# Wednesday, January 04, 2006

Mark Russinovich has posted another excellent article on spyware, this time pointing out the stratagem of passing off spyware as an anti-spyware program.

If you hoped that spyware would just go out of fashion sometime this year, you are deluded.  The advent of better rootkits, bogus anti-spyware programs (like the ones Mark points to) and the underlying profit makes this the cocaine of the Internet.  The problem is that all the victims are truly innocent in this case.

I want to thank my buddy Dan Krhla (DanK) for pointing it out to me.  He is a very good source of what is good on the Internet.

Wednesday, January 04, 2006 2:28:56 PM (Eastern Standard Time, UTC-05:00)
# Tuesday, December 27, 2005
I was asked by Sys-Con to make my predictions for 2006 and while I am loath to do this kind of thing, I did venture some.  We will see whether they turn out correct or not in about 12 months.
Tuesday, December 27, 2005 11:17:02 AM (Eastern Standard Time, UTC-05:00)
# Wednesday, December 21, 2005
My old friend and mentor, Bruce Backa is finally blogging and this is a MUST SEE!  If you want to learn lessons of business and technology the hard way then by all means ignore this, otherwise put this on your RSS reader and don't miss a post.  I work with Bruce and I still plan to read his posts religiously.
Wednesday, December 21, 2005 10:20:31 PM (Eastern Standard Time, UTC-05:00)
# Monday, December 19, 2005

About a month ago I signed up for a newsletter called FastTips by Microsoft.  My old friend, Thom Robbins, had a big hand in creating this and actually has done many of the demos I have watched (very well, I might add).  I often get asked where people should go to get up to speed faster, and I can't think of a better way to push learning than a push-based technology like this newsletter.  You can subscribe to FastTips here.

You can't know everything, but if you don't work at it you will soon find that you don't know enough.

Monday, December 19, 2005 10:14:29 AM (Eastern Standard Time, UTC-05:00)
# Saturday, December 17, 2005
Microsoft held the Boston Launch event at the new Convention Center on Thursday and by all accounts it was very successful.  Duane Laflotte and I delivered the Web Development session to a pretty packed room.  Overall the event surpassed the 3,000 mark and everyone I talked to seemed very pleased with the information provided in both the data and development tracks.

I wish I had posted before the event, but travel and things being so busy at CriticalSites have put me behind lately.  I plan to be more proactive going forward.
Saturday, December 17, 2005 11:11:58 AM (Eastern Standard Time, UTC-05:00)
# Tuesday, December 13, 2005

In a personal topic post (which are fairly rare here, I am proud to say) a while ago I reported that a classmate of mine from West Point, Erik Kurilla, was wounded in Iraq and gave some details.  I had to post a follow-up, especially given the news that Erik may end up being portrayed by Bruce Willis in a planned movie about the unit that Erik commanded in the troubled town of Mosul.  The London Times has further details, and while it is still somewhat speculative, I personally think that this would be a very cool thing.

As a veteran of the first Gulf War back in 1991, I don't as a rule watch movies about either the current war in Iraq or the one I fought in, but I will certainly make an exception if this comes to fruition.

While I wasn't very close to Erik at school, I did know him well enough to know that he is a true leader and just the kind of guy you want in charge when things get tough.

Tuesday, December 13, 2005 11:16:40 PM (Eastern Standard Time, UTC-05:00)
# Sunday, December 11, 2005

I was recently in a discussion with some friends about Web 2.0 and what that all meant, along with recently finishing a search for a hosting company for our dedicated servers.  The two conversations actually led me to do a lot of research and to a lot of conclusions about the "next big thing" and how to get in front of it.

What follows are some opinions, advice and ruminations about the convergence of the two events:

As far as the next big thing, I think Web 2.0 is part of it.  Web 2.0 is the idea that the web is great, but the real gold in this next round is taking data from the web and other sources and combining it in interesting ways that result in extended value.  Take mapping data, which is all the rage, and tie it in for realtors so that prospective buyers can see not only maps but also schools, stores and crime statistics.  The data isn't original so much as combined in an original way that adds value.  It takes a mature Internet (Web 1.0) for Web 2.0 offerings to be practical, and that is the age in which we live.  When asked what the next big thing was, my answers were things like robotics (especially in the military and law enforcement), commercial space operations, antibiotic measures and other pharmacology rather than Internet or even computer technologies.

But when you think of it, you could build systems geared toward the growth industries above, which is the traditional approach (that is where the high-dollar demand will be), or you can combine data with functionality that wasn't possible (or feasible) two years ago (a la the buzzword Web 2.0).

My point is that the two are related.  You can revolutionize the horse-drawn buggy-whip industry with a Web 2.0 approach to data integration, but you won't get rich on it.  Another hazard is playing where you will get crushed by the capital-intensive crowd once the world sees you are making noise (think niche).  The real danger lies in the lesson of experience: every time I hear about a business proposal in an area that is not my field of expertise it sounds so easy ("what an opportunity"), but when you dig into the details you see all the complexities and barriers to entry under the skin.

Based on my own analysis, I am best suited to either looking for a security offering for the growth industries, providing a value-added service that pivots on security, or finding a security product or service to build that leverages far-flung data and innovative delivery (SOA).

Relative to the web hosting side of this, you have to take your idea and get it built without going broke and get traffic and attention without hitting the same obstacle (going broke).

In my searches for a reliable hosting company I found one that I like and that has worked well for us since we adopted it (we are starting to move more servers based on our initial success).  The company is SRAWeb.Net, which is very good on the Dedicated Server side of things.  If you build your own Web 2.0 solution you could host it at a company like SRAWeb (or any other, for that matter) and provide your service in the pilot phase on the cheap.  I really like the idea of keeping start-up costs as low as possible.

Once you get the process going, it is a treadmill, and again, if you haven't done it, it really does sound easy until you dig into the details.  Just get the search engines to send you traffic; all it takes is some SEO (Search Engine Optimization).  I have made SEO a bit of a hobby and find sites like WebHostingFacts.Net very direct in their advice since they aren't selling services (which are almost always overrated) but instead just give advice.

The bottom line is that having a great idea is just the first step; it takes a lot to get the get-rich-quick scheme to actually work.  Luck is a mandatory and completely unpredictable ingredient as well.  If you are upset that you missed that last big gravy train during the Dot Com bubble, then think long and hard about the points I bring up here.  The rumble of the next big thing is upon us.

Sunday, December 11, 2005 9:39:25 PM (Eastern Standard Time, UTC-05:00)
# Wednesday, December 07, 2005
I am amazed that web developers often don't know IIS configuration as well as they should, given that it is the platform all their code must run against.  The most pressing misconception concerns Basic Authentication.  When you configure a web site to support Basic Authentication (a modestly common practice) it encodes the user credentials.  Get this straight though: encoding doesn't mean encrypting.  It just puts the credentials into a format for transmission.  That format is public and completely reversible, which makes it as secure as clear text.

While I don't want anyone to take this as a rant against Basic Authentication, it is a wake-up call, because the credentials are sent on each and every request to a site using this authentication mechanism.  This means that if you use Basic Authentication you need to use SSL on every page request.  This is the detail I see missed most often.  I have seen many sites that put SSL on the login page, but the credentials still get sent in clear text for the rest of the client/server conversation.

Bottom line is that if you choose the mass support of Basic Authentication, you have to accept the overhead of using SSL on every single request to the site.
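To make the two points above concrete, here is an added Python example (not from the original post): decoding the Authorization header shows that the Base64 encoding Basic Authentication uses is reversible without any key, and a per-request check refuses to honour Basic credentials that did not arrive over SSL/TLS. The sample header, the credentials in it and the WSGI-style policy function are constructed for illustration.

```python
import base64
import binascii

# Constructed sample: what a browser sends on every request once Basic
# Authentication is configured (the credentials are made up).
SAMPLE_HEADER = "Basic " + base64.b64encode(b"jdoe:Winter2005!").decode("ascii")


def decode_basic_credentials(authorization: str):
    """Reverse the Base64 encoding of a Basic Authorization header.

    Returns (username, password), or None for a malformed header.  No key
    is involved: anyone who can read the request on the wire can do this,
    which is why encoding must not be confused with encryption.
    """
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:
        return None  # user-id and password must be separated by a colon
    return user, password


def check_request(environ: dict) -> str:
    """Defender-side check to apply on every request, not just the login page.

    `environ` uses WSGI-style keys (constructed policy, not an IIS feature).
    Returns the response status to give:
      '200' when the request arrived over TLS,
      '301' to redirect an unauthenticated plain-HTTP request to https,
      '403' when a Basic credential arrived over plain HTTP: it is already
            exposed on the wire, so it is not honoured.
    """
    scheme = environ.get("wsgi.url_scheme", "http").lower()
    auth = environ.get("HTTP_AUTHORIZATION", "")
    if scheme == "https":
        return "200"
    if auth.lower().startswith("basic "):
        return "403"
    return "301"
```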
Wednesday, December 07, 2005 11:47:02 PM (Eastern Standard Time, UTC-05:00)
# Monday, December 05, 2005

I was browsing through the list of wireless vulnerabilities on the Wireless Vulnerabilities & Exploits site (our buddy Phil C pointed it out to me) and I was reminded why I always turn Bluetooth off on my devices or avoid them altogether.

Maybe it is just that Bluetooth is so early on, but there do seem to be way too many exploits for this technology.  Granted, an attacker often has to use a Bluetooth gun of some sort, but that isn't so far-fetched and just adds to the randomness of the attack.

An improved vision of Bluetooth or its successor:
I want to see a version of Bluetooth, or some replacement technology that does the same as far as functionality goes, but that has a metal contact on both device and accessory which must be touched together in order to exchange public keys.  The devices would then use those public keys, along with unshared private keys held inside each device, to make the communication not only authorized but encryptable.  Why is this so hard?  This idea has been with me for well over a year and I just expected someone would implement it as Bluetooth 2 or something, but if it does in fact exist, I haven't heard about it yet.

Monday, December 05, 2005 9:41:24 PM (Eastern Standard Time, UTC-05:00)
# Sunday, December 04, 2005

A friend of mine who is doing business with us posed an interesting question about the digital nature of our contracts.  He said that with paper contracts you have the original, which can be examined for changes and modifications.  You can’t white out a term or condition or add a few zeros to your compensation without someone being able to prove that you altered your copy.  Plus, both parties tend to keep a physical copy for comparison in case one party contests the contract.  In many cases we do business with contractors via a contract that is emailed as a PDF or sometimes as a Word document.  The contractor prints the contract and signs it.  Often we get only the signature page faxed back to us.

My security-minded friend points out that, “it is easy to add or remove any word using any number of tools; in other words I may add an extra zero to my salary or change anything, so how is this issue solved using digital contracts?”

My answer is that we ask the contractor to fax back the contract with a signature.  Our email records show us sending them a specific document.  Without email documentation confirming changes or a new document sent to them, there is support that the signature is based on the document we sent.  While it is possible to alter those systems, it usually leaves detectable footprints, and it is unlikely that we would do contracts with 10 or 20 people in the same geography or job type and dramatically change the contract for one individual.  In this case, if the company typically uses similar contracts, it can be a benefit in supporting their side of the claim.  Ultimately the courts typically do the right thing in this regard and can decide when something has been altered, even when done expertly.

Even so, there is nothing like a confirming email after the contract is sent, and another after the signature is received, that covers the essence of the deal to add proof of your intentions in the face of an altered contract.

If you want the real answer then you likely have to ask your own legal counsel, as I am not actually a lawyer or trained in the law beyond the basics of military law.  The point of this is that here is another vector for manipulation and attack.  Have you planned for how you would respond?

Sunday, December 04, 2005 9:42:02 PM (Eastern Standard Time, UTC-05:00)