# Tuesday, August 26, 2008

I read the article at http://redtape.msnbc.com/2008/08/almost-everyone.html about the "Forgot your password" link to reset your password as being a possible attack vector. I think they discussed the security issue quite well and also pointed out that there are no reports that this method has been used widely to attack accounts. I know that in all the time that I have had a Hotmail account I have twice gotten e-mails about a password reset that I didn't initiate. The first time I ignored the e-mail until I got a reminder about 10 days later that it was about to expire; the second time I immediately clicked on the link stating I hadn't started the password reset. I also went and changed my password just in case someone had compromised my account.

The article has some good advice about not using obvious answers to the reset questions. I think this might be one case where my generation has a lot more latitude in choosing a non-obvious answer. While my birth date and mother's maiden name might be easy to find on the Internet, when I was a teenager there was no blogging so I would assume outside of the people that I went to school with and a few close family members nobody would know the name of my first girlfriend. It might be easy for a hacker to guess the answer to that question but hopefully it would take them a few tries and the back end systems would be alerted well before they guessed the correct answer.

Another tactic that I have used is to pick an "obvious" question but then give it a false answer. As was pointed out in a recent issue of the RISKS digest, they aren't validating the answer, just that you can type in the same value twice. I use the name of my pet as a question but rarely if ever use Max, which was the name of my dog, but instead make up other "names". The best are a semi-random set of numbers and letters that aren't even a name, so if someone is running a dictionary attack of the most common pet names your answer will not be in the dictionary.
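As an added illustration (not code from the article or from any real reset system), this sketch shows the two points above: a back end that locks and raises an alert after a few wrong answers, and a random made-up answer that a list of common pet names never matches. The threshold of 3, the class and function names, and the pet-name list are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

MAX_ATTEMPTS = 3  # assumed threshold; the post only says "a few tries"

# Constructed sample of common pet names, in the order a guesser might try them.
COMMON_PET_NAMES = ["bella", "buddy", "charlie", "lucy", "max", "rocky"]


def random_answer(nbytes=12):
    """A made-up 'pet name': random letters and digits, not a dictionary word."""
    return secrets.token_urlsafe(nbytes)


class ResetQuestion:
    """Keeps only a salted hash of the answer and counts failed tries."""

    def __init__(self, answer):
        self.salt = os.urandom(16)
        self.digest = self._hash(answer)
        self.failures = 0
        self.locked = False
        self.alerts = []  # stands in for whatever notifies the operators

    def _hash(self, answer):
        # Answers are compared case-insensitively, ignoring outer whitespace.
        normalized = answer.strip().lower().encode()
        return hashlib.pbkdf2_hmac("sha256", normalized, self.salt, 100_000)

    def check(self, guess):
        if self.locked:
            return False  # even the right answer is refused once locked
        if hmac.compare_digest(self._hash(guess), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
            self.alerts.append("reset locked after %d bad answers" % self.failures)
        return False


def guesses_until_hit(question, wordlist):
    """Return the 1-based position of the guess that succeeded, or None."""
    for n, word in enumerate(wordlist, start=1):
        if question.check(word):
            return n
    return None
```

With the real name "Max" as the answer, only the lockout stands between the word list and the account; with a random answer the list fails regardless.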

To help me not forget the password in the first place, or to remember the answer if I need to, I can always look at my Password Minder file. The thing I like is it will automatically generate random passwords for me and has a notes area where I can write down my secret question and answer. The data (both passwords and comments) is encrypted on the disk so I feel pretty safe about it not being stolen from me.

Tuesday, August 26, 2008 2:16:01 PM (Mountain Standard Time, UTC-07:00)

# Friday, August 22, 2008

I got an e-mail stating that the PDC 2008 early bird registration deadline had been extended to Monday, September 8. That means that you still have time to save on registration. Here is a snippet of the body of the e-mail with more details on the Professional Developers Conference.

Get Your Head above the Clouds at PDC2008

Have you ever attended a Microsoft Professional Developers Conference? It’s an event so packed with great information and new technology, attendees claim their brains start sending back “out of memory” error messages. That’s what happens when a torrent of peer-to-peer geekology throttles your cerebral cortex.

At PDC2008, you can engage your senses and discover what’s new with Cloud Services, Live Mesh, Windows 7®, multi-core development, the Dynamic Language Runtime, and F#. There’s also much more, but we want to save a few surprises.

Oh, and here’s a little bonus for you: when you register before September 8th, you’ll save $200 USD. Sweet!

Let’s break it down:

· PDC2008 is the place to hear about the future of Microsoft’s platform. You’ll hear from the actual engineers that architect and build our technologies, and they’ll blow your mind with everything they have to reveal.

· And what about the UnSessions, better known as Open Space? It’s our conference-within-a-conference for attendees…Microsoft folks need not apply. You can also spend time in our Hands-On Labs, which is like a big sandbox for geeks like us.

· Use your Jedi mind tricks to convince your boss to let you sign up for one of 10 super deep pre-con sessions, presented by industry experts and Microsoft technology leaders.

· Hear Ray Ozzie and other executives (don’t worry, they used to write code too) share their perspectives on the future of technology and computing. We call them keynotes, and you can expect some big news.

So, if you value your brain, we’d love to see you at PDC2008. Let us help you get your head above the clouds!

Register (http://www.microsoftpdc.com/Registration/) for PDC2008 by September 8th at (www.microsoftpdc.com) to save $200!

PDC2008 Dates and Location

WHEN:
October 27-30, 2008
Pre-cons October 26, 2008

WHERE:
Los Angeles Convention Center (http://www.lacclink.com/), Los Angeles, CA

REGISTER NOW (http://www.microsoftpdc.com/Registration/)

Friday, August 22, 2008 3:11:57 PM (Mountain Standard Time, UTC-07:00)

# Wednesday, August 20, 2008

I ran across an application at http://wordle.net that will allow you to paste in a bunch of text, the URL to a RSS or ATOM feed, or a del.icio.us user name and it will read the text, remove common words, and then create a word cloud. I created one for my blog.

 

The most surprising part of this word cloud to me is that the largest words don't necessarily match with the tags that I have defined. I think I will have to rethink my tagging system to make sure that content is easy to find.

Wednesday, August 20, 2008 8:45:16 PM (Mountain Standard Time, UTC-07:00)

# Tuesday, August 19, 2008

Join us on Wednesday, August 20 for our monthly meeting. The meeting will start at 6:00 at the NuSkin NOC located at 1175 S 350 E, Provo. Our topic will be continuous integration and the speaker will be Craig Berntson. Here are some more details on the meeting:

Continuous Integration with .Net
Continuous Integration is a development practice where code changes are continuously checked in to source control and then automatically checked out, built, and tested. Whether you are a one person shop or have many developers, by using Continuous Integration, you will improve the quality of your software and increase your productivity.

This session will show you how to use Continuous Integration in your daily development by integrating several free tools. Attendees will learn:
- How to implement Continuous Integration methodology into the development process
- How to automate code check out and the build
- How to automate unit testing, code standards checking, documenting, and other needs
- How to report the results of all the automation to the development team

Craig Berntson is a Microsoft Certified Solution Developer and has been a Microsoft MVP for over 10 years. He wrote the book “CrysDev: A Developer’s Guide to Integrating Crystal Reports”, available from Hentzenwerke Publishing. He has also written for FoxTalk and the Visual FoxPro User Group (VFUG) newsletter. He has spoken at various developer events in North America and Europe. Currently, Craig develops hospital software for a Fortune 100 company in Salt Lake City.

Tuesday, August 19, 2008 3:11:05 AM (Mountain Standard Time, UTC-07:00)

# Saturday, August 16, 2008

Microsoft has been busy planning for PDC. Some important things that you may need to know.

1. The early bird discount ended yesterday so if you were counting on that to persuade your boss you need to come up with some other justification. The registration link is http://www.microsoftpdc.com/Registration/

2. Microsoft has been posting additional sessions. You can check out the agenda at http://www.microsoftpdc.com/Agenda/

3. If you can't get your boss to pay for your trip and conference fee don't despair. You may still be able to get a chance to go to L.A. through one of the several contests running on the PDC site. Check out the different contests and the prizes at http://www.microsoftpdc.com/Social/Contests.aspx

 

Saturday, August 16, 2008 4:17:04 PM (Mountain Standard Time, UTC-07:00)

# Monday, August 11, 2008

It has been almost a month since I posted last. Part of it has been that I have been busy but the biggest part was that the computer that I was hosting my blog on decided to die. I am still not 100% sure what the problem is but the machine would only boot about 1 in 4 times and then would tell me that it couldn't find a core Windows Server file. After spending a couple of days trying to fix the problem I decided that now is the time to upgrade the hardware (I had been contemplating it for a while). I ordered the hardware but between shipping problems and my travel schedule I didn't have a lot of time to work on the new machine. Unfortunately remote access doesn't help me add memory or hard drives to a case. I got a new machine with dual processors, mirrored system disks, and 4 GB RAM. I also got to upgrade to the latest version of dasBlog.

I installed Windows Server 2008 with Hyper-V and have started setting up virtual machines for things like my domain controller, this web server, etc. That will hopefully allow me to not have another month long crash and even if something that is not redundant in the machine dies I can start up the virtual machines that I really need on another machine to get it up and running quickly. I will also have the ability to create virtual machines to check out new technologies.

While I was down a lot of interesting things happened but the one that sticks out most in my mind is the Release To Manufacturing (RTM) of SQL Server 2008 last week. I am looking forward to learning more in the months and years ahead.

Monday, August 11, 2008 9:12:28 PM (Mountain Standard Time, UTC-07:00)

# Wednesday, July 16, 2008

Here is the body of an e-mail that I got announcing that the latest CTP of BizTalk Services has been released and is ready for us to start working with and providing feedback on.

Announcing the BizTalk Services "R12" Release

We're thrilled to announce that the BizTalk Services "R12" Community Technology Preview (CTP) is now available for general use.

"BizTalk Services" is the code-name for a platform-in-the-cloud offering from Microsoft. Currently in active development, BizTalk Services provides Messaging, Workflow, and Identity functionality to enable disparate applications to connect quickly and easily. Combined together in an integrated offering, these capabilities deliver a Service Bus architectural pattern that is immediately usable by applications that need to connect across the Internet.

Many enterprises employ the 'Enterprise Service Bus' pattern to interconnect disparate systems within an organizational domain. Built on Microsoft platform technology, an ESB might include building blocks such as Windows Server, Active Directory, BizTalk Server, as well as the Windows Communication Foundation and Windows Workflow Foundation technologies included in the .NET Framework. "BizTalk Services" extends the concept of an ESB to truly exploit the Internet, for instance by exposing individual service endpoints in a secure fashion or by selectively federating elements of distinct identity systems to facilitate cross-company collaboration.

For ISVs and Solution Providers creating specialized business solutions that enable collaboration and information exchange across increasingly mobile and distributed work-forces, "BizTalk Services" provides the cloud-based platform building blocks to create sophisticated (Internet-) Service Bus solutions with broad reach that could otherwise only be realized by operating dedicated Data Centers of significant complexity - which is often out of reach for both ISVs and their customers.

Major Changes

With the release of BizTalk Services "R12", developers must update all clients and SDK installations to the new release.

New in R12 - Workflow

The most exciting new capability we've added in the "R12" CTP is Workflow. These new cloud-based Workflow capabilities enable 'service orchestration' from the cloud. This specialized cloud-based, or hosted, Windows Workflow Foundation runtime can orchestrate services that connect to systems in your enterprise, or to systems running anywhere on the Internet via Web services messages. This new power and capability will enable an entirely new set of application scenarios, and we're very excited to see what people will do with it.

In the SDK you will find samples showing how to create and control Workflow instances hosted on the BizTalk Services cloud, including a sample Workflow implementation that monitors the availability of a website and fires multicast events into the service bus indicating the state.

New in R12 - Identity

For R12, the BizTalk Services Identity Service has been expanded and enhanced to enable more flexibility for scenarios demanded by our customers. R12 introduces a new approach for creating, viewing, and managing access control rules. This approach relies on a few key principles outlined below:

* Every Identity Service account owns a Security Token Service (STS).

* An STS is composed of one or more scopes.

* A scope contains zero or more access control rules.

* An STS owner can grant another Identity Service account permission to edit the access control rules in a scope.

A practical illustration to clarify: The Messaging Service owns an STS whose root scope is http://connect.biztalk.net/services/. When you create a new account (newaccount) in the Identity Service, the messaging service creates a new scope http://connect.biztalk.net/services/newaccount. The Messaging Service then grants (newaccount) the permission to create access control rules in that scope. Any communication endpoints hosted there can thus be secured by the owner of the scope. Rules from R11 accounts have been migrated to the "root" scope of the new account.

On the protocols front, we've added several new capabilities for 'REST' services. We now support integration with Windows Live ID and have added RFC2617 Basic and HTTPS/Client Certificate support for acquiring security tokens using simple HTTP GET requests.

New in R12 - Messaging

Connectivity Modes

The most fundamental new feature area in the Messaging service is the new 'connectivity mode' settings on the RelayBinding. Before this release, BizTalk Services clients and listeners always required outbound TCP ports 808 and 818 to be available for connecting to the BizTalk Services cloud for all connection modes except the clients of a listener running with ConnectionMode.RelayedHttp.

In this release we are introducing three different connectivity modes: Tcp, Http, and AutoDetect. The connectivity mode can be set on a static property of the RelayBinding. The Communication\ExploringFeatures\ConnectionModes\Multicast sample shows how. For clarity: 'Connection Mode' defines the type of end-to-end connection that is to be established through the Relay. 'Connectivity Mode' defines how a particular endpoint connects up to the Relay.

The 'Tcp' connectivity mode is the most efficient one and works as in previous releases. The 'Http' mode is new. It creates a volatile FIFO buffer for messages in the BizTalk Services cloud and polls for messages using HTTP 'parked requests'. The Http model exhibits delivery latency characteristics similar to Tcp mode, albeit with slightly higher bandwidth consumption on idle connections. The 'AutoDetect' mode will check whether TCP connectivity is available and will choose 'Tcp' if that's the case and 'Http' otherwise.

The new HTTP-based connectivity option is only effective for the RelayedOneway, RelayedMulticast and RelayedDuplex connection modes. RelayedDuplexSession, HybridDuplexSession, and RelayedHttp (listener only) still require TCP connectivity at this time.

Transport Credentials and Unauthenticated Access

Also, in the "R12" release, the model for specifying the client credentials for the Relay has now been closely aligned with the standard WCF client credentials model. Instead of picking and instantiating token providers, there is now a TransportClientEndpointBehavior that holds all credential information and credential types. The samples in the Communication\ExploringFeatures\RelayAuthentication of the SDK download clarify the use of this new behavior.

We have added a pair of 'WebNoAuth' samples which introduce a new capability that we had a lot of requests for: Unauthenticated client access. When registering a service listener you can now explicitly waive the authentication requirement for clients connecting to your service. This is very useful in Web scenarios where you want to enable any HTTP client to connect to your service and don't want them to authenticate in any way. For the time being we suggest that you always use this new unauthenticated access mode for RelayedHttp services until we release the update for the 'Web' client authentication capability.

For R12, we have omitted the 'Web' (REST) samples for Relay authentication since that area is undergoing some substantial protocol changes. The update for this will be released soon. In the interim, existing applications that were built on a prior release of the BizTalk Services SDK to use the authentication technique shown in the R11 'Web' sample must be modified to use unauthenticated access as shown in the new 'WebNoAuth' sample.

Give it a try

The new BizTalk Services "R12" CTP is online and available now for your use. The SDK is available at http://labs.biztalk.net. If you already have an account for BizTalk Services, your accounts and settings have been migrated to the new environment. If you don't have an account yet, just sign up, download the SDK, and get started creating the new generation of connected applications.

Wednesday, July 16, 2008 7:24:54 PM (Mountain Standard Time, UTC-07:00)

Tonight we will be having our monthly meeting of the Utah County .NET User Group. As always our meeting will be held at the NuSkin Network Operations Center at 1175 S 350 E Provo at 6:00. Tonight we will have a short presentation on WCF and then have some time to answer coding questions you might have.

Wednesday, July 16, 2008 2:17:45 PM (Mountain Standard Time, UTC-07:00)