Thursday, 16 June 2011
Setting up DasBlog on Windows Server 2008

I've been meaning to do a quick blog article about this for some time so I don't forget. I found setting up DasBlog on Windows Server 2008 pretty difficult. I currently run DasBlog on a Windows Server 2008 server with the following app pool: ".Net Framework v2.0 Application pool in Integrated Mode".

One of the issues I discovered was setting up the permissions so that DasBlog could read and write to the content folders. To do this follow the steps you find here http://learn.iis.net/page.aspx/624/application-pool-identities/

Basically you need to give the application pool identity that DasBlog is running under permission to these folders. So for example, on the content folder, grant the user IIS AppPool\[your app pool name] read and write (Modify) access. It does not need Full Control, and there is no need to grant anything beyond read on the rest of the site; the identity only has to write where DasBlog stores its content.

posted on Thursday, 16 June 2011 20:12:10 (GMT Standard Time, UTC+00:00)  #    Comments [0]

 Friday, 03 June 2011
My morning roundup

Hackers attack Sony network... again
According to the BBC website a group called Lulz Security hacked into a database containing unencrypted passwords, names, addresses and dates of birth of Sony customers. It appears they only targeted Sony Music Japan.

Hyper-V to run Linux?
Missed this one yesterday: it looks like Microsoft may soon be supporting Ubuntu, Debian, CentOS, RedHat and SuSE on its virtualisation stack. This could also include Azure.

Microsoft may buy Nokia
According to this article on CNET's website "...an industry insider has claimed a Microsoft offer for Nokia is already on the table"

Apple signs Universal Music to iCloud
It appears Apple has had more success with its new cloud service than Amazon and Google by getting some of the major players to sign up to it: "...it will be the first among the big three to offer licensed music."

Read more on CNET and Neowin

posted on Friday, 03 June 2011 08:51:15 (GMT Standard Time, UTC+00:00)  #    Comments [0]

 Thursday, 02 June 2011
My morning roundup

Windows 8 First Look
A first look at Windows 8, and it seems to be a lot about "touch". My first impression when seeing a video demo was "this looks a lot like Windows Phone". They appear to have reinvented the Start menu, and it looks like a lot of thought has gone into usability; it also appears as though some ideas have been influenced by the experience with the iPad.

See for yourself on Neowin and Engadget. For some interesting commentary check out this article on The Register.

Hackers in China compromise Google e-mail accounts
According to the BBC website hackers from China have attempted to access the Google e-mail accounts of US officials, military personnel and journalists.

How clean is your keyboard?
Check out this article on How-To Geek on how to clean your keyboard (without breaking it). Warning: there are some gory infested keyboard images in the article!

UltraViolet (buy it once play it everywhere?)
It's the first time I have heard about it. UltraViolet is supposed to be a media service supported by all the big players in the industry (except Disney). Basically manufacturers will create TVs, mobiles, etc. that support UV. You as the user can purchase UV compatible content such as a Blu-ray or DVD disc carrying a UV logo and will be able to watch the content on any UV compatible device (even if it doesn't have a DVD player). It sounds as though the industry has realised the issue with having many different DRM formats, where content I download on my PS3 won't necessarily work on my PC or mobile phone if I want to watch it on the train. See what you think?

posted on Thursday, 02 June 2011 09:55:22 (GMT Standard Time, UTC+00:00)  #    Comments [0]

 Tuesday, 31 May 2011
My morning roundup

BT upgrading its network to Multicast
According to this article on the Register's website, BT's network is suddenly going to become pretty IPTV friendly as BT upgrades its routers. I would imagine BT is getting ready for the launch of YouView?

ASUS's new Padfone at Computex in Taipei
Asus's new Padfone will be making an appearance at the Computex computing show in Taipei, Taiwan.

Not sure how I feel about this device. It appears to be a phone that can become a tablet PC by plugging into the back of a tablet attachment. What happens when you upgrade your phone?

Google Chrome OS doesn't need anti-virus software
Interesting article questioning Google's claim that its new OS will not need anti-virus software. Saying that, it is an anti-virus company that is questioning that claim.

NASA finally pulls the plug on Spirit
NASA has finally given up hope on its Spirit Rover which landed on Mars in 2004 and lasted much longer than its initially planned 3 month life.

A new Bionic Eye gets given the go ahead in Britain
Thousands of blind people have been given the hope of seeing again using an artificial retina implant according to this article on The Express.

Germany to shut down its nuclear power plants by 2022
It's a brave step, and maybe Germany will lead the way in clean renewable energy. However I am not sure how Germany will deal with the shortfall not covered by renewable energy. Maybe they will become more reliant on imported gas?

posted on Tuesday, 31 May 2011 09:07:54 (GMT Standard Time, UTC+00:00)  #    Comments [0]

 Saturday, 02 April 2011
LizaMoon–Injection and Cross Site Scripting attacks

Following the news on the LizaMoon injection attacks, which have been publicised a lot in the press lately, I really wanted to find out more. Being a technically minded person I wanted to scrape past the general media version of what was happening and get down to what this means to people who run websites that might be vulnerable.

Reading posts on Stack Overflow, it seemed that the same old vulnerabilities that have been around for a very long time were once again being exploited. Even though I have checked many sites I have worked on in the past, you can't help but wonder if there is anything you have forgotten. Security vulnerabilities in websites are not something you can say "yes, I fixed it" about; it's an ongoing battle (a bit like an arms race) where you have to keep up to date with the latest vulnerabilities.

One of the classic vulnerabilities I have seen exploited by such attacks is the classic query string SQL injection attack. Take for example the following URL on a website.

readmessage.asp?messageid=234

or

readmessage.php?messageid=234

There is nothing wrong with the above URLs as long as what happens behind the scenes makes sure that whichever SQL database you are using, be it MySQL or MS SQL Server, is protected from bad input. Basically you cannot trust any input you get from the web.

One of the things I like doing with the above type of input, before I even reach SQL, is to ensure that the query string value I am being sent, in this case messageid, really is an integer. So in whatever language you are coding in, a very simple step is: if messageid is intended to be an integer, test that it is one and nothing more. If it is not, either boot the user back to the page they came from or send them to a generic error page that basically says you can't understand what they wanted to do. Never display a detailed error message that divulges SQL statements and lines of code.

If messageid is supposed to be a string, such as a GUID, test that every character is in a whitelist of acceptable characters first: for example accept A-Z, a-z, 0-9 and - and reject everything else. Validation is only the first layer, though. The control that actually stops injection lives in the code that talks to SQL: use parameterised SQL statements instead of building your select, update or insert statements as strings, so the database never parses user input as part of the query. HTML encoding the input before it is stored does not help here; encoding is an output-time control (see below) and has no bearing on what SQL does with the value.

Another method I have seen used (although I am not a fan of it), where no free text input is expected, is to literally remove words and symbols such as "update", ), (, ', "insert" and "delete" from the input. This can only be done where you definitely know these words are not intended as text values in a table field. If not used properly it could backfire and you could end up losing data in sentences a user may have been innocently entering into a system, and it does nothing against an injection that uses a word you didn't think to list.
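The validation, parameterisation and blacklist points above, as an added example that is not code from the original post. It runs against a constructed in-memory SQLite table standing in for the message board database; the function names, the sample rows and the GUID check (which is tighter than the character whitelist above, requiring the canonical 8-4-4-4-12 hex layout) are all assumptions made for the illustration.

```python
# Added example, not code from the original post. Demonstrates the controls the
# text describes against a constructed in-memory SQLite table: strict validation
# of the messageid query-string value, a parameterised query beside the
# string-concatenation bug, and why stripping SQL keywords from free text loses data.
import re
import sqlite3
import uuid


def make_db():
    """Constructed sample data standing in for a message board table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (messageid INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO messages VALUES (?, ?)",
        [(233, "hello"), (234, "how do I make green widgets?"), (235, "private note")],
    )
    conn.commit()
    return conn


def parse_message_id(raw):
    """messageid is meant to be an integer, so accept only decimal digits.
    Anything else raises ValueError; the caller should show a generic error page."""
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        raise ValueError("messageid must be an integer")
    return int(raw)


# Assumed GUID rule, tighter than the page's A-Z/a-z/0-9/- whitelist: hex digits
# in the canonical 8-4-4-4-12 layout. uuid.UUID() then normalises to lower case.
GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")


def parse_guid(raw):
    """Whitelist check for a GUID-valued parameter; rejects everything else."""
    if not GUID_RE.fullmatch(raw):
        raise ValueError("not a GUID")
    return str(uuid.UUID(raw))


def read_message_vulnerable(conn, raw_id):
    """readmessage.asp?messageid=... done wrong: the raw value is pasted into the SQL text."""
    sql = "SELECT body FROM messages WHERE messageid = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def read_message_safe(conn, raw_id):
    """Validate first, then bind the value as a parameter so the database never
    parses it as SQL. The parameter is the real control; validation is the second layer."""
    message_id = parse_message_id(raw_id)
    sql = "SELECT body FROM messages WHERE messageid = ?"
    return [row[0] for row in conn.execute(sql, (message_id,))]


# The approach the text advises against: remove SQL words and symbols from input.
BLACKLIST = re.compile(r"update|insert|delete|'|\(|\)", re.IGNORECASE)


def blacklist_filter(text):
    """Strips 'update', 'insert', 'delete', quotes and brackets, and with them
    legitimate words from an innocent sentence."""
    return BLACKLIST.sub("", text)


if __name__ == "__main__":
    db = make_db()
    print(read_message_vulnerable(db, "234 OR 1=1"))   # every row comes back, not just 234
    print(read_message_safe(db, "234"))                # only the requested message
    print(blacklist_filter("Please update my address (flat 2)"))  # the word 'update' is gone
```

Feeding the same "234 OR 1=1" string to read_message_safe raises ValueError before any SQL runs, which is the behaviour the text asks for: reject, then show a generic error page rather than a database error.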

The other thing to remember is that just because the content went into the database safely doesn't mean that when you display that same content back to the user it's going to be safe. Take for example a message board that uses SQL Server to store its messages; it's pretty easy to escape what a user enters so that it's perfectly preserved in SQL. Let's say what they entered happened to be some JavaScript, and that the JavaScript redirects the user to a malicious site. If you do not HTML encode the message board text when it is displayed in the user's browser, you are basically putting users that trust your site at risk. HTML encoding what you display to the user ensures that the user sees the text of what is being presented and that the browser doesn't suddenly kick in and start executing the code it has been given. Remember that this applies to just about any text you display to the user, including the browser title tag, which may be something like this:

<title>Does anyone know how to make green widgets?</title>

If the title is not encoded, a malicious post on your message board could quite easily change it to the following:

<title>Does anyone</title><script>document.location='somesite'</script><title></title>

The code above could redirect a user to a malicious site. The browser treats everything up to the first </title> as the title's text, so the injected closing tag ends the real title and the script tag that follows is parsed as markup. Encoding the < and > of the stored text (as &lt; and &gt;) at output time is what stops that.
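The output-encoding point above, as an added example that is not code from the original post: the injected title from the text is stored unchanged and rendered once without encoding and once with it. The post dictionaries and the render functions are constructed for this illustration; html.escape is Python's standard library encoder.

```python
# Added example, not code from the original post. Renders a stored message-board
# post with and without HTML encoding at output time, using the "green widgets"
# title from the text. POSTS and the render functions are constructed for this
# illustration.
import html

# Constructed posts. The second title is the injected one from the text and is
# stored exactly as typed: the database copy is fine, the rendering is the problem.
POSTS = [
    {"title": "Does anyone know how to make green widgets?", "body": "Any tips?"},
    {"title": "Does anyone</title><script>document.location='somesite'</script><title>",
     "body": "harmless body"},
]


def encode(text):
    """HTML-encode user text for element content or a quoted attribute value.
    quote=True also turns \" and ' into entities."""
    return html.escape(text, quote=True)


def render_post_unsafe(post):
    """Stored text dropped straight into the markup, including the title tag."""
    return (
        f"<title>{post['title']}</title>\n"
        f"<h1>{post['title']}</h1>\n"
        f"<p>{post['body']}</p>\n"
    )


def render_post_safe(post):
    """Encode every piece of user text at the point it enters HTML, in each
    place it appears. The database copy is left untouched."""
    title = encode(post["title"])
    body = encode(post["body"])
    return (
        f"<title>{title}</title>\n"
        f"<h1>{title}</h1>\n"
        f"<p>{body}</p>\n"
    )


def has_live_script(markup):
    """Crude check: is there a real <script tag, as opposed to an encoded &lt;script?"""
    return "<script" in markup.lower()


def displayed_text(encoded):
    """What the browser shows for an encoded string: the original text, verbatim."""
    return html.unescape(encoded)


if __name__ == "__main__":
    print(render_post_unsafe(POSTS[1]))  # a second <title> and a live <script> appear
    print(render_post_safe(POSTS[1]))    # one <title>, the rest is visible text
```

html.escape with quote=True is the right encoder for element content and for quoted attribute values. It is not enough on its own for user text placed into a URL (an href) or inside an existing script block, which need context-specific encoding; that is outside what this post covers.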

posted on Saturday, 02 April 2011 20:38:48 (GMT Standard Time, UTC+00:00)  #    Comments [0]

 Thursday, 10 March 2011
Cookie Trouble

I read the following news article with interest about the European Union's new laws that basically state you have to ask the user's consent to place a cookie on their machine. Reading through the new legislation I found the paragraph below, which appears to be the only paragraph that refers to cookies.

"Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities..."

If you look at the exception near the end of that passage (storage that is "strictly necessary ... explicitly requested by the subscriber or user"), it appears an exception to this rule is when placing a cookie onto the user's machine is to do with the explicit working of the service the user was expecting. So for example if you log into your bank's website with a username and password, placing a cookie onto the user's machine without their consent is legitimate, as the service would not work as the user expected without it. This is basically how I understood this paragraph.

What I do think will be an issue is people that use analytics packages on their websites (it is unclear if this is covered), paid-for advertising and affiliate tracking programs. I can already think of several organisations such as Google, Yahoo and even MSN/Bing that may be affected by this. I don't feel much thought has gone into this legislation and I am not too sure how it will be enforced. It will not stop affiliate or tracking sites that are not hosted in the EU. It could end up with companies hosting these services, or making use of services, in countries outside of the EU zone to get around this issue.

One thing that is incredibly difficult to do is to govern how sites work on the Internet. It is not the job of governments but of international bodies to decide how this should work. What the legislation cannot protect against is spyware and illegal sites making use of this information or tracking users in this way. I also feel that not much thought has gone into how this legislation would be interpreted, or whether it could destroy how some businesses work.

A rather funny take on this new legislation can be found here

posted on Thursday, 10 March 2011 00:25:18 (GMT Standard Time, UTC+00:00)  #    Comments [1]

 Thursday, 23 December 2010
The Fritz Box 7170

I've always had a problem choosing ADSL modems. They've had a habit of letting me down and just being downright unreliable. As my wife works from home, reliable internet access is essential, and in the past we have faced many issues with our Internet access, most of them being down to the BT Home Hub, which for reasons only known to BT will drop the connection and suddenly choose to run an upgrade patch on itself. It did this without asking and with no thought to what important work was being done on the Internet at the time.

Other times Internet access would drop completely and the only way to get it back was to reboot the dreaded BT Home Hub. What was worse is that I had two SIP phone lines coming through my Internet connection. The BT Home Hub was awful at routing any traffic to the phones making them unreliable. 

Having put up with this issue for such a long time I told myself enough was enough and decided to trawl around the Internet to find the best solution. Just about everyone complained about the popular makes of ADSL routers when reading the reviews on Amazon. Then I spotted something called a Fritz! Box on Sipgates website, it was definitely more expensive than the others but doing more research found that people had nothing but good things to say about it. I decided to see if I could get it a bit cheaper. Searching Amazon I found the above model the 7170 for £73. It appeared to be an older model, but it still had many of the features found in the newer models so I placed my order.

The Fritz!Box was simplicity itself to set up. I moved the box over to the IP range I use at home, unplugged my BT Home Hub, plugged in the Fritz!Box and it just worked! So far so good. I then decided to set up my SIPGate phone numbers on the box; in order to do this I turned on the box's advanced settings first. Then I entered my SIPGate details and tested calling the numbers; they worked first time and were crystal clear! There was no need to configure any ports on the box's built-in firewall, everything just worked out of the box. It was the first time I had ever managed to set up a SIP device so easily. I then decided to open port 80 on the firewall for my web server and that worked without any issues. The only thing I had left was my old BT Hub phone number; after a little bit of research I found I was able to set this up on the Fritz!Box with no problems and it also worked first time. Not bad, not bad at all.

Looking through the screens for the Fritz!Box I realised it had a lot more to offer than I thought came with the box. It had built-in multiple answerphones, a fax machine, a NAS drive interface, a UPnP media server, a USB print server interface and a VPN client! The answerphone was easy to set up and I discovered I could also route calls based on caller ID. So in theory I could route calls that withhold their numbers to an answering machine, as they are more than likely sales calls.

A month on and the Fritz!Box has been nothing but reliable. Where we have had Internet problems the box has seamlessly detected them and reset the Internet connection in many cases without us even realising it. I suppose the old adage, you get what you pay for is so true with the Fritz!Box. The Fritz!Box has also reminded me just how reliable German engineering really is.

posted on Thursday, 23 December 2010 13:51:09 (GMT Standard Time, UTC+00:00)  #    Comments [0]

 Saturday, 04 December 2010
Southeastern trains – content is king

I read and watched the interview with Sarah Boundy, spokeswoman for Southeastern Trains, defending Southeastern's appalling service during the recent heavy snowfall. I suppose the main point for me was how keen she was to talk about the improvements they had made since last time to their website. Unfortunately, if Sarah had been monitoring the #southeastern twitter tag before she came to the BBC interview she would have realised that the information on the site was wildly inaccurate compared to what people were experiencing on the ground. I appreciate the fact that Southeastern had invested millions in its new website, but if the content is useless, so is the website, which is why most customers resorted to twitter instead of trusting what was on the website.

Many of us get the fact that the third rail system doesn't work too well in snowy conditions, however what we can't get is just how bad the communication is from this company.

Joined up content channels
Even if the content had been accurate (and to be fair, Southeastern started to pay more attention to their website when people got angry), all the other channels people receive content through, National Rail's website and the station PA system, were showing wildly conflicting messages on what was going on.

Take for example Thursday 2nd December. I made my way down to Sevenoaks train station, wading through knee-high snow to catch a train I was told would be running at 5:30am to Charing Cross station according to National Rail's website. I arrived at the station to find it closed and not a train on the platform. I decided to wait, and I did so for 20 minutes before I saw the first Southeastern staff enter the station. I waited another 15 minutes before more customers arrived at the door and finally the staff opened it. The first thing we heard from the staff was "has anyone checked the site?"; apparently the staff didn't even know what was happening. I made my way to the platform and the train National Rail's website told me was waiting on the platform (I used National Rail's iPhone app) wasn't there! The station's PA system was useless; the only message it gave me was that there were adverse weather conditions. You don't need all your station displays to point out the bleeding obvious; what would have been nice was for it to tell me that the next train had been cancelled because it had become stuck on the tracks. One screen in the station told us to look at Southeastern's website! We are in the station surrounded by Southeastern staff and are told to go to a website. Why can't the systems sitting in place at the station give us this information?

Checking Southeastern's website on my iPhone gave conflicting information which showed some services would be running from Sevenoaks station, until one of the staff eventually got information (we know not where from) and put up the following board, stating "Our website is incorrect and we are doing our best to get it sorted".

(Picture thanks to @Bobajobbob)

Southeastern really has to work on how it communicates the status of its service. National Rail and the iPhone apps were showing trains as running on time until the very minute the train was supposed to depart it was marked as cancelled or just disappeared from the site.

In an age where information is freely available to all through multiple devices and communication channels, it's key that the information you make available to your customers and your staff is the same information. Updating this information should not be difficult: make use of your staff at stations and the train drivers themselves to help drive your communication network. Actively watch twitter feeds, as companies such as BT have been doing rather well to help with damage limitation. Don't post general announcements about difficulties running services; be honest about whether the service will run or not. Sending out a vague message makes people unsure; they have to decide whether to contact their place of work and tell them they can't make it in today because of the lines. People also need to know if they will be able to make it back home. Southeastern failed not because of the third rail but because they didn't communicate well. I understand perfectly that other countries have suffered the same problems with their trains and that in many cases it just can't be helped. But what can be helped is a company that shows it cares and provides information to its customers.

Southeastern has been annoying its customers more and more, even before the heavy snow. Trains are often not long enough for the number of passengers because they are short of working rolling stock, or trains don't run on time. When their service does work well, as I remember it used to, you could get from Sevenoaks to London within 23 minutes, which is a brilliant service when it works. For a company that charges their customers some of the highest fares in Europe they really need to start investing more money into their network or face losing their franchise.

posted on Saturday, 04 December 2010 12:41:22 (GMT Standard Time, UTC+00:00)  #    Comments [1]