Aggregated Intelligence

Comcast releases data usage meters for high speed customers

2010-03-11T23:08:00.001-07:00

Comcast has implemented a 250gb per month limit on the amount one can transfer over their high speed connection.

Go to https://customer.comcast.com/Secure/UsageMeterDetail.aspx, login and you will see your usage history.

Comcast has had a usage limit since about October 2008, but without a usage meter, I always felt like the Comcast usage police might come knocking at my door. Having a usage meter is a step in the right direction. I wish they would add some kind of alert system, that I could use to signal to me when usage goes over by a certain amount (that way I can keep track of my data usage and if any pirate is trying to steal my bandwidth).

Here is what data usage meter looks like.

What’s A Startup? First Principles.

2010-03-11T21:06:00.001-07:00

What’s A Startup? First Principles.

a startup is an organization formed to search for a repeatable and scalable business model.

A good post by Steve Blank on what a Business Model is and other good stuff that any business person should be cognizant of.

How Does Customer Development, Agile Development and Lean Startups Fit?
The Customer Development process is the way startups quickly iterate and test each element of their business model. Agile Development is the way startups quickly iterate their product as they learn. A Lean Startup is Eric Ries’s description of the intersection of Customer Development, Agile Development and if available, open platforms and open source. (This methodology does for startups what the Toyota Lean Production System did for cars.)

http://steveblank.com/2010/01/25/whats-a-startup-first-principles/

Mapping Business Entities to Data Transfer Objects

2010-03-11T17:49:00.001-07:00

DTOs???? Why???

Here is an example: You wish to open up some processing to external callers via a web-service. Should your business entities also become your data-contracts?

Well, in my opinion (and from what I am seeing on the Internet), the answer is no. The answer is two-fold: separation of concerns and stability of your webservice. Enter data-transfer-objects (DTOs).

Typically you create your DTO in your service interface layer (they layer where you write your web-service). Your business entities are hydrated from your repository by your resource access layer. The business logic layer processes requests, gets the business entities from the resource access layer and provides it to the service interface layer.

The service interface layer then converts the business entity object to the DTO and then passes it back over the wire to the client calling the webservice.

Why is this good? For one – if your business entity changes, your web-service does not have to change (a good thing, especially if your webservice is publically accessible) and if your business entity had extra methods, fields, etc, they dont get pushed down the wire as your DTO is typically a very simple and clean object.

Why this post?

Well it turns out that the mapping between business entity objects and DTOs can be very boring, time consuming, pain to maintain, etc….

Enter Automapper. Automapper is an open source CodePlex project that performs mapping between objects using conventions. So as long as your DTO objects and BE objects share the same property and field names, the transfer of data will be nice and simple.

The code couldnt be simpler:

Mapper.CreateMap<SourceClass, DestinationClass>();
DestinationClass destinationObject = Mapper.Map<SourceClass, DestinationClass>(sourceObject);

Automapper also supports flattening (taking a complex object and converting it to a simpler object).

Hacme and WebGoat

2010-03-07T23:29:00.001-07:00

Hacme and Webgoat are 2 reference implementation applications that have been deliberately made insecure so as to teach developers how to create secure applications.

WebGoat (OWASP project): http://code.google.com/p/webgoat/

Hacme: (McAfee): http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm

Complex Numbers

2010-03-07T16:46:00.001-07:00

I had forgotten all my complex number theory and this post by Steven Strogatz refreshed all that: Finding your Roots.

Incidentally – complex numbers have become a first class citizen of the .Net 4.0 framework with the introduction of the Complex type (found in System.Numerics namespace).

Microsoft U-Prove SDK

2010-03-07T14:49:00.001-07:00

Microsoft released a preview of the U-Prove cryptographic technology at this year’s RSA Conference. As part of the preview, Microsoft has released a C# reference implementation to allow testing/learning about this new technology.

The C# SDK can be found at : http://code.msdn.microsoft.com/uprovesdkcsharp

The CTP information can be found at: https://connect.microsoft.com/content/content.aspx?contentid=12505&siteid=642

The spec details can be found at: https://connect.microsoft.com/site642/Downloads/DownloadDetails.aspx?DownloadID=26953

This looks like an early CTP release that Microsoft is using to discover what the security community as a whole thinks about U-Prove and I am sure the SDK and the specs will change quite a bit. I am not sure what the road map for U-Prove and hence dont know what the time line looks towards a full-fledged release of the technology.

Market penetration of .Net

2010-03-07T11:10:00.001-07:00

From: “.Net in Mission Critical Applications”

Windows Server has #1 server OS share (52.7%) for deployed mission-critical applications

Windows Server and .NET are the #1 (54.1%) deployed application server

.NET usage exceeds Java across all sizes of enterprises

Windows Server is the #1 OS used (46%) by deployed mission critical Java applications

SharePoint leads (over IBM WebSphere) as the #1 portal used by enterprises’ primary mission-critical application

SQL Server leads (over Oracle) as the #1 database used by enterprises’ primary mission-critical application

BizTalk Server leads (over Oracle) as the #1 process integration technology used by enterprises’ primary mission-critical application

Microsoft leads as the #1 (58.6%) vendor for service oriented architectures

JQuery Tutorials:

2010-03-05T07:39:00.001-07:00

Very nice JQuery tutorials: http://vandelaydesign.com/blog/web-development/jquery-one-page-portfolios/

Some of the cool ones linked from the page are:

Slideout menu: http://tympanus.net/codrops/2009/11/30/beautiful-slide-out-navigation-a-css-and-jquery-tutorial/

Using Form labels as text field values: http://cssglobe.com/post/2494/using-form-labels-as-text-field-values

JQuery lightbox: http://leandrovieira.com/projects/jquery/lightbox/

Microsoft’s Anti-XSS Library

2010-03-03T12:17:00.001-07:00

I first came across the Anti-XSS library while reading the following post: Cross site scripting and ways to code against it on the IT_Country blog.

So what is it?
According to Microsoft:

AntiXSS 3.1 helps you to protect your current applications from cross-site scripting attacks, at the same time helping you to protect your legacy application with its Security Runtime Engine

Doesnt “System.Web.HttpUtility.HtmlEncode” do that already?
Yes, but there is a difference. The biggest is that HttpUtility.HtmlEncode uses a blacklist, whereas AntiXss.HtmlEncode uses a whitelist. (A whitelist is basically a list of allowed attendees at a party and a blacklist is a list of unallowed people to a party). Obviously a white list is more restrictive and hence more safe. According to Syed Aslam Basha, (Tester on Microsoft’s Information Security Tools Team), these are the differences:

Anti-XSS uses the white-listing technique, sometimes referred to as the principle of inclusions, to provide protection against Cross-Site Scripting (XSS) attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). System.Web.HttpUtility.HtmlEncode and other encoding methods in that namespace use principle of exclusions and encode only certain characters designated as potentially dangerous such as <, >, & and ' characters.
The Anti-XSS Library's list of white (or safe) characters support more than a dozen languages (Greek and Coptic,Cyrillic,Cyrillic Supplement, Armenian, Hebrew, Arabic, Syriac, Arabic Supplement, Thaana, NKo and more)
Anti-XSS library has been designed specially to mitigate XSS attacks whereas HttpUtility encoding methods are created to ensure that ASP.NET output does not break HTML.
Performance - the average delta between AntiXss.HtmlEncode() and HttpUtility.HtmlEncode() is +0.1 milliseconds per transaction.

from: Differences Between AntiXss.HtmlEncode and HttpUtility.HtmlEncode Methods

How do you use it?
Its simple really:

AntiXss.GetSafeHtml: Returns well formed HTML that is XHTML compliant. (if <html> or <body> tags are missing they are added back in).

AntiXss.GetSafeHtmlFragment: Returns well formed HTML fragments (does not try and add <html> or <body> tags).

The AntiXSS library also provides other methods that can be used depending on where you are going to be using the user input data. For example:
AntiXss.HtmlAttributeEncode – used when user input is being used as an attribute inside a HTML tag.
AntiXss.JavaScriptEncode – used when user input data is being used inside <script> tags.
AntiXss.UrlEncode – used when user input is being used in a url.

Correct Sequence of Usage:

According to the documentation, the correct sequence is not to perform the encoding as soon as you start working with the user provided data, but just before presenting the user provided data back to user.

Here is an example from the documentation:

// Correct Sequence **** 
protected void Button1_Click(object sender, EventArgs e) 
{ 
    // Read input String Input = TextBox1.Text; 
    // Process input ... 
    // Encode untrusted input and write output 
    Response.Write(”The input you gave was” + Microsoft.Security.Application.AntiXss.HtmlEncode(Input)); 
}

// Incorrect sequence!!!
protected void Button1_Click(object sender, EventArgs e)
{
    // Read input
    String Input = TextBox1.Text;
    // Encode untrusted input
    Input = Microsoft.Security.Application.AntiXss.HtmlEncode(Input);
    // Process input
    ...
    // Write Output
    Response.Write(”The input you gave was” + Input );
}

AntiXSS Members:

Name	Description
GetSafeHtml	Returns a safe version of HTML page by either sanitizing or removing all malicious scripts.
GetSafeHtmlFragment	Returns a safe version of HTML fragment by either sanitizing or removing all malicious scripts.
HtmlAttributeEncode	Encodes input strings for use in HTML attributes.
HtmlEncode	Encodes a input string before safely sending it to a browser client.
JavaScriptEncode	Encodes input strings for use in JavaScript.
UrlEncode	Encodes input strings for use in universal resource locators (URLs).
VisualBasicScriptEncode	Encodes input strings for use in Visual Basic Script.
XmlAttributeEncode	Encodes input strings for use in XML attributes.
XmlEncode	Encodes input strings for use in XML.

More Info:

CodePlex: AntiXSS
CodePlex Discussion: http://antixss.codeplex.com/Thread/List.aspx.
AntiXSS 3.2 download: http://www.microsoft.com/downloads/details.aspx?familyid=051EE83C-5CCF-48ED-8463-02F56A6BFC09&displaylang=en
Security Tools Team Blog: http://blogs.msdn.com/securitytools/archive/tags/Anti-XSS/default.aspx
OWASP XSS Prevention Cheat Sheet: OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet

Use the 404 page to find missing children

2010-02-28T00:24:00.001-07:00

Scott Hanselman blogged about an excellent idea that he had seen where a PHP developer had created a 404 page that displayed a list of missing children.

In my opinion this is a great idea – as people always end up seeing a 404 page and by displaying a list of missing kids – who knows, we might just be able to find a missing kid. Scott created a 404 page using only Javascript (the original used server side PHP). Scott’s implementation uses the ASP.Net AJAX Library and specifically uses the DataView control.

I wanted to make a few modifications to Scott’s implementation of the 404 page:

Make the page so that it is a lot more easier for someone to download the code and reuse it.
Use only JQuery
Geolocate the user using their IP address.

The reason I wanted to use only JQuery was that I didnt think it was necessary to download an extra javascript library just to display the data, when JQuery could do it all. (In addition, I used direct references to jQuery – instead of the $, as it makes it easier to include on a DotNetNuke site).

The biggest improvement in my opinion is the use of the client’s IP address to geo-locate them. By geo-locating the end user, I can customize the list of children to the state from where the user is. This in my opinion increases the probability of finding missing children as the list is smaller and more relevant to the user.

For geo-locating the user, I use two techniques. Because JQuery is loaded using Google’s content delivery network I can use Google’s API to try and determine the location of the user. If this fails (and it does many times), I use IPInfoDB’s webservice to try and geo-locate the user.

Here is where you can take a look at my implementation of the 404 page with geolocation capabilities: http://www.aggregatedintelligence.com/404.html

Note:

As I use the Google API, you will need to generate a Google API key to use the code on a webserver (if you are testing – you dont need to do anything). To get the key go to : http://code.google.com/apis/ajaxsearch/signup.html. Once you generate the key, plug it into the file at line: 33 (or search for “YourGoogleApiKeyHere” to find the location).

Download the 404 page from: Google Docs FileShare

Encrypting/Decrypting using DigitalCertificates using C#

2010-02-26T16:31:00.001-07:00

Here is some quick code I wrote up that allows you to perform Asymmetric encryption using the RSA algorithm. The keys used are from a digital certificate stored in the local user’s cert store (the code to create a certificate for testing is also included in the sample.

using System;
using System.IO;
using System.Text;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

namespace X509Certificate2_Encryption_Example
{
    class X509Certificate2_Cryptographer
    {
        //creating the certificate
        //makecert -r -pe -n "CN=WWW.AGGREGATEDINTELLIGENCE.COM" -b 01/01/2005 -e 01/01/2020 -sky exchange -ss my
        public static void Main()
        {
            try
            {
                X509Certificate2 x509_2 = LoadCertificate(StoreLocation.CurrentUser, "CN=WWW.AGGREGATEDINTELLIGENCE.COM");
                //DisplayX509CertificateInfo(x509_2);
                
                string plaintext = "HelloWorld";
                Console.WriteLine("Plain text: " + plaintext + Environment.NewLine);
                
                string encryptedstring = Encrypt(x509_2, plaintext);
                Console.WriteLine("Encrypted text: " + Environment.NewLine + encryptedstring + Environment.NewLine);
                
                string decryptedstring = Decrypt(x509_2, encryptedstring);
                Console.WriteLine("decrypted text: " + decryptedstring + Environment.NewLine);                
            }
            catch (Exception e)
            {
                Console.WriteLine("Error: {0}", e.Message);
            }
            Console.ReadLine();
        }
        
        public static X509Certificate2 LoadCertificate(StoreLocation storeLocation, string certificateName )
        {
            X509Store store = new X509Store(storeLocation);
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection certCollection = store.Certificates;
            X509Certificate2 x509 = null;
            foreach (X509Certificate2 c in certCollection)
            {
                if (c.Subject == certificateName)
                {
                    x509 = c;
                    break;
                }
            }
            if (x509 == null)
                Console.WriteLine("A x509 certificate for " + certificateName + " was not found");
            store.Close();
            return x509;
        }
        
        public static void DisplayX509CertificateInfo(X509Certificate2 x509)
        {
            if (x509 == null)
                throw new Exception("A x509 certificate must be provided");
                
            Console.WriteLine("{0}Subject: {1}{0}", Environment.NewLine,x509.Subject);
            Console.WriteLine("{0}Issuer: {1}{0}", Environment.NewLine,x509.Issuer);
            Console.WriteLine("{0}Version: {1}{0}", Environment.NewLine,x509.Version);
            Console.WriteLine("{0}Valid Date: {1}{0}", Environment.NewLine,x509.NotBefore);
            Console.WriteLine("{0}Expiry Date: {1}{0}", Environment.NewLine,x509.NotAfter);
            Console.WriteLine("{0}Thumbprint: {1}{0}", Environment.NewLine,x509.Thumbprint);
            Console.WriteLine("{0}Serial Number: {1}{0}", Environment.NewLine,x509.SerialNumber);
            Console.WriteLine("{0}Friendly Name: {1}{0}",Environment.NewLine,x509.PublicKey.Oid.FriendlyName);
            Console.WriteLine("{0}Public Key Format: {1}{0}",Environment.NewLine,x509.PublicKey.EncodedKeyValue.Format(true));
            Console.WriteLine("{0}Raw Data Length: {1}{0}", Environment.NewLine,x509.RawData.Length);
            Console.WriteLine("{0}Certificate to string: {1}{0}", Environment.NewLine,x509.ToString(true));

            Console.WriteLine("{0}Certificate to XML String: {1}{0}",Environment.NewLine,x509.PublicKey.Key.ToXmlString(false));
        }
        
        public static string Encrypt(X509Certificate2 x509, string stringToEncrypt)
        {
            if (x509 == null || string.IsNullOrEmpty(stringToEncrypt))
                throw new Exception("A x509 certificate and string for encryption must be provided");
                
            RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)x509.PublicKey.Key;
            byte[] bytestoEncrypt = ASCIIEncoding.ASCII.GetBytes(stringToEncrypt);
            byte[] encryptedBytes = rsa.Encrypt(bytestoEncrypt, false);
            return Convert.ToBase64String(encryptedBytes);
        }
        
        public static string Decrypt(X509Certificate2 x509, string stringTodecrypt)
        {
            if (x509 == null || string.IsNullOrEmpty(stringTodecrypt))
                throw new Exception("A x509 certificate and string for decryption must be provided");
                
            if (!x509.HasPrivateKey)
                throw new Exception("x509 certicate does not contain a private key for decryption");
                
            RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)x509.PrivateKey;
            byte[] bytestodecrypt = Convert.FromBase64String(stringTodecrypt);
            byte[] plainbytes = rsa.Decrypt(bytestodecrypt, false);
            System.Text.ASCIIEncoding enc = new System.Text.ASCIIEncoding();
            return enc.GetString(plainbytes);
        }
    }
}

Notes:

RSACryptoServiceProvider: http://msdn.microsoft.com/en-us/library/bfsktky3(VS.80).aspx

MakeCert: http://msdn.microsoft.com/en-us/library/bfsktky3(VS.80).aspx

X509Certificate2 Class: http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.aspx

Example of Rijndael based encryption/decryption in C#

2010-02-26T15:32:00.001-07:00

from: http://www.obviex.com/samples/Code.aspx?Source=EncryptionCS&Title=Symmetric%20Key%20Encryption&Lang=C%23

Uses plain text for its initialization vector and password. Which means that you can store those values in your web.config (which you would obviously have to encrypt – see exportable encryptio)

///////////////////////////////////////////////////////////////////////////////
// SAMPLE: Symmetric key encryption and decryption using Rijndael algorithm.
// 
// To run this sample, create a new Visual C# project using the Console
// Application template and replace the contents of the Class1.cs file with
// the code below.
//
// THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED 
// WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
// 
// Copyright (C) 2002 Obviex(TM). All rights reserved.
// 
using System;
using System.IO;
using System.Text;
using System.Security.Cryptography;

/// <summary>
/// This class uses a symmetric key algorithm (Rijndael/AES) to encrypt and 
/// decrypt data. As long as encryption and decryption routines use the same
/// parameters to generate the keys, the keys are guaranteed to be the same.
/// The class uses static functions with duplicate code to make it easier to
/// demonstrate encryption and decryption logic. In a real-life application, 
/// this may not be the most efficient way of handling encryption, so - as
/// soon as you feel comfortable with it - you may want to redesign this class.
/// </summary>
public class RijndaelSimple
{
    /// <summary>
    /// Encrypts specified plaintext using Rijndael symmetric key algorithm
    /// and returns a base64-encoded result.
    /// </summary>
    /// <param name="plainText">
    /// Plaintext value to be encrypted.
    /// </param>
    /// <param name="passPhrase">
    /// Passphrase from which a pseudo-random password will be derived. The
    /// derived password will be used to generate the encryption key.
    /// Passphrase can be any string. In this example we assume that this
    /// passphrase is an ASCII string.
    /// </param>
    /// <param name="saltValue">
    /// Salt value used along with passphrase to generate password. Salt can
    /// be any string. In this example we assume that salt is an ASCII string.
    /// </param>
    /// <param name="hashAlgorithm">
    /// Hash algorithm used to generate password. Allowed values are: "MD5" and
    /// "SHA1". SHA1 hashes are a bit slower, but more secure than MD5 hashes.
    /// </param>
    /// <param name="passwordIterations">
    /// Number of iterations used to generate password. One or two iterations
    /// should be enough.
    /// </param>
    /// <param name="initVector">
    /// Initialization vector (or IV). This value is required to encrypt the
    /// first block of plaintext data. For RijndaelManaged class IV must be 
    /// exactly 16 ASCII characters long.
    /// </param>
    /// <param name="keySize">
    /// Size of encryption key in bits. Allowed values are: 128, 192, and 256. 
    /// Longer keys are more secure than shorter keys.
    /// </param>
    /// <returns>
    /// Encrypted value formatted as a base64-encoded string.
    /// </returns>
    public static string Encrypt(string   plainText,
                                 string   passPhrase,
                                 string   saltValue,
                                 string   hashAlgorithm,
                                 int      passwordIterations,
                                 string   initVector,
                                 int      keySize)
    {
        // Convert strings into byte arrays.
        // Let us assume that strings only contain ASCII codes.
        // If strings include Unicode characters, use Unicode, UTF7, or UTF8 
        // encoding.
        byte[] initVectorBytes = Encoding.ASCII.GetBytes(initVector);
        byte[] saltValueBytes  = Encoding.ASCII.GetBytes(saltValue);
        
        // Convert our plaintext into a byte array.
        // Let us assume that plaintext contains UTF8-encoded characters.
        byte[] plainTextBytes  = Encoding.UTF8.GetBytes(plainText);
        
        // First, we must create a password, from which the key will be derived.
        // This password will be generated from the specified passphrase and 
        // salt value. The password will be created using the specified hash 
        // algorithm. Password creation can be done in several iterations.
        PasswordDeriveBytes password = new PasswordDeriveBytes(
                                                        passPhrase, 
                                                        saltValueBytes, 
                                                        hashAlgorithm, 
                                                        passwordIterations);
        
        // Use the password to generate pseudo-random bytes for the encryption
        // key. Specify the size of the key in bytes (instead of bits).
        byte[] keyBytes = password.GetBytes(keySize / 8);
        
        // Create uninitialized Rijndael encryption object.
        RijndaelManaged symmetricKey = new RijndaelManaged();
        
        // It is reasonable to set encryption mode to Cipher Block Chaining
        // (CBC). Use default options for other symmetric key parameters.
        symmetricKey.Mode = CipherMode.CBC;        
        
        // Generate encryptor from the existing key bytes and initialization 
        // vector. Key size will be defined based on the number of the key 
        // bytes.
        ICryptoTransform encryptor = symmetricKey.CreateEncryptor(
                                                         keyBytes, 
                                                         initVectorBytes);
        
        // Define memory stream which will be used to hold encrypted data.
        MemoryStream memoryStream = new MemoryStream();        
                
        // Define cryptographic stream (always use Write mode for encryption).
        CryptoStream cryptoStream = new CryptoStream(memoryStream, 
                                                     encryptor,
                                                     CryptoStreamMode.Write);
        // Start encrypting.
        cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length);
                
        // Finish encrypting.
        cryptoStream.FlushFinalBlock();

        // Convert our encrypted data from a memory stream into a byte array.
        byte[] cipherTextBytes = memoryStream.ToArray();
                
        // Close both streams.
        memoryStream.Close();
        cryptoStream.Close();
        
        // Convert encrypted data into a base64-encoded string.
        string cipherText = Convert.ToBase64String(cipherTextBytes);
        
        // Return encrypted string.
        return cipherText;
    }
    
    /// <summary>
    /// Decrypts specified ciphertext using Rijndael symmetric key algorithm.
    /// </summary>
    /// <param name="cipherText">
    /// Base64-formatted ciphertext value.
    /// </param>
    /// <param name="passPhrase">
    /// Passphrase from which a pseudo-random password will be derived. The
    /// derived password will be used to generate the encryption key.
    /// Passphrase can be any string. In this example we assume that this
    /// passphrase is an ASCII string.
    /// </param>
    /// <param name="saltValue">
    /// Salt value used along with passphrase to generate password. Salt can
    /// be any string. In this example we assume that salt is an ASCII string.
    /// </param>
    /// <param name="hashAlgorithm">
    /// Hash algorithm used to generate password. Allowed values are: "MD5" and
    /// "SHA1". SHA1 hashes are a bit slower, but more secure than MD5 hashes.
    /// </param>
    /// <param name="passwordIterations">
    /// Number of iterations used to generate password. One or two iterations
    /// should be enough.
    /// </param>
    /// <param name="initVector">
    /// Initialization vector (or IV). This value is required to encrypt the
    /// first block of plaintext data. For RijndaelManaged class IV must be
    /// exactly 16 ASCII characters long.
    /// </param>
    /// <param name="keySize">
    /// Size of encryption key in bits. Allowed values are: 128, 192, and 256.
    /// Longer keys are more secure than shorter keys.
    /// </param>
    /// <returns>
    /// Decrypted string value.
    /// </returns>
    /// <remarks>
    /// Most of the logic in this function is similar to the Encrypt
    /// logic. In order for decryption to work, all parameters of this function
    /// - except cipherText value - must match the corresponding parameters of
    /// the Encrypt function which was called to generate the
    /// ciphertext.
    /// </remarks>
    public static string Decrypt(string   cipherText,
                                 string   passPhrase,
                                 string   saltValue,
                                 string   hashAlgorithm,
                                 int      passwordIterations,
                                 string   initVector,
                                 int      keySize)
    {
        // Convert strings defining encryption key characteristics into byte
        // arrays. Let us assume that strings only contain ASCII codes.
        // If strings include Unicode characters, use Unicode, UTF7, or UTF8
        // encoding.
        byte[] initVectorBytes = Encoding.ASCII.GetBytes(initVector);
        byte[] saltValueBytes  = Encoding.ASCII.GetBytes(saltValue);
        
        // Convert our ciphertext into a byte array.
        byte[] cipherTextBytes = Convert.FromBase64String(cipherText);
        
        // First, we must create a password, from which the key will be 
        // derived. This password will be generated from the specified 
        // passphrase and salt value. The password will be created using
        // the specified hash algorithm. Password creation can be done in
        // several iterations.
        PasswordDeriveBytes password = new PasswordDeriveBytes(
                                                        passPhrase, 
                                                        saltValueBytes, 
                                                        hashAlgorithm, 
                                                        passwordIterations);
        
        // Use the password to generate pseudo-random bytes for the encryption
        // key. Specify the size of the key in bytes (instead of bits).
        byte[] keyBytes = password.GetBytes(keySize / 8);
        
        // Create uninitialized Rijndael encryption object.
        RijndaelManaged    symmetricKey = new RijndaelManaged();
        
        // It is reasonable to set encryption mode to Cipher Block Chaining
        // (CBC). Use default options for other symmetric key parameters.
        symmetricKey.Mode = CipherMode.CBC;
        
        // Generate decryptor from the existing key bytes and initialization 
        // vector. Key size will be defined based on the number of the key 
        // bytes.
        ICryptoTransform decryptor = symmetricKey.CreateDecryptor(
                                                         keyBytes, 
                                                         initVectorBytes);
        
        // Define memory stream which will be used to hold encrypted data.
        MemoryStream  memoryStream = new MemoryStream(cipherTextBytes);
                
        // Define cryptographic stream (always use Read mode for encryption).
        CryptoStream  cryptoStream = new CryptoStream(memoryStream, 
                                                      decryptor,
                                                      CryptoStreamMode.Read);

        // Since at this point we don't know what the size of decrypted data
        // will be, allocate the buffer long enough to hold ciphertext;
        // plaintext is never longer than ciphertext.
        byte[] plainTextBytes = new byte[cipherTextBytes.Length];
        
        // Start decrypting.
        int decryptedByteCount = cryptoStream.Read(plainTextBytes, 
                                                   0, 
                                                   plainTextBytes.Length);
                
        // Close both streams.
        memoryStream.Close();
        cryptoStream.Close();
        
        // Convert decrypted data into a string. 
        // Let us assume that the original plaintext string was UTF8-encoded.
        string plainText = Encoding.UTF8.GetString(plainTextBytes, 
                                                   0, 
                                                   decryptedByteCount);
        
        // Return decrypted string.   
        return plainText;
    }
}

/// <summary>
/// Illustrates the use of RijndaelSimple class to encrypt and decrypt data.
/// </summary>
public class RijndaelSimpleTest
{
    /// <summary>
    /// The main entry point for the application.
    /// </summary>
    [STAThread]
    static void Main(string[] args)
    {
        string   plainText          = "Hello, World!";    // original plaintext
        
        string   passPhrase         = "Pas5pr@se";        // can be any string
        string   saltValue          = "s@1tValue";        // can be any string
        string   hashAlgorithm      = "SHA1";             // can be "MD5"
        int      passwordIterations = 2;                  // can be any number
        string   initVector         = "@1B2c3D4e5F6g7H8"; // must be 16 bytes
        int      keySize            = 256;                // can be 192 or 128
        
        Console.WriteLine(String.Format("Plaintext : {0}", plainText));

        string  cipherText = RijndaelSimple.Encrypt(plainText,
                                                    passPhrase,
                                                    saltValue,
                                                    hashAlgorithm,
                                                    passwordIterations,
                                                    initVector,
                                                    keySize);

        Console.WriteLine(String.Format("Encrypted : {0}", cipherText));
        
        plainText          = RijndaelSimple.Decrypt(cipherText,
                                                    passPhrase,
                                                    saltValue,
                                                    hashAlgorithm,
                                                    passwordIterations,
                                                    initVector,
                                                    keySize);

        Console.WriteLine(String.Format("Decrypted : {0}", plainText));
    }
}
//
// END OF FILE
///////////////////////////////////////////////////////////////////////////////

Google Tasks - Bookmarklet

2010-02-24T16:29:00.001-07:00

Here is a bookmarklet that opens Google Tasks in its own little window:

javascript:newwindow=window.open('http://mail.google.com/tasks/ig','','resizable=1,toolbar=0,location=0,status=0,menubar=0,scrollbars=1,width=400,height=600');newwindow.focus();

Just create a bookmark, open its properties and paste the above code into the address field. Move the bookmark to your toolbar for easy access.

DotNetNuke Zero Day Vulnerability (semi-colon bug)

2010-02-23T22:54:00.000-07:00

There is a major security loop hole in DotNetNuke versions 4.9.2 and below where DNN will allow an unauthorized user to upload almost any file onto the server. This loop hole combined with the IIS 5/6 zero day multiple extension exploit can allow a hacker complete access to your website.So if you are a DNN version that is not 4.9.4 and up – read on as this is huge hole in your website.

The DNN Issue:

If you browse to the following sub-folder on your DNN site “Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx”, you will see a page that looks like this:

The above page on its own is not too bad. But if you now paste the following javascript code into the address bar and hit enter: “javascript:__doPostBack('ctlURL$cmdUpload','')” you will see the following browse dialog which will allow you to upload almost any file onto the website (restricted to the list of files allowed by FCKEditor – typically images, documents, etc).

The above hack will typically lead to hackers dropping small txt files that have some kind of a notice saying that your website has been hacked!

It is hard to do anything substantial with this hack alone.

But wait there is more…..

The IIS Issue:

On December 25th of 2009, an “Ethical” hacker found a vulnerability in IIS 5 and IIS 6 called the “semi-colon” bug or the “multiple extensions IIS/ASP bug”. Read More.

The semi-colon bug allows any file that has .asp in the file name to execute as an ASP file. This bug occurs in all versions of IIS 6 and prior. This means that a file named “innocusFile.asp;.jpg” will be executed like an ASP file.

The big scary picture:

The 2 bugs on their own were bad, but it still would be hard for anything bad to happen. But together – they open up a can of worms that is going to make everyone in your organization pulling every fire alarm in the building. Here is the big picture:

1. Hacker fabricates an ASP file that uses COM objects such as the FileSystemObject to get complete access to your computer.
2. Hacker names the asp file as “myHack.asp;.jpg”.
3. Hacker navigates to the “Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx” file in his browser and uses the DNN loop hole to upload his myHack.asp;.jpg file. DNN complies because it thinks it is a simple jpg file. This is because DNN looks only at the last extension it finds in a file name.
4. The file uploads to the DNN website to the folder (WITHHELD – to protect unprotected DNN sites).
5. The hacker browses to the file that he uploaded. The file is delivered to the ASP processing engine by IIS and a page that opens up the entire computer to the hacker is displayed. This is because IIS has been coded such that it recognizes a file type based on its extension even if the extension is not the last part of the file name!!
6. The hacker uses his ASP page to get full control of your website (and I mean full control – all disk drives, connection strings, databases, registy, etc.). Nothing is safe after this.
Here is a sample ASP file called the “Smart Shell”, that basically shows the capabilities that an hacker can get over your website: (This kind of an ASP file is also called the 3fexe ASP hack).

How to mitigate:

Because there is no known fix, there are only ways to mitigate this attack (and hence it is a zero-day hack).

1. Rename the fcklinkgallery.aspx file
As fcklinkgallery.aspx is the entry point for this hack attack, the first thing to do is to rename this file. I suggest using a random file name – like a guid. After you rename the file, you will need to update the “LinksGalleryPath” setting in your config file. This will be found in the <dotnetnuke><htmlEditor><providers><add name="FckHtmlEditorProvider"> section. Just look for “LinksGalleryPath” and update the value to the newly named file name.
If the hacker cannot browse to the fcklinkgallery.aspx file, he will not be able to upload a ASP file onto your DNN site.

2. Remove Execute permission on the Portals folder of your DNN site.
The sub-folder “Portals” in your DNN site typically does not need to be able to run ASP files or any other files. So remove “Execute” permissions on that folder.
Open up IIS.
Expand the website node for your DNN site.
Select the Portals node in the explorer view on the left.
Right click on the Portals node and open the Properties dialog.
Chose the Directory Node.
Set Execute Permissions to “None”.

3. Remove access to FileSystemObject.
This falls into the excessively precautious as it is not really required for you to do. An important note: Do not do this if you know that you have some ASP apps on your site and if those ASP apps use FileSystemObject – you might end up hosing those apps.
There are 2 ways to do this: Remove access to this COM object from the security principal used to run your IIS website (typically ASPNET) or to completely unregister the dll.

1. Registry access:
Open registry editor.
Browse to “HKEY_CLASSES_ROOT\Scripting.FileSystemObject”, right click and under permissions deny access to the ASPNET user.

2. Completely disable FileSystemObject
Run regsvr32 scrrun.dll .u in the C:\windows\System32 folder.

Remember – step 3 is really not required to be done.

The only Fix:

The only “true” fix is to upgrade to IIS 7 or higher and a DNN version of 4.9.4 or higher.

Notes:
Securing IIS 6.0:
http://technet.microsoft.com/en-us/library/cc875829.aspx

One way hacking (which is what the above type of hack is known as):
http://www.net-square.com/papers/one_way/one_way.html

Restricting information available to anonymous users:
http://support.microsoft.com/kb/143474

DNN LinkGallery Remote File Upload without Extension:
http://securityreason.com/exploitalert/6234

DNN Failure to revalidate file and folder permissions correctly for uploads:
http://www.dotnetnuke.com/News/SecurityPolicy/SecurityBulletinno17/tabid/1162/Default.aspx

IIS Security Vulnerability and DNN
http://www.dotnetnuke.com/Community/Forums/tabid/795/forumid/108/postid/347394/scope/posts/Default.aspx

SQL Server and External Connector Licenses

2010-02-23T17:41:00.001-07:00

If you have a web-application that uses a SQL Server database then you might have to buy an external connector license (this I did not know before today – luckily we have a licensing guy in our org.)

From http://www.microsoft.com/licensing/about-licensing/client-access-license.aspx:

External Connector Licensing:

An external user is a person who is not an employee or similar personnel of the company or its affiliates, and is not someone to whom you provide hosted services. An EC license assigned to a server permits access by any number of external users, as long as that access is for the benefit of the licensee and not the external user.

Anyways, the only time you wont need an external connector license for your SQL Server database is when your installation is licensed by the processor.

Per Processor Licensing

Under the Per Processor model, you acquire a Processor License for each processor in the server on which the software is running. A Processor License includes access for an unlimited number of users to connect from either inside the local area network (LAN) or wide area network (WAN), or outside the firewall (via the Internet). You do not need to purchase additional server licenses, CALs, or Internet Connector Licenses.

Response.Redirect cannot be called in a Page callback

2010-02-22T12:13:00.001-07:00

If you are getting the “Response.Redirect cannot be called in a Page callback” then you are most probably using AJAX and you are using a Response.Redirect (or Server.Transfer) in an event that was fired from within an AJAX panel.

The reason this does not work is that there is only a partial post-back that occurs with controls that are within an AJAX panel and you cannot perform a Redirect from within a partial post-back.

Fixes:

1. Dont do a redirect in an event that is fired due to a partial post-back!

2. In the event, instead of doing a redirect, register a javascript method that will perform the redirect from the client’s browser. eg:

string script = string.Format("document.location.href = '{0}');", "pageToRedirectTo.aspx");
ScriptManager.RegisterClientScriptBlock(Page, typeof(Page), "redirect", script, true);

MousePath – create your own art

2010-02-20T06:39:00.001-07:00

Came across this very cool app that tracks your mouse and draws out lines on a large canvas. The app is called MousePath and was created by Anatoliy Zenkov.

MousePath is a Java app and can be downloaded for the PC (dl.dropbox.com/u/684632/mousepath.exe.zip) and Mac(dl.dropbox.com/u/684632/mousepath.jar)

You run the app and leave it in its maximized state and then go about doing your daily work. And when you are happy with the art created just hit the S button and it will create a file in the same folder where the app is running.

Here is my mousepath art created after 30 minutes:

BBC Redesign

2010-02-19T19:56:00.001-07:00

Here is a post on how the BBC is redesigning their new website. I found it an interesting study in design and how through their project was (setting guidelines on underlying grids, color palettes, embedding of audio/video, etc).

Also as some one who is completely bereft of the ability to choose good colors that go well with each other, there are palettes on the page that I could use on my web-pages (as well as other design pointers).

http://www.bbc.co.uk/blogs/bbcinternet/2010/02/a_new_global_visual_language_f.html

Keeping Employees Motivated

2010-02-19T19:08:00.001-07:00

From a Harvard Business School article:

First step: stop demotivating employees

According to the author there are just three important factors that matter most when it comes to keeping employees motivated:

Equity: To be respected and to be treated fairly in areas such as pay, benefits, and job security.
Achievement: To be proud of one's job, accomplishments, and employer.
Camaraderie: To have good, productive relationships with fellow employees.

Interestingly, the author found that if one of the above factors is missing, then they cannot be substituted with another factor (for e.g: higher pay).

And here are the main things the author says managers can do in different areas:

Achievement related

Instill an inspiring purpose
Provide recognition
Be an expediter for your employees
Coach your employees for improvement

Equity related

Communicate fully
Face up to poor performance

Camaraderie related

Promote teamwork

All three areas (Achievement, Equity and Camaraderie)

Listen and involve

Read the entire article as it elaborates on the above listed points.

http://hbswk.hbs.edu/archive/5289.html

Artisteer – Create templates for some common content systems

2010-02-17T23:37:00.001-07:00

I have written many times on this blog that the one skill that I lack is that of an artist. Colors, layout, etc are hard for me to just create. But when I see good design, I know it. It just appeals to me. If I have to work with a good designer, then I can come up with some cool UIs – but a good designer is a luxury that isnt always available on all the projects that we work on. This is especially true for personal projects.

Today I came across a tool called Artisteer. It looks very promising as a template creation engine, that makes it extremely easy to create design templates for CMSs like DotNetNuke, Blogger, etc.

I plan on writing more about my experience with Artisteer.

Today I tested it out with Blogger and I realized that I needed to backout the change. While exporting a template, Artisteer displayed a message about saving a backup of the existing template. But when the time came to revert back to the old design, I could not find it on my machine. Here is where you can find it:

Windows 7: C:\Users\<USER_NAME>\AppData\Roaming\Artisteer\Artisteer2\Library\BloggerBackup

Windows Vista: C:\Documents and Settings\<USER_NAME>\Application Data\Artisteer\Artisteer2\Library\BloggerBackup

Disclosure: I requested a demo license from Artisteer creators to test out the capabilities of the tool when it comes to Blogger blogs and DotNetNuke. The above instruction, as well as any others that I create related to Artisteer, will be based on my testing with a Artisteer version activated by a free license key provided by the developers of the app.

Recycled Material Art

2010-02-17T23:14:00.001-07:00

Recycled material/art I came across

DNN Redirect Loop

2010-02-17T17:07:00.001-07:00

I was setting up a local dev edition of our DNN site and I went through the usual cycle:

1. Copy site to local machine

2. Set the permissions on the folder

3. Create a website in IIS

4. Copy the database to the local SQLServer Express instance

5. Update the Portal Alias table to point to the localhost

6. Update web.config’s connection strings and SiteSQLServer settings as well as the “SecureDomains”, “RedirectUrl’, and “DisplayServer” to point to the localhost.

7. Test

Hmmph!

The homepage was ending up in an infinite redirect loop (IE does not complain and just keeps on going in the loop. Chrome is smarter about this and complains and stops with an error page).

Weird thing was that I could hit a page alright if I had the correct tabid. But I could not just go “http://localhost/”

I checked the usual suspects – the PortalAlias table and also made sure that none of the entries ended with a “/” – all that was fine.

Finally found out the issue was occuring because the RedirectUrl setting in the web.config file had a trailing “/” (http://localhost/"). DNN does not like that!

Comcast XFinity

2010-02-17T15:28:00.001-07:00

Heard about Comcast’s XFinity upgrade today (it isnt yet available in my neck of the woods in Denver), but the features look interesting:

From Xfinity.com:

50Mbps downloads today, increasing to 100+ Mbps and even faster in the future
100+ HD channels, 5,000+ HD choices, and the best HD picture quality available
50 to 70 multi-cultural channels
Approaching 20,000+ Video On Demand titles
Fancast XFINITY TV, with 19,000+ movies, top shows, and other content available online, at home or on the go
New cross-platform and mobile features like: remote DVR, Universal Caller ID, an interactive home telephone, apps for iPhones and the ability to use a remote control to order products and services while watching TV

Comcast’s service has overall been good. My only problem with them has been the price that they think their customers are willing to pay. I am seriously considering cutting out cable the next time I have to renew my services at a higher fee.

Denver DNN User Group Meeting

2010-02-16T20:55:00.001-07:00

The next DNN user group meeting will be held at the City and County of Denver’s Webb Municipal building…. more info:
http://denver.dnnug.com/news/itemId/40/February-2010-Meeting-2232010--Chris-Hammond-.aspx

Our disaster recovery plan….

2010-02-14T11:30:00.001-07:00

http://www.amazon.ca/Disaster-Recovery-Plan-Goes-Something/dp/0740715674