Wednesday, December 22, 2010

Windows XP, Powershell and Deployment


Anybody who has read my blog will understand some of my frustration with running in environments with out-dated operating systems. Well, this post is another in a series of mini-rants about how new technology running on old platforms, mixed with half-hearted implementations, has once again contributed to a sub-optimal solution.

I’m currently running Windows PowerShell 2.0 on a Windows XP machine, and the large majority of our servers are still running Windows Server 2003. This “antiquated” environment outright rules out the use of PowerShell remoting for updating servers during deployment.

This shouldn’t be a problem, as PowerShell comes with very useful built-in cmdlets that allow you to interrogate processes on remote machines, map drives and do a lot of other really fun things. Once again, this is where my environment comes into play. Production web infrastructure doesn’t use our internal Active Directory for authentication; this decision was made many years ago for security reasons. The result is that we need to pass credentials to both Get-Process and New-PSDrive in order to retrieve processes and map network drives. Let’s look at each of these commands.

Get-Process

A quick look at this command (get-help get-process -Full) reveals that it doesn’t accept credentials at all. The only way to use it against a remote machine is to be pre-authenticated with that machine and have the correct permissions.

New-PSDrive

This command seems a little better: it actually has a parameter for credentials. This surely must be a winner... right?

It turns out that the credentials are just passed through to the provider specified with the PSProvider parameter. Unfortunately the FileSystem provider completely ignores this parameter, which leaves the cmdlet useless for our environment once again.

Where does that leave us?

It leaves me using PowerShell, mixed with WMI and Windows Scripting, for something that should have been very easy to implement.
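Here is the WMI plus Windows Scripting route in working form, as an added example rather than the post’s own script: it runs on PowerShell 2.0 against a Server 2003 host that is not in our AD, passing explicit credentials for both the process query and the drive mapping. The server, share and account names are placeholders.

```powershell
# Added example (not the post's code): remote process query and drive mapping
# with explicit credentials, for PowerShell 2.0 on XP against Server 2003 hosts
# outside our Active Directory. Server, share and account names are placeholders.
$server = 'prodweb01'                        # placeholder host name
$share  = '\\' + $server + '\deploy$'        # placeholder deployment share
$cred   = Get-Credential -Credential "$server\deployuser"   # prompts; nothing stored on disk

# 1. Processes. Get-Process has no -Credential, but WMI over DCOM does, and
#    Win32_Process is a standard class, so no PowerShell remoting is needed.
$workers = Get-WmiObject -Class Win32_Process -ComputerName $server -Credential $cred |
    Where-Object { $_.Name -eq 'w3wp.exe' } |
    Select-Object Name, ProcessId, CommandLine
if ($workers) {
    "IIS worker processes still running on ${server}:"
    $workers | Format-Table -AutoSize
}

# 2. Drive mapping. The FileSystem provider behind New-PSDrive ignores
#    -Credential, but WScript.Network.MapNetworkDrive takes a user and password.
$net    = New-Object -ComObject WScript.Network
$plain  = $cred.GetNetworkCredential().Password   # unwrapped only for the COM call
$mapped = $false
try {
    $net.MapNetworkDrive('Z:', $share, $false, $cred.UserName, $plain)
    $mapped = $true
    Copy-Item -Path '.\release\*' -Destination 'Z:\' -Recurse -Force
}
finally {
    # Always drop the mapping when done: $true forces removal even with open
    # handles, $false leaves the user profile untouched.
    if ($mapped) { $net.RemoveNetworkDrive('Z:', $true, $false) }
    $plain = $null
}
```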

I’m sure that this usage scenario isn’t particularly obscure, and I hope that future iterations of PowerShell clean up some of the loose ends around providing credentials to commands instead of assuming that the current user has access to all network resources.

Tuesday, November 09, 2010

Clearly ahead of my time

Yesterday I put up a post about Validating user input. Today, news that the British Navy has been hit with a SQL Injection Attack.

I have a very simple question about this: why is this sort of thing still happening? Not only are we talking about an attack that is very simple to defend against, but we are also talking about a military organisation. I’m sure that most countries have invested large amounts of money into cyber security, yet they are still failing to implement simple security measures.

Here is a list of possible ways this could have been picked up BEFORE it became an issue:

  • Code Reviews. Easy, internal, and should be done by a person who knows about this sort of thing.
  • External Code Reviews. If you don’t have in-house expertise, there are plenty of companies out there who can help.
  • Application Security Testing. Get an external company to try and break into the system.

There are many other ways, but these in conjunction with better education would go a long way to ensuring these types of attacks are a thing of the past.

Monday, November 08, 2010

There is just no excuse for….

not sanitising and validating your user inputs. These two items are the most important aspects of writing a stable and secure system.

Not only do I think that Sanitising and Validating is important, I also believe that it must be done in that exact order.

Here is a quick example of what can go wrong:

Imagine you have a web application used to sign up users. The only mandatory field is Username, and it must be a minimum of 10 characters in length. This is a very easy check, but developers will quite often perform a trim on data going into a database. What happens when you validate for length but then have your code remove 1, 2 or maybe even 10 characters? The worst case here is that a string full of spaces passes validation, then your code removes all 10 characters from the username, resulting in an attempt to insert a null into the database. From here, hilarity will ensue, with either a database constraint exception or random null reference exceptions down the track when you try to use the data for something useful.

This is a very basic example of what can go wrong when you either don’t sanitise, don’t validate, or get the two in the wrong order.
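The sign-up check above, run in both orders against the all-spaces input, as an added example that is not part of the original post:

```powershell
# Added example (not the post's code): the sign-up check in both orders.
# Username is the only mandatory field and must be at least 10 characters.
# Each function returns the value that would reach the INSERT, or 'REJECTED'.

function Test-ValidateThenTrim {
    param([string]$Username)
    # Wrong order: validate the raw value, then sanitise it on the way to the DB.
    if ($Username.Length -lt 10) { return 'REJECTED' }
    $stored = $Username.Trim()
    if ($stored.Length -eq 0) { return $null }   # the INSERT now receives NULL
    return $stored
}

function Test-TrimThenValidate {
    param([string]$Username)
    # Right order: sanitise first, then validate exactly what will be stored.
    $clean = $Username.Trim()
    if ($clean.Length -lt 10) { return 'REJECTED' }
    return $clean
}

# Constructed inputs: ten spaces, a padded short name, a padded valid name.
$samples = @((' ' * 10), '   edward   ', '   edwardsmith   ')
foreach ($s in $samples) {
    $wrong = Test-ValidateThenTrim $s
    $right = Test-TrimThenValidate $s
    if ($wrong -eq $null) { $wrong = 'NULL' }
    "input [{0}] validate-then-trim -> {1}; trim-then-validate -> {2}" -f $s, $wrong, $right
}
```

The ten-space input shows the post’s worst case (passes validation, stores NULL), and the padded short name shows a quieter variant where a six-character username gets past a ten-character rule.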

Web apps in particular are still a very popular target for malicious users, using SQL injection attacks, delayed injection attacks or any other method you can possibly think of.

So please, do the right thing: Sanitise then Validate ALL your data.

My HTC Mozart

Well, I’ve now had my HTC Mozart for a little over 2 weeks, and I felt it was time I put up a few of my thoughts.

[image: HTCMozart]

I’ll start off with a simple statement. I LOVE this phone and I LOVE Metro.

What I like

Metro. Texting. Emails. Live Integration. It’s all so seamless, intuitive and easy to use. Admittedly, I’ve come over from WinMo6.1, so a lot of people are going to scoff at this, but I really like the speech balloon approach to text message conversations.

Keeping up to date with emails on this phone are a joy. I’ve pinned 2 of my email accounts to the main screen, and I can easily see when I have emails and how many. Reading emails is clean, easy and efficient. This is the first phone I’ve had where I actually question the need to use a desktop machine for emails. This is a good thing.

My previous phone was with 3, and the handset had serious issues when roaming (reboots, dropouts, crashes).. This was a killer for me. My Mozart on Telstra? It’s awesome. I get coverage everywhere I’d expect it. I travel between Canberra and Cooma regularly, and with this phone I get coverage most of the way. This is just awesome. Yes, I know this is more about the network, but at least when I roam it doesn’t reboot.

I have even grabbed the official Twitter client. This app looks and feels like it belongs, while still having the typical styling of Twitter. It’s clean and easy to use, and I’ve started using it for the majority of my twittering.

What I don’t like

As with previous versions of WinMo and desktop Windows, a lot of manufacturers installed a lot of CrapWare. With WinMo 7, Microsoft limited the number of third party apps that can come pre-installed on these devices. This is a great idea. And the third party apps that came with my phone (thanks HTC and Telstra) are perfect examples of why these sorts of applications shouldn’t be pre-installed.

I’ll start with the Telstra hub, because I have mixed feelings about this. I really like the weather view on this. The overall feel of the hub is alright, except for 2 gripes. The first is that it’s slow. There is a lot going on in this tab, and sometimes it’s just not responsive for 2-3 seconds. This isn’t good. My other gripe with the Telstra hub is “My Places”. Is this the best you could do, Telstra? A few buttons that just launch a web URL? It kinda takes away from the whole experience. Fix these two things, and the Telstra hub could be my new best friend.

And then there is the HTC Hub. Seriously HTC, did you guys think about trying to fit into the Metro style? I think not. This looks and feels just like the typical “HTC knows better” type of UI. It looks like it belongs on the front screen of an Android or WinMo 6.5 phone. This isn’t Metro. All this screen does is provide time/weather information and links to other (reasonably useless) applications. If you can’t take this sort of thing seriously, then stay off my phone. You guys make great hardware, but I think you need to stay out of the phone software business.

What I’m “Meh” About

I’m still not impressed about the lack of a Music Marketplace for the phone. I understand that this isn’t just a Microsoft issue, but I do think that if Microsoft had been a little more organised, and maybe even been a little more aggressive then we would probably have a download service by now. The reason this is only “Meh” and not a “Don’t Like” is because I already have a large music collection and I already used the Zune desktop client at home. This resulted in a very easy migration over to the new phone, it just seemed to work.

Contact Management is another of my “Meh” items. I love the fact that a lot of contacts have been pulled from my various social networks. I even prepared and migrated all of my outlook contacts over to live before I got my phone. The “Meh” moment with this was the merge functionality. Both the phone and Live offer merge suggestions which seems like a good idea, but when 2 contacts with IDENTICAL names are not recommended, then I know it’s got problems. Fix this small issue and the merge will be up there in the like section.

Besides all of this, there are a few other “oddities”, but I am not going to complain because Microsoft are already working on addressing these. And no, I’m not talking about copy/paste and multi threading.. I’m talking about the following:

  • Open office documents directly from my live account
  • Filtering out some contacts. Some people are in my “larger” social graph because it’s the right thing to do; it doesn’t mean I want to know when and where they poop directly from my phone.

Thursday, September 23, 2010

More on Open Music Platform

Ok, so I’m sure some people have read my post yesterday about the market speak coming from Microsoft about the state of Zune Marketplace in Australia.

I thought I should probably take some time out to explain my thoughts/feelings a little better.

Open Music Platform

I think the idea of having DRM free music, being able to share your music between devices regardless of where it came from is very important. I have a very large collection of completely LEGAL music that I want on my mobile devices.

From an adoption point of view, being able to sync a Windows Mobile 7 device with music you purchased from iTunes is great, and I wouldn’t expect anything less.

The State of Music In Australia

In Australia, we have very limited ways to get downloadable music. We have iTunes, Bigpond Music if you’re a Bigpond user, and that’s about it. There are a number of other online music stores, but due to licensing restrictions they can’t sell music to us in Australia. Sure, we can trick them by using US proxies, paying with US credit cards etc, but the point is that it’s actually against their terms and conditions and probably illegal.

Marketing Speak

The post I pointed to from Dave Glover didn’t do anything to clarify the original point that Zune Marketplace doesn’t allow Music Downloads within Australia. He went on to point out how we could use existing music we owned, get music from other sources, and all the Video content we could get. But I go back to the point that he didn’t address the original issue of not being able to buy music through Zune Marketplace which can be enjoyed in the US and Europe.

Usage Scenarios

Let’s look at the major competition from an entertainment point of view. You know who I’m talking about: Apple and their iPhone and iPad.

  • iOwners can use one tool to download new music and sync with their devices. It’s easy to use and just works. This is a simple scenario that won’t be available to Windows Phone 7 owners in Australia.
  • iPhones and iPads can natively access iTunes through wireless internet access. If you want new music and you have signal then it’s available. Again, this won’t be available to Windows Phone 7 owners in Australia.

Why is this happening

There are only 2 possible reasons I can imagine that would prevent Australian Windows Phone 7 owners from accessing online music.

  • MPAA or some other Music Industry representatives cannot come to an agreement with Microsoft. I actually find this unlikely due to the fact that Apple managed to get some sort of agreement in place.
  • Microsoft View the potential market in Australia to be too small, and therefore won’t invest the time and money into getting an agreement and systems in place.

My Criticism

My issue with this whole thing is the Marketing crap that comes out of Microsoft about this issue. It is an issue that will affect the uptake of the phone.

In addition to this, I did take the time to reply to Dave Glover yesterday through the comments on his post. I think the worst thing I said in the comment was “contempt”, in the context of the way they (Microsoft) can’t be honest about what’s going on. But it seems my comment didn’t make it through the moderation process.

What I’d Like to See

This is really simple. I’d like to see Microsoft publicly acknowledge this as an issue and at least explain why we can get Video on our phones (I don’t care for this) but won’t be able to get music (I care about this). Possibly even detail what they are doing to correct it.

Ed.

Wednesday, September 22, 2010

An “Open Music Platform”

Sorry, that just sounds like marketing speak for “We are not going to provide music downloads for you”.

What am I talking about? Read this.

One of the things that has made iAnythings so popular is iTunes. It’s a one stop shop for Apps, Videos AND MUSIC. The iWantItNow generation don’t go to the music shop to buy CDs, take it home, rip it (is that even legal?) and then sync to their iDevice. Nope, they login to iTunes, download it and sync. 5 Minutes max to get the music they want.

With Windows Phone 7, we will have a useful tool called Zune. This works with the Zune marketplace, and in the US, most of Europe and a whole heap of other countries it will be the perfect replacement for iTunes. In Australia, we can only download videos, not music. In fact, in Australia we can’t use most online music stores due to the fact that we are not in the United States.

The answer is actually pretty simple: buy your music through iTunes, then use the Zune software to sync with your phone. But this isn’t as easy as it should be. Another option is to trick Zune into thinking you’re in the US, but that’s just not right, is it?

Anyway, please don’t treat people in Australia with such contempt by telling us about Open Music Platforms. That’s just a nice way of saying “You don’t get it, suck it up”.

Monday, September 20, 2010

ASP.Net Crypto Attack

Well, unless you’ve been living under a rock for the last week you are probably now aware of the Crypto attack that is in the wild and targets ASP.Net applications. This attack is raising many of the same issues that we see regularly in the industry with SQL Injection Attacks.

Wait, what?? Yes, this is another of those situations where Developers and Administrators have been lazy. Yes, it is a Vulnerability and it needs to be fixed, but it’s also become a massive issue because a large number of ASP.Net applications don’t handle errors correctly.

The recommended workaround (from the MS Security Advisory) is to simply enable customErrors and redirect to a generic error page. The simple fact is that EVERY ASP.Net app out there should be doing this already. This is one of the many steps in mitigating attacks on websites, including SQL injection attacks. Returning any error information to potentially malicious users is bad.

So, let me quickly run through the bare essentials.

If you’re using .Net 3.0 or earlier, add this to your config file:

<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On"
                    defaultRedirect="~/error.html" />
    </system.web>
  </location>
</configuration>

For .Net 3.5 and above:

<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On"
                    redirectMode="ResponseRewrite"
                    defaultRedirect="~/ErrorPage.aspx" />
    </system.web>
  </location>
</configuration>

There is an additional step you should take. In your error page, add a random sleep to the Page_Load event. Why? The short answer is that some attacks use timing information to derive information. Adding in a random sleep (generate the random number through the crypto engine) helps to remove another potential vector for gathering information.

Please, don’t be lazy, make sure your Web Apps are secure.

Thursday, September 16, 2010

Another Sad Day

Well, today’s the day. The official launch of the IE9 Beta, and it’s made me sad. I’m not sad because of what IE9 is. IE9 looks to be an absolutely awesome browser, much faster than previous versions, possibly more secure and a hell of a lot sexier.

I’m sad because, like many other people out there, I spend a large amount of time sitting in a corporate environment that is still years behind. Yep, I’m still on Windows XP. This limits me to IE8, or one of the many other browsers out there.

At home, I’ve already installed IE9 beta, and I have to say that my initial impressions are pretty good. What can I say, I’m not particularly fussy about my browser, I just want it to work. IE9 Beta seems to fit that so far and has a few features that I’m pretty excited about. Pinning web pages and having them almost feel like an extension of the desktop is amazing. It’s just not the sort of amazing that I can experience at work.

I think for now, my netbook with wireless internet access is going to be how my web browsing is done from work. It’s just going to be separate from the corporate network.

Thursday, September 09, 2010

Warnings and Code Analysis

During development, I do my best to ensure that I eliminate warnings and issues identified through code analysis. I like to do this from the start so I don’t have a massive “clean up” list at the end of a project.

Unfortunately not all of the projects I work on start from a clean state. Like me, many developers inherit a large code base that needs to be extended, patched and enhanced. More often than not, these projects come with hundreds or even thousands of compiler warnings and have probably never been run through any static code analysis.

For code analysis, I have used FxCop and now Visual Studio Code Analysis. Using these tools, I can identify issues and correct them. On a few occasions however, the “issues” are by design and I can easily put a suppression on the error. Suppressions can happen at many levels, but I prefer to generally suppress issues at the lowest possible level. This makes me review every instance of an issue instead of blindly hiding things.

When you suppress a code analysis warning, you can add an optional reason for the suppression. This acts as inline documentation that allows me to share my reasons for doing so.

Now, this is where I currently have an issue. Compiler warnings don’t allow suppressions on a per-instance level. The best we have is the ability to suppress all warnings of a type for a particular project.

I’d like the ability to attribute methods, properties or classes to suppress compiler warnings just like I can with my code analysis. Not only that, I’d like to be able to leave documentation as to why I’ve suppressed a compiler warning.

I guess what I’m asking for is to just implement support for compiler warnings that’s identical to code analysis in Visual Studio. This would make my life a lot easier, particularly when working with large inherited code bases.

Datagrids Oh my..

I’m just going to lay this out there.. Datagrids are the bane of my existence.

Ever since I started in IT, I’ve had the fun job of fixing issues in applications that insist on using Datagrids as edit controls. Datagrids are great tools for displaying information and for selecting data, but they are USELESS for editing.

Use a master/detail layout, or even a popup edit window.. Do something else.. BUT please don’t use datagrids for editing.

When WPF first shipped, did you notice that it DIDN’T have a datagrid? Did anybody stop to think that maybe this was a good thing?? Nope, everybody complained.. “WE NEED A DATAGRID”..

WPF shipped with a ListView and a ListBox. These were fine for displaying data and data selection. WPF also shipped with some really great edit controls.. These edit controls should be used for their intended purpose. You guessed it.. Editing data..

Please, stop the datagrid abuse. 

Thursday, September 02, 2010

Windows Mobile Development Blues

Well, with the official RTM for windows mobile 7 today, I thought I might grab the developer tools (beta) and have a bit of a play. So, over to the Windows Phone Developer site to download the tools.

The download was a very smooth process (as it should be, it’s just an ISO). I mounted the ISO as a drive and clicked setup.exe.. FAIL!!!

So, I started checking all the pre-reqs.

  • Visual Studio 2010 Ultimate (Check) *
  • Windows Vista/Window 7 (FAIL)

Yep, I’m at work, and my development machine is still running Windows XP. It’s a brand new box: 2.8GHz Xeon processor, 4GB RAM, SSD hard drive and Windows XP.

It seems the emulator for WinMo7 requires DirectX 10.1, which is why it won’t run on XP. It’s not a huge issue for me, because I have a few Win 7 machines at home that I can have a play with.

What does concern me however, is that there are a number of businesses/government agencies out there who still run Windows XP and will take another year or more to migrate. During that time, they are effectively locked out of doing development for a new exciting platform.

Will this affect the uptake of devices in a corporate setting? Possibly. What it means for me is that it’s going to be very hard to push for WinMo7 as a platform until the organisation upgrades, which could still be a year or more away.

* The developer tools install VS 2010 express, but the tools can still be used from inside the full version of 2010.

Wednesday, July 14, 2010

Outlook Social Connector

I finally got around to installing outlook social connector today onto a machine running outlook 2003. The install went smoothly but I was surprised that the default installation doesn’t come with any pre-installed providers.

The first two providers I’ve installed are for Facebook and Windows Live Messenger.

Some of my contacts came up without any issues, unfortunately many of my contacts use multiple email addresses for home/work etc. This isn’t an issue with OSC, I just had to go through my outlook contacts and ensure that I had all email addresses that they use entered correctly.

With that done, OSC seems to connect most of my contacts pretty well now.

In general, it looks pretty good. I think a few more features, like the ability to reply to Facebook posts, would make OSC a must-have.

I’ll post with some more thoughts once I’ve used it for a few days.


Stay tuned,

Ed.

Monday, June 07, 2010

Dealing with invalid Certificates

Well, I’ve been working on a project that sends out large amounts of email. It’s one of those projects that works fine in development, makes it through the test environment fine, then BOMBS in production. It turned out that the system was failing due to an invalid certificate. The certificate being used by the email server had expired months ago and nobody noticed.

While the Server guys were busy getting a new certificate, I implemented a quick fix to get the application working.

The fix involves setting up a callback used for certificate validation, which is very easy. Below is a sample (it just validates any request).

[image: Callback]

After the callback is set up, it’s just a matter of ensuring it gets called.

[image: SetupCallback]

And that’s it. Problem solved.

Obviously in the callback you’d actually check the error and only accept the certificate for the specific error you want to allow, but as an example, this works a treat.
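The narrower callback the last paragraph describes, as an added example (the post’s own screenshots are not reproduced here): it hooks the same .NET ServicePointManager callback from PowerShell 2.0, whose Send-MailMessage uses System.Net.Mail.SmtpClient underneath, and overrides only the expiry error, only for one known certificate. The server name, thumbprint and addresses are placeholders.

```powershell
# Added example (not the post's code): accept ONLY the expected expired
# certificate, and only for the not-time-valid chain error. Thumbprint,
# SMTP host and addresses are placeholders.
$expectedThumbprint = 'PLACEHOLDER_SHA1_THUMBPRINT_OF_THE_EXPIRED_CERT'

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $certificate, $chain, $sslPolicyErrors)

    # Normal case: the chain validated, nothing to override.
    if ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None) { return $true }

    # Only chain errors are candidates; a name mismatch or missing cert stays fatal.
    if ($sslPolicyErrors -ne [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) { return $false }

    # Every reported chain status must be NotTimeValid (expired) and nothing else,
    # so an untrusted root or a revoked cert is still rejected.
    $other = @($chain.ChainStatus | Where-Object { $_.Status -ne 'NotTimeValid' })
    if ($other.Count -gt 0) { return $false }

    # Pin the override to the one certificate the server guys are replacing.
    $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
    if ($cert2.Thumbprint -ne $expectedThumbprint) { return $false }

    Write-Warning ("Accepting expired certificate {0} (NotAfter {1})" -f $cert2.Subject, $cert2.NotAfter)
    return $true
}

# The callback is consulted during the TLS handshake of this synchronous send,
# so the script block runs on the calling thread.
Send-MailMessage -SmtpServer 'mail.example.internal' -UseSsl `
    -From 'app@example.internal' -To 'ops@example.internal' `
    -Subject 'Deployment report' -Body 'Constructed test message'

# Clear the override once the new certificate is installed.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
```

The thumbprint check is what stops the workaround from silently turning into “accept any certificate” for every TLS connection the process makes, since the callback is process-wide.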

Enjoy.

I didn’t know…

that you could use the keyboard shortcuts Ctrl + Tab in visual studio to switch between tabs. Better yet, it brings up a little dialog box that allows you to visually see the tabs you have open complete with a preview.

[image: CtrlTab]

Visual Studio 2010 unfortunately has the preview turned off by default (due to a reported performance issue right before release on slow netbooks). To enable the preview, just run the following command from a command line (or Start –> Run).

reg ADD HKCU\Software\Microsoft\VisualStudio\10.0\General /v ShowThumbnailsOnNavigation /t REG_DWORD /d 1

Enjoy.

Wednesday, January 20, 2010

A strange little feature..

I’ve never been one for formatting data in the database; it’s something I’ve always done when the data is being displayed. Some work I’ve been doing recently has further reinforced this view.

See, while trying to reverse engineer some old code, I happened to notice some odd data. The data was an XML document generated within a stored procedure in Oracle. This should not be a big issue as the Xml should only be holding data, after all, Xml is really just a data storage/transport format. This generated Xml document is then used as a data source for a mail merge. I’m sure you can see where this is heading, the data in the Xml gets formatted instead of doing the formatting in the merge document.

One of the dates in the XML document needs to be formatted like “01 January 2010”. So, the date value is passed into the oracle to_char(datevalue, format) function with the format specified as “dd Month YYYY”. On the surface this all looks fine, except that the data coming out looks a little strange. There are extra spaces between the month and the year.

After a bit of playing and a few seconds using my favourite search engine, I found the answer. “Month” returns the full name of the month padded to 9 characters. Yep, it’s fixed width. There is no option for a non-fixed width full month format. You can do the abbreviated version (3 chars) or the full at 9.

I fully understand that this isn’t something that can just be changed, but it would be nice (we are in 2010) to be able to format a date in Oracle without the padding.

Well, that’s the end of my little story and mini rant.