greg hughes - dot net
Note that the contents of this site represent my own thoughts and opinions, not those of anyone else - like my employer - or even my dog for that matter. Besides, the dog would post things that make sense. I don't.
 Tuesday, November 06, 2007
People just don't think, research or plug in their brains a lot of the time before speaking or typing. Such was the case the other day over at Kim Cameron's Identity Weblog, which was defaced recently via a vulnerability in the blog application software used to drive the site. Kim is a Microsoft employee and is their Identity Architect. So, he's in a public-facing security role at the company.

As Kim points out, people came out of the woodwork in the comments on a very brief ZDNet article to slam Microsoft, its applications, the fact that the site was hacked, etc. What they did not realize, even after it was pointed out to them a few times by others, is that the site runs on a BAMP architecture (similar to LAMP, but in this case it's BSD Unix, Apache, MySQL and PHP). Kim's site runs 100% on non-Microsoft products. The vitriolic commenters on the ZDNet site slammed Microsoft technologies where none exist, and extolled the virtues of using - for example - Linux, Apache, MySQL and PHP -- the very platform that they did not take the time to discover (or even ask) had just been victimized. You know what they say about assuming things? Yeah.

Security threats are real and exist on all platforms equally, not just IIS and Windows, not just in Windows applications. Bad programmers are bad programmers, and even when well-programmed, new threats arise all the time and need to be remediated once known. There's nothing about that fact that's Microsoft-specific, and to assume such is irresponsible.

I like and respect Kim, and the work he has done is excellent. His evangelism of the need for better forms of identification, authentication and credentialing has been invaluable, and his emphasis on the broad-spectrum community, not just Microsoft, is the right way to address the issues that cross all platforms and application types.

I have seen this non-thinking, just-fire-off-at-the-mouth, *nix-fixes-everything mentality backfire on people before, to great cost. Any system administrator who thinks running anything other than Windows solves their security problems or obviates the need to test, patch, review and maintain has his or her head stuck so far in the sand we have to strain to see their backside.

Thinking and reasoning is what makes people special and unique. Take the time to know the facts, understand the circumstances, and reason based in reality.

Facts: Problems exist everywhere - Windows, Linux, OSX, PHP, ASP.NET, you name it. More often than being caused by an underlying platform issue, most security vulnerabilities and exploits are the result of programming errors, a lack of defensive programming style, and poor test coverage. I've managed enough software development with a specific focus on security of the applications to know you can create a completely locked down platform on any of the options available, whether Linux or Windows or other. But if you don't have a solid application, you're screwed. It's a lot like buying a great alarm system with laser detectors in the ceiling, trip wires on the roof, foot-thick ceilings of concrete to prevent break-through, glass break sensors on explosive- and projectile-proof glass ... and leaving the front door standing open.

Kudos to Kim for keeping his cool personality in the face of all this and, as always, providing a measured and reasoned response. As he says, "There’s a lot of ideology to get past in teaching people about security." So true.
 Tuesday, October 30, 2007
Modesto, California - home to the annual Ninja Parade, was once again treated to an amazing display of Ninja skill this year. Thank you, Onion News Network, and to Alex for passing this along. :)
 Sunday, October 28, 2007
November will be a busy month of conference travel for me. On November 7th I'll fly briefly to Las Vegas for a quick panel gig at the DevConnections conference (I'll be there Wednesday afternoon and all day Thursday), followed by a more extensive trip on Saturday the 10th to Barcelona, Spain. I'll be there for the entire IT Forum week of Microsoft's TechEd Europe conference. I've never been to Spain before, so I'm looking forward to the trip. If you'll be at either of the shows, let me know and hopefully we can meet up and say hi. I'll be there in part to help run some floor events and to record more interesting interviews for our RunAs Radio shows. I'm also going to stop off in the SF bay area on my way back from Spain to spend Thanksgiving with my dad and family there. By the time I get home it will have been two weeks on the road.
 Friday, October 26, 2007
There's been a slight lack of specific information about the actual Gmail IMAP rollout timeframes (the phrase being thrown around - "a few days" - is sufficiently vague, yet it tends to make one think of the number "three"), as well as a lack of information about Google Apps email service and IMAP on that system (as opposed to the generic Gmail platform).

Some people already have IMAP enabled. I don't yet. I'm a little bummed, but I know how these massive rollouts for a system this size can be. They don't just happen automagically. So I exercise patience and use this time to drive myself nuts, heh.

Anyhow, I went looking for some specifics over at the Google Help site today, and found some new content in the Apps for Administrators specific help, as well as a linked description of how long it may be before I see it show up in my Apps email accounts:

"We're working hard to roll out IMAP access to all our users, but it'll take about a week. To use IMAP, you must have your interface language set to 'English (US)'. You'll know that IMAP is available in your account when the Forwarding and POP tab in your settings becomes Forwarding and POP/IMAP. Until then, thanks for your patience!"

There's a variety of other IMAP Setup related topics there as well. And you'll want to check out these third-party resources for some details in configuring things like iPhone and Thunderbird (or any client, really) so it works just the way you want it to:

So, within less than a week it sounds like, and I have the info I need to optimize my clients when it does happen. Nice - that helps. :)
I got up this morning to the first frost of the season. It's cooled off quite a bit here the past week or so. I snapped a couple pictures. I like shadow-light images with a little contrast punch. You still cannot record images digitally quite the same nice way you can with film. But you can fake it if you try, and it costs a hell of a lot less per shot, that's for sure. Makes it way too easy to be lazy and trust in your luckiness though. I miss film. Heh. Also, I have added a "Photography" category to the site, with its own RSS feed as well, since that's been a bit of a missing piece here.
Looks like you can now (finally) link multiple Windows Live IDs together. You may also know them as your Passport login addresses (Microsoft did a name change a while back).

If you have a Windows Live ID that you use for work and one that you use at home, you can link them so that you only have to sign in to Windows Live once to manage all of your accounts. When you link more than one Windows Live ID, you can sign in to a Windows Live site or service with one account and still have access to information related to the linked accounts.

Go to http://account.live.com and log in with your Live ID that you use primarily. You'll see a screen like the one below:

Once you click the link to link your LiveIDs, you'll be asked to provide the necessary information, and one more click 'til you're all set:

Once linked, you can choose which LiveID you want to use on site with a switcher-link, like this one:

Nice stuff. Now I can switch between my LiveIDs without going through the pain of signing in and out all the time.
© Copyright 2012 Greg Hughes

This work is licensed under a Creative Commons License.