Wednesday, February 18, 2009

Developer survey from Microsoft. Each answer you put in displays a different cartoon reflecting your choice. Fill in the survey here.

image

posted on Wednesday, February 18, 2009 9:34:37 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]

I'll post the slides from my AntiXSS talk later, once I've cleaned them up. In the meantime, here are a couple of links:

I will post the slides later.

Kirk

posted on Wednesday, February 18, 2009 9:20:27 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Friday, February 13, 2009

The twitter "don't click" messages are spreading like wildfire. It's a relatively benign form of clickjacking (analysis here) that tricks you into clicking what looks like a harmless button, when actually you're clicking a hidden button on the twitter site that posts a tweet.

I've talked about clickjacking in Wellington, Auckland, Christchurch and Nelson, and while I don't know of a fool-proof way to protect yourself against click-jacking, you should do what twitter have done (and what I suggested at those talks) and include some frame-busting javascript at the top of every page in your site. Details are here: Framebusting in Javascript

Frame-busting works by unwrapping your site from being hosted inside an iframe. It won't stop all click-jacking attacks, and it won't protect all users, but like many security mitigations it's about layering several 90% solutions on top of each other to protect your users and your websites.
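Here is what that frame-busting check looks like in practice, as an added example rather than code from the original post or from twitter's site; the function names, the window stand-ins and the URLs are constructed so that the decision logic runs outside a browser:

```javascript
// Added example (not from the original post): the classic frame-busting
// check, factored so it can be exercised with a window-like object.
// In a real page you would call frameBust(window) from a <script> placed
// at the very top of <head>, before any other content renders.

// A page is framed when its own window is not the outermost (top) window.
function isFramed(win) {
  return win.top !== win.self;
}

// If framed, navigate the outermost window to this page's own URL, which
// unwraps the site from the iframe. Browsers allow a framed page to *write*
// top.location even when the framing page is on another origin (reading it
// cross-origin is blocked). Returns true when a bust was triggered.
function frameBust(win) {
  if (!isFramed(win)) {
    return false;
  }
  win.top.location = win.self.location;
  return true;
}

// --- Constructed window stand-ins (not real browser objects) ---

// A window loaded directly: top and self are the same object.
function makeTopLevelWindow(url) {
  const w = { location: url };
  w.top = w;
  w.self = w;
  return w;
}

// A window loaded inside an iframe on some other site: top is a different
// object whose location the framing page chose.
function makeFramedWindow(ownUrl, framerUrl) {
  const framer = makeTopLevelWindow(framerUrl);
  const w = { location: ownUrl, top: framer };
  w.self = w;
  return w;
}

// Runs both cases and reports where the top-level window ends up.
// Constructed hostnames; example.test stands in for the site being protected.
function demo() {
  const direct = makeTopLevelWindow("https://example.test/compose");
  const framed = makeFramedWindow("https://example.test/compose",
                                  "https://framer.test/dont-click");
  frameBust(direct); // nothing to do: already top-level
  frameBust(framed); // redirects the framer's window to our own page
  return {
    directTop: direct.top.location, // unchanged
    framedTop: framed.top.location, // now https://example.test/compose
  };
}

console.log(demo());
```

As the post says, a script like this is only one layer: frame-busting scripts are known to be bypassable, so a browser-enforced response header such as X-Frame-Options is the stronger complement where the browser supports it.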

Kirk

posted on Friday, February 13, 2009 9:02:39 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Thursday, February 12, 2009

It was a nice sunny day in Nelson yesterday, and it was nice to have a little look at the scenery afterwards (thanks, Daniel!).

I presented a similar "Overcoming your web insecurity" talk that I gave in Auckland recently [slides], and it was good fun diving in to some depth in the extra time we had... hopefully I managed to scare some people!


Next Wednesday at the Wellington .NET Users Group, Owen Evans (who also works at Xero) and I will be presenting two sessions.

Owen will be doing a LINQ Refresher to get us up to speed with the LINQ syntax for selecting, grouping, where-ing and more.

I will be talking about the Anti-XSS library, which is now in beta. The library is pretty cool and helps a lot with encoding data before it ends up on your website :)

More details of the event are here: LINQ Refresher, Anti-XSS and SDE Libraries


Hope to see you on Wednesday!

Kirk

posted on Thursday, February 12, 2009 10:09:55 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Friday, February 06, 2009

Oisín Grehan has a good list of the new cmdlets in PowerShell 2 (currently in CTP3 and the Windows 7 beta):

http://www.nivot.org/2009/02/04/DifferencesBetweenPowerShell10RTMAndPowershell20CTP3Win7Beta.aspx

It's cool having a list of all 106 new cmdlets, including such useful ones as:

  • Test-Connection (ping)
  • ConvertFrom/To-CSV
  • Start/Stop/etc Jobs in the background
  • Get-Random (useful for drawing prize winners at user groups!)
  • ConvertTo-Xml

PowerShell 2 has a bunch of cool new features, and feels like it's getting real close now :)

Kirk

posted on Friday, February 06, 2009 9:32:39 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]

I've got the afternoon off work this Wednesday 11 Feb, and am popping over to Nelson to present on web security (details below).

I hope to see you there!

Kirk

Daniel Ballinger wrote:
> Hi All,
>
> Kirk Jackson from the Wellington .NET user group will be in town on
> Wednesday the 11th of February and is giving a presentation.
>
> Title:
> Overcoming your web insecurity
>
> Abstract:
>
> As an ASP.NET developer, there are many things to think about while
> developing your web application. Come along to understand the
> fundamentals of developing a secure web application, and learn how to
> protect your site against the dangers of cross-site scripting, cross
> domain request forging and click-jacking.
>
> This session will be suitable for all levels of experience, and
> developers who use other web development platforms such as PHP or Java.
>
>
> Presenter:
> Kirk Jackson
>
> Useful links:
> http://pageofwords.com - Kirk's blog
>
> http://mscommunities.net.nz/ - The home of Microsoft communities in New Zealand
>
> When:
> Wednesday 11th February 2009
> Gather at 2:50 pm, starting at 3:00 pm.
>
> Approximately 1 hour 15 minutes plus pizza afterward.
>
> Where:
> FuseIT Ltd,
> Ground Floor,
> 7 Forests Rd,
> Stoke,
> Nelson
>
> (Off Nayland Rd and behind Carters)
> http://local.live.com/default.aspx?v=2&cp=-41.299774~173.236231&style=r&lvl=16&alt=-1000
> or
> http://maps.google.com/?ie=UTF8&om=1&z=17&ll=-41.299774,173.236231&spn=0.005239,0.010042&t=h
>
> If you are parking on site, please use the parks marked FuseIT that
> are at the back of the site.
>
> Giveaways:
> A single copy Microsoft Office 2007 Professional
>
> Catering: Pizza & Drinks
>
> Door Charge: Free
>
>
> RSVP to me if you are going to attend so I can guesstimate the food
> and drink requirements.
>
> However, feel free to turn up on the day though if you can't commit at
> the moment.
>
> Please feel free to invite anyone who may be interested in attending.
>
>
> Cheers,
> Daniel
>
> Daniel Ballinger
> Developer
> FuseIT ™

http://www.fishofprey.com/

posted on Friday, February 06, 2009 9:17:38 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Wednesday, January 28, 2009

A story told through links to web2.0 sites that you know and love: http://blueful.com/

A clever way to tell a story, although it's a bit weird not having the urls hyperlinked.

(via the O'Reilly Radar)

posted on Wednesday, January 28, 2009 8:48:13 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Wednesday, January 07, 2009

Wired's Threat Level blog compiles their list of the top 7 technology-aided crimes of 2008: The Seven Best Capers of 2008

The list is quite a humorous read.

Some of the crimes are caused by the silliness of the affected business, so it almost seems mean to prosecute the criminal :)

posted on Wednesday, January 07, 2009 12:29:28 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Tuesday, January 06, 2009

Very cool. Mindscape have updated LightSpeed so that you can store your data in Amazon SimpleDB: What’s coming in 2009 from Mindscape?

Kirk

posted on Tuesday, January 06, 2009 11:55:23 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Friday, December 19, 2008

[Update: Ooops! I should check the links that I paste into my blog posts!]

On the Flickr dev blog they've written up some interesting experiences from building the iPhone version of their site, which apply to building any lightweight version of a website:

  • Don’t Use a JavaScript Library or CSS Framework - roll your own
  • Load Page Fragments Instead of Full Pages - ajax in the changed content, rather than reloading the whole page
  • Don’t Build for Just One Device - all the world is not an iPhone :)
  • Optimize Everything - trim file sizes and compress content
  • Tell the user what is happening - load indicators

Read more on the Flickr blog.

posted on Friday, December 19, 2008 11:42:04 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [2]
 Wednesday, December 17, 2008

That trip turned out to be a bit of a whirlwind. Sorry I had to dash straight after the presentation!

The talk was an introduction to cross-site scripting (XSS), cross domain request forgery (CDRF) and clickjacking, and used a common theme of "never trust users" to show how trusting GET, POST, Cookies, Headers or other user supplied data could be your downfall.

I've already posted the slides to this talk from back when I presented at the Christchurch Code Camp: Overcoming your web insecurity

There's a new beta of the Anti-XSS library that you should check out when encoding your user-supplied data for use in HTML or attributes. At the same link is the new CAT.NET tool that analyses your code for weaknesses.

The Anti-XSS library now includes the Security Runtime Engine, which will help when encoding ASP.NET controls. I'll be posting about it here soon, so subscribe to my RSS feed :)

posted on Wednesday, December 17, 2008 10:19:01 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Thursday, December 11, 2008

This is very illuminating reading: Browser Security Handbook

The set of web pages covers the standard concepts within web browsers, such as how they treat URLs, JavaScript and CSS, and then covers the security features within each browser, such as same-origin policies.

This is the first time I have seen information about all the browsers in one place, and should be a useful resource to both understand the browser protection mechanisms, and how browsers differ in their implementation of security controls.

posted on Thursday, December 11, 2008 11:39:15 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]

It's posts like this which are why I enjoy reading Ken Levine's blog ...by Ken Levine:

He's bleeding. Nurse, quick! Get me the Super Glue!!

Those sports stars are so clever...

posted on Thursday, December 11, 2008 11:16:39 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Tuesday, December 09, 2008

Just got back from sunny Napier, where I presented the seventh iteration of my Visual Studio Tips n Tricks talk. It's the last one I have scheduled, and 7 is the most I've repeated any presentation in the past -- it was quite nice to polish it that much :)

I think almost every tip is linked to in one of the following posts from my blog -- if not, leave a comment and I'll post it.

Cheers,

Kirk

posted on Tuesday, December 09, 2008 8:40:49 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Saturday, December 06, 2008

The SQL PASS Community Connection event is kicking off about now in Porirua (20 mins from Wellington). I'm not able to make it today, but I do plan to head along tomorrow.

Wake up, get up, and head on over!

posted on Saturday, December 06, 2008 8:05:06 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Friday, December 05, 2008

I'm in Napier presenting my Visual Studio Tips and Tricks talk to the Hawkes Bay .NET Users Group.

I think we're on at 3:30pm at the Taradale EIT Campus, but email me if you're thinking of coming, and I'll get you the info.

Kirk

[Update 8 Dec 2008: Added details below]

The session is at 3:30pm on Tuesday 9 December, at the following location:

Room C117
C-block (Computing building)
EIT (Eastern Institute of Technology)
Taradale end of Gloucester Street
Taradale, Napier

posted on Friday, December 05, 2008 10:29:04 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Thursday, December 04, 2008

I spent some time browsing the Givealittle site while eating my lunch today, and I'm struck by how great an idea it is.

JD from Mindscape posted about how they built the site, which is of course how I ended up there :)

When I've donated money in the past, or wanted to give a donation as a gift for a wedding, birthday or Christmas, I've always spent ages on Google trying to find the project that 'fit' with the recipient (Are they religious? Do they like animals? etc). Givealittle lets you browse a whole bunch of charities on one site, and even give vouchers that let the recipient choose a charity of their own.

There are other features of Givealittle which are good news for givers and charities too: reduced transaction costs, transparency over where the money is spent, collation of all your receipts so that tax time is easier, and more.

A fantastic idea, and a site that I plan to use this Christmas.

Kirk

posted on Thursday, December 04, 2008 1:04:26 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [2]
 Wednesday, December 03, 2008

I had fun presenting on ASP.NET security tonight at the .NET Users Group. It was a bit of a whirlwind tour through some common security issues that you might come across when developing and deploying an ASP.NET application.

I've already posted the slides to this talk from back when I presented at the Christchurch Code Camp: Overcoming your web insecurity

posted on Wednesday, December 03, 2008 9:14:41 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Tuesday, December 02, 2008

I spent the evening at the Summer of Code user group event, along with James Hippolite and Scott McKenzie who are also from the Wellington .NET Users Group.

Summer of Code helps place students into companies over their summer break. At Xero we have James Sullivan currently working on Xero Labs samples on our Xero developer site.

The event tonight was to put students in touch with user groups around Wellington. It was great to see the cool user groups that are up and running, from PHP and Linux to WellRailed and SuperHappyDevHouse. Hopefully the students who were there saw that there's a lot of good support around if you're interested in learning new topics or want help.

Go Wellington!

Kirk

posted on Tuesday, December 02, 2008 9:57:52 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Monday, November 24, 2008

The Security Development Lifecycle website has been updated, and they have launched a cartoon:

http://www.bakingsecurityin.com/

image

You can follow the adventures of Kevin and how he transforms into Kevlarr (presumably while learning to write secure code).

They've got an RSS feed for the comics: RSS (although strip 2 didn't work in the RSS for me, so you might want to go to the site)

posted on Monday, November 24, 2008 7:46:04 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Saturday, November 15, 2008

Next Wednesday we've got Chaks introducing us to Microsoft .NET Services, which are a set of building blocks provided by Microsoft in the upcoming Azure platform that will help you build your cloud computing applications.

The meeting will be held at Xero, starting at 6pm (details below). Please RSVP to kirkj@paradise.net.nz so we can make sure there's enough pizza for all!

Title: Microsoft .NET Services
When: Wed 19 Nov 2008, 6pm
Where: Xero, Level 1, 98 Customhouse Quay, Wellington (above Xero)
Presented by: Chakkaradeep Chandran

Microsoft .Net Services is a part of the recently announced Microsoft Azure Platform.

What does Microsoft .Net Services provide?

Microsoft .Net Services consists of three main components:

  1. Service Bus
  2. Access Control
  3. Workflow Services

They provide a hosting platform where you can develop connected, peer-to-peer applications that can speak to each other without having to deal with complexities such as firewall rules, NAT, etc.

Chaks will cover these three components of .NET Services, and how you can use them in your applications.

Pizza and beer provided. Please RSVP to kirkj@paradise.net.nz


User group meetings are open to anyone to attend. Hopefully we'll see you there!

Kirk

posted on Saturday, November 15, 2008 9:04:15 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]

Well that's good news: Server Core changes in Windows Server 2008 R2

Server Core will soon allow ASP.NET and PowerShell to be installed as options. They've partitioned the .NET framework and only install those parts that are needed (presumably to remove those parts that depend on the UI). I haven't seen any details, but I expect that things in the System.Drawing space may not be there either.

This is good news for people with a farm of web servers, and also for those that want better management of their server core installs.

Kirk

posted on Saturday, November 15, 2008 8:45:06 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Friday, November 14, 2008

I was pleasantly surprised by this.

I'm kind-of addicted to buying books from Fishpond. Part of it is because they're the best online bookstore in NZ that I've found, and part of it is all of these annoyingly good specials that they email me.

At the bottom of the latest shipping notification email (for my Framework Design Guidelines book, yay!), was this:

image

I was feeling happy at the book being shipped, so I thought I'd follow the link :)

At the end of the link was an extremely simple evaluation form:

Simple evaluation form

Only one click to answer, either Yes or No, no big survey.

Following that, this:

$5 coupon

A $5 voucher, for a single click. That's a good way to say thank-you for helping them improve their service, and really shows that they value the feedback.

Pleasantly surprised :)

Kirk

posted on Friday, November 14, 2008 5:46:00 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [1]

There are two handy Visual Studio features that you can't customise through the Tools -> Options settings.

Guidelines

This allows you to have a little dotted line that reminds you that your code is getting too long:

image 

Under [HKEY_CURRENT_USER]\Software\Microsoft\VisualStudio\9.0\Text Editor create a string value called Guides, and put a colour and the column position(s) that you want guides to appear at (e.g. Guides = RGB(128,0,0) 79, 119)

(from http://blogs.msdn.com/saraford/archive/2004/05/05/257953.aspx)


MRU Tab Ordering

Keep your most recent files at the left of your tab channel, rather than ordering them in the order that the files were opened in:

image

Under the HKEY_CURRENT_USER\Software\Microsoft\VisualStudio\9.0 key, you can create a DWORD UseMRUDocOrdering = 1.

(from http://blogs.msdn.com/saraford/archive/2008/10/09/did-you-know-you-can-keep-recently-used-files-from-falling-off-the-file-tab-channel-331.aspx)


Cheers,

Kirk

Previous tips:

posted on Friday, November 14, 2008 5:31:22 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Tuesday, November 11, 2008

I had fun doing the tips'n'tricks talk in Christchurch today. Most of the keyboard shortcuts I showed are in this post of mine from a few months ago, where I have compiled the C# and VB equivalents: Visual Studio Tips n Tricks

The free plugins to Visual Studio that I recommended were:

There's also a cool File Explorer plugin for Visual Studio by the guys from Mindscape: VS File Explorer

I also have a series of other Visual Studio tips on this blog, as well as some C# tips. Subscribe to my RSS to hear more!

Kirk

Previous tips:

posted on Tuesday, November 11, 2008 8:10:17 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [4]
 Saturday, November 08, 2008

We've gone offline for an upgrade, and put a webcam in the office so you can see us work:

image

A little bit of fun with Craig acting for the camera :)

Kirk

posted on Saturday, November 08, 2008 11:08:32 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Thursday, November 06, 2008

Hi,

Many thanks to those who came along to our PDC Fireworks session last night. I hope you had an interesting time hearing about what's coming on the horizon, and that your families enjoyed meeting your geek friends!
A huge thank you to our speakers who presented on such a wide range of topics in a limited time. If you want to find out more or watch any sessions from the PDC, you could visit the Channel 9 PDC site, or visit the blogs of the presenters:

Also, a big thanks to those who helped set up and tidy up the room. Great job!

The .NET user group meets once or twice monthly, usually on the first and third Wednesday of the month. If you'd like to go on my mailing list for upcoming user group presentations, please email me.

If you're interested in the Wellington Sharepoint User Group, or the Wellington SQL User Group, make sure you follow the links to sign up to them.

Upcoming Sessions:

There's a few events coming up in Wellington that are free to attend:

Wed 19 Nov, 6pm - Microsoft .NET Services with Chaks Chandran [.NET User Group]

Microsoft .Net Services is a part of the recently announced Microsoft Azure Platform. What does Microsoft .Net Services provide?

Microsoft .Net Services consists of three main components:

  1. Service Bus
  2. Access Control
  3. Workflow Services

They provide a hosting platform where you can develop connected, peer-to-peer applications that can speak to each other without having to deal with complexities such as firewall rules, NAT, etc.

Venue: Xero, Level 1, 98 Customhouse Quay, Wellington

Please RSVP to kirkj@paradise.net.nz

Thurs 13 Nov, 1:10-5pm - MSDN Unplugged [Microsoft]

This free half day event, organised by Microsoft, sees JD Trask and myself talking on WPF, Silverlight and Visual Studio. More info here.

Sat 6 & Sun 7 Dec - SQL Pass Community Connection [NZ User Groups]

A free, all day event focussed on SQL and related technologies. Overseas and NZ speakers. Find out more at the event website.

Wed 3 Dec, 6pm - Overcoming your web insecurity [.NET User Group]

In this hour-long session, I'll be introducing you to some of the threats your ASP.NET website will face, and give you ideas on how to protect your users, company and yourself. This applies to public facing and internal (intranet) applications.

RSVP details will be sent out to the announcement list closer to the date.


Thanks for reading this far!

Kirk

posted on Thursday, November 06, 2008 9:47:02 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Sunday, November 02, 2008

I got a chance to watch a few great presentations at Code Camp yesterday:

Ivan Towlson - Thinking in WPF:

I've seen Ivan's talk already at the Auckland Code Camp, but I got a few new nuggets of WPF goodness out of it. It was fun watching people get up on the stage and act out the named parts pattern :)

John Rusk - Linq to SQL:

This was a really interesting dive into the good and bad of LINQ to SQL, and some of the stuff John and his co-workers have had to do to work around and extend it, including checking that the model matches the database, in memory save points and model inspection.

It sounds like they've got some really cool code that can be re-used by others -- now we just need to convince them to release it!

Jeremy Straub - IIS 7 Extensibility:

Jeremy gave a short talk about how easy it is to automate IIS administrative tasks, such as creating websites and setting properties, and showed how to do so from within C# and PowerShell. It's really nice how much you can do programmatically against IIS7.

Baroon Anand - Team Foundation Server:

Baroon's talk introduced TFS, and went through some of Intergen's customisation and uses of TFS within their business process and projects. A good overview with some interesting nuggets on running projects through TFS.

Lightning Talks:

I was being the dastardly timekeeper for the lightning talks, which was a fun task. There were about 7 lightning talks @ 5 minutes each, on a variety of topics from C# to paper prototyping, solving real-world problems and PDC / Azure announcements. Well done to everyone who presented; there's at least an hour of content behind each of them that I'd love to hear!

Matt Smith - Productive Sharepoint Development:

Matt is a great presenter, I really enjoyed his talk. It was similar to his TechEd talk (which I didn't go to), so the above link will help you out if you want some tips on how to be a productive developer using Sharepoint (summary: ask your boss for a fast PC, and make your build/deploy as quick as possible).

A bunch of cool tools and tips punctuated by good humour :)

Kirk Jackson - Overcoming your web insecurity:

I can't really comment much on this talk, except to say that there's more stuff in the slides if you're interested :)

David Bales - Scrum Game:

This was a lot of fun. Rather than teaching Scrum via PowerPoint, David had us organised into groups trying to complete tasks by running a series of sprints. I think everyone in the room had a better understanding of the Scrum process and a little idea about the challenges you come across by the end of it.

Clarus is running a Scrum course in December.


Of course, there were other presentations through the day (there were two streams), so I didn't get along to all of the great Code Camp presentations. Well done to all of the speakers for great content, and to the organisers for a really interesting day!

Kirk

posted on Sunday, November 02, 2008 10:35:26 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]

I had a fun time presenting my talk at the Christchurch Code Camp yesterday. I only fell off the stage once!

A collection of urls:

Here's the sanitised version of my slides:

posted on Sunday, November 02, 2008 7:55:50 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Saturday, November 01, 2008

I've arrived at the Christchurch Code Camp. Currently Ivan is presenting his kick-ass WPF talk "Thinking in WPF".

Today I'm doing a presentation on ASP.NET security, covering the basic threats and giving some of the quick wins that you can do to protect your application and users. I'll post the code up here shortly.

Looking forward to an information-packed day!

Kirk

posted on Saturday, November 01, 2008 8:50:03 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Friday, October 31, 2008

Ponoko is a pretty unique concept - an online shop for individualised goods, where you search a market place or upload designs to have something manufactured just for you.

It's pretty cool for geeks - you can create line art of where you want the laser to cut or etch, and they will cut your design from flat sheets of wood, acrylic or other materials. I have made a one-of-a-kind picture frame for my daughter, and toyed around with a bunch of interesting ideas that I haven't yet followed through with.

If you want a more free-style approach, you can even get them to cut based on your hand drawn sketch - all automatically (Photomake).

Anyway... the interesting news today is that they have broadened their set of materials to include bamboo, felt and plain old cardboard, which should lead to some more variety in the products people can make.

Materials gallery

Kirk

posted on Friday, October 31, 2008 8:23:04 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]

Now that's cool.

Miguel demoed Mono running on the iPhone at PDC. He wrote about it a few months ago.

I guess the video will wind its way up here on Channel9.

image

Kirk

posted on Friday, October 31, 2008 1:25:35 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]