August 2003 - Posts
If you're following the weblogs.asp.net main feed, this will be redundant...sorry!
I've added my blog to the PDC Bloggers OPML feed. Attending PDC and have a blog? Add it at the PDC Bloggers web site:
Great idea from Drew Robbins and Kevin Schuler! Thanks, guys!
For those who have patiently followed the ongoing saga of my quest to get a T1 installed in my home office, the T1 is now in and operational! And only two months and 10 days after it was ordered. :-)
Actually, considering that my local telco is Verizon, and their workers have been threatening to strike since early this month, I count myself fairly lucky that it didn't take longer. I've still got my web and email servers running on the DSL line, since I haven't decided yet whether to keep my current configuration -- in which I keep the servers behind the router using NAT and just forward the necessary ports to the appropriate private address -- or put the servers directly on the Internet, since I've got more IPs available with my current service. The upside of making this change would be less router configuration (although I've learned a lot about configuring a Netopia router, anyone who's done it can tell you that it's not the most user-friendly interface), while the downside would be a much greater need for patch and configuration vigilance on the servers. And, of course, I'm procrastinating about it somewhat, since migrating the DNS to new IP addresses will cause at least some disruption while the new records propagate.
I'll probably end up keeping the servers behind NAT, and make the migration sometime over the weekend, since (given the holiday) I can probably safely assume that traffic will be pretty modest anyway.
Ole Eichorn comes up with one of the most concise descriptions of one of my big hangups with Java:
I continue to mess around with Java, in the form of IBM's eclipse framework. It is a beautiful IDE and makes Java development of desktop applications very easy. However, deploying desktop applications is not easy; you have to use Sun's Java Web Start, which is a whole lot more complicated than simply distributing an .EXE. And there seem to be performance problems... Of course, it is cross-platform, but that only helps developers, not users. [emphasis mine]
I'm not going to get into the “.NET is better than Java” or vice-versa discussion here. I just think that Eichorn sums up very well the problem with the cross-platform arguments in favor of Java. Until users of a Java application can be assured a consistent and high-performance experience on every platform, cross-platform doesn't strike me as a terribly compelling argument. NOTE: that's my opinion, I'm not stating it as factual for anyone else, so please don't deluge my comments section with rants about how I don't know what I'm talking about, etc. I'm not running /. here, just my humble little blog. :-)
WARNING: don't drink while watching this...snarfing danger!
In posting my opinions on the blaster worm, and on what might be done to prevent future occurrences, I seem to have opened myself up to some blasting of my own:
Ok, there's been a few people who don't know better talking about how everyone should have been patched for MSBlaster already, and that all admins who haven't patched are morons.
This is a pretty easy statement to make when you are responsible for 1-10 machines, and patching pretty much means hitting windows update.
However, life isn't that simple for everyone. In addition to my developer hat, I also have the (mis?)-fortune of being the IT manager for my company's site of ~200 nodes, with about a dozen production servers and a similar number of dev & qa servers. We are part of a bigger, global enterprise network consisting of about 60,000 nodes.
Now, first, I'd like to point out that nowhere in my original post did I once assert that “all admins who haven't patched are morons”. Nor did I even suggest that keeping large networks up-to-date on patches is easy. But if it were easy, companies wouldn't need IT staffs, now would they? So I recognize it's not easy...but it is necessary.
Also, it would appear that those who took umbrage at my original post either missed or ignored the main point of the post, which was not about bashing sysadmins, but rather that we all (those of us who are computer savvy, know how to use a firewall, install patches, etc.) have a responsibility to help our friends, families, and co-workers understand and use good security practices. So my point wasn't to beat up on sysadmins, to lay blame, or to create some “us vs. them” thing between developers and sysadmins. It was to say that the problems we're having (collectively) with the blaster worm represent a failure on all our parts on some level. It's that which we should be thinking about before the next worm comes along.
I'm puzzled...practically at a loss for words. The cause? The fact that yet again, Microsoft finds and patches a vulnerability before an exploit is widely available, and still, hundreds of thousands of computers are infected. This is inexcusable.
Home users get somewhat of a break, if only because many of them are simply ignorant of good security practices (rule #1: use NAT or a firewall to close any unused ports). Yes, they should be patching their computers, but too often they don't. But the really amazing thing is the number of businesses or government agencies getting hit hard. The DMV in Maryland shut down yesterday because of this worm. I want to know who's responsible for network security at the DMV, and I want them fired...NOW! I'm glad I don't live in Maryland (though I suspect my state may not be much better), given that this worm could potentially have been designed to lift information from computers, rather than just stage a DDoS attack.
What's the point of this rant? Just this...we, the more computer savvy of society, have a responsibility to do what we can to prevent crap like this. The reality is that software is never going to be perfect, as long as humans are writing it. And Microsoft is in a bind because consumers would freak if Microsoft shipped their OS with firewall and automatic updates enabled. So, IMO, it is incumbent on us to educate our less computer-savvy friends, relatives, and even those we work with (bosses, co-workers, and even clients) about the importance of firewalls, patching, and other important security practices. We can make a difference, if we make the effort.
OTOH, perhaps a better idea would be to institute a system of fines in which each time your computer is infected with a worm or other malware that can cause problems for others, you're fined $50. Perhaps a hit in the pocketbook would make people more aware of taking the necessary steps to secure their machines.
Keith Warren even suggested the idea of writing worms to “vaccinate” vulnerable machines:
It all makes me wonder why we have not evolved in this fight much in a way that the medical field does. I am talking about vaccination. Vaccines in large part work by giving a small dose of the problem and I do not understand why we do not take that little tidbit and run with it. After knowledge of the vulnerability was available someone could have created a worm vaccine that replicated and propagated itself in an identical fashion but had an actual purpose; to download and install the patch! Doing this coupled with a patch campaign would significantly reduce the attack surface.
It's a clever idea, but obviously one that won't fly legally. Any other ideas for preventing worm/virus propagation and getting users/managers/admins to take security seriously? I'd love to hear them.
OK, so maybe it's not completely off-topic, since written communication is
probably very important to bloggers in general, even .NET bloggers, but while I
was putting together my previous blog entry,
I did a Google search to ensure that I was using the phrase "hear, hear"
correctly (it's not "here, here", as some write it). I ran across the following
link, which lists this as well as a number of other common "homophone" errors,
and also lists a variety of other common grammatical errors. If you write (and
few of us don't), you should take a look. It also covers my personal pet
peeve, "loose" vs. "lose":
"lose his virginity" (not "loose");
One of the most useful passages:
19. Your unconventional grammar choices aren't creative license;
they're bad grammar. There's quite a bit of leeway with this, of course:
sentence fragments and comma splices can, in the right hands, be good writing.
But one of the primary purposes of writing-- if not the primary
purpose-- is communication, and if your mechanics are so bad or your word
choices so strange that others can't understand them, you're not
communicating. Also, any divergence from standard English usage should be a
purposeful choice. If you use "gonna" because that's the word that you think
your narrator would use, or you eschew quotation marks because you want to
blur the distinction between thought and speech, then you've made a purposeful
choice. It may or may not be a good choice, but at least you've thought
about how your unconventional usage will affect the impact your story has on
its readers. But using bad grammar because you can't be arsed, or because you
think standard English looks funny on the page? Not cool, and not
All in all a very useful (and concise) compendium of common writing
problems, and one well worth bookmarking for anyone who wants their writing
taken seriously. As developers, we've got the luxury of compilers that will
tell us when we get something wrong. As bloggers and writers, we don't
have that luxury. It's not enough just to run a spell check before posting
something...you really should have a good handle on the language and its usage
(this applies to all languages, not just English), or at the very least,
bookmark a cheat-sheet like this.
There has been a lot of talk on a lot of the
blogs over going to PDC, the cost of PDC, etc. There is an argument made
that the cost of an event like PDC is prohibitive, preventing folks working at
smaller employers, or even the self employed from attending. This sort
of begs a question: Who is responsible for your
Another hearty "hear, hear!" (see the comments section for more). Too many people make their
careers someone else's responsibility and then kvetch when they get passed up
for a promotion, raise, etc., or when their employer doesn't do what they want
(send them to training, to a conference, etc.).
Let's face it, the days when employers would pay to send you to a class, then
pay you a bonus for each Microsoft certification test you passed are largely
over. I worked in the consulting field during those days, and when I passed the
tests, you bet I took advantage of the bonuses that were offered. But I can't
imagine complaining had they not been available. Likewise, if I could get an
employer to cover conference costs, that was always a nice bennie, but if I
really wanted to get to a conference, I knew it was ultimately
my responsibility to find a way to make that happen.
If you want to go to PDC (and I think that most Microsoft-oriented developers
should), then find a way. Beat the bushes for discounts or passes. Find others
who are going who can share hotel costs. Find a way to sweeten the deal for
your employer by offering them something useful in exchange for helping you get
to PDC. Do something that will get you closer to the goal of
getting to PDC (or getting whatever other training, etc. will advance your
career). But don't complain that PDC is "too expensive" or too time-consuming,
or that your employer won't pay for it.
Bottom line: if you're sitting at home instead of in L.A. in late October, it
won't be your employer's fault for being stingy, and it won't be Microsoft's
fault for making PDC too expensive. It'll be your fault for not finding a way to
get there, and ultimately you will be the one who has to play
catch-up on the information provided at the PDC. Not that playing catch-up is
impossible, or even that you have to go in order to keep up. There are probably
many good reasons for not going, financial ones included. This is not about
beating up on people who really can't afford to go to PDC, or who have more
important things to do with their time and/or money. It's just to say that if
you really want to go to PDC this year, you can find a way, and
complaining isn't it.
If all else fails, you could try blegging. ;-)