(In)Secure Issue #14 Released

(IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics. Issue 14, has just been released.

The covered topics are:

  • Attacking consumer embedded devices
  • Review: QualysGuard
  • CCTV: technology in transition - analog or IP?
  • Interview with Robert "RSnake" Hansen, CEO of SecTheory
  • The future of encryption
  • Endpoint threats
  • Review: Kaspersky Internet Security 7.0
  • Interview with Amol Sarwate, Manager, Vulnerability Research Lab, Qualys Inc.
  • Network access control: bridging the network security gap
  • Change and configuration solutions aid PCI auditors
  • Data protection and identity management
  • Information security governance: the nuts and bolts
  • Securing moving targets
  • 6 CTOs, 10 Burning Questions: AirDefense, AirMagnet, Aruba Networks, AirTight Networks, Fortress Technologies and Trapeze Networks
  • The need for a new security approach
  • Data insecurity: lessons learned?
  • Wi-Fi safety and security

Are you an aspiring architect?

I guess by the very definition of an architect, you would have to have aspirational qualities. Mohammad Akif & and Dave Remmer, Architect Evangelists with Microsoft Canada are putting on a series of web casts just for you. Check them out....

Architecture 101 (Mohammad, May 24)


Architecture is the balance between art and engineering, it requires a certain mindset and approach to solving problems. Architects often function as a bridge between the business users and development groups and are increasingly being recognized as a critical community within organizations. Becoming an Architect can often translate in  to an elevated status from a career stage perspective but it is hard to find prescriptive guidance around how to become an architect. Join Mohammad Akif for the first of a four part series focused on aspiring architects. During the Architecture 101 session we will discuss some key ideas around Architecture and define attributes of an architect.

Software development lifecycle and methodologies (Dave, May 31)


Over the years the various approaches teams have used to develop software have evolved. Join Dave Remmer in the second of a series focused on aspiring architects where we will discuss the various stages projects go through and sample some of the methodologies used by teams developing software. In this session we will compare and contrast the waterfall, agile, RUP, Scrum and MSF methodologies and how they are used within software projects.

Services orientation and other architectural paradigms  (Dave, June 7)


One of the hottest topics in software architecture is the services oriented approach to building solutions and how this can provide agility, flexibility and reuse. Join Dave Remmer in the third of a series focused on aspiring architects where we will be looking at approaches to architecting software. This session will give an overall description of service orientation and how it differs from object oriented and component based architectures as well as a discussion of some of the organizational challenges teams experience when using a services oriented architecture.

Transitioning from a developer to an architect  (Mohammad, June 14)


Are you a developer who would like to learn more about becoming an architect? Or how to get formally recognized as one (since you already wear the design and architecture hat along with the developer one)?. Join Mohammad Akif for the fourth and last part of the series focused on aspiring architects, during this session we will discuss how you can attain the skill set required to be an architect and sell yourself as an architect within your organization and industry. We will also provide a list of resources that you can use to continue the transition from a developer to an architect role.

Are we still talking about Stored Procedures vs. Dynamic SQL?

Rob Howard and Frans Bouma still are. And I guess, I am now too. Let's summarize a few of the facts from these counter points:

  • Any form of pre-compilation or cached query plan arguments are moot betweem SQL and Procs. Rob has some outdated information and Frans corrects that in his post.
  • Stored Procedures can offer the perf benefits if they are designed properly that Rob claims by avoiding round trips and unncessarily data transfer when trying to get computed or aggregated data out of the database.
  • Both are susceptible to SQL Injection attacks if the SQL is concatenated with parm values.

Let's talk about security. Frans thinks that Role Based security is the way to get fine grained security in your database while using embedded or dynamic SQL. Frans's solution of adding users and roles in the database is a dated technique back to client server 2 tier systems. Web-based or other wise distributed applications typically have a connection pool - and unless you are going to have a connection pool for each role, then you can't rely on SQL Server based role based security to be your cop. Frans goes on to talk about how views can be used to encapsulate security rules just like a stored procedure.

Both Frans and Rob talk about the brittleness of SQL with regards to schema changes. Rob thinks your SQL centralization/encapsulation  should occurr inside of stored procedures. Frans think you should do this in a data access component that is part of your application. Frans hasn't really explained what his application's component does specifically but it sounds like he prefers to dynamically create the SQL on the fly by reflecting on schema of entities in his application.

What both of them has avoided is any realization that talking to a SQL Server database is the same problem as talking to any external service. Whose responsibility is it to provide the encapsulation and deep understanding of the underlying database schema. The answer to that question can't be answer universally. Back in May 2005, I blogged about the notion of DatabaseAsService.

Is your database a shared service between several applications? Some folks might even go as far as to say that their database is an enterprise service. Especially in this case it makes perfect sense to encapsulate complex internal schematics inside of the single shared resource the database. This can be done with Stored Procedures or Views, but do you really want each application to have intimate knowledge of deep schema details? That's brittle way beyond the scope of a single application.

In other cases, your database is more like a file that your application persists its data and it is not a shared resource. In these cases, the database is not really a service in terms of Service Oriented Architecture principles. In fact, I'd go as far to argue in these cases that the db is such an intimate part of your application's design that there should be no “mapping“ of schema inside/outside of the database and that they could/should be the same. Go ahead and make the full set of tables/schema public to your application logic.


The Code Room: Episode 3 - Breaking into Las Vegas

It's the good guys vs. the bad guys, fighting over millions of dollars. Could this happen to you? Maybe it already has. 


DevTeach Conference in Montreal

I'm going to be heading out in a couple of weeks to DevTeach in Montreal. In addition to my regular session talk on Datasets, I'll also be participating in an architecture panel discussion as part of Groupe d’usagers Visual Studio Montréal, Software Architecture Special Interest Group's Special Software Architecture Meeting. The meeting is open to conference attendees, members of the user group, and anybody else for $5. Here's the details....

Speaker: Joel Semeniuk, Microsoft Regional Director, Winnipeg

Subject: Software architecture from the trenches


Architecture is the soul of our software. Software Architecture truly helps to define our success since if our architecture fails us, our software fails us. However, what makes a good architecture? What truly drives architectural decisions? Is one architecture better than another? In this session we will explore and discuss some of these questions while taking a close look at a few real-world examples. In each real-world scenario we will explore the resulting architecture and review the constraints the project faced both during design and during production and maintenance phases. We will also look retrospectively at each architecture presented and discuss ways that it could be improved upon with Microsoft .NET 2.0.


Joel Semeniuk is a founder and VP of Software Development at ImagiNET Resources Corp, a Manitoba based Microsoft Gold Partner in Ecommerce and Enterprise Systems. Joel is also the Microsoft Regional Director for Winnipeg, Manitoba. With a degree in Computer Science from the University of Manitoba, Joel has spent the last twelve years providing educational, development and infrastructure consulting services to clients throughout North America. Joel is the author of "Exchange and Outlook: Constructing Collaborative Solutions", from New Riders Publishing and contributing author of "Microsoft Visual Basic.NET 2003 KickStart" from SAMS. Joel has also acted as a technical reviewer on many other books and regularly writes articles for .NET Magazine and Exchange and Outlook Magazine on a variety of infrastructure and development related topics. Reach Joel by email at joels@imaginets.com.


Followed by a software architecture expert panel:

Beth Massi, Software Architecture MVP

Joel Semeniuk, Software Architecture MVP, Microsoft Regional Director Winnipeg

Barry Gervin, Software Architecture MVP, Microsoft Regional Director Toronto

Mario Cardinal, Software Architecture MVP

Carol Roy, Microsoft Canada .NET architecture specialist for the public sector


Well known Nick Landry (MVP .NET Compact Framework) will act as the moderator.


Come hear these experts talk about software architecture hot topics.  You'll also have the chance to ask questions and talk to the panelists.


Monday June 20th, 5:30PM to 9:30PM

Location: Sheraton Centre, 1201 Boulevard Rene-Levesque West

Cost: free for all the DevTeach attendees and the Groupe d’usagers Visual Studio Montréal members.  $5 for non members or non DevTeach attendees.

Note: this session will be held in English

More info: www.guvsm.net or http://www.devteach.com/BonusSession.asp


15% off of MCSD/MCAD Certification Exams @ Pearson/VUE

Use the following voucher number MSAU113E1020. Good until August 31, 2005.

.NET Celebrity Auction

Be a sport and click on this link:


Then make a generous bid. If you'll win, you'll get an hour (or more) of help from a .NET guru/celebrity (or possibly me). But more, you'll also be helping Tsunami relief efforts.

The top bid gets to pick their consultant. Then next, and so on and so on. If you are in southern Ontario, and you get me, I'll make it up to you by coming to your office - for a whole day, hang out, and bring donuts. What will I do? I can tell you everything I know about Visual Studio Team System (breaking all kinds of NDA rules, etc.), try to convince you to use data sets, do some code reviews, help debug something nasty, defrag your hard drive, organize your mp3's, tell you what DataGrid girl is really like, whatever.

I'm visiting Vancouver, Calgary, Ottawa, Montreal over the next 3 months so if you live/work near there, my offer stands, pending my schedule. I'll also be in Orlando possibly in June (for TechEd), LA in Sept (for PDC), and Chicago in August, so ditto on those as well.

For more info on how it all works....


And finally, special thanks to the other RD's who are volunteering their time (especially all those fellow Canadians). Last but not least, special thanks to Stephen Forte and Julia Lerman for organizing this.

Trip to Ottawa and Requirements Traceability

I just got back from Ottawa, where last night I was speaking to the Ottawa .NET community about Visual Studio Tools for Office. (more on that later).

I wasn't surprised by the Grep Cup weekend inflated hotel rates, but I was surprised to find a “2.8% DMF Fee” on my hotel bill (on top of the 15% worth of federal and provincial taxes). Upon request, I was informed that this was a “Destination Marketing Fee” which goes to fund marketing efforts to promote tourism in the area. Various Ontario tourism centers (including Hamilton - go figure?) have been lobbying the provincial governments since post 9/11 in an effort for them to allow a tax (a real tax, not a fee) for the same purpose. This past summer however, the hotels decided that this was going nowhere so they decided to start collecting (on a voluntary basis) a fee (not a real tax).

Maybe it's just me, but I'm thinking the best way to attract people to your city is not to put a sneaky “DMF Fee” charge on those same people's hotel bill when they come to visit you and hope they don't ask about it. Even worst, because it's a fee charged by the hotel, and not a real tax - guess what - you pay tax on the DMF Fee. Icarumba! It turns out it's voluntary fee and not hotels collect it. The front desk staff sensed I was not pleased about being asked to pay for marketing fees on top of my room rate so they quickly waived the fee. But I wonder how many people willing pay this?

This all reminds me very much about requirements management and software development. Often, people, usually too close to the problem, design features into software that doesn't meet the requirements of the user. Take for example those goofy glyphs on the Lotus Notes login window. What about clippy? Is that satisfying anybody's requirements - or is it just pissing you off? With all of our best intentions, it is extremely important that we take the time to perform reality checks on what we are building against the requirements of our users.

Now to bring it all home. Do users really want to do their work in a web browser? Browsers are great for wandering and finding stuff, but do they want to see the value of their stock portfolio in a browser? You need to find the best environment for the job your users are trying to accomplish. If somebody is accustomed to using Excel to aggregate a bunch of their financial information, then maybe Visual Studio Tools for Office is the right tool for that job. While writing applications in Excel isn't exactly new, with VSTO you have the integration with the .NET Framework, Web Services, and the smart client deployment model, you can apply all professional development skills you have at your disposal to creating applications with Word & Excel. And don't worry, I have yet to see clippy show up in Visual Studio Office projects.


Penguins are sneaking into my house and leaving the doors unlocked.

In the past 3 weeks I have purchase, installed and used 2 Linux systems in my house....accidentally. First, I purchased a Roku High Definition Photo Viewer and MP3 video player for my TV. This is a nice little device that acts as a screen saver for your TV/Plasma Screen to avoid burn in....say of the DVD logo that you see from your DVD player when there is no disc inserted. The device sits between the TV and the rest of your home theatre video inputs - daisy chain style. It monitors the video traffic for no signal or no motion and after a time duration kicks in with your family photos. The photos can be retrieved over the network jack to a series of shares on your home network, or via a plugged in USB wireless adapter. It also has Compact Flash, SD/MMC, SmartMedia and memory stick slots. Not to mention of course I find out its running Linux. There was a bit of novelty involved in telnetting into my TV and using VI. That soon wore off when I discovered that the root password was blank, and that the change password binary was missing off install of Linux so I couldn't even change the password. Combine this with the fact that the setup wizard walks you through finding the network shares in your house and storing your userid/password credentials - this becomes a rather obvious security hole that could have been fixed by the manufacturers fairly easily.

Is this security attitude prevalent in the Linux world? I hope not, because yesterday I discovered another Linux box in my house.

I also recently acquired a NetGear Media Router. It's a regular router with the addition of a USB host port. This allows you to plug in a memory stick or a USB external drive to share as NAS storage. I was a bit surprised to see it show up in my Network Neighbourhood as a UPnP device named “Linux Internet Gateway“. There is also a GPL license in the box so I think that all points to it running Linux.

The device also has a nice feature that when you turn it on and it detects a network connection, it automatically decides to download and install updates to the flash bios. God forbid I turn the device off while it is doing this unbenounced to me. Bam, too late. I guess the power light goes from green to yellow when it's doing this. The 1 page card manual included with the device doesn't mention this nice “feature”. I found out the hard way. When you go the web page to administer the device in this mode you get to see that file system in it's raw form.

Downloading the manual tells me to reset the factory bios I have to hold down the reset switch with a pin for 90 seconds. Nice. I was able to do that but can't seem to get an IP out of the device any more.

I'm still evaluating the security risks of this device. It is slightly more secure with my data (via USB storage) by including a password on the administration of the machine - which is “password”. There is no password on the share it exposes and I can't see an option to put a password on the share so every body on my network (say when my geek friends come over and plug in) will have access to my financial records and family photos. Nice.

So I have accidentally installed 2 Linux boxes in my house with major security holes. I'm savvy enough to discover this on my own, but I doubt the typical residential consumers of these products would realize the security hole they are introducing into their personal data stores.

With the proliferation of these types of Linux devices into the average home, I'm sure this will draw the attention of script kiddies. Wouldn't it be cool to take over somebody's television set?  Maybe they'd throw some porn up during daytime TV, or steal my personal data - or delete it. Scary.

GDI+ Security Vulnerability

There is a new critical security vulnerability that affects a wide range of software that can't be easily patched through Windows Update. The vulnerability lies inside of GDI+ and can allow a maliciously formed JPEG image file to create a buffer overrun and inject malicious code - even through a web page's graphics...no scripting or anything.

Windows Update will go ahead and update major components but you also need to go to the Office Update site as well as update a bunch of other software you might have on your machine.

In particular for developers, the .NET Framework (pre-latest service pack) and even Visual Studio.NET 2003 and 2002 are affected and need to be separately patched.

The full bulletin with links for all the various patches are available here. http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

If you go to Windows Update it will also provide you with a GDI+ Detection tool that will scan your hard drive looking for affected components. I strongly you recommend everybody jump all over this one quickly.