Hotels Switching to Biometric Room Keys

In another assault on personal privacy, I just read about a plan to move towards using biometric identifiers for hotel room access over standard room keys. Read "Hotel Card Keys Edge Toward Extinction." I had never thought much about biometric identifiers as security risks until recently. I figured unique to me as a person was a good thing, but after listening to Brandon McMillon speak on A Primer to Secure Coding (Parts 1 and 2) at the 2005 Alabama .Net Code Camp, many good points about biometrics were raised.

1) In computer terms, a biometric reader (fingerprint, handprint, retina scan, etc.) takes unique values from the physical attribute and converts them into a numeric value (we’ll call it a hash).

2) That hash is compared to what is stored in a database, and if a match is found, then identification is verified.

3) So, the validation system is only accepting a hash (generated by the machine that examines the biometric attribute), which is a number, and a certain type of reader will always generate the same hash value.

4) If you somehow gain access to that number, you can always spoof the reader that generates that value to the authentication system (of course this does rely on being able to gain access to the intermediate system).
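The weakness in points 3 and 4, as an added example that is not from the talk or the original post: a back end that accepts the bare hash cannot tell a live reader from a resent value, while one that requires the reader to MAC a fresh server nonce can. The class names, the per-reader key and the sample template are assumptions made for illustration, and the "hash" follows the post's simplified model of a reader that always emits the same number.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the fixed number the post's model says a reader emits.
TEMPLATE = hashlib.sha256(b"constructed-fingerprint-features").hexdigest()

class StaticVerifier:
    """Back end as described in the post: it accepts the bare hash."""
    def __init__(self, enrolled):
        self.enrolled = set(enrolled)

    def verify(self, presented):
        return presented in self.enrolled

def reader_response(reader_key, nonce, template):
    """Reader side: bind the hash to the server's one-time nonce."""
    return hmac.new(reader_key, nonce + template.encode(), hashlib.sha256).digest()

class ChallengeVerifier:
    """Hardened back end: requires a MAC over a fresh nonce from a keyed reader."""
    def __init__(self, enrolled, reader_key):
        self.enrolled = set(enrolled)
        self.reader_key = reader_key
        self.pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce, presented, tag):
        if nonce not in self.pending:
            return False          # unknown or already-used nonce
        self.pending.discard(nonce)
        expected = reader_response(self.reader_key, nonce, presented)
        return hmac.compare_digest(expected, tag) and presented in self.enrolled

def demo():
    key = secrets.token_bytes(32)  # hypothetical per-reader secret
    static, hardened = StaticVerifier([TEMPLATE]), ChallengeVerifier([TEMPLATE], key)
    n1 = hardened.challenge()
    tag1 = reader_response(key, n1, TEMPLATE)
    live = hardened.verify(n1, TEMPLATE, tag1)
    resent = hardened.verify(n1, TEMPLATE, tag1)   # same message again
    stale = hardened.verify(hardened.challenge(), TEMPLATE, tag1)
    return {"static_accepts_bare_hash": static.verify(TEMPLATE),
            "hardened_accepts_live_reader": live,
            "hardened_accepts_resent_message": resent,
            "hardened_accepts_old_tag": stale}
```

The nonce binding stops a recorded message from being accepted twice, but it does not make the underlying template changeable; rotating the reader key only invalidates what was captured on the wire.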

And then the real kicker that has made me anti-biometric (and didn’t I just read that United States Passports will start containing RFID chips, and probably personal info, maybe even biometric by October 2006). If someone compromises the hash and has access to the intermediary system…you can’t do anything to change your identifying information to restore security to the system. The manufacturer would have to change their hash algorithm. If a username or password is compromised, I can change those easily. Hard to change my fingerprints or retinas.

So hopefully, these hotels will have some backup authentication mechanism in place. It would seem they would have to. Big Rob brought up the point last night about people with no fingers. Can’t discriminate against them. I for one will refuse to stay at a hotel that demands biometrics. I just don’t trust the security of the systems.

Posted in Privacy, Technology

Kathy Sierra Speaks the Truth (As Usual)

Over at the Creating Passionate Users blog, Kathy Sierra (one of the masterminds behind the wonderful Head First series of books) has a fantastic post that every working Joe should read. It is "When clients (and bosses) go bad…". It really does a great job talking about the upsides and downsides of overbearing work environments. Everyone in the tech industry has probably felt both sides of this at one time or another.

Posted in Technology

New Home for The Porter Method

Well I finally bit the bullet and decided to get some hosting space and break free from the chains of Blogger.

The new home for this blog will now be located here: The Porter Method Blog.
Please update your links accordingly. The new feed location is here. RSS Feed.

My new webhost is TextDrive. So far the experience has been good. The new blogging setup will be using WordPress. If you see something that looks strange, then it is probably because of my ineptitude with WordPress. Hopefully it won’t take too long for me to get up to speed.

Eventually I’ll have a full site running at www.theportermethod.com, but things are a bit hectic right now, so it may be a couple of weeks.

Posted in Misc

Alabama .Net Code Camp 2005 Recap

First of all here is a link where you can download a zip file of my presentation.

Introduction to Creating Installation Packages with Microsoft’s Windows Installer XML (WiX) Toolset

To run the examples, you should download the latest binary version of WiX and extract the archive to C:\WiX.

Then download my presentation, extract it to C:\, and add the C:\WiX directory to your path. After this you should be able to work with all of the samples.

The contents of the presentation archive are:
Introduction to Creating Installation Packages with Microsoft’s Windows Installer XML (WiX) Toolset.ppt – Presentation File
Guid.vbs – VBScript to generate GUID and place it into the clipboard using some magic IE Automation
xsd_doc.html – HTML Documentation generated from the WiX XML Schema (a bit easier to use than browsing the XSD file directly and reading the documentation)

Here are the other sessions I attended:

Pooling for Performance
Andrew Corley
Very interesting session talking about the advantages of Database Connection Pooling and Object Pooling. SQL Server offers built-in support for connection pooling. The .Net Framework makes adding support for Object Pooling completely trivial. Looks like a great implementation. Andrew did a great presentation and will be speaking to the Lower Alabama .Net User Group in the near future about SQL Server 2005 (I believe that will be the topic).

Building High Performance Applications with ASP.NET 2.0
Russ Fustino
Russ is a Microsoft evangelist so his presentation skills (and wit) were top notch. He showed off some fantastic new enhancements to ASP.Net 2.0.

The one that really caught my eye was the built-in support for caching pages. You can cache an entire page based on a time duration or cache all but certain portions of a page. Very impressive is a new feature working with SQL Server 2005 that allows a page’s dataset to be tied to a set of database tables and be updated by a push from the database server, which informs the page that the underlying data has changed so that it refreshes the cached copy. Really cool stuff. Russ mentioned that the architecture is open, so you can write your own broker to work with different databases. The VS.Net 2005 IDE support for creating ASP pages is of course wonderful.

Another awesome new feature is the ability to compile your pages and server side code down to dll files (which will improve the performance). I’m sure it will start a flame war, but I really wish the JSF (Java Server Faces) guys would have emulated MS’s ASP.Net. I was not impressed with JSF when we recently evaluated it at work. Sun is very far behind in this regard. That’s ok, all of the cool kids are using Ruby on Rails anyway 🙂

During this session I saw something that made me think of Kathy Sierra and her Creating Passionate Users concept. After seeing one of the new features I actually saw two developers exchange high fives. They were that enthused about what they would be working with soon. That is definitely a passionate user base.

Free .Net Tools (log4net, code-gen, reflector and more)
Paul Lockwood
Paul showed off some free tools that enhance .Net development. He showed Log4Net, a great open source logging framework (which I’m very familiar with since it is a port of Log4j). NDoc was another tool Paul showed. It examines assemblies and generates a nice documentation file of the classes and methods. Reflector was the coolest one he showed off. It is a decompiler for .Net code. Get your obfuscator ready because you can really pull out very accurate source code from normal compiled code. A bit scary actually.

DataWindow.NET
David Avera
Dave showed off the new features that will be coming out in DataWindow.Net 2.0 (which is currently in an open beta that you can join here). Some new presentation styles are coming along with support for connecting datawindow objects to .Net DataSets. I have a bit of a bias since I do some work with datawindows through PowerBuilder but I think DataWindow technology is awesome.

A Primer for Secure Coding (Parts I and II)
Brandon McMillon
Brandon went into various forms of attacks that can be raised against systems (Spoofing, Man in the Middle, etc.). He described some principles for bringing security into the development process through threat modeling. There was an overwhelming amount of information (he said the slide set was actually a week-long course, so we did skip around a bit). We finished up getting into web-specific attacks such as Cross Site Scripting (XSS) attacks and everyone’s favorite… SQL Injection attacks. All in all a good session. Can’t wait for the slides to be posted so I can really pore through the information.

One of the organizers of the event, Microsoft’s Joe Healy, posted a recap of the event.

All in all it was a great event and I’m glad I was able to attend. I will post a link when I find out where the presentations for the other sessions will be posted. I also would like to say thanks to Rich and Laura for opening their lovely home to Casey and me for the weekend (and for the fantastic Baked Spaghetti).

Posted in C#, Technology

Free Commercial Databases as Far as the Eye Can See

Looks like with Oracle’s recent announcement all of the big names in the commercial database market have free versions that can be used in production environments. There is Sybase ASE Express Edition for Linux, Microsoft’s SQL Server 2005 Express Edition, and Oracle Database 10g Express Edition.

Here’s a short feature comparison on the very basic stats.

Oracle Database 10g Express Edition
4 GB of data
1 CPU
1 GB of RAM
One instance per server
Downloads For Windows or Linux

Microsoft’s SQL Server 2005 Express Edition
4 GB of data
1 CPU
1 GB of RAM
Windows Only

Sybase ASE Express Edition for Linux
5 GB of data
1 CPU
2 GB of RAM
Linux

Each of these databases is an exceptional piece of technology. I have worked mainly with Oracle and SQL Server and am really blown away with the features that have been packed into Oracle 10g and SQL Server 2005. I think these moves by the commercial database companies to release free versions of their software could really have an impact on the open source databases typically used to build small to medium sized databases on the cheap. We’ll see how it affects their future.

Also, the Alabama .Net Code Camp this past weekend went great. I’ll have a post tomorrow summarizing things and posting a link to the files from my presentation.

Posted in MS SQL Server, Oracle, Sybase, Technology