No Mini-PCI at Fry's. Bummer.

Today, I discovered that Fry's Electronics, once a bastion of computer/network/electronics geekery, is now completely irrelevant. I was shopping for a new mini-PCI wireless NIC, since my Intel chipset whatever-its-called OEM NIC that came with my IBM/Legend ThinkPad has always been weird and flakey, and I finally got sick of it. So, I packed one of the kids up in the car and bopped over to Fry's -- only to be told, "we don't carry laptop internal components except memory and hard drives." What?! Laptops aren't exactly alien technology... Maybe Fry's back in San Jose is still a 20,000 sqft flea market of every device you'd ever need, but at least here in Austin, it's basically a bargain-basement version of Best Buy, and I have the sneaking suspicion that I'm the last to figure this out.

Anyway, sure, I could have gone for the PC-Card or USB compact NICs, but I hate having stuff sticking out the side of the computer -- I move it around a lot in a pretty small backpack, and I fly occasionally, so I'm always afraid I'm going to snap stuff like that off. So I did what I should have done in the first place, and spent 20 minutes looking for a mini-PCI NIC online.

At the suggestion of a friend, I felt that if I'm going for a new NIC, I may as well get the hotrod of them all -- so I bought a Ubiquiti Super Range 9 from BSC for $129.95 -- so now I'll totally be able to see every network in my zipcode. Sweet! And all for only 3x the price of a typical Linksys/D-Link ugly-stick-out-the-side card.

Paypal Introduces Security Fob

Strikingly similar to the RSA SecurID, PayPal has rolled out their own two-factor authentication (2FA) dongle.

While it's easy to dismiss random number key fobs as susceptible to man-in-the-middle attacks, I do think that if such this device were required on all accounts, it would significantly impact the effectiveness of traditional phishing scams -- assuming the attacker is actually going for PayPal account access.

Trouble is, the Security Key is a) optional and b) non-free, which will surely impact its rollout significantly. Maybe VeriSign (the manufacturer of the fob) will have a fantastically better marketing plan than RSA did, and actually get more than 5% of the PayPal users to adopt it.

The other problem is that there are plenty of PayPal-targeted phishing sites that really don't care about your PayPal login information -- there's just riding on the trust of PayPal to do things like collect credit card numbers, secondary banking information, and identity information. So, they really won't care if you give a correct or incorrect security code.

All that said, it is nice to see that PayPal is deploying a real second channel 2FA, rather than the "ask me for more passwords" 2FA schemes that other financial sites have deployed to comply with U.S. regulatory requirements. I just don't think 2FA, generally, is particularly effective in solving the problem of phishing. I suppose it's better than nothing, though.