A CAPTCHA (Completely Automated Public Turing Test To Tell Computers and Humans Apart) is a program that can tell whether a user is a human or a computer, and has a variety of uses including:

• Preventing comment spam in blogs
• Protecting web site registration
• Protecting online poll integrity
• Preventing rapid dictionary attacks
• Excluding search engine bots from accessing certain pages
• Protect systems vulnerable to e-mail spam

Most CAPATCHA's are images with distorted text - frequently seen at the bottom of web registration forms, and looking something like this:

Some of the original inventors of the CAPTCHA system at Carnegie Mellon University have implemented a means by which some of the effort and time spent by people who are responding to CAPTCHA challenges can be harnessed as a distributed work system.

This system, called reCAPTCHA, works by including "solved" and "unrecognized" elements (images which were not successfully recognized via OCR) in each challenge. The respondent thus answers both elements and roughly half of his or her effort validates the challenge while the other half is captured as work.

If you need a CAPTCHA service for your web site, then the CMU reCAPTCHA service is a nice way to provide that functionality and get your users to give back a little to education by archiving human knowledge through helping to digitize books in the process. There is an ASP.NET library for reCAPTCHA here and library modules for other programming languages and application plug-ins are available here.

Live Mesh puts you at the center of your digital world, seamlessly connecting you to the people, devices, programs, and information you care about - available wherever you happen to be.

The design goals for Live Mesh are to have ...

• ... your devices work together
• ... your data and applications available from anywhere
• ... the people you need to connect with just a few clicks away for sharing and collaborating
• ... the information you need to stay up-to-date and always be available

Mesh achieves these design goals by combining the power of "cloud services", with the convenience and rich experience of your many devices.

Overview of Live Mesh platform experience

Resources

• "Welcome to Live Mesh" blog post
  http://blogs.msdn.com/livemesh/archive/2008/04/21/welcome-to-live-mesh.aspx
• Windows Live Developer blog - "Introducing Live Mesh"
  http://dev.live.com/blogs/devlive/archive/2008/04/22/279.aspx
• Live Mesh Team blog
  http://www.mesh.com/blog
• Overview of Live Mesh platform experience
  http://www.on10.net/blogs/nic/Hands-on-with-Live-Mesh/
• Platform experience quick tour
  http://www.mesh.com/Welcome/Tour.aspx
• Platform quick tour for developers
  http://www.mesh.com/Welcome/TourDeveloper.aspx
• New York Times - "Microsoft Reveals a Web-Based Software System"
  http://www.nytimes.com/2008/04/23/technology/23soft.html?ex=1209614400&en=8682b3a30abb4b90&ei=5040&partner=MOREOVERNEWS
• ComputerWorld - "Microsoft to weave Web 'Mesh' for data, devices and applications"
  http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9079778&intsrc=hm_list
• ComputerWorld - "Analysts: With Live Mesh, Microsoft tries to shift Web 2.0 playing field back to its strengths"
  http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9079964&intsrc=news_ts_head
• eWeek - "Live Mesh - A Developer's Dream?"
  http://www.eweek.com/c/a/Application-Development/Live-Mesh-A-Developers-Dream/
• Angus Logan's blog entry - "Live Mesh Technology Preview + links to all the write ups"
  http://blogs.msdn.com/angus_logan/archive/2008/04/23/live-mesh-technology-preview-links-to-all-the-write-ups.aspx

Online payment service PayPal plans to block users from making transactions from Web browsers that don't provide anti-phishing protection.

http://www.eweek.com/c/a/Security/PayPal-Plans-to-Ban-Unsafe-Browsers/

http://news.bbc.co.uk/2/hi/technology/7354539.stm

In a white paper that outlines a five-pronged action plan aimed at slowing the phishing epidemic, PayPal Chief Information Security Officer Michael Barrett said there's a "significant set of [PayPal customers] who use very old and vulnerable browsers" and made it clear that any browser that falls into the "unsafe" category will be banned.
"In our view letting users view the PayPal site on [an unsafe] browser is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts."

So if you're a browser maker that doesn't provide any anti-phishing protection and doesn't support the use of EV (Extended Verification) SSL certificates, then you better get an update out soon!

In a move that further demonstrates Microsoft's commitment to user-centric data portability, Microsoft has partnered with some of the world's top social networks to make data portability for contacts a reality.

Earlier this month at MIX08, Microsoft announced the release of the Windows Live Contacts API, which web developers can use to enable their users to transfer and share their Windows Live Contacts in a safe and secure way. Starting today, Microsoft is working with Facebook, Bebo, Hi5, Tagged and LinkedIn to exchange functionally-similar Contacts APIs, allowing all partners to create a safe, secure two-way street for users to move their relationships between our respective services.

Along with these collaborations, Microsoft is introducing a new web site at www.Invite2Messenger.net that people can visit to invite their friends from our partner social networks to join their Windows Live Messenger contact list.

For quite some time now, Microsoft has been making investments in the pursuit of data portability to put users at the center of their online experience, while at the same time being thoughtful about balancing user security and privacy with the experience. Today’s announcement is another step in that direction.

More details about this announcement, and the principles that underlie it, can be found on this blog posting on dev.live.com by John Richards.

Resources

• Blog posting - Microsoft launches Invite2Messenger.net and announces deal with 5 top social networks
• Blog posting - Windows Live Platform MIX08 Announcement
• Blog posting - Delegated Authentication SDK v1.0

Update: Angus Logan provides a detailed look at how the sharing experience works for the first two implementation - Facebook and Bebo, including some great screenshots.
Two way contact APIs with the top Social Networks and Windows Live - invite to WL from Facebook; invite to Bebo or facebook from Windows Live - SAFELY!

Angus Logan posted a great summary of the way Microsoft and Windows Live handles credential capture, which is worth a detailed read by everyone:

No Microsoft web site will ask you for your Live ID credentials except login.live.com (and accounts.live.com when linking accounts).
Any other web site which asks you for your credentials may not be evil.com but they could be sloppy coders or they could be hacked -- putting your credentials at risk of being stolen.

This equates to the First Law of Password Hygiene:

Only hand over your account credentials to your Identity Provider (for example, Windows Live ID),

• Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
• Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
• Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
• Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
• Law #5: Weak passwords trump strong security
• Law #6: A computer is only as secure as the administrator is trustworthy
• Law #7: Encrypted data is only as secure as the decryption key
• Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
• Law #9: Absolute anonymity isn't practical, in real life or on the Web
• Law #10: Technology is not a panacea

Item #1 is particularly important in relation to yesterday's news!
If you install an application on your machine, you are implicitly granting it a certain level of trusted access -- so you better be sure you know and trust the source of that application.

Sound familiar? Yes, that's exactly the sort of issue that Windows Live ID Delegated Authentication is intending to combat.

If I think about an archiver application for an online mailbox, then I would want to allow it to do this action on your behalf:

• Read a copy of each e-mail in your mailbox

But NOT allow it to do these things:

• Send e-mail on your behalf
• Delete items in your mailbox
• Access any of your other data (Contacts, Calender, etc) apart from your mailbox

So how does Delegated Authentication help in this case?

Delegated Authentication is a way to permit access to personal information, but with more precise control over access and usage permissions than the current binary decision (that is, fully on or fully off) that comes with the generally bad practice of handing over your account credentials to another Web site.

[ Delegated Auth Whitepaper ]

In other words, if I were using this particular app, I would want to grant it something like a Mailbox.Read permission only, but not Mailbox.Write or Mailbox.Send or Calender.Read or Contacts.Read, and definitely not giving it my full acccount credentials.

The core principles here are that people should scope the permissions they grant to an application to access their data in the cloud, and they should get out of the bad habit of handing over their account credentials (such as passwords)

Angus Logan posted an impassioned statement showing why Live ID users should only even enter their account credential into their identity provider (login.live.com), which is a timely reminder to all Live ID users.

We also took a very strong stance on this in the Delegated Auth Whitepaper:

Only hand over your password and account credentials to your identity provider (for example, Windows Live ID), and to NO ONE else.

Hopefully today's issue will act as a wakeup call to the industry and result in a very serious look at consent-based data access techniques like Windows Live ID Delegated Authentication

Here's the MIX08 presentation from Angus Logan covering the overall Windows Live Platform developer functionality, and heavily emphasizing lots of great Live ID technology.

• Windows Live ID Web Authentication is covered from 24:18 through 35:21
• Windows Live ID Delegated Authentication is covered from 35:30 through 46:43

The 3D Virtual Earth geo-coding example around 59:00 through 1:00:29 is really cool too!

Developing with Windows Live Platform
http://sessions.visitmix.com/?selectedSearch=T29

This is a big step in delivering real, user-centric data portability - giving Windows Live customers explicit control over sharing their information from Windows Live services.

Full details are on the Windows Live ID team blog and the Windows Live Developer portal

• Delegated Authentication whitepaper
• Delegated Authentication SDK v1.0 blog posting
• Windows Live Platform Announcement blog posting

You may have wondered why my blog has been “dark” for so long, and the short answer is that I moved to a new role at Microsoft in September 2007 and at about the same time had to deal with a series of illnesses in the family, which occupied a great deal of my time and attention.

Winding back to September then … After 4 years of working on Web Service Standards and Interoperability at Microsoft (involving 21 WS-* specifications, 8 Feedback Workshops, 13 Interop Workshops and 4 Plug-fests), I’ve changed roles.

I’ve moved back to my software roots, and taken a technical role as a Feature PM in the Windows Live Identity Services (aka Live ID / Passport) product development team.

Live ID [1], [2] is an interesting place to learn about world leading software-as-a-service - the team runs one of the biggest authentication services on the web today - handling over 400 million active users and over 1 billion transactions per day!

Interestingly, much of the current and future work of the Live ID team is focusing on leveraging web services technology and appropriate standards such as WS-Trust / WS-Federation to achieve broad interoperability and deployment for Live ID technology in the industry.

Web services and standards-based interoperability are playing a key role in creating a network effect around identity data, which IMHO is one of the significant themes driving forward the "Third Age of Web Services" [3].

So in some ways then, I am really just moving from the sell-side to the buy-side of the standards business!

[1] http://dev.live.com/liveid/
[2] http://msdn2.microsoft.com/en-us/library/bb288408.aspx
[3] http://www.thearchitect.co.uk/weblog/archives/2005/05/000357.html

I expect there will be a lot of Out of Office auto-replies like this across Microsoft and Corporate America today:

Tuesday 9/25 - Today is Halo 3 day, so I will be unavailable for most of the day, evening and night to "finish the fight" against the Covernant and Flood.

Expect e-mail replies to be delayed during this time.

http://research.microsoft.com/research/pubs/view.aspx?tr_id=1355

The task of consistently and reliably replicating data is fundamental in distributed systems, and numerous existing protocols are able to achieve such replication efficiently. When called on to build a large-scale enterprise storage system with built-in replication, we were therefore surprised to discover that no existing protocols met our requirements. As a result, we designed and deployed a new replication protocol called Niobe. Niobe is in the primary-backup family of protocols, and shares many similarities with other protocols in this family. But we believe Niobe is significantly more practical for large-scale enterprise storage than previously-published protocols. In particular, Niobe is simple, flexible, has rigorously-proven yet simply-stated consistency guarantees, and exhibits excellent performance. Niobe has been deployed as the backend for a commercial Internet service; its consistency properties have been proved formally from first principles, and further verified using the TLA+ specification language. We describe the protocol itself, the system built to deploy it, and some of our experiences in doing so.

By the way, I'm not sure where the "2008" bit at the end of this videa clip comes from, because yesterday's news confirmed that Halo 3 has gone Gold and is ready for the scheduled release date of 25-Sept-2007.