# Thursday, October 13, 2005

I have been out of it for about a week due to travel to present 7 sessions at TechEd Hong Kong, but now I am back.  It was a great event and as usual was characterized by very high energy keynotes!

The highlight for Bruce Backa and me in our presentations was our last session on Server Control Development for ASP.Net 2.0.  The demo of a control that leverages AJAX style updating to the content really churned the audience and opened some eyes.  I have been asked to provide the source code to that particular demo (for session WEB428), so here it is: WEB428Done.zip (51.22 KB)

I have to thank everyone who got us to go over there (for our fourth time!) and to Andres Sanabria from Microsoft for the slides and the framework for this particular demo.

Thursday, October 13, 2005 11:37:59 AM (Eastern Daylight Time, UTC-04:00) | Comments [28]
# Friday, October 07, 2005
The vulnerability scanner called Nessus will no longer be available under a GPL license starting with the next version (version 3.0).

The announcement pointed to the fact that the community has done very little to help the product evolve, while many competitors have exploited the loophole of providing hardware appliances to undercut the makers of Nessus.
Friday, October 07, 2005 6:24:51 PM (Eastern Daylight Time, UTC-04:00) | Comments [20]
# Friday, September 30, 2005
Microsoft's Channel 9 web site is putting up demos like mine on Looking at Server Controls with ASP.Net 2.0 (with an AJAX demo) and I must say it is a cool idea.  They are like video blog posts.  Duane Laflotte also posted like 3 of them on the subject of Exploring the Crypto API in .Net.  I hope they keep it up and many more people contribute.  If they do we will need a really good way to search.

My spot was a quick walk through of a control that is part of a session I am delivering at TechEd Hong Kong next week.  I gave the presentation at Code Camp 4 and Thom Robbins accosted me to record it.
Friday, September 30, 2005 12:18:21 PM (Eastern Daylight Time, UTC-04:00) | Comments [23]
# Tuesday, September 27, 2005
The three major credit companies are banding together to put all our eggs in one basket.  On many levels this kind of uniformity makes sense as it likely means more resources are being put on the problem, the consumers of the credit information are less likely to make mistakes associated with trying to juggle three different implementations and there will be more focused scrutiny on this unified security, but it also means that if you crack one, you get them all.  A friend of mine who is very active in the developer and security community, Phil, forwarded me the article from Eweek that outlined the effort in very vague terms.  Overall I think it is a good step, but as with all things secure, there are very few solid patches of ground.

We do the best we can, but it is very important for those that hold our information for us (whether we like it or not) to do the best they can.
Tuesday, September 27, 2005 5:10:20 PM (Eastern Daylight Time, UTC-04:00) | Comments [23]
# Thursday, September 22, 2005

New England is where the whole Code Camp phenomenon began, and thank God that I am not doing 12 sessions in 2 days the way I did for the first one!

But I am doing 3 sessions this weekend at the 4th Code Camp themed "Developers Gone Wild".

Thom Robbins has the details posted as well as a link to register here.

It should be great!  While I will only be there on Saturday due to a conflict on Sunday, I am very glad to be going. 

See you there;)

Thursday, September 22, 2005 11:18:28 PM (Eastern Daylight Time, UTC-04:00) | Comments [37]
# Tuesday, September 20, 2005

Many security experts who I hold in the highest esteem are ticking me off!

I hear it all over that "you should never use obscurity as security", and while I agree if you put the word "only" in front of "obscurity", otherwise you are often teaching the wrong lesson.

When I was in the Infantry, we had these things called tanks.  They didn't rely on obscurity for their defense.  They had several feet of armor in the front and often a 120 mm smooth bore cannon backed up by a couple of machine guns, but we did camouflage them.  We did try to prevent them from being obvious.  The truth is that obscurity is a layer in the overall defense.  It is not a foolproof layer and on the Internet, in some respects, it is not even a very good one, but I want all the layers I can get.  If obscurity isn't important at all, then publish your schema and your overall architecture.  I am taking it to extremes, but we need all the help we can get in all things security.

I know that in a conversation I can get agreement on my point from those who are trying valiantly to just teach a valuable lesson, but I think the wording has to be more exact.

Maybe my war analogies are misplaced when it comes to Internet security and defeating hackers, but no one has convinced me of that yet.  It feels like war to me! 

Security is a war, don't fight fair!

Tuesday, September 20, 2005 11:33:47 PM (Eastern Daylight Time, UTC-04:00) | Comments [28]
# Monday, September 19, 2005
While I was at PDC I attended a slew of NDA briefings from Microsoft.  During one of them a flash went off and some people got understandably upset that someone might post a picture of a product being shown under strict privacy.  It turned out that nothing untoward occurred and no picture was posted where it shouldn't be, but it is the perfect situation for products that actually prevent bad behavior in this regard.  A friend of mine, Scott Stanfield, pointed me at this URL, which discusses emerging technologies that will handle this exact situation.
Monday, September 19, 2005 2:10:45 PM (Eastern Daylight Time, UTC-04:00) | Comments [20]
# Friday, September 16, 2005

As I got caught up in the activities here at the PDC in Los Angeles, I fell off the wagon of posting about what has gone on.  Overall it was a good event, but there weren't a ton of surprises.  As I write this I am listening to Michael Howard explain the updated threat modeling thinking, which sounds quite good.  The push in threat modeling is to make it accessible to developers who aren't security gurus.  This is a good goal because I can count on one hand the number of clients I have visited that actually do real threat modeling.  As the tools do more and more for us, this is the kind of high value, non-automatable activity that we need to see more of in the enterprise.

This shows that MS is making a push on all fronts.  There isn't any complacency that I can find, though occasionally there is some confusion.

I have heard over and over again from people that you just can't keep your hands in everything anymore.  The number of products coming out based on the announcements here this week alone brings this point home.  Let's hope that it doesn't go so far that we ever get to the point where someone narrows their focus so much that they decide to become experts specializing in the File Menu of Word (and all 3487 entries and shortcuts in that menu)...

Friday, September 16, 2005 12:13:49 PM (Eastern Daylight Time, UTC-04:00) | Comments [33]
# Tuesday, September 13, 2005

I am writing this from Bill Gates' keynote at PDC in Los Angeles.  User experience is definitely the message of the day.  Windows Vista is a clear indication of the MS belief that if you build a better interface then they will come (or stay as the case may be).

Atlas, which will allow MS technology developers to build XMLHttp based, Google Maps like experiences, is a prime example that this is the battlefield of this round.  There was a bit of a history lesson that was likely very unneeded given the crowd, but then WinFX (highlighting Avalon), Windows Vista and the supporting technologies were covered.

Windows Vista is supposed to "Bring clarity to your world".  The Vista demo was cool; it is hard to call it anything else.  If you like the UI in Windows XP then you might have a hard time being lured to Vista, but if you have ever envied the Mac interface then you will have to dig a bit to find enough justification to jump.  Control and security are the other motivators.  Phishing attacks have been increasing dramatically and IE 7 goes a long way toward letting you be much more confident that you aren't being victimized.  The dynamic protection service will let you opt in to view a known phishing site, so that you are never really prevented from hanging yourself.  I think this is a good example of MS keeping pace with the hackers; the problem for many people is that they may not want to move, but security will ultimately force the upgrade.

Office 12 was announced and will be released at the same time as Windows Vista.  The biggest changes are to the user interface (basically reinvented) and the intrinsic XML file format. 

More later...

Tuesday, September 13, 2005 12:29:02 PM (Eastern Daylight Time, UTC-04:00) | Comments [23]
# Friday, September 09, 2005
I am off to Microsoft's Professional Developer's Conference (PDC) this weekend.  I expect that I will see many of the people who read this at the event in Los Angeles.  While there I will be involved in quite a few activities including speaking at the So Cal .Net User Group's PDC Underground event.  If you are there and looking for me, I will be hanging out (and handling the scheduling) for the PDC TV Booth much of the time.  This is a booth that lets attendees have up to 3 minutes to say whatever they want on a topic of their choice and have it broadcast throughout the conference center.  Wish me luck!
Friday, September 09, 2005 4:26:53 PM (Eastern Daylight Time, UTC-04:00) | Comments [22]