the categories you picked, you enter special codes corresponding to those categories. There is no password per se; your selection of the right images from the right categories is your password. Clever.

These images work in conjunction with specialized code they have to “activate” a browser. In other words, you only get to go through the image identification once you’ve confirmed the browser to myVidoop. If you have not you can use SMS or email to temporarily activate your image authentication.

So in this case, your two-factors are 1) provide identity of browser to service and 2) authenticate using images.

I have to admit, I’m still getting my head wrapped around this one. I haven’t yet figured out how they “identify” a browser.

Phone Based Authentication

There are two forms of Phone authentication that I’ve run into. Voice authentication that myOpenID uses and SMS based authentication that a number of services use.

CalVerifID is a service myOpenID runs that allows you to use your plain old telephone to authenticate. When you sign in to myOpenID you receive a phone call from them; press # to confirm. Very simple.

SMS verification is currently supported by VeriSign and myVidoop to allow authentication in the case where your primary two-factor mechanism is not available. This comes in very handy say if I am not near my hardware token or I’m too lazy to go get it from my wallet and my iPhone is right in front of me :-).

Final Thoughts

As you can see, there are numerous options today for two-factor authentication. You can immediately secure such assets as your PayPal and eBay account with any VeriSign VIP product. Furthermore as OpenID continues to gain in popularity, you’ll have more options for securing your Identity on other services.

I’d say this is progress.

Posted Sunday, August 17, 2008    Comments [9]

 

# Tuesday, August 12, 2008

VeriSign launches competitor to PassPack

Over the past few months I’ve been thinking A LOT about passwords and how broken the Internet is right now with respect to authentication. Expect a number of posts over the next few weeks about my thoughts on the matter (timely since this NYT piece came out this past weekend).

For the record, I have over 266 unique passwords for websites and currently use RoboForm to manage them all (I actually ran RoboForm for over a year so that I could capture every site I entered credentials into). I would like a solution that roams with me, but Dual Factor authentication and strong password reset mechanisms are a requirement.

Why is VeriSign’s role here important? For one thing, they have a fairly important role in how the Internet runs and have a distinguished history with respect to Internet security technology.

I’ve been playing around with VeriSign Personal Identity Portal (PIP) the last few days. VeriSign PIP is an OpenID provider with a number of novel features that make it far and away the best OpenID provider out there.

They support:

  1. OpenID 2.0
  2. SSL Client Certificates for authentication
  3. VeriSign Identity Protection (VIP) security key products for dual-factor authentication
  4. Information Cards
  5. OneClick Sign-in access for over 80 popular websites (like Facebook, Google, Windows Live)

Item #5 competes directly with PassPack, which is a cool web based service for storing your usernames and passwords (secured by a password and a “packing key”). I haven’t moved over to them yet because I’m taking my time to understand the options out there.

VeriSign takes a similar approach to PassPack in that to get to your data you:

  1. Login using your username and password or Information Card
  2. Optionally enter your Security Code (if you don’t have your FOB you can fallback to SMS)
  3. Use your encryption key to “unlock” your OneClick passwords.

This all seems good. It's important to note that all your username and password credentials for OneClick are encrypted using a key that only you know. If you lose this key, or someone manages to get access to your account, they will NOT be able to get to your OneClick passwords unless they also know this key. There is no mechanism to "reset" this key. If you lose it, then you lose all your passwords and need to start over.

This is why I believe that in the long run OpenID is far better than anything that has been proposed. For one thing OpenID is flexible enough to support multiple authentication mechanisms like Information Cards, Dual factor authentication and SSL certificates, and it is now backed by a number of big players in technology (Google, Microsoft, etc).

IMHO one of the best features of OpenID is that you are not generating some random password (or worse giving the same password you use on every website) and handing over to a stranger who for all you know doesn’t encrypt or secure your identity.

While there is still a long ways to go, I consider this progress. VeriSign’s product is something my family can understand and use.

Posted Wednesday, August 13, 2008    Comments [11]

 

Amazon Universal Wishlist, for any product

So happy that Amazon now supports adding products from anywhere on the Internet to your wish list. Amazon has become my de facto place for storing things I want, or things I want people to buy for me!

This replaces Google Shopping List which wasn’t very good anyway.

Get your Amazon Wish list Bookmarklet.

Posted Wednesday, August 13, 2008    Comments [1]

 

# Friday, August 08, 2008

The end of Microsoft Money?

Earlier this year I wrote:

2008 Will mark the end of Personal Finance Software. Quicken will de-emphasize being offered as a shrink wrapped/downloadable product and move to a subscription model.

Mint.com and Wesabe will continue to steal users away from the shackles of Microsoft Money and Quicken.

I look forward to this...

And this morning I read this:

“Microsoft Money Plus continues to be a valuable tool for our customers; however the feedback we are hearing is that the incremental updates to the software don’t merit a new product every year. Given this, we have decided against releasing a 2009 version of Money Plus. .. We are moving off of an annual release cycle for Microsoft Money Plus (no Money 2009 version in the fall), with future release dates TBD” (to be determined).

Good time to switch to Mint.com or Wesabe.

I’ve been using Mint.com for over a year now. Earlier this year I switched “full time” as it sort of crept up on me. They finally have all the features I required in a personal finance package:

  • Budgeting
  • Investment accounts (401K etc)
  • SMS and Email alerts of transactions / balances
  • Auto-Updating balances
  • Amazing self correction of merchant names
  • Cash Flow tools
  • Accounts are always reconciled
  • Zero Configuration Installation (no DRM).
  • Mortgage and Loan accounts

I seriously love Mint. Now if they could just make an iPhone app!

Posted Friday, August 08, 2008    Comments [6]