CMAP Code Camp and Richmond Code Camp

Saturday was the Spring ’08 CMAP Code Camp. Lots of good sessions there, lots of fun as well! I presented on “SQL Server 2008” and “What’s new in C# 3.0” as a replacement for Jay Flowers since he wasn’t able to make it. A big congratulations to Chris Steener and Randy Hayes for putting together a fabulous code camp.

 

Also, coming up on the 26th is the Spring ’08 Richmond Code Camp. I hope to see a lot of new people there, as well as all of the ones I already know. The tentative schedule has been posted, which you can see here. It’s going to be a good one! I’ll be re-presenting my “SQL Server 2008”.

I’d like to report a negligence

I’ve always been interested in software security, and it’s always been a number one priority for me. Software security is really honoring the trust of the people that use your software. I’ve also been fortunate to be the lead developer of a security product. I myself also tend to keep an eye on the security of other products.

We use a few applications in house that we really like. I decided to poke around at the security of some of these products. I won’t say any of the product names because they really are good products, sans some poor security. If I find a security bug in a piece of software, I will report it to support or the development team. I feel like I’ve done all that I can, and I’ll leave it to them to fix it.

Though the one thing that there really is no excuse for is storing a password in clear text. While doing my digging, I found that two products we use stored passwords in clear text. One of them was attempting to hash a login password using String.GetHashCode, which isn’t a good idea, but much better than clear text. However, this product also stored some other passwords in clear text. They needed to be two way, so a hash wouldn’t work; rather, symmetric encryption would be the better fit. The other system just used clear text for all passwords. This is really just neglecting security; it’s not even a bug. It’s just not caring.

It’s not too hard to encrypt data in .NET. It’s pretty easy, there are a lot of tutorials on it, and there are a few user groups around that talk about it as well.
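As an added illustration of the two cases above (not code from either product, and not from the original post): login passwords go through a salted, slow one-way hash, and passwords that have to be read back are encrypted with an authenticated symmetric cipher. It assumes .NET 8 or later; the class name, the stored format, the iteration count, and where the key comes from are all assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example. CredentialStore and its storage formats are hypothetical.
public static class CredentialStore
{
    const int SaltSize = 16, HashSize = 32, Iterations = 600_000; // assumed parameters
    const int NonceSize = 12, TagSize = 16;                        // AES-GCM sizes

    // Login passwords: one-way, salted, deliberately slow. Store the returned string.
    public static string HashLoginPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    public static bool VerifyLoginPassword(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations)) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        if (expected.Length != HashSize) return false; // reject truncated records
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, HashSize);
        return CryptographicOperations.FixedTimeEquals(actual, expected); // constant-time compare
    }

    // Passwords the application must replay to another system ("two way"):
    // authenticated encryption. The 32-byte key has to live outside the data
    // store (assumption: DPAPI, a key vault, or similar), never beside the blob.
    public static byte[] ProtectSecret(string secret, byte[] key)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        byte[] blob = new byte[NonceSize + TagSize + plain.Length]; // nonce | tag | ciphertext
        RandomNumberGenerator.Fill(blob.AsSpan(0, NonceSize));      // fresh nonce per secret
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(blob.AsSpan(0, NonceSize), plain, blob.AsSpan(NonceSize + TagSize), blob.AsSpan(NonceSize, TagSize));
        return blob;
    }

    public static string UnprotectSecret(byte[] blob, byte[] key)
    {
        byte[] plain = new byte[blob.Length - NonceSize - TagSize];
        using var aes = new AesGcm(key, TagSize);
        // Throws a CryptographicException if the blob was altered or the key is wrong.
        aes.Decrypt(blob.AsSpan(0, NonceSize), blob.AsSpan(NonceSize + TagSize), blob.AsSpan(NonceSize, TagSize), plain);
        return Encoding.UTF8.GetString(plain);
    }
}
```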

Seeing this makes me think a couple of things. The first being, are my standards too high? I don’t think so, honestly. I don’t see any reason for storing a password in plain text other than reducing developer effort. The second thing is, how common is this? If two applications that we use have this issue, should I lose trust in all of the applications I use? It’s not a comfortable thought, knowing that some software abuses the trust that we give it. The third thing is, I know one of these products is extremely popular. I’m surprised no one has caught this before. Am I really the only one that tinkers around with other software’s security?

Off topic, but I am trying to get back into the swing of blogging again. I’ve set a goal of trying to blog every other day or more often. We’ll see how it goes.

MVC Framework

The MVC framework is the new “hot” thing in the ASP.NET world for developers. As such, everyone has at least one blog entry about it. So, I think it’s time I jumped on that ship. Though, I wanted to voice a few concerns with the MVC Framework, or at least how people perceive it.

The MVC design pattern is by no means new. It’s been around since around 1979, and .NET is certainly not the first framework that supports the MVC Pattern, nor is Microsoft’s MVC Project the first for .NET. Spring is a very popular MVC solution for Java developers, and there is a .NET port of it as well. Though, I’m not here to give a history lesson either.

I often hang out at the ASP.NET Forums as a moderator and contributor. The MVC Framework is a pretty hot forum over there at the moment. Though after reading several posts, I can’t help but get the feeling that several people aren’t certain as to what the MVC design pattern is trying to solve.

So, at its core, MVC is a design pattern that was originally used in Smalltalk-80. The original paper is up for interpretation, but at its core theory, MVC’s original goal was clean separation between layers of your application.

Yes, MVC gives you cool features like Routing, and a big bonus of Unit Testing. Anyone that has been using unit testing before knows that good separation of your code is important to achieve practical unit tests, especially those who also practice Test Driven Development; but the true goal of MVC (or MVP for that matter) is decoupling logic.

Some people originally made the claim that the current ASP.NET model (before the MVC project) was an MVC model. Well… mmmnnn…ooo. Not quite. It could be argued that it was, but the “not quite” was the event processing in .NET. The initial argument was that the event handles on controls coupled the code behind too tightly. A better solution would be to have the event handles work with a presentation model.

OK, I’ve been rambling on a little bit. What’s my point (if any)? I suppose that Microsoft’s MVC is pretty cool. I am a little perplexed as to why everyone got so excited about MVC since Microsoft announced they were providing a Framework when there are, frankly, better and more mature MVC Frameworks around, and I’ll circle back around to Spring for that one. Spring has been around since .NET 1.1, and since it is a Java port, they have a lot of experience from there, too. I get concerned that some people really aren’t using MVC for the purpose of decoupling and improving their code, but rather for some of its specialized features, such as Routing.

Though, in all honesty I tend to lean towards the MVP pattern myself. Though it’s not quite as popular, I still prefer it because the view is not as coupled with the model. A good MVP project is Stormwind NMVP.

CaptainHook

This is my first post to the msmvps.com web site. I decided to move my blog from http://community.strongcoders.com/blogs/vcsjones.


So, I thought I would start off by talking about something a little obscure that a co-worker turned me onto.


[Image: Captain Hook, used under Fair Use]

OK, different Captain Hook. We’re not talking about Dustin Hoffman, either. No, I am talking about the .NET Subversion hook framework from Phil Haack. Phil and his company released a nice .NET Framework Library on SourceForge.


OK, a bit of information, first.


I’m a big fan of Subversion. It’s what we use at our company for all of our source control, and we use it for a lot of things besides maintaining our code. Documents, Code, etc. It’s by far my favorite Source Control solution, and the details of that are another blog post.


Aside from Subversion, we also use an Agile planning and estimation program called TargetProcess. It’s very useful for Agile shops. But for the purpose of this post, think of it as any other tracking system, like Bugzilla or FogBugz (we use FB too for a client).


One of my favorite features of TargetProcess is that it integrates with Subversion cleanly. When I commit with Subversion, all I have to do is put a pound (#) and then the ID of the “story” (think of that like a bug) and then I can track it from TargetProcess, view diffs, and read commit messages for that given story. For example:


KJ – #1234 – Fixed minor typo in Administration screen.


Now when I look in TargetProcess at #1234, I can see the commit message, and the files that changed.


So, the problem I am trying to solve on the team is forgetting to put a number in the commit message. Fortunately, Subversion allows us to hook pretty easily. Specifically in this case, we want to use a pre-commit hook.


Despite Subversion’s ease of hooking, it can be a little tricky in .NET. And unlike the movies, CaptainHook is the protagonist for this. I’m not going to go into details of how CaptainHook actually works, but I will go into detail of what’s great about it.


Subversion allows hooking at the repository level. So, for a given repository, there are several types of hooks. The one I am keen on is the pre-commit. If you look in a repository, there is a directory called “hooks”. When a commit is made, it will start a file named “pre-commit”. It can be a BAT file, executable, Perl script, what have you. If the exit code does not equal zero, the commit will not go through.


CaptainHook, in a nutshell, is an executable that probes a directory for assemblies with “hooks” in them. It executes the hooks, and if any of the hooks return false, CaptainHook exits with a non-zero code, probably 1.


So, what we want to do is put a regular expression on the commit message… something like “#\d+”. What does one of these hooks look like?


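using System.Text.RegularExpressions;
// Also import the CaptainHook namespace that defines PreCommitHook and ITransactionInfo.

public class RequireTargetProcessNumber : PreCommitHook
{
    // Called by CaptainHook before the commit is accepted; returning false rejects it.
    protected override bool HandleHookEvent(ITransactionInfo commit)
    {
        string commitMessage = commit.LogMessage;
        if (!HasTargetProcessNumber(commitMessage))
        {
            this.Context.Output.WriteError("TargetProcess Number was not specified in commit message.");
            return false;
        }
        else
        {
            return true;
        }
    }

    // Public so the regular expression can be unit tested on its own.
    public bool HasTargetProcessNumber(string commitMessage)
    {
        return Regex.IsMatch(commitMessage, @"#\d+");
    }
}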


So there are a few things going on in here… we are overriding the HandleHookEvent from our base class, PreCommitHook. This gives us an ITransactionInfo, which provides us with information about the current transaction. We test the commit message for our regular expression, and if it doesn’t match, we fail. I extracted that regular expression to unit test it. If HandleHookEvent was public I could probably test it that way with a mock test as well.


Anyway, that’s all there is to it. I can create as many assemblies of these as I want to modularize them, and drop them in a configurable path that CaptainHook looks for.


I highly recommend this for anyone that uses Subversion. It has a lot of other practical uses, such as emailing when a commit is done, or writing to an RSS feed on a successful commit.