Re: Skilling Up

2011-01-12 Thread silky
> Any particular user groups that you would recommend?

Come to MXUG next week: https://groups.google.com/group/mxug?hl=en&pli=1

There is also datamelb tonight: http://groups.google.com/group/datamelb

As for getting started; it's obvious, but just find something you want
to do, and try and do it. Most of "what I want to do" can be done in
the form of a website, hence I'm doing various things in the ASP.NET
MVC framework, which I would recommend. For Windows apps yes, WPF is
of interest, but I wouldn't personally dedicate much time to
Silverlight (but I'm biased, as I'm headed out of programming anyway,
some people find it fruitful).

Like others, I can highly recommend participation in online
forums/mailing lists for the purposes of learning. StackOverflow is
"good", but not great, in my humble opinion. But it is the better out
of all the forum options. I tend to prefer lists as they allow deeper
discussion.

It's kind of a good time to get into .NET as there are a variety of
changes in the framework that mean you'll kind of be on even footing
with other guys (LINQ is relatively new, etc, etc) so you can feel
reasonably confident that even the longer-term programmers aren't
experts in that yet, and there is still plenty of ground to discover
and fun things to do.

I don't personally see a lot of value in joining open source projects,
but perhaps there is, perhaps not. Depends what project; you wouldn't
want to waste time contributing to something that dies (of course some
time spent learning is beneficial, but it's not ideal). My preference
is for personal projects that have some general benefit (this is how
I've learned various things and learned to love trac and hudson and
nunit and so on).

--
Noon Silk

http://dnoondt.wordpress.com/  (Noon Silk) | http://www.mirios.com.au:8081

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Merry XMas everyone

2010-12-24 Thread silky
And Merry Christmas from me; even to those who program in VB!


On Fri, Dec 24, 2010 at 7:15 PM, Fredericks, Chris
 wrote:
> Thanks Bill.
>
> A Merry Christmas and a safe and prosperous New Year to you and your loved 
> ones and to everyone on the list.
>
>
> -Original Message-
> From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On 
> Behalf Of Bill McCarthy
> Sent: Friday, 24 December 2010 3:57 PM
> To: 'ozDotNet'
> Subject: Merry XMas everyone
>
> Hope you have a merry, safe and enjoyable xmas and New Years
>
>



-- 
silky

http://dnoondt.wordpress.com/  (Noon Silk) | http://www.mirios.com.au:8081

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Code Folding in VS 2010

2010-12-23 Thread silky
On Fri, Dec 24, 2010 at 1:43 PM, Stephen Price  wrote:
> My 30" monitor is not in portrait mode, but my 24" monitor to the left
> of it is. It's great for reading web sites, PDF's, twitter etc. Once
> you have a portrait screen you miss it on machines that don't have it.

Interesting; I've always kind of pondered this but never quite done it
(I don't have a monitor that supports it anyway). Might be worth
considering; one day (especially given the note about PDFs, which I'm
reading much more these days).


> Home machine: 24" in portrait, 30" middle, 27.5" right. It's great.
> Work machine: 17" left + 19" widescreen main. GaaAH.
>
> Feel sorry for me? ;)

-- 
silky

http://dnoondt.wordpress.com/  (Noon Silk) | http://www.mirios.com.au:8081

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: [OT] Getting rid of old computer books

2010-12-19 Thread silky
On Sun, Dec 19, 2010 at 8:37 AM, Kirsten Greed  wrote:
> Hi All
>
> I am having a clean out of my bookshelves, and looking for recommendations
> on what to do with the old computer books including some like Dan Appleman’s
> Developing COM/Active X Components with Visual Basic 6
>
> Is there any other option than straight in the recycle bin?
>
> I see there are some book swapping sites on the internet – but I haven’t
> found a technical one

I'm struggling to find it, but I'm fairly certain Michael Minutillo
runs a technical book sharing mailing list.

Nevertheless, I think your best bet would just be the paper recycling
option. I'd hate to think schools or libraries have any use for VB 6
:P


> Perhaps there someone out there who is deliberately stockpiling such books
> for legacy application emergencies ?
>
> Thanks
>
> Kirsten

-- 
silky

http://dnoondt.wordpress.com/  (Noon Silk) | http://www.mirios.com.au:8081

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Automatic versioning strategies

2010-12-19 Thread silky
Sorry for replying to myself yet again, but, failing any comments or
suggestions for improvement, this will be the last :)

On Sun, Dec 19, 2010 at 5:01 PM, silky  wrote:
>  I mean, it's pretty awesome. The only issue is that there doesn't
> seem to be a rpc function to get strictly a count, but perhaps I've
> missed the option, or someone will write it. If anyone is interested
> I'll probably write this up somewhere so that you can get an idea of
> the whole setup (i.e. the NAnt build script).

Written up:
 
<http://www.mirios.com.au:8081/index.php?title=Beautiful_versioning_environment>

-- 
silky

http://dnoondt.wordpress.com/  (Noon Silk) | http://www.mirios.com.au:8081

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Automatic versioning strategies

2010-12-18 Thread silky
On Sun, Dec 19, 2010 at 11:15 AM, silky  wrote:
> Does anyone have any beautiful schemes for this?
>
> I've done a basic implementation in a current project, whereby the
> version is in the form of:
>
>  major.minor.build.revision
>
> With the build and revision components being created in NAnt as part
> of the Hudson build process. This is then written into[1] the
> AssemblyInfo.cs file.  But it occurred to me that it could be quite
> amazing indeed if the major/minor components could also be increased
> automatically, via integration with the bug tracker (which in my case,
> as you all know, is trac). It would be amazingly magnificent because
> you could mark any items that are a public bugfix, as incrementing
> minor, and any breaking changes as major. You could categorise them
> via trac and then have a process to auto-increment (i.e. perhaps there
> is a custom trac plugin that writes some meta-data to the hudson
> settings, or some similar strategy; publishing to hudson can read).

FWIW, this turned out to be reasonably easy. I decided on the
following strategy:

 1. In the build script, if I could get a count of the current closed
tickets of some variety, that would be enough to adjust the
minor/major number, so, I...
 2. Installed this plugin from trac:
http://trac-hacks.org/wiki/XmlRpcPlugin#Installation
 3. Wrote this (to test if it works):

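using System;
using CookComputing.XmlRpc; // XML-RPC.NET, http://xml-rpc.net/

// Proxy interface for the trac XmlRpcPlugin endpoint.
public interface Trac : IXmlRpcProxy
{
    // ticket.query returns the ids of the tickets matching the query string.
    [XmlRpcMethod("ticket.query")]
    int[] ticketQuery(string qstr);
}

class Program
{
    static void Main(string[] args)
    {
        // Generate a proxy object that implements the Trac interface.
        Trac proxy = XmlRpcProxyGen.Create<Trac>();

        proxy.Url = "your trac location/rpc";

        // max=0 turns off paging, so every closed defect id is returned.
        int[] result = proxy.ticketQuery("status=closed&max=0&type=defect");

        if (result.Length > 0)
        {
            foreach (int s in result)
            {
                Console.WriteLine(s);
            }
        }
        else
        {
            Console.WriteLine("No results.");
        }

        Console.Read();
    }
}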

 Using this: http://xml-rpc.net/

 4. Implemented it as a callable function from NAnt.
 5. Benefited from the brilliance.

 I mean, it's pretty awesome. The only issue is that there doesn't
seem to be a rpc function to get strictly a count, but perhaps I've
missed the option, or someone will write it. If anyone is interested
I'll probably write this up somewhere so that you can get an idea of
the whole setup (i.e. the NAnt build script).

 Still interested to know if someone has some better schemes.

-- 
silky

http://dnoondt.wordpress.com/  (Noon Silk) | http://www.mirios.com.au:8081

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."
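
The scheme described in the message above, as an added example (not the poster's NAnt task or write-up): it turns closed-ticket counts, such as the lengths of two `ticket.query` results, into a `major.minor.build.revision` string and rewrites the version attributes in `AssemblyInfo.cs` text. The `VersionStamp` class, the mapping of ticket categories to major and minor, updating `AssemblyFileVersion` as well, and all sample values are assumptions.

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;

// Added example: names and sample values are assumptions, not the poster's code.
public static class VersionStamp
{
    // Each version component is stored as a UInt16 and the C# compiler rejects
    // 65535, so 65534 is the largest value that can be written.
    public const int MaxComponent = ushort.MaxValue - 1;

    // breakingClosed / bugfixClosed: number of closed tickets in each category,
    // for instance result.Length from two separate ticket.query calls.
    public static string Build(int breakingClosed, int bugfixClosed, int build, int revision)
    {
        int[] parts = { breakingClosed, bugfixClosed, build, revision };
        string[] names = { "major", "minor", "build", "revision" };
        for (int i = 0; i < parts.Length; i++)
        {
            if (parts[i] < 0 || parts[i] > MaxComponent)
            {
                throw new ArgumentOutOfRangeException(
                    names[i], parts[i], "version component must be 0.." + MaxComponent);
            }
        }
        return string.Join(".", Array.ConvertAll(
            parts, p => p.ToString(CultureInfo.InvariantCulture)));
    }

    // Matches [assembly: AssemblyVersion("...")] and [assembly: AssemblyFileVersion("...")].
    private static readonly Regex VersionAttribute = new Regex(
        @"(\[assembly:\s*Assembly(?:File)?Version(?:Attribute)?\s*\(\s*"")[^""]*(""\s*\)\s*\])");

    // Returns the AssemblyInfo.cs text with both attributes set to 'version'.
    public static string Apply(string assemblyInfoSource, string version)
    {
        int replaced = 0;
        // A MatchEvaluator is used instead of a "$1..." replacement string because
        // the version starts with digits and would run into the group number.
        string result = VersionAttribute.Replace(assemblyInfoSource, m =>
        {
            replaced++;
            return m.Groups[1].Value + version + m.Groups[2].Value;
        });
        if (replaced == 0)
        {
            // Fail the build rather than ship an assembly with a stale version.
            throw new InvalidOperationException(
                "no AssemblyVersion/AssemblyFileVersion attribute found");
        }
        return result;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input, not a file from the thread.
        string source =
            "using System.Reflection;\n" +
            "[assembly: AssemblyTitle(\"Sample\")]\n" +
            "[assembly: AssemblyVersion(\"1.0.0.0\")]\n" +
            "[assembly: AssemblyFileVersion(\"1.0.0.0\")]\n";

        // Constructed counts: 2 closed breaking-change tickets, 17 closed
        // bugfix tickets, build 143, revision 2210.
        string version = VersionStamp.Build(2, 17, 143, 2210);
        Console.WriteLine(version);
        Console.Write(VersionStamp.Apply(source, version));

        try
        {
            // A counter that has grown past the limit must stop the build.
            VersionStamp.Build(2, 17, 143, 70000);
        }
        catch (ArgumentOutOfRangeException ex)
        {
            Console.WriteLine("rejected component: " + ex.ParamName);
        }
    }
}
```

Because major and minor here are running totals of closed tickets, minor does not reset when major increases; the resulting versions still only ever go up.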


Automatic versioning strategies

2010-12-18 Thread silky
Does anyone have any beautiful schemes for this?

I've done a basic implementation in a current project, whereby the
version is in the form of:

 major.minor.build.revision

With the build and revision components being created in NAnt as part
of the Hudson build process. This is then written into[1] the
AssemblyInfo.cs file.  But it occurred to me that it could be quite
amazing indeed if the major/minor components could also be increased
automatically, via integration with the bug tracker (which in my case,
as you all know, is trac). It would be amazingly magnificent because
you could mark any items that are a public bugfix, as incrementing
minor, and any breaking changes as major. You could categorise them
via trac and then have a process to auto-increment (i.e. perhaps there
is a custom trac plugin that writes some meta-data to the hudson
settings, or some similar strategy; publishing to hudson can read).

Has anyone done anything along these lines? Are there other automated
strategies that people have that are far superior? Interested to know.

-- 
silky

http://dnoondt.wordpress.com/  (Noon Silk) | http://www.mirios.com.au:8081

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."

[1] By the following tool:
http://www.codeproject.com/KB/cs/AssemblyInfoUtils.aspx


[OT] - Any interesting projects happening?

2010-12-15 Thread silky
Is anyone working on anything particularly interesting?

If so, hopefully you will come to MXUG:
https://groups.google.com/group/mxug?hl=en&pli=1 and talk about it!

Somebody must be working on some new tool to revolutionise something
or other, right?

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: C# to Delphi

2010-12-14 Thread silky
On Wed, Dec 15, 2010 at 6:25 PM, Peter Maddin  wrote:
> Hi Greg
>
> > Did the Delphi authors do that?!
>
> Sorry no idea. The controls were purchased from a European site because I
> could not get anything out of the States. The company, no longer exists so I
> am glad I purchased source code or I would be screwed. I tried to purchase
> TurboPower's LockBox but they would not supply it due to an export
> moratorium on cryptographic cipher technology. This has been relaxed for
> some time now but I am stuck with the legacy of what went before.
>
> The code I purchased has been in use for many years and has been very
> reliable (except for a memory leak that I managed to fix). I do not feel
> competent to recode it.

FWIW, it's probably far easier than you imagine. For any popular
algorithm you'll find examples in just popular languages (java/c#),
and you can easily translate that. There will be test vectors provided
so you can test your implementation. It's not a few hours, but 2 or 3
days and you should easily get it done (at least, I'd consider
investigating it).

You should know that SHA-1 is considered "not good" as a hash:
http://valerieaurora.org/hash.html, so I'd avoid its use if possible.


> The idea of writing a COM object to encapsulate the
> Delphi code seems like the optimal solution. I am not that well versed in
> COM so I have some study to do. At least I have texts on the subject. I
> thought that with .NET, COM was deprecated (even if COM+ is not). Oh well.
>
> I will give the Delphi to C# converter suggested by Ian, a go as well.
>
> My fall back is to use the framework's cryptographic support (RSA not
> elliptic curve) but that would mean two parallel delivery streams, the old
> and the new that are not compatible with each other.

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."
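
The test-vector check mentioned in the reply above, as an added example (not code from the thread): a known-answer harness that a ported hash routine can be plugged into, run here with the framework's SHA-256 standing in for the port and with a deliberately faulty variant to show a failure being caught. The `HashKat` class and the `BrokenPort` function are hypothetical; the expected digests are the standard published SHA-256 example vectors.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class HashKat
{
    // Published SHA-256 known-answer vectors: ASCII message, hex digest.
    // The third message is 56 bytes long, so its padding spills into a
    // second block; ports often pass "abc" and fail here.
    private static readonly string[,] Vectors =
    {
        { "", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" },
        { "abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" },
        { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
          "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1" }
    };

    // Digest of one million 'a' bytes: exercises chaining across many blocks.
    private const string MillionA =
        "cdc76e5c9914fb9281a1c7e284d73e67f1809a48a497200e046d39ccc7112cd0";

    // Runs every vector through 'hash' and returns the number of mismatches.
    public static int Check(string name, Func<byte[], byte[]> hash)
    {
        int failures = 0;
        for (int i = 0; i < Vectors.GetLength(0); i++)
        {
            byte[] message = Encoding.ASCII.GetBytes(Vectors[i, 0]);
            failures += Compare(name, "vector " + i, hash(message), Vectors[i, 1]);
        }
        byte[] longMessage = Encoding.ASCII.GetBytes(new string('a', 1000000));
        failures += Compare(name, "million 'a'", hash(longMessage), MillionA);
        return failures;
    }

    private static int Compare(string name, string label, byte[] actual, string expectedHex)
    {
        string actualHex = BitConverter.ToString(actual).Replace("-", "").ToLowerInvariant();
        if (actualHex == expectedHex)
        {
            return 0;
        }
        Console.WriteLine("{0}: {1} FAILED, got {2}", name, label, actualHex);
        return 1;
    }

    // Stand-in for the routine under test: the framework implementation.
    public static byte[] FrameworkSha256(byte[] data)
    {
        using (SHA256 sha = SHA256.Create())
        {
            return sha.ComputeHash(data);
        }
    }

    // Hypothetical faulty port, simulated: whenever the padding needs an
    // extra block (length mod 64 >= 56) the last input byte is lost.
    public static byte[] BrokenPort(byte[] data)
    {
        if (data.Length % 64 >= 56)
        {
            byte[] truncated = new byte[data.Length - 1];
            Array.Copy(data, truncated, truncated.Length);
            data = truncated;
        }
        return FrameworkSha256(data);
    }

    public static void Main()
    {
        Console.WriteLine("framework mismatches: " + Check("framework", FrameworkSha256));
        Console.WriteLine("broken port mismatches: " + Check("broken", BrokenPort));
    }
}
```

The faulty variant passes the empty, "abc" and million-byte vectors and fails only the 56-byte one, which is why a port should be run against the whole published set rather than a single short message.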


Re: .NET friendly cloud-compute recommendations

2010-12-12 Thread silky
On Mon, Dec 13, 2010 at 10:31 AM, Joseph Clark  wrote:
> Howdy all,
>
> Does anyone have any experience with Windows/.NET friendly cloud-computing
> solutions, specifically for the purpose of farming out compilation and test
> agents?
>
> Internally we've semi-standardised on EC2 for all our java-based builds, but
> from the literature I've read on the tubes, setting up a Windows image
> doesn't sound like very much fun.

I found it exceptionally trivial; I'm sure you won't have any problem.
I mean, there's nothing to it really. Choose a Windows server, install
things, image it? Or am I missing something?


> I had a brief skim-read on the Azure platform, but it looks like it doesn't
> provide any bare-bones infrastructure like msbuild.
>
> Are there any other alternatives?
>
> Cheers,
> Joe.

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: The breakpoint will not currently be hit..nightmare!..solution?

2010-12-07 Thread silky
On Wed, Dec 8, 2010 at 5:09 PM, David Richards
 wrote:
> Anthony,
>
> Some years ago I was suddenly unable to debug ASP.Net solutions.  I'm a bit
> hazy on the details so I'm not sure if it was the same problem you are
> having.  After days of trying to figure it out, I ended up reverting my
> machine (I work in VMs) to an old backup and I was magically able to debug
> again.  At the time, I attributed it to installing Chrome (when was it first
> available for download?) since that was the only obvious difference in the
> systems but who knows what the real cause was.  The point is, it seems it
> was an environmental issue.
>
> In other words, perhaps your planned rebuilding of your PC will solve the
> problem.

Looking at his earlier message it seems that the problem is the PDB
has a different path than the file he's debugging on in VS. As to how
that's happened, I don't know. I think the answer will lie in the
article I posted though (or at least one of the links from it).


> David
>
> "If we can hit that bullseye, the rest of the dominoes
>  will fall like a house of cards... checkmate!"
>  -Zapp Brannigan, Futurama

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: The breakpoint will not currently be hit..nightmare!

2010-12-07 Thread silky
I don't have an answer, but I did stumble across this article while
searching: 
http://www.wintellect.com/CS/blogs/jrobbins/archive/2009/05/11/pdb-files-what-every-developer-must-know.aspx

Seems interesting (I haven't finished reading it yet).


On Wed, Dec 8, 2010 at 4:43 PM, Anthony  wrote:
> It does stop at Debugger.Break()..which is a step forward?
>
>
>
> This the text i always get..i know what it is saying but no idea how to fix
> it
>
>
>
> Locating source for
> 'Q:\Data\Clients\gime\PoppClientDotNet2\Popp\MainForm.cs'. Checksum: MD5 {6a
> 78 31 4f a7 90 9 5 a4 60 57 e5 da a7 fb f3}
>
> Determining whether the checksum matches for the following locations:
>
> 1: Q:\Data\Clients\gime\PoppClientDotNet2\Popp\MainForm.cs Checksum: MD5 {5
> b7 15 40 ac be b0 68 0 7 4 5b 27 df 7d 97} Checksum doesn't match.
>
> The file 'Q:\Data\Clients\gime\PoppClientDotNet2\Popp\MainForm.cs' exists.
>
> Looking in script documents for
> 'Q:\Data\Clients\gime\PoppClientDotNet2\Popp\MainForm.cs'...
>
> Determining whether the checksum matches for the following locations:
>
> 1: Q:\Data\Clients\gime\PoppClientDotNet2\Popp\MainForm.cs Checksum: MD5 {5
> b7 15 40 ac be b0 68 0 7 4 5b 27 df 7d 97} Checksum doesn't match.
>
> Looking in the projects for
> 'Q:\Data\Clients\gime\PoppClientDotNet2\Popp\MainForm.cs'.
>
> The file was not found in a project.
>
> Looking in directory 'q:\'...
>
> The debug source files settings for the active solution indicate that the
> debugger will not ask the user to find the file:
> Q:\Data\Clients\gime\PoppClientDotNet2\Popp\MainForm.cs.
>
> The debugger could not locate the source file
> 'Q:\Data\Clients\gime\PoppClientDotNet2\Popp\MainForm.cs'.
>
>
>
>
>
> From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
> On Behalf Of Corneliu I. Tusnea
> Sent: Wednesday, 8 December 2010 4:18 PM
> To: ozDotNet
> Subject: Re: The breakpoint will not currently be hit..nightmare!
>
>
>
> Try to add in your code a Debugger.Break() see what's happening.
>
>
>
>
>
> On Wed, Dec 8, 2010 at 9:48 AM, Conrad Lang  wrote:
>
> Have you checked the following:
>
> All folders related to your projects in the "Temporary ASP.NET Files" of all
> the "C:\Windows\Microsoft.NET\Framework\v?.?..." have been deleted.
> All bin and obj folders have been deleted (I know you've done this already
> though but may as well clean again).
> Check your projects are targetting the same .NET framework in the project
> properties.
> If you're debugging using IIS, check that the IIS AppPool is using the same
> framework as your project properties.
> Your solution startup projects are set to "multiple".
>
> Your web services should be "run" (not "run without debugging").
> Your client application or ASP.NET UI project should be "run" (not "run
> without debugging").
>
> Your breakpoints should be enabled (it's a silly suggestion but sometimes I
> forget I disabled a breakpoint).
>
> It might be worthwhile removing and adding the breakpoint again in case the
> VS upgrade somehow mangled its references (it's a long shot but worth a
> try?)
>
> If you're using the built-in ASP.NET development web server, maybe try
> change the port your dev ASP.NET app is running on.
>
> Good luck,
> Conrad.
>
>
>
> On Wed, Dec 8, 2010 at 4:27 AM, David Kean  wrote:
>
> Then this means that it is likely that sources/PDBs don’t match what you are
> debugging. Try deleting all obj/bin directories and do a rebuild.
>
>
>
> From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
> On Behalf Of Anthony
> Sent: Tuesday, December 07, 2010 1:42 AM
>
> To: 'ozDotNet'
> Subject: RE: The breakpoint will not currently be hit..nightmare!
>
>
>
> Not a solid circle..red border
>
>
>
> From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
> On Behalf Of David Kean
> Sent: Tuesday, 7 December 2010 6:26 PM
> To: ozDotNet
> Subject: RE: The breakpoint will not currently be hit..nightmare!
>
>
>
> Is the breakpoint a solid red circle once you’ve started debugging?
>
>
>
> From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
> On Behalf Of Anthony
> Sent: Monday, December 06, 2010 8:06 PM
> To: 'ozDotNet'
> Subject: The breakpoint will not currently be hit..nightmare!
>
>
>
> Upgraded my asp.net  projects to VS2010 and now i can’t debug my project as
> the breakpoints are not being hit.
>
> ·   I have deleted framework temporary files.
>
> ·   Delete bin and obj directories.
>
> ·   Re-referenced projects
>
> ·   According the modules window..the symbols are being loaded.
>
>
>
> still no luck
>
> Anyone have suggestioni’m going crazy
>
> Anthony
>
> --
> Regards,
> Conrad Lang
> Mobile: 04 2260 9718  |  Home: 03 9029 2247
>
>



-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Setting CMD-window title

2010-11-29 Thread silky
On Tue, Nov 30, 2010 at 11:08 AM, Ian Thomas  wrote:
> Aaah – thanks Glen.
>
> Now to try it on CMD.EXE and the Win32 console app I have to use.

It won't work, the documentation says it is Get only.

I think your best option will be to vary the parameters in some
fashion such that you can differentiate that way.


> Google (or Bing) is very much the enemy if you have a biased/misinformed
> starting point.
>
> 
>
> Ian Thomas
> Victoria Park, Western Australia


-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Unable to log in via Windows Auth during high load

2010-11-28 Thread silky
On Mon, Nov 29, 2010 at 9:21 AM, David Connors  wrote:
> On 29 November 2010 08:19, silky  wrote:
>>
>> It's confusing because every other page was loading fine, (and in a
>> reasonable amount of time), but I couldn't authenticate to the admin
>> area, in Firefox it just kept popping up the auth screen, and in
>> Safari it instructed: "... the page reset, which may happen during
>> high load". I can confirm the site was receiving something like 20
>> requests a minute (not that many, perhaps), but I just found it quite
>> odd that I couldn't log in.
>
> I'd doubt it is load related based on your problem description.
> Windows it normally pretty good with detail in failed login events - did you
> check the event log?

I was just looking at it now, didn't see anything of particular
interest, but I'll review again.

It'd be fairly coincidental if it wasn't. However, after the load
stopped, I still wasn't able to log in again immediately. But after a
few hours of patience, it did end up working.


> --
> David Connors | da...@codify.com | www.codify.com
> Software Engineer
> Codify Pty Ltd
> Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417
> 189 363
> V-Card: https://www.codify.com/cards/davidconnors
> Address Info: https://www.codify.com/contact

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Unable to log in via Windows Auth during high load

2010-11-28 Thread silky
Has anyone noticed this before? This happened to one of my personal
sites on the weekend.

Windows Server 2003/IIS 6/ASP.NET 2.0

It's confusing because every other page was loading fine, (and in a
reasonable amount of time), but I couldn't authenticate to the admin
area, in Firefox it just kept popping up the auth screen, and in
Safari it instructed: "... the page reset, which may happen during
high load". I can confirm the site was receiving something like 20
requests a minute (not that many, perhaps), but I just found it quite
odd that I couldn't log in.

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Friday question - How to find my MSDN Subscription

2010-11-25 Thread silky
On Fri, Nov 26, 2010 at 12:49 PM, Ken Schaefer  wrote:
> MSDN subscriptions page, after you login, should show your expired 
> subscriptions.
>
> I don't think this is an MSDN problem :-) You forgot your identifier.

Thanks for that, glad to know that is the case. Perhaps there is a
hope. I hope so. I'm desperate to enjoy the awesome rounded blueness
of Visual Studio 2010 again.


> Cheers
> Ken

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: OT - iPhone Programming

2010-11-25 Thread silky
Thanks for the comments everyone, anyway, I think the current situation is clear.

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: OT - iPhone Programming

2010-11-25 Thread silky
On Fri, Nov 26, 2010 at 4:02 PM, DotNet Dude  wrote:
> On Fri, Nov 26, 2010 at 2:42 PM, silky  wrote:
>> On Fri, Nov 26, 2010 at 2:36 PM, James Chapman-Smith
>>  wrote:
>>> Hi silky,
>>>
>>> Try taking a look at `MonoTouch`. It's Mono for the iPhone.
>>>
>>> http://monotouch.net/
>>>
>>> From the website:
>>>
>>> "What is MonoTouch?"
>>>
>>> "MonoTouch allows developers to create C# and .NET based applications that
>>> run on Apple's iPhone, iPad, and iPod Touch devices, while taking advantage
>>> of the iPhone APIs and reusing both code and libraries that have been built
>>> for .NET, as well as existing skills."
>>>
>>> And I believe that `MonoDroid` is coming for Android phones.
>>
>> Thanks James (and Hemal)
>>
>> I just noticed that MonoTouch is not free; probably more effective to
>> buy a Mac for that price. But I don't know if I can justify that kind
>> of expenditure.
>
> Depends if you plan to develop and sell apps and make the money back

Hahahaha, clearly it depends on that! So then, what can you assume my
position is?

Okay, it's a friday, I can forgive that statement ...

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: OT - iPhone Programming

2010-11-25 Thread silky
On Fri, Nov 26, 2010 at 2:36 PM, James Chapman-Smith
 wrote:
> Hi silky,
>
> Try taking a look at `MonoTouch`. It's Mono for the iPhone.
>
> http://monotouch.net/
>
> From the website:
>
> "What is MonoTouch?"
>
> "MonoTouch allows developers to create C# and .NET based applications that
> run on Apple's iPhone, iPad, and iPod Touch devices, while taking advantage
> of the iPhone APIs and reusing both code and libraries that have been built
> for .NET, as well as existing skills."
>
> And I believe that `MonoDroid` is coming for Android phones.

Thanks James (and Hemal)

I just noticed that MonoTouch is not free; probably more effective to
buy a Mac for that price. But I don't know if I can justify that kind
of expenditure.


> Cheers.
>
> James.


-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: OT - iPhone Programming

2010-11-25 Thread silky
On Fri, Nov 26, 2010 at 2:38 PM, Hemal Modi  wrote:
> I have used monotouch in the past. More info: http://monotouch.net/

On a mac? Because I note at the bottom of the page it says:

"Please note that MonoTouch requires a Mac, Apple's iPhone SDK and you
must be part of Apple's iPhone Developer Program to test and deploy
your software on a device and to redistribute your code."


> HTHs,
> Hemal

--
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Friday question - How to find my MSDN Subscription

2010-11-25 Thread silky
On Fri, Nov 26, 2010 at 11:02 AM, Winston Pang  wrote:
> Isn't it generally tied in with your nominated Windows Live ID?
>
> Go to the MSDN subscription website and sign in with it, and look for manage
> subscriptions.

Yeah, that's the thing, I have no idea what my Windows Live ID is. I
found one that could "possibly" be it, but it has nothing in the MSDN
subscriptions tab.

I suppose it's strictly my problem. I can't even find the email from
the guy who set me up with it. And the fact that that email isn't in
one of my "main" accounts (i.e. accounts I can remember the password
to) isn't a good sign. I think I'm buggered, but I might have it on my
main computer (this laptop is relatively new).

I don't quite know what I was hoping for here. I guess it's more of a
vent regarding the Windows Live process ( or more accurately, a vent
against myself for having so many email accounts :P )

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: web GPS mapping

2010-11-25 Thread silky
On Fri, Nov 26, 2010 at 10:31 AM, Anthony  wrote:
> Anyone had any experience with GPS mapping ie place a dot on a map for a gps
> location?   Are there any free services i can use to do this?  Its for
> commercial use,  i think i need a paid license if i use google maps  is this
> correct?

http://code.google.com/apis/maps/faq.html#tos_commercial


> regards
>
> Anthony (*12QWERNB*)


-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Friday question - How to find my MSDN Subscription

2010-11-25 Thread silky
On Fri, Nov 26, 2010 at 9:44 AM, silky  wrote:
> Does anyone know?
>
> I definitely used to have one, it's possible that it has run out, but
> I can't even find an email telling me about it. Is all lost? Is there
> someone I can potentially email to look it up?
>
> I've tried getting my password back by guessing what email account I
> signed up with (I've got a few ...) but the one account that it was
> probably with doesn't have an account at MSDN anymore. I don't quite
> know what I'm hoping for here. Commiserations perhaps ...
>
> Appreciate any leads anyone can provide ...

I guess an answerable question here is: Would it show an old MSDN
subscription on my account, if I had one? Because I'm logged in with
an account that could possibly be mine, but it shows nothing. I'm
wondering if I've picked the wrong account, or it's the right account
and I'm out of date.


> --
> silky
>
> http://dnoondt.wordpress.com/
>
> "Every morning when I wake up, I experience an exquisite joy — the joy
> of being this signature."


-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Friday question - How to find my MSDN Subscription

2010-11-25 Thread silky
Does anyone know?

I definitely used to have one, it's possible that it has run out, but
I can't even find an email telling me about it. Is all lost? Is there
someone I can potentially email to look it up?

I've tried getting my password back by guessing what email account I
signed up with (I've got a few ...) but the one account that it was
probably with doesn't have an account at MSDN anymore. I don't quite
know what I'm hoping for here. Commiserations perhaps ...

Appreciate any leads anyone can provide ...

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Why DVCS, was Re: TFS Feedaback? Anyone moved away from it?

2010-11-06 Thread silky
On Sun, Nov 7, 2010 at 10:23 AM, Joseph Cooney  wrote:
> Yeah, tfs integration is very good. There is a dvcs that has integrated bug,
> work item tracking and wiki (called fossil) from the makers of sqlite. I
> haven't used it, but it will be interesting to see how long tfs retains this
> advantage.

You've been able to do this since forever with svn+trac, and it looks
like there is a plugin for mercurial as well:
http://trac.edgewall.org/wiki/TracMercurial


> Joseph
> --
>
> w: http://jcooney.net
> t: @josephcooney

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Canonical ASCII string roundtrip

2010-11-05 Thread silky
2010/11/5 Greg Keogh :
> Folks, I have a pair of utility methods that I wrote in Framework 1.0 that
> "escapes" and "unescapes" non-ASCII strings so I can roundtrip them via
> ASCII. So the string "ABC123ΑΒΓ" (last 3 chars are Greek) becomes
> "ABC123\u0391\u0392\u0393" and I can later reverse it. This ancient manual
> code must be redundant now. Is there a way of doing this in the FCL now? I
> can't quickly find one.

The typical approach here would be to convert to base64:
http://msdn.microsoft.com/en-us/library/system.convert.tobase64string.aspx


> Likewise, I'd like to be able to roundtrip arbitrary Unicode string via
> encoding="ascii" XML with high characters converted to &# entities. I can't
> find an automatic way of doing this either. If I save an XDocument in an
> ASCII encoded TextWriter the high characters turn into question marks.

I don't know about this, but it seems appropriate for the chars to not
be converted. I would "guess" that you need to convert them manually,
because it's basically just an arbitrary encoding scheme, and I don't
see why encoding="ascii" should necessitate that. That said, there's
probably some library or something that does it. Shouldn't be hard to
search ...

[...]


> Greg

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy -- the joy
of being this signature."
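
The round-trip options discussed above, as an added example (not Greg's utility methods, which the thread does not show): the `\uXXXX` escaping from the question next to the Base64 route from the reply, together with the lossy result of encoding straight to ASCII. The `AsciiRoundTrip` class and its method names are hypothetical, and the choice to escape the backslash itself is an assumption made so that the escaped form can be reversed unambiguously.

```csharp
using System;
using System.Globalization;
using System.Text;

public static class AsciiRoundTrip
{
    // Strict UTF-8: throws on lone surrogates or invalid bytes instead of
    // silently substituting U+FFFD, which would break the round trip.
    private static readonly Encoding StrictUtf8 = new UTF8Encoding(false, true);

    // Escapes every char outside printable ASCII, and the backslash itself,
    // as \uXXXX. Surrogate pairs become two escapes and survive unchanged.
    public static string Escape(string s)
    {
        StringBuilder sb = new StringBuilder(s.Length);
        foreach (char c in s)
        {
            if (c < 0x20 || c > 0x7E || c == '\\')
            {
                sb.Append("\\u").Append(((int)c).ToString("x4", CultureInfo.InvariantCulture));
            }
            else
            {
                sb.Append(c);
            }
        }
        return sb.ToString();
    }

    // Reverses Escape(). A backslash that does not start a complete \uXXXX
    // sequence is rejected rather than passed through.
    public static string Unescape(string s)
    {
        StringBuilder sb = new StringBuilder(s.Length);
        for (int i = 0; i < s.Length; i++)
        {
            if (s[i] != '\\')
            {
                sb.Append(s[i]);
                continue;
            }
            ushort code;
            if (i + 5 >= s.Length || s[i + 1] != 'u' ||
                !ushort.TryParse(s.Substring(i + 2, 4), NumberStyles.AllowHexSpecifier,
                                 CultureInfo.InvariantCulture, out code))
            {
                throw new FormatException("malformed escape at index " + i);
            }
            sb.Append((char)code);
            i += 5; // skip 'u' and the four hex digits
        }
        return sb.ToString();
    }

    // The route suggested in the reply: UTF-8 bytes carried as Base64 text.
    public static string ToBase64(string s)
    {
        return Convert.ToBase64String(StrictUtf8.GetBytes(s));
    }

    public static string FromBase64(string b64)
    {
        return StrictUtf8.GetString(Convert.FromBase64String(b64));
    }

    public static void Main()
    {
        // The sample string from the question plus a literal backslash.
        string original = "ABC123\u0391\u0392\u0393 a\\b";

        // Encoding.ASCII replaces each character it cannot represent with '?'.
        string lossy = Encoding.ASCII.GetString(Encoding.ASCII.GetBytes(original));
        string escaped = Escape(original);
        string b64 = ToBase64(original);

        Console.WriteLine("ascii:   {0} (round-trips: {1})", lossy, lossy == original);
        Console.WriteLine("escaped: {0} (round-trips: {1})", escaped, Unescape(escaped) == original);
        Console.WriteLine("base64:  {0} (round-trips: {1})", b64, FromBase64(b64) == original);
    }
}
```

The escaped form stays readable for the ASCII part of the string, while Base64 is opaque but needs no custom parser on the receiving side.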


Re: I'm not very good at email.

2010-11-05 Thread silky
On Fri, Nov 5, 2010 at 10:14 PM, Les Hughes  wrote:
> Dear List.
>
> Please disregard my inability to master email. The file explaining why is
> attached :P

I wouldn't worry, I've had "Master of Email" on my resume for years
and hasn't helped me any :P


> --
> Les Hughes
> l...@datarev.com.au

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Why DVCS, was Re: TFS Feedaback? Anyone moved away from it?

2010-11-04 Thread silky
On Fri, Nov 5, 2010 at 12:42 PM, mike smith  wrote:
> On 5 November 2010 10:59, silky  wrote:
>> On Fri, Nov 5, 2010 at 10:54 AM, Grant Molloy  wrote:
>>> Putting the flavour of your DVCS aside for the moment...
>>>
>>> How "secure" do you feel having all your code, IP, etc, sitting on somebody
>>> else's servers ?
>>>
>>> If they shut up shop tomorrow, do you keep a local copy of everything too ??
>>> What cost per month are you paying to have it hosted *in the cloud* ?
>>> (sounds so Web 3.0 !!).
>>
>> Who is this directed to? Me? (because I've got SVN hosted at amazon?)
>>
>> I feel fine. I've got backups of all my code on two drives anyway, and
>> of course I have it all on my laptop.
>>
>> If Amazon shut up shop tomorrow, I'll lose a bit of data, but not much else.
>>
>> Any reasonable person has backups ...
>
> Backups of the code, or the rev history and all that?

Code.

I'll admit I haven't got a full svn backup going on the server at the
moment, but to be honest if I lose that I'm not going to be too
concerned.


> --
> Meski
>
> "Going to Starbucks for coffee is like going to prison for sex. Sure,
> you'll get it, but it's going to be rough" - Adam Hills

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Why DVCS, was Re: TFS Feedaback? Anyone moved away from it?

2010-11-04 Thread silky
On Fri, Nov 5, 2010 at 10:54 AM, Grant Molloy  wrote:
> Putting the flavour of your DVCS aside for the moment...
>
> How "secure" do you feel having all your code, IP, etc, sitting on somebody
> else's servers ?
>
> If they shut up shop tomorrow, do you keep a local copy of everything too ??
> What cost per month are you paying to have it hosted *in the cloud* ?
> (sounds so Web 3.0 !!).

Who is this directed to? Me? (because I've got SVN hosted at amazon?)

I feel fine. I've got backups of all my code on two drives anyway, and
of course I have it all on my laptop.

If Amazon shut up shop tomorrow, I'll lose a bit of data, but not much else.

Any reasonable person has backups ...

The server I have cost ~90 per month. It's expensive.


> Grant

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Why DVCS, was Re: TFS Feedaback? Anyone moved away from it?

2010-11-04 Thread silky
>> Yeah, this is what I thought. And I can't help but feel this is
>> totally overrated. I mean, I don't know a single person who would say
>> using SVN is slow.
>
> It is glacially slow when your repository is not local.  There, a
> single person has said it.  Look at minute/s to do something like a
> diff at times.  Go off and make a coffee/s if you're doing an entire
> update.  Have lunch if you're picking up all the code for the first
> time.

Yeah, but I don't know you :)

And I'll respond with the opposite claim. It's not slow, and my SVN
repo is on an amazon server *over https*. And it's still fine. Now,
I'm not committing megs of stuff at once, but nevertheless. *That's*
not a reason to change.

However, the specific points raised previously in this thread, and the
comments from Dave have probably pushed me over the edge.


> --
> Meski
>
> "Going to Starbucks for coffee is like going to prison for sex. Sure,
> you'll get it, but it's going to be rough" - Adam Hills

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Why DVCS, was Re: TFS Feedaback? Anyone moved away from it?

2010-11-04 Thread silky
On Thu, Nov 4, 2010 at 6:10 PM, Paul Stovell  wrote:
> > > Broken how?

[...]

> In Mercurial it works differently. You'd pull the 19 changes made to the trunk
> to your local repository - they'd be replayed, one-by-one, against your
> files. You'll still do the merges (leaving alone that Mercurial does a much 
> better job of merging than TFS out of the box), but since you're dealing
> with one or two commits at a time, the merges are pretty simple, and if you 
> screw up, you don't have to start the whole thing again. Once you've
> merged the trunk into your branch, you'd just push everything back to trunk. 
> Now all the changes are replayed against trunk, and trunk has all 32
> commits, with their history and dates exactly as you wrote them when you 
> checked them in during the week. It's a much more elegant model.

Right. (Sorry if I wasn't clear, but I haven't used TFS and was more
interested in how you consider Subversion's merge broken; I understand
that in the system you are describing it is 'different', I don't see
any point in calling Subversion 'broken' though).


> Paul

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Why DVCS, was Re: TFS Feedaback? Anyone moved away from it?

2010-11-03 Thread silky
On Thu, Nov 4, 2010 at 5:40 PM, Paul Stovell  wrote:
> Hi Silky,
>
> I think in some ways you have to experience it - the proof is in the
> tasting. But here are some things I like about it that work even for small,
> local teams.
>
> 1.   How many times did you make a small change, then delete it and try
> something else, only to realize that you didn’t check in during that time
> since it wasn’t “ready” to share with the team? Since most of your
> interaction with source control is just to your hard disk, you’re more
> likely to use it. On my current project with Mercurial I’m averaging a
> commit every 10 minutes – lots of small changes.

Never. I don't ever try the wrong thing.

Seriously though, as I said to Joseph, I agree this is a legitimate
benefit, and I like it.


> 2.   How many times have you done an SVN update/TFS “get latest”, tried
> to merge, made a mistake, and lost changes in the process? With Mercurial
> that doesn’t happen –it forces you to commit your local changes first, then
> merge them with the server changes. If it fails, you can roll it back and
> try again until you’re successful – you never lose changes.

This I've legitimately never done. Merging with SVN is pretty nice, at
least I think so. You just go around resolving conflicts. Not so
tough. Don't disagree that it could be better, but I don't think there
is an issue here particularly.


> 3.   Merging in DVC’s works fantastically. By comparison the merging
> approaches of TFS and Subversion are broken. To even use a DVCS you’re using
> branching and merging, since the server and your local machine are entirely
> different repositories. In TFS and SVN, branching and merging is a scary
> concept only used in the most dire of circumstances.

Broken how?


> Those advantages apply in the most connected corporate environment – when
> I’m forced to use TFS I wish it had better support for these three features.
> Prior to using Mercurial I just accepted that the way SVN made me work was
> fine, and the occasional loss of code or busted merge was a fact of life.
> Now I find it frustrating to work with TFS/Subversion and sometimes wonder
> if a folder full of “copy of …”.zip files would be more effective :)
>
> There are other advantages to do specifically with open source projects –
> for instance, instead of sending a patch, people can put their repository
> online to share with others, and you can cherry pick the changes you want
> from them. The patching system really fails once a patch gets a little old.

Right, I'm not interested in these, and neither are the majority of
small enterprises, I would venture. I don't deny it's a benefit, and
it's a good one, but not one that I care about.

Anyway, I do appreciate these comments, and I may actually take a
look, having been slightly convinced.


> Paul

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Why DVCS, was Re: TFS Feedaback? Anyone moved away from it?

2010-11-03 Thread silky
On Thu, Nov 4, 2010 at 12:37 PM, Joseph Cooney  wrote:
> argumentative? silky? GTFO!

:)


> Most of my experience with DVCS has been with
> mercurial (hg) which I've used for about the last 2 years for my personal
> stuff. Before that I used SVN. I think the difference (from my point of
> view) is that hg works well in a super-set of configurations to TFS/SVN. If
> you were a solo developer with TFS installed locally then hg probably
> wouldn't be that much better (it certainly handles branching, merging and
> backing up more cleanly than TFS/SVN). But most people don't work that  way
> - the server is remote. If you want to look at the 'history' for a file or
> do a diff it's a network operation. Checking out is a network operation (at
> least for TFS it is...not sure about SVN). In the case of TFS 2008 when the
> server was off-line work ground to a halt. With hg sometimes there _is_ no
> central server. I've had good experiences collaborating with other devs
> using hg with no central server set up, just sending patches back and forth
> for synchronization. You can set up your development processes such that
> your DVCS is fairly centralized (like things would be with TFS/SVN) - devs
> commit and push/pull often. Then you just get the perf wins of local disk
> I/O vs. network I/O and better merging capabilities.

Yeah, this is what I thought. And I can't help but feel this is
totally overrated. I mean, I don't know a single person who would say
using SVN is slow. It's never slowed me down at all (perhaps I'm just
slow in general?). Checkout takes a while, sure, but you don't do that
every day. In fact, you normally only do it a few times, perhaps when
creating a branch or something.

Okay, so you are telling me that perhaps git/hg is better because you
automatically get your 'own' repo and you need to specifically 'push'
it to the core; thus kind of creating a versioned development pattern
automatically. Alright. I can accept that as useful.


> High-level summary (from my POV) - DVCS works well in a super-set of
> configurations to old skool SVN/TFS/CVS
> Joseph

> --
>
> w: http://jcooney.net
> t: @josephcooney

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: OT - So, what's new in the world of programming?

2010-11-03 Thread silky
On Thu, Nov 4, 2010 at 10:04 AM, Simon Reed wrote:
> Not exactly new but I don't remember seeing it mentioned on here before Pex
> automated white box testing. Unit testing for people who don't like writing
> endless unit tests. Also moles for delegate testing. Been playing around
> with it for a while and the time savings are good but the learning curve to
> get the most out of it can be a bit steep.

Cool; also from the list of VS "Power Tools"; this looks pretty cool:

http://visualstudiogallery.msdn.microsoft.com/en-us/271d0904-f178-4ce9-956b-d9bfa4902745


> Simon
>
> http://research.microsoft.com/en-us/projects/pex/

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: It's a question of Generics...

2010-11-03 Thread silky
On Thu, Nov 4, 2010 at 10:25 AM, Clint Colefax wrote:
> Just playing around with some generics, and I’m getting one bit that I’m not
> happy with. I thought I had this working, but I’ve changed something and now
> it doesn’t.
>

> I have an interface
>
> Interface IBase(Of T, E)
>
>
> And a child interface
>
> Interface ILevel1
>
> And a Class
>
> Class Level1
>     Implements ILevel1
>     Implements IBase(of string, integer)
>
> Then I have a factory with a method as such
>
> Function GetALevel(Of TLevel(Of T, E)() As IBase(Of T, E)
>
> In another class, I want to call the following
>
> Dim foo as Factory = new Factory
> Dim bar as foo.GetALevel(Of ILevel1)()
>
> I think that the type of T and E should be inferred from the ILevel
> interface.

How? The ILevel interface, as posted, doesn't implement anything?

It seems like you want to do something like (C#):


    public static IBase<X, A> GetALevel<T>()
        where T : IBase<X, A>
    {
        return null;
    }

But, that doesn't compile, because X and A aren't specified anywhere.
You need to "get" those types, at compile time, from the parameters
passed to the GetALevel(ILevel)

I'm just not so sure that's possible.

Maybe it is. I don't know. I agree it seems redundant to have to
specify the types that ILevel (assuming you mean for that to inherit
IBase with the appropriate types set) has. But I don't see how you can
make the return type of that method a generic IBase without getting
the types from the parameter (directly).

Hopefully someone else has some more useful comments.


> I’m sure I had this working, then I made a number of changes all
> around this code, then noticed it wasn’t working anymore.
>
> Can anyone explain this better?
>
> Thanks
>
> Clint Colefax

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: OT - So, what's new in the world of programming?

2010-11-03 Thread silky
On Thu, Nov 4, 2010 at 9:32 AM, Peter Gfader  wrote:
> I came across "Mutation testing" 2 weeks ago. And loved the idea.
> But didn't dig into it too much yet.
>
> The Idea of "Mutation testing"
>
> How can you trust your tests?
>
> Let a tool change your app a little and run all tests.
>
> If 1 test fails, because of that change, you had good tests in place...

Heh, that's pretty cute, some sort of fuzzing applied to tests. Don't
mind that. Nice one.


> More here
> http://en.wikipedia.org/wiki/Mutation_testing
> and a .NET implementation here
> http://www.simple-talk.com/dotnet/.net-tools/mutation-testing/
>
> .peter.gfader.
> http://blog.gfader.com

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Why DVCS, was Re: TFS Feedaback? Anyone moved away from it?

2010-11-03 Thread silky
On Thu, Nov 4, 2010 at 6:26 AM, Joseph Cooney  wrote:
> I've used TFS on and off since about 2006 (mostly because I was working at
> MS, as they are fond of TFS), but haven't used TFS 2010. It's biggest
> strength IMO is integration - requirements, work items, bugs, builds, source
> code and project documentation all from within Visual Studio. It's biggest
> weakness is that it's not a distributed version control system (git,
> mercurial).

Without sounding too argumentative; exactly why should I care that
version control is "distributed"?

The stated arguments seem to be that you don't need to be online to do
commits, or that there is a local history, or some other such things.
I really just don't ever find the need for anything like that; am I
doing something significantly different to everyone else?

I mean, I've glanced over this:
http://betterexplained.com/articles/intro-to-distributed-version-control-illustrated/
and it seems none of the benefits are really appropriate in a
'typical' environment.

I guess what I'm asking is - is anyone, working in an office or alone,
getting specific benefits from git or whatever, that come *purely*
from it being significantly different from SVN, and exactly what are
they?


> If you're just going to use it as a revision control system
> you're missing out on 80-90% of what TFS has to offer (and thus it might not
> be worth it). TFS 2010 is a major update to the product (v2 really, since
> 2008 was really a v1.1) so I'm doubtless overlooking some cool features
> there 'cause I haven't used it.
> Joseph
>
> w: http://jcooney.net
> t: @josephcooney

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


OT - So, what's new in the world of programming?

2010-11-03 Thread silky
Anything interesting? Anyone doing cool things with cool stuff that I
would have absolutely no idea about? Interested to know.

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: MVVM in a navigational paradigm

2010-11-03 Thread silky
On Wed, Nov 3, 2010 at 7:02 PM, Winston Pang  wrote:
> Hey guys,
>
> I'm trying to apply MVVM in the WPF navigation model.
>
> I was just doing some thoughts around it
>
> Apart from the rule that the view model shouldn't know about the view, how
> would a particular view spawn another view, and push it to the navigation
> service for example? I've been playing around with some ideas of holding a
> mapping between the View and ViewModel in a global list in App. Then have
> App register against the messenger/mediator to respond to any other view
> model's wanting to spawn a new view and navigating it to it. I'm not sure if
> I'm on the right track.
>
> Would love to see how some other people have done it on here?

A colleague of mine (much smarter than me) implemented a generic
workflow system that was then used by several "views"
(Silverlight/Mobile/Web/WPF).

Basically, there was just a core workflow API, which was then held by
each of the areas, and they would then implement/subclass appropriate
items to render the various items (next/previous buttons, rendering of
content in the certain type of question/input/whatever).

I think this fits into your requirements. But I know I haven't given a
lot of real detail. I can't quite remember exactly how it was
implemented, and I don't work there anymore, but contact me offlist
perhaps and I can tell you what I remember.

The point is, a global mapping sounds bad. I think a strict sort of
composition-based approach seems nice, with views being based off the
core workflow system and rendered in some dynamic fashion.

Hope this is reasonably useful.


> Thanks.
>
> --Winston

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


OT - Superior Web Solutions

2010-10-27 Thread silky
Be sure to have sound turned on, and be prepared for the experience of
a lifetime:

  <http://superior-web-solutions.com/>

I think we should all give up now. This is better than any website I
will ever make. Be sure to check out the Studio.

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Rant

2010-10-27 Thread silky
On Wed, Oct 27, 2010 at 8:49 PM, Ken Schaefer  wrote:
>
> Sorry – I misunderstood – I thought you were using the main IB website – not 
> sending feedback about
> something.
>
> I suppose feedback goes into some kind of CRM system these days

No no no, it's obviously because each feedback is read aloud -
verbatim - to the CEO, and as a result only words are allowed, none of
these unpronounceable symbols.


> Cheers
>
> Ken

--
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: F# Help

2010-10-26 Thread silky
On Wed, Oct 27, 2010 at 12:09 AM, Tom Gao  wrote:
> Hi guys,

[...]

> At the moment the compiler is complaining that on the line
>
> let lagrangeInterpolatingPolynomial(share : List, degree,
> desiredPos) =
>
> in Lib.fs it isn’t able to find ShareEntity…

Is the problem that they are in different modules?

http://msdn.microsoft.com/en-us/library/dd233221.aspx


> Anyone have any ideas?
>
> Thank you in advance,
>
> Tom

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


OT(ish) - Firesheep

2010-10-26 Thread silky
May be of interest to some:

 http://codebutler.com/firesheep

"When logging into a website you usually start by submitting your
username and password. The server then checks to see if an account
matching this information exists and if so, replies back to you with a
"cookie" which is used by your browser for all subsequent requests.

It's extremely common for websites to protect your password by
encrypting the initial login, but surprisingly uncommon for websites
to encrypt everything else. This leaves the cookie (and the user)
vulnerable [...]"

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."
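
The gap described in the quoted Firesheep text (login encrypted, cookie sent in the clear afterwards) can be checked from the defender's side. This is an added example, not part of the original post or of Firesheep; the hostnames, cookie names and values are constructed, and the matching is a simplified version of browser cookie rules.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str               # host the cookie is scoped to
    path: str
    secure: bool              # Secure attribute present
    http_only: bool           # HttpOnly attribute present
    include_subdomains: bool  # True only when a Domain= attribute was given


def parse_set_cookie(header_value, origin_url):
    """Parse one Set-Cookie header value that was received from origin_url."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    host = urlsplit(origin_url).hostname
    domain_attr = attrs.get("domain", "").lstrip(".").lower()
    return Cookie(
        name=name.strip(),
        value=value.strip(),
        domain=domain_attr or host,
        path=attrs.get("path") or "/",
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        include_subdomains=bool(domain_attr),
    )


def would_send(cookie, url):
    """Simplified browser rule: would this cookie be attached to a request for url?"""
    target = urlsplit(url)
    host = target.hostname or ""
    if cookie.secure and target.scheme != "https":
        return False  # Secure cookies never travel over plain HTTP
    same_host = host == cookie.domain
    sub_host = cookie.include_subdomains and host.endswith("." + cookie.domain)
    if not (same_host or sub_host):
        return False
    path = target.path or "/"
    return path == cookie.path or path.startswith(cookie.path.rstrip("/") + "/")


def cleartext_exposures(set_cookie_events, later_requests):
    """Return sorted (cookie name, url) pairs where a cookie crosses the wire unencrypted."""
    cookies = [parse_set_cookie(value, origin) for origin, value in set_cookie_events]
    findings = []
    for url in later_requests:
        if urlsplit(url).scheme != "http":
            continue
        for cookie in cookies:
            if would_send(cookie, url):
                findings.append((cookie.name, url))
    return sorted(findings)


# Constructed capture: the login itself is HTTPS, later page loads are not.
SET_COOKIE_EVENTS = [
    ("https://shop.example/login", "session=7f3a9c; Path=/; HttpOnly"),
    ("https://shop.example/login", "csrf=1b2c; Path=/; Secure; HttpOnly"),
    ("https://shop.example/login", "prefs=dark; Domain=shop.example; Path=/"),
]
LATER_REQUESTS = [
    "http://shop.example/cart",
    "https://shop.example/account",
    "http://img.shop.example/logo.png",
]

# The same session cookie with the Secure attribute added.
HARDENED_EVENTS = [
    ("https://shop.example/login", "session=7f3a9c; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for name, url in cleartext_exposures(SET_COOKIE_EVENTS, LATER_REQUESTS):
        print(f"cookie {name!r} would be sent unencrypted to {url}")
```

Note that HttpOnly on the session cookie does not help here: it hides the cookie from page scripts, not from the network.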


Re: Submit form to another page using GET

2010-10-17 Thread silky
On Mon, Oct 18, 2010 at 2:09 PM, Anthony  wrote:
> Is it possible to have a button submit to another page using get?
>
> I have an asp.net page with many buttons, textboxes...but when you click
> the search button i want it to submit textboxKeywords to another page using
> get ?
>
> I know i can postback to another URL using <asp:ImageButton PostBackUrl="~/search.aspx" ImageUrl="/searchbutton.jpg" ID="ImageButton1"
> runat="server" /> but how do I change method to GET and specify which field to
> send?
>
> Basically when you click the search button i want it to redirect to
> search.aspx?query=
>
> I am assuming that this must be done in code behind?

Well, consider that your entire page is probably within a form. So,
according to HTML you can't have one form inside another, and
according to Webforms, you can't even have two 
...

So, all this means is your search box needs to be in its own
non-asp.net form, just:


 ...


It's been a while since I've written "ImageButton", but I'm pretty
sure it will perform the submit on any form it is inside of. Give it a
crack, and let me know if it doesn't work. It should (or some minor
variant).


> Is your website being IntelliXperienced?  | www.yougoingmyway.com ?
> regards
> Anthony (*12QWERNB*)
>
> Is your website being IntelliXperienced?

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Assigning property at runtime from database?

2010-10-15 Thread silky
On Sat, Oct 16, 2010 at 11:51 AM, Anthony  wrote:
> mmm...wonder what else i am missing...

Sadly (or perhaps not) it's not a trivial process to list all of the
things we don't know. If it was, life would be pretty boring really :)

FWIW, I've found (as has virtually everyone else) that hanging around
on forums is a great way to accidentally learn things :)

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Silverlight - Sharepoint 2010 List Item, Uploading file limitedto 3MB

2010-10-13 Thread silky
On Thu, Oct 14, 2010 at 11:40 AM, Winston Pang  wrote:
> Yep, tested a lot of different various file sizes, and did multiple uploads,
> I've increased time out to like a ridiculous figure like 20 minutes as well.

These look promising:

http://forums.silverlight.net/forums/t/202015.aspx
http://forums.silverlight.net/forums/p/21513/75649.aspx

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Silverlight - Sharepoint 2010 List Item, Uploading file limited to 3MB

2010-10-13 Thread silky
On Thu, Oct 14, 2010 at 8:29 AM, Winston Pang  wrote:

[...]

> @Michael, I've increased it to 200mb, still does nothing, the default forms
> generated for sharepoint lists can upload larger than 3 meg files, but my
> custom silverlight web part seems to be dying when it tries =\

Hmm ...

So then, exactly how are you doing the upload with Silverlight?

It seems like we could posit that the issue lies in that part, and you
could try writing a tiny standalone silverlight bit to see if you can
perform a similar type of operation outside of Sharepoint.

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Fwd: [mxug:1317] Presenter Call

2010-10-13 Thread silky
FYI, just in case anyone on this list isn't aware of this group yet,
nice place to learn about various technical topics, if one is so
inclined ...


-- Forwarded message --
From: Robert Postill 
Date: Wed, Oct 13, 2010 at 2:27 PM
Subject: [mxug:1317] Presenter Call
To: m...@googlegroups.com


Hello,

Fancy presenting in front of a friendly group of geeks?  Great, MXUG
is on next week and we're looking for you.  So pitch your ideas and
let's meet up next Wednesday to discuss them :)

Robert

--
You received this message because you are subscribed to the Google
Groups "mxug" group.
To post to this group, send an email to m...@googlegroups.com.
To unsubscribe from this group, send email to mxug+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/mxug?hl=en-GB.


--
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Silverlight - Sharepoint 2010 List Item, Uploading file limited to 3MB

2010-10-13 Thread silky
On Thu, Oct 14, 2010 at 8:49 AM, Winston Pang  wrote:
> This is exactly the same problem I'm suffering:
>
> http://efreedom.com/Question/1-3413839/Upload-Large-File-Sharepoint-Silverlight
>
> However the answer doesn't work.
>
> I've posted on the Sharepoint forums on MSDN as well, no reply either.

If you're getting desperate, you can always try just trying to
reproduce the problem on a different setup (even just a custom one
where all the configured folders and so on are the same).

Probably you've just missed something obvious, and a review of it from
a different angle will help ...

(Sorry that I have nothing useful to add).

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: NuPack

2010-10-07 Thread silky
On Fri, Oct 8, 2010 at 3:47 PM, David Burela  wrote:
> I currently do have everything in a /libs folder.
>
> But right now how do you get everything into that lib folder? Lets use
> nHibernate as an example
> You go out, find the website, download it, unzip it, put it into your libs
> folder, add all the references.
> decide that you want to use the Ninject extensions for nHibernate, go find
> them, unzip, copy to /libs reference
> then go do the same thing with the actual ninject .dlls
> vs.
> inside of visual studio by typing
> add-package Nhibernate.Linq
> and having the system automatically download it, add all dependencies, and
> and add to your project.

Ah, I understand.

Fair enough then. I actually prefer to specifically get everything I
need, but I can see how some people would prefer this method.

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: NuPack

2010-10-07 Thread silky
On Fri, Oct 8, 2010 at 3:17 PM, David Burela  wrote:

[...]

> What does everyone think of it?

I guess I don't even really understand the problem. Why aren't all
your references in a \lib folder in the same directory as the rest of
your solution?

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: [OT] Random numbers

2010-10-06 Thread silky
On Fri, Oct 1, 2010 at 9:47 PM, mike smith  wrote:

[...]

> Or there's the more achievable random numbers thru lava lamps
>
> http://www.lavarnd.org/what/how-it-works.html

Or better yet, dice: http://pudec.connotech.com/

It's amusing because it's true, you just need a secure seed and then a
good next-number generation algorithm. And there is Mersenne Twister
for that: http://en.wikipedia.org/wiki/Mersenne_twister

I don't know what the current state-of-the-art is there though.
Interesting to find out about.

I do find it quite amusing to imagine a big lottery-style device down
at your local bank, that is permanently spitting the dice into the air
and reading the values as they land periodically. Someone walks by,
"Oh, that's just protecting your money". Cool. Seriously though, I do
think it's quite legitimate.


> --
> Meski
>
> "Going to Starbucks for coffee is like going to prison for sex. Sure, you'll
> get it, but it's going to be rough" - Adam Hills

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: [OT] article - security for smart grids

2010-10-06 Thread silky
On Wed, Oct 6, 2010 at 6:20 PM, Ian Thomas  wrote:
> Yes, in the last year or so I've looked at the Google PowerMeter, Microsoft
> HOHM, etc – ‘looked' meaning that I read the web pages, followed a few
> links, looked at some blogs, looked at some info on controllers, etc. I
> haven't actually hooked up any systems to hardware and power corps.
>
> Missed HEAT, though.
>
> Since originally posting, I've looked into what's evolving in SCADA – I see
> the reticence to connect to internet, and the slow acceptance of TCP/IP
> protocol (many proprietary protocols were used, years ago). I trust that any
> new “SmartGrid systems” will work out the necessary security protections
> (and not rely on security by obscurity).

I'd like to draw your attention to this:
http://www.mail-archive.com/cryptogra...@randombit.net/msg00086.html

I think people get too caught up in saying and paying respects to
"security by obscurity" but not taking in the whole picture, as the
poster there makes a nice note of.

It is appropriate to keep things secret, it is appropriate to keep
things offline even if it's slightly counter-productive (depending on
your *threat model*), and so on.

I certainly don't "trust" that any SmartGrid would automatically be
secure. It seems like just the opposite would be true.

The recent padding oracle is actually pretty amusing in this regard.
Even I remember when the oracle-type attacks were discussed, and
nobody really noticed or did anything. Yet the vector existed for a
long time (in multiple environments, and probably will continue to do
so in some old libraries). Even when people *know* about
vulnerabilities, products are still realised insecurely. Stuxnet again
is a classic example of this.

I really hope that if anyone does implement some sort of system, they
have a rigorous system of security. But then again I really don't know
anything about the topic, just wanted to draw your attention to the
security-by-obscurity is Bad (tm) is not necessarily a wise approach.

After all, an AES key is just some "obscure" number. And obscurity
(lack of information) is what solves the padding oracle attack. It
makes sense, as I see it, to have "core" componentry *not online*, and
other parts online. If it doesn't need to be online, don't make it so.


> I don’t know much about building management systems, apart from a few radio
> broadcasts. (much -> 0)
>
> 
>
> Ian Thomas
> Victoria Park, Western Australia

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: [OT] article - security for smart grids

2010-10-05 Thread silky
On Tue, Oct 5, 2010 at 6:43 PM, Ian Thomas  wrote:
> PG – I wasn’t aware of the CERT gov thing at all (ausCERT had offices all
> over – I seemed to discover them down some obscure corridor in several
> universities).
>
> I wonder what the overlap would be with the energy regulators, and power
> corps like Horizon, Country Energy, etc? (there are at least 20, I believe).
>
> Silky – little (?nothing) in the more general ICT press from IDG is
> technically useful, really. But it keeps me in touch, I guess.
>
> The reason that I bothered to OT-flag that article was that I do have an
> interest in the overlapping areas of NBN / trans-sector usage of high-speed
> data links / smart grids / smart energy / energy efficiency / technological
> solutions to some of our profligate over-consumption, etc. Which is why I
> don’t get too upset about the climate change / global warming hysteria (or
> unmanageable emotional excess) – it’s probably good for us in the affluent
> nations to respond to “GW”, since there may be some useful by-products – as
> long as C-trading doesn’t become yet another unknowable and uncontrollable
> financial derivative.
>
> On a technical tangent, some time ago Juval Lowy (IDesign) was promoting
> what he termed the “next boom in software” – or the “Energynet” concept. In
> a few email dialogues about 18 months ago, he told me that he had been
> involved in “a few cool initiatives” in that area (using .NET), and he
> reckoned the “potential is the internet revolution all over again” –
> verbatim quote. I think it’s a little slow to take off, but the info I read
> in the telecoms arena does display a lot of interest.
>
> Most of the larger iron ore and oil & gas companies used to use SCADA
> systems – and like you, I had noticed one or two ComputerWorld type news
> articles about security concerns, in the past couple of months. I’m out of
> touch now with what’s happening there (NW of WA, oil & gas, etc), but I
> suspect SCADA is still king.

Right.

I really don't know much about any of that. I have no idea what
"Energynet" refers to.

What I found interesting on the SCADASEC list is that mostly, the
"ideal" environment is to keep "core" systems totally separate from
the internet at large. Interestingly, the security proposals in that
link (lots of logging, centralised access control, etc) tend to go
against that model. My (non-expert) opinion is that a
separated/segregated area for core process is ideal, and takes
precedence over other concerns.

It also seems to me that keeping the systems on a sort of "obscure"
platform is a good approach; that is could there be a "hardened" .net
release, that contains only X components useful for the various
purposes. Probably far more challenging and would introduce complexity
such that it outweighs any real benefits. I don't know. Arguably
interesting to think about.


> Thanks for the couple of links.
>
> 
>
> Ian Thomas
> Victoria Park, Western Australia

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Chair Recommendations

2010-10-04 Thread silky
On Tue, Oct 5, 2010 at 5:27 PM, David Connors  wrote:
> I asked my physio this once. He said all those fancy high back
> aeron/whatever chairs are the worst thing ever for your spine.
> You should get an ordinary typist chair which is height/back/everything
> adjustable. I think he said no arm rests is the best.
> I swapped my fancy leather chair for one on his advice and have not looked
> back - SO much more comfortable.

I'm not sure I buy this, ... "back in the day", I used to have one of
those aeron chairs, and they were super comfortable. I have no expert
comments on the state of my back, and no useful anecdotes to offer
even.

A while back I looked into getting one, but they proved to be
significantly out of my range (~1500 AUD new). I did some research and
found lots of "similar" chairs, but never pulled the trigger.

I'd also be interested to know if anyone has done their research on
the matter and made a conclusive decision ...


> --
> David Connors | da...@codify.com | www.codify.com
> Software Engineer
> Codify Pty Ltd
> Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417
> 189 363
> V-Card: https://www.codify.com/cards/davidconnors
> Address Info: https://www.codify.com/contact

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Question re Formatting ASP.NET

2010-10-04 Thread silky
On Tue, Oct 5, 2010 at 3:16 PM, David Boccabella
 wrote:
>
> Hi Folks
>
> I have a strange question and was wondering if someone can advise me in 
> VS2010 (and others).
>
> Many years ago when I was doing ASP coding there was a lot of talk re  
> embedded code in the web page, and the concept of mixing code with formatting 
> was frowned upon.
>
> I am now doing some programming in ASP.NET and when I add a control like a  
> DataSource it puts all of its properties within the ASPX page, not the code 
> behind page.
>
> Is there a way to tell VS2010 to do this automatically, or some way to select 
> a block and  say ‘to code page’

I don't know the answer to your question, but I'm guessing it's not
possible, but I mainly wanted to say  that IMHO for things like
DataSources, and almost anything else that "can" be configured "most
appropriately" in the aspx/ascx, I prefer to do it there.

That is to say, in older projects when I occasionally use things like
ObjectDataSource, and then bind it to a Repeater, I write all the
properties inline. It's nice because it's all kind of self-contained.
Sure, you lose compile-time safety on those properties, but they are
so "minor", that I don't consider it that important.

Of course, things are done a bit differently in the MVC framework, but
nevertheless. I was comfortable with that approach in that context.


> Many thanks for any advice
>
> Dave
> David Boccabella  IT Manager
>
> Shamir Australia Pty Ltd.   | 1/23 Luke St. Lytton, QLD, 4178
> P.O. Box 3346, Tingalpa  DC  4173
>
> P: 1300-553-465 | M: 0433-808-525 | F: 1300-554-075
>
> www.shamirlens.com.au

--
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: [OT] article - security for smart grids

2010-10-04 Thread silky
On Tue, Oct 5, 2010 at 2:02 PM, Ian Thomas  wrote:
> I found this short piece http://bit.ly/8Xg61j "Smart grid security: Critical
> success factors" very informative. It was written by Shoaib Yousuf, who is
> the e-security strategy manager for Country Energy.
>
> Since the heaviest use of NBN will eventually be uses like smart grids (eg,
> electricity management) and health, it's nice to see some helpful
> information in the ICT press for a change.

It's nice to see I agree, but clearly the article isn't really
"technically useful". I.e. the *correct* implementation of the
aforementioned is what is important.

It's interesting to relate the advice in that article, to the known
info regarding Stuxnet:
 <http://www.computerworld.com.au/article/363057/why_did_stuxnet_worm_spread_/>

I.e. would those measures prevent a specific attack like stuxnet?
Depends how hard-line you are in implementing the rules listed. So
that's what is critical to convey, IMHO.

Also, Ian, if you have an interest in this area, you might be
interested in the following mailing list (SCADASEC)
 <http://www.infracritical.com/?page_id=53>

American-based, but useful to see what real-world operators are doing.


> I'm not sure whether these grids are still mainly SCADA.
> ____
> Ian Thomas
> Victoria Park, Western Australia


-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Fwd: [Full-disclosure] Breaking .NET encryption with or without Padding Oracle

2010-10-04 Thread silky
FYI, details of how to get the web.config are below.

Hope everyone is patched by now.


-- Forwarded message --
From: Early Warning 
Date: Mon, Oct 4, 2010 at 7:21 PM
Subject: [Full-disclosure] Breaking .NET encryption with or without
Padding Oracle
To: full-disclos...@lists.grok.org.uk


Dear list,

Since Microsoft official fix is out, we published full details about
"ScriptResource.axd" vulnerability in framework 3.5 sp1 and above
which leads to arbitrary file disclosure in the virtual path.
In addition we have included also details about the "T" exploit
that can be used to circumvent initial Microsoft workaround.

For more information:
http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html


Regards,

Giorgio Fedon

Minded Security Research Team
www.mindedsecurity.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: [OT] Regex question

2010-10-04 Thread silky
On Mon, Oct 4, 2010 at 9:02 PM, Peter Gfader  wrote:
> Hi David
> How did you solve it?
> Did you brute force it or using some Regex Ninja tool that you want to
> share?

(I'm not David, but...) Interesting question 

Arguably, it's easy to see how he arrived at the correct answer
(which is valid for the given examples, but not if the path contains a
folder with a dot, which wasn't in the requirements, so may be
meaningless). I actually find the first instances hard to understand,
and I don't think I would've logically gotten from *them* to the
current answer without a fresh mind.

I have vague memories of once upon a time using this:
http://www.weitz.de/regex-coach/

But these days anything I do in regex is so simple that I can just
test it inside c# itself. Of course, you probably already know about
http://www.regular-expressions.info/ , but they do seem to have a list
of tools, I haven't used them before though.


> .peter.gfader.
> http://blog.gfader.com/
> http://twitter.com/peitor

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: [OT] Random numbers

2010-09-30 Thread silky
On Fri, Oct 1, 2010 at 3:13 PM, silky  wrote:
> On Fri, Oct 1, 2010 at 2:29 PM, David Burstin  wrote:
>> This article:
>>
>> http://www.newscientist.com/article/dn19520-random-numbers-created-out-of-nothing.html
>> sounds interesting, but being Friday, I was wanting to hear the thoughts of
>> those who know much more about this kind of stuff than I do. (That means
>> you, Silky et al)

[...]

> It's cool though, and I don't know enough about the physics of it to
> really have any useful opinions. But it's probably interesting, from a
> cryptography point of view, to wonder what is better: numbers from an
> unknown source, or numbers from "known" sources with "known" seeds
> that you can just combine in an unknown way.

Relevant thread from the crypto mailing list on this topic:
  http://www.mail-archive.com/cryptogra...@metzdowd.com/msg11737.html

The QM component of it is interesting, because I suppose it depends
how you feel about the QM model we have. If you think it is complete,
and that there is legitimately no way and no other model such that
determinism can be introduced, then okay, you have an undeterministic
generation of numbers. But are there easier ways to get undeterministic
numbers? Maybe, because you just need to make them undeterminable *to
a specific person* (i.e. the attacker, whom you can model), not to the
entire universe at large :P :)

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: [OT] Random numbers

2010-09-30 Thread silky
On Fri, Oct 1, 2010 at 2:29 PM, David Burstin  wrote:
> This article:
>
> http://www.newscientist.com/article/dn19520-random-numbers-created-out-of-nothing.html
> sounds interesting, but being Friday, I was wanting to hear the thoughts of
> those who know much more about this kind of stuff than I do. (That means
> you, Silky et al)

Yeah, I don't know much about this specifically.

All I really know[2] is this implementation of a similar technology:
http://www.idquantique.com/true-random-number-generator/products-overview.html

But it's interesting to note[1], as with almost any cryptographic
system, the biggest issue is implementation-based attacks (i.e. side
channel attacks and the recent padding oracle).

It's cool though, and I don't know enough about the physics of it to
really have any useful opinions. But it's probably interesting, from a
cryptography point of view, to wonder what is better: numbers from an
unknown source, or numbers from "known" sources with "known" seeds
that you can just combine in an unknown way.

I'd probably only feel comfortable with it once I knew how it works,
so it's something to look into I suppose. Few relevant links:
 - http://arxiv.org/abs/1006.3512
 - http://www.technologyreview.com/blog/arxiv/25355/?nlid=3170


> Cheers
> Dave

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."

[1]  http://www.physorg.com/news202139419.html
[2] From my presentation on QKD: http://www.programmingbranch.com/presentations/


Re: IMPORTANT - ASP.NET update and security advisory

2010-09-28 Thread silky
On Wed, Sep 29, 2010 at 3:02 PM, silky  wrote:

[...]

> Agreed.
>
> It's definitely using that file to do the code execution though. But
> I'm struggling to find any information on exactly what happens when
> you hit WebResource.axd (i.e. what code path do you end up? I can't
> find it, if anyone knows please let me know ...)

Actually, until the sourcecode for the asp.net-specific app is
released, I think it's probably not appropriate to publicly speculate
on how it works. The fixes are obvious and well-described and trivial.
So if anyone wants to email me offline, feel free, but I think I won't
comment further (if I even have anything useful to say) until such
time.


> --
> silky
>
> http://dnoondt.wordpress.com/
>
> "Every morning when I wake up, I experience an exquisite joy — the joy
> of being this signature."

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: IMPORTANT - ASP.NET update and security advisory

2010-09-28 Thread silky
On Wed, Sep 29, 2010 at 1:59 PM, David Connors  wrote:
>> The main problem is having effectively web-accessible content in the
>> web root. It's virtually a flat-out "don't ever do it".
>
> I agree. But there have been parent path escaping issues in the past
> that allow attackers to reference files outside of the web root even.
>
> A bit more clarity around this part of the exploit would be more helpful.

Agreed.

It's definitely using that file to do the code execution though. But
I'm struggling to find any information on exactly what happens when
you hit WebResource.axd (i.e. what code path do you end up? I can't
find it, if anyone knows please let me know ...)

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: IMPORTANT - ASP.NET update and security advisory

2010-09-28 Thread silky
On Wed, Sep 29, 2010 at 12:56 PM, David Connors  wrote:
> On 29 September 2010 12:52, silky  wrote:
>>
>> My guess from reading the PDF I sent through is that they gain access
>> to the Web.config by manipulating WebResource somehow (they imply as
>> much I think).
>
> Yeah, that is as much as I could glean from the comments on the post.
>
>>
>> So, of course it also follows that you should *not* store anything of
>> any importance in the web.config. This is not so hard. Just load the
>> important stuff from a file that is not in the web root. I think this
>> is even possible with one of the MS add-ins (configuration manager or
>> something, I forget its name sorry).
>
> I agree in principle, but without knowing more about that part of the attack
> there are other issues:
> 1. What user is the thread running at at the time those files are read? The
> AppPool identity or something else?
> 2. Is there any opportunity for parent pathing out of the web root etc?

The main problem is having effectively web-accessible content in the
web root. It's virtually a flat-out "don't ever do it". It so happens
that, if I may say, .NET has encouraged bad practice with this. We
should really all go back to basics and never do it, and if MS has
some strategy to help everyone do this in a generic way, all the
better. Of course, it's too much to have everyone "change", but it is
technically the best approach, if possible.

The other concerns - who loads it, who should have access to that
folder, etc - are legitimate and should be handled appropriately,
defaulting to the "lowest possible".


> --
> David Connors | da...@codify.com | www.codify.com
> Software Engineer
> Codify Pty Ltd
> Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417
> 189 363
> V-Card: https://www.codify.com/cards/davidconnors
> Address Info: https://www.codify.com/contact

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: IMPORTANT - ASP.NET update and security advisory

2010-09-28 Thread silky
On Wed, Sep 29, 2010 at 12:15 PM, David Connors  wrote:
> On 29 September 2010 11:07, silky  wrote:
> >
> > It affects everyone using .NET.
>
> Everyone using ASP.NET who uses session state/view state etc. If you don't
> use these things then there is no impact for you.

Sorry but I think it's important to note this is .NET-Wide.

The problem is *padding oracle*; it's just that ASP.NET has bad
implementations. As I suggested last week, it's an attack against any
generic encryption system that attempts to decrypt untrusted data
(i.e. no HMAC).

It happens that .NET reports *specifically* regarding the padding
information, and thus any .NET process doing this type of encryption
(ASP.NET's ViewState/FormsAuth/Whatever), reports it directly back (if
you let it) and thus you can make inferences and determine the key.

My guess from reading the PDF I sent through is that they gain access
to the Web.config by manipulating WebResource somehow (they imply as
much I think).

So, of course it also follows that you should *not* store anything of
any importance in the web.config. This is not so hard. Just load the
important stuff from a file that is not in the web root. I think this
is even possible with one of the MS add-ins (configuration manager or
something, I forget its name sorry).


> Though
> this: http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
> says:
>
> What does the vulnerability enable?
> An attacker using this vulnerability can request and download files within
> an ASP.NET Application like the web.config file (which often contains
> sensitive data).
> An attacker exploiting this vulnerability can also decrypt data sent to the
> client in an encrypted state (like ViewState data within a page).
>
> Has anyone read any more specifics on that part?
> David.
> --
> David Connors | da...@codify.com | www.codify.com
> Software Engineer
> Codify Pty Ltd
> Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417
> 189 363
> V-Card: https://www.codify.com/cards/davidconnors
> Address Info: https://www.codify.com/contact

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."
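The message above describes the attack as one against any system that decrypts untrusted data with no HMAC, made practical when padding failures are reported back to the client. The following is an added example, not code from the thread or from ASP.NET, showing the defensive shape of that advice: authenticate the token before decrypting it and return one indistinguishable failure. The class name `ProtectedToken`, the token layout and the use of two separate keys are assumptions of this sketch.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: encrypt-then-MAC for a value that round-trips through the client.
// Assumed token layout: IV (16 bytes) || AES-CBC ciphertext || HMAC-SHA256 tag (32 bytes).
public static class ProtectedToken
{
    private const int IvSize = 16;
    private const int BlockSize = 16;
    private const int TagSize = 32;

    public static byte[] Protect(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();

            byte[] ciphertext;
            using (var enc = aes.CreateEncryptor())
                ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            // The MAC covers the IV and the ciphertext, so neither can be altered.
            var body = new byte[IvSize + ciphertext.Length];
            Buffer.BlockCopy(aes.IV, 0, body, 0, IvSize);
            Buffer.BlockCopy(ciphertext, 0, body, IvSize, ciphertext.Length);

            byte[] tag;
            using (var hmac = new HMACSHA256(macKey))
                tag = hmac.ComputeHash(body);

            var token = new byte[body.Length + TagSize];
            Buffer.BlockCopy(body, 0, token, 0, body.Length);
            Buffer.BlockCopy(tag, 0, token, body.Length, TagSize);
            return token;
        }
    }

    // Returns false for every kind of failure; callers map that to one generic
    // error and never expose which check failed.
    public static bool TryUnprotect(byte[] token, byte[] encKey, byte[] macKey, out byte[] plaintext)
    {
        plaintext = null;
        if (token == null || token.Length < IvSize + BlockSize + TagSize)
            return false;

        int bodyLen = token.Length - TagSize;
        if ((bodyLen - IvSize) % BlockSize != 0)
            return false;

        byte[] expected;
        using (var hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(token, 0, bodyLen);

        // Verify the tag first: a modified token is rejected here, so the
        // padding check inside the decryptor never runs on untrusted bytes.
        if (!TagMatches(expected, token, bodyLen))
            return false;

        try
        {
            using (var aes = Aes.Create())
            {
                aes.Key = encKey;
                aes.Mode = CipherMode.CBC;
                aes.Padding = PaddingMode.PKCS7;
                var iv = new byte[IvSize];
                Buffer.BlockCopy(token, 0, iv, 0, IvSize);
                aes.IV = iv;
                using (var dec = aes.CreateDecryptor())
                    plaintext = dec.TransformFinalBlock(token, IvSize, bodyLen - IvSize);
                return true;
            }
        }
        catch (CryptographicException)
        {
            plaintext = null;
            return false; // same result as a MAC failure
        }
    }

    // Comparison that does not stop at the first differing byte.
    private static bool TagMatches(byte[] expected, byte[] token, int tagOffset)
    {
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
            diff |= expected[i] ^ token[tagOffset + i];
        return diff == 0;
    }

    public static void Main()
    {
        var encKey = new byte[32];
        var macKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(encKey);
            rng.GetBytes(macKey);
        }

        // Constructed sample value, not taken from the thread.
        byte[] token = Protect(Encoding.UTF8.GetBytes("user=alice;role=member"), encKey, macKey);

        byte[] plain;
        Console.WriteLine("genuine token accepted:  " + TryUnprotect(token, encKey, macKey, out plain));

        token[IvSize + 3] ^= 0x01; // simulate a token modified in transit
        Console.WriteLine("modified token accepted: " + TryUnprotect(token, encKey, macKey, out plain));
    }
}
```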


Fwd: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-09-28 Thread silky
For Dave and anyone else interested, here's the link to the presentation.

And their website: http://netifera.com/research/ with the tool,
available for download, immediately.

So patch immediately.


-- Forwarded message --
From: Thai Duong 
Date: Tue, Sep 28, 2010 at 1:58 PM
Subject: Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
To: Peter Gutmann , cryptogra...@metzdowd.com


On Sat, Sep 18, 2010 at 8:43 PM, Peter Gutmann
 wrote:
>>I'm one of the authors of the attack. Actually if you look closer, you'll see
>>that they do it wrong in many ways.
>
> The FormsAuth as well, not just the view state?  Interesting, I thought they
> had that one right, at least.

We promised Microsoft not to release anything before they have a
working patch. Now they have it, so we release the slide we presented
at EKOPARTY. Check it out.

http://netifera.com/research/poet//PaddingOraclesEverywhereEkoparty2010.pdf

-Thai.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com



-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: IMPORTANT - ASP.NET update and security advisory

2010-09-28 Thread silky
On Wed, Sep 29, 2010 at 11:27 AM, Dylan Tusler
 wrote:
> Right, but all the vulnerability walkthroughs I saw involved using the
> vulnerability to get super-user status and then using that status to do
> other nefarious things.
>
> If you don't have user authentication of any kind, is there any threat? If
> nobody can login to my site, can the site's web.config still be accessed,
> for example.

I think it's safe to say if you are *never* attempting to decrypt
something sent from the client, then you aren't at risk (I'd need to
read through the entire vulnerability details to confirm this though,
which I haven't done). But, it's hard to be sure of this, depending on
what you are doing. ASP.NET may be doing it without your knowledge.

The fix is so trivial (don't display any error info to the client),
and generally good practice anyway, you should just do it.


> Dylan.

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: IMPORTANT - ASP.NET update and security advisory

2010-09-28 Thread silky
On Wed, Sep 29, 2010 at 10:36 AM,   wrote:
> Question - does this just affect people using Oracle, or does it affect all 
> .net instances?

It affects everyone using .NET. Specifically it also affects
FormsAuthentication, which most of us are probably using somewhere.

You *must* implement the fix described ASAP. Everyone working on an
ASP.NET should read the advisory, check if they are vulnerable and fix
it.


> T.

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: IMPORTANT - ASP.NET update and security advisory

2010-09-28 Thread silky
On Wed, Sep 29, 2010 at 10:56 AM, Craig van Nieuwkerk  wrote:
> It is unrelated to databases at all, the Oracle name does confuse things
> though.

I didn't even consider that.

Yes, "Padding Oracle" refers to a blackbox entity that gives
information about something (in this case, cryptographic padding). The
"original" meaning of "Oracle", before the DB system :)

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Remote control hardware / software

2010-09-27 Thread silky
On Tue, Sep 28, 2010 at 11:13 AM, Arjang Assadi  wrote:
> if you are in Sydney drop by KPower, I remember they had such devices
> + they also had some .net development going on
>
> they had some IP based door security products just for a door sitting
> in middle of nowhere (+ more for stuff to allow you to open your home
> door via sms or web)
>
> I never worked for them but I liked what they were doing
>
> www.kpower.com.au

Wow: http://www.kpower.com.au/show-me-everything/mindball/w1/i1001435_1001304/

Perfect for christmas.

I'm a bit confused how that can cost so much. Surely the detectors
aren't that expensive.


> Regards Arjang


-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Fwd: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-09-27 Thread silky
Demonstration of the attack against .NET Nuke (see below).

Relevant MS websites describing fixes:
 - http://www.microsoft.com/technet/security/advisory/2416728.mspx
 - http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-security-vulnerability.aspx


-- Forwarded message --
From: Thai Duong 
Date: Sat, Sep 18, 2010 at 10:52 AM
Subject: Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
To: Peter Gutmann 
Cc: cryptogra...@metzdowd.com, t...@ritter.vg


On Wed, Sep 15, 2010 at 11:07 AM, Peter Gutmann
 wrote:
> Tom Ritter  writes:
>
>>What's weird is I find confusing literature about what *is* the default for
>>protecting the viewstate.
>
> I still haven't seen the paper/slides from the talk so it's a bit hard to
> comment on the specifics, but if you're using .NET's FormsAuthenticationTicket
> (for cookie-based auth, not viewstate protection) then you get MAC protection
> built-in, along with other nice features like sliding cookie expiration (the
> cookie expires relative to the last active use of the site rather than an
> absolute time after it was set).  I've used it in the past as an example of
> how to do cookie-based auth right
>
> Peter.
>

I'm one of the authors of the attack. Actually if you look closer,
you'll see that they do it wrong in many ways.

Here is a video that we just release this morning at EKOPARTY:
http://www.youtube.com/watch?v=yghiC_U2RaM

Slide, paper, and tools will be released on http://www.netifera.com/research.

Thai.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com



-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Unit Testing and ASP.NET Resources

2010-09-26 Thread silky
For an update on this, in case anyone is interested, it turns out it's
kind of solved in my environment (.NET 3.5/MVC).

Specifically, inside a controller when you have something like:

 HttpContext.GetGlobalResourceObject("Messages", "SomeMessage")

It refers to an object that you can mock (or just create your own
implementation of). I went for the creating-your-own-implementation
approach, such that my test code looks something like:

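public void SomeControllerTest ()
{
  // GetController() returns a BookingController wired to the fake context.
  BookingController controller = GetController();

  controller.Foo();
}

...

private BookingController GetController ()
{
  BookingController controller = new BookingController();
  RouteData routes = new RouteData();

  // Hand the controller a fake HttpContextBase instead of a live request.
  controller.ControllerContext =
    new ControllerContext(new FakeHttpContext(), routes, controller);
  return controller;
}

...

// Stand-in context: returns "classKey_resourceKey" instead of loading the
// resource, so a test can assert on which message was requested.
public class FakeHttpContext : System.Web.HttpContextBase
{
  public override object GetGlobalResourceObject (string classKey, string resourceKey)
  {
    return classKey + "_" + resourceKey;
  }
}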

So, you can see that I'm not really loading the resources themselves,
just displaying the appropriate message (which I can then check via
tests). Pretty convenient. You can implement various other relevant
functions if you are so inclined. The classes are in the
"System.Web.Abstractions" namespace, which allows for the
mocking/re-implementing of various other relevant classes.

--
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Remote control hardware / software

2010-09-24 Thread silky
On Fri, Sep 24, 2010 at 3:32 PM, silky  wrote:

[...]

> Or just a simple programmable device like:
> http://www.netburner.com/products/serial_to_ethernet.html (I've used
> something like that before, I can't remember the exact company name
> right now though, but they are probably all similar).

It's called Tibbo: http://www.tibbo.com/

Obviously, using something like that implies you already have a
serial-based PIN system, and just want to be able to send the commands
over the net instead of locally. Which may or may not be the case.

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Remote control hardware / software

2010-09-23 Thread silky
On Fri, Sep 24, 2010 at 3:21 PM, Glen Harvy  wrote:
> Hi,
>
> I have received a few requests for a hardware / software solution that will
> allow a user to enter a PIN at a remote unattended site that will then
> contact via a wireless connection my software located off-site and providing
> the PIN is accepted, at least allow a door/gate to be opened, lights come
> on, dancing girls flash their tits etc etc etc.
>
> Does anyone know of such a beast available within Australia that will do
> such a thing via a suitable wireless interface?

You might try looking into arduino:

http://www.arduino.cc/playground/Main/KeypadTutorial

Or just a simple programmable device like:
http://www.netburner.com/products/serial_to_ethernet.html (I've used
something like that before, I can't remember the exact company name
right now though, but they are probably all similar).


> Thanks,
>
> Glen Harvy.

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Unit Testing and ASP.NET Resources

2010-09-22 Thread silky
On Mon, Sep 13, 2010 at 12:04 PM, Nathan Schultz  wrote:
> I have looked into this at one time, although my scenario was different; I
> needed the HTTP Context to do some server-side mapping.
>
> I ended up admitting defeat and wrapped the .Net framework functionality I
> needed in a class, and then used Rhino-Mocks to mock it.
>
> Unfortunately in your situation that doesn't prove that .Net will get your
> resources correctly. At the same time, it's considered unnecessary to write
> unit-tests over the .Net framework itself; at some stage an assumption must
> be made.
>
> I did stumble upon a HTTP Simulator, but I have no idea how good it is:
> http://haacked.com/archive/2007/06/19/unit-tests-web-code-without-a-web-server-using-httpsimulator.aspx

Thanks Nathan.

I'm not trying to test the Resources system itself, specifically I
want to test that I am putting the right localised text in the right
place, and that it "reads" well. So, it's basically a thing I need to
"see". I think I've seen that post and I'm not sure it does the
localisation correctly, but I'll check it out again, I could be wrong.

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Is Silverlight dead ?

2010-09-22 Thread silky
On Wed, Sep 22, 2010 at 7:30 PM, Scott Barnes  wrote:
> David with glasses? the one who falls asleep allot after 1x beer?
> aren't you a tester or something?
>
> Anyway, I am more than happy to openly debate and discuss my opinions
> / remarks but i think the attack posture you took was misguided and
> definitely not accurate assessment of the situation. Geek fame is
> over-rated and i make zero profit off having this attention if
> anything it could have the opposite effect - I only traveled down this
> path as it puts ? above peoples heads around the WPF/Silverlight
> future(s), casts a bright light onto the Windows team and their
> behavior and actually puts the DevDiv marketing team(s) on notice.

Please, say something directly useful or take it off list (or on your blog)?


> Regards,
> Scott Barnes
> http://www.riagenic.com

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Is Silverlight dead ?

2010-09-22 Thread silky
On Wed, Sep 22, 2010 at 6:50 PM, Ken Schaefer  wrote:
> Some people want to know whether it's worth investing in a platform - i.e.
> will it have a foreseeable future, or is it a dead end?

Sure, but how do you rate such a thing? Based on requirements and
context. Evangelists (both at Microsoft and not at Microsoft) just
talk from a biased point of view. We all do. I see no need to listen
to that; just try and rate as objectively as possible.

I agree it's fair to wonder if it's being EOL'd, but it clearly isn't.
End of story.


> Cheers
> Ken

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Is Silverlight dead ?

2010-09-22 Thread silky
On Wed, Sep 22, 2010 at 5:12 PM, David Kean  wrote:
> Actually Scott, we have met. On many occasions. You might remember a little
> Aussie activity that your wife (and yourself) had a lot to do with on
> Saturdays in Redmond.
>
> I'll leave the discussions on future versions of products to the marketing
> teams. I'll avoid feeding the fire [...]

I tend to agree; I don't really see the point of listening to anyone
talk about the future of Silverlight. If you want to suggest features,
do it, if you want to write a competing product, do it, if you want
to use something else, do it. The whole world doesn't need to know.

If you find a use for it; use it, if you don't, don't. Simple.

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-09-17 Thread silky
On Fri, Sep 17, 2010 at 2:29 PM, silky  wrote:

[...]

> > From there it seems that we can conclude what we thought initially: do
> > not send back .net exceptions for cryptography errors (always
> > something generic like "invalid username/password combination").
> >
> > Also, a general throttling/blocking of repeated invalid attempts
> > (perhaps somewhat-exponentially slowed as n increases)  is appropriate
> > (there are other risks associated with doing this; i.e. inconvenience
> > for users via a DoS style attack on accounts, but you can at least
> > consider it and other similar approaches).
>
> Sorry to double-post, but I should comment on what I would consider
> the "real" solution to be: Don't decrypt data you personally didn't
> encrypt. That is, consider using a HMAC:
> http://en.wikipedia.org/wiki/HMAC
>
> That is, you should ensure you are the person who encrypted the given
> message. But also, I'm no expert so I hope someone can make a
> definitive statement on the matter (i.e: Microsoft).

Here is what appears to be their official statement:
http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Password Reset, was Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-09-17 Thread silky
On Fri, Sep 17, 2010 at 6:04 PM, Ken Schaefer  wrote:

[...]

> > Agreed, I mean I don't want to start a whole thread here or
> > miscellaneous security advice, but I do hope people realise that
> > the correct pattern is to generate an access token (that only allows
> > password reset), send that, allow only one login using it, and force
> > the user to come up with a new password. You should never send
> > the existing password (indeed, you should never even have it, it
> > should be hashed and salted).
>
> Unfortunately commercial reality means that there are many types of systems
> where the original password needs to be kept. On your average Windows server,
> logging on a service using a service account requires Windows to keep the
> password somewhere. There are many systems that need to interact with other
> systems, and require the original password to do so. A hash isn't always
> sufficient.

Can't argue with that. But the original comment still stands, the
default approach should be to hash and salt, unless someone says "Hey,
we need that ...", then you question them rigorously until it's shown
to be true :)


> Cheers
> Ken

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Password Reset, was Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-09-17 Thread silky
On Fri, Sep 17, 2010 at 5:15 PM, Samuel Lai  wrote:

[...]

> > And if you have a "forgot password" don't say whether the email address you
> > enter succeeds or fails.  So many fail at this step.
>
> That isn't very practical though. How long should the user be expected to
> wait for the password reset email to arrive? I often can't remember if I
> have registered on a website, particularly if it was only to get access to
> something.

I tend to agree, I have many email accounts, and rarely remember what
I used where.

Amusingly, you could perhaps, if you were so inclined, show the image
that gravatar would generate for the email address that you've
retrieved. Conveys less information to the random password resetter,
but more information to the actual account holder.


> Also, what happens when a user tries to register with an email address that
> has already been used? System error?

Registration typically requires the solution of a CAPTCHA, forgot
password doesn't (potentially it should), but anyway, that's an aside.

The best approach to the attack meski is implying (harvesting emails)
is just to slow down the process dramatically. It doesn't affect
single users, but affects people trying to brute-force information
from your site.


> Personally, I'll settle for never seeing my current password being sent to
> me in clear text again for whatever reason. Mailman, I'm looking at you,
> among others.

Agreed, I mean I don't want to start a whole thread here or
miscellaneous security advice, but I do hope people realise that the
correct pattern is to generate an access token (that only allows
password reset), send that, allow only one login using it, and force
the user to come up with a new password. You should never send the
existing password (indeed, you should never even have it, it should be
hashed and salted).

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."
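
[Added example, not part of the original message.] The reset pattern described in the message above (a token that only allows a password reset, usable once, with no stored plaintext), sketched in C#. The class and member names are hypothetical, the in-memory dictionary stands in for a database table, and .NET 6 or later is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical names throughout; the dictionary stands in for a database table.
public sealed class PasswordResetTokens
{
    private sealed record Entry(string UserId, DateTimeOffset Expires);

    // Keyed by SHA-256 of the token, so a leaked table does not reveal usable tokens.
    private readonly Dictionary<string, Entry> _byHash = new();
    private readonly TimeSpan _lifetime;
    private readonly object _lock = new();

    public PasswordResetTokens(TimeSpan lifetime) => _lifetime = lifetime;

    // Returns the token to e-mail to the user. Only its hash is kept.
    public string Issue(string userId, DateTimeOffset now)
    {
        string token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        lock (_lock)
        {
            // A new request invalidates any token still outstanding for this user.
            var stale = new List<string>();
            foreach (var pair in _byHash)
                if (pair.Value.UserId == userId) stale.Add(pair.Key);
            foreach (string key in stale) _byHash.Remove(key);

            _byHash[HashOf(token)] = new Entry(userId, now + _lifetime);
        }
        return token;
    }

    // Succeeds at most once per token. On success the caller must force the
    // user to choose a new password; the token grants nothing else.
    public bool TryRedeem(string token, DateTimeOffset now, out string userId)
    {
        userId = "";
        if (string.IsNullOrEmpty(token)) return false;
        lock (_lock)
        {
            // Remove first: a token is consumed even if it turns out to be expired.
            if (!_byHash.Remove(HashOf(token), out var entry)) return false;
            if (entry.Expires <= now) return false;
            userId = entry.UserId;
            return true;
        }
    }

    private static string HashOf(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
}

public static class Program
{
    public static void Main()
    {
        var tokens = new PasswordResetTokens(TimeSpan.FromMinutes(30));
        var now = DateTimeOffset.UtcNow;

        // Constructed sample user id.
        string token = tokens.Issue("user-42", now);
        Console.WriteLine("first redeem:  " + tokens.TryRedeem(token, now.AddMinutes(5), out string user) + " " + user);
        Console.WriteLine("second redeem: " + tokens.TryRedeem(token, now.AddMinutes(6), out _));

        string late = tokens.Issue("user-42", now);
        Console.WriteLine("expired:       " + tokens.TryRedeem(late, now.AddHours(2), out _));

        string old = tokens.Issue("user-42", now);
        tokens.Issue("user-42", now); // second request replaces the first token
        Console.WriteLine("superseded:    " + tokens.TryRedeem(old, now.AddMinutes(1), out _));
    }
}
```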


Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-09-16 Thread silky
On Fri, Sep 17, 2010 at 2:24 PM, silky  wrote:
> On Tue, Sep 14, 2010 at 10:26 AM, silky  wrote:
>
> [...]
>
> > > The cookie might have the hashed result of an SSN.  Shouldn't, but might.
> >
> > I don't think it's hashing that is at risk (they mention AES). I think
> > the attack is that you can prepare an invalid encrypted message, and
> > brute-force-ish ask ASP.NET to decrypt it, and based on its answers
> > you can get closer to getting the key that the other .NET process is
> > using. So, assuming this is so, you should never report a
> > cryptographic failure (though, it's still implied, because you don't
> > get what you want, so ...). But then again, I know nothing of the
> > attack and I'm not an expert, this is just my guess.
> >
> > The moral is probably to not forget that bruteforce-style attacks are
> > still legitimate.
>
> Details: 
> http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/
> (different tool but probably similar approach).
>
> From there it seems that we can conclude what we thought initially: do
> not send back .net exceptions for cryptography errors (always
> something generic like "invalid username/password combination").
>
> Also, a general throttling/blocking of repeated invalid attempts
> (perhaps somewhat-exponentially slowed as n increases)  is appropriate
> (there are other risks associated with doing this; i.e. inconvenience
> for users via a DoS style attack on accounts, but you can at least
> consider it and other similar approaches).

Sorry to double-post, but I should comment on what I would consider
the "real" solution to be: Don't decrypt data you personally didn't
encrypt. That is, consider using a HMAC:
http://en.wikipedia.org/wiki/HMAC

That is, you should ensure you are the person who encrypted the given
message. But also, I'm no expert so I hope someone can make a
definitive statement on the matter (i.e: Microsoft).

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."
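
[Added example, not part of the original message.] The "don't decrypt data you didn't encrypt" advice above, sketched in C# as encrypt-then-MAC: the HMAC is checked before any decryption or padding check runs, and every failure returns the same result. The class and method names and the value layout are hypothetical, this is not ASP.NET's own cookie code, and .NET 6 or later is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical names; this is not the framework's own cookie protection.
public static class ProtectedCookie
{
    public const int BlockSize = 16; // AES block and IV size in bytes
    public const int TagSize = 32;   // HMAC-SHA256 output size in bytes

    // Output layout: IV || ciphertext || HMAC-SHA256(IV || ciphertext)
    public static byte[] Protect(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using var aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = encKey;
        aes.GenerateIV();

        byte[] ciphertext;
        using (var encryptor = aes.CreateEncryptor())
            ciphertext = encryptor.TransformFinalBlock(plaintext, 0, plaintext.Length);

        int bodyLength = BlockSize + ciphertext.Length;
        var output = new byte[bodyLength + TagSize];
        Buffer.BlockCopy(aes.IV, 0, output, 0, BlockSize);
        Buffer.BlockCopy(ciphertext, 0, output, BlockSize, ciphertext.Length);

        using var hmac = new HMACSHA256(macKey);
        byte[] tag = hmac.ComputeHash(output, 0, bodyLength);
        Buffer.BlockCopy(tag, 0, output, bodyLength, TagSize);
        return output;
    }

    // Returns false for every kind of failure, so the caller has nothing
    // specific (length, MAC, padding) to report back to the client.
    public static bool TryUnprotect(byte[] input, byte[] encKey, byte[] macKey, out byte[] plaintext)
    {
        plaintext = Array.Empty<byte>();
        if (input == null || input.Length < 2 * BlockSize + TagSize) return false;
        int bodyLength = input.Length - TagSize;
        if (bodyLength % BlockSize != 0) return false;

        // Verify the MAC first, in constant time. A modified value stops here
        // and never reaches the padding check in the decryptor.
        using var hmac = new HMACSHA256(macKey);
        byte[] expected = hmac.ComputeHash(input, 0, bodyLength);
        if (!CryptographicOperations.FixedTimeEquals(expected, input.AsSpan(bodyLength, TagSize)))
            return false;

        using var aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = encKey;
        aes.IV = input.AsSpan(0, BlockSize).ToArray();
        try
        {
            using var decryptor = aes.CreateDecryptor();
            plaintext = decryptor.TransformFinalBlock(input, BlockSize, bodyLength - BlockSize);
            return true;
        }
        catch (CryptographicException)
        {
            return false;
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Separate keys for encryption and for the MAC.
        byte[] encKey = RandomNumberGenerator.GetBytes(32);
        byte[] macKey = RandomNumberGenerator.GetBytes(32);

        // Constructed sample cookie content.
        byte[] cookie = ProtectedCookie.Protect(
            Encoding.UTF8.GetBytes("user=alice;role=member"), encKey, macKey);

        bool ok = ProtectedCookie.TryUnprotect(cookie, encKey, macKey, out byte[] plain);
        Console.WriteLine("untouched: " + ok + " " + Encoding.UTF8.GetString(plain));

        // Flip one bit in the last ciphertext byte, the kind of change that
        // would otherwise surface as a padding error after decryption.
        byte[] tampered = (byte[])cookie.Clone();
        tampered[tampered.Length - ProtectedCookie.TagSize - 1] ^= 0x01;
        Console.WriteLine("tampered:  " + ProtectedCookie.TryUnprotect(tampered, encKey, macKey, out _));
    }
}
```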


Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-09-16 Thread silky
On Tue, Sep 14, 2010 at 10:26 AM, silky  wrote:

[...]

>> The cookie might have the hashed result of an SSN.  Shouldn't, but might.
>
> I don't think it's hashing that is at risk (they mention AES). I think
> the attack is that you can prepare an invalid encrypted message, and
> brute-force-ish ask ASP.NET to decrypt it, and based on its answers
> you can get closer to getting the key that the other .NET process is
> using. So, assuming this is so, you should never report a
> cryptographic failure (though, it's still implied, because you don't
> get what you want, so ...). But then again, I know nothing of the
> attack and I'm not an expert, this is just my guess.
>
> The moral is probably to not forget that bruteforce-style attacks are
> still legitimate.

Details: 
http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/
(different tool but probably similar approach).

From there it seems that we can conclude what we thought initially: do
not send back .net exceptions for cryptography errors (always
something generic like "invalid username/password combination").

Also, a general throttling/blocking of repeated invalid attempts
(perhaps somewhat-exponentially slowed as n increases)  is appropriate
(there are other risks associated with doing this; i.e. inconvenience
for users via a DoS style attack on accounts, but you can at least
consider it and other similar approaches).

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."
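
[Added example, not part of the original message.] One way to implement the throttling suggested above, in C#: the wait doubles with each consecutive failure and is capped. The names are hypothetical, and keying the counter by client address rather than by account, together with the cap, are assumptions made here to limit the account-lockout risk the message mentions.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical names; state is held in memory for the sake of the example.
public sealed class FailureThrottle
{
    private readonly Dictionary<string, (int Failures, DateTimeOffset NextAllowed)> _state = new();
    private readonly TimeSpan _baseDelay;
    private readonly TimeSpan _maxDelay;
    private readonly object _lock = new();

    public FailureThrottle(TimeSpan baseDelay, TimeSpan maxDelay)
    {
        _baseDelay = baseDelay;
        _maxDelay = maxDelay;
    }

    // Delay after the n-th consecutive failure: base * 2^(n-1), capped at max.
    public TimeSpan DelayFor(int failures)
    {
        if (failures <= 0) return TimeSpan.Zero;
        int shift = Math.Min(failures - 1, 30);
        double ms = _baseDelay.TotalMilliseconds * (1L << shift);
        return ms >= _maxDelay.TotalMilliseconds ? _maxDelay : TimeSpan.FromMilliseconds(ms);
    }

    // Check before doing any work (decryption, password check) for this key.
    public bool IsAllowed(string key, DateTimeOffset now)
    {
        lock (_lock)
        {
            return !_state.TryGetValue(key, out var s) || now >= s.NextAllowed;
        }
    }

    // Call on every invalid attempt; returns how long this key must now wait.
    public TimeSpan RecordFailure(string key, DateTimeOffset now)
    {
        lock (_lock)
        {
            _state.TryGetValue(key, out var s); // default is zero failures
            int failures = s.Failures + 1;
            TimeSpan delay = DelayFor(failures);
            _state[key] = (failures, now + delay);
            return delay;
        }
    }

    // A valid attempt clears the history for this key.
    public void RecordSuccess(string key)
    {
        lock (_lock) { _state.Remove(key); }
    }
}

public static class Program
{
    public static void Main()
    {
        var throttle = new FailureThrottle(TimeSpan.FromSeconds(1), TimeSpan.FromMinutes(5));
        var now = DateTimeOffset.UtcNow;
        string client = "203.0.113.7"; // constructed sample address (documentation range)

        for (int attempt = 1; attempt <= 10; attempt++)
        {
            TimeSpan wait = throttle.RecordFailure(client, now);
            Console.WriteLine("failure " + attempt + ": wait " + wait.TotalSeconds + "s");
            now += wait; // the client retries as soon as it is allowed to
        }

        Console.WriteLine("allowed immediately after a failure: "
            + throttle.IsAllowed(client, now.AddSeconds(-1)));
        throttle.RecordSuccess(client);
        Console.WriteLine("allowed after success: " + throttle.IsAllowed(client, now));
    }
}
```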


Re: sql server 2008 change data capture and friends

2010-09-15 Thread silky
On Wed, Sep 15, 2010 at 6:05 PM, Greg Low (GregLow.com) wrote:
> Hi Silky,
>
> Yes, I’ve used it to maintain lists of DDL changes to databases and servers,
> not so much for source control but helping answer the “who did this and
> when?” questions.
>
> It has a few limitations about what it can capture (such as a number of
> things that are implemented only via system stored procedures and many of
> these don’t fire DDL triggers) but overall it’s been pretty good for
> tracking changes to the schemas.
>
> You just write a DDL trigger and associate it with the appropriate events
> (there are group events like DDL_ALL) and in the trigger you get passed an
> EVENTDATA object. It’s just a lump of XML that has details of who executed
> what and when.
>
> Regards,

Thanks for that.


> Greg

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: FW: sql server 2008 change data capture and friends

2010-09-15 Thread silky
On Wed, Sep 15, 2010 at 5:48 PM, Ian Thomas  wrote:
>
> I haven’t used it or even seen a demo of it in use, but Red Gate’s SQL Server 
> Source Control seems like it does the job well.

I'll have to check it out; I haven't used RedGates stuff recently, and
back when I did I was just using the data/schema compare options,
didn't realise they'd made something specific. Thanks.


> I’m sure there are several people on the list who would use it, possibly Greg 
> Low would know if it is what you’re looking for.
>
> 
>
> Ian Thomas
> Victoria Park, Western Australia
>
> 

--
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: sql server 2008 change data capture and friends

2010-09-15 Thread silky
On Wed, Sep 15, 2010 at 5:40 PM, Greg Low (GregLow.com) wrote:

> A better option for this is to use DDL triggers. They have a few
> limitations but I’m sure they’d cover almost all the options that have been
> mentioned.
>


Are you, or have you seen this, actually being done? Or is this just how you
would go about it? (Interesting regardless, but keen to know).



> Regards,
>
>
>
> Greg
>

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: FW: sql server 2008 change data capture and friends

2010-09-15 Thread silky
Interesting, I still think the fact that only alter is saved is definitely
useful (and depending on how you implement your system, it's even enough).

Mainly I suppose I was wondering if anyone had actually written some sort of
scm system for dbs based around this (and other) systems built into sql
server. I suppose not, or if they are, they aren't on this list and willing
to tell me about it :P :)


On Wed, Sep 15, 2010 at 5:01 PM, Tiang Cheng  wrote:

> Silky, I forwarded the question to a really smart db dev. Reply below:
>
> *From:* Alexander Wahyudi
> *Sent:* Wednesday, 15 September 2010 10:34 AM
> *To:* Tiang Cheng
> *Cc:* Antonio Sagbini Quintero
> *Subject:* RE: sql server 2008 change data capture and friends
>
> Hi Tiang,
>
> Sorry for the delay on getting back to you.
>
> Well I saw some posts on using CDC for Versioning, but in my personal
> opinion it is not a true Schema versioning as it only records DDL commands
> (e.g. Alter table) instead of the schema creation script.
>
> For Example:
>
> Version 1:
>
> Create table Currency
> (
>     CurrencyKey Int Identity(1,1) Primary Key NOT NULL,
>     CurrencyAlternateKey varchar(5)
> )
>
> Action: Add new column to table
>
> Alter table Currency add CurrencyName varchar(25)
>
> On source control apps it should be recording:
>
> Version2:
>
> Create table Currency
> (
>     CurrencyKey Int Identity(1,1) Primary Key NOT NULL,
>     CurrencyAlternateKey varchar(5),
>     CurrencyName varchar(25)
> )
>
> But instead, CDC only recorded the ‘ALTER’ DDL Command:
>
> So I think for source control apps (VSS, TFS, or SVN) would still be my
> recommended platform for source control
>
> More details:
>
> http://www.sql-server-performance.com/articles/dba/Capture_DDL_Changes_Using_Change_Data_Capture_p1.aspx
>
> http://www.sql-server-performance.com/articles/dba/Capture_DDL_Changes_Using_Change_Data_Capture_p2.aspx
>
> Hope that this answers your question.
>
> Alex W
>


-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."

Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-09-13 Thread silky
On Tue, Sep 14, 2010 at 10:22 AM, mike smith  wrote:
> On 14 September 2010 10:01, Damian Maclennan  wrote:
>
> > ouch. That could get ugly.
> > However, there's one fairly eyebrow raising line in there :
> >  "The attack allows someone to decrypt sniffed cookies, which could
> > contain valuable data such as bank balances, Social Security numbers
> > or crypto keys"
> > If you're putting that sort of info into a cookie, you're probably doing
> > it wrong. However if this exploit let you jump in on an authenticated
> > session, then it could cause trouble.
>
> The cookie might have the hashed result of an SSN.  Shouldn't, but might.

I don't think it's hashing that is at risk (they mention AES). I think
the attack is that you can prepare an invalid encrypted message, and
brute-force-ish ask ASP.NET to decrypt it, and based on its answers
you can get closer to getting the key that the other .NET process is
using. So, assuming this is so, you should never report a
cryptographic failure (though, it's still implied, because you don't
get what you want, so ...). But then again, I know nothing of the
attack and I'm not an expert, this is just my guess.

The moral is probably to not forget that bruteforce-style attacks are
still legitimate.


> --
> Meski
>
> "Going to Starbucks for coffee is like going to prison for sex. Sure, you'll
> get it, but it's going to be rough" - Adam Hills

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Fwd: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-09-13 Thread silky
FYI, there don't appear to be any details (yet), but it is suggestive
of the general comments that you shouldn't really report cryptographic
mistakes in a deterministic way. As to how to mitigate it
specifically, hopefully there will be some comments soon.


-- Forwarded message --
From: =JeffH 
Date: Tue, Sep 14, 2010 at 7:34 AM
Subject: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
To: cryptogra...@metzdowd.com


practical "Padding Oracle Attacks" (cf travis' msg "padding attack vs.
PKCS7" of Thu, 11 Jun 2009 11:37:16 -0500)...


'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
<http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310#>
by Dennis Fisher
September 13, 2010, 7:58AM

A pair of security researchers have implemented an attack that
exploits the way that ASP.NET Web applications handle encrypted
session cookies, a weakness that could enable an attacker to hijack
users' online banking sessions and cause other severe problems in
vulnerable applications. Experts say that the bug, which will be
discussed in detail at the Ekoparty conference in Argentina this week
[0], affects millions of Web applications.

The problem lies in the way that ASP.NET, Microsoft's popular Web
framework, implements the AES encryption algorithm to protect the
integrity of the cookies these applications generate to store
information during user sessions. A common mistake is to assume that
encryption protects the cookies from tampering so that if any data in
the cookie is modified, the cookie will not decrypt correctly.
However, there are a lot of ways to make mistakes in crypto
implementations, and when crypto breaks, it usually breaks badly.

"We knew ASP.NET was vulnerable to our attack several months ago, but
we didn't know how serious it is until a couple of weeks ago. It turns
out that the vulnerability in ASP.NET is the most critical amongst
other frameworks. In short, it totally destroys ASP.NET security,"
said Thai Duong, who along with Juliano Rizzo, developed the attack
against ASP.NET.

The pair have developed a tool specifically for use in this attack,
called the Padding Oracle Exploit Tool [1]. Their attack is an
application of a technique that's been known since at least 2002, when
Serge Vaudenay presented a paper on the topic at Eurocrypt [2].


In this case, ASP.NET's implementation of AES has a bug in the way
that it deals with errors when the encrypted data in a cookie has been
modified. If the ciphertext has been changed, the vulnerable
application will generate an error, which will give an attacker some
information about the way that the application's decryption process
works. More errors means more data. And looking at enough of those
errors can give the attacker enough data to make the number of bytes
that he needs to guess to find the encryption key small enough that
it's actually possible.

The attack allows someone to decrypt sniffed cookies, which could
contain valuable data such as bank balances, Social Security numbers
or crypto keys. The attacker may also be able to create authentication
tickets for a vulnerable Web app and abuse other processes that use
the application's crypto API.

Rizzo and Duong did similar work earlier this year on JavaServer Faces
and other Web frameworks that was presented at Black Hat Europe [3].
They continued their research and found that ASP.NET was vulnerable to
the same kind of attack. The type of attack is known as a padding
oracle attack and it relies on the Web application using cipher-block
chaining mode for its encryption, which many apps do.



[0] http://ekoparty.org/juliano-rizzo-2010.php

[1] Practical Padding Oracle Attacks
   http://netifera.com/research/

[2] http://www.iacr.org/archive/eurocrypt2002/23320530/cbc02_e02d.pdf

[3] <http://netifera.com/research/poet/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf>


---
end


-----
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com



-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Unit Testing and ASP.NET Resources

2010-09-11 Thread silky
On Fri, Sep 10, 2010 at 11:45 PM, Wallace Turner  wrote:
> *this is just a thought*
>
> Are you testing HttpContext.Current.GetGlobalResource( ) itself or the code
> up until that point?
>
> If the latter then could you replace all your GetGlobalResource( ) calls
> with your own static method? You could then use IoC to plug in either the
> real GetGlobalResource or your own GetResource( )

FWIW, this is probably what I'll need to go with. Here is a similar
article on the matter:

http://weblogs.asp.net/dwahlin/archive/2009/01/20/custom-asp-net-server-controls-and-language-localization.aspx


> Wal

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: XML doc editor background colours

2010-09-11 Thread silky
On Sat, Sep 11, 2010 at 6:36 PM, Greg Keogh  wrote:
> Folks, I just noted that Visual Studio 2010 has changed the way C# XML doc
> comments are coloured in the editor window. In VS2008 the XML doc background
> colour filled all the way to the right. In VS2010 it now fits to the
> foreground text (first sample). I much preferred the old way, as I would set
> the background colour to something distinctive (green in this case) and it
> made a nice visual separator between the methods. You would see a “block of
> colour” between methods. This visual “block of separation effect” is now
> weakened and it all looks jagged.

[...]

> I personally think that a visual clue to separation of code blocks in large
> source files is important. VB used to have the separator line, which I quite
> liked, but it would abut the last code line and look a bit ugly.

You can use Regions for this purpose (highlighting areas of code).
Perhaps you know about them, but just in case, like so:

#region *  Some component  *
#endregion

Of course, it could be argued that having too much code in any given
file is indicative of underlying flaws; but this argument may not
always be legitimate. Worth thinking about though.


> Greg

--
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: Unit Testing and ASP.NET Resources

2010-09-10 Thread silky
On Fri, Sep 10, 2010 at 11:45 PM, Wallace Turner  wrote:
> *this is just a thought*
>
> Are you testing HttpContext.Current.GetGlobalResource( ) itself or the code
> up until that point?
>
> If the latter then could you replace all your GetGlobalResource( ) calls
> with your own static method? You could then use IoC to plug in either the
> real GetGlobalResource or your own GetResource( )

Yeah, I had considered this.

The problem is, (well, one could argue how much of a problem it is) is
that not all calls to get resources are done via me directly calling
HttpContext.GetGlobalResource ... (you can use the meta:ResourceKey
approach on asp.net controls themselves to have various properties
set).

Now, it so happens that the particular code I want to test *does*
directly call GetGlobal... so I could replace it in the IoC manner you
describe. But I am kind of not overjoyed by that because it's not the
"One True" way to get the resources.

Ideally, I'd create a new HttpContext and direct it to the location of
the resources. I'm still looking into doing this (it may or may not be
possible). If it's not possible, I'll probably fall back to your
method.

Thanks for the comments.


> Wal

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Unit Testing and ASP.NET Resources

2010-09-10 Thread silky
Has anyone done anything in this area?

The problem is, when tests are run from your unit testing framework
(NUnit in my case), the calls to
HttpContext.Current.GetGlobalResource(...) fail, obviously because
there is no current HttpContext, but also perhaps less obviously
because the resources don't exist in the project that I'm testing.

I actually would like to test that the resources get returned
correctly. (i.e. I want to have tests that run over a bunch of
different languages checking that the results from various calls
result in appropriate-language output). Clearly, one component of the
solution will be a postbuild task to make sure the resources are
copied to the testing project, but the harder problem to solve is how
to make the calls work. Obviously, some IoC scheme is not a legitimate
option.

Anyone have any thoughts? Have I missed an obvious solution? Hope so.

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: argument style, was Re: Access Database Replication

2010-09-08 Thread silky
On Thu, Sep 9, 2010 at 4:32 PM, mike smith  wrote:

[...]

> Paintballs at  50 paces?  They probably wouldn't even sting much at that
> range. :^)  Trouble with email is it gets taken so damned seriously, whereas
> if it was said to your face you'd get more context.  (some of us get more
> context than we could possibly need (in-joke))

I don't think that's the only issue though, because if it was, surely
when I try and discuss with these people in a rational manner, off
list, a happy resolution would be possible. But it is not the case. It
baffles me, but I don't take it personally anymore, I've decided it
has nothing to do with me. But I'm no psychologist. I also am
incapable of holding a grudge, so perhaps I just don't understand that
ability.

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: [SQL Question] Creating a computed field on a table on insert

2010-09-08 Thread silky
On Thu, Sep 9, 2010 at 1:50 PM, David Connors  wrote:
> On 9 September 2010 13:49, silky  wrote:
> >
> > Okay.
> >
> > Thank you for clarifying.
>
> Who are you and what have you done with Silky?

It's obvious that I don't care about your opinion, right? :P I mean, I
figure unbridled arrogance is encoded into the word "silky" now.
Didn't want to double-up on a statement I can make using only the
"from" address of this email account :)


> --
> David Connors | da...@codify.com | www.codify.com
> Software Engineer
> Codify Pty Ltd
> Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417
> 189 363
> V-Card: https://www.codify.com/cards/davidconnors
> Address Info: https://www.codify.com/contact

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: [SQL Question] Creating a computed field on a table on insert

2010-09-08 Thread silky
On Thu, Sep 9, 2010 at 1:47 PM, David Connors  wrote:

[...]

> Flat out no use at all unless you had some pretty damned clear guidance on
> what constitutes acceptable use or not.
>
> Users of the database write SQL and the SQL does not do what it says on the
> tin as a result of triggers changing the nature of the set operations. That
> automatically qualifies them as having a negative impact on your application
> in my book.

Okay.

Thank you for clarifying.

> --
> David Connors | da...@codify.com | www.codify.com
> Software Engineer
> Codify Pty Ltd
> Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417
> 189 363
> V-Card: https://www.codify.com/cards/davidconnors
> Address Info: https://www.codify.com/contact

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: [SQL Question] Creating a computed field on a table on insert

2010-09-08 Thread silky
On Thu, Sep 9, 2010 at 1:32 PM, David Connors  wrote:
> On 9 September 2010 13:23, silky  wrote:
>>
>> On Thu, Sep 9, 2010 at 12:20 PM, David Connors  wrote:
>> > PS: Triggers are evil and you're going straight to hell for using one,
>> > shortly followed by me for providing this solution.
>>
>> What's your reasoning on this?
>
> It makes the database tier less deterministic:
> INSERT INTO whatever VALUES ('blah')
> GO
> (2 rows updated)
> etc
> If you end up in a mess with deadlocks it will be harder to unscramble as
> you're significantly increasing the potential for locking conflicts.
> Keep it simple. Capture the data integrity logic in the schema design with
> DRI and stored procs for the stuff that you can't do there, etc.
>
> I would hate to see an application that made very heavy use of triggers as a
> matter of course.

I agree on "heavy" use, but I certainly think there is an area of
"legitimate" use, no? I often have one or n triggers in any given
database (~5 in total?) for little items. And changing it over to a
stored-procedure based system just wouldn't be appropriate (IMHO,
because it's all handled via the OR/M).

I'm pretty sure you'd be happy with general use of them, right? Or
flat-out no use at all?


> I have a feeling I am about to end up in one of those discussions where I am
> on the opposite end of the opinion spectrum to the rest of the Internet.

Haha, I think judging from the mood of the list today we can be sure
my opinions are typically far from what many would have :P (Of course,
I'd generally disagree with that, but when have facts ever mattered :P).


> --
> David Connors | da...@codify.com | www.codify.com
> Software Engineer
> Codify Pty Ltd
> Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417
> 189 363
> V-Card: https://www.codify.com/cards/davidconnors
> Address Info: https://www.codify.com/contact

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: argument style, was Re: Access Database Replication

2010-09-08 Thread silky
On Thu, Sep 9, 2010 at 12:52 PM, Les Hughes  wrote:
[...]

> We should just settle this like fine grown gentlemen a punch-on at the
> 'Nerd Violence Dinner' tonight in Melbourne.

While I know you and know this is meant as a joke, legitimate threats
of physical violence from members of this list have been made my way
previously, and I am now forced to take them all seriously. Apologies
for having no sense of humour on this matter.


> http://www.nerddinner.com/2977
>
> :P
> --
> Les Hughes
> l...@datarev.com.au

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: [SQL Question] Creating a computed field on a table on insert

2010-09-08 Thread silky
On Thu, Sep 9, 2010 at 12:20 PM, David Connors  wrote:

[...]

> PS: Triggers are evil and you're going straight to hell for using one,
> shortly followed by me for providing this solution.

What's your reasoning on this?

[...]

> --
> David Connors | da...@codify.com | www.codify.com
> Software Engineer
> Codify Pty Ltd
> Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417
> 189 363
> V-Card: https://www.codify.com/cards/davidconnors
> Address Info: https://www.codify.com/contact

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."


Re: argument style, was Re: Access Database Replication

2010-09-08 Thread silky
On Thu, Sep 9, 2010 at 10:53 AM, David Burela  wrote:
> Here is another idea.

[... amusing irony ...]

FYI, I've asked David to discuss this with me offlist (assuming he is
talking about me). I won't comment further on the matter on the list.

I suppose my last comment would be that it should be incredibly
obvious that my comment wasn't an "attack" but a "friendly
discussion". It even included the word "friends" in it!


> -David Burela

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."

