
  def Softwaremaker() :
         return "William Tay", "<Challenging Conventions />"

  knownType_Serialize, about = Softwaremaker()
 

 Sunday, January 29, 2006
Saturday, January 28, 2006 11:54:04 PM (Malay Peninsula Standard Time, UTC+08:00)

  •  Friday, January 27, 2006

    Don't get me wrong. I love my new PocketPC Phone on Windows Mobile 5. Some great reviews can be found here, here, here and here.

    If you read all those reviews, it is with no doubt that everyone has their thumbs-up for this beauty and the common underlying praise is its Performance with a Samsung 400 MHz Processor, which some suggest runs with the same cyclical power of an Intel 570 MHz Processor, BUT outperforms even that of the Intel 624 MHz that the Dell AXIM x50 has.

    This is the only PocketPC Phone that I have test-driven successfully with Skype. And if you know how the architecture of Skype works, if it can run Skype, it can run everything. In fact, I have chatted with many people over Skype using this phone ... No-one knows that I am chatting with them via a PocketPC Phone ... and it really makes me wonder about why would anyone bother with these types ?

    Anyways, while playing around with some of the softwares in there, I noticed a couple of boo-boos like those shown below




    Giggles aside and it is a great conversation starter amongst geeks, I have always preferred functionality over aesthetics - Who really cares how the food and the cook looks when it tastes good (the food, that is ...)

    I also fnid it fsacinatnig that the human brian is so cabaple of knowing and dceiphering the meaning, the intent, the samentics of these words, even though it is spelt wrognly.

    Is this an exercise of the brain or is it just simply to carry on the great legacy of software typos ?

    Thursday, January 26, 2006 9:00:34 PM (Malay Peninsula Standard Time, UTC+08:00)

  •  Thursday, January 26, 2006

    This is a long but great post (worth the time) comparing the presentation styles of Steve Jobs and Bill Gates. I must admit that I had fallen (almost) asleep hearing Bill present the last couple of times last year.

    His presentation was designed such that the focus was on his power-point slides. This is wrong. People are paying money to see and hear Bill speak. Bill has to carry himself ... and just like what that post mentioned > "There was a lot of  images and a lot of text".

    It was way too much.

    Wednesday, January 25, 2006 10:18:15 PM (Malay Peninsula Standard Time, UTC+08:00)

  •  Saturday, January 21, 2006

    I recently had a chance to sit down with a client to discuss software systems as well as to find out what we can do for them in their new system proposal.

    I mentioned the 80/20 rule and explained to him what it was.

    Then, we talked about (Web) Services and he was aghast that we could still be using (Web) Services even within his own LAN - and not connected to the WWW.

    "...but I thought you need to be using a browser and connected to the internet to be using (Web) Services ? ..."

    Sigh. I have heard that one too many times. One of the recent misnomers, no doubt.

    Services, Services, Services. Code and Location is irrelevant. I had posted something like this a while back. It is good that the industry is taking some steps to correct this. See Point [1] of this referenced post.

    Friday, January 20, 2006 10:29:37 PM (Malay Peninsula Standard Time, UTC+08:00)

  •  Friday, January 20, 2006

    Sounds like SPAM ? It is not.

    This is a 100% ASP.NET 2.0 based CMS solution -- best of all it is free -- check out this blog post for some sites built with it.

    All the info you need is here. Let me know your thoughts if you are using it. I will be embarking on it very soon.

     

    Friday, January 20, 2006 1:22:50 PM (Malay Peninsula Standard Time, UTC+08:00)

  • I am known to be a hard-driving consumer. Hey, I work hard for my money, they should do the same for mine. It is all fair and good.

    Recently, my phone line was bad (read: Noisy) and that affected my ADSL line as well (read: intermittent Internet Connectivity). When I called the service provider, they told me that the linesman would only come to my place after 3 days and, as usual, said: They will be there between 1300 to 1800 hours

    I was stunned. Where is the basic SLA ? They said that because of the rain these days, the Fault Lines Technicians and Engineers were swarmed and therefore were busy. I told them - to be honest - that's your problem; not mine. I cannot tell my boss or my clients that I can only answer emails or fight fires 3 days later because there was too much rain and a Global Billion-Dollar company like Singtel cannot handle it. They cannot compensate me for a quantifying amount for loss of service for 3 days because there is loss of business activities to me. Try to quantify that !!!

    Hey, SingTel - Learn ! Learn ! Learn ! If there is excessive rain and fault rates (read: Demands) are high. For goodness sake - Increase the size of your field team. Pay them per-incidence. Train more people. You have a basic service level to keep up. I will understand if your Comcenter gets terrorized or hi-jacked but Rain ? C'mon - That is hardly an excuse. As a global company that has revenues in billions - you ought to do better. Shame.

    And what's the deal with between 1300 - 1800 hours. I never did understand that. Why penalize a consumer who has to take leave (hey, someone has to work hard to pay the service provider, don't they ?) to wait 5 hours for a technician who comes in and solves the problem within 10 minutes.

    I think this is becoming to be a Singaporean culture - started by the Government, of course. I still laugh when I hear our own economist forecasting: "...we expect our GDP to grow to between 1% to 4%".

    Dudes, that is a huge gap just to cover your as*es. If you are wrong, admit you are wrong. Don't give yourself that gap just so you can always be right.

    Try submitting that report to hard drivers in the US or Europe and see them cringe. Giving that GDP gap as actual reported numbers is insane. Don't they know that a 1% gap equates to billions of dollars ? It is akin to saying that my company may rake in between 10 dollars and 1,000,000 dollars this year and get some angel investors to sink their seed funds in it.

    Angel Investor: "Hey, I think I made a good investment today"
    His Wife: "Oh ? Which lucky company is that ?"
    Angel Investor: "Well, they stand to make 1,000,000 dollars because of their great product and wonderful management"
    His Wife: "Excellent ! Maybe its time to have that 3rd kid we have always wanted"
    Angel Investor: "Well, honey...not so soon ... because they can make just only 10 dollars too..."
    [His Wife puts on her clothes again ...]

    ...That's why I think the weatherman in Singapore has the easiest job. Our weather is fairly constant all year around and I hope one day we don't hear our weatherperson saying something like: "...expect temperatures to be between 1 and 35 degrees Celsius..." Of course, they are always right and never wrong.

    With all the noise I made and a threat to write to the press about it, the linesman came in 2 hours time on the very same day.

    Remind me not to go into any consumer business next time.

    Thursday, January 19, 2006 9:21:52 PM (Malay Peninsula Standard Time, UTC+08:00)

  •  Thursday, January 19, 2006
    Thursday, January 19, 2006 12:56:22 PM (Malay Peninsula Standard Time, UTC+08:00)

  • Microsoft announced Go Live licenses this morning for Windows Communication Foundation (WCF, previously Indigo) and Windows Workflow Foundation (WF), which let customers use the January Go Live releases of WCF and WWF in their deployment environments. (Do note that these are unsupported Go Lives.)

    More information about the Go Live program is at http://msdn.microsoft.com/winfx/getthebeta/golive/default.aspx.

    There are also a couple of community sites for WCF and WWF here:
    http://windowscommunication.net
    http://windowsworkflow.net

    The community sites give users everything they need to start using WWF and WF today. If you have some great samples, do post them to the sites; the WCF sample gallery and WF activity gallery allow you to host the samples/activities on your own site and create links to your own site from the galleries.

    As mentioned, I will be introducing more WWF Blogging to this site. Do stay tuned.

     

    Wednesday, January 18, 2006 9:58:09 PM (Malay Peninsula Standard Time, UTC+08:00)

  •  Wednesday, January 18, 2006

    Two of my favourite features out of many in Visual Studio 2005.

    1) Finally - A Correction of what was wrong for some time - There is an Add Service Reference now. This is essentially what svcutil.exe does for you. Awesome. Now we know we are speaking services and messages ... No more calls please.

    2) A simple IDE enhancement but yet one that can generate lots of productivity. VS.NET will launch any project (of a solution) that my cursor is residing on. No more booting up of Class Libraries or Service Components by mistake anymore (esp. in front of an audience).

    Wednesday, January 18, 2006 3:08:43 AM (Malay Peninsula Standard Time, UTC+08:00)

  •  Friday, January 13, 2006

    If you want some more of this, email me or comment your email here.

    [Update:] Sorry, many people have written in to me and all invites have all been given out.

    Friday, January 13, 2006 4:37:14 AM (Malay Peninsula Standard Time, UTC+08:00)

  •  Thursday, January 12, 2006

    With regards to my post here, I thought I would expand on one of the many enhancements that WS-Security Specifications 1.1 brings.

    The "MutualCertificate11Security" assertion is one of the few turnkey security assertions in Web Services Enhancements (WSE) 3.0. With it, the client and server are both authenticated using X.509 certificates, and message-level security is implemented using X509SecurityToken security tokens. This turnkey security assertion requires WS-Security 1.1.

    Once that is configured and implemented properly, it is rather interesting to see what transpires on the wire. Here is a brief snippet:


    [wsse:Security soap:mustUnderstand="1"]
    ...
    [wsse:BinarySecurityToken ValueType="...oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="...wss-soap-message-security-1.0#Base64Binary" wsu:Id="SecurityToken-76ae..."]MIIBvD...[/wsse:BinarySecurityToken]

    [xenc:EncryptedKey Id="SecurityToken-6ec8..." xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"]
    [xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"]
    [ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /]
    [/xenc:EncryptionMethod]
    [KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"]
    [wsse:SecurityTokenReference]
    [wsse:KeyIdentifier ValueType="...oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="...oasis-200401-wss-soap-message-security-1.0#Base64Binary"]qRTA40Xfk6w1Os3mgpgy8UgwR/Y=[/wsse:KeyIdentifier]
    [/wsse:SecurityTokenReference]
    [/KeyInfo]
    [xenc:CipherData]
    [xenc:CipherValue]hBfCfVmg...[/xenc:CipherValue]
    [/xenc:CipherData]
    [xenc:ReferenceList]
    ...
    [/xenc:ReferenceList]
    [/xenc:EncryptedKey]

    [Signature Id="Sig-b679..." xmlns="http://www.w3.org/2000/09/xmldsig#"]
      [SignedInfo]
      [ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" /]
      [SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" /]
      [Reference URI="#Id-5cdc..."]
      ...
      [/Reference]
      [/SignedInfo]
      [SignatureValue]O/PdsVMS4PTIBtrx8eyFNzbTnjc=[/SignatureValue]
      [KeyInfo]
      [wsse:SecurityTokenReference]
      [wsse:Reference URI="#SecurityToken-6ec8..." ValueType="...oasis-wss-soap-message-security-1.1#EncryptedKey" /]
      [/wsse:SecurityTokenReference]
      [/KeyInfo]
    [/Signature]

    [Signature xmlns="http://www.w3.org/2000/09/xmldsig#"]
      [SignedInfo]
      [ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" /]
      [SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /]
      [Reference URI="#Sig-b679..."]
      ...
      [/Reference]
      [/SignedInfo]
      [SignatureValue]PDm4wS+3hzmXugHL1wcTWZXHcaGKkODVHU48XvVNC6catxiOr25
    xq9AGN8u8CgYo1JlnoEf2tuCUl86krKiUBSnMR/towfAs2doGg6a+vtjIl9F54c/VZtTPgwn
    QdZtJ28E8+ep5MIS2i+9Tamnui6qpX16IS3J1FcMjVBHQpMs=
    [/SignatureValue]
      [KeyInfo]
      [wsse:SecurityTokenReference]
      [wsse:Reference URI="#SecurityToken-76ae..." ValueType="...wss-x509-token-profile-1.0#X509v3" /]
      [/wsse:SecurityTokenReference]
      [/KeyInfo]
    [/Signature]
    ...



    One thing that you will notice is that there are 2 Digital Signatures generated.

    The first one has an Id ("Sig-b679..."), which hints that it will itself be referenced for encryption or signing later on, and it is signed with a key of the EncryptedKey type (which I talked about in my earlier post). Because it is computed with a symmetric key ("#SecurityToken-6ec8...") using HMAC-SHA1, the [SignatureValue] is rather short. This signature signs the soap:Body, referenced by the URI "#Id-5cdc...". The [EncryptedKey] value can be decrypted with the server's private key to recover that symmetric key.

    The second signature signs the first signature (#Sig-b679...) with the client's private key, so only the corresponding public key can verify it. The public key, together with the client's certificate, is sent over the wire in a [wsse:BinarySecurityToken] (#SecurityToken-76ae...). Because an asymmetric key is used here, the [SignatureValue] is relatively longer than that of the first signature.

    As we can see from here, the first signature signs the soap:Body and the second signature signs the first signature. These are generally known as "Supporting Tokens". These additional tokens may be specified to augment the claims provided by the token associated with the “message signature” provided by the Security Binding. Supporting tokens may be specified at a different scope than the binding assertion which provides support for securing the exchange.

    There are four properties related to supporting token requirements which may be referenced by a Security Binding: [Supporting Tokens], [Signed Supporting Tokens], [Endorsing Supporting Tokens] and [Signed Endorsing Supporting Tokens]. Four assertions are then defined to populate those properties: SupportingTokens, SignedSupportingTokens, EndorsingSupportingTokens, and SignedEndorsingSupportingTokens.

    What I have shown above is known as the [EndorsingSupportingTokens].

    The [SignedEndorsingSupportingTokens] is a combination of [SignedSupportingToken] and [EndorsingSupportingToken] and I will talk about that in a future post.
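
    The chain described above (a message signature keyed by the [xenc:EncryptedKey], endorsed by a second signature keyed by the X.509 [wsse:BinarySecurityToken]) can be checked structurally on the receiving side. This is an added example, not part of the original post or of WSE; the header and its Ids are constructed, and it checks references only, not the cryptographic values.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed header with the same shape as the capture above (Ids are made up).
SAMPLE = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"
    xmlns:ds="{DS}" xmlns:xenc="{XENC}">
  <wsse:BinarySecurityToken wsu:Id="Tok-x509">AAAA</wsse:BinarySecurityToken>
  <xenc:EncryptedKey Id="Tok-ek"/>
  <ds:Signature Id="Sig-msg"><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{DS}hmac-sha1"/>
      <ds:Reference URI="#Id-body"/></ds:SignedInfo>
    <ds:KeyInfo><wsse:SecurityTokenReference>
      <wsse:Reference URI="#Tok-ek"/></wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
  <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{DS}rsa-sha1"/>
      <ds:Reference URI="#Sig-msg"/></ds:SignedInfo>
    <ds:KeyInfo><wsse:SecurityTokenReference>
      <wsse:Reference URI="#Tok-x509"/></wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
</wsse:Security>"""

def index_ids(header):
    """Map every Id / wsu:Id to its element and collect duplicated Ids."""
    ids, duplicates = {}, []
    for el in header.iter():
        for attr in ("Id", f"{{{WSU}}}Id"):
            value = el.get(attr)
            if value is None:
                continue
            if value in ids:
                duplicates.append(value)  # an ambiguous reference target
            else:
                ids[value] = el
    return ids, duplicates

def describe(sig, ids):
    """Summarise one ds:Signature: algorithm, signed targets, key token kind."""
    info = sig.find(f"{{{DS}}}SignedInfo")
    key_ref = sig.find(f"{{{DS}}}KeyInfo/{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}Reference")
    token = ids.get(key_ref.get("URI", "").lstrip("#")) if key_ref is not None else None
    return {
        "id": sig.get("Id"),
        "alg": info.find(f"{{{DS}}}SignatureMethod").get("Algorithm").split("#")[1],
        "targets": [r.get("URI", "").lstrip("#") for r in info.iterfind(f"{{{DS}}}Reference")],
        "key": token.tag.split("}")[1] if token is not None else None,
    }

def check_endorsement(xml_text):
    """Return (signatures, problems) for a wsse:Security header."""
    header = ET.fromstring(xml_text)  # untrusted input: use a hardened parser, e.g. defusedxml
    ids, duplicates = index_ids(header)
    sigs = [describe(s, ids) for s in header.iterfind(f"{{{DS}}}Signature")]
    message = [s for s in sigs if s["alg"].startswith("hmac") and s["key"] == "EncryptedKey"]
    endorsing = [s for s in sigs if s["alg"].startswith("rsa") and s["key"] == "BinarySecurityToken"]
    problems = [f"duplicate Id {d!r}" for d in duplicates]
    if len(message) != 1:
        problems.append("expected exactly one message signature")
    if len(endorsing) != 1:
        problems.append("expected exactly one endorsing signature")
    if message and endorsing and message[0]["id"] not in endorsing[0]["targets"]:
        problems.append("endorsing signature does not cover the message signature")
    return sigs, problems
```

    An endorsing signature that points anywhere other than the message signature's Id, or a header in which two elements share an Id, is reported as a problem before any cryptographic verification is attempted.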

    Wednesday, January 11, 2006 5:06:42 PM (Malay Peninsula Standard Time, UTC+08:00)

  •  Tuesday, January 10, 2006

    I have been back fiddling at the Web Services Enhancements (WSE) 3.0 technology space for the past few weeks and I am now grokking into the plumbings since there are quite a few forums, blogs, posts out there focusing on the higher-level abstract programming model.

    I am very pleased that WSE 3.0 has implemented WS-Security Specifications 1.1 at its very core, so much so that it is the de-facto security standard to be used in most of the Turnkey Security Assertions that come with the product.

    One of the things that I have always been asking for through my contacts and channels in the OASIS WS-Security Technical Committee is the ability to sign my document snippets with a symmetric key instead. Since XML-Encryption already utilized symmetric key encryption via the [xenc:EncryptedKey] [1] for performance and throughput reasons, there is no reason why XML-Digital Signature cannot do the same. While the improvements in throughput may be slight due to the fact that in digital signatures, messages are already hashed before encryption, it is still a viable option that should be made available.

    In WS-Security 1.0, this is what is commonly seen in the Digital Signature Parts:


    ...
    [wsse:BinarySecurityToken ValueType="...oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="...oasis-200401-wss-soap-message-security-1.0#Base64Binary"
    wsu:Id="SecurityToken-7b5d..."]MIIBxDCCAW...[/wsse:BinarySecurityToken]
     
      [Signature xmlns="http://www.w3.org/2000/09/xmldsig#"]
      [SignedInfo]
      [CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /]
      [SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /]
      [Reference URI="#Id-f7e1..."]
      [Transforms]
      [Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /]
      [/Transforms]
      [DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /]
      [DigestValue]avMezj5NhZwNerXidi5oBmjqi/g=[/DigestValue]
      [/Reference]
      ...
      [/SignedInfo]

    [SignatureValue]SJfnqZeDHboWDI2n2gWHqTJO5hXvZOFQw8UtDdajktzR40H+W6D
    prs5CW/l9A5TF3xcFfyryA3hz7c+0vdlZSnaA+cBn2qPxt7/YmwaAx5Ave
    awuach6YPYI123I4I3f58eSMUgPsx6/uuFQFcJltEMw1nWLE6Wb6CPg5OdtXLs=
    [/SignatureValue]
      [KeyInfo]
      [wsse:SecurityTokenReference]
      [wsse:Reference URI="#SecurityToken-7b5d..."
    ValueType="...oasis-200401-wss-x509-token-profile-1.0#X509v3" /]
      [/wsse:SecurityTokenReference]
      [/KeyInfo]
      [/Signature]


    Now in WS-Security 1.1 via WSE 3.0, I can do this:


    [xenc:EncryptedKey Id="SecurityToken-32e4..." xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"]
      ...
      [wsse:SecurityTokenReference]
        [wsse:KeyIdentifier ValueType="...oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="...oasis-200401-wss-soap-message-security-1.0#Base64Binary"]qRTA40Xfk6w1Os3mgpgy8UgwR/Y=[/wsse:KeyIdentifier]
      [/wsse:SecurityTokenReference]
      [/KeyInfo]

    [xenc:CipherData] 
    [xenc:CipherValue]n6PnkIWb+QsIeOPehLdtQQKYZn202uGqhN+ShCWyBaCf20rmVcta
    Bw2MhB1fv9pE0hOLpAxMMT5ffk4/hnwZ/ef2XcZediF6ySfpse14TI2TGy
    cp9XErpeYlZNn1wSchHlOEz2gVYfViZoEOIwn8qR7EofLN3U3Mc5Zp2qG2coI=[/xenc:CipherValue]
      [/xenc:CipherData]
      [xenc:ReferenceList]
      [xenc:DataReference URI="#Enc-0914..." /]
      [xenc:DataReference URI="#Enc-3aab..." /]
      [/xenc:ReferenceList]
      [/xenc:EncryptedKey]
      [xenc:EncryptedData Id="Enc-0914..." Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"]
      [xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /]
      [xenc:CipherData]  [xenc:CipherValue]RLASn...[/xenc:CipherValue]
      [/xenc:CipherData]
      [/xenc:EncryptedData]

    [Signature xmlns="http://www.w3.org/2000/09/xmldsig#"]
      [SignedInfo]
      ...
      [SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" /]
      [Reference URI="#SecurityToken-d217..."]
      [Transforms]
      [Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /]
      [/Transforms]
      [DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /]
      [DigestValue]A0K7OVwZN3vP4rIXfbTZYy+f+ck=[/DigestValue]
      [/Reference]
      [Reference URI="#Timestamp-6f12..."]
      ...
      [/Reference]
      [/SignedInfo]
      [SignatureValue]d8KmXpfspmKiEOZ1eBVY7mk05Wo=[/SignatureValue]
      [KeyInfo]
      [wsse:SecurityTokenReference]
      [wsse:Reference URI="#SecurityToken-32e4..."
    ValueType="...oasis-wss-soap-message-security-1.1#EncryptedKey" /]
      [/wsse:SecurityTokenReference]
      [/KeyInfo]
    [/Signature]


    Note the fonts in RED. There is a new URI, http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey, used as the ValueType: it identifies a token of type [xenc:EncryptedKey]

    ... and more importantly ...

    the [SignatureValue] content is slightly shorter now because it is now computed with a symmetric key (HMAC-SHA1). I know I may be nit-picking here BUT hey, even a single byte in reduction means a lot in throughput performance in terms of wire transfer of documents.

    There are other improvements WS-Security 1.1 brings over its predecessor 1.0, which I will blog more about as I go along.

    [1] Just a note to defuse any confusion if it crops up: Asymmetric (Public-Private) key technologies are still very much used in WS-Security and other document-related security specifications today. I don't think they will be dropped anytime soon unless Quantum Cryptography takes off mainstream in a big way or the subtle effects of this reverberate adversely through the security space. Having said that, Symmetric (Master/Session) key technologies have a huge place in the security specifications world too, just by the fact that they are 1000x faster than the much-secure asymmetric ones. Therefore, both technologies co-exist and work very well together in the document security space. To put it simply, a symmetric key (KeyA) is randomly generated (the key length can be specified by the application - the longer, the better) and then used to encrypt/decrypt messages (MsgA). Once that is done, KeyA is encrypted with an asymmetric public key (KeyB) and transmitted with the message. Only the holder of the private key that pairs with KeyB will be able to decrypt KeyA, which can then decrypt/encrypt MsgA.
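
    As an added illustration (not code from the original post or from WSE), this sketch carries out the two checks a receiver makes on an HMAC-SHA1 signature keyed by the session key from the [xenc:EncryptedKey], and shows where the size difference in [SignatureValue] comes from. The session key and message part are constructed, canonicalization is assumed to have been applied already, and SHA-1 appears only because the capture above uses it.

```python
import base64
import hashlib
import hmac
import re

HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def b64_len(n_bytes: int) -> int:
    """Length of the base64 text needed to carry n_bytes of signature."""
    return 4 * ((n_bytes + 2) // 3)

def sign_part(session_key: bytes, part_id: str, part: bytes):
    """Sender side: return (signed_info, signature_value) for one signed part.

    Assumption: `part` and the SignedInfo built here are already canonical;
    a real stack applies exclusive C14N before hashing.
    """
    digest = b64(hashlib.sha1(part).digest())
    signed_info = (
        f'<SignedInfo><SignatureMethod Algorithm="{HMAC_SHA1}"/>'
        f'<Reference URI="#{part_id}"><DigestValue>{digest}</DigestValue>'
        "</Reference></SignedInfo>"
    ).encode("ascii")
    mac = hmac.new(session_key, signed_info, hashlib.sha1).digest()
    return signed_info, b64(mac)

def verify_part(session_key: bytes, signed_info: bytes,
                signature_value: str, part: bytes) -> str:
    """Receiver side, after unwrapping session_key from the EncryptedKey."""
    # 1. Signature validation: the HMAC must match the SignedInfo bytes.
    expected = b64(hmac.new(session_key, signed_info, hashlib.sha1).digest())
    if not hmac.compare_digest(expected, signature_value):
        return "signature mismatch"
    # 2. Reference validation: the digest protected by that HMAC must match
    #    the part that actually arrived.
    found = re.search(rb"<DigestValue>([^<]+)</DigestValue>", signed_info)
    actual = b64(hashlib.sha1(part).digest()).encode("ascii")
    if found is None or not hmac.compare_digest(found.group(1), actual):
        return "digest mismatch"
    return "ok"
```

    An HMAC-SHA1 value is always 20 bytes (28 base64 characters), whereas an RSA signature is as long as the key modulus, for example 128 bytes (172 base64 characters) for a 1024-bit key. Because both parties hold the session key, either of them can produce this signature.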

    Monday, January 09, 2006 9:41:51 PM (Malay Peninsula Standard Time, UTC+08:00)

  •  Saturday, January 07, 2006

    It seems that Microsoft is copying the Google G-mail thingy with the invitation lists to its beta software.

    I have got a couple of invites to give away for the MSN Messenger (Version 8) or better known as Windows Live Messenger. Drop me an email or leave your email here if you are interested in this beta program.

    [Update:] Sorry, many people have written in to me and all invites have all been given out.

    Saturday, January 07, 2006 12:31:36 PM (Malay Peninsula Standard Time, UTC+08:00)