Daily Archives: November 12, 2004

DevConnections Attendee views and get the DVD

Dave Bost got to do what I didn’t – attend sessions by some of the most awesome speakers on “the circuit” and then mine, too! I was busy working on my sessions so did not get to any. Here are his posts from Monday (Microsoft day), Tuesday and Wednesday with great details about the talks he attended. He also posted about the SQL Server and ASP.NET Keynotes by Tom Rizzo and Scott Guthrie. Dave is a user group leader who I knew from email, so it was fun to meet him.

They are making a DVD that can be purchased with all of the sessions from ASP.NET Connections and Visual Studio Connections, but not the SQL show. I believe it can be ordered through the registration page.

Posted from BLInk!

Digital Signatures at DevConnections

I had an awful moment in my WSE talk at ASPConnections thanks to great difficulty sleeping the previous night, so I want to be sure to write out my explanation of how a digital signature works here.

I have what I know is a terrific visual diagram to help explain digital signatures. What confused me when the slide popped up is seeing a private key next to the word encryption, which is correct for digital signatures but not for normal encryption. I had just walked the encryption diagrams and then hit the digital signing slide, saw that private key and my first thought was “but we don’t encrypt with a private key, we do it with a public key.” I really froze. In reality, my slide was right as I absolutely knew what I was talking about. Unfortunately I did not just allow myself to get past that moment of doubt (which is a whole different topic about the balance of my knowledge, my presentation skills (both pretty good) and my confidence in them).

So here’s the deal with why we are encrypting with the private key in this case. You can encrypt with any key you want, but you choose between them depending on your goals.

Encryption to achieve confidentiality: In this more common encryption scenario where we are trying to hide a message from prying eyes, we encrypt with the public key so that only the owner of the private key is able to decrypt. Anyone can see the message, but they won’t have the ability to decrypt it and view its actual contents.

Encryption as part of a digital signature: When digitally signing a message, we are creating a copy of the message body, hashing it (remember hashing can’t be undone) and then encrypting the hash. In the end, the validation is to ensure that the hash of the received message body matches this hash that we have sent along with the message body. If someone has mucked with the body or the hash (or both) there is no way that there will be a match on the other end. The encryption of the hash is done with a private key and then undone with the public key from the pair.

So this begs the question, why bother encrypting it if anybody can decrypt it? By encrypting with the private key, the recipient is absolutely assured that it was the sender (the only person with the private key) who created the digest. Think of this scenario: some devilish person could grab the message on its way, modify the message body and then create a new digest of that body. That would mean the digest would match the body when it’s received. But that devilish person doesn’t have the correct private key to create the digest with. The recipient, checking with the sender’s public key, would recognize that immediately and the message would be invalidated.

So the process of signing doesn’t prevent anyone from mucking with the data (nor from even looking at the data – as this is the job of encrypting the message body), but just acts as a big red flag if the received message has been “violated” along the way.

Along those same lines, it’s good to note that encrypting a message body may prevent the wrong person from reading the actual data, but it is no guarantee that someone hasn’t taken the string of cipher text and altered it in any way.
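The signing and verification steps described above, as an added example that is not from the original post or from WSE. It uses textbook RSA without padding and constructed toy keys built from well-known Mersenne primes so the private-key and public-key operations stay visible; the function names and the sample message are assumptions, and real systems use a padded signature scheme from a vetted library.

```python
import hashlib

E = 65537  # public exponent shared by both constructed key pairs

def make_keypair(p, q):
    """Build a textbook RSA key pair from two primes (toy key, trivially factorable)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return {"n": n, "e": E}, {"n": n, "d": d}

def digest(body: bytes) -> int:
    """SHA-256 of the message body as an integer; hashing cannot be undone."""
    return int.from_bytes(hashlib.sha256(body).digest(), "big")

def sign(body: bytes, private) -> int:
    """Hash the body, then transform the hash with the PRIVATE key."""
    return pow(digest(body), private["d"], private["n"])

def verify(body: bytes, signature: int, public) -> bool:
    """Undo the signature with the PUBLIC key and compare to a fresh hash."""
    if not 0 <= signature < public["n"]:
        return False  # not a value this key could have produced
    return pow(signature, public["e"], public["n"]) == digest(body)

# Constructed keys for illustration only.
SENDER_PUB, SENDER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
ATTACKER_PUB, ATTACKER_PRIV = make_keypair(2**607 - 1, 2**1279 - 1)

def demo():
    body = b"transfer 100 to account 42"      # constructed sample message
    tampered = b"transfer 900 to account 42"  # body altered in transit
    sig = sign(body, SENDER_PRIV)
    forged = sign(tampered, ATTACKER_PRIV)    # new digest, wrong private key
    return {
        "intact": verify(body, sig, SENDER_PUB),
        "body_changed": verify(tampered, sig, SENDER_PUB),
        "re_signed_by_attacker": verify(tampered, forged, SENDER_PUB),
        # The forgery only checks out against the attacker's own key, which
        # is why the recipient must verify with the sender's public key.
        "checked_with_wrong_key": verify(tampered, forged, ATTACKER_PUB),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'REJECTED'}")
```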




Why presentation slides change

Someone who attended two of my talks commented that my slides were different than the printed slides in the distributed book. I can understand that this may cause some confusion if you are trying to follow the slides through the book and take notes. Changing slides is a hard choice but sometimes necessary.

In my case I had a presentation on the Whidbey base class libraries and another on Web Services Security with WSE2, a very new technology that we are still getting a deeper and deeper understanding of.

Whidbey is a moving target. I initially put together this presentation a year ago using the PDC bits. I modified it for a June conference to reflect changes in the May CTP bits. I revised it once again with the Beta1 bits for the ASPConnections show. The PowerPoint slides were submitted in early September so that the books could be printed. Since then the October CTP bits were released and I updated the talk once again to incorporate a few goodies as well as add in a few new discoveries and to revise some information that had become clarified. I believe I mentioned this at the start of the talk and I think it’s beneficial to have the presentation be as current as possible.

For the second presentation, again, I considered the effect of changing the deck and, again, decided it was beneficial after doing a “trial run” of the presentation in Montreal in October. The deck represented about a 2 hour talk (at minimum) and I had to make some tough choices about what details needed to go. (I’m very happy to learn that I will now get 3 hours to do this next time!) What I ended up doing was hiding some of the slides. Additionally in the months between the printing and now, I implemented WSE2 in a pre-existing production app and have spent a lot of time in the WSE newsgroup. I have learned a lot about some of the problems and confusion a programmer will come up against using this tool and I chose to add some of these valuable lessons to the presentation.

Although I did talk to some other speakers about this I wonder how people handle this when presenting – especially with new material.

I will be posting these new versions of the PowerPoint slides to my own website and I believe that the DevConnections site also has a place where I can share them. When I do so, I will make note of that here in my weblog.


Tablets at DevConnections

In addition to some of the Microsoft Tablet team being at the DevConnections because they were doing a full day pre-con and also decided at the last minute (or I only found out at the last minute) to do talks during the regular sessions as well, there was a definite, though concentrated, tablet buzz at the show. The most interesting thing they did was set up a hands on lab in the exhibition hall with 30 tablets, a few people from the team and happily for me, Lora Heiny and Loren Heiny. The hands on lab is the same one I did at TechEd and is really a fantastic walk through demonstrating to programmers how easily they can tap into the inking functionality of the tablet as well as how deep the API really goes. The lab definitely needs a VB version. I was there helping some VB programmers out who, though trying to learn about the tablet API, were struggling with things like casing and other syntax problems that prevent C# from compiling. I think that will get done soon (I even offered to do it, but I think it will happen from within the team). The lab had a lot of people in it throughout the show, though, considering there were about 1500 attendees, the sessions themselves were not heavily attended. My session had some last minute changes since there were the extra sessions added in and I basically had to cut it in half. And those that did attend my session, where I walked through some of the tougher issues to deal with when writing an ink-enabled web application (using my online Doodle app as my demo), had been attending many of the tablet sessions so they were light on questions.

It was fun to go to the famous Aureole restaurant that was right in the casino – famous to us, because it has a beautiful tablet application to help clients sort through their thousands of bottles of wine. I think I blogged about it once and might dig up that link when I’m online again. I went with Arin, Mark, Elliot and Mason from the tablet team as well as Kathleen who has a new M200! Thanks for the vino guys.

Most fun for me was to hang out a bit with Lora and Loren, though they weren’t around in the evenings.




Keeping up with the Joneses: Consultants and moving target technologies

At the closing session of DevConnections there was a jam packed auditorium of attendees and a panel of a host of speakers up front. Carl Franklin ran around the room (literally 🙂 ) with a mike so people could ask questions. A larger percent of the questions were SQL Server related as that is the focus of one of the three conferences that make up DevConnections. There were a few questions about .NET, such as the future of the application blocks (which, by the way, is two-fold: much of what was learned in the app blocks is being folded into VS 2005 and they are also going to be part of Enterprise Services).

Yet one consultant stood up and asked an interesting business question. While there is so much push from Microsoft and from all of us who are excited about the new technologies, he is in a very familiar position. His clients’ VB6 programs run their businesses. They use SQL 2000. Everything works great. He said that his clients are afraid that he will push them to the new technologies which would be a great expense for them, even though their current systems more than suit their needs. What’s a guy (or girl) to do? He was looking for advice in handling this issue.

I have a client that was very happy on their VB6 apps and SQL 7 for a long time. I have been very fortunate that they trust my choices and although I continue to make minor changes to their enterprise VB6 application, every new piece of development in the past 2 1/2 years has been in .NET. This did not cost them anything extra since I spent my own time learning and experimenting. There are even pieces of their application that I have not charged them for, such as implementing WSE2 in one of the production apps. My ability to make these choices has also paid off in a very visible way with the use of a smart client application with a web services back end which solved a problem we had talked three years ago about solving with a very expensive T1 line to one of their satellite offices.

I have not leveraged anything new in SQL 2000 so that they were not forced to spend the large chunk of cash to upgrade from SQL7. This summer, it was discovered that their server had been hacked and in a quick build of a new server, the sysadmin chose Windows 2003 server which meant we had to move to SQL 2000. The 6 month trial was a saving grace in the emergency, but I know the client did more than grimace when those 6 months were up. Now they are asking me about SQL 2005 and Longhorn so that they can start planning ahead for the expense of upgrading all of their systems. I promised them that I have no plans to implement any of the SQL 2005 features any time soon in their applications and that if I do find that I have a very strong business case for doing so, there would be plenty of time to prepare for the financial hit.

So, back to the guy at the conference with his question – how will Microsoft support HIM in working with his clients to make these decisions and to assure his client that he is not needlessly costing them money? He is in a rough place. One of the biggest reasons I left FoxPro years ago was because I was sick of defending it to potential clients who thought that Microsoft was going to bury it. This developer wants to learn and be proficient with the new tools. He also wants to keep his clients happy and to be a good consultant to them by helping them make the right choices and protecting them from unnecessary expenditures.

It’s an interesting question. I agree that there should be something that Microsoft can do to help him, but it has to be to help give *his* clients the best advice but not scaring them into moving everything to the latest and greatest technologies so that they can sell another server license.

Kathleen and I talked about this and I think it also fits somewhere in the conversation that Joel Spolsky began (or perhaps just raised to new heights) in his article about the API Wars. I expect to see more on this discussion in the near future.
