Over at Gizmodo a story popped up this morning regarding GoogleVoice doing some webapp upgrades. If you have a phone with an HTML5 browser stop reading immediately and surf to GoogleVoice Mobile. What was a moderately cool service just got a caffeine shot.

Before I get into how GoogleVoice just got better, first let me explain how I am already using it. I’ve been using GoogleVoice for months now since I moved. I kept the cell phone number I was using back in Rhode Island so that friends and family can still reach me easily but down here I’ve been telling everyone my GoogleVoice number. The first awesome thing is that I can give people this number and if they try to call me it rings on the cell phone, at my office desk phone, and it will also pop-up the call on my Gizmo5 account if I am logged on at a computer. This means that if I want to be I am instantly contactable no matter where I am during the day.

Also, people can text message me at my GoogleVoice number and they come through as an email, which through Exchange is immediately pushed to me phone from my Google hosted domain email account. When I reply to the email it is turned back into an SMS and sent to their phone. Instead of paying $0.10 to give someone 140 characters of text I can carry on a lengthy conversation for free.

When I get a call from someone I have the option to set up a wide range of options including call-screening, the caller ID appearance of numbers on my phone, what voicemail message they hear, and when I want to be Do Not Disturb. I can leverage these features to customize the call handling not only for my own benefit but for how I want the caller to be treated. If I like you I can immediately answer; if I’m not sure I can listen to you live while you leave a voicemail and pick up at any time; or if I really don’t like you I can have you straight to voicemail or simply blocked.

Now then, using GoogleVoice on the iPhone used to be a bit of a pain. You went to the website, it forwarded you to the mobile version, you got this text-only 1995 style page that was simply a textbox with the number you want to call or a list of your contacts. When you wanted to place a call you hit the persons name or typed a number and hit submit and a few seconds later you got an incoming call from GoogleVoice (odd phone number from random place – possibly long distance). For text messages you had to go to another page via a link, wait for it to load, & fill out the form. It got the job done but it wasn’t especially sexy.

Today when I booted up the page the interface was completely different. Now we get images and fading between pages and buttons and drop down menus. While I imagine this could cause some slowness on Edge once it is all cached I suspect there will be little of a noticeable difference in speed. In fact I’d expect a speed improvement with the current design because you spend less time making page requests and more just doing little Ajax query/responses. The interface is streamlined and more intuitive, and I have yet to notice a loss of any features.

While previously the entire list of my contacts was pulled up every time I went to the site there is now a button to switch to them. This probably speeds things up if you make the majority of calls from dialing a number but might mean one extra button push if you do it from contacts. It seems to store the contacts in a local cache so while the first load of the list took a couple seconds it was instantaneous after that.

The procedure for placing a call has changed a little bit, but this change I really like. When I dial a number and hit submit it begins to setup the call session through Google. Now instead of receiving a call from Google the app told my phone to dial a number. Because I told it I was on my cell phone when I logged in and it already knew my cell number it used that information to find me a local call exchange who I assume is owned by Google. So now I was definitely calling a local number to route the call which makes GoogleVoice even more free-er than it was before.

The changes, while mostly aesthetic, add up to a vast improvement for the usability of the service on an iPhone. I’ll have to see in the coming weeks how it modifies my calling behavior but I could legitimately see it being enough to compel me to use GoogleVoice instead of the native calling capability of my phone because I won’t have to worry about unexpected call charges, and I can easily get more people using the GoogleVoice number for my incoming calls when I show up on their caller-ID.

Apparently, Bank of America thinks it’s totally appropriate to ask for your login credentials to other bank’s websites.

Bank of America asks for login credentials from other bank websites

I was a customer of my old bank for nearly 12 years. Sadly, my old bank just doesn’t do business in the area I’ve moved to. Seeing as I didn’t want to run into this problem again I decided to go with a nice big bank that covers all the places I might move in the foreseeable future. I figured that Bank of America would fit those needs. That was until I started the application process.

First half of Application Page at BoA

Second half of Application Page at BoA

Moxie presented at Blackhat this year about his discovery of a vulnerability enabled by the automatization of CA certificate assignments and failures by X.509 encryption implementations to handle null bytes. Video has a recap of his last presentation and then the new stuff starts at 15min.

Blackhat Presentations Archive

Basically all the big names in browsers, SMIME mail clients, IRC clients, and VPN are vulnerable. Also, sky is falling.

I know this is totally old news, but it’s some pretty heavy stuff that really kind of happened and then everyone went back to business as usual.

SSLStrip is a tool for MITM attacks where the attacker can intercept information to be transmitted between a user and the server such as login credentials.

Any information security professional worth their salt needs to see the video embeded at [Moxie's SSLStrip page].

The good news is that token keys and user/client certificates is the easy fix, though it makes for more cost/work than just your standard SSL connection. Also, web developers can help the problem by not embeding https links into an http page or translating those with HTTP/redirects.

An awesome new product showed up on [Hackaday] a couple weeks ago. The [SheevaPlug] is an extremely ultra-small computing device that opens up numerous opertunities for portable and nonintrusive (IE: covert) computing. Obviously, my initial impression of the device was “Cool” but when you look at it from the perspective of a penetration tester then it really has some possibilities.

Read more…