August 2005 - Posts

Last day of TechEd Asia 2005 in Singapore, not as good as I expected, but heck, it wasn't too bad either. As usual, both Jesper and Steve rocked the event inside out. Very good speakers with lots of passion for their job, though some of the stories are repeated if you've been following the TechEd events :) nevertheless - they kicked axx !

Posted by bernard | 2 comment(s)

Earlier on I blogged about where to find useful web application security books! Now, to see how well you've learned, let's try to hack it :)  Get the web application hacking tools by PortSwigger.net. Burp suite was released a couple of weeks ago; it is a set of web application hacking tools that gives you the ability to check your web application for vulnerabilities in an automated or manual way, enumerate the structure of the web application, and provide an interactive debugging environment via its proxy interface. Burp suite 1.0 consists of 4 modules: Burp intruder, proxy, spider and repeater. Oh ya, it's a Java application :)

Posted by bernard | with no comments

So what are the best web application security books around? I found a few over here.....  too bad - mine wasn't in the list :)
Anyway, out of 12, I have read four. If you are in the web application space, I encourage you to get at least 4 to 6 books from the list.

Posted by bernard | 3 comment(s)

I'm sure most of you know Chris Adam :) the IIS webcasts guy? coz most of the IIS webcasts are presented by Chris. I have known Chris for some time, and met him during last year's global MVP summit. Well, back then he was errrr.... Supportability Beta Lead...... don't ask me what a Beta Lead or supportability is :)  I had a hard time figuring out the job title and the role + responsibilities... Anyway - Chris is a Program Manager now :)  go go go !! and he is now blogging @ technet.com.

Posted by bernard | with no comments

I'll be in Singapore next week for Microsoft Tech.Ed Asia 2005; if you'd like to meet up - just look for me :)  I'll be participating in a discussion forum and helping out at the INETA/Cuminis booth. So see you there!

Posted by bernard | 2 comment(s)
830721 An illegal instruction exception or an access violation exception causes the Intersite Messaging service to crash
902161 Event 51228 is logged in the System log, and changes are not saved to the Metabase.xml file after you make configuration changes in IIS 6
894484 FIX: You experience high memory usage in the W3wp.exe file on a computer that is running Windows Server 2003 and that has Internet Information Services (IIS) 6.0 installed
902160 You receive "HTTP Error 401" error messages, and you intermittently cannot connect to a Web site that is hosted on IIS 6.0
900700 Internet Information Services 6.0 log file entries may not be sorted in chronological order on a Windows Server 2003-based computer
903071 You may receive a "The function requested is not supported" error message when you try to connect to a Web site that is hosted on IIS
Posted by bernard | with no comments

Well, I've been very busy :) and the sky in my area has been very very hazy! It's like living in a smoking city! Just like if you went into a meeting room with 20 team members, 18 of them smoking :) Well, though I smoke, I'm not part of the 18, coz it's enough to kill your lungs if you're stuck there for 1 hour. Luckily, I'll be traveling up north for a week plus, then heading down to Singapore for a few days; the situation over there is not too bad compared to where I stay now.

Anyway, here's what I read for the past few days.
a) Patch day - from Jeffery's blog with 3 critical, 1 important, 2 moderate and 1 re-released. Though none are directly IIS related, a few are linked to IIS, including the print spooler for Internet printing and the Kerberos vulnerability in Windows Integrated authentication.

b) Citibank - defeating the virtual keyboard. In my country, I think they implemented this a month ago; it is so not user friendly and dumb. You know, you need to 'click' your PIN on the predefined buttons, rather than a normal PIN number input field. And yesterday, I read one article showing a POC to defeat this so-called 'security technology' :)

c) W2k Security Update Rollup 1 - re-release! With so many issues with the previous release, Microsoft has decided to release the package again soon; refer to this kb.

d) Top 10 useful Microsoft blogs - from Redmond magazine. Well, two of the msmvps.com blogs made it to the list (Susan and Donna) and although I'm not as prolific compared to the two lovely ladies, I'll not agree with the author's comments about the other msmvps.com bloggers: “...But it seemed most of those I clicked on were hopelessly out of date...” hopeless? mmm...  'most of those'? or maybe I'm just being sensitive? oh well... bla bla bla

e) Chris Crowe in the house !!! The former owner of IISfaq.com is back! and still an IIS MVP. We actually exchanged a couple of emails a few years ago before I was awarded, a nice guy indeed. Now, he is rambling and blogging about IIS.

That's all for now, time to get back to work :( 

Posted by bernard | with no comments

Recently, a user emailed me and asked “I'd like to attend IIS 6 training, do you know any?”  Good question, I didn't have much clue on this either :)  Well, so I dug around, and here's what you can do:

a) TryIIS6.com - click on Get Online Training; this is a great place to start learning about IIS 6, there are video clips, animated presentation slides, simulations and lots more.

b) Course 2694 - this is the only Microsoft official workshop for IIS 6 :(  how sad - only 1 course ???  It's a new course to replace course 2295 for IIS 5. I remember quite a while ago Microsoft was gathering our feedback on the official curriculum for IIS 6; not sure if this is the one, but it's kinda sad to have only ONE course for the product!

c) IIS Webcasts - one of the best ways to learn IIS 6. For the past webcast schedule, you can always refer to the IIS Webcasts section that I have in my blog.

d) Evaluation kit - IMHO, this is the only way to learn IIS 6 :)  or if you have an existing Windows 2003 license, it's even better as it won't expire after 180 days. Get your hands dirty with it, put it on a test machine or load it in a Virtual PC/Server setup. Try everything for real! Read the help file, it's been the best documentation so far compared to the previous version, but of coz, it contains some erroneous information, etc. in it. But you can always refer to the latest technical documentation at Microsoft.com.

Hope that you can kick start your IIS 6 experience with the above, and don't forget to visit the IIS newsgroups, IIS Insider, IIS-resources.com, IISfaq.com, etc. to seek experts' help and guidance. And of course, there are many training companies offering different training courses for IIS 6; you need to google this as I didn't pay any attention to those.

Posted by bernard | with no comments
Important Updates to IIS 6.0 in Windows Server 2003 Service Pack 1

Microsoft Windows Server 2003 Service Pack 1 brought several significant updates to Microsoft Internet Information Services (IIS) 6.0. In this webcast we show you some slick IIS capabilities such as tracing, Secure Sockets Layer host headers, improved HTTP.sys logging, HTTP application programming interface improvements, the Microsoft Windows Server 2003 Security Configuration Wizard and more.

Centralizing Logging in IIS 6.0: Service Pack 1 Centralized W3C Logging

A secret was slipped into Microsoft Windows Server 2003 Service Pack 1 and Microsoft Internet Information Services (IIS) 6.0 called W3C Centralized Logging. Building on the Centralized Binary Logging feature, HTTP.sys and IIS 6.0 are now capable of logging all requests for Web sites to a single log file. With W3C Centralized Logging, you are now able to capture cookie and Win32 error codes that are logged in plain text files. Join us for this webcast to learn the advantages of this new logging method, and how to take this centralized approach and redirect it to a remote UNC share for centralized log management for Web farms.
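The webcast abstract above describes the format worth knowing if you run a Web farm: with centralized W3C logging every site's requests land in one plain-text file, the s-sitename column tells the sites apart, and the sc-win32-status column carries the Win32 error code behind a failed request. As an added example (not from the webcast, from Microsoft or from this blog), here is a small parser for W3C extended log text that answers the two questions an administrator asks of such a file: how many requests each site received, and which 401 responses and Win32 errors stand out. The field selection and the log lines in SAMPLE_LOG are constructed for the example; a real server logs whichever fields were ticked in its logging properties, and the parser reads that selection from the #Fields directive rather than assuming one.

```python
"""Parse IIS 6.0 W3C extended log text and summarise it per site.

Added example for this post. SAMPLE_LOG below is constructed to look like
a W3C centralized log (HTTP.sys writes every site into one file, so the
s-sitename column tells the sites apart); it is not from a real server.
"""
from collections import Counter

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-08-10 09:00:00
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) sc-status sc-substatus sc-win32-status
2005-08-10 09:00:01 W3SVC1 10.0.0.5 GET /default.htm - 80 - 10.0.0.20 Mozilla/4.0+(compatible;+MSIE+6.0) ASPSESSIONID=AAAA 200 0 0
2005-08-10 09:00:02 W3SVC1 10.0.0.5 GET /secure/report.aspx - 80 - 10.0.0.21 Mozilla/4.0 - 401 2 5
2005-08-10 09:00:03 W3SVC2 10.0.0.5 GET /images/logo.gif - 80 - 10.0.0.22 Mozilla/4.0 - 200 0 0
2005-08-10 09:00:04 W3SVC1 10.0.0.5 GET /secure/report.aspx - 80 DOMAIN\\jdoe 10.0.0.21 Mozilla/4.0 - 401 3 0
2005-08-10 09:00:05 W3SVC2 10.0.0.5 POST /upload.asp - 80 - 10.0.0.23 Mozilla/4.0 - 500 0 64
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive.

    W3C rules applied here: lines starting with '#' are directives, '-' is the
    placeholder for an empty field, and IIS writes spaces inside client header
    fields such as cs(User-Agent) and cs(Cookie) as '+'.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                # A file can carry more than one #Fields directive (IIS writes a
                # fresh header block when the field selection changes), so the
                # most recent one governs the lines that follow it.
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line appears before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        record = {}
        for name, value in zip(fields, values):
            if value == "-":
                value = None
            elif name.startswith("cs("):
                value = value.replace("+", " ")
            record[name] = value
        yield record


def requests_per_site(records):
    """Count requests per site (the W3SVC<n> identifiers) in a centralized log."""
    return Counter(r["s-sitename"] for r in records)


def auth_failures(records):
    """Return every 401 with its IIS substatus and Win32 status, the two
    columns that narrow down why IIS refused the request."""
    return [
        (r["s-sitename"], r["cs-uri-stem"], r["c-ip"], r["sc-substatus"], r["sc-win32-status"])
        for r in records
        if r["sc-status"] == "401"
    ]


def win32_errors(records):
    """Return requests whose sc-win32-status is non-zero; the value is the
    ordinary Win32 error number (5 = ERROR_ACCESS_DENIED, 64 = ERROR_NETNAME_DELETED,
    i.e. the client dropped the connection)."""
    return [
        (r["s-sitename"], r["cs-uri-stem"], int(r["sc-win32-status"]))
        for r in records
        if r["sc-win32-status"] not in (None, "0")
    ]


if __name__ == "__main__":
    recs = list(parse_w3c(SAMPLE_LOG))
    print("requests per site:", dict(requests_per_site(recs)))
    for row in auth_failures(recs):
        print("401:", row)
    for row in win32_errors(recs):
        print("win32 error:", row)
```

Pointing `parse_w3c` at the text of a real centralized log (or one collected from the UNC share the webcast mentions) gives the same per-site breakdown; because the field names come from the file's own #Fields line, adding or removing columns in the IIS logging properties does not break the parser, it only changes which keys each record carries.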
Posted by bernard | with no comments