At this point in time there is no formal event scheduled for the evening of Thursday October 5, so I am coordinating a community run gaming event that night. All you need to do is be willing to play and show up that evening (details will be determined as I figure them out).

I will be bringing some of my games and I would love for TechBash attendees to bring some of their games to share and play as well.

In the past I have run a Magic: The Gathering BYOB draft (Bring Your Own Boosters) and had a lot of fun with it. If I can get at least 8 people together who are interested I will run this at TechBash. All you need to do is to bring three sealed Magic: The Gathering booster packs, and we will draft from what everyone brings. I will supply the basic land and coordinate the draft. Hit me up on Twitter or email me ( joe at kuemerle dot com ) if you are planning to join me so I can keep track of everything.

Thanks, and see you at TechBash!

Starting on Wednesday and running through Friday at lunch I will be
roaming the halls of the hotels taking pictures of decorated doors. This
competition is not just to show off your skills but to continue to let
those cheerleaders know that they are not the only ones who have serious
conference spirit!

To get yourself in the mood (and to see what has been done at previous
events), check out http://doorcomp.com and get ready to decorate. Keep
that address bookmarked as you will need to know it during the
conference as your vote counts. Vote for the doors you love the best.

My personal thanks to the incomparable Emily Schweiss for donating another fabulous prize for
this year.

And now for the amateur legalistic mumbo jumbo: note that this
competition is something that I am doing personally, it is not
affiliated with CodeMash, any vendors/sponsors, other speakers, the
Kalahari resort or anyone else on the planet. Please remember that the
doors are Kalahari property and you should not do any damage to them
unless you feel like paying for a new door.

Thanks and I look forward to seeing what you come up with!

This year I am pleased to be able to give one of my favorite talks, Application Security: What you don’t know can hurt you. In this talk I will be going over the top vulnerabilities that can exist in your applications and in addition to showing how they can be exploited I will also cover how to defend against them.

I am also giving another fun talk about how to optimize agile development practices by building analytics into your applications and using the results to augment customer collaboration in the Close The Feedback Loop. Using Application Analytics To Improve Agile Development talk.

Finally I am going to bring something new and fun to CodepaLOUsa, a door decorating competition. I have run this at CodeMash for the past two years and now it is time to expand! Everyone is free to enter the competition, even if you are not attending the conference. During the course of the conference I am going to be walking the hallways of the conference hotel taking pictures of decorated doors and posting them to the competition voting site at https://doorcomp.azurewebsites.net/Doors/codepalousa2014. This is something I am running on my own and is not an official part of the conference, please also take care to not damage your hotel room door. I will be giving at least one prize away for the door that gets the most votes, stay tuned to this blog or my Twitter account where I will post where and when I will announce the winner.

You can check out what previous competitors have done in years past at CodeMash 2014 and CodeMash 2013.

I am really looking forward to CodepaLOUsa, feel free to say hi if you see me there, I’ll be the one in the kilt.

The first one is the door decorating competition. For all the years I have attended CodeMash I have been jealous of the cheerleader conference that comes in to the Kalahari the weekend after CodeMash. I’ve walked the hallways of the hotel and seen door after door decorated with ribbons, glitter, boy band pictures and other sparkly stuff. Last year I decided enough was enough and figured that the technical community can do as good or better than these kids. So I started the first unofficial CodeMash door decorating competition, in which I encouraged the attendees at all the conference hotels to decorate their hotel room doors. To my great joy a number of people stepped up and really put some serious effort into decorating their doors. I am amazed at the creativity and quality of the entries last year, and with the help of a few gracious members of the technical community I was even able to award small prizes to the winners.

This year I am asking for more. I want more people to decorate their hotel room doors. Just like last year I will be prowling the hallways of all the conference hotels, with my camera at the ready, to document your creativity. Just for reference, I am considering any hotel at which the CodeMash shuttle stops as a conference hotel so even if you are not at the Kalahari I expect you to participate. In fact, just like last year, I am going to open the competition up to non-CodeMash attendees. If you are not able to make it to CodeMash but still want to participate you can decorate your office door, cubicle wall or the front door of your house, send me a picture of it and I will enter you in the competition.

I am hard at work on an improved voting application that should be ready in time for CodeMash. Watch this blog, the CodeMash Google Group and the #CodeMash Twitter stream for the details when I launch it.

In addition, just like last year, there are a lot of overlapping sessions that I want to see and I know that I won’t be able to make it to. I am once again going to be doing my best to collect all of the presentation materials (slide decks, code samples, speaker blog entries, etc.) in one place so that everyone has a way to find these resources after the conference ends. To accomplish this I am maintaining a GitHub repository where I will do my best to accumulate all of the CodeMash session materials. If you are a speaker, attendee at a session or just a generally nice person I would really appreciate your help. The repository is public and I would love it if you could send me a pull request with the details of the session materials. I am planning on structuring it like the repository from last year so please feel free to contribute.

As I noted before neither of these are official CodeMash events, I am not affiliated with the conference, any sponsors or anything else. I just think that these are cool ideas.

Thanks to everyone, and I look forward to seeing you at CodeMash, I will once again be the guy in the kilt. Well, if Gary Short shows up then I will be one of the guys in a kilt.

Finally, I will also be at the CodepaLOUsa conference in February (which is yet another awesome conference, you really should go) and I will also be running another door decorating competition there as well as gathering up all of the presentation materials that I can find into another GitHub repository. If you are going to be there then please do plan on decorating your hotel room door and if you’re not yet signed up for the conference I am happy to get you a discount on registration.

I hope to see you around!

First, credit where credit is due. Thanks to @tomasrestrepo for pointing out some areas of potential instability. Next, a huge thanks for the time and effort that Stan Drapkin put into looking through my code and having an extended conversation with me on how to make it better. If you are interested in .NET security (and why wouldn’t you be?) then take a look at Stan’s new book Security Driven .NET. It contains a huge amount of content and I plan to use it to continue to improve this project even further.

The first thing you will notice in the latest 0.0.3 (still alpha) release of this library is the move from a single integrity function for a type to individual integrity functions for each encrypted value. The integrity function is intended to prevent a user with read/write access to the data store but not access to the encryption keys from tampering with data by replacing the contents of one blob with the contents of another. This is to replicate the add_authenticator functionality of the ENCRYPTBYKEY function in SQL Server. The intent behind this change is to minimize the reuse of HMAC keys used for data validation.

The next change is a performance optimization. In the initial release I was performing a PBKDF2 derivation on the master encryption key every time a value was encrypted or decrypted. Since PBKDF2 derivation is designed to be slow this is certainly not how you would want to write a production implementation. I am now caching the derived encryption key in memory for the lifecycle of the type. This means improved performance, not just with key derivation but also with master key retrieval since the key server only needs to be contacted once per key lifespan within each type.

On a related note, I have also fixed the HMAC algorithm and reduced it to SHA256. This is a performance optimization as using more bits for the hash then there are in the encryption is unnecessary.

I have also modified the encryption to not just encrypt the value but to add a message authentication value as part of the encrypted payload. I am performing the HMAC against the encrypted data as that is the strongest method for ensuring the data is maximally protected against tampering. By doing this, I gain additional security against tampering as the encrypted data has another layer of validation that has to stay in tact. There is also a performance gain in decryption, as I first perform the hash check of the encrypted data and if it does not match then I don’t even have to bother decrypting the data, as it is by definition invalid.

In order to implement message authentication of the encrypted data I needed to generate and store a unique value to use as the key for the HMAC. While there is no known weakness in reusing the encryption key as the HMAC key I chose instead to just extend the PBKDF2 derivation I am performing on the encryption master key and use the next set of bits from that function as the HMAC key.

Since I am already caching the key derivation I also cache the MAC secret value in the same structure.

With these changes I have increased the integrity of the encrypted values and further hardened the data protection process. By caching the key derivation results I have increased performance without a significant impact on the security of the library.

As noted in my original post I do plan to continue enhancing this library and will be diving further into the implementation in future posts. I am also going to build out some sample projects and document those as well. You can always check out the source code on GitHub as well as on NuGet.

Please feel free to reach out to me via email or on Twitter if you have any feedback, concerns or questions. I am also very open to suggestions on related topics where this library can be useful.

Finally, I am writing this in early December and CodeMash is about a month away. I am once again running a door decorating competition during the days of the conference. If you are at any of the CodeMash hotels let your geek flag fly and show off how well you can decorate your hotel room door.

If you are not able to make it to CodeMash come out to CodepaLOUsa in Louisville, KY in February. I will be speaking there and also running another door decorating competition.

Stay secure and I hope to see you around!

One of my favorite features of SQL Server it it’s ability to easily encrypt my sensitive data by using it’s built in column level data encryption features. I like that the cryptographic implementation is done correctly, using strong algorithms and following the correct encryption protocols. Often when developers have to implement their own encryption logic they miss items such as always using a nonce as an initialization vector every time they encrypt the data, using weak encryption keys or incorrectly using the algorithms. Another practice that leads to vulnerabilities is not correctly managing the encryption key, or worse, hardcoding encryption keys in the application or configuration files. I especially like that the data encryption functionality in SQL Server makes it so easy to properly encrypt and decrypt data.

I do have times that I need to securely store sensitive information but am not able to work directly with SQL Server. I may not even be using a relational database to store my data. This is why I decided to write a set of good encryption templates that can be used with a number of backend data stores. I also wanted to make the encryption easy to use with previously written code and as low friction as possible for a developer to introduce.

Since I am also a big proponent of reducing boilerplate code by using Aspect Orientated Programming techniques I decided to implement the data encryption functionality in a set of aspects for PostSharp. The free Express version of PostSharp should be enough to get started with these aspects. Now all a developer has to do to get strongly encrypted properties and fields is to decorate their existing POCO types with a few attributes and let PostSharp add the common encryption logic automatically at compile time.

In this blog post I am going to cover the details of the property (and field) encryption logic. Other posts in this series will cover additional items, such as providing the ability to perform lookups on encrypted data, specific key management features as well as  the details of an implementation specifically for RavenDB.

All of the code I am discussing is released under an open source license, the master repository is on GitHub.  You can also easily bring this functionality into your own projects by installing the packages from NuGet.

Good Encryption

Good data encryption is not an easy thing to get right. There are a number of pitfalls that even security focused developers can stumble into. With that in mind, I have attempted to make my data encryption as correct as possible. I am providing the code and packages with absolutely no guarantees that they are free from security defects. This code is for demonstration purposes and you should not use it blindly. Make sure that it is appropriate for your needs and please do let me know if you find any flaws or bugs in it and I will work to correct them.

With the disclaimer out of the way lets dig into the core functionality, encrypting and decrypting data.

Our encryption method attempts to ensure that all the data encrypted is done so securely. There is also an option to add integrity verification to the encryption process.

The integrity function will calculate a Hashed Message Authentication Code (HMAC) of the cleartext data before it is encrypted. We concatenate the cleartext data and HMAC before we encrypt it.

Once we have calculated the HMAC it is time to start encrypting the data All the .NET cryptographic functions work on byte arrays so I have standardized on a decision that I will represent all strings in Unicode. This ensures that I am able to successfully decrypt data  that has been encrypted by my functions by assuming that all payload data is a Unicode encrypted string. The first step in encrypting the data is to convert the string to a byte array.

Next, before we encrypt the data we need to generate a unique value that will be used as the Initialization Vector (IV). This is a nonce (a number that will only be used once) and each time we encrypt data we need to generate a new nonce. To do this I have created a helper extension method, FillWithEntropy, that will take a byte array and fill it with a cryptographically random set of values. Note that the standard System.Random functions are not sufficiently random for anything to do with cryptography and should never be used.

Finally, we need the encryption key itself. In my code I have taken pains to ensure that any encryption keys are stored separately from the encrypted data as well as not being directly accessible to my program. This enforces a good separation of concerns and increases data security. I have abstracted this separation by creating an  IKeyServer interface that will be used to return an implementation of a key server. That key server provides the GetKey method which will return the symmetric encryption key base value from the key store.

Now that we have our base encryption key value I run it through the Rfc2898DeriveBytes function to return a hashed byte array that is then used as the actual encryption key for the data.

With a unique IV and a non-obvious encryption key I ensure that the code will use the strongest implementation of a standard encryption algorithm. This means that I make sure to use the Cypher Block Chaining mode of my algorithm to ensure that my ciphertext cannot be easily tampered with.

Then, to make it easier to deal with encrypted data throughout the rest of the application I encode both it and the IV as Base64 strings. Finally, I concatenate both the IV and encrypted data together into a single string to make it easier to keep them together for future decryption.

The decryption process is a reversal of the encryption, where I split off the IV from the payload, decrypt the data using the same algorithm implementation and key and optionally verify any HMAC that is encrypted with the data. If all the decryption logic works I return the cleartext encoded as a Unicode string to the caller.  

Key Management

While implementing a fully featured key server is the subject of a future blog post I will review some of the basics of the key management functionality of my solution. All key values are stored separate from the encrypted data, this will ensure that any attackers have a higher bar to clear to extract any useful information from my encrypted data.

I interoperate with the key server by interacting with the IKeyServer interface which provides access to the actual encryption keys without tying my code to any particular concrete implementation of a key server. This gives me the flexibility of a number of different storage technologies and security layers to protect my encryption keys.

In order to decrypt the data I need to be able to retrieve the correct encryption key. To enable this I need to store some sort of pointer alongside the encrypted data that denotes which key was used to encrypt it. I accomplish this with the EncryptionKeys dictionary  in the type definition. This dictionary is responsible for storing the identifier of each key that is used to encrypt the given property. With my implementation we can have multiple properties, each encrypted with a different encryption key. By doing this we increase the strength of our encryption by minimizing the reuse of encryption keys. This can also form the basis of a strong data visibility restriction implementation, as, by withholding specific encryption key values from users we make it impossible for unauthorized users to access sensitive data since the cleartext of that data is never on their systems to start with.

The primary method I need to encrypt and decrypt data is the GetKey method. All I need to do is pass in the identifier of the key that was used to encrypt the property and it will return the encryption key.

Other useful methods on the interface are the Map method which will return a dictionary of property names and key identifiers that the server knows about. This is useful for administratively specifying which keys encrypt which properties without needing to define key identifiers in the source code. A Keys method can also be implemented that will return a list of which keys are currently available from the server.

Automatic Implementation

Rather than manually implement all the required code in base classes and expect other developers to correctly implement the functionality I am taking advantage of Aspect Orientated Programming to perform the boilerplate implementation of my encryption logic. This will ensure that the correct code is injected into the compiled assembly. Now all any developer has to do is decorate their types and properties with the given attributes and they will automatically receive this functionality in their program.

To perform all the work necessary to store encrypted data a developer just has to decorate their type definition with the [EncryptedType] attribute. For any fields or properties that need to be secured the developer just has to decorate them with the [EncryptedValue] attribute.

By using PostSharp I also gain the ability to transparently override the field and property getters and setters to make sure that the cleartext data is never persisted into the object. This is useful not only from a local security perspective as unencrypted data is never stored in the processes memory space, but it also is vital in situations where the object is serialized for storage or transmission. By overriding both the setter and getter I ensure that any serialization of the object will not return cleartext data as the data will always be encrypted and the field or property will always return the encrypted value.

As with all encryption at some point in time you need to get back the cleartext value of the data. To support this in as easy as way as possible for the consuming developer the IEncryptedType interface provides the ClearText method. Calling the ClearText method with the property name will return the unencrypted value of the field or property (provided the encryption key is both available and correct).

Since I am not a fan of having magic strings in my codebase and I really like to have IntelliSense I have also created an extension method, AsClear, that will extract the name of the property from a given expression and then return the cleartext value of that property.

Usage

Finally it is time to put all of this work into practice. While I will be writing future blog posts detailing a full implementation of all the features, the below code from my(sparse) tests demonstrates how to use the encryption.

I first define a type that will have an encrypted property and decorate the SSN property as the one I want to encrypt. Next I store a social security number in the SSN property and verify that when I read the value of the property through the standard getter that the value is encrypted. Finally I test that the decryption works correctly by retrieving the cleartext version of the property data by casting to IEncryptedType and calling the AsClear extension method on the SSN property.

Get the bits

All of the code required to implement transparent encryption of fields and properties is available under an Apache open source license. I plan to continue working on this code and improving it. If you would like to see the code or contribute to it I have it in a GitHub repository. Please feel free to let me know your feedback. I would love to see this project grow and be useful to people.

For easy use in your own solution you can install a prebuilt version of the code from NuGet.  At a minimum you will need both the IEncryptedType and the EncryptedType packages.

You can also get a RavenDB specific implementation that ensures that only a minimal set of serialized properties actually required to support the encryption/decryption will be persisted to the storage engine.

In Conclusion (for now)

This is the first post in my series, future installments will dive deeper into the specifics of the PostSharp implementation, enhance the logic to allow for effective and secure seeking through encrypted data, build a fully functional key server and create storage specific implementations of the code.

I hope you get some good use of this code. I am always open to hearing about specific use cases, feature requests or bug reports. You can email me, hit me up on Twitter or find me at a community event.

Feel free to take the code out for a test drive by grabbing it from NuGet or just check out the codebase and see how it works. As always do try to stay safe out there.

Last year we really showed those cheerleaders what properly decorated doors looks like so this year we need to step up our game. I would like to get more people involved so that there are more decorated doors at all of the CodeMash hotels.

Start planning now for January and you could be the winner of this fabulous first place prize or some other fun prizes I am working to get together.

As with last years competition this is something I am running on a personal basis and is completely unofficial. This is not an officially organized CodeMash function and is not affiliated with the conference, any of the sponsors or conference hotels. You can choose to participate at your own risk and please remember to take care and not damage your hotel room door. Thanks and I hope to see you at CodeMash!

Recently I introduced a BuildMaster server into my day job. With the growing number of applications I am responsible for managing and the tight deadlines for client work I needed an easy to use and reliable tool to automate both builds and deployments.  We selected BuildMaster after building proof of concept deployments with a number of tools and it stood out as one of the easiest to install and implement.

By taking advantage of BuildMaster’s  set of extensions I have been able to easily accomplish most of the tasks I needed to accomplish for deploying various .NET and pure HTML applications, however there was one feature missing.

We were building an interactive pure HTML application for a client and ended up with the usual explosion of JavaScript and CSS assets from various third party libraries as well as a number of our own assets. Between the desktop specific, mobile specific and common assets we had over 25 JavaScript files and more than a dozen CSS files. During the course of development I was asked if there was a way that we could reduce the sheer number of files that we were delivering, not just to make the handoff process easier, but also to increase the performance of the application by minimizing the number of requests required to render each page. In addition, while we were using minified versions of many of the third party JavaScript files we still had our own code to deal with as well as lots of wasted bytes in the CSS files.

I looked around and while there were plenty of compression options I didn’t want to bring in an entirely new technology stack for a deployment that mainly consisted of getting files from source control and copying them to a server. I decided that I was going to integrate the asset combination and compression directly into my existing BuildMaster deployment plan by building my own extension. I chose to use the YUI Compressor for .NET project to perform the asset combination and compression.

I wanted the consolidation and compression to happen at build time so that the other developers and designers I was working with did not have to deal with minified files. On the other hand, there are still some things that can break, so I made sure my deployment plan would automatically run and push new builds out to an integration server for immediate testing and feedback.

I could have started off with the documentation for building a custom action in BuildMaster, but since I have already contributed to a number of other extensions I had a pretty good idea of what to do.

After some tweaking work I have what I think is a nice BuildMaster wrapper around the YUI Compressor and I received permission to publish the source code to this extension so that others can take advantage of this action. The source code is up on GitHub, at https://github.com/PrecisionDialogue/bmx-pd-web.

The action is mostly a wrapper around the YUI Compressor but there are a number of settings that allow you to deeply customize what is going to be done to the assets.

The input files for each asset type consist of one or more filespecs, each on their own line. Each line is also interpreted so that you can use wildcards (including the BuildMaster ~\ syntax to represent the working directory). The union of all of the matching files is what will be processed.  You can also configure one or more regular expressions to denote filename patterns to be excluded. Each line of the exclusion regular expression is evaluated against the set of files and matching filenames are excluded from being combined, minified and/or deleted.

This action can combine asset files, compress asset files or do both. All activity takes place in the working directory of the files so when combining files I recommend using the “Delete original files” option to remove extraneous files.

The “Preserve subdirectories” option is useful if you use relative paths within your assets and need to preserve that structure. If you are combining files and preserving subdirectories a single file of the output name will be created in every subdirectory that has appropriate content.

If you don’t want to combine files but just need to compress them you can select the “Compress (JS/CSS) files in place” option. This option will ignore the output filename and just compress each matching artifact file. This is useful if you have path or filename dependent code in your scripts.

The rest of the options for each asset are the same as in the YUI Compressor and should work the same.

With this action I am now able to easily combine and minify CSS and JavaScript files reliably and ensure that only the correct compressed versions are promoted into the application environments.

I hope you find this useful and I am always happy to receive feedback.

I have always been a big fan of automating deployments, it makes life so much easier for both developers and the operations teams if there is a single, reliable and auditable way of ensuring the right code changes get deployed to the right environments. It is even better if the system is automated and provides the right tooling to ensure separation of privileges so that all compliance requirements can be easily met.

I am very proud to have worked on deployment automation features in BuildMaster to enable more robust and reliable deployments to both Amazon Web Services and Windows Azure.

First, I have worked with Amazon Web Services for a number of years, running some large scale systems using EC2 instances and lots of EBS volumes for SQL Server databases. I previously automated deployments using MSDeploy combined with lots of PowerShell but never had as integrated a solution as I would have liked. Expanding the AWS features of BuildMaster allowed me to finally implement the end to end promotion and deployment pipeline I always wanted. CloudFormation is an interesting base to build on, the template pattern lends itself well to easily managing multiple similar environments.  Using BuildMaster to manage the templates as well as configure and manage CloudFormation stacks during deployment allowed me to build a reference implementation that provided discrete testing environments and  high scalability while also controlling runtime costs by running a local integration environment and a smaller scale cloud based staging environment.

I have been very involved in watching Windows Azure evolve into a very capable cloud platform since its launch. With that, I was very excited to expand BuildMaster’s Windows Azure features. With the tooling that is now in place there is no longer any reason developers should ever have to deploy code directly into production from Visual Studio again.

Building features and documentation for Windows Azure allowed me to deeply explore the Windows Azure feature set and API. I had a great time building on the API and was able to implement features that allow for end to end deployment and management of Windows Azure Cloud Services as well as better promotion and deployment of Azure Web Sites. By running the integration environment premises and managing a minimal staging environment both bug fix turnaround time and runtime costs were able to be minimized. Also, the automation and security model made separation of duties painless and friction free.

I was able to do more than just work with cloud deployments and got to dip back into the Java world by implementing features for automating Maven builds, integrating with both Hudson and Jenkins as well as managing Artifactory repositories.

One of the most favorite things about my time at Inedo was that they have begun exposing the source code for BuildMaster extensions on GitHub. This makes it much easier for people to take advantage of the BuildMaster SDK and build a rich community of extensions that can solve every deployment need.

There is much more to talk about, including my projects to enhance ProGet, a professional quality NuGet server for inside the firewall but that will have to wait for another time.

I am going to be at DevLink in late August and am planning my fall schedule now. I am an INETA Community speaker and would love to give a talk at your user group or conference. I hope to see you at an event in the future!

I am thrilled to be back working on developer tools again, and I am looking forward to working with the awesome team at Gibraltar.  I am going to remain in Ohio and telecommute so I will definitely still be around at all of the great technical events in the region.

The first tasks I am going to be working on are in partnership with Inedo. I will be working on the awesomeness that is ProGet and BuildMaster.  I have been a big proponent of automated build and deploy systems for many years and BuildMaster looks like it is going to be a lot of fun.  It certainly looks to be easier to use than wiring up a CruiseControl build script to deploy my shiny new .NET 2.0 Windows services onto multiple production servers when the server administrator pushed the “Build” button. 

I have been working with getting a NuGet  server to play nicely for a number of in house libraries and I am excited to see ProGet maturing. I think that there is a lot of benefit for companies to host their own NuGet feeds in house and ProGet makes it dead simple to not only host your own internal libraries as NuGet packages but also to shadow the publicly available third party libraries we all depend on.

If you are going to be at CodepaLOUsa please join me as I talk about all of the fun I am having building a website and API with a single codebase using ServiceStack.NET in my Hey, You Got Your API In My Website! session. This is a great experience for me to try to get back some of my rusty Linux skills as I work on hosting my web application under Mono. 

Speaking of CodepaLOUsa I am going to be running an encore door decorating competition, just like the one I ran at CodeMash.  You can see how creative some of the CodeMasher’s got here and I expect even greater things from the CodepaLOUsa crowd. CodeMash may have the bacon but Louisville has bourbon! I even have some kind sponsors who stepped up so I will be able to offer a prize or two for the finalists.

If you are looking for links to some of the great content that was presented at CodeMash I am maintaining a GitHub repository with links to slides, notes, blog posts and even code repositories that the various CodeMash speakers have made public. I welcome pull requests so please do let me know if there is any other public content that I may have missed.

I am sad to be leaving my current position at BookingBuilder Technologies, they have been a great place to work and have always been very supportive of my community involvement. If you know anyone who is interested in working on a full stack .NET system covering everything from SQL Server to WPF and ASP.NET there is now an opening. You can see the details here. The job (and whole company) is 100% telecommute so you can work from anywhere. I also have a number of extra StackOverflow Careers invitations, please reach out to me if you would like one.