Archive for August, 2006

Charities moving online

Aug 31

Recently I have started donating to more charities. What I have really liked is that most of them now support online donations, which I love.

I recently sponsored my sister in the breast cancer walk here in Edmonton online through a very well done site (congrats to my step-sis and step-mom for doing a 60km walk over two days for this good cause, btw). The site showed how much the person had raised towards their goal. A nice feature was that you could leave a message with your donation that appeared on the person's profile page. A little competitive feature was that you could optionally show how much you donated, so I had to make sure I donated a non-cheapskate amount.

Steven Rockarts is looking for sponsors for the upcoming Parkinson's walk. Their site was also quite easy to donate on. The donation only took a few minutes and was so simple to do, which is key in my books. It did not have all the bells and whistles of the cancer walk site, but that is also a good thing as I want more of my donation to go to research than to website development, of course.

I really applaud charities that have moved to online donations. It makes it way easier to donate (and get a tax receipt too). I also like it from the security perspective. If someone comes to your door asking for a sponsorship, how do you really know that person is not just taking your money and not giving it to charity? So all in all I love charities for doing this and I hope to see more of it in the future.

Filed Under: Uncategorized

The problem with deadlines

Aug 29

Everyone has deadlines, which keep us motivated to work. Personally I cannot seem to work without one. The problem is that when a deadline approaches, quality seems to decline. You start coding faster, testing less, and missing some of the minute points of the spec, in my experience. Although it is semantics, I prefer a target window for a task rather than a set date in time, so the developer feels they have a bit of room to move.

Clients and deadlines are when things get ugly. When something does not get delivered by that date then you are in trouble. I do give my clients a completion date for their problem, but if I feel that there is a delay I tell them so that they are prepared when it is not ready on the initially expected date. For most projects I recommend giving a deadline past when you think you will have it done. If something is delivered a little early the client is usually happier (if it is months early they will feel ripped off though).

Filed Under: Rants

Donate CPU cycles to a good cause

Aug 28

A few years ago I discovered a great project called the World Community Grid. The project is a distributed computing project that uses your free CPU cycles to help solve some of our major problems.

Distributed computing is basically the breaking up of a task to run on multiple computers. So instead of needing an expensive teraflop server to analyze something for years, it can be run on thousands of slower computers which, combined, do a massive amount of calculation.

Two projects have already been completed. The first project was analyzing different smallpox cure candidates. The second project was analyzing human proteome folding to further understand human proteins (not so exciting, but more knowledge is always better) and did the equivalent of 26,645 YEARS of processing (it took only 1.5 actual years to achieve this).

Currently there are several running in parallel, including fighting cancer, AIDS drug research, and human proteome folding 2. The software works quite well and I have not noticed any impact on the performance of my system (the process runs at low priority) for the two years I have been running it.

They even made it a little fun to run. Based on how many results you return you get awarded points and fit into a global ranking system. You can also create and join teams and compete against others. I am currently a part of team Alberta, which has very few members but is fun nonetheless. The other thing I really liked is that I can have multiple computers running under one user account and contributing stats.

So go download it and contribute to a good cause by doing nothing other than donating unused CPU cycles.

Filed Under: Uncategorized

Security Series: Password Cracking

Aug 26

For many years I have had trouble with people thinking that passwords were the answer to security. Granted, they make it so that Joe User cannot log onto your computer without knowing or guessing your password. But for anyone with skills passwords are circumventable, and the circumvention gets quicker and easier all the time. I am going to focus on cracking Windows passwords for this article, but the techniques are the same in almost any situation.

Password Overview

NT based operating systems store your password as an encrypted hash on the disk. This used to be done by taking the password and storing it in two hashes. The first is the Lan Manager hash, which has been around for ages and is broken into two hashes that are seven bytes each. If your password is under seven characters only the first hash will be filled, but if it is ten characters the first hash will have seven characters and the second will have three characters in it. This is a weakness in itself, as now you can take one of the two hashes, crack it, and guess the second part quite easily (e.g. if the first hash is cracked to “waterme” I would guess that the password is “watermellon”). The second hash is the NTLM (NT LAN Manager) hash, which is an MD4 encrypted hash that should hold about 128 characters. It is a much stronger method of storing the password. Most servers implement both for backwards compatibility with Win9x clients, but LM passwords can be disabled.

Cracking Methods

1. Guess and test method. Basically try things like kids' names, birthdays, etc. Surprisingly, this is still effective.
2. Brute force. Throw a dictionary at it (note: throwing a physical dictionary does not work). L0phtCrack was the most famous one and could crack simple passwords in seconds and then start brute forcing random letter / word combinations.
3. Resetting the password. If you have physical access to the server there are some tools out there that allow you to boot and change the password. I have used the Offline Password & Registry Editor for this before with mixed success.
4. If you just want the data and have access to the hardware, simply put the drive into a computer that supports NTFS and ta-da, you have access to the data.
5. Use a rainbow table (the whole point of this article).

Brute Forcing and Rainbow Tables

Brute forcing means that you take a candidate password, hash it, then compare it to the hash on the computer you are trying to crack. If they match then you have found the right password. While an effective way of getting a password, it is quite slow even with today's computing to crack complicated passwords.

A rainbow table is basically a huge database of pre-compiled hashes, so to find a password all you have to do is query the table based on the hash you are trying to crack and there is the password. It is so fast that I just cracked a complicated password, Righ46sdf943 for example, in 10 seconds using ophcrack. Granted I needed physical access, but it just shows how quickly a password can be cracked using this technique. I believe the rainbow table I was using was 400 MB, so that is quite a large database but easy to fit on a CD.

Salting

Salting a password is basically the practice of adding a random bit of data to the password, so that if two people have the password “tomatoe”, by adding a different random salt to each the hashes will be different.

Password   Hash w/o salt                      Salt        Hash w/ salt
tomatoe    0864fc6aaef3b802abe9b88946ad2f61   2457j5476   cb8c202015fc93f1cc49753fb725d3d4
tomatoe    0864fc6aaef3b802abe9b88946ad2f61   e33aga26    000395b229652f67039b5648cc3f1c91

By adding a salt value we effectively change the hash, which makes it harder to get it out of the database. If we were to run the salted hashes (that sounds tasty for some reason) through a rainbow table we would get out a password of tomatoe2457j5476 for our first record, so it is easy to spot the salt added onto the string. Now, rainbow tables are only going to have hashes in them for average length passwords, to keep their size down and lookups fast. Therefore, if you add a large enough salt you should be able to create a hashed password that is too long to be in most rainbow tables yet still allow the user to have a short password. It will just be a matter of time before someone builds a larger database though.
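The brute-force loop, the precomputed lookup that a rainbow table does, and the effect of appending a salt, as an added Python example that is not code from the original post, from ophcrack or from L0phtCrack. It assumes a constructed toy password space of three lowercase letters and uses MD5 as a stand-in for the LM/NT hash; the salts are the two from the table above. It goes a step beyond the post's description of a table as a plain database of hashes and shows the hash/reduce chain structure that keeps real tables down to CD size: only the start and end of each chain is stored, and the rest is recomputed at lookup time.

```python
import hashlib
import string
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed toy password space so everything runs in well under a second:
# three lowercase letters, 26**3 = 17,576 candidates. Real tables cover far
# larger spaces; the mechanics are identical.
CHARSET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(CHARSET) ** PW_LEN
CHAIN_LEN = 20      # hash/reduce steps per chain
NUM_CHAINS = 400    # chains to precompute (stored as start/end pairs only)


def H(password: str) -> str:
    """Unsalted hash. MD5 stands in for LM/NT: all a precomputed table needs is
    that the same password always produces the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def index_to_password(n: int) -> str:
    """Enumerate the password space: 0 -> 'aaa', 1 -> 'baa', ..., SPACE-1 -> 'zzz'."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def reduce_(digest: str, column: int) -> str:
    """Map a digest back into the password space. Mixing in the column index gives
    every chain position its own reduction function, which is what makes this a
    rainbow table and limits chain merges."""
    return index_to_password((int(digest, 16) + column) % SPACE)


def chain_from(start: str) -> List[str]:
    """All passwords visited by one chain: the start, then CHAIN_LEN hash/reduce
    steps. The last entry is the stored endpoint; every earlier entry's hash is covered."""
    passwords = [start]
    for column in range(CHAIN_LEN):
        passwords.append(reduce_(H(passwords[-1]), column))
    return passwords


def build_table(num_chains: int = NUM_CHAINS) -> Dict[str, List[str]]:
    """Precompute chains from evenly spaced starting points and keep only
    endpoint -> starting points. That is the trade: a little recomputation at
    lookup time in exchange for storing a tiny fraction of the hashes."""
    table: Dict[str, List[str]] = defaultdict(list)
    step = SPACE // num_chains
    for i in range(num_chains):
        start = index_to_password(i * step)
        table[chain_from(start)[-1]].append(start)  # merged chains share an endpoint
    return dict(table)


def lookup(table: Dict[str, List[str]], target: str) -> Optional[str]:
    """Recover the password behind `target` if it lies on any stored chain.
    For each column the hash could occupy, finish the chain from there and see
    whether it lands on a stored endpoint; if so, walk that chain from its start
    and return the password that really hashes to `target` (rejects false alarms)."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_(target, column)
        for later in range(column + 1, CHAIN_LEN):
            pw = reduce_(H(pw), later)
        for start in table.get(pw, ()):
            for candidate in chain_from(start):
                if H(candidate) == target:
                    return candidate
    return None


def brute_force(target: str) -> Optional[str]:
    """The slow method from the post: hash every candidate and compare, no precomputation."""
    for n in range(SPACE):
        pw = index_to_password(n)
        if H(pw) == target:
            return pw
    return None


def salted_hash(password: str, salt: str) -> str:
    """The scheme the post describes: the salt is appended before hashing, so what is
    actually hashed ("tomatoe2457j5476") is longer than anything the table covers."""
    return H(password + salt)


if __name__ == "__main__":
    table = build_table()
    victim = chain_from(index_to_password(0))[5]   # a password we know the table covers
    print("table lookup:", lookup(table, H(victim)))
    print("brute force: ", brute_force(H(victim)))
    print("salted:      ", lookup(table, salted_hash(victim, "2457j5476")))
    print("same password, two salts differ:",
          salted_hash("tomatoe", "2457j5476") != salted_hash("tomatoe", "e33aga26"))
```

Running the file recovers a covered password from the table, gets the same answer from brute force after hashing the whole space, and gets nothing back for the salted version: the salted input falls outside the three-character space the table was built for, which is exactly the post's argument for a long salt. The post's caveat still holds, since a table built for the longer, salted input would work again, which is why per-user random salts (as in the table above) matter: they force a separate table per salt rather than one table for everyone.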

Conclusion

Passwords are not the be-all end-all solution, which is becoming more apparent every day. Migrating towards a biometric or smart card solution seems to be the next step. Those are also circumventable, but usually harder to get around than a password.

Filed Under: Security

Rockstar

Aug 23

Seeing as how I have been partying like a rockstar lately (hence the lack of posts), I thought I should at least look the part. So I picked myself up this:

… now I just need to learn how to play more than a few notes.

Cheat Commando’s Rock Rock On!

Filed Under: Uncategorized

VS 2003 SP1 is here!

Aug 18

Service Pack 1 for VS2003 is finally here and all 156 MB can be downloaded from MS's site here. A list of bugs fixed can be found here.

Filed Under: General

2005 Internet Stats

Aug 15

Stats for internet usage for 2005 were just released, so I thought I would share some of the interesting facts. The full article can be read here. Also, I have a thing against stats, so I will play a bit of devil's advocate on it.

-Alberta has the second highest internet usage in the country at 71%. This does not mean that people use it often. It could mean that someone has used the internet once.

-88% of households with an income over $86,000 use the internet, compared to 61% below that line. I assume that most people surveyed are under this income line (I could be wrong), so the distribution of data could totally throw this stat out the window.

-Not surprisingly, the biggest use of the internet at home is email. I agree with this stat, as email is the gateway program that leads to surfing, chatting, and eBay.

-The broadband usage stats are confusing, but what I took away was that 18% of users are on dial up connections. This makes sense, as rural users have no access to broadband connections but have kids (an earlier stat suggests that homes with children usually have internet access).

-One interesting point was that 12% of people who had a computer and did not use the internet said they did not because it was too hard to use. I am surprised at this, as my grandma uses the internet and her self cleaning oven is too hard to use, but who am I to judge?

Stat Bashing

As I stated, I have a thing against stats as they get abused, so I try to look at them a little more arbitrarily. But here are some fun ones:

-In WW1 the number of head injuries jumped dramatically after the introduction of helmets. The reason for this is that head fatalities were not counted as injuries, so now the helmets were saving lives but the soldiers were still being injured.
-Most car accidents occur within 10 blocks of home or work, leading people to believe that they get lazy close to their typical destination. Well, statistically you are within 10 blocks of home or work most of the time, so there is a much higher chance of being in that area and being in an accident.
-My favorite stat is always the “9 out of 10 [insert profession here] agree” stat. If you shrink your sample size down to 10 people you will get this stat easily, or it is just as easy to change the parameters on the data to filter it in the best way, i.e. filter the data to be dentists between the ages of 30 and 31 and ta-da, the most favorable number appears.

A few quotes

Lies, damn lies and statistics.
– Mark Twain

47.3% of all statistics are made up on the spot.
– Steven Wright

Filed Under: Rants

.NET Design Patterns

Aug 12

I have been reading the ever-classic “Design Patterns: Elements of Reusable Object-Oriented Software”. I am a bit behind the times on picking this one up, as it was published in 1995. Still a good read if you have no idea about patterns. All the examples are in C++, which is a little hard on some of the pure .NET developers who have read it. Also, some patterns use multiple inheritance, which we don't have in the .NET world. I did happen to come across this site which has all the patterns from the book updated to use .NET and .NET 2.0 examples. I think they should just republish the book with .NET in mind, as a lot of developers I know surprisingly have never programmed in C or C++.

Filed Under: General

Debugging Javascript

Aug 10

One thing I have noticed is that there are numerous ways to debug JavaScript with Visual Studio. I thought I would share some of them that I have found over the years.

  1. In Internet Explorer you can go to View -> Script Debugger -> Break at next statement. This will cause the debugger to run when the next JavaScript statement runs in the browser. This is not a feature that is enabled by default. To enable it you will need to go to the Advanced tab in Internet Options, uncheck the “Disable Script Debugging” option and restart IE. This is the method I use most often.
  2. Force JavaScript to call the debugger. You can do this like so in your JavaScript:
        function DoTask()
        {
           debugger; // execution pauses here whenever a script debugger is attached
           return 3+7;
        }
     When the browser encounters the debugger statement it will launch VS and you can step through your code.
  3. In Visual Studio attach the debugger to the Internet Explorer process and select Script as what you want to debug. On the right hand side where Solution Explorer is you should see a tab called Running Documents. Select the document to debug and set any breakpoints you wish to step through.
  4. Use Firefox's JavaScript Console to spot errors. It is the icon in the top right hand corner and will show a list of JavaScript errors on the page, which is quite handy at a glance.
  5. If you are a Firefox user you can also call Ghost Busters. By that I mean install the Venkman JavaScript debugger for Firefox, which allows you to debug inside Firefox (get it here: http://www.mozilla.org/projects/venkman/). I have only used it once and preferred using the IE methods myself. But if you don't have a script debugger installed on your machine this is a good solution.

Filed Under: Web

The web must die

Aug 1

I hate hate hate web development, and for some reason I do it all day and night. Maybe I do it so others don't have to. I am such a hero.

The reason I hate it is that it was never meant to do what we are doing with it now. Accomplishing such a simple thing as showing someone's email inbox takes thousands of lines of code and multiple technologies. I know that I have been on projects that get extended way past their initial design (the current app I am working on, now 3 years old, started as a 4 month project). But there came a point where we stopped and said that the app was stretched too far and we needed to revise the way we structured some of the app/database to allow it to expand. Unfortunately I don't ever see this happening with the web unless smart clients take off huge and can run on any platform with zero issues.

To that end, here is my list of technology required for developing an average website vs. a Windows app:

Web Development:
- HTML
- Javascript
- asp.net
- CSS
- Working in a stateless environment
- Browser & resolution compatibility
- Cookies (thankfully we don't have to use cookies that often anymore)
- Accessibility
- XHTML
- Search engine optimization (on sites that are public)
- Deployment (usually means how to use FTP)
- Managing session timeouts
- Security
- Ajax / Atlas / whatever

Windows Development:
- a .NET language
- Security
- Deployment knowledge (i.e. build an MSI or xcopy)
- Resolution compatibility

Filed Under: Rants