SharePoint, XBOX, .NET, Technology - What I am reading


   

1:49 Toronto SharePoint Camp: This Saturday! >> ASP.NET Blogs

Toronto SharePoint Camp

Volunteer night is Wednesday at Nexient (2 Bloor West, at Yonge). If you'd like to be one of the intelligent, wonderful, sexy people we call our volunteers then click through the picture and get in there!

Registration is filling up fast, so if you're planning to come out, please get your name and e-mail address in today. Confirmations will go out prior to the event; note that the site does not display a confirmation message. Freebies from our sponsors are available for the first 200 people through the door who registered on the site. If you're not sure whether you can come Saturday, you're welcome to "just show up" but will not be eligible for the free swag.

There will be 12 to 15 great sessions through the day from a stellar cast of presenters. You can get details about most of these on the website already, all will be there soon.

On Saturday, Check-in starts at 8:00am, and the first sessions start at 9:00am. For the last session, we'll wrap up with a Roundtable Panel where you can throw questions at your favourite speakers. Then it's on to the raffle (complete your evaluations!) where you'll have a chance at one of many, many great prizes. Check-out is at 6:00pm, soon after which my Event Receivers will be firing up for beer.

See you there!

 

1:34 Unit Testing in VS 2008 - Still not there >> ASP.NET Blogs

I'm starting to take a look at VS 2008 and writing down some things that are still "not there":

image Are you kidding me?

image

Someone is not paying enough attention, or has their priorities screwed up.

0:58 Silverlight Plugin Unable to do Height Percentage in Firefox >> ASP.NET Blogs

I recently published a video on resizing Silverlight controls.  I just observed an odd behavior in the Firefox browser when setting the height of the plugin to any percentage (10%, 50%, 100%).  I can set the width to 100%, as the screenshot below indicates:

silverlight in firefox browser with width at 100%

Notice the height is set to 100, not 100%.  Now, if I change the height to 100%, this is what happens:

setting height to 100% causes silverlight control to disappear in silverlight

By setting the height to a percentage (of any number) in Firefox, my silverlight control disappears.  If I set the height to a percentage in other browsers - the control behaves as it should.  Anyone know why height percentage does not work in Firefox?

10:29 Washington >> Joel on Software

The World Tour trudges along. Babak and I took the fast Acela train down to Washington DC and checked into the Crystal Gateway Marriott.

Nice turnout in Arlington today: about 150 people.

This Thursday, in Austin, at 5:30 Central Time, Jim and Ossie from NewTek are working on getting a live stream going so you can watch the demo as it happens. To get a high-speed internet connection in the meeting room, we have to pay the hotel an extra $100. After all the other hotel bills, that actually sounds kind of reasonable, believe it or not.

Anyway, the live stream is going to be in WMV (Windows Media) format. The URL for it will be here. A couple of days later I'll get the flash version up if you have any problems with the stream or want to watch it later.

After the demo we managed to break the automated check-in machines at the Delta airlines check-in counter, trying to move to an earlier flight. Eventually a nice human at the counter straightened it out.

Now in Atlanta. See ya!

Not loving your job? Visit the Joel on Software Job Board: Great software jobs, great people.

10:29 Another week... >> Joel on Software

This week's travels: Arlington (outside Washington, DC), Atlanta, Dallas, Austin, and Boulder (outside Denver).

You can still sign up. We've been doing a pretty good job of getting everyone in, so don't worry if you're waitlisted... we'll probably fit you in.

Thursday's Austin event will be available on the internet, somehow, thanks to NewTek who will be bringing a TriCaster... a backpack-sized broadcast studio. Details to be announced.

Coming in November: Dublin, London, Cambridge, Amsterdam, and Copenhagen. More details later this week.


10:29 Stop the catalogs >> Joel on Software

I remember in college trying to call the catalog companies to get them to stop sending me mountains of paper catalogs. It was futile. Most of them had no way of doing that, and even if you got off the list, you'd always find your way back on again two months later.

Catalog Choice (it's a .org) contacts catalog merchants on your behalf and gets them to stop sending you catalogs. For free.

Great idea, excellent implementation (very nice Ajax UI and great graphic design), and I'll let you know if it helps.

 


2:29 BillG on UC >> MSDN Blogs

Read all about our vision for Unified Communications as the formal launch kicks off in Bill's latest executive email to customers.

http://www.microsoft.com/mscorp/execmail/2007/10-16unifiedcommunications.mspx

"The Age of Software-Powered Communications"

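2:10 [DLR] MS-PL and MS-CL have been approved >> MSDN Blogs

The Microsoft Public License (MS-PL; originally "Permissive", since renamed to "Public"), the license adopted by the DLR as well as IronPython 2.0 and IronRuby, has been approved by the OSI.

Now that it is an open source license, I hope that more people will be willing to help with development.

PS: IronPython 2.0A5 has been released. IPCE R6 from FePy, which supports 2.0A5, has also been released.

1:58 Multiprocessor support in Visual Studio 2008 itself >> MSDN Blogs

As a development environment, Visual Studio 2008 can take full advantage of multiprocessor and multi-core processor systems.

Although there are some restrictions, builds can now be run as separate processes, one per processor. For example, on a computer with two processors, two build processes can be run.

 

For details, see the explanation at the URL below (currently in English).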

http://msdn2.microsoft.com/ja-jp/library/bb383805(VS.90).aspx

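1:39 Understand Microsoft Software plus Service (Understanding Microsoft's Software plus Services) >> MSDN Blogs

Recently, when searching the Internet, apart from Tim Chen's departure, the Microsoft topic that comes up most is Microsoft's "Software + Services" strategy. The various media outlets have explained Microsoft's S+S strategy from different angles, but unfortunately, apart from quoting a few words from Ray Ozzia and StevenB, they still leave outsiders thoroughly confused.

As I understand it, Microsoft's S+S has two levels.

The "software plus services" that Microsoft refers to means, first, network services, and second, the software that Microsoft installs on computers.

Specifically, there are three kinds. First, MS provides an infrastructure platform on which services can be offered, for example LH+IIS7, on which users can define, customize and deploy their own services. Second, MS and MS's partners/customers can deploy Microsoft systems that serve third parties, for example Exchange Hosting. Third, MS provides customer-facing services such as Live.

That is the first level of Microsoft's Software + Services. At the second level, I think it is "composite applications". To quote Ray: “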

Software + Services is Microsoft’s approach for the next generation of computing. By bringing together the best of both software and services, we maximize capabilities, choice and flexibility for our customers. The power of local client and/or server software combined with the community and always up-to-date nature of services will beat software-only or service-only approaches. The broad Software + Services approach unites multiple industry phenomena including software-as-a-service, service-oriented development and Web 2.0 under a common umbrella. The entire industry is converging on a Software + Services approach, with different vendors approaching it from different starting points.”

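From this passage it can be seen that S+S merges concepts such as Web 2.0, SOA and SaaS, and is a broad concept covering user experience, software deployment, system federation, application composition and software economics.

User experience: for example, through Live, OBA and similar means, extending the user experience from the client to the browser and from the desktop to mobile devices;

System deployment: SaaS, a new model for system delivery;

System federation: classic SOA, solving the interconnection of data, services and processes across different organizations and different systems

Application composition: this should be a new aspect, one that widens the scope of SOA by extending integration between systems from back-end service integration, data integration and process integration all the way to the front-end customer experience; OBA is a very good example in practice. Incidentally, the introduction of application composition gives hope to those who have embraced SOA, and I believe it will greatly raise the current satisfaction rate with SOA, which stands at only 7%.

Software economics: the new software business model represented by salesforce

One can imagine that, in the sunshine of S+S, future applications will look like this: a customer can check mail at any time from a mobile device and, within the email, process an order through an integrated application without going into a specialized system, then call UPS's courier service to handle the shipment. After shipping, the arrival of the goods is monitored in real time on Virtual Earth via GPS, RFID and the like. Every day, sales analysis is done directly from the device using Excel Service.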

1:11 The Age of Software Powered Communication.. Bill Gates >> MSDN Blogs

Bill G's latest update on the new software powered communication had some comments on this Microsoft Office RoundTable device which I had never really heard of - I did a Live Search and found this blog by Tom Keating that gives us a pretty good review of what it does. Other notes - a $5.0 Million dollar saving internally by Microsoft by moving to this solution.

The RoundTable Picture

Microsoft Office RoundTable

1:02 100+ Office Visual How To’s >> MSDN Blogs

It's been about 10 months since we started publishing Office Visual How-tos (VHTs), which is a compound content type, mixing a short how-to article, code samples, and a video of that code sample in action. The wealth of this content type is that you can watch a quick video to visualize how a feature works and then you can read conceptual information and grab a code sample. We also provide a list of related resources for further reading and learning.

Here's a sample VHT: Setting Conditional Formatting in Excel 2007 and here's a pointer to a blog entry where I explained the project in detail. I am happy to share that we have published more than 100 VHTs. We have been lucky to have well-known MVPs and experts collaborate with us and contribute some VHT. A few names come to mind: David Gerhardt, John Peltonen, Ken Getz, Patrick Tisseghem, Ted Pattison, Joel Krist, Steven Hansen, and many other Microsoft programmer writers and product team members.

Another interesting fact is that the VHT content plan attempted to cover most relevant developer features of the different 2007 Microsoft Office system products, servers, services, tools, and technologies. We worked very hard to cover as many MOSS, WSS, Office Core, Office Client, and VSTO code samples. I pulled some numbers from our editorial calendar this morning to track the distribution of available VHTs by product and here's how content looks like today:

The Office Developer How To Center provides a list of available VHT by title. Because we have so many articles to promote, it's getting hard to list all on the MSDN Office Developer Center. To help a bit with discoverability, I built a quick html image map to help you find VHTs by product. Just use the image below and click the product name to go to the MSDN Library node where we list all VHTs by product.

We are interested in getting your feedback and comments. You can rate the articles and send comments using the Click to Rate and Give Feedback link located at the top right corner of the MSDN Library. We have a system that helps us track comments and ratings for every technical article and content asset living under the Office Development node of the MSDN Library. We hope you find this content useful and if you find errors in code or broken links, please let us know so we can fix them! Feedback is always appreciated. In fact, here's a few nice comments for VHT content that we pulled last week:

Finally, some people would like to have the videos available in Zune and IPod format, so we will start looking into this soon.

1:00 BPIO University - great training opportunities for partners >> MSDN Blogs

BPIO University 2 Day Workshop - Sales Track for Partners

This 2 day interactive workshop – targeted at Partners participating in the BPIO Campaigns – has as its outcomes:

·     to provide an overview understanding of the BPIO Campaign

·     to provide some relevant sales and marketing knowledge/skills/processes to assist Partners generate and convert leads relevant to the BPIO Campaign

·     point Partners towards a range of resources to assist them to capitalise on the opportunity provided by the BPIO Campaign.

By using tools made available by Microsoft to work with customers to understand their current level of optimisation, Partners can work with their customers to plan a path to achieve the highest level of business productivity infrastructure optimisation.

The BPIO University targets a number of solution areas including:

·     unified communications

·     collaboration

·     enterprise content management

·     enterprise search

·     business intelligence

This course will also supply you with all of the materials and tools you need to expedite the sales process and close deals faster.

REGISTER NOW https://www.local.microsoft.com.au/australia/events/register/home.aspx?levent=300213&linvitation

 

1 Day Jump-Start on Collaboration (MOSS), Enterprise Content Management and Search - Technical

The Jump-start is an interactive training session which provides you with the technical introduction and understanding of Microsoft Office SharePoint Server (MOSS), Enterprise Content Management and Microsoft Search from an architectural and solution overview perspective. The session is an Instructor led “chalk & talk” and does not include any hands-on technical labs.

These sessions are ideal if you are a technical person needing to cross train your Microsoft skills and gain an understanding of how these technologies work together in an overall solution. These sessions are led by an experienced ‘in the field’ instructor to give you the fast track introduction and guidance you need as part of your skills enablement roadmap.

Audience: Technical Pre-sales, Architects new to these technologies, Technical Consultants & System Engineers needing to cross train.

Technical Level: 200

Topics covered:

· A lap around the architectural landscape – The Microsoft 2007 Office System

· Understanding MOSS 2007 – features out of the box

· Collaboration Overview

· Understanding Enterprise Content Management – what this means to your business

· Enterprise Search capabilities

· Architecting a business solution so that its data is included in the Enterprise Search experience

· An overall solution summary

REGISTER NOW https://www.local.microsoft.com.au/australia/events/register/home.aspx?levent=799160&linvitation

 

1 Day Jump-Start on Unified Communication (Exchange 2007 and Office Communication Server) - Technical

The Jump-start is an interactive training session which provides you with the technical introduction and understanding of Unified Communication, Exchange 2007 and Office Communication Server from an architectural and solution overview perspective.  The session is an Instructor led “chalk & talk” and does not include any hands-on technical labs.

These sessions are ideal if you are a technical person needing to cross train your Microsoft skills and gain an understanding of how these technologies work together in an overall solution. These sessions are led by an experienced ‘in the field’ instructor to give you the fast track introduction and guidance you need as part of your skills enablement roadmap.

Audience: Technical Pre-sales, Architects new to these technologies, Technical Consultants & System Engineers needing to cross train.

Technical Level: 200

Topics covered:

· A lap around the architectural landscape – The Microsoft Unified Communication story

· Understanding Exchange 2007 – features out of the box

· Unified Messaging Overview

· Understanding Office Communication Server – what this means to your business

· Integration with Exchange 2007

· Office Communication Server capabilities and architecting a solution

· An overall solution summary

REGISTER NOW https://www.local.microsoft.com.au/australia/events/register/home.aspx?levent=371999&linvitation

 

1 Day Jump-Start on Business Intelligence and Performance Point Server

The Jump-start is an interactive training session which provides you with the technical introduction and understanding of Business Intelligence and Performance Point Server from an architectural and solution overview perspective.  The session is an Instructor led “chalk & talk” and does not include any hands-on technical labs.

These sessions are ideal if you are a technical person needing to cross train your Microsoft skills and gain an understanding of how these technologies work together in an overall solution. These sessions are led by an experienced ‘in the field’ instructor to give you the fast track introduction and guidance you need as part of your skills enablement roadmap.

Audience: Technical Pre-sales, Architects new to these technologies, Technical Consultants & System Engineers needing to cross train.

Technical Level: 200

Topics covered:

· A lap around the architectural landscape – The Microsoft Business Intelligence story

· Understanding Performance Point Server 2007 – features out of the box

· Architecting Performance Management solutions

· An overall solution summary

REGISTER NOW https://www.local.microsoft.com.au/australia/events/register/home.aspx?levent=723236&linvitation

0:52 Where to get Eval version? >> MSDN Blogs

In the past 2 weeks many potential partners and customers have asked me about the evaluation version of BizTalk Server 2006 R2. You can download it at http://msdn2.microsoft.com/en-us/evalcenter/bb738071.aspx

Please feel free to send me your feedback. Enjoy

0:42 Recorded Webcast: Integrating Groove and Virtual Earth (Mapping technology) with Microsoft SilverLight >> MSDN Blogs

One of my colleagues and fellow Developer Evangelist, Michael S. Scherotter has recorded and made available a screen cast that shows you how to embed a Virtual Earth technology into a Groove Workspace.

image

Click here to go to the video.

~ Robert Shelton

0:40 When Languages Die >> MSDN Blogs

James was talking about endangered languages the other day. I have just finished reading David Harrison’s new book on “When Languages Die – The Extinction of the World’s Languages and the Erosion of Human Knowledge”, which I discovered via Michael Kaplan’s blog. It’s a fascinating account of language disappearance, which takes place because thousands of languages are gradually “crowded out” by bigger languages. Six years ago, there were an estimated 6,900 distinct languages and Harrison points out that by the end of our 21st century, only about half of these languages may still be spoken because their speakers will have abandoned them to turn to more dominant, more prestigious or more widely known languages. Harrison brilliantly demonstrates what language death or language extinction means for us. He focuses on the vast body of knowledge that will soon be lost and explores various knowledge systems (moon phases, folk taxonomies, knowledge encoded in traditional calendars, topographic naming systems…) to show how cultural knowledge is packaged in languages and cannot be transferred when people stop using their language. I found the discussion about number systems enlightening and captivating. He points out that counting systems provide a window into human cognition and that a lot is lost when the speakers of a language decide to move to the decimal counting system. His demonstration is simply superb. Harrison argues that it is urgent to document languages and to do whatever we can to preserve them and to encourage their speakers to go on using them.

Everyone must play their part there. As a software company, we have a number of initiatives to help linguistic communities (see, for instance, the Microsoft Local Language Program which provides Language Interface Packs (LIPs) in a wide range of languages, or the community glossaries of IT terms which are built by local volunteers with the aim of helping local groups promote and preserve their languages – I also talked recently, in French, about a new Breton speller for Office 2007 which was created by a Breton-speaking volunteer who devotes a lot of time and energy to the preservation of his language). We have talked a lot on this blog about proofing tools and building word lists for spellers and other types of tools such as thesauri or word-breakers is certainly something that needs to be done if one wishes to help communities access technology in their languages. To some extent, I feel that Harrison and a group like ours (and several other groups in the company, of course) share a common passion for languages and a common goal: “what scientists can do is to capture an accurate record in the form of recordings and analyses”, he writes. Our technology can certainly help and I hope we will be able to offer even more in the future to help communities preserve their languages. At the same time, Harrison points out that no one but speakers themselves can preserve languages, since there is no such thing as a living human language without speakers (p.10). My sincere hope is that we’ll manage to create the synergies that are necessary to preserve language diversity and perhaps to prevent some languages from dying. Meanwhile, I definitely encourage you to read David Harrison’s book. You won’t regret it.

Thierry Fontenelle – Program Manager

 

0:36 More Partner Training for BPIO-U >> MSDN Blogs

If you are considering developing solutions around SharePoint, Office, Unified Communications or Business Intelligence think about attending this training... if you are wondering what BPIO-U is, it stands for "Business Productivity Infrastructure Optimization University".

BPIO University 2 Day Workshop - Sales Track for Partners

This 2 day interactive workshop – targeted at Partners participating in the BPIO Campaigns – has as its outcomes:

By using tools made available by Microsoft to work with customers to understand their current level of optimisation, Partners can work with their customers to plan a path to achieve the highest level of business productivity infrastructure optimisation.

The BPIO University targets a number of solution areas including:

This course will also supply you with all of the materials and tools you need to expedite the sales process and close deals faster.

REGISTER NOW: https://www.local.microsoft.com.au/australia/events/register/home.aspx?levent=300213&linvitation

 

1 Day Jump-Start on Collaboration (MOSS), Enterprise Content Management and Search - Technical

The Jump-start is an interactive training session which provides you with the technical introduction and understanding of Microsoft Office SharePoint Server (MOSS), Enterprise Content Management and Microsoft Search from an architectural and solution overview perspective. The session is an Instructor led “chalk & talk” and does not include any hands-on technical labs.

These sessions are ideal if you are a technical person needing to cross train your Microsoft skills and gain an understanding of how these technologies work together in an overall solution. These sessions are led by an experienced ‘in the field’ instructor to give you the fast track introduction and guidance you need as part of your skills enablement roadmap.

Audience: Technical Pre-sales, Architects new to these technologies, Technical Consultants & System Engineers needing to cross train.

Technical Level: 200

Topics covered:

REGISTER NOW: https://www.local.microsoft.com.au/australia/events/register/home.aspx?levent=799160&linvitation

 

1 Day Jump-Start on Unified Communication (Exchange 2007 and Office Communication Server) - Technical

The Jump-start is an interactive training session which provides you with the technical introduction and understanding of Unified Communication, Exchange 2007 and Office Communication Server from an architectural and solution overview perspective.  The session is an Instructor led “chalk & talk” and does not include any hands-on technical labs.

These sessions are ideal if you are a technical person needing to cross train your Microsoft skills and gain an understanding of how these technologies work together in an overall solution. These sessions are led by an experienced ‘in the field’ instructor to give you the fast track introduction and guidance you need as part of your skills enablement roadmap.

Audience: Technical Pre-sales, Architects new to these technologies, Technical Consultants & System Engineers needing to cross train.

Technical Level: 200

Topics covered:

REGISTER NOW: https://www.local.microsoft.com.au/australia/events/register/home.aspx?levent=371999&linvitation

 

1 Day Jump-Start on Business Intelligence and Performance Point Server

The Jump-start is an interactive training session which provides you with the technical introduction and understanding of Business Intelligence and Performance Point Server from an architectural and solution overview perspective.  The session is an Instructor led “chalk & talk” and does not include any hands-on technical labs.

These sessions are ideal if you are a technical person needing to cross train your Microsoft skills and gain an understanding of how these technologies work together in an overall solution. These sessions are led by an experienced ‘in the field’ instructor to give you the fast track introduction and guidance you need as part of your skills enablement roadmap.

Audience: Technical Pre-sales, Architects new to these technologies, Technical Consultants & System Engineers needing to cross train.

Technical Level: 200

Topics covered:

REGISTER NOW: https://www.local.microsoft.com.au/australia/events/register/home.aspx?levent=723236&linvitation

0:34 Join on new team >> MSDN Blogs

After 10.5 years in DevDiv for Visual Studio (from VS6 to VS2005), I decided to move onto the different world.

And now I joined AdCenter team since last Monday. Over 2 days, I start feeling the differences between shrink wrapped product and on-line/service based team, and it makes me really excited. Hopefully, I can share my experience more on the way.

0:33 Speeds and Feeds: an explanation >> MSDN Blogs


This phrase has been bothering me for a while now. I hear it quite a lot on a project I'm involved in and I'm too stubborn to ask what it means so had to go research it. My guess is few others know quite what it means but nod sagely when they hear it so here is the scoop - it actually means nothing in IT terms. Well, compared to its real origin that is. As Peter Glaskowsky of C|Net confirms though, it does have a specific meaning in a machine shop:

In a machine shop, the phrase has a definite meaning: "speed" is the rate at which a tool cuts through the workpiece. "Feed" is the rate at which the tool is advanced into the workpiece, thereby determining the depth of the cut.

Meantime, in IT Peter comments:

In the computer industry, "speeds and feeds" has no particular meaning, but it's generally used as a blanket term for the features and performance of a microprocessor or a whole computer system. I think many of the people who use this phrase in the computer industry have no idea where it came from or what it means; I hope this blog post will help spread the word.

So there you have it, you can continue to nod wisely safe in the knowledge that you now have this knowledge. Thanks Peter!

 


0:31 BHP Billiton OCS Case Study Published >> MSDN Blogs

If you need a great case study of an Australian company deploying OCS, then read on....

"BHP Billiton is the world’s largest diversified resources company. It has 39,000 employees working in 25 countries worldwide and returned a profit of U.S.$13.7 billion (excluding exceptional items) in fiscal year 2007. With global operations demanding frequent inter-office communications, the company found itself hindered by a range of different systems and protocols, and poor call quality from its many remote offices. To consolidate its online meetings solutions worldwide, the company turned to Microsoft® Office Communications Server 2007 to deliver an integrated communications solution to improve collaboration and communication for its employees. With highly secure content sharing, software-based voice over IP capability, and integrated presence management, the new environment creates a unified communications solution that helps reduce long-distance call costs and travel budgets, and removes company dependence on hardware-based IP telephony solutions."

Get the full case study here:

http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000000785

0:24 October 2007 Monthly Security Updates are Now Available on the ECE >> MSDN Blogs

The October 2007 Windows XP Embedded Monthly Security Updates are now available on the Mobile & Embedded Communications Extranet (ECE) for Microsoft® Windows® XP Embedded Service Pack 2, Feature Pack 2007, and Update Rollup 1.0.  This supplement includes updates for both the Desktop QFE Installer (DQI) Tool and the Component Database.

The following updates are included in this release – please see the ECE for more details:   

The October 2007 Windows XP Embedded Monthly Security Updates are available at the following link on the ECE:

If you have questions on accessing the ECE, please email MS Mobile & Embedded Communications Feedback & Support, ECE@microsoft.com.

- Lynda


0:23 Making Threat Modeling Work Better >> MSDN Blogs

Adam Shostack here, with part four of my threat modeling series. This post is a little less philosophical and a lot more prescriptive than the one about flow. It explains exactly how and why I changed a couple of elements of the process. The first is the brainstorming meeting, and the second is the way trust boundaries may be placed.

The brainstorming meeting is a mainstay of expert threat modeling. It’s pretty simple: you put your security experts in a room with system diagrams and a whiteboard. Usually, you put your system designers in there, and make them promise not to strangle your experts. Optionally, you can add beer or scotch. Sometime later, you get a list of threats. How long depends on how big the system is, how well its requirements are documented, and how well your experts work together.

We like having our developers threat model. There are a lot of reasons for this. Not only do they know the system better than anyone else, but getting people involved in a process helps ensure that they buy into it.

Now this desire is great, but it leads to some issues, first and foremost is that many of the people who are now involved aren’t security experts. This means that they lack both direct experience of the process and the background that informs it. This isn’t a slam on them. I lack experience in the database design process, and I don’t have years of experience to help orient me. So I’d make mistakes designing a database, and someone who isn’t a security expert may make mistakes in security. For example, someone might try to use encryption to mitigate tampering threats. (The SDL crypto requirements cover this, and I try to gently correct them to integrity mechanisms like MACs or signatures.) This is a reality that we have to account for at the process design level.

Adding Structure to Chaos

So how does this relate to the brainstorming meeting? It’s a dramatic increase in the need for structure. Where experts may think they do better threat modeling with scotch in hand, it certainly doesn’t lead to beginners having a flow experience. So we need a structure, and we need to provide it.

We encourage people to get started by drawing a whiteboard diagram. Almost everyone in software draws on whiteboards regularly, and this makes it an ideal first step. It’s an ideal first step because everyone can do it, see that they’ve done it, and feel like they’re making progress.

The core mechanism we’ve used to provide it is the STRIDE/element chart. (I’ll talk a lot more about its origins and limits in a few posts, but for now, let’s pretend it’s gospel, and enumerates all possible threats.) Given this gospel, it becomes possible to step through the threat modeling diagram, “turn the crank,” and have threats come out. “Item 7 is a data flow? Let’s look for T, I and D.” (Tampering, Information disclosure, and Denial of service.)

Similarly, we have four ways of addressing threats – redesign, standard mitigations, new mitigations, and risk acceptance. We have training on mitigating threats, we have explanation of why and when to use each (and they’re presented in a preferred order).

Lastly, we provide advice about how to validate the threat model and its relation to reality.

Between these four steps and the hamster wheel which ties them together, we give people the structure in which they can take on the process. The other thing I wanted to address is how we respond to consistent “errors” that we see.

Where Trust Boundaries Show Up

We used to give people clear guidance that trust boundaries should only intersect with data flows. After all, you can’t really have a process that’s half-running as admin, and half as a normal user. Logically, you have two entities. And people kept drawing trust boundaries across processes and data stores. It drove me up the wall. It was wrong.

As people kept doing it, I decided to swallow my pride and accept it. I now tell people to put their trust boundaries wherever they believe one exists. And they’ve continued exactly as before, but I’m a lot happier, because I’ve found a way to help them draw more detailed diagrams where they need them. Which includes anywhere a trust boundary crosses a process or data store. They’re happier too. No one is telling them that they’re wrong.

I was going to title this post “Lord grant me the strength to change the things I can, the courage to accept what I can’t, and the wisdom to know the difference,” but, first, it’s too long, and second, if we started that way, it would be wrong to add beer or scotch.
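
The "turn the crank" step described in the post above, as an added example that is not part of the original post: it walks a numbered diagram, emits the STRIDE threats for each element type, and lists any process or data store that a trust boundary crosses as needing a more detailed diagram. Only the data-flow row (T, I, D) is quoted in the post; the other chart rows, the `holds_logs` flag and the sample diagram are assumptions constructed for illustration.

```python
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# STRIDE-per-element chart. Only the data-flow row (T, I, D) is quoted in the
# post; the other rows are assumed from the commonly published SDL chart.
CHART = {"external_entity": "SR", "process": "STRIDE",
         "data_store": "TID", "data_flow": "TID"}

@dataclass
class Element:
    num: int
    name: str
    kind: str
    holds_logs: bool = False           # assumption: log stores also get R
    crossed_by_boundary: bool = False  # trust boundary drawn through the element

def threats_for(el):
    """Return the threat names the chart assigns to one diagram element."""
    if el.kind not in CHART:
        raise ValueError(f"item {el.num}: unknown element kind {el.kind!r}")
    letters = CHART[el.kind]
    if el.kind == "data_store" and el.holds_logs:
        letters = "TRID"
    return [STRIDE[c] for c in letters]

def turn_the_crank(diagram):
    """Step through every element; return (findings, elements needing detail)."""
    findings, needs_detail = [], []
    for el in diagram:
        findings += [(el.num, el.name, t) for t in threats_for(el)]
        # A boundary through a process or data store means two entities are
        # drawn as one, so that element needs a more detailed diagram.
        if el.crossed_by_boundary and el.kind in ("process", "data_store"):
            needs_detail.append(el.name)
    return findings, needs_detail

# Constructed sample diagram (not from the post).
DIAGRAM = [
    Element(1, "Browser", "external_entity"),
    Element(2, "Web app", "process", crossed_by_boundary=True),
    Element(3, "Audit log", "data_store", holds_logs=True),
    Element(7, "Web app -> audit log", "data_flow"),
]

if __name__ == "__main__":
    findings, needs_detail = turn_the_crank(DIAGRAM)
    for num, name, threat in findings:
        print(f"Item {num} ({name}): {threat}")
    print("Draw in more detail:", ", ".join(needs_detail))
```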

0:23 BPIO University 2 Day Workshop - Sales Track for Partners >> MSDN Blogs

This 2 day interactive workshop – targeted at Partners participating in the BPIO Campaigns – has as its outcomes:

·     to provide an overview understanding of the BPIO Campaign

·     to provide some relevant sales and marketing knowledge/skills/processes to assist Partners generate and convert leads relevant to the BPIO Campaign

·     point Partners towards a range of resources to assist them to capitalise on the opportunity provided by the BPIO Campaign.

By using tools made available by Microsoft to work with customers to understand their current level of optimisation, Partners can work with their customers to plan a path to achieve the highest level of business productivity infrastructure optimisation.

The BPIO University targets a number of solution areas including:

·     unified communications

·     collaboration

·     enterprise content management

·     enterprise search

·     business intelligence

This course will also supply you with all of the materials and tools you need to expedite the sales process and close deals faster.

REGISTER NOW https://www.local.microsoft.com.au/australia/events/register/home.aspx?levent=300213&linvitation

0:21 Live Search Maps >> MSDN Blogs

Have you seen the new Live Search Maps?  Launched today, the new interface is a LOT simpler to use, and a lot faster (it seems) to load and find results.  The Windows Live Search team has really been busy getting and incorporating all the feedback they've received into a much more solid and reliable product. I really like the simplified interface too - I can more easily search for people, places and addresses using a single entry field instead of two, and the system is smarter about interpreting...

0:09 Managing Documentation Projects in Team Foundation Server, Part 1: Planning the Sprint >> MSDN Blogs

I'm writing a series of blog posts over on the Team WIT Tools blog about how we're managing our documentation projects using TFS. Look here for the first post. http://blogs.msdn.com/teams_wit_tools/archive/2007/10/16/managing-documentation-projects-in-team-foundation-server-part-1-planning-the-sprint.aspx

0:02 Tour Tecnológico 2007 in Mexico >> MSDN Blogs

We invite you to be part of the Tour Tecnológico 2007, which consists of 20 events across the country where we will talk about the latest Microsoft technology trends! We want you to be part of the Tour by choosing the event AGENDA on the voting site! You could also win one of the Xbox 360s we will be giving away!

Go here and create the agenda for the Tour Tecnológico 2007!


10/17/2007 10:37:17 AM

   
