Monday, August 31, 2015

The Page_Load event is going to fire even on a callback in the DevExpress paradigm.

That kinda makes my head want to explode, but it is what it is. The page will not postback, and yet the Page_Load event will rerun. If you are using the Page_Load event to set up controls which then affect an ASPxGridView, and you want to set up the controls in Page_Load without resetting them on every callback, perhaps you should call a callback on the ASPxGridView itself and not a callback on an ASPxCallbackPanel wrapping everything.

an ASPxComboBox in DevExpress is their DropDownList

<dx:ASPxComboBox ID="WhichEnvironment" ClientInstanceName="WhichEnvironment"
      runat="server" ToolTip="View Roles">
   <Items>
      <dx:ListEditItem Text="Quality Assurance" Value="3"></dx:ListEditItem>
      <dx:ListEditItem Text="Production" Value="1" Selected="True"></dx:ListEditItem>
   </Items>
   <ClientSideEvents SelectedIndexChanged="function(s, e) {
         ReportGrid.PerformCallback();
      }" />
</dx:ASPxComboBox>

Subversion conflicts (a better way?)

The formal way to deal with this is to use TortoiseMerge. Select blobs of red where conflicts exist and right-click to pick options such as "Use this text block" or "Use text block from 'mine' before 'theirs'"; when all of the red is cleaned up, click "Save" at the upper left and then say OK to "Mark as resolved" to finish up. Every line in every swath of red needs to be accounted for, even empty spaces, so you will want to drag a selection over the whole of the red area before dealing with it.

the Settings inside a DevExpress ASPxGridView

This tag may have a multitude of concerns jammed into it or may just be left out. ShowGroupPanel is going to allow you to group by any row the way one groups by a row here, while ShowFilterBar allows users to build their own filters.

<Settings HorizontalScrollBarMode="Visible" ShowFilterRow="True"
      ShowFilterRowMenu="True" ShowFooter="True" ShowGroupPanel="True"
      ShowFilterBar="Visible" />

Friday, August 28, 2015

add a horizontal scroll bar to a DevExpress ASPxGridView with many columns and thus much horizontal real estate

<dx:ASPxGridView ID="MyGrid" runat="server" Width="1057">
   <Settings HorizontalScrollBarMode="Visible" ShowFilterRow="True"
         ShowFilterRowMenu="True" />
</dx:ASPxGridView>

Addendum 9/22/2015: This is also legit:

<Settings VerticalScrollBarMode="Visible" VerticalScrollableHeight="400" />

Don't store the last four digits of a credit card number as an int.

What if there is a leading zero? Or two? You'll have to do wacky stuff to compensate, right? This data point should be an nchar(4) at MSSQL and a string at C#. (This touches on the difference between nchar, char, varchar, and nvarchar. The items with the leading n can store Unicode characters (and thus they take up much more memory) while the others cannot. The items with var in the name are of variable length: they can be up to their specified length but can also be shorter, while the nchar and char settings are going to use storage space for all x of their slots even if you use fewer than x.)

set the AutoPostBack setting to true at an asp:DropDownList to reload the Page_Load event in web forms

...whenever the dropdownlist is changed.

footer!

I was going to solve this problem this way:

$(function() {
   // grab the footer's rows and append them beneath the grid's data rows
   var footer = $("#MyFooter").find('tbody:first').html();
   var recordsContainer = $("#MyGrid").find('tbody:first').find('tbody:first');
   recordsContainer.append(footer);
});

I would try to understand ASPxGridView.ProcessColumnAutoFilter Event in the name of refreshing the footer row after a search at the DevExpress ASPxGridView column headers, but my boss pointed out to me that my JavaScript hack was... a hack. We found a better way:

<dx:ASPxGridView ID="Foo" runat="server">
   <Columns>
      <dx:GridViewDataColumn FieldName="TeaName" VisibleIndex="1" />
      <dx:GridViewDataTextColumn FieldName="PriceOfTeaInChina" VisibleIndex="2">
         <PropertiesTextEdit DisplayFormatString="${0}" />
      </dx:GridViewDataTextColumn>
   </Columns>
   <Settings ShowFooter="True" />
   <TotalSummary>
      <dx:ASPxSummaryItem FieldName="TeaName" SummaryType="Custom" />
      <dx:ASPxSummaryItem FieldName="PriceOfTeaInChina" SummaryType="Sum" />
   </TotalSummary>
</dx:ASPxGridView>

Average, Count, Max, Min, and None are the other options for SummaryType in this approach and the Custom summary type really needs some love to get it to work. On the C# side you need to wire up an event like so:

Foo.CustomSummaryCalculate += Bar;

The event itself might look like...

protected void Bar(object sender, DevExpress.Data.CustomSummaryEventArgs e)
{
   switch (((ASPxSummaryItem)e.Item).FieldName)
   {
      case "TeaName":
         e.TotalValue = _data.Select(x => x.TeaName).Distinct().Count();
         break;
   }
}

Addendum 9/15/2015: The switch statement immediately above should really be wrapped in:

if (e.SummaryProcess == CustomSummaryProcess.Finalize)
{
   // switch goes here
}

...as otherwise the switch statement will run for each row in the ASPxGridView and create unneeded memory overhead.

Thursday, August 27, 2015

"Provider" instead of "Repository"

Provider seems to be another term for repository in an application I'm looking at which has the common repository pattern afoot which appears in the Onion Architecture quite often, when CQRS is not used instead I suppose. This kinda touches on very distinct differences between the two, but honestly I don't see why the terms can't be interchangeable in a murkier sense.

iisreset

...as a command line command in Windowsland is going to stop and then restart IIS. You should see as console feedback/affirmation:

Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted

A coworker asked me about this today, so I suppose it should get its own blog posting like every other stray thought that passes through my head.

takeaways from a lunch and learn on security which was at work today

  1. SIEM is pronounced "sim" and stands for Security Incident and Event Monitoring Suite, and Splunk is a not-quite example of a SIEM.
  2. Airwatch allows device events to be recorded and it can tell if your employees are password protecting their smartphones.
  3. In PCI 3.1, SSL will not be allowed and TLS must be used instead and not just any TLS. The first two versions are seen as weak (I think).
  4. Sarbanes–Oxley makes corporate executives legally liable for their reporting. SSAE 16/SOC1 seems to be a standard for reporting.
  5. ITIL is Information Technology Infrastructure Library and is a set of good practices.
  6. SSO stands for Single Sign On.
  7. EU Safe Harbor is a standard for keeping data secure.

Addendum 9/30/2018: IT by itself is Information Technology. Duh.

Wednesday, August 26, 2015

conflicted files in Subversion merges

If you just open the file you'll see some markup added to the bit Subversion couldn't make sense of. It will look like so:

<<<<<<< .mine
   foo = bar;
=======
   foo = baz;
>>>>>>> .r57978

I recommend just getting on the other side of TortoiseSVN's process (don't try to clean this up in Tortoise) and then manually fix things in Visual Studio. Manually delete the goofy extra files that Subversion made right next to the conflicted file in the same folder and then commit your change. The state should flip back to green. Don't expect Subversion's clean up commands to help you.

Tuesday, August 25, 2015

Add a FooterTemplate to a GridViewDataTextColumn?

I haven't tried this yet...

<dxwgv:GridViewDataTextColumn FieldName="ProductName" VisibleIndex="2">
   <FooterTemplate>
      <span style="font-size:6px;"><%# GetSummaryText(Container)%></span>
      <span><%# GetSummaryValue(Container)%></span>
   </FooterTemplate>
</dxwgv:GridViewDataTextColumn>

...but if you have a DevExpress ASPxGridView which lists, for example, a bunch of line items in an order and you wish to show a total in an extra row down at the bottom of the grid, this might be the way to go. I'll know for sure tomorrow. Other links along these lines are:

Addendum 8/27/2015: I can't get this to work. I'm going to give up on it. I was going to try to attempt this approach to dress up an ASPxGridView at the column headers as well, but not anymore. I'm just going to use a plain Jane web forms repeater to build an HTML table with the bells and whistles I need. Wait, I've changed my mind. I'm going to use an ASPxGridView after all and just shove in a footer row for totaling prices at line items and the like by way of JavaScript. There is too much to give up otherwise... sorting, pagination, etc. I don't want to recreate the wheel in a repeater. That would be more hacky than what I'm scheming.

Addendum 8/28/2015: This is bunk. See this please.

Monday, August 24, 2015

Vagrant and WebdriverIO

I saw the film "Trainwreck" with some peeps yesterday and afterwards when we all shot the breeze in conversation I learned of:

  • Vagrant lets you spin up a VM from a single command line command and the environment can be predictable/reproducible.
  • WebdriverIO, which I think was built out from WebdriverJS, is another automation testing tool like Selenium and WatiN. "Sauce Labs" is behind it.

Sunday, August 23, 2015

DevExpress file upload controls

Alright, here is the simplest example I can think of. It is a one page web form app with an ASPxUploadControl which will allow you to upload a .txt file. The contents of the text file will then get put to an ASPxLabel. If you type "Hello World" into a .txt file and then upload it, "Hello World" will end up on the web page as copy. Get it? The code behind for the web form just looks like this:

using System;
namespace Uploady
{
   public partial class Default : System.Web.UI.Page
   {
      protected void Page_Load(object sender, EventArgs e)
      {
         Label.Text = Session["message"] as string;
      }
      
      protected void Uploader_FileUploadComplete(object sender,
            DevExpress.Web.FileUploadCompleteEventArgs e)
      {
         Session["message"] =
               System.Text.Encoding.Default.GetString(e.UploadedFile.FileBytes);
      }
   }
}

Well, what if the user doesn't pick a .txt file? That would sabotage the app, correct? We'd better put in place a safeguard to tell our hackers to chill when they overstep. We do that in the web form itself. The ASPxUploadControl does its own magic to bring up some red copy by way of its own AJAX with "That's not a text file junior." as the contents when things go wrong. The markup just looks like this:

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs"
      Inherits="Uploady.Default" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
   <head runat="server">
      <title>Whatever</title>
   </head>
   <body>
      <form id="form1" runat="server">
         <dx:ASPxUploadControl ID="Uploader"
                OnFileUploadComplete="Uploader_FileUploadComplete" runat="server"
                FileUploadMode="OnPageLoad" ClientVisible="true">
            <ClientSideEvents TextChanged="function(s,e){s.Upload();}"
                  FilesUploadComplete="function(s,e){refresh(s,e);}" />
            <ValidationSettings AllowedFileExtensions=".txt"
                    NotAllowedFileExtensionErrorText="That's not a text file junior." />
         </dx:ASPxUploadControl>
         <div>
            <dx:ASPxLabel runat="server" ID="Label"/>
         </div>
      </form>
      <script type="text/javascript">
         function refresh(s,e) {
            var state = document.getElementsByClassName("dxucErrorCell_DevEx")[1];
            if (state.innerHTML.indexOf("junior") === -1) {
               document.location.href = "Default.aspx";
            }
         }
      </script>
   </body>
</html>

What do the two ClientSideEvents do? Well, without the TextChanged event the act of attempting an upload does nothing. On the other side of picking a file, our sanity checking and the success and failure scenarios downstream of that never happen without the TextChanged wire up. I stole this out of an existing app at work. The FilesUploadComplete logic is my own. I needed a way to tell if the sanity check failed and to redirect the page to itself if it did not. I know this is hacky as hell. I'm sniffing the DOM based upon a class name, which is exactly the sort of brittle thing which would break when one upgrades DevExpress (maybe) and the sort of thing my boss would call me out for, but, again, I'm just trying to keep things simple for this example.

Saturday, August 22, 2015

black day at Black Hat

Jennifer Granick, the lawyer who has represented both Michael Lynn (who quit his job at a previous Black Hat to give a talk on Cisco vulnerabilities that his employer tried to gag) and the late Aaron Swartz, gave the keynote speech at this year's Black Hat and warned us all of a dark future in which the web is watered down by corporate policies, government controls, and the whole "What's socially acceptable?" thing to the point where it is as worthlessly safe as television. One of her slides had a quote from "The Master Switch" by "Tim Wu" reading: History shows a typical progression of information technologies from somebody's hobby to somebody's industry, from jury-rigged contraption to slick production marvel; from a freely accessible channel to one strictly controlled by a single corporation or cartel – from open to closed system. Jennifer predicts that, in IoT (the internet of things), anonymous cars that drive by themselves will prompt lawsuits when they crash and the age old loophole for escaping software liability wherein if you just don't misrepresent what the software does you're not accountable is going to be challenged as a bad standard and will be dissolved. Once this happens software liability is going to make the cost of doing business balloon, hurting startups. We'll find ourselves in a stagnant state where we cannot progress and the real innovators will run to a different space. Beyond what the future holds, Jennifer suggests legal troubles of the right now include:

  1. CFAA is the Computer Fraud and Abuse Act and it makes it a crime to obtain information from a computer that is of a financial institution or the U.S. Government. Aaron Swartz of RSS fame was faced with violating this rule after he wrote a script that automated the process of downloading and analyzing internet articles as, I suppose, some articles resided in the hosting of the U.S. Government. Under the pressure of facing over three decades in prison for the act, he took his own life.
  2. DMCA or Digital Millennium Copyright Act is copyright law that tries to keep trade secrets secret and makes it a crime for one to try to bypass a purposeful deterrent to reverse-engineering a technology to see how it works. If you buy an alarm clock at Wal-Mart you may take it home, beat it into pieces with a hammer, and then take a look at all the gears that spill out and muse and at how they behaved to begin with, but you can't break open software in a similar way, even if it's "yours" and you bought it.
  3. USAPA is, yes, The Patriot Act. Once J. Edgar Hoover was dead it soon became illegal for America's government to spy on its own citizens as they spin up brouhaha political movements (think Martin Luther King, Jr., think Malcolm X) but now all that is back! In the name of fighting terrorists George W. Bush gives us... this! Many of the original provisions have been allowed to expire but others have been extended. The government may spy on your electronic communications.
  4. FAA stands for FISA Amendments Act and it is, I guess, a piece of the Foreign Intelligence Surveillance Act. It allows for warrantless surveillance of individuals with the one restriction that they must be overseas. Awesome! (that's sarcasm)

In circling back to the future from the right now, well, expect more of the same. Jennifer suggests the trend is not trending in the right direction. Expect more controls. In the book "The Black Box Society" Frank Pasquale suggests that our technology will reach a walled-off state where it might as well be magic because we won't know what is in it or what it really does and that is basically a pitfall of our legal situation. He sees us in life or death situations wherein we just shake the Magic 8 Ball, fingers-crossed. Please let this work! John Perry Barlow, lyricist for the Grateful Dead, wrote: Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of the Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather. This "Declaration of Independence of Cyberspace" appeared on another of Ms. Granick's slides to take us out of both the right now and the dark future back to the 1990s to try to stir our sense of ideology about what the internet should be in contrast with what it has become. For all of the clapping the audience did, I still feel helpless. Realistically, how could we as a society reverse course? At least I typed up this article.

Friday, August 21, 2015

RCE (Remote Code Injection) unlike XSS (Cross-Site Scripting) can directly attack web servers!

This was the premise of a talk by James Kettle that I saw at Black Hat, much of which seems to be repeated in his own notes here. RCE takes shape in shoving server-side code into template engines and getting it to run, in lieu of pushing sinister JavaScript comparably into online forms to have it ultimately do wacky frontend manipulations. In both circumstances, the data entered by the user will bubble back up to the screen elsewhere in the application and when it does... look out! The JavaScript can cause a certain set of problems for anyone visiting the content, but the RCE approach will run code against the server itself, not necessarily with any end goal of affecting the page it is run at as it is displayed. (It has its eye on bigger things.) RCE is also not SQL injection where one is trying to have at the database. No, one is trying to have at the server. If you can sense that an app is running the Smarty template engine for PHP and you can hack it, you can run your own PHP scripts at the same place the scripts to run the web site are run. That will ultimately let you mess with the database and so much more. In other examples that were harder for me to follow James was able to get a shell running at the server when hacking against different template engines. To start with in hacking try entering ${7*7} and {{7*7}} and a handful of other markup-escapes-out-of-markup-and-into-code that I wasn't smart enough to write down in my notes during the talk into template content to see if you can get a 49 back wherever the markup bubbles back up to the web site. When you have narrowed in on which variant actually gives the 49 you have also narrowed in on which particular popular template engine is being used under the hood at the hosting you are trying to break into. Smarty is pretty easy to break/hack once you know it's Smarty. There is also Smarty (Secure) which is less ghetto, but it too has holes.
James found Smarty_Internal_Write_File as a part of Smarty (Secure) and this allowed him to write PHP files to the server and execute code and that was that. He has told the Smarty (Secure) keepers about this particular loophole and it is now fixed but... other exploitable virgin territory beckons.
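The defender's side of the probing James describes is to notice those template-expression probes in your own traffic. Here is an added example (not from the talk or this post) that URL-decodes request parameters from constructed access-log lines and flags the `${...}` and `{{...}}` shapes, along with two other common template delimiters; the log lines, IPs and function names are this example's own.

```javascript
// Delimiter shapes used by common server-side template engines.
var TEMPLATE_PROBES = [
  { name: "dollar-brace", re: /\$\{[^}]*\}/ },   // ${...}, e.g. the ${7*7} probe
  { name: "double-brace", re: /\{\{[^}]*\}\}/ }, // {{...}}, e.g. the {{7*7}} probe
  { name: "brace-percent", re: /\{%[^%]*%\}/ },  // {% ... %}
  { name: "angle-percent", re: /<%[^%]*%>/ }     // <% ... %>
];

// Split a URL's query string into URL-decoded parameter values so that
// %7B%7B7*7%7D%7D is examined as {{7*7}}.
function queryValues(url) {
  var q = url.indexOf("?");
  if (q === -1) return [];
  return url.slice(q + 1).split("&").map(function (pair) {
    var eq = pair.indexOf("=");
    var raw = eq === -1 ? "" : pair.slice(eq + 1);
    try { return decodeURIComponent(raw.replace(/\+/g, " ")); }
    catch (e) { return raw; } // malformed percent-encoding: inspect as-is
  });
}

// Return the names of the probe shapes present in any parameter of the URL.
function detectTemplateProbes(url) {
  var hits = [];
  queryValues(url).forEach(function (value) {
    TEMPLATE_PROBES.forEach(function (p) {
      if (p.re.test(value) && hits.indexOf(p.name) === -1) hits.push(p.name);
    });
  });
  return hits;
}

// Pull the request path out of a combined-format access log line.
function requestUrl(line) {
  var m = /"(?:GET|POST|PUT|DELETE) (\S+) HTTP\/[\d.]+"/.exec(line);
  return m ? m[1] : null;
}

// Constructed sample log lines (combined log format) for the example.
var SAMPLE_LOG = [
  '10.0.0.5 - - [21/Aug/2015:10:01:02 -0500] "GET /profile?name=alice HTTP/1.1" 200 512',
  '10.0.0.9 - - [21/Aug/2015:10:01:07 -0500] "GET /profile?name=%24%7B7*7%7D HTTP/1.1" 200 510',
  '10.0.0.9 - - [21/Aug/2015:10:01:09 -0500] "GET /profile?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 510',
  '10.0.0.7 - - [21/Aug/2015:10:02:00 -0500] "POST /search?q=tea+prices HTTP/1.1" 200 2048'
];

// Scan log lines and return one alert per request carrying a probe.
function scanLog(lines) {
  var alerts = [];
  lines.forEach(function (line) {
    var url = requestUrl(line);
    if (!url) return;
    var hits = detectTemplateProbes(url);
    if (hits.length) {
      alerts.push({ client: line.split(" ")[0], url: url, probes: hits });
    }
  });
  return alerts;
}
```

A hit on its own only says someone is fingerprinting the engine; the thing that actually closes the hole is never letting user input become part of the template source, only part of the data passed to it.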

Rally has a recycling bin for recovering the tasks that dumb guys like me inappropriately delete out of stories.

Lucky me!

XMLStarlet

...is a command-line tool for manipulating XML gunk.

At "Task List" beneath the "View" menu in Visual Studio 2015 you may see all of the "TODO" comments listed as to-dos.

This particular comment is special and I don't mean that in a condescending "you're special" way.

Thursday, August 20, 2015

pseudopolymorphism

In the fourth chapter of this & OBJECT PROTOTYPES, Kyle Simpson suggests there are two types of mixins (hacks to mix one object with another) to fake a "child" inheriting from a "parent" in JavaScript:

  1. Explicit Mixins take shape when two objects are handed into a function which loops through all of the properties of the "parent" by key and assigns all of those properties to the "child" save for those for which a key with the same name already exists at the "child" allowing a "child" property to overpower the "parent" property as would be the reality in real inheritance (and by overpower I really just mean that the "child" gets to keep what it had to begin with without the "parent" stepping on it). If foo has a bar method and baz is a "child" of foo which has its own bar method, yet baz wants to call out to foo's bar method either from within its own bar method or perhaps elsewhere (the qux method?) then it may do so like so: foo.bar.call(this); ...and, in such an approach this is scoped to baz and not foo. As much is crucial to avoid wacky behavior. Note that all of the properties the "child" gets are copies and a change, after the mixing, to a "parent" property will not affect the counterpart "child" property (even if it is an "inherited" property) so, yes, this isn't really inheritance in a normal sense. It's all very ghetto yo. An exception to this rule is that a function copied from "parent" to "child" is not really a copy and both methods have pointers to the same function which was never really tied to the "parent" to begin with beyond the "parent" pointing at it. A change to a function in this setting will affect the same gunk at both "parent" and "child" and you could thus use this as a hack to make changes cascade from one to the other.
  2. Implicit Mixins just have "child" objects independent from "parent" objects save for calls out to them like so: foo.bar.call(this); ...and these allow the "child" to use a "parent" thing while scoping this to the "child" so that if a method incremented a number and returned it, for example, and that's Kyle's example, the count at the "child" and the "parent" would be independent assuming the thing incremented was this.somethingerother or something else hanging off of this.
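Here is an added example (not Kyle Simpson's code or this post's) that implements both mixin styles described above and checks the copy-versus-shared-reference behaviour the first item walks through; the Vehicle, Car, Counter and Another objects are this example's own.

```javascript
// Explicit mixin: copy every "parent" key onto the "child" unless the
// child already has a key of that name (the child's member wins).
function mixin(parent, child) {
  for (var key in parent) {
    if (!(key in child)) {
      child[key] = parent[key];
    }
  }
  return child;
}

var Vehicle = {
  engines: 1,
  ignition: function () {
    return "Turning on " + this.engines + " engine(s).";
  },
  drive: function () {
    return this.ignition() + " Rolling.";
  }
};

var Car = mixin(Vehicle, {
  wheels: 4,
  // The child overrides drive() but still wants the parent's version,
  // so it calls it with `this` bound to Car, not Vehicle.
  drive: function () {
    return Vehicle.drive.call(this) + " With " + this.wheels + " wheels.";
  }
});

// Primitive properties are copies: changing the parent after the mix
// leaves the child's copy untouched.
function primitiveIsCopied() {
  var before = Car.engines;   // 1, copied from Vehicle
  Vehicle.engines = 2;
  var after = Car.engines;    // still 1
  Vehicle.engines = 1;        // restore for the other checks
  return before === 1 && after === 1;
}

// Functions are not copied: parent and child hold the same function
// object, so a property hung on it through Vehicle is visible via Car.
function functionIsShared() {
  var sameReference = Car.ignition === Vehicle.ignition;
  Vehicle.ignition.tag = "shared";
  var seenFromChild = Car.ignition.tag === "shared";
  delete Vehicle.ignition.tag;
  return sameReference && seenFromChild;
}

// Implicit mixin: Another never receives Counter's properties; it just
// borrows Counter.bump with .call(this), so `this.count` lands on Another.
var Counter = {
  count: 0,
  bump: function () { this.count = (this.count || 0) + 1; return this.count; }
};
var Another = {
  bump: function () { return Counter.bump.call(this); }
};

function implicitCountsAreIndependent() {
  Counter.bump(); Counter.bump();  // Counter.count -> 2
  Another.bump();                  // Another.count -> 1, Counter untouched
  return Counter.count === 2 && Another.count === 1;
}
```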

DRM is digital rights management.

It is access restrictions for eBooks and the like so not just anyone may see them or redistribute them.

There is a way to snapshot a copy of a Chromebook's hard disk.

PassMark Software seems to have a write up on such. It lists twelve distinct variations of Chromebook:

  1. Acer AC700
  2. Acer C720
  3. Acer C7
  4. Chromebook Pixel
  5. Cr-48
  6. HP Chromebook 11
  7. HP Chromebook 14
  8. HP Pavilion Chromebook
  9. Lenovo Thinkpad X131e Chromebook
  10. Samsung ARM Chromebook
  11. Samsung Series 5 550 Chromebook and Series 3 Chromebox
  12. Samsung Series 5 Chromebook

Uncaught TypeError: Cannot read property 'msie' of undefined

I got this error in Google Chrome's console when I tried to use jquery.alerts and this offers the following hack to fix it:

jQuery.browser = {};
(function () {
   jQuery.browser.msie = false;
   jQuery.browser.version = 0;
   if (navigator.userAgent.match(/MSIE ([0-9]+)\./)) {
      jQuery.browser.msie = true;
      jQuery.browser.version = RegExp.$1;
   }
})();

You'd put this upstream of the act causing the error, you know? The second of the two links I provide in this blog posting suggests that $.browser has been yanked out of modern jQuery and such is the source of this pain. The hack I steal puts something like it, whatever it was, back in scope.

aspxAddHoverItems is not defined

I got this in a DevExpress application that was trying to make sense of an ASPxGridView along with comparable errors such as...

aspxAddDisabledItems is not defined

...which appeared over and over again in Google Chrome's console. (maybe one entry for each row in the grid?) It turned out that the app's web form and the Web.config file were referencing differing versions of DevExpress. This touches on that a little bit and how to fix it.

Wednesday, August 19, 2015

Change your password at Google.

Go to "My Account" (at the upper right when you click on your Google+ photo) which will take you to a splash page for your account. Herein click "Sign-in & security" which will take you to another page yet and there shall be a link for "Password" therein at the right partway down the page.

A closure is just a function inside of a function in JavaScript.

This was one of many insights from Sean Park, a senior malware scientist at Trend Micro, who gave a talk at Black Hat on hacking banks that I could only partially follow. It had a lot to do with MIPS (MICR Image Processing System wherein MICR is Magnetic Ink Character Recognition) which I had not heard of before. I was expecting a talk with more of a focus on banking web sites, though this talk did have aspects of that too. For example...

$("#submit").on("click", function(){
   var id = $("signin-id").val();
   var pw = $("signin-password").val();
   console.log(">> DOM Inject: "+id+":"+pw);
});

...was given as some jQuery code that could accompany the login control at the gate of a banking portal. Clearly, if you can inject something sinister like this you can do all sorts of "wonderful" things with the usernames and passwords of those who log in to check their finances. This was called DOM injection in his slides, but this is clearly not XSS because user-driven content is not going to be bubbling back to the screen at the same locale as that box with two form fields the public uses to log into the web site with. So how would such a script even get in place to do its job? That has to do with MIPS and I'd be lying if I said I really understood it. His slides that I took photos of show someone hacking MIPS and then MIPS pushing bad stuff to the web front end. Mitigate this with a process of self-auditing, looping through all functions in your JavaScript comparing what is to a whitelist of what should be. Do this at identified entry points assuming that a hacker may have augmented your existing JavaScript. Also, rootkits, which are toolkits for hacking, may also just drop some of your existing JavaScript functions, so compensate by making sure everything in your whitelist still exists too. Moreover, be sure the jQuery library itself has not been hacked. Sean mentioned opaque predicates in his talk, which was a term I had not heard of before. I suppose these are expressions which either evaluate to true or false, or, perhaps in JavaScript's context, truthy or falsy.
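The self-audit described above, as an added example that is not from Sean Park's talk or this post: it records a whitelist of expected function names with a hash of each function's source, then reports anything later replaced or dropped. The login-page functions, their names and the page object standing in for `window` are all constructed for the example.

```javascript
// FNV-1a 32-bit hash of a string, used to fingerprint function source.
function fnv1a(str) {
  var h = 0x811c9dc5;
  for (var i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16);
}

// Build the baseline: for each expected name, the hash of its current source
// (null if it is not a function at snapshot time).
function snapshot(scope, names) {
  var baseline = {};
  names.forEach(function (name) {
    var fn = scope[name];
    baseline[name] = (typeof fn === "function") ? fnv1a(fn.toString()) : null;
  });
  return baseline;
}

// Compare the live scope with the baseline. Each finding is
// { name, issue } with issue "missing" (dropped) or "modified" (replaced).
function audit(scope, baseline) {
  var findings = [];
  Object.keys(baseline).forEach(function (name) {
    var fn = scope[name];
    if (typeof fn !== "function") {
      findings.push({ name: name, issue: "missing" });
    } else if (fnv1a(fn.toString()) !== baseline[name]) {
      findings.push({ name: name, issue: "modified" });
    }
  });
  return findings;
}

// Constructed stand-in for the page's global scope on a login page.
var page = {
  validateLogin: function (id, pw) { return id.length > 0 && pw.length > 0; },
  submitLogin: function (id, pw) { return "POST /login for " + id; },
  showError: function (msg) { return "error: " + msg; }
};
var EXPECTED = ["validateLogin", "submitLogin", "showError"];

// Run the audit on a clean page, then again after simulated tampering of the
// kind the talk describes: one function wrapped by a replacement, one removed.
function runScenario() {
  var baseline = snapshot(page, EXPECTED);
  var clean = audit(page, baseline);   // [] on an untouched page

  var original = page.submitLogin;
  page.submitLogin = function (id, pw) { return original(id, pw); }; // replaced
  delete page.showError;                                              // dropped
  var tampered = audit(page, baseline);

  return { clean: clean, tampered: tampered };
}
```

Keep the baseline somewhere the injected script cannot rewrite (computed at build time and compared server-side, for instance), otherwise an attacker who can alter your functions can alter the whitelist too.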

When edits to a web form seem to also cause changes to the wrong designer.cs file...

...look at the "CodeBehind" setting in that first tag at the top of the web form's markup. It is probably just referencing the wrong .cs file.

Tuesday, August 18, 2015

I dropped my iPhone today.

Luckily, I put an OtterBox case on it after I got back from Las Vegas so the glass pane on the back did not crack. The iPhone 4, 4S, and, I think, 5 are all designed to have a pane of glass on the back which is going to shatter when dropped to the floor. It's an awful design. The OtterBox is a good safeguard against the glass breaking. Also, while I haven't owned an iPhone 5 or 6, I can say that the 4 and 4S get really hot in the hand and the OtterBox will also hide the effect of the heat from you too.

Monday, August 17, 2015

Error installing Microsoft Visual Studio 2010 Shell

Get around this error when installing MSSQL 2014 by installing:

  1. Microsoft Visual Studio 2010 Shell (Isolated) Redistributable Package
  2. Service Pack 1 for Visual Studio 2010

Bonus: I got around this problem by installing MSSQL 2014 on Windows Server 2008 R2 (at a VMware VM) where it was much easier to just turn on the 3.5 stuff.

an impossible-to-follow lecture on Internet Explorer's memory management

This talk was given by Abdul-Aziz Hariri (left), Simon Zuckerbraun (center), and Brian Gorenc (right), and it was easily the toughest talk to follow that I saw at Black Hat! I'm a C# developer not a security professional and maybe that's the whole problem, but honestly I wonder if the security professionals at my work wouldn't have been a little baffled too. "Using MemoryProtection as a way to bypass ASLR" (where ASLR is address space layout randomization) was the name of this thing. The premise was that as of the middle of last year attackers were giving up on trying to use Internet Explorer to attack corporations and were instead shifting their focus to Adobe Flash vulnerabilities. This is because the isolated heap was introduced in June of 2014 to IE. Now why older versions of IE could not just be used anyways for mischief (sidestepping the security), I do not know. Maybe the attacks attack installs of IE itself in lieu of coming from IE? Don't expect what follows to be too followable, and, yes, I know followable is not a real word. The isolated heap does a good job of separating the memory management scope of DOM objects from other types of allocations. MemoryProtection is... um, I think a separate but complementary upgrade introduced at the same time to Internet Explorer. It introduces a deallocation delay from memory so that the garbage collection cannot just clean up deallocated memory, but instead memory lingers even when it is irrelevant for a spell before it may be wiped, not unlike flags being set at half-mast for weeks whenever a U.S. President dies keeping that person in our thoughts for a window yet even though they themselves are quite finished. It's memory Purgatory for souls doomed to an atheist afterlife. Anyhow, the isolated heap and the MemoryProtection basically make things better, but the three super-smart individuals on the panel have found a new loophole in the MemoryProtection that opens up a new vulnerability.
Microsoft baited the public to find something wrong with the isolated heap and MemoryProtection with a $25,000 prize and these three guys won the prize with their findings. They then turned around and recommended to Microsoft solutions to correct the problem and Microsoft did not act on their suggestions so the security hole in modern Internet Explorer that I'm getting to still exists, but I wouldn't get too excited because there is no way Average Joe is gonna understand it to exploit it. Maybe Microsoft just thought they could let it be. I dunno. Alright, if you bombard the heap to the point that it is full with noise predictably in one megabyte blobs of memory usage and you wait for garbage collection to clean up a one megabyte blob of memory, when you next shove in the next one megabyte blob of memory, it is reasonable to assume that it will land in the one and only available empty one megabyte slot for memory that the last actor just left. If you cannot put it in there that tells you that the last actor has not left, perhaps because it is in use, but also perhaps because MemoryProtection just hasn't let go of it. With this you can narrow in on an address space of MemoryProtection, but don't ask me how because I'm already lost, and from there you may move onward to more sinister things (armed with that knowledge) but I couldn't follow what comes next either. That's it. That's the whole talk. During the presentation, the guy sitting next to me held up a piece of paper with the number ten on it for the panel to see as if he were a judge judging a beauty contest and he were awarding the highest honor. He seemed to be directly attempting to rattle the speakers as if to say "Good job with the geek out. We're all lost." and I looked at him and smiled and shrugged at the over-our-heads content and he smiled back as if to affirm, yes, it was all too much. 
Afterwards, I realized there is a guy like him at every talk and the 10 just lets the speakers know that they only have 10 minutes left and it's not a prank that one individual orchestrated as my imagination deduced. Where my imagination went kinda says something though. Good job Abdul, Simon, and Brian. You're smarter than Microsoft and certainly smarter than me.

Monad

Wikipedia says: "In functional programming, a monad is a structure that represents computations defined as sequences of steps"

Sunday, August 16, 2015

I helped a friend with code today and, wouldn't you know it, I ended up learning a few things myself.

In the Sencha flavor of ASP.NET MVC there are no .cshtml views. Instead all views are purely JavaScript files! Autofac is another IoC tool. You may get your current timezone hour offset from UTC time in MSSQL like this:

SELECT datediff(hour, GETUTCDATE(), getdate())


Offset a datetime's hours in MSSQL, perhaps as if casting a UTC time to local time, like so:

SELECT dateadd(hour, -5, @whatever)


If you were casting UTC time to local time you'd have to account for the possibility of daylight saving time somehow...

SELECT dateadd(hour, (-6 + @daylightsavingsoffset), @whatever)


Something I told my friend which I might as well write about is that if you are looking at two files with two partial C# classes that make up one class and one of the partial classes inherits from a parent while the other doesn't, as only one has to, odds are that the partial class which calls out the inheritance is the "primary" of the two files so to speak and the other file is the red-headed stepchild which is extending it or perhaps in the case of a .designer.cs is tucking away unsightly noise. Of course, it could be the other way around too. This is more of a perceived nuance than anything concrete as really all partial classes in a class are equals and there is no "primary" partial, not in the strictest sense. In terms of thinking about what came first and what is going on when reverse-engineering someone else's stuff however, my mind tries to find a primary.

Big Game Hunting: The Peculiarities of Nation-State Malware Research

This was yet another Black Hat talk I saw and a Ms. Marion Marschalek (left) and a Mr. Morgan Marquis-Boire (right) gave it. A Claudio Guarnieri was supposed to be there too, but was absent. In early 2010 Google announced it had been hacked by China. Silicon Valley has been hacked by China. Everyone has been hacked by China. Big countries are using hacking as a form of espionage and small countries wish they were. Malware has become a threat to the intelligence industry. Intruders now go into networks and observe them rather than act maliciously and get out right away. Ways the bad can get in include:

  1. threat intelligence (analysis on existing exposed data which reveals something new)
  2. telemetry data (data collected from infected endpoints which have been hacked)
  3. leaked documents (think Edward Snowden)
  4. infected machines
  5. gossip

The talk was basically on reverse-engineering who might be a responsible party (which nation?) for an attack. The example of Babar, a piece of malware the government of France introduced in Canada to spy on individuals there, was used. In the case of Babar, its binary tied into other binaries (sometimes indirectly by way of a daisy-chaining effect) which had reared their ugly heads before in malicious circumstances. If one looked at the other pieces of malware and where they had been used before, the finger of blame pointed to France. In short, how you hack says a lot about who you are. You may be signing your name without realizing it. Things investigators may look at to deduce a "signature" for a setup include string constants (error messages, string formatting style, English grammar mistakes, C&C commands, timestamp formatting), implementation traits (memory allocation habits, use of global variables, multi-threading model, software architecture and design, constructor design, dynamic API loading technique, exception handling, usage of public source code, programming language and compiler, compilation time stamps and time zones), custom features (obfuscation techniques, stealth and evasion techniques, use of encryption and compression algorithms, encryption keys, re-used source code, malware specific features, system infiltration, propagation mechanisms, artifact naming schemes / algorithms, data exfiltration techniques, system / OS version determination technique, C&C command parsing implementation), and infrastructure (C&C servers, countries / languages used for domain hosting and naming, beaconing style, communication protocol and port, communication intervals). What do some of these terms mean? C&C stands for command and control and in the space of malware refers to infrastructure such as virtual or physical servers used to facilitate attacks. Data exfiltration is the transfer (stealing) of sensitive data. 
When traffic exits a network on regular intervals it makes a "beacon" (or heartbeat). Artifacts are evidence of the hack lingering after the fact. A binary is a file, maybe an executable, maybe a .dll, but not a human readable text file.
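Extracting one of the implementation traits listed above, the compile timestamp, from a PE header, as an added example that is not code from the talk or from any tool it named; the header bytes, the sample timestamp and the candidate UTC offsets are constructed here, and the field offsets are the standard PE layout.

```javascript
// Added example, not code from the talk: pull the COFF TimeDateStamp out of a
// PE (Windows .exe/.dll) header and ask what working hour it would be in a
// candidate time zone. Layout used: e_lfanew at 0x3C, "PE\0\0" signature,
// then the COFF header whose TimeDateStamp sits 8 bytes past the signature.

// Build a minimal, non-runnable PE stub (constructed) carrying the given stamp.
function buildMinimalPeStub(timestampSeconds) {
  const buf = Buffer.alloc(0x40 + 4 + 20);    // DOS header, PE signature, COFF header
  buf.write('MZ', 0, 'ascii');                 // DOS magic
  buf.writeUInt32LE(0x40, 0x3c);               // e_lfanew: PE signature lives at 0x40
  buf.write('PE', 0x40, 'ascii');              // the two NUL bytes are already zero
  buf.writeUInt16LE(0x014c, 0x44);             // Machine: IMAGE_FILE_MACHINE_I386
  buf.writeUInt16LE(1, 0x46);                  // NumberOfSections
  buf.writeUInt32LE(timestampSeconds, 0x48);   // TimeDateStamp (seconds since epoch)
  return buf;
}

// Read TimeDateStamp from a PE image, validating both magics first.
function readPeTimestamp(buf) {
  if (buf.length < 0x40 || buf.toString('latin1', 0, 2) !== 'MZ') {
    throw new Error('not a DOS/PE file');
  }
  const peOffset = buf.readUInt32LE(0x3c);
  if (peOffset + 24 > buf.length ||
      buf.toString('latin1', peOffset, peOffset + 4) !== 'PE\0\0') {
    throw new Error('missing PE signature');
  }
  const seconds = buf.readUInt32LE(peOffset + 8);
  return { seconds, utc: new Date(seconds * 1000).toISOString() };
}

// Hour of day the build happened if the developer worked in a zone at
// utcOffsetHours. A cluster of such hours across many samples is the
// "time zones" signal; a single sample proves nothing on its own.
function compileHourForOffset(seconds, utcOffsetHours) {
  const utcHour = Math.floor(seconds / 3600) % 24;
  return ((utcHour + utcOffsetHours) % 24 + 24) % 24;
}

// Constructed sample: a binary stamped 2015-08-05T13:00:00Z.
const SAMPLE_STAMP = 1438779600;

function demo() {
  const stub = buildMinimalPeStub(SAMPLE_STAMP);
  const { seconds, utc } = readPeTimestamp(stub);
  return {
    utc,                                                  // '2015-08-05T13:00:00.000Z'
    hourIfUtcMinus5: compileHourForOffset(seconds, -5),   // 8, a morning build in CDT
    hourIfUtcPlus3: compileHourForOffset(seconds, 3),     // 16, an afternoon build in EAT
  };
}
```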

Saturday, August 15, 2015

Ajit Gaddam spoke on "Securing Your Big Data Environment" at Black Hat.

He is a CISSP (Certified Information Systems Security Professional), VISA's Chief Security Architect, and a coauthor of Hadoop in Action 2. This talk largely focused on the world of Hadoop and how to deal with it, what some of the surprises may be, etc. When you engage with a vendor to get a Hadoop rollout, expect a vendor to add their own way of doing things into the mix with the Hadoop deployment to such a degree that another vendor won't be able to augment their work. Hadoop in and of itself is open source but what you will end up buying will likely not be truly open source. This is a variation of this making-people-pay-for-free-stuff trickery I suppose. Hadoop will, if worthy of the indulgence, contain sensitive data and needs to be approached carefully. Beyond your own ability to sleep easy at night you may be subject to regulatory compliance, since if your ETL is moving cardholder data it may be in scope for a PCI audit. Plan your defenses around a potential category of attacker based upon who would likely attack you. Threat model your environment such that sensitive data can be broken off into one cluster (set of connected servers), for example, independent of non-sensitive data in another cluster. Circling back to cardholder data, credit card numbers are useless by themselves if they fall into the wrong hands. Supporting data has to accompany them in order for the numbers to be worthwhile to a hacker so perhaps the numbers and the other data points should be kept in very different places. Understand how your end-to-end data flows, especially the ingress and egress methods from your big data cluster. Bake that into your threat model. Why is our data compressed with gzip? Storage is cheap. Just buy storage in lieu of compressing data. In cryptography, Format-Preserving Encryption (algorithmically tokenizing one credit card number as another credit card number) is still evolving and there are no real standards yet. 
NIST (The National Institute of Standards and Technology) has FFX (Format-preserving, Feistel-based encryption, with the X reflecting the multiple instantiations based upon the number of parameters handed in) and BPS (Eric Brier, Thomas Peyrin, Jacques Stern) as its finalists.

What are the timezones?

This has the following table which I will put blind faith in.

MIT Midway Islands Time GMT-11:00
HAST Hawaii Standard Time GMT-10:00
AKST Alaska Standard Time GMT-9:00
AKDT Alaska Daylight Saving Time GMT-8:00
PST Pacific Standard Time GMT-8:00
PDT Pacific Daylight Saving Time GMT-7:00
MST Mountain Standard Time GMT-7:00
MDT Mountain Daylight Saving Time GMT-6:00
CST Central Standard Time GMT-6:00
CDT Central Daylight Saving Time GMT-5:00
EST Eastern Standard Time GMT-5:00
EDT Eastern Daylight Saving Time GMT-4:00
PRT Puerto Rico and US Virgin Islands Time GMT-4:00
CNT Canada Newfoundland Time GMT-3:30
AGT Argentina Standard Time GMT-3:00
BET Brazil Eastern Time GMT-3:00
CAT Central African Time GMT-1:00
UTC/GMT Universal Coordinated Time/Greenwich Mean Time GMT
WET Western European Time GMT+0:00
WEST Western European Summer Time GMT+1:00
CET Central European Time GMT+1:00
CEST Central European Summer Time GMT+2:00
EET Eastern European Time GMT+2:00
EEST Eastern European Summer Time GMT+3:00
ART (Arabic) Egypt Standard Time GMT+2:00
EAT Eastern African Time GMT+3:00
MET Middle East Time GMT+3:30
NET Near East Time GMT+4:00
PLT Pakistan Lahore Time GMT+5:00
IST India Standard Time GMT+5:30
BST Bangladesh Standard Time GMT+6:00
ICT Indochina Time GMT+7:00
CTT China Taiwan Time GMT+8:00
SGT Singapore Time GMT+8:00
AWST Australia Western Time GMT+8:00
JST Japan Standard Time GMT+9:00
ACST Australia Central Time GMT+9:30
AEST Australia Eastern Time GMT+10:00
SST Solomon Standard Time GMT+11:00
NZST New Zealand Standard Time GMT+12:00
NZDT New Zealand Daylight Saving Time GMT+13:00

I saw Natalie Silvanovich give a talk titled "Attacking ECMAScript Engines with Redefinition" at Black Hat.

So what is redefinition? Let's say we wanted to redefine, per Natalie's example, this...

alert("hello");


...which manifests like this...


Well, an eye-opener that I've had this summer is that any of ECMAScript's keywords may be set like variables to be something else. In Natalie's example a function and an assignment were added upstream of the alert like so:

function f(mystring) {
   document.write(mystring);
}
alert = f;
alert("hello");


...giving:


...for me in Google Chrome. Do you see how alert now writes something instead of throwing up an alert? If you could slip in the function and the assignment in an XSS attack you could make this fairly mundane change occur at a web site and, thus, write to the browser all alerts downstream of your injection point. Natalie was quick to caution that the effect I describe above is what mostly happens in the JavaScript space. In some browsers the alert will still be an alert and in other browsers neither the alert nor the document.write will be tripped. In this latter scenario, nothing happens at all. Anyways, beyond this silly example, if you use your imagination/creativity you can probably come up with some ways to do some real harm. I put my hand up and asked about the effects on JavaScript frameworks such as AngularJS and Natalie in response suggested that her personal testing and research in advance of the talk really instead focused on the ActionScript of Adobe Flash. Apparently there are plenty-o-vulnerabilities of this shape in ActionScript 2.0 and she had numerous slides with numerous examples. __resolve apparently may be run when a property or method is undefined. If you can overpower __resolve with your own madness, well... yikes! Another way to hack is to subclass an existing object. Properties on a "class" can sometimes be overwritten by extending the class. When I close my eyes and try to picture the hack I suppose this would allow for some internal mechanics of the thing being tampered with to continue to behave while others get redefined. ActionScript 3.0 has a lot of the pitfalls filled in to prevent you from falling down a hole and hurting yourself, but Natalie suggested there were still problems with ActionScript 3.0 too. I don't know what injection attacks look like in the Flash space. Does one enter stuff into a form in a Flash app only to have something interpreted as a string get reinterpreted as ActionScript? 
I don't know and Natalie didn't delve into how to push attacks in. She did suggest that one thing that could be done to make redefinitions harder to obtain was to put wrappers around functions as suggested here. Using a fuzzer to bombard your engine to find weakness (should it exist) was also recommended. IDA in particular was mentioned by name.
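The redefinition above next to one way to pin the binding, in the spirit of the wrapper advice, as an added example rather than Natalie's code; the `win` object is a constructed stand-in for the browser's global object, since Node.js has neither window nor alert.

```javascript
// Added example, not from the talk. `win` stands in for window; in a browser
// `win.alert = f` is simply `alert = f` as in the original snippet.

function makeWindow(log) {
  // Constructed stand-in for window: alert() just records what it was asked to show.
  return { alert: (msg) => { log.push('alert:' + msg); } };
}

// The injected code from the example: a function plus an assignment.
function injectRedefinition(win, log) {
  'use strict';                                   // failed assignments throw here
  function f(mystring) { log.push('write:' + mystring); }   // stands in for document.write
  win.alert = f;
}

// Unprotected page: every alert() call after the injection point is diverted.
function unprotectedScenario() {
  const log = [];
  const win = makeWindow(log);
  injectRedefinition(win, log);
  win.alert('hello');
  return log;                                     // ['write:hello']
}

// Hardening: take a private reference before any untrusted script runs and
// pin the global binding so a later assignment cannot swap it out.
function lockFunction(win, name) {
  const original = win[name];
  Object.defineProperty(win, name, {
    value: original, writable: false, configurable: false, enumerable: true,
  });
  return original;
}

function hardenedScenario() {
  const log = [];
  const win = makeWindow(log);
  const realAlert = lockFunction(win, 'alert');
  let assignmentError = null;
  try {
    injectRedefinition(win, log);                 // strict-mode write to a read-only property
  } catch (e) {
    assignmentError = e.constructor.name;         // 'TypeError'
  }
  win.alert('hello');                             // still the original
  return { log, assignmentError, stillOriginal: win.alert === realAlert };
}
```

In sloppy-mode code the blocked assignment fails silently instead of throwing, so the pinned binding still holds but nothing is logged about the attempt.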

Friday, August 14, 2015

Google Chromebook?

This suggests that Chromebooks are of Linux under the hood but that all of the files are encrypted! This suggests that different users will have different encryption implementations and that there is no way to spy on one user's doings by ripping the files out of the hard drive to have at them.

Thursday, August 13, 2015

Cell Phone Screen Cleaner Swag

I came away from this year's Black Hat with a bunch of swag and I gave it to my immediate teammates. One coworker wondered aloud what his strange keychain was today and I didn't know myself. Our superior somehow figured out that it is this thing which looks like this:

0.2 + 0.1 - 0.3 in JavaScript gives 0.00000000000000005551115123125783 in Firefox, Safari, and Internet Explorer!

...but just a plain zero in Opera and Chrome. Programming languages can only handle a certain amount of precision. I saw Fernando Arnaboldi give a talk called "Abusing XSLT for Practical Attacks" at this year's Black Hat, and a quote from the talk was "God is real, unless declared integer." which winked at the damage one may do when transforming a floating point number at one server to a floating point number at another. If one moves a 101 decimal place number to a new locale that only accounts for 100 decimal places one may transfer funds from one bank account to another, for example, in tiny amounts repeatedly in a manner that makes one grotesquely rich making something out of nothing by way of exploiting the rounding. 100 and 101 are exaggerations in this example, but, you get the idea. This must be why BAI2 files display currency values at one hundred times what they actually are as to have the first two decimal places baked into an integer in a roundabout way. The convention probably exists to strictly enforce a two point precision while enjoying the safety integers afford. Then again, maybe there are better ways to do this. I guess I don't know. XML vulnerabilities are fun, and they may get you some passwords! An XSLT lets you receive an XML document and then output an XML, HTML, or text document. There are now three different versions of XSLT (v1, v2, v3) and v1 is the most implemented and the most supported by web browsers. Fernando's talk alluded to there being a way to do XSLT injections at a web browser, but I did not come away with an understanding of how. Command Line Interface (CLI) standalone server-side processors for XSLTs include Libxslt, Xalan, and Saxon. There may be a problem with generating random numbers in XSLTs too as the numbers may not be really random if they are driven by an implementation based upon the ticks and two calls happen back to back. 
There are apparently loopholes for getting a random number and then thus knowing what a random number will be in the immediate split second window of time and taking advantage of as much although I really couldn't follow the example given myself.

Hmmm... I just tried the calculation in Chrome's console and I got the long answer instead of the zero. Was this speaker wrong?
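The quoted expression and the integer-cents convention the BAI2 remark describes, side by side, as an added example that is not from the talk; the amounts and helper names are constructed here.

```javascript
// Added example, not from the talk: why money is carried as integer minor
// units (cents) rather than as binary floating point, and a parser that goes
// from decimal text straight to cents so no double ever holds a currency value.

// The quoted expression; IEEE 754 doubles cannot represent 0.1, 0.2 or 0.3 exactly.
function floatDrift() {
  return 0.2 + 0.1 - 0.3;                       // 5.551115123125783e-17, not 0
}

// Ledger kept in doubles: the representation error compounds with every addition.
function sumAsFloat(amount, count) {
  let total = 0;
  for (let i = 0; i < count; i++) total += amount;
  return total;
}

// Parse "19.99", "-3.5", "7" into integer cents without a float in between.
// More than two decimals is rejected rather than silently truncated, which is
// exactly the precision gap the rounding trick described above relies on.
function toCents(text) {
  const m = /^(-?)(\d+)(?:\.(\d{1,2}))?$/.exec(text.trim());
  if (!m) throw new RangeError(`not a two-decimal amount: ${text}`);
  const cents = Number(m[2]) * 100 + Number((m[3] || '').padEnd(2, '0'));
  return m[1] === '-' ? -cents : cents;
}

// Same ledger in integer cents: exact as long as totals stay below 2^53.
function sumAsCents(amountText, count) {
  const cents = toCents(amountText);
  let total = 0;
  for (let i = 0; i < count; i++) total += cents;
  return total;
}

// Render cents back as text for display or for a wire format that wants decimals.
function formatCents(cents) {
  const sign = cents < 0 ? '-' : '';
  const abs = Math.abs(cents);
  return `${sign}${Math.floor(abs / 100)}.${String(abs % 100).padStart(2, '0')}`;
}
```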

.StartEditRow returning an "Object reference not set to an instance of an object." error at a DevExpress ASPxGridView even when .AddNewRow works just fine

At the markup for ASPxGridView something between...

<Templates>
   <EditForm>


...and...


   </EditForm>
</Templates>


...something could be jacked up. For me however, when this happened, the HtmlEditFormCreated event was calling .GetRowValues on the ASPxGridView at a code behind and handing in bad values.

two PostgreSQL tools and one PostgreSQL note

pgAdmin and DbVisualizer are tools. PostgreSQL doesn't have users, just roles.

Wednesday, August 12, 2015

ATLM is Automated Testing Lifecycle Management or Automated Testing Lifecycle Methodology.

the InPrivate browser!

This says: "InPrivate Browsing enables you to surf the web without leaving a trail in Internet Explorer." and you may open the InPrivate browser from within Internet Explorer 11 at Windows 7 by pressing: Ctrl-Shift-P

What is an expression-bodied member in C# 6.0?

This...

public System.Web.UI.Page WebPage => this;


...is basically the same as this...

public System.Web.UI.Page WebPage
{
   get
   {
      return this;
   }
}


...per this.

RedGate SQL Compare has options for subtleties, such as whitespace, to just leave out of the SQL it writes.

David Atkinson tweeted to me: "There's also an Option to Ignore users' permissions and role memberships that you might want to enable" ...and, at the "New Project" dialog box these seem to be at the Options tab. You set this stuff upfront.

I saw Ahamed Nafeez give a talk on debugging modern JavaScript frameworks.

The talk was at Black Hat and of modern JavaScript frameworks React, AngularJS, Knockout, and Meteor were given as examples. If you look at the code base for AngularJS, for example, it is a rat's nest of spaghetti and whenever you work with Angular and you run into a bug if you step through code you will find yourself, very often, leaving your implementation, bouncing around inside of AngularJS's code one hundred times, and then eventually getting an error message that is impossible for mortal man to relate back to the pain point. The error message will be opaque and ungoogleable. Static analysis is becoming harder for client side JS code, so how may one undertake pen tests (penetration tests, attacks looking for weakness) against the modern frameworks without an impossible plumbing chore? DOMinatorPro is one tool for this challenge. Hookish! is a Google Chrome plugin that Ahamed wrote himself for WRT (Wireless RouTer) pen tests. Other interesting things said on this subject were:

  • JSX is an extension for ECMAScript which allows for XMLesque syntax.
  • The thing one is trying to guard against in this space is DOM XSS, cross-site scripting attacks in which one slips in some JavaScript content into a form's entry and it bubbles its way back up into displayed content causing drama. As far as terminology goes, "sources" are data entry points and "sinks" are the areas of reemergence where the injected code is executed.
  • damnvulnerable.me is a web app that one may experiment attacks against.
  • public-firing-range.appspot.com has some examples of some sinister code.
  • Direct ways to cast a string into code in JavaScript include eval(), setTimeout, Function(x)(), and execScript(x) while indirect ones include document.write, Element.setAttribute(x), Element.innerHTML=x, and the $(x) of jQuery.
  • One may get a stack trace in Google Chrome's V8 Engine like so:
    var functionCallTracer = function() {
       this.error = new Error('Deliberate!');
       this.stack = this.error.stack;
    }
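Hooking a sink so that each write through it is logged with its call stack, in the spirit of the stack-trace snippet above, as an added example that is not Hookish! or any other tool from the talk; `FakeElement`, `hookSink` and the sample values are constructed here since Node.js has no DOM.

```javascript
// Added example, not from the talk. In a browser the hook would go on
// Element.prototype ('innerHTML') or another of the indirect sinks listed
// above; here a constructed FakeElement stands in for Element.

class FakeElement {
  constructor() { this._html = ''; }
  get innerHTML() { return this._html; }
  set innerHTML(value) { this._html = String(value); }
}

// Replace an accessor's setter with a logging wrapper. The original setter
// still runs, so the page keeps working while the tester watches the sink.
function hookSink(proto, prop, sinkName) {
  const log = [];
  const desc = Object.getOwnPropertyDescriptor(proto, prop);
  if (!desc || typeof desc.set !== 'function') {
    throw new Error(`${sinkName}: no setter to hook`);
  }
  Object.defineProperty(proto, prop, {
    configurable: true,
    enumerable: desc.enumerable,
    get: desc.get,
    set(value) {
      // The stack is what lets a tester walk back from the sink to the source.
      const stack = new Error('Deliberate!').stack;
      log.push({ sink: sinkName, value: String(value), stack });
      desc.set.call(this, value);
    },
  });
  return log;
}

// Crude triage signal: does the written value carry something script-bearing?
function looksLikeMarkup(value) {
  return /<\s*script\b|javascript:|\bon\w+\s*=/i.test(value);
}

function demo() {
  const log = hookSink(FakeElement.prototype, 'innerHTML', 'Element.innerHTML');
  const el = new FakeElement();
  // Constructed values reaching the sink: one benign, one script-bearing.
  el.innerHTML = 'Hello, Angular';
  el.innerHTML = '<script>x</script>';
  return log.map((entry) => ({
    sink: entry.sink,
    suspicious: looksLikeMarkup(entry.value),
    fromDemo: entry.stack.includes('demo'),     // the stack names the writer
  }));
}
```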

Tuesday, August 11, 2015

There are a series of checkboxes at the left nav of RedGate SQL Compare 11.

I recommend leaving checked Function, Schema, Stored Procedure, Table, View, and perhaps also DDL Trigger and/or Role, but unchecking everything else. (Everything is checked by default.) This will prevent you from comparing everything and having a bunch of unwanted SQL for adding and dropping users.

Monday, August 10, 2015

I couldn't get this to work, but it is interesting.

I was trying to reset the password for a local administrator at a VMware VM.

  1. Per this, download and install the Spower software here and then run it.
  2. Once "Password Recovery Tools 2012 Trail" is installed pick "Windows Password Reset" at the left which should expose the "Spower Windows Password Reset" option.
  3. Burn the software to a USB drive. If the software can't see your drive, close the application and reopen it.
  4. Add "bios.bootdelay = 20000" as a line of copy to the .vmx for the VMware VM to edit the password for as suggested here in Notepad.
  5. At "Removable Devices" beneath the "VM" menu you should see the ability to connect the USB device to the VM.
  6. Log into the BIOS for the VM and try to set the boot order to allow for booting from the USB drive.
  7. If that doesn't work use MagicISO to make an .iso of the USB drive's contents and then set this .iso to be the CD in the CD drive of the VM by altering the CD/DVD (SATA) setting for the VM. (Click the "Show or hide console view" icon to expose the left nav of options for the VM.) Note that you must explicitly save the .iso in MagicISO or else it will end up empty inside.
  8. Perhaps you'll need an autorun.inf file with something like this in it at the .iso...
    [autorun]
    OPEN=SETUP.EXE
    ICON=SETUP.EXE,0

honeypot

It's a trap.

Sunday, August 9, 2015

What is BGP? It's border gateway protocol.

"which is the routing protocol different networks use to find communication paths to each other" per: this

If you press F7 in Windows 8 at the command prompt's little black window you should get a list of all commands run.

If you do not, it is because you have not yet run a command. This stuff is session specific and not a history of all commands run at the command prompt ever.

have spooled Func expressions return a count?

I thought today of spooling up Actions in an observer pattern as described here and wondered if there would ever be any reason to use Funcs instead of Actions. (In C# a Func returns something while an Action is identical save that it returns void.) I guess you could return true as a Boolean example in a ceremonial display of, yes, this worked, or you could return the time for logging, though you could just get the time when logging too. In circling back to the first circumstance, what if you returned a number and the number came from a global variable which kept a count of how many Funcs had been run and this number was being incremented as each Func in the chain ran? (In a spool of Funcs the value returned is that of the last Func run, begging the question: What is the merit of a collection of concatenated Funcs?) Such a number could then be used to sanity check if the appropriate number of Func expressions ran. Of course, you could just pull this number from the global variable if you did the same thing with Actions instead of Funcs. Well, whatever. I suppose you could compare the global variable to the thing returned by the last Func as a sanity check. We are sort of back to the return value being ceremonial in this circumstance though.

Black Hat!

I went to the Black Hat security convention this year in Las Vegas and attended nine talks. The tenth of the nine talks was the keynote of Alejandro Mayorkas, our (America's) Deputy Secretary of Homeland Security, at DEF CON which was titled "Working Together to Keep the Internet Safe and Secure" and which was an apologetic reaction to what he had experienced at Black Hat and an unabashed attempt to try to extend an olive branch from the government to the distrustful hacker community. The only specific idea that Alejandro suggested was to form an advisor board from the hacker community which could interface with our government. This seemed like a good idea to me. Alejandro had spoken at Black Hat and must have faced some abrasion as this talk seemed to be entirely about doing damage control. He acknowledged a woman in the audience sitting near me who had told him that Wassenaar (information sharing between nations on the distribution of arms to other nations) was a train wreck at Black Hat in trying to cite examples of the fact that the government was listening and wanted to listen to the hacker community. Alejandro acknowledged that a divide of distrust had grown between "the two groups" (government peeps and hackers) over recent years. He didn't mention Edward Snowden or Bradley Manning by name but clearly this was about the bigger picture they are a part of and the whole sense of 1984esque watching-over-your-shoulder ubiquitous gloom that is so much on everyone's mind. The government needs the trust of hackers and their embrace (patriotism) and such trust is not going to be rebuilt overnight. He asked that we start somewhere and try to find a place of acceptable risk within which to take a chance on being vulnerable and, thus, trustful. 
In the wake of this or perhaps just before, some of the DEF CON staff walked onto stage with him and told him that he had to have a shot of Jack Daniel's in front of the crowd as an initiation into DEF CON given that he was a first time speaker. Of course, given his tiptoeing and how-can-I-win-your-trust-pretty-please projections there was no way for him to say no. He negotiated that the shot be small and mentioned whatever party it was that he had to meet on official government business immediately after to try to rationalize the shot being small. He had a small shot of Jack Daniel's which may have been inappropriate as could be if he was working for the government officially in that moment. In return I will trust that the government did not hack my laptop while I was at Black Hat. There was a time, a few days earlier, when I jumped on Four Seasons' wireless which required no password for a moment to check email and when I did the command prompt's little black window on my laptop flickered open/closed twice before I powered my laptop off in reaction. I'm going to have faith that this wasn't Uncle Sam Mr. Mayorkas. At the end of the talk, when he took questions, a member of the audience tried to get Alejandro to denounce the imposition of backdoors asserting that it was stupid for commerce. This was a theme I saw at Black Hat. No one likes the backdoors and the golden keys. Alejandro said that he knew what the problem was with respect to the threat of terrorists and that he did not know what the solution was. He did not denounce the backdoors and the crowd did not boo him either. I guess he did OK. So what is Black Hat? I once had a coworker give a presentation on the six thinking hats which Wikipedia describes like so:

  1. Managing/Blue what is the subject? what are we thinking about? what is the goal?
  2. Information/White considering purely what information is available, what are the facts?
  3. Emotions/Red intuitive or instinctive gut reactions or statements of emotional feeling (but not any justification)
  4. Discernment/Black logic applied to identifying reasons to be cautious and conservative
  5. Optimistic Response/Yellow logic applied to identifying benefits, seeking harmony
  6. Creativity/Green statements of provocation and investigation, seeing where a thought goes

...but black here goes just back to black versus white thematic good versus evil I think. There used to be a separate White Hat convention (I've heard) for the security professionals and then Black Hat was an independent convention for the hackers they tried to keep out, but they got combined into one annual event. I have always heard stories, and now, I've been. As mentioned, there were another nine talks I saw and if you'll be patient I'll type up blog postings for all of them.

Saturday, August 8, 2015

Harbinger Down

Today I drove from Las Vegas to Las Cruces and on the way I stopped at the AMC Arizona Center 24 in Phoenix to see the film Harbinger Down. As far as made for pennies science fiction films go, I liked this film better than Primer (2004) but not as good as Coherence (2013) and I'm still up for more cheapo Sci-Fi yet! All of the acting is great. I didn't catch any real mistakes. I wanted to see it because it "starred" Lance Henriksen, but it turns out that he really has a supporting role and not even the best of the supporting roles. The film stands on its own by way of a cast of unknowns just fine. At one point Lance says "this thing has been frozen since the '80s" in reference to a reentered Soviet satellite that the heroes come across to their detriment (a monster awaits within) and I wondered if he was breaking the fourth wall a little and talking about perhaps

  1. himself, or
  2. this subgenre, and in particular this subgenre is of old school rubber suit movie monsters without any computerized digital touch-ups to what is filmed.

This romanticism for the queso of a bygone exploitation age is both formulaic and, yet, more original than you'd think when you get down to some of the smaller details. I like this little movie. Milla Bjorn (left) and Camille Balsamo (right) are the real stars. They are pictured here:

Saturday, August 1, 2015

use SSMS Red Gate SQL Prompt to complete a join

If you just type a space after the ON, the IntelliSense will most likely suggest the join that makes sense.

Windows 10!

On Wednesday, July 29 of 2015, Windows 10 was released and I went to a tech talk on it one day later (July 30) at the Microsoft Center in Austin's Domain mall which was partially coordinated by Ryan Joy pictured here. Over five million Windows Insiders have been testing Windows 10 up until now so it is hardly super mysterious or new. Why no Windows 9? Ryan explained that there is a lot of old Java code that tried to match on the first piece of a string for "Windows 9" to try to distinguish Windows 95 and Windows 98 from Windows NT. It is pretty easy to roll back an upgrade from Windows 8.1 to Windows 10. There is now a start menu again, but it isn't much like the Windows 7 start menu. Basically, when one opens the menu one sees something like that home screen full of Metro tiles that one sees at Windows 8 only now this new screen is three quarters of the whole screen and sort of sits on top of the desktop at the lower left. At the leftmost edge of this thing is a list of programs in a shape sort of like the Windows 7 start menu, only the hierarchy only drills one tier deep past the initial hierarchy. There is no deep nesting. There is a feedback option baked directly into the start menu to allow users to easily/quickly give feedback to Microsoft on Windows 10. A user profile sits at the upper right of the start menu three-quarters screen thingy. You may access it there. Microsoft Edge is now the default browser at Windows 10. It interfaces seamlessly with Microsoft Office. One may take a web page, "draw over it" with One Note to make whiteboardesque notes on top of it, and then send it on via email, I guess as a flattened screen grab plus. Three dots in a horizontal row at the upper right of Edge are its equivalent to the hotdog menu of Google Chrome. You use that button to break into the settings. 
Microsoft has a goal of continuum in which users get a consistent look and feel at a desktop/laptop, tablet, or phone, but that said there is a specific control to toggle between desktop/laptop and tablet modes and the tablet mode has more of a Windows 8 feel. I myself am not overly excited for Windows 10. I can't imagine we will use it at work anytime soon. It seems like everyone just really liked Windows 7 and wished it would stay. :(

Before the event there was a meet and greet where we, the guests, were fed and we socialized some. Someone I spoke to suggested that he had seen installs which made him think that the program was trying in vain to put stuff in the start menu in a hierarchy more than two tiers deep and the stuff beyond the first tier was just getting flattened into the second. This individual, Jeff, said that one of his frustrations with Windows 8 was that at a list of programs he often saw a swath of multiple items with long names which each started out the same, but which each got truncated in the name of screen real estate before they could be told apart. He said that while this problem still exists in Windows 10's menu system too, one may now mouse over such a listing to see a tooltip revealing the full name. Jeff said that the AOSP (Android Open Services Project?) was the open source core logic that Google itself did not control (open source, remember?) that was the centerpiece of every Android device. Some Chinese vendors sell dumbed-down Android phones that have just the AOSP baseline and nothing more. Anyways, Windows 10 for Windows Phone is very likely to soon work with AOSP allowing Android app store apps to run on the Windows Phone which could save the Windows phone from obscurity/irrelevancy. Think of the apps you use on your iPhone or Galaxy. Does it have a counterpart in the Windows Phone space? No, it does not, not that app for your bank. No one builds apps for that platform and that keeps the platform from being competitive. Jeff said that Objective C is to be interpreted by Visual Studio 2015 and that "sitting is the new smoking" and encouraged me to get a standing desk, but I'm not delving into that silliness. No thank you. This was my first time in a Microsoft Store and I was intrigued. The Microsoft Stores have existed for six years and the Austin locale for three. The staff does first-line-of-support Geek Squadesque work for its clientele. 
The Microsoft Store sure reminded me a lot of the Apple Stores I've been in. There is a difference however, even when Microsoft pretends to be fluffy feel good like Apple, it is making the real tools for work and not the toys. I went there. Challenge me?

Addendum 8/2/2015: AOSP really stands for Android Open Source Project.