October 2004 - Posts
One of my favorite talks at Win-Dev was Dominick's "Improving Application Security through Penetration Testing". Pick up his slide deck here. There are a lot of great tools listed -- some I have used, and some that were new to me. This is a great resource to have.
WinDev 2004 is over, and so ends my first big conference I have either attended or presented. I had a great time this week meeting the other speakers, lots of people attending the talks, and learning many new things from the various tracks.
I spent most of my time in the Security track, which is where I gave my talks. I also went to some sessions in the database (SQL Server 2005) and CLR/C# tracks as those are also very interesting to me.
My talks, for the most part, went well. My timing could have been better, though, as both ended a little early. I made the mistake of using slides from two-three months ago because I thought I couldn't change or update them after they were submitted. In hindsight, I would have reworked them to be more comprehensive for both talks as well as more practical for the second talk (I had some comments on the evals that it was too advanced).
Highlights of WinDev for me were meeting and/or spending time for the first time with Keith Brown (actually met him last week at XML DevCon), John Lam, Dominick Baier, Bob Beauchemin, Brent Rector, David Cowles, Jason Whittington, Juval Lowy, Kit George, Peter Provost, and Mark Pearce. These are all people I greatly admire and respect. I also enjoyed seeing people I work with at my main client site as well as spending time with Ernie Booth (who has done a great job among others with the Beantowndotnet.org group).
I especially enjoyed dinner with Peter Provost and Mark Pearce on Thursday night. Mark says he visits the US on business often (he is from the UK) and I hope to meet with him again -- a very, very bright and engaging fellow. Peter impressed me immensely with his knowledge and use of Extreme Programming (of which I am a big fan) as well as architecture and patterns. I hope to meet him at future conferences as well.
Peter caught the "Secure AppDomain" bug from my second talk and wants to apply it immediately to unit testing of Code Access Security (looking forward to the results!). Mark, Peter, and I attended Keith's session on Unit Testing Security where he put together the start of code changes to NUnit to do some CAS testing! Great stuff!
A very special thanks to Keith for the opportunity to speak at WinDev this year.
I have posted my WinDev 2004 presentations and code on my SecureDevelop.net website:
S7 - Writing Least Privileged Applications: pdf, code
S8 - Hosting Applications in Secure AppDomains: pdf, code
Update: Link to WinDev2004 section of my site was wrong.
At the end of my "speaking debut" day at WinDev (more on that later), I went out to look at the lunar eclipse when I noticed several people looking up. Among them was Brent Rector. We got to talk a moment about obfuscation (he is talking tomorrow on this -- looking forward to it), and related issues with Whidbey. Like I said, there were several of us out there standing in the middle of the road looking up in the sky (it looked like we were looking up at the hotel, though). We thought that people passing by would think we were watching someone jump out of the window or something?!
Red Sox are about to win -- currently 3-0 in the 8th inning. Woo hoo!
Update: They did it!! 4 games to 0! Red Sox - World Series Champs!
I have posted my presentations and demos from Code Camp II on my new site (more info to come on that after WinDev) and it will be posted to the Code Camp II site: http://www.msdncodecamp.com/.
I am in Quincy, MA (not Boston *) for WinDev this week. After getting in at 2:00 am on Saturday morning from the Applied XML DevCon (which was excellent - kudos to Chris, Sarah, and Becky), I spent a day with the family, and then headed over here Sunday afternoon. I spent the rest of the afternoon and evening with my older boys (12 and 14) who live on the South Shore - one of the benefits of having the conference to be so close to them.
I will be speaking on Wednesday afternoon on my two security topics: "Writing Least Privileged Applications" and "Hosting Applications in Secure AppDomains". I have been really looking forward to this week! I know I will enjoy meeting the other speakers and attendees, as well as soaking in a lot of great information.
* Quincy is not Boston - some have been confused about that. Trust me, I know the feeling. When I moved here 8 years ago, I thought ALL of this was Boston - the locals corrected me very quickly!
Doug's talk was very entertaining and informative. He is posting his slides on his blog, but has already put up a scary picture of Don that he showed to us here.
Jay Kimble (The Dev Theologian) has an interesting post on the dinner last night. I had lunch and dinner with Jay and I like his perspective and outlook as he is new to the XML DevCon as well. I have nothing to compare to, but everyone I have talked to who went to this last year or previous years say this year's DevCon is the best.
The speaker panel was entertaining as well as heated as everyone expressed their own likes and dislikes (mostly dislikes) of XML, XSD, WS-*, RelaxNG, and the tools that surround them.
I especially liked seeing Tim Ewald express his thoughts. I can remember being introduced to Tim years ago at a local C++ Users Group (Tim lives in NH, I live in MA), talking about my first loves, COM and COM+. Of course, Tim wrote THE BOOK on COM+. His attention these days is only on Web Services, and he has recently left Microsoft and the MSDN team to work for that great local company, MindReef (makers of one of the best Web Services debug tools, SoapScope). Tim is giving the keynote this morning; he is talking about his work with MSDN. I am looking forward to it.
One of the complaints about Tim Bray's talk this morning was that it depressed everyone about what is bad with XML (in particular, all the work being done to extend it with lots of WS-* specs before we really need them, among other problems).
Earlier, Sam Ruby talked to us about the encoding problems of RSS, escaping problems with XML/HTML, and how the rest of it is tenuous at best. Tim Ewald bemoaned this and pointed out how the MSDN team dealt with these problems, but Sam showed how http://msdn2.microsoft.com still had these problems (we saw this fixed very quickly by the responsive team at Microsoft).
Follow Sam's talk online at http://intertwingly.net/slides/2004/devcon. The bottom line of Sam's talk was that Atom (which Sam helped develop) helps solve these problems.
Just heard Whit Kemmey speak about "Using XML for Navy Missile Systems". This followed Don's talk on "WS-Why?" -- Don also used the same kind of loud slide deck as Chris.
A couple of interesting things for me about the XML for Missiles talk. Whit showed what most considered to be an archaic use of XML as a scripting language as opposed to strictly a data medium. While that may be true, it works for them, and it falls within the confines of the Navy's requirements.
The other point that really resonated with me is they only use OSs and code that they not only have the source code for but can also recompile (not Microsoft). Why? From a security perspective, they want to know exactly what every line does, plus they want to be able to put in their own updates and fixes, which not every company wants to allow. It is imperative that the code be known and tested to be reliable. I spoke with Whit afterward, and he mentioned they also code in the patches to the OS themselves rather than rely on the company providing it.
An interesting talk -- along with the liberally scattered pictures of submarines to keep interest high!