Friday, March 28, 2008

It's Friday and Darth Loves You

PWN To OWN

Article here.

Charlie Miller sounds like quite an accomplished hacker, and not a big Apple fan.  I really, really enjoy my Mac (I have several posts about it coming soon), but I also appreciate having articles like this handy when confronted by an “M$”-hater or a Mac bigot.

Thursday, March 27, 2008

Google Calendar Sync

Great Googley moogley!  Can’t wait to go home and use this.  My real goal is to sync up my phone to my Google calendar, and then it is just so I can see events on the Today screen.  I’m kind of going around the block to get next door, aren’t I? I’m sure this will all get worked out just fine with Android.

Guice

Per Ben’s recommendation, I have been listening to the Google Developer Podcasts. They have a Google group here and you can easily subscribe in iTunes. The first one covers Guice, which is a Java Dependency Injection framework. The user guide is a good, quick read on the concept of dependency injection.

Tuesday, March 25, 2008

Building a Partially Trusted Web Application

I have created a new guide to demonstrate the process of configuring the Code Access Security policy for an ASP.NET web application using built-in ASP.NET policies. This guide has been a while in the works, and it is one of the primary inspirations for this blog. I put together a rather lengthy proof of concept for this and decided that it was entirely too much work to allow it to disappear without being documented somewhere. The information is inspired by Stefan Schackow's excellent book, Professional ASP.NET 2.0 Security, Membership, and Role Management. I highly recommend his book. My guide is, at best, a cheap cliff-note of one section of his book.
By default, Visual Studio (all versions through 2008) creates web applications that run as "Fully Trusted" .NET applications. A Fully Trusted application is one that bypasses all Code Access Security checks. This can be a security risk for a number of reasons. Conversely, a "Partially Trusted" application is one that reduces the attack surface of the application by restricting the code the application is allowed to call. As an extreme example, you can reduce the risk of SQL injection attack to near 0% (I'm not brave enough to use the word always) by making it impossible to make any type of data access calls in the first place.
If you have ever toyed around with Code Access Security policy, you know that it can be a bit of a daunting and counterintuitive task to intelligently configure a secured application. There are surprisingly easy steps that can be taken to bring a pretty significant level of security to an ASP.NET web application. One of Stefan's highest recommendations is to, at the very least, move a web application from a fully trusted application to a "Highly Trusted" application. High Trust disables calls to the unmanaged Win32 API as well as calls to .NET components that are not decorated with the AllowPartiallyTrustedCallersAttribute. I will demonstrate going a step further and making the web application a "Medium Trust" application, which is more suited for internet-facing applications or applications in shared environments.

Get the guide here, and the sample code here.
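As an added example (not taken from the guide or its sample code), the first two fragments show an application web.config with the default Full trust setting beside the Medium trust setting the guide arrives at, and the third shows where that level has to be locked so an application cannot quietly set itself back to Full. The framework path and the originUrl host are assumptions.

```xml
<!-- Application-level web.config. BEFORE: Full trust, which is also what
     applies when no <trust> element is present at all. Every CAS demand
     succeeds, so the app can call unmanaged Win32 code, read any file the
     worker process account can, and so on. -->
<configuration>
  <system.web>
    <trust level="Full" originUrl="" />
  </system.web>
</configuration>

<!-- AFTER: the same file requesting the built-in Medium trust policy.
     Medium trust denies unmanaged code and file I/O outside the application
     directory; originUrl (a regular expression; the host is an assumption)
     is the only remote host the built-in WebPermission grant lets the
     application connect to. -->
<configuration>
  <system.web>
    <trust level="Medium" originUrl="http://services\.example\.com/.*" />
  </system.web>
</configuration>

<!-- Root web.config of the framework (assumed default location:
     %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config).
     The application setting above is only advisory unless the level is
     locked here: allowOverride="false" stops any web.config below it from
     raising the level back to Full. The <trustLevel> entries map each
     named level to its built-in policy file. -->
<location allowOverride="false">
  <system.web>
    <securityPolicy>
      <trustLevel name="Full"    policyFile="internal" />
      <trustLevel name="High"    policyFile="web_hightrust.config" />
      <trustLevel name="Medium"  policyFile="web_mediumtrust.config" />
      <trustLevel name="Low"     policyFile="web_lowtrust.config" />
      <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
    </securityPolicy>
    <trust level="Medium" originUrl="" />
  </system.web>
</location>
```

A quick check after deploying: browse to a page that calls unmanaged code or reads a file outside the application root and confirm it fails with a SecurityException rather than succeeding.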

Thursday, March 20, 2008

Stored Procedure Digger

Here's a handy little trick if you are digging out stored procedures from multiple databases and you aren't sure where they are (or don't want to dig for them). Paste this code into a SQL Server Management Studio (SSMS) or Query Analyzer window, change the value of @sprocName, change the output type to text ([CTRL] + T), execute it, then copy the output to another query window and execute that.


-- Name of the stored procedure you are looking for (dbo schema assumed).
DECLARE @sprocName sysname
SET @sprocName = N'sp_MyLostStoredProcedure'

/************************************************/

DECLARE @DbName sysname
DECLARE @command NVARCHAR(MAX)

-- Walk every online database; USE fails on one that is offline or restoring.
DECLARE DbEnum CURSOR FAST_FORWARD FOR
SELECT [name] FROM sys.databases WHERE state_desc = N'ONLINE'

OPEN DbEnum
FETCH NEXT FROM DbEnum INTO @DbName

WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME brackets the names so a database or procedure with spaces
    -- or other odd characters does not break the generated script.
    SET @command = N'USE ' + QUOTENAME(@DbName) + N'
GO
'
    SET @command = @command + N'IF EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N''' + QUOTENAME('dbo') + N'.' + QUOTENAME(@sprocName) + N''') AND type IN (N''P'', N''PC''))
BEGIN
'
    SET @command = @command + N'    PRINT ''' + @DbName + N'.dbo.' + @sprocName + N'''
'
    SET @command = @command + N'    EXEC sp_helptext N''' + QUOTENAME('dbo') + N'.' + QUOTENAME(@sprocName) + N'''
END
'
    -- The printed text is the script to paste into a second window and run.
    PRINT @command
    FETCH NEXT FROM DbEnum INTO @DbName
END

CLOSE DbEnum
DEALLOCATE DbEnum

Friday, March 14, 2008

Future of XML

Don Box has at least twice (here & here) referenced this article: The future of XML

The section headed "Oneiromancy" is particularly well written.

Another new keyboard shortcut

I just accidentally discovered that in Visual Studio [CTRL+D] copies a line of text and inserts it on the line below. In a text file (code, config, html, etc.), place the cursor on a line and hit [CTRL+D]. Not sure how this http://blogs.msdn.com/saraford/archive/2005/03/16/397076.aspx relates.

Tuesday, March 11, 2008

Layout and Firebug

Meaningful posts have been interrupted by layout designs for the site. I started off trying to get a train or train wreck theme. I didn't really like them, but then I had to rethink that. I decided that instead of portraying a train wreck, I wanted to portray the reporting of a train wreck. Hence, I put together a layout that is supposed to resemble an old newspaper clipping. I borrowed the tedium of CSS and crazy Blogger.com XSL~ish type stuff from a layout called "Kubrick". All the rest of the art I did myself. I made pretty good use of a cool Firefox add-in called Firebug. Check it out at http://www.getfirebug.com. It is really handy for quick style edits.

The layout seems to work well enough on Firefox 2.0 and Safari 3.0 for Mac as well as Firefox 2.0 and IE7 on PC.