Archives
-
Have a fling!
This is way cool…
-
Community Server :: Forums
Just announced by Rob Howard of Telligent Systems (and former caching guru from the ASP.NET team at Microsoft):
-
New weblog
I’ve got a new blog, on the MSDN blog server that I’ll be using for my blogging while I’m a Microsoft employee. Not sure whether I will continue updating my weblogs.asp.net blog or not, but most of my blogging energy will be directed at the new blog. The new address is:
-
Why you shouldn't be using passwords of any kind on your Windows networks…
…use passphrases instead:
-
Now running under WPA...
It took me a while, but I’ve finally upgraded my home network to use WiFi-Protected Access (WPA) instead of WEP for securing my wireless connectivity. The upgrade was complicated by a laptop with a built-in WLAN adapter that didn’t support WPA (I switched to using the wired connection on that one) and a wireless bridge that was the wrong hardware revision to support an upgraded firmware patch to enable WPA (a Linksys WET54G). The good news is that after a few frustrating phone calls to Linksys, they allowed me to swap my wireless bridge for the later revision, which supports WPA via a firmware update. I got the new unit today, updated the firmware, configured my router (WRT54G), bridge, and TabletPC to use WPA, and all is working quite nicely. If only it was as easy getting WPA-enabled hardware as it was to configure the settings…
-
Nifty solution to some of the problems of least privilege
One of my fellow Microsofties has come up with a neat solution to some of the hassles of running your workstation using a non-admin account. My advice for getting around things you can’t do as a non-admin has long been to simply run programs from a command prompt that you’ve started with RunAs, using the credentials for an account with admin privileges. The problem is that some programs don’t play well in this scenario, particularly install programs that run based on specific settings for the user installing the program. When you run programs like this, they (and/or their settings) end up associated with the admin account you’re using, rather than your less-privileged account.
-
Lookout 1.2 Available for download
Despite the concerns of some that Microsoft was taking it away from the community by acquiring the company, Microsoft has made Lookout, an add-in for searching through Outlook email stores quickly, available for download from the Microsoft download center. Enjoy!
-
Red pill
So...
-
BlueVision ASP.NET Intellisense Generator
Thanks to Wim for the plug, and for letting us know about a way to get intellisense for custom ASP.NET server controls without hacking XSD:
-
An open letter to wireless networking manufacturers
Dear Wireless Networking Manufacturer,
-
Security at Home
If you’ve got friends or family who are the non-geek types, and need help with security, this might save you a few of those “how do I…?” phone calls…
-
News coming Monday...
In a little less than a week, I’ll have an announcement to make here…watch this space!
-
MS04-024: Vulnerability in Windows Shell Could Allow Remote Code Execution (839645)
Another example of why it’s a bad idea to run as an administrator on a day-to-day basis:
-
Security...not just a Microsoft problem
As evidenced by a Linux kernel flaw that resulted in a DoS attack against Akamai, effectively denying access to large sites like Google, Yahoo, and Microsoft. Not gloating here, just observing that this demonstrates that all operating systems can be vulnerable to security issues. This also suggests that the “more eyes = more secure” assertion made by open source advocates is perhaps a little overstated. After all, the Linux kernel is probably one of the most read parts of the Linux codebase. If it’s possible to find a flaw in the kernel, what does that say for other parts of the codebase that are not as thoroughly vetted? Again, this is not about trashing Linux; it’s about being clear that security is an issue for everyone, not just a Microsoft problem.
-
Hawaii photos
For those of you who might be interested, you may have noticed that the schedule for my recent MSDN Security Briefing tour included a stop in Honolulu, Hawaii. I had a great time there, as you might expect, though I did manage to get pretty badly sunburned (that’s what happens when you spend two hours in a futile attempt to teach yourself how to surf, without using any sunscreen). Here are a couple of photos from the trip:
-
Rob's addition to our technology vernacular
First, he helps put ASP.NET on the map. Now, Rob “invents” a term for a common computer malady…let’s give the man some Google juice.
-
Security Tour Complete
The MSDN Security Briefings tour I was on is complete, as of this week. My sincere thanks to everyone who came out to listen and learn. I especially appreciate all the kind comments I received.
-
Memorial Day
This weekend, my thoughts and prayers are with those serving their country, and with those who have served in past conflicts. May those currently in harm’s way come home safely to their families and friends, and may we always honor and remember those whose sacrifices make freedom a reality, not just a nice idea.
-
Debugging an ASP.NET application as a non-admin
One of the many Microsoft bloggers provides a workaround for those of us looking to debug ASP.NET applications without resorting to Admin privileges…a workaround that uses the predecessor of the Whidbey web server from ASP.NET Web Matrix to do debugging locally:
-
The consequences of poor security...
…apparently apply to l33t h4x0r5, too:
-
Aloha!
Greetings from Honolulu! Just completed an MSDN Security Briefing event here on Oahu. Very nice crowd, and lots of good questions. Of course, the beautiful weather is a nice added bonus. I went up to my hotel room earlier this morning to find a rainbow streaking across the sky over the ocean.
-
Want free software?
Haven’t got your copy of Visual Basic .NET yet? Want to get an extra copy? Well, you can pick up a copy of Visual Basic .NET 2003 Standard by viewing and rating 5 movies at http://msdn.microsoft.com/vbasic/atthemovies/. Seems like a pretty good deal to me.
-
MSDN Events
Today I finished up my week in the sunny Florida panhandle presenting security talks for MSDN. On Tuesday, I was in Pensacola. The folks there were great, and a fun crowd. I also had a good time with my group today in Fort Walton Beach (the actual event was in Mary Esther). In between, my wife and son and I got to spend a little time at the beach. My son, who just turned 1 year old, got to stick his toes in the sand for the first time. He wasn’t quite sure what to make of it at first, but warmed up to the beach after a while.
-
Running as Admin - Don't!
I’ve written about the problems of running your machine day-to-day as Administrator, and tips for making development as a non-Admin easier on a number of occasions. As a brief reminder, there are many viruses and other malware that would never have spread as widely as they did if the infected user had not been running as admin. Additionally, developers who run as admin when they develop and test software can inflict errors on those who use their software while running with lower privileges. And unfortunately, the ad-hoc “fix” for such problems often ends up being for that user to run with elevated privileges.
-
Tip for Visual Studio 2005
Useful tidbit from the MVP summit:
-
What is a buffer overrun?
Below is an excellent, yet brief, description of buffer overruns, which I found on the Microsoft bloggers feed on http://weblogs.asp.net. I do a demo of a buffer overrun in the Essentials of Application Security session, one of two I’m presenting at numerous locations in the eastern US. One of the things I find quite surprising is the relatively high percentage of C++ programmers in the sessions, and even more so, the relatively low percentage of them who’ve actually seen what a buffer overflow looks like. The fact that it’s so easy to code a buffer overflow makes me very glad that I use managed code. Now all I need to do is make sure that I’m not vulnerable to SQL Injection attacks (use stored procedures and good input validation) or Cross-site Scripting attacks (use good validation, and HTML encode all input before echoing it back to the browser).
-
Carl Franklin reports on another DPAPI wrapper,
this one in VB.NET:
-
First week of MSDN Security Goodness
I just finished up my first week of doing MSDN security briefings for Microsoft. I had a great time with the audiences in Albany, NY and Staten Island, NY. Both audiences were very attentive and asked some great questions. I’m looking forward to this week’s talks in Roanoke, VA, and Charlottesville, VA on Tuesday and Thursday of this week. So if you’re in those areas, and want to learn more about what you can do as a developer to create more secure applications, sign up, and come on down!
-
MSDE Scalability
Ever wanted the definitive answer on just exactly how MSDE limits performance and scalability? Well, you’re in luck, as Microsoft has now published a whitepaper describing how the governor in MSDE works. The short version is that the governor stalls connections for a few milliseconds on each logical read or write, once the limit of more than eight concurrent operations has been reached. The connection limit for MSDE is the same as for a standard SQL Server instance (32,767), but obviously the more concurrent connections, the more likely you are to reach the limit of 8 concurrent operations that triggers the workload governor. Read the paper for all the juicy details, including specifics on physical vs. logical reads/writes, and how/when the governor is activated. Good stuff.
-
Awesome tips for troubleshooting debugging...
…in VS 7, from Min Park:
-
Going to Tech-Ed?
Make sure to check out the Birds of a Feather (BoF) sessions, which are being run by INETA:
-
DevDays Washington, DC
Just want to say “thank you” to all the folks who came out to the Ronald Reagan building in Washington, DC to see the DevDays presentations today. I had a great time presenting, along with my buddy Anil, and like Anil, I definitely got the impression that folks got a lot out of the talks. Thanks also to Justin Damelin, the local Microsoft Developer Evangelist who was responsible for coordinating the event with the speakers, and all of the other great folks who made the event (IMHO) a great success. Now I can’t wait for the next one.
-
A movie for sci-fi geeks
Apparently this movie, which is currently slated for release only in Japan, is a live-action version of a classic anime story. Looks like these folks have decided that after the somewhat disappointing (but beautiful) CG movie Final Fantasy: The Spirits Within, live action is the way to go. All I can say is that the trailer looks amazing, and makes me hope that a subtitled version will eventually reach the U.S. Heck, I might even watch this one without subtitles (OK, not really, but it’s close).
-
DevDays DC Reminder
A quick reminder…DevDays in Washington, DC is this Thursday, March 4th. I’ll be presenting the security overview for the Web track. If you read my blog, please stop by and say “hi” afterwards.
-
ASP.NET Resource Kit now available
Kent officially announces the availability:
-
Chili
I haven't made it since before I started my blog, but I shared the following recipe on a mailing list a while back, and it was well-received, so I'm posting it here for any chili fans. It's ready-made for modification, so go nuts! :-)
-
Build a Registration and Login Control
My latest article on the MSDN ASP.NET Developer Center is up. It walks through the process of building a server control that allows simplified registration and login using Forms Authentication against an XML credentials file (of course, you can easily modify the control to use whatever credential store you’d like). Take a look, and if you have any comments, I’d love to hear them.
-
NoVaSql Meeting Cancelled
Tonight’s meeting of the Northern Virginia SQL Server User Group has been cancelled due to inclement weather. Check the Web site for updates on next month’s meeting.
-
Attending or Speaking at DevDays 2004? Got a Blog?
Then sign up at DevDaysBloggers, and share your DevDays preparations and experiences with others!
-
The Importance of the Principle of Least Privilege
My two favorite people to read on the subject of security are Michael Howard and Keith Brown. In a recent posting, Keith explains the Principle of Least Privilege, and why it’s important. The most important reason for limiting the security privileges your code requires to run is to reduce the damage that can occur should your code be exploited by a malicious user. If your code only runs with basic user privileges, it’s difficult for malicious users to do much damage with it. If you require users to run your code using administrator privileges, then any security weakness in your code could potentially hand control of that machine (and potentially other connected machines) to malicious code that exploits that weakness.
-
angryCoder on going Independent
Jonathan Goodyear, aka angryCoder, has posted the second article in a series he’s doing on becoming an independent consultant (you can find the first part here). In this installment, Jon talks about marketing yourself, and about how to get your customers to come to you (rather than the other way around).
-
Microsoft Baseline Security Analyzer 1.2
Version 1.2 of the Microsoft Baseline Security Analyzer, an essential tool for keeping up with the latest patches and security settings on your machines, was released today.
-
Mark the Date(s) - DevDays 2004
DevDays 2004 is coming in March to a venue near you! This year’s DevDays focuses on two tracks, both oriented around best practices. The Smart Client track will speak to best practices for development, security, and deployment of Windows client applications, while the Web Development track will focus on security in Web applications.
-
Wow.
Probably one of the best reasoned arguments I’ve heard in a long time…would that I could argue stuff half as well. And it’s not even about politics (unless you count XML validation as political…oh, never mind).
-
AppDomains ("application domains")
If you haven’t seen Chris Brumme’s explanation of AppDomains, you owe it to yourself to take a look. It’s an older link (posted in June of last year), but well worth re-posting:
-
I want one...
The first 1 terabyte (you read that right!) external drive. Firewire 400/800, USB 2.0/1.1 compatible. Whoa.
-
Good News / Bad News with Win2K3 Web Edition
Over the last couple of days, I’ve been spending a good deal of time reviewing the security of the web sites I host. I run my sites on a server sitting on a fractional T1 in my office (I like to have physical access to my web server, which is why I don’t use a hosting service). Originally, my web server had been sitting behind my wireless router which simply passed all port 80 traffic to the public IP address to the web server. But I found that for a variety of reasons, I wanted more direct control over how traffic is routed to various sites that I host. So I moved the web machine from the wireless router to directly connect to the T1 router using its own IP address. The dilemma was that since I leave the T1 router relatively open (filtering NetBIOS ports, but not much else) and lock down traffic at the second router, connecting the web server directly would leave it open to port scans and attacks, right?
-
OK, maybe I'm late to the party, but...
…it looks like someone’s finally come up with a sensible use for Internet-connected appliances:
-
REVIEW: I'm a convert to NewsGator
For a long while, I resisted the notion of paying for an RSS aggregator, but I just broke down and plunked down $29 for NewsGator. Up until fairly recently, I had resisted even trying NewsGator, being fairly happy with SharpReader (which I still consider to be an excellent tool, especially given that it's free). But then I started having problems with entire feeds' worth of posts disappearing suddenly, meaning I could no longer search for information in them...one of the reasons that I used an aggregator in the first place. So I decided to give NewsGator a try.
-
Happy New Year!
A very Happy New Year to all of my readers (both of you)!