Archive for February, 2008

Edmug Presentation

Feb 27

I will be presenting at the Edmonton .NET User Group tomorrow night. My talk will be on common hacking vectors as well as protecting secrets via cryptographic techniques.

Date: Thursday, February 28th 2008
Time: 6:00pm 
Location: Milner Public Library

Hope to see you there!

Filed Under: Speaking

Security Myth: Switched Networks Are Not Immune From Packet Sniffing

Feb 18

In a former life I was a network guy. In that time I saw the rise of switches replacing hubs in networks. For those of you who were not networkers, here are the definitions:

Hubbed Network
The hub is a device that acts as a repeater out to every other connected computer. If I am trying to talk to Joe's computer, every other computer receives that frame as well. The other computers look at the frame and drop it because it is not addressed to them; Joe's computer accepts it because it is.

Switched Network
The switch is a smarter device that learns which MAC addresses are plugged into which of its ports. When a frame is sent, the switch looks up the destination MAC address in its forwarding table and sends the frame out only the port that destination is on.

Those of you who have run a packet sniffer on a hubbed network will have seen all the traffic from all computers. That includes email messages and passwords (yes, POP3 sends your username and password in plain text over the wire unless STARTTLS or APOP is in use), instant messaging conversations, and maybe some actual work documents being passed around.

When you run a sniffer on a switched network all you see is the traffic between your computer and its destinations (plus broadcasts, which go to every port). This is because the switch is acting as a traffic cop and forwarding each frame only to the port it belongs on.

Switches were invented to be traffic cops, not security cops, and it is fairly trivial to get around them. ARP poisoning: send forged ARP replies so that the victims' ARP caches map the gateway's IP address to your MAC address (and the gateway's cache maps the victims' IPs to you); the switch then dutifully delivers both directions of the conversation to your port and you forward it on. MAC address duplication: set your interface to another host's MAC address so the switch learns that address on your port too, and frames for that host start arriving at yours. MAC flooding: send frames from thousands of bogus source addresses until the switch's forwarding (CAM) table fills up; many switches then fall back to flooding frames for unknown destinations out every port, hub-style, for as long as the flood keeps the table full.

If you want more technical details sans.org has a good article here:
http://www.sans.org/resources/idfaq/switched_network.php
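The two symptoms described above, a known IP suddenly answering from a different MAC and one MAC answering for several IPs, are visible in the ARP replies themselves. The following is an added example, not code from the original post, that runs that check over a constructed list of observed ARP replies (the addresses are made up):

```csharp
using System;
using System.Collections.Generic;

// Added example (not from the original post): flag the symptoms of ARP poisoning and
// MAC duplication in a stream of observed ARP replies. The sample replies are constructed.
public static class ArpWatch
{
    public sealed class Reply
    {
        public readonly string Ip;
        public readonly string Mac;
        public Reply(string ip, string mac) { Ip = ip; Mac = mac.ToLowerInvariant(); }
    }

    // Returns one alert string per suspicious reply, in the order the replies were seen.
    public static List<string> Detect(IEnumerable<Reply> replies)
    {
        var macForIp = new Dictionary<string, string>();          // first MAC seen for each IP
        var ipsForMac = new Dictionary<string, HashSet<string>>(); // IPs each MAC has claimed
        var alerts = new List<string>();

        foreach (Reply r in replies)
        {
            string known;
            if (macForIp.TryGetValue(r.Ip, out known))
            {
                // A gateway's MAC does not change mid-session; a new MAC for a known IP is
                // exactly what a forged "IP X is-at MAC Y" reply looks like.
                if (known != r.Mac)
                    alerts.Add("MAC for " + r.Ip + " changed from " + known + " to " + r.Mac);
            }
            else
            {
                macForIp[r.Ip] = r.Mac;
            }

            HashSet<string> ips;
            if (!ipsForMac.TryGetValue(r.Mac, out ips))
                ipsForMac[r.Mac] = ips = new HashSet<string>();
            // Weaker signal: proxy-ARP routers and multi-homed hosts legitimately answer for
            // several IPs, so treat this as a lead rather than a verdict.
            if (ips.Add(r.Ip) && ips.Count > 1)
                alerts.Add(r.Mac + " now claims " + ips.Count + " IPs (latest " + r.Ip + ")");
        }
        return alerts;
    }

    public static void Main()
    {
        // Constructed sample: the gateway is really at ...:01; a host at ...:ee then starts
        // answering for the gateway's IP while keeping its own, so it ends up claiming two IPs.
        var seen = new[]
        {
            new Reply("192.168.1.1",  "00:11:22:33:44:01"),
            new Reply("192.168.1.10", "00:11:22:33:44:10"),
            new Reply("192.168.1.66", "00:11:22:33:44:ee"),
            new Reply("192.168.1.1",  "00:11:22:33:44:ee"),
        };
        foreach (string alert in Detect(seen))
            Console.WriteLine(alert);
    }
}
```

On the sample above Detect returns two alerts: one for 192.168.1.1 changing from 00:11:22:33:44:01 to 00:11:22:33:44:ee, and one for 00:11:22:33:44:ee claiming two IPs. In a real deployment the replies would come from a capture of ARP traffic on the segment, and the first-seen MAC for the gateway should be pinned from a known-good baseline rather than trusted just because it arrived first.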

Filed Under: Security

Announcing: Validating Text Box – Alpha

Feb 17

While .NET does a lot of great security things for us, one of the things it lacks is an easy way to tie input validation to the input control itself. To that end I created a text box control with some common validations built right in (note that these are server-side validations and are only evaluated on postback).

[Screenshot: ValidationTypes]

It is easy to provide your own custom validation as well:

[Screenshot: CustomValidation]

By default, if validation fails the control throws an exception on postback. You can change this behaviour by changing the notification type to raise an event instead, or to do nothing (doing nothing is not recommended; it is there in case you need to temporarily disable validation).

[Screenshot: Failure Method]
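To make the postback-only validation and the three failure methods concrete, here is an added example of the shape such a control takes. It is not the Solidhouse control's code; the type names, the whitelist pattern and the use of an HTTP 400 on failure are my assumptions:

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI.WebControls;

// Added example, not the Solidhouse control: a TextBox that validates its own posted value
// on the server and fails closed by default. Names and the whitelist are assumptions.
public enum FailureMethod { ThrowException, RaiseEvent, None }

public class ValidationFailedEventArgs : EventArgs
{
    public readonly string ControlId;
    public readonly string Value;
    public ValidationFailedEventArgs(string controlId, string value) { ControlId = controlId; Value = value; }
}

public class ValidatingTextBox : TextBox
{
    // Whitelist of what is allowed, anchored so the whole value must match. A blacklist of
    // characters such as "<" or "'" is the wrong way round: it only blocks the attacks you
    // already thought of.
    public string Pattern { get; set; }
    public FailureMethod OnFailure { get; set; }
    public event EventHandler<ValidationFailedEventArgs> ValidationFailed;

    public ValidatingTextBox()
    {
        Pattern = @"^[A-Za-z0-9 .,-]{0,64}$";
        OnFailure = FailureMethod.ThrowException; // fail closed unless told otherwise
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // Text has been loaded from the posted form by the time OnLoad runs, so this checks
        // the user's value. On the first GET there is nothing user-supplied to check.
        if (Page != null && Page.IsPostBack)
            Validate(Text);
    }

    // True when the value matches the whitelist; otherwise acts per OnFailure and returns false.
    public bool Validate(string value)
    {
        if (Regex.IsMatch(value ?? string.Empty, Pattern))
            return true;

        switch (OnFailure)
        {
            case FailureMethod.ThrowException:
                // 400 rather than 500: the request is bad, the server is not.
                throw new HttpException(400, "Input validation failed for '" + ID + "'");
            case FailureMethod.RaiseEvent:
            {
                EventHandler<ValidationFailedEventArgs> handler = ValidationFailed;
                if (handler != null)
                    handler(this, new ValidationFailedEventArgs(ID, value));
                break;
            }
            case FailureMethod.None:
                break; // only for temporarily disabling validation
        }
        return false;
    }
}
```

Validating in OnLoad means the check runs before any of the page's own Load or Click handlers touch the value, which is the point: code further down the lifecycle never sees input that failed. The ValidationFailed event is where the logging channels in the TODO below would hang off.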

I also built an HttpModule for this project that throws an exception if a plain TextBox is found on any page before it is sent to the browser. This forces me to use the validating text box everywhere (which I should be doing anyway). It is a development aid: I would remove it for production to avoid the cost of walking every page's control tree on every request.

<httpModules>
  <add type="Solidhouse.Validation.WebControls.ValidationEnforcementModule,
  Solidhouse.Validation.WebControls" name="ValidationEnforcementModule" />
</httpModules>
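The enforcement module described above amounts to walking the page's control tree late enough in the lifecycle that every control exists, and failing the request on an exact TextBox type match. The following is an added example of that idea, not the Solidhouse module's code; it assumes the validating control derives from TextBox, and the class name is mine:

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not the Solidhouse module: a development-time HttpModule that walks each
// Web Forms page's control tree and throws when it finds a plain TextBox, i.e. an input that
// no validating control wraps. Assumes the validating control is a TextBox subclass.
public class TextBoxEnforcementModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PreRequestHandlerExecute += delegate(object sender, EventArgs e)
        {
            Page page = app.Context.Handler as Page;
            if (page == null)
                return; // not a Web Forms page (generic handler, web service, static file)

            // The control tree is only complete late in the lifecycle; PreRender fires after
            // every control (including dynamically added ones) exists and before any output.
            page.PreRender += delegate { Enforce(page, page); };
        };
    }

    public void Dispose() { }

    private static void Enforce(Page page, Control root)
    {
        foreach (Control child in root.Controls)
        {
            // Exact type match: subclasses (the validating control) pass, a raw TextBox fails.
            if (child.GetType() == typeof(TextBox))
                throw new InvalidOperationException(
                    "Unvalidated TextBox '" + child.ID + "' on " + page.AppRelativeVirtualPath);

            if (child.HasControls())
                Enforce(page, child);
        }
    }
}
```

It is registered with the same httpModules element shown above, substituting this type's name. Because it throws rather than logs, a forgotten TextBox shows up as a failed page the first time the developer loads it, which is the point of a development-only check.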

TODO

-Add logging functionality. There will be a dialog where you can add logging channels for validation errors. This is helpful to spot a validation that is too restrictive, or to see if someone is probing your site.

Again, this is alpha software I came up with a few nights back, so use at your own risk. All feedback is appreciated.

Filed Under: Security

Random Musings On Random

Feb 16

In a lot of my talks I harp on the fact that Random.Next() is not actually all that random. Its output is determined entirely by its seed. If the same seed is specified (as you can do in the constructor for Random) you will get the same outputs every time.

Random random = new Random(27);
for (int i = 0; i< 5; i++)
{
     Console.WriteLine(random.Next(50));
}

Every time I run this code I get: 41, 36, 32, 16, 19

The reason for this is that each new number is computed from the generator's previous state (or from the seed if no number has been generated yet), so the whole sequence is fixed once the seed is.

Now I have not dug into the source code of .NET, but I assume that like many other languages it uses the linear congruential method, which produces a fairly evenly distributed range of numbers. (The .NET Framework's System.Random actually implements Knuth's subtractive generator rather than a linear congruential one; the point is the same either way, since both are fully determined by the seed.)

Here is a home grown random class using this method (named HomeGrownRandom so it does not collide with System.Random):

public class HomeGrownRandom
{
    private int lastNumber;

    public HomeGrownRandom(int seed)
    {
        lastNumber = seed;
    }

    // Linear congruential step: X(n+1) = (a * X(n) + c) mod m, with a = 106, c = 1283, m = 6075.
    // Reducing modulo m on every step keeps the state bounded (the unreduced product would
    // overflow an int within a few calls and go negative) and shows the sequence repeating
    // with a period of at most m.
    public int Next()
    {
        lastNumber = (lastNumber * 106 + 1283) % 6075;
        return lastNumber;
    }
}

Now in .NET the Random() constructor has an overload that takes no parameters and generates a seed for us internally (in the .NET Framework it uses Environment.TickCount, so two instances created within the same millisecond tick produce identical sequences). Some other languages and runtimes use a fixed default seed if you never set one (C's rand() behaves as if srand(1) had been called), which generates the same numbers on every run.

This is why I say not to use Random() if you need strong random numbers: the seed is a single 32-bit value, often a timestamp, and anyone who can guess it can reproduce every value you generated.

Cryptographically strong random numbers are generated in a slower but more random fashion by incorporating more entropy into the generator (entropy being the unpredictability, or disorder, in a system). On Windows the cryptographic provider mixes in sources such as:

-The process/thread ID

-Current Time

-Some performance counters

-System info (cpu/memory/page file state/about 100 more)

-About 10 more items

By mixing all of this together we get seed data that should, statistically, never recur. The cost of polling all of those sources is the performance hit.

If you need strong random data please use System.Security.Cryptography.RNGCryptoServiceProvider (in current .NET this class is obsolete; RandomNumberGenerator.Create() gives you the same CSPRNG through the newer API).
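The difference matters most where the random value is a secret: session tokens, password resets, generated passwords. The following is an added example, not code from the original post, that generates a token both ways; it also handles the bias that creeps in when a random byte is reduced modulo an alphabet size that does not divide 256. The alphabet and lengths are assumptions:

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original post: a token generator in both flavours. Weak()
// uses System.Random as the post warns against; Strong() uses the CSP generator with an
// unbiased draw from the alphabet. The alphabet and lengths are assumptions.
public static class TokenGenerator
{
    const string Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; // 62 chars

    // Seeded System.Random: the same seed gives the same token, every run, on every machine.
    // new Random() is no better in the .NET Framework; its seed is Environment.TickCount.
    public static string Weak(int seed, int length)
    {
        Random r = new Random(seed);
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++)
            sb.Append(Alphabet[r.Next(Alphabet.Length)]);
        return sb.ToString();
    }

    // CSPRNG output with rejection sampling. A naive `b % 62` on a random byte is biased:
    // 256 = 4 * 62 + 8, so the first 8 characters would come up 5 times for every 4 times
    // the others do. Rejecting bytes >= 248 (the largest multiple of 62 that fits in a byte)
    // and drawing again leaves every character equally likely.
    public static string Strong(int length)
    {
        int limit = 256 - (256 % Alphabet.Length); // 248
        byte[] buf = new byte[1];
        StringBuilder sb = new StringBuilder(length);
        // RNGCryptoServiceProvider wraps Windows CryptGenRandom, the generator the post
        // describes; in current .NET use RandomNumberGenerator.Create() instead.
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        while (sb.Length < length)
        {
            rng.GetBytes(buf);
            if (buf[0] < limit)
                sb.Append(Alphabet[buf[0] % Alphabet.Length]);
        }
        return sb.ToString();
    }

    public static void Main()
    {
        Console.WriteLine(Weak(27, 16));   // identical on every run
        Console.WriteLine(Weak(27, 16));
        Console.WriteLine(Strong(16));     // different on every run
    }
}
```

Weak(27, 16) prints the same string twice and will print it again tomorrow, which is the post's point in one line; Strong(16) cannot be reproduced from anything an attacker can guess. The rejection loop discards on average 8 of every 256 bytes, a negligible cost next to the entropy gathering itself.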

Filed Under: Security

Events – Do’s Don’ts and Maybe’s

Feb 6

In the last year I have had the pleasure of attending many speaking events both as a presenter and an attendee. To that extent I would like to point out some tips that may be helpful to other people planning events.

Note that I have never planned an event myself. This is just my outside view of things.

Do have wireless access for everyone. I have never heard more complaints than at events without Internet access.

Do provide lunch. Especially when in a remote area where it is not easy to find lunch.

Do not order in a hot lunch. Getting that much hot food coordinated could easily fail. Something like sandwiches or wraps is easy to have pre-made and less prone to problems.

Do have a map to the facility. People like to know where they are going.

Do have the building the event is in clearly marked. If it is in a non-obvious area, have signage directing attendees through the building.

Do have feedback sheets for the presenters. These help presenters improve their talks and are also required for some funding and awards.

Do not change the schedule a lot. If there are going to be lots of changes, do not release it until it is mostly stable.

Do pre-release the schedule to speakers before the general public. Many speakers will need to re-arrange their times due to flights or wanting to attend other speakers' talks.

Do have backup speakers. There will always be a few speakers that need to withdraw from the event so having people lined up to fill in is essential.

Do not change the schedule the night before the talk. I would recommend having it set in stone one week before the event.

Do get all the speakers contact information before the talk. If there is some last minute change you can then contact them.

Do give out your contact information to speakers in case they need to notify you of a last minute change.

Do try to get a group rate at a hotel if you are expecting speakers/attendees from out of town.

Do not have an event at unseasonable times. Extremely hot/cold times of the year will discourage speakers/attendees. Also avoid times when lots of people are on vacation.

Do have someone that ensures speakers get hooked up to the projectors and running in a timely manner. Having technical delays can be a pain for all so having someone who can quickly get a speaker up and going is great.

Do have someone go into the presentations and give a five minute warning. This is great for keeping speakers and the event on time.

Do have a green room for speakers that is locked or guarded at all times. Having a place where speakers, or even attendees, can leave their valuables is a great feature to have. Being able to work on last-minute talk changes in a quiet place is great too.

Do have an event for the speakers. Going out for dinner/drinks after the event is a great way to reflect on your event and is a nice way to thank the speakers for their time.

Do not expect an event to go off without a hitch. Lots of things can go wrong and something always will. Try to plan for things and adapt.

Do have an army of volunteers. "Many hands make light work" is certainly true. If things go wrong it is easier to have five people looking for an extension cord than just yourself.

Do have swag to give away. Everyone likes to win something.

Do have at least the grand prize draw picked from evaluations. This encourages attendees to fill them out.

Maybe have tickets for other swag draws. This cuts down on trying to read someone’s name off a sheet that may be hard to read or pronounce.

Do get feedback for not only the speakers but the event itself so it can be improved for the next time.

Do keep the standard format for talks. For code camps these are 1 hour and 15 minutes and user groups are 2 hours. Most speakers craft their talks for these durations. If your sessions are going to be shorter make sure everyone knows well in advance.

Do not start your event at a time that is hard for people to make. Weekday events should start 1 hour after 5pm (or later if people have to make long commutes). Code Camps should start as late as possible as it is weekend time and we all like to sleep in a bit on weekends.

Maybe have a keynote. This can be good for explaining the happenings for the day or to introduce something that everyone will want to see. If there is something everyone wants to see no one else will want to speak in that time slot.

Do ensure that all session materials are available to attendees.

Do have the schedule printed out and available to all attendees as they come in the door.

Do mark the rooms so they correlate to the schedule.

Filed Under: Uncategorized

Happy Birthday Igloo Coder!!!

Feb 6

That is right, today is the one and only Igloo Coder's birthday! Justice asked us to write our favourite story of Donald today. I figured I would tell a mostly true story about DevTeach Montreal.

[photo]

Now Don and I found this great little place called Ye Olde Get Way Too Drunk And Try To Find Your Way Home... or something to that effect. This is usually the place we started and ended up at.

[photo]

The staff were great and Don did not have to explain what a "double neat scotch" meant in both English and French at this pub (by the way, "double neat scotch" is all the French Don knows).

[photo]

So by the end of the week we knew a lot of the staff and had a bit of an impromptu sendoff.

[photo]

What this meant was lots of scotch and I think a few rounds of shots for good measure.

[photo]

One of the waitresses was this really cute girl named something or other. Now Don had a bit of a thing for this girl, and he has pretty good taste I must admit.

[photo]

So Don, being the good Albertan he is, makes sure that she drinks all of her beer.

[photo]

And it seems to pay off... ok, well, I paid her off, but that paid off in the long run as it allowed me to embarrass Don.

[photo]

Don then manages to keep up the image by blatantly talking to Victoria's chest. But by this point, between us buying the bar drinks and the bar buying us drinks, we were a little... soused.

[photo]

Those of you who know Don know that he can hold his liquor quite well (with few exceptions). Now, as you may notice in this picture, Don's pose.

[photo]

Now these pictures were taken about an hour apart. Not much had changed actually. This is actually the same glass of scotch from the earlier picture. By this point Don had reached his limit and had the age-old debate of drink it down or put it down. Both of these were not acceptable in Don's brain and it stayed poised in his hand while I talked to our waitress for about an hour. I think they eventually made him put it down as the bar was now closed and we had to find the hotel.

But we managed to be the first people back in the morning for breakfast... and by breakfast I mean...

[photo]

Happy Birthday Don!

Filed Under: General

Something Different In Blog Land

Feb 1

A while back I found Sara Ford's blog (it actually says weblog in the title... weird... what is a weblog?). Unlike everyone else, Sara just posts tips on the IDE: shortcut keys, docking tips, and other hidden little gems. I find it a really refreshing and helpful blog, especially for those of us addicted to shortcut keys.

Filed Under: General