Archive for April, 2009
One of the biggest criticisms I’ve seen of the MCM program, even when it first was announced, was the cost – at a list price of $18,500 for the actual MCM program, discounting the travel, lodging, food, and opportunity cost of lost revenue, a lot of people are firmly convinced that the program is way too expensive for anybody but the bigger shops.
This discussion has of course gone back and forth within the Exchange community. I think part of the pushback comes from the fact that MCM is the next evolution of the Exchange Ranger program, which felt very elitist and exclusive (and by many accounts was originally designed to be, back when it was only a Microsoft-only evolution designed to provide a higher degree of training for Microsoft consultants and engineers to better resolve their own customer issues). Starting off with that kind of background leaves a lot of lingering impressions, and the Exchange community has long memories. Paul has a great discussion of his point of view as a new MCM instructor and shares his take on the “is it worth it?” question.
Another reason for pushback is the economy. The typical argument is, “I can’t afford to take this time right now.” Let’s take a ballpark figure here, aimed at the coming May 4 rotation, just to have some idea of the kinds of numbers folks are thinking about:
- Imagine a consultant working a 40-hour week. Her bosses would like her to meet 90% (36 hours) billable. Given two weeks of vacation a year, that’s 50 weeks at 36 hours a week.
- We’ll also imagine that she’s able to bill out at $100/hour. This brings her minimum annual revenue to $180,000. They set her opportunity cost (lost revenue) at $3,600/week.
- We’ll assume she has the pre-requisites nailed (MCITP Enterprise Messaging, the additional AD exam for either Windows 2003 or Windows 2008, and the field experience). No extra cost there (otherwise it’s $150/test, or $600 total).
- Let’s say her plane tickets are $700 for round-trip to Redmond and back.
- And we’ll say that she needs to stay at a hotel, checking in Sunday May 3rd, checking out Sunday May 24th, at a daily rate of $200.
- Let’s also assume she’ll need $75 a day for meals.
That works out to $18,500 (class fee) + $700 (plane) + 21 x $275 (hotel + meals) + 3 x $3,600 (opportunity cost of work she won’t be doing) — $18,500 + $700 + $5,775 + $10,800 = a whopping total of $35,775. That, many people argue, is far too much for what they get out of the course – it represents just over 10 weeks of her regular revenue, or approximately 1/5th of her year’s revenue.
If those numbers were the final answer, they’d be right.
However, Paul has some great talking points in his post; although he focuses on the non-economic piece, I’d like to tie some of those back in to hard numbers.
- The level of training. I don’t care how well you know Exchange. You will walk out of this class knowing a lot more and you will be immediately able to take advantage of that knowledge to the betterment of your customers. Plus, you will have ongoing access to some of the best Exchange people in the world. I don’t know a single consultant out there who can work on a problem that is stumping them for hours or days and be able to consistently bill every single hour they spend showing no results. Most of us end up eating time, which shows up in the bottom line. For the sake of argument, let’s say that our consultant ends up spending 30% instead of 10% of her time working on issues that she can’t directly bill for because of things like this. That drops her opportunity cost from $3,600/week to $2,520, or $7,560 for the three weeks (and it means she’s only got an annual revenue of $126,000). If she can reduce that non-billable time, she can increase her efficiency and get more real billable work done in the same calendar period. We’ll say she can gain back 10% of that lost time and get up to only 20% lost time, or 32 hours a week.
- The demonstration of competence. This is a huge competitive advantage for two reasons. First, it helps you land work you may not have been able to land before. This is great for keeping your pipeline full – always a major challenge in a rough economy. Second, it allows you to raise your billing rates. Okay, true, maybe you can’t raise your billing rates for all the work that you do for all of your customers, but even some work at a higher rate directly translates to your pocket book. Let’s say she can bill 25% of those 32 hours at $150/hour. That turns her week’s take into (8 x $150) + (24 x $100) = $1,200 + $2,400 = $3,600. That modest gain in billing rates right there compensates for the extra 10% loss of billing hours and pays for itself every 3-4 weeks.
Let’s take another look at those overall numbers again. This time, let’s change our ballpark with numbers more closely matching the reality of the students at the classes:
- There’s a 30% discount on the class, so she pays only $12,950 (not $18,500).
- We’ll keep the $700 for plane tickets.
- From above, we know that her real lost opportunity cost is more like $7,560 (3 x $2,520 and not the $10,800 worst case).
- She can get shared apartment housing with other students right close to campus for more like $67 a night (three bedrooms).
- Food expenses are more typically averaged out to $40 per day. You can, of course, break the bank on this during the weekends, but during the days you don’t really have time.
This puts the cost of her rotation at $12,950 + $700 + (21 x $107) + $7,560, or $23,457. That’s only 66% – two-thirds – of the worst-case cost we came up with above. With her adjusted annual revenue of $126,000, this is only 19%, or just less than 1/5th of her annual revenue.
And it doesn’t stop there. Armed with the data points I gave above, let’s see how this works out for the future and when the benefits from the rotation pay back.
Over the year, our hypothetical consultant, working only a 40-hour work week (I know, you can stop laughing at me now) brings in 50 x $2,520 = $126,000. The MCM rotation represents 19% of her revenue for the year before costs.
However, let’s figure out earning potential in that same year: (47 x $3,600) – ($13,650 + $700 + $2,247) = $152,603. That’s a 20% increase.
Will these numbers make sense for everyone? No, and I’m not trying to argue that they do. What I am trying to point out, though, is that the business justification for going to the rotation may actually make sense once you sit down and work out the numbers. Think about your current projects and how changes to hours and billing rates may improve your bottom line. Think about work you haven’t gotten or been unwilling to pursue because you or the customer felt it was out of your league. Take some time to play with the numbers and see if this makes sense for you.
If it does, or if you have any further questions, let me know.
1 Comment »
Posted by Devin in 3Sharp, OCS
One of the cool things you can do with OCS is connect your internal organization to various public IM clouds (MSN/Windows Live, Yahoo!, and AOL) using the Public Internet Connectivity, or PIC, feature. As you might imagine, though, PIC involves lots of fiddly bits that all have to work just right in order for there to be a seamless user experience. Recently, lots of people deploying OCS 2007 R2 have been reporting problems with PIC – specifically, in getting connectivity to the AOL IM cloud working properly.
Background
It turns out that the problem has to do with changes made to the default SSL algorithm negotiation in Windows Server 2008. If you deployed OCS 2007 R2 Edge roles on Windows Server 2003, you’d be fine; if you used Windows 2008, you’d see problems.
When an HTTP client and server connect (and most IM protocols use HTTPS or HTTP + TLS as a firewall-friendly transport[1]), one of the first things they do is negotiate the specific suite of cryptographic algorithms that will be used for that session. The cipher suite includes three components:
- Key exchange method – this is the algorithm that defines the way that the two endpoints will agree upon a shared symmetric key for the session. This session key will later be used to encrypt the contents of the session, so it’s important for it to be secure. This key should never be passed in cleartext – and since the session isn’t encrypted yet, there has to be some mechanism to do it. Some of the potential methods allow digital signatures, providing an extra level of confidence against a man-in-the-middle attack. There are two main choices: RSA public-private certificates and Diffie-Hellman keyless exchanges (useful when there’s no prior communication or shared set of trusted certificates between the endpoints).
- Session cipher – this is the cipher that will be used to encrypt all of the session data. A symmetric cipher is faster to process for both ends and reduces CPU overhead, but is more vulnerable in principle to discovery and attack (as both sides have to have the same key and therefore have to exchange it over the wire). The next choice is between a streaming cipher and a cipher block chaining (CBC) cipher. For streaming, you have RC4 (40 and 128-bit variants). For CBC, you can choose RC2 (40-bit), DES (40-bit or 56-bit), 3DES (168-bit), IDEA (128-bit), or Fortezza (96-bit). You can also choose none, but that’s not terribly secure.
- Message digest algorithm – the message digest is a hash cipher used to create the Hashed Message Authentication Code (HMAC), which is used to help verify the integrity of the cipher. It’s also used to guard against an attacker trying to replay this stream in the future and fool the server into giving up information it shouldn’t. In SSL 3.0, this is just a MAC. There are three choices: null (none), MD5 (128-bit), and SHA-1 (160-bit).
Problem
Windows Server 2003 uses the following suites for TLS 1.0/SSL 3.0 connections by default:
- TLS_RSA_WITH_RC4_128_MD5 (RSA certificate key exchange, RC4 streaming session cipher with 128-bit key, and 128-bit MD5 HMAC; a safe, legacy choice of protocols, although definitely aging in today’s environment)
- TLS_RSA_WITH_RC4_128_SHA (RSA certificate key exchange, RC4 streaming session cipher with 128-bit key, and 160-bit SHA-1 HMAC; a bit stronger than the above, thanks to SHA-1 being not quite as brittle as MD5 yet)
- TLS_RSA_WITH_3DES_EDE_CBC_SHA (you can work out the rest)
- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_DES_CBC_SHA
- TLS_DHE_DSS_WITH_DES_CBC_SHA
- TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
- TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
- TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
- TLS_RSA_EXPORT_WITH_RC4_40_MD5
- TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
- TLS_RSA_WITH_NULL_MD5
- TLS_RSA_WITH_NULL_SHA
Let’s contrast that with Windows Server 2008, which cleans out some cruft but adds support for quite a few new algorithms (new suites bolded):
- TLS_RSA_WITH_AES_128_CBC_SHA (Using AES 128-bit as a CBC session cipher)
- TLS_RSA_WITH_AES_256_CBC_SHA (Using AES 256-bit as a CBC session cipher)
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 (AES 128-bit, SHA 256-bit)
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 (AES 128-bit, SHA 384-bit)
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521 (AES 128-bit, SHA 521-bit)
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 (AES 256-bit, SHA 256-bit)
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 (AES 256-bit, SHA 384-bit)
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521 (AES 256-bit, SHA 521-bit)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 (you can work out the rest)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_RC4_128_MD5
- SSL_CK_RC4_128_WITH_MD5 (not sure)
- SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (not sure)
- TLS_RSA_WITH_NULL_MD5
- TLS_RSA_WITH_NULL_SHA
Okay, so take a look at line 20 in the second list – see how TLS_RSA_WITH_RC4_128_MD5 got moved from first to darned near worst? Yeah, well, that’s because AES and SHA-1 are the strongest protocols of their type likely to be commonly supported, so Windows 2008 moves those to the default offered. Unfortunately, this causes problems with PIC to AOL.
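The reordering described above, worked through as an added example (not code from the original post or from Microsoft): it splits each suite name from the two lists into key exchange, session cipher and digest, and reports where every shared suite sits in the 2003 and 2008 defaults. `HYPOTHETICAL_PEER` and the first-mutual-match model in `negotiate` are assumptions for illustration, not AOL's actual configuration.

```python
import re

# Default suite orders exactly as listed on this page.
WS2003 = [
    "TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA", "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA", "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "TLS_RSA_WITH_NULL_MD5",
    "TLS_RSA_WITH_NULL_SHA",
]
WS2008 = (
    ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
     "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
    + [f"TLS_ECDHE_{sig}_WITH_AES_{bits}_CBC_SHA_{curve}"
       for sig in ("ECDSA", "RSA") for bits in (128, 256)
       for curve in ("P256", "P384", "P521")]
    + ["TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
       "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_RC4_128_MD5",
       "SSL_CK_RC4_128_WITH_MD5", "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
       "TLS_RSA_WITH_NULL_MD5", "TLS_RSA_WITH_NULL_SHA"]
)


def parse_suite(name):
    """Split a suite name into key exchange, session cipher and digest."""
    if name.startswith("SSL_CK_"):
        # SSL 2.0-style name: cipher and digest only, no key-exchange field.
        cipher, mac = name[len("SSL_CK_"):].split("_WITH_")
        return {"kx": None, "cipher": cipher, "mac": mac, "curve": None}
    m = re.fullmatch(r"TLS_(.+?)_WITH_(.+)", name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    kx, rest = m.groups()
    curve = None
    # Trailing _P256/_P384/_P521 on the 2008 ECDHE names (the elliptic curve).
    cm = re.search(r"_(P\d+)$", rest)
    if cm:
        curve, rest = cm.group(1), rest[:cm.start()]
    cipher, mac = rest.rsplit("_", 1)
    return {"kx": kx, "cipher": cipher, "mac": mac, "curve": curve}


def rank_changes(old, new):
    """1-based (old_position, new_position) for suites present in both lists."""
    return {s: (old.index(s) + 1, new.index(s) + 1) for s in old if s in new}


def negotiate(preference, peer_supported):
    """Simplified model: first suite in `preference` the peer also supports."""
    peer = set(peer_supported)
    return next((s for s in preference if s in peer), None)


# Constructed peer for illustration only; not AOL's actual configuration.
HYPOTHETICAL_PEER = ["TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA",
                     "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

if __name__ == "__main__":
    for suite, (a, b) in rank_changes(WS2003, WS2008).items():
        print(f"{suite:36} 2003 #{a:<2} -> 2008 #{b}")
    print("removed in 2008:", [s for s in WS2003 if s not in WS2008])
    for label, prefs in (("2003", WS2003), ("2008", WS2008)):
        chosen = negotiate(prefs, HYPOTHETICAL_PEER)
        print(label, "->", chosen, parse_suite(chosen))
```

Running it prints the position of each suite common to both defaults, the suites Windows Server 2008 no longer offers, and the suite each default would settle on with the constructed peer.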
Solution
Now that we know what the problem is, what can we do about it? For the fix, check out Scott Oseychik’s post here.
[1] HTTPS is really Hop Through Tightened Perimeters Simply – aka the Universal Firewall Traversal Protocol.
No Comments »
Iowa’s Supreme Court handed out a fairly shocking unanimous decision this morning striking down the definition of marriage as “one man, one woman”, upholding a 2007 Polk County ruling.
If you follow along my blog, you probably already know that I think this is a good thing, so I won’t comment extensively on it here. However, there’s one section in the article I linked to above that just reeks of so much stupidity that I have to respond:
Maggie Gallagher, president of the National Organization for Marriage, a New Jersey group, said “once again, the most undemocratic branch of government is being used to advance an agenda the majority of Americans reject.”
“Marriage means a husband and wife. That’s not discrimination, that’s common sense,” she said in a press release. “Even in states like Vermont, where they are pushing this issue through legislatures, gay marriage advocates are totally unwilling to let the people decide these issues directly.”
Really? Ms. Gallagher, did you really just stoop to the “30 billion flies eat shit” argument to justify your position? You lose.
Okay, to unpack that for anyone who didn’t follow that train of thought:
Ms. Gallagher is relying on the tactic of telling people “the government is ignoring your opinion.” By telling people this, she’s playing on a fundamental ignorance of the design and intent of the American government system, which is the tired old myth that America = democracy = the will of the people = only tolerating Christian values. Let’s see what our founding fathers had to say about that:
It is, that in a democracy, the people meet and exercise the government in person; in a republic, they assemble and administer it by their representatives and agents. A democracy, consequently, will be confined to a small spot. A republic may be extended over a large region.
Federalist No. 14
Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote!
Benjamin Franklin
Remember, democracy never lasts long. It soon wastes, exhausts, and murders itself.
John Adams
It cannot be emphasized too strongly or too often that this great nation was founded, not by religionists, but by Christians; not on religions, but on the Gospel of Jesus Christ. For this very reason peoples of other faiths have been afforded asylum, prosperity, and freedom of worship here.
Patrick Henry
I know no safe depository of the ultimate powers of the society but the people themselves, (A)nd if we think them not enlightened enough to exercise their control with a wholesome discretion, the remedy is not to take it from them, but to inform their discretion by education. This is the true corrective of abuses of constitutional power.
Thomas Jefferson
I have always thought that all men should be free; but if any should be slaves, it should first be those who desire it for themselves, and secondly those who desire it for others. Whenever I hear anyone arguing for slavery, I feel a strong impulse to see it tried on them personally.
Abraham Lincoln
I could go on all day and find tons of quotes, but the key threads that I’m weaving here are these:
America is not and was never intended to be a pure democracy. Remember the phrase “the tyranny of the majority”? Basically, it’s great to be in a democracy if you’re part of the 51%. Not so much to be in the 49%. Our democratic functions are not set up to allow citizens to directly decide upon laws and legislation and the handling of day-to-day governance; they are set up to elect responsible leaders who do that for us, and to give us mechanisms to take those leaders out of the picture when they fail to discharge their responsibilities. That’s the “democratic republic.” Remember the Pledge of Allegiance? “I pledge allegiance to the flag of the United States of America and to the Republic for which it stands…”
By electing responsible leaders (including legislators and judges), we are in fact giving those leaders the mandate to act in the fashion they see as best. If we don’t like what they do with that mandate, then we’d better pay attention and give them feedback. You can’t leave the people out of the equation, but you can’t directly hand them the keys to the kingdom, either. That’s why we have checks and balances, including the judicial branch of government. It is their job to say, “No, these laws are causing harm and cannot be used, even though they are popularly supported.” The exercise of democracy should never come at the expense of depriving others of their liberties. How long did popular opinion support and uphold slavery, and how much damage did that do to our country (and continue to do today)? How long was racism enshrined in our laws? Sexism? If you’re counting upon the will of the people to make the correct choice every time, you’ve got a pretty grim track record of results.
America was designed to be a refuge for all religious belief systems, not just a narrow stripe of fundamentalist Christianity. This includes religious systems that directly challenge basic beliefs of Christianity. It was never designed to be a system that promoted Christianity over all others, even though the majority of founders were Christians, espoused Christian ideals, and wanted to see this country continue to be based on a set of morals not completely incompatible with Christianity. When push came to shove, most of the founders espoused liberty and freedom *over* Christian principles as a guiding principle for the government. They reasoned, correctly, that Christianity could flourish in an environment where liberty was pursued, but the reverse was not true (as had been graphically demonstrated). That is, the proper place for Christian values is on the individual level and in our relationships with others, not hard-wiring our specific interpretations into our functions of government. Religion + bureaucracy + power = corruption of values and lessening of liberty.
Let me leave you with this final challenge if you’re still thinking that it’s your religious duty to enshrine your notion of marriage into the laws of our nation:
Show me a comprehensive case in Scripture for collective Christian political activism. Remember the specific accusations the Pharisees made against Jesus to Pontius Pilate and his answers to Pilate in return. Remember his response to the commercialism in the Temple, how his fiercest criticisms were reserved for those who used religion to gain and maintain power. And then take a look at the agenda and funding of groups like National Organization for Marriage and Focus on the Family who are leading this fight to preserve marriage (whatever that really means) and tell me how they’re not gaining power and money from their collective activism.
2 Comments »
If you’re tempted to think this is an April Fool’s Day joke, no worries – this is the real deal. Yesterday, Microsoft published the Exchange 2007-aware version of Exchange Server User Monitor (ExMon) for download.
“ExMon?” you ask. “What’s that?” I’m happy to explain!
ExMon is a tool that gives you a real-time look inside your Exchange servers to help find out what kind of impact your MAPI clients are having on the system. That’s right – it’s a way to monitor MAPI connections. (Sorry; it doesn’t monitor WebDAV, POP3, IMAP, SMTP, OWA, EAS, or EWS.) With this release, you can now monitor the following versions of Exchange:
- Exchange Server 2007 SP1+
- Exchange Server 2003 SP1+
- Exchange 2000 Server SP2+
You can find out more about it from TechNet.
Even though the release date isn’t a celebration of April 1st, there is currently a bit of an unintentional joke, as shown by the current screenshot:

Note that while the Date Published is March 31, the Version is only 06.05.7543 – which is the Exchange 2003 version published in 2005, as shown below:

So, for now, hold off trying to download and use it. I’ll update this post when the error is fixed.
1 Comment »
Nine months ago I stepped outside of my comfort zone and started a month of karate at the local YMCA. I didn’t expect to renew for a second month. It turns out that I love it. I’ve gotten to the point that I start dreaming about the things I’m doing, which is scary on one level and very cool on others. At any rate, I’ve had a lot of thoughts that need more time to flesh out and probably will only interest my fellow students, but I do want to share a few correspondences I’ve noticed lately between karate and the number nine.
- There are nine belts, or kyus, between rank beginner and black belt in my school of karate (which is part of the All-Okinawan Shorin-Ryu Matsumura Karate and Kobudo Federation, or OSMKKF). As of tonight, I have passed three of them. That makes me 7th kyu — what you might call orange belt, except that we don’t actually use the orange belt (or even stripes on the belts); we just have three blue belt kyus, three green, and three brown. I like this because it helps minimize rivalry between students.
- The blue belt kyus use the same basic kata, with what look to be minor differences for each kyu — mostly in the blocking techniques you demonstrate. The footwork, though, is the same, and it requires you to face the nine cardinal points of the compass (the normal eight plus the center position for the beginning and end of the kata). All too often we learn the specific steps of the kata and don’t stop to think about how the overall pattern looks or rhythm flows. That’s the kind of stuff I’ve started dreaming about, and man, it is cool!
- I have learned to examine the first kata at a whole new level with each additional kyu, and I have been told that this will continue. So the very first kata they teach us unpacks to at least nine separate layers! No wonder it takes years to really master this stuff! Some students make the mistake of thinking they’ve learned everything they need to know from the earlier levels; I’ve already had at least one case of figuring out how a current technique I was mastering applied to an earlier technique, making both of them stronger as a result.
- In a typical Tuesday evening workout, I will practice various katas an average of nine times. This typically includes polishing the kata I will next be testing for and learning the basics of the next kata. There are days this does not feel like it is enough — and that would be right. So we practice at home too; in fact, there are certain parts that I find myself practicing at work as I walk back and forth from my office to the kitchen or to co-workers’ offices. (Apparently I look really funny walking through the lobby practicing punches.)
- For my next kyu, I start to fold in weapons work (which is the kobudo part; karate is technically only bare-hand work). I will first work with the bo staff, which is six feet or 72 inches tall — nine times eight. I’m tremendously excited to be working with the bo; somewhere in my head, the iconic definition or avatar of martial arts got associated with being a bad-ass with the staff, so now I feel like I’m finally stepping into the heart of what it means to be a martial artist. Intellectually, I realize this is silly, but it still feels true.
Don’t worry; I’m not trying to seriously assert that the number nine somehow has some sort of mystic foothold in karate (that would be number ten, which in Japanese is ju, and controls our workouts). I just noticed these and was amused. What’s been more awe-inspiring has been noticing the changes in the last nine months:
- I’ve continued to lose weight. Granted, I’ve not experienced the same dramatic pace as I did in the first month, but it’s still a slow and steady drop. This is really cool given some of the interruptions and stressors I’ve had during these nine months that have wreaked havoc with my karate attendance.
- My overall muscle tone has improved. You probably wouldn’t notice the difference, but I certainly do. Certain actions are a lot less effort than they used to be, and there is visible muscle definition amongst the remaining layers of pudge.
- My endurance has increased. Right now I’m at that point where if I miss a week and a half of karate, I definitely feel it, but if I attend regularly I can make it through the workouts and not feel completely beat up. More importantly, I’m better able to keep up as the speed of some of the workouts increases; if I slow down it’s to perfect technique, not because I can’t do it.
- My reflexes have improved. This has been the startling one for me, because as long as I can remember my reflexes have sucked. I’m still no Chuck Norris or Bruce Lee, but the other day I knocked a glass tumbler off the counter and caught it without looking directly at it. Whoa!
By some counts, these last nine months have gotten me a third of the way to black belt. I don’t feel that way; I feel that they’ve set my feet on a path that I’ll still be walking for years to come. I’m not worried about belts or kyus; that’s sensei’s job to track, not mine. I just have to get through each workout, each kata, each set of one-steps, each class having given my best and learned everything I can. The rest will take care of itself. I’d never have caught that glass if I’d been trying to learn it as a trick, but by focusing on each step while I’m at it, I’ve gotten my body — as out of shape as it still is — to a point where I can do things I’ve never been able to do before. And that, friends, is magic.
1 Comment »