Tuesday, October 28, 2008
I am here at the PDC in Los Angeles this week and have heard quite a bit of grumblings about UAC. The MS employees on stage and elsewhere are basically saying that UAC is a necessary evil so that clients do not become vulnerable due to unauthorized software install (and other admin level actions). The developer side of this argument is that UAC is a blunt instrument like a security guard in your house that keeps asking you for your passport. You can’t argue that this guard will make your house safer, but he is also going to drive you crazy until you decide to fire him altogether. That is what we are seeing in the field with so many people simply shutting off UAC.
Now that Windows 7 is in sight it might be too late for my suggestion of how we might get the best of both worlds relative to secure software install. My idea is that when you go to install software you should be presented with a CAPTCHA style challenge which ensures a real person is at the helm. Once that CAPTCHA dialog is completed successfully the OS should track that this install is authorized and therefore exempt from future challenges since we know this is not malware (or at least not secretly installed malware).
Since this idea just came up this morning I am guessing I am missing some aspects to this approach that are problematic, but on first look I think this approach could help make things more secure while not destroying user productivity.
If you agree then bring this suggestion up to the people you know at MS. That is what I am going to try to do later today.
Thursday, September 18, 2008
I have worked on many software development projects, both commercial and line of business, and every single time I talk about optimization to a developer they always jump to the same conclusion. They think I mean speed of execution. I grant that the majority of the time when people talk about optimization that is what they mean, but it is not 100% of the time correct. Often I care more about the maintainability of an application, especially if I know it is destined (or doomed) to morph quite a bit over the next year or so. In these cases it is often an application that will be used by employees and many of the standard assumptions do not apply.
Take our Intranet for instance. It is only used by employees and our closest contractors. We use it for tracking customers and projects, for forecasting sales and even timesheets. I don't care if it is 5% slower, I want it to be adaptable since we are an agile company. I don't mess with the code every week or even every quarter, but the code is written in such a way that I or any other developer on staff can go in and very quickly add a field or other features. We didn't sacrifice security (that would be unacceptable), but we did forgo the multi tier architecture and stored procedures for parameterized queries. This is a sin in many circles, but if the application's backend is single use (only one application) then there is much less advantage to all the abstraction. I am sure the arguments will flow down on me now, but I see the same drive for complexity without purpose (real advantage I mean) in the Java world where code portability is everything and yet almost no one ever avails themselves of that costly feature.
The next time someone asks you to optimize something ask them if they mean for performance or maintainability and let the funny stares begin...
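The claim above is that dropping stored procedures for parameterized queries gives up abstraction, not security. The following is an added example, not code from this blog or its intranet; it uses Python's built-in sqlite3 as a stand-in for SQL Server, with a constructed customers table, to show why the distinction holds: a value bound as a parameter is never parsed as SQL, whereas the same value concatenated into the query text is. It also covers the "add a field" case, since a column name chosen at runtime cannot be bound as a parameter and has to be checked against an allow-list instead (the ALLOWED_COLUMNS set and the function names are assumptions for the example).

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the intranet customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, region TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, region, owner) VALUES (?, ?, ?)",
        [("Acme", "east", "alice"), ("Globex", "west", "bob"), ("Initech", "east", "carol")],
    )
    return conn


def find_customers_unsafe(conn, region):
    # String concatenation: the caller's value becomes part of the SQL text,
    # so a value like  east' OR '1'='1  rewrites the WHERE clause.
    sql = "SELECT name FROM customers WHERE region = '" + region + "'"
    return [row[0] for row in conn.execute(sql)]


def find_customers_safe(conn, region):
    # Parameterized query: the value is bound by the driver and compared as
    # data; quotes or keywords inside it never reach the SQL parser.
    sql = "SELECT name FROM customers WHERE region = ?"
    return [row[0] for row in conn.execute(sql, (region,))]


# Assumed allow-list for the example: the only columns a caller may filter on.
ALLOWED_COLUMNS = {"name", "region", "owner"}


def find_customers_by(conn, column, value):
    # Identifiers (table and column names) cannot be passed as parameters, so
    # a column picked at runtime is validated against the allow-list before it
    # is quoted into the statement; the value is still bound as a parameter.
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {column!r}")
    sql = f'SELECT name FROM customers WHERE "{column}" = ?'
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    db = make_db()
    payload = "east' OR '1'='1"
    print("concatenated:", find_customers_unsafe(db, payload))  # every row leaks
    print("parameterized:", find_customers_safe(db, payload))   # no match
    print("by owner:", find_customers_by(db, "owner", "bob"))
```

The same split applies with SqlCommand and SqlParameter in ADO.NET: parameters protect values, and anything that shapes the statement itself (column, table, ORDER BY target) must come from code, not from the request.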
Wednesday, September 17, 2008
Life changes pretty fast sometimes when you aren't watching. I woke up today and realized that much more of my work is involved in keeping projects on the straight and narrow and much less is spent making database fields show up in the right place and with the right user access set. For that reason I am changing gears and will leave most of the technical details of our projects to Duane Laflotte. He does it better on his blog anyways...
That having been said, you can expect me to pick up the blogging pen again, but this time I plan to write about management of technical projects including things like sales, process engineering, fixed bid proposal generation and the other things that I wish five or ten years ago I had found a blog to read. I also will likely talk a lot about commercial vs. business programming and the impact of new technologies on a technical consulting practice. If this makes some of those that followed my blog leave then I am sorry, but I do think that this blog will be better for the change (at least now I will feel like I can vent here a bit).
See you soon.
Monday, April 14, 2008
I have recently finished my last presentation here in Cairo at the EDC 2008 and wanted to start getting my presentations uploaded for all those who were asking about them. To make things run faster I am uploading them each in their own post especially since the AJAX example hasn't been packaged yet.
I covered Indexing in SQL Server including what works and what does not work. I was very happy that my friend Mohammed Meshref from the Microsoft SQL Server team was on hand to both help and to be picked on ;)
EDC08 SQL Indexing and Perf Draft 2.ppt (546.5 KB)
Friday, March 21, 2008
I have often thought about the mindset required to be good at the security game. I hang out with Duane Laflotte a lot and he has the penetration tester mindset which lends itself nicely to security even when you aren't trolling on the dark side.
But it was an article that got picked up on Slashdot today about Bruce Schneier's thoughts on this subject that revived the thread for me.
I have what I think is an interesting twist on this perspective in that I believe that the only way to teach what Bruce is holding out as unteachable is what I believe taught me to think this way. When I grew up I didn't think the way Bruce Schneier thinks. But I do now. The reason I believe is the military. When the Army trains infantry leaders it teaches them how to defend while looking always for ways to attack. The mild mannered programmer is taught to build, but if part of that training put in their mind that to be successful they had to tear down the abilities and infrastructure of the hackers then we might get a different result.
There is nothing that makes you think more like a hacker than to stand on a hill and realize that you are defending it at dawn and if you fail you and all your soldiers die. It also makes you want to get that unfair advantage and lay traps for the enemy. During a major training exercise in Germany I put soldiers in foxholes with signal mirrors and had them flash the enemy armor to draw fire while our vehicles flanked and destroyed them.
So if you want to be a hacker and you don't think like one, I think the Army recruiter would be happy to help get you trained...
Wednesday, March 12, 2008
As I said a couple of days ago, I am speaking again in Cairo in a few weeks at the EDC. I have arrived on the topics that I am presenting. While these are still subject to change it looks like:
- A session on AJAX
- A session on Commercial Software Dev (vs. Business development)
- A session on Indexing Optimization in SQL Server
I am really looking forward to seeing all my friends and again want to thank Waleed Abdelwahab for pushing me to revive this blog.
See you all soon!
Tuesday, March 11, 2008
Every few years I find that there are pieces (sometimes big ones) that I have not played with or encountered on a customer project and it tends to freak me out a bit. We have now arrived at that point in the cycle yet again! Expression, SilverLight, WPF and the like are all technologies that you will likely never see me present upon, but in the aftermath of MIX 08 and the whole WideOpen Web movement I just have to dive in deeper and see what the implications are for the parts of the technology that I do use daily.
I think this is a key survival trait for me and I encourage everyone to reach down into that free time (you are still sleeping right?) and get a grip. The good news is that great blogs and podcasts are making this much easier than ten years ago. I promise to report what I find here and might even ask a non-rhetorical question or two ;)
Monday, March 10, 2008
I have finally confirmed the final dates for the Egypt Developers Conference which is held every year in Cairo. This year it is in Mid April and again I will be speaking. I really look forward to this event and for a short time I was afraid that the dates would move to a week where I couldn't attend, but I now know that this is not the case.
This week I have to solidify which sessions I will present and am thinking about doing a session on commercial software development (as opposed to business software development) on the new Software Architects track.
Last year I made the mistake of re-presenting sessions from previous years at the request of some very well intentioned people who were running the show, but I will not make that same mistake again.
See you in Cairo!
A very good friend of mine reminded me that I have this blog that I have been neglecting and I must say that he is right. It is easy to fall out of a habit, even one so important, and I think in my case it has been that I always want to write really interesting things. The problem is that really interesting things are a really high bar and almost always a matter of perspective.
Consider this the warning shot that I plan to come back to this blog and write about all aspects of technology and software development. Security when I have something to say, but overall there is a lot left unsaid in the name of keeping the blog on topic.
Friday, May 25, 2007
Someone in my office just forwarded me a link to a video that has Scott Guthrie talking about ASP.Net. Not very unexpected, but the video turns out to be set inside Halo thanks to the crew at Red vs. Blue and it is fabulous.
I don't know what site it was originally hosted on, but if you remotely like Halo, or ASP.Net or Scott or anything remotely cool and / or entertaining, check it out!
Red vs. Blue themed ASP.Net ad featuring Scott Guthrie