Fri, 23 May 2014 21:32:00 GMT
If you're looking to catch up with me, you can find me at my current blog, which is at http://devhammer.net/
Sat, 31 Jul 2004 13:31:00 GMT
Just announced by Rob Howard of Telligent Systems (and former caching guru from the ASP.NET team at Microsoft):
One of the largest Microsoft Open Source projects (previously known as ASP.NET Forums) Community Server :: Forums has just been released!
More details here:
A few tidbits...
- over 150 compiled server controls
- hundreds of thousands of lines of source code (C#) included
- localized in over 10 languages
- designed to run everything from small single server sites to large multi-server web farms, and the discussion platform used by sites such as http://channel9.msdn.com, http://forums.xbox.com, and http://www.asp.net/forums
[Rob Howard's Blog]
Sat, 31 Jul 2004 04:22:00 GMT
I’ve got a new blog, on the MSDN blog server that I’ll be using for my blogging while I’m a Microsoft employee. Not sure whether I will continue updating my weblogs.asp.net blog or not, but most of my blogging energy will be directed at the new blog. The new address is:
Visit early…visit often.
Wed, 28 Jul 2004 19:17:00 GMT
…use passphrases instead:
So this is my first ever blog entry and seeing as how I'm a senior member of the PSS Security Incident Response team, you may think I've stopped taking my medication by opening with a title like the one above! Medication issues notwithstanding, it's true - you should NOT be using passwords of any kind. Why? For starters, passwords are ridiculously easy to guess or crack. Worms like Agobot / Phatbot / Polybot / SDBot / RBot (no I didn't write this one) all ship with dictionaries of passwords numbering in the hundreds and they can easily replicate to a system that has a password in this word list, and the miscreants are really good at keeping these wordlists up to date with passwords that they've cracked from other systems.
As an example of what I'm talking about check out Symantec's write-up of this little nasty that we encounter on my team just about every day:
Read the whole thing at: http://weblogs.asp.net/robert_hensing/archive/2004/07/28/199610.aspx.
Tue, 27 Jul 2004 02:54:00 GMT
It took me a while, but I’ve finally upgraded my home network to use WiFi-Protected Access (WPA) instead of WEP for securing my wireless connectivity. The upgrade was complicated by a laptop with a built-in WLAN adapter that didn’t support WPA (I switched to using the wired connection on that one) and a wireless bridge that was the wrong hardware revision to support an upgraded firmware patch to enable WPA (a Linksys WET54G). The good news is that after a few frustrating phone calls to Linksys, they allowed me to swap my wireless bridge for the later revision, which supports WPA via a firmware update. I got the new unit today, updated the firmware, configured my router (WRT54G), bridge, and TabletPC to use WPA, and all is working quite nicely. If only it was as easy getting WPA-enabled hardware as it was to configure the settings…
Sun, 25 Jul 2004 12:29:00 GMT
One of my fellow Microsofties has come up with a neat solution to some of the hassles of running your workstation using a non-admin account. My advice for getting around things you can’t do as a non-admin has long been to simply run programs from a command prompt that you’ve started with RunAs, using the credentials for an account with admin privileges. The problem is that some programs don’t play well in this scenario, particularly install programs that run based on specific settings for the user installing the program. When you run programs like this, they (and/or their settings) end up associated with the admin account you’re using, rather than your less-privileged account.
Aaron Margosis has come up with a way to fix this that’s quite easy to use. His solution is to create a batch file that adds your less-privileged account to the Administrators group, using the credentials of an existing admin account, then spawns a new command prompt using the account that you just added to the administrators group. The batch file then removes your less-privileged account from the Administrators group.
By doing it this way, Aaron’s solved two of the tricky parts of elevated privilege…keeping the scope small (only the command window has the elevated privileges, until/unless you spawn other programs from it), and making sure that profiles of apps that you install are associated with YOUR account, rather than the admin account you’re using. I’ve only played with this briefly, but it looks to be quite a nice solution to a vexing problem.
The download available from Aaron’s blog also includes a batch file for setting yourself up as a Power User, in case you’d like to further limit the privileges you’re granting yourself. There are still some caveats with Aaron’s approach, so make sure you read his entire post and understand what the batch files are doing before you use them, but with that caveat, I think this is a great addition to our security toolbox!
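A minimal sketch of the add, spawn, remove sequence described above, added here as an illustration; it is not Aaron Margosis's batch file and does not cover the caveats his post discusses. It assumes the existing admin account is the local built-in Administrator and that account names contain no spaces.

```batch
@echo off
rem Added sketch of the sequence described in the post; not Aaron's script.
rem ASSUMPTION: the existing admin account is COMPUTERNAME\Administrator.
rem ASSUMPTION: account names contain no spaces.
setlocal
set "ADMIN=%COMPUTERNAME%\Administrator"
set "GROUP=Administrators"
set "ME=%USERDOMAIN%\%USERNAME%"

rem With no argument we are in phase 1; with one we are in phase 2.
if not "%~1"=="" goto elevated

rem Phase 1 (runs as you): re-launch this script under the admin account and
rem pass your own account name along. runas prompts for the admin password.
runas /user:%ADMIN% "%~s0 %ME%"
goto :eof

:elevated
rem Phase 2 (runs as the admin account): %1 is the less-privileged account.
net localgroup %GROUP% "%~1" /add
if errorlevel 1 goto failed

rem Start a new logon for your own account. Its access token is built now,
rem while the account is a member of the group, so the new command prompt
rem keeps the elevated membership for its lifetime. runas prompts for your
rem password and returns as soon as cmd.exe has started.
runas /user:%~1 "cmd.exe /k title %~1 running with %GROUP% rights"
if errorlevel 1 echo runas failed; no elevated prompt was started.

rem Remove the membership whether or not the prompt started, so later
rem logons of the account are unprivileged again.
net localgroup %GROUP% "%~1" /delete
if errorlevel 1 echo WARNING: %~1 is still a member of %GROUP%. & pause
goto :eof

:failed
echo Could not add %~1 to %GROUP%; nothing was changed.
pause
```

After closing the elevated prompt, `net localgroup Administrators` should no longer list your account.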
Fri, 23 Jul 2004 20:49:00 GMT
Despite the concerns of some that Microsoft was taking it away from the community by acquiring the company, Microsoft has made Lookout, an add-in for searching through Outlook email stores quickly, available for download from the Microsoft download center. Enjoy!
UPDATE: Apparently, the old link is dead, but the download can now be found at http://www.lookoutsoft.com/Lookout/download.html (via http://sandbox.msn.com/). Thanks to Niclas Lindgren for the update on the whereabouts of the download.
Mon, 19 Jul 2004 19:21:00 GMT
The big announcement that I hinted at last week is that, as of today, I have assumed the role of .NET developer evangelist with Microsoft, working in the East region. I want to say thanks to all the folks who've helped me develop the skills to get here, particularly my friends at INETA and ASPInsiders. I'm looking forward to helping folks in my new role. Though it may take me some time to get up to speed, feel free to ping me via the Contact link if I can be of assistance.
UPDATE: I'm ashamed to admit that I forgot to thank a very important group of people...the MVPs. Between my leads, my fellow ASP.NET MVPs, and others I've met through the program, I learned a good deal, and had a lot of fun. Thanks to Ben, John, and the rest for honoring me with the award, and for being great colleagues and friends.
Thu, 15 Jul 2004 22:29:00 GMT
Thanks to Wim for the plug, and for letting us know about a way to get intellisense for custom ASP.NET server controls without hacking XSD:
ASP.NET control developers know how much of a pain it can be to create a specific XSD file in order to achieve IntelliSense support in your ASPX mark-up. See Andrew Duthie's article on MSDN here.
I've been using the ASP.NET IntelliSense Generator from BlueVision Software for quite a while now and thought I'd share it with you.
Wed, 14 Jul 2004 20:49:00 GMT
Dear Wireless Networking Manufacturer,
It has come to my attention that some of you (one rhymes with ink-sys) are still shipping new wireless networking equipment that does not support WPA out of the box. This is inexcusable.
Please stop manufacturing and selling products that do not support WPA out of the box, particularly newly-introduced products. Also, please ensure that any current products clearly state whether they do or do not support WPA. And, no, “future” support via firmware flash does NOT count. For the record, WEP doesn’t count, either. WEP and MAC filtering are better than nothing at all, but they are grossly inadequate for security purposes, and have been known to be so for years at this point.
From this point on, I will NOT be purchasing any wireless networking gear that does not support WPA, and I will do my darndest to convince my friends and family to follow suit. If you wish to sell your products to me, get on the stick and do what’s necessary to WPA-enable your products.
Thanks for your attention to this matter…
Wed, 14 Jul 2004 19:27:00 GMT
If you’ve got friends or family who are the non-geek types, and need help with security, this might save you a few of those “how do I…?” phone calls…
Last week, Microsoft put up an updated Security at Home web site for home users. This is a great place to send your family and friends who are interested in security issues and in protecting their PCs. Check it out here:
Security at Home
Microsoft's new Security at Home site helps non-technical users by providing tips and tricks, how-tos, and the latest virus information without all the technical talk.
Wed, 14 Jul 2004 02:15:00 GMT
In a little less than a week, I’ll have an announcement to make here…watch this space!
Tue, 13 Jul 2004 19:02:00 GMT
Another example of why it’s a bad idea to run as an administrator on a day-to-day basis:
This update resolves a newly-discovered, publicly reported vulnerability. A remote code execution vulnerability exists in the way that the Windows Shell launches applications. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. However, significant user interaction is required to exploit this vulnerability. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.
Tue, 15 Jun 2004 16:06:00 GMT
As evidenced by a Linux kernel flaw that resulted in a DoS attack against Akamai, effectively denying access to large sites like Google, Yahoo, and Microsoft. Not gloating here, just observing that this demonstrates that all operating systems can be vulnerable to security issues. This also suggests that the “more eyes = more secure” assertion made by open source advocates is perhaps a little overstated. After all, the Linux kernel is probably one of the most read parts of the Linux codebase. If it’s possible to find a flaw in the kernel, what does that say for other parts of the codebase that are not as thoroughly vetted? Again, this is not about trashing Linux, it’s about being clear that security is an issue for everyone, it’s not just a Microsoft problem.
Mon, 14 Jun 2004 00:07:00 GMT
For those of you who might be interested, you may have noticed that on the schedule for my recent MSDN Security Briefing tour, was a stop in Honolulu, Hawaii. I had a great time there, as you might expect, though I did manage to get pretty badly sunburned (that’s what happens when you spend two hours in a futile attempt to teach yourself how to surf, without using any sunscreen). Here’s a couple of photos from the trip:
A Hawaiian rainbow, viewed from the balcony of my room:
Diamond Head, viewed from a surfboard off Waikiki Beach:
Tue, 08 Jun 2004 02:51:00 GMT
First, he helps put ASP.NET on the map. Now, Rob “invents” a term for a common computer malady…let’s give the man some Google juice. :-)
I've been working a lot lately on my laptop and I use the built-in eraser head mouse pointer; I just cannot stand the touchpad. After too many days my right-index finger will begin to ache -- as it's doing now -- from overuse. So I thought I'd look this condition up and when I didn't find one I decided to invent my own 'condition':
mousepointeritis (mouspoin(image) t(image) ritis) a condition caused by repetitive use of an eraser-head mouse pointer as commonly found on laptops.
The sad part about this is rather than putting my laptop down I just switch to a different finger for the mousepointer/eraserhead!
Sat, 05 Jun 2004 00:29:00 GMT
The MSDN Security Briefings tour I was on is complete, as of this week. My sincere thanks to everyone who came out to listen and learn. I especially appreciate all the kind comments I received.
If you’re interested in getting the slides from the presentations, they’re available via the following links:
If you have any trouble with the above links, or if you’d like to see the other slide decks that are available, you can find them here.
If you’d like to see the presentations I did (as well as two other related presentations) in their online version, go to:
For additional online security training, go to:
If you have any questions from the presentations, feel free to ping me via the Contact link on my blog.
Sun, 30 May 2004 03:04:00 GMT
This weekend, my thoughts and prayers are with those serving their country, and with those who have served in past conflicts. May those currently in harm’s way come home safely to their families and friends, and may we always honor and remember those whose sacrifices make freedom a reality, not just a nice idea.
Fri, 28 May 2004 19:54:00 GMT
One of the many Microsoft bloggers provides a workaround for those of us looking to debug ASP.NET applications without resorting to Admin privileges…a workaround that uses the predecessor of the Whidbey web server from ASP.NET Web Matrix to do debugging locally:
The debugger team has gotten many requests to debug ASP.NET applications as a non-admin. In Whidbey, the ASP.NET team did a good job solving this problem. Their solution is much nicer than mine. In the meantime, here is a way that you can get this scenario to work in the 7.1 IDE. I hope this helps. If it doesn't work for you, you can post a comment, but don't call PSS. This isn't supported.
Beats running as Admin… :-)