Tuesday, September 28, 2004

6 books read this year.

This year I have managed to read 6 books. 6 books might sound like very little, but I am a slow reader.

C# Text manipulation.
This book covers many aspects of string handling in .NET, including Unicode, i18n issues and regular expressions, which is my biggest gain from the book.

What They Don't Teach You at Harvard
This book talks about management philosophy from the author's personal experience.

Visual Basic.NET Remoting.
Another tech book; the title speaks for itself. But I struggled a little with this book; I am still a little unclear on sinks. Anyway, all this complexity will go away with Indigo. Another difficulty is that the code is all in VB.NET. I had to convert all the sample code to C# to run and understand it. But that is not a bad thing after all; at least I don't just blindly compile the sample code, and I got a more thorough understanding of how remoting works.

Presenting to Win.
This is a simpler book to read. It doesn't talk about how to improve your presentation skills like other presentation books. Rather, it tells you how you should prepare for your presentation and how to tell a good story with your presentation.

IIS 6 Programming.
A little disappointed with this book. The contents cover only basic IIS 6 stuff, and the programmable aspects of IIS are not discussed very much.

Writing Secure Code 2nd Edition.
This book is perhaps the must-read for techies. It covers many aspects of security, from process to technology, coding, testing, documentation, and common misconceptions and misunderstandings of security. However, some of the code is written in Perl, which makes no sense to me :(.


Retrieving SQL Server 2000 Property

Here is a function to retrieve SQL Server 2000's properties, such as edition, version, patch level, license and so on.

select serverproperty('edition')
select serverproperty('ProductVersion')
select serverproperty('LicenseType')
select serverproperty('NumLicenses')
select serverproperty('ProductLevel')
select serverproperty('ServerName')

For more information, look up 'serverproperty' in SQL Server Books Online.


Sunday, September 26, 2004

SQL Server 2005 Beta 2 Installation Error

If you are installing SQL Server 2005 Beta 2 from the CD given out during TechEd, you will encounter an error. The installer will complain that it cannot find a particular file.

To work around this, you need to copy the CD to your hard disk, rename the following 3 files and then run the setup from your hard disk.


1. Rename
\Setup\Program Files\Microsoft SQL Server\90\COM\Microsoft.SqlServer.Replication.NativeResourceStringLo.netmodule

To
\Setup\Program Files\Microsoft SQL Server\90\COM\Microsoft.SqlServer.Replication.NativeResourceStringLoader.netmodule

2. Rename
\Setup\Program Files\Microsoft SQL Server\90\Tools\Profiler\TraceDefinitions\1033\Microsoft Data Transformation Services TraceDescriptions 9.0.xml

To
\Setup\Program Files\Microsoft SQL Server\90\Tools\Profiler\TraceDefinitions\1033\Microsoft Data Transformation Services TraceDescriptions 9.0.0.xml

3. Rename
\Setup\Program Files\Microsoft SQL Server\90\SDK\Assemblies\Microsoft.SqlServer.Replication.NativeResourceStringLo.netmodule

To
\Setup\Program Files\Microsoft SQL Server\90\SDK\Assemblies\Microsoft.SqlServer.Replication.NativeResourceStringLoader.netmodule


Thursday, September 23, 2004

Google Yourself

Have you ever googled yourself?

I just did a Google search on my name and my blogs came up in the results. What did you get for yourself?

Hmm.. what does the story tell? As long as you are living on the net, there is no way to hide.


What do you think?

Sunday, September 19, 2004

Using Password


After attending the Windows Password session by Jesper Johansson at TechEd, I now have a better idea of how to choose and use a password.


  • Use a pass phrase instead of a password.


    • E.g.: Instead of 'password', you can use 'This is a good password'.

    • A pass phrase is easier to remember and type than a password because it is a natural statement.

    • Passwords usually require a combination of upper case, lower case, symbols and numbers. Squeezing all of this into a short word is a tough thing to remember.

    • A pass phrase has more characters, thus making a brute force attack much more difficult, if not impossible.


  • Never ever write down your password anywhere. I guess this has always been the old teaching, but people still do it.


  • Always secure your workstation. If the attacker can get physical access to your workstation, he doesn't even need your password.


  • Simply replacing some characters with another set of characters does not give you much extra security.

    • E.g.: replace 'a' with '@', 's' with '$'.

    • If you can think of this idea, obviously the attacker can too.


  • Don't choose a password simply based on what you see around you. An attacker can think this way too when he needs to guess your password. E.g.: When the attacker sits in front of your workstation and sees your family photo there, he will probably guess your password using your wife's or kid's name.


  • When you type your password, make sure nobody is around you, to avoid shoulder surfing.


  • Try as much as you can not to reuse a password for multiple accounts that you have.
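
To make the brute force and character-substitution points above concrete, here is an added example (my own, not from Jesper's session or this post) that estimates the search-space bits of the post's own 'P@$$word' versus 'I love thi$ p@s$word', and shows how little a leet-style substitution rule adds over the plain word. The character-class sizes and the substitution map are assumptions.

```python
import math
import string

# Constructed sample secrets from the post above (illustrative, not real credentials).
SHORT_PASSWORD = "P@$$word"
PASSPHRASE = "I love thi$ p@s$word"

# Assumed substitution map: the 'a' -> '@', 's' -> '$' style replacements the post
# warns about, which guessing tools already apply as rules to a dictionary word.
LEET_MAP = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"}

# Assumed character classes (printable ASCII): 26 lower, 26 upper, 10 digits,
# and 32 punctuation marks plus the space character (33 symbols).
SYMBOLS = set(string.punctuation) | {" "}


def charset_size(secret: str) -> int:
    """Size of the alphabet an exhaustive search must cover for this secret,
    based on which character classes it actually uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in secret):
        size += 26
    if any(c in string.ascii_uppercase for c in secret):
        size += 26
    if any(c in string.digits for c in secret):
        size += 10
    if any(c in SYMBOLS for c in secret):
        size += len(SYMBOLS)
    return size


def brute_force_bits(secret: str) -> float:
    """log2 of the keyspace: length * log2(alphabet size)."""
    return len(secret) * math.log2(charset_size(secret))


def substitution_bits(word: str) -> int:
    """Extra bits a rule-based guess needs when each substitutable character in
    `word` may or may not be replaced: 2**k variants, so k bits."""
    return sum(1 for c in word.lower() if c in LEET_MAP)


def rule_attack_bits(base_word: str) -> float:
    """Work to cover every leet variant of a plain lower-case word: search the
    base word, then try each substitution combination."""
    return brute_force_bits(base_word) + substitution_bits(base_word)


def compare() -> dict:
    """Summarise the three estimates the post's advice rests on."""
    return {
        # what 'P@$$word' looks like if treated as random 8-char text
        "short_naive_bits": round(brute_force_bits(SHORT_PASSWORD), 1),
        # what it really costs once 'password' plus substitution rules is tried
        "short_with_rules_bits": round(rule_attack_bits("password"), 1),
        # the 20-character pass phrase, same character classes
        "passphrase_bits": round(brute_force_bits(PASSPHRASE), 1),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name}: {bits} bits")
```

The substitution rule only adds about 4 bits to the plain word, while the extra 12 characters of the pass phrase add roughly 77 bits at the same character-class mix.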


There is another blog on Windows passwords. Follow this link:
http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx


Windows XP Service Pack 2

After sitting through Steve's session on Windows XP SP2 security enhancements, it kind of relieved my concerns about SP2. SP2 delivers security enhancements in 3 major areas.

Windows Firewall.
By default Windows Firewall will allow all outbound traffic. This sounds dangerous, huh? After some explanation, this seems to make sense. Users will always want to be able to connect out and will allow the outbound traffic even if they have to do it manually. If the eventual result is the same, then why should you block them in the first place? Well, this is food for thought. Some of you might not agree with this kind of thinking.

It is blocking the inbound traffic that is important, because if an attacker can get their bad stuff into your workstation, then basically they will have control over the workstation. In such a case, whether outbound traffic is blocked by default is not relevant anymore.

Boot time security is another enhancement that is made. Why is this important? When Windows boots up, it takes some time for Windows Firewall to start up and provide protection, meaning that in between, your Windows is not protected, hence an attacker can take advantage of that small window of time to launch an attack. With boot time security, only 3 kinds of traffic (DNS, DHCP, Netlogon) are allowed in the TCP stack until Windows Firewall starts giving protection. This greatly limits what an attacker can do.

There are 2 profiles provided in SP2: Domain and Internet. The 2 profiles apply different policies and have different restriction levels when connected to the corporate network and to the Internet. A good question was asked during the presentation: if you establish a connection to the Internet, and then using that Internet connection you establish a VPN connection to your corporate network, which profile are you on?
The answer is, the interface that is connected to the Internet will have the Internet profile applied. The second interface, which is the VPN, will have the corporate profile.

The exception list allows an application that needs to act as a listening server to open a port. The port will be opened when the application runs and is closed once the application is shut down. Alternatively, the port can also be configured to be permanently open. In order for an application to be added to the exception list, the user must be an administrator. But once added, the application can run under a user with a lower security context.

The second major enhancement area is Internet Explorer. The irritating popups can be blocked now. You do, however, have the option to allow popups from certain web sites. This is useful for intranet applications.

The ActiveX installation dialog has a friendlier message. Plus you also have the option to configure how you want to trust the publisher.

Scripts can no longer open a window that totally covers the parent window. The new window must fit within the parent window and overlap with it. Before this, scripts could open a window that covered the desktop and fooled the user into performing actions that have a malicious effect. However, this could break some existing applications that have code/scripts that rely on this behavior.

The third enhancement area is email. There is a new API that is added to check attachments from email or Messenger and prevent execution of the attachment if it is suspected to be unsafe.

All email content in Outlook Express will default to plain text. The reason is that HTML content can carry malicious scripts. Again, you have the option to turn on the display of HTML content. External HTML content such as images will not be downloaded by default.

There is a new security zone named Local Machine that is added to IE. This zone has a strict policy for executing local content. In the past, Local Machine had loose restrictions on local content and attackers took advantage of this weakness to fool users into executing local content that has a bad effect. Now the Local Machine zone has a much stricter policy in dealing with local content. For example, it does not simply allow scripts in local content to execute.

Hooh... it is a long list. I only highlight a subset of the enhancements over here. There is much more to this.

To learn more about Windows XP SP2, go to:
http://www.microsoft.com/windowsxp/sp2/default.mspx

Friday, September 17, 2004

See You in TechEd 2005!

Today is the last day of TechEd 2004. There are only 3 sessions today and it ended at lunch time.

The day started with Steve Riley's session again, on Wireless Networking. Although I have never set up a wireless network before, this presentation gave me some key points on how to secure wireless networking. He also mentioned 2 common mistakes that people usually make in securing wireless networks.

First is not publishing the SSID. Even if you don't do this, attackers still have an easy way to find it out. All they need to do is capture some packets that are flowing in the air and then work it out.

Second is restricting MAC addresses. This is an extreme administration nightmare if you need to keep track of MAC addresses in every Access Point. Secondly, MAC addresses can be spoofed as well. There are even tools that help you do this.

Coming up next was Richard Campbell's Advanced T-SQL. He showed some techniques for how to perform cross-tab queries in T-SQL. This session finished quite fast.

The last session of TechEd was Kimberly Tripp's SQL Server Database Partitioning. This is another SQL Server high performance session by her.

It is kind of a strange feeling that I started and ended TechEd this year with her sessions. Throughout her sessions at TechEd, she has given a lot of practical techniques on how to achieve a high performance database.

That's all for TechEd 2004. See you again in TechEd 2005!


Architect Dinner

Aaron from Microsoft Malaysia hosted an architect dinner this evening for some of Microsoft's partners, customers and some folks who are active in the architect community.

We had the honor of having Gurpreet and Harry Pierson from Microsoft Corp with us at this dinner, and they shared with us Microsoft's initiative in this area. It is evident that Microsoft has realized the importance of architecture in the enterprise space and has shown effort in this area.

Building enterprise level applications today is a challenging task and the complexity will only increase in the days to come. As globalisation evolves, it becomes more important for applications to be able to exchange data and integrate seamlessly in a business process. Enterprise architecture is an important deciding success factor. We have to start looking at how to decouple information architecture and application architecture.

Later, after the dinner, we joined the MVPs, who earlier also had another dinner elsewhere, for a couple of pool games.

This is how the evening ended.


TechEd Day 4

Today I spent most of my time in the security tracks.

Guess what? Steve Riley and Jesper Johansson did it again. For another time, they turned a dry subject into an interesting session and won the applause.

The day started with Steve Riley's session: Security Enhancements in Windows XP SP2. I will blog more about this session later in a separate post.

Following that was Ben Smith's Internet Explorer Security. This is basically an extension of Steve's previous session. Ben focused primarily on the SP2 security enhancements that have been made to IE and highlighted some of the changes that one should be aware of.

The last session before lunch was Harry Pierson's session on an architecture related topic. He explored the similarities between the evolution of cities in the 19th and 20th centuries and the development of IT shops, and what the industry needs to do and where to move next. Then he explained how Service Oriented Architecture fits into the picture. This presentation is also available as an article on MSDN.

It was Steve Riley's session again: The Death of the DMZ. I feel guilty for falling asleep in this session as I had eaten too much during lunch. Anyway, the main message of this session is that the network perimeter, firewall and whatever protection you put on the network might no longer offer protection to your resources. Instead, the resource or object should know how to protect itself. This is achieved using Rights Management Services.

The last session of the day was Jesper Johansson's Windows Password, another awesome session. He walked us through the different authentication methods that are available in a Windows environment and how they work. He also gave some tips on how to change the authentication method. He then went on to talk about passwords, what good and bad passwords are, and how bad passwords and passwords stored using a weak hash can be easily cracked. The take away from this session is that however strong the password you choose, it is still not as good as a pass phrase. Windows passwords can be as long as 127 characters. So instead of having a password that is 'P@$$word', you can use something like 'I love thi$ p@s$word'. Doesn't the latter look better and sound more natural and easy to remember?

Wednesday, September 15, 2004

Tips to stay alive at Microsoft Events

Major Microsoft events like TechEd are always content intensive and exhausting. Here are some tips on how to stay alive through the events:

  • Get enough rest the night before so that you will be fresh the next day.
  • Get to the venue early so that you don't get stuck in the crowd for registration, and in the meantime, while waiting for the event to start, get about 15 to 30 min of rest.
  • Have a slightly heavier breakfast (a better timing will be about one and a half hours before the event starts so that by then, some of your breakfast will be digested).
  • A heavy lunch will always make you fall asleep in the evening. Instead, have a light lunch and snacks in between breaks.
  • Don't expose yourself too much to the hot sun. That will make you feel tired.
  • In between breaks, take a short walk to exercise your muscles.
  • MS events are always held in cold rooms. Always bring a jacket so that you can keep yourself comfortable throughout the event.

Social Engineering Attack

Do you know what a social engineering attack is? It has nothing to do with Microsoft, it has nothing to do with Linux, nor does it have anything to do with any technology. But it has a lot to do with you and me and every human being.

Social engineering is 'The art and science of getting people to comply to your wishes' (according to Steve Riley's presentation slide). It makes use of human intelligence to manipulate humans into giving out their secret information.

If you think you are safe because you are not using a computer system for anything, you are DEAD WRONG! Social engineering has nothing to do with technology; it counts a lot on how smart you are in protecting your information.

For example, someone might call you pretending they are from your ISP. They tell you there is a problem and they need to reset your internet account, and ask for your user name and password. You just give it to them without thinking twice. Boom!! The attacker can now log in to the ISP using the user name and password you just gave.

Another example: someone might call you pretending they are from the credit card company. They ask you for your credit card information so that they can validate the recent transactions that you have made.

It is hard to combat this kind of attack as it takes advantage of human weakness and mistakes. However, there are ways that you can minimize your chances of being attacked.

First, be smart about how you share your personal information. Don't simply give your information to sources that you can't validate.

Second, be careful in how you handle documents that include your personal information, such as sales receipts that contain your credit card number. The attacker can pick these up from the waste basket and find out where you have spent your money recently. The attacker could be just somewhere close to you observing your behavior.

Third, try to counter-validate the person who contacts you. In the previous credit card example, instead of you telling them your credit card info, ask them to tell you what they think your credit card number is and you will tell them whether it is correct. Since they claim they are from the service provider, they have your info.

Fourth, this is one of the things that I started doing recently. Never ever simply give out your contact or business card. When you go to an exhibition or some business function, some people will ask you to drop your business card so that you get a chance to win a lucky draw or so. Don't do that, because you will never know what they will do with that info. They could sell it to a third party to make money, or they could start calling you to attempt new business from you (violation of privacy).

Wow!! There is no end to this list. But the bottom line is, take extra care of how you handle personal information (not just yours, but also that of people you know [an attacker can also learn about your friends if they manage to pick up your address book]) and when you deal with a stranger.

Don't think you won't be fooled by this. In the presentation, Steve taught us what it takes to do an SE attack. You can never imagine how easy it is. I did it once with my friend before and it worked very well.

You can Google here for more info on this topic.


TechEd Day 3

Entering day 3 of TechEd, today the technical sessions started at 10.30am. The first session of the day was some marketing stuff from the partners, so I skipped it. But I still arrived at 8.45am so that I could get a parking spot in the hotel basement.

The first session I attended today was SQL Notification Services by Stephen Forte. I was kinda disappointed coz I expected to see a lot of code; rather, his presentation only gave an overview of NS. Nevertheless, that is a good start for me.

The second session was SQL Server 2005 Security Enhancements by Joe Yong. As usual, Joe always runs out of time when delivering his session. Good to know that the new version will have tighter security controls such as password policy and encryption. He also introduced some new features like Schema (which is a container that binds database objects to users, something like an Oracle schema) and new system views which allow us to get a database's metadata in an easier manner.

The third session was SQL Server Backup and Recovery by Kimberly Tripp. Luckily I had read the Backup and Recovery chapter in the SQL Server 2000 Resource Kit last week. Otherwise this session wouldn't have made sense to me. Kimberly's session has given me a deeper understanding of backup and recovery strategy. Good stuff!

The fourth session, which was the most interesting session today, was about Social Engineering attacks by Steve Riley. Steve is an excellent speaker. Throughout the presentation, his humor kept the room awake.

The last session of the day was Jesper Johansson's Network Threat Modelling. He is a great speaker too, but this session wasn't as technical as I expected and had no real demo.


Tuesday, September 14, 2004

The TechEd Bag

I had a chat with one of my friends, who is also a Microsoftian, about the TechEd bag. The bag this year looks pretty good. It has thick cushioning which makes it more comfortable to carry and the material looks more solid. It has a small compass on the right side of the strap. I guess the bag is sponsored by Polo since their name is all over the bag.

The bag last year only lasted me about 8 months. It tore at the main compartment and surprisingly I found out from many of my other friends who are also using the same bag that their bags also tore at the same place.

Let's see how long this bag will last. It had better last at least 12 months, until the next TechEd!!!


TechEd Day 2

Today is the first TechEd conference day. Apart from attending the breakout sessions, I have met up with quite a number of friends. Like the other previous TechEds that I have attended, it is a place to meet up with friends and a whole bunch of other great people.

It has been a tiring day. The logistics are very dispersed. It is a long way to walk from one track room to another. And the lunch lounge is so far away!!! I still prefer PWTC.

An interesting person I met today is Richard Campbell, the Toyboy on the DotNetRocks radio show.

Monday, September 13, 2004

TechEd 2004 Preconference Workshop

Today I attended the preconference workshop Designing for Performance (database stuff) conducted by Kimberly Tripp. It was a great workshop.

Kimberly is a great speaker and trainer. She delivered the contents in such a smooth and easy to follow manner. However, I was kinda lost towards the last module, on indexing. Guess I have to do more homework in this area. But still I have taken away a lot today.

I will blog more about what I learned later when I have fully digested the contents. Looking forward to her other sessions throughout the week.

After glancing through the conference session schedule, it looks like I will spend a lot of time in the Database track, followed by the Security track. The Windows XP SP2 session is especially important for me since it has a lot of dramatic changes and I have to implement solutions on this platform.

Friday, September 10, 2004

Do not surrender your IC


A couple of days ago, I went to one of MAS's (Malaysia Airline System) facilities. At the gate house, I gave them my employee ID in exchange for the pass to enter their office. The security guard insisted on an IC or driving license.

Don't these people realize that they have no right to withhold our IC or driving license? The Government has made this clear: we should never simply surrender our IC (especially MyKad) to other people, including a building's security guard, and nobody has any right to withhold our IC even for security reasons.

The security guard should only take my IC for recording purposes but has to return it immediately after that.

One of these bad things can happen to you if you give out your IC:
  • If you have changed to MyKad, your personal information could be stolen from the smartcard in the card.
  • If they misplace or lose your IC, it is an extreme hassle to apply for a new IC.

Bad things happen in life, and if it does happen, who is going to be responsible for it?

I hope more building security managements will pay more attention to this issue and change their policy.
