Tuesday, November 09, 2010

Clearly ahead of my time

Yesterday I put up a post about Validating user input. Today, news that the British Navy has been hit with a SQL Injection Attack.

I have a very simple question about this: why is this sort of thing still happening? Not only are we talking about an attack that is very simple to defend against, but we are also talking about a Military Organisation. I’m sure that most countries have invested large amounts of money into Cyber Security etc, yet they are still failing at implementing simple security measures.

Here is a list of possible ways this could have been picked up BEFORE it became an issue:

  • Code Reviews. Easy, internal and should be done by a person who knows about these sorts of things
  • External Code Reviews. If you don’t have in-house expertise, there are plenty of companies out there who can help
  • Application Security Testing. Get an external company to try and break into the system.

There are many other ways, but these in conjunction with better education would go a long way to ensuring these types of attacks are a thing of the past.

Monday, November 08, 2010

There is just no excuse for….

not sanitising and validating your user inputs. These two items are the most important aspects of writing a stable and secure system.

Not only do I think that Sanitising and Validating is important, I also believe that it must be done in that exact order.

Here is a quick example of what can go wrong:

Imagine you have a web application used to sign up users. The only mandatory field is Username, and it must be a minimum of 10 characters in length. This is a very easy check, but developers will quite often perform a trim on data going into a database. What happens when you validate for length but then have your code remove 1, 2 or maybe even 10 characters? The worst case here is that a string full of spaces passes validation, then your code removes all 10 characters from the username, resulting in an attempt to insert a null into the database. From here, hilarity will ensue, with either a database constraint exception or random null reference exceptions down the track when you try to use the data for something useful.

This is a very basic example of what can go wrong when you either don’t sanitise, don’t validate or you get the two around in the wrong order.

Web apps in particular are still a very popular target for malicious users, using SQL injection attacks, delayed injection attacks or any other method you can possibly think of.

So please, do the right thing: Sanitise then Validate ALL your data.
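The sign-up scenario above, as an added example that is not part of the original post: a tiny Python sign-up path backed by an in-memory SQLite table, with both pipeline orders side by side. The validate-then-trim order lets ten spaces through validation and then hands the database an empty username, which trips the table’s length constraint exactly as described; the sanitise-then-validate order rejects the same input up front. The insert uses a bound parameter rather than string concatenation, so a username that happens to contain SQL syntax is stored as plain data. Names, the table layout and the sample inputs are all constructed for this example.

```python
import sqlite3

MIN_USERNAME_LEN = 10  # the post's rule: a username must be at least 10 characters


class ValidationError(ValueError):
    """Raised when input fails a business rule."""


def sanitise(username: str) -> str:
    """Sanitise step: normalise the raw value. Here that is the trim the post talks about."""
    return username.strip()


def validate(username: str) -> str:
    """Validate step: enforce the minimum-length rule on whatever it is given."""
    if len(username) < MIN_USERNAME_LEN:
        raise ValidationError(f"username must be at least {MIN_USERNAME_LEN} characters")
    return username


def validate_then_sanitise(raw: str) -> str:
    """The wrong order from the post: length is checked BEFORE the trim removes characters."""
    return sanitise(validate(raw))


def sanitise_then_validate(raw: str) -> str:
    """The recommended order: trim first, then check what will actually be stored."""
    return validate(sanitise(raw))


def make_db() -> sqlite3.Connection:
    """Constructed schema: the database enforces the same rule, so a bad pipeline fails loudly."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "  username TEXT NOT NULL CHECK (length(username) >= 10)"
        ")"
    )
    return conn


def insert_user(conn: sqlite3.Connection, username: str) -> None:
    # Parameterised statement: the value is bound by the driver, never spliced into the SQL text,
    # so quotes or keywords inside the username cannot change the query.
    conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
    conn.commit()


def list_usernames(conn: sqlite3.Connection) -> list:
    """Return the stored usernames, in insertion order."""
    return [row[0] for row in conn.execute("SELECT username FROM users ORDER BY rowid")]


def signup(conn: sqlite3.Connection, raw: str, pipeline) -> str:
    """Run raw input through the chosen pipeline and try to store it.

    Returns one of: "rejected" (validation caught it), "db_error" (the database's
    constraint caught it, i.e. validation let bad data through), "stored".
    """
    try:
        clean = pipeline(raw)
    except ValidationError:
        return "rejected"
    try:
        insert_user(conn, clean)
    except sqlite3.IntegrityError:
        return "db_error"
    return "stored"


if __name__ == "__main__":
    ten_spaces = " " * 10  # constructed input: passes a naive length check, trims to nothing
    print("validate-then-trim :", signup(make_db(), ten_spaces, validate_then_sanitise))
    print("trim-then-validate :", signup(make_db(), ten_spaces, sanitise_then_validate))
    db = make_db()
    print("real user          :", signup(db, "  alice_smith  ", sanitise_then_validate))
    print("stored as          :", list_usernames(db))
```

Running it shows "db_error" for the wrong order and "rejected" for the right one on the same ten-space input. The CHECK constraint is the safety net the post's "database constraint exception" refers to; the point of getting the order right is that the user sees a clean validation message instead of the application blowing up on the way to the database.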

My HTC Mozart

Well, I’ve now had my HTC Mozart for a little over 2 weeks, and I felt it was time I put up a few of my thoughts.


I’ll start off with a simple statement. I LOVE this phone and I LOVE Metro.

What I like

Metro. Texting. Emails. Live Integration. It’s all so seamless, intuitive and easy to use. Admittedly, I’ve come over from WinMo6.1, so a lot of people are going to scoff at this, but I really like the speech balloon approach to text message conversations.

Keeping up to date with emails on this phone is a joy. I’ve pinned 2 of my email accounts to the main screen, and I can easily see when I have emails and how many. Reading emails is clean, easy and efficient. This is the first phone I’ve had where I actually question the need to use a desktop machine for emails. This is a good thing.

My previous phone was with 3, and the handset had serious issues when roaming (reboots, dropouts, crashes). This was a killer for me. My Mozart on Telstra? It’s awesome. I get coverage everywhere I’d expect it. I travel between Canberra and Cooma regularly, and with this phone I get coverage most of the way. This is just awesome. Yes, I know this is more about the network, but at least when I roam it doesn’t reboot.

I have even grabbed the official Twitter client. This app looks and feels like it belongs, while still having the typical styling of Twitter. It’s clean and easy to use. I’ve started using this for the majority of my twittering.

What I don’t like

As with previous versions of WinMo and desktop Windows, a lot of manufacturers installed a lot of CrapWare. With WinMo 7, Microsoft limited the number of third party apps that could come pre-installed on these devices. This is a great idea. And the third party apps that came with my phone (Thanks HTC and Telstra) are perfect examples of why these sorts of applications shouldn’t be pre-installed.

I’ll start with the Telstra hub, because I have mixed feelings about this. I really like the weather view on this. The overall feel of the hub is alright, except for 2 gripes. The first of these is that it’s slow. There is a lot going on in this tab, and sometimes it’s just not responsive for 2-3 seconds. This isn’t good. My other gripe with the Telstra hub is “My Places”. Is this the best you could do Telstra? Have a few buttons that just pre-launch a web URL? It kinda takes away from the whole experience. Fix these two things, and the Telstra hub could be my new best friend.

And then there is the HTC Hub. Seriously HTC, did you guys think about trying to fit into the Metro style? I think not. This looks/feels just like the typical “HTC knows better” type of UI. It looks like it belongs on the front screen of an Android or WinMo6.5 phone. This isn’t Metro. All this screen does is provide Time/Weather information and links to other (reasonably useless) applications. If you can’t take this sort of thing seriously, then stay off my phone. You guys make great hardware, but I think you need to stay out of the phone software business.

What I’m “Meh” About

I’m still not impressed about the lack of a Music Marketplace for the phone. I understand that this isn’t just a Microsoft issue, but I do think that if Microsoft had been a little more organised, and maybe even a little more aggressive, then we would probably have a download service by now. The reason this is only “Meh” and not a “Don’t Like” is because I already have a large music collection and I already use the Zune desktop client at home. This resulted in a very easy migration over to the new phone; it just seemed to work.

Contact Management is another of my “Meh” items. I love the fact that a lot of contacts have been pulled from my various social networks. I even prepared and migrated all of my Outlook contacts over to Live before I got my phone. The “Meh” moment with this was the merge functionality. Both the phone and Live offer merge suggestions, which seems like a good idea, but when 2 contacts with IDENTICAL names are not recommended, then I know it’s got problems. Fix this small issue and the merge will be up there in the like section.

Besides all of this, there are a few other “oddities”, but I am not going to complain because Microsoft are already working on addressing these. And no, I’m not talking about copy/paste and multi threading. I’m talking about the following:

  • Open office documents directly from my live account
  • Filtering out some contacts. Some people are in my “larger” social graph because it’s the right thing to do; it doesn’t mean I want to know when and where they poop directly from my phone.