
Utah .NET User Group

Home of Utah's professional .NET developers.

Scott Golightly's Blog

  • Good Sites with Bad Content

    I have been getting more phishing e-mail lately that points me to "bad" files on what would normally be "good" sites. Last week I got a message that pointed to index1.htm on a site. Index.htm was the valid home page and appeared to be the personal site for a young lady in Brazil. I couldn't read the page but it didn't look malicious. When I went to the index1.htm page it had a flash application that would tell me that I needed to download a new viewer to view a news article.

    The message today pointed me to a web site for a doctor. The link went directly to a .exe file in the URL so I knew better than to click on it. The interesting thing about this message is that I supposedly got an e-card from "a friend". At the bottom of the message was a link to www.greetingcard.org which has a section for an "Email Scam Alert!" on the lower right of its home page. You would think that the phishers would not put in clues that their e-mail is bogus right in the e-mail. Then again, maybe I should be thankful that they are not better as it would be harder to figure out which e-mails are legitimate and which ones I can blog about.

  • Reset Password Link as a Security Threat

    I read the article at http://redtape.msnbc.com/2008/08/almost-everyone.html about the "Forgot your password" link to reset your password being a possible attack vector. I think they discussed the security issue quite well and also pointed out that there are no reports that this method has been used widely to attack accounts. I know that in all the time that I have had a Hotmail account I have twice gotten e-mails about a password reset that I didn't initiate. The first time I ignored the e-mail until I got a reminder about 10 days later that it was about to expire; the second time I immediately clicked on the link stating I hadn't started the password reset. I also went and changed my password just in case someone had compromised my account.

    The article has some good advice about not using obvious answers to the reset questions. I think this might be one case where my generation has a lot more latitude in choosing a non-obvious answer. While my birth date and mother's maiden name might be easy to find on the Internet, when I was a teenager there was no blogging so I would assume outside of the people that I went to school with and a few close family members nobody would know the name of my first girlfriend. It might be easy for a hacker to guess the answer to that question but hopefully it would take them a few tries and the back end systems would be alerted well before they guessed the correct answer.

    Another tactic that I have used is to pick an "obvious" question but then give it a false answer. As was pointed out in a recent issue of the RISKS digest, they aren't validating the answer, just that you can type in the same value twice. I use the name of my pet as a question but rarely if ever use Max, which was the name of my dog, and instead make up other "names". The best are a semi-random set of numbers and letters that aren't even a name, so if someone is running a dictionary attack of the most common pet names your answer will not be in the dictionary.

    To help me not forget the password in the first place, or to remember the answer if I need to, I can always look at my Password Minder file. The thing I like is that it will automatically generate random passwords for me and has a notes area where I can write down my secret question and answer. The data (both passwords and comments) is encrypted on the disk so I feel pretty safe about it not being stolen from me.
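    The dictionary-attack point above, seen from the server side, as an added example that is not from the original post: the answer to a "name of your pet" question is stored as a salted hash, compared with a per-account attempt budget, and the question locks (the point at which the back end should alert the owner) long before a made-up answer could be guessed. The list of common pet names, the attempt limit and the accounts are constructed for illustration.

```python
"""Reset-question verifier with an attempt budget.

Added example, not code from the blog. COMMON_PET_NAMES and MAX_ATTEMPTS
are constructed values chosen for the demonstration."""
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5          # constructed: lock the question after this many misses
PBKDF2_ROUNDS = 50_000    # slow hash so an offline guess is also expensive


def normalize(answer):
    """Case and surrounding whitespace should not count against the real user."""
    return " ".join(answer.lower().split())


def hash_answer(answer, salt=None):
    """Salted PBKDF2-HMAC-SHA256 of the normalized answer; new salt if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class ResetQuestion:
    """One account's secret question: stored digest plus failure counter."""

    def __init__(self, answer):
        self.salt, self.digest = hash_answer(answer)
        self.failures = 0
        self.locked = False

    def check(self, attempt):
        """True only for a correct answer while the question is still unlocked.

        After MAX_ATTEMPTS wrong answers the reset path is disabled; a real
        system would notify the account owner here, so that the 'back end is
        alerted' well before a dictionary of names is exhausted."""
        if self.locked:
            return False
        _, candidate = hash_answer(attempt, self.salt)
        if hmac.compare_digest(candidate, self.digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
        return False


# Constructed wordlist standing in for a 'most common pet names' dictionary.
COMMON_PET_NAMES = ["Max", "Bella", "Buddy", "Lucy", "Charlie", "Daisy", "Rocky", "Molly"]


def guesses_until_success(question, wordlist):
    """Number of wordlist entries tried before a hit, or None if the question
    locks first or the list runs out without a match."""
    for count, name in enumerate(wordlist, 1):
        if question.check(name):
            return count
        if question.locked:
            return None
    return None


if __name__ == "__main__":
    print("real pet name:", guesses_until_success(ResetQuestion("Max"), COMMON_PET_NAMES))
    print("made-up answer:", guesses_until_success(ResetQuestion("q7x2 vb9k"), COMMON_PET_NAMES))
```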

  • PDC Early Bird Discount Extended

    I got an e-mail stating that the PDC 2008 early bird registration deadline had been extended to Monday, September 8. That means that you still have time to save on registration. Here is a snippet of the body of the e-mail with more details on the Professional Developers Conference.

    Get Your Head above the Clouds at PDC2008

    Have you ever attended a Microsoft Professional Developers Conference? It’s an event so packed with great information and new technology, attendees claim their brains start sending back “out of memory” error messages. That’s what happens when a torrent of peer-to-peer geekology throttles your cerebral cortex.

    At PDC2008, you can engage your senses and discover what’s new with Cloud Services, Live Mesh, Windows 7®, multi-core development, the Dynamic Language Runtime, and F#. There’s also much more, but we want to save a few surprises.

    Oh, and here’s a little bonus for you: when you register before September 8th, you’ll save $200 USD. Sweet!

    Let’s break it down:

    · PDC2008 is the place to hear about the future of Microsoft’s platform. You’ll hear from the actual engineers that architect and build our technologies, and they’ll blow your mind with everything they have to reveal.

    · And what about the UnSessions, better known as Open Space? It’s our conference-within-a-conference for attendees…Microsoft folks need not apply. You can also spend time in our Hands-On Labs, which is like a big sandbox for geeks like us.

    · Use your Jedi mind tricks to convince your boss to let you sign up for one of 10 super deep pre-con sessions, presented by industry experts and Microsoft technology leaders.

    · Hear Ray Ozzie and other executives (don’t worry, they used to write code too) share their perspectives on the future of technology and computing. We call them keynotes, and you can expect some big news.

    So, if you value your brain, we’d love to see you at PDC2008. Let us help you get your head above the clouds!

    Register (http://www.microsoftpdc.com/Registration/) for PDC2008 by September 8th at (www.microsoftpdc.com) to save $200!

    PDC2008 Dates and Location

    WHEN:
    October 27-30, 2008
    Pre-cons October 26, 2008

    WHERE:
    Los Angeles Convention Center (http://www.lacclink.com/), Los Angeles, CA

    REGISTER NOW (http://www.microsoftpdc.com/Registration/)

  • Get a Word Cloud at Wordle.net

    I ran across an application at http://wordle.net that will allow you to paste in a bunch of text, the URL of an RSS or ATOM feed, or a del.icio.us user name, and it will read the text, remove common words, and then create a word cloud. I created one for my blog.


    The most surprising part of this word cloud to me is that the largest words don't necessarily match with the tags that I have defined. I think I will have to rethink my tagging system to make sure that content is easy to find.

  • August UCNUG Meeting

    Join us on Wednesday, August 20 for our monthly meeting. The meeting will start at 6:00 at the NuSkin NOC located at 1175 S 350 E, Provo. Our topic will be continuous integration and the speaker will be Craig Berntson. Here are some more details on the meeting:

    Continuous Integration with .Net
    Continuous Integration is a development practice where code changes are continuously checked in to source control and then automatically checked out, built, and tested. Whether you are a one person shop or have many developers, by using Continuous Integration, you will improve the quality of your software and increase your productivity.

    This session will show you how to use Continuous Integration in your daily development by integrating several free tools. Attendees will learn:
    - How to implement Continuous Integration methodology into the development process
    - How to automate code check out and the build
    - How to automate unit testing, code standards checking, documenting, and other needs
    - How to report the results of all the automation to the development team

    Craig Berntson is a Microsoft Certified Solution Developer and has been a Microsoft MVP for over 10 years. He wrote the book “CrysDev: A Developer’s Guide to Integrating Crystal Reports”, available from Hentzenwerke Publishing. He has also written for FoxTalk and the Visual FoxPro User Group (VFUG) newsletter. He has spoken at various developer events in North America and Europe. Currently, Craig develops hospital software for a Fortune 100 company in Salt Lake City.

  • PDC Plans Coming Together - Register Soon

    Microsoft has been busy planning for PDC. Some important things that you may need to know.

    1. The early bird discount ended yesterday so if you were counting on that to persuade your boss you need to come up with some other justification. The registration link is http://www.microsoftpdc.com/Registration/

    2. Microsoft has been posting additional sessions. You can check out the agenda at http://www.microsoftpdc.com/Agenda/

    3. If you can't get your boss to pay for your trip and conference fee don't despair. You may still be able to get a chance to go to L.A. through one of the several contests running on the PDC site. Check out the different contests and the prizes at http://www.microsoftpdc.com/Social/Contests.aspx

  • I'm Back Blogging Again

    It has been almost a month since I posted last. Part of it has been that I have been busy but the biggest part was that the computer that I was hosting my blog on decided to die. I am still not 100% sure what the problem is but the machine would only boot about 1 in 4 times and then would tell me that it couldn't find a core Windows Server file. After spending a couple of days trying to fix the problem I decided that now is the time to upgrade the hardware (I had been contemplating it for a while). I ordered the hardware but between shipping problems and my travel schedule I didn't have a lot of time to work on the new machine. Unfortunately remote access doesn't help me add memory or hard drives to a case. I got a new machine with dual processors, mirrored system disks, and 4 GB RAM. I also got to upgrade to the latest version of dasBlog.

    I installed Windows Server 2008 with Hyper-V and have started setting up virtual machines for things like my domain controller, this web server, etc. That will hopefully allow me to not have another month long crash and even if something that is not redundant in the machine dies I can start up the virtual machines that I really need on another machine to get it up and running quickly. I will also have the ability to create virtual machines to check out new technologies.

    While I was down a lot of interesting things happened but the one that sticks out most in my mind is the Release To Manufacturing (RTM) of SQL Server 2008 last week. I am looking forward to learning more in the months and years ahead.

  • BizTalk Services "R12" CTP Released

    Here is the body of an e-mail that I got announcing that the latest CTP of BizTalk Services has been released and is ready for us to start working with and providing feedback on.

    Announcing the BizTalk Services "R12" Release

    We're thrilled to announce that the BizTalk Services "R12" Community Technology Preview (CTP) is now available for general use.

    "BizTalk Services" is the code-name for a platform-in-the-cloud offering from Microsoft. Currently in active development, BizTalk Services provides Messaging, Workflow, and Identity functionality to enable disparate applications to connect quickly and easily. Combined together in an integrated offering, these capabilities deliver a Service Bus architectural pattern that is immediately usable by applications that need to connect across the Internet.

    Many enterprises employ the 'Enterprise Service Bus' pattern to interconnect disparate systems within an organizational domain. Built on Microsoft platform technology, an ESB might include building blocks such as Windows Server, Active Directory, BizTalk Server, as well as the Windows Communication Foundation and Windows Workflow Foundation technologies included in the .NET Framework. "BizTalk Services" extends the concept of an ESB to truly exploit the Internet, for instance by exposing individual service endpoints in a secure fashion or by selectively federating elements of distinct identity systems to facilitate cross-company collaboration.

    For ISVs and Solution Providers creating specialized business solutions that enable collaboration and information exchange across increasingly mobile and distributed work-forces, "BizTalk Services" provides the cloud-based platform building blocks to create sophisticated (Internet-) Service Bus solutions with broad reach that could otherwise only be realized by operating dedicated Data Centers of significant complexity - which is often out of reach for both ISVs and their customers.

    Major Changes

    With the release of BizTalk Services "R12", developers must update all clients and SDK installations to the new release.

    New in R12 - Workflow

    The most exciting new capability we've added in the "R12" CTP is Workflow. These new cloud-based Workflow capabilities enable 'service orchestration' from the cloud. This specialized cloud-based, or hosted, Windows Workflow Foundation runtime can orchestrate services that connect to systems in your enterprise, or to systems running anywhere on the Internet via Web services messages. This new power and capability will enable an entirely new set of application scenarios, and we're very excited to see what people will do with it.

    In the SDK you will find samples showing how to create and control Workflow instances hosted on the BizTalk Services cloud, including a sample Workflow implementation that monitors the availability of a website and fires multicast events into the service bus indicating the state.

    New in R12 - Identity

    For R12, the BizTalk Services Identity Service has been expanded and enhanced to enable more flexibility for scenarios demanded by our customers. R12 introduces a new approach for creating, viewing, and managing access control rules. This approach relies on a few key principles outlined below:

    * Every Identity Service account owns a Security Token Service (STS).

    * An STS is composed of one or more scopes.

    * A scope contains zero or more access control rules.

    * An STS owner can grant another Identity Service account permission to edit the access control rules in a scope

    A practical illustration to clarify: The Messaging Service owns an STS whose root scope is http://connect.biztalk.net/services/. When you create a new account (newaccount) in the Identity Service, the messaging service creates a new scope http://connect.biztalk.net/services/newaccount. The Messaging Service then grants (newaccount) the permission to create access control rules in that scope. Any communication endpoints hosted there can thus be secured by the owner of the scope. Rules from R11 accounts have been migrated to the "root" scope of the new account.

    On the protocols front, we've added several new capabilities for 'REST' services. We now support integration with Windows Live ID and have added RFC2617 Basic and HTTPS/Client Certificate support for acquiring security tokens using simple HTTP GET requests.

    New in R12 - Messaging

    Connectivity Modes

    The most fundamental new feature area in the Messaging service is the new 'connectivity mode' settings on the RelayBinding. Before this release, BizTalk Services clients and listeners always required outbound TCP ports 808 and 818 to be available for connecting to the BizTalk Services cloud for all connection modes except the clients of a listener running with ConnectionMode.RelayedHttp.

    In this release we are introducing three different connectivity modes: Tcp, Http, and AutoDetect. The connectivity mode can be set on a static property of the RelayBinding. The Communication\ExploringFeatures\ConnectionModes\Multicast sample shows how. For clarity: 'Connection Mode' defines the type of end-to-end connection that is to be established through the Relay. 'Connectivity Mode' defines how a particular endpoint connects up to the Relay.

    The 'Tcp' connectivity mode is the most efficient one and works as in previous releases. The 'Http' mode is new. It creates a volatile FIFO buffer for messages in the BizTalk Services cloud and polls for messages using HTTP 'parked requests'. The Http model exhibits delivery latency characteristics similar to Tcp mode, albeit with slightly higher bandwidth consumption on idle connections. The 'AutoDetect' mode will check whether TCP connectivity is available and will choose 'Tcp' if that's the case and 'Http' otherwise.

    The new HTTP-based connectivity option is only effective for the RelayedOneway, RelayedMulticast and RelayedDuplex connection modes. RelayedDuplexSession, HybridDuplexSession, and RelayedHttp (listener only) still require TCP connectivity at this time.

    Transport Credentials and Unauthenticated Access

    Also, in the "R12" release, the model for specifying the client credentials for the Relay has now been closely aligned with the standard WCF client credentials model. Instead of picking and instantiating token providers, there is now a TransportClientEndpointBehavior that holds all credential information and credential types. The samples in the Communication\ExploringFeatures\RelayAuthentication of the SDK download clarify the use of this new behavior.

    We have added a pair of 'WebNoAuth' samples which introduce a new capability that we had a lot of requests for: Unauthenticated client access. When registering a service listener you can now explicitly waive the authentication requirement for clients connecting to your service. This is very useful in Web scenarios where you want to enable any HTTP client to connect to your service and don't want them to authenticate in any way. For the time being we suggest that you always use this new unauthenticated access mode for RelayedHttp services until we release the update for the 'Web' client authentication capability.

    For R12, we have omitted the 'Web' (REST) samples for Relay authentication since that area is undergoing some substantial protocol changes. The update for this will be released soon. In the interim, existing applications that were built on a prior release of the BizTalk Services SDK to use the authentication technique shown in the R11 'Web' sample must be modified to use unauthenticated access as shown in the new 'WebNoAuth' sample.

    Give it a try

    The new BizTalk Services "R12" CTP is online and available now for your use. The SDK is available at http://labs.biztalk.net. If you already have an account for BizTalk Services, your accounts and settings have been migrated to the new environment. If you don't have an account yet, just sign up, download the SDK, and get started creating the new generation of connected applications.

  • Detecting Phishing E-mail

    Yesterday I got an e-mail saying it was an open letter from United Airlines to its "best customers" about the high cost of fuel and how it is causing problems in the industry. The gist of the e-mail was that speculation on the cost of oil is what is driving up the cost of oil and that the government needs to regulate the market to save us all from high fuel prices. I was immediately suspicious because I have flown United Airlines but do not have enough miles to be awarded any status in their frequent flier program. The e-mail was "signed" by the executives of several airlines asking me to  I didn't click on the link for several reasons.
    1. I was busy and didn't think I had the time.
    2. The text on the link and the actual link didn't point to the same web site. The link goes through unitedoffers.com which could be a web site by United Airlines but I didn't want to spend the time to check it out.
    3. As I already stated I was a little suspicious of the "best customers" claims.
    4. I generally don't click on links in unsolicited e-mail but instead prefer to go directly to the web site linked to.
    5. The emotional nature of the subject. When I get an e-mail that gets me fired up and angry I always try to stop, calm down, and think a little before I do anything with it. This was drilled into me early on in my career by a VP of Software Engineering who would talk a lot about Career Shortening Moves.
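    Two of the checks above can be automated: reason 2 (the link text and the actual href point at different sites) and, from the e-card post earlier on this page, a link that goes straight to a .exe. The following is an added example, not code from the blog; the HTML message it scans is constructed, and the one-point-per-finding tally mirrors the scoring used later in the post.

```python
"""Score the links in an HTML e-mail body for the two phishing tells discussed
on this page: visible link text that names a different site than the href,
and an href that hands the reader an executable.

Added example, not from the original post; SAMPLE_EMAIL is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".com")
# Text that reads as a URL or bare domain, e.g. 'www.united.example/offer'.
URLISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_host(text):
    """Host named by a URL or URL-like text, lower-cased and without a leading
    'www.'; None when the text is not URL-like ('click here')."""
    text = text.strip()
    if not URLISH.fullmatch(text):
        return None
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname or ""
    return host[4:] if host.startswith("www.") else host


def score_links(html_body):
    """Return (score, findings); each finding is one point toward 'phishing'."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if not href:
            continue
        target, shown = link_host(href), link_host(text)
        if shown and target and shown != target:
            findings.append(f"text shows {shown} but link goes to {target}")
        if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"link downloads an executable: {href}")
    return len(findings), findings


# Constructed message: one mismatched link, one direct .exe link, one honest link.
SAMPLE_EMAIL = """
<p>An open letter to our best customers.</p>
<p>Read it at <a href="http://www.unitedoffers.example/track?u=42">www.united.example/openletter</a></p>
<p>View your e-card: <a href="http://doctor.example/card.exe">click here</a></p>
<p>Unsubscribe: <a href="http://www.united.example/unsub">www.united.example/unsub</a></p>
"""

if __name__ == "__main__":
    score, findings = score_links(SAMPLE_EMAIL)
    print(f"+{score} for phishing e-mail")
    for finding in findings:
        print(" -", finding)
```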

    Later in the day yesterday I got my monthly notice from Delta Airlines about my frequent flier account. Since I fly with Delta and have a lot of frequent flier miles I was sure they would mention this open letter since they were one of the signers. They didn't so I was pretty sure it was a phishing e-mail. I went on my way smug in my assurance that I had done the right thing.

    As I was watching the local news they ran a story about the open letter. The story was more about the rising cost of fuel for airlines and the number of layoffs each airline had announced for this year but they did mention the open letter. So then I got to thinking that maybe the letter was legitimate.

    This morning I spent a few minutes looking around for the answer to the question on whether the e-mail is valid or not. Here is what I found out.

    When I went to the TV station's web site I couldn't find the article in the list of most recent articles. I also tried their search on the site but it couldn't find the article either. That makes me wonder why other stories from last night are on the web site but not that one. [+1 for phishing e-mail]

    I checked the United Airlines, Delta Airlines, and Delta Airlines blog sites but didn't see the open letter mentioned on any of them. [+3 for phishing e-mail]

    Unitedoffers.com redirects back to the United Airlines web site. [+1 for legitimate e-mail]

    I typed in the address of the link in the e-mail. The site looks like it is calling for reform of the oil speculation market. I haven't clicked on any other links. [+1 for legitimate e-mail]

    Doing a Live search and a Google search for the web site brings up the web site, a lot of people asking in forums if this is a real site, and some descriptions like this one:
    "Go to the web site and enter your zip code so your representatives can be identified. Next, enter some personal information and emails get sent to the peeps that made an oath to serve." [Neutral since I don't know what personal information they are collecting]

    In the end analysis I decided that I wasn't curious enough to go to the web site and enter my personal information (or even get to the page where I could see what the information they are asking for is) so I may never know if this is a legitimate e-mail or not. If I start seeing it posted to the official web sites of the airlines that supposedly signed the document I will probably decide that it is legitimate and then see if I want to sign the petition. The other thing that I have decided to do is to give into the emotion that I felt when I first read the e-mail and look up the e-mail address of my Senators and Representative and ask them if they have seen this and if there is anything that they can do.

  • SQL Server 2008 Coming Next Month

    According to eWeek at http://www.eweek.com/c/a/Application-Development/Microsoft-to-Deliver-SQL-Server-2008-in-August/ Microsoft announced that SQL Server 2008 will be released next month. I have been playing with the release candidate 0 for the last couple of weeks, specifically looking at the spatial data types. I have enjoyed it and can see many applications for this technology. I am looking forward to the full release.

  • .NET 3.5 Webcasts for July

    Make sure that you check out the list of webcasts for .NET 3.5 at http://www.microsoft.com/events/series/msdnnetframework35.aspx?tab=webcasts&id=liveall. There are several webcasts scheduled for this month by a bunch of good speakers.

  • New Windows CardSpace Web Site

    Microsoft has set up a new web site for Windows CardSpace. It is geared to the end users and will be useful for people like my parents to help them understand what Windows CardSpace is and why it might be important to them. It doesn't have any technical information (although it does link to several useful sites) so I wouldn't expect it to be some place I visit daily but I hope it will help to grow the number of people who understand the advantages of Windows CardSpace.

  • Bill Gates' Last Day

    There has been a lot of press coverage about Bill Gates leaving his day-to-day activities at Microsoft to focus on philanthropy. As I have been reading them I have been thinking about what it will mean for Microsoft. I have seen several companies where the founders have left. In most cases the transition was smooth because everyone understood their jobs and realized that what they were doing wouldn't change. Over time, however, the new leadership started to change things and the companies took on a new feel. This transition happens every day on a much smaller scale when a manager leaves a team or sometimes even when a new member joins a team. What makes this so newsworthy is the size of Microsoft and the effect that its products have in our everyday computing life. I would venture to say that even if you have never used Windows (say using *nix or the Mac exclusively) you are still influenced by what Microsoft does just because people will ask you questions about their Windows machine.

    I wish Bill Gates the best of luck in his new ventures and hope that his work will have a huge positive effect on the world. It would be nice if we could see some of the diseases that have been eradicated in the United States completely eradicated in the world, learning opportunities for more of the people in the world, and technology solving more problems that don't revolve around profit and loss. I don't know that it will lead to world peace but we can always dream that someday all of the efforts of the good people in this world will lead to something like that.

  • Advice May Not Always Be Free

    I am sure you have had a time in your life when it seems like everyone gives you advice. It might be graduation, marriage, the birth of a child, a change in jobs or something that prompts the people around you to offer advice. Most of the time you are forced to smile pleasantly, act like you are going to take the advice, and then wait until the giver of the advice is out of earshot to mumble to yourself about how you wish people would leave you alone. Occasionally you really need advice and go looking for it. One of those cases might be if you thought that your personal information had been stolen. You would expect that the government that had issued the identity claims would have the best advice on how to fix the problem.

    I read an article about the web page at http://www.hmrc.gov.uk/manuals/nimmanual/NIM39140.htm that will tell people in the UK how to handle the case where their National Insurance Number has been abused. (The original article likened the National Insurance Number to the US Social Security Number, but whether they are similar or not isn't really important here, just that someone thought you should have a way to report/fix fraud of the National Insurance Number.) The web page has a title that boldly proclaims:

    NIM39140 - National Insurance Numbers (NINOs): Format and Security: What to do if you suspect or discover fraud

    You can see from the formatting that there are several paragraphs and bullet points that should give you the information that you need. However each and every paragraph and bullet point is replaced by the text:

    (This text has been withheld because of exemptions in the Freedom of Information Act 2000)

    This leaves you wondering what you should do if you suspect or discover fraud. I haven't looked around to see if there is any information on another web site or if you are just stuck going back to the people who always give you advice and asking for some. This time, however, you will need to listen closely and follow their advice.

  • .NET Framework 3.5 Webcasts for June

    I meant to blog this earlier but the page at http://www.microsoft.com/events/series/msdnnetframework35.aspx?tab=webcasts&id=live lists the webcasts for the .NET Framework 3.5. There are several 100 level webcasts on ADO.NET Data Services and WCF to help you get started along with some 400 level webcasts for those who want to go deep into the technology.

Copyright © 2000-2007, Utah .NET User Group
Powered by Community Server (Commercial Edition), by Telligent Systems