This is a mirror of official site: http://jasper-net.blogspot.com/

Is Stack Overflow “secure”? Kind of…

Tuesday, August 7, 2012
I had an interesting question pop up on my “SSL is not about encryption” blog post this weekend:

I have a question about logging in to a site like StackOverflow which doesn't use SSL at all.
If I log in to SO via Google, is this secure in this case?

This is actually a very good question for a number of reasons so I thought it deserved a little more attention than just the short response I gave on the blog. The question implies there is some sort of absolute state to security (probably unintentionally) where a site such as Stack Overflow is deemed to be either “secure” or “insecure” (hence the quotes in the title).

The reality is that there are a few more twists to it than that and Stack Overflow in particular is an interesting case study due to their use of a third party authentication provider. What this blog post will show you is that in this particular case, we’re really looking at two different security domains with different levels of protection and in the case of Stack Overflow, yes, it’s kind of secure – but then it’s also kind of insecure too…

Stack Overflow and the role of OpenID
I’ve followed the evolution of Stack Overflow from the very early days and one thing that Jeff Atwood was always adamant about was the role of OpenID. Jeff has many, many good points and probably the most significant one from a security perspective is that it makes the job of keeping credentials safe the responsibility of someone else. This is a good thing, particularly when you consider the work organisations like Google have done around two-factor authentication. Of course there are other OpenID providers who are not quite as well equipped, but they still do a very good job of implementing secure authentication mechanisms.

There are opponents of OpenID, but the arguments are more about the logistics of implementing it and dealing with customers having accounts with all sorts of different providers. These are perfectly valid concerns, but they’re not about security; all the OpenID implementations I’ve seen adhere to all the sorts of good account management practices I regularly talk about such as no restrictions on password length or structure, well implemented password reset processes and of course everything is done over HTTPS.

But what we need to remember is that OpenID is being used by Stack Overflow solely for the purpose of authenticating the users. What happens after this is a whole new ballgame.

Stack Overflow and HTTPS
Here’s what you currently see on Stack Overflow today:


This is really what Marek was referring to in the initial question which sparked this blog post, and as he has rightly observed, there is no use of HTTPS. But is this a problem? I mean, I’ve already logged on via OpenID so my credentials have been sent securely already; what’s the risk?

To answer that question, let’s start by taking a look at the cookies set by the site. Why? Because cookies are how our logged-in state is persisted across multiple requests over HTTP, which is a stateless protocol; that is, each request is made over a new connection totally independent of the other requests. In other words, HTTP itself doesn’t know we’re logged in, it needs help from cookies.
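As an added example (not code from Troy Hunt's post), the following Python parses constructed Set-Cookie headers the way a browser would and shows which cookies get attached to a plain http:// request: a cookie without the Secure attribute carries the logged-in state over every unencrypted connection, which is exactly the exposure the rest of the post is about.

```python
# Added example (not from Troy Hunt's post): parse Set-Cookie headers the way a
# browser would and report which cookies travel on plain http:// requests.
# All header values below are constructed samples, not captured from any real site.
from dataclasses import dataclass, field

SAMPLE_SET_COOKIE_HEADERS = [
    # session cookie: HttpOnly but no Secure, so it rides along on every http:// request
    "session=t=abc123&s=def456; path=/; expires=Sat, 07-Feb-2015 06:12:45 GMT; HttpOnly",
    # preference cookie: neither flag
    "prefs=theme%3Ddark; path=/",
    # a cookie set correctly: only ever sent over HTTPS
    "sso_token=xyz789; Path=/; Secure; HttpOnly",
]


@dataclass
class Cookie:
    name: str
    value: str
    attributes: dict = field(default_factory=dict)  # attribute names lower-cased

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes


def parse_set_cookie(header: str) -> Cookie:
    """Split 'name=value; attr; attr=value' into a Cookie (RFC 6265 style)."""
    parts = [p.strip() for p in header.split(";")]
    # only the first '=' separates name from value; the value itself may contain '='
    name, _, value = parts[0].partition("=")
    attributes = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attributes[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attributes)


def cookies_sent(cookies, scheme: str) -> list:
    """Names a browser attaches to a request with the given URL scheme."""
    return [c.name for c in cookies if scheme == "https" or not c.secure]


def audit(headers) -> dict:
    """Map cookie name -> list of exposure findings; cookies with no findings are omitted."""
    findings = {}
    for header in headers:
        c = parse_set_cookie(header)
        issues = []
        if not c.secure:
            issues.append("no Secure: sent in the clear on every http:// request")
        if not c.http_only:
            issues.append("no HttpOnly: readable by page script")
        if issues:
            findings[c.name] = issues
    return findings
```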

Read more: Troy Hunt's Blog

Posted via email from Jasper-net

How Apple and Amazon Security Flaws Led to My Epic Hacking

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.

Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location.

Those security lapses are my fault, and I deeply, deeply regret them.

But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

This isn’t just my problem. Since Friday, Aug. 3, when hackers broke into my accounts, I’ve heard from other users who were compromised in the same way, at least one of whom was targeted by the same group.

Read more: Wired

Microsoft .NET Framework Undersized Glyph Buffer Remote Code Execution Vulnerability

CVE ID
CVE-2012-0162

CVSS Score
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Vendors
Microsoft

Affected Products
.NET

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the .NET Framework. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within Microsoft .NET handling of XAML Browser Applications (XBAP) graphics components. It is possible to cause an undersized allocation for a buffer which is populated with user-supplied glyph data, resulting in memory corruption which can be leveraged to remotely execute code.

Vendor Response
Microsoft has issued an update to correct this vulnerability. More details can be found at: 

Disclosure Timeline
2011-12-07 - Vulnerability reported to vendor
2012-08-03 - Coordinated public release of advisory


DaRT 8 Tutorial Videos

Monday, August 6, 2012
The Microsoft Diagnostics and Recovery Toolset (DaRT) is a powerful set of tools that can help you diagnose and troubleshoot computers. This video introduces the features available in version

DaRT 8 Overview - Diagnose, Troubleshoot PC Issues (TechNet)

Create Boot Media with DaRT 8
Start a Computer with DaRT 8
Reset Passwords with DaRT 8
Analyze Crash Dumps with DaRT 8
Disable Device Drivers with DaRT 8
Recover Files with DaRT 8
Repair Disks Using DaRT 8
Explore the PC Using DaRT 8
Repair System Files with DaRT 8
Scan for Malware with DaRT 8
Remove Hotfixes with DaRT 8
Wipe Disks with DaRT 8

Read more: Bink.nu

Native shell


Native shell is a program I wrote for experimenting in the Native mode of the Windows NT family (NT/2000/XP/2003/Vista/7). This is the mode in which the chkdsk utility runs when it needs to check and repair errors on the system partition. The mode itself (also called boot mode) is the blue screen (blue in Windows XP, a different colour in other versions) that appears before the login window. This is what the mode looks like (click the picture to enlarge):

The program is distributed under the GNU General Public License, with part of the sources under the GNU Lesser General Public License. See the program's source code for credits to other authors. The source code is available at

...
...

List of console commands

Commands implementing whatever functions I want to try out in Native mode will be added gradually. If a command argument contains a space, it must be enclosed in quotes (except for the cd command, which understands paths without quotes).

if the command does not match one of those described below, it is treated as the name of an executable file to launch (for the program to start, the executable name must be given together with its extension)
cd X - change directory to X
md X - create directory X
copy X Y - copy file X to Y
move X Y - move or rename file X to Y
poweroff - power off the PC
shutdown - power off the PC
dir - show the contents of the directory
pwd - print the name of the current directory
del X - delete file X
reboot - reboot the PC
devtree - print the process tree
exit - exit to Windows
sysinfo - show system information
lm - show executable modules in memory
vid - test character output to the screen
lp - list running processes

Read more: Hex.pp.ua

Building your own Time Machine for Linux

After using Time Machine intensively on Macs, and a couple of situations where it really came in handy (there were cases where I had to reinstall the system from backups, and one where I had to roll back after problems), the thought came up: why is there no such convenient system on Linux? After looking into the question and asking Linux-using friends, it turned out that:

1. such a system can be thrown together in a couple of minutes
2. oddly, somehow nobody is actually aware that it can be set up this quickly.
3. our Time Machine for Linux will come with mahjong and geishas.

I happened to have a spare first-generation Apple TV, which I had decided to turn into a small hardened Linux server for collecting logs and other auxiliary purposes. After installing Hardened Gentoo, the question came up of how to back it up, the whole disk at once, so that after a total failure the backup could be rolled onto a new disk or a completely new Apple TV (hmm, if I can find one later, of course), or so that deleted or lost files could be restored selectively simply by referring to a particular date.

How does Time Machine work? Quite simply: the first snapshot of the system is just copied as files with all their attributes into Backups.backupdb/hostname/YYYY-MM-dd-hhmmss, plus a Latest symlink is created pointing to the most recent snapshot. On the second snapshot the following happens: file dates are compared, and if a file has not changed then instead of a new copy a hardlink is made to the file from the previous snapshot. So if no files have changed, the whole new snapshot consists entirely of links to the previous one. Snapshots differ only in new/modified/deleted files. As a result you can simply delete any snapshot (a directory like YYYY-MM-dd-hhmmss) and nothing breaks. The closest analogy is a smart pointer in C++, for example: when the last reference to a file (from all snapshots) disappears, it is removed from disk.

It is a very convenient system for browsing previous versions of files, restoring them, deleting old backups and so on, all the way up to restoring the entire system from a snapshot.

After examining all the Linux backup systems known to me, they were rejected as not quite what was needed. Instead, the simplest solution turned up: a one-liner with rsync.

rsync has a wonderful option, --link-dest, which does all of the logic described above: comparing against the previous snapshot and creating hardlinks. The -x option excludes all mounted filesystems such as /proc, /sys, /dev and so on. --delete will remove files that have disappeared.

The whole Time Machine will be a single script like this:

#!/bin/sh
# Snapshot name, e.g. 2012-08-06-120000
date=$(date "+%Y-%m-%d-%H%M%S")
SRC=/
DST=/mnt/backup-hdd/Backups.backupdb/atv

# -a preserves attributes, -x stays on one filesystem (skips /proc, /sys, /dev, ...),
# --delete drops files that no longer exist in SRC, and --link-dest hardlinks files
# unchanged since the previous snapshot (Latest) instead of copying them.
# The snapshot is built under a Processing- name and only renamed once rsync
# succeeds, so an interrupted run never becomes Latest.
rsync -ax \
--delete \
--link-dest=../Latest \
"$SRC" "$DST/Processing-$date" \
&& cd "$DST" \
&& mv "Processing-$date" "$date" \
&& rm -f Latest \
&& ln -s "$date" Latest

Copy the script into /etc/cron.hourly and voilà, we have Time Machine-style backups.
If our system dies, we can boot from a USB stick, format the partition, run the same rsync in the opposite direction, then reboot or chroot, and the system is working again.
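As an added example (not the post's code), here is the same snapshot logic as the rsync one-liner, implemented in Python: compare each file's size and modification time with the Latest snapshot, hardlink unchanged files and copy changed ones, then move the Latest symlink. The demo function checks the property the post relies on, that deleting an old snapshot leaves newer ones intact; all paths, timestamps and file contents are constructed.

```python
# Added example (not from the Habrahabr post): the snapshot logic that rsync --link-dest
# performs, written out in Python so the hard-link behaviour can be observed directly.
# Paths, timestamps and file contents below are constructed for the demo.
import os
import shutil
import tempfile
from pathlib import Path


def take_snapshot(src: Path, backup_root: Path, stamp: str) -> Path:
    """Copy src into backup_root/stamp; files unchanged since Latest become hard links."""
    latest = backup_root / "Latest"
    prev = latest.resolve() if latest.is_symlink() else None
    dst = backup_root / f"Processing-{stamp}"  # renamed only after a complete run
    for root, _dirs, files in os.walk(src):
        rel = Path(root).relative_to(src)
        (dst / rel).mkdir(parents=True, exist_ok=True)
        for name in files:
            s, d = Path(root) / name, dst / rel / name
            p = prev / rel / name if prev is not None else None
            st = s.stat()
            if p is not None and p.is_file():
                pst = p.stat()
                # same size and mtime: reuse the previous snapshot's inode
                if pst.st_size == st.st_size and int(pst.st_mtime) == int(st.st_mtime):
                    os.link(p, d)
                    continue
            shutil.copy2(s, d)  # new or modified: a fresh copy, attributes preserved
    final = backup_root / stamp
    dst.rename(final)
    if latest.is_symlink():
        latest.unlink()
    latest.symlink_to(stamp)  # relative link, like `ln -s $date Latest`
    return final


def demo() -> dict:
    """Take two snapshots of a constructed tree and report how they share storage."""
    work = Path(tempfile.mkdtemp())
    src, backups = work / "src", work / "Backups.backupdb" / "atv"
    (src / "etc").mkdir(parents=True)
    backups.mkdir(parents=True)
    keep, change = src / "etc" / "keep.conf", src / "etc" / "change.conf"
    keep.write_text("unchanged\n")
    change.write_text("v1\n")
    os.utime(change, (1_000_000, 1_000_000))  # fixed mtime so the later edit is detectable
    snap1 = take_snapshot(src, backups, "2012-08-06-120000")
    change.write_text("v2 with more bytes\n")
    os.utime(change, (1_000_100, 1_000_100))
    snap2 = take_snapshot(src, backups, "2012-08-06-130000")
    result = {
        "keep_shared": (snap1 / "etc/keep.conf").stat().st_ino == (snap2 / "etc/keep.conf").stat().st_ino,
        "change_separate": (snap1 / "etc/change.conf").stat().st_ino != (snap2 / "etc/change.conf").stat().st_ino,
        "old_content_intact": (snap1 / "etc/change.conf").read_text() == "v1\n",
        "latest": os.readlink(backups / "Latest"),
    }
    shutil.rmtree(snap1)  # dropping an old snapshot must not break a newer one
    result["survives_delete"] = (snap2 / "etc/keep.conf").read_text() == "unchanged\n"
    shutil.rmtree(work)
    return result
```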

Read more: Habrahabr.ru

Using Custom Markup Extensions in Silverlight 5

Sunday, August 5, 2012
The first beta of Silverlight 5 was announced at MIX this week and is available for downloading. As such, I’ll be blogging about the new features in weeks to come. I’ll also be delivering sessions on Silverlight 5 at several upcoming conferences, including Microsoft TechDays in Belgium, Microsoft DevDays in the Netherlands, Devscovery in Redmond, WA, and Microsoft TechEd in Atlanta. If you plan to attend any of those conferences, I’d love to see you in my sessions!

One of the most exciting features that Silverlight 5 introduces – and one that has been a long time in coming to the platform – is custom markup extensions. My fellow coconspirator and Silverlight MVP Jeremy Likness presented a custom markup extension that uses MEF to satisfy imports on object instances declared in XAML. I’d like to present a custom markup extension of my own – one that retrieves RESX localization resources and simplifies the task of adding localization support to Silverlight applications.

In the past, RESX-based localization was usually performed in Silverlight XAML with the help of the built-in {Binding} markup extension. To demonstrate, the following example declares an instance of the ResourceManager wrapper class named Resources (which is generated by Visual Studio from Resources.resx), assigns the Resources instance to the DataContext property of a TextBlock, and uses a data-binding expression to set the TextBlock’s Text property equal to the Greeting property of the Resources instance:

 
<Grid>
  <Grid.Resources>
    <local:Resources x:Key="Localize" />
  </Grid.Resources>
  <TextBlock Text="{Binding Greeting}" DataContext="{StaticResource Localize}" />
</Grid>
 
It works, but it makes you wonder why you have to resort to data binding to make localization work when localization is such a common task in Silverlight applications.

You can make this work a little more cleanly by writing a custom markup extension. Such an extension might be applied this way:

 
<Grid>
  <TextBlock
    Text="{local:Resx ResxKey=Greeting, ResxType=Resources, Default=Welcome}" />
</Grid>
 
In this example, Resx is the custom markup extension, ResxKey identifies the localization resource to be loaded, ResxType identifies the ResourceManager wrapper class that provides access to that resource, and Default is an optional default value that’s used if the specified localization resource doesn’t exist or can’t be retrieved. Better, is it not? And it’s just one of a million different applications for custom markup extensions.


Silverlight (and WPF): How to make items stretch horizontally in a ListBox

Sometimes we need to use controls like TextBox, TextBlock etc. (that set their width automatically depending on content) in a ListBox’s ItemTemplate. If we need to draw Borders or assign Background colors to each such control then we may end up having non-equal rows. Here’s a sample markup:

<ListBox ItemsSource="{Binding MyList}" >
    <ListBox.ItemTemplate>
        <DataTemplate>
            <TextBox Text="{Binding}" Background="LightYellow"  />
        </DataTemplate>
    </ListBox.ItemTemplate>
</ListBox>

Here’s the output for the above XAML:

A quick thought would be to set the HorizontalContentAlignment property to Stretch on the TextBox, but this won’t work. We need to specify this property for the ListBoxItem that encapsulates our DataTemplate. Here’s a quick syntax for doing this using a style:


Six years of WPF; what's changed?

Prior to working full time on Octopus Deploy, I spent a year building a risk system using WPF, for traders at an investment bank. Before that I worked as a consultant and trainer, mostly with a focus on WPF. I've lived and breathed the technology for the last six years, and in this post I'm going to share some thoughts about the past and future of WPF and the XAML-ites.

Six years ago, I wrote an article about validation in WPF on Code Project. I also wrote a custom error provider that supported IDataErrorInfo, since, would you believe, WPF in version 3.0 didn't support IDataErrorInfo. Later, I worked on a bunch of open source projects around WPF like Bindable LINQ (the original Reactive Programming for WPF, back before Rx was invented) and Magellan (ASP.NET-style MVC for WPF). I was even in the MVVM-hyping, Code Project-link sharing club known as the WPF Disciples for a while.

As I look back at WPF, I see a technology that had some good fundamentals, but has been really let down by poor implementation and, more importantly, by a lack of investment. I'm glad those days are behind me.

Back in 2006, here's what the markup for a pretty basic Window looked like (taken from an app I worked on in 2006):

<Window x:Class="PaulStovell.TrialBalance.UserInterface.MainWindow"
  xmlns:tb="clr-namespace:PaulStovell.TrialBalance.UserInterface"
  xmlns:tbp="clr-namespace:PaulStovell.TrialBalance.UserInterface.Providers"
  xmlns:system="clr-namespace:System;assembly=mscorlib"
  Title="TrialBalance" 
  WindowState="Maximized"
  Width="1000"
  Height="700"
  Icon="{StaticResource Image_ApplicationIcon}"
  Background="{StaticResource Brush_DefaultWindowBackground}"
  x:Name="_this"
  >

I mean, look at all that ceremony! x:Class! XML namespace imports! Why couldn't any of that stuff be declared in one place, or inferred by convention?

Fortunately, it's now 2012, and things have come a long way. Here's what that code would look like if I did it today:

<Window x:Class="PaulStovell.TrialBalance.UserInterface.MainWindow"
  xmlns:tb="clr-namespace:PaulStovell.TrialBalance.UserInterface"
  xmlns:tbp="clr-namespace:PaulStovell.TrialBalance.UserInterface.Providers"
  xmlns:system="clr-namespace:System;assembly=mscorlib"
  Title="TrialBalance" 
  WindowState="Maximized"
  Width="1000"
  Height="700"
  Icon="{StaticResource Image_ApplicationIcon}"
  Background="{StaticResource Brush_DefaultWindowBackground}"
  x:Name="_this"
  >

Spot the difference? Of course not, it was a trick question, nothing has changed since 2006 that would have made that less verbose.

Read more: Paul Stovell

C# Heap(ing) Vs Stack(ing) in .NET: Part IV

Even though with the .NET framework we don't have to actively worry about memory management and garbage collection (GC), we still have to keep memory management and GC in mind in order to optimize the performance of our applications. Also, having a basic understanding of how memory management works will help explain the behavior of the variables we work with in every program we write.  In this article we'll look into Garbage Collection (GC) and some ways to keep our applications running efficiently.

Graphing

Let's look at this from the GC's point of view. If we are responsible for "taking out the trash" we need a plan to do this effectively. Obviously, we need to determine what is garbage and what is not (this might be a bit painful for the pack-rats out there). 

In order to determine what needs to be kept, we'll first make the assumption that everything not being used is trash (those piles of old papers in the corner, the box of junk in the attic, everything in the closets, etc.)  Imagine we live with our two good friends: Joseph Ivan Thomas (JIT) and Cindy Lorraine Richmond (CLR). Joe and Cindy keep track of what they are using and give us a list of things they need to keep. We'll call the initial list our "root" list because we are using it as a starting point.  We'll be keeping a master list to graph where everything is in the house that we want to keep. Anything that is needed to make things on our list work will be added to the graph (if we're keeping the TV we don't throw out the remote control for the TV, so it will be added to the list. If we're keeping the computer the keyboard and monitor will be added to the "keep" list).

This is how the GC determines what to keep as well. It receives a list of "root" object references to keep from the just-in-time (JIT) compiler and the common language runtime (CLR) (remember Joe and Cindy?) and then recursively searches object references to build a graph of what should be kept.

Roots consist of:

  • Global/Static pointers. One way to make sure our objects are not garbage collected is to keep a reference to them in a static variable.
  • Pointers on the stack. We don't want to throw away what our application's threads still need in order to execute.
  • CPU register pointers. Anything in the managed heap that is pointed to by a memory address in the CPU should be preserved (don't throw it out).
[Diagram: managed heap with objects 1, 3 and 5 reachable from the roots]

In the above diagram, objects 1, 3, and 5 in our managed heap are referenced from a root: 1 and 5 are directly referenced and 3 is found during the recursive search. If we go back to our analogy and object 1 is our television, object 3 could be our remote control. After all objects are graphed we are ready to move on to the next step, compacting.

Compacting

Now that we have graphed what objects we will keep, we can just move the "keeper objects" around to pack things up.

Read more: C# Corner

THE open source WinForm & WPF docking library gets overhauled and a new version two, AvalonDock v2's!


Welcome to the first release of AvalonDock 2.0

Finally I can upload the new release of AvalonDock. This new release is stable and includes many new features compared to 1.3:
AvalonDock 2.0 has been completely rewritten to take full advantage of the MVVM design.
The layout model is now completely separated from the view controls; integration with frameworks like PRISM is easier and faster.
I worked a lot to get the best performance, especially when users move panes in floating windows or set them as auto hidden.
Floating windows can now be arranged together, as is possible in VS2010.
The library itself is lighter because it uses only standard controls, restyled, like the TabControl or the Grid panel.
Since the first beta I have fixed a lot of bugs; this version should be stable enough for most projects.
It comes with two additional themes: VS2010 and Aero.
