With the recent announcement from Microsoft that they will adopt Chromium for future development of their Edge browser, I think things are going to get interesting, and not in the bad way that usually means. Here is a link to the post by Joe Belfiore for reference. In decades past we have seen...
It has become apparent to me that the world has reached an inflection point. It used to be that when you were in school you had to figure out what you wanted to be when you grow up and work very hard to acquire skills that would determine your success in that chosen profession. I have often...
If you are like me, you have been in a constant struggle that finds you striving to get more done in less time. Eventually you get to the point that you have to let things go from your to do list (cue Frozen soundtrack here). To top it off there has been a recent backlash...
A conversation that comes up often concerns what rights a Windows Administrator (domain or local) has to folders and files. The common assumption is that being an Administrator is the backstage pass, but while it is somewhat true, the details are a bit more complex. Windows did not get to survive...
As I have been running various organizations I have detected a key trend that I think delivers a critical insight. I find that people who are open to having their perspective changed are able to adapt to our changing technology world much better than those that are not open to changing their mind....
As the Presidential elections draw closer here in the US, I have been having conversations with a number of people who do not vote and in many cases have no intention of voting. I found this attitude baffling at first, but have grown to understand that it comes from a lack of understanding of the...
A friend of mine forwarded me a link to a provocative paper by Microsoft Research that called into question whether the security advice provided to users for their online activities is useful based on a risk-reward calculation. The link and the PDF document can be found here . At first glance I...
I am happy to announce that very soon I will be providing a monthly article in the SD Times on Microsoft Technology. With this regular writing task to spur me on I expect (and hope) to be doing a lot more blogging as well…
Recently I have had two of my most senior employees come to me separately and suggest new products for the company to build. I encourage this of course, but find I have to help them understand some things about what I call Disciplined Entrepreneurism. Ultimately when you decide to build a product...
While I resisted Twitter for a long time, not too long ago I started following selected individuals on Twitter including Richard Campbell (richcampbell on twitter). I plan to start using Twitter myself hopefully to communicate things of value, but for now I am using it as a consumer. This morning...
IBM has decided to build the mother of all Cloud Computing data centers in of all places, China. I will advise all that will listen that this is a fantastic blunder since China is the absolute worst choice for such a resource. I do not want any of my corporate code and data or the data from...
If you looked into playing with Azure in the past, but did not jump in then it is time to take another look. Microsoft has added options over the last year that really remove objections to trying it out. If you have an MSDN subscription then you pretty much get a free playground in Azure that is...
I have talked to many of you over the course of the past week and have been cautious due to the fact that I was concerned for your safety. A failed rebellion is a painful thing especially when it is not known who will lead the aftermath. Now that I see the resolve in my friends there I know that...
My friend and colleague Adam Cogan is a big proponent of documenting best practices. In fact his company, SSW, puts all kinds of lists of these best practices up on their website. Recently Adam chimed in on a list we are both on with a link to the best practices (Rules) around setup and I realized...
Paul Randall has a compiled document with all his blog posts on SQL Myths that I think is a must read if you consider SQL Server part of your core competence. It is probably not very interesting to pure devs, but I would still suggest you take a scan of this so you can avoid making assumptions that...
We have a saying in the various companies with which I associate and it is “Any fool can manage success, but it takes talent to manage a crisis”. The leader, project manager, team leader, or whatever you call the person in charge has to not be wishful. This sounds easy, but in my experience it is...
Michele Bustamante and I have started recording the first episodes of our new security focused podcast LockDown. While the website is up, it has place holder content describing Carl Franklin of .Net Rocks fame as our first guest (that was the original plan). However as usual Carl was flying around...
The Microsoft Identity story has matured quite a bit in the last couple of years and now would be a good time to get up to speed if you have been waiting for the train to get some speed. Vittorio Bertocci has pulled together the training he has been delivering around the world into a training kit...
I have noticed a very interesting reaction recently to the way Apple has been throwing their weight around controlling who and what can be put in the appstore. Until a month or so ago there was a legion of companies and developers in my own circle, figuring out how they would enter the market and...
I was recently asked how to cost effectively do backup and Disaster Recovery (DR) for a 50 or so person organization. Here is what I have found to be a pretty good way to go that won’t break the bank. For an organization this size I use Backup Assist (http://www.backupassist.com). It leverages...
The latest security threat as outlined here has hit over 100,000 people already and if you read through the details of how organized the attack is you will understand why it has been so successful. The problem is that while we have to protect ourselves from every threat, the bad guys only have to...
It seems that everytime the government gets involved in high tech, things go wrong. Today I found out that there is a looming intervention that I think could potentially screw up one of the biggest successes in US based high tech, namely processor technology. If you get time soon check out the...
Lately I have been helping customers find talented developers. As the topic of many books, courses, web sites and numerous other sources (many of which I have read or used) it is a problem that I find keenly interesting. There are of course many, many ways to look at it, but I think I have found the...
Over the last year I have gotten an education on PHP and MySQL web sites to go along with my existing expertise with ASP.Net and SQL Server. It turns out that I purchased a web site a little over a year ago that supports gamers who play World of Warcraft (a game I have played for years). The site...
I have been working on commercial products for a long time and repeatedly have seen companies compete with similar solutions. Often one is the technology leader and innovates while the other plays catch up and only survives by clever marketing. Sometimes the laggard can become the market leader,...
I just got back from the Microsoft PDC in LA and have been thinking about what I saw there. It turns out that I have come to a couple of conclusions that I will surely post more about in the future, but for now here is the overview. First there were several Windows Azure announcements that have...
For many, many years I have been writing and reviewing contracts between my company and clients. As a result I have some insights into how things can be made to work more simply. First up, this is not legal advice, just me sharing some experiences. You should always run your contracts by your...
I am packing tonight to head to the PDC in Los Angeles and wanted to tell anyone else who will be attending that I am hosting a Birds of a Feather session at lunchtime on Thursday on security hype . The thesis is that we are seeing a steady stream of over hyped security “issues” that tend to remind...
As I work to build commercial software products I am regularly forced to remember that bug is a relative term. That sounds like a weaselly way to explain away a fault in your software, but it really does turn out to be true especially when you have been on the ISV side of the conversation. Back in...
A friend of mine pointed out that now Dolly Parton is leveraging SilverLight and IE8 Web Slices on the site for her new album. I think this is an interesting signpost that SilverLight is rapidly approaching widespread acceptance. Check out the web slice at the Add on Gallery .
Most of you know me from Criticalsites or NTP Software since those are the two companies with which I have been associated for over a decade now. This post is to tell you all that while I am still doing work with both of these companies they are now my clients rather than my employers....
I am getting ready to go to the PDC this year and I got to thinking that devs need to dig in now more than ever to stay up to date on the latest and greatest tools available to get their jobs done. I spent this last week teaching a class on SQL Server 2008 at Blended Solutions in Manchester, New...
Lately I have been working on developing a new product key system and realized that one of the core rules of the road is not documented anywhere I can find (which is crazy in this day and age when everything is supposed to have already been said). The rule is pretty simple once you think of it. You...
Microsoft has just announced that there are security flaws in the Active Template Library (ATL). While many developers will think that this only applies to C++ programmers, and while to some extent they are correct, I think it is important to take a lesson from this issue. Michael Howard has posted a...
Microsoft has always done well with version 3 goes the well worn saying. And so I have high expectations for SilverLight 3 which has just released. Being more involved with Security, Business Processes and Enterprise System Development I have not delved as deeply into SilverLight 1 and 2 as I had...
I am currently reading the book “Outliers, the Story of Success” by Malcolm Gladwell and while I am very interested in the entire book so far I was very struck by a specific passage about half way through dealing with job satisfaction. The quote is, “three things – autonomy, complexity and a...
Over the years Microsoft has pitched a lot of product and while I have always liked the technology (MS Bob, et al. aside of course) they have not always been the most marketing savvy company when it comes to media. Over the weekend I saw what promises to be the best leverage of new media by Microsoft...
My favorite interviewers Carl Franklin and Richard Campbell invited me to appear again on .Net Rocks recently. We talked at length about the circumstances that we often see that cause technical projects in particular to fail. Initial feedback has been quite positive so if you happen to listen to it...
Most of the people I know feel uniquely qualified to say how a particular commercial software product should work based on their experiences of using it. It doesn’t matter which product you pick, it is always the same. The problem with this is that it is almost impossible for an individual to be...
I sent the following email out to our entire company today and afterwards thought it would be interesting to post it, if for no other reason than to compare notes with others who grapple with these same issues (i.e. everyone). If you have a company of any size at all I would highly recommend sending...
I noticed an article on Wired about robots stealing jobs and got to thinking about outsourcing, this down economy and all the conversations I have had (calm and otherwise) about jobs moving offshore. Ultimately I don’t see any reasonable way to stop jobs from following a well established lifecycle...
In my business we deal with companies that are by their very nature risk averse and hence I only play with the newest tech for our internal projects, the occasional customer emergency and in my free time. Even so I have watched Microsoft’s Azure pretty closely and while I am confident that...
I promised to upload my presentations from last month’s New Hampshire Code Camp so here they are… I delivered the keynote address for the event covering how to survive as a developer in this depressed economy. NH Code Camp Feb 2009 Keynote.ppt (592.5 KB) I also got to debut a new session on How to...
I am here at the PDC in Los Angeles this week and have heard quite a bit of grumblings about UAC. The MS employees on stage and elsewhere are basically saying that UAC is a necessary evil so that clients do not become vulnerable due to unauthorized software install (and other admin level actions)....
I have worked on many software development projects, both commercial and line of business and every single time I talk about optimization to a developer they always jump to the same conclusion. They think I mean speed of execution. I grant that the majority of the time when people talk about...
Life changes pretty fast sometimes when you aren’t watching. I woke up today and realized that much more of my work is involved in keeping projects on the straight and narrow and much less is spent making database fields show up in the right place and with the right user access set. For that reason...
I have recently finished my last presentation here in Cairo at the EDC 2008 and wanted to start getting my presentations uploaded for all those who were asking about them. To make things run faster I am uploading them each in their own post especially since the AJAX example hasn’t been packaged...
I have often thought about the mindset required to be good at the security game. I hang out with Duane Laflotte a lot and he has the whole hacker mindset which lends itself nicely to security even when you aren’t trolling on the dark side. But it was an article that got picked up on Slashdot today...
As I said a couple of days ago, I am speaking again in Cairo in a few weeks at the EDC. I have arrived on the topics that I am presenting. While these are still subject to change it looks like: A session on AJAX A session on Commercial Software Dev (vs. Business development) A session on Indexing...
Every few years I find that there are pieces (sometimes big ones) that I have not played with or encountered on a customer project and it tends to freak me out a bit. We have now arrived at that point in the cycle yet again! Expression, SilverLight, WPF and the like are all technologies that you will...
I have finally confirmed the final dates for the Egypt Developers Conference which is held every year in Cairo. This year it is in Mid April and again I will be speaking. I really look forward to this event and for a short time I was afraid that the dates would move to a week where I couldn’t...
A very good friend of mine reminded me that I have this blog that I have been neglecting and I must say that he is right. It is easy to fall out of a habit even one so important and I think in my case it has been that I always want to write really interesting things. The problem is that really...
Someone in my office just forwarded me a link to a video that has Scott Guthrie talking about ASP.Net. Not very unexpected, but the video turns out to be set inside Halo thanks to the crew at Red vs. Blue and it is fabulous. I don’t know what site it was originally hosted on, but if you remotely...
StrangeLoop has finally announced their AppScaler device! Richard Campbell told me about his involvement in StrangeLoop a while ago and I have been dying to tell people about it, but until now it has been confidential. Basically the AppScaler takes a web farm’s major headaches and lifts them into...
Most companies pay lip service to security, but the emphasis is just not there. There is bluster and maybe even a few conversions soon after an embarrassing security breach, but all too often a scapegoat is found, fired and then it is back to business as usual. The missing element is real...
ZDNet recently had an article about new attacks that allow systems to be exposed to the worst kind of attacks just by visiting a web page with a bit of Javascript. The root of the problem is actually not changing the default passwords on those ubiquitous home routers from Linksys and Netgear...
New games all the time, this one is Blog Tag. Don Sorcinelli tagged me via his blog and so now I am to write a blog entry that reveals things about me that you wouldn’t be likely to know and then tag others. I will do the first part to the letter, but will only tag a single individual...
Forbes.com has a story about the use of typing patterns to identify whether a user is the actual user or a hacker. I like the idea, though I fear it won’t catch on. Defense in depth, adding an edge is important, but the key element from this article comes at the very end where they say that...
My fellow Microsoft Regional Director, Jonathan Goodyear recently wrote a very full and detailed description of what the Microsoft Regional Director program really is , which should help anyone who still thinks I am a MS employee. I hope this helps clarify things a bit, though I do expect to still...
My good friend, Eileen Rumwell, has started blogging . Her blog is something I plan to keep watching especially since in the short time it has been up she has already thrown out some great insights. The really cool thing is that having come from a marketing background, Eileen has been...
Time magazine’s cover story is about how people are scared of very, very unlikely things such as bird flu which hasn’t killed anyone in the US while the regular flu kills tens of thousands each year. Security is the same way. I often see organizations worrying about “Carlos the mad hacker”...
Microsoft has just released their new Anti-XSS library which helps developers do the right thing more often without as much effort as before. If you are interested in this (and trust me, you are) your first stop is to go to the tutorial and see how it is done. As you will see it isn’t stupid...
Chad Hower is a smart guy and I came across his post on protecting the software you write from pirates right at a time that we were revisiting the question ourselves. On the whole I agree with Chad; while he comes off as against anti-piracy in the beginning of the post, in the end you realize that...
I have commented before on this issue and a recent blog post forwarded to me has dredged up the topic again. If you want to get rid of a drive after retiring a server or getting indicted then most of the things you can think to do to that drive will not remove the data. You can rewrite the...
Code Camp 6 is tomorrow at the MS office in Waltham and this is the first one since the original world premier Code Camp that I am going to miss. With Thom Robbins moving on to Redmond and the rush of business that everyone seems to be seeing, this 6th edition didn’t come together nearly as early...
Sometimes the Fear, Uncertainty and Doubt (FUD) argument is very well disguised. In an article the Chief Scientist at McAfee is decrying some of the new features that MS is putting into Vista to try and stop virus infection and the spread of spyware. This is terribly self serving as in...
As Vista nears launch there are some things you will want to know. Will it support your hardware? Where are the secret buttons that make it usable? Today’s post helps answer that second one. By all reports UAC (User Account Control) can drive even the most security minded user insane...
Steve Riley had a good long post on his blog about Mandatory Integrity Control as it is implemented in Vista that drew even longer comments. Great concept, as you will see from several of the comments, this isn’t the first implementation, but I expect it will be the first to get nearly universal...
My prolific friend Phil forwarded me a story about Chinese hackers trying to do in the US Commerce Department . There are a couple of interesting points in this story: 1. Why would you need to take Internet access away from users? Aren’t they behind firewalls? Were the hackers luring...
Having been involved in many software projects, some commercial, some consulting, some disastrous, I have noticed some trends that I would like to share. If you are commissioning (read paying or betting your job) a development project, you have to avoid being wishful. If you just trust that...
The topic of the AT command and the command prompt came up on an internal list I am on with Microsoft, the gist of which was, “How do I securely turn this junk off”. The answer is that to some degree the command prompt, and especially when coupled with the Task Scheduler, is a security hole that...
If you want to keep track of how prevalent phishing attacks are from month to month (and I do) then you should check AntiPhishing.org . The site is pretty meager in most regards, but the front page has a bar chart that is pretty staggering when you realize that they are only measuring people...
There are many varying opinions on almost everything, but Compliance is one of those topics like economics, everyone has a different opinion it seems. I was reading an article by one of the Systems Engineers at Network Appliance entitled, “ Six Tips for Archive and Compliance Planning ” and while I...
It seems that even though we all know we need to patch our system, we are now having to do it faster and faster to avoid the vulnerable time between patch availability and exploit. In an article on ZDNet there are details of how the latest exploit is being used, but soon you should see a post...
I have been casting about for .Net Best Practices and came across Adam Cogan’s lists of how to do pretty much everything. The funny thing is that I have known Adam for years and was aware that he had compiled quite a lot of information on his site, but until I started to dig through it I...
I am sure it is reported elsewhere, but I found an article on a proof of concept virus that targets AMD processors on a magazine site in Australia. The article dismisses the threat of such an item and pretty much holds it up as just a curiosity in the fight against hackers, but I see it...
I know it is simple and probably not an amazing tool, but I am finding www.dnsreport.com to be amazingly helpful in some troubleshooting I have had to do recently. Sometimes the most important thing is to just have the right tool…
Microsoft has released a 12 step plan to help its image and communicate their intent to prevent the kinds of lawsuits like the one going on with the EU. While I think the plan will work on a number of levels, I am disappointed that it had to happen this way. I am not of the belief that...
I normally don’t post twice in one day, but this blog post by Rob Caron was VERY helpful in understanding VS2005 licensing and the relationship between the products. I expect it will help a lot of people grasp it since I get asked this question fairly often in my roaming. Thanks Rob and...
I was just thinking about one of the bugs listed in the latest hotfix from MS and realized that while aspx and config files are not at risk since they are mapped to aspnet, the express database if stored in App_Data probably is. We don’t typically use SQL Express, but my bet is that this is...
When I see an article like this one in eweek , I always wonder about how the people doing this cool thing will make enough money (or any money) so they can continue to do these cool things. Basically they are using the Google Search APIs to ferret out sites on the Internet that are hosting...
When you are working on commercial software or even just industrial strength business software you have to balance things. Time to market is everything and while you must have usable, quality code, you have to get it done. One of the things that is hardest to balance is...
Tonight at TechEd in Boston there is the Panel discussion. This is an event by pretty much all the user groups in the area and I will be one of the panelists. The room (251 at the Convention Center, not the Hynes) is open at 6:00 PM with the meeting starting at 6:50 PM. The room...
If you are into threat modeling (and you should be) then you should check out the latest version of the product formerly code named “Torpedo”. I think this is the first product to make real strides (bad pun intended) toward making threat modeling more approachable for the average developer....
At Code Camp 5 in Waltham this past Sunday I was delivering my session entitled “All you need to know about Membership”, when I learned that I didn’t know everything I need to know about membership. Someone asked if the scripts were available that aspnet_regsql.exe uses to create the membership...
MS has committed, at some level, to support VB6 on Vista. In an article from February there are some details, but we now know that if you have a VB6 application that you cannot live without, you will probably be OK for years to come. This is both good news and bad news. While I feel the...
A friend of ours, Phil, sent Duane and me a link to an article about web attacks (Phil does this a lot). He commented that he hadn’t heard of CRLF Injection before and while I had heard of it, I realized that I wasn’t comfortable explaining it on the spot with examples so I read the link ....
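Since the post above is about not being able to explain CRLF injection on the spot, here is a worked illustration. This is an added example, not code from the original post or from the article it links; it uses Python rather than ASP.Net so the mechanism is visible without a web server. The redirect builder, the minimal response parser and the attacker payload are all constructed for this example. The point it shows: once a carriage return and line feed get into a header value, the attacker owns every byte that follows, including extra headers (a cookie here) and the body, and the only reliable fix is to refuse CR/LF in header values outright.

```python
from urllib.parse import unquote


def build_redirect_vulnerable(location: str) -> bytes:
    """Builds a 302 response, dropping the caller-supplied Location straight into
    a header line. If `location` contains CR/LF, the attacker controls every byte
    that follows: additional headers and even a response body."""
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


class HeaderInjectionError(ValueError):
    """Raised when a header value would terminate the header line."""


def build_redirect_safe(location: str) -> bytes:
    """Same response, but refuses any value that could split a header line.
    Rejecting (rather than stripping) keeps the bad input visible in logs."""
    if any(ch in location for ch in ("\r", "\n", "\0")):
        raise HeaderInjectionError(f"CR/LF in header value: {location!r}")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_response(raw: bytes) -> dict:
    """Splits a raw response the way a browser or proxy would: status line,
    header lines up to the first blank line, then the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode(), []).append(value.strip().decode())
    return {"status": lines[0].decode(), "headers": headers, "body": body}


# Constructed attacker input, as it would arrive URL-encoded in a query string
# such as /login?next=<this>. After decoding, %0d%0a become the CR LF that end
# a header line, so everything after them is parsed as new headers and a body.
ATTACK_NEXT = (
    "/home%0d%0aSet-Cookie:%20session=attacker%0d%0a%0d%0a"
    "<script>alert(document.cookie)</script>"
)


def demo_vulnerable() -> dict:
    """Runs the payload through the vulnerable builder and parses the result."""
    return parse_response(build_redirect_vulnerable(unquote(ATTACK_NEXT)))


def demo_safe_rejects() -> bool:
    """True if the hardened builder refuses the same payload."""
    try:
        build_redirect_safe(unquote(ATTACK_NEXT))
    except HeaderInjectionError:
        return True
    return False


if __name__ == "__main__":
    r = demo_vulnerable()
    print(r["status"], r["headers"])
    print("body:", r["body"])
    print("safe builder rejected payload:", demo_safe_rejects())
```

Note what the parser reports for the vulnerable case: the injected Set-Cookie is now a real response header and the script tag is the body, while the server's own Content-Length line has been pushed below the blank line and is ignored. Modern frameworks (ASP.Net included, in later versions) reject CR/LF in header values for exactly this reason; the check in the safe builder is what that protection amounts to.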
Sharing a web server between development teams is always fun (not). We had a problem surface today (or resurface) where if a developer creates a web application on IIS that uses .Net 1.1 for example (not an uncommon occurrence) and some other developer creates a web application on that same...
Scott Guthrie pointed me at a link to the source code for the ASP.Net 2.0 providers including the Membership and Role Management providers. While I think the Profiles, Web Parts and Site Navigation providers are important and cool, I expect to do much more with the Membership provider. ...
I was recently asked by a very technical and very sharp friend of mine about the semantics of permissions on copy. I figured if he needed some guidance on how this works then there must be a ton of other developers who could use a refresher so here goes: There are a lot of reasons that a developer...
Like the Code Camps another good idea is coming out of the Microsoft Developer Evangelists. This time it is a web site with an interesting concept. If you go to http://www.community-credit.com/DevCommunity.aspx you will see it in action and also be able to see the people who are working...
As promised, but fashionably late as always, here are the slides from this Saturday’s Mini Code Camp Security Edition. I want to thank everyone that attended and the feedback has been great (no death threats so far)! Membership.ppt (752 KB) Security Best Practices.ppt (579 KB) Check Duane’s blog at...
In dealing with our teams of developers and engineers I find myself preaching some basic rules that make life easier for me when I try to deal with the legion of emails I get every day. I thought to document them and in doing so realized that they have a decidedly security slant to them (big...
Ted Neward just launched his new site at http://www.tedneward.com . Check it out, Ted is one of the most interesting and intelligent people I know. If you ever need to cross the .Net platform with Java then he is the guy to take a lesson from.
Microsoft has chimed in on the questions about ClickOnce security raised by Dominick Baier and basically is asserting that this is a non-issue . I am not buying. I think that using the excuse that older technologies do something a certain way undermines the principle of secure by...
If you are at all into security or even if you just think technology is cool then you have to watch the latest episode of The Code Room . In this latest episode you will see our own Duane Laflotte, our resident top hacker, as part of the team of evil doers that hack a casino in Vegas. I...
When I was in Cairo for the MDC a few weeks ago, I gave several talks that touched on the new membership controls in ASP.Net 2.0. One question that came up repeatedly was how far can you stretch the provider before you have to write a custom membership provider. The answer turns out to...
Dominick Baier of DevelopMentor, wrote on Saturday about a pretty dramatic change in the way ClickOnce security is configured by default in the RTM version of .Net 2.0. This is a must read if you plan to use ClickOnce and haven’t already revamped the default security settings. If you...
A recent court case was brought to my attention in which a user whose personal and financial information was stolen tried to sue the company for not using encryption on the data. The article covering it explains how the data was stolen and the ruling of the courts. The question raised is...
I was asked by my publisher at Sys-Con to send him my reaction to the comments on Slashdot.org about the test this month that the U.S. Dept. of Homeland Security is doing that are being called CyberStorm. Rather than repost I figured I should provide a link to my comments, but I can sum...
Duane and I are doing a mini (one day) Code Camp in Waltham in late March focused on security . We already have a pretty good list signed up so if you really want to come, register today. We are running it on Saturday, March 25th starting first thing in the morning. See you there.
I recently did something I do quite often, namely created a series of PowerPoints for a presentation. I try to use graphics where appropriate or more accurately, pictures consisting of drawn boxes with arrows and other lines. I find that in some ways my presentations are better for lack of...
A number of the Microsoft Regional Directors and I have been posting back and forth all day about the C# vs. VB.Net issue, but not in the way that contentious bone usually plays out. Rocky Lhotka not only started the thread, but he also was the first to bring it into public space with his post and...
As the title of this site states, it is a real battle to keep up with the technology and an even bigger challenge to have a life along with that effort. On a fairly regular basis now I realize this when a standard feature of a widely available tool or technology is virtually unknown and...
Carl Franklin has done it again by teaming up with Scott Hanselman to bring us the podcast called HanselMinutes. HanselMinutes is a deep technology podcast that I find very compelling as well as informative. The combination of personalities (both of whom I am very happy to know well) is...
Mark Russinovich has posted another excellent article on Spyware , this time pointing out the anti-spyware program as spyware stratagem. If you hoped that Spyware would just go out of fashion sometime this year, you are deluded. The advent of better Rootkits, bogus anti-spyware programs (like...
I was asked by Sys-Con to make my predictions for 2006 and while I am loath to do this kind of thing, I did venture some. We will see whether they turn out correct or not in about 12 months.
My old friend and mentor, Bruce Backa is finally blogging and this is a MUST SEE! If you want to learn lessons of business and technology the hard way then by all means ignore this, otherwise put this on your RSS reader and don’t miss a post. I work with Bruce and I still plan to read...
About a month ago I signed up for a newsletter called FastTips by Microsoft. My old friend, Thom Robbins had a big hand in creating this and actually has done many of the demos I have watched (very well I might add). I often get asked where people should go to get up to speed faster and...
Microsoft held the Boston Launch event at the new Convention Center on Thursday and by all accounts it was very successful. Duane Laflotte and I delivered the Web Development session to a pretty packed room. Overall the event surpassed the 3,000 mark and everyone I talked to seemed very...
In a personal topic post (which are fairly rare here I am proud to say) a while ago I reported that a classmate of mine from West Point, Erik Kurilla was wounded in Iraq and gave some details. I had to post a follow up especially given the news that Erik may end up being portrayed by...
I was recently in a discussion with some friends about Web 2.0 and what that all meant along with recently finishing a search for a hosting company for our dedicated servers. The two conversations actually led me to do a lot of research and to a lot of conclusions about the “next big thing” and...
I am amazed that web developers often don’t know IIS configuration as well as they should given it is the platform all their code must run against. The most pressing misconception concerns Basic Authentication. When you configure a web site to support Basic Authentication...
I was browsing through the list of wireless vulnerabilities on the Wireless Vulnerabilities & Exploits site (our buddy Phil C pointed it out to me) and I was reminded why I always turn Bluetooth off on my devices or avoid them altogether. Maybe it is just that “B” is so early on, but there do...
A friend of mine who is doing business with us posed an interesting question about the digital nature of our contracts. He said that with paper contracts you have the original that can be examined for changes and modifications. You can’t white out a term or condition or add a few zeros...
I try to read the blog of Dave Hitz, one of the founders of Network Appliance, and while I don’t link all the time I found one of his entries pretty on topic. Like my title above, Dave stole the most provocative words from his post to stir interest. His post is titled, “Beware of Cyanide Gas...
I had a conversation with a friend of mine recently about the physical protection of his home. I have a bit of a reputation as a gun enthusiast that is somewhat earned. What surprised my friend and got him to urge me to post this entry is that my advice was a surprise to him and...
Mark Russinovich is a brilliant guy and likely not so popular with the people at Sony these days. Mark was testing out some rootkit detection and removal software and discovered that in their exuberance to implement Digital Rights Management Sony has created a very ham-handed solution that...
A friend of mine has a system that will require them to generate a large number of usernames and passwords for their users and they want to use usernames that make sense to the users. That is a common request, but he is concerned that a savvy user could deduce the username of others based on...
Thom Robbins of MS is introducing a really cool competition called the “Launch 2005 Screencast Contest”. The concept is that you get a free 30 day copy of Camtasia and record one or more demos with audio. The entries will be screened and the winners in the major launch cities will win...
In the media and likely on your network! I am surprised (pleasantly) to see so much attention being paid to a lurking menace. Jon Box recently posted about it on his blog and called for a few of us to comment (which I did). The fact of the matter is that Rootkits are like the devil,...
My nephew, John Hynds, also happens to be a security consultant (big surprise) and he pointed me at what we think is a perfect recent example of a Cross Site Scripting (XSS) exploit as carried out against MySpace.com. We find that most people have trouble understanding Cross Site Scripting as an...
I have been out of it for about a week due to travel to present 7 sessions at TechEd Hong Kong, but now I am back. It was a great event and as usual was characterized by very high energy keynotes! The highlight for Bruce Backa and I in our presentations was our last session on Server Control...
The vulnerability scanner called Nessus will no longer be available under a GPL license starting with the next version (version 3.0). The announcement pointed to the fact that the community has done very little to help the product evolve, but many competitors have exploited the loophole of...
Microsoft’s Channel 9 web site is putting up demos like mine on Looking at Server Controls with ASP.Net 2.0 (with an AJAX demo) and I must say it is a cool idea. They are like video blog posts. Duane Laflotte also posted like 3 of them on subjects Exploring the Crypto API in .Net...
The three major credit companies are banding together to put all our eggs in one basket. On many levels this kind of uniformity makes sense as it likely means more resources are being put on the problem, the consumers of the credit information are less likely to make mistakes associated with...
New England is where the whole Code Camp phenomenon began and thank God that I am not doing 12 sessions in 2 days the way I did for the first one! But I am doing 3 sessions this weekend at the 4th Code Camp themed “Developers Gone Wild”. Thom Robbins has the details posted as well as a link to...
Many security experts who I hold in the highest esteem are ticking me off! I hear it all over that, “you should never use obscurity as security” and while I agree if you put the word “only” in front of obscurity, otherwise you are often teaching the wrong lesson. When I was in the Infantry, we...
While I was at PDC I attended a slew of NDA briefings from Microsoft. During one of them a flash went off and some people got understandably upset that someone might post a picture of a product being shown under strict privacy. It turned out that nothing untoward occurred and no picture...
As I got caught up on the activities here at the PDC in Los Angeles, I fell off the wagon of posting about what has gone on. Overall it was a good event, but there weren’t a ton of surprises. As I write this I am listening to Michael Howard explain the updated threat modeling thinking...
I am writing this from Bill Gates’ keynote at PDC in Los Angeles. User experience is definitely the message of the day. Windows Vista is a clear indication of the MS belief that if you build a better interface then they will come (or stay as the case may be). Atlas, which will allow MS...
I am off to Microsoft’s Professional Developer’s Conference (PDC) this weekend. I expect that I will see many of the people who read this at the event in Los Angeles. While there I will be involved in quite a few activities including speaking at the So Cal .Net User Group’s PDC...
I had a very interesting discussion that manifested itself as Duane Laflotte and I delivered our popular Hacker vs. Hacker session. I showed a technique that crashes the hacker’s computer when they try to brute force a web site (not for the faint of heart) and the very popular and legitimate...
In the wake of Hurricane Katrina, I am renewed in my frustration that the US government hasn’t called on the population to buckle down and conserve energy. In light of the Hurricane relief effort it would be, “Save energy and put the money toward relief causes”. During WWII the...
The deeper I dig into each generation of tools (VS 2005 at the moment) the more I see the trade off of CPU for developer time. It used to be that the programmer would go to extremes to maximize the performance of their code and that the tools were written in much the same way. Over the...
For a week or so… Sony is now providing an update to their PSP game system that provides a web browser most likely because hackers have been finding ways to enable web browsing on their own. It is a smart move, but it certainly won’t stop users from reverse engineering every single aspect of...
In New England we are holding our fourth Code Camp in late September (24th and 25th) in the Waltham, MA offices of Microsoft. This is where it all began and the fourth will likely be bigger than those before it. I wanted to not only remind people of the date, but also tell about a...
A classmate of mine from West Point, LTC Erik Kurilla, was wounded (shot 3 times it seems) while serving as a combat commander in Iraq. While I rarely (almost never) bring personal stuff into my blog and as you will see I will weave this a bit toward my favorite subject of security, but I...
I know there is a lot of information about Phishing attacks (attempts to trick users into logging into fake sites with credentials for things like ebay or paypal), but I am seeing more and more sophisticated attacks and felt that I had to raise the warning again. In our company and those...
I have started to encounter more and more instances where companies want to get out of the business of hosting websites themselves and since the price of outsourced web hosting has dropped the use of shared and dedicated server hosting has accelerated. There are many security as well as...
It is no secret to anyone who knows me or has heard me speak on the subject of security that I have learned quite a bit of my way of thinking about computer and Internet security while serving in the military and while attending the United States Military Academy (West Point). I tend to think...
Windows 2003 Server Service Pack 1 has a new capability that you might want to look into called Quarantine VPN. With this technique you can validate that all clients that connect to your VPN meet specific requirements before they actually get access to network resources. Microsoft has been doing this...
As you might have noticed I am reworking my blog (bit of a face lift and some bug fixes), but I am also changing the URL. I registered www.PatrickHynds.com and while I am leaving the blog accessible from the old address I am changing the redirects so let me know if it causes trouble. Let's...
The concept of Least Privilege is applied to developers and software testers all the time to advocate that the application be developed and tested using the lowest privileged account possible to get the job done. For our purposes (network administration), I am referring to using...
I have spent a lot of time recently talking about passwords and I think the reason that I can’t seem to get off the subject is that there is so much that has to change about the way passwords are actually handled by companies. Most recently I had a discussion that caused me to poll several...
I am seeing the signs that the Security business is going through a consolidation as some of the bigger names buy up smaller firms to cover their bases. Most recently, VeriSign bought iDefense for $40 Million. I don’t think this is THE consolidation as there are many, many more...
For those of you that haven’t heard, I am participating in yet another Ebay auction to raise money for Tsunami relief. I know the media has moved on, but many people are still in trouble and need help. If you want to be a puppeteer for an hour with me or some of the biggest speakers at...
For those of you going to TechEd this year, I hope we see you at the RD GrokTalks. I would define them here, but Scott Hanselman has already put it so well that I imagine I am best off linking to his post here. Let me know what you think of the idea.
Just recently I talked about online password security and I referred to the way most sites on the Internet handle passwords as the Ugly in my “the Good, the Bad and the Ugly” slide. Most sites I visit not only allow me to put in a woefully weak password, but don’t allow me to set a strong one...
A customer said today that they are using stored procedures so unless I knew of any other SQL Injection risks then they thought that was enough. The truth is that this is true in most people’s minds. The problem is that this common mindset is exactly the kind of thing...
The stereotype of the malware and spyware author is the lone disgruntled hacker who has squandered their talent on rage and hate. Sounds like the perfect villain for a melodrama. It turns out that the truth is much worse. The driving force behind most of this software is actually...
I just read an article which quotes Jesper Johansson as saying that we should reverse the long held truism that users should not write their passwords down for their own reference. Jesper is a well respected (though often controversial) Security Heavyweight who has worked for Microsoft for...
As we start to ramp up for TechEd US things are already getting weird. I shouldn’t be surprised, but two guys that I know well and expect most of the people who read this also know of created a video redolent with inside jokes. Scott Hanselman and Rory Blythe star in this very short...
A recent article about terrorists being behind continued attacks on our energy companies in an attempt to disrupt the power grid made me realize that this should serve as a wake up call for the rest of us. If you are running a business related web site in the US or one of its allies you have...
If you have ever seen him speak then I don’t have to go any further than the title. His handle of ActiveNick fits him on so many levels and his blog is no exception. He has posted very regularly and I expect great things from him with lots of cool and insightful things on mobility and...
For those of you that don’t know, a big concern in companies vulnerable to corporate espionage (almost everybody) is employees walking away with a USB drive full of confidential data. Device Lock has solved this problem for several of our clients and they have just released a new version. If...
In case some of you have noticed recently there was an article on zdnet (not my favorite publication anyways) that quoted James Gosling, Sun’s CTO, stating that “Microsoft’s decision to support C and C++ in the common language runtime in .Net one of the “biggest and most offensive mistakes that...
My good buddy, Stephen Forte, had a zany and brilliant idea (we are used to both from him, just not at the same time)! The concept is that about 20 of us that do the book and speaker thing have offered up consulting time to be auctioned off on eBay with all proceeds going to Tsunami...
MSDN puts on local events and it is that time again. I just checked out the registration site and have decided to go to the Bedford, NH event this Thursday. I have the added advantage that Joe Stagner runs these events in my area, but I know that other sections of the country also have...
If you use Internet Explorer then you should pay close attention to this… An exploit to security holes in Internet Explorer (even if you have XP SP2 installed) has been posted by a group called GreyHats. They are not happy that MS has not fixed the exploits since they were made known in...
It seems to hold true that any tool can have a good and a bad use. In a recent attack, Google was used as a support mechanism for spreading a virus and defacing web sites. While there isn’t anyone who can guarantee that a particular package or product won’t be vulnerable, it does pay to...
A recent article about a security flaw in the new Google Desktop Beta should serve as another reminder that you should never use beta software on production machines. The rule for me has always been that if I would be upset by a total rebuild of the box, then only tested and finished...
MS has made available a preview of the Member Management Component that you can use to build into .Net 1.1 sample applications. It isn’t exactly what will be released with VS.Net 2005, but it gives you something to play with so you can get used to the new model. Be advised that it seems that...
Who owns the passwords that you or your users use to access your network or application? If you don’t know, then you have a problem. Your users hopefully memorize their passwords, but therein lies the rub. If an accountant has gone to the trouble of memorizing a complex password then...
A recent article about how Petco not only was found to be vulnerable to a SQL Injection attack, but also got fined for the false claims this realization cast on their privacy policy just goes to show that no matter how much we talk about it, SQL Injection remains a huge risk. But the stakes have...
On December 7th the C Sharp Group of Greater Boston will host a potluck dinner with two focused discussion groups at the Waltham, MA Microsoft Office. Robert Hurlbut will lead the discussion on development strategies during the first hour. This topic includes test driven...
Dell has launched a website designed to help small businesses deal with all the security challenges. The site seems good, but the performance was so bad at one point that I can’t decide whether that means it is a resounding success or a dismal failure. It is very much aimed at selling more...
Carl Franklin and the New England office of Microsoft are putting on another edition of the Code Camp event. This time it is a mini-Code Camp with Carl doing the one man band thing all about VB.Net. If you can make it to the MS Waltham office on January 23rd then you should. ...
A common bit of advice bandied about lately (by Jesper Johansson of MS, me, and others in and out of MS) is to turn off LM Hashes on your Windows systems and networks. This is great advice, but there is a proviso. Some things depend on LM Hashes to work. Most of them are not an...
Thom Robbins of MS New England fame has come up with another very interesting event! Right on the heels of a very successful Code Camp 2 this past weekend he has announced a development contest where you can win a Mobile Device. Check out the details on Thom’s Blog. Should be interesting to...
Often we don’t know we are in danger until we get clobbered. We have all had that feeling in the pit of our stomachs after something heavy falls where we were standing a few minutes ago. In the middle ages ignorance of disease killed many and the same is true of most in the modern world of computer...
Now there is an even more dangerous exploit for jpg files. Details can be found here. I have seen an example of this exploit in action. In the demo I got from our security team, displaying the custom crafted jpg image caused the workstation to reboot. If you didn’t take the last...
Backup is a fairly antique part of IT nowadays. The trend over the last year or so seemed to be real time backup to SANs at huge cost in terms of infrastructure. Now Microsoft has announced that they are going to put forth an offering that will not only bring this solution down to...
Now I have heard it all! Terrorists, Hurricanes and now JPEGs can be used to attack your computer! To see what I am ranting about check out the article.
I just finished reading an upcoming article from Forbes Magazine (unfortunately you will have to register to read it before the September 20th pub date) about the belief that terrorists are turning to hacking as their next major vehicle to do damage. In the article they point out things like,...
The Software Development Life Cycle (SDLC) is a well established and well thought out concept. There are books and experts and cool slides galore that talk about it and how security should fit into it. The problem that I see is that the process as most people think about it isn’t...
As promised I am posting all the demos from TechEd Hong Kong last week. DEV370: Developing Applications Under Windows XP Service Pack 2 DEV370 XPSP2.zip (369.75 KB) Special thanks to Jon Box and Dan Fox of Quilogy for developing and presenting this session...
I am listening to the Don Kiely interview on Dot Net Rocks and thought that it was worth pointing the security minded toward. I have known Don for a while from conferences out and about, but hadn’t realized how much he has delved into the Least Privilege issue until listening to Carl...
If you haven’t used it yet then you should get to know this tool. If you have then you should be happy to know that the final 1.0 version of AuthDiag is now available at http://download.microsoft.com/download/6/c/9/6c96682c-8449-4112-a089-3b98c0035d0c/AuthDiag.msi When you are using Windows...
I was talking to an old friend at the recent Mobility Day held at the Microsoft Office near Boston and he brought up an incident that I have seen happen to others. I realized though that it isn’t something talked about often so it seemed like perfect blog fodder. He told me of working with a...
We regularly do network and application reviews for customers to make sure they know where the security problems are hiding. I kind of expect to find servers unpatched, applications accepting unvalidated user input and the raft of standard security faux pas on both the network administrator...
Thom Robbins has worked with Chris Pels (and myself as lazy consultant) to create an event that I expect to become as popular as the Code Camps! They are called Cabanas (all the best ideas are stolen anyways) and the first will be held in the Microsoft office in Waltham (outside...
Carl Franklin is giving away a Tablet PC to someone who fills out his survey. Go to http://www.franklins.net/dnrforms/tabletcontest.aspx to enter.
In case you need a way to clean up after getting hit by the Download.Ject exploit… Download.Ject malware removal tool released Microsoft has learned of a Trojan program that is downloaded by the Download.Ject malware, also known as Scob, to client machines from infected IIS servers. When a user...
Someone recently sent me a link to an MSDN article about 10 must have tools. While looking it over I saw The Regulator listed and started thinking about validation of client data. Everyone has by now heard that you must validate your data from a client before you act on it, but what does...
Microsoft has released a Knowledge Base article, 870669, that describes how to implement a change manually that will disable the browser’s capability to leverage the ADODB.Stream object. This could be a painful fix for many organizations as you may be using that object for certain file based...
The Downtown Boston .Net User group is having its first meeting tomorrow night. In a coordinated effort with the Boston .Net User group that regularly meets outside Boston in the Microsoft Office in Waltham, MA, Sam Gentile is hosting a downtown version for those that find it hard to escape...
I have recently been asked by a deeply knowledgeable friend of mine, Malek Kemmou, about the latest in Intrusion Detection software. I realized that if he was curious, then this might be a topic worthy of a few words… The bad news is that there is not much out there really...
There was a time when I believed that I could keep a server secure enough that I could get away with not putting it behind a firewall. This used to entail just having a security plan and minimizing the attack surface. Then it got harder and harder to keep up. I held out for as...
went well, except for the 7 hour drive to get there that should have been 3.5! OK, back to the intent which is technology entry… I spoke on Sharepoint Programming and the crowd was varied (never heard of SharePoint to SharePoint guru), but engaged. Single Sign On was the big thing...
Jeopardy Answer: What are 3 things that don’t go together easily! If you feel the need to host ASP.Net on a windows domain controller and can’t bring yourself to upgrade to version 1.1 then at least read this KB article. The crux of the problem is that domain controllers on IIS 5.0 servers...
A lot of sources say that you should rename your administrator account on your windows systems and windows network. While I agree with this wholeheartedly, you need to take the war to the hacker. First, renaming the administrator account to admin or adm or something equally obvious when seen...
More than a year ago, I spent a day or two wading through WSE 1.0 (hence the title) to prepare a nice demo for a talk on GXA that Andrew Brust and I did at CeBit held in NYC. In my travels, I reviewed Tim Ewald’s white paper called “ Programming with Web Services Enhancements 1.0 ” and soon...
I have been considering starting to blog for a long time. There were false starts and pronouncements that I would begin that were left unfulfilled. As I write this first entry I realize that I picked the correct name for this journal – Tech Siege . The reason is that since before...