# Friday, September 16, 2005

As I got caught up in the activities here at the PDC in Los Angeles, I fell off the wagon of posting about what has gone on.  Overall it was a good event, but there weren't a ton of surprises.  As I write this I am listening to Michael Howard explain the updated threat modeling thinking, which sounds quite good.  The push in threat modeling is to make it accessible to developers who aren't security gurus.  This is a good goal because I can count on one hand the number of clients I have visited that actually do real threat modeling.  As the tools do more and more for us, these are the high-value, non-automatable activities that we need to see more of in the enterprise.

This shows that MS is making a push on all fronts.  There isn't any complacency that I can find, though occasionally there is some confusion.

I have heard over and over again from people that you just can't keep your hands in everything anymore.  The number of products coming out based on the announcements here this week alone brings this point home.  Let's hope that it doesn't go so far that we ever get to the point where someone narrows their focus so much that they decide to become experts specializing in the File Menu of Word (and all 3487 entries and shortcuts in that menu)...

Friday, September 16, 2005 12:13:49 PM (Eastern Daylight Time, UTC-04:00)
# Tuesday, September 13, 2005

I am writing this from Bill Gates' keynote at PDC in Los Angeles.  User experience is definitely the message of the day.  Windows Vista is a clear indication of the MS belief that if you build a better interface then they will come (or stay as the case may be).

Atlas, which will allow MS technology developers to build XMLHttp-based, Google Maps-like experiences, is a prime example that this is the battlefield of this round.  There was a bit of a history lesson that was likely very unneeded given the crowd, but then WinFX (highlighting Avalon), Windows Vista and the supporting technologies were covered.

Windows Vista is supposed to "Bring clarity to your world".  The Vista demo was cool; it is hard to call it anything else.  If you like the UI in Windows XP then you might have a hard time being lured to Vista, but if you have ever envied the Mac interface then you will have to dig a bit to find enough justification to jump.  Control and security are the other motivators.  Phishing attacks have been increasing dramatically and IE 7 goes a long way toward allowing you to be much more confident that you aren't being victimized.  The dynamic protection service will let you opt in to view a known phishing site so that you are never really prevented from hanging yourself.  I think this is a good example of MS keeping pace with the hackers.  The problem for many people is that they may not want to move, but security will force the upgrade ultimately.

Office 12 was announced and will be released at the same time as Windows Vista.  The biggest changes are to the user interface (basically reinvented) and the intrinsic XML file format. 

More later...

Tuesday, September 13, 2005 12:29:02 PM (Eastern Daylight Time, UTC-04:00)
# Friday, September 09, 2005
I am off to Microsoft's Professional Developers Conference (PDC) this weekend.  I expect that I will see many of the people who read this at the event in Los Angeles.  While there I will be involved in quite a few activities, including speaking at the So Cal .Net User Group's PDC Underground event.  If you are there and looking for me, I will be hanging out at (and handling the scheduling for) the PDC TV Booth much of the time.  This is a booth that lets attendees have up to 3 minutes to say whatever they want on a topic of their choice and have it broadcast throughout the conference center.  Wish me luck!

Friday, September 09, 2005 4:26:53 PM (Eastern Daylight Time, UTC-04:00)
# Wednesday, September 07, 2005

I had a very interesting discussion that manifested itself as Duane Laflotte and I delivered our popular Hacker vs. Hacker session.  I showed a technique that crashes the hacker's computer when they try to brute force a web site (not for the faint of heart), which raised the very popular and legitimate question of whether it is prudent to antagonize the hacker.

Anyone who has met me probably can predict that I deliver a resounding hell yes to that question.  I don't believe that someone already seeking to attack me (in any regard) is worthy of my backing down.  They are already throwing the first punch.  I want to go for a kill if I can.  Bullies fear those who stand up for themselves and hackers fear those who will prosecute them to the fullest extent of the law.  If I lose then the hacker has just done what I expect they would have done without my intervention, but if I win then they go to prison, lose their job and maybe get banned from ever using technology again.  I call that a bad bet on their part.

No surprise, this is exactly my take on terrorists as well.  You either believe that killing 50 terrorists produces 55 or you don't (in which case it means 50 fewer terrorists).  Put me in the don't column.  I think that people who partake in either of these activities are not stable in many regards.  We occasionally get a glimpse of a hacker or terrorist who is completely rational by all other appearances, but this is rare.

Don't be afraid to vehemently and vengefully defend your turf.  You won't ever see an attacker decide that you are too peaceful and cooperative to attack.

Wednesday, September 07, 2005 11:26:24 PM (Eastern Daylight Time, UTC-04:00)
# Thursday, September 01, 2005

In the wake of Hurricane Katrina, I am renewed in my frustration that the US government hasn't called on the population to buckle down and conserve energy.  In light of the hurricane relief effort it would be, "Save energy and put the money toward relief causes".  During WWII the population was involved in the efforts of the nation at war by being asked to do everything from conserving fuel to collecting scrap metal.  Is the government so skittish that they are afraid we will revolt over any show of "weakness"?  Troops overseas (I can say from personal experience) feel more supported when they know that the people back home are making sacrifices to help them accomplish their mission.  My voice may not be enough, but I would like to call on every American to do two things that I have already undertaken myself in the wake of a massive natural disaster which occurred while my country fights two wars (don't tell me that it is over, I have friends over there).  The first is to give to the agencies that are aiding our countrymen on the Gulf Coast.  That is a no-brainer I think, but it bears repeating as often as possible.  Second, bite the bullet and cut down on energy consumption beyond what the price at the pump would make you do already.  I am sick of us being held hostage to OPEC and having a huge trade imbalance that is made up almost entirely of foreign oil.  People who support our troops should put their comfort where their mouth is.  It is easy to show a flag or talk about support, but maybe ease the burden a bit by buying a fuel-efficient car or skipping a trip when you can.

I seem to be writing more and more about politics and commentary on our state of affairs.  I will be sure to mark these posts as personal, but I am sick and tired of loud-mouthed "Patriots" who drive the biggest gas guzzlers you could get.  Maybe they haven't thought about it, maybe they are just exercising their rights.  My opinion is that they are selfish and being as unpatriotic as you can get.

End of Rant.

Thursday, September 01, 2005 10:33:01 AM (Eastern Daylight Time, UTC-04:00)
# Tuesday, August 30, 2005
The deeper I dig into each generation of tools (VS 2005 at the moment), the more I see the trade-off of CPU for developer time.  It used to be that the programmer would go to extremes to maximize the performance of their code and that the tools were written in much the same way.  Over the years this trend has reversed and has really accelerated the other way.  When you hit enter in VS 2005 it is doing a background compile, which allows it to catch typos and other errors in much the same way that Word does.  This is great if you want to be productive, but I often hear lamentations that performance is being tossed.  When I look at modern CPU power, I have to admit that I think it is high time we made reasonable trade-offs.  I see more and more servers that are barely touching CPU usage in double-digit percentages as the march of Moore's law overtakes our consumption of the resulting CPU cycles.

I am not advocating wasting resources, but if I have to write a small application for a simple task then I am all for getting it done in half the time in exchange for it using more memory, or even if it were to run 5% slower than writing it with older tools.  The truth is that as applications evolve and add features they almost always run slower in most circumstances than they used to, but only if you stick with the same hardware.

For myself I say keep the productivity gains coming in the tools, and as long as it doesn't get capricious, I won't complain.

Tuesday, August 30, 2005 1:56:29 PM (Eastern Daylight Time, UTC-04:00)
# Monday, August 29, 2005
For a week or so...

Sony is now providing an update to their PSP game system that provides a web browser, most likely because hackers have been finding ways to enable web browsing on their own.  It is a smart move, but it certainly won't stop users from reverse engineering every single aspect of the system.  What it does for Sony is provide them some goodwill by providing what users will get eventually anyway.

A primary tenet of leadership is to never give an order that won't be obeyed; it just makes you look like an idiot.

It will be interesting to see what Sony's next move is in this game of cat and mouse.

Monday, August 29, 2005 8:32:44 PM (Eastern Daylight Time, UTC-04:00)
# Wednesday, August 24, 2005
In New England we are holding our fourth Code Camp in late September (24th and 25th) in the Waltham, MA offices of Microsoft.  This is where it all began and the fourth will likely be bigger than those before it.

I wanted to not only remind people of the date, but also tell about a special meeting that will help us deliver better and better community content by fostering the development of our technical speakers.  The local (and newly formed) MCT User Group is focusing their meetings on helping sharpen technical presentation skills, and their September 1st meeting (6:00 PM I think, in the Waltham MS office) is dedicated to what can only be called a Code Camp speaker casting call.  We are hoping to educate and recruit the next generation of Code Camp presenters and establish a best practice of actually caring about the quality of local technical presentations.

Hope to see you there if you are interested in being a technical presenter, are already a technical presenter or just like / are good at heckling technical presenters!

Wednesday, August 24, 2005 3:30:47 PM (Eastern Daylight Time, UTC-04:00)
# Sunday, August 21, 2005

A classmate of mine from West Point, LTC Erik Kurilla, was wounded (shot 3 times it seems) while serving as a combat commander in Iraq.  While I rarely (almost never) bring personal stuff into my blog and, as you will see, I will weave this a bit toward my favorite subject of security, I felt I had to say something here.

If you read the writeup it is pretty amazing when we read that, "The Commander of Deuce Four, LTC Erik Kurilla, was shot three times in combat yesterday in front of my eyes. Despite being seriously wounded, LTC Kurilla immediately rejoined the intense and close-quarter fight that ended in hand-to-hand combat. LTC Kurilla continued to direct his men until a medic gave him morphine and the men took him away."  I haven't seen Erik for a while, but he is a stand-up guy who has always been very serious about every mission he gets.  If I am reminded about any lesson here it is that when we get a setback or even a catastrophe, we have to keep our heads and not make it worse.  If you flail, you fail.

Being in the service helped me immensely in dealing with security because it is the same mindset (though the military consequences are much more intense I have to admit).  You have to re-evaluate every time the situation changes and that could be minute by minute.  Erik could easily have just rolled over once he was hit and let someone else direct the battle or do the fighting, but he determined that he was still required and still able (though God knows how) so he made the call. 

My info says that Erik is OK and is already back stateside.  It was not my intention to stir up political debate with this post, but to show the kinds of people I look to for my inspiration when I think about protecting resources.  I believe that the wars we fight are extending, and will extend, into cyberspace faster than most people think.  Ultimately the courage to do the harder right rather than the easier wrong is easiest to find when we are reminded regularly of the immense sacrifices and miraculous bravery of people like Erik Kurilla.  I am proud to know him and regret that I haven't seen him in so many years and didn't get to know him nearly as well as I would have liked while we were at school together.

Erik, get well soon and thanks!

Sunday, August 21, 2005 10:50:17 PM (Eastern Daylight Time, UTC-04:00)
# Wednesday, August 17, 2005

I know there is a lot of information about phishing attacks (attempts to trick users into logging into fake sites with credentials for things like eBay or PayPal), but I am seeing more and more sophisticated attacks and felt that I had to raise the warning again.  In our company and those clients who listen to our advice, it is a general practice to remind the staff of anything important from time to time, such as virus warnings, in case people's guard has fallen or there is a new twist on attack vectors.

In that spirit, when I see a more potent phishing attack I think it is wise to remind people about the hazards.

The message that caught my attention and spawned this post invited me to "Verify your PayPal Account" in the subject.  As I had just messed with PayPal, I was particularly vulnerable, just as an employee whose brother was on vacation would likely succumb to something spoofing him that said, "see the photos" (from an actual client case).  Being very wary of anything online (or otherwise), I examined the actual destination of the link that looked like it would take me to "https://www.paypal.com/login" and noticed that the link actually pointed me to "http://paypal.com.login-user488.info/login" (URL changed slightly to protect the innocent and not aid the guilty).  At first glance you might not notice that the domain isn't paypal.com, but is actually login-user488.info.  This could be a very painful mistake for the user who goes to this page and types in their PayPal credentials, which are likely linked to their credit card.  This is the online equivalent of using a fake cash machine and punching in your PIN for the bad guys to harvest later.

The moral of this story is to be wary even of emails you expect as the attacker might just be lucky to hit you at the time you expect their kind of luring message.  It is a very costly mistake.  In most email clients such as Outlook you can see where a link points by just holding the mouse cursor over the link without doing any clicking.  A better practice is to open up the browser yourself and type the address of the site yourself and then you know you are going where you think you are going.
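As an added example (not from the original post), here is a small Python check that applies the lesson above: compare the domain the link text shows with where the href really goes, and flag a trusted brand name that appears only as a subdomain of some other domain, as paypal.com does under login-user488.info. The trusted-domain list and the sample links are constructed, and the domain parsing is deliberately naive (last two labels, no Public Suffix List).

```python
import re
from urllib.parse import urlparse

# Brands whose login pages the check guards; a constructed list for this example.
TRUSTED_DOMAINS = {"paypal.com", "ebay.com"}
# Link text that looks like a URL: optional scheme, a dotted hostname, optional path.
_HOSTLIKE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#].*)?", re.I)

def registrable_domain(host: str) -> str:
    """'paypal.com.login-user488.info' -> 'login-user488.info'. Deliberately naive
    (last two labels); real code should consult the Public Suffix List (e.g. co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def shown_host(display_text: str):
    """Hostname the user sees in the link text, or None if the text is not URL-like."""
    match = _HOSTLIKE.fullmatch(display_text.strip())
    return match.group(1).lower() if match else None

def classify_link(display_text: str, href: str):
    """Return ('ok' | 'suspicious', reason) for one hyperlink in an e-mail."""
    target = (urlparse(href).hostname or "").lower()
    if not target:
        return "suspicious", "link target has no hostname"
    target_domain = registrable_domain(target)
    # Rule 1: a trusted brand appears only as a subdomain label of some other domain,
    # the trick in the post ('paypal.com' sits under 'login-user488.info').
    for trusted in TRUSTED_DOMAINS:
        if target_domain != trusted and f".{trusted}." in f".{target}.":
            return "suspicious", f"{trusted} used as a subdomain of {target_domain}"
    # Rule 2: the visible text names one site but the href goes to another domain.
    shown = shown_host(display_text)
    if shown and registrable_domain(shown) != target_domain:
        return "suspicious", f"text shows {shown} but link goes to {target}"
    return "ok", f"link goes to {target}"

if __name__ == "__main__":
    # Constructed samples modelled on the message described in the post.
    samples = [
        ("https://www.paypal.com/login", "http://paypal.com.login-user488.info/login"),
        ("https://www.paypal.com/login", "https://www.paypal.com/login"),
        ("see the photos", "http://photos.example.net/album"),
    ]
    for text, href in samples:
        print(f"{text!r:32} -> {classify_link(text, href)}")
```

The same comparison is what hovering over a link in the mail client lets you do by eye; the code only makes the "which domain actually owns this host" step explicit.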

If you wish to stay up to date on phishing attacks I will do my best to bring up reminders from time to time, but you should also check regularly on Duane Laflotte's blog as, in the process of running our security practice at CriticalSites, he tends to see A LOT of these.

Wednesday, August 17, 2005 10:09:09 AM (Eastern Daylight Time, UTC-04:00)