Jul 23

exchange for the rest of us? i don’t think so. i signed up to try this out a couple of days ago and it’s disappointing. starting with email – this is simply an IMAP email account, yourname@me.com. So it doesn’t work with existing accounts, and certainly doesn’t synchronise anything, since the imap protocol manages messages on the server. the syncing software itself is actually provided as part of iTunes (why? this ought to be an explicit install, surely?) and syncs calendar, contacts and bookmarks. Contact synchronisation suffers from the problem that on a target pc in outlook, though the contacts are in outlook, adding them as recipients in email messages results in an error and the message won’t send. i’ve had to open the contact cards, and copy and paste the email addresses over one by one to get this to work. calendar synchronisation suffers from this hugely irritating and frequent message:

mobileme message

thing is, this happens even though i’ve not updated any calendar entries, yet every 15 minutes or so this pops up. which leads me to suspect that synchronisation is neither automatic nor driven by changes – instead it must be on a timed interval basis. in addition, if you have another pc booted up, then you’ll also get this message too:

mobileme message

rubbish. especially for a £60 per year subscription. instead this looks much more promising…

Jul 18

after many months without a desktop pc (limited exclusively to my marvellous, but just too small for development, Tz laptop), i finally got round to purchasing this new toy. Having had a sony all-in-one previously, I knew this was just the sort of thing i was after – a large screen, multi-media device that i can also use as a tv. And there simply isn’t anything nicer looking than the lovely, lovely new 24″ iMacs.


A 3.06GHz Core 2 Duo, 4GB RAM, 500GB HDD, although slightly more expensive than the equivalent competition from Dell and Sony, is better specified. Whilst the Sony comes ready equipped with twin tv tuners and acts as a PVR, this has its own annoyances as it means a) getting an aerial from tv/digibox to the pc (which isn’t in the same room) and b) having recordings in multiple places. not major problems, i admit. A reasonable alternative, it seems to me, is to use a slingbox from digibox/PVR, which negates the need for on-board tuners. Still, why the iMac doesn’t come with such is clearly remiss of apple given the excellent screen and graphics. in fact that, flash storage input and limited integrated connectivity (usb, firewire & mini-dvi out are essentially it) seem to be the only downsides so far. but then lack of basic connectivity is why i chose sony over the macbook air. time will tell.

now I exclusively run Vista on this, and it was truly easy to set up: boot camp is brilliant, with all the vista drivers included on the leopard disks. And it’s not slow…

vista performance

the only problems I’ve had to date are getting used to the iMac keyboard layout; some shortcut keys don’t seem to work within Office, but if i just can’t get used to it, I can always replace it. For the hardcore mac user, i may have said several blasphemies in this post; but the iMac really is an excellent Vista PC…

Jul 13

Admittedly 5 hours behind the curve on this one, but I just randomly stumbled on this on google trends. looks like someone’s got a new googlehack on the go - in the form of the clever upside down ǝlƃooƃ noʎ ʞɔnɟ. what is interesting is that this term doesn’t seem to have existed prior to today, so to get it into the top search spot in just a few hours is significant. a deliberate mass google search? it would need an impressive bot-network to pull off the millions of hits required though (or a viral network of lots of people with time on their hands). perhaps a google trends vulnerability then? hmm. either way, having hit the top spot – i’d now expect blogs to punt the search frequency back up after this initial spike. which is perhaps the real hack…

today’s googlehack

Jul 12

Sandisk TrustedSignins

So, back in 2006 SanDisk, RSA and Verisign together released something called TrustedSignins for U3. Instead of a dedicated token, a multipurpose U3 usb stick would do the same job; indeed it could securely manage multiple tokens, and it’d also be a usefully encrypted usb drive. ubiquitously and cheaply available at retail outlets everywhere, the advantages seem obvious. so when Verisign offered a free two-factor VIP for their OpenId PIP, I popped into town and bought a cruzer, since any SanDisk U3 drive will do the trick, it seems:

Verisign supports SanDisk U3

Activation is simple, just plug in the cruzer, open the U3 LaunchPad and click on TrustedSignins:

Activate Verisign VIP on U3

Except the U3 LaunchPad doesn’t have a TrustedSignins option. I check the cruzer has the latest software installed, and spend a good couple of hours searching and finally emailing verisign, sandisk and u3 support. Now, the SanDisk doco says, “A benefit of TrustedSignins over dedicated tokens is that your company does not need to bear the expense of stocking and supplying them to your customers. After an employee or customer buys a standard SanDisk device at any of the 185,000 retail locations, it is registered with their account at your company. As an incentive, your company can even offer a rebate.”

But when I bought the cruzer, I just picked one off the shelf; I was neither asked to register nor offered a rebate. And it doesn’t work. So what is going on here? Turns out there are two types of SanDisk U3 – retail and OEM – and only the OEM version can be programmed with the TrustedSignins utility. also, the OEM version is not available from retail outlets. This is certainly not what either Verisign or SanDisk are claiming though, is it? Why has SanDisk not made TrustedSignins available on all its U3 devices? Why does Verisign not make it clear that only a very select few SanDisk U3 drives are actually compatible with their VIP? Am I really the only person in the last 2 years to try and activate a Verisign VIP on a SanDisk U3?

Jul 09

that time of year, then, for the little known european data protection awards, otherwise known by the snappy ‘Prize to Data Protection Best Practices in European Public Services (fifth edition)’. Scorchio! Last year the ICO supported the nomination of my current project, which was pretty well received. it’s awarded by Madrid’s regional data protection agency – not a European level body by any means, yet the awards have become the de-facto European honour in terms of data protection. partly, i suspect, as it has avoided becoming a nepotistic, bureaucratic back-slapping exercise.

Jul 08

one thing about brinkster that cannot be criticised is their support. over the last 7 years i’ve had nothing but responsive – 24/7 – service, usually within minutes by email and now instantly via their live support. not only is it quick, it’s also technically knowledgeable – even at the first line. when there are issues, they get escalated very quickly to technical specialists who, in my experience, sort things out there and then. having wasted a good hour searching for how to make wordpress permalinks pretty on brinkster’s IIS, i asked them the question. you can’t…

Hello, For security reasons on iis we do not install a url re-write engine.

Thank you

Really? Ah, that’d be why then.

Jul 08

after several years of meaning to, i finally sat the OMG Certified UML Professional Fundamental (OM0-100) exam. Although the UML is now a large and gratuitously complex language, there is actually a dearth of material available for this exam, so i thought i’d jot down what i found useful.

A trusty copy of Fowler’s UML Distilled is always a good place to start with UML. However, for this exam, which tests fundamental knowledge of the UML language, rather than how to model OO concepts, it is not particularly useful I’m afraid. Instead, you’ll need:

The UML Reference Manual - a dictionary. This is to UML what the Oxford is to the English language. Hugely useful to disambiguate - and even occasionally clarify – the particular meaning of UML words and concepts. A reasonable number of questions in the exam test vocabulary (often by way of “which of the following statements is true of x”, where x might be a term such as ‘constraint’ or ‘namespace’, for example).

The UML User Guide - a grammar. Whereas Fowler brilliantly provides the 20% you need to know to model 80% of everything you’ll ever need to model, the User Guide presents the other 80%. ahem. that is, the official, more complete and more syntax-focused coverage of the usage of the UML you’ll need to pass the exam. Hugely useful in describing, illustrating and coordinating the concepts presented in the Reference Manual. These books are certainly not cheap; however, i justified the cost to myself in that these are the two primary reference sources needed for all three levels of the exam. Google will, of course, provide you with pdfs of these, e.g. here and here; though i personally don’t find such usable as reference materials.

Finally, the entirely essential UML 2 Certification Guide, without which a pass is unlikely. Even though i have 10 or so years practical UML modelling experience, I wouldn’t have passed without this, and that’s because the exam simply doesn’t test modelling ability or knowledge of vernacular UML. It’s testing understanding of the grammar, syntax and core concepts of the language – the UML metamodel - as described by the UML Specification itself, not its everyday use. So, unless you want to wade through the version of the specification used in the exam, using only the awful coverage maps as your guide to what to focus on, you need this. It’s translated from the German, or certainly written by a German at least, as every once in a while the English used makes it unclear as to what is meant (that’s where the Reference Manual and User Guide are lifesavers). Over at SlideShare you’ll find a series of presentations that appear to be a summary of the certification guide pretty much verbatim:


As for the exam? Well, there is plenty of time; I was done in just under an hour and managed 78/80, though i admit to being hugely, hugely overprepared. apologies to everyone during the week prior to the exam, and especially my partner for waking her, and child, up at 5am during last minute cramming. Now for the Intermediate…

Jul 07

well now, first post in almost 5 years – and no, I’m not between contracts! I’ve just finished migrating both the company site and my blog over to use Expression and WordPress respectively. Previously, I’d hand-crafted both myself, which partly explains why I’d only ever update/blog on those rare occasions I had the time. in a previous post i complained about lack of standards compliance in tools, and that was the primary reason why (in 2001) I chose to do it myself. Luckily things have moved on since then, and I’m impressed by Expression, which is a perfectly nice little tool that permits full control over the output. indeed it sells itself on its standards support and, as it’s available via msdn subscription, i thought I’d give it a try. Remarkably, it generates output identical to that previously, but provides simplified management via templates and master pages. i use a single .dht (dynamic html template) in which one defines static content (which applies to all pages associated with the template) and then those areas where each instance page can override template content. it works with .aspx also, meaning dynamic and static content can share the same html basis, without recourse to using master pages just for textual layout. clearly designed for non-programmers - it’s a doddle to use.

As for WordPress, my choice was admittedly made for me by my hosting provider, who support it, but it seems perfectly adequate after a day’s use. It imported the rss output from my old handcrafted blog without any problem, and I’m sure I could style the output to closely match the look and feel of my old blog and current company site. if I had the time and inclination. but hopefully i’ll have time to blog, rather than write xhtml and css, in future…

Aug 30

Writing Secure Code, Second Edition

Some years ago i worked for a software house with over 30 developers, of which only one other had read the first edition of this book. I don’t think that was uncommon. Few developers cared about application security in general terms, their encounters with security being an inconvenience that either ‘broke’ code or (often post-exploit) resulted in ‘extra work’ bug-fixing. I use the past tense, but i’ve really no evidence to suggest that things have changed all that much. Hopefully the wider distribution and publicity granted this second edition will help change that.

The book is organised into four major sections.

The first provides background material that outlines the need to secure systems and techniques for designing secure systems. It is carefully written, appropriately illustrated and has only two very small code examples (one of which is pseudo-code, the other a couple of lines of asp), making it good for photocopying and distribution to project managers…

The second and third sections provide the bulk of the book – secure coding techniques. As you’d expect, buffer overruns, acls, least privilege, crypto, canonicalisation mistakes, sql injection, cross site scripting and dos attacks, to name a few, are all covered, and there are chapters on internationalisation, sockets, rpc, and one – surprisingly small – on .net. I say surprisingly because a good part of the marketing for this book was that it was updated to cover .net, which it has – but not to the extent you’d think. If you’re looking for an in-depth analysis of .net security, this work doesn’t have it. But it doesn’t need it – if there is one single message in the second and third sections it is that there is no replacement for responsible, informed programming regardless of the syntax or technology used. The chapter entitled ‘All Input Is Evil’ makes that point well; it – like the others – applies whether you use .net or not.

The final section covers ‘everything else’ – testing, code reviews, installation, error messages, a good – but brief – chapter on privacy and data security, and an excellent chapter on general good practices.

Part of what made the first edition a classic, to my mind, is that it addressed the security fundamentals *every* programmer on a microsoft platform should be aware of. After reading it i was in no doubt of the importance of application security, the core principles, threats and coding countermeasures, and i went on to apply those in subsequent projects. This edition builds on, updates and expands the first and is, simply, required reading. unlike many sequels, it does not disappoint.

Aug 12

thanks to google and recent newsgroup posts, the hits on this site have gone through the roof over the past week, using more bandwidth in a day than was previously used in a month. so to conserve that expensive resource i’ve consolidated the site a bit and zipped up all stray documents. in an uncharacteristic act of madness, I also removed the old files, which will mean some broken external links (doh!).