Well, what did I learn while at Code Camp last weekend.?

• Wellington .NET dev community is passionate and quite diverse
• Objective C is more smalltalk-ish than I realised from previous snippets I had seen
• Xcode IDE is less 'integrated' than Visual Studio
• I now know more about CRM and other Microsoft solutions
• A panel discussion (Usability or Security) can be fun when the audience participates
• How to make my code slightly more maintainable
• Code contracts gel with me more than Spec# did. and I like them
• F# continues to be awesome and yet awe-inspiring
• Sync framework looks like a good solution for occasionally connected apps, with a good set of functionality out of the box
• And I demoed a beta IDE in a beta VM on a beta OS (VS2010 in Windows Virtual XP on Windows 7)

Sponsors are awesome!

• Whitireia Community Polytechnic (in particular, the Bachelor of Information Technology staff) were very accommodating hosts
• Mindscape surprised by offering prizes of 2 LightSpeed licenses and one "bundle of everything"
• Microsoft NZ sent through prizes, and the Microsoft MVP Programme sponsored some of the costs
• INETA APAC, the International .NET Association also sponsored some of the costs
• Xero also sponsored towards the costs
• DTS provided internet for the weekend

Go Go Gadget. Karting!

I had fun at the go-karts. The winners of the team event were Simon and Bert:

I'm looking forward to the Code Camp this weekend. We've got an interesting range of talks lined up over the two days, and I'll be doing a short talk on what's coming in Visual Studio 2010.

As well as organising the finances and food, I've organised the social event for Saturday night. It's going to be fun!

Code Camp Social Event

6:30pm, Sat 13 June @ North City Indoor Raceway 3 Raiha St, Porirua http://bit.ly/g6gLf

Food at 7pm, racing shortly after. Finish by 9pm.

A family-friendly go-kart race, with geek-against-geek action.

The karting is at the North City Indoor Raceway: http://www.ubd-online.co.nz/indoorkarting/ (see "The Races")

There will be a team race where each team will relay through each driver 3 times, giving 30 laps of racing per person. Everything is computer-timed to find out which team wins, and spectators are welcome to watch.

The food will be BBQ/Salad/Chips, and you can BYO drinks (I'll hopefully have some money left to bring a little along).

Karting plus food: $40
Food only: $10

Spouses and older kids are welcome to kart at the above prices, or come along just for food and cheer your team on!

Many thanks to our sponsors: Whitireia, Xero, Microsoft MVP, INETA, DTS

I visited Napier at lunchtime today to present at the Hawkes Bay .NET User Group.

The presentation was a mixture of my earlier web security talk and the talk I gave recently on the Anti-XSS library which helps when you need to encode untrusted data.

• The Microsoft Anti-XSS Library (use instead of HttpUtility.Encode)
• Security Runtime Engine - automatically encode ASP.NET control properties
• The Classifieds web site starter kit
• Which ASP.NET Controls Automatically Encode?
• Clickjacking video
• Framebusting:
  http://pageofwords.com/blog/2008/10/06/FrameBustingInJavascript.aspx
• OWASP - The Open Web Application Security Project - http://www.owasp.org

Subscribe to my blog: http://pageofwords.com

Cheers!

Kirk

When is it not safe to load an XML file into an XmlDocument object?

Any time the source is untrusted, it turns out:

Tom Hollander: Protecting against XML Entity Expansion attacks

That's one I haven't heard of before, and shows why every input from an untrusted source should be treated with care.

It reminds me of the zip expansion attacks that used to break mail servers 8 or so years ago:

Zip expansion attack. A large uniform file (for example 1 Gbyte of Zeros) is zipped and e-mail. AV or content filtering products attempt to unzip the attachment for checking, but are unable to do so because of lack of disc space. [ecommnet]

The old expanding file trick. What will they think of next?

Kirk

While it's not always like this...

... it's true that Rod does zoom around the office (although not always on the Segway).

[Rod on the Telecom Business Hub]

Kirk

I presented a talk at the Wellington and Auckland .NET user groups this month titled "Best Practices -  Caching". The goal of the talk was to discuss why we might need to add caching to our applications, and the way that we typically add it to each layer:

• Client-side: reducing data flowing to the server, enable caching through expiry etc
• ASP.NET: stashing data; page-level, fragment, IIS caching
• Business layer: cache objects to avoid computation
• Data layer: cache raw data from the database; identity maps
• Database: reduce hits on disk

The difficult part when caching at any layer is invalidating the redundant data that is stored in the cache when the source data changes. It's easier depending on the type of the data:

• Reference - shared reads (e.g. Catalog)
• Easy to cache and distribute
• Activity - exclusive write (e.g. Cart)
• Can cache each user's data separately
• Resource - shared, concurrency read/write, large number of transactions (e.g. Auction bid)
• Caching is hard
• DB is best source of data, with careful caching

The second half of the talk we looked at two caching technologies - memcached and Velocity.

The presentation: Caching.pdf 

Some links:

• Microsoft Project code named Velocity
• Steve Souders - High performance web sites
• YSlow

Kirk

I appreciate good humour more than I appreciate politics, and most of the credit I gave to our former prime minister Helen Clark was for her sharp wit.

It's great that we have a funny guy as our prime minister in New Zealand:

Hat tip to Rod on our Xero blog

Kirk

I've just been awarded Cobol Developer of the year for 2009!

It has been a great ride at Xero, from releasing our first beta little more than 2 years ago, to racking up our 6000th customer this week.

Some people doubted us for picking a VSE/ESA environment and the IBM compiler, but the support for 31 bit addressing and dynamic calls really accelerated our development of a Web 2.0 software product.

I'd like to thank all the other forward thinking members of our team for choosing and building on a great platform, and encouraging me to achieve this award.

Kirk

Deleting your POP3 mailbox using telnet, since Gmail doesn't do it properly :)

I'm using Gmail to check and download my Paradise (ISP) email. This means I can read (almost) all of my personal email in one place.

Gmail appears to only have one option for deleting mail: "Leave a copy of retrieved messages on the server". If you set this option it immediately deletes your mail from the POP server after downloading it to Gmail, which means that you can't check it with an alternate client.

Other mail clients allow you to leave mail on your mail server for a number of days, so I normally set this to 7 days so that if I need to fire up a different client or use my ISP's mail, then I can see recent email. Gmail doesn't have this option, which means if you don't delete mail from your POP account, it will eventually fill up.

For completeness, the sequence of commands to type into telnet to delete a bunch of your mail:

> telnet pop3.paradise.net.nz 110

USER <username>  // Your POP username
PASS <password>  // Your POP password

STAT                        // Lists the number of messages (e.g. +OK 1108 19255723, which means 1108 messages)

// Then for each message
DELE 1
DELE 2
...                         // I used a spreadsheet to quickly generate a list of DELE's from 1 to 1108)

Mission accomplished. An empty POP mailbox without installing (or writing) any extra code :)

Kirk

Well done to the SilverStripe team for getting into the new Microsoft Web Platform installer:

The installer helps people get web applications up and running in a flash, and it's great to see SilverStripe alongside 9 other big-named web apps. This should be great for the initial out-of-the-box experience for their users, and for exposure to new users.

See Nigel's blog for more details.

Jeff Moser writes How .NET Regular Expressions Really Work.

I've got a soft spot for regular expressions (programming Perl can do that to you), and while I understand backtracking and greedy / lazy matching, I've never actually read the source code for a regex library before.

If you haven't either, and want to benefit from someone else's description of the 14,000 lines of .NET regular expression library, you'll enjoy this post.

Kirk