... all I'm offering is the truth. Nothing more.
# Friday, August 01, 2008

Are you sick of the 3-letter acronyms that are used to define every aspect of the software industry? Then you should check out this well-written satirical list by the Secret Geek ;)

My personal favorite:

HDD - Heisenberg driven development - cannot be defined without altering the meaning


Friday, August 01, 2008 1:27:43 PM (Eastern Daylight Time, UTC-04:00)
Humor
# Tuesday, July 29, 2008

I remember posting what was a rather critical attack on the Microsoft Points system. Just days later I was posting a retraction of that critique. It has been many moons since I realized the value of being able to acquire points or even used those points across the MSN\Zune\Xbox ecosystem.

I recently entered the MSN Autos Design Challenge. I was immediately eligible for 100 Microsoft Points (about 1 song) for submitting a design for the Dodge Challenger. I can also gain as much as 2100 points (about 2 1/2 albums' worth) by providing feedback on other car designs.

I am always concerned about closed economic systems that do not allow you to take the full value of items you have acquired into the real world. I have, however, committed to using the points I acquire to purchase MP3s in the Zune Marketplace. That is the only valuable item I can find that is truly independent of the Microsoft ecosystem.


Tuesday, July 29, 2008 11:02:28 PM (Eastern Daylight Time, UTC-04:00)
Microsoft
# Wednesday, July 23, 2008

The recent stir in high-profile security issues has got me really paranoid about my computer habits. Trying to secure myself from the marauding hordes of criminal hackers has always been a cat-and-mouse game. I just try to make sure that I have as much information as possible.

The issue of spam is still a really big one. Most of the time I get about 20-30 unsolicited emails, mostly harmless, but once in a while I get a piece of mail that gets past my safeguards and makes me worried for all my friends who are a little less cautious than I am.

So here are my golden rules for spam detection ... be suspicious if the email sent to you is not able to identify you by first and last name (or maybe your login ID). There should be sufficient hints in the email to let you know that the company emailing you knows enough about you to warrant your trust. For example, every email that I get from PayPal has my full name in the email, so I feel less suspicious that this is a random spamming campaign. When an email begins "Dear <youremail>," this is a clear indication that I should treat the contents with a healthy dose of skepticism.
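The greeting rule above can be turned into a small check. What follows is an added example, not code from the original post: it looks only at the salutation line of a message and flags it when the sender addresses the recipient by their own email address or a generic title instead of a full name or login ID. The class and method names, and the sample messages, are constructed for illustration.

```csharp
using System;

// Added example (not from the original post): a salutation heuristic that mirrors the
// "identify me by name or login ID" rule. Names and messages below are constructed.
public static class GreetingCheck
{
    // Generic openings that cost a spammer nothing because they fit every recipient.
    private static readonly string[] GenericOpenings =
    {
        "dear customer", "dear user", "dear member", "dear valued",
        "dear account holder", "dear sir", "dear madam", "dear client"
    };

    // Returns true when the first line of the body does not identify the recipient
    // in a way that a company who really knows them would use.
    public static bool IsSuspiciousGreeting(string body, string fullName, string loginId, string emailAddress)
    {
        // Take the first non-empty line as the salutation.
        string salutation = null;
        foreach (string line in body.Split('\n'))
        {
            string trimmed = line.Trim();
            if (trimmed.Length > 0) { salutation = trimmed; break; }
        }
        if (salutation == null) return true;        // empty message: nothing vouches for the sender

        string lower = salutation.ToLowerInvariant();

        // "Dear <youremail>," is the post's clearest red flag: the sender only knows the address.
        if (lower.Contains(emailAddress.ToLowerInvariant())) return true;

        // Generic titles identify nobody in particular.
        foreach (string opening in GenericOpenings)
        {
            if (lower.StartsWith(opening)) return true;
        }

        // First and last name, or the login ID, is what a legitimate sender would know.
        if (lower.Contains(fullName.ToLowerInvariant())) return false;
        if (!string.IsNullOrEmpty(loginId) && lower.Contains(loginId.ToLowerInvariant())) return false;

        // Anything else that fails to identify the recipient is treated as suspicious.
        return true;
    }

    public static void Main()
    {
        // Constructed sample messages for a constructed recipient.
        const string me = "jane@example.com";
        string legit = "Dear Jane Example,\nYour recent payment has been received.";
        string phish = "Dear jane@example.com,\nYour account will be suspended unless you confirm your details.";
        string vague = "Dear Valued Customer,\nPlease verify your PIN at the link below.";

        Console.WriteLine("legit suspicious? " + IsSuspiciousGreeting(legit, "Jane Example", "janeq", me));
        Console.WriteLine("phish suspicious? " + IsSuspiciousGreeting(phish, "Jane Example", "janeq", me));
        Console.WriteLine("vague suspicious? " + IsSuspiciousGreeting(vague, "Jane Example", "janeq", me));
    }
}
```

The check is deliberately conservative: a message has to prove it knows the recipient, otherwise it is flagged. That matches the rule in the post, which treats a missing name as grounds for skepticism rather than treating a present name as proof of legitimacy.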

So I recently received an email from "NatWest" the bank, not the real one of course. Some unscrupulous rascal attempting to masquerade as NatWest.

[image: the phishing email claiming to be from NatWest]

Of course they wanted my banking details: account numbers, PIN, even my credit card information. Thankfully there has been significant adoption of layered security, which allows you to set up additional personal questions, and there are some sites that allow you to select personalized pictures that make your login experience uniquely identifiable.

[image: the phishing site opened in Firefox 3, with no warning shown]

So I noticed that when I opened up the phishing site in Firefox 3, I got no indication that it was a spoof site (as above). However, IE immediately let me know that the website was really a poorly disguised phishing attack (below) and warned me to go no further. I am not sure what mechanism keeps track of phishing sites, but Firefox was a little slow on this one.

[image: the same site opened in IE, blocked by its phishing warning]

Banks never want you to update security information by email and in fact go to great lengths to only use email for account-related alerts and\or marketing. The easy-to-use golden rule I have established for my wife and me is to always use our predefined browser favorites to browse to our financial\sensitive information. If there is a legitimate need to ask me to update my details, it will have to start and end at our favorites list.

DISCLAIMER: Please do not follow any of the links in the images I show; I am quite certain that they are meant to hurt honest, hard-working people like you and me. Also, due to the nature of the post, I feel the need to reiterate that all the content I post on my site constitutes my own opinion and is not a reflection of my employer or any of their policies.
Wednesday, July 23, 2008 5:25:11 PM (Eastern Daylight Time, UTC-04:00)
Email | IE | Security
# Monday, July 21, 2008

I am a member of only one social network, and that is LinkedIn. Contrary to popular opinion, I think it is a great way to get in touch with professional contacts both past and present, and it really fills a gap that my email contacts cannot by themselves. I actually got hold of an old high school classmate who I knew was in the technology field.

I recently encouraged my wife to get in on the LinkedIn network, as we have recently moved into a new area and she is looking for work. I thought this could be another way to find out what is available in the Central Ohio area. As she was getting ready to fill out the form, we were confronted by this form that requested my email address and password. As much as I admire and even trust LinkedIn, there was exactly zero chance of me providing them with the password to my email inbox.

This is like giving someone permission to get a copy of my house keys because they need to fix the sink; it is just not going to happen. I mean, really think about it: how many of your various online accounts can be reset via your email and password combination?

I would much prefer to type each email address by hand, which is exactly what we did. There must be a better way to do this kind of thing ... OpenID anyone!


Monday, July 21, 2008 11:43:56 AM (Eastern Daylight Time, UTC-04:00)
Security | Web 2.0
# Monday, July 14, 2008

I have been doing a fair share of security-related audits and programming over the last few years, and the following is a list of my favorite faux pas.

I always feel that giving specific details of errors encountered on your site is a surefire way to attract trouble. So my first defensive tip is to always use custom error pages.

```xml
<!-- web.config: hide exception details from visitors and send them to a generic error page -->
<customErrors mode="On" defaultRedirect="YourErrorPage.htm" />
```

Secondly, always ensure that you are capturing application-level errors in your application; there are many errors that do not show up within any error handling that you place at the web form level.

```csharp
// Global.asax: EventLog lives in System.Diagnostics, so import that namespace
// (<%@ Import Namespace="System.Diagnostics" %> in Global.asax, or a using directive in code-behind)
void Application_Error(object sender, EventArgs e)
{
   // get a reference to the source of the exception chain (the innermost exception)
   Exception ex = Server.GetLastError().GetBaseException();

   // log the details of the exception!
   // the event source "PoppaString" must already be registered on the server
   // (EventLog.CreateEventSource needs administrative rights), and Request.Form
   // can contain passwords or card numbers, so redact sensitive fields before logging
   EventLog.WriteEntry("PoppaString",
     "MESSAGE: " + ex.Message +
     "\nSOURCE: " + ex.Source +
     "\nFORM: " + Request.Form.ToString() +
     "\nQUERYSTRING: " + Request.QueryString.ToString() +
     "\nTARGETSITE: " + ex.TargetSite +
     "\nSTACKTRACE: " + ex.StackTrace,
     EventLogEntryType.Error);
}
```

The threat of cross-site scripting is a real one and can be performed in a variety of ways. While most developers tend to check for text input validation, I have also seen omissions in the validation of cookies and URLs; these inputs are just as open to attack and should be validated before use.

```csharp
// encode untrusted input before writing it back into the page
HttpUtility.HtmlEncode(Request.Form["name"]);
```
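To show the point about cookies and URLs in working code, here is an added example (not from the original post) of a page fragment that pulls one value from each of the three sources and encodes every one of them the same way. The class, the input names "name", "q" and "theme", and the sample inputs are constructed; the code needs a reference to System.Web.dll.

```csharp
using System;
using System.Web;

// Added example (not from the original post): treat the form, the query string and
// cookies as equally untrusted, and encode each value before it lands in HTML.
public static class OutputEncoding
{
    // Reads the three inputs from a live request. Cookie and query-string values are
    // user-controlled just like form fields, which is the omission the post describes.
    public static string BuildGreeting(HttpRequest request)
    {
        HttpCookie themeCookie = request.Cookies["theme"];
        string theme = themeCookie == null ? null : themeCookie.Value;
        return BuildGreeting(request.Form["name"], request.QueryString["q"], theme);
    }

    // The encoding step, separated so it can be exercised without a web server.
    public static string BuildGreeting(string name, string query, string theme)
    {
        // HtmlEncode turns < > & " into entities, so a value that looks like markup
        // is displayed as text instead of being parsed by the browser.
        string safeName = HttpUtility.HtmlEncode(name ?? "");
        string safeQuery = HttpUtility.HtmlEncode(query ?? "");
        string safeTheme = HttpUtility.HtmlEncode(theme ?? "default");

        // The theme goes into an attribute, so the attribute is always double-quoted;
        // with the quotes encoded, the value cannot close the attribute early.
        return "<div class=\"" + safeTheme + "\">Hello " + safeName
             + ", results for " + safeQuery + "</div>";
    }

    public static void Main()
    {
        // Constructed inputs that would be dangerous if reflected raw.
        string html = BuildGreeting(
            "<script>alert('xss')</script>",   // form field carrying markup
            "shoes & boots",                   // query string with a bare ampersand
            "light\" class=\"admin");          // cookie trying to break out of the attribute
        Console.WriteLine(html);
    }
}
```

One caveat worth knowing: on frameworks older than .NET 4, HttpUtility.HtmlEncode does not encode the single quote, so the attribute must be wrapped in double quotes (as above) rather than single quotes for the encoding to be sufficient.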

Note: this is by no means an exhaustive list and is really only meant to represent a few low-hanging fruit in coding securely for ASP.NET.


Monday, July 14, 2008 9:46:15 PM (Eastern Daylight Time, UTC-04:00)
ASP.NET | Security
# Tuesday, July 08, 2008

I have been working with my wife (a graphic designer) on a couple of web-related projects at home, and I have realized that our concepts and worlds rarely overlap in any meaningful way. Even with her new focus on digital media, it really takes a long time for us to grok each other's worlds. Her universe rests within the Adobe Suite of products, mine within Visual Studio, and never the twain shall meet.

Any meaningful discussion about user interface design within Visual Studio inevitably turns toward XAML, and I have recently found two lightweight XAML applications to start testing with. The first is XAMLPadX, which is a marked step up from Notepad; however, being new to the world of XAML, I need IntelliSense really badly. This caused me to turn to the loving arms of Kaxaml, which provided a really clean install and IntelliSense that helped me navigate this new world. In addition, if you are brave enough to install the beta version, it also provides direct support for the subset of XAML that is Silverlight.

That was my first step, but I still needed an application that would allow my wife and me to talk in the same XAML language without asking her to completely transform her workflow. This problem has apparently been solved for a while, and I was relieved to find an Adobe Illustrator plug-in created by Michael Swanson that allows you to export XAML code for consumption in other applications.

My brief stint of XNA gaming may have to go on the back burner until we have this technology mastered!

Tuesday, July 08, 2008 10:41:46 PM (Eastern Daylight Time, UTC-04:00)
Design | Tools | XAML
All Content © 2010, Mark Downie