Here is my identity and fraud link round-up for the week:

Does ID theft really cost $48 billion a year?

Stolen VA laptop recovered

Study: Most Technology Companies Have Data Losses

U.S. Navy: Data Breach Affects 28,000

KEYNOTE PRESENTATIONS

PRECONFERENCE TUTORIALS

Internet Explorer beta 3 has been released and can be found here. The IE team and Dave Massy are boast of its new features:

• New icons
• Tab reordering
• Authenticated FTP
• Easy access to email (put it back)
• Small details (for example, image resizing changes)

See some screenshots on the IEBlog.

What's really cool is that the IE team has made, and still is making, EXTRA effort to listen to what users are saying about IE 7 and adding features and improvements based on feedback. If you like, dislike or have an idea about IE7 you can submit your feedback in 3 ways:

Today my wife sent me one of those "I'm American hear me roar" emails that was simply a picture of an American flag with text stating: Why the hell should I have to press '1' for ENGLISH?!

You're right dear wife, and whoever created the political statement over the top of a pixelated American flag. Why should you have to press 1 for English? But since the statement is politically charged by the powerful American flag I'm pretty sure the question is nothing but a derogatory statement rather than a jab at the real issue... You see, if you ask me, the reason you have to press "1 for English" is because of bad design and usability:

The way I see it is that we have two use cases when a system is designed for two languages and the majority is English:

1. English caller
2. Caller speaking other language (we'll use Spanish as an example)

Seems simple, in most cases the English speaking caller is going to be a higher percentage than the Spanish right? So why inconvenience the majority? That'd be like having all IE 6 users click an extra button to view content...Dumb. So why don't we just do something like the following:

You: Ring... Ring... Ring....

Big Corp: Hello, welcome to Big Corporation! Hola, recepción al Big Corporation! Presione el número uno para el español (translated, I think: Hello, welcome to Big Corp, press number one for Spanish)

You: Wait patiently for a second (note, no phone fumbling here!)

Big Corp: Press 2 to get yourself into a loop, press 3 if you want to talk to somebody (even though you can't).....

Makes sense doesn't it? I know nothing about phone systems but it can't be that terribly difficult in this day and age. Can it?

Larry Dignan over at EWeek.com asks us how much our personal data is worth. He proposes "Stiffer fines, Safter Data". I agree and disagree; stiffer fines will eventually lead to safer data, but it won't happen right away. Enterprises need maintainable solutions and process that work first. In my opinion, identity theft lawsuits and media frenzy will drive this "solution".

How much is your stolen, used, and abused identity worth to you? Is $1000 enough? Has your identity been stolen? How much did it end up costing you money and time-wise?

What evil things could happen when you have lack of component integration testing? For example, when a team delivers A and B you naturally test A+B and then hopefully you test B+A.  Sometimes it's not as easy as A and B though. Sometimes it's as complex as H & I & T & S. A little exploratory testing goes a long way if you're having trouble with the orthogonal array.

Thanks Matt for sending this to me. The image comes from AnthemAmerica.com.

Opera 9 was realeased today. Opera continues to hang with the big dogs with new features such as:

• BitTorrent
• Content blocker
• Add your favorite search engines
• Tab Thumbnail preview
• Site preferences
• Widgets
• Improved rich text editing

Download Opera 9 here.

And here we are on a glorious data stolen Two-sday:

Laptop with D.C. workers’ personal data stolen
 
Equifax laptop containing employees' SSNs stolen
A coworker and risk manager, Simon points out: "Equifax is a BS7799-2 certified company.  They/we are not immune…."

On the bright side, we have employers rushing to stem data theft tide

Borland has released a free load testing white paper entitled "Choosing a Load Testing Strategy" to help market their product Borland SilkPerformer (formerly Segue). The paper is a good read and gets really interesting when they talk about home-grown testing applications, open source load-testing tools, testing with Mega-IDEs, Web only load testing tools, hosted load-testing services and of course Enterprise class load-testing solutions.

Download "Choosing a Load Testing Strategy" here.

A while ago LifeHacker.com wrote about the screen capture utility ScreenGrab by Andy. ScreenGrab is an extension for FireFox that allows you to capture a FireFox browser screen and save it as a PNG file in 3 different ways:

• The entire FireFox window (same as the PC ALT+PrtScr)
• The entire content of the site (scrolling content)
• The content that is viewable in the FireFox window (ViewPort)

Andy says he is working on adding the following features:

• Being able to select a region to grab (using something similar to MeasureIt).
• Removing my dependence on Java (much like the folks over at Pearl Crescent did with their PageSaver, based - like I said one would be eventually, on the Canvas widget).
• All those configuration options people keep whining about (default save to location, default naming, different file types, different menu locations).
• Making a shortcut key to do the grab.

SnagIt vs. ScreenGrab + Kleptomania

When making a choice on which to use for Web application testing here are some things to think about:

• SnagIt won't give you the OCR/text capture feature that Kleptomania has.
• ScreenGrab won't work in Internet Explorer.
• ScreenGrab doesn't have drawing tools.

For Web application testing ScreenGrab fills a hole in one of my favorite tools Kleptomania because it captures content that requires scrolling. Putting the two together is about the same price as SnagIt. Neither are magic bullets for Web application screen and text capturing. TechSmith, if you add OCR/text capture to SnagIt I'm sold. Until then I'm sticking with ScreenGrab and Kleptomania.

ScreenGrab 0.8 is free, download it here.

Stolen or "Lost" data reports sure seem a bit overwhelming lately don't they?

Stolen file contained unclassified information on 1,500 contract workers

Nearly 1 million prospective AIG customers could be at risk

How do you make sure that the Web Service you are testing complies with the Web Services Interoperability Organization standards? I use ParaSoft SOATest. It's really a no brainer because the tests are there by default when you create a project in SOATest (as seen in the image). The WS-I tests ensure that your Web Services are compliant with the WS-I Organization's Basic Profile version 1.1. When you look at the list of test assertions that SOATest conducts you can feel at ease that your service is definitely compliant.

This security breach hits a little to close to home:

Porn-surfing hits taxpayer IDs
Security breach - More than 1,300 people face identity theft after a state employee let in data-stealing spyware

Last night the 10 o'clock news said that the Oregon Department of Revenue would be sending letters to the individuals at risk.  I'm an Oregonian and I'm hoping I didn't make the list. It was rather amusing when the news station asked random Portland citizens their thoughts on the matter and they were more aghast with the fact that a Department of Revenue employee was surfing porn at work! Amazing... what is it going to take to wake up the public so they see the root of this identity theft problem?

My coworker Scott Hanselman recently blogged about his use and experience with the tool Invirtus VM Optimizer. The tool worked well for Scott and his dynamic disk MS Virtual PC images so I looked at how it could improve my fixed disk images. The site didn't reveal anything on improvment for fixed disks so I emailed support at Invirtus to ask about it:

I’m trying to understand how your product would work with a MS VPC that is utilizing the “Fixed Disk” feature. Since the VPC size is fixed will Optimizer shrink it to the smallest size and leave the image unusable (since it won’t don’t dynamically grow)? Or will Optimizer allow me to specify a buffer beyond the optimized size to ensure the VPC doesn’t run out of space?

The reply was:

Optimizer will work with a fixed disk in that it will increase the available free space to the maximum available. But, you cannot shrink the disk itself.

While writing test cases, on the side I converted a fixed disk image to a dynamic disk to see if Optimizer could decrease the 6.3 GB size. The attempt resulted in a slightly LARGER VPC size (6.4 GB). After scratching my head for a while I then emailed support to ask why:

I used your tool with a MS VPC that was a dynamic disk of 6.3 GB. After running the tool the disk ended up being a little over 6.4 GB. The VPC image was VERY clean prior to running of the tool (fresh Server 2003 OS install, SQL 2000, installed two Web Services and a few web sites). Am I missing something or is the tool primarily used for MS VPC bloat that is caused over time VPC? Why did the size go up?

The reply was:

In VM Optimizer we include a tool called Freespace.exe. Freespace.exe goes sector by sector and cleans the whitespace. This means that every sector on your disk is touched and when that happens on a virtual disk the size of the disk expands. However, in a dynamically expanding scenario the size will reduce quite substantially and in your fixed disk scenario the disk will remain approx. the same or grow just slightly.

So, no special magic here for me and my situation. It makes sense; you can't squeeze blood out of a turnip. For performance reasons, I converted a  6.3 GB virtual disk image to a 10.1 GB fixed disk image but the caveat is that copying and network transfer a bit painful. I'm assuming that the 3.8 GB difference is free space. My test environment doesn't need this much free space, 1 GB would be enough. At this point I think the only way to get my fixed disk smaller is to specify the free space when converting from dynamic to virtual. Does anybody know a trick for this? Am I looking at a feature request?

Update 6/19: I contacted Ben the Virtual PC Guy to see if he had any tricks up his sleeve for downsizing the free space in a fixed disk and he responded with: "We do not provide a way to change the maximum size of a virtual hard disk today.  If you want to do this you will need to create a new virtual hard disk - at your desired size - and then use a tool like Symantec Ghost to transfer the data to the new virtual hard disk."

Today Greg sent me a link and after clicking it the title of the article had me thinking that the identity theft pendulum had begun to swing the other way (in our favor). The article title was: Veterans Affairs chief calls for stronger data laws

The article is a reactive statement to the 26.5 million veterans information that was stolen a while ago and starts out hopeful with a great inspirational quote:

"It's an emergency at the VA, and it should be an emergency in our society,"

but then starts to take a roll down hill with:

Rep. Tom Davis, the Virginia Republican who heads the committee, said the incident had prompted him to weigh changes to a law called the Federal Information Security Management Act of 2002, which outlines procedures federal agencies must undertake in order to protect their data and systems.

I wonder, is it the actual incident that prompted Tom OR WAS IT THE FACT THAT THE VETS ARE SUING? Hope spirals back into the vast wasteland of stolen identity when the article goes on to say:

That law requires agencies to notify law enforcement and internal inspectors general when a breach occurs, but it does not require notification of potential victims or the public. It must be updated to include penalties, incentives and "proactive notification requirements," Davis said, adding that he is "troubled as the number and scope of losses continues to expand."

So if I understand right, once you let my data get stolen you'll find it in the goodness of your heart to tell me (instead of me finding out after my bank account is drained). That's proactive? I think not. Proactive is encrypting my data and being certified to manage my data. Ugh..This is pathetic.

I just did an Internet search for "Software Quality Assurance for Dummies" and found nothing. I can hardly believe it! The luck is equal to finding a dot com domain name that isn't taken.

If you're looking to get into Software Quality Assurance, or are green in SQA look forward to the up and coming publication: Software Quality Assurance for Dummies by Brent Strange:

P.S.
John Wiley & Sons, Inc. please contact me to get this underway. :)

Is it the fact that I work in a security group and this stuff naturally flows through my inbox or has the last week been a stolen data fiesta?

Hotels.com customers data is stolen and Greg is MAD (WARNING! Don't make Greg mad, it's not pretty. Well, sometimes it's humorous to watch... If you have the opportunity to rib him a little bit someday in person just bring up how slow Microsoft Virtual Server is and you'll see traces of the mad Greg. Mad level 3 out of 10). Anywhooo, Greg not only rants about how pathetic security is in the industry but offers some practical advice on knowing how secure a company is by their certifications. Good stuff.

Data lost on all 2.2 million (nearly all) active duty, reserve and guard members.

Veterans fight back and sue for data lost/stolen (this is what we need to wake the industry up).

Alex Scoble sent an article stating that cleaning up data breach costs 15x more than encryption. No joke? Go figure. But why do that? That's pro-active and not re-active. Fire-fight mode is sooo much more fun though.

Saphire In Steel has written a Ruby IDE for Visual Studio 2005 called Ruby In Steel. This definitely will give a big boost to all the Ruby/Watir browser automation going on right now.

Back at the beginning of 2006 when I was shopping for an automation solution, I gave Ruby and Watir whole-hearted try and was extremely frustrated that I was spending so much time debugging in a JavaScript like world. Can you say "Pain-in-the-ass" and "Inefficient"? Since then I've moved on to SWEA (SW Explorer Automation) and have been EXTREMELY happy debugging in Visual Studio.

For those of you working in the Ruby and Watir world you can download the beta version of Ruby In Steel here. If you want to see it in action you watch a debugging video demo here.

Are you a blogger or blog reader? Are you a fan of syndication? Let me present the latest in geek t-shirts for RSS. I had this one on the back burner since I started this blog in December of 2005 and finally sat down to create it tonight. This master-piece is titled "Feed Me" (I won't be offended if you consider it a master-POS). The image below requires ShockWave-Flash. If you can't see it, just go to Zazzle.com where this little beauty resides. Do you hate black t-shirts or would rather a sweat-shirt or tank top? Zazzle has a huge product line-up that you can place this advertising gem on. Gem you say? Yes, this is THE official RSS icon to be recognized by a cajillion internet users by 2007. TRUST ME. Don't be a "wanna-be" by displaying your syndication spirit in 2008. Get this frickin' thing on your chest now!