April 2009 Blog Posts
Vittorio has a new starring role in a shampoo and conditioner commercial Channel9 show, The ID Element. The first episode has Stuart Kwan, the Federated Identity PM, talking about Geneva in all its glory: server, framework and client. I know, none of you aside from Dominick and Travis will care, but you should. Honestly. (because it’ll give me another presentation to do at DDDs if nothing else!) Technorati Tags: Geneva, Federated Identity, Big Hair
In my WebDD09 talk on Saturday I mentioned SQL injection and LINQ. I’ve had a query about what exactly is the problem with LINQ, as I was constrained by time and only mentioned it in passing. Microsoft asserts that LINQ stops SQL injection attacks: "LINQ to SQL avoids such injection by using SqlParameter in queries. User input is turned into parameter values. This approach prevents malicious commands from being used from customer input." This is generally true; however, LINQ has a problem method – ExecuteQuery. This method executes queries directly on the server which...
After DDD Belfast came WebDD09 where I was presenting on the OWASP Top Ten Project (well I could hardly present at DDD Belfast, I was organising, that seems just a little too egotistical *grin*). You can download the PowerPoint [905kb] and the sample code [432k]. For the person who asked you can download Fritz Onion’s ViewState Decoder. For further reading on XSS Russ McRee republishes his Anatomy of an XSS attack article from the ISSA journal and NG Software have two PDFs, Advanced SQL Injection and More Advanced SQL Injection. With the added bonus of discovering coffee beans...
Alex Mackey tweeted yesterday that his book was available for pre-order on Amazon, so vanity got the best of me – I checked and mine is available too. It grows ever more real and scary, although not as scary as the cover (which is now on its third iteration but I still can't convince them to use Oliver's alternative version) … Pre-order from Amazon UK. Pre-order from Amazon US. Technorati Tags: ASP.NET, Wrox, Vanity
It’s been reported that Labour would like the proposed UK ID cards to plug into the Chip and PIN network. This is a commercial network whose security has never been verified, and a bunch of folks at Cambridge reverse engineered it and showed massive cryptographic flaws, such as reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses. This is the same network that a leaked report showed had higher instances of fraud associated with it than were expected. This was a system designed, not for security, but for moving the consequences of...
Well that was fun :) 150 people, 15 speakers, 3 organisers, 2 Microsoft folks and swag from Wrox, TechSmith, DevExpress, RedGate, Jetbrains, and a special offer from Innerworkings for free ASP.NET MVC training. And then there were the Wrox lollipops… I have my pictures up on flickr; here is just a small sample. Obviously I’d like to thank all our speakers, our sponsors, the venue folks and of course Microsoft Ireland. And I’d like to thank our attendees; I hope you all got something out of it. You’ll be receiving details of the feedback web...
Not content with the south we’re heading h’up north to Manchester, Cheadle to be exact (so your hubcaps may be safe). The group is being run by local developers Steve Robbins and Andy Wilkinson. The group will have its first meeting on 20th May 2009 between 7.00pm and 9.00pm in Pennine House, Carrs Road, Cheadle SK8 2BL. The headline speaker is to be announced, but the subject will be as topical and exciting as the other NxtGenUG events that are held monthly around the country. There will be the usual NxtGenUG activities of eating pizza and throwing...