I always wondered about this one. Anil John points to an XP SP2 feature that helps with the ol’ copy-my-whole-hard-drive-to-my-itty-bitty-1 GB-thumb-drive problem.
BCL for ASP.NET Developers
Delete, Delete, Delete.
That’s what I’m doing to my poor What’s new in the BCL in .NET 2.0 presentation as I prepare it for an ASP.NET focus for ASP.NET Connections.
System.IO.DriveInfo…..delete…not too interesting over the web
System.Console ….delete (sorry Kit, I know this is one of your faves!!!)
System.IO.SerialPort … delete.. (ditto, Kit)
And I think I’ll bring the System.Net changes right up to the top of the deck to really get their attention!
Hmmm…I think the whole Friend Assemblies part is going to have to go. It’s compelling, but I’ve found it not that exciting when I’ve given this talk in the past.
WSE2 Security and Hashed Passwords in your database
I have not yet tried to cross this particular bridge in my experiments, but Scott Watermasysk did today. Because of the way UsernameTokens are implemented in WSE2, what goes over the wire is not an encrypted password but a digest (a hash) of it, and the service can only verify that digest if it can reproduce it from the same password the user typed in, meaning that the database needs to store clear text. Scott ran into this today and blogged about it. In response, someone pointed to some early July posts by Aaron Skonnard and Keith Brown discussing this particular issue. Aaron discussed the problem; Keith proposed a way around it.
Most of the rest of this is an explanation for people who may have no clue what they are talking about.
What they are talking about is this: Hopefully, you know by now that storing clear text passwords (plain ol’ readable text) in your database is a no-no. If your server is compromised, every password is totally exposed. So the recommended method (not Keith’s for dealing with WSE, but in the general world of security) is to run the password through a one-way algorithm and store the result, a hash, or even better a salted hash*. This is a one-time event, done when the password is set. Then when a user logs in to an application, you look up the user by their user name, run the same algorithm (with that user’s salt) against the password they just typed, and compare the result to the hashed password in the database. This is instead of just doing a query on user name and password and seeing if the query returns at least one record – which is what so many people (myself included until I learned better) do.
So… the problem with WSE2 is that it automatically hashes the password that is entered by the user (together with a nonce and a creation timestamp) before it sends the result to the web service for authentication. On the other end, WSE automatically runs the same hash over the password it gets from the database and compares the two digests.
In Scott’s case, he had already hashed the password before he stored it in the database.
So WSE2 is sending to the web service a digest of the actual clear text password that the user just typed in. The web service is taking an already hashed password and hashing it again. So, of course, there’s no match.
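To make the mismatch concrete, here is an added example (mine, not code from the original post, from Scott, Keith or WSE2) that models the three situations in Python: a salted hash stored the conventional way, the WS-Security UsernameToken PasswordDigest as WSE2 computes it (Base64 of SHA-1 over nonce + created + password), and one possible workaround in which the client pre-hashes the password with a salt it can derive on its own so that both sides feed the same bytes into the digest. The user name, password, nonce and timestamp are constructed sample values; the deterministic-salt scheme is an illustration, not a claim about what Keith proposed, and the trade-off it carries is noted in the comments.

```python
"""
Added example (not from the original post or from WSE2 itself): why a WS-Security
PasswordDigest needs the clear-text password on the service side, why hashing the
password before storing it breaks the match, and what a client-side pre-hash costs.
All sample values (user, password, nonce, timestamp) are constructed.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple


# --- 1. Conventional storage: salted hash, never the clear text ----------------

def make_salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, SHA-256(salt || password)); the salt is random per user."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode("utf-8")).digest()


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-hash the typed password with the stored salt; compare in constant time."""
    _, candidate = make_salted_hash(password, salt)
    return hmac.compare_digest(candidate, stored)


# --- 2. WS-Security UsernameToken PasswordDigest, as WSE2 computes it ----------
# PasswordDigest = Base64(SHA-1(nonce + created + password))
# Both ends must put the *same* password bytes into this function.

def password_digest(nonce: bytes, created: str, password: str) -> str:
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def service_accepts(nonce: bytes, created: str, client_digest: str,
                    service_side_password: str) -> bool:
    """The service recomputes the digest from whatever it holds for the user."""
    expected = password_digest(nonce, created, service_side_password)
    return hmac.compare_digest(expected, client_digest)


# --- 3. The three scenarios ----------------------------------------------------

def run_scenarios() -> dict:
    user = "julie"                      # constructed sample user
    password = "correct horse"          # constructed sample password, as typed
    nonce = b"\x01" * 16                # fixed here; WSE2 generates a random one
    created = "2004-09-01T12:00:00Z"    # constructed creation timestamp
    client_digest = password_digest(nonce, created, password)

    # A: database stores clear text -> digests match (what WSE2 expects).
    clear_text_ok = service_accepts(nonce, created, client_digest, password)

    # B (Scott's case): database stores a salted hash; WSE2 hashes the hash again.
    _, stored = make_salted_hash(password)
    hash_in_db_ok = service_accepts(nonce, created, client_digest, stored.hex())

    # C (illustrative workaround, an assumption, not Keith's published scheme):
    # client and service both derive the salt from the user name, the client
    # pre-hashes before handing the value to WSE2, and the service stores only
    # that pre-hash. CAVEAT: the stored value is now password-equivalent for
    # this service, so a database theft still lets the thief authenticate.
    det_salt = hashlib.sha256(user.encode("utf-8")).digest()[:16]
    _, stored_det = make_salted_hash(password, det_salt)        # what the DB holds
    client_prehash = stored_det.hex()                            # what WSE2 sees as "password"
    prehash_digest = password_digest(nonce, created, client_prehash)
    prehashed_ok = service_accepts(nonce, created, prehash_digest, stored_det.hex())

    return {"clear_text": clear_text_ok,
            "hash_in_db": hash_in_db_ok,
            "prehashed_client": prehashed_ok}


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:18s} {'match' if ok else 'NO MATCH'}")
```

Scenario B is exactly the double-hash Scott hit; scenario C only works because the client and the service agree on the bytes before the digest is taken, and the comment spells out what you give up for it.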
I looked at Hervey Wilson’s list of what was in the SP1 release of WSE2, which came out three weeks after Keith & Aaron’s discussion, but alas I don’t see anything regarding that.
Hervey talked about SP2 for WSE in an August 12th post, but no specifics beyond that there will be “additions to the built-in tokens and token issuers in the product.”
*salted hash is explained in the DevDays content – asp.net track session 3 – defenses and countermeasures, now online. I know, as I presented that session twice. 🙂
BCL Team Program Manager position
Horrified
…by what is going on in Russia with the elementary school siege. I’m glad that CNN finally is putting it as their lead story. International news so often gets buried behind our own stupid politics.
Life beyond the System.Web namespace
One of the three talks I am doing at ASP.NET Connections is What’s new in the BCL 2.0 for ASP.NET Developers (that’s an abbreviation of the title).
I am taking my “What’s New in the Whidbey Base Class Libraries” presentation that I have been doing since February and turning it on its ear a little bit. I thought of doing this because I had a conversation with an ASP.NET guru who was giving me grief for focusing on the BCL so much this winter. “Dude!,” said I, “System.Web.NUTHIN’ don’t WORK without the BCL!”
So while many ASP.NET developers are spending their time focusing on the cool personalization and caching functionality in ASP.NET 2.0 or the ability to drag & drop your way to a website, I am going to try to call their attention to some key goo in the BCL that will help them write better code and write it more simply.
WSE2 – do you believe in magic?
Well, I don’t. That is why I am spending a lot of time trying to learn how the pieces of cryptography that are being used by WSE work. And appreciating how hard the designers of the WS-Security and WS-Trust and WS-SecureConversation specs have worked out all of the what-if’s and come up with lots of cool ways to prevent them. Derived Keys are a great example of that.
But my problem is this: if you defined a chair to me and said “well, it has a seat and 4 legs and a back”, I’m going to ask you what legs are and what a back is and what a seat is. That is exactly why I have been driving myself a little nutty with WSE2. Once I understand what legs are, how they were made and how they work, I am going to be a LOT more comfortable sitting in that chair.
Derived keys are made up of a combination of things. I need to know what these pieces all are and where they have come from, so I just keep reading and reading until I find an explanation that doesn’t just say derived key is made up of a few things and then move on. (Oh, if you’re curious, there are some great explanations: here and of course, here). Having looked this over, now I don’t mind just using the DerivedKeyToken class and passing it my security context token that I have created for a secure conversation and being done with it. (oh thank you Microsoft for WSE2)
I just don’t like it all being “magic under the covers stuff”. How about you?
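For anyone who wants to see the legs rather than sit in the chair, here is an added example (mine, not code from the original post and not WSE2’s own implementation) of the derivation WS-SecureConversation specifies for a DerivedKeyToken: the derived key is a slice of P_SHA1(secret, label + nonce), the TLS 1.0 pseudo-random function, where the secret is the one established by the security context token. The default label, the default length of 32 bytes and the “generation = offset / length” convention are taken from the spec as I read it, not from what WSE2 configures; the secret and nonce below are constructed sample bytes.

```python
"""
Added example (not from the original post, not WSE2's code): the WS-SecureConversation
derived-key computation. Derived key = P_SHA1(secret, label + nonce)[offset : offset+length].
Spec defaults assumed here: label "WS-SecureConversation", length 32, offset 0, and a
generation number meaning offset = generation * length. Sample secret/nonce are constructed.
"""
import hashlib
import hmac
from typing import Optional

DEFAULT_LABEL = b"WS-SecureConversation"   # label the spec uses when none is given


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1 expansion (RFC 2246 section 5):
       A(0) = seed, A(i) = HMAC-SHA1(secret, A(i-1)),
       output = HMAC-SHA1(secret, A(1)+seed) || HMAC-SHA1(secret, A(2)+seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, length: int = 32, offset: int = 0,
               generation: Optional[int] = None, label: bytes = DEFAULT_LABEL) -> bytes:
    """Derived key per WS-SecureConversation: a window into P_SHA1(secret, label + nonce).
       Both parties hold the same secret (from the security context token); the nonce,
       label, offset/generation and length travel in the DerivedKeyToken in the clear,
       so anyone without the secret learns nothing usable from them."""
    if generation is not None:
        offset = generation * length
    stream = p_sha1(secret, label + nonce, offset + length)
    return stream[offset:offset + length]


def demo() -> dict:
    """Both sides derive the same key from shared inputs; a fresh nonce or a new
       generation yields a different key from the same long-lived secret."""
    secret = b"\x42" * 24                      # constructed SCT secret (stand-in value)
    nonce = b"\x10\x11\x12\x13\x14\x15\x16\x17"  # constructed nonce from the token
    k_client = derive_key(secret, nonce)
    k_service = derive_key(secret, nonce)
    k_next_nonce = derive_key(secret, b"\x20" * 8)
    k_gen0 = derive_key(secret, nonce, length=16, generation=0)
    k_gen1 = derive_key(secret, nonce, length=16, generation=1)
    return {
        "both_sides_agree": k_client == k_service,
        "nonce_changes_key": k_client != k_next_nonce,
        "generations_disjoint": k_gen0 != k_gen1,
        # generation 1 of length 16 is bytes 16..31 of the same stream
        "generation_is_window": k_gen1 == derive_key(secret, nonce, length=32)[16:32],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {ok}")
```

The last check in `demo()` is the one worth understanding: a generation number is just a way of saying “the next non-overlapping slice of the same key stream”, which is why each side can keep rolling keys without another round trip.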
.NET finally being taught in our local college!
Champlain College has some .NET classes. I believe it’s in the continuing ed school. I couldn’t find the classes in the regular curriculum. They are one of the colleges in Burlington. I was happy to hear this. What it means to me is that .NET is finally really taking wing here.
Chanterelles
Found a great spot in the woods with gobs of Chanterelles on our dog walk today. If this is my last post ever, you’ll know I was mistaken! 🙂 (Don’t worry, I have books and triple check everything on the web.) There are also some gem-studded puffballs (also choice) in here.
Huge report files created by Crystal Reports
My Crystal report files get bigger and bigger for no reason. I found this discussion of the problem on their website but as it suggests “unchecking the Save Preview Picture” option, which has never been checked in any of my reports, that didn’t help. Just because…I checked it, saved, built, unchecked, saved, built. My files are getting up to 2MB.
If anyone knows what is up with this, I’d be happy to know and to share the info here.
Google didn’t get me far.