Tuesday, November 06, 2007

People just don't think, research or plug in their brains a lot of the time before speaking or typing.

Such was the case the other day over at Kim Cameron's Identity Weblog, which was defaced recently via a vulnerability in the blog application software used to drive the site. Kim is a Microsoft employee and is their Identity Architect. So, he's in a public-facing security role at the company.

As Kim points out, people came out of the woodwork in the comments on a very brief ZDNet article to slam Microsoft, its applications, the fact that the site was hacked, etc. What they did not realize, even after it was pointed out to them a few times by others, is that the site runs on a BAMP architecture (similar to LAMP, but in this case it's BSD Unix, Apache, MySQL and PHP).

Kim's site runs 100% on non-Microsoft products. The vitriolic commenters on the ZDNet site slammed Microsoft technologies where none exist, and extolled the virtues of using - for example - Linux, Apache, MySQL and PHP -- the very platform that they did not take the time to discover (or even ask) had just been victimized.

You know what they say about assuming things? Yeah.

Security threats are real and exist on all platforms equally, not just IIS and Windows, not just in Windows applications. Bad programmers are bad programmers, and even when well-programmed, new threats arise all the time and need to be remediated once known. There's nothing about that fact that's Microsoft-specific, and to assume such is irresponsible.

I like and respect Kim, and the work he has done is excellent. His evangelism of the need for better forms of identification, authentication and credentialing has been invaluable, and his emphasis on the broad-spectrum community, not just Microsoft, is the right way to address the issues that cross all platforms and application types.

I have seen this non-thinking, just-fire-off-at-the-mouth, *nix-fixes-everything mentality backfire on people before, to great cost. Any system administrator who thinks running anything other than Windows solves their security problems or obviates the need to test, patch, review and maintain has his or her head stuck so far in the sand we have to strain to see their backside. Thinking and reasoning is what makes people special and unique. Take the time to know the facts, understand the circumstances, and reason based in reality.

Facts: Problems exist everywhere - Windows, Linux, OSX, PHP, ASP.NET, you name it. More often than being caused by an underlying platform issue, most security vulnerabilities and exploits are the result of programming errors, a lack of defensive programming style, and poor test coverage. I've managed enough software development with a specific focus on security of the applications to know you can create a completely locked down platform on any of the options available, whether Linux or Windows or other. But if you don't have a solid application, you're screwed. It's a lot like buying a great alarm system with laser detectors in the ceiling, trip wires on the roof, foot-thick ceilings of concrete to prevent break-through, glass break sensors on explosive- and projectile-proof glass ... and leaving the front door standing open.

Kudos to Kim for keeping his cool personality in the face of all this and, as always, providing a measured and reasoned response. As he says, "There’s a lot of ideology to get past in teaching people about security." So true.



IT Security | Tech
Tuesday, November 06, 2007 10:17:40 AM (Pacific Standard Time, UTC-08:00)
 Tuesday, October 30, 2007

Modesto, California - home to the annual Ninja Parade, was once again treated to an amazing display of Ninja skill this year.

    

Thank you, Onion News Network, and to Alex for passing this along. :)



Humor | Random Stuff
Tuesday, October 30, 2007 10:12:19 AM (Pacific Daylight Time, UTC-07:00)
 Sunday, October 28, 2007

November will be a busy month of conference travel for me. On November 7th I'll fly briefly to Las Vegas for a quick panel gig at the DevConnections conference (I'll be there Wednesday afternoon and all day Thursday), followed by a more extensive trip on Saturday the 10th to Barcelona, Spain. I'll be there for the entire IT Forum week of Microsoft's TechEd Europe conference. I've never been to Spain before, so I'm looking forward to the trip.

If you'll be at either of the shows, let me know and hopefully we can meet up and say hi. I'll be there in part to help run some floor events and to record more interesting interviews for our RunAs Radio shows.

I'm also going to stop off in the SF bay area on my way back from Spain to spend Thanksgiving with my dad and family there. By the time I get home it will have been two weeks on the road.



RunAs Radio | Tech
Sunday, October 28, 2007 11:33:15 AM (Pacific Daylight Time, UTC-07:00)
 Friday, October 26, 2007

There's been a slight lack of specific information about the actual Gmail IMAP rollout timeframes (the phrase being thrown around - "a few days" - is sufficiently vague, yet it tends to make one think of the number "three"), as well as a lack of information about Google Apps email service and IMAP on that system (as opposed to the generic Gmail platform). Some people already have IMAP enabled. I don't yet. I'm a little bummed, but I know how these massive rollouts for a system this size can be. They don't just happen automagically. So I exercise patience and use this time to drive myself nuts, heh.

Anyhow, I went looking for some specifics over at the Google Help site today, and found some new content in the Apps for Administrators specific help, as well as a linked description of how long it may be before I see it show up in my Apps email accounts:

We're working hard to roll out IMAP access to all our users, but it'll take about a week.

To use IMAP, you must have your interface language set to 'English (US)'. You'll know that IMAP is available in your account when the Forwarding and POP tab in your settings becomes Forwarding and POP/IMAP.

Until then, thanks for your patience!

There's a variety of other IMAP Setup related topics there as well. And you'll want to check out these third-party resources for some details in configuring things like iPhone and Thunderbird (or any client, really) so it works just the way you want it to:

So, within less than a week it sounds like, and I have the info I need to optimize my clients when it does happen. Nice - that helps. :)



Mobile | Tech
Friday, October 26, 2007 2:53:06 PM (Pacific Daylight Time, UTC-07:00)

I got up this morning to the first frost of the season. It's cooled off quite a bit here the past week or so. I snapped a couple pictures. I like shadow-light images with a little contrast punch. You still cannot record images digitally quite the same nice way you can with film. But you can fake it if you try, and it costs a hell of a lot less per shot, that's for sure. Makes it way too easy to be lazy and trust in your luckiness though. I miss film. Heh.

Also, I have added a "Photography" category to the site, with its own RSS feed as well, since that's been a bit of a missing piece here.



Photography | Random Stuff
Friday, October 26, 2007 11:46:02 AM (Pacific Daylight Time, UTC-07:00)

Looks like you can now (finally) link multiple Windows Live IDs together. You may also know them as your passport login addresses (Microsoft did a name change a while back).

If you have a Windows Live ID that you use for work and one that you use at home, you can link them so that you only have to sign in to Windows Live once to manage all of your accounts. When you link more than one Windows Live ID, you can sign in to a Windows Live site or service with one account and still have access to information related to the linked accounts.

Go to http://account.live.com and log in with your Live ID that you use primarily. You'll see a screen like the one below:

     image

Once you click the link to link your LiveIDs, you'll be asked to provide the necessary information, and one more click 'til you're all set:

     image

Once linked, you can choose which LiveID you want to use on a site with a switcher-link, like this one:

      image

Nice stuff. Now I can switch between my LiveIDs without going through the pain of signing in and out all the time.



Tech
Friday, October 26, 2007 11:33:37 AM (Pacific Daylight Time, UTC-07:00)
 Wednesday, October 24, 2007

For as long as Gmail has been around, The People have asked for IMAP (Internet Message Access Protocol) access to their accounts. Today, that time has come.

Google has announced they are rolling out IMAP across all Gmail accounts over the next few days. What does that mean? It's well-explained on the Gmail blog, right here. A little bird let me know this morning in IM. I really need to stop sleeping in so I can be the first to know every now and then, heh.

Ars technica has a good post explaining IMAP to the layperson and outlining the Gmail situation.

Now comes my big question: Is IMAP functionality also being rolled out to users of Google Apps mail (which is basically Gmail and other Google apps that you can use with @yourdomain.com)? I hope so, since that's the way I use their stuff. In the past Google's typical approach has been to enable new stuff on Gmail before rolling it out to Apps users. I've seen some people this morning claiming it's showing up here and there in apps accounts, but the people saying it are not actually mail for apps users, so grain-of-salt in my book. If you have a Google Mail for Apps setup, is IMAP an option for you yet?

If IMAP in Apps accounts happens (I am sure it will), my iPhone will get changed from POP to IMAP immediately (finally no more tedious deleting and marking as read), and Outlook 2007 or Thunderbird might just get resurrected. Fingers crossed!



Tech
Wednesday, October 24, 2007 10:20:29 AM (Pacific Daylight Time, UTC-07:00)
 Friday, October 19, 2007

I grew up in northern New Mexico. Green chile was everywhere, and found in everything. I remember for a while my dad was on this kick where he dreamed up all kinds of green-chile-in-it dishes. Random, crazy stuff like green chile pancakes and  ... well ... you name it. He had a condition where he couldn't taste much of anything, so I think it was the texture and spice that he liked. Anyhow, long story short: For the longest time I was completely burned out on green chiles.

Then I moved away from the area, and slowly the desire to eat good New Mexican food with green chiles in it returned. By far the best green chile in the whole wide world is from Hatch, New Mexico - a small farming town that's fairly close to where I grew up (well, close in a New Mexico sort of way). There is no debate on this one, by the way. Hatch chile is the best chile. Period.

The other day I decided to make some posole (my current recipe for which is below), and I used chiles in a can from the local (meaning Oregon-based) Safeway store. The posole turned out good, but honestly the green chile leaves a lot to be desired. I was spoiled, ruined, and spoiled again as a kid by Hatch.

I went online yesterday morning to the Hatch Chile Express web site at www.hatch-chile.com and ordered 14 pounds of roasted, peeled, diced and frozen Hatch green chiles from the Chile Capital of the World. You can also get whole chiles there, but unless you're making rellenos there's no point - Get diced and save the hassle of cutting and tossing out parts.

Today, almost exactly 24 hours later, the box arrived via FedEx. The shipment was very carefully and well-packaged, in a strong container with Styrofoam insulation and a frozen cold pack inside, and the 14 one-pound bags of chile were still perfectly frozen and went straight to my chest freezer (after some inspection and sampling of the goods, of course). I ordered mostly medium (since that's what I usually cook with) plus a few bags of hot and mild for good measure. Just the smell of this frozen chile confirmed I'd made a good decision.

Not often I get excited about putting food in my freezer, but as weird as it may sound I was excited today. Hatch chile is that good.

I also ordered some mild and medium variety seed for planting next spring (although the climate here will likely make for a challenging growing season). They threw in a book of recipes (which includes instructions for roasting the chiles if I can get them to grow) as well as several dish options and a handwritten note on the invoice about the varieties I had requested. It's nice to know you're interacting with a real, live person. :)

If you want the best green chile the world has to offer, you go to Hatch, New Mexico. If you can't get to Hatch, then you go online to Hatch Chile Express at www.hatch-chile.com -- and you'll be glad you did. By the way, you can also order wreaths, ristras and a bunch of other cool looking holiday-season stuff there. Highly recommended, check them out. And no, they're not paying me to say that - I am just that impressed and I think if someone sells something great, letting others know is a good thing to do. These are local farmers, actually in Hatch (not some large reseller in some city somewhere), and it's a family-run business. Their phone number and email address are on the web page. There's really no better way to do business.

Here’s my updated and current Posole recipe (an edited version of the one I posted here in 2004), archived here for myself so I won’t lose it, and for anyone else who’s interested and wants to try it:

  • Two #10 cans (108oz) Hominy (Juanita's or a similar Mexican style preferred, fresh or frozen/bagged is even better)
  • Two large yellow onions, sliced and cut up (not diced)
  • One tablespoon (or so) minced/chopped garlic
  • One teaspoon dry oregano (Mexican oregano if you can get it)
  • One envelope/package menudo spice mix (a few ounces, optional)
  • One quart (or less if you prefer) of frozen or canned green chiles, diced, preferably hot or medium strength (do not use jalapenos – use real green chile)
  • Salt (plenty)
  • Pepper (plenty)
  • Two pork tenderloins, about 4-5 pounds each
  • Olive oil

In a large stock pot (16 to 20 quarts size), combine the hominy, onions, garlic, oregano, and green chile. Fill with water to cover the ingredients, plus a little more (don’t get too worried about the water – just make sure it’s pretty full). Salt and pepper the heck out of it, and plan to do so again later. Turn on the heat and bring to a boil while preparing the meat.

Cut the pork into small cubes or similar shape pieces (like you can cut pork into cubes, yeah…). In a frying pan, heat a small amount of olive oil and brown the pork slowly, adding some salt and pepper to the meat.

After browning the pork, add it to the stock pot contents, and stir the meat in. Once it boils, turn the heat back to simmer the stuff. Simmer for about 15 minutes, stir, and boil again. Do this twice, then simmer again on low heat.

Now comes the hard part – leave it alone until the cows come home, stirring about every 30 minutes. Keep it on low heat, just enough to bubble a little, to avoid burning the food at the bottom of the pot. "Until the cows come home" translates loosely to anywhere between say five or six hours and overnight (depending on what time you start, I suppose). Trust me – let it cook down, it needs it. Add some water as needed to keep the stock covered. It will thicken up a bit as it goes.

And don’t be stingy with the salt and pepper in this recipe – you’ll need it. You will probably find you need to add some salt while cooking one or more times. Stir it in and cook for a few minutes, then stir again and taste.

Serve with tortillas, and if you want grate a little cheese on top when you serve it up.



Personal Stories | Random Stuff
Friday, October 19, 2007 12:12:01 PM (Pacific Daylight Time, UTC-07:00)
 Thursday, October 18, 2007

I didn't realize this site actually existed until now. The Microsoft Developer Network's Beginner Developer Learning Center, located at http://msdn.microsoft.com/vstudio/express/beginner/, looks to be a useful resource for people wanting to get a start in software development. The site has two "tracks" available: Web development and Windows app development, using the Express versions of Visual Studio.

Welcome to the Beginner Developer Learning Center - a centralized learning environment specifically targeted to beginning programmers. Here you'll find a rich array of learning content that starts with the very basics, and guides you through step-by-step to becoming a fully-fledged developer!

No experience or programming knowledge required - so dive right in!

So, hey kids - Go get learning!



Tech
Thursday, October 18, 2007 6:22:16 PM (Pacific Daylight Time, UTC-07:00)

While I won't be able to attend myself (since I will be at TechEd in Spain at the time), the Seattle Code Camp is set to take place November 17th and 18th in Redmond. Anyone interested in presenting or attending (it's free!) can go to seattle.codecamp.us for more information and to get signed up.

Code Camp is a new type of community event where developers talk with—and learn from—fellow developers. All are welcome to attend and speak.

Code Camps are (1) by and for the developer community; (2) always free; (3) community developed material; (4) no fluff – only code; (5) community ownership; and (6) never occur during working hours.



Tech
Thursday, October 18, 2007 1:23:07 PM (Pacific Daylight Time, UTC-07:00)
 Tuesday, October 16, 2007

Recently I have been working on writing a set of practices for taking the IT Help Desk to the next level. Well, actually it's about fixing what's broken and reworking the people, processes and technology components in order to be a great, service-oriented help desk with happy customers and happy, motivated employees. And yes, it is possible to have it all.

At any rate, I read this blog entry by Tim Heuer recently, and it illustrates well the common problem with IT support processes. Read and weep.

When you read something like that and both laugh and cringe (mostly cringe in my case), it makes you think.

ITIL, COBIT, and everything else standards-based aside, there's a whole slew of internal motivations and behaviors common to IT organizations and customers, yet not really addressed by standards, that can make or break the success of your service desk and organization. Having processes and checklists in place is great, but what makes for a really great IT organization? What makes someone a great help desk customer?

You never get perfect (on either side of the desk). But you can run a practice that is measurably successful and does more than maintain status quo (not always a good thing, by the way) and just get the job done.

What are some of your help desk stories, good or bad? What have you seen that works? For all that is decent and tactful, please don't disclose your employers, any people or specific teams here (or they'll be deleted). But some illustrations would be great. Just be nice. :)



Management | Tech
Tuesday, October 16, 2007 4:01:07 PM (Pacific Daylight Time, UTC-07:00)

Adam Shostack of Microsoft takes a critical look at threat modeling and changes to TM processes in a short series of posts on the MSDN Security Development Lifecycle (SDL) blog. It's a good read, especially when aligned with Larry Osterman's recent writings (which I mentioned recently) and those of others. If you're not a reader of the SDL blog and you're a security person or developer, I recommend it highly, by the way.

"In this first post of a series on threat modeling, I’m going to talk a lot about problems we had in the past. In the next posts, I’ll talk about what the process looks like today, and why we’ve made the changes we’ve made. I want to be really clear that I’m not critiquing the people who have been threat modeling, or their work. A lot of people have put a tremendous amount of work in, and gotten some good results. There are all sorts of issues that our customers will never experience because of that work. I am critiquing the processes, saying we can do better, in places we are doing better, and I intend to ensure we continue to do better."

Here are quick links to the blog articles by Adam. Those interested in secure development need to know and use a threat modeling process, and a critical view of said processes is important, so it's good to see this healthy example:

(also via Michael Howard's blog, which is a must-read security resource, too)



IT Security | Tech
Tuesday, October 16, 2007 9:06:07 AM (Pacific Daylight Time, UTC-07:00)
 Saturday, October 13, 2007

Okay, who wants to add me for Halo 3 fun? My XBox Live gamertag is gergin8or. I'm pretty lame at these games but what the heck. What's yours?



Geek Out | Random Stuff
Saturday, October 13, 2007 1:42:38 PM (Pacific Daylight Time, UTC-07:00)
 Thursday, October 11, 2007

UPDATE: The question of whether this actually tells you whether you're left or right brained has come up (I wondered myself how legitimate of a brain test this could actually be), and a post right here on greengabbro.net offers a reasonable and well-written explanation as to why it likely does not, in fact, tell you much of anything about your personality or brain. There's also some links to some interesting auditory "illusions" that I found quite interesting. But still, regardless of the braininess of the image, please enjoy playing with the illusion below. It's true that it can be seen turning either way (it's an illusion). But it's also still very interesting that different people see it different ways on the first try, or more often than not the first several tries.


The Herald Sun, a newspaper in Australia, has a cool page up with an animated image that can tell you whether you are right- or left-brained. Here is the original page, with the details.

Look at the image below. Which way is the dancer model turning, clockwise or counterclockwise?

Most people see it turning counterclockwise, which is correlated to being left-brained. If you see it turning clockwise, you're right-brained. Can you make it change directions? For some it can be difficult to impossible. I can get it to change briefly if I really try (I see it turning counterclockwise).

Here's what they say it all means:

LEFT BRAIN FUNCTIONS

  • uses logic
  • detail oriented
  • facts rule
  • words and language
  • present and past
  • math and science
  • can comprehend
  • knowing
  • acknowledges
  • order/pattern perception
  • knows object name
  • reality based
  • forms strategies
  • practical
  • safe

RIGHT BRAIN FUNCTIONS

  • uses feeling
  • "big picture" oriented
  • imagination rules
  • symbols and images
  • present and future
  • philosophy & religion
  • can "get it" (i.e. meaning)
  • believes
  • appreciates
  • spatial perception
  • knows object function
  • fantasy based
  • presents possibilities
  • impetuous
  • risk taking

 How's it look to you? What do you think?



Random Stuff
Thursday, October 11, 2007 11:32:39 AM (Pacific Daylight Time, UTC-07:00)

Windows Home Server, a way-cool implementation of the operating system that lets you easily create a flexible and remotely-accessible storage point, is now available for purchase on newegg.com. The price (as of the time of this posting) is $189.99, and it's worth every penny.

What is Windows Home Server? In a few short words... Backups, share and access files, easy setup (simpler than a VCR to use) and you just add drives to grow over time. Plus there's a bunch of cool add-ons already available. If you're a Windows geek, it's based on Windows 2003 server, so adapt away!

First of all, you should read a few of the reviews on the newegg page. They accurately and effectively describe the high points (and the remarkably few lower points) of the product. And here is a marketing description of the product that hits the basics:

Windows Home Server helps you pull together and protect all your family's files in a single, central location that makes sharing easy.

Protect the things you care about
Keep all those digital memories safe for future generations with features like automatic daily backups and full system restore.

Connect with your friends and family
Share your photos, music, movies, and other files from a single, central location that everyone in your home can get to. Friends and family can see and share any files you want, whether they're in another room or another country.

Organize everything all in one place
This smart hub helps your family organize all your shared files in one place. Windows Home Server cuts down on clutter and brings order to digital chaos.

Grow into the future
You can add more space easily whenever you need it, so no more hard choices about what to keep and what to delete. And new products and services will be added as Windows Home Server keeps growing and getting better.



Tech
Thursday, October 11, 2007 7:20:19 AM (Pacific Daylight Time, UTC-07:00)