Almost a year and a half ago when I installed the first beta, the Start Menu was still present.  In the next iteration, it was disabled by default but could be brought back with a registry hack on a per-user basis.  I was concerned, but not fully alarmed.  Then the final public beta rolled around, and when I installed it I was appalled.  It was at that moment 10 months ago that I knew Microsoft was sunk.  I voiced my opinion loud and clear to many.  My friends were curious of my antics but had faith that in the final product, Microsoft would provide a way to have base Windows 7-like UI functionality.  After all, the comfort zone of the damned Start Menu was 15 years entrenched.  How could they simultaneously slap the whole world in the face while proclaiming, "PSYCHE!!!"

But they DID!!

The atrocity shipped soon thereafter, and in its crippled state, it has become the ultimate bottom-feeder, hoping for any random leftover scraps the market can toss its way.  We are witnessing the biggest blunder Microsoft has ever committed.  And there are some significant blemishes in its past.  This faux pas goes WAY past the strong-arm tactics of the 90's where the Office products were coded with secret undocumented APIs to which WordPerfect and Lotus were not privy.  I truly believe Bill has redeemed himself from those shrewd early days with his current outstanding commitment to better the world.  I am delighted that the Bill and Melinda Gates foundation exists.  I endorse it wholeheartedly.  I am quite grateful Microsoft has garnered the success it has over the past three decades.

In Bill's absence some kind of jealous power play has gone unchecked.  In apparent envy of Apple we've seen an attempt to win over the public with charades and marketing muscle.  Microsoft's iPod was the Zune.  Their iPhone was the Kin.  And now they've gone all-in to combat the iPad and have bet all their black chips on this one hand.  If the product were as addicting as aspartame or fast food then this would have worked.  But the product just sucks.  The public will not be won over by marketing shenanigans.  Pay for all the stupid band appearances and stores and giveaways you want.  Surround yourself with like-minded fools who parrot your mantras.  Bottom line is the product does not work.  Listen to your customers and learn a thing or two.  OR IS IT TOO EMBARRASSING?  Now that you've screwed the pooch, is there any way back?

Damn it, Microsoft, wake up and get your act together.  You have pissed off essentially ALL of the big-name hardware manufacturers.  Some have gone Chromebook, and many will go Ubuntu if you don't shape up NOW.  There is no time to mess around with creating a Windows Store until you bring back some shred of what the public wants in an operating system.

Windows 8 has amazing enhancements in speed and feature set.  I love HyperV.  And the slimming and trimming.  It absolutely rocks.  Kudos to all the hard-working teams that made that possible.  But it is just completely crippled with a pointless interface.  Ditch what doesn't work NOW.  Do not wait until you have blown another billion in advertising.

Can I be any clearer?  How many of you morons actually think the current approach is still gonna fly?  Truly -- wake up and take action.  It is now or never.  You can apologize to the public and THEY WILL UNDERSTAND.  You can reclaim the ground you have lost.  Or you can continue waltzing along with selective hearing, believing all the inner voices in your head chanting about how a common phone and desktop ecosystem can work.

Bullcrap.

You make DESKTOP operating systems.  Not tablet or phone OSes.  Don't throw away your core competencies.  You have Active Directory in 95% of corporations worldwide.  Do NOT piss that away.  You have an amazing new XBox release that will do well.  WHY THE HELL ARE YOU TRYING TO PUT THAT XBOX UI ON CORPORATE SERVERS???  WHILE STILL PROMOTING POWERSHELL???  Stop with the nonsense.  Do what you are good at.  I have solidly invested 25 years of my career in your products and I don't want to see you piss it away.

Straighten up, and get your act together.  You're gonna need it over the next 6 months.  Bring the red pill registry hack back and let's get a usable operating system back in the hands of the public.  Every time someone installs StarDock or Classic Shell they think in their mind, "Why was Microsoft incapable of just putting this in the box???"

I am done tearing you a new corn chute now.  I hope to God this isn't falling on deaf ears.  But as of late you seem quite steeped in denial.  Just in case, I should learn some Objective C instead of continuing to play the cello on the deck of this large ship.

Not nearly as impressive as its name sounds, but in Windows 7 we had the trick of creating a folder of tools called:

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

And on Windows 8 this still works.  This is a pretty useful thing with Win8 since it's more difficult to reference all the obscure tools because many of the good ones can't be opened directly from the Start page.

Consider this common construct that you and I have thrown into ASPX pages for years now:

<%# DataBinder.Eval (Container.DataItem, "EmployeeID") %>

In .NET 3.5.1 and older it returns -- tada -- a string.  No mystery there.  But in .NET 4.0 it returns the same type as the underlying data type -- which in this case for me was a nullable int.  Interesting, no?

The GAC in .NET 4.0 is cut into two parts now -- one half for .NET Framework 2.0 stuff, and the other for v4.0 stuff. When compiling any project, targeting .NET 2.0, 3.5, or what have you, this annoying error may pop up:

Could not load file or assembly 'System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. The system cannot find the file specified.


If you are working on a 32-bit system then open a run box and perform this copy command:

xcopy "%ProgramFiles%\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.0\System.EnterpriseServices.dll" %windir%\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a


If you get a window popping up asking "(F = file, D = directory)?" then sure enough, this fix should work for you, and you should press "D".  If you instead get a message asking if you should overwrite, with "(Yes/No/All)?" then you already had the file in place, and this did not fix anything.

The goal here is to fully reconstruct the .NET 4.0 portion of the GAC for that one missing assembly.


I've got a couple HDR-HC1 cameras, one from Japan and one from the US, and really like the video quality that comes out of 'em.  As long as the scene is well-lit, the results are good.

Annoyingly, using CapDVHS I could only capture HDV video from the Japanese one.  I hadn't taken the time to figure out why until just today.  It was easy enough in the past to just always use the Japanese camera to capture HDV content.  Well, today I got curious and took a moment to figure out what the problem was.  Very simple indeed: the i.LINK CONV setting was ON when it should have been OFF.  Here's what it should look like in the menu:

picture showing i.LINK CONV turned off in the menu of an HDR-HC1

After making that selection, instead of showing up in CapDVHS's list as "unknown video #1", it shows up as an HDR-HC1.  And capturing works great!

Four starcraft owned by galactically-registered prostitutes hovered over Phoenix late last evening, each illuminated with the traditional mark of the trade: a red light.  The markings on the side of two craft indicate they are from the galaxy "Sextans", NGC 3115, which is seen in our sky near the constellation "Hydra".  (Although the name of the spindle galaxy "Sextans" sounds provocative, its name comes from "sextant", which is a nautical measuring instrument.)

The galactic prostitute registry requires that sex workers be "chipped" with a biometric monitor to ensure the incurable AIDS virus found on Earth is not introduced on a galaxy-wide scale.  As such the error of the four is likely to go under investigation by the Empire.

Many speculate that the four femaloids had intended to set up shop for the evening at the popular planet Aphroditius that orbits the nearby star Alpha Centauri B.  Rodney Stahl, director of NASA's extraterrestrial monitoring center in Roswell, NM thinks that the four had gotten off course in the final leg of the journey after teleporting into the nearby vicinity.  "After all, Aphroditius is less than 5 light years away from Earth, and its features are remarkably similar," explained Stahl in a phone interview.

The whole event lasted about ten minutes, at which point the quartet likely wondered why their red light hadn't yet attracted any business.  Their ships huddled for a few minutes to get their coordinates, appearing from below as a single bright red flickering light.  Soon thereafter they teleported out of the solar system.

(OK, there is actually a little grain of truth to this story...  Last night I witnessed this phenomenon, which is now the second UFO sighting I've had.  I just wanted to find a fun way to explain what the heck those pulsing red lights could be.  Plus I didn't do anything interesting for April Fool's this year, until now!)


When playing back content from my 3D camcorder, if you aren't wearing shutter glasses then the result is pretty blurry and bland looking.  After putting on the glasses, the scene jumps to life.  So while putting together a sample photo to promote how it works, I wanted to superimpose a better 2D image, and stretch it over the existing image of a screen in the photo.  It had been awhile since I've done anything real with math, so I took a half hour and figured out a couple equations to do the mapping, and wrote a program to do the translation for each of the pixels into the quasi-3D space of the monitor screen, ending up with this result:

(The superimposed image doesn't look that believable here, but when I resized the picture down a bit, it looked better.)

The routine works by mapping each pixel from the source image into the proper x/y coordinate for the destination space, seen above.  And it works fine *except* that where the image gets stretched a bit much, there are moiré kind of effects that pop up.  These can be seen at the right side of the image above as lines of speckles.

Here's the formulas that do the mapping to create the result seen above:

destX=((lrx - llx) * (srcX / srcWid) + llx - ((urx - ulx) * (srcX / srcWid) + ulx)) * (srcY / srcHt) + (urx - ulx) * (srcX / srcWid) + ulx

destY=((lry - ury) * (srcY / srcHt) + ury - ((lly - uly) * (srcY / srcHt) + uly)) * (srcX / srcWid) + (lly - uly) * (srcY / srcHt) + uly

And here's what all my crazy variable names mean:

srcWid = source image width
srcHt = source image height

srcX = source X coordinate
srcY = source Y coordinate
destX = destination X coordinate
destY = destination Y coordinate

Coordinates that define the location of the destination image:
ulx = upper left corner of the image, x coordinate
uly = upper left corner of the image, y coordinate
urx = upper right corner of the image, x coordinate
ury = upper right corner of the image, y coordinate
llx = lower left corner of the image, x coordinate
lly = lower left corner of the image, y coordinate
lrx = lower right corner of the image, x coordinate
lry = lower right corner of the image, y coordinate

So basically if you supply a source x/y, you can then find what the appropriate destination x/y should be, and plot the color from one to the other.  So the code iterates through all the source pixels and plots each one to a destination pixel.  But it would be cleaner and often faster to go the other way, iterating through all the destination pixels to find what source pixel (if any) matches up to that point.  So basically the reverse of the above equations.  The real sticky part is that each of the equations is dependent on not just the srcX, but also srcY.  And as well, each point on the destination could conceivably map to *two* source pixels (but not more, since the highest power expressed here is effectively a squared term.)

Anyone out there a math whiz that can think of an easy way to "go the other way", in other words in the two equations above, solve for srcX and srcY?  I found it kinda challenging.  A fun brain challenge more than anything else.  My hotshot math whiz brother may find the answer, who knows.
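As an added example (not code from the original post), here is the forward mapping exactly as the two formulas above, together with the inverse the post asks for: both formulas are one bilinear blend of the four corners, so solving for srcX and srcY comes down to a quadratic in one variable, which is also why a destination point can correspond to two source pixels. The corner coordinates are constructed sample values; the variable names follow the post.

```python
"""Forward mapping (the page's two formulas) and the inverse the post asks for."""
from math import sqrt

# Destination quad, as (x, y) for the upper-left, upper-right, lower-left and
# lower-right corners. Constructed sample values, not the corners from the photo.
QUAD = {"ul": (100.0, 50.0), "ur": (420.0, 80.0),
        "ll": (90.0, 300.0), "lr": (400.0, 260.0)}


def forward(srcX, srcY, srcWid, srcHt, q=QUAD):
    """Source pixel -> destination point, exactly as the two formulas above."""
    ulx, uly = q["ul"]
    urx, ury = q["ur"]
    llx, lly = q["ll"]
    lrx, lry = q["lr"]
    u = srcX / srcWid
    v = srcY / srcHt
    destX = ((lrx - llx) * u + llx - ((urx - ulx) * u + ulx)) * v + (urx - ulx) * u + ulx
    destY = ((lry - ury) * v + ury - ((lly - uly) * v + uly)) * u + (lly - uly) * v + uly
    return destX, destY


def _cross(a, b):
    """2D cross product (a scalar)."""
    return a[0] * b[1] - a[1] * b[0]


def inverse(destX, destY, srcWid, srcHt, q=QUAD, eps=1e-9):
    """Destination point -> every (srcX, srcY) inside the source that maps to it.

    Both formulas are the same bilinear blend of the four corners:
        P(u, v) = UL + u*(UR-UL) + v*(LL-UL) + u*v*(UL-UR+LR-LL)
    With h = P-UL, e = UR-UL, f = LL-UL, g = UL-UR+LR-LL this reads
        h - v*f = u*(e + v*g),
    and crossing both sides with (e + v*g) eliminates u, leaving
        k2*v^2 + k1*v + k0 = 0.
    The quadratic is why one destination point can come from two source pixels.
    """
    ul, ur, ll, lr = q["ul"], q["ur"], q["ll"], q["lr"]
    e = (ur[0] - ul[0], ur[1] - ul[1])
    f = (ll[0] - ul[0], ll[1] - ul[1])
    g = (ul[0] - ur[0] + lr[0] - ll[0], ul[1] - ur[1] + lr[1] - ll[1])
    h = (destX - ul[0], destY - ul[1])
    k2 = _cross(g, f)
    k1 = _cross(e, f) + _cross(h, g)
    k0 = _cross(h, e)
    if abs(k2) < eps:
        # Parallelogram: the squared term vanishes and there is a single root.
        roots = [-k0 / k1] if abs(k1) > eps else []
    else:
        disc = k1 * k1 - 4.0 * k2 * k0
        if disc < 0:
            return []
        r = sqrt(disc)
        roots = [(-k1 + r) / (2.0 * k2), (-k1 - r) / (2.0 * k2)]
    hits = []
    for v in roots:
        # Recover u from whichever component of (e + v*g) is better conditioned.
        dx, dy = e[0] + v * g[0], e[1] + v * g[1]
        if abs(dx) >= abs(dy):
            if abs(dx) < eps:
                continue
            u = (h[0] - v * f[0]) / dx
        else:
            u = (h[1] - v * f[1]) / dy
        if -eps <= u <= 1 + eps and -eps <= v <= 1 + eps:
            hits.append((u * srcWid, v * srcHt))
    return hits


def warp_reverse(src, srcWid, srcHt, q=QUAD):
    """Fill the quad by iterating destination pixels and pulling one source
    pixel for each, which is the 'other way' that avoids the speckle pattern
    of the source-to-destination loop. Returns {(x, y): colour}."""
    xs = [c[0] for c in q.values()]
    ys = [c[1] for c in q.values()]
    out = {}
    for y in range(int(min(ys)), int(max(ys)) + 1):
        for x in range(int(min(xs)), int(max(xs)) + 1):
            hits = inverse(x + 0.5, y + 0.5, srcWid, srcHt, q)
            if hits:
                sx, sy = hits[0]
                sx = min(max(int(sx), 0), srcWid - 1)
                sy = min(max(int(sy), 0), srcHt - 1)
                out[(x, y)] = src[sy][sx]
    return out
```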


If you have one of these, you can capture *amazing* full-color high definition 3D video:

The general idea is:

1. Record a scene with two high definition camcorders running at the same time.  Have them mounted on a board, pointed the same direction, and spaced about 1 foot apart.
2. Acquire the footage into a computer and edit the streams to synchronize them with each other to within 1/30 of a second.  You now have two streams, one for the left eye and one for the right.
3. Use a filter to combine the two matched streams such that the left eye content is on top, and right eye content is on the bottom.  This would normally end up with a pretty tall video, 1440x2160.  But it has to be stretched back down to half the original height, 1440x1080.
4. On a computer with a CRT monitor (must be a high-end CRT, not LCD), set the resolution to SXGA+ (1400x1040), True Color, and 60Hz vertical refresh.
5. Put a frequency doubler inline on the video signal that makes the vertical refresh cook along at 120Hz.  Each frame being displayed is shown as a 1400x520 progressive slice, stretched to fit the whole screen.  Some CRTs can't scan that fast, so you have to try out high-end units until you find one that can actually go that fast.
6. Synchronize LCD-based shutter glasses to oscillate between left eye and right eye along with the new 120Hz vertical refresh.  Each eye gets 60 frames per second, and video is remarkably realistic, and looks really, really smooth.

I'm considering also trying a setup with a couple LCD panels to display the video stream, along with mirrors to allow a person to see the playback.  Something like this:

I've submitted this contraption to be shown at the next Maker Faire, held May 3-4 in Silicon Valley.  If you haven't been out to the Faire yet, may I just say that it's a must-attend event.  Think of "Burning Man", but for geeks.  Incredible.  At any rate, if you go then perhaps you'll get to see my 3D camcorder in action.


Over a million Japanese homes have a cutting-edge appliance that I'll bet you (along with 95% of America) have never even heard of.  No -- it's not a singing toilet seat with a remote control, butt warmer, and built-in bidet.  Why... here's one of those gleeking now:

So I bet that most of you have heard about -- and some out there even used -- that particular Japanese contraption.  Instead, the contraption I speak of is a heat pump that you add on to your water heater.  It saves about $350 a year on the electric bill!  The Japanese models are quite sleek, and resemble the condenser unit of a split air conditioner, as seen on the left in this picture:

That larger thing to the right is the hot water tank itself.  They make 'em rectangular over there, not cylindrical.

The Japanese models are fairly advanced, and the refrigerant of choice is actually not freon but instead CO2!  You know the slight cooling effect you feel when you first crack open a 2 liter and the "air" rushes out of it?  Well, that effect is put to work in a Japanese HPWH.  Here's a diagram:

They have a fun name for these CO2-based heat pump water heaters: "Eco Cute".  And you know the Japanese -- when they're excited about something they draw up cartoons with corny mascots -- in this case "Tankman" and "Pumpu"!

Even though there are more than a million of these installed in Japan, strangely here in the States these awesome CO2-based models are not available.  Instead over here there are only a handful of very small shops making heat pump water heaters (commonly abbreviated HPWH) using standard refrigerator compressors, so they use R-22 or R-134a.  Most of those shops seem to be struggling to make enough sales to keep afloat.  I think if only people knew more about the technology then the market would explode, since the payback happens in only about 3 years.  After that it's saving you money.  At any rate, being the environmental nut that I am I wanted in on this trend.

After Googling around awhile for HPWH I found a guy in Florida that was selling some American-made units for just $550 each, and sent him a fat cashier's check.  A couple weeks ago the thing arrived, and last weekend I got around to trying it out.  Here's a look under the hood:

Water gets pumped in from the tank with that brown pump on the right, circulates through the black oval-shaped heat exchanger in the middle, and goes back to the tank.  The heat exchanger is kept hot from the R-22 being pumped into it by the compressor.  Heat is dumped out through the curved evaporator with all its fins, seen in the bottom of this pic.

Most HPWH models are designed to be connected to an existing electric water heater, and this was no exception.  Here are the important electrical connections to deal with:

At first before connecting everything to the water heater I just wanted to turn it on and see it work.  So I put the unit in a bucket of cold water and connected just the 220V electrical connections.  Nothing happened.  I was pretty discouraged, and got out the multitester and schematic diagram.  Then I found out that in order to run this HPWH unit at all, it must, must, must be connected to a resistive load on the other side.  Turns out all I needed to do was just put the hot water heater in the circuit, which allows the 5-minute timer to get energized and actually do its thing.  5 minutes later a little relay tripped, which in turn juiced the coil for the main contactor, and everything jumped to life.  It was very welcome to feel tons of cold air pumping out the top of it.  Within a few minutes that bucket of water was pretty hot.

So now it's been installed for a week.  I need to make a better mount for it in my garage, and vent the cold outlet air to the outside for the winter months.  Seems to be doing the trick anyway.


Sometimes I'm a really early adopter.  So early that I buy stuff in Japan the moment it becomes available.  I've got a well-loved HDV camera that I got two and a half years ago that way.  Hard to believe that I've had it around that long.  It's now been on 3 continents, and has captured probably around 100 hours of really great content.  Quite a few "battle scars" along the way though:

One scratch in particular cut a little too deep.  On the fold-out screen in the upper-left corner under "HDV 1080i" you'll notice a nasty gash.  This went so deep in fact that it cracked the screen.  You could still use it, but with the backlight on it was atrocious.  This is one of those new touch-sensitive "hybrid" screens put out by Sony, advertised as being usable in direct daylight.  So I removed the backlight and was then able to at least use the screen outdoors:

Still not that great.  Then I pulled the cracked screen out of the camera and put just the LED-lit backlight in, which really cranks out quite a bit of light!  With the screen flipped around pointed towards your subject you could use it to deliver all the light you need when filming in the dark!

As usable as this was, it still wasn't as useful as a good screen would be.  So I called to check on the price for a replacement --  $130.  Ouch.  Too much.

I figured Sony probably made some other cameras with the same exact screen, so I researched a little to find the models that have a 2.7" wide screen with 123200 dots.  All these models looked like good candidates:

DCR HC47
SR52
SR72
DVD202
DVD203
DVD306
DVD404
DVD703
PC1000

After hunting around on eBay for a broken one with a good screen, I found a DVD203 for just $60.  A couple of weeks ago I received it.  Haven't had time to mess with it until last night, when I got out the Phillips jeweler's screwdriver and got busy trading everything around.  Here are both cameras, with the flaky donor camera showing off its good screen, and the cracked screen removed from my HC1:

While taking everything apart, there are a few fragile Kapton connectors to deal with.  One in particular is good to know about, the main feed that has tons of signal wires.  On this one I found it best to lift up the holder with a fingernail:

To detach the four other connections it was best to gently push both sides with a screwdriver.

Here's a look at the electronics inside the screen for both cameras:

Different circuit boards, but lucky for me the same actual screen assembly.  On the left is the cheapie donor DVD camera, and on the right my nice HDV camera.  Notice that only the backlight (lower right connection) and rec / tele / wide button connections (blue connection) are attached on the HDV camera.  At this point I had removed the cracked screen and put the backlight back in there.

With the main connection detached, I took out the whole screen assembly from the donor cam, and removed the three black screws holding everything together.  Here's the three main layers that result:

There's the plastic bezel, a rubber shock absorber piece, and most importantly the screen assembly.  The screen assembly itself has three sections: the touch-sensitive surface on top uses two smaller connections (at the left in the photo above, at the right in the photo below), the LCD part uses the bigger connection in the middle having lots of signal lines, and the LED backlight is a very simple connection with just 2 wires (at the right in the photo above, at the left in the photo below).  Here's another view after separating everything:

After pulling out just the screen assembly from this mix and detaching the three connections going to the circuit board, I was ready to drop it into the HDV camera.  Here's a look at the separate parts before putting them back together:

The screen assembly is at the right, which is first dropped into the bezel.  Then on top of that goes the circuit board and metal frame piece at the left that I'm holding.  It requires a thin black plastic separator that goes between the back of the backlight and the circuit board, to keep the circuit board from shorting against the backlight.

After dropping all of this in place and connecting the four smaller connections, it was time to reconnect the main connection coming from the camera.  To get the piece to go in as far as it's supposed to, I found it best to do this very carefully with needle-nose pliers:

Once it's as far as it should be, the connector can be pushed back down to secure it, and it ends up looking like this:

After getting everything back together, it worked perfectly on the first try.

Nice to be back in action again.

LCD screens have certainly changed the world.  Hard to find a device these days that doesn't use one somewhere.  But dang they're fragile.  If you have something with a broken screen, perhaps this tutorial will inspire you to try your hand at fixing it!


I had an error that had been driving me up the wall, CS0234: The type or namespace name 'Pkcs' does not exist in the namespace 'System.Security.Cryptography'.  This always happened while developing a web application in Visual Studio 2005 and wanting to use code that deals with certificates.  During development Intellisense would find the System.Security.Cryptography.Pkcs namespace just fine.  But it couldn't be found at runtime.  I had registered the System.Security assembly, and the project always built just fine.  The resulting assembly seemed perfectly normal.  But nothing I tried, not even reinstalling the .NET framework on the machine, would make that dumb error go away.

Well, after more tinkering I found out the issue is all in the web.config.  If you (1) install the normal payware version of Visual Studio 2005 and then (2) install Visual Web Developer Express 2005, and later go back to developing with the payware version of Visual Studio, then when you register assemblies it does not always add the references to the web.config file!  So the fix in my case was to change the <compilation> element in the web.config, found under <system.web>:

<!--
Set compilation debug="true" to insert debugging
symbols into the compiled page. Because this
affects performance, set this value to true only
during development.
-->
<compilation debug="true">

I just modified it to include the assembly reference like this:

<!--
Set compilation debug="true" to insert debugging
symbols into the compiled page. Because this
affects performance, set this value to true only
during development.
-->
<compilation debug="true">
  <assemblies>
    <add assembly="System.Security, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
  </assemblies>
</compilation>

Now at runtime everything works great!


A question was posed to our user group's listserv yesterday.  After typing up a response I saw that I had written a short novel on the subject, and thought it may be of use to those outside our group.  First the question posed:


> My employer doesn't want to expose its production databases to the world, so they sit safely behind a firewall. The production web servers want to talk to those databases, so we open the right ports to let them talk through matching, local machine user accounts. This way if the production environment accounts were compromised, domain privileges don't exist for these users, so the individual account cannot do anything with the internal domain (i.e. can't bring down the whole corporate network). Brilliant! Except...
>
> Problem: This solution requires us to replicate user accounts across every machine and we're getting more and more of them as we grow. It's a burden and it's also a QoS (Quality of Service) and security risk in its own right, because access is subject to account synchronization. What if password policy (like expiration) isn't enforced on an account? What if one machine in the web farm isn't synch'ed and we suddenly lose connectivity?
>
> There are controls that help mitigate risk with the current solution, but I have to believe there is a better way. Can someone explain alternatives to me in non-network-geek English?


The environment you describe is pretty common in the corporate world, with the majority of ports, including 135 / 137 / 139 for NetBIOS, 53 for DNS, and 88 / 464 / 500 / 3268 / 3269 for Kerberos, blocked by a firewall.  Corporate policy usually restricts you from joining any externally-facing web servers to an internal domain.  So basically you are the one that ends up doing the work that a domain controller would otherwise be doing, synchronizing everything, all in the name of better security.

Speaking of security, let's consider it to be kind-of like a war, us against hackers.  Our web servers are at the very front lines, the "tip of the spear", and are the ones most likely to be compromised.  If a web server falls into enemy hands, the security info it knows about can be obtained through "interrogation" by the enemy.  So if the web server was part of a domain, a hacker could search that domain for resources.  This is risky, as many computer names and user names would then be exposed.  The same kind of information you see when you go to add NTFS permissions to a file or folder, and click "Advanced", then "Find Now".  You can then see a list of users, groups, and computers.  It's too big a risk to take for most organizations.  Comparing it to war, sensitive intelligence is kept from those on the front lines, thereby limiting your exposure if someone gets captured.  So you end up doing all those "need to know" security updates manually to the machines on the front lines.

So how can we simplify administration for security between web servers and SQL servers?  There's a couple of options I can think of.


Option 1 -- Add a domain
Some corporate policies will let you set up a separate domain just for your SQL and web servers, so all those common "need to know" security details for the machines on your front lines can be easily set up.  There's little risk of sensitive data from the internal domain making its way to the outside because there's a real separation there.  No trust relationships between the inside and outside domains.  Having a separate domain greatly simplifies setting up web farms.  It's also essential to have your SQL server nodes joined to a domain when configuring database clusters.  If the web servers and SQL servers are on the same domain or trusted domains then it's much simpler to use SQL server in "Windows Authentication" mode.  So let's explore this option a little further.  Here's a diagram:

____________________
Internal corporate network
Your Vista / XP computer is sitting on a desk in here somewhere
____________________

 |
 |  Firewall allowing SQL requests only one direction
 |  (OK, maybe also terminal services connections
 |   in order to simplify administration via port 3389.)
V
____________________
* Domain Controllers for web environment (at least 2)
* SQL server(s)
____________________

A
 |
 |  Firewall allowing SQL, Kerberos, and NetBIOS requests
 |   (ports 53 / 88 / 135 / 137 / 139 / 464 / 500 / 3268 / 3269,
 |    plus whatever custom port you use for SQL.)
V
____________________
* Web servers joined to the "web" domain.  Each machine is "multi-homed" (has 2 network adapters), with one connection to the network above, and one connected below.
____________________

A
 |
 |  Firewall allowing HTTP and HTTPS
 |
V

vvvvvvvvvvvvvv
  The Internet
^^^^^^^^^^^^^^

In this case note that the domain controllers and SQL server(s) would use an IP addressing scheme that does not route on the Internet, like 10.x.x.x, or 192.168.x.x.  Also each web server would have an IP on this network.

If a web server were compromised then there would still be risk of an attacker discovering computer names and IP addresses of other web servers and database servers.  Also account names used on that separate "web" network.  But no risk that they would discover that same information on the corporate network.  You may want to explore this option to simplify your day-to-day administration.  Adding a new web server to the environment is as simple as having it join the domain, and then establishing file replication service (FRS), ROBOCOPY scripts, or something similar to synchronize files and permissions.

If data in the SQL servers has to be accessible on the corporate network then you could set up a firewall allowing just requests from the corporate network to be answered by the database servers, and then only on one port.  (Often better for this not to be the default of 1433!)  As long as you use a good firewall then it's pretty strong security, and very low risk of the corporate network getting exposed.  No domain-specific information would traverse the wire.

In addition to the 3 firewalls shown above, you can also establish IPSec for even better security.  This would be especially useful between the corporate environment and the segment with SQL / domain controllers.  Also somewhat useful between SQL and web servers because a compromised web server could potentially sniff network traffic going between other web servers and the database server, exposing sensitive data.  But bear in mind that you take a performance hit when using IPSec, so enabling this between web servers and database servers would slow down requests.


Option 2 -- Enable "Mixed" mode on your SQL server(s)
This one is quick and dirty.  It avoids the need to configure special Windows accounts at all, and has you change out your connection strings to use SQL logins.  It's functionally similar to what we saw with Option 1 in that security for the externally-facing resources is maintained separately from any internal credentials.  In Option 1 it was done in a totally separate domain.  In this option it's done by simply leveraging the security system baked into SQL server.  But then the security credentials have to be exposed in the connection string.  This doesn't protect the data in your SQL server nearly as well since a compromised web server could then give the attacker access to passwords used by the SQL service, potentially giving more access than in a scenario where the SQL server uses only Windows authentication.  Because of this many corporate security policies do not allow SQL server to be configured in mixed mode.  At least this option is simple, not requiring any additional hardware in your scenario.
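As an added example, not from the original post: a small audit that reads the connectionStrings section of a web.config and reports which entries embed a SQL login and password (the exposure described for mixed mode above) versus which rely on Windows authentication. The web.config contents, server name and logins are constructed samples.

```python
"""Audit the <connectionStrings> section of a web.config for embedded SQL logins.

Added example, not part of the original post. A connection string that carries
a SQL login and clear-text password is exactly what a compromised web server
would hand to an attacker; Windows-authenticated strings carry no secret.
"""
import xml.etree.ElementTree as ET

# Constructed sample web.config; the server, databases and logins are made up.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Orders"
         connectionString="Data Source=sqlweb01,1533;Initial Catalog=Orders;User ID=webapp;Password=hunter2" />
    <add name="Reports"
         connectionString="Server=sqlweb01,1533;Database=Reports;Integrated Security=SSPI" />
    <add name="Legacy"
         connectionString="Server=sqlweb01;Database=Legacy;Trusted_Connection=yes;" />
  </connectionStrings>
</configuration>
"""


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    parts = {}
    for chunk in cs.split(";"):
        if "=" not in chunk:
            continue
        key, _, value = chunk.partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts


def classify(cs):
    """Return (kind, reason) for one connection string.

    kind is 'windows' (integrated auth), 'sql-login' (mixed-mode credentials in
    the config) or 'unknown'.
    """
    p = parse_connection_string(cs)
    integrated = p.get("integrated security", p.get("trusted_connection", "")).lower()
    if integrated in ("true", "sspi", "yes"):
        return "windows", "uses Windows authentication; no password in the config"
    user = p.get("user id", p.get("uid"))
    password = p.get("password", p.get("pwd"))
    if user and password:
        return "sql-login", f"SQL login '{user}' with clear-text password in web.config"
    if user:
        return "sql-login", f"SQL login '{user}' (password supplied elsewhere)"
    return "unknown", "no recognisable authentication setting"


def audit(web_config_xml):
    """Return {name: (kind, reason)} for every <add> under <connectionStrings>."""
    root = ET.fromstring(web_config_xml)
    results = {}
    for add in root.iterfind("./connectionStrings/add"):
        results[add.get("name")] = classify(add.get("connectionString", ""))
    return results


def findings(web_config_xml):
    """Names of connection strings that embed a SQL login (the mixed-mode risk)."""
    return sorted(n for n, (kind, _) in audit(web_config_xml).items() if kind == "sql-login")


if __name__ == "__main__":
    for name, (kind, reason) in audit(SAMPLE_WEB_CONFIG).items():
        print(f"{name:8s} {kind:10s} {reason}")
```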

With this option the SQL server(s) are still on the corporate network, so a major consideration is to harden the machines as much as possible.  Disable risky extended stored procedures.  This means more than just xp_cmdshell.  What about xp_runweb, xp_regread, and xp_regwrite?  Not to mention xp_dirtree and xp_enumgroups.  Here's a fairly good security checklist for SQL Server:

http://www.sqlsecurity.com/FAQs/SQLSecurityChecklist/tabid/57/Default.aspx
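As an added example (my own script, not from the post or the linked checklist), here is a T-SQL script that applies the hardening steps above on SQL Server 2005 or later: it reports whether the instance is in mixed mode, turns xp_cmdshell off via sp_configure, and denies EXECUTE to public on the other extended procedures named in the post.  It assumes you run it as a sysadmin in the master database on each instance.

```sql
USE master;
GO
-- 1. Report the authentication mode: 1 = Windows authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;
GO
-- 2. xp_cmdshell is an instance-level option on SQL Server 2005 and later; turn it off.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
GO
-- 3. Deny EXECUTE to public on the other extended procedures the post names.
--    Only procedures that actually exist on this instance are touched (type 'X'
--    in sys.objects is an extended stored procedure).
DECLARE @name sysname, @sql nvarchar(200);
DECLARE procs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.objects
    WHERE type = 'X'
      AND name IN ('xp_runweb', 'xp_regread', 'xp_regwrite', 'xp_dirtree', 'xp_enumgroups');
OPEN procs;
FETCH NEXT FROM procs INTO @name;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'DENY EXECUTE ON dbo.' + QUOTENAME(@name) + N' TO public;';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM procs INTO @name;
END
CLOSE procs;
DEALLOCATE procs;
GO
-- 4. Verify: list every explicit EXECUTE permission (grant or deny) that remains
--    on any extended stored procedure, so you can review who still has access.
SELECT o.name AS proc_name, dp.name AS grantee, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.objects AS o ON o.object_id = pe.major_id AND pe.class = 1
JOIN sys.database_principals AS dp ON dp.principal_id = pe.grantee_principal_id
WHERE o.type = 'X' AND pe.permission_name = 'EXECUTE'
ORDER BY o.name, dp.name;
GO
```

Members of the sysadmin role bypass the DENY, so the final query is about catching application logins and other low-privilege principals that were granted more than they need.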

A sideline note -- especially important now that Windows Server 2008 has gone gold -- IIS 7 can simplify permissions when deploying websites.  Instead of setting up NTFS permissions and having to copy them between web servers, you can use URL Authorization to configure the security right in the web.config.  This way all you need to do is copy the files onto the web server and you're done.  No more messing with NTFS permissions.

Hopefully this info will help you to find an easier way to administer your web environment!


When will this administration learn to stop looking for things that don't exist? Weapons of mass destruction in Saddam's hands. Okay, maybe there weren't any. Spinning centrifuges in Iran. Okay, maybe there aren't any. Muslims banding together and plotting to blow up natural gas lines or release sarin in subways. Probably not. Or how about -- me hiding a flippin' explosive device in my shoe while boarding an airplane. Definitely not. But still I have to pay $2.50 every time I board, just to stand in that lengthy line and make my way through the scanners.

I'm tired of it. I love travelling overseas where this kind of nonsense does not exist, and where at this point people are much *more* free than here. Places that aren't steeped in financial turmoil -- their country is not deeply immersed in a completely pointless military exercise, with their Federal bank slashing interest rates in order to postpone the inevitable recession from all the spending.

At this point I hope Winston Churchill's sarcastic saying will still hold true -- "Americans will always do the right thing... after every other option has been exhausted." But this time after all the damage is done will we have enough energy left to do the right thing? Or have we lost a precious piece of freedom forever?

Why of all days did I pick today to rant? Well, today we have Dick Cheney pressuring Congress to maintain the wiretap measure. The same wiretap policy that was first secretly enacted by Bush in 2001. It places a stranglehold on our privacy. Did you know the government can legally turn the microphone on for any cell phone in America -- at any time -- and listen in for as long as they want? This bill is not just about tapping phone calls and emails. It's fairly invasive. At this rate pretty soon every time I fart there will be some sensor reporting it back to Homeland Security.

Let me step back and reminisce for a moment. I was fortunate enough to be born into this great land, whose constitution guarantees freedom for all. For a couple of centuries it really worked pretty well. We had some stinker presidents at times, but checks and balances sorted things out. I think another key thing is that in terms of foreign policy during our first 180 years we were reactive, not out to try to stir up trouble. We were worried about the beam in our own eye, not the mote in someone else's. But now we find ourselves following the conquests of a religious zealot, and we're just now becoming fully aware of the pack of lies that was spun to bring us to this point. Apparently 935 so far, and counting. I feel that so much has been lost, both at home and with the trust of the world, that 100% true freedom may not be found again in America. I don't want to walk out on it though. It's the land that I grew up loving. I have so much respect for the founding fathers. I hate watching people trample our inalienable rights.

We have the rest of the primaries coming up soon. Super Tuesday is just around the corner. I think that the one candidate that can best pull us out of this ridiculous mess is Ron Paul. (The link there goes to Wikipedia, not some fruity campaign page.) He's got a good track record. One of the few Republicans who voted against the Iraq war. He tells it like it is, and doesn't waffle. My friend Paul Schroeder has been bugging me for the past few months to take a look at his platform. I did, and I'm impressed. No wonder he's raised so much money with virtually zero assistance from the media. From what I have seen he's got the most honest, well thought out message out of the whole bunch. If you're registered Republican in a state that hasn't had their primaries yet then I would urge you to see what he stands for, and consider casting a vote in his direction. At any rate, be sure to visit the polls this time 'round. There's a lot on the line.


At the MacWorld keynote this morning Steve Jobs saved the best for last.  Of the 4 major things he spoke about, the final thing was the announcement of the crazy-small MacBook Air.  This is the world's thinnest notebook, sporting an LED edge-lit screen, custom Penryn processor, and all that weighing only 3 lbs.  Small enough to fit in an envelope:

(Steve carried it out on stage in an envelope actually.)

MacBook Air specs:

  • A claimed 5 hours of battery life.  The battery actually consumes about 2/3 of the lower portion, pretty much the entire slender area of the machine!  (We can probably expect an honest 3 hours of use)
  • 0.16" to 0.76" wedge.  (The thickest part of the MacBook Air is thinner than the thinnest part of the Sony TZ series.)
  • Magnetic latch
  • 13.3" widescreen display with 1280x800 resolution 
  • Ambient light sensor to automatically adjust the display and keyboard backlighting
  • Full-sized keyboard
  • Multi-touch gestures available on the trackpad.  (Pinch zoom and rotate by twirling a finger around your planted thumb.)
  • 1.8" 80 gig hard drive, or 64 gig SSD as a pricey option
  • 1.6 GHz or 1.8 GHz Core 2 Duo (low-energy Penryn type in a CUSTOM package made just for Apple!)
  • Connectors include power, USB 2.0, Micro-DVI, and audio

In other news from the keynote, Apple has released their version of Home Server, which they call "Time Capsule".  They are also trying to redefine video rentals with what ends up being movie rentals in a simple iTunes-like interface.  You can watch flicks on PC, Mac, iPod, and iPhone.  With $3 rentals (well, $4 for new releases and $5 for HD movies) it's fairly competitively priced.  And the interface looks pretty slick.  After you rent you can start watching the movie right away while it downloads to your PC, and you have 30 days to finish watching it before it self-destructs.  In conjunction with all this video rental news the Apple TV appliance got a software update and a $70 price cut, now $230.  Watch out NetFlix and Blockbuster!


Got this phishing message in the email this morning:

Subject: Case ID: DXA6E9JK

Body:
Dear Bank of America Military Bank customer,

We regret to inform you that we have received numerous fraudulent e-mails which ask for personal
information. Please remember that we will never ask for personal information through e-mail or websites.

Because of this we are launching a new security system to make Bank of the Cascades cards more secure
and safe. To take advantage of our new consumer Identity Theft Protection Program we had to
deactivate all Debit/ATM cards.

To reactivate your card please call (800) 609-0579 and follow the steps.

Reactivation is free of charge and will take place as soon as you finish the process.

Wow, phishing scammers with a fake (800) number.  That's kinda gutsy, don'tcha think?  Shouldn't it be fairly easy to catch them?  Here's an MP3 recording of what you get when you call:

Note that it's 100% voice-synthesized, so there's no way to track by voice.  Well, it's all voice-synthesized except when you press an invalid option during the first part, which you hear me do in the recording, as it comes up with "that is not a valid option".  Could that possibly be the voice of the perpetrator?

I'm just surprised that even though they ask for card number, PIN, and expiration date, they don't ask for the 3-digit security code on the back of the card.
