# Monday, December 19, 2005

About a month ago I signed up for a newsletter called FastTips by Microsoft.  My old friend Thom Robbins had a big hand in creating this and actually has done many of the demos I have watched (very well, I might add).  I often get asked where people should go to get up to speed faster, and I can't think of a better way to push learning than a push-based technology like this newsletter.  You can subscribe to FastTips here.

You can't know everything, but if you don't work at it you will soon find that you don't know enough.

Monday, December 19, 2005 10:14:29 AM (Eastern Standard Time, UTC-05:00)
# Saturday, December 17, 2005
Microsoft held the Boston Launch event at the new Convention Center on Thursday and by all accounts it was very successful.  Duane Laflotte and I delivered the Web Development session to a pretty packed room.  Overall the event surpassed the 3,000 mark and everyone I talked to seemed very pleased with the information provided in both the data and development tracks.

I wish I had posted before the event, but travel and things being so busy at CriticalSites have put me behind lately.  I plan to be more proactive going forward.
Saturday, December 17, 2005 11:11:58 AM (Eastern Standard Time, UTC-05:00)
# Tuesday, December 13, 2005

In a personal topic post (which are fairly rare here, I am proud to say) a while ago I reported that a classmate of mine from West Point, Erik Kurilla, was wounded in Iraq and gave some details.  I had to post a follow-up, especially given the news that Erik may end up being portrayed by Bruce Willis in a planned movie about the unit that Erik commanded in the troubled town of Mosul.  The London Times has further details, and while it is still somewhat speculative, I personally think that this would be a very cool thing.

As a veteran of the first Gulf War back in 1991, I don't as a rule watch movies about either the current war in Iraq or the one I fought in, but I will certainly make an exception if this comes to fruition.

While I wasn't very close to Erik at school, I did know him well enough to know that he is a true leader and just the kind of guy you want in charge when things get tough.

Tuesday, December 13, 2005 11:16:40 PM (Eastern Standard Time, UTC-05:00)
# Sunday, December 11, 2005

I was recently in a discussion with some friends about Web 2.0 and what that all meant, along with recently finishing a search for a hosting company for our dedicated servers.  The two conversations actually led me to do a lot of research and to a lot of conclusions about the "next big thing" and how to get in front of it.

What follows are some opinions, advice and ruminations about the convergence of the two events:

As far as the next big thing, I think Web 2.0 is part of it.  Web 2.0 being the idea that the web is great, but the real gold in this next round is taking data from the web and other sources and combining it in interesting ways that result in extended value.  Like taking mapping data, which is all the rage, and tying into it for realtors so that prospective buyers can see not only maps, but schools and stores and crime statistics.  The data isn't original so much as combined in an original way that adds value.  It takes a mature Internet (Web 1.0) for Web 2.0 offerings to be practical, and that is the age in which we live.  When asked what the next big thing was, my answers were things like robotics (especially in the military and law enforcement), commercial space operations, antibiotic measures and other pharmacology rather than Internet or even computer technologies.

But when you think of it, you could build systems that are geared toward the above growth industries, which is the traditional approach (that is where the high-dollar demand will be), or we can combine data with functionality that wasn't possible (or feasible) 2 years ago (a la the buzzword Web 2.0).

My point is that the two are related.  You can revolutionize the horse-drawn buggy whip industry with a Web 2.0 approach to data integration, but you won't get rich on it.  Another hazard is playing in a space where you will get crushed by the capital-intensive crowd once the world sees you are making noise (think niche).  The real danger lies in the lesson of experience: every time I hear about a business proposal in an area that is not my field of expertise it sounds so easy ("what an opportunity"), but when you dig into the details you see all the complexities and barriers to entry under the skin.

Based on my own analysis, I am best suited to either looking for a security offering to the growth industries, providing a value-added service that pivots on security, or finding a security product / service to build that leverages far-flung data and innovative delivery (SOA).

Relative to the web hosting side of this, you have to take your idea and get it built without going broke and get traffic and attention without hitting the same obstacle (going broke).

In my searches for a reliable hosting company I found one that I like and that has worked well for us since we adopted it (we are starting to move more servers based on our initial success).  The company is SRAWeb.Net, which is very good on the Dedicated Server side of things.  If you built your own Web 2.0 solution you could host it at a company like SRAWeb (or any other, for that matter) and provide your service in the pilot phase on the cheap.  I really like the idea of keeping start-up costs as low as possible.

Once you get the process going, it is a treadmill, and again, if you haven't done it, it really does sound easy until you dig into the details.  Just get the search engines to send you traffic; all it takes is some SEO (Search Engine Optimization).  I have made SEO a bit of a hobby and find sites like WebHostingFacts.Net very direct in their advice since they aren't selling services (which are almost always overrated), but instead just give advice.

The bottom line is that having a great idea is just the first step; it takes a lot to make the get-rich-quick scheme actually work.  Luck is a mandatory and completely unpredictable ingredient as well.  If you are upset that you missed that last big gravy train during the Dot Com bubble, then think long and hard about the points I bring up here.  The rumble of the next big thing is upon us.

Sunday, December 11, 2005 9:39:25 PM (Eastern Standard Time, UTC-05:00)
# Wednesday, December 07, 2005
I am amazed that web developers often don't know IIS configuration as well as they should, given it is the platform all their code must run against.  The most pressing misconception concerns Basic Authentication.  When you configure a web site to use Basic Authentication (a common practice), the browser sends the user credentials Base64-encoded in the Authorization header.  Get this straight though: encoding doesn't mean encrypting.  It just puts the credentials into a format for transmission.  That format is public and completely reversible, which makes it exactly as secure as clear text.

While I don't want anyone to take this as a rant against Basic Authentication, it is a wake-up call, because the credentials are sent on each and every request to the site using this authentication mechanism, not just on the first one.  This means that if you use Basic Authentication you need to use SSL on every page request.  This is the detail I see missed most often.  I have seen many sites that put SSL on the login page, but the credentials still get sent in clear text on every other request for the rest of the session.

Bottom line: if you choose Basic Authentication for its broad client support, you have to accept the overhead of using SSL on every single request to the site.
Wednesday, December 07, 2005 11:47:02 PM (Eastern Standard Time, UTC-05:00)
# Monday, December 05, 2005

I was browsing through the list of wireless vulnerabilities on the Wireless Vulnerabilities & Exploits site (our buddy Phil C pointed it out to me) and I was reminded why I always turn Bluetooth off on my devices or avoid them altogether.

Maybe it is just that "B" is so early on, but there do seem to be way too many exploits for this technology.  Granted, someone often has to use a Bluetooth gun of some sort, but that isn't as far-fetched as it sounds and just adds to the randomness of the attack.

An improved vision of Bluetooth or its successor:
I want to see a version of Bluetooth, or some replacement technology that does the same as far as functionality goes, that has a metal contact on both device and accessory.  The two must be placed together in physical contact in order to exchange public keys, which they then use along with the private keys that never leave the devices to make the communication not only authorized but encrypted.  Why is this so hard?  This idea has been with me for well over a year and I just expected someone would implement it as Bluetooth 2 or something, but if it does in fact exist, I haven't heard about it yet.

Monday, December 05, 2005 9:41:24 PM (Eastern Standard Time, UTC-05:00)
# Sunday, December 04, 2005

A friend of mine who is doing business with us posed an interesting question about the digital nature of our contracts.  He said that with paper contracts you have the original that can be examined for changes and modifications.  You can't white out a term or condition or add a few zeros to your compensation without someone being able to prove that you altered your copy.  Plus, both parties tend to keep a physical copy for comparison in case one party contests the contract.  In many cases we do business with contractors via a contract that is emailed as a PDF or sometimes as a Word document.  The contractor prints the contract and signs it.  Often we get only the signature page faxed back to us.

My security-minded friend points out that, "it is easy to add or remove any word using any number of tools, in other words I may add an extra zero for my salary or change anything, so how is this issue solved using digital contracts?"

My answer is that we ask the contractor to fax back the contract with a signature.  Our records in email show us sending them a specific document.  Without email documentation confirming changes, or a new document sent to them, there is support that the signature is based on the document we sent.  While it is possible to tamper with those records, it usually leaves detectable footprints, and it is unlikely that we would do contracts with 10 or 20 people in the same geography or job type and dramatically change the contract for one individual.  In this case, if the company typically uses similar contracts, that can be a benefit in supporting their side of the claim.  Ultimately the courts typically do the right thing in this regard and can decide when something has been altered, even when done expertly.

Even so, there is nothing like a confirming email after the contract is sent and another after the signature is received that covers the essence of the deal to add proof of your intentions in the face of an altered contract.

If you want the real answer then you likely have to ask your own legal counsel as I am not actually a lawyer or trained in the law beyond the basics of military law.  The point of this is that here is another vector for manipulation and attack.  Have you planned for how you would respond?

Sunday, December 04, 2005 9:42:02 PM (Eastern Standard Time, UTC-05:00)
# Monday, November 21, 2005

I try to read the blog of Dave Hitz, one of the founders of Network Appliance, and while I don't link all the time I found one of his entries pretty on topic.

Like my title above, Dave stole the most provocative words from his post to stir interest.  His post is titled, "Beware of Cyanide Gas".

Another fine example of how security is such an arms race.  I recall talking to clients just a couple of years ago, and the standard was that server disks should be wiped and then destroyed.  That is still the standard, but the definition of destroyed keeps moving on us.  Dave points out the ridiculously small slivers of intact disk platter needed to read data, and the reaction of one of our more security-conscious customers was, "I guess we will have to add an acid bath after we sledge them...".

A big part of this battle is just staying informed on what can be done and then figuring out whether you care or not.  If you have passwords and huge databases with Social Security Numbers or Credit Card numbers, then letting someone read even one sliver of the platter may be a disaster (though small by today's standards as massive security blunders go).

Always think about the level of response based on the threat.  If a serial killer escapes in your neighborhood then you are justified to double the locks on the doors and get a bigger dog, but if they escaped 3,000 miles away from you with no history or indication that they would come looking for you then you are overreacting.  If you apply these same standards to your electronic response then you will probably come out alright. 

Lastly, as always watch out for the cyanide gas!

Monday, November 21, 2005 6:52:24 PM (Eastern Standard Time, UTC-05:00)
# Thursday, November 10, 2005
I had a conversation with a friend of mine recently about the physical protection of his home.  I have a bit of a reputation as a gun enthusiast that is somewhat earned.  What surprised my friend and got him to urge me to post this entry is that my advice was a surprise to him and something he admits he had never heard before from anyone.

The issue wasn't computer or even company security, but security at home.  How do I protect my family in a world where convicts escape, kids kill and home invasion is a common occurrence?  I do have weapons, including an AK47, but they are not ready at a moment's notice.  I have kids, so I have bolts out and disassembled, ammo stored away from the weapons and trigger locks (in the case of the AK there is a cable locked through the barrel).  I can't just run and grab one of these weapons for the defense of my home, and that works since that isn't my plan.  We have 3 dogs who average about 70 pounds each, and should they alert me to a problem I am most likely to grab my paintball gun or a wooden sword to join the fray.  If I confront an intruder in my house with a paintball gun then there are several advantages.  I won't be having rounds going through walls and hurting my family or pets, I won't be causing a fire or water damage with paintballs, but if I put 20 rounds into someone at close range they will be down.  Anyone who has played paintball knows what I mean, especially if they have been hit from 10 feet or less (not recommended).  I live in NH, which means that I am unlikely to be prosecuted should I kill someone invading my home, but why make killing the person a goal?  I view it as impossible for a court to convict someone who chooses an obviously non-lethal weapon, especially when given more deadly alternatives.

I know this seems to be off the topic of security as it relates to technology, but if you have been reading my posts you know that I don't see a distinction in most cases.  Security is security.  I would welcome your comments on how this concept (well received by all I have discussed it with) might apply to technical security.  I will reserve my analogies for now.
Thursday, November 10, 2005 2:33:39 PM (Eastern Standard Time, UTC-05:00)
# Thursday, November 03, 2005

Mark Russinovich is a brilliant guy and likely not so popular with the people at Sony these days.  Mark was testing out some rootkit detection and removal software and discovered that, in their exuberance to implement Digital Rights Management, Sony has created a very ham-handed solution that behaves more like a rootkit than some of the very worst actual rootkits out on the Internet.

Read Mark's Blog which details his discovery or go to theregister.co.uk article that summarizes it.  Good reading about bad code!

Thursday, November 03, 2005 2:47:12 PM (Eastern Standard Time, UTC-05:00)