Yup, and it’s sticking (a little bit) too! The view from my office 2:45pm:
Archive for March, 2008
Posted by BPuhl on March 28, 2008
Posted by BPuhl on March 23, 2008
Have you seen this? Apparently it’s a new feature of YouTube, which provides a pretty cool interactive relational browsing feature for videos. Sort of a graphical version of clicking through the “related videos” list. To start, pick a video, and blast it up to full screen mode, and you get this new button:
When you click it, you start “centered” on your video, and then just keep browsing through their web of videos. Alternatively you can just build the link, so here’s a place to start: YouTube Warp of My Bunny Pancake
Posted by BPuhl on March 21, 2008
it’s generally not acceptable to reduce efficiency for the purpose of determining efficiency…
During a conversation about creating a 5 minute process which tracks metrics, to replace the 1 minute process that doesn’t track metrics
Posted by BPuhl on March 20, 2008
Sometimes it feels like my life is just a series of Monday mornings, with occasional weekend interrupts
Posted by BPuhl on March 17, 2008
I hate managers who want the “30 thousand foot view” – don’t they know that there is no oxygen at 30,000 feet?
Even better, lately some architects are talking about the 90,000 foot view…
Posted by BPuhl on March 16, 2008
Active Directory can provide unique identity information within its scope. But sometimes, usually when applications are being developed, the identity requirements are a little bit more than what AD can provide.
For example, in your environment, do you have any identifier for a user which you can guarantee is unique, and is never reused throughout the lifetime of the enterprise?
This can be a hard question, because AD doesn’t (and arguably, shouldn’t) provide this kind of uniqueness in a way which is easily consumable by applications. Internally at Microsoft, quite a while ago, it was determined that a person’s employeeID number was going to be the piece of identity information which is guaranteed to be unique at any given point in time, and never reused over any span of time.
Interestingly, I recently had to write an Identity FAQ type of document for our application team explaining this little bit of trivia. It seems that in the absence of this knowledge, they had simply assumed that a person’s user name (samAccountName) was guaranteed to be unique, and hadn’t considered whether it could be reused. This has led to some interesting help desk calls, for example:
User Robert (call me Bob) Puhl works for Microsoft from 1995-1999 – user name, BPuhl
User Brian Puhl (me), gets hired into Microsoft in 2001 – user name BPuhl
When Brian goes to access several web applications, guess whose information and history in that application context are already there? Yup. Brian, meet Bob.
Much of the time, we’ll think about the need for uniqueness within the environment “now”. If you’ve only got a single domain, then you might get away with samAccountName. But if you fail to consider the time factor, then reusing common attributes like user name can become nearly equivalent to reusing SIDs.
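To make the Bob/Brian collision concrete, here is an added example (not code from the original post or from Microsoft): a toy application user table that can be keyed on either samAccountName or employeeID, plus an audit check that scans a directory history for attribute values that have belonged to more than one person. samAccountName and employeeID are real AD attribute names; the people, ID numbers and dates are constructed to mirror the story above.

```python
"""Added example (not from the original post): why an application that keys
its user records on samAccountName inherits another person's history when
the name is reused, while keying on a never-reused employeeID does not.

samAccountName and employeeID are real Active Directory attribute names; the
people, ID numbers and dates below are constructed to mirror the post's
Bob/Brian story.
"""
from collections import defaultdict

# Constructed directory history: one row per account lifetime.
DIRECTORY_HISTORY = [
    {"samAccountName": "BPuhl", "employeeID": "100245",
     "displayName": "Robert Puhl", "hired": 1995, "terminated": 1999},
    {"samAccountName": "BPuhl", "employeeID": "200817",
     "displayName": "Brian Puhl", "hired": 2001, "terminated": None},
    {"samAccountName": "JDoe", "employeeID": "100391",
     "displayName": "Jane Doe", "hired": 1997, "terminated": None},
]


def reused_values(history, attr):
    """Audit check: return {value: {employeeID, ...}} for every value of
    `attr` that has belonged to more than one distinct person over time."""
    owners = defaultdict(set)
    for rec in history:
        owners[rec[attr]].add(rec["employeeID"])
    return {value: ids for value, ids in owners.items() if len(ids) > 1}


class AppUserStore:
    """Toy application user table keyed on a chosen directory attribute."""

    def __init__(self, key_attr):
        self.key_attr = key_attr
        self.rows = {}  # key value -> {"employeeID": ..., "history": [...]}

    def logon(self, directory_user, action):
        """Find or create the row for this logon and append an action.

        Returns the employeeID the row was originally created for, so the
        caller can tell whether the history now shown belongs to someone
        else."""
        key = directory_user[self.key_attr]
        row = self.rows.setdefault(
            key, {"employeeID": directory_user["employeeID"], "history": []})
        row["history"].append(action)
        return row["employeeID"]


def history_leaks(key_attr):
    """Replay the post's scenario: Bob uses the app in 1998, Brian logs on
    in 2002 with the same user name. True if Brian lands on Bob's row."""
    store = AppUserStore(key_attr)
    bob, brian = DIRECTORY_HISTORY[0], DIRECTORY_HISTORY[1]
    store.logon(bob, "1998: filed expense report")
    owner = store.logon(brian, "2002: first logon")
    return owner != brian["employeeID"]


if __name__ == "__main__":
    print("reused samAccountNames:",
          reused_values(DIRECTORY_HISTORY, "samAccountName"))
    for attr in ("samAccountName", "employeeID"):
        print(f"keyed on {attr}: Brian sees Bob's history = "
              f"{history_leaks(attr)}")
```

The `reused_values` check is the one worth running against a real export of account history (including disabled and deleted accounts): any samAccountName it reports is a user name that an application keyed on that attribute will have silently merged across two people.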
Posted by BPuhl on March 16, 2008
We’ve got our fair share of smart people working at Microsoft. So when one of them calls you up in near desperation with a problem, you know it’s gotta be a good one. This happened to me the other day: a co-worker on the networking team, who’s been there for longer than I can remember, calls up asking for any ideas that could save corpnet from the evil virtual machines. Was there anything Active Directory could do?
Unfortunately for her, the answer was no. I didn’t really have any great ideas, because there are hundreds of thousands of machines on our network which aren’t joined to a production domain anyway, so I couldn’t help. But I was really intrigued by the problem.
It seems that in several of the buildings, the number of virtual machines that are popping up – in some cases, on the order of hundreds – are sucking all of the DHCP scopes dry, and on machines which have wireless NICs, they are killing the wireless APs. Even better, the same people who are setting up these massive VM farms (usually for testing purposes) are the people who are calling help desk and the network team complaining that wireless is down, or that they can’t get an IP.
To put this a bit into perspective, one of the buildings that she was describing, has already been allocated 2 /21 networks. So for approximately 400 people in the building, they have over 4,000 IP addresses – and are still running out.
The obvious answer is to explain the miracles of NAT’ing virtual machines, or using private networks, etc. But for some reason it’s just not happening (I have to assume that it’s the “other” half, not the “smart people” referenced above).
I hadn’t actually thought about it though; we usually take things like ping/power/pipe for granted as “just working”. And this is coming from the AD guy, who is usually at the other end, where everyone else assumes that authentication is “just working”. But I suppose it’s good to remember that if you’re not doing NAT for your VMs, then you very likely could be causing a network admin somewhere to pull her hair out and scream expletives at you.
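If you are the network admin on the receiving end, the first question is how much of each scope the VM guests are actually holding. The following is an added example, not code from the original post or from Microsoft’s network team: it parses a constructed DHCP lease export, classifies each lease by the hypervisor OUI in its MAC address, and reports per-scope utilization and a VM share, using two /21 scopes like the building described above. The lease lines and scope ranges are made up; the OUI-to-vendor mapping uses publicly registered IEEE assignments.

```python
"""Added example (not from the original post): size up how much of a DHCP
scope is being consumed by virtual machines, using the hypervisor OUIs in
the lease MAC addresses. The lease lines and scope ranges below are
constructed; the OUI-to-vendor mapping uses publicly registered IEEE
assignments.
"""
import ipaddress
from collections import Counter

# Publicly registered OUIs used by common hypervisors for guest NICs.
VIRTUAL_OUIS = {
    "00:0c:29": "VMware",
    "00:50:56": "VMware",
    "00:15:5d": "Hyper-V",
    "08:00:27": "VirtualBox",
}

# Constructed lease export, one lease per line: "<ip> <mac> <hostname>".
LEASES = """\
10.20.0.15 00:1a:2b:3c:4d:01 LAPTOP-A
10.20.0.16 00:0c:29:aa:bb:01 testvm01
10.20.0.17 00:0c:29:aa:bb:02 testvm02
10.20.0.18 00:0c:29:aa:bb:03 testvm03
10.20.8.5  00:1a:2b:3c:4d:02 LAPTOP-B
10.20.8.6  00:15:5d:00:01:01 hv-guest1
10.20.8.7  00:1a:2b:3c:4d:03 LAPTOP-C
"""

# The post's building: two /21 scopes (2046 usable addresses each).
SCOPES = [ipaddress.ip_network("10.20.0.0/21"),
          ipaddress.ip_network("10.20.8.0/21")]


def parse_leases(text):
    """Parse the constructed export into (ip, mac, hostname) tuples."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, hostname = line.split()
        leases.append((ipaddress.ip_address(ip), mac.lower(), hostname))
    return leases


def vendor_for(mac):
    """Return the hypervisor name if the MAC's OUI is a known virtual one."""
    return VIRTUAL_OUIS.get(mac[:8])


def scope_report(leases, scopes):
    """Per scope: lease count, how many are VM guests, usable capacity, and
    a vendor breakdown. Keyed by the scope's CIDR string."""
    report = {}
    for scope in scopes:
        in_scope = [lease for lease in leases if lease[0] in scope]
        vendors = Counter()
        for _ip, mac, _host in in_scope:
            vendor = vendor_for(mac)
            if vendor:
                vendors[vendor] += 1
        report[str(scope)] = {
            "leases": len(in_scope),
            "virtual": sum(vendors.values()),
            "capacity": scope.num_addresses - 2,  # drop network + broadcast
            "by_vendor": dict(vendors),
        }
    return report


def vm_heavy_scopes(report, threshold=0.5):
    """Scopes where VM guests hold at least `threshold` of the leases."""
    return [cidr for cidr, r in report.items()
            if r["leases"] and r["virtual"] / r["leases"] >= threshold]


if __name__ == "__main__":
    rep = scope_report(parse_leases(LEASES), SCOPES)
    for cidr, r in rep.items():
        print(cidr, r)
    print("VM-heavy scopes:", vm_heavy_scopes(rep))
```

The OUI check only catches guests that keep the hypervisor’s default MAC prefix, so treat it as a lower bound; the same report, grouped by the physical port or AP a lease was learned on, is what points you at the specific VM farm host rather than the building.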
Posted by BPuhl on March 15, 2008
This has been around for a long time, but I keep being surprised by all the people who haven’t seen it yet. Especially when they look at me funny because I say things like, “OK, so…” and “WTF Mate?”… Well, this is where those, and other similar quirky phrases that I repeatedly use come from. Enjoy:
I think Laura had the best response a couple days ago when I sent her the link:
Okay, so…I was laughing so hard the first 2 times…that I didn’t hear him say “F—ing kangaroos” until just now.
So now I’m at my desk with tears streaming down my face.
That is all, carry on.
Posted by BPuhl on March 15, 2008
So it’s been brought to my attention that there is a very important distinction which I should probably make about my views of Cardspace in the enterprise. That distinction is the difference between Cardspace as a user interface, and Cardspace as the underlying infrastructure for performing claims based authentication.
The basic reason why I’m hesitant about Cardspace in the enterprise is actually because I LOVE the idea of having my users perform claims based authentication and authorization…but I can’t fathom the idea that people are going to keep getting these UI pop-ups and having to pick the same card over and over again throughout the day as they are trying to do their job. Even having to click it once or twice per day is too much in my opinion.
Since we already know that Cardspace will show you all cards which meet the criteria, as an enterprise administrator, I’d like to say that if there is only a single card which meets the relying party’s criteria – THEN USE IT! Don’t pop the UI, just go ahead and send the card, and have fun with that!
Yes, I realize that this violates numerous basic principles of user centric identity; however, those principles are based on the idea that the person owns the digital identity. In a company, the enterprise owns the identities, and issues them to individuals for use on behalf of the enterprise. So we don’t really need (or in many cases want) the “transparency”, or to provide the ability for a user to decline to send claims info, because that would distract them from the primary mission that we’ve issued the identity for to begin with – to do their jobs. It’s not as though an HR analyst would make the decision, “You know, I don’t think I want this application to know my employee ID number, so I’m going to decline to authenticate to it.” Ok, then what are you going to do, since accessing the application is a core part of your job, and the enterprise has determined (meaning, the app devs, security, IT, etc.) that the data was needed?
So don’t get me wrong, I love “claims based authentication and authorization”, and I firmly believe that Cardspace and Infocards have a HUGE value in the consumer space, anti-phishing, etc. But I would love to see more granular policies available to administrators over the user interface, so that we could use the Cardspace plumbing while intelligently presenting the UI only when it was necessary.
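As an added illustration of the policy this post asks for (not code from the original post, and not CardSpace’s own API or selector logic), here is a toy model of card selection: a relying party states the claims it requires and the issuers it trusts, the cards in the wallet are matched against that, and the card is submitted without a prompt only when exactly one card qualifies and an enterprise policy switch allows it. The card names, issuers, claim types and relying parties are all constructed.

```python
"""Added example (not from the original post and not CardSpace's own API):
a toy model of the policy the post asks for. A relying party states the
claims it requires; cards are matched against it; the card is submitted
without a prompt only when exactly one card qualifies and the enterprise
policy permits it. Card contents, issuers and claim names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    name: str
    issuer: str
    claims: frozenset  # claim types this card can assert


@dataclass
class RelyingPartyPolicy:
    required_claims: frozenset
    trusted_issuers: frozenset = frozenset()  # empty = any issuer accepted


@dataclass
class EnterprisePolicy:
    # The administrator knob the post wants: skip the UI on a single match.
    auto_submit_single_match: bool = True


def matching_cards(cards, rp):
    """Cards that can satisfy every required claim from an acceptable issuer."""
    return [c for c in cards
            if rp.required_claims <= c.claims
            and (not rp.trusted_issuers or c.issuer in rp.trusted_issuers)]


def select_card(cards, rp, policy):
    """Decide what the selector does for this relying party.

    Returns ("auto", card) when exactly one card matches and policy allows
    silent submission, ("prompt", [cards]) when the user must choose or the
    policy forbids auto-submit, and ("none", []) when nothing matches."""
    matches = matching_cards(cards, rp)
    if not matches:
        return ("none", [])
    if len(matches) == 1 and policy.auto_submit_single_match:
        return ("auto", matches[0])
    return ("prompt", matches)


# Constructed wallet: one enterprise-issued managed card, one self-issued.
WALLET = [
    Card("Contoso employee", "idp.contoso.example",
         frozenset({"employeeID", "email", "displayName"})),
    Card("Personal", "self-issued",
         frozenset({"email", "displayName"})),
]

# Constructed relying parties: an HR app that needs the employee ID from the
# enterprise issuer, and a wiki that only needs an e-mail address.
HR_APP = RelyingPartyPolicy(required_claims=frozenset({"employeeID", "email"}),
                            trusted_issuers=frozenset({"idp.contoso.example"}))
WIKI = RelyingPartyPolicy(required_claims=frozenset({"email"}))


if __name__ == "__main__":
    for label, rp in (("HR app", HR_APP), ("wiki", WIKI)):
        outcome, payload = select_card(WALLET, rp, EnterprisePolicy())
        print(f"{label}: {outcome} -> {payload}")
```

The wiki case shows why the author’s rule is narrower than “never prompt”: two cards satisfy an e-mail-only request, so the selector still has to ask. The single-match rule only removes the prompt where the user genuinely has no choice to make.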
Posted by BPuhl on March 14, 2008
Ok, well, maybe this isn’t exactly a science experiment. More of an editorial on cause and effect. Actually, what this really started out as, was a place for me to vent all of the anger and frustration at my teenage daughter, which had built up as I had my head inside of the dryer, sucking fumes of Isopropyl Alcohol with my lungs on fire.
But that’s probably getting a little ahead of myself.
After spending some time outside, clearing my head and lungs of the noxious fumes, pondering on all of the ways in which to dispose of her body, it started to occur to me that maybe it wasn’t intentional…wasn’t malicious…and didn’t really even have anything to do with the fact that she’s a teenager. In the end, I decided it must have just been dumb, bad luck.
After all…who hasn’t, at some time in their past, left a pen in the pocket of jeans or a sweatshirt when they washed it. Right? In fact, I can distinctly remember several times, moving the clothes from the washer to the dryer, and finding a pen lying on the bottom of the tub. Toss that one in the trash.
So what kind of luck does it take for this pen to make it into the dryer? Not a huge stretch of the imagination. Done that before too. But I have NEVER, EVER for the life of me, EVER heard of a pen in the dryer with some clothes EXPLODING like this goddamn thing did!
Everything in the dryer at the time, got ink all over it, and then the dryer “caked on” the ink to the inside of the barrel.
Tried soap and water. Nope. Tried Gunk-Off. Nope. Tried 409. Nope.
Ahhh, but rubbing alcohol, that worked like a somewhat-lucky-sort-of-half-assed-but-still-got-most-of-it-off charm!
So the answer to the question, ladies and gentlemen, is that THIS is how I ended up with my head stuck in a dryer wiping down the inside with rubbing alcohol.