Sunday, March 07, 2004

Here's the home page for Christoph who did the OpenHack demo at DevDays in Houston.

Here are some recent entries - he is following up from his talk (and questions he was asked) at DevDays and with more info and how-to's

Sunday, March 07, 2004 6:31:42 PM (Eastern Standard Time, UTC-05:00)

Infragistics recently scooped up Jason Beres (lucky them) and he moved from Florida to New Jersey. Tomorrow they are sending Jason, who is also an INETA speaker, to speak at Vermont.NET. Jason will fly in in the early afternoon, get a quick tour of Burlington, do the meeting, then we'll head back downtown to check out some of our famous college bars. Of course, it's Monday night - things are a little quiet. But all are free to join us. I know - there are *SO* many bloggers in Burlington. Actually there is Dave Burke and Roman Rehak. We used to have Joy (sniff sniff I miss her) “Cleverhack” Larkin who moved to PA to go to law school.

My user group is VERY spoiled. Read this prior post to see our list of hot .NET speakers who have come and are planning to come to Vermont.

Here's the scoop on tomorrow's meeting:

Who: Jason Beres
When: Monday March 8th, 6pm-8 or 9pm
Where: KnowledgeWave, 300 Community Drive, So. Burlington, VT
Topic: Writing an N-Tier Windows Form Application
This presentation will look at the Tracker reference application and eBook as a real world example using key Microsoft technologies:
  • Web Services Enhancements WS-Security, allowing secure authentication from the Windows Forms application to a web service for data access
  • Microsoft Data Access Application Block
  • Microsoft Exception Management Application Block
  • Microsoft Application Updater Application Block
  • Multithreaded Windows Forms application for data access
  • Structure for implementing online and offline data access without using DataSets
  • XML Web Service data access or data access directly to SQL Server
Why: Well d'uh - to learn a lot, to eat free pizza, to get great swag (courtesy of Infragistics)

Jason will be the next victim to stay at our house on the mountain and will then head up to Montreal on Tuesday to speak at GUVSM.

Sunday, March 07, 2004 2:50:02 PM (Eastern Standard Time, UTC-05:00)

MSDN was very generous in purchasing a booth at each DevDays event for local user groups to share in order to let attendees know about the user groups.

If you are a user group leader and are NOT set up to do this and want to be for an upcoming DevDays event, contact ugrelations@ineta.org asap.

If your user group is about to do a booth and has any questions, needs to talk with other local u.g. leaders or whatever, let us know and we will help you.

Lastly, if you already have done this at a now past DevDays event, again, let us know how it went!

Sunday, March 07, 2004 1:21:54 PM (Eastern Standard Time, UTC-05:00)
Saturday, March 06, 2004

Well that quote comes from this post (On the Road to Indigo - is .NET Remoting Dead?) by Microsoft's Rich Turner and it caught my eye. In it, Rich explains the future of .NET Remoting.

I personally don't have a lot of (well...any) experience with .NET Remoting. Once I got through the learning curve of web services (since that was what MS was pushing at the beginning of .NET) I got lazy and used web services even in situations where I knew that .NET remoting would have been more efficient.

So when I was at PDC listening to Don Box talking about Indigo and saying that if you want to use Indigo, just keep using web services and forget about remoting, I felt so justified. But according to Rich, I (like many, I am sure) missed the point.

So if you are using .NET Remoting and concerned about its future, go check out Rich's post because I am NOT the person to be explaining this to you.

Saturday, March 06, 2004 10:16:55 AM (Eastern Standard Time, UTC-05:00)
Friday, March 05, 2004

Now that my awareness is up about the issues with XP SP2 from this Infoworld article, I caught this article from Microsoft Watch that has some more information. (I really have not had time to look into this so I am grateful for Joris Evers and Mary Jo Foley's articles on this topic.) Mary Jo notes that there will be some service packs for VS.NET 2002 and 2003 in the wings to help with some of the breaking changes. However, everything else seems to be up to us - oh all of those VB6 apps I have out there...sniff sniff. I wonder about my older FrontPage and ASP sites and my friends who run their businesses with Access databases.

Friday, March 05, 2004 3:04:57 PM (Eastern Standard Time, UTC-05:00)

Though I'm sure she didn't invent the phrase, Mary Jo Foley's article on the MVP Summit is the first time I ever heard anyone refer to MVPs as the volunteer army. That's pretty funny. My husband probably wouldn't laugh though. The common joke around our house is that Microsoft has become my favorite charity organization, though the image of the red bucket and little bell doesn't seem to fit.

Friday, March 05, 2004 2:56:16 PM (Eastern Standard Time, UTC-05:00)

A new article in InfoWorld highlights the issue of breaking changes FOR DEVELOPERS in the SP2 release of WinXP. According to Pat Hynds (New England RD and CTO at Critical Sites) if we a) are paying attention to the security messages for developers such as at DevDays and b) take note of the information that is on this MSDN page that is for developers to prepare, things shouldn't be so terrible.

Apparently Microsoft has been getting the word out to developers. I actually hadn't noticed that yet. I know we are getting lots of info on how to write secure apps (and I am sharing that as well). I just hadn't heard yet that this is a breaking change.

I think what it means for me is 3 things:

1) I have to test ALL of the apps I have in production against SP2 before any of my clients start upgrading (ugggh...)

and

2) I need to be aware of what I will need to do differently in my development environment. Hopefully, this is akin to dealing with the change from IIS5 - ASPNET account to IIS6 - Network Service account. That wasn't so horrible.

3) (added) Oh yeah, and I don't have a spare computer that I dare install the SP2 on to do all of this testing. This is a big problem. I have Whidbey on my laptop and need it to work for learning and for upcoming presentations. I already have the Lonestar beta on my tablet and have to assure that I can use that to do my DevDays demos at Boston, plus I don't feel like installing all of my apps and dev tools on there anyway. My husband uses his computer for doing paperwork for his business. So I'm kind of up a creek right now anyway.

From that page (link is above):

To developers these technologies will have impacts on the applications that they create and the tools they use. This page contains resources to assist developers in dealing with these impacts.

From the article (quoting someone from MS):

Large vendors of software are getting help from Microsoft to make sure their applications are compatible with SP2, Goodhew said. Smaller vendors and others, such as enterprise software developers, need to do their own testing. "It is really up to developers to do the due diligence," he said.

If developers do find that SP2 breaks their applications, it most likely means that they were not following best practices in terms of security when writing their applications, according to Goodhew.

Definitely pay attention to this!!!

In the long run it is a good thing of course. I just wish someone from Microsoft would come to *my* home office and make sure everything is still working! Pancakes and maple syrup anyone?? :-)

Friday, March 05, 2004 1:10:51 PM (Eastern Standard Time, UTC-05:00)

I was thinking about the Whidbey bits in the DevDays bags. This is not the same audience of leading edge developers that go to PDC. I wonder if it's just “yet another cd” in the bag or if people are tripping over themselves to get home and install the bits and check out Whidbey. Has anyone heard any type of buzz about this from attendees?

 

Friday, March 05, 2004 10:10:44 AM (Eastern Standard Time, UTC-05:00)
Thursday, March 04, 2004

PASS will be in Orlando this year. Roman Rehak says there is one more week for proposals. More info at his blog here. Roman was the track chair in 2003. I'm guessing he is again for 2004.

Thursday, March 04, 2004 9:46:31 PM (Eastern Standard Time, UTC-05:00)

My jam-packed session at DevDays - Defenses and Countermeasures - shows a huge number of solutions, things you can do to try to keep the hackers out. It was frustrating not to be able to get into the details of all of the great information that was in there due to the time limitation.

I think it would be interesting to look at all of those lessons in tiers.

The first tier would be basic, easy to remember, somewhat easy to implement solutions like:

  • never use sa as the account to access your database
  • use integrated security to access your database when you can; however, if you *must* use a uid & pwd in your db access strings, hide them. There are a number of ways, including: use the Configuration Management Application Block, which has this ability built in via a wrapper to DPAPI, OR encrypt the string yourself before putting it in your web.config file (in .NET 1.x you will need to build your own little DPAPI library to help you do this as well as to decrypt), OR encrypt the string and stuff it into the registry
  • check query strings in URLs to make sure they don't include possible SQL injection strings - this is pretty easy to just do in the page load
  • use stored procedures FIRST, parameterized queries as a 2nd option, and concatenated queries never
  • validate data entry to limit the possibility of characters that are used for SQL injection or cross-site scripting attacks
  • never use the system account for your web application
  • HtmlEncode all output back to the browser
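The list above worked through in C# against the ADO.NET 1.x classes its audience would be using. This is an added example written for this page, not code from the post or from the DevDays session; the table, column and stored procedure names (Customers, CustomerName, GetCustomerByName) and the connection string are assumed. The concatenated form is kept only so the contrast is visible: a perfectly legitimate name containing an apostrophe is enough to break it, and that same mechanism is what an injection attack relies on, which is why the post ranks it "never".

```csharp
// Added example (not the post's code): the tier-one list in ADO.NET 1.x terms.
// Customers, CustomerName, GetCustomerByName and the connection string are assumed.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

public class CustomerData
{
    // A login with only the rights the app needs (never sa), and integrated
    // security so no uid/pwd has to live in the string at all.
    private const string ConnectionString =
        "Data Source=(local);Initial Catalog=Northwind;Integrated Security=SSPI;";

    // Allow-list for a name field: letters, spaces, apostrophes, hyphens, 1-50 chars.
    // Saying what IS allowed is stricter than hunting for "bad" characters.
    private static readonly Regex NameRule = new Regex(@"^[A-Za-z' \-]{1,50}$");

    public static bool IsValidName(string name)
    {
        return name != null && NameRule.IsMatch(name);
    }

    // The "never" option: concatenation. The user's text becomes part of the
    // SQL itself, so O'Brien already produces a broken statement.
    public static string ConcatenatedSql(string name)
    {
        return "SELECT CustomerID, CustomerName FROM Customers WHERE CustomerName = '" + name + "'";
    }

    // The 2nd option: a parameterized query. The value travels as a typed
    // parameter, so the SQL text is the same no matter what was typed.
    public static SqlCommand ParameterizedCommand(SqlConnection conn, string name)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT CustomerID, CustomerName FROM Customers WHERE CustomerName = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name;
        return cmd;
    }

    // The FIRST option: a stored procedure, again with a typed parameter.
    public static SqlCommand StoredProcCommand(SqlConnection conn, string name)
    {
        SqlCommand cmd = new SqlCommand("GetCustomerByName", conn);
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name;
        return cmd;
    }

    // Last item on the list: encode everything that goes back to the browser,
    // so angle brackets arrive as &lt; and &gt; instead of as markup.
    public static string SafeForHtml(string value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    public static void Main()
    {
        string typed = "O'Brien";                      // constructed, legitimate input
        Console.WriteLine(IsValidName(typed));         // True
        Console.WriteLine(ConcatenatedSql(typed));     // the quote closes the literal early
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        {
            SqlCommand cmd = ParameterizedCommand(conn, typed);
            Console.WriteLine(cmd.CommandText);                // unchanged text
            Console.WriteLine(cmd.Parameters["@name"].Value);  // O'Brien, carried separately
        }
        Console.WriteLine(SafeForHtml("<b>" + typed + "</b>"));
    }
}
```

Nothing here opens the connection, so the Main runs without a database and just shows the three command shapes side by side; the two SqlCommand builders are what you would hand to ExecuteReader once the connection is open.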

Even with this top tier list, there are two audiences. The first audience only needs the list and either knows how to accomplish these things or knows how to find out. That audience just wants a checklist, and then you can also talk about a LOT more things. The other audience would need this list to be the entire one-hour presentation so you can really dig into each thing: how to do the encryption, looking at the difference between the effect of a query string with a SQL injection attack and a stored procedure with the same attempted SQL injection attack, experimenting with the variety of other ways to prevent nasty input.

I will be thinking about all of this a lot until the next DevDays (in Boston) where I will be presenting this session again.

Thursday, March 04, 2004 8:43:04 AM (Eastern Standard Time, UTC-05:00)

Peter (Tabula PC) drops a hint about upcoming Tablet PC goodies...but says don't get too excited, it's not a big deal. Funny, but regardless of his caveat, I'm still awfully curious!

Thursday, March 04, 2004 8:01:02 AM (Eastern Standard Time, UTC-05:00)
Monday, March 01, 2004

I am getting some great feedback in my last two security related posts from people who have been thinking about, working with and dealing with asp.net security a lot longer than I have.

DEFINITELY read the comments by Steve Smith and Sam Gentile in my last post.

And don't miss the comments by Anil John and Andrew Duthie in my post on the RequestValidation feature in ASP.NET 1.1.

There is no ONE solution to security. Threats are coming at you from many many angles. You have to protect yourself in many many ways and then you still won't be done.

One of the points that is made in the Defenses and Countermeasures session that I am doing for DevDays is that what we are doing with all of these steps is not assuming that we are eliminating all security problems, but instead, we are continuously raising the bar for potential hackers. Making it harder and harder for them to do their deeds.

Monday, March 01, 2004 8:22:30 AM (Eastern Standard Time, UTC-05:00)
Sunday, February 29, 2004

Don't we all? Isn't it what we were told to do? ASP.NET protects the web.config file so nobody can browse to it and see your connection strings, logins and passwords and whatever else you have hidden in there. Right?

But guess what, that's just not good enough anymore! Hackers who know how to get into your webserver and get around asp.net can get at the web.config file.

This is one of the things we are talking about in the DevDays ASP.NET Security track.

One of the ways to protect the strings is to encrypt them (which isn't so hard) but decrypting them *is* (and should be, if you think about it...). DPAPI (a Win32 API - not managed code) is used to handle the keys for encrypting and decrypting your data but it is pretty confusing to use, especially if you are not used to dealing with unmanaged code. (In that case, if you want to get more comfy with that, keep up with Sam Gentile's MSDN series on COM Interop.)

Enter the Configuration Management Application Block for .NET. Among its features is its ability to handle this encryption/decryption for you.

How does the Configuration Management Application Block improve the security and integrity of application configuration data?

Regardless of the type of data or the store in which the data is held, you can configure the Configuration Management Application Block to use the data signing and encryption services provided by a Data Protection Provider. The Configuration Management Application Block provides two Data Protection Provider implementations and the extensible architecture of the Configuration Management Application Block means that you can easily and seamlessly integrate your own Data Protection Provider implementation.

Phew! (You'd be saying that too if you looked at the code for working with DPAPI.)

Also - Whidbey will have a managed wrapper for DPAPI so a lot of this will be easier to do yourself down the road. My understanding is that this is actually related to the work that was done for the App Block. (Or maybe the other way around?)
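The encrypt/decrypt step itself, as an added example rather than the post's or the Application Block's own code. It uses the managed DPAPI wrapper the post says Whidbey will ship (System.Security.Cryptography.ProtectedData in System.Security.dll, .NET 2.0 and later), so it is the "encrypt the string yourself" route from the tier-one list above without the unmanaged Interop; it only runs on Windows because DPAPI is a Win32 service. The appSettings key name and the entropy value are assumed.

```csharp
// Added example (not the post's or the Application Block's code): protecting a
// connection string with the managed DPAPI wrapper, .NET 2.0+, Windows only.
// Reference System.Security.dll. Key name and entropy are assumed values.
using System;
using System.Security.Cryptography;
using System.Text;

public class ConnectionStringProtector
{
    // Optional entropy is a second secret mixed into the DPAPI key, so another
    // process on the same machine cannot simply call Unprotect on the stored
    // blob. Keep it in code or a separate store, not next to the encrypted value.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy-v1");

    // One-time step, run on the web server: returns the base64 text you paste
    // into web.config. LocalMachine scope is used because the ASP.NET worker
    // account may not have a loaded user profile for CurrentUser scope.
    public static string Protect(string connectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        byte[] cipher = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(cipher);
    }

    // Runtime step: turn the stored value back into a connection string.
    // A blob copied from another machine, or edited, fails here with a
    // CryptographicException rather than quietly yielding garbage.
    public static string Unprotect(string base64)
    {
        byte[] cipher = Convert.FromBase64String(base64);
        byte[] plain = ProtectedData.Unprotect(cipher, Entropy, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(plain);
    }

    public static void Main()
    {
        // Constructed sample value; not a real login.
        string original = "Data Source=(local);Initial Catalog=Northwind;User ID=appuser;Password=example-only;";

        string stored = Protect(original);
        Console.WriteLine("<add key=\"EncryptedConnectionString\" value=\"" + stored + "\" />");

        string back = Unprotect(stored);
        Console.WriteLine(back == original ? "round trip ok" : "round trip FAILED");

        // A tampered or foreign blob is rejected outright.
        try
        {
            Unprotect(Convert.ToBase64String(new byte[] { 1, 2, 3 }));
        }
        catch (CryptographicException)
        {
            Console.WriteLine("tampered/foreign blob rejected");
        }
    }
}
```

Because the blob is tied to the machine (and to the entropy), the encrypted value is useless when the web.config is read off the box, which is exactly the exposure the post is worried about. The price is operational: the Protect step has to be re-run on each server, and on a new server after a rebuild.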

Sunday, February 29, 2004 8:45:51 PM (Eastern Standard Time, UTC-05:00)

Did you know that ASP.NET v1.1 automatically checks for possible scripting attacks when users enter info into your forms? I didn't! I learned it in my prep for my DevDays session.

So this: [screenshot in the original post] (with Errors="Off" in web.config) results in this: [screenshot in the original post]

This protection is on by default. It is controlled in a few places. See this article on Microsoft's ASP.NET site for more details.
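What the check looks like from the application's side, as an added example that is not from the post: a Global.asax code-behind that recognizes the HttpRequestValidationException ASP.NET 1.1 throws when a posted field or query string value contains markup, records the event, and sends the user to a friendly page instead of the error screen. The log location and error page name are assumed; the comments note the two places the feature can be switched off.

```csharp
// Added example (not the post's code): handling ASP.NET 1.1 request validation
// failures in Global.asax. Log path and error page are assumed values.
using System;
using System.IO;
using System.Web;

public class Global : HttpApplication
{
    // The check is on by default. The two places it can be turned off:
    //   per page:   <%@ Page ValidateRequest="false" %>
    //   site-wide:  <pages validateRequest="false" /> under <system.web> in web.config
    // Turning it off moves the whole burden of encoding output onto your code.

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        // The runtime wraps page exceptions in HttpUnhandledException; look inside too.
        HttpRequestValidationException rv = ex as HttpRequestValidationException;
        if (rv == null && ex != null)
            rv = ex.InnerException as HttpRequestValidationException;
        if (rv == null)
            return;   // some other error: let customErrors deal with it

        LogRejectedInput(Request.RawUrl, Request.UserHostAddress, rv.Message);
        Server.ClearError();
        Response.Redirect(Request.ApplicationPath.TrimEnd('/') + "/InputRejected.aspx");
    }

    // One tab-separated line per rejected request. The exception message names
    // the field and quotes part of the value, so treat this log as sensitive.
    public static string FormatLogLine(DateTime when, string url, string client, string message)
    {
        return when.ToString("u") + "\t" + client + "\t" + url + "\t"
             + message.Replace("\r", " ").Replace("\n", " ");
    }

    private void LogRejectedInput(string url, string client, string message)
    {
        string path = Server.MapPath("~/logs/request-validation.log");   // assumed location
        using (StreamWriter w = File.AppendText(path))
        {
            w.WriteLine(FormatLogLine(DateTime.UtcNow, url, client, message));
        }
    }
}
```

The handler does not try to repair or accept the input; it only makes the rejection visible to you (a spike in that log is worth a look) and presentable to the user. If a page genuinely has to accept markup and validation is turned off for it, the HtmlEncode rule from the tier-one list is what stands in for this check.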

Sunday, February 29, 2004 11:04:59 AM (Eastern Standard Time, UTC-05:00)

Peter Rysavy LOVES InfoPath (here and here). His love is noted by Robert Scoble.

Dave Burke is not so in love with InfoPath. Dave's opinion was noted by Joris Evers of IDG and Dave was interviewed for this article about InfoPath in InfoWorld!

Sunday, February 29, 2004 10:27:01 AM (Eastern Standard Time, UTC-05:00)

Having been a developer for over 20 years, I appreciate what Clemens is talking about in this discussion.

1) Where do you want to go, Aiden

2) Free stuff vs. Free Stuff

Sunday, February 29, 2004 9:27:23 AM (Eastern Standard Time, UTC-05:00)
Friday, February 27, 2004

Makes my day. The owner of my favorite/biggest client treats me like a business partner. He tells me his visions and lets me do whatever I think it takes to make them a reality. He pays me plenty. I love the company and over the past 7 years of working with them have a great sense of ownership of what goes on there and am very proud of my contributions. But still, he pays me plenty. So to have him stop to tell me “thanks for everything” means so much to me. He said what we have accomplished in the past year is now setting his company up for another fantastic growth spurt. He knows that my dedication to his company goes much deeper than my billables. I am *so* incredibly fortunate to have a client like this.

Building relationships with clients is what keeps you in business. Every time I have ever been asked to talk about this side of my business (I have been a contractor for nearly 18 years now) this is always the most important factor that I highlight.

Friday, February 27, 2004 6:09:06 PM (Eastern Standard Time, UTC-05:00)

Avonelle, James, Andrew, Scott - I absolutely respect everything you are saying which is why I am leaving your comments intact.

I do not have the energy or heart to keep trying to fix what I have written to express properly what I am saying so that it does not insult anyone other than possibly the one person I was writing about - nor do I have the courage to even attempt to debate this with you. I am not expressing myself well. You all are very clear with what you are saying.

Friday, February 27, 2004 8:58:00 AM (Eastern Standard Time, UTC-05:00)
Thursday, February 26, 2004

This is pretty funny!

I'm sure it was a hardware problem...

Thursday, February 26, 2004 7:54:25 PM (Eastern Standard Time, UTC-05:00)

Even though some long haired freak came by and made faces at me while I was doing this interview, it actually sounds pretty good! (I think). http://www.sys-con.com/story/?storyid=43782.

Thursday, February 26, 2004 7:43:02 PM (Eastern Standard Time, UTC-05:00)