Simply Works

Simply Works, uploaded by Daniele Muscetta on Flickr.

I don't know about other people, but I do get a lot to think about when the end of the year approaches: all that I've done, what I have not yet done, what I would like to do, and so on…

And it is a period when memories surface.

I found the two old CD-ROMs you can see in the picture. And those are memories.
Mission Critical Software was the company that invented a lot of stuff that later became Microsoft products: for example ADMT and Operations Manager.

The black CD contains SeNTry, the "enterprise event manager", what later became Operations Manager.
On the back of the CD, the company motto at the time: "software that works simply and simply works".
So true. I might digress on this concept, but I won't do that right now.

I have already explained in my other blog what I do for work. Well, that was a couple of years ago anyway. Several things have changed, and we are moving towards offering services that are more measurable and professional. It happens that in a certain job you need to be an "expert" and "specialize" in order to be "seen" or "noticed".
You know I don't really believe in specialization. I have written it all over the place. But you need to make other people happy as well and let them believe what they want, so when you "specialize" they are happier. No, really, it might make a difference in your career 🙂

In this regard, I did also mention my "meeting again" with Operations Manager.
That's where Operations Manager helped me: it let me "specialize" in systems and applications management… a field where you need to know a bit of everything anyway: infrastructure, security, logging, scripting, databases, and so on… 🙂
This way, everyone wins.

Don't misunderstand me, this does not mean I want to know everything. One cannot possibly know everything, and the more I learn the more I believe I know nothing at all, to be honest. I don't know everything, so please don't ask me everything – I work with mainframes 🙂
While that can be a great excuse to avoid neighbours' and relatives' annoyances with their PCs, on the serious side I still believe that an intelligent individual cannot be locked into doing a narrow thing and knowing only that one bit just because it is common thought that you have to act that way.

If I stopped where I am supposed to stop, I would be the standard "IT Pro". I would be fine, sure, but I would get bored soon. I would not learn anything. But I don't feel I am the standard "IT Pro". In fact, funnily enough, on some other blogs out there I have been referenced as a "Dev" (find it on your own, look at their blogrolls :-)). But I am not a Dev either then… I don't write code for work. I would love to, but I rarely actually do, other than some scripts. Anyway, I tend to escape the definition of the usual "expert" on something… mostly because I want to escape it. I don't see myself represented by those generalizations.

As Phil puts it, when asked "Are software developers – engineers or artists?":

"[…] Don’t take this as a copout, but a little of both. I see it more as craftsmanship. Engineering relies on a lot of science. Much of it is demonstrably empirical and constrained by the laws of physics. Software is less constrained by physics as it is by the limits of the mind. […]"

Craftsmanship. Not science.
And stop calling me an "engineer". I am not an engineer. I was even crap in math, in school!

Anyway, what does this all mean? In practical terms, it means that in the end, whether I want it or not, I do get considered an "expert" on MOM and OpsMgr… and that I will mostly work on those products for the next year too. But that is not bad, because, as I said, working on that product means working on many more things too. Also, I can point to different audiences: those believing in "experts" and those going beyond schemes. It also means that I will have to continue teaching a couple of scripting classes (both VBScript and PowerShell) that nobody else seems to be willing to do (because they are all *expert* in something narrow), and that I will still be hacking together my other stuff (my facebook apps, my wordpress theme and plugins, my server, etc) and even continue to have strong opinions in those other fields that I find interesting and where I am not considered an *expert* 😉

Well, I suppose I've been ranting enough for today…and for this year 🙂
I really want to wish everybody again a great beginning of 2008!!! What are you going to be busy with, in 2008 ?

It's nice to see things called by their real name

Facebook Terms of Service state that it is forbidden to "[…] use automated scripts to collect information from or otherwise interact with the Service or the Site […]"

For this reason, I had to pull down the code of the small application I had previously released, which was "logging" into the mobile web application "pretending" to be a mobile browser and changing your status. Big deal!!!

I am quite sure there are a lot of people writing "official" applications (that is, using the "platform API" and so on) that are collecting A LOT of information about users who install their applications. They are being sent the info about the visitors by facebook, they are storing it, they might do whatever they please with it (study it, sell it to spammers, to marketers, to making-money-assholes) and nobody will ever notice because it is on their servers and nobody can check that.

But a script that changes your status from remote – since this is not a functionality they CHOSE to expose in their API – then THAT is a big issue. Doh!
It's just plain ridiculous, but that's it.

Sure, the terms of service for app developers say a bit more in this regard:

[…] 4) Except as provided in Section 2.A.6 below, you may not continue to use, and must immediately remove from any Facebook Platform Application and any Data Repository in your possession or under your control, any Facebook Properties not explicitly identified as being storable indefinitely in the Facebook Platform Documentation within 24 hours after the time at which you obtained the data, or such other time as Facebook may specify to you from time to time;

5) You may store and use indefinitely any Facebook Properties that are explicitly identified as being storable indefinitely in the Facebook Platform Documentation; provided, however, that except as provided in Section 2.A.6 below, you may not continue to use, and must immediately remove from any Facebook Platform Application and any Data Repository in your possession or under your control, any such Facebook Properties: (a) if Facebook ceases to explicitly identify the same as being storable indefinitely in the Facebook Platform Documentation; (b) upon notice from Facebook (including if we notify you that a particular Facebook User has requested that their information be made inaccessible to that Facebook Platform Application); or (c) upon any termination of this Agreement or of your use of or participation in Facebook Platform;
[…] You will not directly or indirectly sell, export, re-export, transfer, divert, or otherwise dispose of any Facebook Properties to any country (or national thereof) without obtaining any required prior authorizations from the appropriate government authorities;

Are we sure everybody is playing by these rules, when every facebook "application" really runs on the developer's server? How do you know that they are really storing only what you want them to store, and deleting what you want them to delete? Everybody knows how difficult it is to really "delete" digital content once it has come into existence… who knows how many copies of this database/social graph are floating around?

Of course that is not an issue because people don't talk about it enough. But a script that changes your status – now, THAT is a very terrible thing.

I just don't get this "political correctness". It must be me.

Oh, no… look! It's not only me!
I had read this post of Dare's, but I probably had overlooked the last bit of it…. because he did point out this Hypocrisy going on:

[…] Or (5) the information returned by FQL about a user contains no contact information (no email address, no IM screen names, no telephone numbers, no street address) so it is pretty useless as a way to utilize one’s friends list with applications besides Facebook since there is no way to cross-reference your friends using any personally identifiable association that would exist in another service.

When it comes to contact lists (i.e. the social graph), Facebook is a roach motel. Lots of information about user relationships goes in but there’s no way for users or applications to get it out easily. Whenever an application like FacebookSync comes along which helps users do this, it is quickly shut down for violating their Terms of Use. Hypocrisy? Indeed.

He then insists in a more recent post in calling things by their name:

[…] I will point out that 9 times out of 10 when you hear geeks talking about social network portability or similar buzzwords they are really talking about sending people spam because someone they know joined some social networking site. I also wonder how many people realize that these fly-by-night social networking sites that they happily hand over their log-in credentials to so they can spam their friends also share the list of email addresses thus obtained with services that resell to spammers?
[…] how do you prevent badly behaved applications like Quechup from taking control away from your users? At the end of the day your users might end up thinking you sold their email addresses to spammers when in truth it was the insecure practices of the people who they’d shared their email addresses with that got them in that mess. This is one of the few reasons I can understand why Facebook takes such a hypocritical approach. 🙂

Thanks, Dare, for mentioning Hypocrisy. Thanks for calling things by their name. I do understand their approach, I just don't agree with it.

I did pull my small application off the Internet because I have a family to maintain and I don't want to have legal troubles with Facebook. Sorry to all those that found it handy. No, I cannot even give that to you per email. It's gone. I am sorry. For the freedom of speech, especially, I am sorry.

I will change my status more often on Twitter.

Facebook development

I have been quite hooked into Facebook for the last couple of days, figuring out what it can and cannot do. It can do a lot. The possibility to inject code and brand new application into it is absolutely awesome.

PopFly lets you create mashups and even custom blocks, and I liked that too. But you have to use fancy-shiny Silverlight (which is very cool indeed, but probably not *always* necessary) and you can only create blocks using Javascript. Sure, as someone has already written, the meaning of AJAX is "javascript now works". I can understand (even if I don't know them for sure) the reasons behind certain choices. But I find it limiting. Maybe it is because I don't like Javascript. It must be it.

Facebook, instead, empowers you to inject code into their social networking framework. Any code. In whatever language you like. They started it in PHP, but you can plug-in whatever you like: Java, Ruby, Perl…. you can even have your application running on your own server, still providing a seamless experience inside of facebook. This opens up to millions of possibilities, and I got fascinated by that.

At the same time, the paranoid part of myself has been thinking about the security implications of it. This open platform is cool, but it also sounds like a framework for cross-site-scripting (XSS) attacks. Sure, you can "report" an application made by a third party that does something weird… but who will really notice if all that happens under the hood is that your cookies get stolen (and someone accesses your bank account)? Will you figure out it has happened because you wanted to see the "dancing pigs" loaded in your profile? Or will you figure it out at all?

This said, I set aside my fear for a while and I delved into coding. What I did learn in the last couple of years, having slowly moved away from security engagements, is to relax. When I was working constantly with security I was a lot more paranoid. Now I care much less, and I live a lot more.

So I developed a couple of quick and simple apps running from this very server into Facebook, and I started using the PHP5 library they provide, so as to be able to follow the examples first and figure out how it was working.

Now I also want to take a look at the .NET library for facebook when I have time. It sounds cool.

Ancient and Modern (aka "Digital Printouts" and Writing Secure Systems)

I often find it funny to use the old reflex camera with film, but I mostly use it as if it were a digital one: I take many shots, some are good, some are bad – I don't bother printing them, I just let the film develop and I scan the pictures I like from it (several ones are even posted here this way).
I have even been talking about this with fellow flickerers:…

On the other hand, it often happens that I want to print some photos taken with the digital camera. So I take them to the shop on the Compact Flash, or more often on a USB pen drive.

Today, though, something strange happened: the machine they use to print digital photos (some very big professional system for printing on photographic paper, with a proprietary application which manages it) hung while it was trying to load this one photo which was on the USB pen drive.

The guy at the shop panicked: he said a week earlier a guy got the machine infected with a virus through his USB pen, and he had to stop working for three days and spend a lot of money to get the system reinstalled…

I tried to tell him to close the application but he did not even get what I was talking about. He was saying that the system was not responsive… I was pretty sure the system WAS responsive, it was just the APPLICATION which was hanging, and since it looked like an NT-based system I tried to guide him through CTRL+ALT+DEL, to start "Task Manager" and kill the application (this whole procedure took several minutes, and I had to show him which keys I was talking about, as he was able to find "ALT" but he had never heard of CTRL, let alone "DEL"). It was a Windows 2000 Professional… so I wondered how he logged in if he did not know that key combination….. I asked how he got in when he started the machine…. "it opens automatically" he said. I see. I thought it must be configured for autologon then. After killing the application he asked "how do I get out of this now??" "This" being Windows Explorer… I mean, the desktop. I pulled out my USB pen drive he was afraid of, I helped him reboot. He was nervous and he said it took much longer than normal to start up (I don't believe ONE word of it, it just took much less time than my laptop with Vista takes to start up… but he was worried and that makes one anxious and makes time flow slower). He was afraid and nervous that the "thing" could have been broken somehow by trying to load a JPEG…
NOTHING made him confident about me: I tried to reassure him I am an IT Professional, that I work for Microsoft (unfortunately I did not have my business cards with me today, that would have probably helped!), that I put my hands on much more complex and "missioncritical" systems, that I would not bring him any virus whatsoever and I am paranoid about computer security…
Nothing. Nothing worked to re-assure him that there wasn't anything to worry about my pen…

While the machine started I saw it doing AutoAdminLogon as Administrator… with a password of TWO characters.
Oh my god!
And then he wonders why he gets viruses from strangers. He runs as Administrator all the time!!!

But then I thought and asked… "is there maybe a LIMIT on the SIZE of the file?". "Of course there is!".

Since the photo I wanted to print is actually a composition made of two photos pasted together, and each of the originals was an 8 Megapixel photo, the result is a 16 Megapixel picture, a JPG file of roughly 8 megabytes in size. Well, these days it isn't much anyway. We nearly have cameras which produce files with that high a resolution…
..but if THAT application has a limit… WHY on earth doesn't it CHECK for the bloody SIZE of the file BEFORE trying to load it ?

I mean, those are professional systems which – he said – cost around 150 THOUSAND of Euros… which they let run with an application which does NOT do any input checking/validation, runs the whole time as Administrator… while letting people bring in their own CD-ROMs, USB pens, flash memory cards….
and they expect it to be safe?

Now the guy was panicked and wouldn't let me plug my pen in the machine again.

Then he's keeping his shop closed in the afternoon since it is saturday, and I need that photo (and other ones) printed for tomorrow, because tomorrow it is my grandad's 91st birthday and I wanted to bring them printed for him and framed as a present!

Moral: I have to find another place to print them in the afternoon, in a rush, because some company sells print systems which are written like crap, which need to run as Administrator and won't do any input validation in their code. This is one of those situations where a design flaw matters.
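The two failures in the story, no check on the file size and no check on the picture size, are both cheap to do before a decoder ever sees the file. What follows is an added example, not code from the print system in the story (whose software is unknown) or from any vendor: it reads only the JPEG marker headers to get the frame dimensions, applies a file-size, per-side and total-pixel limit (the limit values are assumptions chosen for illustration) and refuses the file before any pixel data is touched. The `make_jpeg_header` helper builds a constructed header-only test input, not a real photo.

```python
"""Pre-validate a JPEG before handing it to an image decoder.

Added example; not code from the print-shop system in the story (whose
software is unknown) or from any vendor.  The limits are assumptions
chosen for illustration; a real kiosk would take them from the printer's
documented capabilities.
"""
import struct

MAX_FILE_BYTES = 6 * 1024 * 1024   # assumed limit: 6 MiB on disk
MAX_PIXELS = 12_000_000            # assumed limit: 12 megapixels decoded
MAX_DIMENSION = 8192               # assumed limit: pixels per side

# Start-of-frame markers that carry height/width for baseline, extended
# sequential and progressive JPEGs.
SOF_MARKERS = {0xC0, 0xC1, 0xC2}
# Markers with no length field: SOI, EOI, TEM, RST0..RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def jpeg_dimensions(data: bytes) -> tuple:
    """Return (height, width) from the SOF header, touching only marker
    segments; no pixel data is decoded.  Raises ValueError on anything
    that is not a well-formed marker stream."""
    if len(data) < 4 or data[0:2] != b"\xff\xd8":
        raise ValueError("missing JPEG SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # 0xFF fill byte, keep scanning
            pos += 1
            continue
        pos += 2
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        if seg_len < 2 or pos + seg_len > len(data):
            raise ValueError("segment length runs past end of file")
        if marker in SOF_MARKERS:
            if seg_len < 7:
                raise ValueError("SOF segment too short")
            _precision, height, width = struct.unpack(">BHH", data[pos + 2:pos + 7])
            return height, width
        if marker == 0xDA:          # SOS: scan data follows, SOF must come first
            break
        pos += seg_len
    raise ValueError("no SOF marker before scan data")


def check_image(data: bytes) -> tuple:
    """Return (accepted, reason).  Cheapest check first, parsing second."""
    if len(data) > MAX_FILE_BYTES:
        return False, f"file is {len(data)} bytes, limit {MAX_FILE_BYTES}"
    try:
        height, width = jpeg_dimensions(data)
    except ValueError as exc:
        return False, f"not a usable JPEG: {exc}"
    if height == 0 or width == 0:
        return False, "zero-sized frame"
    if height > MAX_DIMENSION or width > MAX_DIMENSION:
        return False, f"{width}x{height} exceeds per-side limit {MAX_DIMENSION}"
    if height * width > MAX_PIXELS:
        return False, f"{width}x{height} is {height * width} pixels, limit {MAX_PIXELS}"
    return True, f"{width}x{height} OK"


def make_jpeg_header(width: int, height: int) -> bytes:
    """Constructed test input: SOI + APP0 + SOF0 only, no scan data.
    Enough for the validator; it is not a displayable image."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = struct.pack(">BHHB", 8, height, width, 3) + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xc0" + struct.pack(">H", len(sof0) + 2) + sof0)


if __name__ == "__main__":
    # 8 MP (one camera frame) passes; a 16 MP composition like the one in
    # the story is refused up front instead of wedging the application.
    for w, h in ((3264, 2448), (6528, 2448)):
        print(w, h, check_image(make_jpeg_header(w, h)))
    print("junk", check_image(b"GIF89a"))
```

The validator never decodes pixels, so a malformed or oversized file costs a few hundred bytes of header parsing at most; whatever the real limit of the printer is, it belongs in front of the decoder, not in a hang after it. It is only half of the fix: the decoder should also run in a least-privilege account, which is the other thing the kiosk in the story got wrong.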

Google has pissed me off this week!

Now I pretty much liked GMail and Google in general. But this time they REALLY pissed me off! I will tell you that I am not a google-hater even if I work for a competing company. Of course not everything that Google does is wonderful, but some of their services are really cool and useful and I have never refused to say they rocked when I felt they did.
In general, people seem to love them, and their stock value shows it (with the launch of "Code Search" this week they made a lot of people scream "how cool is this" so that they got back from just under 400 dollars to 417!). But that's not the issue. That is cool, that works. It's ok they make money if they make cool tools. It's fine for me.

In fact I consider GMail as being one of the best interfaces for reading mail that exist out there – I love "tagging" (oops: it's called "labelling" in their syntax), the speed of search through messages (even though Outlook 2007 is faster on indexed content, but still you have to buy it and install it on your PC)… I also especially love the way it shows THREADING… so that I moved pretty much EVERY mailing list I read to their account:

Ma come se fa? ("But how do you do that?")
(ok, they could do better with the localized version of "Re:" in replies…. in Italian a lot of broken MUAs translate that into "R:" and that isn't understood by GMail and will make it think it is another thread…. but that's a minor issue, and also one that every MUA handling threading has – including "mutt" – the real problem is the broken MUAs sending the "R:" in the first place. But I digress too much….).

I also keep GMail continuously open in a browser during the day because a lot of informative mail and that sent by friends goes there. This is to say that I do get a lot of their ads (that is – the point of having such an application, for them…). On the contrary, Windows Live Mail reduced its ads to show only one… so as not to annoy you too much.
But the ads in GMail were not *really* a problem (I don't read them anyway, I just plain IGNORE THEM).

But this week they REALLY pissed me off. They REALLY have. And here is the reason:
I have been using a script for MONTHS to backup my database (the one powering THIS blog) and send it "off-site" to my GMail mailbox. Pretty much something like a lot of other people do, described in various articles and blog posts. Then I was labelling them with a rule, so that I could access my backups easily in case I needed them.

Now I don't know if this violates their terms of use in any way… because I am not really using it as storage with those programs that circulated at one stage that had "reverse engineered" it. Those were bypassing the web interface altogether so people did use it as storage with a program without having to see their ads. That was the issue, I think. In my case, I am just sending MAILS to myself. One per day. I also delete the old ones every now and then, and they are not even huge in size (attachments of 40 to 50KB so far!!)… anyway, I know a lot of people that store documents and all sorts of stuff even in their corporate mailboxes in Outlook (then maybe index them with Windows Desktop Search or Google Desktop to find them back)… I was only doing the same with GMail. I don't see the big issue here….. they might think otherwise…. but from what happens I don't think that's the issue.

Anyway, now it's been three or four days that my backup mail gets rejected. My SMTP Server gets told:

host[] said:
550-5.7.1 Our system has detected an unusual amount of unsolicited
550-5.7.1 mail originating from your IP address. To protect our
550-5.7.1 users from spam, mail sent from your IP address has been
550-5.7.1 rejected. Please visit
550-5.7.1 to review
550 5.7.1 our Bulk Email Senders Guidelines.

Now for fuck's sake. You know how much I hate SPAMMERS and what I would like to do with them. But I also know that it does happen to end up in RBLs and such sometimes. Fine. But GIVE ME a way to tell you that I am NOT one! If you go to the link above, all you find is a form where you can specify that mail that ended up in your "junk" folder actually wasn't spam. Yeah, right. In my case it does not even go into my "junk" folder! How am I supposed to give them the original header that arrived at THEM if I only have the one sent by my mailserver? They just blacklisted my mail server's IP Address! As they say, I even have an SPF record, I always use the same address, etc….
So I tried to fill in the form, the day after I also tried to contact their and addresses.
Still nothing.
They even tell you (in the automated reply when you contact "abuse"):
"[…] For privacy and security reasons, we may not reveal the final outcome of an abuse case to the person who reported it. […]".
How great. How am I supposed to know if they even READ my complaint ?

You anti-spam people at GMail: "I am NOT a fucking spammer!!!!!". I haven't found a better way to tell ya this, you know, than writing it on my blog… this is just RIDICULOUS!

But to date my mails still get dropped. I'll probably have to send my backups somewhere else. At this point they pissed me off so much that I am also seriously considering getting back to use my own mailserver also for receiving and reading my mailing lists. Then I won't get ads there.
(I hope you have some dutch guy on board at Google, as "Google Translate" does not translate from/to dutch yet…. )

Edited on October 8th – While GMail REJECTS those mails (it SAYS it is not accepting them), Hotmail simply DROPS them (that is: it does not even SAY it is not accepting them):

to=,[], delay=3, status=sent (250 <> Queued mail for delivery)

This way you THINK it is going to be delivered, but it NEVER shows up in your inbox. I don't know who's behaving the worst…
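The difference between the two replies is exactly what a backup job can and cannot learn from its own mail log: a 550 with enhanced status code 5.7.1 is a permanent rejection the job can alert on, while a 250 "Queued mail for delivery" only proves the relay accepted the message, not that it reached the mailbox. The following is an added example, not the author's backup script (the post does not show it): it classifies constructed Postfix-style delivery records modelled on the two replies above (hostnames, addresses and queue IDs are invented) and counts a backup as off-site only when the relay accepted it AND the run's token is later seen in the destination mailbox. The `mailbox_subjects` list stands in for an IMAP search result, an assumption made so the example runs offline.

```python
"""Classify off-site backup mail deliveries from MTA log lines.

Added example; not the author's backup script (the post does not show it).
The sample records are constructed in Postfix style to mirror the two
replies quoted above; hostnames, addresses and queue IDs are invented.
"""
import re

# Postfix-style delivery record: recipient, relay, status keyword, reply.
LOG_RE = re.compile(
    r"to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+), .*?"
    r"status=(?P<status>\w+) \((?P<reply>.*)\)$"
)
# First 3-digit SMTP reply code in the reply text, optionally followed by
# an RFC 3463 enhanced status code such as 5.7.1.
REPLY_RE = re.compile(
    r"(?<![\d.])(?P<code>[2-5]\d\d)[ -](?:(?P<esc>[245]\.\d{1,3}\.\d{1,3}))?"
)


def classify(line: str) -> dict:
    """Map one log line to a verdict: accepted, deferred, rejected or unknown."""
    m = LOG_RE.search(line)
    if not m:
        return {"verdict": "unparsed", "line": line}
    r = REPLY_RE.search(m.group("reply"))
    code = r.group("code") if r else None
    esc = r.group("esc") if r else None
    if m.group("status") == "sent" and code and code[0] == "2":
        # The relay took the message.  That is all this log can tell us: a
        # silent drop after acceptance produces exactly the same record.
        verdict = "accepted"
    elif code and code[0] == "5":
        verdict = "rejected"     # permanent: alert, do not retry blindly
    elif code and code[0] == "4":
        verdict = "deferred"     # temporary: the MTA will retry
    else:
        verdict = "unknown"
    return {"rcpt": m.group("rcpt"), "relay": m.group("relay"),
            "status": m.group("status"), "code": code, "esc": esc,
            "verdict": verdict}


def backup_delivered(line: str, run_token: str, mailbox_subjects) -> bool:
    """A backup run counts as off-site only if the relay accepted the mail
    AND a message carrying this run's token is visible in the destination
    mailbox.  `mailbox_subjects` stands in for an IMAP search result
    (assumption, so the example runs offline)."""
    if classify(line)["verdict"] != "accepted":
        return False
    return any(run_token in subject for subject in mailbox_subjects)


# Constructed sample records (not real log data).
GMAIL_BOUNCE = (
    "Oct  5 03:00:02 blog postfix/smtp[4242]: 1A2B3C4D5E: "
    "to=<backup@gmail.example>, relay=gmail-smtp-in.example[192.0.2.10]:25, "
    "delay=1.2, status=bounced (host gmail-smtp-in.example[192.0.2.10] said: "
    "550-5.7.1 Our system has detected an unusual amount of unsolicited "
    "550 5.7.1 mail originating from your IP address "
    "(in reply to end of DATA command))"
)
HOTMAIL_QUEUED = (
    "Oct  8 03:00:03 blog postfix/smtp[4243]: 5F6A7B8C9D: "
    "to=<backup@hotmail.example>, relay=mx.hotmail.example[192.0.2.20]:25, "
    "delay=3, status=sent (250 <20081008030003.run-20081008@blog.example> "
    "Queued mail for delivery)"
)

if __name__ == "__main__":
    for rec in (GMAIL_BOUNCE, HOTMAIL_QUEUED):
        c = classify(rec)
        print(c["relay"], c["status"], c["code"], c["esc"], "->", c["verdict"])
    # "sent" alone is not enough: the token has to show up at the far end.
    print(backup_delivered(HOTMAIL_QUEUED, "run-20081008", ["db backup run-20081007"]))
    print(backup_delivered(HOTMAIL_QUEUED, "run-20081008", ["db backup run-20081008"]))
```

The practical consequence for an off-site backup sent by mail is that "status=sent" must never be the success condition of the job; a per-run token in the subject, searched for at the receiving end after a delay, is the cheapest way to turn a silent drop into a visible failure.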

Dare's New Year Resolutions (my open letter about those)

Dare Obasanjo writes his proposition for this year that just began.

I don't personally know you, Dare, but I am a voracious reader of your blog, and I respect and esteem you a lot… so I thought I'd comment on some of your thoughts here (hope you don't mind, and I hope the trackback works :-)). I'll do it because your writings often make me think, because I do have similar thoughts, because I feel like writing some more than a comment this time.

1) […] learn a new programming language: […]

Sure, why not ?
IronPython interests me too. Of course Python is widely used, a port to .Net is interesting… but we need to see where it will end up in practice…
This kind of port is always a bit whacky, IMHO… I read in the release notes: "[…] Most of the standard Python library is not currently implemented, so it is unlikely that many existing Python scripts will run successfully under this release of IronPython 1.0 Beta […]"
Right, I mean… these cross-platform ports of stuff are always disappointing in one way or another…. to me, at least.
I was also excited about MONO so I could run my C# (and ASP.Net) stuff on Linux for example… and yeah what they have done IS impressive, as some stuff simply works out of the box (I've got the small standalone application I described on my other blog (the risky one) compiled on Windows, then copied it and I'm running that off my linux server, for example, without much trouble… ) but you always need to be very careful about what references you use in your projects as not everything is implemented and will actually work…
Also, setting up mod_mono on Apache has been a pain and even once it is set up it is nowhere near as flexible as using Visual Studio with IIS6….
So this kind of cross-porting is definitely INTERESTING, often in an academic sense, but we'll see what happens about real usage (and usability) of these solutions….

If you want something really different, though, I would suggest taking a look at Ruby / Rails. It might piss off some more people (see resolution #4), so be warned… 😛

2) […]Write More Articles: […]
[…] Looking back on various articles I've written it's clear that since joining MSN and getting a new girlfriend my output has reduced. I only wrote two articles last year compared to a minimum of five or six in previous years. […]

Sure, since I got into Microsoft I have had the same. It's not Microsoft's fault, but I've got a couple of ideas about a number of reasons why this happens:

  1. Some stuff you do is confidential, so you simply can't talk about it (even though some people on the very seem to be writing about those anyway all the time: "not yet published KB articles", for example, IS confidential information last time I checked…. I might be wrong on this one, and I won't link to anyone nor say names to protect the innocents 😉 But I've noticed this behaviour several times…)
  2. Some other stuff would only be your opinion, but working at Microsoft your opinion can be misinterpreted/misquoted/used against you and the company.. so troubles also there. In fact, I was free to just get an idea and blog about it without getting all troubled about who reads that and what would they think about that, and… whatever including what I am saying in this very list. Examples: I was interviewing people in the security community, writing about open source things… all stuff I now think twice before doing. Sometimes even thinking twice is not enough, and I should think three times…
  3. Sometimes there might be unwritten rules about WHO has got the authority to blog/write about some topic so people tend to shut up in that case too. But they might be right, when there's people with authority let them speak…
  4. Some other times you solved a problem but feel it is just not interesting enough, and that it more or less IS already documented (this happens in my case, not sure about you). When the documentation IS out there, that is a very good point. In fact, many times I find a lot more stuff on the public web by using Google or MSN Search on rather than by searching on the internal KB. This is actually very good of Microsoft, and there are A LOT of resources out there in the open with pretty much everything you need to know to solve your problems… in general, our documentation rocks, so why bother solving (and writing about) obscure problems? Some colleague has already done it most of the time!
    Of course this is not always the case, and sometimes stuff are not documented, and in the latter case… well, you can usually go back to #1 in this list…. (I've got specific examples here, but they are confidential…)
  5. The TIME element is an interesting thing: at Microsoft I work more than I did in other places. This does not mean Microsoft makes me work too much. I actually enjoy being busy, and my idea about this is that you work more in general when on the vendor side of the IT market. I was working a lot in my previous jobs, then I have been less busy when I passed to the "customer" side or fence for a couple of years, and I was actually getting a little bored, and that's part of why I changed. Being on the vendor side (especially in Services) you are supposed to be the expert and face the customers everyday…. so you need to study more, be prepared.
    Also, I am very busy with my family lately (you might be with your girlfriend just as much, since you mention her :-)). This issue is of course personal, but since I moved back to my own country I need to do a lot more outside of work too, to help out my wife while she learns the language…

Some of the above reasons (those related to your work at least) might explain why you decided to move your blog to a private domain from
I have had a private blog (this one) way before even joining Microsoft. Then when I got in, I got the idea that a corporate one would be cool… but then with it comes a big responsibility as you are under a "flagship" site, really. Sure, everybody knows who you are anyway, but it is less… you get what I mean. In fact I feel better writing "at home" (but that would be better said in the "resolution number 4", below…).
Of course some other reasons might be the case for you, I don't know.

3) […] Come Up With New Career Goals:[…]
[…]When I was in school, my dream was to become a well-known technology guru like Don Box or Scott Meyers then get paid consulting gigs to be the hero that comes in to fix peoples problems and tell them how to build their software. Since then, I've seen a lot of the people who I once idolized end up working in the b0rg cube. In conversations with Don Box, he's mentioned that the life isn't as glamorous as I assumed.[…]"

You know, he's probably right… 🙁

"[…] It's going to be time for my mid-year review and discussion with my boss in a couple of weeks. I hope I have a clearer idea where I want to go by then […]"

That is an issue, I never know what to say in those reviews anyway… I should work on that too… 🙁

4) […] Piss of Less People with my Writing: […]
[…]Whatever. I've already gotten two angry emails from different folks at work about stuff I've written online and it isn't even the first week of the year. Maybe next year. 😉 […]

Welcome to the club 🙂

Oh well, look at the comments you received on your blog about it 🙂 That should bring your morale up a bit….
That's happening to everybody, especially when you don't conform to just repeating their pre-made speeches and just use your mind and speak out your own ideas.
See the examples I mentioned about refraining from writing some stuff at point #2…

Or in general what does happen might be due to the company that you feel like being a Dinosaur (a question: did Office Marketing campaign influence you, per chance ?) ?

Leaving jokes aside now, though, for what I can see so far, Microsoft luckily is open enough and DOES let you say this stuff enough, doesn't it ?….
…sure, every time I post something like this on the web (or on a public mailing list, or lately even internally) I've got that thrill that says to me: "holy shit, I am going to get fired this time…". But then it has not happened yet (maybe I haven't pissed them off ENOUGH yet?).
Let's hope they don't really get worried by people's opinion but the look at a couple of more practical/humane things, like:
1) he's doing his job all right, customers ARE happy (in my case);
2) he's got a family to feed… 😐


The death of the DMZ – italian translation

I have published an italian translation of Steve Riley's speech "the death of the DMZ" (original on

Since I had enjoyed the speech very much when I first listened to it, and I found myself in complete agreement with it, I started emailing the link above to some friends to notify them of its existence. Unfortunately Italians are not famous for speaking and understanding English very well… so I found out that many of them could not be bothered to listen to an entire speech in English without having slides next to it… so they were asking me to "explain it".

Thus, I decided to write it down and translate it for those fellow (illiterate?) nationals. I have asked Steve for permission to publish it, and since he agreed, you can now read it here:

Attack Surface

Michael Howard (author of "Writing Secure Code") has released an article in MSDN Magazine titled:
"Attack Surface – Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users".
It is definitely a good read, urging developers to adopt a coding strategy that minimizes the risks.

You can find his announcement of the article on his blog, with a link to the article itself.