So I took advantage of the Free for One Year offer of Computers Assoc. ETrust EZ Antivirus that you can get when you install XP SP2 (seems to be if there isn’t already an anti-virus app on your system).

I noticed a week ago that I hadn’t in fact gotten any updates. The reason was timing. The EZAV software was starting up and running at the same time that my wireless was starting itself up. EZAV is faster and therefore trying to download the updates before I had internet access. But there were no messages that I noticed. I finally saw it in the log files “Could not contact webserver…” and nothing ever downloaded. Over and over again.

So I have to remember to do this manually now.

Peter Blum has taken his great know how with asp.net server controls and validation and combined that with the awesome lessons we have learned about securing ASP.NET websites, to create “Visual Input Security” tools (and it’s clever nickname: VISE). I haven’t had a chance to play with them yet, but did spend some time looking at the extensive and educational manual which kept making me go “wow!“

The basics:Visual Input Security™ is a formidable defense against SQL Injection, Script Injection (Cross Site Scripting), Input Tampering, and Brute Force attacks on your ASP.NET web sites.

The tools allow the flexibility of everything from locking down a whole page to explicitly defining how to secure individual controls.

There’s a demo and even 30 day guarantee on the product.

I plan to retro-fit one of my client’s sites with these.

btw – the peterblum.com website got a design overhaual and looks awesome – I love the logo – nice job all around Peter!!

I have used PaintShop Pro for years – I think since version 4. The features I use most are screen capture, image resize and brightness/contrast adjustment. Once in a while I will create little graphics with it, too.

A few versions ago, they decided to compete with the serious graphics applications and started dumping in so much stuff that I had no understanding of or use for (kinda like Excel 🙂 ). I never could got a handle for most of these features and often they get in my way. I still use it, though, just because it’s there and I have the license and it’s 4 gazillion trillion etc times better than MS Paint.

Scott Hanselman talks about the new Paint.NET and at the same time, expresses the exact same frustration with PaintShop Pro that I have always had. Nice to know it wasn’t just me. I guess I better go take a look at this Paint.NET, as Scott is the de facto guy when it comes to utilities!!

I always wondered about this one. Anil John points to an XP SP2 feature that helps with the ol’ copy-my-whole-hard-drive-to-my-itty-bitty-1 GB-thumb-drive problem.

I have not yet tried to cross this particular bridge in my experiments, but Scott Watermasysk did today. Because of the way UsernameTokens are implemented in WSE2, their encryption over the wire (hashing really) depends on the password that the user typed in to match the password in the database – meaning that the database needs to store clear text. Scott ran into this today and blogged about it. In response, someone pointed to some early July posts by Aaron Skonnard and Keith Brown discussing this particular issue. Aaron discussed the problem, Keith proposed a way around the problem.

Most of the rest of this is an explanation for people who may have no clue what they are talking about.

What they are talking about is this: Hopefully, you know by now that storing clear text passwords (plain ol’ readable text) in your database is a no-no. If your server is compromised, they are totally exposed. So what the recommended method (not Keiths for dealing with WSE, but in the general world of security) is to use a particular algorithm to store a user’s password as a hash, or even better a salted hash*. This is a one time event. Then when a user logs in to an application, you run the same algorithm against the password and look up the user by their user name and compare the hashed passwrod in the database to the hash of the password that the user just logged in with. This is instead of just doing a query on usernaem and password and seeing if the query returns at least one record – which is what so many people (myself included until I learned better) do.

So… the problem with WSE2 is that it automatically hashes the password that is entered by the user before it sends it to the webservice for authentication. On the other end, WSE automatically hashes the password from the database for comparison.

In Scott’s case, he already hashed the password before he stored it into the database.

So WSE2 is sending to the web service the hash of the actual clear text password that the user just typed in. The web service is taking an already hashed password and hashing it again. So, of course, there’s no match.

I looked at Hervey Wilson’s list of what was in the SP1 release of WSE2 which came out three weeks later than Keith & Aaron’s discussion but alas I don’t see anything regarding that.

Hervey talked about SP2 for WSE in an August 12th post, but no specifics beyond that there will “additions to the built-in tokens and token issuers in the product.”

*salted hash is explained in the DevDays content – asp.net track session 3 – defenses and countermeasures, now online. I know as I presented that session two times. 🙂