Wednesday, 27 February 2013

Lousy ABC cryptography cracked in seconds as Aussie passwords are exposed

45 seconds. That’s how long it took to crack 53% of the ABC’s now very public password database. That’s more than half of the almost 50,000 passwords that were publicly exposed today. How the passwords (among other data) were exposed is yet to play out, but what we now know for sure is that the mechanism the ABC used to protect these credentials was woefully inadequate. Here’s how it was done:

Firstly, the dump comprises 10 parts all listed over on Pastebin. All in all there are just under 50,000 records with the following attributes:

  1. user_id
  2. user_age
  3. user_town
  4. user_nick
  5. user_regip
  6. addedtomap
  7. user_email
  8. user_gender
  9. isModerator
  10. user_password
  11. user_updateip
  12. hhscore_score
  13. user_postcode
  14. postcode_state
  15. user_lastLogin
  16. user_statusText
  17. user_info_public
  18. user_regDateTime
  19. hhscore_testDate
  20. user_latitude_min
  21. user_latitude_max
  22. user_longitude_min
  23. user_info_approved
  24. user_longitude_max
  25. user_statusFlagged
  26. user_updateDateTime
  27. user_statusDateTime

Friday, 22 February 2013

What’s inside a Microsoft Surface Pro and can it really replace the laptop?

It’s pretty much the hottest new “device” on the block today and yes, there’s a damn good chance that it could replace or at least significantly supplement a laptop. And a tablet. And possibly a desktop PC too.

Scrolling back just for a sec, a couple of months back I sent Red Gate Software some tips on optimising ASP.NET web apps which then made their way into their free eBook titled 50 Ways to Avoid, Find and Fix ASP.NET Performance Issues (go and download it, I’ll wait). Turns out this was actually a competition for the best tip, also turns out the prize was a Microsoft Surface and also turns out that the winner was me. Happy days, plus of course a big “thank you” to Red Gate.

Microsoft Surface Pro

Given I’m over at MVP Summit at the moment, it was easy to go and collect the prize from one of the Microsoft stores here in Seattle. Well actually, it wasn’t easy – they had no stock and according to the press, the Surface has, well, only just started to resurface, so to speak. Multiple calls and walks over the road to the store and I finally managed to grab a 128GB Pro model. I did a little “unboxing” and first impressions video which is here:

After playing with it for a day and getting all the usual stuff installed, I captured a Camtasia video which you’ll find here (apologies for the audio quality, there might be a bit of tuning required there):

If you’re genuinely interested, watch the videos. If you want the tl;dr version, here’s the key points:

  1. Very nicely built. Feels well made but not quite as well made as an iPad.
  2. You need to be looking at the Pro version if you want to significantly supplement a traditional laptop / desktop.
  3. You also want to be looking at 128GB – there was only about 89GB free on the disk when I opened it up.
  4. The type cover is a much better option than the touch cover (more tactile, feel like a keyboard).
  5. Pixel density is great, not quite Retina but well beyond the old 72 DPI paradigm.
  6. Many apps can’t take advantage of the pixel density and instead scale down the font or asset or render it at the correct size but with a lower DPI so it looks rough.
  7. I could run everything I usually do; Visual Studio, Camtasia, video encoding, etc. It all works well (everything in this post was done on the Surface).
  8. Works great with an external mouse (trackpad is a little small for me).
  9. Scrolling on the screen via touch is pretty nice particularly given the smaller controls can be fiddly.
  10. Whilst in Metro mode (yeah, I’m still calling it that), it makes a lot more sense than on a desktop machine.
  11. Flicking between Metro and desktop is still jarring; I’m still doing everything I can to avoid ending up in Metro when performing an action on the desktop (i.e. making VLC the default media player).

The final word: I’ll do a lot of stuff with the Surface Pro that I would have turned to a laptop to in the past but… I’ll still be using the iPad while kicking back on the couch.

Friday, 15 February 2013

Operating system SmackDown: Windows 8 blitzes XP on 7 year old hardware

A few weeks back I wrote about The impending crisis that is Windows XP and IE 8 and boy did I hear some opinions!

“Why should I be forced to upgrade?! I’m happy with my 11 year old OS dammit!”

“I’m sick of Microsoft always changing things!”

“Get off my lawn ya damn kids!”

But most interestingly:

“Why should I be forced to upgrade my hardware to run this new OS?!”

Really? I mean I know there’s this unwritten law that newer software requires more resources, but my experience with Windows 8 has always been that it’s way faster, certainly than Windows 7 was on the same hardware, and it’s my recollection that XP was never really as snappy as 8 is now on any hardware. So I dug up the oldest, crustiest hardware I could get my hands on and did some tests:

Tuesday, 12 February 2013

The ghost who codes: how anonymity is killing your programming career

He lurks quietly in the darkness emerging only to briefly churn out some markup during business hours. He has no face, no name, no records. His only weapon is his word. He is:

The Programmer - "The Ghost Who Codes"

This is not a work of fiction, these ghosts walk among us, blending seamlessly into their environment until one day they emerge, seeking a job somewhere else. And when they do, prospective employers look for them and… they can’t be found. Anywhere.

Yes, the “Ghost Who Codes” is real and you may even be one of them without realising what it’s doing to your career. But it’s not too late – you can still emerge from the shadowy darkness but it must be done promptly, it’s not something to delay.

Monday, 11 February 2013

Facebook fantasies: Press Like and type the number 1 and see what happens to the image!

I’ve seen a few of these going around now, usually with different photos with some sort of mystique:

Press Like and type the number 1 and see what happens to the image!

The implied promise is of something interesting happening once you’ve clicked the like button and typed the number 1. There was one with an attractive girl and a square superimposed over her shoulder doing the rounds a little while ago too. I’ve seen others where the instructions are more explicit in terms of words or phrases to type.

Here’s a good question: what usually happens when you like and comment on something in Facebook? The numbers go up (and you can see they’re already substantial) and it gets posted to your wall. Nothing magical about that and there’s definitely nothing exciting happening for the folks who fall into line behind the hundreds of thousands before them who’ve expectedly followed the instructions.

So what’s the upside for the original poster of the photo? Popularity via likes and comments. There’s a science behind all of this and certainly large volumes of likes, comments and shares is advantageous for perceived popularity. It’s not malicious insofar as it’s not going to serve you malware or charge your credit card, but it will implicitly announce to your followers that you’re gullible!

Oh, and that big freakin’ hole in the ground? It’s the one thing in that image which is actually legit.

Wednesday, 6 February 2013

5 minute wonders: Finding lazy loading nasties with ANTS Profiler

There will be those who disagree with me (hi DBAs!) but ORMs totally rock. Object Relational Mappers have been around for a while now and you may know them by names such as LINQ to SQL, NHibernate and Entity Framework (among others). The idea of ORMs is that all the plumbing between entities in the app and entities in the database can be abstracted away into a managed framework so that data access can become a no-mess, no-fuss affair.

As with many automated ways to build apps, ORMs have their pitfalls and one of the worst – and most common – is the dreaded “n+1” brought about by lazy loading. Here’s how an n+1 condition manifests itself:

  1. You query the database and get back a bunch of records in a table (this is one query)
  2. In your app code, you read through each record and refer to one or more attributes which need to be pulled from other tables
  3. Each record then causes the app to go off and make a heap of other queries in order to retrieve the attributes in the previous point (the n bit)

The lazy loading bit comes about as a result of that first query only returning the entity and not all the other attributes, so it has to go back for them in the third point (slacker). Think of it like this; let’s take this query:

SELECT * FROM dbo.Products

Now let’s imagine that every product has a category which is normalised out to another table and you want to display this to users, which means that for every record you end up doing this:

SELECT * FROM dbo.Categories WHERE CategoryID = 1
SELECT * FROM dbo.Categories WHERE CategoryID = 2
SELECT * FROM dbo.Categories WHERE CategoryID = 3

And so on and so forth. This happens easily because ORMs are so simple to implement and query without actually seeing what’s going on underneath on the SQL Server. I’ve seen cases where a single page with 20 records on it was making 2,000 – yes, two thousand – queries to the DB. The developer didn’t realise it because it still performed well against a small set of data on a local DB with a single user but change any of those conditions and things are going to get very nasty very quickly.

The problem is identifying an n+1 condition in the first place and there are a number of approaches to this. The other day I sent some performance tips over to Red Gate which were then included in their free (yes – free!) eBook titled 50 Ways to Avoid, Find and Fix ASP.NET Performance Issues. The tip I’m talking about here goes like this:

Always profile your ORM database hits with SQL Profiler during development. ORMs get away from you very quickly. Before you know it, you’ve run a query 2000 times in a loop, when you could have retrieved all your data with a single database hit.

SQL Profiler is one way of doing this but another tool that also does a great job of pointing out your database hits is ANTS Performance Profiler. In fact ANTS does a heap of other very useful stuff that gets right under the covers of your .NET app and profiles performance down to a very fine-grained level and it makes it dead simple (a classic Red Gate Software trait). So simple in fact that I thought it was worth adding to my 5 minute wonders series because it’s worth a video (a very quick video), to properly demonstrate how it works:
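As an added example (not code from the original post or from Red Gate), the following Python script reproduces the Products / Categories n+1 pattern described above against an in-memory SQLite database, records every statement the way SQL Profiler or ANTS would, and flags the repeated statement shape that gives an n+1 away; the single JOIN beside it is the fix. The table and column names follow the post's queries, the rows are constructed sample data, and the `dbo.` schema prefix is dropped because SQLite has no schemas.

```python
import re
import sqlite3

def setup_db():
    """In-memory stand-in for the post's dbo.Products / dbo.Categories (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Categories (CategoryID INTEGER PRIMARY KEY, Name TEXT);
        CREATE TABLE Products (ProductID INTEGER PRIMARY KEY, Name TEXT, CategoryID INTEGER);
        INSERT INTO Categories VALUES (1, 'Beverages'), (2, 'Condiments'), (3, 'Produce');
        INSERT INTO Products VALUES (1, 'Chai', 1), (2, 'Chang', 1), (3, 'Aniseed Syrup', 2),
                                    (4, 'Tofu', 3), (5, 'Cajun Seasoning', 2);
    """)
    return conn

def traced(conn, work):
    """Run work(conn) while recording every SQL statement SQLite actually executes,
    the same view of an ORM's database hits that SQL Profiler or ANTS gives you."""
    statements = []
    conn.set_trace_callback(statements.append)
    try:
        return work(conn), statements
    finally:
        conn.set_trace_callback(None)

def lazy_load(conn):
    """The n+1 pattern: one query for the products, then one per product for its category."""
    products = conn.execute("SELECT ProductID, Name, CategoryID FROM Products").fetchall()
    result = []
    for _pid, pname, cid in products:
        # What an ORM does behind a lazily-loaded Product.Category navigation property.
        (cname,) = conn.execute(
            "SELECT Name FROM Categories WHERE CategoryID = ?", (cid,)).fetchone()
        result.append((pname, cname))
    return result

def eager_load(conn):
    """The fix: one JOIN returns each product with its category in a single round trip."""
    return conn.execute(
        "SELECT p.Name, c.Name FROM Products p "
        "JOIN Categories c ON c.CategoryID = p.CategoryID ORDER BY p.ProductID").fetchall()

def repeated_shapes(statements, threshold=2):
    """Group a trace by statement shape (literals and bind values replaced by ?) and
    return the shapes executed more than `threshold` times: the fingerprint of an n+1."""
    counts = {}
    for sql in statements:
        shape = re.sub(r"'[^']*'|\b\d+\b", "?", " ".join(sql.split()))
        counts[shape] = counts.get(shape, 0) + 1
    return {shape: n for shape, n in counts.items() if n > threshold}
```

With the five constructed products, `traced(setup_db(), lazy_load)` records six statements (the Categories lookup five times) while `traced(setup_db(), eager_load)` records one and reports no repeated shape.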