shahine.com/omar/


yet another Microsoft blogger

# Sunday, August 24, 2008

Executor, the Ultimate Windows Launcher

For a long time I’ve searched the web looking for a great application launcher for Windows. Mac users have QuickSilver, the holy grail of application launchers. In fact I’ve never used QuickSilver; I’ve only ever read about its awesomeness.

First there was SlickRun, and I used it for many years. In fact I loved SlickRun (and still do). However, it’s not a general-purpose launcher and will not index your hard drive for applications, folders and whatnot. It will let you define some great keywords though.

Then there was Launchy. A great launcher, but it lacked the ability to create keywords like SlickRun. The UX was slick though.

I’ve tried SkyLight (from the makers of AppRocket), a beautiful application, but dog slow. I mean painfully slow (it would take a few seconds before it would let me type a command). SkyLight is a WPF app and, to be honest, I’ve found that all the WPF apps I’ve tried have similar performance problems (Witty and bTT).

Executor

At long last, Executor added support to index any folder you specify on your computer, allowing me to replace both Launchy and SlickRun. I tried Executor last year, but the inability to customize it with your own search paths was limiting, since I store little utilities in my roaming Portable Apps folder.

Executor has a lot of functionality. It took me a while to set up the UX and behavior the way I wanted. Here is a screenshot of what you’d see if you typed “ad” into Executor:

image

As you can see, I use the large two-line icon view, which is helpful if you use Executor to index your Documents folder for folders and you have more than one with the same name:

image

And of course you can use it as a general file system browser… much better than Start –> Run.

image

With Vista we all get a nice solution to the Start Menu Mess, as Jeff Atwood describes in his post Typing Trumps Pointing. While this is a great solution for my parents, I personally need the power of defining custom keywords and search paths (like my Portable Apps directory).

Executor has a lot of features, so I’d recommend you check out this page which lists some of the cool things you can do.

Posted Sunday, August 24, 2008    Comments [6]

 

# Saturday, August 23, 2008

First iPhone Exchange bug fixes in 2.0.2

It appears that the iPhone 2.0.2 update came with two nice Exchange bug fixes. These two bugs were probably the worst that I would encounter.

Prior to 2.0.2, if either you or someone else canceled an event that was in a series of recurring events, that event would NOT get deleted from the iPhone.

This meant that the Calendar on my iPhone was not the same as my Exchange calendar.

Now, the iPhone supports exceptions to recurring events from Exchange AND you can delete an instance of a recurring event on the phone.

  • (Fixed in 2.0.2) Cannot delete a single occurrence of a repeating appointment/meeting. Only option is to delete entire series.
  • (Fixed in 2.0.2) Negative exceptions to recurring events are not handled (if an instance of a recurring event is deleted, it still appears)

I will continue to update my wiki as I see issues resolved.

Posted Saturday, August 23, 2008    Comments [0]

 

# Friday, August 22, 2008

Wells Fargo launches Secure Online Storage with Two-Factor Authentication

Hot on the heels of my post on Two-Factor Authentication, it appears that Wells Fargo is getting into the cloud storage business.

Their product, Wells Fargo vSafe, is part of your Online Banking account. It is a paid service with the following pricing:

  • 1GB – $4.95 a month
  • 3GB – $9.95 a month
  • 6GB – $19.95 a month

Additionally, they are offering customers the option to sign into their vSafe accounts using what they call Advanced Access, aka Two-Factor Authentication using either:

vSafe has some nice features like:

  • Your Wells Fargo statements can get automatically archived in vSafe
  • Backup of your data
  • Geo-Redundancy

The only downside to this is that I cannot use my VeriSign VIP Token with Wells Fargo, since RSA SecurID and VeriSign do not interoperate. Personally I don’t want two dongles. Meanwhile the VeriSign VIP Token seems more widely supported (PayPal, eBay etc.).

I think this is great news, and I fully expect that security will start to play a larger role in the coming years as companies start to compete based on their security offerings.

Posted Friday, August 22, 2008    Comments [1]

 

# Sunday, August 17, 2008

Two-Factor Authentication for the rest of us

I’ve always been skeptical of the usability of two-factor authentication. Specifically, Microsoft employs a form of two-factor authentication using a Smart Card. To get access to our corporate resources from outside our network you are required to enter your username and password, insert your Smart Card (which is our badge) into a Smart Card reader and enter your PIN. The Smart Card contains a certificate that is used to identify you to Microsoft (in addition to your username and password).

The problem with this is that each computer you want to use to connect to corporate assets needs a Smart Card reader. Kind of a pain, especially since laptops don’t have PCMCIA slots any more (replaced by ExpressCard).

When thinking about using two-factor authentication for securing non work assets, I just assumed this would be a hassle.

VeriSign Two-Factor Authentication

I knew that a while back PayPal started to offer a PayPal Security Key that you could use as an extra layer of security when signing into PayPal or eBay. This seems like a good idea, after all, because PayPal is linked to my bank account and credit card, and eBay holds one of my most important identities: my “seller reputation” is tied to it. An extra layer of security to sign into those sites seems like a good idea, but at what cost?

When I found out that VeriSign PIP (an OpenID provider, among other things) had started to offer extra security using a security token (one compatible with the PayPal Security Key), I decided to give it a shot. After all, the entry price was $5. You can see the PayPal Security Key below:

P1010499

Besides the PayPal Security Key, VeriSign offers two other form factors:

  1. VIP Security Card – a credit card sized Token
  2. USB Memory Key from SanDisk – a traditional USB Key with special software.

Both cost more than $5, so I started with the PayPal key. I’m not interested in #2, since I view having to insert something into a computer as more of a hassle.

I received my PayPal key the other day and immediately fell in love with it. It’s small, and easy to use and easily found a place on my key chain. For $5 it’s a steal.

However, I was wondering what the VIP Security Card was like.

Luckily I’ve been chatting with the folks at VeriSign over the past few days and they were kind enough to send me a VIP Security Card to play around with.

All I can say is WOW. This thing is awesome. It’s the exact same size and dimensions as a credit card. I assumed it would be thick because it appears to have some kind of LCD, but actually it’s a form of screen similar to the Amazon Kindle’s (electronic ink): it consumes no power to display the current code, only to change it. Your security code is only ever valid for 30 seconds and each one is unique (a one-time password).

P1010500 

P1010504

Personally, I prefer this format better since I can just throw it in my wallet and my wallet is always with me, unlike my keys.
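What the card is doing every 30 seconds is, as far as the post describes it, a time-based one-time password. The block below is an added example, not VeriSign’s or PayPal’s code, and it assumes the OATH algorithms (HOTP from RFC 4226 and TOTP from RFC 6238); the post does not say which algorithm VIP tokens use, and the seed and timestamps in it are the RFC’s published test values rather than anything from a real token. It shows both sides: the token’s code generation, and a server-side check that allows one step of clock drift, compares in constant time, and refuses to accept the same code twice.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
// "dynamic truncation" down to a decimal code of the requested length.
func HOTP(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238): HOTP whose counter is Unix time divided by the step, so a
// token with a clock and the shared seed shows the same code as the server.
func TOTP(secret []byte, at int64, step int64, digits int) string {
	return HOTP(secret, uint64(at/step), digits)
}

// Verifier is the server side. It allows +/- Window steps of clock drift and
// refuses any counter at or below the last one it consumed, so a code captured
// off the wire cannot be replayed during its 30 seconds of validity.
type Verifier struct {
	Secret      []byte
	Step        int64
	Digits      int
	Window      int64
	lastCounter int64 // highest counter accepted so far; -1 before first use
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{Secret: secret, Step: 30, Digits: 6, Window: 1, lastCounter: -1}
}

// VerifyAt checks code against the server clock value now (Unix seconds).
func (v *Verifier) VerifyAt(code string, now int64) bool {
	current := now / v.Step
	for c := current - v.Window; c <= current+v.Window; c++ {
		if c < 0 || c <= v.lastCounter {
			continue // already consumed (or older than one already consumed)
		}
		expected := HOTP(v.Secret, uint64(c), v.Digits)
		// constant-time comparison so a partially right guess leaks no timing
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastCounter = c
			return true
		}
	}
	return false
}

// Verify is VerifyAt against the real clock.
func (v *Verifier) Verify(code string) bool { return v.VerifyAt(code, time.Now().Unix()) }

func main() {
	// RFC 6238 test seed; a constructed value, not a real token's seed.
	seed := []byte("12345678901234567890")
	fmt.Println(TOTP(seed, 59, 30, 8)) // 94287082, the RFC 6238 vector for T=59
	v := NewVerifier(seed)
	code := TOTP(seed, 1111111109, 30, 6)
	fmt.Println(v.VerifyAt(code, 1111111109)) // true
	fmt.Println(v.VerifyAt(code, 1111111109)) // false: replay of a consumed code
}
```

The seed is the only secret; anyone who copies it (a phished enrollment QR code, a backup of the server’s database) has a working clone of the card, which is why the hardware form factor matters: the seed in a VIP card cannot be read back out.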

Other Two-Factor Authentication systems

I should point out that two-factor authentication does not have to be limited to physical tokens like the ones mentioned above. There are numerous other mechanisms that other OpenID providers use. VeriSign summarizes a whole slew of them here.

SSL Certificates

VeriSign and myOpenID both support SSL Client Certificates, but they both implement them differently.

Most people are familiar with server-side SSL certificates. These are what practically every e-commerce site or financial institution uses to encrypt the information between you and them, so that the bad guys cannot sniff your traffic and steal your credit card or other personal information. Generally speaking these have been adequate protection for hundreds of billions of dollars in transactions over the years. Since it’s hard for the bad guys to impersonate the server you are interacting with, they tend to focus on things like phishing and man-in-the-middle attacks to steal your username and password (and now DNS exploits).

For years we have been trained to look for the “lock” icon when dealing with secure websites.

image

Over time this has evolved to include more prominent UI features as you can see below in IE 7

image 

and FireFox 3

image

However, little attention has ever been paid to client-side SSL certificates. They work just like server-side certificates except that the authentication is mutual. In other words, not only do you validate that the web site is who it says it is, the web site also validates that you are who you say you are. There is no shared secret involved: you hold a private key that never leaves your computer, during the SSL handshake your browser proves possession of that key by signing a value derived from the handshake, and the server checks the signature against the public key in your certificate and checks that the certificate was issued by an authority it trusts. Sounds complicated? It might, but this is the basis upon which Public Key Infrastructure (PKI) is built.

At the end of the day, what you need to know is that this can serve as a two-factor authentication mechanism because you install the client certificate (and its private key) on each computer from which you plan to log in to the service (in this case the OpenID provider); after you authenticate to the service using a username and password, the service has an additional layer of authentication via your client certificate. It’s like a “soft token” (a software version of a hardware token, like those mentioned above), with the caveat that a soft token is only as safe as the computer holding the private key.

VeriSign and myOpenID have two different uses for SSL client certificates. For VeriSign they work much like a hardware token, meaning you have to possess the client certificate and your username and password to gain access. If you don’t have your client certificate installed, you can have a temporary access code sent to your phone via SMS or to your email account.

myOpenID uses the certificate as a way for you to log in to the site without entering your username and password. So in a way it’s a replacement for your password credential, and works a bit like an Information Card.
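An added example (not VeriSign’s or myOpenID’s code) of the mutual authentication described above, in Go: a throwaway CA issues a server certificate and a client certificate, the server is configured to require a client certificate from that CA, and the same request is made once with and once without one. The names “Demo CA” and “alice” are made up for the example. No password travels in either direction; the client proves it holds the private key matching its certificate by signing during the handshake, and the server learns its identity from the certificate subject.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func check(err error) { if err != nil { panic(err) } }

// mintCert issues an ECDSA P-256 certificate for cn. With parent == nil it is
// self-signed (our demo CA); otherwise it is signed by parent, the way an
// identity provider's CA issues your client certificate.
func mintCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // server cert must match the dialed address
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// MutualTLSDemo runs a server that requires a client certificate chaining to our
// CA, then connects with such a certificate and without one. It returns the
// greeting the authenticated client got and the error the other client hit.
func MutualTLSDemo() (greeting string, rejected error, err error) {
	caCert, caKey := mintCert("Demo CA", true, nil, nil)
	srvCert, srvKey := mintCert("127.0.0.1", false, caCert, caKey)
	cliCert, cliKey := mintCert("alice", false, caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)

	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The handshake already verified the chain and the client's signature.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" in mutual TLS
		ClientCAs:    pool,
	}
	srv.StartTLS()
	defer srv.Close()

	get := func(certs []tls.Certificate) (string, error) {
		client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
			RootCAs:      pool,  // the client still verifies the server
			Certificates: certs, // and offers its own certificate, if it has one
		}}}
		resp, err := client.Get(srv.URL)
		if err != nil {
			return "", err
		}
		defer resp.Body.Close()
		body, err := io.ReadAll(resp.Body)
		return string(body), err
	}
	if greeting, err = get([]tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}); err != nil {
		return "", nil, err
	}
	_, rejected = get(nil)
	return greeting, rejected, nil
}

func main() {
	g, rejected, err := MutualTLSDemo()
	fmt.Printf("with cert: %q\nwithout cert: %v\nsetup error: %v\n", g, rejected, err)
}
```

The second request fails at the TLS layer before any HTTP is exchanged, which is the whole point: an attacker with the username and password alone never gets far enough to use them.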

Image Authentication

Some services like myVidoop.com (another OpenID provider) use images as a second factor. After you log in you are presented with a series of images from categories you pre-selected, mixed with pictures from random categories. Since only you know the categories you picked, you enter the special codes corresponding to those categories. There is no password per se; your selection of the right images from the right categories is your password. Clever.

These images work in conjunction with specialized code they have to “activate” a browser. In other words, you only get to go through the image identification once you’ve confirmed the browser to myVidoop. If you have not, you can use SMS or email to temporarily activate your image authentication.

So in this case, your two factors are 1) proving the identity of the browser to the service and 2) authenticating using images.

I have to admit, I’m still getting my head wrapped around this one. I haven’t yet figured out how they “identify” a browser.

Phone Based Authentication

There are two forms of phone authentication that I’ve run into: voice authentication, which myOpenID uses, and SMS-based authentication, which a number of services use.

CallVerifID is a service myOpenID runs that lets you use a plain old telephone to authenticate: when you sign in to myOpenID you receive a phone call from them, and you press # to approve the login. Very simple.

SMS verification is currently supported by VeriSign and myVidoop to allow authentication in the case where your primary two-factor mechanism is not available, which also means the account is only as secure as the weaker of the two channels. This comes in very handy, say, if I am not near my hardware token, or I’m too lazy to go get it from my wallet and my iPhone is right in front of me :-).

Final Thoughts

As you can see, there are numerous options today for two-factor authentication. You can immediately secure assets such as your PayPal and eBay accounts with any VeriSign VIP product. Furthermore, as OpenID continues to gain in popularity, you’ll have more options for securing your identity on other services.

I’d say this is progress.

Posted Sunday, August 17, 2008    Comments [8]

 

# Tuesday, August 12, 2008

VeriSign launches competitor to PassPack

Over the past few months I’ve been thinking A LOT about passwords and how broken the Internet is right now with respect to authentication. Expect a number of posts over the next few weeks about my thoughts on the matter (timely since this NYT piece came out this past weekend).

For the record, I have over 266 unique passwords for websites and currently use RoboForm to manage them all (I actually ran RoboForm for over a year so that I could capture every site I entered credentials into). I would like a solution that roams with me, but Dual Factor authentication and strong password reset mechanisms are a requirement.

Why is VeriSign’s role here important? For one thing, they have a fairly important role in how the Internet runs and have a distinguished history with respect to Internet security technology.

I’ve been playing around with VeriSign Personal Identity Portal (PIP) the last few days. VeriSign PIP is an OpenID provider with a number of novel features that make it far and away the best OpenID provider out there.

They support:

  1. OpenID 2.0
  2. SSL Client Certificates for authentication
  3. VeriSign Identity Protection (VIP) security key products for dual-factor authentication
  4. Information Cards
  5. OneClick Sign-in access for over 80 popular websites (like Facebook, Google, Windows Live)

Item #5 competes directly with PassPack, which is a cool web based service for storing your usernames and passwords (secured by a password and a “packing key”). I haven’t moved over to them yet because I’m taking my time to understand the options out there.

VeriSign takes a similar approach to PassPack, in that to get to your data you:

  1. Log in using your username and password or an Information Card
  2. Optionally enter your security code (if you don’t have your fob you can fall back to SMS)
  3. Use your encryption key to “unlock” your OneClick passwords.

This all seems good. It's important to note that all your username and password credentials for OneClick are encrypted using a key that only you know. If someone manages to get access to your account, they will NOT be able to get to your OneClick passwords unless they also know this key. The flip side is that there is no mechanism to "reset" this key: if you lose it, you lose all your passwords and need to start over.

This is why I believe that in the long run OpenID is far better than anything that has been proposed. For one thing OpenID is flexible enough to support multiple authentication mechanisms like Information Cards, dual-factor authentication and SSL certificates, and it is now backed by a number of big players in technology (Google, Microsoft, etc.).

IMHO one of the best features of OpenID is that you are not generating some random password (or worse, giving the same password you use on every website) and handing it over to a stranger who, for all you know, doesn’t encrypt or secure your identity.

While there is still a long ways to go, I consider this progress. VeriSign’s product is something my family can understand and use.

Posted Wednesday, August 13, 2008    Comments [11]

 

Amazon Universal Wishlist, for any product

So happy that Amazon now supports adding products from anywhere on the Internet to your wish list. Amazon has become my de facto place for storing things I want, or things I want people to buy for me!

This replaces Google Shopping List which wasn’t very good anyway.

Get your Amazon Wish list Bookmarklet.

Posted Wednesday, August 13, 2008    Comments [1]

 

# Friday, August 08, 2008

The end of Microsoft Money?

Earlier this year I wrote:

2008 Will mark the end of Personal Finance Software. Quicken will de-emphasize being offered as a shrink wrapped/downloadable product and move to a subscription model.

Mint.com and Wesabe will continue to steal users away from the shackles of Microsoft Money and Quicken.

I look forward to this...

And this morning I read this:

“Microsoft Money Plus continues to be a valuable tool for our customers; however the feedback we are hearing is that the incremental updates to the software don’t merit a new product every year. Given this, we have decided against releasing a 2009 version of Money Plus. .. We are moving off of an annual release cycle for Microsoft Money Plus (no Money 2009 version in the fall), with future release dates TBD” (to be determined).

Good time to switch to Mint.com or Wesabe.

I’ve been using Mint.com for over a year now. Earlier this year I switched “full time” as it sort of crept up on me. They finally have all the features I required in a personal finance package:

  • Budgeting
  • Investment accounts (401K etc)
  • SMS and Email alerts of transactions / balances
  • Auto-Updating balances
  • Amazing self correction of merchant names
  • Cash Flow tools
  • Accounts are always reconciled
  • Zero Configuration Installation (no DRM).
  • Mortgage and Loan accounts

I seriously love Mint. Now if they could just make an iPhone app!

Posted Friday, August 08, 2008    Comments [6]

 

# Friday, August 01, 2008

How to tether your iPhone to Vista in 5 easy steps

Here are some very easy steps for how to tether your Vista laptop to your iPhone.

First you need to get the following pieces of software:

  1. NetShare – an iPhone application that bridges the iPhone’s 3G and Wi-Fi radios and exposes a SOCKS proxy for your PC. Apple has been publishing and removing this application over the past day, so it might not be available in the App Store. Sorry!
  2. Proxifier Standard – a Windows application that routes all Internet traffic from your laptop to your iPhone via the ad hoc wireless network.

Here is how it works:

[Internet] <-> [3G <-> iPhone running NetShare] <-> Wifi <-> [SOCKS PROXY <-> Vista]

Step 1: Install NetShare and Proxifier

This is easy, install NetShare on the iPhone, and install Proxifier on your laptop.

Step 2: Create an ad hoc wireless network

On your laptop go to the Network and Sharing Center and click Set up a connection or network

image

Select Set up a wireless ad hoc (computer to computer) network

image

Give it a Network name (I use iPhone) and set the Security type to No authentication (Open) and click Save this network

image

note: this is an open network, so anyone in radio range can join it and use the NetShare proxy. I plan to test this later using WPA2 Personal since that is far more secure.

Now you are connected to your ad hoc network. In the future you can re-connect to this network by going to the Start Menu and clicking Connect To and then selecting iPhone.

image

Step 3: Connect your iPhone to the ad hoc wireless network you just created

On your iPhone go to Settings select Wi-Fi and connect to iPhone (or whatever you called the ad hoc network in step 2). Your connection should look like this:

IMG_0012

 

Don’t worry about the IP address; we are going to rely on Automatic Private IP Addressing (APIPA, the 169.254.0.0/16 link-local range, also known as zero-configuration networking), which lets the iPhone and Vista talk to each other even though there is no router handing out addresses.

Step 4: Launch NetShare

Now that you have connected your iPhone to the iPhone ad hoc network you should launch NetShare. When you’ve done that you will be greeted with this screen:

IMG_0011 

Step 5: Launch and configure Proxifier

You’re almost done!

  1. Now launch Proxifier and select Proxy Settings… in the Options menu.
  2. Click the Add button and type the Proxy IP address in the NetShare application on the iPhone (169.254.206.139 in my case)
  3. Enter Port 1080
  4. Select SOCKS Version 5
  5. Click OK

image

Step 6: You are done!

If you want to make sure that it’s working you can select the proxy entry you just created and click Check

image

and go to speedtest.net and measure your performance!


Step 7: Cleanup

When you are done tethering, you should do the following:

  1. Disconnect from the iPhone ad hoc network
  2. Select Exit from the File menu in Proxifier. If you don’t do this it will continue to run preventing your normal Wifi connection from working.

Notes

  • I found that Outlook would not connect to our corporate Exchange server via HTTPS; it was trying TCP/IP. I suspect this is some kind of problem with the SOCKS proxy server. To remedy the problem I forced Outlook to use HTTPS on both slow and fast connections.
  • The iPhone will go to sleep while the NetShare app is running. You need to periodically wake it up.
  • The above wireless configuration is an open network. I plan to test this using something more secure like WPA2.

Posted Saturday, August 02, 2008    Comments [18]