This is a mirror of official site: http://jasper-net.blogspot.com/

CMDBuild

Thursday, January 19, 2012

CMDBuild® is a configurable web application to model and manage a database containing assets (CMDB stands for "Configuration and Management Data Base") and handle related workflow operations.

The aim is to let the operators have full control of the assets used, knowing exactly composition, position, functional relations and history.

CMDBuild® is a centralized management module working with databases and external applications: automatic inventory, documents management, text processing, directory services, e-mail, monitoring systems, intranet portals and other information systems.

CMDBuild® is a flexible and user-upgradeable system and uses the best practices defined by ITIL (IT Information Library).
CMDBuild® is released with GPL license.

Read more: CMDBuild

Posted via email from Jasper-net

‘MegaSearch’ Aims to Index Fraud Site Wares

A glut of data breaches and stolen card numbers has spawned dozens of stores that sell the information. The trouble is that each shop requires users to create accounts and sign in before they can search for cards.

Enter MegaSearch.cc, which lets potential buyers discover which fraud shops hold the cards they’re looking for without having to first create accounts at each store. This free search engine aggregates data about compromised payment cards, and points searchers to various fraud shops selling them.

According to its creator, the search engine does not store the compromised card numbers or any information about the card holders. Instead, it works with card shop owners to index the first six digits of all compromised account numbers that are for sale. These six digits, also known as the “Bank Identification Number” — or BIN — identify which bank issued the cards. Searching by BIN, MegaSearch users are given links to different fraud shops that are currently selling cards issued by the corresponding bank.

I first read about this offering in a blog post by RSA Fraud Action Research Labs. It didn’t take much time poking around a few hacker boards to find the brains behind MegaSearch pitching his idea to the owners of different fraud shops. He agreed to discuss his offering with me via instant message, using the search service as his screen name.

Read more: KrebsOnSecurity

Xpra

Xpra is 'screen for X': it allows you to run X programs, usually on a remote host, direct their display to your local machine, and then to disconnect from these programs and reconnect from the same or another machine, without losing any state.
Xpra is "rootless" or "seamless": programs you run under it show up on your desktop as regular programs, managed by your regular window manager.

Read more: Xpra

Reflection Scan: an Off-Path Attack on TCP

The paper demonstrates how traffic load of a shared packet queue can be exploited as a side channel through which protected information leaks to an off-path attacker. The attacker sends to a victim a sequence of identical spoofed segments. The victim responds to each segment in the sequence (the sequence is reflected by the victim) if the segments satisfy a certain condition tested by the attacker. The responses do not reach the attacker directly, but induce extra load on a routing queue shared between the victim and the attacker. Increased processing time of packets traversing the queue reveals that the tested condition was true. The paper concentrates on TCP, but the approach is generic and can be effective against other protocols that allow constructing requests which are conditionally answered by the victim. A proof of concept was created to assess applicability of the method in real-life scenarios.

Read more: Cornell University Library

Microsoft’s “Picture Password”: A Breath Of Fresh Air On The Lock Screen, Of All Places

Wednesday, January 18, 2012

Remember that feeling you got back when Steve Jobs was unveiling the iPhone, and he did the “slide to unlock” gesture for the first time? I remember the way he said it – “You like that? Want to see it again?”

Since then I haven’t seen a lock screen interface that has made me feel that same “how obvious, how elegant!” feeling – until today at the NVIDIA press conference, and later at the Microsoft keynote here at CES. It sounds a little silly, sure, making such a big deal of such a small feature, but it’s just nice to see a genuinely natural and new way of doing something we’ve all done thousands upon thousands of times over the last few years.

Microsoft’s picture password is simple. You start up your device and lift the little “veil” common to Metro devices, and you are presented with a picture. Your password is to touch and slide along certain parts of the picture: tap your dogs in a certain order, or slide your finger along the outside of your house.

How obvious! How elegant! Windows 8 may have some design decisions I don’t agree with (mainly on the “traditional” side, not on the Metro side), but it also has some legitimately new and interesting UI ideas and this is one of them.

Read more: TechCrunch

Video Hosting & Sharing Service Vimeo Releases Its Android App


Vimeo is an award-winning online video sharing service with high-quality video content in its rich repository. Although the official iOS client of Vimeo has been available in the iTunes App Store for quite some time now, the Android variant has just been released to the Market. The news is surely going to please users of said service who, up until now, had to resort to unofficial Vimeo apps to access and share videos from their Android devices. The app provides the users with an option-packed dashboard that helps them instantly capture and upload their videos, search and watch all featured Vimeo videos, archive videos that they wish to watch later, keep a close tab on their subscriptions, detailed stats, personal profile and lots more. Read on to find out more.

Read more: Addictive tips

Untitled


How many times have you found yourself in need of sending a large file, any type or size, and ended up using burned CD's or Disk on Key?

   zeZebra is a tool, which provides an extremely simple large transfer solution. zeZebra provides total availability – enabling transfer of any file type at any size to anyone.
 
   zeZebra has been established by the Total Availability team, a group of internet addicted users who realized it is way too difficult to send files, any kind of files, to friends; whether costly, complicated, slow, not private, limited in size or not safe, there is no single solution which is as cool, simple and free as zeZebra. We have put together the best minds in the industry to come up with a cool product that actually works.


Read more: zeZebra
Read more: newsGeek

MiniPwner Is a Cheap Penetration Tester and Portable Wi-Fi Node


MiniPwner is an inexpensive and portable device designed to allow the user to quickly gain access to a wired network for penetration testing or do a little war-walking to discover open Wi-Fi networks.

It’s a rather clever little DIY project that cobbles together a portable Wi-Fi router, a USB flash drive, a micro-USB backup battery intended for cellphone use, and a software configuration package. Once you’ve got it all hooked together, what can you do with it? From the MiniPwner guide:

    Pen Testing Drop Box: In this mode, the MiniPwner is used to establish rogue access to a target network during a penetration test. The penetration tester uses stealth or social engineering techniques to plug the MiniPwner into an available network port. (Common locations include conference rooms, unoccupied workstations, the back of IP telephones, etc.)

    Once it is plugged in, the penetration tester can log into the MiniPwner and begin scanning and attacking the network. The MiniPwner can simultaneously establish SSH tunnels through the target network, and also allow the penetration tester to connect to the MiniPwner via Wifi.

    The MiniPwner can run some software directly from the box, such as nmap to map the target network or the samba client to connect to windows shares. Other tools, such as Metasploit or Nessus can be run through the box using a VPN tunnel.

Read more: How-to geek

TI's wireless charger for tablets does amazing things with electrons, sticky tape


Either TI has the hots for Arduino in a big way, or its latest wireless charging kit isn't quite ready for mass production. When it does arrive, however, it promises to do away with those cumbersome specialized sleeves and back covers that are currently needed for inductive charging. Instead, it'll deliver efficient in a package that's small enough to be installed as part of a device's internal circuitry. In addition to the Qi-standard 5W version we glimpsed a while back, the company is also working on a 10W variant for the iPad 2 and other tablets, which could wipe the smile off LaunchPort's face and perhaps make MicroUSB 3.0 superfluous before it even gets here.

Read more: Engadget

Sweden Experiments With Public Twitter Takeover

BBC reports that Sweden is allowing one citizen per week to take control of its official Twitter feed, in what's been described as 'the world's most democratic Twitter experiment.' Adam Arnesson, a 21-year-old organic sheep farmer, is said to be the biggest star of the project so far, uploading photos and videos of life on his family's farm; while a female minister in the Church of Sweden and a Bosnian immigrant have also posted on the feed. The Swedish Institute and VisitSweden launched the experiment in December, which has helped to double Sweden's Twitter followers in the past month.

Read more: Slashdot

SEAndroid

What is SE Android?

Security Enhanced (SE) Android is a project to identify and address critical gaps in the security of Android. Initially, the SE Android project is enabling the use of SELinux in Android in order to limit the damage that can be done by flawed or malicious apps and in order to enforce separation guarantees between apps. However, the scope of the SE Android project is not limited to SELinux.

SE Android also refers to the reference implementation produced by the SE Android project. The current SE Android reference implementation provides a worked example of how to enable and apply SELinux at the lower layers of the Android software stack and provides a working demonstration of the value provided by SELinux in confining various root exploits and application vulnerabilities.

SE Android was first publicly described in a presentation at the Linux Security Summit 2011. The slides from that talk can be found at http://selinuxproject.org/~jmorris/lss2011_slides/caseforseandroid.pdf.

Some distinctive features of our SE Android reference implementation in comparison to prior efforts of which we are aware include:

    Per-file security labeling support for yaffs2,
    Filesystem images (yaffs2 and ext4) labeled at build time,
    Kernel permission checks controlling Binder IPC,
    Labeling of service sockets and socket files created by init,
    Labeling of device nodes created by ueventd,
    Flexible, configurable labeling of apps and app data directories,
    Userspace permission checks controlling use of the Zygote socket commands,
    Minimal port of SELinux userspace,
    SELinux support for the Android toolbox,
    Small TE policy written from scratch for Android,
    Confined domains for system services and apps,
    Use of MLS categories to isolate apps.

How do I get the SE Android code?

First, you should make sure that you are able to successfully download, build and run the Android Open Source Project (AOSP) source code by following the instructions starting from http://source.android.com/source/initializing.html.

You should clone the master branch of AOSP as SE Android is based on it. The AOSP instructions are for Ubuntu or MacOS X users; we are building on 64-bit Fedora (14-16 are known to work, with minor modifications). Some Fedora-specific notes can be found further below. Ubuntu should also work, but you must have checkpolicy installed in order to compile the policy on the build host.


Read more: SEAndroid

Israel Faces Escalating Cyberwar

The NY Times describes what may be the beginning of an actual cyberwar between a pro-Palestinian group and Israeli companies, specifically El Al and the Tel Aviv stock exchange. From the article: 'A hacker identifying himself as oxOmar, already notorious for posting the details of more than 20,000 Israeli credit cards, sent an overnight warning to Israel's Ynet news outlet that a group of pro-Palestinian cyberattackers called Nightmare planned to bring down the sites in the morning.' Though the article is skimpy on technical details, the group appears to have engaged merely in a DDOS attack. Hamas praised the attack as opening 'a new resistance front against Israel.' Is this the first acknowledged cyberwar?

Read more: Slashdot

Software Microsoft introducing ReFS file system with Windows server 8


Hungry for a shiny new file system? Windows 8's got your back, or at least, Windows server 8 will. In his latest Building Windows 8 post, Steven Sinofsky introduces the Resilient File System, or ReFS, as a "next generation file system" built on the foundations of the NTFS. By reusing NTFS' API / semantics engine, ReFS hopes to retain a high level of compatibility with NTFS features. Underneath the existing semantics engine, the new file system introduces a new storage engine that hopes to protect against latent disk errors, resist data corruption, uphold metadata integrity, grant large volume, file and directory size -- and well, just build a better storage system in general. It's all quite complicated, but if you feel up to the technical snuff, click through the source link below.

Read more: Engadget

[CVE-2012-0207+Exploit]Linux IGMP Remote Denial Of Service && Video


The technical description:

    IGMP denial of service in Linux (CVE-2012-0207)

    IGMP

    IGMP is part of the IPv4 protocol suite, supporting multicast routing. Every multicast address corresponds to a dynamic set of hosts, called a multicast group. Multicast routers can send query messages asking which hosts belong to which groups, and hosts using multicast report back at intervals. Routers can then limit forwarding of multicast packets to the interfaces where the group has members. More sophisticated switches can also snoop IGMP and use it to limit their multicast forwarding. There are unfortunately three different versions with semi-compatible message formats. In version 1, the maximum reporting interval (Max Response Time) is fixed as 10 seconds, but from version 2 it is specified in query messages.

    The Linux IGMP implementation supports all three versions. It distinguishes query messages as specified in RFC 3376 section 7.1: v3 messages are longer than v1 or v2; v2 messages have a non-zero Max Response Time whereas v1 messages always have zero. It is possible to force use of a specific protocol version, but normally if there are multiple multicast routers using different protocol versions it will respond according to the earliest protocol version in use so that all routers can understand its responses.

    Source and fix for the bug

    Linux 2.6.36 included two fixes to the version selection logic. Unfortunately, the second of these introduced the bug in question. While v2 query messages cannot possibly have zero Max Response Time (as that would make them v1), v3 query messages can. What this means is unspecified, but the Linux IGMP code previously treated it as the minimum valid value of 1/10 second. But in the case where a v3 query is received and a v2 query has also recently been received, this is no longer done. This results in a reporting interval of 0 seconds and a division by zero when deciding the initial random delay.

Read more: ClsHack
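
The version selection and the zero-interval case described above, as an added example that is not part of the original post and is not kernel source: a simplified user-space model in C. All type and function names are hypothetical, the v1-present branch is an assumption of the model, and `initial_delay` returns -1 at the point where unguarded code would divide by zero.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model; all names are illustrative, not kernel
 * identifiers. Intervals are in units of 1/10 second. */
enum query_version { QUERY_IGNORED, QUERY_V1, QUERY_V2, QUERY_V3 };

#define V1_INTERVAL 100 /* v1: Max Response Time fixed at 10 seconds */

struct host_state {
    int v1_seen; /* a v1 query was received recently */
    int v2_seen; /* a v2 query was received recently */
};

/* Constructed sample states for the demonstration. */
const struct host_state ONLY_V3_ROUTERS   = { 0, 0 };
const struct host_state V2_ROUTER_PRESENT = { 0, 1 };
const struct host_state V1_ROUTER_PRESENT = { 1, 0 };

/* RFC 3376 section 7.1: tell query versions apart by message length
 * and by whether the Max Resp Code field is zero. */
enum query_version classify_query(size_t len, uint8_t max_resp_code)
{
    if (len == 8)
        return max_resp_code == 0 ? QUERY_V1 : QUERY_V2;
    if (len >= 12)
        return QUERY_V3;
    return QUERY_IGNORED; /* any other length is silently ignored */
}

/* RFC 3376 section 4.1.1: codes below 128 are the value itself,
 * larger codes are a small floating-point encoding. */
int v3_max_resp_time(uint8_t code)
{
    if (code < 128)
        return code;
    return ((code & 0x0f) | 0x10) << (((code >> 4) & 0x07) + 3);
}

/* Reporting interval chosen for a query, or -1 if the query is ignored.
 * clamp_zero == 0 models the behaviour the text describes as the bug:
 * a zero Max Response Time in a v3 query is raised to the minimum of 1
 * only when no v2 query was seen recently. clamp_zero == 1 models the
 * corrected behaviour: zero is always raised to 1. */
int reporting_interval(const struct host_state *st, size_t len,
                       uint8_t code, int clamp_zero)
{
    int interval;

    switch (classify_query(len, code)) {
    case QUERY_V1:
        return V1_INTERVAL;
    case QUERY_V2:
        return code; /* non-zero, otherwise it would be a v1 query */
    case QUERY_V3:
        if (st->v1_seen)
            return V1_INTERVAL; /* assumption: answer as the earliest version */
        interval = v3_max_resp_time(code);
        if (interval == 0 && (clamp_zero || !st->v2_seen))
            interval = 1; /* minimum valid value, 1/10 second */
        return interval;
    default:
        return -1;
    }
}

/* Initial random delay in [0, interval). Returns -1 instead of computing
 * random_value % 0, which is where the division by zero would occur. */
long initial_delay(unsigned random_value, int interval)
{
    if (interval <= 0)
        return -1;
    return (long)(random_value % (unsigned)interval);
}

int main(void)
{
    /* Constructed input: a 12-byte (v3) query with Max Resp Code 0. */
    int unclamped = reporting_interval(&V2_ROUTER_PRESENT, 12, 0, 0);
    int clamped   = reporting_interval(&V2_ROUTER_PRESENT, 12, 0, 1);

    printf("v2 seen, no clamp: interval=%d delay=%ld\n",
           unclamped, initial_delay(12345u, unclamped));
    printf("v2 seen, clamp:    interval=%d delay=%ld\n",
           clamped, initial_delay(12345u, clamped));
    printf("v3 only, no clamp: interval=%d\n",
           reporting_interval(&ONLY_V3_ROUTERS, 12, 0, 0));
    return 0;
}
```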

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing

Status of this Memo

   This document specifies an Internet Best Current Practices for the
   Internet Community, and requests discussion and suggestions for
   improvements.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   Recent occurrences of various Denial of Service (DoS) attacks which
   have employed forged source addresses have proven to be a troublesome
   issue for Internet Service Providers and the Internet community
   overall.  This paper discusses a simple, effective, and
   straightforward method for using ingress traffic filtering to
   prohibit DoS attacks which use forged IP addresses to be propagated
   from 'behind' an Internet Service Provider's (ISP) aggregation point.

Table of Contents

    1.  Introduction
    2.  Background
    3.  Restricting forged traffic
    4.  Further capabilities for networking equipment
    5.  Liabilities
    6.  Summary
    7.  Security Considerations
    8.  Acknowledgments
    9.  References
   10.  Authors' Addresses
   11.  Full Copyright Statement

Ferguson & Senie         Best Current Practice                  [Page 1]

 
RFC 2827               Network Ingress Filtering                May 2000


1. Introduction


   A resurgence of Denial of Service Attacks [1] aimed at various
   targets in the Internet have produced new challenges within the
   Internet Service Provider (ISP) and network security communities to
   find new and innovative methods to mitigate these types of attacks.
   The difficulties in reaching this goal are numerous; some simple
   tools already exist to limit the effectiveness and scope of these
   attacks, but they have not been widely implemented.

   This method of attack has been known for some time. Defending against
   it, however, has been an ongoing concern. Bill Cheswick is quoted in
   [2] as saying that he pulled a chapter from his book, "Firewalls and
   Internet Security" [3], at the last minute because there was no way
   for an administrator of the system under attack to effectively defend
   the system. By mentioning the method, he was concerned about
   encouraging its use.

   While the filtering method discussed in this document does
   absolutely nothing to protect against flooding attacks which
   originate from valid prefixes (IP addresses), it will prohibit an
   attacker within the originating network from launching an attack of
   this nature using forged source addresses that do not conform to
   ingress filtering rules. All providers of Internet connectivity are
   urged to implement filtering described in this document to prohibit
   attackers from  using forged source addresses which do not reside
   within a range of legitimately advertised prefixes.  In other words,
   if an ISP is aggregating routing announcements for multiple
   downstream networks, strict traffic filtering should be used to
   prohibit traffic which claims to have originated from outside of
   these aggregated announcements.

   An additional benefit of implementing this type of filtering is that
   it enables the originator to be easily traced to its true source,
   since the attacker would have to use a valid, and legitimately
   reachable, source address.


Read more: RFC 2827 

OVAL

Tuesday, January 17, 2012
Open Vulnerability and Assessment Language (OVAL®) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment. The repositories are collections of publicly available and open content that utilize the language.


An Open Language

The OVAL community has developed three schemas written in Extensible Markup Language (XML) to serve as the framework and vocabulary of the OVAL Language. These schemas correspond to the three steps of the assessment process: an OVAL System Characteristics schema for representing system information, an OVAL Definition schema for expressing a specific machine state, and an OVAL Results schema for reporting the results of an assessment.


Repositories for Sharing Content

Content written in the OVAL Language as XML-based OVAL Definitions is located in one of the many repositories found within the community. One such repository, the OVAL Repository hosted by The MITRE Corporation, is the central meeting place for the OVAL Community to discuss, analyze, store, and disseminate OVAL Definitions. Each definition in the OVAL Repository determines whether a specified software vulnerability, configuration issue, program, or patch is present on a system. Other repositories in the community also include OVAL content.


A Community Effort

The information security community contributes to the development of OVAL by participating in the creation of the OVAL Language on the OVAL Developers Forum and by writing definitions for the OVAL Repository through the OVAL Community Forum. An OVAL Board consisting of representatives from a broad spectrum of industry, academia, and government organizations from around the world oversees and approves the OVAL Language and monitors the posting of the definitions hosted on the OVAL Web site. This means that OVAL, which is funded by the National Cyber Security Division of the U.S. Department of Homeland Security for the benefit of the community, reflects the insights and combined expertise of the broadest possible collection of security and system administration professionals worldwide.


OVAL in the Enterprise

When enterprises use information security products and services that have adopted OVAL to protect their networks and systems they have confidence that the software vulnerabilities, compliance issues, programs, and patches being tested for by those products are present on the system with a far higher degree of certainty, and fewer false positives, than products that have not adopted the community-developed OVAL standard. Enterprises may also leverage the interoperability of OVAL-enhanced tools that exchange OVAL content. For example, a vulnerability assessment product deployed by the enterprise can leverage a vulnerability research service to quickly and automatically check for the latest vulnerabilities. Similarly, a compliance checking engine can leverage government security guidance to automatically monitor compliance without the need to translate traditional prose-based guidance. This allows you to streamline your processes and improve your security posture, significantly enhancing your ROI.


Read more: Open Vulnerability and Assessment Language

Iterating Over a Tuple in .NET

While I'm thinking about tuples and .NET I figured I should take the subject one step further. One of the things that I referenced in my previous post (see this) was that you can't iterate over a tuple in .NET. System.Tuple doesn't implement IEnumerable. Some people might ask why you would want to? I'll be honest I haven't given it much thought. At this point it's all academic as I haven't encountered a problem that screams for a tuple let alone the ability to iterate over it. But let's say you have and you want to iterate over the values of a tuple.

Well you can't. Not by default anyway. Remember, no IEnumerable. Oh bother, what to do?

CREATE AN EXTENSION METHOD!

Now I haven't spent too much time on this, and there might be a better way (please enlighten me) but I simply created an extension method that converts a tuple to a generic list of "dynamic" objects. Why? Well a tuple can be composed of various data types so I figured that "dynamic" was a safe bet.

So without further ado, here is my extension method (multiple overloads to account for all available signatures of System.Tuple).

using System;
using System.Collections.Generic;

 namespace Tombatron.Sugar.Extensions
 {
   public static class TupleExtensions
   {
     public static List<dynamic> ToList<T1>(this Tuple<T1> targetuple)
     {
       return BreakTupleApart(targetuple);
     }

     public static List<dynamic> ToList<T1, T2>(this Tuple<T1, T2> targetuple)
     {
       return BreakTupleApart(targetuple);
     }

     public static List<dynamic> ToList<T1, T2, T3>(this Tuple<T1, T2, T3> targetuple)
     {
       return BreakTupleApart(targetuple);
     }

     public static List<dynamic> ToList<T1, T2, T3, T4>(this Tuple<T1, T2, T3, T4> targetuple)
     {
       return BreakTupleApart(targetuple);
     }

     public static List<dynamic> ToList<T1, T2, T3, T4, T5>(this Tuple<T1, T2, T3, T4, T5> targetuple)
     {
       return BreakTupleApart(targetuple);
     }

Read more: tombatron.com

PHP Vulnerability May Halt Millions of Servers

Contents
What is the Hash Collision Vulnerability?
What You Can do to Prevent eventual Attacks?
Shall I Upgrade my installed PHP version?
What if I Cannot Upgrade my installed PHP Version?
Protect your PHP installation with the Suhosin extension
Conclusion

What is the Hash Collision Vulnerability?

Arrays are very popular data types in PHP and any other scripting languages. These are data types that allow you to store a variable number of entries of any type. You can store as many entries in array as you want. This is the main problem of a vulnerability known as Hash Collision.

In PHP and several other languages used to implement Web applications, arrays are used to store the values of request variables such as $_GET, $_POST, $_COOKIE, etc. If you receive a request with a large number of request values, PHP versions until recently may run into trouble.

Let me explain superficially what the problem is. The PHP runtime engine, which is implemented in C, reads the HTTP request data and builds arrays to store request variables. This happens even before any PHP code starts being executed.

In C and other languages, arrays are implemented as data structures called hash tables. In simplistic terms, hash tables are arrays of linked lists of entries. These arrays have a fixed size.

Every time you want to add a new entry to a hash table you need to compute a hash value for the new array entry key. That hash value is an integer value that determines into which linked list the new array entry will be added.

Once the hash table code determines into which linked list the new entry belongs, it determines if there is already an entry with the same array key in that linked list. If there is no entry with the same key value, the new array entry value is added to the linked list. Otherwise, the new entry value will replace the old entry with the same key.

This process is reasonably fast if the number of entries in the array is relatively small. However, if the array has a very large number of entries, the performance of inserting new entries starts degrading.

This problem can be seriously aggravated if the values of the keys to be added in the array have the same hash value, meaning they will be added to the same linked list.

What some security researchers have found is a way to easily determine a large number of array keys that can be used to craft an HTTP request with many request variables (GET, POST, COOKIE, etc.) that can make PHP take hours or maybe more to handle a single HTTP request, just by making PHP consume all the CPU it gets to build the request variable arrays.

This means that with even a relatively small number of requests an attacker may make PHP consume all the CPU it gets until the machine practically halts, unless something kills the affected PHP processes.

As mentioned, other languages are also affected by this problem because they use similar hash table algorithms. The matter of PHP is actually worse because PHP is an extremely popular Web programming language. According to the researchers, 77% of the Web servers run PHP.

Although this explanation is already very technical, it is still a bit simplistic. If you want to know more about the low-level details, you may want to watch this video of a conference at which the security researchers presented the vulnerability.
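
The insertion cost described above, as an added example that is not part of the original article: a small C chained hash table that counts key comparisons while inserting keys that spread across the buckets and keys that all land in one linked list. The integer keys, the `key % NBUCKETS` toy hash and all names are assumptions made for the demonstration; this is not PHP's hash function or source code.

```c
#include <stdio.h>
#include <stdlib.h>

#define NBUCKETS 1024u /* fixed-size array of linked lists */

struct entry {
    unsigned key;
    int value;
    struct entry *next;
};

struct table {
    struct entry *bucket[NBUCKETS];
    unsigned long comparisons; /* key comparisons performed by inserts */
};

/* Toy hash, an assumption for this demonstration only. */
static unsigned toy_hash(unsigned key)
{
    return key % NBUCKETS;
}

/* Insert or replace, as the text describes: walk the linked list the
 * hash selects, replace the value if the key is already present,
 * otherwise add a new entry.
 * Returns 1 if added, 0 if replaced, -1 if out of memory. */
int table_put(struct table *t, unsigned key, int value)
{
    struct entry **head = &t->bucket[toy_hash(key)];
    struct entry *e;

    for (e = *head; e != NULL; e = e->next) {
        t->comparisons++;
        if (e->key == key) {
            e->value = value;
            return 0;
        }
    }
    e = malloc(sizeof *e);
    if (e == NULL)
        return -1;
    e->key = key;
    e->value = value;
    e->next = *head;
    *head = e;
    return 1;
}

void table_free(struct table *t)
{
    unsigned i;

    for (i = 0; i < NBUCKETS; i++) {
        struct entry *e = t->bucket[i];
        while (e != NULL) {
            struct entry *next = e->next;
            free(e);
            e = next;
        }
        t->bucket[i] = NULL;
    }
}

/* Insert n keys 0, stride, 2*stride, ... and return how many key
 * comparisons that took. stride 1 spreads the keys over all buckets;
 * stride NBUCKETS puts every key into the same linked list. */
unsigned long insert_cost(unsigned n, unsigned stride)
{
    struct table *t = calloc(1, sizeof *t);
    unsigned long cost;
    unsigned i;

    if (t == NULL)
        return 0;
    for (i = 0; i < n; i++) {
        if (table_put(t, i * stride, (int)i) < 0)
            break;
    }
    cost = t->comparisons;
    table_free(t);
    free(t);
    return cost;
}

int main(void)
{
    unsigned n = 4096; /* constructed workload size */

    printf("%u spread keys:    %lu comparisons\n", n, insert_cost(n, 1));
    printf("%u colliding keys: %lu comparisons\n", n, insert_cost(n, NBUCKETS));
    return 0;
}
```

With n keys in a single list the work grows as n(n-1)/2, which is why the time to build the request arrays climbs so steeply as the number of colliding request variables rises.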

Read more: PHP Classes blog

SQL Server – T-SQL – Different ways to generate a comma-separated string from a table

Recently, someone in the team faced a fairly common requirement - to generate a comma-separated string from values stored in a table. This being the last post of the year, I thought of sharing the 2 most-commonly used methods I know of implementing this requirement.

Do you know any other? If you share it on this post, I will publish it with due credit on my blog.

----------------------------------------------------
--WARNING: THIS SCRIPT IS PROVIDED AS-IS AND WITHOUT
--         WARRANTY.
--         FOR DEMONSTRATION PURPOSES ONLY      
----------------------------------------------------
--Step 01: Generate Temp table to store source data
DECLARE  @NamesTable TABLE (Id INT,
                            Name NVARCHAR(50))

--Step 02: Generate test data
INSERT INTO @NamesTable VALUES (1,'A'),
                               (2,'D'),
                               (2,'C'),
                               (3,'E'),
                               (3,'H'),
                               (3,'G')

--Option 01: My favourite
DECLARE @listStr VARCHAR(MAX) --DO NOT initialize this one!

SELECT @listStr = COALESCE(@listStr + ',' ,'') + nt.Name
FROM @NamesTable nt

SELECT @listStr

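--Option 02: Using XML
; WITH CommaSeparatedXML (CommaSeparatedXML)
AS (SELECT CAST((SELECT (',' + nt.Name)
                 FROM @NamesTable nt
                 FOR XML PATH('')) AS NVARCHAR(MAX))
   )
--The excerpt ends here; a CTE must be followed by a statement that uses it.
--Minimal completion: strip the leading comma with STUFF.
SELECT STUFF(CommaSeparatedXML, 1, 1, '')
FROM CommaSeparatedXML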


Read more: Beyond Relational

What are TCHAR, WCHAR, LPSTR, LPWSTR, LPCTSTR etc?

Many C++ Windows programmers get confused over what bizarre identifiers like TCHAR and LPCTSTR are. Here, in brief, I will try to clear the fog.

In general, a character can be 1 byte or 2 bytes. Let's say a 1-byte character is ANSI, with which English characters are represented. And let's say a 2-byte character is Unicode, which can represent ALL languages in the world.

VC++ supports char and wchar_t as native datatypes for ANSI and Unicode characters respectively.
 
What if you want your C/C++ program to be Character-mode independent?

That means, instead of replacing:

char cResponse; // 'Y' or 'N'
char sUsername[64];
// str* functions

with

wchar_t cResponse; // 'Y' or 'N'
wchar_t sUsername[64];
// wcs* functions

 
You can simply code it:

#include<TCHAR.H> // Implicit or explicit include
TCHAR cResponse; // 'Y' or 'N'
TCHAR sUsername[64];
// _tcs* functions


Thus, when your project is being compiled as Unicode, TCHAR would translate to wchar_t. If it is being compiled as ANSI/MBCS, it would translate to char. Likewise, instead of using strcpy, strlen, strcat (including the secure versions suffixed with _s); or wcscpy, wcslen, wcscat (including secure), you can simply use the _tcscpy, _tcslen, _tcscat functions.

When you need to express a hard-coded string, you can use:

"ANSI String"; // ANSI
L"Unicode String"; // Unicode

_T("Either string, depending on compilation"); // ANSI or Unicode
// or use TEXT macro, if you need more readability.

 
The non-prefixed string is an ANSI string, the L-prefixed string is Unicode, and a string specified in _T or TEXT would be either, depending on compilation.


Read more: Codeproject

Struct vs. Class, Safety vs. Speed

While at CodeMash, I had an interesting conversation with Cori Drew regarding some code in Effective C#, and some comments from Jon Skeet in our combined async talks. These comments involve breaking some common recommendations, and performance.

In our talk, Jon described how the C# compiler creates a mutable struct when it builds the state machine that handles async continuations. Jon discussed that the nested struct was faster than a nested class. Contrast that with code in Effective C#, where I showed the following code:

public class List<T> : IEnumerable<T>
{
    private class Enumerator<T> : IEnumerator<T>
    {
        // elided
    }

    public IEnumerator<T> GetEnumerator()
    {
        return new Enumerator<T>();
    }

    IEnumerator IEnumerable.GetEnumerator()
    {
        return new Enumerator<T>();
    }
}


Well, Cori asked, why didn’t I make the Enumerator<T> a struct (which is what the BCL does):

public class List<T> : IEnumerable<T>
{
    private struct Enumerator<T> : IEnumerator<T>
    {
        // elided
    }

    public IEnumerator<T> GetEnumerator()
    {
        return new Enumerator<T>();
    }


Read more: Bill Wagner

XML-databinding in WPF using Blend 4

This tutorial shows how easy it is to use XML-databinding in Blend without writing a single line of code and mostly using the drag-and-drop magic of Blend. We will create a very simple rss-reader that shows the content of a single rss-feed. This post was inspired by the great talk that Isabel Gomez Miragaya and Katrien De Graeve gave at TechDays 2011 Belgium titled “Designing and Building a Windows Phone 7 Application end-to-end” (video of the talk).

Adding the XML-source

In the upper right corner, click the Data tab and then click the Icon in the upper right of this tab (Create Data Source) and choose “Create XML Data Source…”

Point to the XML you wish to use.

In this example we’ll use the RSS-feed of this blog (If you choose an external XML-file, a small delay might occur after clicking ok.)

Read more: Windows Phone 7

Command line switches for .NET Framework 4 setup that you might not have known about

Because of some of the posts I’ve written in the past, I often get asked about how to install various products in silent or unattended mode.  In some cases, I am familiar with the product and know how to answer the question.  However, in a lot of cases, I don’t, and in those cases, I try running the installer with the /? command line switch to see if it will display a usage dialog to describe the available options.  This technique doesn’t always help because some installers do not list any command line switches or they only list a selected subset of their supported switches.  However, it has provided some very useful information in the past, and it is worth trying if you are having trouble finding documentation for setup command line switches.

For example, if you download the installer for the .NET Framework 4 and run it with the /? switch, you will see a lot of information about available command line switches.  There are several standard options that are pretty well documented (silent/unattended install and uninstall), and there are several other useful options that you may not have been aware of:

    /CEIPconsent – allows you to opt into sending customer experience feedback about .NET Framework 4 setup back to Microsoft.
    /lcid – force setup UI to appear in a specific language instead of the user’s Windows UI language.
    /log – sets the name and location to use for setup log files.
    /msioptions – sets parameters (such as MSI properties) that are passed through to each of the .msi files installed as a part of the .NET Framework 4 setup.
    /pipe – connect a communication channel to allow an installer that chains the .NET Framework to receive installation progress messages.  There is an MSDN article that explains this option in more detail and provides code samples as well.

Read more: Aaron Stebner's WebLog

Performance Analysis of Logs (PAL) Tool

Project Description
Ever have a performance problem, but don't know what performance counters to collect or how to analyze them? The PAL (Performance Analysis of Logs) tool is a powerful tool that reads in a performance monitor counter log and analyzes it using known thresholds.
Features

    Thresholds files for most of the major Microsoft products such as IIS, MOSS, SQL Server, BizTalk, Exchange, and Active Directory.
    An easy-to-use GUI for creating batch files for the PAL.ps1 script.
    A GUI editor for creating or editing your own threshold files.
    Creates an HTML based report for ease of copy/pasting into other applications.
    Analyzes performance counter logs for thresholds using thresholds that change their criteria based on the computer's role or hardware specs.

To use PAL
The PAL tool is primarily a PowerShell script that requires arguments/parameters passed to it in order to properly analyze performance monitor logs.
Requirements

Operating Systems
The tool is only tested on Microsoft Windows 7 64-bit. If you encounter problems with the tool on other operating systems, then consider reusing the tool on Windows 7 64-bit.
Required Products (free and public):
- PowerShell v2.0 or greater.
- Microsoft .NET Framework 3.5 Service Pack 1
- Microsoft Chart Controls for Microsoft .NET Framework 3.5


Read more: Yuval Sinay

Zipping using System.IO.Compression

To use System.IO.Compression, you need to add a reference to WindowsBase.dll.
 
The following code snippet shows how to use some of the provided functionalities...
 

using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Packaging;
 
public static class ZipHelper
{
    public static void ZipFiles(string path, IEnumerable files, CompressionOption compressionLevel = CompressionOption.Normal)
    {
        using (FileStream fileStream = new FileStream(path, FileMode.Create))
        {
            ZipHelper.ZipFilesToStream(fileStream, files, compressionLevel);
        }
    }
 
    public static byte[] ZipFilesToByteArray(IEnumerable files, CompressionOption compressionLevel = CompressionOption.Normal)
    {
        byte[] zipBytes = default(byte[]);
        using (MemoryStream memoryStream = new MemoryStream())
        {
            ZipHelper.ZipFilesToStream(memoryStream, files, compressionLevel);
            memoryStream.Flush();
            zipBytes = memoryStream.ToArray();
        }
 
        return zipBytes;
    }
 
    public static void Unzip(string zipPath, string baseFolder)
    {
        using (FileStream fileStream = new FileStream(zipPath, FileMode.Open))
        {
            ZipHelper.UnzipFilesFromStream(fileStream, baseFolder);
        }
    }
 
    public static void UnzipFromByteArray(byte[] zipData, string baseFolder)
    {
        using (MemoryStream memoryStream = new MemoryStream(zipData))
        {
            ZipHelper.UnzipFilesFromStream(memoryStream, baseFolder);
        }
    }

Read more: Codeproject

Backdoor for Cisco IPS

In this article I want to describe how the authentication system on a Cisco IPS (Cisco IPS 4200 or AIP-SSM) can be fooled. The article does not claim that we carry out a full-fledged compromise of the device; we still need to perform a number of preliminary steps.


Background

We all know that when we take a brand-new Cisco IPS out of the box, the system already has a cisco/cisco user for the initial configuration of the device. Incidentally, this user cannot be deleted; you can only change its password and the user group it belongs to.

When adding a new user on a Cisco IPS, we must specify the group it belongs to: Administrator, Operator, Viewer, Service. The syntax of the command for adding a new user is shown below:

sensor# username user name password password privilege group name

I would like to say more about the Service group: it is needed for fixing various kinds of glitches in the system directly through the Linux shell, Bash. Moreover, adding a user to this group comes with a couple of further nuances:

    There can be only one such user in the system (this is true if you add the user through the IPS shell or Cisco IME)
    This user's password replaces the password of the root user in the system


Preparing the backdoor

Add the service user:

sensor# username service password ser123vice privilege service

On the local machine, generate a key pair (private/public) for SSH:

zsh# ssh-keygen -t rsa
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/simple/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/simple/.ssh/id_rsa.

Read more: Habrahabr.ru

Sorry state of dynamic libraries on Linux

Last week, we identified a bug in Qt with Olivier’s new signal-slot syntax. Upon further investigation, it turns out it’s not a Qt issue, but an ABI one. Which prompted me to investigate more and decide that dynamic libraries need a big overhaul on Linux.

tl;dr (a.k.a. Executive Summary)

Shared libraries on Linux are linked with -fPIC, which makes all variable references and function calls indirect, unless they are static. That’s because in addition to making it position-independent, it makes every variable and function interposable by another module: it can be overridden by the executable and by LD_PRELOAD libraries. The indirectness of accesses is a performance impact and we should do away with it, without sacrificing position-independence.

Plus, there are a few more actions we should take (like prelinking) to improve performance even further.

Details

Note: in the following, I will show x86-64 64-bit assembly and will restrict myself to that architecture. However, the problems and solutions also apply to many other architectures, like x86 and ARM, which should make you consider what I say. The only platform that this mostly does not apply to is actually IA-64.

The basics

Imagine the following C file, which also compiles in C++ mode:

extern void *externalVariable;
extern void externalFunction(void);

void myFunction()
{
    externalFunction();
    externalVariable = &externalFunction;
}

Read more: Thiago Macieira's blog

tiqr


Welcome to tiqr

Welcome to tiqr, the open source authentication solution for smart phones and web applications. For the first time, security and ease-of-use go hand in hand! Explore this site and discover how easy it is to use tiqr as an end-user or how you can integrate it into your web application with just a few bits-and-pieces that can be downloaded from the site.

And even better: tiqr is free! All source code can be downloaded from this site as well and is released under a BSD-style licence.

Read more: tiqr

Google Sesam

Remember this url: https://accounts.google.com/sesame . next time you want to check your gmail on a public computer, don't trust even the incognito window because an installed keylogger can record your keystrokes, which unsurprisingly, include your password. use your phone to scan the qrcode on the sesame web page and hit the resultant url -- the desktop browser will automagically redirect to your logged-in gmail without entering your password. yes, i think you do need an android phone with a properly configured google account for this to work.

Read more: Google Plus +Walter Chang

inMon

Complete network visibility and control

Traffic Sentinel™ is the first of a new class of performance management tools specifically designed to meet the challenge of convergence. Traffic Sentinel makes use of the multi-vendor sFlow standard to provide scalable, real-time visibility across the entire networked infrastructure, delivering the integrated picture of network, storage, server and communications performance needed to ensure optimal service delivery in a converged infrastructure.

    Manage network, server, storage and communications performance from a single "pane of glass"
    Identify network, computing and storage hot spots
    Monitor performance of scale-out storage, compute and switch clusters
    Track network, server and application dependencies
    Eliminate congestion and ensure quality of service
    Identify underutilized resources and improve efficiency
    Account for usage

Traffic Sentinel makes use of embedded instrumentation within switches, routers and servers. The breakthrough technology, sFlow®, provides the richest information, greatest scalability and is supported by the largest number of vendors (see sFlow Capable Devices). However, Traffic Sentinel also accepts IPFIX and a number of proprietary monitoring technologies, including: Cisco NetFlow, Juniper J-Flow, Hewlett-Packard Extended RMON and Riverstone LFAP. The use of embedded switch and router monitoring eliminates the need for probes, providing a cost effective way of providing detailed, network-wide coverage.

View the product walkthrough to see some examples of the ways in which continuous site-wide traffic monitoring can change the way you manage your network.

Read more: inMon

Enable C++ project system logging

| Monday, January 16, 2012
The new Visual C++ project system in Visual Studio 2010 leverages the .NET System.Diagnostics trace logging feature to help users investigate why certain operations have failed or just to better understand what is happening behind the scenes.

Here are some features that VC++ logs lots of messages about so you can diagnose any bad behavior:

    Design-time build failures, such as project, COM, or assembly references that won’t resolve
    Project filters
    IDE build up-to-date check

In order to avoid negatively impacting performance in the common case where you don’t care to review the trace logs, we only emit the trace messages when a user “opts in” to logging these messages.  To enable logging in the Visual C++ project system you just have to add a snippet to a .config file:

    Since it can be difficult to recover from a damaged devenv.exe.config file, consider copying the file to devenv.exe.config.original before modifying it so you have a backup copy you can revert to if things go awry.
    Open a text editor with admin privileges.
    Open your %PROGRAMFILES%\Microsoft Visual Studio 10.0\Common7\IDE\devenv.exe.config file.  Note this will be in %ProgramFiles(x86)% on 64-bit Windows.
    Add this snippet to your devenv.exe.config file just below the <configSections /> block:

    <system.diagnostics>
      <switches>
        <add name="CPS" value="4" />
      </switches>
    </system.diagnostics>

    Save the text file.

You can find out more about setting traceswitch verbosity levels on MSDN.  Why the name “CPS” for our trace switch?  Just an implementation detail for this release.


Read more: VS Project Team Blog

6 Mistakes That Will Kill Your Product Launch

Over the past 10 years I’ve created many businesses. If you looked at my business life on a timeline you would see that my first few businesses didn’t do too well, however, as the years went on I slowly became more successful.

Why? Because I’ve learned from my mistakes.

One mistake I learned to avoid is that you have to move fast when it comes to a product launch. Dragging your feet will kill your launch. Here are six common mistakes that lead to procrastination, and how to avoid them.


1. Not Working Fast Enough

Not meeting your product launch deadline can be deadly. A lot of people are anticipating the launch, including the press and your investors, and if you fail to meet it and don’t have a really good reason, people may doubt your ability in the future.

Even if you and your team think that six months or nine months or whatever time you’ve promised seems like a long time…don’t waste it! Get to work right away as soon as you can. It’s much better to finish before your deadline than it is to finish after.

I think we are all probably guilty of wasting time when we think we have a lot of it. Here’s my recommendation to avoid doing that:

    Give your team an internal goal – this is the goal that you are not sharing with the public. The purpose of this goal is to keep your team motivated early on.
    Give yourself time to re-evaluate – Your internal goal should be far enough from the real deadline to give you time to evaluate, as things may not go well.
    Give yourself meaningful landmarks to hit – Your internal goal should be made up of five or six landmark goals that gauge your progress in a meaningful way. For example, you could set a goal for prototypes, user testing round one, etc.

2. Unsure About The Problem

A slow product launch might be caused by you and your team not understanding the problem your product is supposed to fix. This could lead to a number of problems:

    Confusion – Not everyone is on the same page, so when you communicate to your team what you want, they hear one thing because they understand the problem differently.
    Conflict – There’s a chance if you and your team don’t truly understand the problem that you’ll end up fighting. It may even come across in subtle ways, like not putting in long hours or turning in sloppy work.
    Control – In a really bad situation you may find yourself fighting for control of the product with other team members. This will surely sink any kind of effort.

What I’ve learned from my experience and mentors is to over communicate! If you don’t feel like your team understands the problem, ask them how they see it. Do they have it right and do you have it wrong?

It’s important to always ask questions and never assume. It can be easy for entrepreneurs to ignore people or advice, and forge forward without taking into consideration what the people around them are saying. Remember, arrogance diminishes wisdom.


Read more: KISSmetrics

Silverlight: Navigation Framework tip: using the XAML escape sequence

With all the Windows 8/Metro/WinRT hype on the internet today, I decided it was time for a quick tip concerning the XAML escape sequence and the good old navigation framework present in Silverlight 4 and Silverlight 5. I only learned about the XAML escape sequence recently and I can imagine that there are quite a number of people out there that are still unfamiliar with it. The nice thing is that you can also use the XAML escape sequence in WPF, Windows Phone and WinRT, if you like to do so.

The problem

When you use the navigation framework in Silverlight, you probably also want to use an UriMapper, to shield your users from the complete path of the XAML files and the .xaml extension. Such an UriMapper could look something like this:

<uriMapper:UriMapper>

<uriMapper:UriMapping Uri="Home" MappedUri="/Views/Home.xaml"/>
<uriMapper:UriMapping Uri="About" MappedUri="/Views/About.xaml"/>
</uriMapper:UriMapper>

A small bug in the navigation framework activates the browser’s back button when the user navigates to your Silverlight application for the very first time. This isn’t that bad, except for the exception when the user actually presses the back button:

A well known workaround for this problem is to change your UriMapper like this:

<uriMapper:UriMapper>

<uriMapper:UriMapping Uri="" MappedUri="/Views/Home.xaml"/>
<uriMapper:UriMapping Uri="Home" MappedUri="/Views/Home.xaml"/>
<uriMapper:UriMapping Uri="About" MappedUri="/Views/About.xaml"/>
</uriMapper:UriMapper>

Which causes your application to navigate when the entered uri is empty, which happens when the user presses the back button of the browser when he first visits your application. While this does fix the exception in case of an empty uri, this doesn’t fix the exception that occurs when the user manipulates the uri (after the pound sign in the browser’s address bar) directly and enters an invalid one. This is where the XAML escape sequence comes into play.


The solution

What I essentially want to do is to change the UriMapper like this:

Read more: infoSupport

One project, one declarative language, two platforms - A side-by-side XAML project on Silverlight 5 and WinRT


Let’s get a bit creative this week.

I have this vision in my head of a wall of glittering sequins. You know what a sequin is, right?! Like what was big in the ‘disco’ era, and still is big today?!

For this post I want to start out simple and create a basic shimmering wall of sequins, nothing too complex!

My ulterior motive for doing this is to compare what I’m guessing will be GPU/CPU intensive animations between Silverlight 5 & WinRT XAML.

SILVERLIGHT 5 Approach

Let’s first do this in Silverlight …

WinRT XAML Approach

Let’s now take the Silverlight app and port it to WinRT XAML …

Conclusion:

You can definitely achieve great results with Silverlight 5 if you take care with your visual tree and know how to optimize and use the provided tooling to debug/trace performance issues.

BUT WinRT definitely is showing signs of being an amazing GPU Accelerated framework that lets you achieve levels of performance greater than anything Silverlight can offer today. And that’s not to say that Silverlight is bad, it’s all about using the right technology for the job.

Read more: Greg's Cool [Insert Clever Name] of the Day
Read more: A shimmering wall of sequin’s to compare WinRT XAML & Silverlight 5

How do I print non-error messages during compilation?

Commenter Worf remarked, "My one wish is that #warning would be supported."

I always find it interesting when people say "I wish that Microsoft would stop following standards," since the #warning directive is nonstandard.

The Microsoft C/C++ compiler implements the feature in a method compatible with the standard, namely via a #pragma directive.

#pragma message("You really shouldn't be doing that.")

If you want to warn people away from deprecated functionality, you can use the #pragma deprecated() directive or the even more convenient (but more standards-troublesome) __declspec(deprecated) declaration specifier. The declaration specifier is much more convenient than the preprocessor directive because you can use it in a macro, and you can attach it to specific overloads of a function. (It's also more standards-troublesome because, while it is still permitted by the standard because it begins with a double-underscore, it is also not required to be ignored by compilers which do not understand it.)

Read more: The old new thing