By Matthew Hile on 9/24/2008 3:35 PM

I was listening to a .Net Rocks! interview of Eric Brechner, the director of engineering learning and development for Microsoft Corporation. His group is responsible for improving the people, processes, and practices of software development across Microsoft through the application of Human Performance Technology. His blog posts, I. M. Wright’s “Hard Code”, typically start with a rant and weaves that into a useful lesson in the human side of work/life. This he does is with humorous touch. He has combined a number of the more memorable posts into a book by the same name.

In the show he is discussing the reception of his posts at Microsoft and mentioned that he did not expect staff to go to the external blog but would "...include it in the email I sent just minimizing the effort required to actually get the column." (about 21:47 into the podcast).

I have been touting the advantages of using RSS feeds for years. In this way users can decide what they want and automagically pull new information from web sites. This is the general currency of blogs and news sites. But if Eric is needing to package his information into emails for the clearly tech savvy individuals at Microsoft I will need to rethink my insistence and come up with some alternative approach.

By Matthew Hile on 9/17/2008 7:56 AM

I started having difficulties this morning with one of my DNN sites that uses SSL to protect the entry of a user's name/password combination. Before logging on I could view the publicly available web pages. After signing on, however, I still only saw the publicly available pages (there was no indication that I was signed on). Clicking the signin button again displayed all of the tabs (visible and invisible) but when I clicked on any that were NOT secure I was taken to a blank secure sign in page.

I cleared the cache, deleted cookies, even restarted the computer and tried again all to no avail. Then I remembered that my copy of NoScript had been updated when I started. Checking out the change log for the most recent version I found these additions

v 1.8.1.2
=====================================================================
x Switched "HTTPS|Automatic Secure Cookie Management" off by default:
  even if all the reported login issues (especially the ebay.com one)
  have been fixed, it probably deserves more testing from opt-in
  volunteers before a general "default-on" release 
+ Unsafe cookies can be handled either globally (default), or per tab
  (noscript.secureCookies.perTab)
x Fixed "force HTTPS" not working across some redirection patterns

This lead me to the NoScript options page. When I unchecked the "Enable Automatic Secure Cookies Management" option my site worked as expected. Rechecking it caused a failure. Adding my site to the "Ignore unsafe cookies set over HTTPS by the following sites" list also fixed my problem.

So, from this it looks like there may be a difficulty with the cookies being set by DNN when it uses SSL for security OR a problem with NoScript's new options. I am not sure which.

UPDATE: I heard from both the NoScript and DNN folks (within an hour of my reports). The consensus was that it was probably a problem with NoScript and its initial implementation of Automatic Secure Cookie Management. It is useful to note that the Newer versions of NoScript have turned this feature off by default. As for DNN, it uses "standard asp.net forms authentication cookies" and "automatically marks all cookies as being HttpOnly, so that cross-site scripting attempts cannot intercept cookie details to use in authentication/impersonation attacks."

By Matthew Hile on 7/30/2008 5:41 AM

I was working on a new DNN module and had made a variety of changes. I clicked the debug button to get a fresh build to test and ... nothing. My build failed but there were 0 errors. So I dumped the web cache, restarted IIS rolled back of the code to a previous version and ... "build failed" 0 errors.

Doing a search, I found that this was not a unique experience (with as many folks as there are doing development how could there be a unique experience - we all share the same pains). The kernel of my solution was found in this post. The steps in Visual Studio (2008 is the version I am using) that did the trick were:

1. Tools > Options
2. Projects and Solutions > General
3. Check the box for "Show Output window when build starts"
4. Projects and Solutions > Build and Run (if you do not see the last option make sure that the "Show all settings" check box, at the bottom left of the Options window, is checked.)
5. Set MSBuild project build output verbosity to "Diagnostic"

In my case at least, this gave me enough information to figure out where I was failing and got me on the road to fixing the problem.

By Matthew Hile on 7/15/2008 12:06 PM

Next week (21-July-2008) I am presenting an overview of the DNN Repository module to the St. Louis DotNetNuke Users' Group. In anticipation of that I wanted to make my PowerPoint slide stack available.

I have been using the Repository module for some time to provide users with downloadable files (which is only one of the module's uses). The real advantage of this approach is the "Dashboard" which allows users to quickly select a subset of documents based on user assignable, and hierarchical, categories and attributes. From a user's perspective this was a big step up from DNN's default Documents module. When I used that users could sort by the various categories but there will still so many items that they found it difficult and confusing.

After preparing for my presentation I have learned quite a few things about the module. First, it's utility is good for things like directories and even blog posts - that is things that do not have attachments. The module's templates (both packaged and user create) provide a very nice and powerful way to customize the layout of the items in the module. The next version promises to make the creation and management of these even easier and more powerful.

However, for my purposes, providing downloadable files, there are some significant weaknesses which will send me looking for other modules. These are:

• A GUID is added to the name of each file uploaded. This GUID is changes when ever the file is updated. This permits multiple files to have the same name. In the file versioning promised future version this will also come in handy. However, it seems search engine unfriendly.
• The module does not support DNN secure directory format. Thus files are accessible (if you know the GUID enhanced file name) from the Internet regardless of the DNN security settings.
• Links to the files can be embedded into other DNN pages. However, if the file is updated (thus changing its GUID) the link will break.

So while the module has the really great ability to filter documents, its other difficulties will make me search for a better way to provide search engine friendly, securable files* to my users.

 

* NOTE: I do realize that security and search engine friendly are incompatible goals. In my sites sometimes I want one and sometimes the other. However, this module provides neither.

By Matthew Hile on 7/3/2008 1:21 PM

I just returned from the Children's Bureau's Regional Partnership Grant meeting in DC. The conference had some a few hundred participants form 50+ projects around the country. The different grant sites all focused on the issues around methamphetamines and the children and families it impacts. Our project, the Circle of Hope, does this by providing advanced support services to families who are and have received substance abuse treatment services before they loose their children.

During the conference I had the opportunity to present and facilitate a discussion about how to create cases for reporting data to the Feds. I also did a presentation as part of a plenary session about "Making the Case." Both the audio vile and handouts are available on the project's web site.

I have also posted twice about some of the other presentations I heard. they are "Stages of Collaboration Partnerships & Stages of a Group" and "The Big Red Slice."

All in all it was a pretty interesting and worthwhile conference.

By Matthew Hile on 7/3/2008 1:19 PM

From the Children's Bureau's Regional Partnership Grant meeting in DC Nancy Young presented about collaboratives, Failure by Fragmentation. 

Suggested that two approaches to partnership could be described as:

Shared outcomes = responsibilities + results in a genuine partnership of accountability (data driven, results based).

or

Partnerships rest on trust and trust grow out of relationships build over time (relationships and personalities are important and that you need to make it work with people).

Basically neither works alone: there is a need to balance process and content.

She went on to describe the four stages of collaboration (Sid Gardner, Beyond Collaboration to Results, 1996 )

1. Information exchange (getting to know you)
2. Joint projects (shared grants),
3. Changing the rules (redirection of funds),
4. Changing the system (results-based funding)

It is interesting to think about how these stages fit with "stages of group" development. That is forming, storming, norming, and performing. Information exchange seems to easily fit with the forming stage. Joint projects would potentially push storming as groups fight for turf, try to cope with different views of the problem, and work to deal effectively with each other. Just as with groups, only if the collaborative can get through the storming stage will it be able to move into the third and forth stage of collaboration. Indeed, one of the comments made by Nancy is that if you have not fought in the group then you are really not collaborating.

By Matthew Hile on 7/3/2008 1:07 PM

From the Children's Bureau, Regional Partnership Grant meeting in DC,  Wesley Clark, CSAT Director, SHMHSA talked about the "big red slice." Reporting that most (almost 90%) of women who have a SA problem do not think that they need treatment. With effective treatment, that is from entry to a one year of nonuse, takes about three treatment episodes and nine years.

This suggests two things. First, we need to speed the impact of services. If we we could halve treatment length we could treat twice as many individuals for the same number of dollars. However, even with that we would not be able to provide services to more than 20% of individuals in need. Second, regardless of improvements in treatment services, in our current environment we have very little chance of getting enough services for all those in need. So - at least in economic terms - we best not teach the "big red slice" that they need services because there are none to be had. Better to keep them ignorant and placid than enlightened and demanding. Of course, from a moral and ethical perspective, this thinking is wildly inappropriate. These individuals need effective and accessible services, providing them would improve not only their lives but the lives of their children, partners, and communities. How can we afford not to do this?

By Matthew Hile on 6/20/2008 12:08 PM

While trying to install Adobe Acrobat 8 on a Vista (enterprise) machine I got the following:

Error 1304,Error writhng to file C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

I checked the directory and was unable to adjust the permissions. I checked out the Adobe forms to no avail. I did a Google search and found a bunch of stuff. Finally, at the bottom of a long set of posts about this issue I found the answer from an anonymous poster.

Install the Adobe reader first. It successfully deals with writing the required file into the directory and you are good to go with the Acrobat Professional install.

By Matthew Hile on 5/19/2008 11:50 AM

In a tech nation podcast Dr. Moira Gunn interviewed Tom Hayes about network culture. While the conversation was generally interesting the notion of being attention rich or poor really caught my attention. By this he meant that for those of us in what might be termed the connected world we suffer from an abundance of information to which we have to little time to attend. That is we are attention poor. While less connected individuals have a lot of attention that they are not using and are thus attention rich. This all relates to the attention economy first described in the 70's. As often described the attention economy means that producers of content will succeed to the extent that they can provide more information and less fill.

What peaked my interest in this was an experience I had a few months ago. We had developed a web site for providing information on a particular mental health related project to both family/consumers and professionals. The professionals to whom the site were shown were quite positive and interested in testing some of its features. However, none of them actually went on line later to do this testing. The family/consumers, on the other hand, were very enthusiastic sharing the site and information with others and wanting to push for its expansion.

From the processional's perspective - Since they were attention poor, having lots of content to which they needed to attend, this site did not really provide enough new information to warrant spending very much of their limited attention.

From the family/consumer's perspective - They were willing to invest their attention in it. Whether this was because they were attention rich and the cost minimal OR because we provided enough new information to overcome the attention cost of those who are attention poor, we do not now know. However, this would be an interesting test. Do we get higher utilization among those who are attention rich?

Another, perhaps more interesting, question would look at the digital divide through the lens of the attention economy. The poor are less likely to have access to the Internet.  Does this mean that they would be attention rich and more accessible to sites that would meet their information needs? Is there a relationship between attention and poverty? Or do the day-to-day difficulties of living with poverty not allow someone the luxury to have any attention to spend even if they did have access?

By Matthew Hile on 5/14/2008 10:12 AM

I got enthused about an new security device, Yubico's YubiKey, after listening to Steve Gibson's Security Now podcast episode 141 (with a brief description) and episode 143 (with an interview and full description). Basically, this slim USB device emulates a keyboard and emits a unique password each time it is touched. Using a web service, as well as other methods, you can test to make sure the string is a valid password. Various software examples for doing so is available from their web site.

Since I deal with securing protected HIPAA data I am constantly on the lookout for solutions to further protect access to that information. Combined with a user ID and password this device seemed to offer a simple, cost effective, two factor authentication approach.

Yubico provides a variety of sample code for Java, C, and a C# .NET. However, I needed a VB implementation that I could use in DotNetNuke. To this end I created a new DNN module, rewrote the code from the C# example, and implemented a basic system for validating the YubiKey against the Yubico's web service.

The basic code for the validations is below

Function verify(ByVal strAuthorizationId As String, ByVal strOdp As String) As Boolean
Dim _result As Boolean = False
Dim _response As String = ""
Dim request As HttpWebRequest
Dim response As HttpWebResponse
Dim strYUBICO_AUTH_SRV_URL As String = "http://api.yubico.com/wsapi/verify?id="

Try

request = HttpWebRequest.Create(strYUBICO_AUTH_SRV_URL + strAuthorizationId + "&otp=" + strOdp)
response = request.GetResponse

Dim ver As String = response.ProtocolVersion.ToString
Dim reader As StreamReader = New StreamReader(response.GetResponseStream)

' Review the response and proceed accordingly
Dim str As String = reader.ReadLine

Do While str <> ""
str = reader.ReadLine
_response += str + "-"
If str.StartsWith("status=") Then
If str.StartsWith("status=OK") Then
_result = True
End If
Exit Do
End If
Loop

If Not _result Then
' Write failed attempt to log
Dim objEventLog As New DotNetNuke.Services.Log.EventLog.EventLogController
objEventLog.AddLog( _
"Yubikey Authenticaion Failure", _
"ID: " & Left(strOdp, 12) & " Returned: " & _response, _
PortalSettings, _
-1, _
DotNetNuke.Services.Log.EventLog.EventLogController.EventLogType.ADMIN_ALERT)
End If

Return _result

Catch exc As Exception

ProcessModuleLoadException(Me, exc)

End Try

End Function

 

I have also zipped the source code and the installation file if you would like to explore and play with this function. NOTE: To use this code you will need to replace

Dim _authId As String = "-1" '

with your code that can be obtained for free from http://yubico.com/developers/api/