ASP.NET Security Hole

Encrypted applications on Microsoft’s .NET framework are vulnerable without the patch.

From Microsoft's website:
“An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server.”

Wow!

I can’t believe Microsoft was so slow to produce a patch.

Patch here:
http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx

Also, discussion about the vulnerability here:
http://www.schneier.com/blog/archives/2010/09/new_attack_agai_1.html

Bad Microsoft!!
Andy

The "Drobo FS" is Garbage

The Drobo FS is garbage.

Note: I updated the “Drobo FS” and the Drobo software to the latest version first.

Here’s why it’s junk.

1). The device DOES NOT allow you to update the WORKGROUP name or the DEVICE name. If you want to set up //DROBOGROUP/ANDYSDROBO you CANNOT do this. Despite the options being there in the software utility, your changes are not saved to the device after restarting it.

2). Proprietary and unfriendly software – To maintain file share names and settings the software requires Microsoft’s .NET service. You must also install the software on a PC in the same subnet (i.e. not remote administration). Good luck with a Linux Network!!!

3). The email notifications setup DOES NOT work!!!

4). Misleading – The simplicity of the device would suggest the software to manage it would also be simple (i.e. https administration). Nope, you have to install the software on a local PC.

Finally, why did they call it the “FS”? I suppose for “File Sharing”, but that’s pretty obvious because it’s a NAS device with an Ethernet cable. Who was Marketing this thing?

Saturday Morning Run – May 8, 2010

Went on a grueling run this morning with the Tamalpa folks.

What a great way to start a Saturday!

I should back up a little. The run started harmless enough until I decided to run to Stinson Beach after running about 7 miles down through Muir Woods. This post is mainly to share photos. There’s more info about the run at http://www.saturdaymorningrun.com/.

Here’s the elevation and distance profile. According to my Garmin 305 I had 8,525 of total vertical ascent. Ouch… Although, I think it was more like 6,500.

Here’s the route I took. Stinson Beach is on the left, Mill Valley is on the right. The highest peak is Mt. Tam’s East Peak.

Tamalpa Folk:

One of many bridges:

Creek near Muir Woods:

Coastal Fire Road sign near the top of Cardiac, also by the Ranger Station:

Tamalpa Folk Running down to Muir Woods visitor center:

North West View to Pt. Reyes from the top of Cardiac:

South View near Cardiac:

Sign before heading back up from Stinson:

Totals:

Lucas Valley Mountain Climb April 24, 2010

What an incredible place I live.

Ran to the top of the “Big Cat” today. Just an awesome incline run, the start of the steep hill is at about 300 ft. elevation and the top is about 1,200 feet. It’s not quite a 1,000 foot climb but since my house is at 180 feet I think it’s fair to say it’s 1,000.

I’m looking to buy the Alterra soon, from what others have said only a barometric device can accurately give you your elevation. I’m also getting tired of charging my Garmin 305.

Super Cuul…

Here’s Honey Brown and I at the top of the ridge:

Also, here are a few views from the top:

Sorting two columns in a single table using MySQL

So, someone might say that to sort two columns in a single table using MySQL the statement would look like this:

SELECT * FROM table ORDER BY column1,column2 ASC

This would ONLY sort by “column1” first and then “column2”. This is hardly what we’re after.

Say you had a column called “time” (that is also built using “time”) and a column called “date” (that is built using “date”). If we wanted to truly sort the rows in this table by date AND time we need to do a join like this:

SELECT * FROM (

( SELECT * FROM events ORDER BY date ASC)
UNION
( SELECT * FROM events ORDER BY time ASC)

) AS WOWZER WHERE some_column='some_criteria';

Let’s break it down. First, we start a typical select statement (first line). Then we have a VERY simple join that says I want the date column and time columns joined as a column called “WOWZER”. Finally we only want certain criteria for this select.

This is how to truly sort using two columns. Unfortunately, ORDER BY will not work correctly with just a comma between the two sorts because the items being sorted would be independent of one another.

-Andy

Outlook + Thunderbird + OpenLDAP = Fail

So, I’ve tried to build an OpenLDAP directory that can be viewed by both Outlook and Thunderbird clients.

The idea is simple enough, but Microsoft’s insistence on re-writing standardized protocols makes the task VERY difficult. This makes sense: why would Microsoft’s Active Directory want to be compatible with an Open Source system that’s free?

Here’s the breakdown. Outlook 2007 searches for the following fields when accessing an LDAP directory (disregard the first line; that’s the connection):

conn=521 op=1 SRCH attr=
cn
commonName
mail
roleOccupant
display-name
displayname
sn
surname
co
organizationName
o
givenName
legacyExchangeDN
objectClass
uid
mailNickname
title
company
physicalDeliveryOfficeName
telephoneNumber
homephone
Telephone-Office2
facsimileTelephoneNumber
mobile
Telephone-Assistant
pager
info

And here’s Thunderbird’s query:

conn=0 op=1 SRCH attr=
o
company
mail
mozillaUseHtmlMail
xmozillausehtmlmail
mozillaCustom2
custom2
mozillaHomeCountryName
ou
department
departmentnumber
orgunit
mobile
cellphone
carphone
telephoneNumber
title
mozillaCustom1
custom1
mozillaNickname
xmozillanickname
mozillaWorkUrl
workurl
fax
facsimiletelephonenumber
mozillaSecondEmail
xmozillasecondemail
mozillaCustom4
custom4
nsAIMid
nscpaimscreenname
street
streetaddress
postOfficeBox
givenName
l
locality
homePhone
mozillaHomeUrl
homeurl
mozillaHomeStreet
st
region
mozillaHomePostalCode
mozillaHomeLocalityName
mozillaCustom3
custom3
birthyear
mozillaWorkStreet2
mozillaHomeStreet2
postalCode
zip
c
countryname
pager
pagerphone
sn
surname
mozillaHomeState
description
notes
modifytimestamp
cn
commonname

The funny part is that the free and open source search by Thunderbird is much more detailed and thorough. Outlook’s search, on the other hand, defies standards. The “Company” field for Outlook is “company” in the LDAP. However, this is INCORRECT. The field Outlook should put in as the company is “organizationName” or “o”. A newbie reading this might think Microsoft is just being intuitive. Nope, they’re encouraging their proprietary systems so they cannot interact with open source systems.

As far as I know LDAP has been around a very long time and Microsoft should not ignore the basic schema and standards currently in place. At the very top (the core.schema) the organizationName (or ‘o’) has been there for a very long time.

Anyway, a workaround is to define the ‘o’ for open source as the same as ‘company’ for the mega evil giant, Microsoft.

-Andy
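
To see which attributes a directory entry has to carry for both clients, the two SRCH requests can be compared directly. The following is an added example, not part of the original post: the log lines are constructed from a subset of the attribute lists above, written on one line each as slapd logs them, and the function names are hypothetical.

```python
import re

# Constructed sample: a subset of the attributes listed in the post,
# one SRCH line per client (conn=521 is Outlook 2007, conn=0 is Thunderbird).
SAMPLE_LOG = """\
conn=521 op=1 SRCH attr=cn commonName mail sn surname co organizationName o givenName legacyExchangeDN company telephoneNumber homephone facsimileTelephoneNumber mobile pager
conn=0 op=1 SRCH attr=o company mail mozillaNickname ou mobile telephoneNumber fax facsimiletelephonenumber givenName homePhone pager sn surname cn commonname
"""

SRCH_RE = re.compile(r"conn=(\d+) op=(\d+) SRCH attr=(.*)$")


def requested_attrs(log_text):
    """Map each connection id to the set of attribute names it requested.

    LDAP attribute names are case-insensitive, so names are lower-cased
    before comparison (homephone and homePhone are the same attribute).
    """
    by_conn = {}
    for line in log_text.splitlines():
        match = SRCH_RE.search(line)
        if not match:
            continue  # not a search-attribute line
        conn = int(match.group(1))
        names = (name.lower() for name in match.group(3).split())
        by_conn.setdefault(conn, set()).update(names)
    return by_conn


def compare(by_conn, conn_a, conn_b):
    """Split the requested attributes into shared and client-specific sets."""
    a, b = by_conn[conn_a], by_conn[conn_b]
    return {"both": a & b, "only_a": a - b, "only_b": b - a}


if __name__ == "__main__":
    result = compare(requested_attrs(SAMPLE_LOG), 521, 0)
    for key in ("both", "only_a", "only_b"):
        print(f"{key}: {' '.join(sorted(result[key]))}")
```

Attributes in the "both" set are the ones worth populating first; anything that appears for only one client needs either an extra schema definition or a duplicate value under the other client's name.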