This is a mirror of official site: http://jasper-net.blogspot.com/

.Net Framework Tilde Character DoS

| Thursday, July 5, 2012
Security Research - .Net Framework Tilde Character DoS

I. BACKGROUND
---------------------

"The .NET Framework is a software framework developed by Microsoft that runs primarily on Microsoft Windows.
It includes a large library and provides language interoperability
across several programming languages." (Wikipedia)

II. DESCRIPTION
---------------------

Vulnerability Research Team discovered a  vulnerability
in Microsoft .NET Framework.

The vulnerability is caused by a tilde character "~" in a Get request, which could allow remote attackers
to Deny the functionality of the server.

III. AFFECTED PRODUCTS
---------------------------

.Net Framework 1.0 Windows XP
.Net Framework 1.1 Windows 2003
.Net Framework 2.0 Windows 2003 R2
.Net Framework 3.0 Windows 2008
.Net Framework 3.5 Windows 2008 R2
.Net Framework 4.0 Windows 2008 R2,Windows 7

IV. Binary Analysis & Exploits/PoCs
---------------------------------------

In-depth technical analysis of the vulnerability and a functional exploit
are available through:

V. SOLUTION
----------------

There are still workarounds through Vendor and security vendors.

Read more: ExploitDb
QR: Inline image 1

Posted via email from Jasper-net

NVIDIA Nsight Tegra — плагин VS для нативной разработки Android приложений

|
На прошедшем недавно мероприятии Google I|O компания NVIDIA представила интересный плагин к VisualStudio, позволяющий разрабатывать и дебажить приложения непосредственно из этой среды.

Inline image 2

1. Импорт существующих проектов в Visual Studio.
2. Управление нативными андройд проектами как обычными.
3. Сборка нативного кода Android проектов используя vs-android, ndk-build или make-файлы. 
4. Параллельная компиляция как для файла так и для проекта.
5. Увеличение производительности нативного (C/C++) Android кода на 20-30%.
6. Улучшенная поддержка NEON.
7. Link-time optimization (LTO).

Read more: Habrahabr.ru
QR: Inline image 3

Posted via email from Jasper-net

Cancelling Tasks Started with Parallel.Invoke

|
Cancelling Parallel.Invoke Tasks
Cancellation of tasks started using Parallel.Invoke uses the same cancellation token approach as when cancelling other parallel operations. Before you start the parallel execution, you must create a CancellationTokenSource object, from which you can request a CancellationToken. This token is passed to the Parallel.Invoke method's first parameter, with the Action array becoming the second parameter. However, the token cannot be provided directly as when creating cancellable Task objects. Instead, you must instantiate a ParallelOptions object and set its CancellationToken property to the generated token.

With the cancellation token provided, you can call its Cancel method from within any of the Action delegates. To avoid problems with early termination, cancelling the tasks does not immediately stop their execution. Any tasks from the array that have not already begun executing will not be started. Any tasks that have already started will continue to run until they complete normally or throw an exception. For particularly long-running tasks, you may also check the cancellation token source's IsCancellationRequested property. If this is true, you can gracefully exit from a task early to improve performance.

When the tasks are cancelled, an OperationCanceledException is thrown, as it would be when you cancel tasks manually. You should generally catch this exception to ensure that it does not cause your software to exit abnormally. Other exceptions will be wrapped in an AggregateException and should be handled appropriately.
To demonstrate cancellation, first we need a cancellation token source that is visible to the entire program. Add the following declaration to the class, outside of any member.
static CancellationTokenSource _tokenSource;

We'll also add a new method that cancels the operation. This will be called by one of the Action delegates.

static void CancellingTask()
{
    Console.WriteLine("Cancelling {0}", Task.CurrentId);
    _tokenSource.Cancel();
}

Read more: BlackWasp
QR: Inline image 1

Posted via email from Jasper-net

Decrypting SSL packet dumps

|
We all love transport security but it can get in the way of a good tcpdump. Unencrypted protocols like HTTP, DNS etc can be picked apart for debugging but anything running over SSL can be impenetrable. Of course, that's an advantage too: the end-to-end principle is dead for any common, unencrypted protocol. But we want to have our cake and eat it.

Wireshark (a common tool for dissecting packet dumps) has long had the ability to decrypt some SSL connections given the private key of the server, but the private key isn't always something that you can get hold of, or want to spread around. MITM proxies (like Fiddler) can sit in the middle of a connection and produce plaintext, but they also alter the connection: SPDY, client-certificates etc won't work through them (at least not without special support).

So here's another option: if you get a dev channel release of Chrome and a trunk build of Wireshark you can run Chrome with the environment variable SSLKEYLOGFILE set to, say, /home/foo/keylog. Then, in Wireshark's preferences for SSL, you can tell it about that key log file. As Chrome makes SSL connections, it'll dump an identifier and the connection key to that file and Wireshark can read those and decrypt SSL connections.

Read more: ImperialViolet
QR: Inline image 1

Posted via email from Jasper-net

#593 – AddHandler Method Can Add Handler for Any Event

| Wednesday, July 4, 2012
If you’re adding an event handler from code, rather than specifying the handler in XAML, you can just use the += notation for an event that is defined for the control in question.  For example, the Button control defines a Click control, so you can do the following:

myButton.Click += new RoutedEventHandler(Button_Click);

But let’s say that you want to add a handler for the Click event to a StackPanel control, which does not define the Click event, and you want to do it from code.  You can then use the AddHandler syntax:

myStackPanel.AddHandler(ButtonBase.ClickEvent, (RoutedEventHandler)HandleTheClick);

QR: Inline image 1

Posted via email from Jasper-net

Почему бы я не рекомендовал Atmel или о непонимании успеха Arduino

|
Хочу немного поделиться негативным опытом использования микроконтроллеров Atmel в промышленной разработке.

Atmel как целевую платформу выбрал заказчик, хотя мы его и отговаривали (еще даже не зная, что нам предстоит — интуиция, что ли?). Ну что же, «заказчик всегда прав».

В продукте было два контроллера — 32-битный UC3A3 и 8-битный ATMega164. В качестве дебаггера выбрали AVR One!, в качестве среды разработки — AVR Studio 5.0 (последняя версия на момент старта).

И началось!

У двух из трех купленных AVR One! в течении первого же месяца отвалились JTAG-коннекторы. У одного из них пропадал контакт питания. Каждый дебаггер, к слову, стоит около 600 евро!

При первом подключении дебаггера к компу с установленной AVR Studio 5.0 последняя захотела обновить ему прошивку. И не просто захотела, а отказывалась работать без этого. Процедура обновления прошивки благополучно зациклилась в «обновление — ожидание готовности устройства — обновление завершено неуспешно — обновление...», произвести ее удалось только после долгих танцев с бубнами.

На начальной стадии работа ведется на Evaluation платах. Были такие и у Атмела. Вот только на «готовых» эвалкитах к большинству пинов процессора банально не было доступа! А универсальный пакет STK600, позволяющий «воткнуть» в него практически любой контроллер при помощи переходника (решение реально супер, если бы не одно но), имел маленький недостаток — его схема была недоступна ни в открытом доступе, ни за деньги! Блин, вот реально — тулкит, предназначенный для экспериментов с платформой, поставлялся без схемы! И схема его охранялась очень и очень тщательно, судя по многочисленным веткам на AVR freaks. Поскольку мы не могли представить себе, как же можно работать без наличия схемы, мы разумно отказались от покупки этого тулкита (который ни разу не дешевый, к слову!).

Еще веселее стало, когда приступили собственно к написанию и отладке кода. 

Самым веселым оказалось то, что пошаговая отладка оказалась в принципе невозможной. Дело в том, что поставив где-нибудь в коде брейкпоинт, дождавшись остановки программы в этом месте и выполнив «шаг вперед», ты оказывался… в обработчике прерывания! (Естественно, в прерывании при этом никаких брейкпоинтов не было!). А поскольку прерывания в системе были всегда (таймеры и т.п.), процесс отладки выглядел следующим образом: приходилось ставить следующий брейкпоинт на следующей строке и нажимать Run вместо Step Over. Особенно весело это было, когда надо было отследить if или switch. Или же выполнить Step Into, а не Step Over…

Read more: Habrahabr.ru
QR: Inline image 1

Posted via email from Jasper-net

ASP.NET MVC, Web API, Razor and Open Source

| Monday, July 2, 2012
Microsoft has made the source code of ASP.NET MVC available under an open source license since the first V1 release. We’ve also integrated a number of great open source technologies into the product, and now ship jQuery, jQuery UI, jQuery Mobile, jQuery Validation, Modernizr.js, NuGet, Knockout.js and JSON.NET as part of it.

I’m very excited to announce today that we will also release the source code for ASP.NET Web API and ASP.NET Web Pages (aka Razor) under an open source license (Apache 2.0), and that we will increase the development transparency of all three projects by hosting their code repositories on CodePlex (using the new Git support announced last week). Doing so will enable a more open development model where everyone in the community will be able to engage and provide feedback on code checkins, bug-fixes, new feature development, and build and test the products on a daily basis using the most up-to-date version of the source code and tests.

We will also for the first time allow developers outside of Microsoft to submit patches and code contributions that the Microsoft development team will review for potential inclusion in the products. We announced a similar open development approach with the Windows Azure SDK last December, and have found it to be a great way to build an even tighter feedback loop with developers – and ultimately deliver even better products as a result.

Very importantly - ASP.NET MVC, Web API and Razor will continue to be fully supported Microsoft products that ship both standalone as well as part of Visual Studio (the same as they do today). They will also continue to be staffed by the same Microsoft developers that build them today (in fact, we have more Microsoft developers working on the ASP.NET team now than ever before). Our goal with today’s announcement is to increase the feedback loop on the products even more, and allow us to deliver even better products.  We are really excited about the improvements this will bring.

Learn More
You can now browse, sync and build the source tree of ASP.NET MVC, Web API, and Razor on the http://aspnetwebstack.codeplex.com web-site. 

The Git repository on the site is the live RC milestone development tree that the team has been working on the last several weeks, and the tree contains both the runtime sources + tests, and is buildable and testable by anyone.  Because the binaries produced are bin-deployable, this allows you to compile your own builds and try product updates out as soon as they are checked-in.

You can also now contribute directly to the development of the products by reviewing and sending feedback on code checkins, submitting bugs and helping us verify fixes as they are checked in, suggesting and giving feedback on new features as they are implemented, as well as by submitting code fixes or code contributions of your own. Note that all code submissions will be rigorously reviewed and tested by the ASP.NET MVC Team, and only those that meet an extremely high bar for both quality and design/roadmap appropriateness will be merged into the source.

Read more: ScottGu's Blog
QR: Inline image 1

Posted via email from Jasper-net

Quake 3 Source Code Review

|
  id Software has a history of releasing the source code for their older games under the GPL. Coder Fabien Sanglard has been taking it upon himself to go through each of these releases, analyze the source code, and post a detailed write-up about it. He's now completed a review of the Quake 3 source code, diving into the details of idTech3. It's an interesting read — he says he was impressed in particular by the 'virtual machines system and the associated toolchain that altogether account for 30% of the code released. Under this perspective idTech3 is a mini operating system providing system calls to three processes.

Read more: Slashdot

Posted via email from Jasper-net