When you’re in a good mood, all your creativity goes out the window

I think it may have something to do with actually getting enough sleep last night. So, in a fit of lazyblogging, I read this article on CIO.com about interviewing skills. It's not bad, and covers the basics, although I was struck with laughter when I read the advisory note on “witness intimidation”, wondering whether the author was for it or against it! Reading this won’t turn you into Gibbs, and it doesn’t deal with other issues such as when to make (or break) rapport, or how to take control of the interview. (For example, questions such as “what happens if the witness wants to record the interview?” mean you are not in control.)
Furthermore, Muffett has pointed me at “Ten Mistakes that CIOs consistently make that weaken enterprise security”. Interesting, funny, insightful reading. It's worth quoting here (because this is a lazy blog day, after all).
  • Use process as a substitute for competence: The answer to every problem is almost always methodology, so you must focus savagely on CMMi and ITIL while not understanding the fact that hackers attack software.
  • Ostrich Principle: Since you were so busy aligning with the business, which really means that you are neither a real IT professional nor a business professional, you have spent much of your time perfecting memorization of cliché phrases and nomenclature and hoping that the problem will go away if you ignore it.
  • Putting network engineers in charge of security: When will you learn that folks with a network background can’t possibly make your enterprise secure? If a hacker attacks software and steals data yet you respond with hardware, who do you really think is going to win the battle?
  • Over-rely on your vendors by relabelling them as partners: You trust your software vendors and outsourcing firms so much that you won’t even perform due diligence on their staff to understand whether they have actually received one iota of training.
  • Rely primarily on a firewall and antivirus: Here is a revelation. Firewalls are not security devices, they are more for network hygiene. Ever consider that a firewall can’t possibly stop attacks related to cross site scripting, SQL injection and so on. Network devices only protect the network and can’t do much nowadays to protect applications.
  • Stepping in your own leadership: Authorize reactive, short-term fixes so problems re-emerge rapidly.
  • Thinking that security is expensive while also thinking that CMMi isn’t: Why do you continue to fail to realize how much money their information and organizational reputations are worth.
  • The only thing you need is an insulting firm to provide you with a strategy: Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow through necessary to ensure the problems stay fixed
  • Getting it twisted to realize that Business / IT alignment is best accomplished by talking about Security and not SOA: Failing to understand the relationship of information security to the business problem — they understand physical security but do not see the consequences of poor information security. Let’s be honest, your SOA is all about integration as you aren’t smart enough to do anything else.
  • Put people in roles and give them titles, but don’t actually train them: Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.

I’d add another one to this list – “Outsource everything in the belief that IT is non-core”. IT, like it or not, is not only the brains but the entire digital nervous system of your organisation. Hand it over to people who are paid a tenth of what you pay your own staff, and don’t be surprised if your digital nervous system gives your organisation Parkinson’s disease.

We could tell you, but then we’d have to tax you


I suspect fraudulent use of National Insurance Numbers. I go to the HMRC website and find this page:


Hmm, NIM39140 looks like what I need, so I click on it. Go on, try it.

My flabber is ghasted, but it's nice to see HMRC taking confidentiality of information seriously.

BGP stands for Bring Complete Paranoia

Rory Cellan writes in his BBC blog that:

So the Pakistani authorities order the country’s ISPs to block access to YouTube. That is done by the country’s telecoms provider sending out what is, in effect, a new – and false – route to get to YouTube. The result is that any traffic from Pakistani users to YouTube gets directed into a cul-de-sac. So far, so normal, for any country – China, Turkey, Iran – which decides to control its population’s access to certain websites.

But what appears to have happened in this case is that the dodgy route map somehow leaked beyond Pakistan’s borders, and was adopted by the giant Asian telecoms business PCCW. Once it started broadcasting this new way to find YouTube, the rest of the world’s ISPs altered their maps, sending everyone up the wrong road.

Now, I’m no longer a network engineer. Terribly bright people now shepherd Internet traffic around the world, carefully grooming and optimising traffic routes between the different Internet “clouds” (known more formally as Autonomous Systems, or ASes). In fact, the BBC is an AS, as is BT, and most big ISPs are autonomous. This means that clouds can choose which way is best for traffic going into – and out of – their cloud. So, for example, my ISP at home can decide that the best way for me to get traffic to and from Australia is via a cheaper (but longer) land link running through Asia rather than by a satellite hop. And they’d probably be right: satellite links tend to be slooow.

What happens here is an issue of transitive trust. Most “peering agreements” (the name for the decisions two ASes make to send traffic between each other) are technically complex, and some include the following rules:

  • If I can’t send traffic to another third party directly, I’ll send it to you.
  • If you can’t send traffic to another third party directly, you can send it to me.

Those two rules sound pretty simple, but they’re pretty important. The question then arises: how does an AS know where it can and cannot send traffic? Enter the Border Gateway Protocol, or BGP for short. BGP carries routing information, which can be thought of as metadata about the traffic. It's an automated system for updating clouds on which other clouds can be reached through each other. Then the router decides which route is the shortest (or best in some other way configured by its network engineers – for example, “send as much traffic as possible over the cheap landline rather than over the expensive satellite link”) and, voilà, you get to see the Google homepage.

There is a whole industry built up around providing expertise and BGP services, from companies like InterNAP, and industry associations such as LINX. BGP routes also get used to advertise places we shouldn’t go – for example, some anti-spam services provide a list of IP addresses for which network engineers can say “don’t try and send traffic here”. It can include malware sites and persistent spammers, and, as we’ve seen, a government can mandate that all traffic be dropped and that all routers in a particular jurisdiction must carry this “internet death penalty”.

Where this becomes a security issue is that BGP is designed to propagate the “best” routing information around the internet. This is designed to assist the internet’s self-healing process, so if a cable under the Atlantic is cut – severing a link between two clouds – other routes are automatically brought into play. If you have a collection of routers that say “We know that the best route to youtube.com is to just drop the traffic on the floor”, they will announce this route to their peers, the peers will pick it up and announce it to their peers, and so on.

This is a transitive trust issue. While network engineers can configure their routers to filter the routes sent to them, most of the time they prefer not to – and why would I be jaded and cynical about a peering ISP whose staff I know well and probably go for drinks with? Well, we’ve seen the answer.

Security pros would note that the potential damage from wild and crazy routes being propagated across the Internet – PR damage, lost time, and so on – would be worth the mitigation cost of filtering out bogus routes before they are adopted into the routing tables. ISPs, however, typically focus on availability and throughput – all the things that their customers demand. Network engineers are highly skilled people, but they’re not security experts.
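To make the transitive-trust point concrete, here is an added toy simulation (my own example, not the post's or any vendor's code) of route propagation: each AS re-announces its best path to its peers, and the only defence is the import filter each AS chooses to apply to what a neighbour tells it. All AS numbers and prefixes are constructed documentation values, not the real ones from the incident, and the topology is an assumption.

```python
"""Toy model of BGP route propagation under transitive trust.
All ASNs (RFC 5398 documentation range) and prefixes (RFC 5737 documentation
blocks) are constructed stand-ins; the real numbers from the incident are not on the page."""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", ["prefix", "as_path"])  # as_path[0] is the local AS, as_path[-1] the origin


class Internet:
    def __init__(self):
        self.links = {}    # asn -> set of neighbour ASNs (the peering agreements)
        self.filters = {}  # asn -> import policy: callable(sender_asn, route) -> accept?
        self.rib = {}      # asn -> {prefix: best Route that AS currently knows}

    def add_as(self, asn, import_filter=None):
        self.links.setdefault(asn, set())
        self.rib.setdefault(asn, {})
        # Default policy is the one the post describes: trust whatever a peer announces.
        self.filters[asn] = import_filter or (lambda sender, route: True)

    def peer(self, a, b):
        self.links[a].add(b)
        self.links[b].add(a)

    def originate(self, asn, prefix):
        net = ipaddress.ip_network(prefix)
        self.rib[asn][net] = Route(net, (asn,))

    @staticmethod
    def better(new, old):
        """BGP-style best path: shortest AS path wins; ties broken by lowest path for determinism."""
        if old is None:
            return True
        if len(new.as_path) != len(old.as_path):
            return len(new.as_path) < len(old.as_path)
        return new.as_path < old.as_path

    def converge(self):
        """Every AS re-announces its best routes to its neighbours until nothing changes.
        Withdrawals are not modelled: a route is only ever replaced by a better one."""
        changed = True
        while changed:
            changed = False
            for asn, neighbours in self.links.items():
                for prefix, route in list(self.rib[asn].items()):
                    for nb in neighbours:
                        if nb in route.as_path:  # loop prevention: never accept a path containing yourself
                            continue
                        cand = Route(prefix, (nb,) + route.as_path)
                        if not self.filters[nb](asn, cand):  # the neighbour's import policy
                            continue
                        if self.better(cand, self.rib[nb].get(prefix)):
                            self.rib[nb][prefix] = cand
                            changed = True

    def route_to(self, asn, address):
        """Longest-prefix match, as a forwarding table does: a /25 beats a /24
        however short the /24's AS path is. Returns the AS path or None."""
        addr = ipaddress.ip_address(address)
        matches = [p for p in self.rib[asn] if addr in p]
        if not matches:
            return None
        return self.rib[asn][max(matches, key=lambda p: p.prefixlen)].as_path


# Constructed actors: the video site, a national telco, the telco's upstream, a transit AS, an eyeball ISP.
VIDEO, TELCO, UPSTREAM, TRANSIT, EYEBALL = 64496, 64497, 64498, 64499, 64500
VIDEO_PREFIX = "198.51.100.0/24"  # constructed: the block the video site legitimately originates
BOGUS_PREFIX = "198.51.100.0/25"  # constructed: more-specific the telco announces to drop traffic locally
TELCO_PREFIX = "192.0.2.0/24"     # constructed: the telco's own legitimate block


def build(filter_upstream):
    """Build the topology; with filter_upstream=True the upstream applies a prefix list to its customer."""
    net = Internet()
    authorised = {TELCO: [ipaddress.ip_network(TELCO_PREFIX)]}  # what each customer may announce

    def customer_prefix_filter(sender, route):
        if sender not in authorised:
            return True  # peer links stay unfiltered, as the post says most are
        return any(route.prefix.subnet_of(allowed) for allowed in authorised[sender])

    for asn in (VIDEO, TELCO, TRANSIT, EYEBALL):
        net.add_as(asn)
    net.add_as(UPSTREAM, customer_prefix_filter if filter_upstream else None)
    for a, b in ((TELCO, UPSTREAM), (UPSTREAM, TRANSIT), (TRANSIT, VIDEO), (TRANSIT, EYEBALL)):
        net.peer(a, b)
    net.originate(VIDEO, VIDEO_PREFIX)
    net.originate(TELCO, TELCO_PREFIX)
    net.originate(TELCO, BOGUS_PREFIX)  # the "route to the cul-de-sac"
    net.converge()
    return net
```

Compare `build(False).route_to(EYEBALL, "198.51.100.10")` with `build(True).route_to(...)`: unfiltered, the eyeball ISP's longest-prefix match sends it down the telco's /25 cul-de-sac; with the upstream's prefix list in place the bogus /25 never leaves the telco, although the telco's own users still hit it.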

All this puts an interesting slant on the arguments for and against Net Neutrality.

This is not news

Deloitte reports that:

IT security pros working in the technology, telecommunications, media and entertainment industries say they’re confident they can handle external security threats, but nearly half lack a formal security strategy, according to a new

Indeed true. And without a strategy, there’s no planning. Without planning, there’s no real threat and risk control. Without threat and risk control, we’re back to the good ol’ “Hey! We gotta firewall!” (or insert-the-name-of-your-favourite-new-appliance-here) approach.

How to spot a boiler room

I received the following post from the Motley Fool financial investing service. Not that I have any cash to invest, but the following is very good anti-fraud advice.

As our ‘Good, Bad and the Ugly’ email campaign continues, we look at a nasty share scam – the ‘boiler room’.
I think the ‘boiler room’ is the ugliest financial scam of them all.
Telesales staff outside the UK call up unsuspecting private investors and pressure them to buy dodgy shares at inflated prices. Some people believe the crooks’ sales patter and frequently they end up losing all the money they’ve invested. Don’t assume that it won’t happen to you. Often the victims are pretty sophisticated folk who have been playing the markets for ten years or more.
Indeed, the Financial Services Authority (FSA) has highlighted one case where a management consultant in his 50s lost 40,000 to a boiler room scam, and he had been investing in the stock market for 12 years.

How does it work?

Boiler rooms are always based outside the UK and are not regulated by the FSA. The boiler rooms use various techniques to get hold of names to call. They can follow up initial market research calls or call up investors on shareholder registers of small companies. Dealers can then offer free research on a punter’s favourite share, and a relationship can be built from there. Or you might be offered free research via junk mail. If you send a reply card back with a tick in a particular box, the dealing room can then claim it’s making a legitimate phone call.
Often the boiler room salespeople push shares that ‘are about to IPO’ (list on the stock market) and ‘big profits’ can be expected. More often than not, the company never lists and the investors lose all their cash. Sometimes the shares are listed, often on fairly obscure markets such as the ‘pink sheets’ in the US. On occasion, the shares are listed on better known exchanges, but either way there’s a good chance that the share price will start to fall shortly after you’ve paid your cash. What’s more, the boiler room may have taken an outrageously high dealing commission.

Why does it work?

The boiler rooms don’t give up easily. They will constantly call a target, trying to build a relationship and get their confidence. According to FSA research, six out of ten targets were pursued for at least a month regardless of whether they purchased shares. Nearly a quarter of targets said they were receiving calls from the same boiler room for more than a year.

What can you do?

If you’re cold-called by somebody trying to sell you a share, be very suspicious indeed. If it’s such a sure thing, why is he ringing up complete strangers and telling them about it? The simplest approach is to hang up as quickly as possible. If your curiosity won’t let you do that, you can check the FSA’s list of unauthorised overseas firms that are targeting UK investors. But if a firm isn’t on the list, don’t assume it’s a kosher operation. Boiler rooms frequently change names to get around this.

You can find out much more about boiler rooms in this excellent FAQ compiled by star poster JakNife on our discussion boards. Also read these useful tips by my Foolish friend David Kuo.

  • Anatomy Of A Boiler Room Scam
  • How To Spot A Scam

Get hacked by google, bush, and hotmail

Over the weekend, I got the following message on MSN.

23/02/2008 22:43:03 Jonathan *mssoc d@hotmail.com :)
23/02/2008 22:44:04 Jonathan *mssoc d@hotmail.com hey
23/02/2008 22:44:04 Jonathan *mssoc d@hotmail.com it watches this animation of bush 😛
23/02/2008 22:44:04 Jonathan *mssoc d@hotmail.com http://[deleted].googlepages.com/bush.exe
I’ve changed the name of the sender, and deleted the googlepages website name, because frankly, you don’t want the ball of infection that is bush.exe.

First thing is, never run an .exe from the internet. Even if your friend has told you it's safe (how do they know? The answer most commonly given is “Well, it didn’t trip out my copy of McAfee”). As we’ll see, even downloading the little pucker can be hazardous.

Normally when I do malware research, I use the electronic equivalent of thick rubber gloves and a bacterial safety screen. No one is pleased when malware stomps all over their system, including me.

Avast didn’t pick it up. Not quite trusting one AV, I submitted the result to VirusTotal, and the scan results showed a couple of potential heuristic nasties (the link is to the report). In the meantime, I deleted bush.exe unopened.

And this is where it went wrong.

You see, even deleting a file (or moving it to the Recycle Bin) counts as an access to the file. On-access virus scanners open up a packed file (like bush.exe) to see what’s inside. This means that code set to execute when the file is opened… does. The next thing I knew, my resident protection for Spybot S&D was going crazy.
By the way, Spybot S&D is freeware. If you don’t have it installed, either you didn’t know about it (you do now), or you are certifiably crazy. Go install it now, I’ll wait.

Spybot reported that three new files had appeared, and were trying to insert themselves into my startup. Those files:


They picked C:\WINDOWS because that’s the default setting of the %temp% variable in Windows. There are times when UNIX’s /tmp folder looks eminently more sensible than using a system executable folder to drop stuff in, and this is indeed one of them.

A popup appeared (in Spanish) asking me to install the latest Flash player. Oops. Clicking “don’t install” did not help, and Spybot screamed at me for firing off more instances of the virus. I blacklisted the processes from adding themselves to my startup registry, and Spybot went ballistic, warning me that this thing was indeed running rife through my system, trying to infect as much as possible.

So, while Spybot was ringing every alarm bell it could find to let me know I had a problem (Houston?) and bringing my machine to a crawl, I fired up Security Task Manager (not free, but useful) and quarantined the nasty processes. I booted clean and ran a startup AV scan. Everything looked OK.

This took about 2 hours, and the lessons I’d pass on are:

  • Don’t ever download and run an .exe file. My friend didn’t even know that I’d received this message from her, as it fires up windows messenger silently (fortunately I have this set to block already).
  • Run Spybot. It's a line of defence.
  • If you absolutely must download these things, use a virtual machine (Microsoft’s Virtual PC, or VMware) and examine what’s going on under a clean disk image. Then wipe and start afresh. Better not to.
  • Don’t trust processes that “look good”. WINLOGON.EXE and LSASS.EXE are both names of system processes, but they normally live in %systemdir% (C:\WINDOWS\SYSTEM32).
  • I got thwacked in the chops by being too careless, and was lucky. My friend still has this thing running around their machine. Not so good.
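The lesson about processes that “look good” above, as an added Python example (mine, not from the post): a check over a constructed process snapshot that flags a system process name loaded from somewhere other than its expected directory, and also near-miss spellings of those names. The expected directories, the %systemdir% shorthand and the snapshot are assumptions.

```python
"""Spot processes that borrow a Windows system process name but run from the wrong
place, or whose name is a near-miss of one. The process snapshot is constructed
for this example, in the shape a task-manager style tool reports (pid, image path)."""
import difflib
import ntpath

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: default install, as on the page
SYSTEM32 = SYSTEM_ROOT + r"\SYSTEM32"

# Names worth impersonating, and the only directory each should load from.
SYSTEM_PROCESSES = {
    "winlogon.exe": SYSTEM32,
    "lsass.exe": SYSTEM32,
    "csrss.exe": SYSTEM32,
    "services.exe": SYSTEM32,
    "svchost.exe": SYSTEM32,
    "explorer.exe": SYSTEM_ROOT,
}


def expand(path):
    """Expand the variables a startup entry may use (%systemdir% is the page's shorthand, not a real variable)."""
    return (path.replace("%SystemRoot%", SYSTEM_ROOT)
                .replace("%windir%", SYSTEM_ROOT)
                .replace("%systemdir%", SYSTEM32))


def suspicious(image_path):
    """Return a reason if the image looks like a masquerading system process, else None."""
    directory, name = ntpath.split(expand(image_path))
    key = name.lower()
    expected = SYSTEM_PROCESSES.get(key)
    if expected is not None:
        if ntpath.normcase(directory) == ntpath.normcase(expected):
            return None  # genuine: right name in the right directory
        return f"{name} uses a system process name but runs from {directory} (expected {expected})"
    # Not an exact system name: catch near-miss spellings such as scvhost.exe or lsas.exe
    close = difflib.get_close_matches(key, list(SYSTEM_PROCESSES), n=1, cutoff=0.85)
    if close:
        return f"{name} is a near-miss of {close[0]}"
    return None


def audit(snapshot):
    """Return [(pid, reason)] for every suspicious entry in a [(pid, image_path)] snapshot."""
    findings = []
    for pid, path in snapshot:
        reason = suspicious(path)
        if reason:
            findings.append((pid, reason))
    return findings


# Constructed snapshot: the two files from the post, a genuine lsass, a lookalike and a benign app.
SAMPLE_SNAPSHOT = [
    (1001, r"C:\WINDOWS\system32\lsass.exe"),
    (2002, r"C:\WINDOWS\WINLOGON.EXE"),
    (2003, r"C:\WINDOWS\LSASS.EXE"),
    (2004, r"C:\Documents and Settings\user\Local Settings\Temp\scvhost.exe"),
    (3001, r"%SystemRoot%\System32\notepad.exe"),
]

if __name__ == "__main__":
    for pid, reason in audit(SAMPLE_SNAPSHOT):
        print(pid, reason)
```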
So, that was my weekend fun. How was yours?

Fingerprint scan at nursery door

The BBC reports that a nursery has installed fingerprint scanning at its entrance to increase the safety of its young pupils.

In an interesting quote, UK Biometrics director Ryan Hole said: “By fitting a biometric access system they now have the one key that cannot be lost, stolen, forged or hacked – the human fingerprint”.

Some ways I can think of subverting a biometric access system:

  • Go in the window
  • Kick the door in
  • Lift a fingerprint (needs sellotape, google for it)
  • Bribe, con or coerce an authorised user. For example, “My finger doesn’t work, I need to get my kid to the doctor now!” (Given that there is a Felinfoel pub just up the road, there is good beer available for bribery).
  • Wear a bandaid, bemoan the office shredder/photocopier/rabid secretary. Repeat the above con.
  • Tailgate behind an authorised user
  • Use someone else’s authorised finger, having first thoughtfully removed it from their body
  • Exploit the software. All software has bugs, some bugs are interesting security holes. (attributed to Muffett).
  • Get a rogue fingerprint on the database.
  • Grab a kid before (or after they go in the door). Better still, push the parents in the door, and shut it after them, so they have to use the fiddly biometric lock to get out.
  • Put superglue on the sensor. Wait until lock is removed. Enter.

The point about all of this is that security “point solutions” don’t work, neither in the physical world nor in the exciting online world where all of our bank details slush about. It's essential that all risks are assessed, and solutions combined, to make sure you don’t just shift a threat from one attack point to another (for example, with no window locks the expensive biometric lock will actually remove very little risk).

The other things to think about are: when (not if) the security device fails, how will the nursery audit who went in and out of the nursery, and when? More importantly, if a “rogue” fingerprint gets into the database, how easy is it to detect and remove? Can I register my index finger under the print for the left little finger of the headmistress?

Most importantly, the risk of biometric systems is that the credentials can be stolen. Fingerprints can be copied, and facsimile “fakers” can be made that duplicate the print of the target. Now, if you find out that Stanley’s password is “yelnats”, he can change it. But how do you change your fingerprint once it's been lifted off a glass you drank from?

On Coercive Psychology

I encountered someone who was into “The ISA Experience” recently. I was interested, then became aware how one of this person’s goals was to recruit me into ISA. I’m not very recruitable.
I found the following article on Coercive Psychology on F.A.C.T.Net, and it's worth noting here. Remembering that the weakest link in Information Security is the soft squidgy thing in front of the keyboard, good ISOs should be aware of some of the pressures that can be brought to bear to make people act abnormally.
WARNING: This stuff is nasty. You will win few friends if you deploy this sort of stuff in your daily lives (but it might be fun watching your local church group to see how many of these techniques accidentally get used).
The Definition

Coercion is defined as “1. To force to act or think in a certain manner, 2. To dominate, restrain, or control by force, 3. To bring about by force.”
Coercive psychological systems are behavioral change programs which use psychological force in a coercive way to cause the learning and adoption of an ideology or designated set of beliefs, ideas, attitudes, or behaviors. The essential strategy used by the operators of these programs is to systematically select, sequence and coordinate many different types of coercive influence, anxiety and stress-producing tactics over continuous periods of time.
In such a program the subject is forced to adapt in a series of tiny “invisible” steps. Each tiny step is designed to be sufficiently small so the subjects will not notice the changes in themselves or identify the coercive nature of the processes being used. The subjects of these tactics do not become aware of the hidden organizational purpose of the coercive psychological program until much later, if ever. These tactics are usually applied in a group setting by well intentioned but deceived “friends and allies” of the victim. This keeps the victim from putting up the ego defenses we normally maintain in known adversarial situations.
The coercive psychological influence of these programs aims to overcome the individual’s critical thinking abilities and free will, apart from any appeal to informed judgment. Victims gradually lose their ability to make independent decisions and exercise informed consent. Their critical thinking, defenses, cognitive processes, values, ideas, attitudes, conduct and ability to reason are undermined by a technological process rather than by meaningful free choice, rationality, or the inherent merit or value of the ideas or propositions being presented.
How Do They Work?
The tactics used to create undue psychological and social influence, often by means involving anxiety and stress, fall into seven main categories.
TACTIC 1. Increase suggestibility and “soften up” the individual through specific hypnotic or other suggestibility-increasing techniques such as: Extended audio, visual, verbal, or tactile fixation drills, Excessive exact repetition of routine activities, Sleep restriction, and/or Nutritional restriction.
TACTIC 2. Establish control over the person’s social environment, time and sources of social support by a system of often-excessive rewards and punishments. Social isolation is promoted. Contact with family and friends is abridged, as is contact with persons who do not share group-approved attitudes. Economic and other dependence on the group is fostered.
TACTIC 3. Prohibit disconfirming information and non-supporting opinions in group communication. Rules exist about permissible topics to discuss with outsiders. Communication is highly controlled. An “in-group” language is usually constructed.
TACTIC 4. Make the person re-evaluate the most central aspects of his or her experience of self and prior conduct in negative ways. Efforts are designed to destabilize and undermine the subject’s basic consciousness, reality awareness, world view, emotional control and defense mechanisms. The subject is guided to reinterpret his or her life’s history and adopt a new version of causality.

TACTIC 5. Create a sense of powerlessness by subjecting the person to intense and frequent actions and situations which undermine the person’s confidence in himself and his judgment.

TACTIC 6. Create strong aversive emotional arousals in the subject by use of nonphysical punishments such as intense humiliation, loss of privilege, social isolation, social status changes, intense guilt, anxiety, manipulation and other techniques.
TACTIC 7. Intimidate the person with the force of group-sanctioned secular psychological threats. For example, it may be suggested or implied that failure to adopt the approved attitude, belief, or consequent behavior will lead to severe punishment or dire consequences such as physical or mental illness, the reappearance of a prior physical illness, drug dependence, economic collapse, social failure, divorce, disintegration, failure to find a mate, etc.
These tactics of psychological force are applied to such a severe degree that the individual’s capacity to make informed or free choices becomes inhibited. The victims become unable to make the normal, wise or balanced decisions which they most likely or normally would have made, had they not been unknowingly manipulated by these coordinated technical processes. The cumulative effect of these processes can be an even more effective form of undue influence than pain, torture, drugs or the use of physical force and physical and legal threats.
How does Coercive Psychological Persuasion Differ from Other Kinds of Influence?
Coercive psychological systems are distinguished from benign social learning or peaceful persuasion by the specific conditions under which they are conducted. These conditions include the type and number of coercive psychological tactics used, the severity of environmental and interpersonal manipulation, and the amount of psychological force employed to suppress particular unwanted behaviors and to train desired behaviors.
Coercive force is traditionally visualized in physical terms. In this form it is easily definable, clear-cut and unambiguous. Coercive psychological force unfortunately has not been so easy to see and define. The law has been ahead of the physical sciences in that it has allowed that coercion need not involve physical force. It has recognized that an individual can be threatened and coerced psychologically by what he or she perceives to be dangerous, not necessarily by that which is dangerous.
Law has recognized that even the threatened action need not be physical. Threats of economic loss, social ostracism and ridicule, among other things, are all recognized by law, in varying contexts, as coercive psychological forces.
Why are Coercive Psychological Systems Harmful?
Coercive psychological systems violate our most fundamental concepts of basic human rights. They violate rights of individuals that are guaranteed by the First Amendment to the United States Constitution and affirmed by many declarations of principle worldwide.
By confusing, intimidating and silencing their victims, those who profit from these systems evade exposure and prosecution for actions recognized as harmful and which are illegal in most countries, such as: fraud, false imprisonment, undue influence, involuntary servitude, intentional infliction of emotional distress, outrageous conduct, and other tortious acts.

51 things women wish men knew

This is a public service announcement, shortly to be followed by “1056 things men wish women knew… well, actually just one or two”.

1. When you see a girl with huge knockers, do not go “Damn!” and then laugh appreciatively to yourself – we can hear you.

2. Whenever possible, please say whatever you have to say during commercials.

3. If you don’t act like soap-opera guys, don’t expect us to dress like Victoria Secret models.

4. Mark anniversaries on a calendar.

5. There is no such thing as too much spooning.

6. Just because you L the C doesn’t mean we have to S the D.

7. This is how we see it . . . Don’t call = Don’t Care.

8. Which also means that if we don’t call, take the hint.

9. We like you to be a little jealous . . . but overly possessive is not necessary.

10. Putting things in our butt does not turn us on.

11. Return favors: we massage, you massage; we shave, you shave (and not just your face).

12. Foreplay is not an option . . . it's a prerequisite.

13. We’re allowed to be late . . . you are not.

14. Eye contact is key.

15. Don’t take longer to get ready than we do.

16. Laugh at our jokes.

17. Three words . . . honesty, honesty, honesty.

18. Girls can be groupies. Guy groupies are stalkers.

19. We never have to wonder if your orgasm was real.

20. Do not start with us. You will not win… not kidding .. we ALWAYS win

21. Would you like it if a guy treated your sister that way? We didn’t think so.

22. If you ask nicely, we usually answer the same way.

23. We will never have enough clothes or shoes! Ever!

24. We have an excuse to act bitchy at least once a month. Come on guys… most of you have more PMS than us girls.

25. Open the door for us no matter where we are . . . even at our house and getting into the car. I know it seems like a lot but is it that hard?

26. We love surprises!

27. We liked to be kissed softly, not with an iron tongue.

28. Pay attention to the little things we do, because they mean the most.

29. Boxers and maybe boxer briefs sometimes . . . NEVER whitey-tighties, NEVER!

30. Clean your room before we come over.

31. Always brush your teeth before you see us . . . a fresh mouth and white teeth are a necessity plus we do the same for you.

32. When we use our teeth it means that you suck at going down on us, so we are just returning the favor.

33. Even though you are sometimes insensitive and hurt us, we still love you with everything we are.

34. Sometimes even when you think we hate you, we don’t; we just want you to apologize so we can be allowed to love you again.

35. Don’t act hard around your friends, because I won’t make you hard tonight. AKA don’t be an ass.

36. Sometimes “NO!” really means “NO!”

37. “Wife Beaters” are not an adequate form of fashion.

38. If we wanted to be on video tape, we’d be a porn star not your girlfriend.

39. Sensitive guys are great . . . but crying more than we do in a movie just isn’t right.

40. Don’t let ex-girlfriends cause drama, relationships are stressful enough!!!!!

41. It takes a special kind of stupid to forget birthdays.

42. Guys who are good cuddlers = guys who know how to satisfy a woman.

43. “Fat Chicks” have feelings too–all chicks have feelings.

44. Silent treatment + shoulder shrugs + tears + yelling + nasty looks = YOU DID SOMETHING WRONG!

45. If you are not a good dancer, please be self-aware.

46. Just because a girl doesn’t pick up on the first ring doesn’t mean she’s not waiting by the phone.

47. You don’t have to spend a lot, if it means a lot.

48. Don’t say you love me if you don’t mean it.

49. Don’t lie to us . . . we will catch you…eventually we always catch you.

50. When the girls get together, we talk about EVERYTHING. Meaning my best friends know everything about you.

51. Don’t Make Promises You Can’t Keep

So, how many of those things were actually a surprise, gentlemen?

Scribd: doing sensible things with iPaper

How do you keep your electronic documents? More to the point, how do you publish and distribute them?
Most people create documents using MS Office or OpenOffice. I’ve switched from Adobe Photoshop to The Gimp for all my graphics work; it's a lovely little program. But when I send stuff to publishers, I am still stuck with churning out PDFs. It's received wisdom that it's a bad idea to send out the original office docs – too many comments, metadata snippets, and of course the risk of change.
I’ve used pdfFactory from Fineprint for a while. I like it; it's a nice PDF file converter that gives me little pain. However, there’s still the thorny issue of managing and distributing all those documents electronically. Wouldn’t it be nice to say “here’s a link to the document, and I’ll keep it updated with the latest version”?
Enter Scribd. They provide a hosting service where your documents live, and can easily be displayed to the world, or kept private. For fun, you can even embed them in a blog post. Here’s an old presentation I did in 2006:

Read this doc on Scribd: OTR 2006 Presentation

And because RSS usually kills embedded objects, you can click on the link directly at http://www.scribd.com/doc/2149696/OTR-2006-Presentation.

I like this, and, even more impressively, they responded in about 5 minutes when I asked them when they would support OpenID.