greg hughes - dot net
Note that the contents of this site represent my own thoughts and opinions, not those of anyone else - like my employer - or even my dog for that matter. Besides, the dog would post things that make sense. I don't.
 Monday, January 30, 2006
Virtual Servers - gotta love 'em, gotta hate 'em.
If you ever have to support a large number of dev and test servers in your IT environment and have found yourself frustrated with the administrative and technical overhead, a virtual machine architecture might be for you. It's all the rage these days, but (trust me on this one, I should know) there's lots of ways to de-optimize (read: screw up) a virtual machine/server environment. To make it work effectively, there are a few things that you need to know and do to make your environment hum like a well-oiled (virtual) machine.
The problem is, until recently there has been relatively little prescriptive architecture for using virtual environments for specific test environments. In the case of Microsoft Virtual Server, there is now a reference architecture and detailed documentation that you can take advantage of by just downloading the documents:
Windows Server System Reference Architecture Virtual Environments for Development and Test (WSSRA-VE) can help large organizations and enterprises create environments for development and testing that emulate their own production environments. The guidance describes the architectural blueprint, planning considerations, deployment practices, and operational considerations for creating and supporting a virtualized instantiation of the Windows Server System Reference Architecture. It leverages the power of Virtual Server 2005 and automated deployment and configuration tools to minimize the physical infrastructure and logistical overhead necessary to deploy emulations of various data center services.
Like WSSRA itself, the WSSRA-VE is intended to aid users in their own effort to model their operational environment and condense it to a scale that can be representative of the infrastructure integration challenges facing developers and testers of distributed, message-based applications and IT services, and still be inexpensive and relatively economical to build and use throughout a large-scale IT organization.
I had a layover at the Denver International Airport for several hours today, so I called my mom, who lives over near Boulder. She jumped in the car and drove over to the airport for coffee and lunch.
The Pur la France chicken pot pie in the main terminal upper level is highly recommended. And so are those deals where they announce they have over-booked and will give a round trip ticket to anyone who will volunteer to take the next flight. I got lunch with my mom, a free round trip ticket, first class seat for no extra charge on the next flight, and on top of that I am able to work right now in the airport during business hours instead of being on an airplane during the time that counts. So I was able to test a very cool new demo version of one of our security software products and test market it to my mom. She provides good feedback.
I sent her a Logitech Quickcam Pro the other day so we can do video instant messaging and calls with Live Messenger v8, and I was showing her how to use the notebook camera I bought for my end of the connection. That's her right there, snapshot taken with my notebook Logitech cam (which is a great little camera).
Well, off to North Carolina... Then back home to Portland.
Security training - especially good, quality training - can be hard to come by without traveling somewhere and paying some hefty class fees. That's why my eyes opened wide when I found the Carnegie Mellon University/CERT Virtual Training Environment, which has a whole slew of great documents, tutorials and other resources that can enable anyone to learn a whole lot about computer, network and application security and forensics.
The Virtual Training Environment (VTE) is a Web-based knowledge library for Information Assurance, computer forensics and incident response, and other IT-related topics. VTE is produced by the Software Engineering Institute at Carnegie Mellon University.
What specifically is available? The VTE houses four types of training materials:
- Documents: Whitepapers, handbooks, instruction guides, and other written material related to one or more IT topics such as information assurance, computer forensics, or incident response.
- Demos: Demos are narrated recordings of instructor’s desktops. They enable users to watch and listen as an instructor describes the activities he or she is performing on a particular machine or piece of software.
- Lectures/Modules: Modules are actual class instruction that has been video captured and transcribed. Modules are synchronized to a PowerPoint slideshow. Users can navigate through the module using the slide title or using VCR-like controls.
- Labs: Labs are hands-on training exercises in IT-related topics using virtual machines. Each Lab has an accompanying walkthrough document and can be reserved and ‘taken’ using the browser.
All of the materials except the labs are available to the public, without having to sign up or anything. The hands-on labs are available only to organizations that have a relationship set up with CERT. There's not any obvious information on the site that indicates how to establish that relationship, but I did a Google search and found a brief announcement on the Carnegie Mellon University site indicating that emailing the VTE support email address (which is available on the VTE site link, below) is the way to find out more.
Access the CERT VTE at: http://vte.cert.org/
 Saturday, January 28, 2006
CNN has an article that covers the 25 worst words you can use in your resume. Why are they so bad? In a nutshell, because:
a) everyone uses them, so there's no originality, and b) they don't really mean anything
Seriously. Read the article and then do something about it. I've looked at a couple hundred resumes in the past month or so and this article is spot on. Good advice that needs to be read by all.
Resumes are (or, rather should be) about standing out from the crowd on the merits and saying something real, so take the time to do it well. That's what the potential employer is looking for.
Oh, and never be your own resume editor. Always rely on a hard-core, ruthless and smart copy editor to point out your flaws. And if that makes you uncomfortable, find a therapist or trusted friend to help you with that character problem and you'll not only get over that hump, you'll also probably interview better. 
If you're a geek and you don't know what Gnomedex is, you're truly missing out on something amazing. It's an annual conference, spawned from the brain of Chris Pirillo, and it's an event where a whole slew of the ultimate geeks and even some nerds gather and talk about all kinds of cool stuff. For example, last year IE7 was demo'ed for the first time at Gnomedex, where the IE team announced and showed off RSS integration in the browser and Longhorn/Vista OS. And many, many other interesting presentations were made. But most importantly, the people you meet are awesome.
There are 300 seats in the main hall. 100 are already sold. If you're going (or think you might be), act now! If you know a true geek and want to give him or her a great gift, a Gnomedex ticket and a trip up to Seattle is a terrific thing to do for someone. 
Be there and be square. Word.
I've been a South Park fan ever since it came out. Who woulda' thunk these cartoons would become such a phenomenon. I laugh my ass off every time I watch it.
I have to say that at $1.99 an episode, it's a bit pricey - maybe buying the DVD sets online (you can find some good deals if you look) might work better for some people. But for the convenience factor, and in terms of iTunes store's expansion into the video content arena, this is cool.
South Park on the iTunes Music Store - click here to open in iTunes
Comedy Central and Apple just added South Park, Drawn Together (never really watched that one) and Best of Comedy Central Standup to the iTunes store.
Published just this month, an important whitepaper is now available that provides authoritative information about applying the "don't run as admin" concept in the real world.
Should you care? Yes. Absolutely. Why? Because running as an administrator or high-privileged user opens the door to malicious software ruling your world by potentially damaging your computer and data, compromising confidential information, and harming your company's reputation and business relationships. Put simply, you should do it because it's now possible, because with Windows Vista it will be enabled in terrific ways that reduce the pain, and just because it makes obvious good sense.
Users will download and install software they're not supposed to. Policies don't solve technology problems. Rather, they guide solutions to people problems. Users will take CDs they bought with a major record label on the sleeve and stick them in their CD-ROM drives, whether or not they are supposed to, and we've all learned recently that you cannot trust major record labels to produce safe, appropriate software. Users will surf to web sites and (regardless of how much education and prevention you do, and how many times you tell them to never click on that stupid thing that says their computer might be infected) they'll click and download and even install software that wreaks havoc, logs keystrokes or does any one of a thousand other bad things.
People and process changes and preventions are important - don't get me wrong. We need to educate and provide standards, and we still need to hold people accountable for behavior. But that does not remove from us the responsibility to make proper and correct technology decisions when it comes to operation and implementation security. Period.
People, process and technology - it's a combination of all three of these, in careful balance, that makes a true security ecosystem work.
But making changes like this is, honestly, something that most business and technology people avoid, because they're afraid they won't be able to operate that way. Or they're afraid someone will complain. Sorry guys, not a good enough reason, not anymore.
So... What's the problem we're trying to solve? From the paper:
"A significant factor that increases the risks from malicious software is the tendency to give users administrative rights on their client computers. When a user or administrator logs on with administrative rights, any programs that they run, such as browsers, e-mail clients, and instant messaging programs, also have administrative rights. If these programs activate malicious software, that malicious software can install itself, manipulate services such as antivirus programs, and even hide from the operating system. Users can run malicious software unintentionally and unknowingly, for example, by visiting a compromised Web site or by clicking a link in an e-mail message."
The approach into which the least-user model falls is a layered security, defense-in-depth style. We cannot rely solely upon one layer of security to solve all our malware problems, and the fact is this: If all computer users already ran with least-privileged accounts, the incidents of malware (spyware, adware, etc) would be significantly less. In the real world, we are stuck in a position of needing to make a change, but for the future we will do well to remember how taking the easier route early in a technology phase can come back to bite us later.
"A defense-in-depth strategy, with overlapping layers of security, is the best way to counter these threats, and the least-privileged user account (LUA) approach is an important part of that defensive strategy. The LUA approach ensures that users follow the principle of least privilege and always log on with limited user accounts. This strategy also aims to limit the use of administrative credentials to administrators, and then only for administrative tasks.
"The LUA approach can significantly mitigate the risks from malicious software and accidental incorrect configuration. However, because the LUA approach requires organizations to plan, test, and support limited access configurations, this approach can generate significant costs and challenges. These costs can include redevelopment of custom programs, changes to operational procedures, and deployment of additional tools."
Small and large organizations (of all types) are faced with this problem. While it's not the end of the world, it's often not a trivial task to change to a least-privileged computing model if you're already deployed in a mode where all users are administrators. This is common in software companies and other places where people have liberal privileges in order to provide ultimate flexibility in their development and design world.
I should also note that in Windows Vista, the next version of Windows, there are significant improvements in the operating system that will make it completely feasible to apply a least-privilege user model to every single computer, while affording users the ability to install software and make appropriate configuration changes in a controlled and safer environment. In my opinion, any shop that deploys Vista when it's available and does not take advantage of this security capability is negligent (and there will be many companies where that will happen, just watch). Find out more about Windows Vista User Account Control (UAC) at the Microsoft Technet site pages that cover the subject, and be sure to read and subscribe to the UAC Team Blog.
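Before you can move a fleet off the "everyone is an administrator" model, you have to find out which accounts actually hold local admin rights on each box and whether the shells people work in are running with an administrative token. Here is an added PowerShell example (my own illustration, not code from the whitepaper or from Microsoft) that does that inventory on one machine. The allow list of expected admin accounts is an assumed placeholder you would replace with your own; the ADSI calls and the WindowsPrincipal role check are standard Windows APIs.

```powershell
# Added example, not from the whitepaper or Microsoft.
# Inventories who holds local administrative rights on this machine and
# whether the current session carries an administrative token. This is the
# audit step that precedes any move to the LUA model: you cannot demote
# accounts you have not found.

# Accounts that legitimately stay in Administrators. These names are
# placeholders (assumed, not from the whitepaper); adjust for your domain.
$ExpectedAdmins = @('Administrator', 'Domain Admins')

function Get-LocalAdministratorMember {
    # The WinNT ADSI provider is present on Windows XP and later without
    # extra tooling, which matters for the XP-era fleets the paper targets.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $type = $member.GetType()
        New-Object PSObject -Property @{
            Name  = $type.InvokeMember('Name',    'GetProperty', $null, $member, $null)
            Class = $type.InvokeMember('Class',   'GetProperty', $null, $member, $null)
            Path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        }
    }
}

function Get-UnexpectedLocalAdministrator {
    # Everything in Administrators that is not on the allow list is a
    # candidate for demotion to a limited user account.
    Get-LocalAdministratorMember | Where-Object { $ExpectedAdmins -notcontains $_.Name }
}

function Test-ElevatedToken {
    # True when this process token has the Administrators group enabled.
    # On Vista with UAC, the same admin user gets $false in a non-elevated
    # shell, because the filtered token carries that group as deny-only.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Remove-LocalAdministratorMember {
    # Demotes one member. The account keeps its Users membership and keeps
    # logging on; it simply stops passing admin rights to every program it runs.
    param([Parameter(Mandatory = $true)][string]$ADsPath)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.Remove($ADsPath)
}

# Report for this machine.
"Current session is running elevated: $(Test-ElevatedToken)"
$extra = @(Get-UnexpectedLocalAdministrator)
if ($extra.Count -eq 0) {
    'Administrators contains only the expected accounts.'
} else {
    'Accounts holding local admin rights beyond the expected set:'
    $extra | Format-Table Name, Class, Path -AutoSize
    # Once an account is confirmed as a candidate, demote it with:
    #   Remove-LocalAdministratorMember -ADsPath $extra[0].Path
}
```

Run it from an administrative session on each machine (or push it through your management tooling) and collect the output centrally; the list of unexpected members is the work queue for the "plan, test, and support" effort the paper warns about, since each of those accounts may have applications that break once the admin token goes away.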
I highly recommend this whitepaper. It cuts to the chase and explains things in a clear and concise way, while addressing real world concerns and providing links and references to third-party tools and information. If you run a network or a dev shop, or if you're in any way responsible for secure computing, this is a paper you need to get familiar with.
Description and summary of the whitepaper from the Microsoft download page:
This 100-level technical white paper provides information on the principle of least privilege and describes how to apply it to user accounts on Windows XP. The paper covers the following topics:
- Risks associated with administrative privileges
- Definition of the principle of least privilege
- Definition of the least-privileged user account (LUA) approach
- Benefits of the LUA approach
- Risk, security, usability, and cost tradeoffs
- Implementing the LUA approach
- Future developments
This paper also describes at a high-level the issues that affect implementation of the LUA approach and provides useful links to other online resources that explain these concepts in more detail.
 Thursday, January 26, 2006
Omar Shahine sent me a message inviting me to sign up for Live Contacts this evening. It's a service that ties together your Messenger address list, Hotmail/Live Mail contact lists, and MSN Spaces profile info (all, of course, associated with your Passport identity), and lets you subscribe to someone else's contact info. Once subscribed, any time someone on your Live Contacts list changes their contact info, it changes in your list. So, it's always connected and up to date.
Plus, you can choose how much of your personal and business contact info to share (granularly), and with whom to share it.
Start by logging into your Spaces profile (mine's here, not used much to date) and then you can share your contact info with others. Choose "Edit Profile" on your space page, and scroll down to the "Contact Information" section - that's where you can specify how and with whom to share your info. It'll always be up to date in other people's Messenger and Hotmail/Live Mail apps.
Microsoft Security VP Mike Nash answers a stack of questions posed by Slashdot readers. The Q&A is pretty good. Nash provides substantial answers to some fairly pointed questions. One thing is clear, both in the answers and in my own experience: Security is hard - if in no other way, then from the standpoint of overcoming the many cultural and technical hurdles.
Nash covers a broad range of important topics and addresses many, many issues. Click on over to read, but here's a very brief couple of excerpts:
On code security and secure code review processes:
"Two or three years ago, we had a vulnerability in Windows Media Player where an attacker could send out a piece of media content with a malformed copyright field and because of a flaw in the code that parsed the copyright, the attacker could overrun a buffer and run arbitrary code on the machine. So the question was, should the developer of the Windows Media Player have thought about that kind of attack and taken steps to prevent it? Remember, we want the people writing the Media Player to make the world's best media player. The answer has to be YES! While you could have a tiger team work around the organization reviewing all of the code in every product that we ship, that doesn't scale. You could never have enough dedicated security expertise; if they made changes they might break something since they really couldn't understand the details of the code they are making more secure. This works for final reviews, but final review needs to be like the guard rails on the side of the road -- they are a great last resort, but we need better drivers! So we trained everyone. Key thing here is that we also learn new things over time (better tools, new threat vectors, and new scenarios) so the training has to be continuously updated."
And on the cultural challenges of prioritizing security:
"Culture is a huge issue as well. Microsoft is a company that is very focused on technology, very focused on business, and very focused on the competition. Getting groups to put security high in their list of priorities was a super hard thing to change at Microsoft. Four years ago, I used to have to have frequent conversations with teams who would tell me that they couldn't go through the security review process because they had competitive pressures or had made a commitment to partners to ship at a certain time. Today, generally, people get it. It's now clear to us that security is a competitive and business priority. While I still see escalations from people who want exceptions, the numbers are pretty low. A big change from four years ago is that when I say no, I get great support from above me in the organization."
If you're even tangentially involved in security for your organization, and especially if you're a technology company, this Q&A is definitely worth the read.
I've received a number of requests for Windows Live Mail invitations recently, due to my recent post offering up Windows Live Messenger account invitations. I don't have any Live Mail invites, but I'd suggest you sign up here and see what happens. At least one person to whom I suggested this signed up today and received his invitation today, as well:
(Windows Live Mail is the new version of Hotmail, currently in beta test mode and available only by invitation, which you can sign up for at the above addresses)
From Mark Harrison's weblog:
All Windows SharePoint Services customers are entitled to an extended free trial of Antigen for SharePoint. This trial version will be active through June 30, 2006.
To download, simply go to www.sybari.com/wss and fill out the form.
Antigen for SharePoint allows Windows SharePoint Services users to collaborate without the risk of uploading or downloading infected documents or inappropriate content.
The simple and honest fact is that many people who have deployed WSS or SPS don't run any anti-virus software on their SharePoint implementations - and that's a huge mistake. Running plain-ol' AV on the server's file system is exactly the wrong thing to do, because all the SharePoint files are stored in the database where regular AV software can't touch them. And besides that, running real-time AV scans of a SQL database file (which is constantly changing) is a supreme resource and performance killer if there ever was one.
I've worked with Sybari's Antigen products on both SharePoint and Exchange for several years. In my book, it's the best thing in AV-Land since sliced bread. So check it out.
 Monday, January 23, 2006
Life, work and everything else is pretty crazy these days. I'm tentatively scheduled for some major surgery on my lower back in February, and my day (and evening) job is hectic and quite challenging in many ways (but I'm not complaining). Add everything else that happens in life into the mix, well... Recently it's been just a bit overwhelming at times.
I've traveled more than usual lately. One of the things I found made it more bearable (besides wearing my rigid back brace on airplanes - thank goodness for that stupid thing) is the new iPod video model I recently picked up. I discovered Battlestar Galactica, the revived show that everyone and their brother has apparently seen and raves about. Now I can see why they rave. I used to watch the original series when I was a kid - it was the greatest show on TV for a period of time, at least in my book. So, I purchased the pilot mini-series of the new, modern version via iTunes a couple weeks ago and watched it on my flights to Philly and Pittsburgh. What a great show. Definitely made a couple long flights much more sane. I downloaded the first season of the show the other night and will start watching that soon.
Some of you know I've had back problems for some time. I now have back surgery set for February 15th in Seattle. There are some tests that I have to get done before then, too (bone scan, labs, etc.). From what the doc says, I guess I will be relatively out of it for a while - at least a few weeks. It's quite an intimidating prospect, actually: I have never had major surgery before, so I am more than just a little nervous, even though the doc is terrific and has tons of experience. More on that later, maybe when the day gets closer. Afterward it will certainly make for an interesting and geeky bionic-man kind of tale, assuming all works out and the surgery actually happens. First things first.
Have you ever had major surgery? Care to share your experience? Mine will be an anterior (read: from the front) approach to the lumbar spine (at L5-S1), where they'll remove the disc and then do their handiwork. Not too common, but maybe there's someone else out there who's been through that sort of thing. If so, let me know. 
 Saturday, January 21, 2006
The mind can really play tricks with what the eye sees. This short video is a great example of a really cool optical illusion.
Update: Reader Rocco points out the Grand Illusions Web site, where you can download a PDF file that contains the pattern to cut out and fold, along with instructions. Very cool! Print it on your color printer and amaze the kids!
The site has a number of other cool optical illusions worth checking out, as well.
Know of any others? Drop a line!
(via Digg)
© Copyright 2008 Greg Hughes
This work is licensed under a Creative Commons License.
This page was rendered at Friday, August 29, 2008 12:12:47 PM (Pacific Daylight Time, UTC-07:00)