Did I get the CAPM credentials? No. Total failure. I did accomplish some goals on the personal level, but this one that I set for my career path wasn’t done. Heck, I haven’t even finish the book!. I’m about 20% done with it, and at this pace I’ll finish it in 2 months.

I guess I’ll have to take some time off and use it exclusively to study. Anybody with a good study group?
One of my strategies is to force myself to do things is by paying something towards it. Like a gym mebership, wich I used for about a year regulary. So, I guess I’ll have to pay for a 1 month course CAPM cert preparation. Any other ideas?

The wait is over and we have the new windows novelty: Windows Azure. It’s Microsoft’s approach to the “new” could computing.
Will continue posting about it as soon as i finish some sessions I’m attending (bt not putting too much attention thou).

Still Azure will be in Beta (CTP) stage until late 2009 possibly, but we the fortunate attendees of PDC2008 will be the first ones to get an account to test. I’ll be posting about that too (hopefully the accounts will be ready next week).

I’ll be in LA from monday to thursday trying to get a grip of the newest MS gossip Microsoft Strata.

In the last years there has been some key presentations that have changed, and amazed, the world of technology. And Steve Jobs has been present in many of them, from the Mac redesign, the iPhone, and the latest MacBook Air. He is simply a master of presentations, and here is a very interesing article about simple elements he use to amaze the masses and deliver a great presentation:

Deliver a Presentation like Steve Jobs

 For registration go to:

http://www.microsoft.com/heroeshappenhere/default.mspx

See you in San Diego’s!

The best feature of this software is that is the price: free, zero, nada, nulo, nitchs. Thank God for open source programmers.

All the feature list can be found at the website, so I won’t go deep on explanations. I’ll just say that is a very robust software offering several encryption algorithms (AES-256, Serpent, and Twofish) and three hash functions (RIPEMD-160, SAH-1, Whirlpool) all of them yet to be broken (rumors about SAH-1 being compromised have circulated the net but no practical example yet, mathematical and conspiration theories only). Additinally, you can stack the algorithms to create a more complex result (slower process but theorically more secure), so the possible combinations with the corresponding benchmark in my machine are:


(For comparison, unencrypted IDE drives range from 60 to 90MB/s, SATA150 from 90 to 130MB/s and SATA300 from 120 to 200MB/s)

But what concern us about it is the next two features: real time encryption and virtual disk/device configuration.

Virtual disk encryption means you can create a file and mount it as a volume that creates a new drive in windows. While device encryption means you can configure the whole storage device (disk, volume, usb drive, et al) to be encrypted.

Real time encryption means that all encryption work is done on memory, and transparent for the user. You just configure the disk and voila! you have a new drive letter where you can read/write without noticing it’s being encrypted.

I tested with one virtual disk (Quang didn;t allow me to format the disk I borrowed) and here are my impressions:

I created a 10GB virtual file with the AES-Twofish encryption and whirlpool hash and tested the following scenarios:

• big files read/write
  
• network read/write
  
• VPN accessed (mounted the file located @ the office in my home computer )
  
• Media play (mp3, video)
  

The assumption that people use the same user/password in several accounts gives attackers an advantage: they don’t have to break into your bank to get your info, they just have to get your username/acount from that shady forum you suscribed 6 months ago.

To prevent this kind of attack, and at the same time prevent our head to explode for all informatino we need to memorize, there is a very simple trick to allow us to use the “same” password for every account we have, but having the peace of mind that by subscribing to that forum with lots and lots of torrent files you won’t be as exposed to account stealing as the normal user.

The solution is to use an algorithm to create our passwords, simple enouhg for us to remember, but giving a complex enough result to have different passwords in every one of our accounts.

First, we start with a “base” password. Something we’ll always remember. It could be your current password you use for all your accounts . Let’s say for example, that we use “123mambo”. That itself could be a very good password: characters and numbers, not relating to anything specific or giving information about us. But you shouldn’t use it for all of your accounts. So let’s add a simple process to customize it for all of our accounts.

For every website/place we need a password, we take our “base” password, and add some of the letters directly from the name of that site and create something unique for all websites. That’s it… simple, right? Let’s see how it works.
the characters I’ll use to “salt” my password will be the 1st, 2nd and 5th letters of the site’s name, and the total number of characters in the name.

Let’s see how it works:
take www.hotmail.com for example. Applying my previously decided algorithm, the pasword for my hotmail account would be:
“123mambo” + “h” (1st char) + “o” (2nd char) + “a” (5th char) + 7 (“hotmail” = 7 chars) = 123mambohoa7
Now let’s create the password for a yahoo account:
www.yahoo.com
“123mambo” + “y” (1st char) + “a” (2nd char) + “o” (5th char) + 5 (“yahoo” = 5 chars) = 123mamboyao5
and what about our newspaper subscription?
www.nytimes.com
“123mambo” + “n” (1st char) + “y” (2nd char) + “m” (5th char) + 7 (“nytimes” = 7 chars) = 123mambonym7

Some other website examples and their results:
www.mymail.com – “123mambomyi6″
www.unitedbank.com – “123mamboune10″
www.bankofcalifornia.com – “123mambobao16″
www.usabank.com – “123mambousa7″
Microsoft Money – “123mambomio14″
Outlook – “123mambooul7″
Time Reporter – “123mambotir12″

So, as you can see, we can get pretty much secure passwords without the hassle of using too much of our memory.

I hope this one was useful for you. Be creative, and please don’t use 123mambo ’cause I already use it (j/k) but above all, be safe.

Phising is nowadays one of the most effective attack techniques. It consists in obtaining users information thru a fake copy of a real website. Then send messages to users asking to enter their data (login information usually) in that website. That website will allways fail to validate the users, so users try again and again until they give up. But by then, users already gave away their info to some stranger just waiting for it to get access to the real websites.

Just last week, I was in my home computer when I realized that something had modified my HOSTS file (see modified content below). That with the intent of getting login information for the online banking system of Banamex bank (citi group’s mexican bank).
If I had any account in Banamex and I wouldn’t realized of the modification, I could’ve entered my info in that fake website. And then several days later discover some strange transactions in my accounts, starting the lenghty process of recovery from an identity loss (fight with the banks, trying to get the money back, etc).
As that day’s good action, I decided to inform Banamex bank about what happened, waiting at least that they could try to take the fake website down, alert their cusomers, or anything.. but oh deception!
They only let their stupidity arise. And here is the communication I had with them (in spanish because they are a mexican bank, basically I let them know about the attack and they answered me with a customer service phone number so they can give me a better service… yeah right!):


De: Abraham Vargas (XXXXXX@XXXXX.XXX)
Enviado el: Viernes, 25 de Mayo de 2007 01:07 a.m.
Para: Servicio A Clientes (1) [BNMX]
Asunto: Servicio a clientes (Portal 1)
Modulo de Servicio Clientes
Nombre del usuario :ABRAHAM VARGAS
Mail del usuario :XXXX@XXXXXX.XXX
Teléfono del usuario :000
Fax del usuario :000
Dirección del usuario :USA
Colonia del usuario :USA
CP del usuario :92069
Ciudad del usuario :SAN MARCOS CALIFORNIA
Estado del usuario :OTRO
País del usuario :ESTADOS UNIDOS
Tema de contacto :SERVICIOS EN LINEA BANCANET
Comentario del usuario:QUE TAL LES ESCRIBO PORQUE ALGUN VIRUS DE INTERNET CAMBIO LA CONFIGURACION DE MI COMPUTADORA PARA QUE AL INTENTAR ACCESAR EL SITIO DE BANAMEX ACCESARA A LA SIGUIENTE DIRECCION DE IP 189.180.78.75 PARA QUEINVESTIGUEN PORQUE PARECE SER UNA DIRECCION FALSA PARA OBTENER PASSWORDS DE SUS USUARIOS. LA CONFIGURACION COMPLETA QUE CAMBIO FUE EL ARCHIVO HOSTS Y PUSO ESTO EN LUGAR DE MI ARCHIVO ORIGINAL:
189.180.78.75 WWW.BANAMEX.COM
189.180.78.75 BANAMEX.COM
189.180.78.75 WWW.BANCANETEMPRESARIAL.BANAMEX.COM.MX
189.180.78.75 BANCANETEMPRESARIAL.BANAMEX.COM.MX
189.180.78.75 BOVEDA.BANAMEX.COM.MX
189.180.78.75 WWW.BOVEDA.BANAMEX.COM.MX
ESPERO PRONTO PUEDAN ARREGLAR EL PROBLEMA
SALUDOS

And the answer was:


From: "Atencion Empresarial 3 [BNMX]" (atenempre3@banamex.com)
To: XXXX@XXXXXX.XXX
Subject: SC-Servicio a clientes (Portal 1)
Date: Mon, 28 May 2007 11:30:00 -0500
Estimado Cliente
Buenas tardes, reciba un cordial y afectuoso saludo.
Con el objeto de proporcionarle el mejor servicio , le invitamos a llamar a los teléfonos de atención a clientes (1800 226 2639 (1800 BANAMEX))
Nota:
Este mensaje tiene el carácter de informativo y la falta de recepción de la misma por parte del cliente no implica obligación ni responsabilidad alguna del banco.
** Nota: Le recordamos que Banamex nunca le solicitará información confidencial como su número secreto, password, información personal y de sus cuentas vía correo electrónico. Si recibes un correo solicitando esta información, sospecha de su origen, no conteste o de click en ligas de estos correos y reenvíelo a la dirección de correo electrónico giso@banamex.com
Gracias y Saludos!!
ATENCION EMPRESARIAL 3
Tel.: 1800 226 2639 (1800 BANAMEX)
La información contenida en este mensaje esta destinada únicamente para el uso de la persona o entidad identificada como receptor. Cualquier uso no autorizado es responsabilidad del receptor. Si usted recibe este mensaje por error favor de notificarlo inmediatamente al remitente y hacer caso omiso de la información ahí contenida.
The information contained in this e-mail message is only for purposes of the intended recipient. Any unauthorized use is responsibility of the receiver. If you have received this e-mail message in error, please immediately notify the sender and delete it from your computer.
What can we wait from a customer service like that?
Thank you, but that’s useless to me… so, do you have an account with Banamex?