Saturday, 28 March 2009

Hard-Coded Passwords Gotcha

Everyone agrees we should give to charity but not that many people do. In the same way everyone agrees we should write secure software but I’ve seen again and again web applications that you could break with a Swiss army knife and a bent paper clip. I think part of the problem that security advice seems overwhelming and hectoring. Reading the recent list of CWE/SANS Top 25 Most Dangerous Programming Errors is like been nagged at by your office manager. I can’t disagree but I can’t take in anymore.

The best way to know and appreciate something is to see it. CTW-259 warns of hardcoded passwords. It was only when I downloaded reflector that I realised how much of a problem this was.

Consider this fragment of a class
public class TestClass

{

 private string _password = "supersecretpasswordnoonecansee";

 private int _testInt;



 /// <summary>

 /// Test Int

 /// </summary>



 public int TestInt

 {

  get { return _testInt * 6; }

 }



 //etc....

}
That password is secure as houses when complied. Well once it’s loaded into Reflector and disassembled then probably not


That took me about 30 seconds to break. Reflector is a free download so it’s not even costly for the hacker. Bit more costly for the victim though.
Posted by at No comments:
Labels: , ,

Wednesday, 25 March 2009

IT Demographics: Finger Length, Gender and IT


There’s an awful lot more male software developers than women. It’s a truth so self-evident that it would take some-one of delusional levels of political correctness to deny it. Therefore counting the number of ladies of a coding persuasion in your office will lead to blinding obvious results i.e. there ain’t that many. However counting the number of man brains in your office may well be of more importance to the nascent science of IT demographics.

Logic would dictate that if you’re a man then it’s a man brain for you and visa versa for women. Not so Horiatio. A significant minority of men have lady brains and the converse for women.

You will be gladdened to know that there is no need for radical surgery to identify a man brain. A none-invasive technique is available. Simply look at a person’s hand and measure the relative lengths of their forefinger and their ring finger (nearest to the little finger).


  • If the ring finger is bigger than the forefinger – you are a proud owner of a man brain.

  • If the ring finger is shorter than the forefinger – then you are well endowed with a fashionable ladies’ brain.

So get out there and do it. Seize the hands of all the coders in your office and get measuring. I won’t sully the scientific endeavour by speculating on the result however I wouldn’t be surprised if coders of either gender orientation excel at tasks such as reading maps and putting together flat pack furniture.
Posted by at No comments:
Labels:

Saturday, 21 March 2009

The Sad Deletion of Jeff Atwood

It’s a modern day tragedy. I was browsing wikipedia this week when I just happened to check out the entry for my favourite blogger Jeff Atwood. I was shocked and dismayed to discover that the entry has been deleted - Mr Atwood has been deemed as being too trivial. In the tawdry old real world Jeff’s star seems very much in the ascendant with the release of the programmer’s wiki-portal stackoverflow (very much worth a browse). Sadly things appear not to be going so well for him online.

So whatever next for Jeff? Will all his blog posts be erased? Will his facebook account be defaced? Will his twitter tweets be expunged? Will all signs of his online life be purged from the Internet? It will be worse than online death. It will be obliteration. It will be extinction. It will be like he never existed at all. He will just be left with that shallow, dreary existence we have come to call the real world. What a truly tragic fate for a truly geeky man.
Posted by at 1 comment:
Labels:

Monday, 16 March 2009

Reflector: Disassemblement for the Masses

I appreciate it’s probably an unpopular pastime for many of us geeky developer types but sometimes talking to colleagues does have its benefits. Once we’d finished discussing the latest BattleStar Galactica episodes and reminiscing about tabletop war gaming our conversation turned to tools of a cool nature, particularly reflector.

Reflector is a disassembler for .Net provided by the lovely people at Redgate. It’s so good that it seems almost magical in its power. Previously if I wanted to poke around in a dll then I’d use MSIL disassembler (ildasm.exe) and then feel all manly that I was interfacing directly with the intermediate language code. Since I was feeling all scientific I whipped up a quick test class to compare the two.

The test class
using System.Collections.Generic;
using System.Text;

namespace TestProject
{
 /// <summary>
 /// Test Class
 /// </summary>
 public class TestClass
 {
  private int _testInt;

  /// <summary>
  /// Test Int
  /// </summary>
  public int TestInt
  {
   get { return _testInt * 6; }
  }

  private string _testString;

  /// <summary>
  /// Test String
  /// </summary>

  public string TestString
  {
   get { return _testString; }
   set { _testString = value; }
  }
 
  /// <summary>
  /// Test Class
  /// </summary>

  public TestClass()
  {
   _testString = "TechSplurge";
   _testInt = 99;
  }

  /// <summary>
  /// Test Method
  /// </summary>
  /// <param name="maxCount"></param>
  /// <returns></returns>
  public void TestMethod(int maxCount)
  {
   for(int i=0;i<maxCount;i++)
   {
    Console.WriteLine(_testString + i.ToString());
   }
   Console.WriteLine("End");
  }
}
}
With Ildasm

It’s a bit cryptic in there. Let’s look at the manifest






OK I can see namespaces but the rest is mysterious


With Reflector



Wow – the scales have fallen from my eyes and I see real code buried in the dll.

In fairness it’s a little like comparing apples with oranges. Ildasm.exe is for looking at what the code actually does once it’s been compiled - useful when really going for performance tweaks. Reflector is for seeing what the programmer intended and for seeing how on earth that third party dll works.
Posted by at No comments:
Labels: ,

Saturday, 14 March 2009

Star Wars Interviews


There’s all kinds of theories about how to get good programmers. You could separate Sheep from Goats with Jeff Atwood or experience the madness which is Interview 2.0 with extra riddles. Alternatively you could trust yourself to the force with Tech Splurge.


The methodology is simple but breathtakingly effective. When you contact a candidate with perhaps some direction to the interview or a pre-screening test simply append this simple line to the end of the mail


Use it wisely and only for good.


Any true geeky tech spod will immediately recognise the Star Wars-ness of the statement and will not be able resist replying in the same vain. So if the response is a boring old “Thank you for your response and I look forward to seeing you in due course” then I’m sorry you haven’t passed the test and we won’t be pursuing your application. However if the response is permeated with references to light sabres, X-wings and Princess Leila then you’ve found your ideal candidate. Employ immediately.


I’ve already done the ground work and test ran the phrase with developer colleagues and we are talking an impressive 100% hit rate. Every one of them replies with a Darth Vader image, a Yoda impression or some other Star Wars ephemera. It’s eerily effective.
Posted by at No comments:
Labels: ,

Saturday, 7 March 2009

Sony Reader


A few weeks ago Mrs Tech Splurge and myself were have a coffee in Waterstones when I happened upon a stand of Sony’s new eBook – Sony Reader. Against all expectations I was impressed. It felt good in the hand, the screen was attractive and very like a book and the battery only appeared to drain on page refresh so would last for ages. However even though I’m a technology fan, was impressed by the product and I like a good book I still didn’t buy it. Why on earth not?

I believe that eBooks themselves are fundamentally flawed particularly as compared to MP3 players which must be the business model that Sony is trying to follow.

The Flaws


  1. You need earlier adopters and tech evangelists to push your product. While geeky nerdy types will get excited about audio systems or home cinemas the enthusiasm for a home library system surely would be more muted

  2. With music I’ve maybe got 20-30 CDs that I would regularly listen to. I can’t carry them all around with me so an MP3 player is the ideal solution. With books I’ve only maybe got 2-3 on the go at any one time. So picking one and carrying it round with me isn’t a fantastic hardship that cries out for a technological solution.

  3. I would imagine that demographics of book readers includes a lot more older readers than music fans or film buffs. A decent proportion of these would be late adopters and outright refusers of new technologies.

  4. If I was an author I wouldn’t licence my work for electronic distribution. As soon as it’s out there then I’ll be in the Peer2Peer copyright hell that musicians are currently dwelling in.
Even though the idea has flaws I don’t think it’s a stinker. It’s just more niche than Sony would probably want. There are a couple of circumstances when it would have real value.

Niches


  1. I spend inordinate amounts of time deciding which books to bring on holiday. With an ebook reader – no problem, bring them all.

  2. I like to have an IT book or two on the go but I’m not going to carry them round with me. However if they were nestled inside an ebook reader I might.

  3. There is probably a good model for magazine subscriptions buried in the ebook reader. Throw in a bit of wireless connectivity (i.e. Kindle) and you could get an update of your favourite publication when you’re in Café Nero enjoying your mocha chocca double expresso latte.
Overall, I reckon that ebooks will never be the killer app and disruptive technology that MP3 players were. No matter how cutesy, leather bound and easy on the eye they become they’ll always remain a solution looking for a problem.
Posted by at No comments:
Labels: ,

Friday, 6 March 2009

Lab Lit


I’m a bit of a frustrated scientist at heart. Never mind that I spent my final year at University sulking over Petri dishes, leaving expensive reagents out of the fridge to spoil and breaking centrifuges. There is still a part of me that truly believes that my natural environment is in a lab surrounded by poisonous chemicals and glassware. So I was fascinated by the LabLit site.

As a may have mentioned before (ad nauseum) I’m a bit of a science fiction geek. So LabLit is a new concept for me. It’s fiction about science Jim but not as we know it. Lablit doesn’t concern itself about spaceships, killer robots and little green men. Rather it is literature with realistic depictions of science. Sometimes this is the same as science fiction but often it is not. It turns out that as a frustrated scientist my sci-fi faves are often also LabLit.

My lablit recommendations are

Contact – Carl Sagan. Lab coats, spectacles and radio astronomy
Timescape – Gregory Benford. Lab coats, environmental disaster and worried looks
Speed of Dark – Elizabeth Moon. Lab coats, clever maths and autism
Blood Music – Greg Bear. Lab coats, nanotechnology and quantum freakiness

And to prove I’m a well rounded individual (I’m not) here’s a lablit recommendation that isn’t sci-fi

Thinks – David Lodge. Lab coats, psychology and academic flirting
Posted by at No comments:
Labels: ,
Subscribe to: Posts (Atom)