Wednesday, 25 April 2012

“Type www.” – “Ok, w-w-w-d-o-t”; antagonising call centre scammers

This ain’t my first rodeo, this ain’t the first I’ve seen this dog and pony show. I first wrote about virus call centre scammers back in October along with my recording titled Anatomy of a virus call centre scam. I followed up a couple of months ago with Scamming the scammers – catching the virus call-centre scammers red-handed which screen recorded the entire process right up to where they attempted to commoditise the scam, or in other words, get cash out of me.

Imagine my pleasure when they called me back last night! I use the term “they” very colloquially; it’s always the same scam run against the same run-sheet but there seem to be a number of companies behind this special brand of evil. This time it was a group called “E-Protection” and it doesn’t take long to establish that these guys have a bit of a record.

This time I decided to see how effectively they could support the Windows 8 Consumer Preview virtual machine I had running. The sheer incompetence of particularly the first operator I spoke to is quite astounding, not just technically but the fact that very little of what I was saying was actually absorbed. By the time I got to the second guy at about the 29 minute mark I thought it might be time to inflict some of the pain they’ve been dishing out to their victims back onto them. Enjoy :)

Tuesday, 24 April 2012

Technology and Friends: Troy Hunt on ASP.NET Security

It already seems like a lifetime ago, but it was only last month that I was over in Seattle at the 2012 MVP Summit. While I was there, I had a short chat on video with Dave Giard for his Technology and Friends blog. We predominantly spoke about ASP.NET security and in particular, cryptographic storage of credentials and transport layer security so it’s a little more focussed than many of my talks.

The original post is over on Dave’s blog under Episode 207: Troy Hunt on ASP.NET Security and on the video on Viddler. Big thumbs up for Dave’s choice of soundtrack, I think I’m going to have to use that myself in future presentations!

Friday, 20 April 2012

10 graphic examples of the abomination that is iTunes on Windows

This is a rant; an unapologetic, no holds barred rant on why something that I hold in such high esteem – my iOS devices – could have come from the evildoers who created this spawn of Satan: iTunes. I love my Apple TV, my iPad, my iPhone, my wife loves her iPhone, heck, even our two year old loves his hand-me-down iPhone. They all rock – big time. They’re the best damn devices I’ve ever owned, without exception.

But the otherwise joyous experience of ownership is continually crippled by the searing pain that is iTunes. Not every other day, not once or twice a day but many times every single bloody day. It’s a rare occasion I tweet about “bloody iTunes” and don’t receive a chorus of support from other disenchanted, otherwise happy Apple customers. It’s not just me folks, oh no.

Rather than suffer in silence or be comforted by the occasional mere “me too” tweet, a few months back I started capturing the litany of problems that iTunes threw my way, dropping a collection of the more painful examples into the blog post below. Oh – and just before the comments about “it works fine on my machine because I have a bejillion MB of RAM and a flux capacitor CPU”, all my experiences to follow are across many machines with lots of GBs of RAM and cores in CPUs and no moving parts in disks. It ain’t me folks!

Thursday, 19 April 2012

10 illustrated examples of Visual Studio 11

Fresh from the 2012 MVP summit with lots of enthusiasm and grand ideas, I thought it would be worthwhile repeating my 25 illustrated examples of Visual Studio 2010 and .NET 4 post with the technologies of today (or should that be tomorrow?), albeit a few weeks later than I had planned. There are some very, very exciting new things in the pipeline which I’d like to share while they’re fresh in my mind and, as with that post from two and a half years back, I’d like to actually show you what’s happening.

There’s so much great new stuff in Visual Studio 11 that it deserves its own post! If I can create the time, I’ll also try and get around to covering ASP.NET specifically. Keeping in mind I’m a very web-centric guy, let me show you some of the features which have gotten me a bit excited about what’s coming in the very near future.

Monday, 16 April 2012

5 interesting security trends from Verizon’s 2012 data breach report

A few weeks back there was a great document released by Verizon (yep, the big American telco) titled Verizon 2012 Data Breach Investigations Report. This weekend at the OWASP AppSec Asia Pacific conference, I sat in on a talk from Mark Goudie from Verizon who helped put the whole report in perspective. Now this is a really interesting report because rather than talking about vulnerabilities (i.e. potential risks), they’re actually looking at exploits; this is hard facts, people!

This report is based on 855 incidents in 2011 (don’t be confused by the year in the title!) and because Verizon does this each year, there’s lots of data on how trends are changing. It’s also 80 pages of hard facts which can be rather a lot to digest. But there are some really interesting nuggets in there for those who take a bit of an interest in security. Let me cherry-pick a few of the good ones.

Thursday, 5 April 2012

A graphic demonstration of information leakage through security misconfiguration

A couple of days back I wrote about how 67% of ASP.NET websites have serious configuration related security vulnerabilities. In the post, I drew on figures collected by ASafaWeb and observed that small misconfigurations in config files could very easily disclose information that could be leveraged to exploit the application.

Quite a bit of discussion ensued through the comments, via Twitter and on Reddit. I found it slightly amusing that some camps felt these weren’t vulnerabilities at all as they couldn’t directly be exploited. Frankly, that’s a semantic argument; there’s a significant risk in what’s classified as “security misconfiguration”, this is why OWASP includes it in the Top 10.

Today I inadvertently stumbled across a perfect illustration of security misconfiguration which, whilst not related to ASP.NET, was just what I needed to provide some perspective. This example comes courtesy of kogan.com, who just a few hours ago had a homepage which looked like this:

Wednesday, 4 April 2012

Browser URL encoding and website request validation black magic

Let me pose a question: What’s the difference between these two URLs:

  1. http://[mydomain]/?foo=<script>
  2. http://[mydomain]/?foo=<script>

Nothing, right? Let’s plug that into two different browsers and see what they think:

[Screenshot: Internet Explorer causing a server error]

Tuesday, 3 April 2012

67% of ASP.NET websites have serious configuration related security vulnerabilities

Actually, it’s even worse than that – it’s really 67.37% – but let’s not split hairs over that right now. The point is that it’s an alarmingly high number for what amounts to very simple configuration vulnerabilities. The numbers come courtesy of ASafaWeb, the Automated Security Analyser for ASP.NET Websites which is a free online scanner at asafaweb.com.

When I built ASafaWeb, I designed it from the ground up to anonymously log scan results. The anonymity means I don’t know which sites are being scanned or who is doing the scanning, but I do know the result of each scan which allows me to aggregate these into some meaningful data.

Let me walk you through these results and offer a bit of insight as to where things are going wrong when ASP.NET web sites are published. Hopefully this will be a bit of a “call to action” which helps developers understand where they might need to do a bit of tweaking in their apps.
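Both this post and the information-leakage one above turn on small settings in web.config that are harmless on a developer's machine and disclose internals in production. The fragment below is an added example, not from either post and not ASafaWeb's own scan logic; it assumes that debug compilation, custom errors switched off and remote tracing are the kind of misconfiguration being counted, and shows the weak settings beside a production-safe equivalent. The `~/Error` redirect path and the `elmah.axd` lock-down are illustrative assumptions.

```xml
<!-- Added example, not from the original post or ASafaWeb. -->

<!-- BEFORE (assumed typical development settings left in production):
     debug="true" slows the app and changes error behaviour, mode="Off"
     returns full stack traces to anyone, and trace with localOnly="false"
     exposes trace.axd to the internet. -->
<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
  </system.web>
</configuration>

<!-- AFTER: what the same section should carry when published. -->
<configuration>
  <system.web>
    <compilation debug="false" />
    <!-- Generic error page; the detail stays in the server log. -->
    <customErrors mode="On" defaultRedirect="~/Error" />
    <trace enabled="false" />
    <!-- Optional: stop advertising the ASP.NET version in response headers. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <!-- Illustrative: if an error-logging handler such as ELMAH is mounted,
       deny it to anonymous users so the log itself does not become a leak. -->
  <location path="elmah.axd">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The two blocks are separate fragments for side-by-side comparison; a real web.config has a single root element. The common thread is that each "before" setting turns an ordinary error or diagnostic page into a disclosure of paths, stack traces and framework versions that a reconnaissance step would otherwise have to guess at.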

Monday, 2 April 2012

MVP again (but not so accidental this time)

Around this time last year I was talking about becoming an accidental MVP. Not this year; instead of it sneaking up on me, I – like many I know – was counting down the days. My now annual April Fool’s Day email made its way through last night:

Congratulations! We are pleased to present you with the 2012 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Developer Security technical communities during the past year.

The odds of renewal were probably tipped in my favour this year after a bumper blog season, the free eBook on the OWASP Top 10 for .NET devs and a good bit of speaking here and there. The MVP of the Year award last month certainly had me optimistic about renewal, but it’s always nice to get the email.

So more of the same (but different) for the coming year. There’s writing and speaking material plus a heap of stuff on ASafaWeb absolutely overflowing from my headspace lately so expect to continue seeing lots of material on this here blog. And of course, I get to keep the shiny logo:

[Image: MVP - Microsoft Most Valued Professional logo]

Finally, the award is only possible due to the engagement and support of the community so let me steal a piece I’ve written before and again thank everyone who downloaded, RT’d, +1’d, liked, emailed and otherwise said nice things about my work!
