Archive for February, 2009

The Entity Framework Review Take 2

Feb 24

My last post was a bit of a joke and I should explain why after only a few hours of playing with EF that I think it is a horrible technology. Some might say that a few hours is not enough time to completely write off a technology but I have to disagree. I spent a few hours with nHibernate and loved it. a few hours with EF and I wanted to start drinking.

First the good things about it:

It is integrated into Visual Studio so the whole team is already able to start using it
You can generate entities off an existing database which is convenient
The generated items include rules about nullability, type, length, etc.
You have MS behind it for support (<sarcasm> yippie! </sarcasm>)
It is quick to get up and running on it
It would appear to have first class support for mapping to stored procs (I did not try it though as I am not a fan of stored procs for the most part)
The entities track changes made to them so that when you save you don’t have to worry about missing inserting/updating/deleting a record

Now that I have that out of the way. The bad things:

I tried to look for good things in the EF. I really did but it became obvious to me after 10 minutes that this was not the tool for me. The whole underlying idea is wrong in my opinion. The Entity Framework is really a way to bring your database up into your code (does this remind anyone of datasets?) which is 100% wrong. The database is simply a place to store the state of your business, that is all. It is up to code to define that business, it’s rules, and to persist the data between sessions/reboots/upgrades. This datacentric model that MS seems to constantly promote seems to be like saying that you should build a grocery store based on the dimensions of the shopping cart which is a totally backwards idea (but our industry has no shortage of those).

The designer is flashy and terrible. It initially impressed me that I had my model laid out infront of me but then realized that this is unnecessary, the concept of having a visual designer seems silly to me for this kind of task. For one I am a big keyboard user, if I can’t do something with a keyboard then it is not worth doing and the EF designer is mouse centric. I found it also to not be intuitive. I spent a lot of time hunting around trying to do things but it took me so long to just find/do simple things. Also if you have a database with more than a few tables you can not easily locate a table on the designer. Not being able to quickly find and change a mapping is the biggest killer for me in terms of usability. I found that anything beyond the very simplistic I had to open up the model with an xml editor and do it there which made the designer feel useless.

The framework is so not ready for the real world yet. I generated a model of an existing database and then deleted some of the tables/entities that were not required for my application. This resulted in foreign key issues in the model as it could no longer relate to that table which I could not resolve through the designer. Eventually I had to go into the raw xml of the model and delete the constraint from there. I also tried the update model functionality to re-add these tables but apparently it felt that there was nothing different between the model and the database but generated a bunch of new crap that caused more compile errors so I ended up deleting the whole model and starting over.

The framework generates some nasty looking objects for us that are not persistence ignorant. The “business” objects that the framework generates are highly coupled to the database when they are supposed to be highly coupled to OUR BUSINESS! They are implemented as partial classes so you can add business rules onto them but most developers find partial classes reduce the readability and discoverability of what is happening where in code. This leads to rules that should be in the business objects being placed elsewhere leading to architecture/reusability/consistency issues.

The amount of code that is generated is huge too. For my sample application I have 60 tables which resulted in 18,000 lines of code which is about 300 lines of code per table. In our application that uses this same database and fluent nHibernate it averages out to 24 lines per class (granted the EF is doing lots of work to track changes for us though). I found that this additional code slowed down my build more than I considered acceptable.

The lazy loading story is a complete joke. In other OR/Ms you can have child objects load from the database only when they are accessed which could save a lot of unnecessary database calls or loading logic (i.e. we can take a customer object and just go customer.Orders in our code and behind the scenes the OR/M will load the customers orders at that moment in time). In the entity framework they have deferred loading (deferred in that they will do a better job later). Using EF if you went customer.Orders you would get a null back, what you were supposed to do is go customer.Orders.Load() and then make a call to customer.Orders. This just floored me. The idea of lazy loading has been around for many many years and is simple to implement. One of the biggest issues with the EF implementation is that your business code now has to check if a collection is null and then call load on it when the business code should not care at all about state. If my code saw that customer.Orders was null it would say to me that the customer has no orders. Calling customer.Orders.Load makes zero sense to business code.

I also found it clunky to work with in code and found some unexpected results. For example calling model.Permits.Count returns me how many permits are in our database but model.Permits(0).PermitNumber throws an exception. I also found that you would explicitly have to call save changes all the time which was easy to forget:

Dim model as New Model

Dim permit As New Permit

permit.PermitNumber = 100

permit.Discipline = “B”

model.AddToPermit(permit) <-add it to the Permit table

model.SaveChanges() <-commit the change

model.DeleteObject(permit) <-delete

model.SaveChanges() <-commit the change

I find always having this unit of work idea a bit of a pain myself, especially on a simple application. In more complicated persistence scenarios it could be a nice feature though.

Another issue I had was there was no way to globally write out all the SQL that was being executed to a console/debug stream. You could to see what one query is going to do by running query.ToTraceString() but I could not find a global flag to turn this on. I have found with using other frameworks that have this feature has led me to discover lots of issues when running unit tests and seeing some of the unexpected SQL that is being generated.

Another interesting issue is source control and the EF. EF generates one big class file and one big XML file for the model. If you have a team of more than one person chances are that multiple people will be working on the model at the same time which is going to inevitably lead to a locking/merging nightmare. Having many small files reduces this problem.

The thing that really bugs me about this product is the apparent attitude of the team behind it. There are many good evolved OR/M tools out there already and it feels like they looked at none of them. The team has also apparently not taken any of the community feedback from the betas (or a very very small amount of it) and incorporated it in. My outside impression of the EF team is that they are disconnected from the real world, the community, and the competition to their framework.

The thing that stopped me from looking at EF any further was the refactoring support. I am a big big resharper user and it does not play with EF. I renamed one property of an object generated by EF and everything compiled just fine. When I ran the application and tried to save/load the entity I got the lovely error of “The Member ‘Location’ in the conceptual model type ‘Model.Permit’ is not present in the OSpace type ‘EntityFramework.Stub.Permit’”. Refactoring is a fact of development now days and for EF to fail on a simple rename like this ruled it out for me.

Designing a domain driven application gives us limitless possibilities in how we can express a business and its rules. The application and the database are not a homogenous system, they each have their own roles. A database is just a bucket we store the state of things in. The entity framework makes it feel like my application has to adapt to that bucket so therefore my business is a bucket which in turn makes my application work like a bucket and most clients don’t want a bucket application. The fact that there even is an Entity Framework Vote Of No Confidence that hundreds of developers have signed is good evidence that this product missed the mark and will continue to unless they make some massive changes. Overall I found the EF to be overly complex, frustrating, and not nearly flexible enough for me and I will avoid it at all costs on future projects.

Filed Under: General

Entity Framework Review

Feb 18

My mother always said that if you can’t say anything nice then don’t say anything at all………

</endPost>

Filed Under: General

Annoying Brute Forcers

Feb 17

Had an interesting thought today. If someone tries to brute force your login screen then why not after so many failed logins redirect them to a page that looks legitimate. This would cause the tool they are using to report that they cracked the password and logged in. The attacker would then have physically verify the login only to see some garbage page and start all over again. This would probably make a script kiddie attack some other site as they would probably not have the programming knowledge to alter the brute forcing engine.

I would have it so that after 10-20 failed logins to redirect to the fake page so that legitimate users have a very low change of being redirected to it.

Just an interesting thought / theory.

Filed Under: Security

Building Your Own Password Based Authentication System

Feb 16

Many times we need to have a way for users to authenticate with a system and that is usually done with a username/password combination. A lot of times we have to build our own or use some pre built system (i.e. Forms Authentication).

Now I am not a fan of passwords. I find that they are usually easy to guess and brute forcing them has become faster and faster. Passwords are dying and there are other options but they will differ from implementation to implementation.

If you have to build a password based authentication system then there are some minimum requirements that I feel are required:

Require Complex Passwords
Complex passwords drastically increase the difficulty of breaking a system. Allowing users to put in dictionary words means that it can be broken into in minutes with a dictionary brute force tool. Be careful of your rules though. Having password requirements that result in passwords too complex to remember means more people will write it down.

Store Passwords Properly
So many people store passwords in plain text. Use a hashing algorithm with a good random salt (for more info see my post on hashing for passwords) . Better yet use an iterative hash that will hash your hash multiple times that makes it take a huge amount of time to crack.

Ensure That Data Is Encrypted In Transit
There are many many sites that have a login page unprotected by SSL/TLS. If the credentials are transmitted in plain text to the server then it is easy to sniff the data off the wire. SSL certs are cheap and a quick way to protect data in transit!

Also be careful what happens with the data once it arrives at the server. Does it go across the wire in your network to the database server? Is that connection encrypted?

Password Change Policy
Passwords are getting easier to crack and if you have all the time in the world it becomes much easier. Brute forcing a password over the web may take months (or it may take minutes) but forcing users to change their password every X number of days helps prevent this.

Record and Monitor Failed Login Attempts
Most people don’t log failed logins and even those that do rarely look at the log of failed attempts. If you don’t know that people are trying to break into your system then how can you hope to prevent them from succeeding? If you see someone trying to brute force in you can respond by blocking their IP address and prevent any other attacks they may try.

Don’t Let People Try To Break In Forever
If a user fails to login successfully for X times in a set period something should prevent them or slow them down from trying again.

Account lockout is one way to do this but an attacker could intentionally lock out an account and deny service to a legitimate user that way! Also the lockouts need to be cleared by an administrator which could take time to contact that person and have them clear the flag. Also if an attacker goes after the admin account this could cause a lockout of the only person that can clear the flag! This is why in Windows the Administrator account has no lockout policy. This is a crappy scenario as the one account you REALLY want to crack has no lockout while the crappy accounts with fewer privileges do have a lockout policy.

A better technique in my opinion is tar pitting. Tar pitting is a technique of slowing attempts down. So if someone fails to login more than 3 times we may delay processing another login request for 10-15 seconds. If they keep failing we may increase that timeout. We would not want to algorithmically grow the timeout though (i.e. for each failed login add a 2 second delay). If we did then an attacker may fail logins on purpose so that a legitimate user would have to wait 26 days until they could login (which would also hold server resources for that period too which could lead to a much broader denial of service attack).

Ensure The Password Reset Mechanism Is Secure
One area that is exploited more and more is the password reset ability. The systems where it asks you to answer 2-3 personal questions are fairly easy to attack if you know something about the victim. For example Sarah Palin’s account was hijacked because the personal questions she chose were all over the media (i.e. Where did you go to high school? What was your Mothers maiden name? What is your favourite book?). These “personal” questions are also fairly easy to retrieve via social engineering as people don’t feel that their favourite book is something they should consider sensitive information.

I personally like how ING bank does PIN resets. I need to provide personal information like a SIN plus the amount of my last transfer/deposit to my account. Once I reset my pin I get both an email and a physical letter mailed to me notifying that my PIN has been changed. It is really important to pick a methodology of password resets that use information an attacker could not guess or easily learn.

Conclusion
Those are my BASICS for a login system. It will take a lot of time and resources to build a system that does all of this and that is why I like either leveraging windows authentication or other technologies (like certificates, cardspace, smart cards, passkey devices). It is really not an easy task to build something like this. The authentication used in Windows has been developed and evolved by countless developers over the years and they have though about this kind of stuff way more than we would ever want to.

There is also a great chapter on password systems in the book 19 Deadly Sins Of Software Security that goes into much greater depth (yes there is way more on this subject) then I have.

Filed Under: Security

Storing Credit Card Information In Canada

Feb 13

Talking with other developers and clients it amazes me how many people store credit card numbers in their systems. There is usually no need to store a full credit card number in your own database. It should be forwarded on to the processing gateway and then the information should be purged from your system the instant the transaction is complete.

The Credit Card Companies Stances

Contrary to popular believe you are allowed to store credit card information. The companies do have standards that you need to follow if you are storing this information. More information on this standard can be found on the Payment Card Industry Security Standards Council website. By not complying with these standards the credit card company may impose fines and/or restrictions on your credit card processing ability.

More info can be found here:
http://www.visa.ca/ais
http://www.mastercard.com/sdp

I contacted both VISA and MasterCard to ask what kind of costs we were looking at but they only replied with a generic message that basically said “if you don’t protect data you will be responsible for what happens to it”

The Customers Stance

From my reading it would appear that if a company discloses credit card (or other personal information) they can be held liable for damages. This could be a lot of money for a company.

The Laws Stance

There are many laws governing the disclosure of private/personal data. They do seem geared towards what a company can do with your information and a lot less towards what if someone steals the information.

For Canada there is the Personal Information Protection and Electronic Documents Act (PIPEDA) that could be applied to credit card information disclosure. This could yield fines of $10,000 to $100,000.

Here in Alberta we have the Personal Information Protection Act (PIPA) that could be applied to the disclosure of credit card information. If a company is found in breach of this they could be fined up to $100,000. This law is similar to PIPEDA and may be applied instead of PIPEDA depending on the situation. Quebec and British Columbia have also passed similar privacy laws.

Filed Under: Internet Law, Security

Speaking At Victoria Code Camp This Saturday (Feb 7th, 2009)

Feb 5

I will be doing two talks at Victoria Code Camp this weekend

Passwords Are Dying – A talk about the problems with passwords, how they are currently attacked, and alternatives to password based authentication

Threat Modeling – Learn how to model your applications under different lenses to find security vulnerabilities and potential weaknesses in your application

More info on the Victoria Code Camp Site

Filed Under: Speaking

David Woods