Places To Go
News and Reviews....
People To See
Places To Go
Tuesday, September 27, 2005
The three major credit companies are banding together to put all our eggs in one basket. On many levels this kind of uniformity makes sense as it likely means more resources are being put on the problem, the consumers of the credit information are less likely to make mistakes associated with trying to juggle three different implementations and there will be more focused scrutiny on this unified security, but it also means that if you crack one, you get them all. A friend of mine who is very active in the developer and security community, Phil, forwarded me the article from Eweek
that outlined the effort in very vague terms. Overall I think it is a good step, but as with all things secure, there are very few solid patches of ground.
We do the best we can, but it is very important for those that hold our information for us (whether we like it or not) to do the best they can.
Thursday, September 22, 2005
New England is where the whole Code Camp phenomenon began and than God that I am not doing 12 sessions in 2 days the way I did for the first one!
But I am doing 3 sessions this weekend at the 4th Code Camp themed "Developers Gone Wild".
Thom Robbins has the details posted as well as a link to register here.
It should be great! While I will only be there on Saturday due to a conflict on Sunday, I am very glad to be going.
See you there;)
Tuesday, September 20, 2005
Many security experts who I hold in the highest esteem are ticking me off!
I hear it all over that, "you should never use obscurity as security" and while I agree if you put the word "only" in front of obscurity, but otherwise you are often teaching the wrong lesson.
When I was in the Infantry, we had these things called tanks. They didn't rely on obscurity for their defense. They had several feet of armor in the front and often a 120 mm smooth bore cannon backed up by a couple of machine guns, but we did camoflage them. We did try to prevent them from being obvious. The truth is that obscurity is a layer in the overall defense. It is not a fool proof layer and on the Internet, in some respects it is not even a very good one, but I want all the layers I can get. If obscurity isn't important at all then publish your schema and your overall architecture. I am taking it to extremes, but we need all the help we can get in all things security.
I know that in a conversation I can get agreement on my point from those who are trying valiantly to just teach a valuable lesson, but I think the wording has to be more exact.
Maybe my war analogies are misplaced when it comes to Internet security and defeating hackers, but no one has convinced me of that yet. It feels like war to me!
Security is a war, don't fight fair!
Monday, September 19, 2005
While I was at PDC I attended a slew of NDA briefings from Microsoft. During one of them a flash went off and some people got understandably upset that someone might post a picture of a product being shown under strict privacy. It turned out that nothing untoward occurred and no picture was posted where it shouldn't be, but it is the perfect situation for products that actually prevent bad behavior in this regard. A friend of mine, Scott Stanfield
, pointed me at this url
which discusses technologies that are emerging that will handle this exact situation.
Friday, September 16, 2005
As I got caught up on the activities here at the PDC in Los Angeles, I fell off the wagon of posting about what has gone on. Overall it was a good event, but there weren't a ton of surprises. As I write this I am listening to Michael Howard explain the updated threat modeling thinking that sounds quite good. The push in threat modeling is to make it accessible to developers who aren't security gurus. This is a good goal because I can count on one hand the number of clients that I have visited that actually do real threat modeling. As the tools do more and more for us, this is the high value, non automatable activities that we need to see more in the enterprise.
This shows that MS is making a push on all fronts. There isn't any complacency that I can find, though occasionally there is some confusion.
I have heard over and over again from people that you just can't keep your hands in everything anymore. The number of products coming out based on the announcements here this week alone bring this point home. Lets hope that it doesn't go so far that we ever get to the point where someone narrows their focus so much that they decide to become experts specializing in the File Menu of Word (and all 3487 entries and shortcuts in that menu)...
Tuesday, September 13, 2005
I am writing this from Bill Gates' keynote at PDC in Los Angeles. User experience is definitely the message of the day. Windows Vista is a clear indication of the MS belief that if you build a better interface then they will come (or stay as the case may be).
Atlas, which will allow MS technology developers to build XMLHttp based, google map like, experiences is a prime example that this is the battlefield of this round. There was a bit of a history lesson that was likely very unneeded given the crowd, but then WinFX (highlighting Avalon), Windows Vista and the supporting technologies were covered.
Windows Vista is supposed to, "Bring clarity to your world". The Vista demo was cool, it is hard to call it anything else. If you like the UI in Windows XP then you might have a hard time being lured to Vista, but if you have ever envied the Mac interface then you will have to dig a bit to find enough justification to jump. Control and security are the other motivator. Phishing attacks have been increasing dramatically and IE 7 goes a long way to allowing you to be much more confident that you aren't being victimized. The dynamic protection service will let you opt in to view a known phishing site so that you are never really prevented from hanging yourself. I think this is a good example of MS keeping pace with the hackers, the problem for many people is that they may not want to move, but security will force the upgrade ultimately.
Office 12 was announced and will be released at the same time as Windows Vista. The biggest changes are to the user interface (basically reinvented) and the intrinsic XML file format.
Friday, September 09, 2005
I am off to Microsoft's Professional Developer's Conference (PDC) this weekend. I expect that I will see many of the people who read this at the event in Los Angeles. While there I will be involved in quite a few activities including speaking at the So Cal .Net User Group's PDC Underground event
. If you are there and looking for me, I will be hanging out (and handling the scheduling) for the PDC TV Booth much of the time. This is a booth that lets attendees have up to 3 minutes to say whatever they want on a topic of their choice and have it broadcast throughout the conference center. Wish me luck!
Wednesday, September 07, 2005
I had a very interesting discussion that manifested itself as Duane Laflotte and I delivered our popular Hacker vs. Hacker session. I showed a technique that crashes the hacker's computer when they try to brute force a web site (not for the faint of heart) and the very popular and legitimate question of whether it is prudent to antagonize the hacker.
Anyone who has met me probably can predict that I deliver a resounding hell yes to that question. I don't believe that someone already seeking to attack me (in any regard) is worthy of my backing down. They are already throwing the first punch. I want to go for a kill if I can. Bullies fear those who stand up for themselves and hackers fear those who will prosecute them to the fullest extent of the law. If I lose then the hacker has just done what I expect they would have done without my intervention, but if I win then they do to prison, lose their job and maybe get banned from ever using technology again. I call that a bad bet on their part.
No surprise, this is exactly my take on terrorists as well. You either belive that killing 50 terrorists produces 55 or you don't (in which case it means 50 fewer terrorist). Put me in the don't column. I think that people who partake in either of these activities are not stable in many regards. We occasionally get a glimpse of a hacker or terrorist who is completely rational by all other appearance, but this is rare.
Don't be afraid to vehemently and vengefully defend your turf. You won't ever seeing an attacker decide that you are too peaceful and cooperative to attack.
Thursday, September 01, 2005
In the wake of Hurricane Katrina, I am renewed in my frustration that the US government hasn't called on the population to buckle down and conserve energy. In light of the Hurricane relief effort it would be, "Save energy and put the money toward relief causes". During WWII the population was involved in the efforts of the nation at war by being asked to do everything from conserve fuel to collecting scrap metal. Is the government so skiddish that they are afraid we will revolt over any show of "weakness". Troops overseas (I can say from personal experience) feel more supported when they know that the people back home are making sacrifices to help them accomplish their mission. My voice may not be enough, but I would like to call on every American to do two things that I have already undertaken myself in the wake of a massive natural disaster which occurred while my country fights two wars (don't tell me that it is over, I have friends over there). The first is to give to the agencies that are aiding our countrymen in the gulf coast. That is a no brainer I think, but it bears repeating as often as possible. Second, bite the bullet and cut down on energy consumption beyond what the price at the pump would make you do already. I am sick of us being held hostage to OPEC and having a huge trade imbalance that is made up almost entirely of foreign oil. People who support our troops should put their comfort where their mouth is. It is easy to show a flag or talk about support, but maybe ease the burden a bit by buying a fuel efficient car or skipping a trip when you can.
I seem to be writing more and more about politics and commentary on our state of affairs. I will be sure to mark these posts as personal, but I am sick and tired of loud mouthed "Patriots" who drive the biggest gas guzzlers you could get. Maybe they haven't thought about it, maybe they are just exercising their rights. My opinion is that they are selfish and being as unpatriotic as you can get.
End of Rant.
Tuesday, August 30, 2005
The deeper I dig into each generation of tools (VS 2005 at the moment) the more I see the trade off of CPU for developer time. It used to be that the programmer would go to extremes to maximize the performance of their code and that the tools were written in much the same way. Over the years this trend has reversed and has really accelerated the other way. When you hit enter in VS 2005 it is doing a background compile which allows it to catch typos and other errors in much the same way that Word does. This is great if you want to be productive, but I often hear lamentations that performance is being tossed. When I look at modern CPU power, I have to admit that I think it is high time we made reasonable tradeoffs. I see more and more servers that are barely touching CPU usage in double digit percentages as the march of Moore's law overtakes our consumption of the resulting CPU cycles.
I am not advocating wasting resources, but it I have to write a small application for a simple task then I am all for getting it done in half the time in exchange for it using more memory or even if it were to run 5% slower than writing it with older tools. The truth is that as applications evolve and add features they almost always run slower in most circumstances than they used to, but only if you stick with the same hardware.
For myself I say keep the productivity gains coming in the tools and as long as it doesn't get caprious, I won't complain.