Thursday, June 25, 2009
Thursday, June 25, 2009 1:17:09 PM (SE Asia Standard Time, UTC+07:00) (C# | WPF)

Charles Petzold’s book, Applications = Code + Markup, received some critical press for not being very pretty. It’s true that there’s a lot of text and a lot of code listings, but (as you’ll see below) he was methodical.

I recently wanted to upgrade a Windows Live Writer plug-in I’d written to use the Windows Presentation Foundation (WPF) instead of WinForms and a custom UI library.

However, my first attempt to compile the application as a Class Library resulted in the following error…

“Library project file cannot specify ApplicationDefinition element”.

Thankfully I remembered the opening chapters of Charles’ book, where he spent considerable time explaining the creation of the application class and initial window. The trick in this case is to remove the App.xaml file. You then need to create your own start-up class – like Program.cs – as shown below, and the application will compile fine as either a Windows Application or a Class Library. In the example below, extra parameters are passed to the constructor of the main window, which is opened as a dialog, and the DialogResult value is checked when the window is closed.

using System;
using System.Windows;

// Replaces App.xaml: a plain Application subclass with its own entry point,
// so the project builds as either a Windows Application or a Class Library.
public class Program : Application
{
    [STAThread]
    public static void Main()
    {
        var app = new Program();
        app.Run();
    }

    protected override void OnStartup(StartupEventArgs args)
    {
        base.OnStartup(args);

        // PreCodeWindow and PreCodeSettings are the plug-in's own classes; the extra
        // constructor arguments are the settings and the mode the window runs in.
        var window = new PreCodeWindow(new PreCodeSettings(), PreCodeWindow.Mode.StandAlone);
        window.ShowDialog();

        // DialogResult is a bool?; true means the user accepted the dialog.
        if (window.DialogResult.HasValue && window.DialogResult.Value)
        {
            System.Diagnostics.Debug.WriteLine("OK");
            Clipboard.SetText(window.Code);
        }
        else
        {
            System.Diagnostics.Debug.WriteLine("Not OK");
        }
    }
}

The downside to this approach is that you no longer have an application-level location for resource dictionaries and other shared objects, so these will need to be placed in each window as required.



Saturday, June 13, 2009
Saturday, June 13, 2009 7:58:35 AM (SE Asia Standard Time, UTC+07:00) (ASP.Net | Enterprise)

Yet another great feature of IIS7 – declarative static content cache settings. It took a little detective work to find the settings for this feature, including a helpful post from Jörg Jooss.

I wanted to be able to set the client cache settings for the static content of a site I host at ORCS Web. In the past – unless offered by the control panel of your shared hosting provider – this would have meant emailing support and asking them to set the client cache headers for the required directory in IIS6. In IIS7 this can now be set in the <system.webServer> section of web.config.

Note: If you’re going to try this on your local machine first, you will need to unlock the staticContent section in IIS7 (at the machine level) using the following appcmd…

appcmd unlock config /section:staticContent

You can also use appcmd to create the static content cache settings as shown in Jörg’s post above, which will add the correct section to your web.config – or you can directly edit/create the web.config file for the required directory.

I chose to hand-edit the web.config – creating a new web.config in the directory with the static content (i.e. images, style sheets and script files – all under the ‘assets’ directory in my case):

<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <staticContent>
      <clientCache cacheControlCustom="private" cacheControlMode="UseMaxAge" cacheControlMaxAge="3.00:00:00" />
    </staticContent>
  </system.webServer>
</configuration>

A couple of things to note about these settings. Firstly, you can add any custom Cache-Control directive using the cacheControlCustom attribute (e.g. no-store, must-revalidate, private, public, etc.). Secondly, when using the HTTP 1.1 max-age setting you can specify days by prefixing the hours portion of the hh:mm:ss TimeSpan value with a day count and a dot (the 1.00 notation, i.e. d.hh:mm:ss). So the setting above sets max-age to 3 days – 259200 seconds when you see it in the response header.
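An added check (example code, not part of this post or of IIS): it reads the clientCache element from the web.config above, converts the d.hh:mm:ss TimeSpan into the max-age seconds, and compares that with a Cache-Control header captured from a response, so you can confirm the host really returns what the config asks for. Only cacheControlMode="UseMaxAge" is handled, the sample header is constructed, and no particular directive order from IIS is assumed.

```python
import xml.etree.ElementTree as ET

# The web.config fragment from the post, embedded here as sample input.
WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <staticContent>
      <clientCache cacheControlCustom="private" cacheControlMode="UseMaxAge" cacheControlMaxAge="3.00:00:00" />
    </staticContent>
  </system.webServer>
</configuration>"""


def timespan_seconds(value):
    """Convert a .NET TimeSpan string ('d.hh:mm:ss' or 'hh:mm:ss') to whole seconds."""
    hours_part, minutes, seconds = value.split(":")
    # 'd.hh' -> ('d', '.', 'hh'); plain 'hh' -> ('', '', 'hh')
    days, _, hours = hours_part.rpartition(".")
    return ((int(days or 0) * 24 + int(hours)) * 60 + int(minutes)) * 60 + int(float(seconds))


def expected_directives(config_xml):
    """Read <clientCache> and return the Cache-Control directives IIS should emit.

    Only cacheControlMode="UseMaxAge" is handled, as in the post. The custom
    directives are split on commas so 'public, must-revalidate' also works.
    """
    node = next(ET.fromstring(config_xml).iter("clientCache"), None)
    if node is None or node.get("cacheControlMode") != "UseMaxAge":
        raise ValueError("expected a <clientCache cacheControlMode='UseMaxAge'> element")
    directives = {"max-age": str(timespan_seconds(node.get("cacheControlMaxAge")))}
    for custom in (node.get("cacheControlCustom") or "").split(","):
        if custom.strip():
            directives[custom.strip().lower()] = None   # flag directive, no value
    return directives


def parse_cache_control(header):
    """Split a Cache-Control header value into {directive: value-or-None}."""
    result = {}
    for token in header.split(","):
        name, _, value = token.strip().partition("=")
        if name:
            result[name.strip().lower()] = value.strip().strip('"') or None
    return result


def check_cache_control(response_header, config_xml=WEB_CONFIG):
    """Return a list of mismatches between the observed header and the config.

    An empty list means the host is serving the directives the web.config asks for.
    """
    expected = expected_directives(config_xml)
    observed = parse_cache_control(response_header)
    problems = []
    for name, value in expected.items():
        if name not in observed:
            problems.append("missing directive: " + name)
        elif value is not None and observed[name] != value:
            problems.append("%s is %s, expected %s" % (name, observed[name], value))
    return problems


if __name__ == "__main__":
    # Constructed sample of what a response header should look like for this config.
    print(check_cache_control("private, max-age=259200"))   # []
```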



Tuesday, June 02, 2009
Tuesday, June 02, 2009 10:51:41 PM (SE Asia Standard Time, UTC+07:00) (General)

A little experimenting with Microsoft’s new search engine Bing – and I’m sold.

Even TechCrunch thinks it’s a hit.

What’s more – it comes in four different flavours!

When was the last time you searched and felt refreshed and relaxed too! Not even Google can compete with this one. Google in a bottle? Refreshing Google? Not even close...

Have a Bing today…. :-)

NOTE: Not kidding about the ‘fast’ part. Don’t know what’s up with Google over the past few months – both their regular search page and access to features such as analytics and webmaster tools are crawling. Bing – so far at least – has been super quick.



Wednesday, May 20, 2009
Wednesday, May 20, 2009 9:52:54 AM (SE Asia Standard Time, UTC+07:00) (General | Security)

Whew – well, after a tough few months I’ve finally completed the coursework towards my master’s degree in Information Security, taught by the Information Security Group (ISG) at Royal Holloway (via the University of London External System).

The online syllabus is available from the external system and the ISG also provides an overview of the programme here.

In addition to the syllabus and ISG’s introduction - I thought that a personal summary might be useful for those considering the programme.

As per the syllabus, there are four compulsory modules, two optional modules and a final project. A module is really a course, composed of roughly ten units, and lasts the full academic year – from October to the final exam in May. Here’s a description of the compulsory modules (accurate as of the 2008/09 academic year) along with my two chosen optional modules.

IC01 Security Management

This course addresses the major themes of security management, including people, processes and technology, with particular emphasis on the role of policy in helping to shape an organisation’s security management strategy. The ISO 27000 series of standards (ISO 27001 and 27002 in particular) are covered in detail. COBIT, ITIL and the ISF SOGP, along with the DPA, RIPA and relevant EU directives, are examined. So too is the impact of industry-specific regulations such as Sarbanes-Oxley, Turnbull, Basel II and HIPAA. Principles of risk assessment (quantitative/qualitative), compliance, audit and management, including excellent lectures from industry leaders, help to round out what is probably the most important message of the course; namely the importance of creating organisational awareness and a culture of information security that includes all aspects of the business (and not just the technology). Some of the material on the course was a little dated but relevant nevertheless. A ‘must read’ companion to this course is Bruce Schneier’s ‘Secrets and Lies’.

IC02 An Introduction to Cryptography and Security Mechanisms

This was a really great course in cryptography and security mechanisms. Pitched at just the right level for non-maths graduates, the course explains the roles of all the major cryptographic primitives, including symmetric key cryptography (block and stream ciphers), hashes, message authentication codes, asymmetric (public) key cryptography and digital signatures. Historical algorithms along with well-known algorithms like DES, AES, RSA, Diffie-Hellman and others are explained in detail (including worked examples of RSA modulus, public and private key calculations). The use of these primitives as mechanisms for providing higher-level security services like data integrity, data origin authentication, entity authentication (unilateral and mutual authentication protocols) and non-repudiation is also explained in detail. If you can get a copy, you really should read Steven Levy’s book ‘Crypto – Secrecy and Privacy in the New Code War’ for a brilliant side-by-side narrative of everything that happened in the crypto world from 1975 onwards. It puts the course into perspective and explains exactly what was happening from the 70s to the 90s in the struggle between governments attempting to regulate crypto and the commercial interests of the private sector. Simon Singh’s ‘The Code Book’ is another great companion read.

IC03 Network Security

Also a great course on the fundamentals of network communications security, including ISO 7498-2, as well as detailed analysis of network, transport and application level security protocols (IPSec, SSL/TLS, SSH, Kerberos, etc.). Other unit subjects included biometrics, email security, wireless networking, firewalls, GSM/UMTS security and an introduction to intrusion detection systems (IDS). One of the texts for this course is Douglas Comer’s brilliant book ‘Computer Networks and Internets (5th Edition)’.

IC04 Computer Security

A bit like IC02 above, there was some important history in this course in terms of the evolution of computer security, operating systems and formal security models, including Bell-LaPadula, Biba, Chinese Wall and Clark-Wilson. For me at least, a real eye-opener: it filled in a lot of important gaps, especially in terms of access control and some of the things I’d previously worked on in the areas of authorisation and workflow. Units on security in the Pentium architecture, Unix/Linux, IBM z/OS and Windows helped to round off the theory with real-world and practical examples of applied computer security.

OPT5 Secure Electronic Commerce and Other Applications

I’d assumed (which turned out to be partially correct) that this course would be close to my comfort zone given my background in Web and e-commerce development. The course was OK, but I think it could be structured better. It’s a pretty large subject (especially the ‘other applications’). The course’s primary objective is to link security-specific methodologies to the traditional software development lifecycle, as well as to emphasise the different security approaches that might be required depending on the context of the application. Information flow analysis, threat modelling and application-level risk assessment are covered in the opening units. The TETRA system is used as an initial case study, followed by units on Web application security, Web services security and an excellent unit on identity management. The final units introduce smart cards and the EMV standard. IC02 helps a lot in this module, as secure protocols are described in several units.

OPT12 Smart Cards/Tokens Security and Applications

This course was new to the distance learning programme this year (although taught at the ISG for several years). The accompanying text – ‘Smart Cards, Tokens, Security and Applications’, edited by two RHUL faculty members, Keith Mayes and Konstantinos Markantonakis – is a tour de force on all things in the smart card world. I’ll never look at my ‘chip and pin’ credit card the same way again. A really great course, benefiting hugely from being fresh and up-to-date. Topics included smart card production, smart card development, smart cards for mobile communications (GSM/UMTS), banking and finance (EMV), RFID and contactless smart cards, smart cards in video broadcasting (DVB), an introduction to trusted platform modules (TCG/TPM), the Common Criteria (ISO 15408) for evaluation assurance, ID cards, e-passports and a fascinating unit on smart card attacks and countermeasures from Jacques Fournier at Gemalto.

In Summary

Looking back on the last two years, there were times when I wasn’t entirely sure how it was all going to fit together. With the benefit of hindsight I can clearly see the aims of the programme, and how the ISG has attempted to strike a balance between history, fundamentals, and applied techniques in information security.

The ISG has also put a lot of work into creating the distance learning version of this degree. They’ve experimented with multimedia and an online format which for the most part works well (although I still lean towards printed material and my trusty highlighter). Some of the material however (in particular a couple of the lectures in IC01) is starting to show its age and could do with a refresh – or at the least with a yearly update to the introduction for each module.

The course has totally changed the way I view the ‘information age’, information security and privacy (having now taken the ‘red pill’). I’m extremely glad I enrolled and am looking forward to putting what I’ve learned into practice on future projects. I’m also looking forward to taking my time and working on my final project at a more relaxed pace over the next year or so.

To be continued…



Thursday, May 14, 2009
Thursday, May 14, 2009 12:55:27 PM (SE Asia Standard Time, UTC+07:00) ()

Well, I figured that since the RC was generally available I’d test the upgrade process from Windows Vista to Windows 7. I chose my ThinkPad T61p as the victim. This is my fully loaded portable dev environment, including BitLocker-encrypted volumes, and I was a little sceptical at first. A new OS usually means re-paving the machine, but I thought I’d try the upgrade and see how it went.

Get Ready

After a complete system backup to a removable drive I launched the setup program from the DVD – from within Vista (not via a booted DVD). Windows 7 setup reported MagicISO, LifeCam, and Skype as software that might not work after the upgrade – so I uninstalled these first. BitLocker had to be disabled as well (not volume decrypted – just disabled). SQL Server 2005 was also on the list of ‘might not work’ after upgrade, but I decided to try upgrading to SQL 2008 Developer Edition afterwards.

Make Yourself a Coffee

First word of advice – make yourself a coffee – grab some donuts too – and find something to read, or watch. The upgrade took over three hours to complete. The ‘Gathering files, settings, and programs’ stage took over an hour alone. At 18% of ‘Expanding Windows files’ – the PC rebooted and continued to expand files – but not before 30 minutes of ‘Gathering additional information before expanding files…’

Transferring files, settings and programs – 1,138,187 files, settings, and programs to be exact – took another hour (and two reboots).

Incredibly – it worked!

First Impressions

I’ve not been following the Windows 7 story that closely, but most of the reviews report performance improvements, and I like the new task bar and general UI improvements a lot. It will be interesting to see how it goes over the next few days of general use and abuse. A couple of noticeable changes though: disabling Windows Search also removes the search function from the start menu – it didn’t use to. Also Superfetch, which was on my list of disk-thrashing culprits, is enabled by default, so I’ve turned this off again (the I/O at start-up because of Superfetch was horrendous in Vista – I will have to experiment to see if it’s any better in Windows 7).

UPDATE: If you’ve upgraded from Vista as I have – and have previously installed a LifeCam VX-700 – uninstall the LifeCam software before the upgrade and be sure to delete the following file as well C:\Windows\inf\OEM16.INF (check that this is the LifeCam driver inf file) – otherwise the installation of the LifeCam will fail in Windows 7 when it finds the previous LifeCam inf file.

More soon…



Sunday, May 10, 2009
Sunday, May 10, 2009 11:59:20 AM (SE Asia Standard Time, UTC+07:00) (General | Security)

Speechless really. I’m not often lost for words – but this presentation by Patrick Dixon of Siemens leaves me speechless. Thanks to RFIDs on the Brain from Boing Boing (and Douglas Rushkoff via ‘Joe’).



Sunday, May 03, 2009
Sunday, May 03, 2009 4:17:21 AM (SE Asia Standard Time, UTC+07:00) (ASP.Net | C#)

I’d previously created a compression processor for dynamic content, using this excellent post on QValues by Dave Transom. I also just discovered this post on creating an action filter for compression by Kazi Manzur Rashid.

Combining the two, we have:

using System.IO.Compression;
using System.Web;
using System.Web.Mvc;
// QValueList and QValue come from Dave Transom's post linked above (namespace assumed).

public class CompressFilter : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;

        // load encodings from header
        QValueList encodings = new QValueList(request.Headers["Accept-Encoding"]);

        // get the types we can handle, can be accepted and in the defined client preference
        QValue preferred = encodings.FindPreferred("gzip", "deflate", "identity");

        // if none of the preferred values were found, but the
        // client can accept wildcard encodings, we'll default
        // to Gzip (unless the client listed gzip explicitly, e.g. with q=0).
        if (preferred.IsEmpty && encodings.AcceptWildcard && encodings.Find("gzip").IsEmpty)
        {
            preferred = new QValue("gzip");
        }

        HttpResponseBase response = filterContext.HttpContext.Response;

        // the body now depends on the request's Accept-Encoding, so tell caches
        // not to hand a compressed copy to a client that did not ask for one
        response.AppendHeader("Vary", "Accept-Encoding");

        // handle the preferred encoding
        switch (preferred.Name)
        {
            case "gzip":
                response.AppendHeader("Content-Encoding", "gzip");
                response.Filter = new GZipStream(response.Filter, CompressionMode.Compress);
                break;

            case "deflate":
                response.AppendHeader("Content-Encoding", "deflate");
                response.Filter = new DeflateStream(response.Filter, CompressionMode.Compress);
                break;

            case "identity":
            default:
                // no compression
                break;
        }
    }
}

When applied to any action method as below, this enables compression if the browser supports it.

[AcceptVerbs(HttpVerbs.Get)]
[CompressFilter]
public ContentResult SiteMap()
{
    return new ContentResult
               {
                   Content = SyndicationHelper.GetAggregateSiteMap(),
                   ContentType = "application/xml; charset=UTF-8"
               };
}

Download here: QValueAndCompressionFilter.zip
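The negotiation the filter delegates to QValueList, as an added example in Python (not code from this post or from Dave Transom’s library): it parses the Accept-Encoding q-values, applies the same server preference order (gzip, deflate, identity) and the same wildcard fallback, and generalises that fallback to the first candidate the client has not refused with q=0 rather than to gzip only.

```python
# Server-side preference order, as in the filter's FindPreferred() call.
SERVER_PREFERENCE = ("gzip", "deflate", "identity")


def parse_accept_encoding(header):
    """Return {coding: q} from an Accept-Encoding header (RFC 2616 section 14.3).

    Codings are lower-cased, a missing q defaults to 1.0, a malformed q counts
    as 0 (not acceptable), and a missing or empty header yields {}.
    """
    qvalues = {}
    for item in (header or "").split(","):
        item = item.strip()
        if not item:
            continue
        name, _, params = item.partition(";")
        q = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(value.strip())
                except ValueError:
                    q = 0.0
        qvalues[name.strip().lower()] = max(0.0, min(q, 1.0))
    return qvalues


def negotiate_encoding(header, candidates=SERVER_PREFERENCE):
    """Pick the content-coding the filter would apply for this request.

    1. Among candidates the client listed explicitly with q > 0, take the
       highest q; ties go to the server's preference order.
    2. Otherwise, if the client sent '*' with q > 0, take the first candidate
       the client did not explicitly refuse (q = 0).  The C# filter only falls
       back to gzip here; this generalises to the whole candidate list.
    3. Otherwise fall back to identity (no compression), which is implicitly
       acceptable unless refused by 'identity;q=0' or '*;q=0'; if it is
       refused, nothing is acceptable and None is returned.
    """
    qvalues = parse_accept_encoding(header)
    explicit = [(qvalues[c], -i, c) for i, c in enumerate(candidates)
                if c in qvalues and qvalues[c] > 0]
    if explicit:
        return max(explicit)[2]
    if qvalues.get("*", 0) > 0:
        for c in candidates:
            if qvalues.get(c, 1) > 0:   # unlisted candidates are covered by '*'
                return c
    if qvalues.get("identity", qvalues.get("*", 1)) > 0:
        return "identity"
    return None


if __name__ == "__main__":
    # Constructed sample headers, as a browser or proxy might send them.
    for sample in ("gzip, deflate", "deflate;q=0.9, gzip;q=0.5", "*", "*, gzip;q=0", ""):
        print(repr(sample), "->", negotiate_encoding(sample))
```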



Saturday, April 11, 2009
Saturday, April 11, 2009 12:36:49 AM (SE Asia Standard Time, UTC+07:00) (Other Tech | Security)

This is weird – I was looking at some of the reports in the Google Webmaster Tools I use, and there were a lot (several hundred) of Web crawl ‘404 Not Found’ errors. Google reports that its spider was failing to find pages that I’ve never published, whose URLs contain parameter values incrementing over a range – 692 to 708 in the snapshot below.

[Screenshot: Webmaster Tools Web crawl error report]



Wednesday, April 08, 2009
Wednesday, April 08, 2009 8:09:20 PM (SE Asia Standard Time, UTC+07:00) (ASP.Net | Other Tech)

Trying to find a good ASP.Net web hosting company that strikes the balance I need between cost and features turned out to be harder than I thought.

I recently signed up with Discount ASP.Net – and you know what – for just ten dollars a month – they offer excellent value for money, great support, a good in-house control panel and good bandwidth. They’ve kept their setup very simple and standard – with just one type of account (Computer security design principle number three – assurance vs. complexity).

On a single account you have one root site – one domain – and as many additional domains pointing to that ‘same’ root content as you like. You cannot point domain names to subdirectories, so you’ll need to do the URL rewriting yourself if you want another domain name pointing to different content.

But then I discovered their ‘standard’ application pool recycle settings, which are: 1) You are idle for twenty minutes, 2) the worker process exceeds a 200MB working set, or 3) CPU utilization exceeds 70% for more than 3 minutes. To be honest these are all more than adequate for a single site, blog, or the standard five page company website. But dasBlog is a little memory hungry, and with two blogs and a photo gallery – my app pool was doing flip-flops many times a day.

So I searched and searched, and was generally unimpressed with the list of hosting companies ranked by some of the review sites. Sites were either unprofessional, or there were enough mixed reviews to put me off. Others were just too vague about what was in the package, and others were not on W2K8/IIS7 yet (and I need IIS7).

So it came down to ORCS Web Hosting, who are in a Peak 10 data centre, and Server Intellect, who are in a data centre located in the Infomart Hotel in Dallas – now a part of DCI Technology Holdings.

Server Intellect truly impressed me with their pre-sales support and they were super keen to get the business (even if it was just me). And their Tier 2 plan allows for multiple wwwroot directories and domain names – which is sweet. However not yet having a shared plan on W2K8/IIS7, combined with a personal recommendation for ORCS Web Hosting from this guy, swung me towards ORCS Web.

ORCS Web Platinum Shared Hosting is not that different from the Discount ASP.Net setup in so far as you get a single root site and unlimited additional domain and mail aliases, but that’s where the similarities end. The app pool has no idle time limit, no CPU limit, and an 800MB working set threshold. Data transfer allowance is 100 GB/month – and the site is in a data centre with fat pipes from…

...multiple Tier-1 Internet carriers with multiple fully-lit OCx connections.

…served in part by Level 3 Communications.

So that’s where I am now… although – it was a bumpy start. ORCS appear to have built, or had built, a new control panel which was err… buggy. Support was fine though and we got the wrinkles ironed out.

So ORCS Web hosting is my new home in cyberspace for the moment; nice view, plenty of room, and fast – I will be here until the clouds come along :-)



Monday, March 30, 2009
Monday, March 30, 2009 12:45:22 PM (SE Asia Standard Time, UTC+07:00) (C# | Utilities)

Alex Gorbatchev has done a great job with version 2.0 of his excellent JavaScript SyntaxHighlighter. And I’ve just updated my code snippet plugin for Windows Live Writer with SyntaxHighlighter 2.0 support, as well as a new desktop application, useful for pasting code snippets into other apps like stackoverflow.com (CTRL-A to select all, then >> to indent four spaces before pasting into stackoverflow).

The updated plugin is at http://www.codeplex.com/precode



