# Friday, April 28, 2006


I was listening to DNR last night; the guest was Kim Cameron and they were talking all about Identity.  The topic of the "let me get my work done" button came up.  This is the digital version of the boy who cried wolf story.

When the user is bombarded with endless security dialogues that they don't understand, they blur into one big "let me get my work done" button.

I thought I'd represent it graphically :)


Friday, April 28, 2006 9:51:32 AM (AUS Eastern Standard Time, UTC+10:00)  |  20060428-What-Non-technical-users-see.jpg (64.61 KB)
# Thursday, April 27, 2006

When you think you have found all the places to set Exchange Server's data stores and moved them to a data disc, you should re-check!

There is always one that is still set to log to your system drive and the gods of pain and irony will find a way to fill it.

...with apologies to the hundreds of thousands of people trying to read this blog between midnight and 10:00am...
Thursday, April 27, 2006 10:04:58 AM (AUS Eastern Standard Time, UTC+10:00)
# Wednesday, April 26, 2006

So I mentioned earlier that I am excited about using XPath against XML data stored in SQL Server (v2000 at the moment) but I keep coming up against the same problems, like text/ntext data types are invalid for local variables in a batch and I can't fit the documents I want inside varchar(8000). 

The result with the most Google Juice on this points to the solution we all want.  There needs to be a version of sp_xml_preparedocument that accepts a pointer to a text/ntext column.  There are various solutions around, none of which are kind on server resources (like creating an undetermined number of varchar(8000) variables in scope) and none of which are pretty.

The chances of getting this went from slim to none last Nov.  Oh well.  I've yet to sink my teeth into SQL Server 2005 and I know they have done a lot with XML in that release, but Microsoft:  Do you think every system and team cuts over to the new version of your products the day after launch?  I understand you're excited but the same happened to VB6 when VS.NET 1.0 came out.

The project I have in mind involves taking the XML out of Excel documents and working with it using XPath and XSLT.  So for now this doesn't live in the data tier.  Oh well.  The sun will rise in the morning.

Oh and a nod to the brainy and beautiful Anina for "google juice" links. 


Wednesday, April 26, 2006 9:41:25 AM (AUS Eastern Standard Time, UTC+10:00)
# Wednesday, April 19, 2006
I've been a fan of Crypto-gram for ages.  Blogged about it too.  Its author, Bruce Schneier, really knows his stuff.  It's a welcome reminder each month that when dealing with information security -as everyone employed in tech really is- paranoia is a very healthy emotion.

He asked bloggers to help spread the word of a proposed contest on Movie-plot terrorist threats.  These are the kind where (in my words) someone has a maybe valid/maybe invalid idea about how a terrorist can go about their aims, then removes the doubt around their own stupidity by trying (often including proposing great expense) to mitigate the risk.  Sigh.

I'll be tracking the Technorati results for this too :)

I have reprinted Mr Schneier verbatim from this month's Crypto-gram below.


Movie-Plot Threat Contest



NOTE: If you have a blog, please spread the word.

For a while now, I have been writing about our penchant for "movie-plot threats": terrorist fears based on very specific attack scenarios.  Terrorists with crop dusters, terrorists exploding baby carriages in subways, terrorists filling school buses with explosives -- these are all movie-plot threats.  They're good for scaring people, but it's just silly to build national security policy around them.

But if we're going to worry about unlikely attacks, why can't they be exciting and innovative ones?  If Americans are going to be scared, shouldn't they be scared of things that are really scary?  "Blowing up the Super Bowl" is a movie plot to be sure, but it's not a very good movie.  Let's kick this up a notch.

It is in this spirit I announce the (possibly First) Movie-Plot Threat Contest.  Entrants are invited to submit the most unlikely, yet still plausible, terrorist attack scenarios they can come up with.

Your goal: cause terror.  Make the American people notice.  Inflict lasting damage on the U.S. economy.  Change the political landscape, or the culture.  The more grandiose the goal, the better.

Assume an attacker profile on the order of 9/11: 20 to 30 unskilled people, and about $500,000 with which to buy skills, equipment, etc.

Post your movie plots here on this blog.

Judging will be by me, swayed by popular acclaim in the blog comments section.  The prize will be an autographed copy of Beyond Fear.  And if I can swing it, a phone call with a real live movie producer.

Entries close at the end of the month -- April 30.

This is not an April Fool's joke, although it's in the spirit of the season.  The purpose of this contest is absurd humor, but I hope it also makes a point.  Terrorism is a real threat, but we're not any safer through security measures that require us to correctly guess what the terrorists are going to do next.

Good luck.

Post your entries, and read the others, here:

http://www.schneier.com/blog/archives/2006/04/announcing_movi.html

Movie-plot threats:
http://www.schneier.com/essay-087.html

http://www.time.com/time/nation/article/0,8599,175951,00.html
http://www.schneier.com/blog/archives/2005/10/exploding_baby.html
http://www.schneier.com/blog/archives/2006/02/school_bus_driv.html
http://www.imdb.com/title/tt0075765

There are hundreds of ideas here:
http://cockeyed.com/citizen/terror/plans/terrorwatch.html


Wednesday, April 19, 2006 2:22:56 PM (AUS Eastern Standard Time, UTC+10:00)

Since I was doing nothing else on Monday, after the blog post below I spent a couple of hours going through the work in Visual Studio.

While I am still not sold on the concept of the tests driving the development process, it does make you consider your class design from the point of view of its consumers.  Also the screencast did help bring some clarity to practical test design with NUnit, which is something I struggled with earlier.

My next problem with it:  How do we manage the problem that arises from programmers testing their own input validation for example?

Also the MVP pattern was easier to implement than it looked on DNR TV.  I look forward to watching the episode dedicated to it.
Wednesday, April 19, 2006 9:00:07 AM (AUS Eastern Standard Time, UTC+10:00)
# Tuesday, April 18, 2006

Maybe it's a hangover from a public holiday but I can't seem to find out from the system tables or sprocs.  Man it can't be that hard!

Google here I come :-(

Stay tuned for update if I find out...
Tuesday, April 18, 2006 9:30:21 AM (AUS Eastern Standard Time, UTC+10:00)
# Monday, April 17, 2006

So I'm catching up on some DNR TV with an easter egg and I'm watching the episode on Test Driven Development with Jean Paul Boodhoo [part 1 & part 2].  The obvious flaw -which they coughed to later- was trying to cover TDD, Interface-based programming with mock objects using NMock, and the model-view-presenter pattern, and an intro to ReSharper in one show.  Just too much new information.  Later they did a show on MVP (I am still to watch this...)

Anyway, it's clear that JPB is very capable at making this agile + patterns mashup work well for him, but I can't escape the common criticism that it's just so much heavy lifting up front!   I'm prepared to accept that this work pays dividends, but they must accept that at first look this methodology looks to be the enemy of productivity, and that is going to be a very hard sell for regular mortals in the SME/ISV space.

The one idea I'd like to contribute to the debate is a what-if:  What if JPB & his freaky kind are just doing in long-hand now, what in future revs of Visual Studio we will be able to do declaratively to get the same benefit with less effort?  Then, I'd be interested!

While on the topic of DNR, and DNR TV, the Dot Net Rocks! guys (I get the impression Carl specifically) have been on the bandwagon of using BitTorrent.  Makes sense when you are distributing content like they are.  They like µTorrent; me, I have been a fan of Shareaza, because it's an open-source project rather than a commercial venture, it has no problems being banner & pop-up free and has a seriously slick UI, but I just found out µTorrent supports RSS feeds that include .torrent files - perfect for having your DNR and DNR TV downloaded!

While on the topic of Carl, Pwop Productions, and their shows... Hanselminutes show #12 "Top Ten Utilities you Didn't Know You Had" is well worth 30 of your minutes.  Some old, some new, there has to be a time-saver in this bunch for anyone.

Obviously it's been too long between blogs for me, so apologies for the link-fest and drifting between tangents... you may return to your regularly scheduled programming...

Monday, April 17, 2006 1:11:52 PM (AUS Eastern Standard Time, UTC+10:00)

Getting back to normal on the network now.  New server for this blog, prompted by an exploded hard drive, evidence below...

Logic-board short

Monday, April 17, 2006 12:29:19 PM (AUS Eastern Standard Time, UTC+10:00)
# Friday, March 03, 2006

Another thing I am seeing more of that requires some comment is poor requirements definition and specs for technical work.

An obvious benefit of a development team working to correct and complete specs is the output can be measured against the spec to give the project a logical and objective conclusion.

The other side of this is a healthy spec & requirements session encourages the stakeholders in the project to actually think through their requirements.  Lesson: Don't take this for granted.

I've just seen a couple of notable examples of this lately when questioning a minor point in the spec has had the client say "Ah!  I didn't think about that!" raising more fundamental questions about the project.

I'm working on a theory that you can never ask the average guy what they want, because by virtue of being in the middle of their own business domain they are blinded to actually knowing the right answer.  You can only learn what they need.

After blog mint [?]:  Just more on that "ah!" moment.  I'm not saying it's a failing on the stakeholder's part.  It's a natural and healthy part of requirements definition.  Just don't forget that it can (and will) happen.
Friday, March 03, 2006 10:38:08 AM (AUS Eastern Daylight Time, UTC+11:00)

I know what makes me sick and what makes me well, but that doesn't make me a doctor.

Knowledge of a specific business domain doesn't qualify you through some holy invocation to be a database designer.

Sounds like I'm taking a pretty hard line on this :)

Really it all stems from seeing people put in way too much effort to cope with bad ideas.  Take for example this pretty simple rule of normalization:
  • Every time a row and column meet, that cell should hold one and only one bit of data.
Break that rule and you will be forever doomed to write hard-to-maintain queries.  I was just discussing a scenario that needed to regularly update part of a field for a large number of rows.  Luckily that scenario isn't seeing the light of day <phew>

So, what criteria do you think should be on the test that issues licenses to develop databases?
Friday, March 03, 2006 10:01:55 AM (AUS Eastern Daylight Time, UTC+11:00)
# Tuesday, February 28, 2006

Some possible reasons:

  • VCs didn't learn from the first .com crash
  • Technology pundits didn't learn from the first .com crash
  • flick
Yeah, let the VCs and technology writers (with the exception of Robert Scoble) race each other to the bottom of the ocean.  Long live flickr!

Why I reckon flickr rocks:
  • They blog.
  • They know about Interestingness.
  • You can get practically everything delivered over RSS.
  • Tagging just rocks.
  • You can upload straight from your Windows folders, or by email, or from OSX, or from iPhoto, or...
  • The user experience is very nice.  Good implementation of AJAX.  Very clean UI.  Branding is nicely done.
So yeah, hype will always be there but if it was all for flickr, well, it wasn't wasted :-)

(go on, give my flickr page a nudge...)
Tuesday, February 28, 2006 9:51:50 AM (AUS Eastern Daylight Time, UTC+11:00)
# Tuesday, February 21, 2006

OK, this is my wishlist for a proximity security device for the Windows platform.  There are a couple out there, but none that do all that I want, and are available locally and are affordable.  Maybe no more than $100-150 initially and coming down with volume.

Backgrounder:  A proximity security device is just a gizmo that is aware of how close you are to your computer, and secures it when you're not around.

  • It has to work with Windows integrated security.  This means not starting a new process that covers the screen and requires yet another local password store.  Nor something that starts the Windows screensaver.  It has to lock Windows at the NT Security layer.  It should also be Group Policy aware, so your AD could stop your account being used on a machine that did not support the device.
  • You're going to need a dongle on your keyring, and some receiver in your pocket, but No USB!  The system should not be able to be neutralized by ripping out the dongle while you're away from your desk.  Also USB leaves too much of the process visible to the driver stack.
  • It needs to be tamper evident.  So if a machine is rebooted while secured it needs to be noted somewhere in big red letters!
  • It needs to pause Windows Media Player/Winamp/Sonique/iTunes :)
  • You must only be able to log in to the machine again when the dongle is in proximity.
  • Maybe even some biometric on the keychain dongle so that it can only send back a signal when your fingerprint matches.
  • It would be nice if one keychain could lock multiple machines.
  • Lastly, and most importantly, it must automatically lock your machine when you move a certain distance from the machine with no questions asked.

Has anyone seen such a gizmo?  Or am I meant to keep dreaming :)
Tuesday, February 21, 2006 2:03:43 PM (AUS Eastern Daylight Time, UTC+11:00)