Tuesday, March 30, 2010

DenDNN – Do you know about the Denver DNN User Group?

The Denver DotNetNuke group meets about once every two months and the next meeting should be around mid May.

For more information: http://denver.dnnug.com/

David Ferreira is the current organizer of this group.

Monday, March 29, 2010

Multi touch for your Windows laptop

I have a MacBook and I love the multi touch interface that it provides through its touch pad. Everytime I return to using my Windows machine after using the MacBook, I long for the multi touch interface.

Scrybe changes all that.

First here is what you need to know…. Your laptop should have a Synaptics touch pad. (My Inspiron 1520 has this). Next get Scrybe and install it. (http://www.uscrybe.com/)

You will probably need to restart your machine.

The first thing to try is scrolling. Use 2 fingers and drag it down your touch pad….. woo! hoo!

Now to use three fingers. Tap with three fingers. This should bring up a drawing panel. Here you can draw different symbols and have different operations performed.


Drawing the question mark symbol opens up your browser and takes you to your favorite search engine. You can even create custom gestures to do different things.

Its no MacBook multi-finger interface, but it just makes life so much easier (especially 2 finger scrolling). I love it.

Here are the gestures supported:


(tip: use the above image as a wall-paper – to remind you of all the basic gestures, until you have memorized them all)

If your laptop does not have a supported touchpad device then the installer will pop up the following message and quite:

Sunday, March 28, 2010

Results of Martin Fowler’s VCS survey:

VCS – Version Control Systems

TFS approval is 0%! Nobody asked me what I think….! My thought: when you look at what TFS is – a complete system that is not just a VCS but also a tool to manage your development process and communicate with your development team – my approval rating is 100%. (As an analogy - Its not just a knife, its a swiss army knife for a developer – but remember when all you need is a knife – dont go out and buy a swiss army knife)


RMM: steps toward the glory of REST

On Martin Fowler’s site “Richardson Maturity Model: steps toward the glory of REST

Introduces REST through a series of steps/levels that you might even go through while implementing and exposing webservices for your application.

This is how I read the 4 levels translate:

Level 0: Using something like SOAP and a single end-point (URI)

Level 1: Introducing multiple URIs (each acting like an end-point), to perform different operations.

Level 2: Using the HTTP verbs (Get,Post,Put,Delete, etc…) when performing different types of operations on each URI that you expose.

Level 3: Adding links in your responses to operation requests that allow for discoverability of what can be done next.

Saturday, March 27, 2010

Words - esemplastic

esemplastic • \es-em-PLAS-tik\  • adjective
: shaping or having the power to shape disparate things into a unified whole

Friday, March 26, 2010

Words - Shibboleth

shibboleth • \SHIB-uh-luth\  • noun
1 : catchword, slogan *2 : a widely held belief or truism 3 : a custom or usage regarded as distinctive of a particular group

Tuesday, March 23, 2010

Historical Day!

March 23, 2010 – history made….

Comcast – Connection Speeds

Current Comcast connection speed stats that I get at home:

Using WireShark to diagnose network issues

WireShark is an awesome packet sniffer tool that is free. It is a complicated tool and in the hands of a pro – probably extremely powerful. Unfortunately it is extremely hard to understand and use.

What I wanted it to do is tell me if packets from my VPN connection tool were at least hitting the network adapter (Probably the simplest thing that you can use WireShark to do – determine if packets destined to a certain address are hitting your network adapter).

Step 1: Install WireShark

Get it from sourceforge at http://sourceforge.net/projects/wireshark/files/ (or www.wireshark.org)

The basic options should be good for everyone.

Step 2: Start up WireShark.

Step 3: Under interface list you should see all your network adapters. Select the one that you are using for trying to connect to the destination address.

In my case, I had 2 interfaces listed – one for the wired port and the other for the wireless port. The wireless port for some reason was named Microsoft on my computer. This is the one I selected.

Selecting the interface will open a new window: The Wireshark Capturing window.

Step 4: The wireshark capture window.

If you selected the correct interface you should immediately begin seeing a whole bunch of traffic, representing all the current connections that your computer is making through this interface. (If you dont see any traffic, open up your browser and try and browse to some site. This should begin listing traffic in the window. If not, you most probably picked the wrong interface).

Step 5: Test if you are able to communicate with the destination.

What you need for this is the IP address of the destination (at least thats how I was going to do it).

In the capture window there is an filter text box. Type the following expression “ip.src == xxx.xxx.xxx.xxx || ip.dst == xxx.xxx.xxx.xxx”, where xxx.xxx.xxx.xxx is the IP address of the destination that you are trying to connect to. The expression will display only those packets that either originated at the other IP address or are destined to that IP address. This will make it easier to figure out if the connections are going out correctly.

Now try and run the operation that will initiate the external connection. If you see activity in the window, then things are working and the problem is elsewhere. If you dont see activity, then the issue is probably on your end – and the first place to look would be your firewall rules.

The activity will look something like the following window:


Note: There are only 2 things to learn from this post: Use WireShark when you need to look at network packets at a low-level and the expression ip.src == “xxx.xxx.xxx.xxx” || ip.dst == “xxx.xxx.xxx.xxx”. Everything else is just extra information!

Saturday, March 20, 2010

HaHaa Brothers Show – Lessons in Asp.Net Security


A disturbing video with Scott Hanselman dancing to hamster on a piano and then to Beyonce!

Actually this is a good video of a MIX10 demo that shows how your coding practices can make your ASP.Net MVC app vulnerable and also instructs on best practices and ways to secure your web-app.

Demo 1: java-script injection

lesson 1: dont trust user data

lession 2: in MVC use the ValidateInput attribute

lesson 3: use “<%:” instead of “<%=” when using server variables in your front end code. This new construct is similar to calling html.encode.

Demo 2: javascript injection with defer tag on script

lesson 1: learn about the the AntiXSS library and use the AntiXSS.Encoder (which if you recall my previous post is an encoder based on a white list instead of the black list that the default encoder uses). You can set the AntiXSS encoder as the default encoder via the HttpRuntime setting in the web.config.

lesson 2: Use Ajax.JavascriptStringEncode

Demo 3: Cross-Site request forgery attack (a confused deputy attack)

This attack attempts to rely on the fact that you are already logged in to a secure site and attempts to submit a form with all the data that could lead to an unauthorized action.

lesson 1: Use the ValidateAntiForgeryToken in MVC on your controller methods and insert the token using Html.AntiForgeryToken into the html.

When the method in the controller gets called, the ValidateAntiForgeryToken will look at the hash code in the html page (inserted as a hidden field) and the hash code in the cookie and will throw an error if the 2 values do not match.

Demo 4: Javascript injection that redefines JS methods.

In this demo, a special method is called every time an ID is set on a page element. The hack depends on arrays that are being returned as JSON to a GET request.

I need to review this hack again – as I wasn't completely able to understand how the hack worked and what the fix does.

One best practice specified is that when returning data that should be secured then one should not return it as an array.

Demo 5: Hacked post values via tools like Fiddler

cool tip: to listen to messages being sent to a local HTTP server (like when you are developing an ASP.Net app), use “localhost.:” or “ip4.fiddler” so that data is passed through the fiddler proxy.

lesson: in MVC your post data is automatically bound to the controller methods parameter type. If a hacker tries to guess properties on your model type, then they might be able to send bad data to your application.

One way around this is to setup a white list (or a back list) using the Bind attribute on your parameter. The bind attribute tells MVC what data from the post can be automatically copied into your model object.

This video is definitely a good way to spend 60 minutes of your time.

Windows Phone Developer Tools CTP


What it includes:

Visual Studio 2010 Express for Windows Phone CTP
Windows Phone Emulator CTP
Silverlight for Windows Phone CTP
XNA 4.0 Game Studio CTP

note: requires a restart of the computer

Friday, March 19, 2010

TFS 2010 – New Feature – Team Project Collections

One problem that all previous versions of TFS suffered from was that if you worked in a large organization and had only one TFS server instance then you could potentially end up with hundreds of projects on that server. I hated this design because it did not let me separate out all related projects into separate sections.

In TFS 2010 a new feature called Team Project Collections has been added. Superficially what it looks like is as though you have multiple TFS instances on one single server. Basically now when you try and add a project through team explorer, you will not just specify/select the TFS server but also a TFS project collection. Here is an image from the TFS documentation that explains Team Project Collections…


Team Project Collections dont only allow you to corral all similar projects into collections, but it also allows you to specify a different set of hardware resources that each team project collection ends up using. This is a really cool feature because in our case we are starting of with a single machine deployment of TFS. When we begin outgrowing the single server model, we will be able to create a new Team Project Collection and have it use a new database server.

One thing to remember is that because each Team Project Collection will exist in its own database is that you will not be able to reference work-items between projects that exist in different team project collections. On the other hand, you will be able to backup any Team Project Collection on its own, as it is, its own database.

Some more information can be picked up from BHarry’s blog post: http://blogs.msdn.com/bharry/archive/2009/04/19/team-foundation-server-2010-key-concepts.aspx

Thursday, March 18, 2010

Monday, March 15, 2010

Posters for Developers

Found a good collection of posters for use by developers (from the Developer Readiness Program website): http://www.newdrp.com/Posters/tabid/58/Default.aspx

TFS Tip – Workspaces and Team Projects

Tip 1: When you create your TFS Team Project, then create it with the following structure

Team Project Name

The reason for the above structure is that it will allow you to manage your releases better. See tip 2.

Tip 2: create a separate workspace mapping for the new team project at the Main folder level. This will allow you to easily find all the pending checkins for the main brain of that team project.

Now when you create your first release “Release 1”, you will branch it from Main and it will look like this:

Team Project Name
    |       |---Source
    |       |---Documents
    |       |---Database
    |       |---Builds
    |----Release 1.0

At this point create a separate workspace mapping to Release 1. This will allow you to easily find all the checkins related to “Release 1” as opposed to modifications that are part of your main branch. In turn, you will not end up checking in stuff from your main branch by mistake, when you are trying to checkin stuff for your release 1 branch.

Tip 3: If your get-latest begins to take too long then cloak the folders that contain the large items that change infrequently (typically the database and documents folders).

Tip 4: Always use groups to manage your Team Project memberships. Otherwise you will have a lot of administration work later on in the project’s life (when new members come on or old members leave your team).

Sunday, March 14, 2010

Colorado .Net Devs Twitter Stream by Ely Lucas

Ely Lucas has created a Twitter list of .Net developers in Colorado. Follow the list to stay tuned to the local .Net chatter: http://twitter.com/elylucas/colorado-dotnet-devs

More info about the group: http://www.tweetdeck.com/list/elylucas/colorado-dotnet-devs/1810003/#directory

Pi computed to 10,000 digits

In honor of Pi day (from Cnn):


Friday, March 12, 2010

.Net Type names, creating objects at runtime, etc.

I keep forgetting these…. so here is post to log it to memory….

1. .Net Type Name:

The format is: “Namespace.TypeName, DLLName, Version=x.x.x.x, Culture=culture, PublicKeyToken=key”

Eg: Class MyHelloWorldClass in namespace MySampleNamespace.SubNamespace in the DLL MyHelloWorldDll.dll with version, no culture or publickey specified.

“MySampleNamespace.SubNamespace.MyHelloWorldClass, MyHelloWorldDll, Version=, Culture=neutral, PublicKeyToken=null”

2. Creating an object of MyHelloWorldClass at runtime by using only the fully qualified type name.

Type typeLoadedAtRunTime = Type.GetType("MySampleNamespace.SubNamespace.MyHelloWorldClass, MyHelloWorldDll, Version=, Culture=neutral, PublicKeyToken=null");
Object objectLoadedAtRuntime = Activator.CreateInstance(typeLoadedAtRunTime);

Why are the above 2 useful? If you want to separate out the implementation details of certain parts of your application, such that your application does not care about exactly how certain methods are performed, then you develop your application to interfaces. You then create separate classes that implement those interfaces and provide the concrete implementation of the methods needed by your application. When your application runs, you can decide based on a variety of factors (eg: configuration file information), which class should be created to handle the methods needed by the application and your application then uses this runtime generated object for all its processing needs. (As you will be using Interfaces, the last line above will change to create an instance of a particular type).

eg: IHelloWorldClass objectLoadedAtRuntime = Activator.CreateInstance(typeLoadedAtRunTime) as IHelloWorldClass;

And if you need to list out the fully qualified names for all the types in your dll, here is some code to do just that.

string assemblyPath = args[0]; 
if (string.IsNullOrEmpty(assemblyPath))
    Console.WriteLine("Path to assembly not specified at command line");
Assembly loadedAssembly = null;
catch (Exception exp)
    Console.WriteLine("Error: " + exp.Message);

Module[] modules = loadedAssembly.GetModules();
Console.WriteLine("Assembly: " + loadedAssembly.GetType().Name);
foreach (Module module in modules)
    Console.WriteLine("Module: {0}\nFullyQualifiedName: {1}", module.Name, module.FullyQualifiedName);
    Type[] types = module.GetTypes();
    foreach (Type type in types)

Thursday, March 11, 2010

Comcast releases data usage meters for high speed customers

Comcast has implemented a 250gb per month limit on the amount one can transfer over their high speed connection.

Go to https://customer.comcast.com/Secure/UsageMeterDetail.aspx, login and you will see your usage history.

Comcast has had a usage limit since about October 2008, but without a usage meter, I always felt like the Comcast usage police might come knocking at my door. Having a usage meter is a step in the right direction. I wish they would add some kind of alert system, that I could use to signal to me when usage goes over by a certain amount (that way I can keep track of my data usage and if any pirate is trying to steal my bandwidth).

Here is what data usage meter looks like.


What’s A Startup? First Principles.

What’s A Startup? First Principles. 

a startup is an organization formed to search for a repeatable and scalable business model.

A good post by Steve Blank on what a Business Model is and other good stuff that any business person should be cognizant of.

How Does Customer Development, Agile Development and Lean Startups Fit?
The Customer Development process is the way startups quickly iterate and test each element of their business model. Agile Development is the way startups quickly iterate their product as they learn. A Lean Startup is Eric Ries’s description of the intersection of Customer Development, Agile Development and if available, open platforms and open source. (This methodology does for startups what the Toyota Lean Production System did for cars.)


Mapping Business Entities to Data Transfer Objects

DTOs???? Why???

Here is an example: You wish to open up some processing to external callers via a web-service. Should your business entities also become your data-contracts?

Well, in my opinion (and from what I am seeing on the Internet), the answer is no. The answer is two-fold: separation of concerns and stability of your webservice. Enter data-transfer-objects (DTOs).

Typically you create your DTO in your service interface layer (they layer where you write your web-service). Your business entities are hydrated from your repository by your resource access layer. The business logic layer processes requests, gets the business entities from the resource access layer and provides it to the service interface layer.

The service interface layer then converts the business entity object to the DTO and then passes it back over the wire to the client calling the webservice.

Why is this good? For one – if your business entity changes, your web-service does not have to change (a good thing, especially if your webservice is publically accessible) and if your business entity had extra methods, fields, etc, they dont get pushed down the wire as your DTO is typically a very simple and clean object.

Why this post?

Well it turns out that the mapping between business entity objects and DTOs can be very boring, time consuming, pain to maintain, etc….

Enter Automapper. Automapper is an open source CodePlex project that performs mapping between objects using conventions. So as long as your DTO objects and BE objects share the same property and field names, the transfer of data will be nice and simple.

The code couldnt be simpler:

Mapper.CreateMap<SourceClass, DestinationClass>();
DestinationClass destinationObject = Mapper.Map<SourceClass, DestinationClass>(sourceObject);

Automapper also supports flattening (taking a complex object and converting it to a simpler object).

Sunday, March 07, 2010

Hacme and WebGoat

Hacme and Webgoat are 2 reference implementation applications that have been deliberately made insecure so as to teach developers how to create secure applications.

WebGoat (OWASP project): http://code.google.com/p/webgoat/

Hacme: (McAfee): http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm

Complex Numbers

I had forgotten all my complex number theory and this post by Steven Strogatz refreshed all that: Finding your Roots.

Incidentally – complex numbers have become a first class citizen of the .Net 4.0 framework with the introduction of the Complex type (found in System.Numerics namespace).

Microsoft U-Prove SDK

Microsoft released a preview of the U-Prove cryptographic technology at this year’s RSA Conference. As part of the preview, Microsoft has released a C# reference implementation to allow testing/learning about this new technology.

The C# SDK can be found at : http://code.msdn.microsoft.com/uprovesdkcsharp

The CTP information can be found at: https://connect.microsoft.com/content/content.aspx?contentid=12505&siteid=642

The spec details can be found at: https://connect.microsoft.com/site642/Downloads/DownloadDetails.aspx?DownloadID=26953

This looks like an early CTP release that Microsoft is using to discover what the security community as a whole thinks about U-Prove and I am sure the SDK and the specs will change quite a bit. I am not sure what the road map for U-Prove and hence dont know what the time line looks towards a full-fledged release of the technology.

Market penetration of .Net

From: “.Net in Mission Critical Applications

  • Windows Server has #1 server OS share (52.7%) for deployed mission-critical applications
  • Windows Server and .NET are the #1 (54.1%) deployed application server
  • .NET usage exceeds Java across all sizes of enterprises
  • Windows Server is the #1 OS used (46%) by deployed mission critical Java applications
  • SharePoint leads (over IBM WebSphere) as the #1 portal used by enterprises’ primary mission-critical application
  • SQL Server leads (over Oracle) as the #1 database used by enterprises’ primary mission-critical application
  • BizTalk Server leads (over Oracle) as the #1 process integration technology used by enterprises’ primary mission-critical application
  • Microsoft leads as the #1 (58.6%) vendor for service oriented architectures
  • Wednesday, March 03, 2010

    Microsoft’s Anti-XSS Library

    I first came across the Anti-XSS library while reading the following post: Cross site scripting and ways to code against it on the IT_Country blog.

    So what is it?
    According to Microsoft:

    AntiXSS 3.1 helps you to protect your current applications from cross-site scripting attacks, at the same time helping you to protect your legacy application with its Security Runtime Engine

    Doesnt “System.Web.HttpUtility.HtmlEncode” do that already?
    Yes, but there is a difference. The biggest is that HttpUtility.HtmlEncode uses a blacklist, whereas AntiXss.HtmlEncode uses a whitelist. (A whitelist is basically a list of allowed attendees at a party and a blacklist is a list of unallowed people to a party). Obviously a white list is more restrictive and hence more safe. According to Syed Aslam Basha, (Tester on Microsoft’s Information Security Tools Team), these are the differences:

    1. Anti-XSS uses the white-listing technique, sometimes referred to as the principle of inclusions, to provide protection against Cross-Site Scripting (XSS) attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). System.Web.HttpUtility.HtmlEncode and other encoding methods in that namespace use principle of exclusions and encode only certain characters designated as potentially dangerous such as <, >, & and ' characters.
    2. The Anti-XSS Library's list of white (or safe) characters support more than a dozen languages (Greek and Coptic,Cyrillic,Cyrillic Supplement, Armenian, Hebrew, Arabic, Syriac, Arabic Supplement, Thaana, NKo and more)
    3. Anti-XSS library has been designed specially to mitigate XSS attacks whereas HttpUtility encoding methods are created to ensure that ASP.NET output does not break HTML.
    4. Performance - the average delta between AntiXss.HtmlEncode() and HttpUtility.HtmlEncode() is +0.1 milliseconds per transaction.

    from: Differences Between AntiXss.HtmlEncode and HttpUtility.HtmlEncode Methods

    How do you use it?
    Its simple really:

    AntiXss.GetSafeHtml: Returns well formed HTML that is XHTML compliant. (if <html> or <body> tags are missing they are added back in).

    AntiXss.GetSafeHtmlFragment: Returns well formed HTML fragments (does not try and add <html> or <body> tags).

    The AntiXSS library also provides other methods that can be used depending on where you are going to be using the user input data. For example:
    AntiXss.HtmlAttributeEncode – used when user input is being used as an attribute inside a HTML tag.
    AntiXss.JavaScriptEncode – used when user input data is being used inside <script> tags.
    AntiXss.UrlEncode – used when user input is being used in a url.

    Correct Sequence of Usage:

    According to the documentation, the correct sequence is not to perform the encoding as soon as you start working with the user provided data, but just before presenting the user provided data back to user.

    Here is an example from the documentation:

    // Correct Sequence **** 
    protected void Button1_Click(object sender, EventArgs e) 
        // Read input String Input = TextBox1.Text; 
        // Process input ... 
        // Encode untrusted input and write output 
        Response.Write(”The input you gave was” + Microsoft.Security.Application.AntiXss.HtmlEncode(Input)); 
    // Incorrect sequence!!!
    protected void Button1_Click(object sender, EventArgs e)
        // Read input
        String Input = TextBox1.Text;
        // Encode untrusted input
        Input = Microsoft.Security.Application.AntiXss.HtmlEncode(Input);
        // Process input
        // Write Output
        Response.Write(”The input you gave was” + Input );

    AntiXSS Members:




    Returns a safe version of HTML page by either sanitizing or removing all malicious scripts.


    Returns a safe version of HTML fragment by either sanitizing or removing all malicious scripts.


    Encodes input strings for use in HTML attributes.


    Encodes a input string before safely sending it to a browser client.


    Encodes input strings for use in JavaScript.


    Encodes input strings for use in universal resource locators (URLs).


    Encodes input strings for use in Visual Basic Script.


    Encodes input strings for use in XML attributes.


    Encodes input strings for use in XML.

    More Info:

    CodePlex: AntiXSS 
    CodePlex Discussion: http://antixss.codeplex.com/Thread/List.aspx.
    AntiXSS 3.2 download: http://www.microsoft.com/downloads/details.aspx?familyid=051EE83C-5CCF-48ED-8463-02F56A6BFC09&displaylang=en
    Security Tools Team Blog: http://blogs.msdn.com/securitytools/archive/tags/Anti-XSS/default.aspx
    OWASP XSS Prevention Cheat Sheet: OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet