Internet

Internet economics, technology and issues

Anti-Phishing -- warn if I send a password somewhere I've never sent it

There are many proposals out there for tools to stop Phishing. Web sites that display a custom photo you provide. "Pet names" given to web sites so you can confirm you're where you were before.

I think we have a good chunk of one anti-phishing technique already in place with the browser password vaults. Now I don't store my most important passwords (bank, etc.) in my password vault, but I do store most medium importance ones there (accounts at various billing entities etc.) I just use a simple common password for web boards, blogs and other places where the damage from compromise is nil to minimal.

So when I go to such a site, I expect the password vault to fill in the password. If it doesn't, that's a big warning flag for me. And so I can't easily be phished for those sites. Even skilled people can be fooled by clever phishes. For example, a test phish to bankofthevvest.com (two "v"s instead of a w, which looks identical in many fonts) fooled even skilled users who check the SSL lock icon, etc.

The browser should store passwords in the vault, and even for the "don't store this" passwords it should keep a hash in the vault unless I explicitly turn that off. The browser should then detect whenever I type a string into any box that matches the hash of one of my passwords. If my password for Bank of the West is "secretword" and I use it on bankofthewest.com, no problem: "secretword" isn't stored in my password vault, but its hash is. If I ever type "secretword" into any other site at all, I should get an alert. If it really is another site of the bank, I will examine it and confirm sending the password. Hopefully I'll do a good job of examining -- it's still possible I'll be fooled by bankofthevvest.com, but other tricks won't fool me.

The key needs for any system like this are that it warns you of a phish and that it rarely gives you a false warning. The latter is hard to do, but this comes decently close. However, since I suspect most people are like me and have a common password they use again and again at "who-cares" sites, we don't want to be warned all the time. The second time we use that password we'll get a warning, and we need a box to say, "Don't warn me about re-use of this password."


No, senator Stevens was misquoted...

Everybody in the blogosphere has heard something about Alaska's Ted Stevens calling the internet a series of tubes.

They just heard him wrong. His porn filters got turned off and he discovered the internet was a series of pubes.

(And, BTW, I think we've been unfair to Stevens. While it wasn't high traffic that delayed his E-mail -- "an internet" -- a few days, his description wasn't really that bad... for a senator.)

Judge allows EFF's AT&T lawsuit to go forward

Big news today. Judge Walker has denied the motions -- particularly the one by the federal government -- to dismiss our case against AT&T for cooperating with the NSA in warrantless surveillance of phone traffic and records.

The federal government, including the heads of the major spy agencies, had filed a brief demanding the case be dismissed on "state secrets" grounds. This common law doctrine, which is often frighteningly successful, allows cases to be dismissed, even if they are of great merit, if following through would reveal state secrets.

On the refutation of Metcalfe's law

Recently IEEE Spectrum published a paper on a refutation of Metcalfe's law -- an observation (not really a law) by Bob Metcalfe -- that the "value" of a network increased with the square of the number of people/nodes on it. I was asked to be a referee for this paper, and while they addressed some of my comments, I don't think they addressed the principal one, so I am posting my comments here now.


How only Google can pull off pay-to-perform ads

Bruce Schneier today compliments Google on trying out pay-to-perform ads as a means around click-fraud, but worries that this is risky because you become a partner with the advertiser. If their product doesn't sell, you don't make money.

And that's a reasonable fear for any small site accepting pay-to-perform ads. If the product isn't very good, you aren't going to get a cut of much. Many affiliate programs really perform poorly for the site, though a few rare ones do well.


PayPal should partner with UPS and other shippers

You've seen me write before of a proposal I call addresscrow to promote privacy when items are shipped to you. Today I'll propose something more modest, with non-privacy applications.

I would like PayPal, and other payment systems (Visa/MC/Google Checkout) to partner with the shipping companies such as UPS that ship the products bought with these payment systems.


EBay: Sniping good or bad or just a change of balance?

Ebayers are familiar with what is called bid "sniping." That's placing your one, real bid, just a few seconds before auction close. People sometimes do it manually, more often they use auto-bidding software which performs the function. If you know your true max value, it makes sense.

However, it generates a lot of controversy and anger. This is for two reasons. First, there are many people on eBay who like to play the auction as a game over time, bidding, being outbid and rebidding. They either don't want to enter a true-max bid, or can't figure out what that value really is. They are often outbid by a sniper, and feel very frustrated, because given the time they feel they would have bid higher and taken the auction.

This feeling is vastly strengthened by the way eBay treats bids. The actual buyer pays not the price they entered, but the price entered by the 2nd place bidder, plus an increment. This makes the 2nd place buyer think she lost the auction by just the increment, but in fact that's rarely likely to be true. But it still generates great frustration.

The only important question about bid sniping is, does it benefit the buyers who use it? If it lets them take an auction at a lower price, because a non-sniper doesn't get in the high bid they were actually willing to make, then indeed it benefits the buyer, and makes the seller (and, interestingly, eBay) slightly less.

There are many ways to write the rules of an auction. They all tend to benefit either the buyer or the seller by some factor. A few have benefits for both, and a few benefit only the auction house. Most are a mix. In most auction houses, like eBay, the auction house takes a cut of the sale, and so anything that makes sellers get higher prices makes more money on such auctions for the auction house.



IMAP server should tell you your SMTP parameters

When you set up a mail client, you have to configure mail reading servers (either IMAP or POP) and also a mail sending server (SMTP). In the old days you could just configure one SMTP server, with no userid or password. Due to spam-blocking, roaming computers have it hard, and either must change SMTP servers as they roam, or use one that has some sort of authentication scheme that opens it up to you and not everybody.


Web sites -- stop being clever about some structured data

A lot of the time, on web forms, you will see some sort of structured field, like an IP address, or credit card number, or account number, broken up into a series of field boxes. You see this in program GUIs as well.

On the surface it makes sense. Never throw away structure information. If you're parsing a human name, it may be impossible to parse it as well from a plain string compared to a set of boxes for first, last and middle names.


Sudden web traffic not so great with Adsense

As I've written before, Google's Adsense program is for many people bringing about the dream of having a profitable web publication. I have a link on the right of the blog for those who want to try it. I've been particularly impressed with the CPMs this blog earns, which can be as much as $15. The blog has about 1000 pageviews/day (I don't post every day) and doesn't make enough to be a big difference, but a not impossible 20-fold increase could provide a living wage for blogging.

Browsers: Time to have a default margin

In most browsers, the default style presents text adjacent to all sides of the browser window, with no margin. This is a throwback to the early days of screen design, when screen real estate was considered so valuable that deliberately wasting it with whitespace was sacrilege.

Of course, in centuries of design on paper, nobody ever put text right up to the margins. Everybody knows it's ugly and not what the eye wants. Thus, when you see a web page using the default style, which I end up with myself out of laziness, people have a reaction to it as ugly.


How web sites can do a much smarter 'pledge drive'

There is buzz about how Jason Kottke, of kottke.org, has abandoned his experiment of micropayment donations to support his full-time blogging. He pulled in $40,000 in the year, almost all of it during his 3 week pledge drive, but that's hardly enough. Now I think he should try adsense, but I doubt he hasn't heard that suggestion before.

However, PBS/NPR are able to get a large part of their budgets through pledge drives, so it's possible to make this happen. I think we should be able to do it better on the web.

Wanted: A google/yahoo/etc. ad optimizer

Yahoo is now entering the context-driven ad field to compete with Adsense, and that's good for publishers and web authors. I have had great luck with adsense, and it provides serious money for this blog and my other web sites, which is why I have the affiliate link on the right bar encouraging you to join adsense -- though I won't mind the affiliate fee as well, of course.

Experimenting with Yahoo Publisher for RSS

While I have been using Google ads on the blog for some time (and they do quite well), they don't yet do RSS ads outside of a more limited beta program. So I'm trying Yahoo's ads, also in beta but I'm on the list.

They just went live, and all that's showing right now is a generic ad, presumably until they spider the site and figure out what ads to run. Ideally the ads will be as relevant as the ones Google Adsense serves.

Competition between Google and Yahoo will be good for publishers. Just on basic click-rates, one will tend to do better than the other, presumably. If one is consistently doing worse, it will lose all its partners, who will flock to the other. The only way to fix that will be to increase the percentage of the money it pays out, until it reaches a genuinely efficient market percentage it can't go above.


On the two-tier internet

Of late there's been talk of ISPs somehow "charging" media-over-IP providers (such as Google video) for access to "their" pipes. This is hard to make sense of, since when I download a video from a site, I am doing it over my pipe, which I have bought from my ISP, subject to the contract that I have with it. Google is sending the data over their pipe, which they bought to connect to the central peering points and to my ISP. However, companies like BellSouth, afraid that voice and video will be delivered to their customers in competition with their own offerings, want to do something to stop it.

To get around the content-neutrality rules that ILEC-based ISPs are subject to, they now propose this as a QoS issue: that there will be two tiers, one fast enough for premium video, and one not fast enough.

Today I've seen comments from Jeff Pulver and Ed Felten on possible consequences of such efforts. However, I think both directions miss something... (read on)

MMORPG for Seniors and Shut-ins

I was visiting a senior citizen today who rarely leaves her house due to lack of mobility. Like many her age, she is not connected to the net, nor interested in it. Which makes the following idea a challenge.

Could we design a really engaging game/online community for seniors? Especially those who have had to give up much of their old community because of infirmity? They don't want to slay monsters like in Evercrack or Warcraft. They won't build objects like in Second Life.
