Security flaw in MySQL, MariaDB allows access with any password—just keep submitting it

When the latest release of MariaDB was announced in April by MontyProgram AB founder and MySQL creator Michael "Monty" Widenius, it came with a warning from Widenius that a severe security bug had been discovered in previous versions of both MariaDB and MySQL. Oracle subsequently released a patch for MySQL. Now the details of the flaw, and the extent of the vulnerability, have been revealed: it could allow anyone who knows a valid user account on the database to connect using any password with a brute-force attack.

The affected versions of both databases have a flaw in their authentication system caused by a variation in how the memcmp() function—which compares two values stored in memory to see if they are equal—is implemented in some Linux compilers. When a user connects to the database and submits a password, the authentication system of the databases creates a token from the submitted password using a Secure Hash Algorithm and a randomly generated string of text as the key. The resulting token is compared to a hash made from the stored password in the system using the memcmp function, which returns a value of zero if they're the same; if they're not, the function is supposed to return a positive or negative integer. A return of "0" would mean the password is correct.

But in the affected versions of MariaDB and MySQL, as MontyProgram's Sergei Golubchik wrote in a list posting on June 9, the database can be fooled into accepting a password even if it doesn't match. "Because of incorrect [type] casting [in the code]," he wrote, "it might've happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case, MySQL/MariaDB would think that the password is correct even while it is not."

Because of the random key strings used, Golubchik said the probability of exploiting the flaw on any given attempt "is about 1/256"; with enough attempts, even using the same password over and over again, an attacker could gain access just by knowing a valid account name (such as "root"). Given that it takes less than a second to submit hundreds of login attempts, the hole essentially renders password protection worthless.

Read more: arstechnica

QR: 

Posted via email from Jasper-net

New .NET Diagnostic info added to Process Explorer

In this post, we will look at a new feature in Process Explorer, the popular SysInternals tool, which enables developers and IT Pros to collect accurate stack traces for .NET applications.

Adding .NET Stack frames to Process Explorer

A few months ago, a few of us on the .NET Team were looking at how we could improve Process Explorer to provide better diagnostic information for .NET applications. Process Explorer is a very useful tool for investigating why something is going wrong. We know that millions of developers and IT Pros use Process Explorer, so it would seem that even small improvements for .NET would be pretty useful.

After a little conversation, we decided that adding support for .NET frames in Process Explorer’s Stack window would be the most valuable improvement that we could make. We reached out to Mark Russinovich to pitch the idea. For those of you that don’t know, Mark is the creator and maintainer of Process Explorer, and is a Technical Fellow at Microsoft. Mark was immediately supportive of the idea, and gave us the go-ahead to make the changes in the Process Explorer code. That work is now done, and available as part of Process Explorer v15.2 (or later).

What can you do with this new support?

Developers typically reach for Visual Studio when one of their applications starts doing the wrong thing. As the developer of an app, you can reproduce the issue on your own, attach to a badly behaving live repro or look at a dump. You have the source, and can easily go from there. Visual Studio 2012 is great for that scenario.

Sometimes you are a developer working with a customer on their machine and don’t have access to your tools or your application source. You could also be an IT Pro who supports an application that someone else built. In either case, Process Explorer can help you quickly collect diagnostic information, such as call stacks, that can give you an early lead.

Read more: .NET Framework Blog

QR: 

Posted via email from Jasper-net

In the blink of an eye: There goes your AES key

In the blink of an eye: There goes your AES key

(DRAFT of 28 May 2012)

Sergei Skorobogatov

University of Cambridge

Cambridge, UK

e-mail: sps32@cam.ac.uk

Abstract—This paper is a short summary of a real world AES key extraction performed on a military grade FPGA marketed as 'virtually unbreakable' and 'highly secure'. We demonstrated that it is possible to extract the AES key from the Actel/Microsemi ProASIC3 chip in a time of 0.01 seconds

using a new side-channel analysis technique called Pipeline Emission Analysis (PEA). This new technique does not introduce a new form of side-channel attacks (SCA), it introduces a substantially improved method of waveform analysis over conventional attack technology. It could be used to improve upon the speed at which all SCA can be performed, on any device and especially against devices previously thought to be unfeasible to break because of the time and equipment cost. Possessing the AES key for the ProASIC3 would allow an attacker to decrypt the bitstream or authenticate himself as a legitimate user and extract the bitstream from the device where no read back facility exists. This means the device is wide open to intellectual  property theft, fraud and reverse engineering of the design to allow the introduction of a backdoor or Trojan. We show that with a very low cost hardware setup made with parts obtained from a local electronics distributor you can improve upon existing SCA up to a factor of x1,000,000 in time and at a fraction of the cost of existing SCA equipment.

Read more: PDF

QR: 

Posted via email from Jasper-net

How to call WinRT APIs from C# Desktop applications – list the installed Metro packages

As Jaime Rodriguez detailed in April, Windows 8 Excellence Labs are made to help Metro developers to get a token which allows them to submit their application to the Windows Store with high confidence. I’m lucky enough to be part of this Microsoft effort and I hope meeting some of you soon :^)

A tool has been built to help Microsoft engineers to more easily check some basics of a Metro App such as implemented contracts or logos. This is a WPF Desktop application written in C# and its first task is to enumerate the installed Metro App packages.

I can imagine other scenari where you will certainly be interested in automatically checking that your application is well installed. This post will detail how a .NET developer could leverage WinRT from his Desktop application.

How to see the WinRT APIs in VS/.NET Decompiler

When you create a blank Metro App in C# with VS 2012 RC, two references are added to the project:

The first one allows you to use .NET types and the second one is the .NET view of the WinRT APIs. When you display the properties of the latter:

you end up in the C:\Program Files (x86)\Windows Kits\8.0\References\CommonConfiguration\Neutral\ folder where Windows.winmd waits for you. As explained by Martyn Lovell during his Lap around the Windows Runtime BUILD session, the WinRT team decided to keep the metadata format used by .NET assemblies to define their types and members.

Read more: Anything about WinRT

QR: 

Posted via email from Jasper-net

Visual Studio 2012 New Features: Quick Launch

In the past, finding things deep in the IDE has been a challenge. Visual Studio 2012 introduces search abilities at virtually every level of the product. Perhaps the biggest change is the introduction of Quick Launch (CTRL + Q) which specifically addresses how to dig inside Visual Studio to find features you need. Let’s take a look.

 

Quick Launch: Basic Use

You can find Quick Launch in the upper right corner of the IDE:

The most basic scenario for using Quick Launch is finding an item that you have forgotten (or don’t know) the location of. Let’s say you are interested in something deep in the menu system like viewing your white space. You know what it’s called but can’t remember where it is at. Just press CTRL + Q and enter the word white:

All searches are contains operations so the results will show anything that has the word white anywhere in it. The results are grouped into categories and you simply either select the item from the list using your keyboard, mouse or, if there is a keyboard shortcut listed, take advantage of the shortcut. In this case, you could press CTRL+R, CTRL+W to show the white space and then go on with your work.

Categories

There are four categories that your results will fall into when using Quick Launch. Let’s take a look at each of these categories.

Read more: The Ultimate Visual Studio Tips and Tricks Blog

QR: 

Posted via email from Jasper-net

NHibernate 3.2 mapping by code

NHibernate 3.2 will come with its own embedded mapping by code.

If you want know it is not based in fluent-interface, instead it is based on “loquacious”. That said you should understand that it has nothing related with Fluent-NHibernate.

The main idea under the NHibernate’s “sexy mapping” came from my dear ConfORM. In the past year the no conformist red man was running a lot and now I’m ready to transfer most of ConfORM’s intelligence directly inside NHibernate. To continue reading this post you have to run this song.

It’s simple (I’m too sexy)

Simple model

public class MyClass

{

    public int Id { get; set; }

    public string Something { get; set; }

}

Simple mapping

var mapper = new ModelMapper();

mapper.Class<MyClass>(ca =>

{

    ca.Id(x => x.Id, map =>

    {

        map.Column("MyClassId");

        map.Generator(Generators.HighLow, gmap => gmap.Params(new { max_low = 100 }));

    });

    ca.Property(x => x.Something, map => map.Length(150));

});

 

It’s flexible (I’m too sexy for my application)

You can organize your mapping as you want, class-by-class, different concerns about a class in different places and so on… (yes!! if you are a ConfORM user you know the concept)

var mapper = new ModelMapper();

mapper.Class<MyClass>(ca =>

{

    ca.Id(x => x.Id, map =>

    {

        map.Column("MyClassId");

    });

    ca.Id(x => x.Id, map =>

    {

        map.Generator(Generators.HighLow, gmap => gmap.Params(new { max_low = 100 }));

    });

    ca.Property(x => x.Something);

    ca.Property(x => x.Something, map => map.Length(150));

});

Read more: HunabKu

QR: 

Posted via email from Jasper-net

Foolish consistency is foolish

Once again today's posting is presented as a dialogue, as is my wont.

Why is var sometimes required on an implicitly-typed local variable and sometimes illegal on an implicitly typed local variable?

That's a good question but can you make it more precise? Start by listing the situations in which an implicitly-typed local variable either must or must not use var.

Sure. An implicitly-typed local variable must be declared with var in the following statements:

var x1 = whatever;

for(var x2 = whatever; ;) {}

using(var x3 = whatever) {}

foreach(var x4 in whatever) {}

And an implicitly-typed local variable must not be declared with var in the following expressions:

from c in customers select c.Name

customers.Select(c => c.Name)

In both cases it is not legal to put var before c, though it would be legal to say:

from Customer c in customers select c.Name

customers.Select((Customer c) => c.Name)

Why is that?

Well, let me delay answering that by criticizing your question further. In the query expression and lambda expression cases, are those in fact implicitly typed locals in the first place?

Hmm, you're right; technically neither of those cases have local variables. In the lambda case, that is a formal parameter. But a formal parameter behaves almost exactly like a local variable, so it seems reasonable to conflate the two in casual conversation. In the query expression, the compiler is going to syntactically transform the range variable into an untyped lambda formal parameter regardless of whether the range variable is typed or not.

Read more: Eric Lippert’s Blog

QR: 

Posted via email from Jasper-net

Let the moose run free...! Mighty Moose, a Continuous Testing Tool, is now free (as in free)

As some of you may know Svein (@ackenpacken) and I have decided to make Mighty Moose free. This is not a decision that is being take lightly and much thought has gone into it. This post is to explain why we went free and the future

...

Mighty Moose is from this point forward free. Not “free in beta” or “free with a bunch of functionality turned off” but free (license is being updated as I write this). We announced this rather quietly at NDC.

Many people have asked me “why would you go free? you could charge for what you have.”. This is true. Continuous Testing tools will be taking off and yes we could charge for it however its not quite as simple as that.

Read more: Greg's Cool [Insert Clever Name] of the Day

QR: 

Posted via email from Jasper-net

10 *MORE* Things you Probably Didn’t know about Windows 8

Introduction

Back in April 2012, I shared a list of “10 Things you probably didn’t know about Windows 8.” I had a lot of great feedback through Twitter and Facebook, so I decided to share 10 *MORE* things you probably didn’t know about Windows 8. So, in no particular order here we go again.

Grabbing the Bits First

Let’s get started:

1) If you’re not a fan of the lock screen or just want to quickly get past it and get to work, then you can hit keys on your keyboard such as the space bar or enter key to get to the sign on screen. This is a lot easier in my opinion, then swiping up with the mouse, if you are not on a touch-enabled pc. If you want to disable it altogether then just follow this guide.

2) If you move your mouse to the lower left-hand corner of your screen (in Metro or Desktop mode), then you will be presented with an icon of either Metro or Desktop screen (depending on what you are in). If you move  your mouse upwards, then you can get a quick glimpse of all the applications currently running as shown below. This is an easy way to switch between applications.

Read more: Michael Crump

QR: 

Posted via email from Jasper-net

What’s New in Visual Studio 2012 and C# 5.0

בתאריך 18.6.12 קיימנו במיקרוסופט יום עיון בנושא פיתוח אפליקציות באמצעות VS 2012 ו- C#5.

הגירסא הבאה של Visual Studio הבאה עלינו לטובה מכילה שיפורים רבים, החל ממשק המשתמש, דרך עבודה עם קוד ועד יכולות עריכה של מודלים תלת מימדיים וניפוי שגיאות.

בהרצאה זו התבוננו בחידושים ב-Visual Studio בסביבה, בעולם ה-Client, ה-Web ועוד. כמו כן הכרנו את החידושים בשפת C# 5.0, כשהעיקרי בהם היא תמיכה במודל תכנות אסינכרוני קל לשימוש, ללא המורכבויות המוכרות של התחלת פעולה, רישום לסיום, תפיסת שגיאות ועוד.

קהל יעד: מפתחי C# וראשי צוותים

רמה: 300

חלק ראשון -  מה חדש ב- Visual Studio 2012

בחלק זה התבוננו בחידושים בסביבת הפיתוח המוכרת שעוברת מתיחת פנים כלפי חוץ, עם הרבה שיפורים קטנים בפנים, הבאים לידי ביטוי במגוון יכולות חדשות ומשודרגות.

Read more: Channel9 [Part1], Channel9 [Part 2]

QR: 

Posted via email from Jasper-net

Generic Variance in C# 4.0

Although I’m not cool enough to actually go to PDC, I’ve been watching some of the things that have been announced. One of the things I’m most excited about is co- and contra-variance in generics, which is something that the CLR has lacked since generics were first introduced in 2.0. (Note: some of the examples on here are pulled from the excellent description of new features release by Microsoft.)

In versions of C# prior to 4.0, generics were invariant. For example, consider this simple type definition:

public class Foo<T>

{

  //...

}

Since the generic type parameter T was not constrained, the compiler understands that T should be treated as type object. That means that since a string is an object, a Foo<string> is functionally equivalent to a Foo<object>. However, because of generic invariance, ian instance of Foo<string> cannot be assigned to a variable of type Foo<object>.

C# 4.0 introduces the ability to declare covariant and contravariant generics. For example:

public class Foo<out T>

{

  //...

}

This class is covariant in T, meaning that if you create a Foo<string>, you can use it effectively as a Foo<object>, since a string is a subclass of object. The example given is the new IEnumerable<T> interface that comes with the BCL in C# 4.0:

public interface IEnumerable<out T> : IEnumerable

{

  IEnumerator<T> GetEnumerator();

}

public interface IEnumerator<out T> : IEnumerator

{

  bool MoveNext();

  T Current { get; }

}

Since these interfaces are covariant in T, an IEnumerable<string> can be used as an IEnumerable<object>. The same is true for List<T>, so you’ll be able to do this, which was previously impossible:

IList<string> strings = new List<string>();

IList<object> objects = strings;

Note, however, that you can only declare that your type is covariant for generic type parameters that appear in output positions — basically, return values.

Like the out keyword, you can also use the in keyword:

public interface IComparer<in T>

{

  int Compare(T left, T right);

}

Read more: Discord&Rhyme

QR: 

Posted via email from Jasper-net

Using Custom Web.config Transformations in MSBUILD

Web.config transformations have been around for a while now, and a lot of developers use them in their staple day-to-day environment deployment strategies – hell, Scott Hanselman was spouting about them way back in the beginning on 2010 with his “Web Deployment Made Awesome: If you’re using XCOPY, you’re doing it wrong” post. As usual though, one size does not fit all – and in the case of Continuous Integration fans out there that may have specific build-configuration-based build and deployment scenarios (such as myself), there is the need to have finer grained control over the Web.config transformation process. If this sounds like you, then this post is aimed to deliver.

What a second… what the hell are “Web.config Transforms”?

ASP.net has had a few features that that been around for what seems like forever when it comes to abstracting away or alternating between different configuration data for your website (i’m talking about configSource functionality mostly). The features were very minimal and usually created a less-than-ideal solution for developers working on big websites in multiple environments. With the advent of Visual Studio 2010 Microsoft kindly helped us all out by taking note that “hey maybe not all websites are being built for a single server with a single configuration”… Smart guys. They created web.config transformations to help deal with this problem and Jokes aside, the feature is actually pretty cool and allows you to write a base web.config file as you normally would and then transform it for each of your environments.

Your base web.config:

<?xml version="1.0"?>

<configuration>

    <appSettings>

        <add key="ExampleApplicationSetting" value="Value being replaced by Transform"/>

    </appSettings>

    <connectionStrings>

        <add name="MyConnectionString" connectionString="..." providerName="System.Data.SqlClient" />

    </connectionStrings>

    <system.web>

        <customErrors mode="Off"/>

        <compilation debug="true">

        </compilation>

    </system.web>

</configuration>

Your web.config transform (note the change to my connection string, my custom errors and my compilation mode):

<?xml version="1.0"?>

<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">

    <appSettings>

        <add key="ExampleApplicationSetting"

                 xdt:Transform="SetAttributes(value)"

                 xdt:Locator="Condition(@key='ExampleApplicationSetting')"

                 value="The new value to replace after transform"/>

    </appSettings>

    <connectionStrings>

        <add name="MySolutionDatabase" xdt:Transform="Replace" xdt:Locator="Condition(@name='MySolutionDatabase')"

                 connectionString="... My New Connection String ..." providerName="System.Data.SqlClient" />

    </connectionStrings>

    <system.web>

        <customErrors xdt:Transform="Replace" mode="RemoteOnly" />

        <compilation xdt:Transform="SetAttributes(debug)" debug="false" />

    </system.web>

</configuration>

Read more: DZone

QR: 

Posted via email from Jasper-net