Author Archives: Tobint

South Carolina Business One Stop (SCBOS) news

A project my company designed, managed, and mostly developed was in the news over the weekend. The article doesn’t mention TiBA Solutions at all, but in fairness, they don’t mention the other players that participated in design review or some components of the development phase either. Its been a stressful project, but fairly rewarding. We implemented Wilson master pages since ASP.NET 2.0 was not available yet. We heavily relied on remoting and implemented a quasi-SOA architecture. (SOA purists are yelling at me right now, I’m sure). We’ve implemented a layered security model that is fairly adept at providing both proactive and reactive security measures.

Of course, as any good architect or developer should do, we’ve noted any mistakes in our design or development phases so we can improve on our next version. We’ve already hit the (re)drawing board on several components and I look forward to the next itteration!

Posted in: release / Tagged: ,

Pro .NET 1.1 Remoting, Reflection and Threading

I received 10 shiny copies of my new book that is now available at BarnesAndNoble.com (or amazon.com if you really must buy through them). Its a pretty interesting mix of technologies from .NET that helps bring a novice programmer up to date. While I’m much more of a C# programmer these days, based on my VB background this book was necessary. My reasoning can be found on the back cover of the book:

“Dear Reader,

Rapid Application Development has long been the purpose and strong point of a Visual Basic Developer. In the past VB versions, we had to solve more complex problems than the language designers ever intended. Of course, this fed the flames of those language elitists that said VB was an inferior language. With the introduction of .NET, many VB developers were overwhelmed with the task of learning programming in the object-oriented paradigm that was, perhaps, completely new to them; couple that with learning the .NET libraries, the CLR, and changes in the language we had been using for years, and many developers initially found it hard to shoulder the burden.

Coming from a VB background, I see firsthand how many developers barely have the time to grasp these concepts, let alone the additional intricacies of some of the more powerful features newly available to VB developers in the .NET world. Those powerful topics, as the book title suggests, are Remoting, Reflection and Threading. This book is compiled to help VB developers reinvigorate their learning by adding these powerful new skills to their tool belts. The topics in this book can help you take a standard application from satisfactory to out-standing. By adding background processing through threading, scalability with remoting, and extensibility with reflection, you can give your applications a uniquely professional touch. The details in this book will show you how to add these powerful features to your applications and will prepare you to compete head to head with other language developers.”

Anyway, I’m excited because this is my first hard cover book. Bill has already had his say on that topic. Donbt worry Bill, Ibm writing another book now in my spare time that will probably be written on tissue paper and covered with newspaper and finger-paint.

Posted in: resources / Tagged: , , , , , , ,

Friends Don’t Let Friends Use Wireless

It will never cease to amaze me how much people implicitly trust wireless connections. I see businesses from coffee shops to book stores offering free wireless connectivity in the hopes that people will stick around and spend money. This is a great idea for businesses, and the concept does work. However, I often wonder why you would so willingly trust this free service.

Imagine this scenario. You walk into your favorite Barnes & Noble book store to sip some coffee, eat some eclairs, and surf a bit. While surfing, you decide you want to check your hotmail account. You type in your usual “http://www.hotmail.com” as you always do. You then enter your username and password as you always do. “Login Failed? Huh?” You type it again “Username: eye_me_leet | password: h4x0r2u”… ” and just as quickly as the first response occurs, the same response comes back “Login Failed”. Thinking this may be a cache problem or just a bug with IE, you close your browser or perhaps reboot all together. You type in the site again aych-tee-tee-pee collon-slash-slash dub-dub-dub-dot-hotmail-dot-com [Enter]. But to your horror, as the pixels on the page change, they don’t turn to the standard looking hotmail screen, instead, these pixels spell words only a truly 1334 r00t *** would put on a site — “U’V b33n pwnt !”. What happened, other than some really bad clichC) leet-speak?

When you connected to the first access point, you didn’t realize you were connecting to someone else in the same room as you. They set up their very own wireless access point that acted as a proxy for the internet. This user was running Ethereal to sniff packets, but more importantly, he set up his own machine as the authority for hotmail.com. In doing so, you were directed to his mock site that simulated the look and feel of Hotmail. When you typed in your username and password, it didn’t go to hotmail to authenticate. Instead, it was captured by the “hacker” who immediately used your information to log into the real hotmail site and change your credentials. This hacker was at least kind enough to tell you that you were “had”. Your username and password may likely be the same across multiple services too. That same one you used for hotmail is most likely similar, if not the same as the one you are using on your windows machine. So the user then connects to your machine’s IP address and types in the same username / password information to gain access to administrative shares, read your documents or infect you with viruses. Alternatively, the hacker could read and send email from your box and perhaps use it to gain more information about where you do business, who you talk to and what kind of work (or play) you engage in. The possibilities are limitless and terrifying.

Remember this the next time you blindly walk into a business and connect to their network.

Posted in: technical / Tagged: , ,

Delegates in C# vs VB.NET down to the IL

So I found a post on a blog the other day from one of my friends. He is a recent convert from VB.NET to C# and he asked where his event handlers were. Anyone that has been coding in both VB.NET and C# knows exactly what the problem is. Many people tend to misunderstand where the .NET runtime ends and language syntax begins. Let’s remember that both languages must compile to Intermediate Language (IL). The way each language chooses to implement .NET’s features in sytax is totally up to the language designer. This post will attempt to show the differences in these languages and break down how this all works behind the scenes. I’ll show you how events are hooked up in VB.NET, then in C#. I’ll show you how these are compiled down to IL and then provide references where you can find more information if you really want it.

First off, lets look at how we implement event handlers for controls. When I double click on a control in a VB.NET Windows Forms project, the development environment drops me into VB.NET code and a newly created event handler. The event handler is hooked up as follows:

Private Sub Button1_Click(ByVal sender As System.Object, _
  ByVal e As System.EventArgs) Handles Button1.Click
End Sub

VB.NET knows that this event (Button1_Click) is handling the Click event of the Button1 object by the very aptly named “Handles” keyword followed by the dotted notation of Object.EventName. This, of course, follows the EventHandler delegate method signature. When I compile this code, the VB.NET compiler outputs the following IL:

IL_0037:  ldarg.0
IL_0038:  dup
IL_0039:  ldvirtftn
          instance void VBHandlers.Form1::Button1_Click(object,
             class [mscorlib]System.EventArgs)
IL_003f:  newobj
          instance void [mscorlib]System.EventHandler::.ctor(object,
             native int)
IL_0044:  callvirt
          instance void [System.Windows.Forms]System.Windows.Forms.Control::add_Click(
             class [mscorlib]System.EventHandler)

This IL is fiarly simple, the ldvirtftn field is pushing the pointer to the Button1_Click function’s implementation onto the stack. This first pushes the Button1 object onto the stack. The object instance is then popped from the stack and the address of the entry point to Button1_Click is retreived. That pointer is then pushed onto the stack. Next the event handler is created with the newobj call, and finally, the callvirt method adds the handler to the Click event. Notice that the click event implements an add_Click syntax. This is because there is a little known feature of .NET events which provide event accessors. Much like you can use Get and Set accessors for properties, you can implement add and remove accessors for events. You might also recognize the prefixed operation on the event is similar to the way that operator overloading looks in IL (i.e. op_Equal).

In C# we have the same convenience of double clicking a control to quickly implement the default event for that control. When we double click the same button in a C# Windows Forms project, we are aslo presented in a C# code window that has the following code:

private void button1_Click(object sender, System.EventArgs e) {
}

You can see that we have our method implemented that matches the delegate method signature, but where is our handler? How does the button know to hook this up? What happens if I rename my button? Does it just know to handle this method when the event is raised based on the method name? Not hardly. The development environment also adds a handler to this method, but it does it in a more object oriented manner. That is, it hooks up the event by an assignment operator. If you look at your C# windows forms code again, look for the “Windows Form Designer generated code” code region and expand it. You’ll notice in the InitializeComponent method, there is a section of this method dedicated to setting the values for the button1 button instance. At the end of this section is code similar to the following:

this.button1.Click += new System.EventHandler(this.button1_Click);

This code tells the event to append an EventHandler to the Click event. That event handler just happens to be our button1_Click method. When we compile our C# code, we get nearly the same IL output:

IL_005a:  ldarg.0
IL_005b:  ldftn
              instance void CSharpHandlers.Form1::button1_Click(object,
             class [mscorlib]System.EventArgs)
IL_0061:  newobj
              instance void [mscorlib]System.EventHandler::.ctor(object,
              native int)
IL_0066:  callvirt
              instance void [System.Windows.Forms]System.Windows.Forms.Control::add_Click(
              class [mscorlib]System.EventHandler)

Did you catch the difference between the C# and VB.NET IL output? We are no longer calling ldvirtftn, but instead, we are simply calling ldftn. This is the difference between VB.NET using a virtual dispatch sequence and C# using an instance dispatch sequence. Both are valid according to Ecma-335 standards. My guess is that if you don’t understand delegates, you won’t get the difference between these two fields. The main thrust of what most need to see is that both languages implement the same functionaility differently through their language syntax. It’s up to the compiler to interpret the syntax and output the appropriate IL code — which more often than not is nearly identical regardless of what language you use. For some languages it may make more sense to use a different IL construct within the same category, but the output is essentially the same. If you attempt to use a different .NET compatible language and you don’t see a feature that you were expecting to see, don’t give up. The feature is most likely implemented in a different way.

Posted in: technical / Tagged: , ,

Adventures in Stupidity: Retail Edition

There are some things in life that I just can’t understand. How corporations determine prices for products is one of those. I was surfing a computer manufacturer’s site today and I started to configure a system. I had the following options for a monitor.

  • 17 inch E773 (16 inch viewable) Conventional CRT
  • 15 inch E153F
  • P Analog Flat Panel [add $129 or $4/month1]
  • 17 inch E173FP Analog Flat Panel [add $229 or $7/month1]
  • Refurbished 17 inch E773 (16 inch viewable) Conventional CRT [subtract $31]
  • No monitor [subtract $20]

Notice that I can save $31 by selecting a refurbished monitor over a new one. Notice also that I only save $20 if I decide I don’t want any monitor at all. Of course I will never understand how Dell can justify the fact that it costs me less money to have them send me a refurbished monitor than to not take a monitor at all. Are they telling me that their monitors are so bad that they will give me $11 more off of my computer to rid them of it than to simply not take one at all? Granted, I’m going to pay a little more for shipping on a 17″ CRT, but seriously, what’s going on here? Retail is a strange business, but I can’t really see how logically this is better for Dell to give away an asset, let alone pay you to take it off their hands.

Posted in: personal / Tagged:

Bluetooth Viruses Attacking Bluetooth-enabled cars?

I came across this post somehow that I think is extremely cool. It details an attempt to attack a Toyota Prius with bluetooth viruses and known exploits. I’m happy to hear that nothing severely adverse was achievable, although there were some scary moments. Go check it out.

Posted in: technical / Tagged: , ,

Time Warner’s (un)Security

I wanted to make people fully aware of a problem I encountered today with Time Warner Telecom because it flies in the face of good privacy and security practices.

So here’s the background. I paid my cable bill online through Time Warner the other day. I typically pay through their web interface rather than use ebills like I do for everyone else. However, something happened this time, evidently, and my payment didn’t get processed.

Because my bill was now late, Time Warner gave me a “courtesy call” to tell me. Here’s how the conversation went (not exact, obviously, but this is the gist):

Me:          "Hello, this is Tobin."
Time Warner: "Yes, is Mr Titus in?"
Me:          "That's me, how can I help you?"
Time Warner: "We were calling to tell you that you are now
              past due on your cable bill."
Me:          "Really? I paid you the other day online."
Time Warner: "On our website?"
Me:          "Yes, ma'am. Let me check my bank account to see
              if it processed."
::I then checked online ::
Me:          "You are absolutely right, it didn't get processed.
              I'll go ahead and try to pay it online again."
Time Warner: "Sir, you don't have to do that. We can accept your
              credit card payment over the phone right now."
Me:          "I don't make a habit of giving my credit cards over
              the phone, particularly when someone calls me."

The fact that these guys offered to take my payment over the phone is bad enough. It should be the policy of every company to NOT accept payments when THEY call YOU because that opens up the door to fraud. If everyone knew that a company would not call you to ask you for your credit card information, there would be less Phishing attacks. This is why AOL specifically puts notices in their IM and Mail windows that says they will NEVER ask for your credit card information through those means.

So offering to take my payment right then and there is a huge problem already, but
here is where it get’s more interesting.

Time Warner:  "Sir, we can prove we are who we say we are. We have
               your last four digits of your social, your address,
               your phone number, etc"

!?!?!?!?!?!! WTF !!??!?!?!!!?

Me:           "So do all of my creditors. With all of the recent
               ID theft lately, my informaiton is all over the
               place. Anyone could have that. But do you mean to
               tell me that you would give me the last four digits 
               of my social and my address to verify that you are
               who you say you are? How do you know that I'm really
               Tobin and you wouldn't be giving that information                
               out to just anyone??"

I could hear this representatives wheels turning in her head. She finally tried to back track.

Time Warner:  "No, uhh, I , umm, I meant that you could give me
               your social and we could tell you if that's right
               or not."
Me:           "How would that prove anything to me. You'd say 'ok,
               what's your social?', I'd say '1234' and you'd say
               'yep, that's it, now give me your credit card number!'?"
Time Warner:  "No sir, that's not what I meant."
Me:           "You were going to read my social to me--a guy who you
               can't prove is Tobin Titus."
Time Warner:  "No sir, we didn't read your social security number."
Me:           "But you were going to!"
Time Warner:  "No sir."
Me:           "Either you were going to read my social or I was going 
               to blindly give it to you which would have proved nothing
               to me. Which is it?"

At this point, I finally told the lady “nevermind”and asked for her supervisor’s name. This was unreal. I can’t believe in this day and age people non-challantly ask for or provide information like this over the phone with untrusted and unverified individuals. It affects anyone that uses Time Warner and I feel if they don’t see the problems associated with this practice, then their customers need to know that their personal data is in the hands of bumbling idiots.

So how can companies solve this problem? Its fairly simple and I have some rules I think should be implemented by every company that keeps private data. They are as follows.

  1. Never ask for data when you contact a customer – This is just common sense. Hundreds of thousands of people have been suckered into giving up personal information in so-called phishing scams. If companies, as a general rule don’t ask for information when they contact you, people would be more sensative to thistype of attack.
  2. Never display sensative personal information to CSRs. – 80% of all “hacks” come from inside a company according to the 2003 CSI/FBI Computer Security Survey. If the CSR is to validate information, it should be typed in. For instance, instead of seeing the full address on the screen, a CSR should be prompted to type in the street number for the address. If the data matches that stored in the database, then and only then should the CSR get to read any of the account information.
  3. Never use a social security number as an identifier! – This is a pie-in-the-sky sort of request, but it is ultimately necessary if we are ever going to fix identity theft. Anyone who’s been alive since the original Andy Griffeth was on the air should know that Social Security numbers were never meant to be used as identifiers for ANYTHING other than for the social security program. The problem is that this has now become the closest thing to a federal ID we have. Sure its convenient, but this is the direct cause of so much identity theft. I have an entire post dedicated to how we can fix this later, but its out of place here. More to come…
  4. Hire competent people – Information is only as secure as the people who have access to it. If you are hiring the cheapest labor you can find (and that includes outsourcing your records off-shore — YIKES!), you are sure to have chinks in your armor. Case and point. if Time Warner had competent employees, they would think to themselves “Hmm, maybe I shouldn’t offer to give out this man’s personal data so he knows who we are.” In retrospect, I wonder what this employee would have done had I asked her to prove they were Time Warner by giving me her social security number.

Again, I have more to come, but this should cover the basics. Keep your data on a short leash. If someone asks for data you don’t think is appropriate to give out (particularly on applications), then don’t give it out. Verify the need for the data as well as the intent of use of the data before giving it out to anyone.

Posted in: technical / Tagged:

Dinner with the CLR team

Words really cannot describe the events that started a few weeks ago with a private invite to dinner with a few cool guys from the CLR team and ended just a few hours ago with a life changing experience for me. In your lifetime, there have probably been several times in your life where you have evaluated your skills and felt you were at the top of your game. Just the same, there have probably been other times where you just felt completely out of your league. Now, I’ve given a few presentations, written a few books and secured quite a few cool jobs in my lifetime so on my way to Atlanta to meet Brad Abrams, Kit George, Jason Zander, and Claudio Caldato from the CLR team, I was feeling pretty solid in my skill set. These guys, however, made this seasoned consultant feel like an end user.

To be perfectly honest, in context I am an end user. These guys are building the frameworks that I use to make money. By all definitions, I’m the guy that uses their stuff — ergo end-user. Now, before anyone gets the wrong idea, these were some of the most approachable and down-to-earth guys I’ve ever met. They didn’t belittle anyone or make any assumptions. They were truly engaging and were very interested in what feedback we had for them. They wanted to know what we were doing with .NET and how they could make our lives easier. The topics that I participated in ranged from talking with Kit about what’s new with security, to talking to Jason about all things memory management and the future of the CLR.

Now you may ask, “why was this a life changing experience?” I would of course have to answer thus: these guys got me excited about learning again. The brought back the same feeling I had years ago when I first started developing and everything was new and exciting. They reminded me about how much I didn’t know and how cool it could be to know that stuff. Two years ago, I caught myself falling down the “developer burn-out” stage that has happened to more than one developer that I know of in my life. I just couldn’t find it in me any longer to try REALLY hard to do my job. I bullied my way through that era and found myself interested in staying alive in the developer game.

But the group we talked to tonight had me more than just interested — I’m still jumping up and down in my heart. I’m excited again and I don’t think I’ll sleep for a solid month trying to play catch-up. I could have talked for months to these guys and I wouldn’t have blinked. If I say this appropriately, let me just say that I absolutely LOVED Jason Zander. Not that the whole team wasn’t brilliant, but this guy has been with Microsoft for 13 years. He’s been working with Microsoft since Windows 3.x and remembers compiling from OS2! As such, this guys has a wealth of knowledge that I couldn’t possibly pick up even if I didn’t have to make a living doing the grunt work.

I’m again looking at these words and finding myself , for once, unable to express even the slightest bit how in awe I am that these people know this much…

… just when you think you understand where the absolute top of the food chain is and think that maybe.. just maybe you could one day stand next to them and converse at their level, they start talking about the guys that “really know what they are talking about” that didn’t come to the dinner!!!

I just so happened to have had an old crappy 1megapixel camera in my truck glove box so I ran out and took the best pictures I could with the equipment I had. I had intended to drive all the way home tonight, get some sleep and blog about the dinner tomorrow. However, I’m so excited that I rented a room in a hotel in Greenville, ran to wal-mart to buy a new wi-fi card (since the motel I’m at has free wireless internet) and also a compact flash card reader. Please forgive the crappy photos, but I dumped them into a gallery for everyone’s amusement. Luckily, I was taking the pictures so I was out of most of them. 🙂

Guys thanks a million for showing up. Thanks a million for answering our questions. Thank you SO much for giving me a new bar to aim for. Thank you, thank you for bringing me back to life.

Posted in: events / Tagged: , ,

Charlotte Code Camp

I just got a moment to settle down and write a quick bit about the Charlotte Code Camp. It was a great experience despite the fact that I really only got to watch two presentations. Bill had a pretty cool presentation on speech server. Todd Fine (a Microsoft Regional Director) had a pretty cool presentation on Avalon. I have to say that every time I see this stuff I get very excited about the future of programming.

My presentation went over pretty well. I was hoping to have a larger crowd, but what do you expect when you are giving your presentation at the same time as Maxim Karpov , Doug Turnure, and Bill Ryan ? However, I was very surprised to see several evaluation forms with my code access security presentation picked as their favorite topic. Ibll be posting the presentation slides and source code on my blog here in a few days.

While Ibm thinking about it, if anyone is going to be in the Greenville, SC area on May 17th, we really need a GREAT turnout to the Microsoft MSDN event or we wonbt have Microsoft coming to town again. We need a turnout of 100 and we currently have just over 50 registered. We need about 130 registered to meet our goal and we only have a little over two weeks to do it! Please spread the word, we need attendance!

Posted in: events / Tagged: ,

Exploit using System.String? Not Really

I’ve been playing around in the CLR for some time just playing with quirks and oddities.  I  noted some time ago that non-printable characters were easily stored in strings.  This really wasn’t a suprise except that a null character (“”) could be stored and appropriately retrieved from a string.  If I embedded a null character in a string, it didn’t cause the string to truncate when I read it back.  This made me wonder just how the string class knew how large its buffer was. How did it know which null character was it’s terminator?

Since my upcoming book deals, in part, with Reflection, I decided to try some playing around with the string object using MemberInfo. I found something rather interesting.  The string class keeps track of how large its buffer is in a member variable called m_stringLength.  So I started to wonder, what would happen if I created a string and then used reflection to change the length?

I decided to make this interesting.  I first created an example class that would represent a class handling sensitive data.  My code was simple and was as follows:

using System;

namespace CodeWithSecrets {

  // Lets assume this is a class that handles connection strings
  // or other sensative data.
  class ConnectionStringGuardian {
     public ConnectionStringGuardian() {
        connect = "uid=sa;pwd=LoveSexSecretGod";
     }
  }
}

I put this class in its own class library assembly named “CodeWithSecrets”. Then came the code that I would use to exploit the “ConnectionStringGuardian” class. 

using System;
using System.Reflection; 
using CodeWithSecrets;

namespace MalCode{ 
  class Malware {
    [STAThread]
    static void Main(string[] args) {
      ReadPastBuffer();
    }
    private static void ReadPastBuffer() {
      // Storing some variable
        String stringObj = "12345"; 
      // Store an object with private data in it
        ConnectionStringGuardian obj = new ConnectionStringGuardian();
      // Getting the String Type
        Type stringType = Type.GetType("System.String");
      // Getting a reference to the private field in System.String 
        FieldInfo fi = stringType.GetField( "m_stringLength", 
          BindingFlags.Instance|BindingFlags.NonPublic);
      // Read the string object 
        Console.WriteLine( "Reflected String: '{0}'", stringObj );
      // Set the private variable that keeps track of string length;
        Object parameter = 255;
        fi.SetValue( stringObj, parameter );
      // Read the reflected string  
      Console.WriteLine( "Expanded Buffer: '{0}'", stringObj );
      Console.ReadLine();
    }
  }
}

To explain what I’ve done here, I created a typical string holding an arbitrary value.  I then create an instance of my class that holds secret data.  Using reflection, I then access the private m_stringLength member to increase the size of the string’s buffer to 255. Finally, I output my string to the console to see if I can read past my buffer in a managed string. As you’ll notice, I write the string’s value to the console before increasing the buffer size, and then I write the strings value to the console again after modifying the buffer size.  The following screen shot depicts the results:

Malicious Code

Notice that I was able to read past the buffer and into the memory where the sensitive data was stored.  (First person to name the movie the sample password comes from gets a free Apress t-shirt if you send me your address.)

Now this is not really an exploit other than the fact that I can read memory to possibly sensitive data.  I tried to do other things to the memory such as stomp on it by calling the private “NullTerminate()” method that I found using reflection as well.  NullTerminate writes a null terminator at the end of a buffer using the m_stringLength value to determine just where to put that value.  This, unfortunately, did not overwrite the data in memory as I was expecting.  Ultimately, I was thinking that I might be able to break the type safety of an assembly by stomping on memory belonging to an instance. 

The problem with this code (or perhaps the good thing to note if you are an MS security expert) is that I have to use reflection to pull this off. I wouldn’t be able to execute this in a partial trust environment. If I downloaded this code in the internet zone, the reflection permission is not permitted by default. This severely cripples my attempts to make this tidbit worthwhile.  As Michael Howard responded to me: “fully trusted code is fully trusted code.”  True enough.

In any case, I hope this serves as some sort of education in some more internals of the string class. Let me know what you think. 

(P.S. No need to make the obvious statement that sensitive data shouldn’t be stored in classes.)

Posted in: technical / Tagged: , ,