
Dare puts this quote from Tim Bray up on his blog.

This has nothing to do with a California chip maker. Rather, it's about a trip I recently took to a conference called Intelink, where the people gather who run one of the world's biggest and most interesting intranets; the one that serves the community of U.S. Intelligence professionals … I was amused to note that on one of the sub-intranets distinguished by being loaded with particularly ultra-secret stuff, they were offering RSS Bandit for the people to download and use.

[Via Dare Obasanjo aka Carnage4Life]

Ok, I know 007 is actually a British Spy, but I couldn’t think of a good U.S. counterpart.


Aaron Skonnard mentions that

When you take the custom authentication route and write a UsernameTokenManager (UTM), your implementation of AuthenticateToken must return the same secret (e.g., password) used on the client side to generate the hash/signature, depending on which option you use.

As he correctly points out, this makes security experts cringe and hide under the bed (see Keith Brown’s cringing response where he proposes a solution).

The big issue is that your UsernameTokenManager needs access to the original cleartext password. But like any good security conscious developer, you don't store passwords as cleartext, do you? (I sure hope not. Bad security conscious developer. Bad!). Hopefully you do something along the lines of what Keith suggests in his MSDN column. For each user, he stores a randomly generated salt value and a hash of the cleartext password combined with the salt value. The salt value is unique per user.

Keith points out that the secret returned by the AuthenticateToken method doesn’t have to be the actual cleartext password. It just has to match the secret sent by the client. So if you store your passwords as an SHA1 hash, your client just needs to hash the password before creating the UsernameToken.

However, if you store your password as an SHA1 hash of the cleartext password + salt value, you’re going to have to do a little more work. Your client isn’t going to know the salt value for every user, so your client needs a way to discover that. This may require calling a separate web method just to query for the salt value given a user name. Service clients would be required to store that value (probably on a “session” basis) and use it when calling methods on the main web service.

Below is some sample code for doing just that. This assumes that user passwords are stored as described in the aforementioned article using salt and hash (no eggs, but do bring the ketchup). (My apologies for the ugly formatting, I didn’t want the code to be too wide)

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Web.Services2.Security.Tokens;

// Make an initial web service call to get the salt value for
// the user "haacked". The client should cache this so it is
// not fetched for every method call on our main service.
MyServiceWse proxy = new MyServiceWse();

// In order to get the salt value, a special account "saltAdmin"
// is used to call GetSalt(). This account only has access to
// this method. This also requires that the client app knows
// saltAdmin's salt value up front.
string adminPassword = GetAdminPassword(); // implementation not shown.

UsernameToken adminToken
    = new UsernameToken("saltAdmin", adminPassword,
                        PasswordOption.SendHashed);
// Attach the admin token to the outgoing GetSalt request.
proxy.RequestSoapContext.Security.Tokens.Add(adminToken);

string username = "haacked";
string salt = proxy.GetSalt(username);

// Hash password and salt.
string pw = "Password"; // assume this came from the user.
SHA1CryptoServiceProvider hashProvider
    = new SHA1CryptoServiceProvider();

byte[] inputBuffer = Encoding.Unicode.GetBytes(pw + salt);
byte[] result = hashProvider.ComputeHash(inputBuffer);
string hashedPassword = Convert.ToBase64String(result);

// Set up the user's token.
// Notice we use the hashed password instead of the cleartext one.
UsernameToken token
    = new UsernameToken(username, hashedPassword,
                        PasswordOption.SendHashed);
// WSE starts a fresh request context for each call, so the
// user token is attached separately from the admin token.
proxy.RequestSoapContext.Security.Tokens.Add(token);

// Make the actual service call on proxy here (method not shown).
```

The AuthenticateToken method of your custom UsernameTokenManager class can now just return the hashed password value for the calling user from your data store, everything will work just fine, and the security experts can come out from under the bed.
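To show the whole exchange end to end, here is an added Python simulation (not code from the post or from WSE) of both sides: the server stores only a per-user salt and SHA1(password + salt), the client discovers the salt and sends a WS-Security PasswordDigest computed from that salted hash, and the server's equivalent of AuthenticateToken returns the stored value to verify it. The in-memory user store, the GetSalt stand-in and the timestamp format are constructed for the example; the saltAdmin guard on GetSalt is omitted.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed in-memory stand-in for the service's user store: per user, a random
# salt and SHA1(password + salt), the layout the post assumes. No cleartext stored.
USER_STORE = {}

def salted_hash(password, salt):
    """SHA1(password + salt) over UTF-16LE bytes, matching Encoding.Unicode in the post."""
    digest = hashlib.sha1((password + salt).encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")

def enroll(username, password):
    """Server side: generate a per-user salt and store only the salted hash."""
    salt = base64.b64encode(os.urandom(16)).decode("ascii")
    USER_STORE[username] = {"salt": salt, "secret": salted_hash(password, salt)}

def get_salt(username):
    """Stand-in for the separate GetSalt web method (saltAdmin check omitted here)."""
    return USER_STORE[username]["salt"]

def password_digest(nonce, created, secret):
    """WS-Security UsernameToken digest as produced by PasswordOption.SendHashed:
    Base64(SHA1(nonce + created + secret)). Only this digest crosses the wire."""
    digest = hashlib.sha1(nonce + created.encode("ascii") + secret.encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def build_token(username, password):
    """Client side: discover the salt, derive the shared secret, emit a hashed token."""
    secret = salted_hash(password, get_salt(username))
    nonce = os.urandom(16)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"username": username, "nonce": nonce, "created": created,
            "digest": password_digest(nonce, created, secret)}

def authenticate_token(token):
    """Server side: AuthenticateToken hands back the stored secret and the digest is
    recomputed with it. Unknown users and wrong passwords both fail."""
    stored = USER_STORE.get(token["username"])
    if stored is None:
        return False
    expected = password_digest(token["nonce"], token["created"], stored["secret"])
    return hmac.compare_digest(expected, token["digest"])
```

Real WSE additionally checks the nonce against a replay cache and rejects stale Created timestamps; those checks are left out here to keep the secret-matching step visible.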


Found this on Wesner Moise’s blog. He’s discussing the performance implications between managed and unmanaged code.

The working set for SharpReader is 30Mb, FeedDemon is 23 Mb, and RSS Bandit is 4 Mb in their initial configuration on my machine. (In comparison, the working set for MS Word and MS Excel are about 18 Mbs.) So, actually in their bare configuration, RSS Bandit is the tightest of them all, even considering that RSS Bandit also uses the .NET runtime.

[Via .NET Undocumented]


So I am in the market for a Tablet PC and after a bit of research, the Toshiba Portege M200 is the top contender for my hard earned dollar.

I’m trying to cut down on the time I spend sitting at a desktop by using a tablet PC for email, reading and writing blog entries, etc… Basically non gaming and non development tasks. I think the high resolution of the M200 makes it a nice choice for reading.

So my main question for you is do you think there’s a better Tablet PC out there (or about to be released) worth me looking at over the M200? Let me know. Thanks!


If you installed SP1 for the .NET framework, you may notice that certain feeds are broken and return an HTTP Protocol Error. Dare looked into this and posted an explanation and workaround to the problem.

Apparently a lot of web servers out there are a bit loose with the HTTP specification while SP1 tightens compliance. So c’mon people, stick the chest out, shoulders back, stand up straight, and stick closely to the spec.


Whoa! I saw this on Wired News. If anyone is in danger, it’s me. I love getting right up to the subwoofers and feel the wind generated (of course wearing my etymotic earplugs).

Doctors report several cases of collapsed lungs apparently caused by loud music. They theorize that lungs may start to vibrate in the same frequency as the booming bass, which could cause a small rupture.

[Via Wired News]



I think Chris Anderson is totally wrong here. I am currently the smartest person in the room. I don’t CARE if I’m also the dumbest person in the room. He’s still wrong. ;)

(while talking to another senior person at Microsoft)

ChrisAn: “Have you driven a feature from scratch?”

Other: “Uhm, yes. I’ve worked on various platforms for the past 30 years, worked on the first release of DOS for Arabic and Windows for the Middle East”.

ChrisAn: “I’ll take that as a yes”

Remember to self, you are never the smartest person in the room… ever.

[Via simplegeek]


Wired printed an article recently (I wish I could remember the title) that discussed the network structure of relationships and fame. For example, imagine individuals as nodes in a big graph. Join the nodes by drawing directed edges that indicate whether a person knows of another person. An arrow drawn from Bob to Alice indicates Bob knows Alice. The fact that there's no arrow from Alice to Bob indicates Bob's a total loser (or stalker).

In this graph, the average person's node will have a roughly balanced number of arrows pointing in as arrows pointing out. That makes sense because in general, you'll know around the same number of people that know you unless you're a total loner. But for the truly famous, say for example Bill Gates, the arrows pointing in hugely outnumber the arrows out, which explains the horde of people asking him for money. The effect of this is that there's no way for Bill to have personal communications with everyone who knows of him. There's literally not enough time (not to mention incentive).

The article goes on to discuss how this relates to websites and blogs. For the relative unknown majority out there with blogs (such as this one), the number of arrows pointing in is quite small. Yep. Most likely, your blog is downright obscure. However, there is one advantage. Having a small readership allows one to actually participate in the small number of inane conversations that spark from time to time in the comments section of a post. The fact I even have a comments section is often indicative of the small audience I serve.

However, once you turn it up a notch in audience size, things change. For instance, you'll probably never get feedback from someone at the truly colossal sites such as CNN.com. Even sites that are somewhere in the middle such as Boing Boing and Slashdot have such a large audience that two-way communication is pretty non-existent.

To give you an idea of the mindshare these sites have, consider the following stats. A micro-node blog like mine gets around 40 web views and 150 aggregator views per post on average. That's pretty darn insignificant, but at least I can be pretty sure that those aren't all accounted for by my wife. Non-family members actually read this. "Hi y'all. Welcome! I come in peace!" Now suppose a site like BoingBoing decides to link to a post on this humble site like they did last week. Such an action leads to 18,365 web views (and counting) with 216 aggregator views. Keep in mind that this represents a small subsection of the entire Boing Boing readership who took the time to actually follow a link to some nobody's blog. Talk about a lot of arrows pointing in.


Recently I blabbed on and on about how to create a sane build process. One question I've heard in the past is what's the point of setting up a big formal build process when you have a very small project, perhaps with a team of one or two?

Well, I’d have to say there is no point to a BIG FORMAL build process for a small project. Rather, the build process should match the size and needs of your project and team. However, I will say this. Start early, because before you know it, your project and team will get big and you’ll be glad you have a build process in place. In the early stages, a simple NAnt (or MSBuild) script will suffice. Over time, that script will grow and grow. That’s exactly what I’m starting off with for Rss Bandit.

At this point, the script simply gets the latest version of the source code from CVS into a clean directory, compiles the code, and generates a compiled help file (.chm) using NDoc.

I plan to add a task to run unit tests, perform an FxCop analysis, and increment version numbers. However, I need to discuss version numbering with Torsten and Dare first. Eventually, I hope to add CruiseControl.NET integration. The purpose of this is to gain some experience with CCNET since I can’t yet use it at work.

Please Help! So this is all great and dandy, but the build file doesn't work. I'm not terribly familiar with CVS, so if anybody can help me get this working, I'll check it in to the CVS repository for RSS Bandit.



Restroom (A funny story I heard from somewhere. Supposedly it's a true story.)

I was barely sitting down when I heard a voice from the other stall saying: “Hi, how are you?”

I’m not the type to start a conversation in the men’s restrooms at a rest stop but, I don’t know what got into me, so I answered, somewhat embarrassed, “Doin Just Fine!”

And the other guy says: “So what are you up to?”

What kind of question is that? At that point, I’m thinking this is too bizarre so I say: “Uhhh I’m like you, just traveling east!”

At this point I am just trying to get out as fast as I can when I hear another question.

"Can I come over to your place after while?"

Ok, this question is just wacky but I figured I could just be polite and end the conversation.

I tell him, “Well, I have company over so today is a bad day for me!”

Then I hear the guy say nervously…

“LISTEN, I’ll have to call you back. There’s an idiot in the other stall who keeps answering all my questions!”

personal

So after much deliberation and research, we've decided that we're going to provide a home for a dog. In particular, we hope to adopt an Italian Greyhound from a rescue center. A rescue center is basically a foster home for dogs rescued from the dog pound. A rescue typically specializes in finding homes for a specific breed. For example, there is a Labrador Rescue, a Poodle Rescue, etc…

While paging through pictures and bios of dogs in need of a home, my wife grew really sad and wanted to rescue all of them. But we have a small Condo and can only really provide a good home to one dog.

If you’re looking to adopt a pet, try checking out your local animal shelter. For those of you in Los Angeles, check out the LA County Animal Care & Control. Oh, and as Bob Barker always says, “have your pets spayed or neutered”.

humor

Kyle sent me this classic photo from a friend of his, Brad Kagawa, who was at the RNC protest in New York. Brad scrambled across the march to take a picture of the geekiest protest sign he’s ever seen.

Will the W3C support this addition to HTML?

Whoever this person is with the sign, I <SALUTE/> you.

Thanks to Brad and Kyle for sending me this.

UPDATE: BoingBoing.net has a great entry about the mixture of tech, art and protest at the RNC. What makes the blog entry really great is that it includes a link to this post. ;)

UPDATE #2: And what makes this post great are the ensuing comments about HTML correctness that inevitably follow when geeks get political. I think I'll start posting everything as HTML.

UPDATE #3: So we may have identified the mysterious sign holder. Her name is Shalott. Of course, I have no way of confirming, but like Mulder, I believe! She got the idea from her friend Tzikeh who saw it online on a t-shirt.


I have a few GMail invites to give away. If you don’t mind having a profit driven corporation scanning the contents of your emails in order to target you with ads, then post a funny comment with your email address. Or just post a bland comment. I don’t really care.

In return, you’ll get a free web-based email account with 1000 MB of storage and the power of the Google search engine for searching your emails.

Sorry. I’m all out.

personal

So today, loads of clean people will be driving through the small town of Gerlach into the temporary city of Black Rock City. Trust me, they won’t stay clean for long, and will definitely bring home a souvenir of a nice coating of Playa dust over everything.

They are there to begin a week long festival known as Burning Man. This year’s theme is “Vault Of Heaven”. I believe my friends Ed and Michael (not Krimm) are going to be out there getting into all sorts of trouble.

I hope you all have a good time out there and be safe. Especially watch out for the sharks!

The author auditions for Jaws 5. (Notice the temple in the distance to the right)

The Black Rock legal team approaches…


In the comments section of the post about the geekiest protest sign, Clara points out that tshirthell.com sells a t-shirt with the end Bush tag (seen below).

End Bush T-Shirt

Tell them Haacked sent ya (not that I know those people).

As to the question whether this is XHTML, HTML, XML, SGML compliant? Who really gives a flying fuck? I mean c’mon people, get a freakin’ life! The real question is why choose a serif font over a sans-serif? ;)

For you real geeks: 0x3c 0x2F 0x62 0x75 0x73 0x68 0x3E

UPDATE: Oh, and this shirt is an XHTML compliant end tag (unlike the protest sign) assuming it is preceded by a start tag. According to Section 4.2 of the W3C recommendation, Element and attribute names must all be in lowercase.


We just got back from their wedding reception in San Francisco and we had a great time. I can see that you two will be very happy and I was honored to take part in the reception. Also, many thanks for the iPod, an overly generous gift, but one I will make good use of. I now finally have an iPod. Wohoo!