FAS Talk

"When you go looking for anything at all, your chances of finding it are very good." -- Darryl Zero

April 01, 2009

Digital Altruism: Conficker Payload Less Severe than Expected, Actually Does Good

After fearing the worst, many security experts are now finding that Conficker may be the first altruistic worm ever developed.

Over the past few weeks, security experts around the globe have been bracing themselves for an April 1st display of intent by the Conficker worm.  Conficker, also known as Downup, Downadup and Kido, is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system.

Today, Conficker-infected machines began downloading instruction payloads from "mother ship" domains whose names are computed as a function of the current date.  Once downloaded, those payloads are interpreted as local Windows executable programs and executed by the host computer, typically with administrative privilege.

While early tests show that Conficker continues to replicate itself by accessing the user's Outlook, Plaxo, and Linked-in contacts, it is also downloading what security experts are describing as "the most comprehensive anti-virus rule set ever seen."  Conficker is systematically cleaning infected machines of all other viruses, trojans, worms, and other malware--except for Conficker.

D.S. McGee, chief security science officer at True Stuff commented that "This is the only known example of what appears to be an altruistic worm."  D.S. quickly cautioned, however, that they are not relaxing and will continue to monitor Conficker behavior, "After all, this is April first, so this early behavior may just be part of a big joke."


March 30, 2009

Skype Available for iPhone

Finally! Skype will be available tomorrow on AppStore!

Via PCWorld:

Skype is set to launch its iPhone application Tuesday bringing its much anticipated Net-based phone service to Apple's mobile platform.

Users will be able to place VOIP calls when connected via Wi-Fi but not when connected via a cellular network.  But, with the increasing availability of free and low-cost Wi-Fi access, this is still a great step forward.  (And another reason for me to be excited about the Wireless Washtenaw initiative!)  So, while the news is not perfect, it's still very good.

Other details:

  • iPhone users can be invited to Skype conference calls but will not be able to initiate them.
  • Skype will use phone numbers from your phone's address book—no need to duplicate them in Skype.
  • Skype chat will work over Edge and 3G networks.
  • Skype can use the built-in camera to set an avatar (but for nothing else).

March 27, 2009

Survey Says... Tear Drop Monument (a.k.a., Tsereteli Monument) Not Widely Publicized

I was surprised that I had not learned of this monument until recently; and apparently, I'm not the only one.

I recently posted about my surprise at not learning about Tear Drop Monument until years after it was donated by Russia to the United States in a show of solidarity against terrorism.  A few days later, I posted a simple, one question survey:

"When did you first learn about Tear Drop Monument (a.k.a., Tsereteli Monument)?"

As of today, the results are somewhat telling: 90% of respondents indicated that they just learned of it.  Nobody indicated they learned of it earlier than 2009—despite the fact it was donated in 2006.

Take the survey and see the up-to-the-minute results.


March 23, 2009

The Danger of Strong Passwords that are Easy-to-remember

When it comes to sound password security, easy-to-remember is not so easy-to-accomplish.

I just read Damien Oh's blog post, How To Create Strong Passwords That You Can Remember Easily.  The post makes some excellent points, but in my opinion, the task of achieving comprehensive password security in the real world is a little thornier.

First, consistently using simple substitution rules, as suggested, to achieve memorable passwords is almost like not using them at all.  As others have pointed out, any serious crack attempt will run quickly through these simple substitution rules.

But there is an even more fundamental issue.  With so many sites asking for passwords, the first question to ask yourself is, "Should I use the same password in multiple places?"  E.g., should your Gmail account use the same password as your New York Times subscription, your brokerage accounts, your Windows login, your Twitter account, and your kid's school lunch money account?  IMO, the answer is no.  By using different passwords on different sites, you create natural security breach firewalls: a password stolen from one site cannot be reused against the others.

But, as soon as you start using different passwords on different sites, it quickly becomes impossible for you to remember all your passwords anyway, making the goal of memorable passwords less important.

The approach I recommend is to keep a "black book" and create genuinely strong passwords.  You may or may not elect to use a software password manager (if you do, use a secure one!) but it is critical that you keep a physical record of each password. I do use a software password manager, but I also keep a physical record of all passwords in a little black book--literally.

Password Management Tips

Here are a few tips that can save you from common password management headaches.

Easy-to-read passwords: When you record passwords in your black book, make sure you can read them.  This may sound silly, but believe me, it's easy to mistake a hand-written zero for a letter 'o', an upper case 'W' for a lower case 'w', etc.  When writing down passwords:

  • Put an underline under capital letters.
  • Draw a slash through the digit zero.
  • Draw a dash through the letter 'z'.
  • Draw a space like a square bracket turned on its side opening upwards.

Easy-to-type passwords: While your passwords may not be easy to remember, there are tricks you can do to make them easy to type.  For example, this password is difficult to type: Tift#1doS!  But if you know that it is based on the phrase "Today is finally the number one day of Spring!" it becomes much easier to type.  For passwords I will use frequently, I try to base them on some type of phrase that makes them easier to type (and record that phrase in my black book.)

Critical passwords:  When security is vital—e.g., bank accounts, credit card access, etc.—use a genuinely strong password with no gimmicks.  You'll have to put up with typing the complex password from time to time without the help of memory aids, but a would-be hacker will face a significant security challenge.  You can make up your own strong passwords, but I find it easier to use a password generator.  There are many good, free password generators online.  See the links below for two that I regularly use.
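As an added example (my own illustration, not code from the post or from any of the generators it links to), here is a small Python password generator in the spirit of the tips above, together with a rough entropy comparison that puts numbers on the "simple substitution rules are almost like not using them at all" point.  The generator draws from the OS random source via the secrets module; the exclude_ambiguous option drops characters that are easy to misread when hand-written, and the set of such characters, the dictionary size of 100,000 words and the 64 substitution variants per word are assumptions chosen for the demonstration, not figures from the post.

```python
import math
import secrets
import string

# Full printable-ASCII alphabet (52 letters, 10 digits, 32 punctuation = 94 symbols).
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Characters that are easy to misread when hand-written (the post's zero/'o' and
# 'W'/'w' problem). This set is an assumption of the example, not a rule from the post.
HARD_TO_READ = set("0O1lI|wWzZ")


def generate_password(length=16, alphabet=FULL_ALPHABET, exclude_ambiguous=False):
    """Draw `length` characters uniformly from `alphabet` using the OS CSPRNG.

    `secrets` rather than `random` is the point: a password generator must be
    unpredictable, and `random` (a Mersenne Twister) is not.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    chars = [c for c in alphabet if not (exclude_ambiguous and c in HARD_TO_READ)]
    return "".join(secrets.choice(chars) for _ in range(length))


def entropy_bits_random(length, alphabet_size=len(FULL_ALPHABET)):
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def entropy_bits_substitution(dictionary_size, variants_per_word):
    """Upper bound on the entropy of a 'dictionary word + fixed substitution rules' password.

    An attacker who knows the rule set needs at most dictionary_size * variants_per_word
    guesses, so the password is worth log2 of that, however long the result looks.
    """
    return math.log2(dictionary_size * variants_per_word)


def compare(length=16, dictionary_size=100_000, variants_per_word=64):
    """Return (bits for a random password, bits for a substitution-rule password).

    The dictionary size and variant count are assumed figures for illustration.
    """
    return (entropy_bits_random(length),
            entropy_bits_substitution(dictionary_size, variants_per_word))


if __name__ == "__main__":
    print("generated:", generate_password())
    print("for the black book:", generate_password(exclude_ambiguous=True))
    rnd, sub = compare()
    print(f"random 16-character password: {rnd:.1f} bits")
    print(f"dictionary word + substitution rules: {sub:.1f} bits")
```

With the assumed figures, a 16-character random password is worth roughly 105 bits, while a dictionary word run through a known set of substitutions is worth about 23 bits no matter how cryptic it looks on paper; that gap is why the post recommends a generator and a black book over memorability tricks for critical accounts.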

What are your favorite password security tips or suggestions?  Have any interesting password related success or failure stories to share?  Post a comment below.


March 19, 2009

Web Developer Tip: X-UA-Compatibility Header Simplifies Life with IE8

Another version of IE to support means more developer headaches. But there's a little known bit of magic that helps ease the pain.

If you are responsible for a commercial web site or web application, you understand too well that there are significant differences between web browsers.  Creating and maintaining a web site or web application that is truly cross-browser compatible is both a skill and an art.  And now there's a new browser on the scene:  Internet Explorer 8 ("IE8").

Just to keep web developers jumping, Microsoft decided to change the behavior of some extremely fundamental aspects of the browser.  For example, the "onresize" event is the notification event that applications rely on to determine when something in the browser changes size, e.g., when a user resizes the browser window, an application may need to do something to adjust for the new window size.  In its infinite wisdom, Microsoft decided to change the default behavior of this event.  Never mind that millions of web pages rely on the long established behavior as implemented by IE7 (and IE6, IE5, IE4, Firefox, Safari, Opera, Chrome, etc.).

Well, as it turns out, the new behavior could cause the MyST Blogsite editor to hang in an infinite loop.  (Technically, it was processing an infinite cascade of onresize events.)

Fortunately, Microsoft also added a "Compatibility View" feature to IE8 that forces IE8 to behave more like IE7—that is, to be compatible with the millions of web pages that were tested against IE7 but now break under IE8.  Unfortunately, they did not make Compatibility View the default.  In other words, the default is non-compatibility.  (Silly.)

After doing a little Googling, I ran across this article, by Aaron Gustafson, that provides a hint about how to force IE8 to use Compatibility View for a web page automatically, without requiring the user to mess with browser options.

X-UA-Compatible Header

Here's the magic.

IE8 recognizes a new HTTP response header that tells IE8 which browser(s) the web page has been tested against.  In other words, with which browser(s) the web page is compatible.  Specifying a value of "IE=7" means the web page is compatible with IE7 and causes IE8 to automatically process it using its Compatibility View.

Alternatively, you can specify the X-UA-Compatible details by placing an http-equiv meta element within the web page itself:

<meta http-equiv="X-UA-Compatible" content="IE=7" />

If you use the meta element approach, you must ensure that the tag appears early in the head section of the page.  Specifically, it can be preceded by other meta elements and the title element, but it must be placed above any other elements—and you can't add it into the DOM via JavaScript.

Once I added the meta element to the MyST Blogsite rendering framework (which is all XSL, so adding it was very simple), we were able to close all support issues related to IE8 compatibility issues.  And, I was able to stop pulling my hair out.
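As an added example (my own code, not the MyST Blogsite rendering framework or anything from Aaron Gustafson's article), here is a small Python check for the placement rule above: it scans the head section and reports whether the X-UA-Compatible meta element is present and whether only meta and title elements precede it.  A second helper sets the equivalent HTTP response header on a WSGI-style header list.  The two sample pages are constructed for the demonstration, and the helper names are assumptions of this example.

```python
from html.parser import HTMLParser

# Elements that may legitimately precede the X-UA-Compatible meta inside <head>.
ALLOWED_BEFORE = {"meta", "title"}


class _HeadScanner(HTMLParser):
    """Record what appears in <head> before the X-UA-Compatible meta element."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.content = None      # value of the content attribute, once found
        self.preceded_by = []    # tags seen in <head> before it

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
            return
        if not self.in_head or self.content is not None:
            return
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "x-ua-compatible":
            self.content = a.get("content", "")
        else:
            self.preceded_by.append(tag)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def check_x_ua_compatible(html):
    """Report whether the meta element is present and whether only meta/title
    elements precede it in <head>, which is what IE8 requires to honour it."""
    scanner = _HeadScanner()
    scanner.feed(html)
    scanner.close()
    offending = [t for t in scanner.preceded_by if t not in ALLOWED_BEFORE]
    return {
        "present": scanner.content is not None,
        "content": scanner.content,
        "placed_correctly": scanner.content is not None and not offending,
        "offending": offending,
    }


def add_x_ua_compatible_header(headers, mode="IE=7"):
    """Return the response header list with X-UA-Compatible set to `mode`,
    replacing any existing value (headers as (name, value) pairs, WSGI style)."""
    kept = [(n, v) for n, v in headers if n.lower() != "x-ua-compatible"]
    return kept + [("X-UA-Compatible", mode)]


# Constructed sample pages: the first obeys the placement rule, the second puts
# a link and a script ahead of the meta element.
GOOD_PAGE = """<!DOCTYPE html><html><head>
<meta charset="utf-8">
<title>Demo</title>
<meta http-equiv="X-UA-Compatible" content="IE=7" />
<script src="app.js"></script>
</head><body></body></html>"""

BAD_PAGE = """<!DOCTYPE html><html><head>
<title>Demo</title>
<link rel="stylesheet" href="site.css">
<script src="app.js"></script>
<meta http-equiv="X-UA-Compatible" content="IE=7" />
</head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("bad", BAD_PAGE)):
        print(name, check_x_ua_compatible(page))
    print(add_x_ua_compatible_header([("Content-Type", "text/html")]))
```

Running the check over a site's templates is a quick way to catch the case the post warns about: the meta element is on the page, but a stylesheet link or script got in front of it, so IE8 ignores it and the page still renders in the default mode.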


March 18, 2009

Tear Drop Monument

To the Struggle Against World Terrorism

I just ran across today's Tear Drop Monument posting on snopes.com.  My initial reaction was, "Wow, this is really impressive."  My second was one of surprise that I had not known of this until now.   How did I miss this?

First, the monument itself is very spectacular.  And the fact that it was donated by Russia, to me, is a significant example of how the vast majority of people around the world want a peaceful world, just like the vast majority of Americans do.

But then I started wondering why this wasn't bigger news.  I asked Carol and she said she did not recall hearing about it either.  I remember in 2006 the media observing the 5-year anniversary of 9/11, but I don't recall this monument.  No doubt it was mentioned, but there must have been something else sucking up much more media attention.

Oh yea, I remember: the war that Dubya and his accomplices started in Iraq.  I guess that sort of overshadowed Russia's show of solidarity for peace.


March 13, 2009

Funny RSVP

Carol recently invited a few friends over to celebrate(?) my upcoming 50th b-day... one RSVP cracked me up.

Hi Carol:

Thanks for the invitation to Andy's Fabulous 500th Birthday. I won't be able to attend but will be thinking of Andy blowing out the 5000 candles on his birthday cake...one for each of the 50,000 years he's been alive. The great thing about getting older is that time seems to slow exponentially. It's hard to believe that it's been over 240,000 years since we last had a good visit. It would be more frequent if I didn't live tentothesixteenth light years away. But I always enjoy seeing you both.

Happy Birthday Andy!

Kermit.


March 11, 2009

Changing the Internet (and Human Capability) as we Know It

TED shocker: See the internet in the air, with no geeky glasses required

I've been a computer geek since the 1970s, when I soldered together my first transistors to make a flip-flop circuit that could count to eight.  The first computer I made had 256 bytes (not Kbytes, bytes).  Today, the desktop computer I'm using to write this has roughly 16,000 times more memory than the University of Michigan mainframe system that ran the entire place when I was in school.  The iPhone in my pocket has twice that, and the iPod I take running has 7.5 times more than my iPhone.  I've seen the evolution of storage devices, processing devices, pointing devices, motion sensors, image processing, speech recognition, graphical UIs, bionics, and more software and information science than I could begin to list.  But these have just been stepping stones.

Today I saw a demonstration of a coming technology that promises to change the way we think about the Internet, about the way we think about our own capabilities, indeed, the way we think about everything.

As you watch this short video, keep in mind that twenty years ago the Internet did not exist; ten years ago very few people had cell phones, laptops, or digital cameras.

In a few years, devices like the prototype in this video will be widely available.  Ten years from now, devices like this will not only be ubiquitous, they will be orders of magnitude more capable and dirt cheap.  Twenty years from now, well, it's hard to imagine.

