Archive for Uncategorized

Contractors anyone?

May 30

I am looking to bring on some contractors to fill some roles at the provincial government. If you are looking for a contract soon please shoot me a copy of your resume. This RFP closes soon so submissions must be made ASAP.

The different categories in which positions are available:

  • Senior Management Advisory/Strategy Development and Planning    
  • Project Manager    
  • Project Management Advisor    
  • Change Manager    
  • UAT Test Coordinator    
  • Test Manager    
  • Project Quality Assurance    
  • Business Process Re-engineering Analyst    
  • Business Systems Analyst (Senior)    
  • Business Systems Analyst (Junior)    
  • Solutions Architect    
  • Data Architect    
  • Application Architect  
  • Technical Architect    
  • Information Architect    
  • Security Architect    
  • Programmer/Developer    
  • Records Consultant    
  • Web Writer    
  • Web Designer    
  • Web Developer
  • RedDot Content Management Consultant    
  • SharePoint Portal Consultant    

This has come to me from a third party so it’s about all the information I have. Contracts will range from 6 to 24 months. Please submit to me a resume and desired rates. Thanks!

Mail Me

Filed Under: Uncategorized

Goals

May 23

One of the interesting talks that came up at DevTeach one night was about goals. It is really important for us as programmers and people to set goals for ourselves. JP came up and asked “So what’s your goal with your company?” and I realized I did not have a straight up answer to that question. There are so many balls in the air that I just don’t know which route to go which usually means that they will all fall to the ground if I don’t start picking goals.

Personally I have no problem with goals and keeping on top of them. I actually heard of this technique from Tim Allen (yes, the comedian). What I do is have a document on my desktop with four categories:

  • What am I going to do today
  • What am I going to do this month
  • What am I going to do this year
  • What am I going to do with my life

I open this document and read everything every day. The last one is really hard to figure out. It gives a very finalizing feeling to say what you want to do with your life. I have found it very beneficial to read these things every day and remind yourself of where you are going long term instead of getting caught up in day to day life.

I am curious to see what others do to keep on top of things and set goals.


DevTeach – Day 3 – Session 5 – Beth Massi

May 18

Oh Beth Massi, the girl I apparently have a huge crush on is presenting on the future of VB. She is talking about VB9 and some of the new features that are coming out.

So a lot of this is going to be on LINQ. We did the standard LINQ then LINQ to SQL which I could not see as I was sitting way in the back.

The standard LINQ stuff:
Dim query = From c In Me.Controls _
   Where TypeOf c Is System.Windows.Forms.Button _
   Select CType(c, Button)

For Each b In query
   b.Text = "Sweet"
Next

We also talked about anonymous types. Anon types are actually created by the compiler by inspecting the properties referred to on the type after the fact and it creates a type on the fly. It is NOT the return of the variant type from vb6.

A good use of anon types (besides the LINQ stuff) is with arrays:
For Each v In {1, 2, 3, 4}
   Console.WriteLine(v)
Next

XML literals:
Dim emp = _
<employee>
   <name></name>
</employee>

And that is a full XML document you can access.

She demo’d extension methods which is a nice way to add a method to an existing class (I could not read it from the back so I do not have an example of it). In Beth’s example she extended strings to have a print method that would do a console.writeline of the string.

Unfortunately at this point I had to leave to go get Beth flowers (seriously)… we decided someone needed to be pranked this year so I am presenting her a bouquet in her question period. Pictures coming once people send me copies of the ones they took.


DevTeach – Day 3 – Session 3 – Don Kiely

May 17

The topic here is security through partial trust. Don asked if anyone had done a partial trust application; one hand was raised… it was not mine. I do agree that this is overlooked by most devs because there are not a lot of people doing it out there and not a lot of blogging about this topic.

Don has a sample application set up where you can enter a file name and it will open it and output it to the screen. Windows allows us to access any file that the application identity has access to (in this case the asp.net identity). Don showed us the app opening his boot.ini file (H4XZ0R!). He also showed us a sample where a web page accessed the web server’s file system to list and even download any file on the server.

How would you stop people from uploading a site that accesses other folders? Open up the central web.config and change the default trust level. This can be overridden and there is a way to prevent that setting from being overridden. Each one of the trust levels in the web.config file has a config file associated with it. The goal is to have applications use the medium trust level.

-Unrestricted fileIO permission has full rights to every file on that machine. Restricted fileIO permission can allow certain types of access (read, write, append, pathdiscovery) to certain files/directories.
-To change your trust level simply add <trust level="Medium" /> in your config file. Once this was done our file reading example blew up as we do not have fileIO permissions.

Security policies are customizable in two ways: custom trust level or sandbox risky code. Custom trust can be created by creating a custom config file (he copied the medium security config file as a good baseline). We then changed the fileIO permission set to allow read access to the “c:\windows\system32” directory that we were accessing earlier. From the web.config file we reference that file like so:
<securityPolicy>
<trustLevel name="CustomTrust" policyFile="web_customtrust.config" />
</securityPolicy>
<trust level="CustomTrust" originUrl="" />

Now that we have done that we can access files in that directory. But if we try to open ../../boot.ini we get a security exception.

An interesting point was that using an OleDbConnection requires access to call unmanaged code, which is quite dangerous. There is no way to set up restricted unmanaged code access. For this we are going to use the second option of sandboxing the code. We created our own permission set that allows oleDbPermission and unmanagedPermission. We then created a code group in the file called AccessDBSet with a membership condition of a strong name (sorry I know this is a little hard to get without seeing the presentation but I have been thinking of doing a series/talk on code access security so maybe that will help). We then sign our data access assembly with the strong name (which makes it a member of the codeGroup we defined in the config file). We also add [assembly: AllowPartiallyTrustedCallers] to the data layer assembly (careful as this will allow any partially trusted app to call it).
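The configuration steps described above, gathered in one place as an added example that is not from the talk or the original post. Element and attribute names follow the layout of the .NET 2.0 web_mediumtrust.config file; the permission set name DataAccessSandbox and the public key blob are placeholders.

```xml
<!-- Constructed fragments, not a complete file. -->

<!-- 1. Machine-level web.config in the framework's CONFIG folder.
     allowOverride="false" stops an uploaded site's own web.config
     from raising its trust level again. -->
<location allowOverride="false">
  <system.web>
    <securityPolicy>
      <trustLevel name="CustomTrust" policyFile="web_customtrust.config" />
    </securityPolicy>
    <trust level="CustomTrust" originUrl="" />
  </system.web>
</location>

<!-- 2. web_customtrust.config, started as a copy of web_mediumtrust.config.
     Only the elements that differ from the copy are shown.
     Under SecurityClasses, register the permission class used in step 4. -->
<SecurityClass Name="OleDbPermission"
    Description="System.Data.OleDb.OleDbPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />

<!-- 3. In the "ASP.Net" named permission set: keep the medium trust access
     to the application directory and add read-only access to the one extra
     directory. Write, Append and PathDiscovery stay limited to $AppDir$,
     and paths are canonicalised before the check, so ../../boot.ini
     still fails. -->
<IPermission class="FileIOPermission" version="1"
    Read="$AppDir$;C:\windows\system32"
    Write="$AppDir$"
    Append="$AppDir$"
    PathDiscovery="$AppDir$" />

<!-- 4. Under NamedPermissionSets: the permissions for the sandboxed data
     layer only (set name is hypothetical). The post notes that OleDb in
     practice needs full trust; the code group in step 5 would then name
     the built-in FullTrust set instead. -->
<PermissionSet class="NamedPermissionSet" version="1" Name="DataAccessSandbox">
  <IPermission class="OleDbPermission" version="1" Unrestricted="true" />
  <IPermission class="SecurityPermission" version="1"
      Flags="Assertion, Execution, UnmanagedCode" />
</PermissionSet>

<!-- 5. Code group for the strong-named data access assembly. Place it inside
     the root FirstMatchCodeGroup BEFORE the $AppDirUrl$ group, otherwise
     the assembly matches the ordinary application group first. -->
<CodeGroup class="UnionCodeGroup" version="1"
    Name="AccessDBSet" PermissionSetName="DataAccessSandbox">
  <IMembershipCondition class="StrongNameMembershipCondition" version="1"
      PublicKeyBlob="PLACEHOLDER_PUBLIC_KEY_BLOB_HEX" />
</CodeGroup>
```

Only the assembly signed with that key receives the extra permissions; the pages calling it stay at the custom trust level.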

-Don mentioned that anything installed in the GAC gets full trust which is a surprising fact I did not know.

Now normally when you have a partially trusted assembly it will check all callers up the stack to see if they have OleDbPermissions. What the following code does is explicitly state that we do not want to check the callers at all.
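OleDbPermission perm = new OleDbPermission(PermissionState.Unrestricted);
perm.Assert();   // stop the stack walk here: callers are not checked for OleDbPermission
// …code here
CodeAccessPermission.RevertAll();   // static method: removes the stack-walk overrides set in this frame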

-Oh a new fact: OleDb actually requires full trust (it’s in small print on MSDN somewhere) but the sandboxing technique still applies.

Overall a really good talk. I found it hard to follow as we were jumping through a lot of config files, but I found some really good info.

Don asked a few questions and gave away some swag. I missed two of them but here are the rest:
What is the greatest vuln on the network? the user
What is the best protection against code injection? best answer: not accepting user input
In xp what is the best way to protect the user? not running as admin. W00t I won!


DevTeach – Day 3 – Session 2 – Cathi Gero

May 17

Cathi’s topic is maintaining applications with ClickOnce. ClickOnce allows deployment of applications without having to uninstall and reinstall apps on the system. Also deployments do not require administrative rights.

Cathi mentions that there are two variants: launched and installed. Launched apps are opened via a URL and will not appear in add/remove programs. Installed will be deployed to the system and show in add/remove programs. A launched application will not be available to offline clients.

In Visual Studio 2005, selecting publish my app from the build menu will launch the deployment wizard. The wizard will then compile the app and deploy to the server selected in the wizard. The wizard will create the vdir on IIS and even a launch page if so desired (the launch page will just have some assembly info and a run button). When you click run a security warning is given (more on this later) and then boom, the app is loaded. The wizard thankfully remembers your settings so when you need to redeploy you do not have to keep entering your settings. By going to Project properties and selecting the Publish tab you can see more info about the deployment and get more control/options than the wizard gives you.

A really cool feature was that you can group parts of your application into groups and download those separately or as required. If you had an accounting program you can group accounts receivable functionality into one group and accounts receivable into another. This minimizes the time to download as well as bandwidth unnecessarily consumed.

The update options are huge. You can check before or after the application starts (or not at all). You can set the frequency of updates (i.e. every 7 days). You can also specify a minimum version for the application to run so you are not forcing an update on people for minor changes to the app. If you changed the underlying data schema or something to that effect you would force the min version to be the current one and force that update on the users.

The publish version # is different from the assembly version. This allows you to keep the same assembly version number but have a different publish version, so every time you publish it will be a different version and allow clients to detect a new deployment.

Add remove programs will allow you to restore the application to a previous state (i.e. the last version) or remove the application. ClickOnce always maintains the current version on the computer and the last version installed. A more common way to rollback from a centralized point is with an app called MAGE (I assume it ships with 2005 but have not confirmed). By using Mage on the webserver where the app is deployed from (the webserver maintains every version on the server) you can open the manifest file and change all the settings you could from the visual studio deployment screen. From here we can also change the version that is current and allow us to rollback our deployment from a central location. The next time a client opens the app (depending on the update options) the application will update and rollback to the version selected via the Mage tool.

ClickOnce defaults to full trust which brings up the earlier mentioned prompt when using the launch model (i.e. via a url). There is a permission calculator within visual studio somewhere that will allow you to calculate the security level necessary. You can also debug in different security settings so that you can test how the app behaves in different permission levels. To drop the permissions down go to the project properties and select security; from there you can change the settings (as well as the perm calculator and debug in zone setting).

For full trust you can sign the app with a cert from someone like VeriSign. Then, once each computer is configured to trust any assemblies signed with that cert, the user will not be prompted when they run any app signed with that certificate.

I asked Cathi a few questions after:
Q: Back in the old no-touch deployment days changes to the app were done by the file modified date. Is this still present with clickOnce?
A: It is but it is not recommended. There are lots of issues when you start crossing time zones, daylight savings differences, and even having a computer’s clock set wrong. It is a really good idea to just use the built-in published version number option.

Q: Can you still strong name an assembly and then configure each client computer to fully trust anything signed that way?
A: Yes but again it’s not the Microsoft best practice. I will be showing how to do that in the advanced session.

This was a great intro to ClickOnce and was way better than trying to read up on it. And let’s face it, my illiteracy limits my reading.


DevTeach – Day 3 – Session 1 – Nickolas Landry

May 17

Nick is talking about Virtual Earth and MapPoint in location-aware applications. The talk is quite advanced, showing us an overview of both products (MapPoint has a nice SOAP interface… Virtual Earth requires screen scraping). Nick gave us the disclaimer that there is lots of code in this demo.

MS does not actually allow you to cache a lot of data, and caching may invalidate your service level. Nick recommended checking with your MapPoint rep about this.

Nick shows how to find the closest hooters within 10 miles of our current location (Did I mention this app was free to download). He shows then how to get driving directions from the current location to the nearest hooters (free to download people… free!).

A developer account for MapPoint is free but has a cap on how many hits you can make to the service to prevent abuse. Nick has never hit this limit so it is probably really high and would require multiple users on the same account to hit the cap. For a production app you will need a MapPoint license.

Can you emulate GPS? yes you can in the v2.0 emulator (v1.1 ships with vs 2005) that ships with v6.0 of the mobile SDK.
Disconnected data? is really hard to do and limited. Nick recommended to use the bluetooth link on my phone to add in a modem or the wifi ability to pick up wireless access points.


DevTeach – Day 2

May 17

Due to copious amounts of drinking I slept in and missed the first two sessions so instead of live blogging I will just do up a summary of the day.

Session 3 – JP Boodhoo
JP starts out by apologizing to the person who felt he was arrogant yesterday (someone put that for his feedback yesterday). I found it kind of funny that JP was so arrogant that he just assumed the person was in the room (kidding JP… I know you were sincere)

JP is taking a crappy website and doing some refactoring to patterns. Our first refactoring is going to be moving to the passive view… no heads explode. We just jump through MVP quite fast and I think a few people got really lost but JP is making the whole presentation available via a screencast so hopefully people will be able to watch the talk at their own pace. JP did the passive view which I have not done yet so it was good to see how that was built and how to test it.

Unfortunately my laptop battery died so it ended my note taking. It was really nice to go to a JP talk and not feel totally overwhelmed so either I go to too many JP talks or my coding skills are getting better.

Session 5 – Oren Eini
Oren is doing a talk today on monorail. Monorail is an MVC (Model View Controller) implementation on top of the .NET framework. It really keeps a good separation of tasks by breaking views and controls to separate code just by the structure of the code. It also breaks every task on a page (i.e. show,edit, delete, etc.) into separate files which keeps the code clean (but the solution gets a little messy but a good folder structure can alleviate that).

Oren is a really fast and knowledgeable presenter. At one point someone asked if Oren liked Brail over nVelocity. Oren’s response was “I wrote Brail” so that was good for a laugh.

Here are my notes on creating a hello world app in monorail:
-Create a control that inherits from SmartDispatchController
-Implement our index() method
-Creates an index.brail in the /views/Home folder
-puts in Hello world into the index.brail file and runs it… one jackass claps (but it was funny)
-sets up PropertyBag["name"] = "oren"; in the controller
-on index.brail he put “hello ${name}” and it shows his name

I definitely need to spend some time and learn monorail. Looks pretty powerful to me

Session 6 – Rob Daigneau
Rob’s giving a talk today on anti-patterns. I was expecting the talk on software anti-patterns but it was actually people/behavioral anti-patterns. It was a pretty good talk discussing a lot of the people/organizational issues we run into and dealing with those problems appropriately. We went too fast to take good notes but the slide deck is available so that might be good to review.

My favorite quote was about the perfectionist developer. His apps are “Apocalypse-Ready”: even if the end of the world happens the software will still function.

A good book recommendation also came out of this talk: Gerald Weinberg, The Secrets of Consulting


DevTeach – Session 5 (I skipped 4) – Joel Semeniuk

May 16

Joel is doing a talk on Feature Driven Development. I had never heard the term so thought it might be good to check out.

-First appeared in 1999 (Java Modeling in Color with UML)
-A process to deliver frequent, tangible, working results repeatedly
-Book has 30 pages of process and the rest are examples (book is: “A practical guide to feature driven development”)
-Characteristics:
    -Highly iterative (1-2 weeks long usually)
    -Emphasizes quality at each step
    -Delivers frequent, tangible, working results
    -Minimum overhead and disruption
-Developers get constant feedback and a fast velocity
-Clients like it because they get results early and often as well as highly visible status reporting
-Managers like FDD because it gives an accurate picture of progress and status
-FDD is a balance between the heavy (large volumes of text) and light (none?) process
-Joel made a fun parallel stating that Agile = Hippies. Screw the man and walls and process lets just hang out and code man
-Heart and soul of FDD is communication, complexity, process pain and relief, and quality
-A feature is from the lens of a customer. It is a requirement that will bring value to a user or client. (I missed the naming convention for this but I am sure Google will help)
-Features are small (able to be implemented within an iteration)
-If a feature is larger then decompose it.
-If a feature is too large then it serves as a litmus test that your grand scheme is too big.
-Everything you write should be consumed (i.e. code is consumed by the compiler). Process is usually consumed by no one and is therefore useless.
-Group similar features into a feature set. Naming convention would be actioning deliverable (i.e. approving a bank loan)
-feature sets are grouped into sections (i.e. bank loans would have approving a bank loan and canceling a bank loan feature sets within it)

Practices
-Domain Object Modeling
-Develop by Feature
-Individual class/code ownership
-Feature Teams (one team implements one feature set)
-Inspections (forced inspection and review of code, domain, and architecture)
-Regular Builds
-Configuration Management (missed this point apparently)
-Reporting/Visibility of Results
-Feature->Work decomposition model (Now that I have work how do I break that down to tasks to do the work)

Process
1. Develop an overall model
2. Build Feature List
3. Planning
4. Design by feature
5. Build by Feature (return to step 4 for next feature)

Joel has gone onto breaking this down in more detail but I have missed a bit due to phone calls unfortunately. This does seem like a really valid methodology that adds some simple process to help keep you on track.

-The talk has now broken into FDD in team system so I am going to zone out for a bit as I don’t see having team system for a long time. I will have to look into FDD more though as it seems to be fairly balanced in its ideas.


DevTeach – Session 3 – Rod Paddock

May 16

Looking for a bit of inspiration for a security talk I am working on I am at “Compression, Encryption and Hashing in your app”.

Encryption
-So far general general general. I am bored…. it’s 30 seconds in (am I quick to judge)?
-Example is using precanned code which kind of sucks but he says he has lots of examples
-Apparently IV (initialization vectors) are the same as the term “salt”
-Rod said that encrypting a big string will result in a string of equal size once encrypted. I don’t know how much I agree with that statement (as there are so many different algorithms) but I don’t have any real world rebuttal to his fact.
-he just showed that it was 3 bytes bigger when using the triple des provider (I would like to try other algorithms)
-Ok so a basic presentation on encryption, yet the purpose of a salt/vector was skipped
-I think I am jaded against this guy… sorry for my bias
-A good question was asked “what is the best way to store your keys?”.
Rod: use public key infrastructure so you don’t have to worry about it.
Dave: well if you need to decrypt it then you need to store the key
Rod: obfuscate your code
Dave: c’mon it’s a string! How long would it take someone to run all the strings against encrypted data?
-I did not actually say this as I have the feeling it would turn into a long debate. Rod did say he was not an expert in that area but I know it is a hot topic in the security realm

Hashing
-Hashing can be used to determine if data has been tampered with
-I am bored so am going to add notes to his presentation if I was talking
-Dave: create a hash of data… send it to a client… when they send it back if the hash does not match then the data has been tampered with (although two separate pieces of data can create the same hash it is very unlikely). This is the technique that is used when you run secured viewstate.
-Dave: hashes are useful for one way encryption. By using this you would hash someone’s password i.e. “qwerty” -> “34dgacws4”. When a user logs in you would take their password, encrypt it and compare it to the stored hash, so the user would log in with “qwerty” which would become “34dgacws4”, then check if “34dgacws4” = “34dgacws4” and then the login would succeed. This is a good way to store information such as passwords, as if someone steals your database you get back “34dgacws4” which is useless as it can not be decrypted (it can be brute forced or attacked with rainbow tables but that’s another rant)
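
The two uses of hashing noted above, as an added C# example that is not code from the talk or the original post: a keyed hash (HMAC) for the round-trip tamper check, since an unkeyed hash could be recomputed by whoever changes the data, and a salted, iterated hash for password storage, which is what blunts the rainbow table and brute force attacks mentioned. The class and method names, the iteration count and the sample strings are assumptions; it needs .NET Framework 4.7.2 or .NET Core 2.0 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class HashNotes
{
    const int Iterations = 100000; // assumed work factor, tune for your hardware

    // Compare every byte so timing does not reveal where a mismatch occurs.
    static bool SameBytes(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Tamper check: prefix the data with a keyed hash before it goes to the client.
    // Base64 never contains '.', so the first '.' separates tag from data.
    public static string Protect(string data, byte[] serverKey)
    {
        using (var mac = new HMACSHA256(serverKey))
            return Convert.ToBase64String(mac.ComputeHash(Encoding.UTF8.GetBytes(data))) + "." + data;
    }

    // Returns the data only if the tag still matches it, otherwise null.
    public static string Unprotect(string blob, byte[] serverKey)
    {
        int dot = blob.IndexOf('.');
        if (dot < 0) return null;
        byte[] sentTag;
        try { sentTag = Convert.FromBase64String(blob.Substring(0, dot)); }
        catch (FormatException) { return null; }
        string data = blob.Substring(dot + 1);
        using (var mac = new HMACSHA256(serverKey))
            return SameBytes(sentTag, mac.ComputeHash(Encoding.UTF8.GetBytes(data))) ? data : null;
    }

    // Password storage: a random per-user salt defeats precomputed tables,
    // the iteration count slows down brute force. Stored form is "salt:hash".
    public static string HashPassword(string password)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(kdf.GetBytes(32));
    }

    // Re-derive with the stored salt and compare; nothing is ever decrypted.
    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return SameBytes(Convert.FromBase64String(parts[1]), kdf.GetBytes(32));
    }

    public static void Main()
    {
        byte[] key = new byte[32]; // server-side secret, never sent to the client
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);

        string blob = Protect("role=user;cart=42", key); // constructed sample data
        string forged = blob.Replace("role=user", "role=admin");
        Console.WriteLine("untouched blob accepted: " + (Unprotect(blob, key) != null));
        Console.WriteLine("altered blob accepted:   " + (Unprotect(forged, key) != null));

        string first = HashPassword("qwerty"), second = HashPassword("qwerty");
        Console.WriteLine("same password, same stored value: " + (first == second));
        Console.WriteLine("correct password verifies: " + VerifyPassword("qwerty", first));
        Console.WriteLine("wrong password verifies:   " + VerifyPassword("qwerty1", first));
    }
}
```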

Compression
-oh a slide on what compression is. If you don’t know what compression is go back to elementry (omg I can’t spell elementary back to school for me).
-SharpZipLib is an open source compression library
-Supports ZIP, GZIP, TAR and BZIP (although TAR is not a compression format it is a concatenation format… but that’s a technicality)
-ohhh how to use a library! YAY!
-ohhh lets change the encryption level and look at the output of filesize. soooo riveting!
-Rod used compression to compress a large dataset send it to the client and decompress it. On a LAN I think the time to take to compress the data would be a negative hit but along a slow speed or even a WAN link it might be beneficial but important to test (and make sure you have the CPU/Memory to handle the volume of compression/decompression for the application).
-I asked about this and he said that when they turned it on they noticed no difference in performance but I would still recommend benchmarking your app with and without under load to check it out

-A good thing was that Rod had lots of real examples of using this stuff which was nice to see.


DevTeach – Session 2 – Jeremy D. Miller

May 15

This talk had the great contradictory title of “Laws of Agile Development”. The talk had several great points:

-Seating was short in the room. JP asks to share a seat with me. I told him no kissing though (Sorry to disappoint you Justice).
-Do one thing at a time
-Minimize wasted motion
-Maximize Feedback. (the faster you get feedback if something works the better i.e. TDD is great for that)
-Enable Changes (make it easy to change)
-Do the simplest thing that could possibly work
-“It is easy to add complexity and hard to remove it”
-Simple is different for everyone and will vary between technical levels
-Don’t build what you don’t need. It’s a waste of time usually and things always change in projects so it turns out to be a wasted effort most of the time
-Design vertically as in slices of functionality not horizontally (i.e. trying to build the whole data access layer then business etc.)
-Integrating early with other systems/components minimizes the amount of rework that needs to be done later
-The Last Possible Moment: put off a decision until the last possible moment, when you have to make it. This allows you to gather the most information. i.e. don’t act on speculative info, keep your options open!
-“I want to be able to understand a piece of code by looking at its name”
-JP leaves… I hope he is getting some popcorn
-Bellware shouts out “Microsoft Sucks!” when Jeremy could not change the font size in visual studio for some reason.
-JP comes back… he does not bring popcorn.
-Single Responsibility is key (If you don’t do this… you should…. no rebuttals to this are allowed)
-We debated that a system having too many classes becomes hard to work with (my feeling is that namespacing allows you to divvy any complexity into more logical grouping if necessary)
-Open Closed Principle – “Software should be open for extension, but closed for modification”
-OCP: Be able to add new functionality to an existing codebase without having to modify (or do minimal modifications) to existing code
-Avoid leaky interfaces (i.e. should not have to check the type of a variable and function different based on type)
-Eliminate duplication (everyone should be… not many are)
-Jeremy feels that TDD is the most important design tool (I agree… but flame his blog if you don’t… not mine)

Jeremy’s Laws
-Zeroth Law: If code is hard to test, change it
-First Law: Isolate the ugly stuff (be able to test ugly stuff in isolation like databases, ad, web services, messaging, etc.)
 a good example of this is using MVP to make testing the UI easy
-The slide changed… I am lost.. he had them on his blog he said

-Value proposition of TDD: save more time in debugging than you spend in unit testing

-Low blood sugar: I tune out (sorry)

-Socialize the design (it’s a community designed app)
-Collectively challenge the design of the code
