Columbus Architecture Group

by Admin 3/3/2010 8:48:00 PM

 

I had a good time with the Columbus Architecture Group (ColArc) Tuesday night at the ICC conference center.  I gave the Economics of Cloud Computing talk there and it was well received.

I got some great commentary from Mark Freeman about the impact that CompuServe had on early internetworking, which is a very good point.  CompuServe was born out of TSO, with a large organization reselling unused computer time.  This is very similar to the IBM TSO concept, and what Google, Microsoft, Amazon and the other large players are doing now.

Another point was the impact of grid computing, which I need to research a little more.

One of the big impacts was security, though.  How is cloud going to interact with HIPAA?  How do you convince a CIO?  What else has to happen to prepare your application for the insecurity of the cloud?

Location is a problem too. How about a state’s requirement to keep all data inside its borders?  There are tough questions there!

Anyway, thanks for having me folks, and I hope to see you next month.

Tags:

Biz | Cloud

Blogging Devlink

by BillSempf 9/8/2009 9:25:00 PM

I was pleased to be introduced to DevLink by Brian Prince this year.  It is a great conference, catering to the more southern members of the Midwest development family, similar in structure and content to CodeMash in January.  Held at a college campus, it has a loose, collegial feel (unsurprisingly) and has some great content.  The proof is in the pudding – a lot of people made the trek from Ohio and Indiana to Nashville for the three day con.

I went a day early to take part in a community leadership mini-con that the Midwest evangelism group for Microsoft put on.  Thrown in an unconference format, this was a gathering of sixty or so movers and shakers in the Microsoft developer’s community, along with a few of us hangers-on.  Steve Webb and I went to try and soak up as much of the community goodness as possible, and some great southern barbeque as well.  We got what we were looking for.

Open Source Community

Due in part to the MVC4WPF project, I have a recent interest in the community surrounding open-source.  I held a session on the Open Source Community and had a great discussion with a few experienced souls.  We determined that in order to have a successful open source project and surrounding community, you need four things:

  • A strong leader, who can focus the energy of the group, and set direction.  Scattered development makes everyone feel bad about the project, and the only reason people participate at all is to feel good.
  • An easy patching process.  If people don’t feel like they can participate, they won’t participate.
  • An existing user base of sorts.  If there is already a group of people working on the project, they produce the core of the open source community.
  • Tool Availability.  If you need VSTS 2008 to do the work, then fewer people will be interested.  You need to be able to do work on the product on your home machine.

 

The biggest key to growing a community is popularity.  Popular projects – at least in the Microsoft world – have four common characteristics:

  • Need.  There has to be a need for the end result of the project.
  • Caretaking.  Long after the shiny newness of the project has worn off, someone has to care for it.
  • Ease.  Use, development, documentation, everything. 
  • The source should be included in the product install.

 

Sponsorship ROI

Another cool discussion was on the topic of sponsorship.  As one would expect, it is harder and harder to get companies to pay for the trip to a conference – even an inexpensive one like DevLink – along with the time off, the travel, et cetera.  The group came up with seven ways to sell your company on the idea that going to a con was a good idea.

  • You will be cool by association.  Especially if you are giving a talk, you get to say “Hey this consultant of ours went and presented a paper along with the Famous Tim Wingfield!” or whomever.
  • Being elite is more marketable.  Following along with the last tip, it is true that elite-ness is quite marketable.
  • Providing training / brain dump.  When you get back from a con, offer to run a session or do a screen cast to train others.
  • Put some skin in the game by offering to pay for part or take vacation time.
  • It is true that events build experience, and experience improves marketability.  If you go and get exposed to Azure, you can look a client in the eye and say “I have some experience with Azure.  What do you want to know?”
  • Networking!  Local people travel.  You can sell and recruit.
  • Point out that the sponsoring company will get to retain top talent.  People stay where they feel they are valued, and a cheap way to show value is sending people to events.

 

On the issue of companies paying the small sponsorship fee to become an actual sponsor of the event (apart from sending people) we discussed the idea of selling access to an opt-in email list.  This could be for sales purposes if you are a tool vendor, or recruiting if you are a consulting company.

At the con

Hey, wait, there was a con too!  After all of that brain pumping at the community summit, I got to go hear the hippest cats in the Midwest talk about some cool technology.  Learned a lot, too.

Thursday was set up as two half-day sessions, which I was only sort-of impressed with.  Don’t get me wrong, the content I attended was really very good, but three hour sessions are really very hard to do.  I’m not sure I would recommend it to the organizers for next year.

I started my day listening to Jim Wooley (aka @linqkinq) chat about database driven web.  He had a good strong overview of the various new ways to quickly set up ASP.NET data access, along with an experienced view into the enterprise ready techniques.  We got a first look at RIA Services, along with the tasty morsels of LINQ and Entity Frameworks in action.

The afternoon session was on cloud deployment, from the very experienced Ben Henderson.  We did a few end to end deployments of cloud applications on both Azure and S3, and I learned about the S3 Organizer for Firefox, which I recommend to anyone working in the cloud space.

The next two days of the con were the usual hour-long segments of technological goodness.  There were regularly seven tracks going on so no one had a problem finding something that they were interested in.  Additionally, there were the open spaces, which follow a free-flowing hippyism format with an open grid and user generated content.  I ran a session on the Managed Code Rootkits that I learned about at Defcon, and had a great conversation with Steve Wallace and others.  (We decided that more research was necessary as to the risk, because if you have admin access, there are worse things you can do than munge up the .NET Framework.)

Nashville

On top of it all, I had a great time in Nashville, without really ‘doing’ the city at all.  I didn’t go to a ball game, I didn’t hear any big name acts, I didn’t see any celebrities, but I had a great time.  The community summit was at Jack’s Bar-B-Que, which is a Nashville standout.  The hotel was two blocks from Broadway, where all of the fun is.  There was lots of good music to be had on every street corner – who needs to go to a show?  The restaurants that we visited had no fewer than fifty beers on tap each, so how can you argue with that, I ask.  All in all a good time.

So thanks to Brian for inviting me, Steve for putting up with me, the organizers for being good at what they do, and the presenters, attendees and volunteers for making DevLink an all around great con.  Can’t wait for next year.

Tags:

Biz | C# | Cloud

Defcon Recap

by BillSempf 8/9/2009 7:16:00 AM

Defcon 17 is in the books, and Gabrielle and I had another fantastic time.  Props go out to all of the Defcon staff.  The Locksport International team and TOOOL put another fantastic lockpicking village together.  Coffee Wars pulled a record turnout of thirty-six brews, and we met some great people there.  (We lost badly.) And thanks to the hard working goons we met.

We arrived on Thursday, but with the new Defcon 101 tracks, we were practically late.  The lines weren’t much worse than usual but there was a badge shortage right away thanks to the fine people at Chinese Customs.  Gabrielle and I ended up with paper badges at first, but Gabrielle social engineered us into two actual badges soon thereafter.

The badge, as usual, is fantastic.  Kingpin did an over-the-top job of building a sleek, simple badge that still has lots of hacking potential and out-of-the-box functionality.  It uses the 32 pin MC56F8002 processor, with a microphone and an RGB LED to produce visual effects from aural input.  Wired Magazine actually published the open source firmware.  I am not a hardware hacker, but I have been working on getting it to produce different visual output based on pitch rather than volume.

I didn’t get his name, but one of the engineering team from Freescale (the company that made the microprocessor on the badge) came to the con.  He just set up shop in the Hardware Hacking Village and helped people program the board.  It was one of the coolest things I have seen at any con.  As some of you probably know, my hardware experience is circa 1979.  He effortlessly moved between helping me with the most basic soldering questions to the most advanced programming questions.  I was blown.  Get me his address, someone.  I want to send him a bottle of Scotch.

It seemed like the traffic flow was worse at first compared to Defcon 15, but it soon leveled out.  Part of the problem was the need to clean out the rooms fully and then count them coming back in due to the fire code.  The marshals were around, and very visible, throughout the con.

There is a lot of talk about the Riv being too small.  I happen to disagree – I think that DT just needs to find a logistics volunteer that will orchestrate the talks in such a way to control the crowds.  I have seen Gabrielle do it.  It is possible.  (You hear that Jeff?  She will work for Absolut.)  The people at the Riv work their collective asses off to make it a good con and you just can’t replace that.  Let’s change the logistics instead.

Oh wait, there was technical content too!  Who knew?

The most significant thing I learned is that for all of the protections for CAS in the .NET Framework, there is a mind blowing flaw.  The framework assemblies are just called by name.  If you replace an assembly, EVERY .NET program on that machine will use the altered DLL to run the program.  Does that mean if you replace the encryption protocol to email the keys to China, that all programs will send that key to China?

Yes.

Discuss.

Props to Erez Metula.
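A defensive check for the point above, as an added example (not part of the original post and not code from the talk): because a replaced framework assembly keeps its file name, one way to notice the swap is to compare each assembly's SHA-256 against a baseline taken from a known-good install and stored off the machine. The directory name, file contents and function names here are constructed for illustration.

```python
import hashlib
import os
import tempfile

ASSEMBLY_EXTS = (".dll", ".exe")

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large assemblies are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_baseline(root):
    """Map relative path -> SHA-256 for every assembly found under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ASSEMBLY_EXTS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = hash_file(full)
    return baseline

def compare(baseline, root):
    """Report assemblies modified, added or removed relative to the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed sample: a stand-in framework directory with placeholder bytes."""
    with tempfile.TemporaryDirectory() as root:
        fw = os.path.join(root, "framework")  # hypothetical directory name
        os.makedirs(fw)
        for name in ("mscorlib.dll", "System.dll", "System.Web.dll"):
            with open(os.path.join(fw, name), "wb") as f:
                f.write(b"known-good " + name.encode())
        baseline = build_baseline(root)  # in practice, keep this off the host
        clean = compare(baseline, root)
        # Simulate a same-name replacement, an extra file and a deletion.
        with open(os.path.join(fw, "mscorlib.dll"), "wb") as f:
            f.write(b"different bytes, same file name")
        with open(os.path.join(fw, "Extra.dll"), "wb") as f:
            f.write(b"unexpected file")
        os.remove(os.path.join(fw, "System.Web.dll"))
        return clean, compare(baseline, root)

if __name__ == "__main__":
    clean, after = demo()
    print("clean:", clean)
    print("after:", after)
```

A baseline kept on the same machine can be rewritten by whoever replaced the assembly, so the comparison only means something when the baseline is held elsewhere.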

There was a great talk on using iMacro to do screen scraping for AJAX sites, and I plan on getting some new PoCs for that up in the future.  It wasn’t rocket science, but it was a really good implementation of a simple idea that I sure as hell didn’t come up with.  I mean, if it was easy, everyone would be doing it, right?  Screen scraping is a massively underused art.  There is a LOT of information out there and the web browser just sucks for really making use of it.

So much net development was done on Metasploit in the last 12 months that they got an entire track dedicated to it.  The biggest piece is undoubtedly the Oracle module, which really puts all of the disparate Oracle attacks into one place for ease in testing.  I can’t recommend its use enough if you are a pen tester or in charge of db security.

The civil liberties content was significant compared to 15.  Nearly one whole track for three days was filled with lawyers telling us how not to go to jail when we fly to Italy on vacation with some music of questionable origin on our laptop.  I just popped in and out of these, but every time I did I learned something.

Did you know that if you are asked to give up your password in the states you can say “come back with a warrant” but if you are flying overseas, they can just take the machine without your permission, copy the whole hard drive, and say “Thanks for the warez, d00d.”  Lesson learned?  Carry an empty laptop overseas and download your data set from a secure channel once you get there.   When done, upload results and clear the machine again.  Microsoft doesn’t even LET you carry a machine overseas.

Speaking of privacy (weren’t we, really?) social networking was a huge topic this year.  Tom Eston and Kevin Johnson gave a great talk on some proof of concept work they did on social networks and trust.  For instance, set up a parody account of a ‘B’ celebrity, and gain trust of followers.  Then send out a link for a fun quiz with an XSS attack.  Gain twitter cookie, get password, rinse and repeat.  Social Butterfly is another of their tools, which manages the creation of apps in social networking sites like Facebook.  It collects user accounts to be used for research purposes.  Check it out.  It’s not just that picture of the Christmas party last year that will get you in trouble on Facebook.

Locksport village was very informative, very well attended, and very well stocked.  I picked up some new equipment and finally met both Schuler Towne and Doug Farre in the flesh.  Doug and I are going to make some moves toward getting the Locksport International organization a little more, well, organized, and get things up and running there. 

Gringo Warrior was a hoot.  I supplied the live guard with a cigar (which he really needed!) and watched.  Deviant had a whole boatload full of people, and I hadn’t practiced enough, so I didn’t do it this year.  Maybe next year.  The ah-ha moment for that was watching a very accomplished picker run the whole gamut in three minutes, and then spend ANOTHER three minutes trying to open the car door.  After that, Deviant stood by the auto locks and yelled “Everyone look!!”  Took out his auto jigglers.  “Easy lock,” pop.  “Medium lock,” pop.  “Hard lock,” pop.  “GET some jigglers people!  They aren’t that expensive!”  I got some jigglers.

My Defcon moment had to be standing in the elevator lobby waiting for a ride down from my floor, when thumping bass – LOUD thumping bass – became clearly audible.  I thought “that’s one hell of a boom box.”  Wait.  Aren’t those lights?

The door opens, and there is a full mobile DJ station in the elevator.  I kid you not.  There was a mini-rave going on right there in the elevator with a DJ and dancing babes and the obligatory big white guy who can’t dance just bobbing his head and looking cool.  It had to have been the coolest thing I have ever seen in an elevator, bar none.

Can’t wait for next year, folks.  This one was fantastic.  Till then, see you at PhreakNIC!

Cloudcamp Columbus

by Admin 7/1/2009 3:10:00 AM

So I am sitting here at TechColumbus watching the Unpanel at CloudCampColumbus.  Everyone here has a very good perspective on cloud and the problems and benefits.  The list of unpanel topics reads like a collection of general questions about cloud.

  • Auto scaling
  • Server huggers
  • Hybrid Clouds
  • Encryption
  • Security
  • Compliance
  • The business case
  • Disaster recovery
  • Scalability Planning

I think we just about covered it.   We are picking sessions now.

  • Intro to cloud
  • Architecture for the cloud
  • What and When to move to the Cloud
  • Examples of cloud apps
  • Enterprise Utilities
  • Cloud OS Security
  • Cloud Storage
  • App and Data Cloud Concerns

Proof that the unconference idea works?  Who knows.  Decided on the Architecture group, and now am sitting with a bunch of people smarter than me.  Bummer.

So anyway, there is some meta conversation revolving around cloud computing that I have yet to completely master, but I think I am getting the idea.  People are wrapping the big providers around themselves.  For instance, ShareThis, who is talking right now, is an EC2 partner, and they just resell the service.  They don't really make or provide anything at all.  It is an ISP reseller.

This begs the question - is this just hosting?  That's all it is.  No one is really using this for anything significant yet, at least not at this level.  Right now, they are just providing site hosting for applications that go viral.

So what is the highest level of cloud?  What can be done with this other than scalability?  Funny, they are talking about the same scaling problems that everyone has now - caching, bad code, weak queries.  Cloud won't help there!  What is it REALLY for?

That meta question brought a lot of interesting answers.  Brian Prince brought up the reality of disposable computing.  I thought that was a good point - you can treat the computing resources as temporary assets.  Where does that lead us?  No answer yet.

Liveblogging setting up data storage for Sharp

by BillSempf 6/17/2009 9:46:00 PM

After uploading the basic services to Azure early this morning, I felt the need to finish, and actually set up some kind of data storage for the system.  After all, the services are only useful if the data is actually accessible, and eventually I plan to resubmit this as my certified app for POINT's ISV certification.  So I squandered one of my two storage service keys to Sharp's database in the cloud.

At first blush, this seems straightforward.  I logged into the Azure dashboard at https://lx.azure.microsoft.com and provisioned a new storage services account.  This required only a unique name and a description.  In exchange, Azure provided me with three endpoints:

  • the blob services;
  • the queuing services; and,
  • the table services.

OK, right now I need tables.  I am essentially going to move the simple 4 table schema for Sharp into the cloud for this first version - we'll look at sophisticated use of property bags and whatnot at a later date.  I have my primary access key; time to move to Visual Studio.

 

Economics of Cloud computing presentation for the ACM

by Admin 6/1/2009 1:03:00 AM

I presented a paper last month for the ACM and IEEE that will be published in the Cloud Computing Journal next month.  Thought I would post a few links here for those who are interested in cloud - I did cover Azure.  I'll do a blog post for Azure and VB when I manage to upload SHARP to the cloud, like I plan to.

The slides are on the IEEE site: http://www.ieeecolumbus.org/node/97

The presentation video is at my SpeakerSite: http://www.speakersite.com/profile/BillSempf

The article will be on my Ulitzer site: http://williamasempf.ulitzer.com/

I hope you find the information as interesting as I did!

Tags:

Biz | Cloud

Just finished watching the PDC Keynote

by Admin 11/18/2008 12:54:00 AM

Weird not seeing Bill there.

Anyway, everything old is new again, again.  Microsoft Azure is Hailstorm with a little more structure around the standards of XML Web services.  Even has an SDK.  With the advent of REST and the strong strides made in reliability, security and transaction support it made sense to try it again.  However, as Steve Wallace pointed out on Twitter, you still have issues of 1) Trust and 2) Not Built Here Syndrome.  This will be a hard sell.

What am I talking about?  Azure is the new Software as a Service offering from Microsoft.  It is a 'cloud computing' (read: bunch of machines that use the Internet) environment where applications can easily be hosted with managed scalability.  You write an app, you put it on Azure, and then subscribers can get to it.  Like XBox marketplace, but for enterprise consumers.

Credit to Microsoft for doing what they said they were gonna do.  I remember at TechEd 2002 when Bill said that Software as a Service was the future and that they were going for it all the way home and back, I thought "nah".  But I was wrong.  They made a plan, and stuck to it, and here we are.

PDC attendees can register for Azure at azure.com after noon PDT.

About the author

Bill Sempf
Author of C# All In One for Dummies (among other things)


Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2010
