I wouldn’t normally post a rant article on my blog – but iTunes – grrrrr. I really wish I wasn’t forced to use iTunes to sync my Outlook Contacts and Calendar with my iPhone 3GS.

For the last few days I’ve been unable to sync my Outlook 2007 Contacts with my iPhone – and it was driving me nuts.

I tried reinstalling iTunes 9.1, tried the Edit –> Preferences –> Devices – Reset Sync History option. I tried checking all my recurring dates in Outlook – since this was reported in the past as a problem.

In the end – the answer was to roll back to iTunes 9.03 – by doing the following.

As per http://support.apple.com/kb/HT1923 …

Use the Control Panel to uninstall iTunes and related software components in the following order:

1. iTunes
2. QuickTime
3. Apple Software Update
4. Apple Mobile Device Support
5. Bonjour
6. Apple Application Support (iTunes 9 or later)

I then deleted ALL of the Apple and Apple Computer folders in all of the user profiles – under

<UserName>\AppData\Local
<UserName>\AppData\LocalLow
<UserName>\AppData\Roaming

Reboot my Windows 7 PC – and then downloaded a copy of iTunes 9.0.3 from here… http://www.oldapps.com/itunes.php

Installed 9.03 - rebooted again – and presto – it worked.

You’ve wasted nearly a day of my time Apple – which is worth more to me than your phone and your terrible software.

When the desired death of a browser makes it into a full-page editorial of IEEE Spectrum – you know that the issue is finally starting to gain some traction. The tech blogosphere communities have been making plenty of noise about this for a while now. And I’d love someone to do an ‘economic’ impact analysis for IE6 – both in terms of development and security related incidents.

I think the Spectrum article (and the referring blog post from Digg) does a good job of describing the issues – corporate restrictions being high on the list of reasons that prevent a user from upgrading. That said I’d rank Microsoft’s failed Vista strategy which resulted in downgrade options to Windows XP being offered by manufacturers, along with the number of illegal and non-updating XP installations out there as just as large a contribution.

Despite my earlier and naïve attempt to ban IE6 from my site I’ve now successfully bared the browser using IE conditional comments – which is the only reliable way you can detect this version of IE (you can’t sniff for it reliably). I then display the following :-)

I’ve been an IEEE and Computer Society member for a couple of years now. Trying to keep up with the IEEE publications along with my RSS Reader and tech news has been a challenge – so I’m sure I’ve missed some good stuff along the way.

However, an article in the September 2009 edition of ‘Computer’ caught my eye: “Formal Versus Agile: Survival of the Fittest” by Sue Black, Paul P. Boca, Jonathan P. Bowan, Jason Gorman and Mike Hinchey.

It’s a great article with good history and an insightful assessment of the current ‘methodologies’ landscape. Unfortunately the article is only available to subscribers of ‘Computer’ at the moment. I hope it will be published more widely in the near future since I think it has a wide appeal.

The author’s comparison of RAD and Agile was particularly interesting – and the following statement about Agile practises is worth quoting…

Most teams purporting to be doing agile software development are not applying the level of technical rigor necessary to succeed at it. Most ‘agile’ teams have actually only adopted Scrum’s project-management practise and have failed to effectively adopt ‘the hard disciplines’ like test-driven development, refactoring, pair programming, simple design (writing the simplest code possible to satisfy the customer’s requirements), and continuous integration.

Their description of the major misconception that ‘Agile = Fast’ was also insightful (when it should be about being responsive to ‘change’).

A great read if you can get hold of it.

Thanks to this post at .Net Dojo, here’s a utility method for getting a safe value from an XElement, returning a default value if the element was not found.

public static T GetElementValue<T>(XElement parent, string elementId, T defaultValue) where T : IConvertible
{
    XElement element = parent.Element(elementId);
    if (element != null)           
        return (T)Convert.ChangeType(element.Value, typeof(T), CultureInfo.InvariantCulture);           
    else
        return defaultValue;   
}    

I’ve been using this combined with .Net 3.0 object initializers to re-hydrate objects from Xml with safe values, like…

var myClass = new MyClass() 
{ 
    Name = GetElementValue(parent, "Name", String.Empty),
    IsDefault = GetElementValue(parent, "IsDefault ", true),
    YearsLeft = GetElementValue(parent, "Yearsleft", 100)
}

Earlier I posted about a compression filter for ASP.NET MVC that was the product of two other posts on compression and QValues. I’ve also seen a couple of posts describing different approaches to creating syndication content via ASP.NET MVC – RSS or Atom feeds. Here are two suggestions – one at DeveloperZen and the other at Stack Overflow that both use an RssActionResult subclass of ActionResult.

What was missing was a 304 Not Modified filter – so that feeds that have not changed can return a 304 Not Modified HTTP Response - saving bandwidth and improving performance of the consumer.

Here’s my attempt at putting it all together using a custom NotModifiedFilter, the CompressionFilter and a SyndicationActionResult class.

First the NotModifiedFilter. This article at the Embarcadero Developer Network was very helpful (along with the W3C standard for 304 Not Modified).

Here’s the filter.

public class NotModifiedFilterAttribute : ActionFilterAttribute
{
    public override void OnResultExecuted(ResultExecutedContext filterContext)
    {
        var response = filterContext.HttpContext.Response;
        var request = filterContext.HttpContext.Request;           

        if ((IsSourceModified(request, response) == false))
        {
            response.SuppressContent = true;
            response.StatusCode = 304;
            response.StatusDescription = "Not Modified";
            // Explicitly set the Content-Length header so the client doesn't wait for
            // content but keeps the connection open for other requests
            response.AddHeader("Content-Length", "0");
        }
    }
}

And here’s the helper method that tests for modified content.

private static bool IsSourceModified(HttpRequestBase request, HttpResponseBase response)
{                  
    bool dateModified = false;
    bool eTagModified = false;

    string requestETagHeader = request.Headers["If-None-Match"] ?? string.Empty;
    string requestIfModifiedSinceHeader = request.Headers["If-Modified-Since"] ?? string.Empty;            
    DateTime requestIfModifiedSince;                    
    DateTime.TryParse(requestIfModifiedSinceHeader, out requestIfModifiedSince);
    
    string responseETagHeader = response.Headers["ETag"] ?? string.Empty;
    string responseLastModifiedHeader = response.Headers["Last-Modified"] ?? string.Empty;
    DateTime responseLastModified;
    DateTime.TryParse(responseLastModifiedHeader, out responseLastModified);

    if (requestIfModifiedSince != DateTime.MinValue && responseLastModified != DateTime.MinValue)
    {
        if (responseLastModified > requestIfModifiedSince)
        {
            TimeSpan diff = responseLastModified - requestIfModifiedSince;
            if (diff > TimeSpan.FromSeconds(1))
            {
                dateModified = true;
            }
        }
    }
    else
    {
        dateModified = true;
    }

    //Leave the default for eTagModified = false so that if we
    //don't get an ETag from the server we will rely on the fileDateModified only           
    if (String.IsNullOrEmpty(responseETagHeader) == false)
    {
        eTagModified = responseETagHeader.Equals(requestETagHeader, StringComparison.Ordinal) == false;
    }

    return (dateModified || eTagModified);    
}

And lastly – here’s my SyndicationActionResult class which uses a Func<FeedData> delegate to get the feed data – and so can be used for any type of feed – Rss, Atom, Sitemaps etc. (FeedData contains the feed content as well as the last modified date and the ETag). Not sure if I’m guilty of cargo cult programming here since I was a little unsure about setting the ‘Last-Modified’ header manually instead of using response.Cache.SetLastModified() method. However the latter was not showing up in the HttpContext of the OnResultExecuted method in the filter. Maybe the runtime moves this value into the headers collection later in the pipeline.

public class SyndicationActionResult : ActionResult
{
    public Func<FeedData> ActionDelegate { get; set; }
    
    public override void ExecuteResult(ControllerContext context)
    {
        if (ActionDelegate != null)
        {
            var response = context.HttpContext.Response;
            var data = ActionDelegate.Invoke() as FeedData;
            if (data != null)
            {
                response.ContentType = data.ContentType;
                response.AppendHeader("Cache-Control", "private");
                response.AppendHeader("Last-Modified", data.LastModifiedDate.ToString("r"));
                //response.Cache.SetLastModified(data.LastModifiedDate);
                response.AppendHeader("ETag", String.Format("\"{0}\"", data.ETag));
                response.Output.WriteLine(data.Content);
                response.StatusCode = 200;
                response.StatusDescription = "OK";
            }
        }
    }
}

Note that we write the content to the response.Output stream - however if the NotModifiedFilter tells us nothing has changed – then this will be suppressed – (although it is important that the ETag remains).

And very lastly - here's the Action in my SyndicationController class that puts it all together, and in this case – is used to provide the aggregate Atom feed on my home page at http://www.58bits.com.

[AcceptVerbs(HttpVerbs.Get)]
[NotModifiedFilter(Order = 1)]
[CompressFilter(Order = 2)]
public SyndicationActionResult SiteFeedAtom()
{
    return new SyndicationActionResult() { ActionDelegate = SyndicationHelper.GetAggregateAtomFeed };
}

As Scott sometimes says -  it may be  “poo”… or it maybe useful. At least it seems to be working ok for me, although suggestions on how any of it might be improved would be greatly appreciated.

UPDATE 12/07/2009 - As Shirley Boyle sang - "I dreamed a dream". The exercise below was great for learning how to use the IIS7 Url Rewrite Module - but there is a long list of user agents that contain the string "compatible; MSIE 6.0;" including the MSN spider and some transparent proxies. Internet Explorer 6 is the browser that refuses to die. :-(

ORIGINAL POST - This one took a little while to figure out along with a careful read of the reference docs for the IIS7 Url Rewrite Module. I was banging my head against the wall for a few minutes with {USER_AGENT} before reading the fine print… the HTTP prefix bit in particular.

All dash (“-”) symbols in the HTTP header name are converted to underscore symbols (“_”).
All letters in the HTTP header name are converted to capital case.
“HTTP_” prefix is added to the header name.
For example, in order to access the HTTP header “user-agent” from a rewrite rule, you can use the {HTTP_USER_AGENT} server variable.

And here’s the result…

<rule name="BlockIE6" stopProcessing="true">
  <match url=".*" />
  <conditions>
    <add input="{HTTP_USER_AGENT}" pattern="MSIE 6" />
    <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
    <add input="{URL}" negate="true" pattern="ie6" />
  </conditions>
  <action type="Redirect" url="ie6" redirectType="Permanent" />
</rule>

It’s really really important that you do two things: 1) Prevent the redirect from redirecting static content – like script files and style sheets, ala the {REQUEST_FILENAME} negative condition, and 2) You also check the Url to see if it’s the redirected Url – i.e. they’ve already been redirected – otherwise you’ll get an endless redirect loop. In this case I’m sending them to the url “ie6” which is an action on a route in ASP.Net MVC – displaying a download page with some ‘alternatives’ :-)

What will those crazy folks at Apple think of next?

Charles Petzold’s book, Applications = Code + Markup - received some critical press for not being very pretty. And it’s true that there’s a lot of text and code listings but (and as you’ll see below), he was methodical.

I recently wanted to upgrade a Windows Live Writer plug-in I’d written to use the Windows Presentation Framework (WPF) – instead of WinForms and a custom UI library.

However my first attempt to compile the application as a Class Library resulted in the following error…

“Library project file cannot specify ApplicationDefinition element”.

Thankfully I’d remembered the opening chapters of Charles’ book where he spent considerable time explaining the creation of the application class and initial window. The trick in this case is to remove the App.xaml file. You then need to create your own start-up class – like Program.cs – as shown below, and the application will compile fine as either a Windows Application or Class Library. In the example below extra parameters are passed to the constructor of the main window which is opened as a Dialog – and then checked for the DialogResult value when the window is closed.

public class Program : Application
{
    [STAThread]
    public static void Main()
    {
        var app = new Program();
        app.Run();
    }

    protected override void OnStartup(StartupEventArgs args)
    {
        base.OnStartup(args);

        var window = new PreCodeWindow(new PreCodeSettings(), PreCodeWindow.Mode.StandAlone);
        window.ShowDialog();
        if (window.DialogResult.HasValue && window.DialogResult.Value)
        {
            System.Diagnostics.Debug.WriteLine("OK");
            Clipboard.SetText(window.Code);
        }
        else
        {
            System.Diagnostics.Debug.WriteLine("Not OK");
        }        
    }
}

The downside to this approach is that you no longer have an application level location for placing resource dictionaries and other shared objects - and so these will need to be placed in each window as required.

Yet another great feature of IIS7  - declarative static content cache settings. It took a little detective work to find the settings for this feature – including a helpful post from Jörg Jooss.

I wanted to be able to set the client cache settings for the static content of a site I host at ORCS Web. In the past – unless offered by the control panel of your shared hosting provider – this would have meant emailing support and asking them to set the client cache header settings for the required directory in IIS6. In IIS7 this can be set now in the <system.webserver> section.

Note: If you’re going to try this on your local machine first, you will need to unlock the staticContent section in IIS7 (from the machine level) using the following appcmd…

appcmd unlock config /section:staticContent

You can also use appcmd to create the static content cache settings as shown in Jörg’s post above, which will add the correct section to your web.config – or you can directly edit/create the web.config file for the required directory.

I chose to hand edit the web.config – creating a new web.config located in the directory with the static content (i.e. images, style sheets, script files – all under the ‘assets’ directory in my case)

<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <staticContent>
      <clientCache cacheControlCustom="private" cacheControlMode="UseMaxAge" cacheControlMaxAge="3.00:00:00" />
    </staticContent>
  </system.webServer>
</configuration>

A couple of things to note about these settings. Firstly – you can add any custom cache control header setting using the cacheControlCustom attribute (e.g. no-store, must-revalidate, private, public etc). Secondly using the http 1.1 max-age setting – you can specify days – by using the 1.00 notation for the hours portion of the hh:mm:ss timespan value. So the setting above will set the max-age value to 3 days – or 259200 seconds when you see it in the response header.

Whew – well after a tough few months I’ve finally completed the coursework towards my masters degree in Information Security - taught by the Information Security Group (ISG) at Royal Holloway,  (via the University of London External System).

The online syllabus is available from the external system and the ISG also provides an overview of the programme here.

In addition to the syllabus and ISG’s introduction - I thought that a personal summary might be useful for those considering the programme.

As per the syllabus – there are four compulsory modules, two optional modules and a final project. A module is really a course, composed of roughly ten units, and lasts the full academic year – from October to the final exam in May.  Here’s a description of the compulsory modules (accurate as of 2008/09 academic year) along with my two chosen optional modules.

IC01 Security Management

This course addresses the major themes of security management, including people, processes and technology with particular emphasis on the role of policy in helping to shape an organisation’s security management strategy. The ISO 27000 series of standards (ISO 27001 and 27002 in particular) are covered in detail. COBIT, ITIL, ISF SOGP along with the DPA, RIPA, and relevant EU directives are examined. So too is the impact of industry specific regulations such as Sarbanes Oxley, Turnbull, Basel II, and HIPAA. Principles of risk assessment (quantitative/qualitative), compliance, audit, and management including excellent lectures from industry leaders help to round out what is probably the most important message of the course; namely the importance of creating organisational awareness and a culture of information security that includes all aspects of the business (and not just the technology). Some of the material on the course was a little dated but relevant nevertheless.  A ‘must read’ companion to this course is Bruce Schneier’s ‘Secrets and Lies.’

IC02 An Introduction to Cryptography and Security Mechanisms

This was a really great course in cryptography and security mechanisms. Pitched at just the right level for non-maths graduates the course explains the roles of all the major cryptographic primitives, including symmetric key cryptography (block and stream ciphers), hashes, message authentication codes, asymmetric (public) key cryptography and digital signatures. Historical algorithms along with well known algorithms like DES, AES, RSA, Diffie-Hellman and others are explained in detail (including worked examples of RSA modulus, public and private key calculations). The use of these primitives as mechanisms for providing higher level security services like data integrity, data origin authentication, entity authentication (unilateral and mutual authentication protocols) and non-repudiation is also explained in detail. If you can get a copy – you really should ready Stephen Levy’s book ‘Crypto - Secrecy and Privacy in the New Code War’ for a brilliant side-by-side narrative of everything that happened in the crypto world from 1975 onwards. It puts the course into perspective and explains exactly what was happening from the 70s to the 90s in the struggle between governments attempting to regulate crypto, and the commercial interests of the private sector. Simon Singh’s ‘The Code Book’ is also another great companion read.

IC03 Network Security

Also a great course on the fundamentals of network communications security including ISO 7498-2, as well as detailed analysis of network, transport, and application level security protocols (IPSec, SSL/TLS, SSH, Kerberos etc.) Other unit subjects included biometrics, email security, wireless networking, firewalls, GSM/UMTS security and an introduction to intrusion detection systems (IDS). One of the texts for this course is Douglas Comer’s brilliant book - 'Computer Networks and Internets (5th Edition)'.

IC03 Computer Security

A bit like IC02 above – there was some important history in this course in terms of the evolution of computer security, operating systems and formal security models including Bell Lapadula, Biba, Chinese Wall, and Clark-Wilson. For me at least – a real eye opener and it filled in a lot of important gaps – especially in terms of access control and some of the things I’d previously worked on in the areas of authorisation and workflow. Units on security in Pentium architecture, Unix/Linux, IBM z/OS and Windows helped to round off theory with real world and practical examples of applied computer security.

OPT5 Secure Electronic Commerce and Other Applications

I’d assumed (which turned out to be partially correct) that this course would be close to my comfort zone given my background in Web and e-commerce development. The course was ok – but I think could be structured better. It’s a pretty large subject (especially the ‘other applications’). The course’s primary objective is to link security specific methodologies to the traditional software development lifecycle as well as emphasise the different security approaches that might be required depending on the context of the application. Information flow analysis, threat modelling and application level risk assessment are covered in the opening units. The TETRA system is used as an initial case study, followed by units on Web application security, Web services security and an excellent unit on identity management. The final units introduce smart cards and the EMV standard. Lots of help from IC02 in this module as secure protocols are described in several units.

OPT12 Smart Cards/Tokens Security and Applications

This course was new to the distance learning programme this year (although taught at the ISG for several years). The accompanying text – ‘Smart Cards, Tokens, Security and Applications’ edited by two RHUL faculty members, Keith Mayes and Konstantinos Markantonakis – is a tour de force on all things in the smart card world. I’ll never look at my ‘chip and pin’ credit card the same way again. A really great course, benefiting hugely from being fresh and up-to-date. Topics included smart card production, smart card development, smart card for mobile communications (GMS/UMTS), banking and finance (EMV), RFID and contactless smart cards, smart cards in video broadcasting (DVB), an introduction to trusted platform modules (TCG/TPM), the Common Criteria (ISO 15408) for evaluation assurance, ID cards, e-passports and a fascinating unit on smart card attacks and countermeasures from Jacques Fournier at Gemalto.

In Summary

Looking back on the last two years, there were times when I wasn’t entirely sure how it was all going to fit together. With the benefit of hindsight I can clearly see the aims of the programme, and how the ISG has attempted to strike a balance between history, fundamentals, and applied techniques in information security.

The ISG has also put a lot of work into creating the distance learning version of this degree. They’ve experimented with multimedia and an online format which for the most part works well (although I still lean towards printed material and my trusty highlighter). Some of the material however (in particular a couple of the lectures in IC01) is starting to show its age and could do with a refresh – or at the least with a yearly update to the introduction for each module.

The course has totally changed the way I view the ‘information age’,  information security, and privacy (having now taken the ‘red pill’). I’m extremely glad I enrolled and looking forward to putting what I’ve learned into practise on future projects. Also looking forward to taking my time and working on my final project at a more relaxed pace over the next year or so.

To be continued…

Speechless really. I’m not often lost for words – but this presentation by Patrick Dixon of Siemens leaves me speechless. Thanks to RFIDs on the Brain from Boing Boing (and Douglas Rushkoff via ‘Joe’).