Tuesday, November 09, 2010

Clearly ahead of my time

Yesterday I put up a post about Validating user input. Today, news that the British Navy has been hit with a SQL Injection Attack.

I have a very simple question about this: why is this sort of thing still happening? Not only are we talking about an attack that is very simple to defend against, but we are also talking about a military organisation. I’m sure that most countries have invested large amounts of money into cyber security, yet they are still failing to implement simple security measures.

Here is a list of ways this could have been picked up BEFORE it became an issue:

  • Code Reviews. Easy, internal, and should be done by a person who knows about these sorts of things.
  • External Code Reviews. If you don’t have in-house expertise, there are plenty of companies out there who can help.
  • Application Security Testing. Get an external company to try and break into the system, with every internet-facing form and parameter in scope.

There are many other ways, but these, in conjunction with better education, would go a long way to making these types of attacks a thing of the past.

Monday, November 08, 2010

There is just no excuse for….

not sanitising and validating your user inputs. These two items are the most important aspects of writing a stable and secure system.

Not only do I think that Sanitising and Validating is important, I also believe that it must be done in that exact order.

Here is a quick example of what can go wrong:

Imagine you have a web application used to sign up users. The only mandatory field is Username, and it must be at least 10 characters long. This is a very easy check, but developers will quite often trim data on its way into the database. What happens when you validate the length first and then have your code remove 1, 2 or maybe even all 10 characters? The worst case is a string of 10 spaces: it passes the length check, the trim then removes every character, and you end up trying to insert an empty string (which many data layers turn into a NULL) as the username. From there, hilarity ensues: either a database constraint exception straight away, or null reference exceptions later on when you try to use the data for something useful.

This is a very basic example of what can go wrong when you either don’t sanitise, don’t validate, or do the two in the wrong order.

Web apps in particular are still a very popular target for malicious users, using SQL injection attacks, delayed (second-order) injection attacks, or any other method you can possibly think of.

So please, do the right thing: sanitise, then validate, ALL your data.
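Here is an added C# example (mine, not code from the original post) of the sign-up check above, done in both orders, followed by the insert. The table and column names, the 64-character storage limit and the allowed-character rule are assumptions for the example. It also shows the piece the SQL injection post depends on: once the username has been normalised and validated it goes to the database as a parameter, never spliced into the SQL text, because trimming and validating on their own do nothing against injection.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not the original post's code. The table name, column name,
// 64-character storage limit and the allowed-character rule are assumptions.
public static class UserSignup
{
    // The post's rule: a username must be at least 10 characters long.
    private const int MinUsernameLength = 10;

    // Assumed character policy: letters, digits, dot, dash and underscore.
    private static readonly Regex AllowedUsername =
        new Regex(@"^[A-Za-z0-9._-]+$", RegexOptions.Compiled);

    // Step 1, sanitise: the same Trim the post talks about, applied first.
    public static string Sanitise(string raw)
    {
        return (raw ?? string.Empty).Trim();
    }

    // Step 2, validate: the check runs against the value that will be stored,
    // so nothing can change it between here and the database.
    public static bool IsValidUsername(string sanitised)
    {
        return sanitised.Length >= MinUsernameLength
            && AllowedUsername.IsMatch(sanitised);
    }

    // The wrong order from the post. Ten spaces satisfy the length check and
    // are then trimmed to an empty string, which is what reaches the database.
    public static string ValidateThenTrim(string raw)
    {
        if (raw == null || raw.Length < MinUsernameLength)
            throw new ArgumentException("Username must be at least 10 characters.");
        return raw.Trim();
    }

    // The right order: trim, then validate whatever is left.
    public static string TrimThenValidate(string raw)
    {
        string username = Sanitise(raw);
        if (!IsValidUsername(username))
            throw new ArgumentException("Username must be at least 10 characters of [A-Za-z0-9._-].");
        return username;
    }

    // Step 3: the value is data, never SQL text. The parameter is what defeats
    // injection; a username that passed validation is still not trusted as SQL.
    public static SqlCommand BuildInsert(SqlConnection connection, string username)
    {
        var command = new SqlCommand(
            "INSERT INTO Users (Username) VALUES (@username)", connection);
        command.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = username;
        return command;
    }

    public static void Main()
    {
        // Constructed inputs: all spaces, a normal name with padding, an injection attempt.
        string[] inputs = { new string(' ', 10), "  alice.smith  ", "bob'; DROP TABLE Users;--" };

        foreach (string input in inputs)
        {
            Console.WriteLine("input: [" + input + "]");
            Report("validate then trim", () => ValidateThenTrim(input));
            Report("trim then validate", () => TrimThenValidate(input));
        }

        // The command is built but not executed, so this runs without a database.
        using (var connection = new SqlConnection())
        using (SqlCommand command = BuildInsert(connection, TrimThenValidate("  alice.smith  ")))
        {
            Console.WriteLine(command.CommandText + "  with @username = "
                              + command.Parameters["@username"].Value);
        }
    }

    private static void Report(string label, Func<string> check)
    {
        try
        {
            Console.WriteLine("  " + label + ": accepted [" + check() + "]");
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("  " + label + ": rejected (" + ex.Message + ")");
        }
    }
}
```

The all-spaces input is the post's failure case: the validate-then-trim path accepts it and hands an empty string to the database, while trim-then-validate rejects it. The third input is the reminder that length validation says nothing about content; the character policy rejects it here, but even a policy that allowed quotes would be safe, because the value only ever travels as @username.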

My HTC Mozart

Well, I’ve now had my HTC Mozart for a little over 2 weeks, and I felt it was time I put up a few of my thoughts.

[image: HTC Mozart]

I’ll start off with a simple statement. I LOVE this phone and I LOVE Metro.

What I like

Metro. Texting. Emails. Live Integration. It’s all so seamless, intuitive and easy to use. Admittedly, I’ve come over from WinMo6.1, so a lot of people are going to scoff at this, but I really like the speech balloon approach to text message conversations.

Keeping up to date with emails on this phone are a joy. I’ve pinned 2 of my email accounts to the main screen, and I can easily see when I have emails and how many. Reading emails is clean, easy and efficient. This is the first phone I’ve had where I actually question the need to use a desktop machine for emails. This is a good thing.

My previous phone was with 3, and the handset had serious issues when roaming (reboots, dropouts, crashes).. This was a killer for me. My Mozart on Telstra? It’s awesome. I get coverage everywhere I’d expect it. I travel between Canberra and Cooma regularly, and with this phone I get coverage most of the way. This is just awesome. Yes, I know this is more about the network, but at least when I roam it doesn’t reboot.

I have even grabbed the official Twitter client. This app looks and feels like it belongs, while still having the typical styling of Twitter. It’s clean and easy to use, and I’ve started using it for the majority of my twittering.

What I don’t like

As with previous versions of WinMo and desktop Windows, a lot of manufacturers installed a lot of CrapWare. With WinMo 7, Microsoft limited the number of third party apps that could come pre-installed on these devices. This is a great idea. And the third party apps that came with my phone (thanks HTC and Telstra) are perfect examples of why these sorts of applications shouldn’t be pre-installed.

I’ll start with the Telstra hub, because I have mixed feelings about this. I really like the weather view on it. The overall feel of the hub is alright, except for two gripes. The first is that it’s slow. There is a lot going on in this tab, and sometimes it’s just not responsive for 2-3 seconds. This isn’t good. My other gripe with the Telstra hub is “My Places”. Is this the best you could do, Telstra? Have a few buttons that just launch a web URL? It kind of takes away from the whole experience. Fix these two things, and the Telstra hub could be my new best friend.

And then there is the HTC Hub. Seriously HTC, did you guys think about trying to fit into the Metro style? I think not. This looks and feels just like the typical “HTC knows better” type of UI. It looks like it belongs on the front screen of an Android or WinMo 6.5 phone. This isn’t Metro. All this screen does is provide time/weather information and links to other (reasonably useless) applications. If you can’t take this sort of thing seriously, then stay off my phone. You guys make great hardware, but I think you need to stay out of the phone software business.

What I’m “Meh” About

I’m still not impressed about the lack of a Music Marketplace for the phone. I understand that this isn’t just a Microsoft issue, but I do think that if Microsoft had been a little more organised, and maybe even been a little more aggressive then we would probably have a download service by now. The reason this is only “Meh” and not a “Don’t Like” is because I already have a large music collection and I already used the Zune desktop client at home. This resulted in a very easy migration over to the new phone, it just seemed to work.

Contact Management is another of my “Meh” items. I love the fact that a lot of contacts have been pulled from my various social networks. I even prepared and migrated all of my outlook contacts over to live before I got my phone. The “Meh” moment with this was the merge functionality. Both the phone and Live offer merge suggestions which seems like a good idea, but when 2 contacts with IDENTICAL names are not recommended, then I know it’s got problems. Fix this small issue and the merge will be up there in the like section.

Besides all of this, there are a few other “oddities”, but I am not going to complain because Microsoft are already working on addressing these. And no, I’m not talking about copy/paste and multi threading.. I’m talking about the following:

  • Open office documents directly from my live account
  • Filtering out some contacts. Some people are in my “larger” social graph because it’s the right thing to do; it doesn’t mean I want to know when and where they poop, directly from my phone.

Thursday, September 23, 2010

More on Open Music Platform

Ok, so I’m sure some people have read my post yesterday about the market speak coming from Microsoft about the state of Zune Marketplace in Australia.

I thought I should probably take some time out to explain my thoughts/feelings a little better.

Open Music Platform

I think the idea of having DRM free music, being able to share your music between devices regardless of where it came from is very important. I have a very large collection of completely LEGAL music that I want on my mobile devices.

From an adoption point of view, being able to sync a Windows Mobile 7 device with music you purchased from iTunes is great, and I wouldn’t expect anything less.

The State of Music In Australia

In Australia, we have very limited ways to get downloadable music. We have iTunes, Bigpond Music if you’re a Bigpond user, and that’s about it. There are a number of other online music stores, but due to licensing restrictions they can’t sell us music in Australia. Sure, we can trick them by using US proxies, paying with US credit cards etc., but the point is that it’s actually against their terms and conditions and probably illegal.

Marketing Speak

The post I pointed to from Dave Glover didn’t do anything to clarify the original point that Zune Marketplace doesn’t allow Music Downloads within Australia. He went on to point out how we could use existing music we owned, get music from other sources, and all the Video content we could get. But I go back to the point that he didn’t address the original issue of not being able to buy music through Zune Marketplace which can be enjoyed in the US and Europe.

Usage Scenarios

Lets look at the major competition from an Entertainment point of view. You know who I’m talking about, Apple and their iPhone and iPad.

  • iOwners can use one tool to download new music and sync with their devices. It’s easy to use and just works. This is a simple scenario that won’t be available to Windows Phone 7 owners in Australia.
  • iPhones and iPads can natively access iTunes through wireless internet access. If you want new music and you have signal then it’s available. Again, this won’t be available to Windows Phone 7 owners in Australia.

Why is this happening

There are only 2 possible reasons I can imagine that would prevent Australian Windows Phone 7 owners from accessing online music.

  • MPAA or some other Music Industry representatives cannot come to an agreement with Microsoft. I actually find this unlikely due to the fact that Apple managed to get some sort of agreement in place.
  • Microsoft View the potential market in Australia to be too small, and therefore won’t invest the time and money into getting an agreement and systems in place.

My Criticism

My issue with this whole thing is the Marketing crap that comes out of Microsoft about this issue. It is an issue that will affect the uptake of the phone.

In addition to this, I did take the time out to reply to Dave Glover yesterday through the comments on his post. I think the worst thing I said in the post was “contempt”, in the context of the way they (Microsoft) can’t be honest about what’s going on. But it seems my comment didn’t make it through moderation process.

What I’d Like to See

This is really simple. I’d like to see Microsoft publicly acknowledge this as an issue and at least explain why we can get Video on our phones (I don’t care for this) but won’t be able to get music (I care about this). Possibly even detail what they are doing to correct it.

Ed.

Wednesday, September 22, 2010

An “Open Music Platform”

Sorry, that just sounds like marketing speak for “We are not going to provide music downloads for you”.

What am I talking about? Read this.

One of the things that has made iAnythings so popular is iTunes. It’s a one stop shop for Apps, Videos AND MUSIC. The iWantItNow generation don’t go to the music shop to buy CDs, take it home, rip it (is that even legal?) and then sync to their iDevice. Nope, they login to iTunes, download it and sync. 5 Minutes max to get the music they want.

With Windows Phone 7, we will have a useful tool called Zune. This works with the Zune marketplace and in the US, most of Europe and a whole heap of other countries, it will be the perfect replacement for iTunes. In Australia, we can only download Videos, not Music. In fact, in Australia we can’t use most online music stores due to the fact that we are not in the United States..

The answer is actually pretty simple: buy your music through iTunes, then use the Zune software to sync with your phone. But this isn’t as easy as it should be. Another option is to trick Zune into thinking you’re in the US, but that’s just not right, is it?

Anyway, please don’t treat people in Australia with such contempt by telling us about Open Music Platforms. That’s just a nice way of saying “You don’t get it, suck it up”.

Monday, September 20, 2010

ASP.Net Crypto Attack

Well, unless you’ve been living under a rock for the last week, you are probably now aware of the crypto attack that is in the wild and targets ASP.Net applications (a padding oracle against the encrypted data ASP.Net hands to the client, such as ViewState and the WebResource.axd/ScriptResource.axd d= parameter). This attack is raising many of the same issues that we see regularly in the industry with SQL injection attacks.

Wait, what? Yes, this is another of those situations where developers and administrators have been lazy. Yes, it is a vulnerability and it needs to be fixed, but it has also become a massive issue because a large number of ASP.Net applications don’t handle errors correctly: the distinguishable error responses are what tell the attacker whether a tampered ciphertext decrypted cleanly.

The recommended workaround (from the MS Security Advisory) is to simply enable customErrors and send every error to one generic error page. The simple fact is that EVERY ASP.Net app out there should be doing this already. It is one of the many steps to mitigating attacks on websites, SQL injection included. Returning any detail to a potentially malicious user is bad; in this case the detail is the oracle.

So, let me quickly run through the bare essentials.

If you’re on a version before .NET 3.5 SP1 (the redirectMode attribute doesn’t exist there), add this to your web.config:

    <configuration>
      <location allowOverride="false">
        <system.web>
          <customErrors mode="On" defaultRedirect="~/error.html" />
        </system.web>
      </location>
    </configuration>

For .NET 3.5 SP1 and later, use ResponseRewrite so the error page is served in place rather than via a redirect:

    <configuration>
      <location allowOverride="false">
        <system.web>
          <customErrors mode="On"
                        redirectMode="ResponseRewrite"
                        defaultRedirect="~/ErrorPage.aspx" />
        </system.web>
      </location>
    </configuration>

In both cases, don’t add per-status-code <error> entries under customErrors. Every failure must land on the same page; different pages for different failures give the attacker the same answer the detailed errors used to.
There is an additional step you should take. In your error page, add a random sleep to the Page_Load event. Why? The short answer is that some attacks use timing to recover the same information the error messages used to leak, so even identical pages can give the game away if one code path is measurably slower. A random delay (generate the number through the crypto RNG, not System.Random) adds noise to that channel. It doesn’t close it, only the fix for the vulnerability does, but it raises the number of requests the attacker needs.
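As an added example (mine, not the post’s or Microsoft’s code), this is the code-behind for the ErrorPage.aspx named in the second config above. The .aspx markup is assumed to be a static “something went wrong” body with no server-side detail.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading;
using System.Web.UI;

// Added example, not the post's or the advisory's own code: code-behind for
// the generic error page that customErrors sends every failure to.
public partial class ErrorPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Never surface Server.GetLastError(), the exception type, the stack
        // trace or a status-specific message here. The page has to be
        // byte-identical for a padding failure, a 404 and a NullReferenceException,
        // otherwise it is the oracle the attack needs.

        // Random delay of 0..255 ms. It comes from the CSPRNG rather than
        // System.Random so the attacker cannot model the delay and subtract it
        // back out; it only adds noise to the timing channel, it does not remove it.
        byte[] delay = new byte[1];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(delay);
        }
        Thread.Sleep(delay[0]);
    }
}
```

Two checks once this is deployed: request a page that does not exist, then request WebResource.axd with a mangled d= value, and compare the two responses. The status code and body should be identical; any difference is exactly the signal the attack looks for. And treat this as the workaround it is: apply Microsoft’s update for the advisory as soon as it is available, because the random sleep only raises the attacker’s cost, it does not fix the bug.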



Please, don’t be lazy, make sure your Web Apps are secure.

Thursday, September 16, 2010

Another Sad Day

Well, today’s the day. The official launch of the IE9 Beta, and it’s made me sad. I’m not sad because of what IE9 is. IE9 looks to be an absolutely awesome browser, much faster than previous versions, possibly more secure and a hell of a lot sexier.

I’m sad because, like many other people out there, I spend a large amount of time sitting in a corporate environment that is still years behind. Yep, I’m still on Windows XP. This limits me to IE8, or one of the many other browsers out there.

At home, I’ve already installed the IE9 beta, and I have to say that my initial impressions are pretty good. What can I say, I’m not particularly fussy about my browser, I just want it to work. IE9 Beta seems to fit that so far and has a few features that I’m pretty excited about. Pinning web pages and having them almost feel like an extension of the desktop is amazing. It’s just not the sort of amazing that I can experience at work.

I think for now, my Netbook with wireless internet access is going to be how my web browsing is done from work. It’s just going to be separate from the corporate network.

Thursday, September 09, 2010

Warnings and Code Analysis

During development, I do my best to eliminate warnings and issues identified through code analysis. I like to do this from the start so I don’t have a massive list of “clean up” at the end of a project.

Unfortunately not all of the projects I work on start from a clean state. Like me, many developers inherit a large code base that needs to be extended, patched and enhanced. More often than not, these projects come with hundreds or even thousands of compiler warnings and have probably never been run through any static code analysis.

For code analysis, I have used FxCop and now Visual Studio Code Analysis. Using these tools, I can identify issues and correct them. On a few occasions however, the “issues” are by design and I can easily put a suppression on the error. Suppressions can happen at many levels, but I prefer to generally suppress issues at the lowest possible level. This makes me review every instance of an issue instead of blindly hiding things.

When you suppress a code analysis warning, you can add an optional reason for the suppression. This acts as inline documentation that lets me share my reasons for doing it.

Now, this is where I currently have an issue. Compiler warnings don’t allow suppressions on a per-member level with a justification attached. The best we have is #pragma warning disable / #pragma warning restore around a region of code, or suppressing every warning of that number for the whole project, and neither of those records why.

I’d like the ability to attribute methods, properties or classes to suppress compiler warnings just like I can with my code analysis. Not only that, I’d like to be able to leave documentation as to why I’ve suppressed a compiler warning.

I guess what I’m asking for is to just implement support for compiler warnings that’s identical to code analysis in Visual Studio. This would make my life a lot easier, particularly when working with large inherited code bases.

Datagrids Oh my..

I’m just going to lay this out there.. Datagrids are the bane of my existence.

Ever since I started in IT, I’ve had the fun job of fixing issues in applications that insist on using Datagrids as edit controls. Datagrids are great tools for displaying information and for selecting data, but they are USELESS for editing.

Use a master/detail layout, or even a popup edit window.. Do something else.. BUT please don’t use datagrids for editing.

When WPF first shipped, did you notice that it DIDN’T have a datagrid? Did anybody stop to think that maybe this was a good thing?? Nope, everybody complained.. “WE NEED A DATAGRID”..

WPF shipped with a ListView and a ListBox. These were fine for displaying data and data selection. WPF also shipped with some really great edit controls.. These edit controls should be used for their intended purpose. You guessed it.. Editing data..

Please, stop the datagrid abuse. 

Thursday, September 02, 2010

Windows Mobile Development Blues

Well, with the official RTM for windows mobile 7 today, I thought I might grab the developer tools (beta) and have a bit of a play. So, over to the Windows Phone Developer site to download the tools.

The download was a very smooth process (as it should be, it’s just an ISO). I mounted the ISO as a drive and clicked setup.exe.. FAIL!!!

So, I started checking all the pre-reqs.

  • Visual Studio 2010 Ultimate (Check) *
  • Windows Vista/Window 7 (FAIL)

Yep, I’m at work, and my development machine is still running Windows XP. It’s a brand new box, 2.8GHz Xeon processor, 4GB RAM, SSD hard drive and Windows XP.

It seems the emulator for WinMo7 requires DirectX 10.1, which is why it won’t run on XP. It’s not a huge issue for me, because I have a few Win 7 machines at home that I can have a play with.

What does concern me however, is that there are a number of businesses/government agencies out there who still run Windows XP and will take another year or more to migrate. During that time, they are effectively locked out of doing development for a new exciting platform.

Will this affect the uptake of devices in a corporate setting? Possibly. What it means for me is that it’s going to be very hard to push for WinMo7 as a platform until the organisation upgrades, which could still be a year or more away.

* The developer tools install VS 2010 express, but the tools can still be used from inside the full version of 2010.

Wednesday, July 14, 2010

Outlook Social Connector

I finally got around to installing outlook social connector today onto a machine running outlook 2003. The install went smoothly but I was surprised that the default installation doesn’t come with any pre-installed providers.

The first two providers I’ve installed are for Facebook and Windows Live Messenger.

Some of my contacts came up without any issues, unfortunately many of my contacts use multiple email addresses for home/work etc. This isn’t an issue with OSC, I just had to go through my outlook contacts and ensure that I had all email addresses that they use entered correctly.

With that done, OSC seems to connect most of my contacts pretty well now.

In general, it looks pretty good. I think a few more features, like the ability to reply to Facebook posts, would make OSC a must have.

I’ll post with some more thoughts once I’ve used it for a few days.

 

Stay tuned,

Ed.

Monday, June 07, 2010

Dealing with invalid Certificates

Well, I’ve been working on a project that sends out large amounts of email. It’s one of those projects that works fine in development, makes it through the test environment fine, then BOMBS in production. It turned out that the system was failing due to an invalid certificate. The certificate being used by the email server had expired months ago and nobody noticed.

While the Server guys were busy getting a new certificate, I implemented a quick fix to get the application working.

The fix involves setting up a callback used for certificate validation, which is very easy. Below is a sample (it just validates any request).

[image: Callback]

After the call back is setup, it’s just a matter of ensuring it gets called.

[image: SetupCallback]

And that’s it. Problem solved.

Obviously in the callback you’d actually check the error and only accept the certificate for the specific error you want to tolerate; a callback that returns true unconditionally switches certificate checking off for every connection in the process, not just the mail server. But as an example, this works a treat.
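Since the two screenshots aren’t reproduced here, below is an added C# example (mine, not the post’s code) with both the accept-everything callback the post describes and the version the previous paragraph asks for. The thumbprint is a placeholder; the real one comes from the expired certificate’s details.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not the post's code. Both methods match the
// RemoteCertificateValidationCallback delegate; SmtpClient, like every other
// System.Net client in the process, consults ServicePointManager's callback.
public static class MailServerCertificatePolicy
{
    // The post's quick fix: every certificate, for every host, with every
    // error, is accepted. While this is installed, TLS to the mail server
    // proves nothing, because a man-in-the-middle's self-signed certificate
    // passes exactly like the real one.
    public static bool AcceptAnything(object sender, X509Certificate certificate,
                                      X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        return true;
    }

    // SHA-1 thumbprint of the one expired certificate being tolerated.
    // Placeholder value (an assumption for the example): read the real one
    // from the certificate's details, and delete this callback once renewed.
    private const string ExpiredMailServerThumbprint =
        "0000000000000000000000000000000000000000";

    // The hardened version: the only tolerated failure is "not time valid",
    // and only on that one pinned certificate. A name mismatch, a missing
    // certificate, an untrusted issuer or any other chain problem still fails.
    public static bool AcceptOnlyPinnedExpiredCertificate(object sender, X509Certificate certificate,
                                                          X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Anything beyond a chain problem (name mismatch, no certificate) is fatal.
        if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;

        if (certificate == null || chain == null)
            return false;

        // Every status the runtime attached to the chain must be the expiry one.
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if (status.Status != X509ChainStatusFlags.NotTimeValid)
                return false;
        }

        // Pin: forgive the expiry only for the certificate we actually expect.
        string presented = certificate.GetCertHashString(); // hex SHA-1 of the DER encoding
        return string.Equals(presented, ExpiredMailServerThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Call once at start-up while the certificate is being renewed...
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = AcceptOnlyPinnedExpiredCertificate;
    }

    // ...and remove it (or ship without it) as soon as the new certificate is in.
    public static void Remove()
    {
        ServicePointManager.ServerCertificateValidationCallback = null;
    }
}
```

The pin is what makes the exception narrow: without it, any expired certificate from anyone would be accepted, which is only marginally better than returning true. Because the callback is a process-wide static, it is worth logging every call that reaches the thumbprint comparison, so the temporary exception is visible and gets removed rather than forgotten along with the certificate that caused it.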

Enjoy.

I didn’t know…

that you could use the keyboard shortcuts Ctrl + Tab in visual studio to switch between tabs. Better yet, it brings up a little dialog box that allows you to visually see the tabs you have open complete with a preview.

[image: CtrlTab]

Visual Studio 2010 unfortunately has the preview turned off by default (due to a reported performance issue right before release on slow netbooks). To enable the preview, just run the following command from a command line (or Start –> Run).

    reg ADD HKCU\Software\Microsoft\VisualStudio\10.0\General /v ShowThumbnailsOnNavigation /t REG_DWORD /d 1

Enjoy.

Wednesday, January 20, 2010

A strange little feature..

I’ve never been one for formatting data in the database; it’s something I’ve always done when the data is being displayed. Some work I’ve been doing recently has further reinforced this view.

See, while trying to reverse engineer some old code, I happened to notice some odd data. The data was an XML document generated within a stored procedure in Oracle. This should not be a big issue, as the XML should only be holding data; after all, XML is really just a data storage/transport format. This generated XML document is then used as a data source for a mail merge. I’m sure you can see where this is heading: the data in the XML gets formatted instead of doing the formatting in the merge document.

One of the dates in the XML document needs to be formatted like “01 January 2010”. So, the date value is passed into the Oracle to_char(datevalue, format) function with the format specified as “dd Month YYYY”. On the surface this all looks fine, except that the data coming out looks a little strange. There are extra spaces between the month and the year.

After a bit of playing and a few seconds with my favourite search engine, I found the answer. “Month” returns the full name of the month padded with trailing blanks to 9 characters. Yep, it’s fixed width. The format element itself has no variable-width form: you get the abbreviated version (3 characters) or the full name at 9. What turns the padding off is Oracle’s FM (fill mode) modifier, which applies to the elements that follow it in the mask, so “DD fmMonth YYYY” gives “01 January 2010” with a single space; put the fm at the very front and it also drops the leading zero from the day.

I fully understand that a default like this isn’t something that can just be changed, but it would be nice (we are in 2010) to get an unpadded date out of Oracle without having to know about a modifier.

Well, that’s the end of my little story and mini rant.

Monday, August 03, 2009

An interesting task

Over on the OzDotNet mailing list, one of the posts was asking if it’s possible to detect if there is an active exception. I believe the purpose is to change the behaviour of a method that is being called from a catch block.

While I suspect that what I consider to be the “best” solution is to pass a parameter into the function, the idea really hit a “geek spot” somewhere deep inside me. So, without further ado:

    using System.Diagnostics;
    using System.Reflection;

    public static bool InCatchBlock()
    {
        // Walk every frame on the current stack. For every frame below the top
        // one, the IL offset points at the call instruction, so it sits inside a
        // handler exactly when that method is executing a catch body.
        StackTrace stackTrace = new StackTrace();

        foreach (StackFrame stackFrame in stackTrace.GetFrames())
        {
            MethodBase method = stackFrame.GetMethod();
            if (method == null)
                continue;                                   // no managed method info for this frame

            MethodBody body = method.GetMethodBody();       // null for abstract/extern methods
            if (body == null)
                continue;

            int ilOffset = stackFrame.GetILOffset();
            if (ilOffset == StackFrame.OFFSET_UNKNOWN)
                continue;

            foreach (ExceptionHandlingClause clause in body.ExceptionHandlingClauses)
            {
                // Only catch handlers (plain or filtered) count. Finally and fault
                // blocks also run while an exception unwinds, but are not catch blocks.
                bool isCatch = clause.Flags == ExceptionHandlingClauseOptions.Clause
                            || clause.Flags == ExceptionHandlingClauseOptions.Filter;
                if (!isCatch)
                    continue;

                if (ilOffset >= clause.HandlerOffset &&
                    ilOffset < clause.HandlerOffset + clause.HandlerLength)
                {
                    return true;
                }
            }
        }

        return false;
    }

The function above simply walks the current call stack and checks at each frame whether we are inside a declared catch block. It seems to work fine for the limited testing I’ve done.



On a related note, I personally believe that code should not care about where it’s called from, as that creates intimate coupling with upstream code, which more likely than not will create issues with your code.

Tuesday, April 07, 2009

National Broadband Network

Wow, it’s been months.. no, years since this process started. Finally today we got the announcement we were all waiting for. Who is going to build the NBN?? Who won, who can provide the best service??

Well, it turns out that nobody was a winner. The government has cancelled the request for tender process and has decided to go it alone.

So, the plan? A new Government-owned business that will build a new network over the next 8 years. $4.7 billion of initial capital, but the plan is for a total of $43 billion over the full 8 years.

Personally, I think this is a very interesting result. The NBN, along with Voice over IP, the social internet and mobile communications, will effectively make Telstra’s existing infrastructure obsolete. I guess we will see soon what Telstra plans to do. Will they build a competing network? Lower prices so they can actually compete? I do hope this move brings competition to the market, and that the Government’s moves will produce a workable, usable network.

Monday, April 06, 2009

A growing shrinking problem

A growing trend around the net lately, has been shrinking URLs. This isn’t a new thing, it’s been around for several years thanks to tinyurl and a few other sites.

The purpose of shrinking URLs is to make re-typing addresses easier, to make the links neater and to cut down on space.

Twitter has benefitted massively from shrinking URLs. With such a small limit on message length, it means users can have a URL AND a little bit of info in their message. It’s a win-win.

Unfortunately, it seems that more places are also adopting the process of URL shrinking, in some cases, with very little benefit and some big downsides for me.

So, what’s the problem? I regularly use a little feature that exists in nearly every browser: I look at where a link points (hover over it and read the status bar) before deciding whether to click on it. See, it’s very easy to have a link that reads “A Nice Site with Puppy Dogs” but really points to www.somebadurl.com. Personally, I’d not click on that link despite the promise of puppy dogs.

Shrinking URLs unfortunately hides the true destination of a hyperlink, and as such means that I am running blind. This means I have to use my best judgement based on trust: do I trust the person or site that posted the link? In general, this isn’t too bad.

But this is where it’s getting more difficult. Several social media sites are now actively shrinking all URLs posted on their site. These links can be posted by anybody, people I don’t know, people I don’t trust. The result, the sites no longer have my patronage. Sure, I’m only one person, but I’d rather be safe than run the risk of something far nastier.

Tuesday, March 24, 2009

News Flash: Wally has been found

It’s been years, many books, and finally the day has come. Here is Wally

Friday, March 20, 2009

A Quick history of the internet

Anybody who thinks Microsoft haven’t gotten their mojo back only have to stop and grab IE8 and take a look at this video (IE8 not required)..

Thursday, March 19, 2009

IE8 News

Straight from the horse’s mouth via Twitter: “@NickHodge IE8 Final: you'll be able to download it from 3:00am AEST tomorrow. http://www.microsoft.com/ie8”

So, I guess tomorrow morning I’ll be updating my IE8 RC installs.. w00t!!