3 minutes read

Missing Drive Space? Check IntelliTrace Files

My laptop has a relatively old SSD, so it only has about 128 GB of space. This works out nicely because I like to keep projects and extraneous files on an external drive. However, when you’ve got Visual Studio 2005-2010 installed, 2 instances of SQL Server installed, and god knows what else installed, space gets a little tight with 128 GB. As a result I tend to keep an eye on space. It came as a surprise to find out I lost 20 GB over the course of a week or two without downloading or installing anything substantial. To find…

4 minutes read

Vulnerabilities in Twitter’s OAuth Implementation

Earlier this week Twitter disabled Basic Authentication for clients, and switched over to their new OAuth implementation. It turns out though that OAuth is fairly weak in a few areas, as it hasn’t really become a mature standard. While this isn’t the end of the world, it does leave each implementer to their own devices to cover the weak points. This is just a quick overview of one of the WTFs that is Twitter OAuth, but Ars Technica has a great article on this in detail. One key point that Twitter seemed to miss entirely is how they handle…

Less than a minute read

Bizarre Error Message from Explorer

Interesting error found in explorer.exe. I tried hitting [Windows] + [E] and got this message: Kinda bizarre. I blame solar flares.

2 minutes read

ADFS 2.0 Windows Service Not Starting on Server 2008

I’ve been working on getting a testable ADFS environment set up for evaluation and development. Basically, because of laziness (and timeliness), I’m using Windows Virtual PC to host Server 2008 guests for testing. I didn’t have the time to set up a fully working x64 environment, so I couldn’t go to R2. One of the issues I’ve been running into is that the Windows Service won’t start properly. Or rather, at all. It’s running into a timing issue when running as Network Service, as it’s timing out while waiting for a network connection. More Googling with Bing returned the fix for me…

4 minutes read

AntiXss vs HttpUtility – So What?

Earlier today, Cory Fowler suggested I write up a post discussing the differences between the AntiXss library and the methods found in HttpUtility and how it helps defend from cross-site scripting (XSS). As I was thinking about what to write, it occurred to me that I really had no idea how it did what it did, and why it differed from HttpUtility. <side-track>I’m kinda wondering how many other people out there run into the same thing? We are told to use some technology because it does xyz better than abc, but when it comes right down to it,…

3 minutes read

Visual Studio Step Up Promotion…The Headache

A few months ago some friends of mine at Microsoft told me about a step-up promotion that was going on for the release of Visual Studio 2010. If you purchased a license for Visual Studio 2008 through Volume Licensing, it would translate into the next version up for the 2010 version. Seems fairly straightforward but here is the actual process: So we upgraded our licenses to benefit from the step up. Problem was, we couldn’t access any of the applications we were licensed to use (after RTM, obviously). After a week or so of back and forth with Microsoft we…

8 minutes read

Bad User Interfaces are Insecure

The Best of Intentions

So you’ve built this application. It’s a brilliant application. Its design is spectacular, the architecture is flawless, the coding is clean and coherent, and you even followed the SDL best practices and created a secure application. There is one minor problem though. The interface is terrible. It’s not intuitive, and settings are poorly described in the options window. A lot of people wouldn’t necessarily see this as a security issue, but more of an interaction bug — blame the UX people and get on with your day. Consider this (highly hyperbolic) options window though: How intuitive…

16 minutes read

Six Simple Development Rules (for Writing Secure Code)

I wish I could say that I came up with this list, but alas I did not. I came across it on the Assessment, Consulting & Engineering Team blog from Microsoft, this morning. They are a core part of the Microsoft internal IT Security Group, and are around to provide resources for internal and external software developers. These 6 rules are key to developing secure applications, and they should be followed at all times. Personally, I try to follow the rules closely, and am working hard at creating an SDL for our department. Aside from Rule 1, you could consider…

1 minute read

Deleting Temporary Internet Files from the Command Line

A quickie but a goodie. Sometimes you just need a quick way to delete temp files from IE. In most cases for me it’s when I’m writing a webapp, so I’ve stuck this in the build properties:

RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351

It doesn’t require elevated permissions, and has been tested on Vista and Windows 7. Each command deletes a different type of data: temp files, stored form info, cookies etc. Enjoy.

10 minutes read

Security, Security, Security is about Policy, Policy, Policy

The other day I had the opportunity to take part in an interesting meeting with Microsoft. The discussion was security, and the meeting members were 20 or so IT Pros, developers, and managers from various Fortune 500 companies in the GTA. It was not a sales call. Throughout the day, Microsofties Rob Labbe and Mohammad Akif went into significant detail about the current threat landscape facing all technology vendors and departments. There was one point that was paramount. Security is not all about technology. Security is about the policies implemented at the human level. Blinky-lighted devices look cool, but in…