
Parade of the Athletes

When the Olympics occurred, one of my favorite DJs spun for the opening ceremonies. Unfortunately I missed it, but I had heard good buzz about his performance. Now he’s come out with a CD called “Parade of the Athletes”. I have a feeling that if you liked the music he played for the Olympics, you’ll like this CD.


I received an email in response to my post How To Avoid ClearText Passwords With UsernameToken that asks the following question:

…Thus if a hacker steals the hashed password from your database, he will be able to write an application that gives the hash to WSE and he will authenticate successfully - which is exactly what we are trying to avoid by storing the hashed passwords in the first place.

…

The bottom line: this approach won’t really solve the real problem - if I steal the hash from the database, I will be able to authenticate successfully. I’d love this to work the way you describe but as a security-conscious developer I’m still losing sleep.

Although this is a true scenario, the author makes an assumption that is false. The purpose of storing a hashed password is NOT to stop a hacker who obtains the hash from being able to authenticate as that user.

Think of it this way: if I’m a hacker and I am able to compromise your user database and obtain a user’s hashed password, why would I ever try to authenticate as that user? Since I already have my grubby hands in the cookie jar, I might as well grab all the data directly from your compromised database.

Rather, the purpose of hashing a password with a salt value is to protect the users of the system: rogue employees of the company and hackers who compromise the database cannot recover my password and use it to log into other sites I frequent.

Ideally your database isn’t compromised very often, otherwise you have bigger problems than whether or not passwords are hashed.

That’s why a security-minded developer doesn’t stop at hashing passwords. Code security is never enough and is only a small part of the equation. The IT staff have to make sure the database itself is secure and not likely to be compromised. Staff with access to the system must be trained to deal with social engineering attacks. What good is a hashed password if I can call up tech support and get any information I need by posing as an executive?

So to the author of this email, I suggest you don’t lose sleep over the hashed password scenario. As a security conscious developer, you have a huge number of other attack scenarios to lose sleep over. ;-)


I picked up Twiggy from the vet after work and she’s been such a trooper. Check out the sassy hot pink cast that’s bigger than she is.

Photo: Twiggy with her cast. Caption: “I’m ready to whack some fools with this thing.”

We took her for a really short walk so she could do her thing outside, and she looked so sad limping along like a tiny little gimp. However, when I tried to take a video of her walking, she decided to show some pride (AVI, 1.07 MB).


Twiggy was at a newly opened small dog park when a group of other small dogs suddenly ganged up on her. Of course they couldn’t catch her because she’s a speed demon, but she must have caught her foot in a grate on the ground (an extremely bad idea for a small dog park to have a grate on the ground) and broke her leg just above her ankle.

She’s at the vet now and is doing fine. If you have a pet that you care for, I recommend getting pet insurance. I hear it’s not too expensive and could save you a pretty dime in a situation like this. We were planning to purchase it but just hadn’t gotten around to it. Now we have a significant vet bill to pay.

Hopefully we can pick her up today or tomorrow.

code, tdd

One of the holy grails for unit testing is to get 100% code coverage from your tests. However, you can’t sit back and smoke a cigar when you reach that point and assume your code is invulnerable. Code coverage just is not enough.

One obvious reason is that Code Coverage cannot help you find errors of omission. That is, even if you had 100% code coverage from your tests, if you forget to implement a feature (and a test for that feature), then you’re shit out of luck.

However, apart from errors of omission, there’s the case presented here. Imagine you have the following simple class (I’m sure your real world class is much more complicated and interesting, but bear with me).

using System;
using System.Collections.Generic;

public class MyClass
{
    Dictionary<string, int> _values = new Dictionary<string, int>();

    public MyClass()
    {
        _values.Add("keyOne", 1);
        _values.Add("keyTwo", 7);
        _values.Add("keyThree", 10);

        // ...
    }

    public int SumIt(string[] keys)
    {
        int total = 0;

        foreach(string key in keys)
        {
            total += _values[key];
            // Overwrites the stored value, so any later lookup
            // of this key (in this call or the next) sees the running total.
            _values[key] = total;

            //Maybe we do some other
            //interesting things here.
        }

        return total;
    }
}

Now imagine you test this class with the following test fixture.

using System;
using Xunit;

public class MyClassTest
{
    [Fact]
    public void TestSumIt()
    {
        var mine = new MyClass();
        string[] keys = {"keyOne", "keyTwo"};
        Assert.Equal(8, mine.SumIt(keys));
    }
}

Voila! 100% code coverage. But does this satisfy the little QA tester inside? I would hope not, and suggest that it shouldn’t. Code coverage is a worthy goal, but it is often unattainable in large systems (hence the need for prioritization) and doesn’t provide all the benefits it would seem to.

To handle situations like this, unit tests need to go beyond concentrating on code coverage and also consider data coverage. Of course, that’s not always practical. In the above example, if I only have 10 keys, testing the possible permutations of SumIt becomes a huge burden. Often the best you can do is to test a small sample and the boundary cases.
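To show what 100% line coverage misses here, this added Python port of the class above (example code, not from the original post; the value table is the one from the constructor) keeps the assignment inside the loop and then exercises the data the single passing test never touches: a second call on the same instance, and every key sequence up to length three checked against a reference oracle.

```python
from itertools import product
from typing import Dict, List, Sequence, Tuple

# Constructed table matching the page's MyClass constructor.
VALUES: Dict[str, int] = {"keyOne": 1, "keyTwo": 7, "keyThree": 10}


class MyClass:
    """Port of the page's C# class, keeping the latent bug in sum_it."""

    def __init__(self) -> None:
        self._values = dict(VALUES)

    def sum_it(self, keys: Sequence[str]) -> int:
        total = 0
        for key in keys:
            total += self._values[key]
            self._values[key] = total  # overwrites stored state; later reads see it
        return total


def reference_sum(keys: Sequence[str]) -> int:
    """Test oracle: the sum the caller actually expects."""
    return sum(VALUES[k] for k in keys)


def call_twice(keys: Sequence[str]) -> Tuple[int, int]:
    """The page's single passing call, then the same call on the same instance."""
    obj = MyClass()
    return obj.sum_it(keys), obj.sum_it(keys)


def find_divergent_inputs(max_len: int = 3) -> List[Tuple[str, ...]]:
    """Data coverage by exhaustion: run every key sequence up to max_len on a
    fresh instance and return those where sum_it disagrees with the oracle."""
    divergent = []
    for n in range(1, max_len + 1):
        for keys in product(VALUES, repeat=n):
            if MyClass().sum_it(keys) != reference_sum(keys):
                divergent.append(keys)
    return divergent


if __name__ == "__main__":
    print(call_twice(["keyOne", "keyTwo"]))  # (8, 9): the second call is wrong
    print(find_divergent_inputs())           # every triple whose last two keys repeat
```

Two keys never expose the bug (a repeated key is stored as its own value first), which is why a sample of the input space, not just the statements, has to be chosen with the data in mind.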


Colin shows how to configure CopySourceAsHtml for any source file type for which VS.NET provides syntax highlighting. In my case, I’ve mapped the shortcut CTRL+C CTRL+S to the Copy command and CTRL+C CTRL+N to the CopyNow command. The XML and ASPX snippets below were copied with it.

<?xml version="1.0" encoding="utf-8" ?>
<root>
    <wow id="1">This is neat</wow>
</root>

<%@ Page language="c#" Codebehind="WebForm1.aspx.cs" AutoEventWireup="false" Inherits="EmailIntegrationWeb.WebForm1" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
  <head>
    <title>WebForm1</title>
    <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">
    <meta name="CODE_LANGUAGE" Content="C#">
    <meta name=vs_defaultClientScript content="JavaScript">
    <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
  </head>
  <body MS_POSITIONING="GridLayout">
    <form id="Form1" method="post" runat="server">
    </form>
  </body>
</html>


My main man Colin is on fire with his latest version of CopySourceAsHtml add-in.

As this utility catches on, I think you’ll see a huge proportion of .NET bloggers using it to post source code snippets on their blogs. It now uses VS.NET’s own syntax highlighting to highlight the code, so whatever settings you have in VS.NET are used by the add-in. It’s also much more configurable, with word-wrapping, the ability to add extra styling options, etc. Here are a couple of snippets as a demonstration.

According to the examples on Colin’s site, it even works with aspx and css files. Unfortunately, that’s not working for me right now, as I don’t see the context menu on those pages.

Nice job Colin!

    9 ///
   10 /// This just rocks my world!
   11 ///
   12 public class HtmlSourceTest
   13 {
   14     public void ThisMethodKicksButt()
   15     {
   16         //Yep. It does.
   17         Console.Write("Hello World");
   18     }
   19 }

///
/// This just rocks my world!
///
public class HtmlSourceTest
{
    public void ThisMethodKicksButt()
    {
        //Yep. It does.
        Console.Write("Hello World");
    }
}


There is now a plug-in to use BlogJet to blog items from RSS Bandit. I haven’t tested it yet, but if the plug-in doesn’t do anything specific to RSS Bandit, it should be usable by any aggregator that supports the IBlogExtension interface. Want to write your own plug-in? Read my guide here.

Finally, I did it – a plugin to integrate RSS Bandit and BlogJet. If you’re using RSS Bandit to read feeds and BlogJet to post to your blog, this plugin is a must-have. It adds a new item to Bandit’s right-click menu – “BlogJet This!”. Click it and it will launch BlogJet with the content of the selected item.

Installation instructions and download.

[Via BlogJet weblog]


When building an installer for a Windows Service in VS.NET 2003, conspicuously missing is the ability to specify a description for the service that is displayed in the Services applet.

I’ve written a base installer class that inherits from System.Configuration.Install.Installer for this purpose, but I’ll just present to you the source listings for the methods to add and remove a service description.

Check it out here. I hope you find it useful.


So after much deliberation, I’ve decided on the M205 with a 60GB hard drive, 512MB RAM, a DVD/CD-ROM drive, etc.

This is my first laptop ever so I’m pretty excited. Anyone have recommendations on synchronization software etc?

Thanks to people like Scott and Iggy for their input.


Today the soccer team I started playing with had their last game of the season. This was only my second game with them, and we were playing the first place team in the league. This team was much slower than our last opponent and not as skillful, but they were known for playing very dirty.

Fortunately on this day, the ref ran a tight ship and a nice game of soccer ensued. At least nice for the other team who proceeded to pound us for five goals to our two. We started off strong, but with no subs to speak of, the second half found us weary and unable to keep up.

The highlight for me was putting the ball in the back of the net in my second game with this team. The play involved flicking the ball over the defender and taking a shot off the bounce. They invited me to join them when the season starts in January. Hopefully by then I’ll have some fitness to contribute.


Ali Gif you’ve watched da show yous probably ave wondered, ow can i attract da wicked bitches dig dat awesome omeboy? da secret is to learn to bang dig im? well in da house’s your chance to learns da ons and out of ali g-speak. respek!

In English, that translates to…

If you’ve watched the show you probably have wondered, how can I attract the lovely ladies like that awesome homeboy? The secret is to learn to speak like him. Well, here’s your chance to learn the ins and outs of Ali G-speak. Respek!

Check it out, the Ali G translator.


I answered a question about ASP.NET deployment in a newsgroup recently where the person asked which files should he deploy when moving his site to a production server.

As a followup to my answer, Jon Galloway pointed the person to a neat deployment utility called UnleashIt.

Screenshot: UnleashIt. Caption: “Ready to deploy, Sir!”

UnleashIt provides integration with VS.NET 2003 as an add-in. You can create deployment profiles and share them with other team members. I plan to use this for any customization of my .TEXT blog I plan to do.

So why not just use Visual Studio’s copy project option? I’ve never used it but Jon had this to say:

Visual Studio has a copy project option for web projects, but it depends on your setup and you may miss files (javascript, css, images).

As usual, I have a few minor complaints, as I’m just a nitpicky person. The first is that the application is not resizable. The fonts on the main screen seem smaller than in other applications.

More problematic is that the application doesn’t seem to support adding file masks. Currently the application is missing *.asmx and *.ashx, but more importantly it would be nice to create a deployment profile using this tool that could handle Word docs (for example) if they were a part of the site.


If you haven’t heard, RSS Bandit can synchronize its state (feedlist, read/unread, etc…) across multiple machines. I wrote about it in the RSS Bandit docs.

So far, there are four means for synchronizing feeds: FTP, dasBlog, a local or network file share, and WebDAV. For the average user, these options might not always be available.

However, using GMail Drive Shell Extension, you can create a local drive letter that maps to your GMail account. Then in RSS Bandit, open up the properties dialog, click on the Remote Storage Tab, choose the File Share protocol and enter the GMail drive in the UNC directory path (it doesn’t have to be UNC). In the screenshot below, I have the e: drive mapped to my GMail account.

Screenshot: the Remote Storage tab.

Now you can use your GMail account for synchronizing your RSS Bandit state between multiple machines. Note that this usage of GMail is supported by neither Google nor the developers of RSS Bandit. So if Google suddenly decides to disrupt this usage of GMail, you’ve been warned.

As you can see in the RSS Bandit Roadmap, there will be support for more synchronization sources in the next major release.

code

There’s a lot of focus these days on SOAP vs REST and the proliferation of WS-* specifications. Sometimes you wonder if WS-* solves problems that aren’t all that common or have already been solved.

For example, some in the REST camp will say HTTP has security built in: it’s called SSL. Why not use it instead of building WS-Security?

Another example is WS-Addressing. This places addressing information within the SOAP envelope so that the message can be delivered via transports other than HTTP. At first glance, I wonder how often this will be useful for web services when HTTP is the predominant mode of transport.

However, Pat Caldwell illustrates a real world scenario in which WS-Addressing solved a real need that REST couldn’t and doesn’t address.

REST has its place, but for some of those nitty gritty situations, SOAP keeps everything clean.