December 13, 2006

C00D2EEF Unable to locate the media server. The operation timed out.

While toting my laptop between home and my client, I need to change the internet settings for proxy server and automatic configuration script. I had accidentally left my proxy server checked when I got home and then installed the Zune software. Naturally the Zune media player took the settings from Internet Explorer (you *ARE* on IE 7.0, right? :) ).

Becuase of this, I was able to view and search in Zune Marketplace, but could not connect to the media server. These settings are located under Options -> Playback -> More Options... -> Network tab, and then find HTTP in the listview and configure the proxy properly.

Hopefully no one else runs into this, but if you do....


Zune, Baby!

I'm sitting here listening to Sour Girl by STP on my new Zune (this year's fabulous Holiday gift from Magenic). I'm on the 14 day pass right now and will definitely be doing some exploring! :)

More to come on the Zune experience...


November 12, 2006

.NET 3.0 links

We're all excited that .NET 3.0 is here. Here are a few links and comments to help you out...

If you have previous versions of .NET 3.0, PLEASE PLEASE PLEASE do yourself and your friends a huge favor and run the Pre-released Microsoft .NET Framework 3.0 Uninstall Tool.

Once you've installed, the RTM link to .NET 3.0 is: here

UPDATE: 11/30/2006 : 3:11pm
Apparently i'm not the only one happy about .NET 3.0 shipping.  Aaron Skonnard just posted a link of Doug and Don dancing and singing on channel 9


Code Camp 2006 - What a great day

The inaugural Twin Cities Code Camp was yesterday at New Horizons of Minnesota in Edina, MN.  I don't have the exact stats, but I heard there about 140 attended!

The facilities were first rate, Magenic provided plenty of pizza and soda for lunch, and the camaraderie was excellent.  I saw .Net people talking to Ruby people talking to Java people; it really warmed the heart :)

I attended the following sessions:

  • Neil Iversen's SharePoint as a Development Platform
  • Jason Bock's State of Languages in the CLR
  • Robert Boedigheimer's Utilizing .NET Cryptography
  • Andy Morrison's Building Reusable Business Processes in BizTalk
  • (my session) Securing Web Serivces in WCF
  • Scot Yokiel's Intro to WCF

Being a security enthusiast, Robert's session was one of my favorites. It distilled the essence of hashing and crypto into very tidy, bite-sized pieces to digest. Grab the slides/code and check it out. Robert has a really nice demo on how to tamperproof querystrings, which has implemented.

The content was first rate, I got to meet a lot of people, see a lot of old friends, learned a lot (technical and about presenting) and the post-event speaker party was good clean fun as well.

Thanks again to Jason Bock for getting this started.  Thanks to all of you who attended, presented and sponsored food/prizes.  I'm looking forward to the next one (April 2007???)!


November 07, 2006

Some Halloween pairing wisdom from Mr. Fowler

I was catching up on some blogs this afternoon and ran across this one from Martin Fowler's posted on 10/31/2006...

From my experience, XP/Agile has a lot to do with doing what makes sense in development and getting rid of the stuff that doesn't and if something is 'Agile', very little is mandated or else it wouldn't be very 'Agile', right? :)

I've been on teams where pairing is done.  One particular project we did a lot of pair programming which turned out very nice IMHO.  There were few bugs, we hit our estimates and the code was clean and well-factored.  Most importantly, the client loved it and it solved a real business problem!!!

Another pairing benefit (which Mr. Fowler alludes to in his final point) is in the area of code reviews (you *ALL* do code reviews, right?).  Just like documentation, security, and testing, code reviews are sadly one of the first qualities to go when a project gets behind because “there's not time to do it”, even when the reality is that “there's not time not to do it”.  I see too much poor quality code get written and developers spending too much time firefighting because of hastily constructed in “heroic code“.

The final point in Mr. Fowler's post is about code smell; I have nothing to add except “RIGHT ON”!  Developers constantly raise the layer of abstraction to raise productivity which is why we don't write business apps in assembly anymore.  Duplicated code stinks, espically when there is a bug in it and it gets copied throughout the organization...grrr...

I think developers should give pairing more thought; if for no other reason than to reduce the chance of carpal tunnel syndrome by 50% :) 


November 01, 2006

Back from darkness + CODE CAMP IS NEAR!!!!!!!!!!!!!

Blogging has been on the backburner for a while due to project deadlines at my current client. After AJAXifying a couple of pages, making them IE and FireFox compatible and fixing some JSON, it looks like the project is sitting in good shape, so I'll rip out a few blog posts again. :)

As Mr. Bock points out, Twin Cities Code Camp is coming up in less than 2 weeks (11/11/2006, yes that is a Saturday but come on out and build the community and/or learn something!). If building community or learning (voice of Austin Powers here) "aren't your bag baby" (back to my voice, sorry), you can at least come out and win some fabulous prizes donated by some very generous contributors.


October 31, 2006

VB 6.0 + Microsoft InteropForms Toolkit 1.0

Brad Abrams posted a link to the Microsoft InteropForms Toolkit 1.0 on his blog today. This should be very helpful in gracefully pulling existing VB 6.0 resources into the .Net Framework.


October 15, 2006

Arithmetic overflows/underflows in C#; yes it is possible

I've been meaning to write about this for a few weeks; better late than never!

On day 3 of Building Connected Systems, Mr. Brown mentioned that it is possible to overflow numeric variables in C#. This surprised many other students in class (myself included) as developers assume 'managed code' takes care of this like it does with array bounds checking. From my understanding, VB.NET does not allow this scenario (I have not verified this, but trust Mr. Brown's assertion)!

When I started writing this entry, I was just going to do Int32, but after expanding to other integral and float types, I noticed differing behavior in how the .NET runtime handles this scenario. So, to try this out, I fired up a C# console app Visual Studio 2005 and here's what I found:

  • int.MaxValue + 1 == int.MinValue (it overflows and wraps around with no exception)
  • uint.MaxValue + 1 == 0 (it overflows to zero since it is unsigned; no exception thrown)
  • float.MaxValue + 1 == float.MaxValue (yes, the runtime handles the overflow, no exception is thrown, but it behaves differently tha int and uint)
  • double.MaxValue + 1 == double.MaxValue (same as float)
  • decimal.MaxValue + 1 throws a System.OverflowException

Keith's recommended turning on overflow checking for all C# projects and then using the 'unchecked' statement if you really need to squeeze performance out of your code. (My aside on this is that if you're really writing high perf code, perhaps managed code is not the optimal tool for the job?? One of my favorite Fergesonisms (circa 1998) is: "Use the right tool for the right job".
To turn on overflow/underflow checking in your C# project:
1. Right click on your project in the Solution Explorer and select Properties
2. On the Build tab, click the Advanced button
3. Make sure "Check for arithmetic overflow/underflow" is checked

An FxCop Rule or source control checkin policy would be two good tools to build around this! :)


October 12, 2006

New metasyntactic variable or What is a Manamana?

I think that Manamana would make an excellent metasyntactic variable.

If not, at least you can watch the video and get a moment of levity during your work day! :) It is highly recommended to start scrum meetings with :)


Cat cloning company "Declawed"

Who ever would have guessed that cat cloning is not economically viable?!?!?!?!?!

Associated Press Business News: Cat-Cloning Company to Close Its Doors - MSN Money


October 03, 2006


For those who missed Aaron Skonnard's post on this today, the PAG team just released the new version of the Web Service Software Factory for WCF RC1. This is the same WSSF that I was referring to on Day 2. This is just the WCF version and not the ASMX version.


September 29, 2006

Time wasters for today

Sometimes we all need to dis-engage the mind for a bit.

Isaac, the QA engineer on our project team, has a knack for finding fun diversions:

Line Rider
Flash laser game


September 26, 2006

Lost email, culture and hiring

Someone was kind enough to email from this blog after reading a post asking about Magenic culture and what it's like to work here. I apologize for not replying, but I (insert embarrassed smiley face here) lost your email.

Please feel free to send another email and I would be happy to talk to you!

This brings up a good topic; in case you're aggregating this feed and don't visit the site, Magenic is always looking for good people. Check out the Careers page for more info.


September 25, 2006

IIS 7 Resources

Last week while I was in training, Eric Deily, a Program Manager on the IIS 7 team, came in to talk about the work they are doing. I tried to take good notes to pass along!

  • They have their own web site with code samples/demos/forums. Eric says the product team members actively monitor and watch the forums.

  • There is a link to the feature matrix  

  • There is a much better extensibility story. Developers will be able to swap in/out components. e.g. if you don't like how the static file handler works, you can write your own and replace the one that ships with IIS (via config)

  • That beast Metabase.xml is going away, replaced with a much better configuration UI and XML structure (much rejoicing there)

  • For those using PHP, there will be a module to support you

  • CGI is turned off by default (in the spirit of reducing your attack surface area)

  • It has web services exposed for remote server config (no more DCOM here) secured via Transport Layer Security (TLS/HTTPS)

  • Appcmd.exe will replace the admin scripts

  • They are VERY concerned with backwards compatibility - no web site left behind :)

  • Inetfino.exe is not installed unless you install the "IIS 6 management compatibility" component. This is a BIG CHANGE if you have scripts/developers who use iisreset on a regular basis.

  • Much more diagnostics/tracing built in. You will be able to do a dump at the app domain level if needed.

  • Microsoft PSS helped write more detailed error messages with suggested courses of action

  • You can play with this before Vista/Longhorn server comes out at

  • IIS7 will NOT BE on SERVER 2003. Eric said this was a technical limitation, not a marketing one!

  • For Longhorn Server, the team is focusing on the server-farm scenario

  • Eric did a very cool demo/sample at of writing your own module to replace the directory browser to build a photo gallery type of feature!


September 22, 2006

Building Connected Systems - Day 5 (the last day)

WOW, what a great week; this was a top-notch experience all-around!

Kudos to Pluralsight for putting on a great class. Covering this many topics in a week is a tall order but they pulled it off admirably!

The class was held at the Redmond Marriott Town Center where we received first class treatment and accommodations. I hope Pluralsight is able to keep using this location for future events.  (As a bad pun, their employees were very 'service oriented') :)

Clearly, Pluralsight has some of the best instructors in the industry (which is why I wanted to come here in the first place; if you're going to spend time and money on training, it had better be good training!).

Today, we're down to the eye-candy topics: WPF, Fritz did an AJAX demo with Atlas.

From a personal standpoint, I got to see my friend Brian (a Microsoftie) a couple times. Eric Deily from the IIS7 team came out to talk about features of IIS 7.0 which was very intresting. The IIS7 team has spent a great deal of effort in allowing you to swap in/out modules via config at a server->application level. This helps an admin pare down the server features to reduce attack surface, which is a good thing. If you want to write your own modules, you can swap out the built-in ones with your own (e.g. if you think you can build a better static content handler, go-for-it)!

Please feel free to email me (jeffk at Magenic dot com) if any of the blog posts about this week raise questions, etc...espically the areas of WCF and security!

It's fun being here in Seattle, but I'm realy looking forward to getting home again!


September 21, 2006

Building Connected Systems - Day 4

Ok, my mind is oatmeal now :) but i'm going to blog about today anyway!

Keith did the Workflow WWF (WF) lecture and lab today. In WF:

  • the Activity is the main unit of execution, reuse and composition

  • right now, integration between WF and WCF is not a great developer experience right now (this will improve as the WF and WCF teams have merged to the Connected Systems Division)
After the WF lecture, Keith left us in the very capabable hands of Mr. Fritz Onion who led us through ASP.NET 2.0 stuff for the rest of the day (UI, Data and web parts). After 3 days of solid learning, Fritz was kind to the class and didn't beat on us too much! :)

At the end of the day, Don Smith from the Microsoft Patterns & Practices Team (PAG) came in to talk about the good work they're doing and did demo of the WCF Service Factory. I'm really looking forward to the new build of this tool which supports the RC1 of the .NET 3.0 framework! Don was a blast to listen to and I know the class was glad he came out to talk to us!

One more day! :)

September 20, 2006

Building Connected Systems - Day 3

Today is 'Security Day' with the esteemed Keith Brown leading the class. We talked about lots of WCF-Security stuff, and also a lot about web security.

Some of the more interesting web security things were:

  • The Code Room - Vegas starring Keith Brown et. all.  It is a fun little poke at security on web sites and shows session hijacking and SQL injection.

  • Keith has an excellent set of tutorials about input validation located at All developers should be using these techniques to improve web site security!

  • Integer overflow in managed code exists in C#!!!! This suprises a lot of people (myself included). Keith recommended turning on checking at a project level, and use the 'unchecked' statment if you really need to 'squeeze' performance and bypass the overflow/underflow checking.

  • I got Keith to sign my copy of The .NET Developer's Guide to Windows Security (ok, a bit nerdy I admit)

  • The Cookies and tamper detection module is excellent!

  • We did a lab on input validation using regular expressions. Here is a good link to the PAG site on common regular expressions. Remember, all user input is EVIL and NOT TO BE TRUSTED!

  • Manageability (instrumentation) often gets overlooked in apps because we're too busy building features. However, when it comes time to debug, it is difficult to impossible to quickly find the problem. The .Net Framework makes it trivial to write to the event log and Windows performance counters and there is no reason not to do it!

My brain is full for today. Time to relax for a bit and get ready for days 4 and 5.


Building Connected Systems - Day 2

Day 2 was excellent. Aaron did a demo on the Web Service Software Factory. If you have not seen this, check it out. It is something the PAG team built to help accelerate initial project creation. It creates a solution with multiple projects (web service layer, biz object layer, a mapping layer, and even some test projects). Ther is also one available for WCF, but as of this post there is no a version for RC1 available yet. I strongly encourage y'all to check this out as it seemed very useful! After that We focued on WCF concepts; contracts, serializers, behaviors and bindings. To end the day, Microsoft Connected Systems Division (think: WCF + BizTalk) Archtect Steve Swartz came in and talked about potential future directions. Some interesting comments were:

  • WCF is happy with SOAP or REST

  • MSFT is going to push more services "into the clouds": e.g. there is already a beta STS service available here

  • MSFT is going to try to make BizTalk more of a .Net extension and not a silo of its own.

  • Improve developer tools; e.g. if a developer wants to publish an RSS feed, it should be as simple as instantiating a class and 'start pumping RSS out'.

  • Start thinking about 'claims' in the security space. Check out Kim Cameron's blog for more information.

  • Autonomy is 'a' value - it is not the 'one' correct architecture value. (think: 4 tenets of SOA)

Steve was a blast to listen to; scary-smart guy!


September 19, 2006

A funny from day 2 of class

"WSDL is like the sun; it's great and does a lot of good things for you, but don't look at it too long." - Aaron Skonnard


September 18, 2006

Building Connected Systems - Day 1

Day 1 was good. There are only 16 people in the class (2 Microsofties, and 2 former Microsofties, myself included) which is nice for personal attention and discussion. Today we reviewed SO, Web Services and the existing technology stack (ASMX 2.0, WSE 3.0). A lot of it was just tablesetting and laying the justification groundwork for WCF, WF and BizTalk. Near the end of the day we started on some BizTalk 2006, which will flow into tomorrow (about 1 hour left of the lab). Aaron Skonnard was our instructor. I love listening to people who are passionate and knowledgable about a topic. Some of the more intresting comments were:

  • ".Net Remoting has the least optimistic future of the communication models (ASMX, WSE, Enterprise Services, Remoting & MSMQ)"

  • It would be really interesting to see a WCF Channel for SQL Service Broker

  • The REST vs. SOAP debate: one thing in favor of SOAP is the existing tools (which is likely why Google chose SOAP for their SOAP Search API and not REST

  • Contract first vs. Code first for web services; typically collaberation drives contract first and smaller projects tend to migrate toward code first

I'm really looking forward to Day 2 which will cover WCF.

Early bedtime tonight! :)


.NET Campsight: Building Connected Systems

It begins:

More to come as I have time to post! :)


September 15, 2006

Foo has a name

Nearly every developer has used the word 'Foo', 'Bar' etc...Apparently there is a Wikipedia entry for it: Metasyntactic variable - Wikipedia, the free encyclopedia


Twin Cities Code Camp - Nov 11, 2006

The inaugural Twin Cities Code Camp will be held Nov 11, 2006. Check out the sessions here.

As of this post, 3 other Magenicons will be presenting (Jason Bock, Michael Dunn and Rocky Lhotka). I will be doing a session on using the security features of Indigo Windows Communication Foundation (WCF). Best of all, it's FREE!!!!!! Hope to see y'all there!


September 14, 2006

Twin Cities Code Camp

The Twin Cities Code Camp will be Nov 11, 2006. Check out the sessions here.

I will be presenting a session on using the security features of WCF.

come one, come all!


June 30, 2006

June 24, 2006

WCF/Indigo - Change to .svc file format for .Net 3.0

after installing the .Net 3.0 (winfx) components, my Indigo service stopped compiling -- i was getting a System.Web.HttpParseException on my Service.svc file...

after much hunting around for 'HttpParseException', I stumbled upon the answer searching for 'Service directive':
-- and --

Basically, change "Service" to "ServiceHost" and change "class=MyFancyIndigoService" to "Service=MyFancyIndigoService"

May 15, 2006

Mort has a hoot

I doubt this was one of the persona scenarios envisioned for Mort, but apparently Mort has been busy writing a computer virus using Visual Basic (some would argue many VB programs are really viruses, but I digress; I've written plenty VB code myself!).

This virus reinforces that the biggest security risk is often from the inside!


April 24, 2006

Microsoft password checker - misinformation

The blog entry at has some bad information that needs to be corrected regarding Microsoft's recently published password strength checker.

In this blog post, the autor states:
GOOD it's a java applet that appears to run locally so your password is never sent over the internet

This is clearly NOT a Java applet if you take a cursory peek the HTML source! The password input button named 'pc001' has an event handler named 'onKeyUp' which calls a JavaScript method named EvalPwdStrength. This method is downloaded from here.

I notified SANS of the misinformation and requested a correction be published. I guess this is a good reminder that you can't believe everything you read on the internet; even from a popular site such as SANS (including my blog too!) :)

I agree with the SANS author's assertion that typing your passwords into a web page, no matter where it's hosted, is a bad idea. Just follow the guidelines and you'll have strong passwords.

If you have trouble remembering lots of strong passwords, try using a password manager program such as:


April 20, 2006

The lamest phishing attempt I've seen yet

I recieved an email today that apparently was some kind of phishing attempt. Yes, the "=20" were acutally part of the message.... :)

Dear Customer,

Your current login & password = combination are=20 out of date.
To renew please click Reply and get back to us with the=20 following information:
Your Name, Account Number, Login and=20 Password.

National City=20 Support


April 19, 2006

banner ads are getting very specific

Maybe someday it will be specific enough to say:

"Meet single female baseball fans, with runners in scoring postition, a lefty on the mound, and during day games". crazy...


Spielberg to design 2008 Olympic ceremonies

oh great, maybe he will add drama and pageantry like "E.T. Win Gooooolllllllllddddd"


April 17, 2006

Some nice "running as non-admin" links

I was having trouble editing the power settings on my work laptop (running as non Administrator, non Power User).

So, firing up my trusy browser and favorite search engine resulted in a lot of nice links that I wanted to share.

Managing Power Options as a non-administrator

Temporary admin for your limited user account

Changing the system date, time and/or time zone (I feel less strongly about this one, but posted in case it was helpful)

and of course the granddaddy of posts:
Item 9: How to develop code as a non admin

Doing this requires some learning and some dicipline. There is a registry hack if you want to get Flash to work properly (i'll post that link sometime when i find it again).


Edit 4/18/2006 12:56pm:

oops, forgot another granddaddy: Mr. Howard's Non-admin best practices in Windows XP

apologies to Mr. Howard :)

April 15, 2006

Paypal Phishing Phake toolbar

yes, i know Phake is not a word. :)

Seriously, I see the phishing artists are hard at work with new ideas to trick people.

Tonight I received an email in my Junk Mail from "PayPal" which was clearly a phake. This is not new, we've all received emails like this.

I always like to open the phake link to see how accurate it looks compared to the real site. The interesting thing to note about this phishing site is they hid the real address bar and put in a simulated address bar textbox (the dropdown even sort of works on it).

In the picture below, the toolbar on the top with the address "http://0xd35bda31" is the 'real' toolbar (I right clicked and re-displayed the toolbar) and the toolbar with the "" is the phake toolbar.

Is having a removable toolbar in IE really worth it? (I don't have FireFox installed, so I can't test it to see what it does on there. Maybe one of my loyal readers could do that and comment?). Web sites have long been able to hide/show the address and menu bars. Should my browser really allow some random website to voliate my boundries like this? One way to remedy this would be for browsers to create an option to override the ability for script to hide/show menu and address bars.

These types of phishing pages will only get more sophisticated and confusing. Please IE/FireFox, help protect users from this type of deception!

Here is the phake phishing link (PLEASE DON'T GIVE THEM ANY USEFUL INFO!)

Here is the screenshot of the browser with the phake toolbar:

I hope phishing is not good!


April 14, 2006

A new kind of pop-up (meta-popup?)

I was poking around tonight and ran across the link to post jobs on.

Of course, there is a popup which my trusty Google toolbar popup blocker stops, but then I get this window...

Yeah, like I'm planning on 'unblocking' popup matter how nicely they ask!


April 07, 2006

April 04, 2006

Improving credential collection, one site at a time

I recently opened a savings account at ING Direct. I was impressed with the login screen.

The first time I hit the page, it asked for:

  • Customer number

  • First 5 digits of my mailing zip code

  • And my pin, transcribed visually into letters (see the picture, it is worth 1000 words!)

The second time I hit the page (F5 - refresh), it asked for:

  • Customer number

  • 4 year digit of my birth date

  • And my pin, transcribed visually into letters, but using a different set of letters corresponding to each number (again, see the picture!)

After a few more refreshes, it asked for:

  • First 4 digits of SSN

  • Last 4 digits of SSN

  • First 3 digits of SSN

  • Last 3 digits of SSN

True, if you know my customer number, birthday and SSN i'm still pretty much out of luck, but at least the pin transposition along with the different credentials combinations could help slow down an automated attack vector!

All that plus a better rate on my savings account! :)


2 year old Identity theft

Apparently even innocent children are victims of identity theft per this MSNBC article.

It’s a practice that often victimizes innocent people, like 2-year-old Tyler Lybbert of Draper, Utah. She doesn't understand that she's got some serious credit problems.

"She's basically got two loans out on her Social Security number and, I believe, a credit card out," says Tyler’s mother, Camber Lybbert. "She's got $15,000 in debt."

This article goes on to discuss illegal immigration, but to me ID theft is a separate issue. True, illegal immigrants are going to want to obtain false identities, but there are thieves who are legal US citizens and there are thieves from other countries who don't even have to set foot in the US to steal someone's identity.

I wish there was an easy answer to this, but there isn't (or it would have already been fixed). The best countermeasure right now is vigilance I guess. :(


April 02, 2006

Straight and long

The golf season in MN is FINALLY here. I played my first round of the year Sat (no, not an April fools joke) at Valley View Golf Course in Belle Plaine. It was 51 degrees, cloudy and little wind, so playing conditions were very nice for April!

My first teeshot was, in fact, straight and long. My faithful blog readers know which club I hit it with, and I still love that driver!

I shot in the mid 80's which didn't dissapoint me; first round of the year typically doesn't come w/ many lofty expectations! I'm more pleased with "NO THREE PUTTS" for the round!

One of my playing companions hit a ball from the teebox into a garbage can on a different teebox, which I've never seen before! I skipped my teeshot across the ice on the 18th hole onto the fairway! Try that in Florida, baby!

The season is here. I believe the official scoring season sanctioned by the MGA is 4/15 so this was a 'free' round for my handicap.

I have no intention of blogging about each round, but figured the 1st one was noteworthy!


March 24, 2006

Why is MSN IM such a memory pig?

I had Task Manager up checking memory usage and noticed the msnmsgr.exe using roughly 55MB, which suprised me.

So, I terminated and restarted the process and it started up to 33MB!

It seems like this app should use a smaller footprint...


March 22, 2006

Golf 2006 - can't wait

Yes, it's the worst time of the year in MN; cold enough to have some snow, but warm enough to start dreaming of getting back out on to the links! is again posting the Golf Courses Open in Minnesota.



March 21, 2006

I want this!

Kingston Technology Company - Press Releases - Kingston Introduces Industry's First Fully Secure USB Drive Specifically Targeted for Enterprise Use

Nice :) 'nuff said


Feds Again Score Low on IT Security

While looking through the 2005 U.S. government's security report card, it is concerning that ANY agency should get an F, much less agencies like these that are critical to the function of the country!!!

  • Department of Defense

  • Department of Homeland Security

  • Department of the Interior

  • Department of State

oh, and kudos to the Treasury and Commerce departments on their D- and D+ grades respectively.

More information about scoring methodology and the hearing in general is available here.

Thanks Computerworld Security for catching my eye on this....


March 16, 2006

Schneier on Security: Basketball Prank

Here's an excellent story that Mr. Bock found on Bruce Schneier's blog.

It gives a whole new meaning to "March Madness" :)

Social engineering is still quite effective, alive, and well!


Qwest Voice Mail setting is unsecured

I've had Qwest voice mail for a number of years now (probably around 10). I've always had it set to ring 4 times before going over to voice mail; 4 is a pretty reasonable number of rings IMHO.

Recently, the phone would ring 2 times and then go to voice mail, making for numerous missed calls (some of which were telemarketers, so i didn't mind THAT much). Obviously, someone or some interal Qwest system changed that value from 4 to 2 for me as I didn't even know how to change it.

I finally got tired of sprinting to the telephone to pick it up before 2 rings, so I searched Qwest for the answer on how to change this voice mail setting and came up with the answer.

So, I called 800-669-7676 per the instructions, entered in only my telephone number and chose the number of rings (2-8 is allowed). Reread the last sentence. Notice how I did NOT need to type in my account password, last 4 digits of my social or use my account code (as found on my monthly statement).

Just to be sure I didn't make sure I didn't 'miss' something, I tried again and again was able to change my voice mail settings w/o providing any real authentication credentials.


From a privacy/security standpoint, this annoyed me, so I called 800-669-7676 again, punched the zero key a whole bunch of times so I could actually talk to someone, and asked about this. The response I received is that since the number of rings for voice mail is a low priority thing, that "it is unnecessary" to secure it. I asked if the changes were logged (because I wanted to find out when my account got changed from 4 to 2 rings) but that information was unavailable. Ok, I grant you the value of the asset in question here (# of rings) is low, but it is just the premise here that is troubling:

1) Why can someone change my account settings w/o my authorization
2) what other systems does Qwest have that allow similiar changes?

One of my friends suggested how easy it would be to build a war dialer and randomly change people's voice mail rings daily. As I found out, 2 rings is akin to mini-DoS attack!

So, I'm hoping that if this information becomes public, it will cause a change at Qwest, and hopefully not spawn an epidemic of random voice mail ringer changes!


March 14, 2006

Free CDs highlight security weaknesses - Computerworld

Free CDs highlight security weaknesses - Computerworld

Even a low tech scam like this was 75% effective! "While the front of the CD contained a written warning to users to check their company's internal security guidelines before running the CD, as many as 75 of the 100 CDs were played."

People are still the weakest link in security: "The experiment underscores what experts say is the weakest point for IT security: people. While many companies have policies and make their employees sign legally binding documents with rules of use for company computers, it's doubtful users get specific training on why those rules are in place, Chapman said."

Forewarned is forearmed I guess...

BTW, if people are giving out free Milli Vanilli CDs, that is also a dead giveaway that it contains 'very bad things' :)


March 06, 2006

Google makes a funny

For googles (I mean giggles) I Googled for the word maps. My assumption was Google Maps would come up as the first search result; apparently my assumption was incorrect...LOL

Click here for a larger picture

cheers and happy mapping

February 25, 2006 | Xbox 360 - Original Xbox Games on Xbox 360 | Xbox 360 - Original Xbox Games on Xbox 360

a link for me so i don't have to Google for it all the time

Hopefully there will be more on this list soon!

Waterfall 2006 - International Conference on Sequential Development

Waterfall 2006 - International Conference on Sequential Development

A coworker (PeteS) forwarded this through our technical email list and it was too funny not to post :)

My favorite is wordUnit

hope to see y'all there! :)


February 15, 2006

A good, good day

It was a good, good day today.

I (re)started at Magenic Technologies on 2/6/2006 and am very happy to be back! Lots of friendly faces that I knew from before, and lots of friendly new faces as well!

1. I became billable again this afternoon for a client in downtown Minneapolis. I will be building web services (ASMX & WSE 2.0 currently) in an SO environment. The project is really cool and is a great fit for me. Plus, there is just something cool about working downtown Minneapolis!

2. I got an XBOX 360 today, which is perfect timing as I sent my old XBOX in for repairs (DVD drive failing; can't read discs anymore). The new dashboard is cool and the wireless controller is very nice. I don't have any games yet (the only backwards compatible game I have is Namco Museum). I downloaded Gauntlet (yes, the Atari game circa 1985) to play which was quite nostalgic! :) I'm looking forward to picking up another controller and perhaps a few games for the new console so I can make better use of the hardware than playing 21 year old coin-op games like Gauntlet, heh heh...

see you online!
jk (snk13)

January 31, 2006

Indigo Gotcha #2 was : WCF Config file intellisense... why hath thou forsake me?

Thank goodness for IntelliCrack, espically for new technologies whose help files are skimpy to non-existent a la Indigo/WCF

I was having the same issue as Bryan, and by changing

<configuration xmlns="">



allowed 2k5 to start displaying IntelliCrack again.

Note: I am not complaining, but rather am thankful for schema. XSD is love. ;)


btw, IntelliCrack was my very first Wikipedia contribution! It is fun to contribute, albeit something silly...

Indigo gotcha #1

In working with Indigo (Jan CTP), if you try to generate metadata (WSDL, XSD) from an assembly, make sure it is a dll and not an exe, or you get a misleading error message like:

C:\Projects\Indigo>svcutil.exe "C:\Projects\Indigo\bin\Debug\MyIndigo.exe"
Microsoft (R) Service Model Metadata Tool
[Microsoftr .NET Framework, Version 2.0.50727.129]
c Microsoft Corporation. All rights reserved.

Error: There was an error exporting the ContractDescription loaded from the type: Foo.IBarService, MyIndigo, Version=, Culture=neutral, PublicKeyToken=null
Duplicate contract QNames are not supported.
Another ContractDescription with the Name: IBarService and Namespace: has already been exported.

This happened when I was writing a self-hosted service using a console application and for ease of initial development included the service, message and data contracts in the self-hosted service. I really wanted to get the WSDL out of the service so I could tweak it (that is a whole other post).

Long story short, I changed the project from a console application to a class library and reran svcutil.exe and all was well in Indigo-land again:

C:\Projects\Indigo>svcutil "C:\Projects\Indigo\bin\Debug\MyIndigo.dll"
Microsoft (R) Service Model Metadata Tool
[Microsoftr .NET Framework, Version 2.0.50727.129]
c Microsoft Corporation. All rights reserved.

Generating Metadata Files...

If this post saves even 1 person some debugging time, it was worth it! :)

I'm glad Indigo is (almost) here!


January 24, 2006

The Amazing Message Plant! (and Monkey phone call)

I heard about the The Amazing Message Plant! on the 93X half-a**ed morning show on my drive in this morning. Right now, there are only stock messages, but when they get the custom message feature added, can you even imagine the possibilities?

In a similar genre, Glen was showing us This site is powered by actual SM2C technology "(simulated monkey to consumer)" to make the magic happen. Again, quite amazing :)

I hope this brightens your day as it has mine :)