Email
Pages
Archives
Categories
- computer security (6)
- Logs (4)
- Physics (3)
- programming (20)
- Random (5)
- Uncategorized (4)
- ZX-6R (1)
Meta
Stacking PostBack Events
February 11th, 2011 - Be the First Comment!
The other day at work I was working through a problem with a coworker. The short of it is that he had something going on that I didn’t even know could happen. I made a small project to experiment with this and it attached for download if you want to try it out. It is in ASP.NET and C#. He was stacking postbacks (accidently, causing strange behavior). He had a checkbox with an OnCheckChanged event specified, but it also had AutoPostBack=”false” on it.
Check the checkbox first, then click the Submit button.
/* Front End Code
* One check box has a normal postback the other creates
* a stacked PostBack.
*/
<div>
<asp:CheckBox ID="cb1" Text="CheckBox 1 (AutoPostBack=false)" OnCheckedChanged="cb1_CheckChanged" AutoPostBack="false" runat="server" />
<asp:CheckBox ID="cb2" Text="CheckBox 2" OnCheckedChanged="cb2_CheckChanged" AutoPostBack="true" runat="server" />
<br />
<br />
<asp:Label ID="lblTarget" runat="server" />
<br />
<br />
<asp:Button ID="Submit" Text="Submit" runat="server" OnClick="Submit_Click" />
<asp:Button ID="Reset" Text="Reset" OnClick="Reset_Click" runat="server" />
</div>
/* Back End Code
* The back end code just adds the name of the ID of the button lblTarget
*/
protected void cb1_CheckChanged(object sender, EventArgs e)
{
if (lblTarget.Text.Equals(lblTargetText))
{
lblTarget.Text = " cb1 ";
}
else
{
lblTarget.Text += " cb1 ";
}
}
Effectively he was doing something that requires a PostBack then saying not to PostBack. This leads to a stacking effect (which was unknown to us until recently). On the next PostBack the method for the OnCheckedChanged event was fired then the actual item that caused the PostBack’s method is executed. I never realized you could queue up PostBack events. Hopefully this will help someone else out.
[ Tags ]: asp.net, c#, oncheckchanged, PostBack, Programming, Stacking Events, Strange Behavior
[ Category ]: programming
Passwords: Beating the Dead Horse
December 14th, 2010 - Be the First Comment!
Edit: Any comments expanding on password security would be great.
It seems that everyone who is security oriented in computing knows that everyone who isn’t security oriented in computing doesn’t manage passwords properly. It is even the case that some people who do know a lot about security manage their passwords poorly as well. In my eyes the main reasons for poor passwords is 3 fold.
- Poor enforcement
- Lack of education
- Loss of Convenience
Poor enforcement and loss of convenience I believe are the developers fault and I will discuss them later. Lack of education is not entirely the developers fault in my opinion. There is no reason this issue still plagues the internet. We have classes in school about learning basic computer skills and yet we don’t cover password security. To me it is as important or more important then learning things like Excel and Word. A mere day of password security in school could go a long way.
Rolling your own
First and foremost I blame developers for the state of password based security. Developer’s are the front line when it comes to security. If we don’t contemplate security, it is likely the rest of the organization won’t either. Gawker’s recent password debacle is a prime example of what not to do. It is amazing to me that a network that has technically oriented sites like LifeHacker can use such horrible password procedures (DES with 8 char max). Here are the results and some evidence of encryption failures.
If you are going to roll your own password security at least look into a little bit before you develop a million plus user database. Three of the basics everyone should know are:
- Use hashes, not encryption to store your passwords. Also you’ll probably want to use SHA2-512 or SHA3 once it is available. MD5 and SHA1 are both vulnerable to collision based attacks already and it will only get worse as time progresses. In PHP it is as simple as
hash('sha512', $pswd) - Salt the passwords before hashing. Salting is adding a “secret” phrase to the password.
$pswd = "secret".$pswd."phrase";
- Password Complexity Requirements. Passwords like “password” or “password1″ should never be used. You should enforce some type of password complexity requirement on your site that prevents them from being used. Including symbols, numbers, as well as upper and lower case letters with a minimum length of 12 is what I would consider secure.
To create a very basic authentication system using these concepts you would have a user input their password, then append your salt (secret phrase) to it, and last hash the password. This hashed result is stored (if they’re signing up) or compared (if they’re logging in) to the user information stored in the database. There are many other things to consider when developing an authentication system, but those are basics ANYONE should know (except Gawker apparently).
OAuth, the Single Sign On (SSO) of the internet
All of that being said, I support using OAuth. They may have their weaknesses, but I believe it is the most effective way to create a secure internet infrastructure. One reason I believe so is that it eliminates the convenience problem discussed below. By making it more convenient for users you may be able to encourage them to use more secure passwords. Since you are basically using a SSO for the entire internet, you can create more complex password policies on the SSO and add very little inconvenience which then translate into better security for all the websites involved. It also centralizes the focus of security on the large OAuth suppliers like Google. Eventually we may be able to complete solve the password problem, but until then I think OAuth are a step in the right direction.
Convenience is the enemy of most security. This is really unfortunate because it encourages people to be less secure to regain convenience. Passwords are something everyone has and most people hate. Even I hate when my domain credentials at work need to be changed. Coming up with a decently secure password that you can remember is a pain. OAuth allow you to only have one painful password instead of many.
Note: OpenID is another similar concept to OAuth that could also work.
Reality
OAuth aren’t widely used yet.
The solution I use involves creating individual passwords for most sites, and a common password for sites I don’t care about. I then store these passwords for recovery purposes in an encrypted database that I can retrieve. Although it might sound complicated to some, it isn’t. It is however inconvenient. You can use programs like KeePass to help you manage and encrypt your passwords if this interests you, but for most it won’t because it is still inconvenient.
Hopefully someone will be touched by this post and understand a little more about password security and the basic concepts surrounding it.
[ Tags ]: 512, Gawker, keepass, LifeHacker, md5, oauth, openid, password, passwords, security, sha1, sha2
[ Category ]: computer security, programming
ASP.NET Masterpage, JavaScript, and ResolveUrl
October 6th, 2010 - Be the First Comment!
Today was an interesting day for many reasons. The one I’m going to share with you has to do with javascript and the ResolveUrl method in ASP.NET Masterpage. I recently added jQuery to our web project at work. We have a strange setup and using /Script/jQuery.js in the script tags src attribute won’t work. For that reason I decided to use ResolveUrl() which gets the URL of a file you pass it (i.e. ResolveUrl(“~/Script/jQuery.js”) ). This worked great until I was going through the application working on something else and randomly received this error message:
System.Web.HttpException:The Controls collection cannot be modifiedbecause the control contains code blocks (i.e. <% … %>).
It only happened on a couple of pages and the others would load fine which added to the confusion. Honestly, this error made little to no sense when I first saw it, so I did what any resourceful individual would. I googled it. Luckily the first result was the answer to my issue! The fix is to use data binding (<%#) instead of writing it out (<%=). It is strange, but it resolves the problem. This is the wonderful explanation and solution: http://leedumond.com/blog/the-controls-collection-cannot-be-modified-because-the-control-contains-code-blocks/.
[ Tags ]: asp.net, c#, data binding, javascript, jQuery, master page, masterpage, ResolveUrl, script
[ Category ]: programming
Life
July 20th, 2010 - Be the First Comment!
I have experienced a lot of changes lately. I moved from the Midwest to the the West Coast. I got a programming in ASP.NET and C#. I even accomplished one of my long term goals, buying a motorcycle. All of this excitement has been keeping me very busy. I am still looking for a place to rent where I am living which takes up my time. I have also been very busy at work. If anyone actually reads this, I hope you’re doing well.
[ Category ]: Uncategorized
Excitement.
June 30th, 2010 - Be the First Comment!
Well, I have wrote very much on my blog for a pretty long time. I graduated finally and got a job as a DoD contractor in California. I develop in C# and ASP.NET. It is great! I’m excited about my new life. I also bought myself a motorcycle! A 2006 Kawasaki ZX-6R. It is awesome. Unfortunately, it didn’t include the owner’s manual so I found it on the Kawasaki site. It was in a bunch of different piece so I combined it. 2006 ZX-6R Owner’s Manual
[ Tags ]: 2006, kawasaki, manual, motorcycle, owner's manual, ZX-6R
[ Category ]: ZX-6R
I’m student employee of the month
March 30th, 2010 - Be the First Comment!
Woo woo!
Thank you to the Office of Web and New Media and University Relations at Missouri State University.
[ Category ]: Uncategorized
Tiny MCE Comments – Problems on iPhone
March 30th, 2010 - 4 Comments
Today at work we realized that Tiny MCE doesn’t work properly on the iPhone. At least MCEComments for WordPress doesn’t This prevented users from commenting from a mobile device on the MSU blogs. I fixed this pretty simply by doing browser detection in PHP before loading the files for MCEComments. I modified the loaders for the plugin. Only two modifications of the tinyMCEComments.php was neccesary.
// Line 311
function mcecomment_init() {
global $post;
if (strpos(strtolower($_SERVER['HTTP_USER_AGENT']), "iphone") === false) {
$loadJS = false;
if (is_plugin_page()) {
$loadJS = true;
} else if (is_singular()) {
if (comments_open() && ( !get_option('comment_registration') || is_user_logged_in() )) {
$loadJS = true;
}
}
if ($loadJS)
mcecomment_getInitJS();
}
}
// Line 350
function mcecomment_loadCoreJS() {
global $post, $mce_locale;
if (is_singular() && (strpos(strtolower($_SERVER['HTTP_USER_AGENT']), "iphone") === false))
{
if (comments_open() && ( !get_option('comment_registration') || is_user_logged_in() )) {
wp_enqueue_script('tiny_mce', get_option('siteurl') .
'/wp-includes/js/tinymce/tiny_mce.js', false, '20081129');
wp_enqueue_script('tiny_mce_lang', get_option('siteurl') .
'/wp-includes/js/tinymce/langs/wp-langs-' . $mce_locale . '.js',
false, '20081129');
wp_deregister_script('comment-reply');
wp_enqueue_script( 'comment-reply', get_option('siteurl') .
'/wp-content/plugins/' . plugin_basename ( dirname ( __FILE__ ) ) .
"/comment-reply.dev.js", false, '20090102');
}
}
}
[ Tags ]: javascript, MCEComments, tincymcecomments, tiny MCE, wordpress
[ Category ]: programming
Friday Update
March 26th, 2010 - Be the First Comment!
I am still working with integrating MediaWiki with our SSO. I’m trying to use a CAS plugin for MediaWiki that already exists, but we have a slightly modified configuration. I also did some site maintenance on the public affairs website. I added a section for them to embed videos into the speaker biographies and fixed some admin back end reports that weren’t working correctly. The SQL statement wasn’t properly joining the ids of hosts to their names located in another table.
[ Category ]: Logs
Weekly
March 31st, 2010 - Be the First Comment!
I’m still excited about being the employee of the month, but heres what happened in the rest of my week:
This week I continued my work on integrating MSU SSO with the MediaWiki login. It now is able to effectively use the CAS server to authenticate users. I made a properly functioning logout for our requirements too. I also made it so after the login is completed LDAP/AD is queried for information about the user to setup their MediaWiki account. I the login process to update the users information from LDAP/AD on each login though. I also fixed a problem with MCEComments. It loaded for iPhone which for some reason doesn’t work with Tiny MCE preventing users from leaving comments on their iPhone. I talked about how I fixed it in a post on my blog already. This was only a three day week so I feel I made a lot of progress.
[ Tags ]: Active Directory, LDAP, MCEComments, MediaWiki, TinyMCE
[ Category ]: Logs, programming