Tuesday, 29 September 2009

Hotmail accounts hacked for sending iPhone spam

I've had a few family and friends now who have apparently had their Hotmail email accounts hacked for the purpose of sending spam to all the people in their contacts (including me!).

The spam (whose grammar should make it obvious that it isn't from the original sender) takes the form of:

hi,
how are you?
recently, I got a nice site: www.nottheoriginalsite.com
I brought some items from them. Wow, it is very nice.
low price and good quality (iphone new model 3GS 16 GB only 385 euro)
they also sell Wii, DJ, TV, laptop,camera and so on.
how do you think? login and have a look at it!
yours truly,

As best I can tell, they've done this either via guessing passwords or maybe via some kind of phishing attack. One reason for this belief is that for one incident I saw, the spam was saved in the sender's "Sent Items" folder, just like other regular email that they had sent.

If you have a Hotmail account, I'd strongly recommend you ensure your password is long enough to be extremely difficult to guess. A passphrase instead of just a password is probably the best way to do this.

Tuesday, 22 September 2009

Why Websense is stupid (and I told them so)

One of the vendors who happened to be exhibiting at TechEd Australia this year was a company called Websense.

They were giving away T-shirts, so it was only after I had received my free shirt from them that I then proceeded to tell them how stupid and horrible their software was.

This seemed to take the Websense staff a bit by surprise, and they tried to defend their product, assuring me with words to the effect that their software was wonderful and couldn't possibly be faulty and had the "largest database". Well, let me assure you "quantity" definitely does not equate to "quality", and it may be no coincidence that their company name rhymes with "nonsense" :-)

Don't believe me? Well take a look at this example:

Try and browse http://www.opensource.org/licenses/bsd-license.html through Websense and you are greeted with this response:

Reason:

The Websense category "Entertainment" is filtered.

URL:

http://www.opensource.org/licenses/bsd-license.html

Presumably the legal department must have a fair bit of influence at Websense, Inc. as I don't think anyone else would consider reading software licenses 'Entertainment'.

It just goes to reinforce the enhancement Mitch Denny made in his Software Development Pitfalls talk to point 5 of Jeff Atwood's Programmer's Bill of Rights:

Every programmer shall have a fast, unfiltered internet connection

Ah, we can but dream.

Thursday, 17 September 2009

BinScope and MiniFuzz

Following on from seeing Michael Howard at TechEd last week, here are a couple of new tools to help with analysing your applications for security issues.

"BinScope is a verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations"

"MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected and potentially insecure application behaviours"

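To make the MiniFuzz description concrete, here is an added C# example of the mutation-fuzzing approach it describes. It is not MiniFuzz's own code and is not from the original post: the "NAME:<len>:<payload>" record format, the deliberately fragile ParseRecord parser standing in for real file-handling code, and the seed input are all constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Added example: a toy mutation fuzzer in the spirit of the MiniFuzz description.
// Everything here is constructed for illustration; it is not MiniFuzz's code.
public static class MutationFuzzDemo
{
    // Hypothetical file format "NAME:<len>:<payload>", parsed the fragile way a lot
    // of real file-handling code is: it trusts <len> and the number of fields.
    public static string ParseRecord(byte[] file)
    {
        string text = Encoding.ASCII.GetString(file);
        string[] parts = text.Split(':');
        string name = parts[0];
        int length = int.Parse(parts[1]);               // FormatException if a digit was mutated
        string payload = parts[2].Substring(0, length);  // throws if <len> exceeds the payload
        return name + "=" + payload;
    }

    // Produce one variant of the seed with a handful of random byte-level edits.
    public static byte[] Mutate(byte[] seed, Random rng)
    {
        byte[] copy = (byte[])seed.Clone();
        int edits = 1 + rng.Next(3);
        for (int i = 0; i < edits; i++)
        {
            int pos = rng.Next(copy.Length);
            switch (rng.Next(3))
            {
                case 0: copy[pos] ^= (byte)(1 << rng.Next(8)); break;      // flip one bit
                case 1: copy[pos] = (byte)rng.Next(256); break;             // replace a byte
                default: Array.Resize(ref copy, Math.Max(1, pos)); break;   // truncate the file
            }
        }
        return copy;
    }

    // Feed mutated inputs to the parser and keep the first input that triggers each
    // distinct exception type. A real harness runs the target in a separate process
    // and watches for crashes instead of catching managed exceptions.
    public static Dictionary<string, byte[]> Fuzz(byte[] seed, int iterations, int rngSeed)
    {
        var rng = new Random(rngSeed);   // fixed seed so any finding can be reproduced
        var findings = new Dictionary<string, byte[]>();
        for (int i = 0; i < iterations; i++)
        {
            byte[] input = Mutate(seed, rng);
            try
            {
                ParseRecord(input);
            }
            catch (Exception ex)
            {
                string kind = ex.GetType().Name;
                if (!findings.ContainsKey(kind)) findings[kind] = input;
            }
        }
        return findings;
    }

    public static void Main()
    {
        byte[] seed = Encoding.ASCII.GetBytes("NAME:5:hello");   // constructed seed file
        foreach (KeyValuePair<string, byte[]> finding in Fuzz(seed, 2000, 1))
            Console.WriteLine("{0,-30} {1}", finding.Key, BitConverter.ToString(finding.Value));
    }
}
```

Each distinct exception type the parser raises (a mutated length digit, a missing field after truncation, a length larger than the payload) is reported once with the hex bytes of the input that caused it, which is the reproducer a developer needs to turn a fuzzing hit into a bug fix.
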
Sunday, 13 September 2009

Tech-Ed 2009 – Friday

Highlights

  • Talking to Virtual PC Guy (Ben Armstrong) about his home HyperV machine that also runs Windows Home Server
  • Watching Pete Calvert compete in one of the crazy competitions in the Mobile Smackdown

2008 R2 Virtualisation with Ben Armstrong

  • Live migration – 1-1.5 seconds
    • Copies config, then up to 5 passes copying memory, then finally state (CPU etc)
  • Cluster shared volumes – allows direct access to NTFS
  • Intel i7 – Hyperthreading is ok (not bad and may be good)
  • VMQ – networking optimisation (feature of NIC)
  • VM Memory Management
    • Uses shadow page tables to emulate page tables for each VM (avoids software emulation)
    • For i7, AMD gen3 Quad
    • Huge positive impact for 75
    • Solves performance issue with 3D video support
  • Deferred procedure calls (used by device drivers) now run on local core instead of core 0.
  • Power efficiency
    • Core parking (really processor parking)
  • Timer coalescing
    • align Windows timer ticks
    • Allows processor to deep sleep/save power
  • Native VHD
    • Don't need to use passthru for performance anymore
  • VHD Boot
    • WIM2VHD (Codeplex)
    • Create VHD through Disk Management

.NET 4 Parallel Extensions with Corneliu Tusnea

  • Need to watch out for locking
  • Parallel extensions now part of .NET Framework
  • Parallel.For/Parallel.ForEach
  • New concurrent collections
  • Automatically allocate work to each core
  • Task, Task<>
  • PLINQ
    • Need to partition data to cores
    • Depends on underlying type – eg. List or IEnumerable
    • AsParallel()
    • AsSequential() – to revert to single core
  • Debugging
    • Parallel tasks window
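
A short added C# example (not from the talk) of the points above: a shared counter updated inside Parallel.For shows the locking problem the first bullet warns about, Interlocked and a per-worker accumulator show two fixes, and a PLINQ query shows AsParallel handing the rest of the pipeline back to AsSequential.

```csharp
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;

public static class ParallelDemo
{
    // Wrong: each iteration does a read-modify-write on a shared int with no
    // synchronisation, so concurrent increments are lost and the result is
    // usually less than the number of iterations on a multi-core machine.
    public static int CountUnsafe(int iterations)
    {
        int counter = 0;
        Parallel.For(0, iterations, i => { counter++; });
        return counter;
    }

    // Fixed: Interlocked makes each increment atomic.
    public static int CountInterlocked(int iterations)
    {
        int counter = 0;
        Parallel.For(0, iterations, i => Interlocked.Increment(ref counter));
        return counter;
    }

    // Better still: per-worker partial sums combined once per worker, so the
    // synchronisation cost is paid once per core instead of once per item.
    public static long SumOfSquares(int n)
    {
        long total = 0;
        Parallel.For(0, n,
            () => 0L,                                   // localInit: each worker starts at 0
            (i, state, local) => local + (long)i * i,   // body: accumulate privately
            local => Interlocked.Add(ref total, local)); // localFinally: merge once per worker
        return total;
    }

    // PLINQ: AsParallel partitions the source across cores; AsSequential hands the
    // remainder of the query back to a single thread where ordering or code that is
    // not thread-safe matters.
    public static int[] FirstEvenSquares(int n, int take)
    {
        return Enumerable.Range(0, n)
            .AsParallel()
            .AsOrdered()
            .Where(i => i % 2 == 0)
            .Select(i => i * i)
            .AsSequential()
            .Take(take)
            .ToArray();
    }

    public static void Main()
    {
        Console.WriteLine("unsafe counter:      {0}", CountUnsafe(1000000));
        Console.WriteLine("interlocked counter: {0}", CountInterlocked(1000000));
        Console.WriteLine("sum of squares:      {0}", SumOfSquares(1000));
        Console.WriteLine("even squares:        {0}", string.Join(",", FirstEvenSquares(100, 5)));
    }
}
```

Running it a few times shows the unsafe counter varying from run to run while the Interlocked version is always exact; the Parallel.For overload with localInit/localFinally is the idiom to reach for when a loop reduces to a single value.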

Big Algorithms in F# with Joel Pobar

  • Functional Programming avoids state and mutable data
  • Increase modularity and composability
  • F# interactive
  • Search
  • Recommendation engine (Netflix)
    • Nearest Neighbour algorithm

Mobile Smackdown

This was bizarre and quite crazy in a mostly good way. Because I'd won a token from the WCF talk, I got a front-row (well, second to front) seat and got a pile of goodies on my seat.

The basic rule of the smackdown was that any time a demo failed, assorted pieces of "swag" would be thrown into the audience. Hence the audience were keen to see things fail!

Quite a few new Windows Mobile phones, headsets, mice and other nice prizes were given away.

I was also pleased to see that this year, no cat food was involved in any of the competitions (unlike the session from last year).

Final thoughts

So did I get my money's worth? Yes, I think so. I felt I learned or was exposed to new things in almost every session I attended. It was also great to catch up with lots of friends and familiar faces.

While the Gold Coast isn't the most convenient venue to get to from Adelaide, I do think the convention centre does an excellent job looking after and catering for everyone. No complaints about the food!

The HP Mini 2140 netbook is really nice. I think it was quite innovative to allow all delegates to be able to participate in the conference in an online fashion. Wireless network access at the convention centre worked pretty well considering how many concurrent users it had to cope with. Depending on which way the wind blew, I could sometimes connect even when I returned to my motel room (which was just across the road). I've given my netbook to Narelle and I think she's pretty impressed already.

Maybe I missed them in the crowd, but I wonder if the days of UniSA sending >10 delegates are over as I didn't bump into any old colleagues this year. It did feel different not having Gary, Dat, Mark around or bumping into familiar faces from IT.

Finally I do especially appreciate the sacrifice my family made (both in my time away from home and financially) to allow me to attend.

Tech-Ed 2009 – Thursday

I woke up Thursday morning feeling pretty good, until I sneezed.

Unfortunately the sneeze triggered another back spasm, so by the time I got over to the conference centre, I was not feeling super-comfortable. I felt a little better as the day progressed but it meant I did end up having to stand for most of the sessions to avoid aggravating things even more.

Highlights

  • Discovering Michael Howard also has a "Mr Happy" T-shirt – just like the one I was wearing during his session.
  • Mitch has great clip-art in his presentations
  • Winning a token to the Mobile Smackdown by answering a question in the WCF talk (don't call WCF proxies in a 'using' block as the Close() method can raise exceptions)

Software Development Pitfalls with Mitch Denny

  • Reality – software development is hard
  • 68% of projects still fail (2004)
  • Failure #1 - "Customers must understand all requirements"
  • Failure #2 - "Fixed price solutions"
  • Define the vision
  • Roles
  • SketchFlow
  • "It's about value, not frameworks"
  • Minimise waste
  • Villain #1 – Scope Creep
  • Villain #2 – Big "A" architect (doesn't have Visual Studio installed)
    • Planning Poker
    • Keep team stable
    • Pick team members for how they relate to the rest of the team
    • Resourcing not just about people
  • Villain #3 - "Pony-tail network admins"
    • Developers are different
    • Need a good PC
    • Developers' Bill of Rights
    • Rent servers by the hour

What's new in .NET 4 and VS 2010 with Adam Cogan

Visual Studio 2010

  • Add references improved performance (kind of)
  • Multi-line editing
  • Code navigation
  • Call hierarchy
  • SharePoint support

C#

  • Optional parameters
  • Named parameters

VB

  • Fewer requirements for the line continuation character "_"

ASP.NET

  • SEO (Routing), RedirectPermanent
  • Live data-binding – two-way binding
  • MVC
  • Query extensions
  • Deployment

SDL with Michael Howard

SDL Goals:

  • Reduce vulnerabilities
  • Reduce severity of missed vulnerabilities

  • Identify primary security/privacy contact
  • Security training
  • Track security bugs
  1. Strong signing and ACPTA
  2. Secure Crypto
    1. configurable algorithms (use a factory class)
    2. Use standard libraries
    3. Use appropriate algorithms
  3. Firewall
  4. Threat models
  5. Support UAC
  6. Granular feature control
  7. Grant minimal privileges (drop privileges on service startup)
  8. Use minimum code gen suite (eg. latest compiler)
  9. Use /GS
  10. Use Safe Exception Handling
  11. MIDL
  12. Use ASLR
  13. Use DEP
  14. Detect heap corruption
  15. No writable PE segments
  16. Don't use banned APIs
  17. Encode long-lived pointers
  18. Use FxCop
  19. Use /analyze
  20. Use SAL
  21. Use /W4
  22. Native code XML Parsers
  23. XSS
  24. Safe tags without attributes
  25. Use ViewStateUserKey
  26. Don't use JavaScript eval()
  27. Safe redirects
  28. SQL execute only
  29. Use parameterised queries
  30. Use stored procedures
  31. Don't depend on NTLM
  32. Don't swallow all exceptions (rethrowing is ok though)
  33. Safe error messages
  34. Fuzz testing
  35. Application Verifier
  36. Device drivers
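
Added C# example (not from the session) illustrating item 2, "Secure Crypto – Use appropriate algorithms", together with the "Don't use ECB mode" point in the next session: the same plaintext encrypted with AES in ECB and in CBC mode, followed by a count of repeated ciphertext blocks. The key and the plaintext are constructed for the demonstration, and the zero IV is there only so the two runs are directly comparable.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class CipherModeDemo
{
    // Encrypt with AES in the requested mode. The IV is fixed to zero here purely so
    // the ECB and CBC runs are comparable; real code uses a fresh random IV per message
    // (ECB ignores the IV entirely, which is part of its problem).
    public static byte[] Encrypt(byte[] plaintext, byte[] key, CipherMode mode)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.Mode = mode;
            aes.Padding = PaddingMode.PKCS7;
            aes.IV = new byte[16];
            using (ICryptoTransform encryptor = aes.CreateEncryptor())
                return encryptor.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
    }

    // Count 16-byte ciphertext blocks that repeat an earlier block. Any repeat tells
    // an observer that two plaintext blocks were identical, without needing the key.
    public static int RepeatedBlocks(byte[] ciphertext)
    {
        var seen = new HashSet<string>();
        int repeats = 0;
        for (int offset = 0; offset + 16 <= ciphertext.Length; offset += 16)
        {
            if (!seen.Add(BitConverter.ToString(ciphertext, offset, 16)))
                repeats++;
        }
        return repeats;
    }

    public static void Main()
    {
        byte[] key = new byte[32];                                 // constructed demo key
        for (int i = 0; i < key.Length; i++) key[i] = (byte)i;    // real code: RandomNumberGenerator

        // Eight identical 16-byte records, like a file full of repeated fields.
        string record = "SALARY=00000000;";                        // exactly 16 ASCII bytes
        byte[] plaintext = Encoding.ASCII.GetBytes(string.Concat(Enumerable.Repeat(record, 8)));

        byte[] ecb = Encrypt(plaintext, key, CipherMode.ECB);
        byte[] cbc = Encrypt(plaintext, key, CipherMode.CBC);

        Console.WriteLine("ECB repeated blocks: {0}", RepeatedBlocks(ecb));
        Console.WriteLine("CBC repeated blocks: {0}", RepeatedBlocks(cbc));
    }
}
```

The ECB run reports a repeat for every identical plaintext block after the first, because ECB encrypts each block independently with the same key; the CBC run reports none, since each block is chained to the previous ciphertext. In production the choice today would be an authenticated mode such as AES-GCM, or CBC with a random IV and an HMAC over the ciphertext, so that tampering is detected as well as patterns hidden.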

Security for Developers with Michael Howard

  • How do I sell security to management?
    • Sell privacy and reliability
  • #1 skill developer should have
    • All data is evil unless proven otherwise
  • #1 skill testers should have
    • fuzz testing
    • !exploitable (WinDbg)
  • #1 skill designers/architects should have
    • threat modelling
  • What does the bad guy control?
  • The Turkish "I" problem
  • Why should I not use RC4
  • Don't use ECB mode

WCF Scaling with Chris Hewitt

  • Instance management (PerCall)
  • Service throttling 3.5/4.0
  • Threading IIS6/7
  • Cache the channel factory and channel
  • Proxies can explode
    • Use proxy wrapper
  • Don't really need wrapper for basicHttp binding as there are no sessions
  • Large data – stream mode
  • Binary encoding – even over HTTP
  • PerSession with durable services
  • SSL load balancing behaviour
  • "Dublin" – WAS extensions
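
Added C# example (not from the talk) of the "Proxies can explode / Use proxy wrapper" point, which is also the reason behind the "don't call WCF proxies in a using block" answer in the Thursday highlights. IPingService and the endpoint address are hypothetical; the wrapper itself works against the real ICommunicationObject interface from System.ServiceModel (.NET Framework, matching the 2009 context) and keeps one ChannelFactory per endpoint, as the "cache the channel factory" bullet advises.

```csharp
using System;
using System.ServiceModel;

// Hypothetical service contract, constructed for the demonstration.
[ServiceContract]
public interface IPingService
{
    [OperationContract]
    string Ping(string message);
}

public static class WcfProxyHelper
{
    // Don't:  using (var client = factory.CreateChannel()) { client.Ping(...); }
    // Dispose() calls Close(), and Close() throws on a faulted channel. That second
    // exception replaces the one that faulted the channel, and the channel is never
    // Abort()ed, so the underlying connection leaks until it times out.

    // Do: run the call, Close() on success, Abort() on any failure and rethrow the
    // original exception. Abort() is safe to call in any channel state and does not throw.
    public static TResult Use<TChannel, TResult>(ChannelFactory<TChannel> factory, Func<TChannel, TResult> call)
    {
        TChannel channel = factory.CreateChannel();
        ICommunicationObject comm = (ICommunicationObject)channel;
        try
        {
            TResult result = call(channel);
            comm.Close();
            return result;
        }
        catch
        {
            comm.Abort();
            throw;
        }
    }

    public static void Main()
    {
        // Cache one factory per endpoint: building it is expensive, channels are cheap.
        ChannelFactory<IPingService> factory = new ChannelFactory<IPingService>(
            new BasicHttpBinding(),
            new EndpointAddress("http://localhost:8080/ping"));   // hypothetical address
        try
        {
            string reply = Use(factory, (IPingService svc) => svc.Ping("hello"));
            Console.WriteLine(reply);
        }
        catch (EndpointNotFoundException ex)
        {
            // With no service listening the channel faults here; Use() has already
            // aborted it and the original exception reaches us intact.
            Console.WriteLine("service not reachable: " + ex.Message);
        }
        finally
        {
            factory.Close();
        }
    }
}
```

The same pattern applies to a generated ClientBase<T> proxy: call the operation, then Close() in the success path and Abort() in every failure path, never Dispose() via using. As the next bullet notes, a session-less basicHttpBinding is more forgiving, but the wrapper costs nothing and is correct for every binding.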

Thursday night a whole stack of coaches drove all 2,500 delegates to Dreamworld. I'm not big on rides, but it was nice to have a look around, grab some tea, and catch up with Nigel, then bump into Jason and a couple of the guys from GraysOnline (Australia's biggest online retailer, which I'd never heard of until a few months ago).

Tech-Ed 2009 – Wednesday

Wednesday morning's keynote started the conference off at 8.15am. Highlights of some of the new features of Windows 7, Server 2008 R2 and Visual Studio 2010 were demoed.

They also took some photos of the attendees which have ended up as a deep-zoom photo. See if you can spot that guy near the front in the orange (actually bright red) shirt :-)

I attended the following sessions. Bullet points are transcripts of the notes I wrote for each session, so they may or may not make much sense sometimes!

SQL 2008 R2 with Mark Souza

  • Base engine is basically unchanged
  • "Gemini" add-in for Excel can efficiently process millions of rows of data in memory
  • Data-tier Application Component
    • unit of deployment
    • virtualise connection strings
    • can be moved between servers
    • supports updating and running custom scripts
  • Complex event processing

The DAC stuff looked interesting, and appears as though it will be a useful way to deploy and update database schemas.

ASP.NET MVC with Damien Edwards

  • Sample site hooizdat.com
  • Model-binding instead of data-binding
  • Unit testing
    • arrange-act-assert
  • Includes AJAX JavaScript library and jQuery
  • Mobile
    • restrictions on cache size
    • mdbf.codeplex.com – mobile device compatibility
    • mobile-aware view engine
  • Optimisation
    • Reduce HTTP requests
    • PowerShell post-build script to strip/compress/optimise JavaScript and CSS files
    • Switch to a condensed JavaScript file (single file instead of multiple includes) in release mode

The optimisation stuff was interesting – concatenating multiple js files into one to reduce the number of HTTP requests.

WCF and WF in .NET 4.0 with Graham Elliot

  • Simplified configuration
    • Able to figure out default endpoints from bindings
    • Set default behaviours by omitting names in configuration
  • Service discovery
    • Dynamic endpoints
      • ad-hoc – good within a subnet
      • managed – uses a discovery proxy
    • Routing
  • Improved REST support
  • WF 4
    • XAML-only
    • Activity library
    • No state machine support

IIS 7.5 New Features with Jorke Odolphi

  • Support for Server Core on R2 – 64-bit only
  • Use DISM to install ASP.NET on Core
  • FTP
  • WebDAV
  • Media Services (more integrated into IIS now)
    • smooth streaming
    • demo of HyperV live migration whilst streaming video
  • Web deployment tool

Live migration of virtual machine whilst streaming video was impressive.

SQL High Availability with Nicholas Dritsas

  • 2008 SP1 can finally uninstall updates and service packs
  • Support for HyperV – 1-2% impact if using newer hardware
  • Mirroring enhancements
    • recover from I/O errors by copying from mirror
    • log stream compression
  • ServiceU case study
    • Cluster at primary and DR sites
    • Log shipping and async mirroring
  • Connection string
    • use "Failover Partner=servername;"
  • Clustering new features
    • rolling node upgrade/patching
  • Can use replication to migrate to a new server and have the ability to roll back to the original server should the upgrade fail.

SQL Certification 70-432 Cram Session with Greg Low

  • Installing and configuring
    • Don't need Browser service running if using fixed port numbers
    • Database mail depends on Service Broker
  • Maintain SQL Server instances
    • Transparent database encryption – need to backup the certificate and private keys too
  • Performing data migration tasks
    • Filtered INDEX can include a WHERE clause
  • Monitoring and troubleshooting
  • Optimise SQL Performance
  • Implementing High Availability
    • Log shipping can be a good way to upgrade to a new server

Not sure if I'll do this exam, but Greg did a nice job giving an overview of the required knowledge, and we got tea as well.

Tuesday, 8 September 2009

Tech-Ed 2009 Arrival

The day almost didn’t happen when I realised I'd left my wallet in the car after being dropped off at the airport. Some frantic phone calls managed to catch Narelle before she'd driven too far! Boy did I feel silly!

The flights to Melbourne and then to Brisbane were uneventful, and made a bit more comfortable by being upgraded to exit seats (my legs appreciate the extra room). I'd had some of my Melbourne flights automatically upgraded when I was flying over to see Nanna before she died and for her funeral, and I also discovered that often you can ask to be moved to an exit seat – if you don't ask, you won't get.

Next the AirTrain down to the Gold Coast. I took advantage of booking the taxi when I collected my tickets at Brisbane airport, so they were there to pick me up from the train station and drive me directly to my motel.

The motel is directly opposite the convention centre, so you can't get a more convenient location. My priorities were to get something as cheap as possible, and it probably is a case of getting what you pay for. The room is very simple – bed, TV, bar fridge and bathroom. No, it isn't the Sydney Hilton by any means, but as I'm paying for it out of my own pocket, I'm quite content.

After dropping off my bags in my room, I wandered across the road and met up with Rob. Wearing our shirts we looked like the Lobsterpot Solutions Twins :-)

There was a nice dinner on offer as part of the welcome party (I do have good memories of conference catering at the Gold Coast!) and a chance to be introduced to many of Rob's contacts, survey the expo stalls and grab a few freebies for the kids.

One interesting thing I learned while chatting to one of the guys (I think it was Vaughan Knight) was that he had to change the topic of his talk because Microsoft were dropping the Live Services Framework – including Live Mesh. I've been using Live Mesh a bit (including as a way for the band-members of sevenfold to collaborate and share lyrics, recordings and other documents), but apparently it will shortly be no more, which is a real shame.

Monday, 7 September 2009

Catching up

It's been a little while between posts, and there have been a couple of reasons for that.

  • That back injury has been persisting a lot longer than I'd hoped
  • My Grandma (Nanna) Jean was hospitalised and then passed away recently

Nanna was 96, and had pretty much been living independently in her house right up until she suffered a massive stroke. She hung on long enough for the family to travel interstate to Geelong Hospital to spend time with her before she died.

I flew over to say goodbye to her (she wasn't able to speak but was alert and had limited movement), and then returned to Geelong a week later to attend the funeral service. Then last week her body was brought back over to Adelaide where she was buried.

My back injury seemed to be healing well initially but a work field trip (spent largely sitting in a car) was not helpful and things seemed to plateau for too long. I've taken to avoiding sitting as much as possible – including standing on the bus to/from work and even standing in some meetings.

Some more "enthusiastic" (aka painful but effective!) treatment from my Chiro and a follow-up remedial massage session seem to be helping. I'm sure my work colleagues would prefer to see me being able to sit down for most of the day rather than doing yoyo impersonations :-)

Ironically my iPod Shuffle appears to have succumbed to the dreaded "flashing LEDs of death" – annoyingly on the flight home from the Geelong funeral service, so all those podcasts will have to wait until I come up with a replacement plan.

And to top it all off, tomorrow I'm heading off to the Microsoft TechEd Conference 2009 at the Gold Coast Convention Centre. I may well be the conference delegate who stands up in the sessions rather than taking a seat.

Oh, and additional congratulations to LobsterPot Solutions, as they are now a Gold Certified Partner. Was it that long ago they were just plain Certified?! I'll be proudly wearing a LobsterPot shirt at TechEd and lending my support to raise the profile of Rob's company.

No doubt I'll be posting more about TechEd in the next few days.