My Demo on MSDN

Microsoft’s Channel 9 web site is putting up demos like mine on Looking at Server Controls with ASP.Net 2.0 (with an AJAX demo), and I must say it is a cool idea.  They are like video blog posts.  Duane Laflotte also posted like 3 of them on the subject of Exploring the Crypto API in .Net.  I hope they keep it up and many more people contribute.  If they do, we will need a really good way to search.

My spot was a quick walk-through of a control that is part of a session I am delivering at TechEd Hong Kong next week.  I gave the presentation at Code Camp 4 and Thom Robbins accosted me to record it.

Credit Company Standard: Friend or Foe?

The three major credit companies are banding together to put all our eggs in one basket.  On many levels this kind of uniformity makes sense, as it likely means more resources are being put on the problem, the consumers of the credit information are less likely to make mistakes associated with trying to juggle three different implementations, and there will be more focused scrutiny on this unified security; but it also means that if you crack one, you get them all.  A friend of mine who is very active in the developer and security community, Phil, forwarded me the article from eWeek that outlined the effort in very vague terms.  Overall I think it is a good step, but as with all things secure, there are very few solid patches of ground.

We do the best we can, but it is very important for those that hold our information for us (whether we like it or not) to do the best they can.

Code Camp 4 is Upon Us

New England is where the whole Code Camp phenomenon began, and thank God that I am not doing 12 sessions in 2 days the way I did for the first one!

But I am doing 3 sessions this weekend at the 4th Code Camp themed “Developers Gone Wild”.

Thom Robbins has the details posted as well as a link to register here.

It should be great!  While I will only be there on Saturday due to a conflict on Sunday, I am very glad to be going. 

See you there;)

Obscurity Adds to Defense

Many security experts who I hold in the highest esteem are ticking me off!

I hear it all over that “you should never use obscurity as security.”  I agree if you put the word “only” in front of “obscurity”, but otherwise you are often teaching the wrong lesson.

When I was in the Infantry, we had these things called tanks.  They didn’t rely on obscurity for their defense.  They had several feet of armor in the front and often a 120 mm smoothbore cannon backed up by a couple of machine guns, but we did camouflage them.  We did try to prevent them from being obvious.  The truth is that obscurity is a layer in the overall defense.  It is not a foolproof layer and on the Internet, in some respects, it is not even a very good one, but I want all the layers I can get.  If obscurity isn’t important at all, then publish your schema and your overall architecture.  I am taking it to extremes, but we need all the help we can get in all things security.

I know that in a conversation I can get agreement on my point from those who are trying valiantly to just teach a valuable lesson, but I think the wording has to be more exact.

Maybe my war analogies are misplaced when it comes to Internet security and defeating hackers, but no one has convinced me of that yet.  It feels like war to me! 

Security is a war, don’t fight fair!

No Photographs Please…

While I was at PDC I attended a slew of NDA briefings from Microsoft.  During one of them a flash went off and some people got understandably upset that someone might post a picture of a product being shown under strict privacy.  It turned out that nothing untoward occurred and no picture was posted where it shouldn’t be, but it is the perfect situation for products that actually prevent bad behavior in this regard.  A friend of mine, Scott Stanfield, pointed me at this URL, which discusses technologies that are emerging that will handle this exact situation.

PDC Last Day

As I got caught up in the activities here at the PDC in Los Angeles, I fell off the wagon of posting about what has gone on.  Overall it was a good event, but there weren’t a ton of surprises.  As I write this I am listening to Michael Howard explain the updated threat modeling thinking, which sounds quite good.  The push in threat modeling is to make it accessible to developers who aren’t security gurus.  This is a good goal because I can count on one hand the number of clients that I have visited that actually do real threat modeling.  As the tools do more and more for us, these are the high-value, non-automatable activities that we need to see more of in the enterprise.

This shows that MS is making a push on all fronts.  There isn’t any complacency that I can find, though occasionally there is some confusion.

I have heard over and over again from people that you just can’t keep your hands in everything anymore.  The number of products coming out based on the announcements here this week alone brings this point home.  Let’s hope that it doesn’t go so far that we ever get to the point where someone narrows their focus so much that they decide to become experts specializing in the File Menu of Word (and all 3487 entries and shortcuts in that menu)…

PDC Opening Keynote

I am writing this from Bill Gates’ keynote at PDC in Los Angeles.  User experience is definitely the message of the day.  Windows Vista is a clear indication of the MS belief that if you build a better interface then they will come (or stay as the case may be).

Atlas, which will allow MS technology developers to build XMLHttp-based, Google Maps-like experiences, is a prime example that this is the battlefield of this round.  There was a bit of a history lesson that was likely very unneeded given the crowd, but then WinFX (highlighting Avalon), Windows Vista and the supporting technologies were covered.

Windows Vista is supposed to “Bring clarity to your world”.  The Vista demo was cool; it is hard to call it anything else.  If you like the UI in Windows XP then you might have a hard time being lured to Vista, but if you have ever envied the Mac interface then you will have to dig a bit to find enough justification to jump.  Control and security are the other motivators.  Phishing attacks have been increasing dramatically and IE 7 goes a long way toward allowing you to be much more confident that you aren’t being victimized.  The dynamic protection service will let you opt in to view a known phishing site so that you are never really prevented from hanging yourself.  I think this is a good example of MS keeping pace with the hackers; the problem for many people is that they may not want to move, but security will force the upgrade ultimately.

Office 12 was announced and will be released at the same time as Windows Vista.  The biggest changes are to the user interface (basically reinvented) and the intrinsic XML file format. 

More later…

See you at PDC

I am off to Microsoft’s Professional Developers Conference (PDC) this weekend.  I expect that I will see many of the people who read this at the event in Los Angeles.  While there I will be involved in quite a few activities, including speaking at the So Cal .Net User Group’s PDC Underground event.  If you are there and looking for me, I will be hanging out at (and handling the scheduling for) the PDC TV Booth much of the time.  This is a booth that lets attendees have up to 3 minutes to say whatever they want on a topic of their choice and have it broadcast throughout the conference center.  Wish me luck!

Hackers, Terrorists, Same Strategy!

I had a very interesting discussion that manifested itself as Duane Laflotte and I delivered our popular Hacker vs. Hacker session.  I showed a technique that crashes the hacker’s computer when they try to brute force a web site (not for the faint of heart), and it raised the very popular and legitimate question of whether it is prudent to antagonize the hacker.

Anyone who has met me probably can predict that I deliver a resounding hell yes to that question.  I don’t believe that someone already seeking to attack me (in any regard) is worthy of my backing down.  They are already throwing the first punch.  I want to go for a kill if I can.  Bullies fear those who stand up for themselves and hackers fear those who will prosecute them to the fullest extent of the law.  If I lose, then the hacker has just done what I expect they would have done without my intervention, but if I win then they go to prison, lose their job and maybe get banned from ever using technology again.  I call that a bad bet on their part.

No surprise, this is exactly my take on terrorists as well.  You either believe that killing 50 terrorists produces 55 or you don’t (in which case it means 50 fewer terrorists).  Put me in the don’t column.  I think that people who partake in either of these activities are not stable in many regards.  We occasionally get a glimpse of a hacker or terrorist who is completely rational by all other appearances, but this is rare.

Don’t be afraid to vehemently and vengefully defend your turf.  You won’t ever see an attacker decide that you are too peaceful and cooperative to attack.

Where is the Sacrifice?

In the wake of Hurricane Katrina, I am renewed in my frustration that the US government hasn’t called on the population to buckle down and conserve energy.  In light of the hurricane relief effort it would be, “Save energy and put the money toward relief causes”.  During WWII the population was involved in the efforts of the nation at war by being asked to do everything from conserving fuel to collecting scrap metal.  Is the government so skittish that they are afraid we will revolt over any show of “weakness”?  Troops overseas (I can say from personal experience) feel more supported when they know that the people back home are making sacrifices to help them accomplish their mission.  My voice may not be enough, but I would like to call on every American to do two things that I have already undertaken myself in the wake of a massive natural disaster which occurred while my country fights two wars (don’t tell me that it is over, I have friends over there).  The first is to give to the agencies that are aiding our countrymen on the Gulf Coast.  That is a no-brainer I think, but it bears repeating as often as possible.  Second, bite the bullet and cut down on energy consumption beyond what the price at the pump would make you do already.  I am sick of us being held hostage to OPEC and having a huge trade imbalance that is made up almost entirely of foreign oil.  People who support our troops should put their comfort where their mouth is.  It is easy to show a flag or talk about support, but maybe ease the burden a bit by buying a fuel-efficient car or skipping a trip when you can.

I seem to be writing more and more about politics and commentary on our state of affairs.  I will be sure to mark these posts as personal, but I am sick and tired of loud-mouthed “Patriots” who drive the biggest gas guzzlers you could get.  Maybe they haven’t thought about it; maybe they are just exercising their rights.  My opinion is that they are selfish and being as unpatriotic as you can get.

End of Rant.