This is a mirror of the official site: http://jasper-net.blogspot.com/

How to Add High-Performance Runtime Tracing to your Application

Monday, February 27, 2012
For logging, we’d like you to use Event Tracing for Windows (ETW) instead of creating your own. There are several reasons:

    ETW is fast—probably faster than most custom solutions that are implemented as part of an app
    Good tools support with Xperf, Windows Performance Toolkit, and so on.
    Traces are stored in kernel buffer—any traces your app has written aren’t lost if your app terminates unexpectedly
    Your support staff can work with other support organizations, such as Microsoft CSS, seamlessly, because ETW is a common infrastructure

Dan Ruder has provided a sample C++ application covering how to add Event Tracing for Windows (Logging) to a Windows application and has also written an article on how to add Event Tracing for Windows to a C++ Application (copied below).

See Also

    Download the Windows SDK

    Use this not this

The following article, authored by Dan Ruder to complement the aforementioned sample, covers how to add ETW to your app:
How to Add High-Performance Runtime Tracing to your Application
Applies To

Windows API programming for the following versions of Windows:

Client: Windows 7, Windows Vista

Server:  Windows Server 2008 R2, Windows Server 2008
Summary

This article explains how to use the Event Tracing for Windows (ETW) functions to add runtime trace logging to your application.  The ETW system provides high-speed logging that can be enabled and disabled dynamically without restarting the application.  This makes ETW useful for diagnosing application behavior without invasive debugging.  It can be used to:

    Record how users interact with your application
    Record resource consumption and release patterns
    Record performance statistics
    Create a history of operations to verify correct application behavior
    Create a history to troubleshoot incorrect application behavior
    Enable advanced end-to-end diagnostics across multiple software layers

 

This article will focus on the manifest-based ETW functions which are available starting in Windows Vista and Windows Server 2008.
Prerequisites

List of technologies and software that you need to understand or install in order to create and run this code.

    Microsoft Windows 7 Software Development Kit

Solution

The design of the Event Tracing for Windows (ETW) API is that an application does not write the whole trace message at runtime; instead, it writes an event descriptor plus parameter data to a trace session which saves the data into a log.  Later, the trace log is processed by matching the event descriptors with a list of events in an XML manifest file and formatting message strings with event parameter data.  Therefore, the steps to use the ETW API in your application are:

    Design the trace events your application will report.
    Create an event manifest to describe the event messages.
    Add tracing functions to your source code.
    Add the event manifest to your project.
    Build the project.



Posted via email from Jasper-net

Writing events with System.Diagnostics.Eventing

... or, how the hell to use Vista and 2008's new ETW stuff with managed code. And, introducing ecmanaged: A decent way to do all this stuff.

Quick ETW Overview

Actually, the real ETW overview is here: http://msdn.microsoft.com/msdnmag/issues/07/04/ETW/ <-- This is some of the best overview and documentation on it (the other good stuff is the ecmangen documentation in the Windows SDK bin folder). The MSDN stuff is terribly confusing for the most part. Or maybe I'm too spoiled by how easy it is to find stuff in the BCL. My overview is on what you gotta do to make things work in .NET.

ETW is a real pain to use with .NET. Even so, ETW starts off looking really promising. You define everything in a nice XML manifest file, and everything is based off that. But wait, everything? Shouldn't the manifest be the end-all? Yea, that'd make logical sense. No, you run some tools from the Windows SDK. First you run MC, which generates a .h header file. Managed devs are groaning now -- why the hell should something as general as event tracing be language specific? The .h file contains the processed event descriptors, ready for C consumption.

It worsens: MC also generated a resource script. You have to compile that with RC and it'll create a Win32 .res resource. Then you compile that into a binary (the C# compiler has the /win32res option). Then you go back and edit your XML manifest and make sure it points to the final binary. Wait, what? Yes. The resources that MC generates for RC contain all the messages that are in your XML manifest. Someone thought it was a really cute idea to go and make the Event Viewer not only read all the data from your manifest, but also have to go look it up from some binary resources.

Actually, this probably made sense to someone on the Windows team since I'm guessing they already have tools to go and localise Win32 resources or something. Unfortunately, it sucks and makes no sense for anyone NOT in their particular position. Now, I hope I'm wrong (I really, really want to be wrong), but I think there's no way to force the message strings to just stay in the XML file and be read from there.

Finally, things get easy again. Just run "wevtutil install-manifest Some.man" (wevtutil is in system32). In fact, this utility is so user friendly, it even lets you type "im" instead of "install-manifest". At this point, assuming the other steps went well, your provider shows up in Event Viewer.

ECManGen

But wait, how do I actually make that manifest? This part is almost the easiest. In the Windows SDK, there's a lovely little tool called ECManGen. Just fire it up, and go to town adding Providers, Channels, Templates, and Events.

Providers are the main things that show up in your Event Viewer, such as MyApp-FooProduct-LameComp. Channels separate Admin/Operational/Debug and others. Templates are an argument list for Events. If you have, say, a bunch of events that take the same kinds of parameters, you can share templates among them (I find it helpful to create a "SingleStringTemplate".) It's very straightforward.

*Note: I can't actually get Admin channels to work. If I create an event and stick it in an Admin channel and set its level to Informational, MC complains (as does ECManGen) that the level has to be Critical, Error, or Informational. Uh, OK. Instead, just use Operational.

Except... ECManGen is a free utility. (Free? Perhaps not, seeing as the annual MS bill for a 4-person dev team is around $20,000 (counting just MSDN) -- but it's well worth it.) Part of the docs say: "NOTE: For the Manifest Generator Tool to function correctly, the file winmeta.xml (which contains pre-defined metadata values) must either be in the Include directory of the SDK or in the same directory as the Manifest Generator tool." OK, easy enough. Except... it doesn't work that easily. The only way I got it to work was to copy the xml file over to the same directory, *and* start ECManGen from that directory.

Oh yea, ECManGen won't open your manifest file if you pass it as an argument, so forget about cute VS integration. Just Google ecmangen and go rate up the bugs on Connect :).

Going Managed

OK, so you're not living in the last century and use decent tools -- how does this map to C#? First off, you create an EventProvider with the right Guid (the one from your manifest). Then you create an EventDescriptor for each event, matching up all the little parameters (the MSDN docs for EventDescriptor have more details). Finally, you can call WriteEvent, passing the EventDescriptor *by ref* for some reason (no, I can't figure out why).

Oh yea, and you have to hookup that Win32 resource to your C# project, so if you needed another resource (like another app manifest?), you'll have to go deal with merging them and all that hassle. And, don't forget to make sure the parameters you pass into the object[] array of WriteEvent line up with what your manifest has. And also, the .NET API won't even handle the Boolean->BOOL (4 byte) silliness for you.
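
The managed write path described in this section (and the "add tracing functions to your source code" step of the article above), as an added example that is not code from either original post. The provider GUID, the descriptor numbers, the logon-attempt event and its three-field template are hypothetical stand-ins for whatever your own manifest and the MC-generated header define.

```csharp
using System;
using System.Diagnostics.Eventing;   // System.Core.dll, .NET 3.5 or later, Vista/2008 or later

static class AuditEvents
{
    // Hypothetical GUID: must equal the guid attribute of <provider> in your manifest.
    static readonly Guid ProviderId = new Guid("11111111-2222-3333-4444-555555555555");
    static readonly EventProvider Provider = new EventProvider(ProviderId);

    // One descriptor per <event> element. Every number here is a placeholder;
    // copy the real values from the header that MC generates from the manifest.
    // The field is not readonly because WriteEvent takes the descriptor by ref.
    static EventDescriptor LogonAttempt = new EventDescriptor(
        100,   // id
        0,     // version
        16,    // channel (placeholder for the Operational channel's value)
        4,     // level: win:Informational
        0,     // opcode: win:Info
        0,     // task
        0L);   // keywords (placeholder: use the mask MC emits for this event)

    // Assumed template: user (win:UnicodeString), succeeded (win:Boolean),
    // attempt (win:UInt32). The payload order must match the template exactly.
    public static EventProvider.WriteEventErrorCode WriteLogonAttempt(
        string user, bool succeeded, uint attempt)
    {
        // Cheap check: skip building the payload when no session has enabled us.
        if (!Provider.IsEnabled(LogonAttempt.Level, LogonAttempt.Keywords))
            return EventProvider.WriteEventErrorCode.NoError;

        object[] payload =
        {
            user ?? string.Empty,
            succeeded ? 1 : 0,   // win:Boolean is a 4-byte BOOL; the post notes the
                                 // API does not widen System.Boolean for you
            attempt
        };

        // The descriptor is passed by ref, as the post describes.
        bool written = Provider.WriteEvent(ref LogonAttempt, payload);

        // A dropped event matters for an audit trail, so surface the reason
        // (NoFreeBuffers or EventTooBig) instead of ignoring the return value.
        return written
            ? EventProvider.WriteEventErrorCode.NoError
            : EventProvider.GetLastWriteEventError();
    }

    public static void Shutdown()
    {
        Provider.Dispose();   // unregisters the provider
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample values; never place credentials in an event payload.
        EventProvider.WriteEventErrorCode result =
            AuditEvents.WriteLogonAttempt("alice", false, 3);
        Console.WriteLine("WriteEvent result: " + result);
        AuditEvents.Shutdown();
    }
}
```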

In summary, it's a lot of boring, error-prone work, and you'll have to repeat it every time you edit your manifest. Yuck. Maybe it's just easier to use the old event log stuff and forget about all this fancy ETW stuff.

Read more: Atrevido

Intro to WinDBG for .NET Developers

When your code goes into production, you usually no longer have access to its binaries when they reach their final destination.  Whether that is someone’s desktop or a set of servers, you no longer have access to directly observe your code and its environment.  Operating system patches are applied, network policies are changed, firewall rules are restricted, disks are configured… as your code lives its life in its new home, there’s a wide range of things that may change in its environment and affect how it behaves (or rather misbehaves).  You liberally littered your code with lines of logging logic to learn in these lulls (long alliteration!), and that gives you an idea of where the code is not performing as expected, but you still are unaware of the exact reason (and thus, the fix) that your code is not working as expected.

Your challenge now is to try to figure out what is going wrong without wasting the customer’s time doing troubleshooting, because there’s nothing that a business user loves more than being asked by a technical guy which button is he really clicking to get that error.  You don’t have the luxury (should have thrown that in the alliteration sentence previously) of spending days or weeks doing troubleshooting, you need to know what is happening right now.

In a perfect world, you would have the stack trace, you’d be able to inspect locals, you could debug the code.  Well, it turns out, you can do just that… and never attach to the customer’s environment.

Download WinDbg and Get Started

Download the Debugging Tools for Windows to your local developer machine.  You can get them as part of the Windows SDK.  Choose the Debugging Tools for Windows in the Common Tools section if you only want the debugging tools for your current machine’s platform.  If it is an x86 machine, then only the x86 tools are installed.  If your machine has an Intel 64-bit processor, then only the x64 tools are installed.  If you choose the redistributable version, then you get all three (x86, x64, and Itanium).   After you download, install to your local developer machine (not the customer’s machine).

One tip is to change the installation path.  By default, windbg will be copied to the Program Files directory.  Instead, change the path to something like “d:\debug”. This will make it easier to add extensions.

Now that you’ve installed, in the start menu you will see a new program group, “Debugging Tools for Windows (x64)”, and a new program in it called “WinDbg”. 

Read more: Kirk Evans Blog

Core OS Events in Windows 7, Part 1

Sunday, February 26, 2012
Today's computer software constantly breaks new ground. Consumer software applications offer a sophisticated set of features that enable rich new experiences. Powerful server applications are setting new records in throughput, speed and scale. These improvements have been made possible by rapid progress in hardware technologies and continuous adoption of software advancements in optimization, virtualization, and distributed and parallel computing. However, as a result, software applications have become larger and more complicated. At the same time, users' expectations about software quality are higher than ever. Fundamental characteristics such as performance, reliability and manageability have proved essential in the long-term success of software products, and they are often celebrated as primary features.

Increasing software complexity and higher user expectations on quality thus present a difficult challenge in software development. When an unexpected problem occurs, predicting internal states of all relevant components is nearly impossible. Retracing the history of execution flows is cumbersome and tricky, but often necessary in finding out the root cause of software problems. When users report problems after deployment, they expect the root cause of the problem to be quickly identified and addressed. The overwhelming number of hardware and software combinations, different workload characteristics, and usage patterns of end users make such tasks even tougher. The ability to use a mechanism that enables you to understand system execution in a transparent manner, with minimal overhead, is invaluable.


Event Instrumentation

Instrumentation is one such effective solution in measuring and improving software quality. Software performance counters have provided a convenient way to monitor application execution status and resource usage at an aggregate level. Event instrumentation has also been popular over the years. Events raised by a software component at different stages of execution can significantly reduce the time it takes to diagnose various problems. In addition to scanning for certain events or patterns of events, one can apply data mining and correlation techniques to further analyze the events to produce meaningful statistics and reports on program execution and problematic behavior. The ability to collect events on production systems in real time helps avoid the need to have an unwieldy debugger setup on customer machines.

Introduced in the Windows 2000 operating system, Event Tracing for Windows (ETW) is a general-purpose event-tracing platform on Windows operating systems. Using an efficient buffering and logging mechanism implemented in the kernel, ETW provides a mechanism to persist events raised by both user-mode applications and kernel-mode device drivers. Additionally, ETW gives users the ability to enable and disable logging dynamically, making it easy to perform detailed tracing in production environments without requiring reboots or application restarts.

...
...

The following command starts the kernel session and enables process, thread, disk, network, image, and registry events. The collected events will be stored in a file called systemevents.etl in the current directory. Controlling the kernel session and collecting core OS events require administrator privileges:

> logman start "NT Kernel Logger" -p "Windows Kernel Trace" (process,thread,img,disk,net,registry) -o systemevents.etl -ets

To stop the collection, users need to issue the "logman stop -ets" command:

> logman stop "NT Kernel Logger" -ets


Read more: MSDN Magazine

Watch Channels From All Over The World With TV for Google Chrome


Want to watch TV on your computer and surf the web at the same time? TV For Google Chrome is a handy Google Chrome extension that lets you stream online TV channels directly from the browser. It provides TV channels from all over the world, and allows you to choose genres ranging from business, religious, educational, sports, music, news, movies, lifestyle, entertainment and more. Moreover, the channels are updated regularly and are sorted by Countries and Categories (genres). All you need to do is select the country, and then select the TV channel. It will open a separate window, and start streaming the TV channel right away.

Once you’ve installed the extension, click the button in the toolbar to open a compact pop-up with a list of TV channels sorted by Countries and Categories. You will find almost every country in the list, however, some stations from specific countries might not be available.

Read more: Addictive tips

Disk Investigator: View MFT Zone, Check Raw Data Saved On Disk Sectors & Clusters


Disk Investigator is a multi-purpose, powerful hard disk tool that lets you find raw data saved on disk partitions, and check unreadable disk clusters and sectors. The application is built to navigate through the disk sectors, while showing the raw data in HEX, TEXT, and Decimal form. This not only helps you identify identical data written on the disk partitions, but also verify the performance of data shredding utilities. If you’ve recently used a file shredder to securely delete data from disk partition, it lets you view the current raw data present on the disk. Moreover, the application gives detailed insight into disk structure, including total logical sectors, bytes per sector, sectors per cluster, cluster size, MFT start cluster, MFT zone clusters and more. Additionally, it includes a simple, yet feature-rich file explorer that lets you view files and folders saved on disk, check raw data (in Text, Dec, and Hex form) of selected file, and check CRC-32, and MD5, Hash, RipeMD, and SHA hash value.

When launched for the first time, it starts fetching disk information, including starting sector on disk, cluster distribution, total clusters etc. Once done, you will see main window, showing all the information retrieved during the scan process. It shows drive view with complete disk information, and raw data written on first sector of disk. However, you can use Sector input field and slider to navigate through disk sectors. If you want to search a specific text string from the disk, use Search option to view specified text/hex values.

Read more: Addictive tips

How To Backup Files To BitLocker-Enabled Virtual Hard Disk [Beginner's Guide]


Microsoft’s VHD (Virtual Hard Disk) format is widely used to contain and run guest operating systems using Microsoft virtualization software, MS Virtual PC. Unlike previous versions of Windows, Windows 7 natively supports creating and mounting virtual hard disks using the Disk Management utility. Not only does it create MBR partitions, it also allows creating a GUID partition on a VHD to store large amounts of data. With Windows 7, you no longer need an additional tool to attach VHD files for accessing virtual hard disk data and backing up files and folders to a virtual hard disk file. When you attach a virtual hard disk file, you can access and modify its content just like the way you use a physical hard drive’s volumes. Since Windows 7 provides all disk-related features with an attached virtual hard drive, you can use it as secured backup storage. In this post, we will guide you through the process of creating a virtual hard disk and encrypting it with BitLocker to securely back up files and folders.

Performing disk management tasks requires you to log in to Windows as administrator. So, make sure that you have the required administrative privileges for creating a new hard disk volume. First off, open the Computer Management console from the Computer right-click context menu, and navigate to Storage –> Disk Management.


Read more: Addictive tips

Right Inbox: Schedule Emails In Gmail To Be Sent Later [Chrome]


Right Inbox seamlessly integrates with Gmail and lets you schedule your emails to be delivered at a later time. Using this extension, you can set a date and a specific time for your emails to be sent in future. What should’ve been incorporated in Gmail by default, Right Inbox makes up for that missing scheduling feature. You can choose any date/time for your messages to be delivered, and Right Inbox will automatically send your emails at the specified time. With it, you will never forget to send an important email. Moreover, the extension has time zone support, so you can even schedule your emails if you’re sending them overseas. The extension lets you make sure people receive your emails at an appropriate time.

Read more: Addictive tips

How Kinect Met Android

With the growth of the Internet, we have all learned that a whole army of inventors, or simply people with a creative turn of mind, has somehow been living quietly alongside us: people who see the world around them in a completely different dimension (and not all of them work at Microsoft) and can create things that mere mortals cannot. Channels such as Discovery run programmes about such inventions, and I have already written about such inventions on this blog too, for example BendDesk, a next-generation touch desk; the Beer Cannon for delivering beer to your bed or TV; or the Android device for feeding cats. And not long ago a video appeared online of yet another truly hellish contraption (Badass tech in the original), which I cannot help but write about.

Read more: PlainSourceCode

Construct XAML Forms at Runtime with Resource Files

Sometimes different users need different UIs, or different sites where your application is installed need different UIs. You could add a bunch of logic that makes controls visible or invisible as needed (and best of luck testing that). Or you could just load the UI that your user or site needs. In that scenario, the ultimate form contains no content:

<Window x:Class="MainWindow"
    xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
    Title="MainWindow" Height="350" Width="525">

</Window>

At runtime, you'll now need to load the UI based on settings in a config file or the preferences of the currently logged on user. To support that, you can define each of those UIs in your XAML file, then paste each of them into a separate XML file. This example, in a file called MyGrid.xml, defines a Grid containing a DataGrid and two buttons:

<Grid xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml">
    <DataGrid Name="DataGrid1" … />
    <Button Name="UpdateBtn" … />
    <Button Content="DeleteBtn" … />
  </Grid>

By default, any XML file you add to your project is a resource file; and when your file absolutely, positively has to be present, a resource file is your best choice. A resource file is compiled into your executable and guaranteed to be distributed with it. If you have a limited number of configurations, you can set them up as individual resource files and compile them all into your executable.

However, if you don't want the file to be incorporated into your executable, you should select the XML file in Solution Explorer and set its Build Action property to Content. A content file won't be distributed with your application (at least if you use any of the standard distribution methods). Instead, it will be a separate file you must copy to the folder holding your executable, but can then replace or modify at your convenience.

To ensure that the file is copied to the folder with your executable (this makes referring to the resource in your code easier), set the file's Copy To Output Directory property. To ensure you get the most recent version of the file, set the file's Copy To Output Directory to Copy If Newer.

Accessing a Resource File
Now you're ready to write the code to load the UI appropriate for your user or installation. First you need to create a StreamResourceInfo class, passing the URI for your resource file. Next, create a XamlReader to pull the XAML from the file.
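
One way to carry out the loading step just described, as an added C# example that is not the article's own code. It uses the static XamlReader.Load; the LoadUi helper, its isContentFile flag and the ApprovedSha256 placeholder are hypothetical. Because a Content file sits beside the executable and can be replaced, and XamlReader.Load instantiates whatever types the markup names, the example checks the file's SHA-256 against a pinned value before parsing it.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Windows;
using System.Windows.Controls;
using System.Windows.Markup;
using System.Windows.Resources;

public partial class MainWindow : Window
{
    // Hypothetical placeholder: hex SHA-256 of the MyGrid.xml you approved for deployment.
    const string ApprovedSha256 = "<sha256-of-approved-MyGrid.xml>";

    public MainWindow()
    {
        InitializeComponent();
        // MyGrid.xml has Build Action = Content in this example.
        Content = LoadUi("MyGrid.xml", isContentFile: true);
    }

    static Grid LoadUi(string relativePath, bool isContentFile)
    {
        var uri = new Uri(relativePath, UriKind.Relative);

        // Build Action = Resource: compiled into the assembly.
        // Build Action = Content: loose file copied next to the executable.
        StreamResourceInfo info = isContentFile
            ? Application.GetContentStream(uri)
            : Application.GetResourceStream(uri);
        if (info == null)
            throw new FileNotFoundException("UI definition not found", relativePath);

        using (Stream source = info.Stream)
        using (var buffer = new MemoryStream())
        {
            source.CopyTo(buffer);

            // A loose file can be swapped after installation, so verify it
            // before the parser is allowed to construct objects from it.
            if (isContentFile)
            {
                string actual = Sha256Hex(buffer.ToArray());
                if (!string.Equals(actual, ApprovedSha256, StringComparison.OrdinalIgnoreCase))
                    throw new InvalidDataException(
                        relativePath + " does not match the approved digest");
            }

            buffer.Position = 0;
            var grid = XamlReader.Load(buffer) as Grid;
            if (grid == null)
                throw new InvalidDataException("Root element of " + relativePath + " is not a Grid");
            return grid;
        }
    }

    static string Sha256Hex(byte[] data)
    {
        using (SHA256 sha = SHA256.Create())
        {
            return BitConverter.ToString(sha.ComputeHash(data)).Replace("-", string.Empty);
        }
    }
}
```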


Read more: Visual Studio Magazine

HijackThis gets all open. Download the VB6 (yes, VB6) code now...

HijackThis, originally created by Merijn Bellekom and later sold to Trend Micro, has now been released as Open Source by Trend Micro as of February 20, 2012. The code, originally written in Visual Basic, is now hosted on SourceForge.net waiting to be manipulated and improved for the good.

In case you are not aware, HijackThis is a free scanning utility that scans and generates an in-depth report of registry and file settings from your Windows system. In addition to its scan and remove capability, HijackThis also comes with several tools useful in manually removing malware from your computer.

HijackThis will not determine what’s good or bad, nor make any changes to your computer settings unless told to.


Read more: Greg's Cool [Insert Clever Name] of the Day
Read more: HijackThis

Microsoft offers touch guidance to Windows 8 Metro-app developers


Since Metro-style applications for Windows 8 should all have a touch-first experience, Microsoft has recently released a brief but useful “Windows 8 Touch Guidance” documentation on how developers should think about touch in their applications.

The four-page PDF touches (pun) on some interesting touch characteristics of Windows 8 – including but not limited to drag-down/up for select/deselect, semantic zoom and panning and swipe from edge.

The document also establishes some useful guidelines on content and interactive element placements for different grip positions – landscape and portrait, and positions – one hand, two hand, rested on surface or on stand. Through user research, Microsoft has also found a 7x7mm touch target optimal for the average index finger width of 11mm.

Read more: i started something

ZZFS + USB Device = Getting at local files, from across the web, even if the other PC is asleep... [Prototype from Microsoft Research]

Files on a home computer could soon be accessible from anywhere, even when the computer holding them is switched off, thanks to a prototype file-synching system developed at Microsoft's research labs.

The system is designed to demonstrate an alternative to a growing array of cloud services. "One of our underlying principles is that you don't always want to put all of your data in the cloud and give it to Google or some other corporation," said Michelle Mazurek, of Carnegie Mellon University, presenting the technology at the Usenix File and Storage Technology conference in San Jose, California, last week.

Cloud systems can synchronize data between computers to provide access from anywhere, but users have to plan in advance which data they want to sync, and they have to trust a third party with their files.

Mazurek and researchers at Microsoft's labs in Cambridge, U.K., built an alternative in the form of a simple application that makes all the data on one of a person's computers visible and accessible from any of their others. The user's devices act as personal cloud servers, and the software, called ZZFS, uses a novel hardware trick to wake up desktop and laptop computers that are in standby or sleep mode. This means that a file left on a closed laptop sitting on the couch at home can be retrieved from work.

...

A user can use the Windows Explorer file browser to see all the files and folders on other computers with ZZFS installed. Applications like Microsoft Office and iTunes can open those files normally, once they have been retrieved over the Internet.

A piece of hardware called Somniloquy is the reason this system works. The USB device, which acts like a smarter version of an ordinary network card that connects a computer to the Internet, can wake a sleeping computer and retrieve data from it before powering it back down. It has its own low-power processor and a few gigabytes of storage to cache files sent its way while a computer wakes up.


Read more: Greg's Cool [Insert Clever Name] of the Day
Read more: Sync Your Data without the Cloud

WinUsbNet: A managed interface to WinUSB.sys

Project Description

The WinUsbNet class library gives .NET managed code direct access to USB devices through WinUSB, the generic USB device driver included with Windows. The project also includes tools to create & install WinUSB installation files, and a sample application.


Purpose

This project is intended for developers who are creating their own USB device. Using WinUsbNet eliminates the need to understand anything about Windows device drivers. If you know what a USB endpoint is and can use the .NET Framework class Stream, you know enough to transfer data between your application and your USB device.

This project could also be useful for someone who wants to make their own interface to an existing USB device. You will need to understand the data transfer protocols of the target device.

Read more: Codeplex

Passcode-Locked iPhone Hacked with a Paper Clip

Calls can be made and SMS messages sent from a passcode-protected iPhone, claims a group of developers who call themselves iPhoneIslam. They managed to bypass the passcode on the smartphone, but access to some functions remained closed. A video example of the hack from our Russian colleagues:

According to the developers, all this operation requires is a paper clip or any other object that can open the SIM card compartment.

It is noted that the hack is possible only if there is a missed-call notification on the screen.

Using the paper clip, one has to pull the SIM card tray out of the device, wait a few seconds, then insert it back and swipe a finger across the notification.

After these steps, the iPhone's Phone application should open. With it, one can make calls, send SMS messages and e-mails, and view and edit the contact list. The phone's other functions remain locked.

In this way, the passcode can be broken on any device running iOS 5. That may be an iPhone 4S, iPhone 4 or iPhone 3GS.

Read more: Habrahabr.ru

Inside the Concurrent Collections: ConcurrentDictionary

Using locks to implement a thread-safe collection is rather like using a sledgehammer - unsubtle, easy to understand, and tends to make any other tool redundant. Unlike the previous two collections I looked at, ConcurrentStack and ConcurrentQueue, ConcurrentDictionary uses locks quite heavily. However, it is careful to wield locks only where necessary to ensure that concurrency is maximised.

This will, by necessity, be a higher-level look than my other posts in this series, as there is quite a lot of code and logic in ConcurrentDictionary. Therefore, I do recommend that you have ConcurrentDictionary open in a decompiler to have a look at all the details that I skip over.
The problem with locks

There are several things to bear in mind when using locks, as encapsulated by the lock keyword in C# and the System.Threading.Monitor class in .NET (if you're unsure as to what lock does in C#, I briefly covered it in my first post in the series):

    Locks block threads
    The most obvious problem is that threads waiting on a lock can't do any work at all. No preparatory work, no 'optimistic' work like in ConcurrentQueue and ConcurrentStack, nothing. It sits there, waiting to be unblocked. This is bad if you're trying to maximise concurrency.


    Locks are slow
    Whereas most of the methods on the Interlocked class can be compiled down to a single CPU instruction, ensuring atomicity at the hardware level, taking out a lock requires some heavy lifting by the CLR and the operating system. There's quite a bit of work required to take out a lock, block other threads, and wake them up again. If locks are used heavily, this impacts performance.


    Deadlocks
    When using locks there's always the possibility of a deadlock - two threads, each holding a lock, each trying to acquire the other's lock. Fortunately, this can be avoided with careful programming and structured lock-taking, as we'll see.


Read more: Simon Cooper

Posted via email from Jasper-net

Generics: The Better Method Match

This topic came up again on one of the C# developer mailing lists I participate in.  Because there is still a reasonable amount of confusion on this topic, I thought I would post the rules and the reason behind those rules here.

Everything from this post is taken from Sections 7.5.2 (Type Inference) and 7.5.3 (Overload Resolution) in the C# Language Specification (4th edition).

Consider these two overloads of a Log method:

static void Log<K,V>(K key, V value)
static void Log<K,V>(string key, IDictionary<K, V> values)

Suppose you called it with the following code:

class FooDict : Dictionary<string, int>
{
}

// create custom dictionary
FooDict fooDict = new FooDict();

// should *not* use the IDictionary<K,V>
Log("FooDict", fooDict);

// try a regular dictionary value
Dictionary<string, int> dict = fooDict;

// should *not* use the IDictionary<K,V>
Log("Dictionary", dict);

// now try the EXACT type
IDictionary<string, int> idict = fooDict;

// should use the IDictionary<K,V> - does
Log("IDictionary", idict);

The comments do explain what happens. But why?

Before doing anything else, the compiler searches for all the possible candidate methods for any method call. That list of candidate methods may include generic methods.  If the method call does not specify the type parameters, the compiler must infer them. Eric Lippert’s annotation in the spec is very pertinent here (emphasis his):

    The type inference algorithm is designed to answer one question: Given only the arguments and the formal parameter types, what is the best possible type arguments that can be inferred for each type parameter?

In the first case, the best possible type arguments that can be inferred are those of Log<string, FooDict>.

Now we come to the overload resolution algorithm.  There are two candidate methods. Using the inferred type parameters, the first is a better match, because it is an identity conversion: Log<string, FooDict> is an identity conversion from Log<string, FooDict>. In the second case, there is an implicit conversion from Log<string, FooDict> to Log<string, IDictionary<string, int>>, because FooDict implements IDictionary<string, int>. The identity conversion is a better match than a conversion to an interface.

Read more: SRT Solutions

Canonical reveals Ubuntu for Android


Canonical is making good on its promise to bring its popular Ubuntu flavor of Linux to a broader range of devices by announcing Ubuntu for Android, a release that will enable a full desktop computing experience on a docked Android smartphone. More than just a virtualized app that behaves like Ubuntu, the developers have melded together the Ubuntu architecture with the Android 2.3 (Gingerbread) AOSP build at the kernel level. The result is, from what we’ve seen, a harmony between the two platforms that could make a lot of sense for demanding mobile users.

To begin the introduction to Ubuntu for Android, let’s start with what Ubuntu for Android isn’t: it’s not a new mobile OS. Rather than try to enter the arena to take on Apple, Microsoft, and Google, Canonical instead chose to build a package that leverages the popularity of Android. This means Canonical is building on top of the world’s fastest growing mobile platform as a value-add. It’s a move that allows Ubuntu to augment the Android experience as opposed to attempt to replace it. This new release is best understood as a convergence between your mobile and desktop computing environments.

Read more: ExtremeTech

Hierarchical Data Into DataGridView in C#

Let us try a new kind of entry for DataGridViews.

What kind of new entry am I talking about?

I am talking about the hierarchical entry.

Is it possible to enter hierarchical entries into the DataGridView?

Yes of course, it's possible.

How?

Let's see.

Ok. First of all, what kind of hierarchical entry will we enter into the DataGridView?

See the following structure.


We will enter these hierarchical entries into the DataGridView.

Now for the coding part.

First of all we have to add the columns to the DataGridView.

myDataGridView.Columns.Add("myColumn1", "Roll Number");
myDataGridView.Columns.Add("myColumn2", "Course");
myDataGridView.Columns.Add("myColumn3", "Subject");
myDataGridView.Columns.Add("myColumn4", "Marks(Out of 100)");

Here I have created four columns, but you can create as many as you need.

After that we have to set the DefaultCellStyle for the DataGridView to display the entry in the hierarchical manner.

For that you have to use the WrapMode property. With the WrapMode property we can put data on a new line within a particular cell.

Set the WrapMode property to True like below:

myDataGridView.Columns[2].DefaultCellStyle.WrapMode = DataGridViewTriState.True;

myDataGridView.Columns[3].DefaultCellStyle.WrapMode = DataGridViewTriState.True;


In our case, the last two columns (column 2 and column 3) are the ones for which we set the WrapMode property to True.

Now start entering the data into the DataGridView one by one.

myDataGridView.Rows.Add(new object[] { 1, "Course 1","Sub 1\nSub 2\nSub3", "90\n95\n85" });
myDataGridView.Rows.Add(new object[] { 2, "Course 2", "Sub 1\nSub 2\nSub3", "67\n57\n84" });
myDataGridView.Rows.Add(new object[] { 3, "Course 3", "Sub 1\nSub 2\nSub3", "64\n80\n92" });
myDataGridView.Rows.Add(new object[] { 4, "Course 4", "Sub 1\nSub 2\nSub3", "94\n90\n99" });
myDataGridView.Rows.Add(new object[] { 5, "Course 5", "Sub 1\nSub 2\nSub3", "45\n58\n97" });

Read more: C# Corner

Visual Studio 11′s secret weapon for designers: PowerPoint Storyboarding


During today’s sneak peek announcement of the monochromatic Visual Studio 11 Beta to be released next week, Microsoft slipped in a new screenshot of the PowerPoint Storyboarding tool that will ship as part of Visual Studio 11.

The tool, which ships as an add-in for PowerPoint, will allow designers and developers to quickly mock up wireframe-based prototypes of their application using familiar presentation tools and animations, along with a host of UI controls which they can drag and drop to replicate a real application experience.

Windows desktop, Windows Phone mobile and web applications are all supported with a range of templates and controls suited to each scenario.

Read more: i started something

Webinar on Building a User Interface in Mono for Android

I'll be doing a webinar on Tuesday February 28th on Building a User Interface in Mono for Android.  A little bit about this:

We will look at the basics of building a user interface for Android with Mono for Android. The user interface is typically the first thing that a user sees when they work with your application. They will often judge your application based on the user interface. We will examine the basic concepts of UI design with mobile devices, the Android XML based layout language, some of the UI design surfaces for Android, some basic Android controls and finally some suggestions on creating a successful Android User Interface.


Read more: More Wally - Wallace B. McClure

Using Data Annotations in the .NET Framework

Starting with .NET 4 or MVC3, a developer could use a data annotation on a property to force data validation. This is extremely powerful especially for MVC developers. The same data annotations can also be used when building custom modules for Orchard CMS.

The annotations built into the framework include the following:

    Required – Allows you to mark a property as being required.
    StringLength – Allows a maximum string length to be specified for a property.
    Range – Validates the value of the specified property is between a range of values.
    RegularExpression – Allows you to specify a regular expression to validate the content against. A comprehensive list of regular expressions can be found at http://regexlib.com/.

In addition to these above, custom annotations can be built by inheriting from the base class ValidationAttribute.

An example of a custom data annotation is shown below. This sample asks for a start and an end date to be specified as strings. The assumption is that these strings will be in a correct date format. A property value will be specified as a string. The property value must be between the two dates specified.

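using System;

// Custom validation attribute: the annotated string property must parse as a
// date that falls between StartDate and EndDate (inclusive).
public class DateRange : System.ComponentModel.DataAnnotations.ValidationAttribute
{
    // Range bounds, supplied as date strings in the attribute declaration.
    public string StartDate { get; set; }
    public string EndDate { get; set; }

    public DateRange() {
        // Default range used when no bounds are supplied.
        this.StartDate = new DateTime(1900, 1, 1).ToString();
        this.EndDate = new DateTime(2099, 1, 1).ToString();
    }

    public override bool IsValid(object value) {
        // Only string values are checked; a non-string value becomes null here
        // and is accepted by the final return below.
        var valueToString = value as string;

        if (!string.IsNullOrEmpty(valueToString)) {
            DateTime dateTimeResult;

            // The value and both bounds are parsed with the current culture.
            if (DateTime.TryParse(valueToString, out dateTimeResult)) {
                return ((dateTimeResult >= DateTime.Parse(this.StartDate)) && (dateTimeResult <= DateTime.Parse(this.EndDate)));
            }

            // Present, but not a parseable date.
            return false;
        }
        // Null or empty passes; combine with Required to reject missing values.
        return true;
    }
}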


Read more: Jason N. Gaylord

Red Hat Enterprise Linux 5.8 released

A little under five years since it was first released, Red Hat has provided customers with the eighth "minor release" of Red Hat Enterprise Linux (RHEL) 5. As well as bug fixes and improved hardware support, RHEL 5.8 also includes new virtualisation and power management features.

The H feature "What's new in Red Hat Enterprise Linux 5.8" gives an overview of the changes merged into the eighth update for RHEL 5, which Red Hat will continue to maintain for a further five to eight years.

Read more: The H Open

Coded UI Test Automation Guidance

Project Description

This project delivers practical and scenario based guidance for the implementation of Coded UI Testing. Scenarios cover how to manage Coded UI Tests across projects and UI components.

Bookmark the Visual Studio ALM Rangers blog, using tag VSCUG for the latest information on this project.


Visual Studio ALM Rangers

This guidance is created by the Visual Studio ALM Rangers, who have the mission to provide out of band solutions for missing features and/or guidance. This content was created with support from Microsoft Product Group, members of Microsoft Services, Microsoft Most Valued Professionals (MVPs) and technical specialists from technology communities around the globe, giving you a real-world view from the field, where the technology has been tested and used.
For more information on the Rangers please visit http://msdn.microsoft.com/en-us/vstudio/ee358786.aspx and for a list of other Rangers initiatives please see http://msdn.microsoft.com/en-us/vstudio/ee358787.aspx.


What is included in the downloads?

The solution is divided in separate packages to give you the choice of selective downloads. The default download is the first of the listed packages:

    Guidance contains scenario based practical guidance, frequently asked questions and quick reference posters.
    Hands-on Lab contains the HOL that provides a walkthrough of the planning, based on the guidance
    HOL Package includes a setup part which prepares and configures your environment for this lab
    HOL Videos which showcase the hands-on labs and guidance in quick 5-10min videos

Read more: Codeplex

Regions are not just for code anymore... XAML Regions


XAML Regions extension by Jacob Johnston helps you organize xaml code by grouping relevant elements and speeds up navigation by collapsing less important blocks of markup. You can create a region with two comment lines containing region/endregion keywords and then collapse and expand it as needed:

...

You can use any convention for the region keyword in a comment (region, Region, #Region), and the same goes for endregion (endregion, End Region, #EndRegion). The text after the region keyword forms the visible region description.

The only suggestion I have for XAML Regions is to add a context menu command to the XAML editor to surround selection with a region (or add two commands to create and delete the region).

Read more: Greg's Cool [Insert Clever Name] of the Day
Read more: XAML Regions extension for Visual Studio 2010

How to change the default command prompt color on Vista and above

If you, like me, don’t like the default green on black in the command prompt, you can change the default via the registry:

Inline image 1

Read more: Kirill Osenkov

C#/.NET Little Wonders–The List Range Methods

Once again, in this series of posts I look at the parts of the .NET Framework that may seem trivial, but can help improve your code by making it easier to write and maintain. The index of all my past little wonders posts can be found here.

LINQ has added so many goodies that can be used to query IEnumerable<T> sequences that it can be easy to lose sight of some of the methods that are unique to each of the collection classes. This week, we will look at the range series of methods in the List<T> collection, which are useful for getting, adding, inserting, and deleting ranges to/from a List<T>.
AddRange() – Appends a sequence to end

Sometimes, you may have a list of items and need to append another sequence of items to the end of a List<T>. The AddRange() method can be used for this very purpose:

    AddRange(IEnumerable<T> sequence)
        Adds the elements of the sequence of type T to the end of the List<T>.

The elements of the sequence are added to the end of the existing list. If the list is empty, the elements from the sequence will be the only thing in the list. If the sequence itself is empty, the list will be unchanged.

var primes = new[] {2, 3, 5, 7, 11 };
var list = new List<int>();

// list was empty, now contains 2, 3, 5, 7, 11
list.AddRange(primes);

// list still contains 2, 3, 5, 7, 11 since sequence empty
list.AddRange(Enumerable.Empty<int>());

// list now contains 2, 3, 5, 7, 11, 13, 17
list.AddRange(new[] { 13, 17 });

This method can be very handy if you are looking to consolidate the results from several methods that return sequences into one List<T>. You could construct a List<T> and then use AddRange() to add each subsequent result sequence at the end of the list:

var allSymbols = new List<string>();
foreach (var securityType in availableTypes)
{
    IEnumerable<string> symbolsForType = GetSymbols(securityType);
    // AddRange() adds sequence to end of list
    allSymbols.AddRange(symbolsForType);
}

// allSymbols now contains all of the results
return allSymbols;

While AddRange() does not cause any elements of the existing List<T> to need to shift, it may cause a re-allocation if the new size of the list would exceed its current capacity.

Read more: James Michael Hare

An end-to-end WiX example...

A while ago, I needed to package and deploy an application and I did not want to use Visual Studio Setup and Deployment. I opened Firefox and decided to look for an alternative; what I found is WiX, Windows Installer XML.

So, I did some background checking on WiX and found out that it's the right tool for what I needed to do, because it gives me full control as a developer to determine how my application is going to be installed on the clients' machines and gives full unrestricted access to Windows Installer functionality. However, the learning curve associated with it is steep, and knowledge of XML is a prerequisite.

WiX is a free open source toolset that is used to build Windows installation packages from XML source code. Originally it was developed by Microsoft, but it's now being maintained by Rob Mensching. It is written in C#, and WiX itself is much like a programming language, but there is nothing to worry about, because with knowledge of XML the problem is half solved.

Now, let me not bore you; let's get started. In this post, I am going to use WiX to deploy a C# contact manager application that saves and retrieves data from an SQLite database. First of all, you need to download the WiX toolset, which contains a Visual Studio plugin that installs WiX project templates into Visual Studio; download the binaries here. After installing the toolset, it will install templates like this into Visual Studio.

Read more: Greg's Cool [Insert Clever Name] of the Day
Read more: Building Installation Packages with Windows Installer XML

"Practical Windows Kinect In C#" series

Practical Windows Kinect In C# (Introduction To Kinect, Getting started with Windows Kinect SDK 1.0)

    This e-book is for Version 1.0 of the Kinect SDK together with the Windows version of the Kinect hardware. It brings together articles in the series Getting started with Microsoft Kinect SDK which was based on the final beta of the SDK. These articles are still available.
    Chapter List

        Introduction to Kinect
        Getting started with Microsoft Kinect SDK 1
        Depth (in preparation)
        Player index (in preparation)
        Depth and Video space (in preparation)
        Skeletons (in preparation)
        The Full Skeleton (in preparation)

    The Microsoft official SDK for Kinect version 1.0 is easy to use. Basically you download it, plug the Kinect into a free USB socket and start programming. You can create applications in C#, VB or any .NET language including C++. Its only disadvantage is that it only works with Windows 7 and 8.

    As well as being easy to use, the new SDK is also significantly more powerful than the open source alternatives. It has an improved body tracker and it supports the Kinect's sound hardware.

    You can also now use the SDK to create commercial applications which you can sell without the need to pay a license fee to Microsoft. The only downside is that you have to buy the Windows Kinect rather than the Xbox 360 version, and this is more expensive because it isn't subsidized by revenue from games.

Read more: Channel9

XAML Language Specification (as in the full XAML, WPF and Silverlight XAML Specs)

The Microsoft Extensible Application Markup Language (XAML) technical documentation set provides preliminary technical specifications for this language based on Extensible Markup Language (XML) that enables developers to specify a hierarchy of objects.

Read more: Greg's Cool [Insert Clever Name] of the Day
Read more: Extensible Application Markup Language (XAML)

DOSarrest


Why Use DOSarrest?

DOSarrest are specialists in stopping DDoS and DoS attacks of all varieties. This is our sole purpose, and our anti DDoS network is built to handle the largest and most complex attacks.

DOSarrest was created to solve one problem from the start. It is not an add-on service or afterthought. We do not sell bandwidth or hosting services of any kind. We do not resell another network's DDoS protection service.

We have our own resellers, so ask your provider if they are an official DOSarrest reseller. Many major hosting operations regularly refer customers to us and they do it without making a cent. Our service speaks for itself.

This service is primarily for large E-commerce sites that do not want to have their sites disrupted by DDoS attacks or other malicious traffic. We have created, own and operate a state of the art DDoS protection service. All of our staff have extensive expertise in this field. When you talk to us you get the real goods, no folklore or nonsense. After all, we handle DDoS attacks daily, whereas some major networks may deal with this problem yearly! Experience is everything in this business.

More than half of our customers are with major tier 1 hosting providers and/or have tried other DDoS protection services. Our customers’ servers are located all over the world with many different hosting and DDoS protection service companies including: The Planet, Rackspace, Hostway, Peer1, DataPipe, Level 3, Prolexic and Verizon Business to name a few.  We take care of some major brands and household names. We are not for everyone, just those who cannot tolerate downtime.

We service websites representing the following industries: Health Care, gaming, online payment processing, banks, stocks/brokerage, government and affiliates, education, media, and numerous medium-large brand name E-commerce sites.

The DOSarrest advantage. We do not filter based on geography or other methods that filter out large blocks of IP address space. Our proprietary techniques and software only block malicious IP addresses, on a request by request instance and on a continuous basis. There is no third party black box with some unknown algorithm, deciding what is good or bad. We control every aspect of the cloud based DDoS protection service. This ensures zero false positives.

Most other DDoS mitigation services only have a proxy component. DOSarrest has both a proxy and caching component. This means that should you have a massive burst of legitimate traffic, our system is always ready for it. In essence the system acts as a CDN as well, able to distribute massive amounts of content to legitimate users. All this is done without any stress on your server.


Read more: DOSarrest

RioRey



Dedicated DDoS Protection is Our Business.
RioRey is the leader in dedicated DDoS protection.

Regardless of your network size, architecture or demands, we have solutions you need to effectively defend against the threat of DDoS.

RioRey Inc. is an innovative technology company that specializes in the design and manufacture of dedicated security solutions to protect networks against Distributed Denial of Service (DDoS) attacks. Our key focus is keeping our defense platforms comprehensive (protecting against all known types of DDoS attacks) while ensuring that detection and mitigation is automatic.

Read more: RioRey

Primal Fear: Demuddling The Broken Moduli Bug

There’s been a lot of talk about this supposed vulnerability in RSA, independently discovered by Arjen Lenstra and James P. Hughes et al, and Nadia Heninger et al. I wrote about the bug a few days ago, but that was before Heninger posted her data. Let’s talk about what’s one of the more interesting, if misunderstood, bugs in quite some time.

SUMMARY
INTRODUCTION
THE ATTACK
IT’S NOT ABOUT RON AND WHIT
WHO MATTERS
FAILURE TO ENROLL
THE ACTUAL THREAT
ACTIONABLE INTELLIGENCE
CONCLUSION

SUMMARY

    The “weak RSA moduli” bug is almost (and possibly) exclusively found within certificates that were already insecure (i.e. expired, or not signed by a valid CA).
    This attack almost certainly affects not a single production website.
    The attack utilizes a property of RSA whereby if half the private key material is shared between two public keys, the private key is leaked. Researchers scaled this method to cross-compare every RSA key on the Internet against every other RSA key on the Internet.
    The flaw has nothing to do with RSA or “multi-secret” systems. The exact same broken random number generator would play just as much havoc, if not more, with “single-secret” algorithms such as ECDSA.
    DSA, unlike RSA, leaks the private key with every signature under conditions of faulty entropy. That is arguably worse than RSA which leaks its private key only during generation, only if a similar device emits the same key, and only if the attacker finds both devices’ keys.
    The first major finding is that most devices offer no crypto at all, and even when they do, the crypto is easily man-in-the-middled due to a presumption that nobody cares whether the right public key is in use.
    Cost and deployment difficulty drive the non-deployment of cryptographic keys even while almost all systems acquire enough configuration for basic connectivity.
    DNSSEC will dramatically reduce this cost, but can do nothing if devices themselves are generating poor key material and expecting DNSSEC to publish it.
    The second major finding is that it is very likely that these findings are only the low hanging fruit of easily discoverable bad random number generation flaws in devices. It is specifically unlikely that only a third of one particular product had bad keys, and the rest managed to call quality entropy.
    This is a particularly nice attack in that no knowledge of the underlying hardware or software architecture is required to extract the lost key material.
    Recommendations:
        Don’t panic about websites. This has very little to absolutely nothing to do with them.
        When possible and justifiable, generate private key material outside your embedded devices, and push the keys into them. Have their surrounding certificates signed, if feasible.
        Audit smartcard keys.
        Stop buying or building CPUs without hardware random number generators.
        Revisit truerand, an entropy source that only requires two desynchronized clocks, possibly integrating it into OpenSSL and libc.
        When doing global sweeps of the net, be sure to validate that a specific population is affected by your attack before including it in the vulnerability set.
        Start seriously looking into DNSSEC. You are deploying a tremendous number of systems that nobody can authenticate.


Read more: Dan Kaminsky's Blog
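
The shared-factor property described in the summary above can be turned into an audit of your own key inventory, in the spirit of the "Audit smartcard keys" recommendation. This is an added example, not code from the original post or from the researchers: it runs a batch GCD (product tree plus remainder tree) over a constructed inventory and reports which keys share a prime or are outright duplicates, without emitting the factors. The device names, the `audit` and `mersenne` helpers and the toy moduli built from Mersenne primes are assumptions made for illustration.

```python
"""Audit an inventory of RSA moduli for shared primes (added example, constructed data)."""
from math import gcd


def product_tree(values):
    """Return the levels of a product tree: levels[0] is the input, levels[-1] is [product]."""
    levels = [list(values)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([
            prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
            for i in range(0, len(prev), 2)
        ])
    return levels


def batch_gcd(moduli):
    """For every modulus N_i return gcd(N_i, product of all the other moduli)."""
    levels = product_tree(moduli)
    rems = levels[-1]  # root: P = N_1 * N_2 * ... * N_k
    # Walk back down the tree: each node keeps P mod (node value squared).
    for level in reversed(levels[:-1]):
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # At a leaf, (P mod N_i^2) // N_i equals (P / N_i) mod N_i.
    return [gcd(n, r // n) for n, r in zip(moduli, rems)]


def audit(inventory):
    """Map each affected key name to its finding; healthy keys are omitted.

    inventory is a dict of key name -> RSA modulus (int). A batch GCD of 1 means
    the key shares nothing with the rest. A batch GCD equal to the modulus means
    either a duplicate key or both primes shared with other keys, so flagged keys
    are compared pairwise (cheap, because the flagged set is small).
    """
    for name, n in inventory.items():
        if not isinstance(n, int) or n < 2:
            raise ValueError(f"{name}: modulus must be an integer >= 2")
    names = list(inventory)
    moduli = [inventory[k] for k in names]
    flagged = [(k, n) for k, n, g in zip(names, moduli, batch_gcd(moduli)) if g != 1]
    findings = {}
    for name, n in flagged:
        dupes = sorted(k for k, m in flagged if k != name and m == n)
        shared = sorted(k for k, m in flagged
                        if k != name and m != n and gcd(n, m) != 1)
        findings[name] = {"duplicate_of": dupes, "shares_prime_with": shared}
    return findings


def mersenne(k):
    """2**k - 1; prime for the exponents used below (toy stand-ins for RSA primes)."""
    return 2 ** k - 1


# Constructed inventory: names and moduli are made up for this example.
SAMPLE_INVENTORY = {
    "router-a": mersenne(61) * mersenne(89),
    "router-b": mersenne(61) * mersenne(107),   # same first prime as router-a
    "camera-c": mersenne(127) * mersenne(521),
    "camera-d": mersenne(127) * mersenne(521),  # identical modulus to camera-c
    "server-e": mersenne(31) * mersenne(607),   # unrelated primes
}

if __name__ == "__main__":
    for name, finding in sorted(audit(SAMPLE_INVENTORY).items()):
        print(name, finding)
```

Every key that appears in the findings should be regenerated from a better entropy source and its certificate replaced; a key absent from the findings is only cleared against the other keys in the same inventory.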

The Network Simulator - ns-2

Ns is a discrete event simulator targeted at networking research. Ns provides substantial support for simulation of TCP, routing, and multicast protocols over wired and wireless (local and satellite) networks.

Ns began as a variant of the REAL network simulator in 1989 and has evolved substantially over the past few years. In 1995 ns development was supported by DARPA through the VINT project at LBL, Xerox PARC, UCB, and USC/ISI. Currently ns development is supported through DARPA with SAMAN and through NSF with CONSER, both in collaboration with other researchers including ACIRI. Ns has always included substantial contributions from other researchers, including wireless code from the UCB Daedelus and CMU Monarch projects and Sun Microsystems. For documentation on recent changes, see the version 2 change log.
Read this first:
While we have considerable confidence in ns, ns is not a polished and finished product, but the result of an on-going effort of research and development. In particular, bugs in the software are still being discovered and corrected. Users of ns are responsible for verifying for themselves that their simulations are not invalidated by bugs. We are working to help the user with this by significantly expanding and automating the validation tests and demos.

Similarly, users are responsible for verifying for themselves that their simulations are not invalidated because the model implemented in the simulator is not the model that they were expecting. The ongoing Ns Manual should help in this process.

Read more: ns-2

Multi Server Simulator

Multi Protocol Device Simulation for Testing Purposes

For testing purposes, Multi Server Simulator simulates large, virtual HTTP, FTP, SMTP, or DNS server networks, as well as SNMP-based network switches using a standard Windows PC. It is an indispensable tool for the evaluation and testing of network management and network testing tools.
Create Virtual Test Networks In Minutes

Using a standard Windows PC you can create large virtual networks using Multi Server Simulator. You are able to create as many servers and virtual switches as desired - limited only by the number of available IP addresses and TCP ports (as well as network and system performance).

Available Virtual Device Types:

    SNMP based switches (with 8, 100 or 1000 switch ports each)
    HTTP server
    FTP server
    SMTP server
    DNS server
    Simple server (open TCP port that accepts connections)

Setting up a network of 100 servers and 20 switches (with thousands of ports) takes merely a few minutes, much faster than installing and configuring normal server software on a PC.

Read more: Multi Server Simulator

WebGoat

Overview

The WebGoatV5 application is designed to illustrate typical security flaws within web-applications. It is intended to teach a structured approach to testing for, and exploiting such vulnerabilities within the context of an Application Security Assessment.

A full Application Security Assessment testing methodology is being documented by http://www.owasp.org/index.php/OWASP_Testing_Project and this will provide a superset of the issues demonstrated within the WebGoat. It may include a formal design and code review, for example. The WebGoat lessons aim to give practical training and examples relating to the Implementation Review phase of the OWASP Web Application Security Testing Methodology.

The WebGoatv5 Application provides a testing platform for a typical application security assessment. The assessor is given the same information and rights as a typical customer or client of an on-line application.

    The application is web based
    The attack simulations are remote

All of the described techniques may be performed from any connected location.

    The testing is black-box

Source code is not supplied, but it can be viewed and downloaded.

    Credentials and operational information is provided

Of course, the teaching aspect of WebGoat means that certain information will be revealed that would not typically be available. This makes it possible to guide the tester through an assessment process.


The current lesson plans provided in WebGoatv5 include:

HTTP Basics
HTTP Splitting and Cache Poisoning
How to Exploit Thread Safety Problems
How to Discover Clues in the HTML
How to Exploit Hidden Fields
How to Exploit Unchecked Email
How to Bypass Client Side JavaScript Validation
How to Force Browser Web Resources
How to Bypass a Role Based Access Control Scheme
How to Bypass a Path Based Access Control Scheme
LAB: Role based Access Control
Using an Access Control Matrix
How to Exploit the Forgot Password Page
How to Spoof an Authentication Cookie
How to Hijack a Session
Basic Authentication
LAB: Cross Site Scripting
How to Perform Stored Cross Site Scripting (XSS)
How to Perform Reflected Cross Site Scripting (XSS)
How to Perform Cross Site Trace Attacks (XSS)
Buffer Overflow (TBD)
HTTPOnly Test
How to Perform Command Injection
How to Perform Parameter Injection
How to Perform Blind SQL Injection
How to Perform Numeric SQL Injection
How to Perform String SQL Injection
How to Perform Log Spoofing
How to Perform XPATH Injection Attacks
LAB: SQL Injection
How to Bypass a Fail Open Authentication Scheme
How to Perform Basic Encoding
Denial of Service from Multiple Logins
How to Create a SOAP Request
How to Perform WSDL Scanning
How to Perform Web Service SAX Injection
How to Perform Web Service SQL Injection
How to Perform DOM Injection Attack
How to Perform XML Injection Attacks
How to Perform JSON Injection Attack
How to Perform Silent Transactions Attacks
How to Add a New Lesson
The Challenge

Read more: WebGoat

NEsper for .NET

NEsper is a CLR-based component for building CEP and ESP engines. NEsper is based upon the Esper baseline, but includes customizations that are specific to the .NET CLR.

NEsper is open-source software available under the GNU General Public License (GPL). The GPL v2 licenses you the right to redistribute NEsper under specific terms. Please contact us for any inquiry.


Guiding Philosophy

NEsper is derived from Esper, and to that end we want to ensure that NEsper is in line with the design, spirit and influence that drives Esper. However, NEsper strives to provide a CEP-ESP component for .NET applications. To that end, we strive to ensure that the APIs, interfaces and other constructs that we use properly reflect the way that the CLR is designed.

NEsper and Esper share the same grammar. Users should find the two environments to be compatible. However, users should keep in mind that NEsper and Esper are case sensitive and that canonization practices differ between Java and .NET.


Features

All of the features found in Esper are also available in NEsper. A NEsper version is feature-equivalent to the same-version Esper (Java) component.


Summary

Like its namesake, NEsper was created to make it easier to build CEP and ESP applications. NEsper is open-source software available under the GNU General Public License (GPL).


Read more: NEsper

Supporting 32-Bit I/O in Your 64-Bit Driver

| Thursday, February 23, 2012
Windows on Windows (WOW64) enables Microsoft Win32 user-mode applications to run on 64-bit Windows. It does this by intercepting Win32 function calls and converting parameters from pointer-precision types to fixed-precision types as appropriate before making the transition to the 64-bit kernel. This conversion, which is called thunking, is done automatically for all Win32 functions, with one important exception: the data buffers passed to DeviceIoControl. The contents of these buffers, which are pointed to by the InputBuffer and OutputBuffer parameters, are not thunked, because their structure is driver-specific.

Note   Although the buffer contents are not thunked, the buffer pointers are converted into 64-bit pointers.

User-mode applications call DeviceIoControl to send an I/O request directly to a specified kernel-mode driver. This request contains an I/O control code (IOCTL) or file system control code (FSCTL) and pointers to input and output data buffers. The format of these data buffers is specific to the IOCTL or FSCTL, which in turn is defined by the kernel-mode driver. Because the buffer format is arbitrary, and because it is known to the driver and not WOW64, the task of thunking the data is left to the driver.

Your 64-bit driver must support 32-bit I/O if all of the following are true:

    The driver exposes an IOCTL (or FSCTL) to user-mode applications.

    At least one of the I/O buffers used by the IOCTL contains pointer-precision data types.

    Your IOCTL code cannot easily be rewritten to eliminate the use of pointer-precision buffer data types.
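
The layout mismatch described above, as an added example in portable C (not code from the MSDN article or from this post). REQ32, REQ64 and thunk_request are hypothetical names, and the is32bit flag stands in for the answer a real driver gets from IoIs32bitProcess.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical IOCTL input as a 64-bit driver sees it: Data is pointer-sized. */
typedef struct { uint32_t Flags; uint64_t Data; uint32_t Length; } REQ64;
/* The same request as a 32-bit caller under WOW64 lays it out. */
typedef struct { uint32_t Flags; uint32_t Data; uint32_t Length; } REQ32;

enum { THUNK_OK = 0, THUNK_BAD_LENGTH = -1 };

/* Normalise an input buffer into the native layout before any field is used.
   is32bit stands in for what a real driver learns from IoIs32bitProcess(Irp). */
int thunk_request(const void *in, size_t inLen, int is32bit, REQ64 *out)
{
    memset(out, 0, sizeof *out);
    if (is32bit) {
        REQ32 r;
        if (inLen < sizeof r)            /* validate against the 32-bit size */
            return THUNK_BAD_LENGTH;
        memcpy(&r, in, sizeof r);
        out->Flags  = r.Flags;
        out->Data   = r.Data;            /* widened without sign extension */
        out->Length = r.Length;
        return THUNK_OK;
    }
    if (inLen < sizeof *out)             /* native callers send the full struct */
        return THUNK_BAD_LENGTH;
    memcpy(out, in, sizeof *out);
    return THUNK_OK;
}

int main(void)
{
    REQ32 req = { 1u, 0x90000000u, 64u };   /* constructed sample request */
    REQ64 native;
    printf("sizes: 32-bit=%zu 64-bit=%zu, Length offset %zu vs %zu\n",
           sizeof(REQ32), sizeof(REQ64),
           offsetof(REQ32, Length), offsetof(REQ64, Length));
    printf("thunked as 32-bit: %d\n", thunk_request(&req, sizeof req, 1, &native));
    printf("treated as native: %d\n", thunk_request(&req, sizeof req, 0, &native));
    return 0;
}
```

The second call fails the length check because the 32-bit buffer is shorter than the native structure; without that check the driver would read fields at the wrong offsets and past the end of the caller's buffer.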


Read more: MSDN

There's no need to panic over weak RSA keys: just mind your P and Q

You may have already seen the preprint published today by Lenstra et al. (discussion on Habr) about entropy problems in public-key cryptographic systems. Zakir Durumeric, Eric Wustrow, Alex Halderman, and I (Nadia Heninger) had been waiting to disclose similar results. We will publish the full paper once all affected vendors have been notified. In the meantime, we want to give a more complete explanation of what is really going on.

We were able to remotely compromise about 0.4% of all public keys used by websites for SSL. All of the compromised keys were generated incorrectly, using predictable "random" numbers that were sometimes also repeated. Overall, we can distinguish two types of problems: keys generated with predictable randomness, and a subset of those keys for which the lack of randomness allows an attacker to quickly factor the public key and obtain the private key. With the private key, an attacker can impersonate the website and may be able to decrypt encrypted traffic sent to that site. We have developed a program that, within a couple of hours, can factor the public keys and output the private keys for all hosts vulnerable to this attack.

Nevertheless, there is no need to panic, because the problem mostly affects embedded systems such as routers and VPNs and does not concern full-scale servers. (In any case, it is certainly no reason to lose trust in e-commerce, as the New York Times suggests.) Unfortunately, we found devices with this problem from practically every manufacturer, and we suspect that about 200,000 devices, representing 4.1% of all keys in our data, used poor entropy for key generation. Any weak key found to have been generated by a device suggests that the whole class of such devices is vulnerable to attack given proper analysis.

We will not provide a full list of vulnerable devices until we have contacted all the manufacturers, but using already published materials the attack can be reproduced fairly easily. That is why we are now working on a website that will let you determine whether your device is vulnerable.

Don't worry, your bank's key is most likely safe.

SSL is used by every major site on the Internet, but as our analysis shows, those keys are not affected by the problems described in this post.

Read more: Habrahabr.ru