Haven't blogged much lately - that is, for more than a year I have written absolutely nothing. That ought to change now that I have taken the quiz at 43Things.com. Because as it turns out I'm apparently on a lifelong journey to learn and improve! 

As for improvement, I should try to blog over Christmas. In particular about how the stars are aligning in the greater constallation of identity, authoirzation, access control, SOA and cloud computing.

Till then ...

I took the 43 Things Personality Quiz and found out I'm a Self-Improving Traveling Lifelong Learner

Just got back from spending two days at the Business of Software 2007 conference organized by Neil Davidson of Red Gate Software. It was good and very inspirational. The lineup had many clever people, all saying equally clever things.

Still, I tend to favor substance over inspirational talks. Or maybe I just favor people talking about things that apply more closely to my situation, which is probably why I didn’t much appreciate Matt Mason’s talk about piracy, pop culture and innovation. I probably am a conservative when it comes to professional work; leave it to the professionals. And only small doses of pop culture for me, please.  (But no, I don’t buy Andrew Keen’s gloomy perspective as laid out in his book, The Cult of the Amateur. And don’t make the mistake I made and go and read it. His point is easily made in a few sentences. And his research is so one sided that it doesn’t classify as research.)

So back to substance; Bill Buxton I liked. He speaks and, it seems, thinks fast. His talk about designing things was very good and based on years of research and experience. I was inspired and it still felt like a proper and nutritional helping of his very relevant work.

I guess I like it when people do their research, which is why my second favorite was Jennifer Aaker. She spoke about the psychology involved in creating a strong relationship between company and customer. Well, she really did say consumer, but even in B2B it is real people buying your stuff. And then she would consistently use words like "transgression" instead of whatever would go down easier with an international audience. That was kind of funny to a guy with an accent, but with a dictionary at hand.

And there was much more. It was a great conference, and hopefully we will see a Business of Software 2008. And thanks to Neil for pulling all this together.

Recently the WS-Federation 1.1 specification was submitted to OASIS with the intent to have it ratified. The spec is long and I have not yet had a chance to actually understand. But our experience at Safewhere with WS-Federation and WS-Trust is obviously a shared one; that is, you basically only need a passive profile whereas the active profile used for web services is already covered by WS-Trust. SOAP based federation may be viewed as simply chaining together Security Token Services as specified by WS-Trust and as such does not need its own seperate spec.

Don Schmidt of Microsoft has started to blog about some of these things and as one of the authors of the specs he should know.

Web 2.0 has been all the rage for quite a while now. And concerns are being raised that this may be yet another bubble. But to me it makes no difference, as I probably wouldn’t know a web 2.0 if it grabbed me by the eyeballs (yes, I too remember the previous round of “stickiness” and “monetized eyeballs”).

I care mostly about hard technical problems with equally elegant technical solutions. Like the stuff we do at Safewhere. We are building an advanced and very cool suite of infrastructure products. We make a lot of hard, complex things simple, and we address problems that have not previously been addressed in a consistent and unified manner. Usability we don’t know enough about – and we will hire clever people to do this. But when it comes to hard computer science problems we employ the brightest comp sci graduates you can get.

Which brings me to the “and why in Denmark” part. If you ever want to put smart people to work on a hard problem, go with the Danes.  Danes may suck at doing marketing on a grand scale, but they excel at solving complex problems in small teams. Every person on the team will feel that he or she is as smart as the next guy, and they will all take responsibility for creating the best solution –as a team. Danes tend to accept only a very low power distance, and they are generally more anarchistic than many other nationalities.  When you build software this may be leveraged to create great results much more efficient, than would be the case in countries with higher power distance.

So why aren’t these fantastic Danes to be seen anywhere? Well, eh, the Danes have this other habit of being on vacation most of the time, getting off work early – and most importantly we have no confidence that we will ever be successful. And if you still manage to succeed on a grander scale, you better be prepared to be put down for it – badly and promptly.

At Safewhere we are betting, that we may leverage the collective intelligence and lack of power distance to become successful fast enough that nobody has the time to lose their nerve.

– And by the way, we do have one successful businessman from Denmark. He has big boats and sometimes uses them to transport guns to Iraq –for free and for love of USA and freedom.

Just finished the second week of exhibiting at Microsoft TechEd in Barcelona.  This week it was IT Forum which translates into an audience interested in how you actually run and manage an infrastructure based on products from Microsoft and its partners.  Not much to be said about the trade show as such – it was much like last week and we are happy.  The quality of the leads this week is probably a bit higher than those we got last week with the software developers.

But here is another perspective intentionally set up to provoke half the audience at IT Forum – only that they’ll never read this, as they are not interested. The half I’m talking about we may refer to as the scavengers of IT Forum.

It started when I flew back to Barcelona on Monday. The guy behind me was doing the best he could to make clear to all, that the personnel of the largest Scandinavian retailer get messed up and go to IT Forum only because their boss tells them to.  Was this a sign of what was to come? In a way yes, only the rest of the scavengers are probably not as bad as this guy from Coop.  Fortunately he was the first and in the end he still managed to take the price.

But indeed it is an indication of the difference between the two TechEd conferences. The audience of TechEd: Devleopers are software developers with an almost religious relationship to their computer, programming language, communication stack etc. These people go to TechEd because they wouldn’t miss it for anything, and they beg the bosses during the year to get a chance to go to the next TechEd. I like them for their genuine interest and oftentimes curious minds.

As for the audience of IT Forum it may be divided into two groups. One half tries to take what the developers came up with, and actually make it useful to users day in and day out.  These people buy, install, operate, and retire IT systems. They are focused on how to provide a smooth and robust infrastructure of value to their organizations. They may scavenge a bit, but not for a living.

The other half is the real scavengers.  And – inexperienced in a world of IT tradeshows as I am – this group turned out to be a crowd, you wouldn’t want to run into in a dark alley if carrying as much as a cheap pen with the logo of the local waste management company. Maybe they drink bloody marys like the guy from Coop or maybe they are just ordinary guys, but they share the common background of having no special interest in software and IT. They go to TechEd to rid Microsoft and the other exhibitors of free T-shirts, iPods, Frisbees, pens, flashlights, cookies, strange things with LED’s inside, etc. (But no chocolate fondue for these guys. Ha!) The bags they got when registering the first day were so loaded at the end of the week, that many gratefully picked up the extra bag offered by APC. 

And so I could go on – offended I am, and I know I’ll just have to get used to it.  But I am a developer at heart and I like people who show a genuine interest in what they do for a living.

 We just finished our first tradeshow, Microsoft TechEd in Barcelona. Next week we will do IT Forum as well.

TechEd: Developers, as it is officially called, was good for us, but not entirely the way I expected.  But first, here is why it was a success to our young company. We met with a lot of potential customers from our immediate vicinity, Denmark and Sweden. And several of those showed sincere interest and a couple even more than that. And to these people it is a comforting factor that Safewhere has actually started down the road to become an international software company. To them it means more customers to push Safewhere along the right path of continued innovation and development.

1. The Safewhere brand is unknown. Period.
2. Developers are not all that concerned about managing authorizations across deployed services and applications. They lean more towards computational and programming challenges.
3. Developers going to TechEd are pretty focused on what Microsoft will do to them and for them. Short of brand recognition, Xbox giveaways and chocolate fondue (no kidding, Compuware really did that - while at the same time employing a Formula 1 racing theme!), getting the attention of a developer takes our preparation of them even before they ever arrive at TechEd.

Now, that’s my analysis anyway. And our response is simple to identify and hard to execute: PR and Partners. PR generates recognition and partners generate interest in the concrete solution.
 
So in conclusion, I really had no idea on how it would go. It went very well – and next week at TechEd: IT Forum will most likely be even better.

Updated: Image removed

Safewhere, located in Denmark, is looking for technical software devlopers. We are developing an advanced SOA security product, working title Safewhere Authorization Services, which requires deep knowledge of, and interest in, frameworks and platforms more than general application developer skills. Advanced use of many Microsoft technologies is part of the job, as is implementation of core WS-* specs.

Let med know (my three initials@safewhere.net) if you need more info, or, if you read Danish, read a bit more here.

Didn't think this blog would be political, but whatever.

Check this piece of news from the Electronic Frontier Foundation.  Appearently many printers will print little invisible yellow dots, so that any document you have printed may be tracked back to your printer at any later time.   The article also references a list of printers that are known do the little Secret Service trick.

Who said types like John Le Carre and Michael Moore were ever paranoid?

Mark Fussel, (program?) manager of the WSE team, tells us that WSE 3.0 (find more here) will ship at the same time as as Visual Studio 2005 in November.  No "time frame" stuff here, just a time.

This should be good news to you too, if you are in any way serious about "industrial strength" Web Services.  As soon as you get it, you must apply the parts of the security stuff relevant to your service or app.  And consider all the other good things too - but security first!

Nothing exiting here, but just found out how to initate a Team Build in Team Foundation Server beta 3.

As I was able to figure out from elsewhere, pre-beta3 builds were done using some more or less homegrown code to construct an executable for scheduled builds.

That has appearently changed with TFS beta 3.  Now you schedule TFSBuild.exe using the right parameters as desribed in the documentation (Use the start command).  This part of the documentation is not - as far as I can tell - part of anything you get on disk and MSDN download at the moment.

(Notethough that the documentation has the command named teambuild, but its actaul name is TFSBuild and is located in ...\Microsoft Visual Studio 8\Common7\IDE) 

Just sat through today's PDC05 keynote which included an hour on the blessings of the new office system 12, which seems like the SAP for the information worker.

Complexity in terms of what it will do and how it will integrate is going absolutely through the roof. You can now do things so complex, integrated, elaborate, good looking etc. that you find yourself longing for the days of text email, phone calls, and binders.

The careful business executive should definitely think twice before moving up to all this new technology. If you think that your people didn't use but 10 % of the features of Office you will probably be going down to 5 % with this upgrade.

... but then again, if access, accuracy, and availability of information is part of your competitive edge - like really, not just your feel good edge - this upgrade may be for you.

Authorization Manager, or just AzMan , is authorization feature available with Windows 2003 and backported to Windows XP and Windows 2000 of appropriate service pack levels.

For details, please refer to other articles such as the MSDN Magazine November 2003 article Authorize It: Use Role-Based Security in Your Middle Tier .NET Apps with Authorization Manager which explains well what AzMan does and how to use it.

Still I would like to point to a few areas of AzMan worth noting before deciding to use it in a production setup. AzMan is basically a rather simple feature based on a great concept. Still, as implemented in the current versions of Windows its adoption is probably held back by a few missing details.

AzMan in its current incarnation will ride on top of an authorization store hosted in either a simple XML file (with no associated schema), in Active Directory or in Active Directory Application Mode, ADAM. Using a file based store is not advised except for your development setup – in which case it is great. Using Active Directory gets you the performance and robustness you need, but requires that you raise the domain level to Windows 2003 functional level. Using ADAM is a fine choice, and presents only a few challenges in more advanced combinations with AzMan.

The biggest challenge with AzMan is defining your application in terms of Operations, Tasks, and Roles in a way that lets you move that definition forward through the stages of development and deployment. Following a common path you start out with a file based XML store, where you configure and test the setup. But as soon as you want to move the contents of the XML file forward into another environment with an AzMan store based instead on e.g. Active Directory, the missing export/import facility is brought to your attention. As it turns out you are left with only two options: either you manually configure the AzMan application definition for each deployment stage in each and every cycle, or you write you own service (preferably an MSI Installer custom action) capable of treating an AzMan XML store to a new home inside Active Directory.

Be sure to visit all the options under "Configuration" in the Admin Menu Bar above. There are 16 themes to choose from, and you can also create your own.

In the process of putting together an article for publication elsewhere, I have come across a fact that I had not been aware of till this point.

WS-Policy and therefore also WS-SecurityPolicy which were used as the config format of security in WSE 2.0 is no longer used in WSE 3.0. Instead a simpler and significantly more legible format is used. All that you may read from the Readme file put on your screen right after installing WSE 3.0. But you may as me have wondered how you exchange policies with other non .NET based solutions now that the switch has been made to this proprietary format.

As it turns out the proposed specification for WS-Policy is going through a lot of changes in the first place, and should therefore not be bet on anyway. (Someone even told me that the format was never supported by other vendors, which obviosly makes the point about being able to exchange policy files a bit moot.)

But as the quote below from a Microsoft lead explains, you should seperate how you configure security in WSE/Indigo and how you possibly exchange your policy with potential clients:

WSE 3.0 policy can be compared to Indigo config and is not a representation of WS-Policy. It is simpler and more readable. So WSE 3.0 does not implement WS-Policy in effect which has changed dramatically in the last few months.

However in the WSE 3.0 you have control over the way that policy serializes itself and combined with calling a service’s GetDescription() method you can image that there was a framework for WSE 3.0 that wrote WS-Policy equivalent which is interleaved with the WDSL from the service. This could then be consumed by Indigo’s servutil.exe tool.