Miscellany – not security – Page 3 – Tales from the Crypto

Miscellany – not security

New Windows Phone 8. Something to love, something to hate.

Given in to phone envy, Alun?

No, not really – although I will say it was interesting to be around so many Windows Phone 8 users at the Microsoft MVP Summit last week.

But the HTC HD7 I originally bought, which spent a half-hour in a hot-tub (syncing), then a week in a bucket of Damp-Rid, then a year (working) in the hands of my teenaged son, finally bit the dust in the middle of the MVP Summit.

Says the storage card is corrupted.

So, I can’t afford the time to take it apart, mess with the drive and possibly even discover that it is truly dead.

I have to take advantage of the “upgrade” pricing that comes with committing to another year of service from T-Mobile, and upgrade him to a Windows Phone 8 system.

Then my wife gets interested in the phone, and before you know it, we’re all getting new phones.

No problems, then – everything’s good!

Yes and no.

It’s always good to get a new phone, sure, and to enjoy the fun of new features. But you’ve got to reinstall, and in some cases, re-buy (my wife went from a Blackberry to an HTC 8X) all your apps. And the data is all gone. High-scores, messages, settings, there’s no good path to take data from a WP7 to a WP8, let alone from a Blackberry to a WP8.

Some apps, of course, save their data to the cloud – all my OneNote files came with me.

It’s not so bad in the future, because there’s apparently a better upgrade path from WP8 to other WP8 phones. Messages get backed up, as well as your app list and settings.

How’d you get your apps back, then?

The interface to reinstall has improved over the years, from the first version, in which I only found the ability to restore apps installed directly from the Zune software; to a later version, which required a bunch of different click-through pages for each app you want to reinstall. Now, the reinstall interface is so much easier. Just go to the Windows Phone “Purchase History” page, scroll down the list of apps and click “Reinstall” on each app you want to go onto your new phone. No clicking through, no re-checking boxes about allowing location, etc.

Despite the name “Purchase History”, this page lists even those apps which I downloaded for free, whether as Trial software, or because the software was free in the first place.

That’s the good part, and that’s how I got some of my apps back. But the bad part is that this list doesn’t contain all of my free apps, just a limited, and somewhat random, selection. For instance, although it lists Amazon Fresh, the Purchase History page is missing Amazon Kindle, and Amazon Mobile, as well as the majority of my other free apps. This is not good customer experience, and if I was the author of any of the apps that aren’t easily reinstallable, I’d probably raise a big stink.

So now, I have to go one by one through my old phone’s list of apps, finding out which aren’t on my new phone, searching for them in the store, finding them in the search results, clicking on them, then clicking “Reinstall” (the store knows I have already installed them before). This makes me more likely to not reinstall these apps, and since the majority of these are ad-funded apps, whose authors won’t make a dime unless I run them, I think that app developers have a strong incentive to ask Microsoft to fix this behaviour.

And how’s the podcast experience?

Oh, you knew that I’d have something to say about that. Well, this post’s long enough already, so I’ll leave that until next time. For now, I have to say I do like my new phone, but I’m really tired of this whole update process already.

That “are you kidding me?” moment in customer support

So, my Sunbeam electric blanket died yesterday. Second one in a year.

As a dutiful consumer, I’d really like to report this to the manufacturer, get a replacement and move on. I fill out the “Contact Us” form. Then I get this ludicrous error:

[image]

So, you’re going to ask your customers to contact you when they have problems, and then you’re going to actually limit the characters they’re allowed to use in the QUESTION that they’re asking you?

Asking me to avoid using quotes, colons and semicolons in written English is completely ludicrous.

And yes, I know why they do this. It’s because they attended a course on secure programming which told them how to do input validation.

Input validation is not the shizzle

I am constantly amazed as to how frequently I have to ram this point home to developers who have learned one trick to protect against injection attacks.

“Validate ALL input – reject the bad characters!” – I’ve heard this from a number of people, including security professionals.

When you CAN do strict input validation based off a restricted whitelist, of course, that’s great – “input a whole number between one and ten” is good for input validation. “Input your name” generally isn’t, because names have a habit of containing characters that are known to be ‘bad’ characters in a number of cases, such as “O’Donnell”. Apostrophes are bad in numerous cases. “Input your question”, as in this case, is likely to elicit all kinds of funky characters.

And, as I ask the candidates on my phone screen interviews, what do you do in the case when you have a web app which stores to a SQL database, and its task is to store XSS and SQL injection attacks? <sigh> Clearly, you have to use acceptable output encoding. Apparently, Sunbeam’s web developers are not good enough to know when to stop using input validation, and start using output encoding.
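An added example, not part of the original post and not Sunbeam's code: the two approaches side by side in Python, using only sqlite3 and html.escape from the standard library. The blacklist pattern, the table, the function names and the sample submissions are all constructed for illustration.

```python
import html
import re
import sqlite3

# Hypothetical stand-in for the form's rule: reject quotes, colons, semicolons.
FORBIDDEN = re.compile(r"""['";:]""")

# Constructed sample submissions (name, question).
SAMPLES = [
    ("O'Donnell", 'Second blanket to die this year; can I get a "replacement"?'),
    ("Sam", "How should a form store text like <script>alert(1)</script>?"),
    ("Pat", "Does '); DROP TABLE questions; -- count as a question?"),
]


def blacklist_accepts(text):
    """True if the character blacklist would let this text through."""
    return FORBIDDEN.search(text) is None


def parse_rating(raw):
    """Whitelist validation where it fits: a whole number between one and ten."""
    if not re.fullmatch(r"[0-9]{1,2}", raw):
        raise ValueError("not a whole number")
    value = int(raw)
    if not 1 <= value <= 10:
        raise ValueError("out of range")
    return value


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE questions (id INTEGER PRIMARY KEY, name TEXT, body TEXT)")
    return conn


def save_question(conn, name, body):
    # Encoding for the SQL context: bound parameters travel separately from
    # the statement text, so quotes and semicolons are only ever data.
    cur = conn.execute("INSERT INTO questions (name, body) VALUES (?, ?)", (name, body))
    conn.commit()
    return cur.lastrowid


def load_question(conn, qid):
    return conn.execute("SELECT name, body FROM questions WHERE id = ?", (qid,)).fetchone()


def render_html(name, body):
    # Encoding for the HTML context, applied at output time, not at input time.
    return "<p><b>{}</b> asked: {}</p>".format(html.escape(name), html.escape(body))


def round_trip(name, body):
    """Store a submission, read it back, and render it for a support page."""
    conn = open_store()
    qid = save_question(conn, name, body)
    stored = load_question(conn, qid)
    rows = conn.execute("SELECT COUNT(*) FROM questions").fetchone()[0]
    conn.close()
    return stored, rows, render_html(*stored)


if __name__ == "__main__":
    for name, body in SAMPLES:
        stored, rows, page = round_trip(name, body)
        print("blacklist accepts:", blacklist_accepts(name) and blacklist_accepts(body))
        print("stored unchanged: ", stored == (name, body), "rows:", rows)
        print(page)
```

The blacklist turns away the customer called O'Donnell yet lets the markup in the second sample straight through, while the encoded path stores every sample unchanged and renders each one as inert text.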

Even less smart

My suspicions are confirmed when, after typing in a correctly formed question, the model number of the blanket (which, curiously, isn’t anywhere on the blanket or its controllers), the date code on the plug, and my contact details, the web page unerringly provides me with this as its response:

[image]

So, I think our next step is to contact Amazon to resolve this customer service issue properly. And not buying from Sunbeam again.

Removing capabilities from my first Windows Phone app

So, I thought I’d write a Windows Phone app using Visual Studio 2012 the other day. Just a simple little thing, to help me solve my son’s algebra homework without getting into the same binds he does (failure to copy correctly, fumbled arithmetic, you know the thing…)

And I run into my first problem.

The app uses no phone capabilities worth advertising – you know, things like the choice to track your location, so that the app’s install will ask the user “do you want to allow this app to have access to your location”, and you say either “allow”, or “why the hell does a flashlight application need to know where I am?”

And yet, when I run the “Automated Tests” under the Store Test Kit, I get the following:

[image]

If you can’t read the image, or you’re searching for this in Google, I’ll tell you that it wants me to know that it’s validated all the capabilities I’m using, and has noticed that I’m using ID_CAP_MEDIALIB and ID_CAP_NETWORKING.

Weird, because I don’t do any networking, and I don’t access any of the phone user’s media.

It’s just my son and me using the app right now, but I can picture some paranoid person wondering why I need access to their media library or networking simply so I can solve the occasional simultaneous or quadratic equation!

Quite frankly, I was mystified, too. Did a bit of searching across the interWebs, but all the articles I found said the same thing – the MediaLib capability must be because you’re using something with the word “Radio” or “Media” in it somewhere (I’m not), and the Networking capability because you’re doing something across the network. I removed all the “using System.Net” lines from all of my code files, but still no joy.

[A quick tip: to find all these rules yourself, look in C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v7.1\Tools\Marketplace for the file “rules.xml”, which will tell you what the capability detection code is looking for]

Nothing in my own code seemed to be actually causing this, so I took a step back and had a look at other references being included by the compiler by default.

System.Net seemed to be an obvious offender, so I removed that, to no effect (quite right, too, because it isn’t the offender, and doesn’t, on its own, cause ID_CAP_NETWORKING to be detected).

No, here’s the culprit:

[image]

Microsoft.Expression.Interactions – what on earth is that doing there?

It’s not something I remember including, and quite honestly, when I went looking for it, I’m disappointed to find that it’s associated with Expression Blend, not something I’ve actually used EVER. [Maybe I should, but that’s a topic for another time].

Removing this reference and rebuilding, the XAP tests clear of all capabilities. Which is nice.

So, now I have my “Big Algebra” app in beta test, and it doesn’t tell the user that it’s going to need their media library or their network connection – because it’s not going to need them!

Could Google prompt Microsoft to provide easier syncing?

As a Windows Phone user, and trying to persuade my wife to one day become one (instead of the Blackberry she totes around), I’m constantly stopped by the prospect that there is no way to sync my calendar and contacts without going through some online service.

This is a very strange situation, because even Apple’s iPhone can apparently synchronise Outlook contacts and calendar entries over the USB connection.

Microsoft’s answer to date has always been that we should rent or borrow an Exchange Server of some sort, push our calendar and contact details to that server, and then fetch them down later. Not exactly secure (you’re sharing a high-value target, possibly operated by a company with whom you compete, as your mail server), and free under generally limited circumstances.

Maybe I’m too paranoid, but I don’t really fancy that level of reliance on someone else’s service to host and protect information that, up until now, I’ve held physically on only a couple of devices. So, I make do without my contacts on my phone, and I rarely have a firm idea of my calendar commitments until I’m back at home base.

There are solutions, of course, because there always are – and they rely, essentially, on setting up something that pretends to be Exchange on your local WiFi.

Not exactly secure, and not exactly cheap. Certainly not free.

Then comes the bad news – Google has decided to close down Exchange connectivity to GMail, so that Windows Phones will not be able to use GMail any more. I’m sure that’s not the reason they give in press releases, but it seems likely that’s at least seen as a handy side-benefit. [Does this mean Google sees a threat from Windows Phone?]

Rather uncharacteristically, but in a welcome move, Microsoft turned around and, instead of turning it into a raging war of words, said that if they couldn’t get at GMail that way any more, they’d support one of the other ways of getting at GMail – this means that they’ll start supporting IMAP and the Calendar and Contact sync formats supported by GMail.

That changes everything

Because now, you don’t have to find an Exchange lookalike in order to sync locally – all you need is IMAP support, and support for the two formats, CardDAV and CalDAV.

These are simpler formats, and more widely documented and supported, than the Exchange protocols previously insisted upon by Microsoft. I can see that when they open up IMAP support, a lot of Windows Phone users will be opened up to their email accounts, and when CardDAV and CalDAV are added, we should see very quickly some solutions that allow for syncing of contacts and calendar while connected by USB.

2013 should be a good year to be a Windows Phone user.

And yes, I’m still waiting for my carrier to push Windows Phone 7.8.

UDP and DTLS not a performance improvement.

Saw this update in my Windows Update list recently:

http://support.microsoft.com/kb/2574819

As it stands right now, this is what it says (in part):

[image]

OK, so I started off feeling good about this – what’s not to like about the idea that DTLS, a security layer for UDP that works roughly akin to TLS / SSL for TCP, now can be made a part of Windows?

Sure, you could say “what about downstream versions”, but then again, there’s a point where a developer should say “upgrading has its privileges”. I don’t support Windows 3.1 any more, and I don’t feel bad about that.

No, the part I dislike is this one:

Note DTLS provides TLS functionalities that are based on the User Datagram Protocol (UDP) protocol. Because TLS is based on the Transmission Control Protocol (TCP) protocol, DTLS performs better than TLS.

Wow.

That’s just plain wrong. Actually, I’m not even sure it qualifies as wrong, and it’s quite frankly the sort of mis-statement and outright guff that made me start responding to networking posts in the first place, and which propelled me in the direction of eventually becoming an MVP.

Nerd

Yes, I was the nerdy guy complaining that there were already too many awful networking applications, and that promulgating stupid myths like “UDP performs better than TCP” or “the Nagle algorithm is slowing your app down, just disable it” causes there to be more of the same.

But I think that’s really the point – you actually do want nerds of that calibre writing your network applications, because network programming is not easy – it’s actually hard. As I have put it on a number of occasions, when you’re writing a program that works over a network, you’re only writing one half of the application (if that). The other half is written by someone else – and that person may have read a different RFC (or a different version of the protocol design), may have had a different interpretation of ambiguous (or even completely clear) sections, or could even be out to destroy your program, your data, your company, and anyone who ever trusted your application.

Surviving in those circumstances requires an understanding of the purity of good network code.

But surely UDP is faster?

Bicycle messengers are faster than the postal service, too. Fast isn’t always what you’re looking for. In the case comparing UDP and TCP, if it was just a matter of “UDP is faster than TCP”, all the world’s web sites would be running on some protocol other than HTTP, because HTTP is rooted in TCP. Why don’t they?

Because UDP repeats packets, loses packets, repeats packets, and first of all, re-orders packets. And when your web delivery over UDP protocol retransmits those lost packets, correctly orders packets, drops repeated packets, and thereby gives you the full web experience without glitches, it’s re-written large chunks of the TCP stack over UDP – and done so with worse performance.

Don’t get me wrong – UDP is useful in and of itself, just not for the same tasks TCP is useful for. UDP is great for streaming audio and video, because you’d rather drop frames or snippets of sound than wait for them to arrive later (as they would do with TCP requesting retransmission, say). If you can afford to lose a few packets here and there in the interest of timely delivery of those packets that do get through, your application protocol is ideally suited to UDP. If it’s more important to occasionally wait a little in order to get the whole stream, TCP will outperform UDP every time.
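An added example, not from the original post: a small Python simulation of the point above. The impaired_path function is a constructed stand-in for a network path (no real sockets are used), and all names are this example's own. The reliable receiver has to number, de-duplicate, re-order and re-request data, which is the part of TCP that ends up rebuilt on top of UDP.

```python
# Constructed payload: twenty numbered chunks of one "page".
CHUNKS = ["chunk-%02d" % i for i in range(20)]


def impaired_path(datagrams, round_no):
    """Constructed stand-in for a UDP path: loses, duplicates and re-orders."""
    out = []
    for i, dgram in enumerate(datagrams):
        if (i + round_no) % 4 == 0:
            continue                      # lost in transit
        out.append(dgram)
        if i % 5 == 0:
            out.append(dgram)             # delivered twice
    for j in range(0, len(out) - 1, 2):   # neighbours arrive swapped
        out[j], out[j + 1] = out[j + 1], out[j]
    return out


def streaming_receive(chunks):
    """Media-player style: one pass, play what is on time, never wait."""
    played, last = [], -1
    for seq, _payload in impaired_path(list(enumerate(chunks)), 1):
        if seq > last:                    # late or repeated datagrams are dropped
            played.append(seq)
            last = seq
    return played


class ReliableReceiver:
    """The parts of TCP a 'web over UDP' protocol ends up rebuilding."""

    def __init__(self, total):
        self.total = total
        self.next_seq = 0                 # next sequence number owed to the app
        self.buffer = {}                  # segments that arrived ahead of order
        self.delivered = []
        self.duplicates = 0

    def on_datagram(self, seq, payload):
        if seq < self.next_seq or seq in self.buffer:
            self.duplicates += 1          # repeated packet: drop it
            return
        self.buffer[seq] = payload
        while self.next_seq in self.buffer:   # release in-order data only
            self.delivered.append(self.buffer.pop(self.next_seq))
            self.next_seq += 1

    def missing(self):
        """Sequence numbers to ask the sender to retransmit."""
        return [s for s in range(self.next_seq, self.total) if s not in self.buffer]


def reliable_transfer(chunks):
    """Keep retransmitting whatever is missing until every chunk is delivered."""
    rx = ReliableReceiver(len(chunks))
    pending, rounds, sent = list(range(len(chunks))), 0, 0
    while pending:
        rounds += 1                       # each retransmission costs a round trip
        batch = [(seq, chunks[seq]) for seq in pending]
        sent += len(batch)
        for seq, payload in impaired_path(batch, rounds):
            rx.on_datagram(seq, payload)
        pending = rx.missing()
    return rx.delivered, rounds, sent, rx.duplicates


if __name__ == "__main__":
    print("streaming played:", streaming_receive(CHUNKS))
    data, rounds, sent, dups = reliable_transfer(CHUNKS)
    print("reliable complete:", data == CHUNKS, "rounds:", rounds,
          "datagrams sent:", sent, "duplicates dropped:", dups)
```

On this constructed path the streaming receiver finishes in a single pass with gaps in what it plays, while the reliable receiver needs three round trips and 26 datagrams to deliver all 20 chunks in order.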

In summary…

Never choose UDP over TCP because you heard it goes faster.

Choose UDP over TCP because you’d rather have packets dropped at random by the network layer than have them arrive any later than the absolute fastest they can get there.

Choose TCP over UDP because you’d rather have all the packets that were sent, in the order that they were sent, than get most / many / some of them earlier.

And whether you use TCP or UDP, you can now add TLS-style security protection.

I await the arrival of encrypted UDP traffic with some interest.

iCan’t sync with iTunes; iCan’t sync without iTunes…

OK, so that’s a horrible stretching of a song to cover a point, but it’s kind of the way I feel right now – torn between a rock and a hard place.

Some time ago now, I let you readers know that I’d won an iPad at the Black Hat security conference, and that I’d be trying it out to let you know what I thought.

First, let’s consider my usage case, and what I am comparing it against.

The iPad is, to my mind, a potential killer device for a few things I like to do:

  1. Watching movies and TV shows on the bus on my way to work
  2. Reading comics and books
  3. Using Twitter and Facebook to keep up with people around me
  4. Skype to my parents in England
  5. Surfing the web in places where my laptop is too bulky

In checking out these behaviours, I’m implicitly comparing them to not only my own Windows Phone 7, but also my wife’s Kindle Fire.

Movies and TV shows

In common with many people, I have a lengthy commute – at least 40 minutes each way of which is on a bus, so I can happily watch videos. My comparison device in this use case is my Windows Phone – an HTC HD7 (I’d link to it, but apparently it’s not being sold any more).

The iPad is bulkier, for certain, and I can hold my phone in one hand comfortably for some time. However, making up for this is the fact that the iPad is a larger display and therefore easier to see at a comfortable distance. But watching on the phone isn’t bad either.

Syncing to the iPad is accomplished through Apple’s piss-poor iTunes software (of which, more later), which seems to require that my videos be already in a suitable format for the iPad. Syncing to the HD7 requires the Zune software, which is configured by default to convert video and audio in the background without any further assistance from me.

Note that – Zune converts the videos to the right format automatically when necessary, the iTunes software simply shrugs its shoulders like a Frenchman and refuses to cope.

Because of this, I can sync to the HD7 from more sources, and more easily and automatically than to the iPad.

However, the winning step that the iPad has for me comes from a combination of its viewing size, and the fact that it can play the audio from my videos to my Bluetooth headset, something that the HD7 currently does not. I have to use a Bluetooth dongle on the HD7 to hear my videos – and that’s not right, when I already paid for a phone with Bluetooth support.

It’s worth noting, however, that because the iPad seems to pretend to be a phone, I can’t have the appropriate level of Bluetooth support, allowing incoming phone calls to pause my video and let me answer the phone.

So, a narrow win for the iPad there. But keep reading. [Add Bluetooth support for video watching, and the Windows Phone will easily surpass the iPad]

Reading comics and books

Killer app, no doubt – the size and colours make the iPad superior for reading comics. For other books, you can’t really beat a Kindle, because it’s the size and shape of a book. The iPad does seem to suffer in daylight as well, not that we get much of that around Seattle – but we clearly get enough for this to be a noticeable problem for me.

The Kindle Fire is a more subtle device than the iPad in this use as well, since it doesn’t take up as much space. The battery life, as well as the use of standard charging cables (read: I already have dozens of the things, as opposed to having to look for the one wonky, too short cable that came with the iPad) makes the convenience factor that much greater.

However, I’ve even read my comics on the Windows Phone. It’s not that bad a format, because the display is so high a resolution.

Winner: Kindle Fire. Of course, I would say that. But since the Fire has no Bluetooth audio, I can’t use it on the bus as comfortably for my videos.

Using Twitter and Facebook

The iPad is certainly convenient for this, with free Twitter and Facebook apps, as well as a web browser to use the online versions. The iPad’s desire to keep pushing text further and further to the right of the screen, in ever-decreasing strips of window, makes it incredibly difficult to read some items.

In comparison, while the Windows Phone does have a free Twitter and Facebook app, and access to the web, it doesn’t actually need any of these, because there are the “Me” and “People” tiles, through which you can read notices from all your social media sources (Twitter, Facebook, Linked-In, MSN Messenger in my case). This gives a more natural, integrated feel to the communication, and it feels more like I’m sharing with my friends than I’m using this or that app.

Winner: Windows Phone, hands down. [But it would be nice to have Bluetooth keyboard support]

Skype to the UK

OK, the iPad wins hands-down on this one. There’s a Skype app in beta for the Windows Phone, but my HD7 has only a rear-facing camera, and the Fire of course doesn’t have one.

Winner: iPad (but only because I have a 1st-gen Windows Phone)

Surfing the web

The iPad has no Flash support – but then nor does the Windows Phone.

The iPad uses a webkit-based browser, which comes with a fresh batch of security flaws once a month (as does iTunes). The Windows Phone comes with Internet Explorer – but without the same set of flaws that get patched in your regular Windows update. I strongly believe that the Windows Phone gives me the most secure browsing of any device that I have. But it is a little hard to read.

Winner: iPad

Sounds like we have a clear winner, then?

Yabbut no.

I got the iPad for free, so I have to bear in mind that for most people, they pay $500 to have it. It’s not that much better than the Windows Phone. I got the Windows Phone for practically free – one cent on Amazon Wireless, with a two year commitment. But then I was going to get a phone anyway, and the two year commitment is common for phones.

Irritations

As with every Apple product I have ever used, it seems like they skimped a little on the “fit and finish” of the software. This leads to small – but constant – irritations. There have been many times I’ve been tempted to throw it to the floor and stomp on it. So far, the iPad has survived largely because I know that if I want to get rid of it, there are numerous people who would happily take it from me. And then I settle down.

So, what are my irritations?

  1. User interface
  2. iTunes
  3. iTunes
  4. iTunes

User interface

There are some areas where it’s clear that the Apple design philosophy hasn’t been communicated well – even to writers of the native apps.

Delete an item

A clear example – how do you delete an item? In iBooks, you swipe to the right, which causes a delete button to appear. You press this button, and the item goes away. In Videos, you hold your finger on an item until a little “x” appears. You press the “x”, and are asked if you really want to delete the video. I guess videos are more important than books, that you have to be prompted.

I should say that this is how videos are supposed to be deleted. What actually happens is that you hold your finger on a video for a while. The “x” fails to appear, because you wiggled your finger a little (really common on a bus). So you let your finger up, and the video opens up. So you close it down again, and hold your finger on the video again. Now the “x” appears – albeit sometimes in a different place than you expect. So you press it. Damn, missed, because the bus must have hit a bump, so the “x” goes away. Bring it back! Bring it back! Okay, here it is again, so I can press it finally. And then I get asked if I’m sure. Am I sure? Am I sure? I’ve only spent the last ten minutes trying to get the damn “x” up on screen and hit it – of course I’m sure! And I remind myself not to throw the iPad to the floor and stomp on it.

Yes, I know about the “Edit” button, and that shortcuts one part of the process, but makes it more likely that you’ll accidentally delete the wrong video, because it puts an “x” above each one.

[A short note – the “x” appears in one of two places – either immediately on the top left corner, or a good half-inch above that. I can see no logic in why it does this.]

Detail view

In the Videos app, there are three kinds of video. “Movies”, “TV Shows”, and “iTunes U”. The “TV Shows” and “iTunes U” items all come from iTunes, so all the videos I put on my system end up in “Movies”, no matter what metadata I put on the file. Whereas I never metadata I didn’t like, iTunes clearly never metadata. For the iTunes U and TV Shows tabs, each item is listed with details – length, a title, and a description. This is great, although it would also be nice to see which ones I’m part-way through watching.

For the Movies tabs, however, there’s only two things showing – a thumbnail, which is the first frame of the movie (oh, and so often, that means it is plain black), and the curtailed title of the video. So, “Have I Got News for You: Series 42, Episode 5” is displayed as “Have I Got News for You:…” – as is every episode of every series of that show. Same thing for “The Sarah Jane Adventures…”, or “Who Do You Think You Are…” Yeah, the BBC could choose shorter titles, but the iPad could pay attention to the Subtitle field in the metadata for the episode information. Oh, yeah, that’s right, metadata is to be ignored.

And there’s no details on the video – no duration, no description, no indication of whether or not I’ve been watching this video file at all. I’d like to say “hey, this component of my bus ride is going to take another twenty-five minutes, so I’d like to watch something that length or shorter”.

Notifications – or scrubbing

When watching a video, you can ‘scrub’ through it by dragging a little slider at the top of the screen. Except when the slider is near the middle of the top of the screen, because then you’re going to actually be pulling down the notifications window. If anyone writing this software actually used an iPad, they’d be experiencing this frustration, and it would have been fixed by now.

Back, back, back – no, store!

To go backward in the user interface of an app, you click the button in the top left. Except that sometimes, the button in the top left takes you somewhere else, like the iTunes store.

Delete doesn’t actually free up space

You can delete videos all you like, bus joggling allowing, and when you’re done, your storage usage hasn’t gone down at all. There is no room for more videos. This one confused me for some time, until I remembered that you never actually close apps when you switch between them. The storage is released, not when you delete the movie, but when you close the app.

That would make sense, if you could actually undelete the movie while the videos app runs, but no. That doesn’t happen.

And on and on…

I could carry on, but I just get angrier and angrier. The difference between editing the list of apps you can run, versus editing the list of apps currently running, for instance. One is dismissed by a tap, the other requires that you hit the home button, and I can’t remember which one.

iTunes

So, the first complaint I have about iTunes is the one I have made from the beginning – it includes way too much, and it screws up my system way too badly. What do you get when you install iTunes?

Well, first you get a file called “iTunes64Setup.exe”. This installs iTunes into “C:\Program Files (x86)” – uh, yeah, that means the “64 bit” version of iTunes is actually all 32-bit. Then it tells you:

[image]

The wha?

What does iTunes have to do with Outlook? That’s crazy.

And then, what does it install? Only another four applications.

[image]

iTunes

When syncing videos to the iPad with the Windows version of iTunes, they are synced with at least one default setting not correctly set.

That’d be fine if it was an unimportant setting, but no. The setting is “resume from where I left off”. That means that every time I switch videos, or close the video application (see previous discussion of why I need to do this to recover storage), the video I want to watch starts again from scratch.

There is a simple fix to this – for every video I upload to the iPad, I have to go into iTunes, select the video, right-click it, select “Get Info”, open the “Options” tab, uncheck the box that says “Remember Playback Position” (or if I selected multiple videos, set to “No” the drop-down arrow labeled “Remember Position”), hit “OK” (there is no “Apply”), wait for this action to sync to the iPad, then right-click the video(s) again, select “Get Info”, open the “Options” tab, and then recheck the box (or set the drop-down box to “Yes”), hit “OK” and sync once again.

iTunes

For weeks I’ve been complaining that every USB device on my system has been unreliable – I have to plug and unplug simple USB flash drives a half dozen times before they finally get recognised in Explorer.

Then it finally dawned on me.

One device has been steadfastly reliable, always becoming active and ready to use within seconds of plugging it in. Yes, it’s the iPad.

Acting on this hunch, I removed iTunes, Apple Mobile Device Support, Apple Application Support, Apple Software Update, Bonjour, and even QuickTime (not sure how that got on there). Suddenly all my USB devices connect first time, every time. With the exception of the iPad, of course, which sulks if it doesn’t have iTunes (though the same charge can be leveled against my Windows Phone requiring Zune – although that hasn’t yet caused all my other USB devices to become unavailable).

Adding iTunes back in to the mix, strangely, has yet to reproduce the same unreliable behaviour. I strongly distrust software acting randomly.

If I could just drag my videos into a folder using Explorer without installing iTunes (since iTunes doesn’t actually properly do any of the other things that an intermediate program should do, such as converting video formats, extracting and using metadata, or setting the “resume from where you left off” option), I’d be happy without iTunes on my PC at all.

And other reasons…

There are other reasons not to like the iPad – it’s too trendy, for one; and it’s not really a $500 product. There are, as I point out above, too many areas where it’s clear that the developers have not finished the job.

I use the iPad simply because it’s free, and has a large display.

I’d far rather use a tablet that works in a more predictable and controlled manner, where the applications on the device and to sync the device have the flavour of being finished.

But I didn’t get one of those for free.

I got an iPad.

And I’m grateful.

Even if, once in a while, I want to dash it to the floor and stomp it into pieces.

Multiple CA0053 errors with Visual Studio 11 Beta

I hate it when the Internet doesn’t know the answer – and doesn’t even have the question – to a problem I’m experiencing.

Because it was released during the MVP Summit, I was able to download the Visual Studio 11 Beta and run it on a VS2010 project.

There’s no “conversion wizard”, which bodes well, because it suggests that I will be able to use this project in either environment (Visual Studio 2010 or the new VS11 beta) without any problems. And certainly, the project I selected to try worked just fine in Visual Studio 11 and when I switched back to Visual Studio 2010.

Unfortunately, one of the things that I noticed when building my project is that the code analysis phase crapped out with fourteen instances of the CA0053 error:

[image]

As you can see, this is all about being unable to load rule assemblies from the previous version of Visual Studio – and is more than likely related to me installing the x64 version of Visual Studio 11 Beta, which therefore can’t load the 32-bit (x86) DLLs from Visual Studio 2010.

Curiously this problem only exists on one of the projects in my multi-project solution, and of course I couldn’t find anywhere in the user interface to reset this path.

I thought for a moment I had hit on something when I checked the project’s options, and found the Code Analysis tab, but it didn’t seem to matter what I did to change the rule set, there was no place to select the path to that rule set.

Then I decided to go searching for the path in the source tree.

There it was, in the project’s “.csproj” file – two entries in the XML file, CodeAnalysisRuleSetDirectories and CodeAnalysisRuleDirectories. These consisted of the simple text:

<CodeAnalysisRuleSetDirectories>;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Static Analysis Tools\\Rule Sets</CodeAnalysisRuleSetDirectories>

<CodeAnalysisRuleDirectories>;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Static Analysis Tools\FxCop\\Rules</CodeAnalysisRuleDirectories>

As you can imagine, I wouldn’t normally suggest editing files by hand that the interface normally takes care of for you, but it’s clear that in this case, the interface wasn’t helping.

So, I just closed all currently open copies of Visual Studio (all versions), and edited the file in notepad. I kept the entries themselves, but deleted the paths:

<CodeAnalysisRuleSetDirectories></CodeAnalysisRuleSetDirectories>

<CodeAnalysisRuleDirectories></CodeAnalysisRuleDirectories>

Errors gone; problem solved.

You’re welcome, Internet.
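The same hand edit, scripted so it can be repeated across several projects. This is an added example in Python, not part of the original post or of Visual Studio; the `.bak` backup name and the sample fragment (including its `CodeAnalysisRuleSet` line) are this example's own choices.

```python
import re
import shutil
from pathlib import Path

# The two MSBuild properties named in the post.
RULE_PROPERTIES = (b"CodeAnalysisRuleSetDirectories", b"CodeAnalysisRuleDirectories")
PATTERN = re.compile(rb"<(" + b"|".join(RULE_PROPERTIES) + rb")>(.*?)</\1>", re.DOTALL)


def clear_rule_directories(data):
    """Blank both properties but keep the elements, as the post does by hand.

    Works on bytes so encoding, BOM and line endings stay untouched.
    Returns (new_data, removed); removed lists (property, old_value) pairs.
    """
    removed = []

    def blank(match):
        name, value = match.group(1), match.group(2)
        if value.strip():
            removed.append((name.decode(), value.decode("utf-8", "replace")))
        return b"<" + name + b"></" + name + b">"

    return PATTERN.sub(blank, data), removed


def fix_project(path):
    """Rewrite one .csproj in place (copy kept as <name>.bak); return removed pairs."""
    path = Path(path)
    new_data, removed = clear_rule_directories(path.read_bytes())
    if removed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_bytes(new_data)
    return removed


# Constructed sample: a .csproj fragment holding the two entries quoted in the post.
VS10 = b";C:\\Program Files (x86)\\Microsoft Visual Studio 10.0\\Team Tools\\Static Analysis Tools"
SAMPLE = (
    b"<PropertyGroup>\r\n"
    b"  <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>\r\n"
    b"  <CodeAnalysisRuleSetDirectories>" + VS10 + b"\\\\Rule Sets</CodeAnalysisRuleSetDirectories>\r\n"
    b"  <CodeAnalysisRuleDirectories>" + VS10 + b"\\FxCop\\\\Rules</CodeAnalysisRuleDirectories>\r\n"
    b"</PropertyGroup>\r\n"
)

if __name__ == "__main__":
    for name, value in clear_rule_directories(SAMPLE)[1]:
        print("cleared", name, "->", value)
```

As in the post, close every copy of Visual Studio before running `fix_project` on a real project file.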

In June: Happy Birthday to me–World IPv6 Launch Day

I’d like to thank ISOC (the Internet Society) for making my birthday later this year into World IPv6 Launch Day.

This year is a special one for anniversaries – my 45th birthday, 20 years since I arrived in the USA, 10 years since beating cancer – seems like the perfect time for ISOC to honour me by switching everyone to IPv6.

Now, if only I could persuade Comcast to deliver IPv6 to my house, where we are still using Hurricane Electric’s Tunnel Broker.

What else I did at Black Hat / DefCon–the Core DataMatrix Contest

Black Hat, and its associated sideshow, DefCon, consist of a number of different components. Training, Briefings, Exhibition and Contests all make up part of Black Hat, and DefCon is a looser collection of Workshops, Events, Parties, Talks, Villages, Contests and numerous other things besides(*).

Perhaps the thing that gave me the most fun this year was the contest that I entered at Black Hat and at DefCon. The contest was run by Core Labs, a part of Core Security Technologies, and featured the theme of reverse engineering.

Reverse Engineering is the skill of looking at someone else’s code – in source code or binary form – and figuring out what the code does, and more importantly, how best to make it do what you want. This often involves exceeding the original design specifications – which is perhaps the simplest and most inclusive definition of “hacking”.

In the DataMatrix contest, the code (or at least, a portion of it) is given to you in source form, in C#. You are told that this code is running as part of a server, and you are given access to the server in the form of two webcams and an output screen. The output screen displays a score sheet, the views from each webcam, and a ‘debug’ output window. I’ve lost the link to the Black Hat version of the code, but here’s the DefCon code.

The webcams are the only form of input to the server that is available to the contestants. Each contestant is given a DataMatrix containing their activation code. This is a bitmap (kind of like a two-dimensional barcode) with some “registration” values around the edge, and squares either black or white in the middle.

And that’s it – that’s all the help you get.

But then, that’s probably all the help you’ll need.

The first challenges

The first challenges are relatively easy. First, you activate your userid by showing the webcam your initial card, and then you see there’s a function called “process_activate” – that sounds like it’s the function that was used to activate your card.

It’s fairly simple to see that this must use the single byte command (in the “cmd” variable) “1”, along with your two byte userid and four byte password, to register you in the system as an active user. It also increases a user-specific value, “score”. To make this easy to understand, we’ll call this “scoring a point”.

Then you see a function “process_free” – from the code, this is clearly a free point. All you need is a command “10”, and your userid, to score a point.

Another function, “process_pieceofcake”, is almost as easy. Command 11, and your userid, plus another four bytes which are simply the two’s-complement of your userid. Easy. In fact, in the Black Hat version, this was even easier, if I remember correctly, but I don’t have the code handy.

“process_name” is clearly one to call early on, because it gets you the bragging rights of putting your own name in the high score table. Plus, it gives you five points more. Pretty good, huh? By now you should have eight points.
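A small model of the three message layouts described above (commands 1, 10 and 11), added here as an illustration in Python; it is not Core's C# server code, which is not reproduced on this page. The big-endian byte order, the 32-bit width of the two's-complement value, the "activate first, score once" rules and the sample user are assumptions of this example, and “process_name” is left out because the post gives neither its command code nor its layout.

```python
import struct

# Command codes quoted in the post. Byte order and field widths are assumed.
CMD_ACTIVATE, CMD_FREE, CMD_PIECEOFCAKE = 1, 10, 11
LAYOUTS = {
    CMD_ACTIVATE: struct.Struct(">BHI"),     # cmd, userid, 4-byte password
    CMD_FREE: struct.Struct(">BH"),          # cmd, userid
    CMD_PIECEOFCAKE: struct.Struct(">BHI"),  # cmd, userid, check value
}

def twos_complement32(value):
    """Return the 32-bit two's complement of value (assumed width)."""
    return (-value) & 0xFFFFFFFF

class ContestServer:
    """Hypothetical stand-in for the contest server: one card in, score updated."""

    def __init__(self, passwords):
        self.passwords = passwords  # userid -> password as a 32-bit int
        self.score = {}             # userid -> points, present once activated

    def process(self, payload):
        """Return True if the card scored a point, False if it was rejected."""
        layout = LAYOUTS.get(payload[0]) if payload else None
        if layout is None or len(payload) != layout.size:
            return False  # unknown command, or a short or padded card
        cmd, userid, *rest = layout.unpack(payload)
        if cmd == CMD_ACTIVATE:
            # Assumed: activation needs the right password and scores only once.
            if userid in self.score or self.passwords.get(userid) != rest[0]:
                return False
            self.score[userid] = 0
        elif userid not in self.score:  # assumed: other commands need activation
            return False
        elif cmd == CMD_PIECEOFCAKE and rest[0] != twos_complement32(userid):
            return False
        self.score[userid] += 1
        return True

def demo():
    """Run constructed cards for a made-up user 0x0102, password 0xCAFEF00D."""
    uid, server = 0x0102, ContestServer({0x0102: 0xCAFEF00D})
    cards = [
        struct.pack(">BHI", CMD_ACTIVATE, uid, 0xCAFEF00D),
        struct.pack(">BH", CMD_FREE, uid),
        struct.pack(">BHI", CMD_PIECEOFCAKE, uid, twos_complement32(uid)),
        struct.pack(">BHI", CMD_PIECEOFCAKE, uid, uid),  # wrong check value
    ]
    return [server.process(card) for card in cards], server.score[uid]
```

The first three cards score one point each and the fourth is rejected, which with the five points from “process_name” gives the eight mentioned above.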

Some more interesting challenges

“process_regalo” took my interest next, since it talks about a “gift_list”. Regalo is, apparently, Spanish for “gift”. This one’s strange, because the process has some activity even when the command code isn’t the code expected.

So, I took a look at what that path does. It checks four bytes for the user’s password, and if the “data_regalos” value for this user is less than 10, increments it, and then assigns an extra point to a randomly selected member of the gift list.

Having figured that out, I realised that the quicker I get on the gift list, the quicker I start racking up the points. So, I solved the little coding conundrum (did you figure that one out yourself?) in the other path of process_regalo, and added myself to the gift list.

Five times.

Yeah, five times – did you spot that in the code?

“process_fabe” and “process_fabe13” – those were a little harder. You have to not only crack an MD5 hash (not difficult, but hard), but in the “fabe13” case, figure out what the appropriate “encode” is for the “decode” function. [ROT13, if you didn’t get it]

“process_enqueue” – nasty, this one sends a message to an email address at mailinator.com that you have to figure out for yourself. I still haven’t figured it out. So, I also haven’t got the points from “process_claimMessage”.

“process_sync” was one function where I knew I had an advantage. It requires the use of a .NET Random function, and because I spend a fair amount of my development time in .NET, I knew that I could use my own system to figure out what times the sync function was expecting me at. Occasionally, the webcams weren’t reading my cards quickly enough, but that’s OK. I didn’t necessarily need a whole lot of those points.

Ladies and Gentlemen, we have a winner!

So, as you’ve probably guessed by now, using these functions I managed to rack up quite a number of points, and as it happened, I conquered the Black Hat competition. 60 points to me, 27 to my nearest opponent.

As a result of this, I am now the proud owner of an iPad. Yes, I know, all those things I’ve always said about Apple, and here I am, walking away from a competition with an iPad 2. The irony is almost unbearable. I’ll tell you later what I think of the iPad.

Then comes DefCon

DefCon started out much the same – I was streaking ahead of the competition, largely because the contest was better attended, and I’d already got my foot into the gift_list early on.

Then I saw the part of the server code that was new – it allowed you to write a limited form of program to execute on the server, that would randomly add points to your score. I entered that, and sure enough, I got a pile of points very quickly – about twice as many as I had at Black Hat.

I thought that meant I was going to win the prize.

Sadly, I hadn’t taken into consideration that this was DefCon. The people there are sometimes more devious (though there are also an awful lot of wannabes).

Sure enough, two of my competitors executed the portion of code that allowed them to dump out the list of executing code, as well as to remove the code sample I had submitted. That way, they could copy my code in order to give themselves points, and remove my ability to add points.

In a way, I almost felt like this was kind of cheating – what, they couldn’t write their own code? But, realistically, this was simply a part of the challenge – if I had been as good at reverse engineering as I felt I was, and a little less cocky, I would have spotted this functionality and taken advantage of the means with which to prevent it.

As it was, I came in third, and won a t-shirt. But the joy of winning the Black Hat contest is still something I’m proud of, and grateful to Core for letting me play their games.

NCSAM/2011–Post 3–Don’t share your passwords with other people

“Alice sends the message by encrypting it with Bob’s private key”

– from Microsoft Official Curriculum training material for Windows Server 2003.

Because of this one sentence, we know that Alice and Bob share a less-than-casual relationship, and could send secret messages to one another in pillow talk at night, without needing cryptography.

But seriously, sharing your passwords with other people is truly a bad idea.

Way back when, I was asked to find out who was causing the SQL Server to fail over to its secondary server. [Jargon translation: Something somewhat bad, but not fatal, was happening, and I had to find out who did it, so as to stop it from happening]

I found out who was causing it, and reported back: It’s this guy called “SQLAdmin”.

Yes, a shared account, with shared passwords. So the re-education camp trip was applied to the whole team.

Not really, but the team did have some questions to answer as a whole, where it would have been far easier to just address the one person responsible.

If things get more serious – an investigation into fraud, for instance – you don’t want to be put in the position of having to demonstrate that you aren’t actually the only one who uses your account, so that you can clear your name.

But what about convenience?

It honestly isn’t worth it. You may think it’s awfully clever to give your sec^H^H^Hexecutive assistant your password so that they can access your files, but it’s actually far easier just to open those files up for access, or have the IT department do it for you.

No, your password is yours and yours alone, with one shining exception that I’ll get to later this week.