# Monday, 20 November 2006

I'm 29 now... my birthday last week passed pretty much like any other day. Had a ton of meetings, rain nearly flooded my car, and then to top it off I had to head out to the data center for some early morning work. Yes, I should probably just take the day off next time.

Well, I'm hitting the big 30 soon. Time to take account of my life, time to reflect on what I've done and whether I'm happy with myself with it.


# Sunday, 19 November 2006

I just got a call from my colleague who mentioned that our client's website was down. I RDPed into the machine and, based on the event logs, figured out that there was something wrong with the connection between the webserver and the SQL Server Express that was installed.

I looked at the services list for the machine and noticed the SQL Server service was started. Then I noticed something weird: the instance name of the SQL Server was SQLExpress, whereas we had already set it up as the default instance previously.

Further checks revealed other worrying signs: our SQL user was missing, and a DB which was less known to the client was also missing from the server.

This is going to be a problem.. only 3 parties have access to the server: us, the client and the web host service provider. Obviously having the actual database file deleted and also the SQL user itself must mean that someone had pretty much full access to the server.

Question now is.. who screwed up?

# Tuesday, 14 November 2006

Been having sort of an argument with a client recently.

The project in question is to make a desktop widget thingamabob that will pull down information about the client's promotions and offerings so that the users can be kept up to date on the client's offerings.

The client also has BIG BIG plans for future expansions of the product, so it's not just a plain and simple RSS viewer.

So half a year ago, when this item was first inserted into the project proposal, I already stepped in and informed the client that based on what they want, and planned to do in the future, the best way that we could go with was to use .Net to make the program. And they all agreed to using the .Net framework then.

6 months later and after some staff turnover, they're telling me a different story. And now they're asking us to use alternate methods, the main alternate method is of course to use Win32 to make it.

But ask any ISV who gets paid on a project basis if they'd commit to a 2 month deadline for a Win32 UI application and they'd probably tell you it's a crazy thing to suggest.

The results will be known today on how things go...

# Monday, 06 November 2006

Overheard from the head of a certain higher education institution to the lecturers who are teaching there.

"Now your annual review will be based on the passing rate of your students, cause if you're doing your job properly your students won't fail!"

Oh great.. just what we needed, more lecturers who are afraid to flunk students who are not up to par!

Today I was going to log in to the Citibank website to check out my credit card activity and I was told to create a username instead of using the credit card number to log in. Cool, I thought, at least I don't need to remember the credit card number when going in anymore. So I followed the steps to create a username and password.

So I punched in a username, then I entered the password using their virtual keyboard (to stop the spoofing attacks) and I pressed continue.. then I was greeted with the message "the USERNAME you have chosen is not strong, please follow the security guidelines".

So I took a closer look at the fields to see what they mean by a strong USERNAME... then I noticed it's the SAME guideline as for the password.. which is..

• 6 characters or more, with at least 1 alphabet and 1 number
• May contain the following special characters @, . and _
• Cannot contain 3 identical characters in a row (e.g. alpha111 or aaa125)
• Cannot contain 3 consecutive alphabets or numbers in a row (e.g. abc269 or alpha123)

Which just made me go... WHAT THE HELL? Instead of a simple username like weiminchanz followed by a complex password of l3t1tb3th3w4y, I have to make a complex USERNAME as well?!?!? w31min8i8v7? Don't they know if you make the user have to remember more complex stuff then they're gonna have more of a reason to stick it under their keyboard?

It seems that in their blur of thinking that complex=secure, the people behind the design of the security system forgot WHY passwords get leaked in the first place. Which is mainly... people have bad memory!
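To make the four guidelines above concrete, here is a small validator I added to this post (it is not Citibank's code, and not something from the original entry) that implements them as written and runs the post's own usernames and password through it. It assumes "consecutive" means ascending runs like the examples abc and 123 (descending runs are not flagged), that the identical-character check is case-insensitive, and that only ASCII letters, digits and the three listed specials are allowed; everything else in the bank's rules is unknown and not modelled.

```python
"""Validator for the four credential rules quoted in the post (added example)."""

ALLOWED_SPECIALS = set("@._")  # rule 2: the only special characters allowed


def _is_ascending_run(a: str, b: str, c: str) -> bool:
    """True if a,b,c are three sequential letters (abc) or digits (123).

    Assumption: only ascending runs count, matching the examples given.
    """
    if a.isalpha() and b.isalpha() and c.isalpha():
        a, b, c = a.lower(), b.lower(), c.lower()
        return ord(b) == ord(a) + 1 and ord(c) == ord(b) + 1
    if a.isdigit() and b.isdigit() and c.isdigit():
        return int(b) == int(a) + 1 and int(c) == int(b) + 1
    return False


def check_credential(value: str) -> list:
    """Return the list of rules the value breaks; an empty list means accepted."""
    problems = []

    # Rule 1: at least 6 characters, at least one letter and one digit
    if len(value) < 6:
        problems.append("shorter than 6 characters")
    if not any(ch.isascii() and ch.isalpha() for ch in value):
        problems.append("no letter")
    if not any(ch.isascii() and ch.isdigit() for ch in value):
        problems.append("no digit")

    # Rule 2: only letters, digits and @ . _ (assumption: ASCII only)
    bad = {ch for ch in value
           if not (ch.isascii() and ch.isalnum()) and ch not in ALLOWED_SPECIALS}
    if bad:
        problems.append("disallowed characters: " + "".join(sorted(bad)))

    # Rule 3: no 3 identical characters in a row (e.g. alpha111, aaa125)
    for i in range(len(value) - 2):
        a, b, c = value[i], value[i + 1], value[i + 2]
        if a.lower() == b.lower() == c.lower():
            problems.append("3 identical characters in a row: " + a + b + c)
            break

    # Rule 4: no 3 consecutive letters or digits in a row (e.g. abc269, alpha123)
    for i in range(len(value) - 2):
        a, b, c = value[i], value[i + 1], value[i + 2]
        if _is_ascending_run(a, b, c):
            problems.append("3 consecutive characters in a row: " + a + b + c)
            break

    return problems


if __name__ == "__main__":
    # Values taken from the post plus the guideline's own examples
    for candidate in ["weiminchanz", "l3t1tb3th3w4y", "w31min8i8v7",
                      "alpha111", "aaa125", "abc269", "alpha123"]:
        verdict = check_credential(candidate)
        print(f"{candidate:15} -> {'accepted' if not verdict else '; '.join(verdict)}")
```

Running it shows exactly the situation described: the readable username weiminchanz is rejected for lacking a digit, while the made-up w31min8i8v7 sails through, as does the password. The check is the same function for both fields, which is the whole complaint.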

