BPuhl’s Blog

A little bit of everything without actually being much of anything

Archive for the ‘Rants’ Category

Overheard in a meeting (paraphrased)…

Posted by BPuhl on October 14, 2010

…the problem is, that instead of trying to make what we have work.  Every software architect believes that that their <widget> will be the solution that everyone adopts…


Typing this, reminded me of something else that I heard recently, which was along those same lines…

Of course my idea on the whiteboard is better than all the code that you’ve written!


Posted in Babbling and Blabbering, cloud, Quotes, Random Tecnical Stuff, Randomness, Rants | Leave a Comment »

Bad Combination…

Posted by BPuhl on January 5, 2010

(Non-technical rant in progress…)

Interesting trend happening around Redmond lately.  Over the past few months, there have been 5 different traffic circles built, 3 feeding into one another in Woodinville, and 2 on East Lake Sammish drive in Sammamish.  Both cities border Redmond, and both happen to be roads that I drive frequently.  In fact, I have to go through the 3 circles in Woodinville each morning after dropping my daughter off at school.

So what.  Isn’t it a good thing when a city takes out half a dozen consecutive stop lights, and replaces them with a slow but smooth flowing traffic circle?  Well, if this were in California where I grew up and learned to drive, sure, it would be great.  But this is Washington, and if you’ve ever had the chance to hop on a freeway in or around Seattle, then you’ve probably noticed:  The stop & merge.

Yeah, it seems that drivers in Washington don’t actually know how to merge with traffic, instead, they stop…sit…wait for the orderly flow to slow to a crawl and somebody to wave/honk at them, and then they gun it to try to catch up to speed… 

So kudo’s to the traffic engineers (who I suspect live out of state) for picking a control device which allows for a nice, orderly flow of traffic through these intersections.  It’s too bad they have to get screwed up by the stop and merge.

Oh yeah – and to the beige Toyota Highlander on East Lake Samm this afternoon – Although the sign is red & white – it’s an upside down triangle that says YIELD, it’s not an octagon that says STOP – there is a difference!

Posted in Randomness, Rants | 2 Comments »

unprotect a visio object

Posted by BPuhl on September 11, 2009

If you happen to be using the Office 2010 preview…And using Visio…And open a sheet on which you’ve protected objects…AND you need to undo the protection of those objects…


Then let me save you 20 minutes of looking around.  You have to go into the options (click the office logo button on the top left), and then add in the Developer tab to the ribbon.  The protection button is hidden in there.


Posted in Random Tecnical Stuff, Rants | 1 Comment »

Enabling RSAT tools in Win7

Posted by BPuhl on August 6, 2009

Does anyone else think it’s odd that you have to go through and click every one of these darn little boxes to enable all of the RSAT tools?  Odd defaults…


Posted in Randomness, Rants, Win 7 | 2 Comments »

Collection agencies….

Posted by BPuhl on April 10, 2009

I have had a few discussions recently at work about ways to make things more convenient.  Either convenient for our users (cloud services), convenient for our customers (single sign on), etc… 

But a one-two punch hit me, when I just had 2 close friends – both of whom have been impacted by the financial mess – have their identity attacked because something that had built in security controls (checks) was made to be more convenient (by phone), and in the process all of the controls were removed so my friends were vulnerable.

Really, I call it fraud, or identity theft, or just plain robbery…  But in both cases, the banks say that there are no laws against this:

My friend lost her job, and fell behind on payments.  She owed $1100 for this months rent, $4400 to a creditor that by this point had gone to a collection agency, and some other bills (credit cards, gas, electricity, etc…).  Through creative budgeting and working with parents, friends, and anyone else, she scraped together $5000 that she could use. 

With the new money available, she came up with the following plan:

   $1100 for rent
      900 for the other bills
      500 to the collection agency
      The rest to be used for the following months rent, payments, etc…

She called the collection agency, and agreed to pay them $500 now, and then set up a payment plan for the rest of the money.  That’s where the first mistake happened:  They wanted the payment as a “check by phone”.  So she voided a check, gave them the info, etc…

The collection agency first attempted to clear the check for the full $4400.  Because the money was in the account, the check cleared – of course, this meant that she couldn’t pay any of the other bills, or her rent, etc…  And she had already tapped out her friends, parents, etc…

You can imagine that the calls to the collection agency were like:  “Sorry, sucks to be you – we’ve got our money now”

The bank was equally useless:  “You gave them a check by phone, the money was in the account, they cleared it…Sucks to be you”

This was just completely ridiculous, but it shows that in the absence of standards or protocols, there is no shortage of people that will offer things for the sake of “convenience” which blow the hell out of “security”.  If you have to write a check and sign it, then you fill in the amount, etc…  modification of that is check fraud.  But those security controls went out the window when banks allowed people to do “checks by phone”, and there is absolutely nothing to prevent unscrupulous people from raping your bank account if you give them the information.

The second case is similar, but with a slight twist

My friend has slowly but surely been paying off debts that were racked up over a period of time, and has been working through one of those debt consolidation management companies.  Since she wasn’t getting the resolution that she needed from the company, she took back the money that was in their escrow account and started working with the collection agency independently.

On the first phone call, she had an $7,000 debt and worked with the agency to negotiate down to where they would accept $4300.  Seems like a good deal, so again, check by phone for $4300.

A couple of days later, she received a notice from the collection agency, indicating that they “Had an agreement for an initial payment of $4300”.  In other words, the deal they made on the phone was a lie, instead of negotiating the total, they just wanted an initial payment and were going to keep going after her for the remaining balance.

Ahhh…but the check by phone hadn’t cleared yet.

So a quick call to the bank, a $28.00 stop payment charge, and there was a stop-payment for that check before it cleared.

Good right?

Not so much.  2 days later, $4300 was withdrawn from the account anyway, by check #1001 (not the check number she gave them).  A long, convoluted, multi-transfer call back with the bank this time, and they could see where the initial check number had attempted to clear, been rejected (the stop payment), and then the company had re-submitted another check by phone with the different check number and got the money.

After several days of arguing, it’s still unclear whether the bank is going to say “Sorry, sux to be you” or if they are actually going to help.  I’m not holding my breath.

So again, the safety features around checks – being numbered, signed, amounts written (twice) – are all placed into the trusting hands of the least trustworthy person (the merchant that wants your money), and there is remarkably little recourse.  I suppose you could go get a lawyer, etc…  But during that time the money is gone, life still needs to be lived, and a lawyer is going to take 30% of whatever you get back anyway (or some amount of payment)…

All for the sake of convenience (to whom?)

There are better ways, one of which I really like.  I’ve had a credit card with CitiBank since college.  And many years ago, they came up with this idea of virtual account numbers for your credit card.  You can go to their website (or they have a downloadable application), and if you want to make a purchase, you can get a one-time use credit card number (with expiration and CVC) for that one purchase.  I haven’t used it in a while, but IIRC you can even specify the amount of the purchase you’re going to make (which is really the protection).  This is great, because the security of a credit card is handing the piece of plastic with the signature on the back to the person behind the register.  With online purchases, you can’t do that, so instead lets take the things which you can control (amount of purchase, usefulness of the number after it’s been used properly) and control those instead.  Reasonable mitigations.

This is the type of control that we’re going to need if we want to protect our resources in a more “convenient” (read: Online) world.

Posted in ADFS, Digital Identity, Friends and family, Identity and Access, Randomness, Rants | 3 Comments »

Being Hacked is ok (if you’re paying for it)

Posted by BPuhl on March 27, 2009

There were many great speakers at TEC 2009 this year (and I was there too!), especially in the Federated Identity track.  One of the things that I was interesting, was during one of the sessions the speaker described many of the current non-federated authentication schemes that SaaS providers can use.  The implementations may have varied slightly, but they often amounted to “Give us your user name and password, and we’ll authenticate you across some out-of-band channel.”  The deployment of this service requires that extra channel for auth, sometimes being a VPN connection, or an LDAP service that the provider can authenticate against…things like that.

A comment was made, something about the security risk that this poses; after all, it IS by definition a “man in the middle attack.”  The next couple of minutes were spent blasting this type of ridiculous design (after all, this was the federation track) and how horrible this was and people would never let this type of set up occur at their company.

Of course, that’s probably not true at all, is it?  After all, every application outsourcing project I’ve worked on includes the “user SSO” line item, but nobody says what that has to be.  And the corporate security risk analysis has to outweigh the hard dollar cost savings that were driving the project to begin with, which is why I suspect that the typical CorpSec risk analysis always ends up somewhere in the Billions of dollars with a picture of the company going down in flames.  Yet even that’s not enough even enough to stop the project from moving forward, because at the end of the day, IT departments are often not empowered to say “No, you can’t do that”…rather…we end up saying, “This sucks, but here’s the best that we can do to make it work.”

And that is why, a man in the middle attack, even one with credential harvesting, is OK if the company is paying someone to do it (and saving real money in the process)

And it’s why now more than ever we need comprehensive federated authentication solutions, so we don’t have to get run over by these hacks.

Posted in ADFS, Digital Identity, Identity and Access, InfoCards, Random Tecnical Stuff, Rants | Leave a Comment »

3-D as an Afterthought

Posted by BPuhl on February 22, 2009

So it’s really tough to find something that can be moderately entertaining to a 16 year old, appropriate for the 4 year old, and not bore the snot out of the adults.  So far the options have pretty much limited themselves to bowling, or Pixar movies. 

Took a chance this afternoon, and we all loaded up to go see Coraline in 2-D.  This isn’t really a movie review, because seriously – Coraline?  But hey, it had a chance.

What is interesting though, is the current rash of 3-D movies that are coming out again.  In this case, we had the option of seeing “Coraline in 3D”, or just regular 2D.  Well, we thought we had the option but the 3D version started 10 minutes ago, and the 2D version started in half an hour, so 2D it was.

Sitting there though, it was obvious that this wasn’t a movie that was built around 3D.  Instead, it was a 2D movie with a couple of gratuitous scenes where they very obviously (even in 2D) drew in extra bits and pieces that would pop out of the screen in the 3D version.

I guess I’m just used to 3D in the “intentional” kind of way.  Usually when it’s been a trip to Disneyland, or someplace similar – starting way back when with Captain E-O, and more recently with the Bugs Life and similar movies that were actually made to be shown 3D.

Like I said, I didn’t really have huge expectations for the movie to begin with.  But it’s annoying when it’s so ridiculously obvious that they made the movie, and then after the fact, the marketing department told the artists to go back in and add some bugs popping out so they could market it in multiple dimensions.

Posted in Randomness, Rants | 2 Comments »

Blogvertising? Commentvertising? Comment-o-blogvertising?

Posted by BPuhl on October 14, 2008

If you have a blog, what’s your policy on commenter’s who either blatantly, or very-suspiciously are advertising via comments on your blog?

I noticed this about a month ago, when the following comment appeared in one of my posts:

Kristofer Younger
http://research.epokinc.com/blog | kris@epok.net |

Very valuable information to us and our customers. We deal with extranet sharing with our product, and users are constantly worried about the legal aspects of trust within federation applications. Thanks for some great pointers. -K

From A kinder, gentler federation agreement, 2008/09/17 at 6:51 AM

This was obviously an advertisement for their product, but at that point I decided that it would be new “new policy” that I wasn’t going to filter or edit comments, unless they were obviously spam – this was close, but I figured what the heck.

Today though, a much more subtle comment came through:

New comment on your post #212 “Zune Warranty Coolness”
Author : Josh (IP: , ausisaw2k3ps304-dmz.aus.amer.dell.com)
E-mail : njosh@gmail.com
Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=

Sweet story! really neat that they sent a box for it to be sent back in and sent you a new one, sound like a really smooth operation. Had the same service for my Dell laptop and was extremely please with how easy it was. love it when companies really go out of their way to make warranties easy

You can see all comments on this post here:


This seemed innocent enough, except look at the reverse lookup for the IP address.  This guy is coming from behind the Dell proxies!  Suddenly this seemingly innocent comment just became a blogvertisement for Dell.

I’m not sure whether I should just filter these as spam (probably), just not allow them, or just let them through.  But in either case, I’ve realized that due to the nature of the comments, I don’t feel any guilt at all about posting their e-mail or IP addresses in this post…

Posted in Random Tecnical Stuff, Randomness, Rants | 5 Comments »

Zune Subscriptions…

Posted by BPuhl on September 23, 2008

I’ve got 3 Zunes in my house, that are used by 3 different people.  Here are my options for a Zune Pass subscription:

– Pay $16 per month each so that each Zune user can have their own subscription, friends, and “social experience”
– Pay $16 per month total for the unlimited music downloads, but use a separate/shared LiveID that each person needs to log in to. 

Let’s just get this clear right off the bat – I don’t want to share my 16 year old daughters “social experience” – In fact, I don’t even want HER to participate in it, but that’s a different tangent…

The thing is, that even though the Zune Pass subscription service is restricted to “3 Zunes and 3 computers”, the reality is that the Zune subscription is also restricted to a single LiveID.  From a user experience/scenario perspective, then this the wrong identity to be tying it to.  Of course, if you’re in marketing and trying to maximize profits, then this makes perfect sense.

So why bother with all of this?  Because in previous posts, I’ve talked about different federation scenario’s, and where the authorization policy gets applied.  In this case, what we really want (we, being me, the guy paying the bill) is for the subscription (authz policy) to be tied to the Zune (policy enforcement point) themselves.  And if you’ve got a Zune, then you know that it actually has it’s own identity (just try plugging it into a new computer), and the relationship of the validity between the Zune and the music which is DRM’d on it (ie. the data) is really the one that you want to enforce. 

Of course, that’s what I’d like.  I’m sure the marketing people are/were expecting that a single user would have multiple Zunes, and that is the target market that they were shooting for.  But it also demonstrates a fundamental concept that’s always been lacking in LiveID – the ability to group multiple LiveID’s together for shared access to common resources.

Instead, I’m forced to flip between different LiveID’s for different purposes, because I’ll be damned if I’m going to pay $50 a month so that each Zune can have it’s own separate subscription.


(edited 9/24/2008 8:30am to add:
And for all of the iPod bigots out there who are going to leave me a bunch of comments about how getting an iPod will solve the worlds problems (overnight there have already been a few), kindly explain HOW that would help here since I tried iTunes about 6 months ago and it did the same thing – I’m deleting all ‘get an iPod’ comments, which is something that as a general rule I don’t do)

Posted in ADFS, Identity and Access, Random Tecnical Stuff, Rants | Leave a Comment »

Homeowners Insurance

Posted by BPuhl on September 21, 2008

I’ve been dealing with some plumbing problems recently.  Specifically, a drain line from the kitchen which runs under the concrete slab to connect to the other drain lines on their way out to the sewer – failed.  Since I have a split level house, the plumbers came out, and tore up the ceiling downstairs to run a new drain line from the kitchen into the garage.  I started ripping out moldy walls, replacing studs, etc…  Altogether, about a $4500 adventure.  (which is relatively cheap for this kind of an issue – fortunately we didn’t have to dig up the slab)

So where was my home owners insurance through all of this? 

Remembering back to when I bought my house, there was something like a 4 inch stack of paperwork that required about 150 signatures.  Ok, ok, ok – I’ll admit it here – No, I did not actually read and fully understand every single word of every one of those documents that I signed.  (really, did you?) 

Well, one of those pieces of paper was my home owners insurance policy, and I really should have read it more thoroughly.  Growing up, I’ve always seen various types of insurance have $250, $500, or $1000 deductibles – something like that.  Ah, turns out that State Farm gave me a policy with a “One Percent” deductible – which put’s it at…oh…about $4500 or so.  DOH!!!  (And I’m not blaming them, because I would actually bet that they TOLD me about it as well.  This is all my fault, State Farm has actually been pretty good)

What’s worse, is that when I called to ask about filing the claim, the nice lady offered that just by saying the word, I could change my deductible to $1000 and it would take effect immediately (unfortunately not retroactively), and it would cost an additional $140 per year.  Now – quick math says that there are about 25 “hundred-forty-dollars” inside the $3500 difference between my 1% deductible and $1000 (not to mention, hopefully, the value of the house goes up over time).  Was I stupid!?!  Of course, change that stuff immediately! 

(and those of you diving for the comment button – that was a rhetorical question)

So I’m doing most of the repair work myself now (Home Depot shareholders can thank me later).  Lesson learned, the hard way for me, but sharing this with you on the off chance that just possibly, you might not have read all that paperwork either.

Posted in Babbling and Blabbering, Randomness, Rants | 2 Comments »