Archive for November, 2005

Phishing IQ

Wednesday, November 30th, 2005

I just took the MailFrontier Phishing IQ Test II, and I didn’t do well. As a web developer, I consider myself very knowledgeable in this area, and I’m pretty sure I’ve never been fooled by a phishing email. So why did I do so badly? Simple: I guessed "phishing" for everything.

I never click on any links from email that will lead to me entering account information. All of their sample emails had these links, so I didn’t trust any of them. Why do companies still do this? If you read through the answers after taking the test, all of the legitimate messages say "Be safe - always enter the address in your browser". This is good advice.

There was one message that was simply "providing information", and therefore not considered dangerous. But consider such an email: "Here’s some information about our new online bill payment service" with a link to a site that contains a bunch of information talking about the benefits of online bill payments, showing how easy it is, etc. Also on that site for customer convenience is an "add to my account now" button. If this is in fact a phishing site, that link is going to be a scam to collect your account data. If phishers aren’t doing an attack this "sophisticated" now, they will be soon.

According to internetnews.com, only 4% of test-takers got 100%, with the average score being 75%. At least that’s up from 61% a year ago.

So what is the solution? Well, since e-mail is fundamentally broken there really is no easy technological solution, besides outright replacing the SMTP protocol with something better.

One start would be to simply not include links in e-mail. Companies should generally make sure that anything they send in an email can be done manually by visiting their site, and provide instructions on how to do so.

The catch here of course is that users need to be trained to recognize (for example) their bank’s URLs. If your banking site is bankingsite.com and you get a request to go to bankingsite.com.ni or bankingsite1.com then that needs to set off alarm bells, and I’m not sure most users will recognize that.
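The rule given here (the bank’s real site is bankingsite.com; bankingsite.com.ni and bankingsite1.com are not it) is easy to state but easy to get wrong in code: a substring or prefix test passes both lookalikes. As an added example that is not part of the original post, here is a small Python check that accepts a link only when its hostname is the expected domain or a dot-separated subdomain of it, and that also insists on https. The domain names are the post’s hypothetical ones; the sample links are constructed for the example.

```python
"""Added example (not from the original post): triage links against the one
domain a user has been trained to trust.  Domain names are the post's
hypothetical ones; the sample links at the bottom are constructed."""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# The domain the user expects their bank to use (hypothetical, from the post).
TRUSTED_DOMAIN = "bankingsite.com"


def scheme_and_host(url: str) -> Tuple[str, Optional[str]]:
    """Return (scheme, hostname) for a URL; hostname is lower-cased and has any
    trailing dot removed.  Hostname is None when the URL carries no host."""
    parts = urlsplit(url)
    host = parts.hostname  # urlsplit already lower-cases the host
    if not host:
        return parts.scheme, None
    return parts.scheme, host.rstrip(".")


def belongs_to(host: str, domain: str) -> bool:
    """True only if host is exactly the domain or a label-aligned subdomain.

    A plain `domain in host` or `host.startswith(domain)` test would accept
    'bankingsite.com.ni' and 'bankingsite1.com'; requiring equality or a
    '.'-separated suffix rejects both while still allowing
    'secure.bankingsite.com'.
    """
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_link(url: str, domain: str = TRUSTED_DOMAIN) -> str:
    """Verdict for one link: 'ok', 'lookalike', 'not-https' or 'no-host'."""
    scheme, host = scheme_and_host(url)
    if host is None:
        return "no-host"
    if not belongs_to(host, domain):
        return "lookalike"
    if scheme != "https":
        return "not-https"
    return "ok"


def triage(urls):
    """Classify every link and return the verdicts in input order."""
    return [(url, classify_link(url)) for url in urls]


# Constructed sample links, modelled on the post's examples.
SAMPLE_LINKS = [
    "https://bankingsite.com/login",            # the real site
    "https://Secure.BankingSite.com./accounts", # real subdomain, odd casing
    "https://bankingsite.com.ni/login",         # suffix trick from the post
    "http://bankingsite1.com/",                 # digit trick from the post
    "http://bankingsite.com/login",             # right host, but plain http
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_LINKS):
        print(f"{verdict:10s} {url}")
```

The check is deliberately narrow: it answers "is this the domain I was told to expect?" and nothing more, which is exactly the question the post says users must learn to ask. It does not consult a public-suffix list, so it is meant for comparing against a known-good domain, not for deciding in general which part of an arbitrary hostname is the registrable domain.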

Another solution may be to develop a new specially-trusted high-security certificate authority that has very stringent requirements for granting certificates to companies. I remember the first certificate I got cost about $200 and required my driver’s licence, vendor permit, and some other official company documents (yes, this stuff can be spoofed too, but it is a bit more work). Those days are gone. Now it’s very simple to get a certificate that will be "trusted" in practically every browser - it costs about $40US, and sends one email as a verification.

If all browsers displayed a site signed with one of these special certificates differently, then this would be a major way to stop phishing. Interestingly, the people working on Firefox, Internet Explorer, Opera and Konqueror are all working together on this. They’d show the address bar in green on one of these sites, and users would need to be trained to not enter any sensitive information on a page without a green address bar.

IE7 beta address bar (from arstechnica article, originally from MSN)

The special certificate authority could either be a root CA for current certificate authorities, or just be an organization that would publish a list of trusted root certificates. Either way, the organization would have to audit the people issuing certificates that showed up green to ensure the companies weren’t making things easier to gain an edge on their competition. The entire system is based on the trust of the root CAs, so if those authorities violate the trust and issue a certificate to an illegitimate phisher that produced some phony documents, the whole system breaks down.

So until those smart folks at Mozilla, Microsoft, Opera and KDE save us, antiphishing.org has some useful tips to avoid being scammed.

The Complex World of Toothpaste

Friday, November 25th, 2005

I finally decided this morning that I had really squeezed everything I could out of my tube of toothpaste, after a couple of days of thinking the same thing. Finally today on my way home from work, I remembered and stopped to buy some more. I have to say, I just don’t understand the toothpaste industry.

As an example, here are the toothpastes Colgate offers:

  • Total Advanced Fresh - anti-bacteria to fight tartar etc, and freshens breath
  • Total - anti-bacterial, fluoride for cavity protection (also available as gel).
  • Total plus whitening
  • Total Fresh Stripe
  • Sensation Whitening (also available: tartar fighting, and baking soda and peroxide)
  • Cavity Protection (green mint, winterfresh paste, or gel)
  • 2-in-1 whitening (fresh mint or tartar fighting)
  • Fresh Confidence with whitening - freshens breath, whitens teeth
  • (plus some other children ones, bubble-gum flavoured, etc. that I won’t bother to list)

Now, when it gets down to it, there’s really one thing toothpaste has to do: clean your teeth. Freshening your breath, preventing cavities, fighting tartar, whitening teeth - these are all good goals, but what exactly makes them mutually exclusive?!? I seriously don’t get it. Is it that hard just to make one kind of toothpaste that: cleans teeth, freshens breath, prevents cavities, fights tartar and whitens teeth? Or even make two - one with whitening, one without (after all, you don’t want your teeth to be too white).

Instead, the toothpaste companies feel it is necessary to make about 16 different products - each - causing people trying to buy toothpaste to stand slack-jawed in front of the display for 10 minutes trying to figure out which of the 100 possible choices is the best.

Ok so maybe I was a bit harsh earlier. Two kinds of toothpaste is perhaps a bit slim. Really, it’s not a bad thing to have choice. Some people like mint, some don’t. Some like gel, some like paste. So why don’t they make combinations of those? Well, they sort of do. Except they’re all sub-variations of the different combinations of breath freshening and tartar fighting types, which just complicates things even more. I’m a simple man, I just want a simple toothpaste.

Now it’s time to go brush my teeth so I can go to bed.

Never enough sleep

Wednesday, November 23rd, 2005

A few weeks ago, I took some interest in sleeping, sleep cycles, and things like polyphasic sleeping.

There are a ton of different theories out there as to what is the best way to get the highest quality sleep. This is of interest to me, as I’m someone that generally stays up late and hates getting up in the mornings. I seem to get a lot more work done at night, and maybe that’s just a mindset but it’s been true for a long time.

For many years, I’ve gotten just a little amount of sleep during the week (say, 5-6 hours), followed by a lot of sleep on the weekends (10-12 hours) - when I can, anyways. For the most part this seems to average out and work well, though apparently it’s not supposed to. I do notice that if I don’t get a lot of sleep on the weekend, I am tired all the next week and usually end up going to bed a lot earlier on one or two days.

So anyways, after deciding that I don’t want to become a polyphasic sleeper, or drastically change my lifestyle, my research led me to the conclusion that the best thing to do is try to live with sleep cycles.

Simply put, a sleep cycle consists of five stages of sleep. You go from a light stage, to a couple deeper stages, to the deepest stage 4 and stage 5 (REM) sleep. The whole cycle lasts approximately 90 minutes, and occurs constantly while you’re sleeping. If you wake up during the deepest stages, you feel groggy and tired, like you just want to go back to bed.

The best time to wake up is during the period where you’re in a light sleep between cycles, and in fact, if you were to not have an alarm clock or any other outside stimulus to wake you up, this is when you’d wake up naturally. Of course, most alarm clocks don’t know when you’re in this cycle, so they just wake you up with their .. ahem, pleasant .. noises whenever they are set to do so.

There are alarm clocks that actually monitor your sleeping, and I’d be interested in trying one, though I’m a bit skeptical of how well they’d work. They all work on the basic idea that they go off during your last light sleep cycle before the time you’ve set to be woken up at. For example, if you set the alarm to get you up at 7:30 am, and you are in a light sleep phase at 6:20, it will wake you up then, as your next light phase should be at 7:40, which is past your wake time.

One of these devices is a watch that monitors temperature, body tension, etc, and statistically determines your cycle based on that. I’ve read complaints that the beeping is too quiet, and while the theory is you’ll be in a light sleep when it goes off (and thus easy to wake), if for whatever reason you aren’t, then it isn’t loud enough to really wake you up.

Another is a wireless headset that you wear, that connects to an alarm clock. The headset actually monitors your brainwaves to watch for the proper part of the cycle, and then the alarm goes off. This sounds a lot more reliable, but is apparently pretty uncomfortable.

It seems to me that the two would make a good combination - a watch to monitor your physiological functions, that connects wirelessly to an alarm clock that actually wakes you up.

So back to the sleep thing. I’ve been conscious of my sleep cycles for the past few weeks (though lately I’ve not been as diligent). I try to set my alarm to some multiple of 1.5 hours from when I’m going to bed (plus a bit, depending on how long I think it will take me to fall asleep). I have to say, I generally do feel better when I sleep 4.5 or 6 or 7.5 hours (note too, that the 8 hours that is supposed to be the proper amount of sleep is actually interrupting a cycle). I’ve even noticed that I feel better after getting 4.5 hours of sleep vs 5.5 hours (though, this could be coincidental and caused by other outside factors - it’s not like I’m doing a controlled experiment here!).

Of course, when it all comes down to it, I really do enjoy my morning sleeping in and no amount of sleep research will change that :)