greg hughes - dot net
Note that the contents of this site represent my own thoughts and opinions, not those of anyone else - like my employer - or even my dog for that matter. Besides, the dog would post things that make sense. I don't.
 Tuesday, October 09, 2007
Attention all Portland, Oregon and Vancouver, Washington area peoples: Drop everything, sign up right now (see details below), and meet me to play HALO 3 on two 50-foot ultra-hi-def video movie screens this Thursday (October 11th) at 7:00 p.m. just across from the Portland Airport in Vancouver at Cinetopia. Why? Because it will be the ULTIMATE Halo 3 event. And you're guaranteed a win, because I will be there. Bonus. Heh.
YOU GET TO PLAY HALO 3 on two 50-foot ultra-hi-def video movie screens (like double 1080p resolution, beautifully up-scaled by some super-fancy equipment to make for an awesome image) and an awesome theater setting, reserved just for us - and the proceeds benefit the fight against diabetes. What more can you ask for? Your donation of $25 (or more) at the door will go straight to the American Diabetes Association. You can also pre-donate online and bring your printed donation receipt to the door. There's room for 120 people, so register today to save your seat(s)!
ALSO -- The first 10 people who let me know (in the comments and/or via email) that they have signed up (details of which are below) because they read it here - and then show up to play - will have their $25 donation matched by me. So let's make this happen! It's for a great cause and will be tons of fun. And blog about this on your own site if you have one. Spread the word! You need to sign up ahead of time so seats can be counted - so please do it now! Here are the details:
- When: Thursday evening, October 11th, 7:00-Midnight (and yes, you can leave earlier if you want or have to, it's not Hotel California or anything)
- Where: Cinetopia - here's a map and their web site
- Who: Due to the content and whatnot, 18 and older, please
- Register for this event at http://iammasterchief.com/ with the RSVP code "FIGHTDIABETES" (and just ignore the fact that the date there is wrong, and you won't get an email confirmation - if you see the PDX event after signing up, you're good to go)
- You can donate online and bring your web receipt, or donate at the door (but either way, please sign up at the link above)
You can also read more about this event on Rich and Scott's blogs. Proceeds benefit the American Diabetes Association (and Scott explains that quite well). Business sponsors of the event include: Aivea, Robert Half Technology, Microsoft, the Portland Area .NET Users Group (PADNUG), the Software Association of Oregon, of course Cinetopia and others. A special thank-you goes out to all of them!
 Tuesday, October 02, 2007
I have realized more and more that the time I'm taking off from working right now is time I need to spend doing the sort of things I can't realistically do while employed full-time. For example, I'm actually considering taking the time (and the expense) to get my private pilot's license. We'll see. That may be a bit of a stretch (and the rainy season is coming). But every time I see Jeremy Zawodny post about airplanes and flying, I get excited about it again. Darn you Jeremy!
I've always wondered what it would be like to travel the highways in a big truck. I'm writing this from northern California because I am on the road this week with my friend Broc (he's the goofball in the picture). He drives an 18-wheeler for his family's moving company. We left Portland on Tuesday and we're driving someone's household items to Modesto, California. Then we turn around with a different trailer and load and head back home by the end of the week.
I'm not sure exactly what it is about traveling from here to northern California in a semi truck that interests me this much. Seriously, we could be going anywhere and it would be an adventure for me just traveling over the road in the semi for the first time. Add to that the fact that I have never made the trek from Portland to California on the ground (it's always been by air) and it certainly makes for something to look forward to. In fact, I have never driven further south in Oregon than Eugene before today. Considering I've lived here for pushing nine years, that's kind of sad. And the chance to hang out with a friend for a few days is pretty darn cool, so I'm glad he asked.
It was a great drive today - nice scenery. Mt. Shasta is incredible and huge. It was amazing to be able to see it off and on for such a long time as we approached it and drove past. The peak is at more than 14,000 feet and much of the surrounding area sits down around 3,000 feet more or less, so you can imagine how it stands out.
Shasta Lake is very, very low right now. Like maybe even 100 feet low, it's crazy. But it looks like a great place to bring the boat for an extended trip next year. It's on the list. What would you do if you had unlimited flexible time? I'm always open to new ideas. :)
I've worked in the financial services software industry for years. For the last couple years I ran the security division of a major online-banking software and services provider. Security is paramount in that market. The responsibility that goes along with the role is huge, but it's a responsibility that's shared by everyone involved. Taking security seriously can't be something that happens after the work is done, and it can't just happen at some milestone point in a project. It needs to be an ingrained principle, part of the way things are done from beginning to end. Threat modeling, loosely-described, is a design process by which you examine your software application design through the eyes of the bad guys, in order to determine what your design needs to take into consideration and how it should be built to protect against malicious threats. From the design phase you take your documented threat model into development and use it as a living document throughout the development lifecycle. Or at least that's how we did it. Larry Osterman, who's worked at Microsoft pretty much forever, is a pro when it comes to threat modeling and secure coding. I haven't ever met Larry, but I've read his thoughts on the topic and they're solid. He's written before a couple times about this, and more recently (over the past month) he wrote and posted a series of excellent articles on his blog about threat modeling at Microsoft in the Windows division. If you're into this sort of thing, as I am, it's also very interesting to look back at his articles from the earlier years and to compare how they do things today. They've matured quite a bit. I'll leave the narrative and examples to Larry, but let me add this by way of punctuation: Threat modeling takes some time and effort, but understand that security is a critical component of quality. Reputations (and therefore businesses) depend on it. 
It takes a very intentional process to properly understand the landscape and to look at all the threats and vectors of attack. It's not easy for people to shift gears. Most developers spend all their time thinking in terms of getting software to function according to customer requirements. Just as important is making sure it won't do what the bad guys want it to do. So, if you're ready to argue that you don't have time to do threat modeling, I have a solid argument (several of them really, which are backed up by real-world proof) that you can't afford not to. Threat modeling is risk management for the software industry.
And then there's the very-real side benefit of threat modeling. When your designers and developers sit down before building the product and really start to think about all aspects of quality in a formal, documented manner, you don't just get security improvements. They'll be seeing and thinking about general product improvements that you just won't get otherwise. I can't tell you how many times someone has come to me during a threat modeling process with a look of glee in their eyes, excited to tell me "hey this threat modeling stuff is pretty cool, and we even came up with some other stuff that isn't strictly security-related but will make it a much better product. I'm glad we did this."
The rule of the game is strategic thought, proper defense, quality first, and better software done faster that costs less. And it can happen if you let it. If you're a software developer, tester or product manager and you don't know what threat modeling is and how it works, you're missing out on something that really should be required in this day and age. So here is what you should do:
- Read Larry's articles, they're quite good.
- Buy three books (you'll notice Michael Howard is an author on them all):
- Be a leader and implement what you learn.
 Monday, October 01, 2007
Update: Engadget has the details of the formal release today. Looks like this Tuesday in Redmond will be Zune 2 day. I've been curious what they'll come up with for the next-generation device. I don't own one yet. Several friends of mine do. It's a nice device which (for me) has a couple imposed limitations that make it not as useful for me. Rumors floating around about Zune 2 include a flash-based memory design (instead of hard drives), thinner case and WiFi integration (but we'll see if it's the classic Zune hobbled WiFi or something more useful). Also, word is there will be a new community site for Zune users announced. For my part, I hope there's some revolution in the announcement, not just evolutionary changes. That might catch my wallet's interest. via BetaNews
 Thursday, September 27, 2007
iTunes (and my friend John) reports that v1.1.1 of the iPhone software is available. Since I have third party apps installed, I am hesitant to install it just yet. My phone has not been unlocked carrier-wise, but app-tap is on there. I think I will wait a little while and see what people have to say. No point being the guinea pig on this one. :)
UPDATE: I was able to update my app-tap-modified iPhone to v1.1.1 without a restore required, no problems. Of course, I no longer have any third-party apps on the device, so I will be looking for updates there in the next few days.
Where to look in early moments to see what works and doesn't? Well, Engadget is such a great place...
mcg @ Sep 27th 2007 2:14PM
What the hell, I'm trying it now. I haven't unlocked my SIM but I have AppTapp installed and a number of applications, including SummerBoard. I'll let you know how it goes.
Ben Kreeger @ Sep 27th 2007 2:16PM
Yes, please let me know what happens; I've got AppTapp installed.
mcg @ Sep 27th 2007 2:19PM
Oops, it's probably best that I reply to my original post. I got the dreaded "unknown error" when attempting to install the software right off the bat. Maybe undoing jailbreak would have averted that problem, but what's done is done. Now I am having to use the iTunes Restore Phone feature. Looks like I'll be losing my apps and my data. No big deal to me, really, but beware. I'll post again when I'm up and running with 1.1.1.
mcg @ Sep 27th 2007 2:25PM
Now I'm back in action. Lost apps and data. Had to reenter my voicemail password. Interestingly, I have a new icon next to the standard BlueTooth blue icon---it's in the shape of my bluetooth headset. Looks to be a battery meter. Nice.
mcg @ Sep 27th 2007 2:27PM
Now I'm syncing my photos, music, calendar, etc. It's going to take awhile, so I'll wrap it up here. Bottom line, if you've done a jailbreak, be prepared to start from scratch.
It would be nice if someone could un-jailbreak the phone and see if that prevents us from having to reinstall everything.
Arjan Zuidhof, a .NET software engineer in the Netherlands, comments briefly on his linkblog regarding our recent podcast show and interview about being a DBA: "When was the last time *you* listened to a podcast? Honestly? One of the things I know I should do more, but, ahh, the lack of time is standing in the way. Still, learning how to be a better DBA is definitely a healthy career path if you don't know where to go..."
That got me thinking. Arjan's point seems to be consistent with those of many others, and truthfully I have to include myself in that list of people who have found podcast consumption to be too hard from time to time. I have found myself wondering aloud and to myself how in the world anyone can possibly get the technology to work seamlessly, find and organize podcasts, have them in a place where they can be consumed, and still find the time to actually listen to them. And then there's the whole (somewhat true) problem I refer to as the "most-podcasts-suck" phenomenon. It can be painful and a bit of work to find a good show, let alone stick with it.
But some of the best learning I have done over the past year or two has been from podcasts, so I can tell you there is a tangible benefit. I listen to a total of maybe 6 or 7 podcasts, and I listen whenever I find I have the time. I don't listen to every episode in its entirety, either - it has to keep my interest. I also don't plan it all out or have a podcast listening schedule. And I have found that's important for me if I am going to be part of the podcast "listenership." The first thing I had to do was to have a set of tools that make it possible to listen without having to think about it. Here are the tools that I have found actually make it possible, in my real world:
- iTunes - Love it or hate it, the fact of the matter is, iTunes makes subscribing to and consuming podcasts freakin' easy. And on top of that, you get show ratings, the podcast directory on the iTunes store, and a lot more. Plus, when you consider that the producers of a podcast have to work to get their show into iTunes, it raises the bar slightly and as a result the signal to noise ratio is a little lower.
- The Mac Mini on my kitchen counter - With some compact speakers and the iTunes client running on it, I just load the Added recently playlist and listen. Obviously, this could be a Windows machine or whatever. The point is, in the space where you spend your time, it's good to have the ability to let stuff play in the background, and your primary iTunes subscription point should be there.
- iPod (or iPhone in my case) - The thing that matters the most here is that you need to have it with you all the time. Truth be told, my iPod saw so little use day-to-day that I seriously consider that particular purchase to be a waste of money. I have a friend who has actually used it much more than me. But the iPhone, on the other hand, goes everywhere with me. As a result, the iPod content on the phone actually gets listened to. I cannot overemphasize the importance of this point: Listening needs to be something you just do. The planning part should be limited to the discovery of and subscription to content. After that, the whole idea is to focus energy on the shows, not the delivery mechanism. Else you'll find yourself frustrated and giving up. And that's, well, pointless.
I'm a Windows and Wintel guy primarily, so you might be surprised to see the glaring consistency in manufacturer above. Get over it, I did. And it works. That's what matters. My point here is this: The time it takes to actually listen to podcasts is often confused and munged with the time it takes to be able to listen to podcasts. I'm not saying that Arjan's situation is specifically that, but rather his comments caused me to think through some common frustrations based on my own experience and the experiences of others. I've heard many people say they just can't find the time for it. I know I certainly get frustrated with shows that ramble on and on and present nothing useful. That's why - for example - Scott Hanselman's excellent Hanselminutes podcast is intentionally compact and focused on a specific audience, and it's why we work hard to keep RunAs Radio around 30 minutes per show and focused on topics for IT professionals. What I've found is that if you can work out the technology part of things, and then be willing to spend a little bit of time here and there glancing at recommendations made by others and which fill your own interests, you can learn and consume a lot of good stuff in the "between" time (and still have time left over for other stuff). For those who roll their eyes and doubt, here's my "preachy" thought for the moment - for what it's worth: If your schedule won't allow you to listen to a podcast every week or two (and this statement is coming from a true workaholic, people) you might want/need to take a hard look at your schedule and figure out what's wrong with it. Missing out on good information, whether it be written or recorded or what have you, is an unfortunate and damning side effect of too-much-ness. We all got to where we are today by learning, and stopping now really isn't an option - unless our goals are to slide backward and relegate ourselves to being second-best. 
There should be time for family and friends, time for yourself, and then time for work. Anyhow, a special thanks to Arjan for making me think. :) Do you listen to podcasts? Or do you find you can't? Why or why not? What is the one thing podcast producers could do today that would make a real difference to you, the kind of difference that would make it really worthwhile for you to spend some time with them? Ready? Discuss!
© Copyright 2012 Greg Hughes

This work is licensed under a Creative Commons License.