Scott Hanselman

Hanselminutes Podcast 272 - Basics of Web Security with Barry Dorrans

June 29, '11 Comments [0] Posted in ASP.NET | Podcast
Sponsored By

Scott sits down with Microsoft Security Engineer Barry Dorrans to get a general sense of the basics of Web Security in 2011. Who are the groups in the news most often? What threats are nailing websites most often today, and are they different from classic threats? Where do we start to protect our sites?

Download: MP3 Full Show

NOTE: If you want to download our complete archives as a feed - that's all 271 shows, please subscribe to the Complete MP3 Feed here.

Also, please do take a moment and review the show on iTunes.

Subscribe: Subscribe to Hanselminutes or Subscribe to my Podcast in iTunes or Zune

Do also remember the complete archives are always up and they have PDF Transcripts, a little known feature that show up a few weeks after each show.

Telerik is our sponsor for this show.

Building quality software is never easy. It requires skills and imagination. We cannot promise to improve your skills, but when it comes to User Interface and developer tools, we can provide the building blocks to take your application a step closer to your imagination. Explore the leading UI suites for ASP.NET AJAX, MVC, Silverlight, Windows Forms and WPF. Enjoy developer tools like .NET Reporting, ORM, Automated Testing Tools, Agile Project Management Tools, and Content Management Solution. And now you can increase your productivity with JustCode, Telerik's new productivity tool for code analysis and refactoring. Visit www.telerik.com.

As I've said before this show comes to you with the audio expertise and stewardship of Carl Franklin. The name comes from Travis Illig, but the goal of the show is simple. Avoid wasting the listener's time. (and make the commute less boring)

Enjoy. Who knows what'll happen in the next show?

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Using Code Signing Certificates to sign downloaded MSIs and build reputation with IE9 SmartScreen

June 27, '11 Comments [17] Posted in ASP.NET | Learning .NET | Musings

First, let me start that if you want a lot of people to download something, make sure that the words "HTML5," "Support" and "Update" appear in the title. I'm sure if the folks that are making Diablo 3 called it "Diablo 3 HTML5 Support Update" that a metric buttload more people would download it.

That said, a bunch of folks in the Web Platform and Tools team created the Web Standards Update package with HTML5 Support for the Visual Studio 2010 Editor.

This Web Standards Update is something that anyone in the community could have released, just extending Visual Studio in a standard way. Like many other (most) extensions in the Visual Studio Extension Gallery, it was not "signed." It was not a formal project done by Microsoft. Rather, this was something that a bunch of us did for the community in our after-work hours. The only reason it got the spotlight was because the press caught wind of it having HTML5 and CSS3 support.

Certainly a lot of people wanted it because in 4 days it's now the #1 most popular thing in the Visual Studio Gallery. Take that NuGet! ;)

Here's where the trouble starts. Then, it was written about in the press as if it were a "gaffe." I admit that we (mostly I) did a lousy mediocre job of making it clear that this update was a "community update from the inside," as it were. It's not official, but we're hoping support like this will make its way into the next version of Visual Studio.

When you download the MSI installer with IE9, as with any MSI, signed or not, you first get a message like this:

Do you want to Run or Save this MSI?

And that's normal and quite lovely. Then we see this scary red bar (this is a shot from another gallery item):

SmartScreen Red (BAD) Bar

This is the IE9 SmartScreen system warning us, rightfully so, that this is not something downloaded all the time. In fact, this is a really useful feature of IE9 and is fairly unique amongst the browsers so far. SmartScreen's application reputation check keys on the downloaded file's hash and, when the file is signed, on the publisher's certificate, and compares both against what it has seen across other users' downloads. Even though it's coming from a Microsoft.com website, it doesn't matter. SmartScreen is unbiased. It's never seen this file (or a signer for it) before, so it's not trusted.

UPDATE: Looks like as of my test just now that SmartScreen now recognizes our download as safe!

At this point, if I click Actions, I see this. (Yes, I realize these screenshots aren't all up to snuff).


In fact, for most people, they can't even click "Run Anyway" yet. They'll have to click More Options to see the Run Anyway button. (If I am a developer-type and click More Options all the time, presumably I either know what I'm doing, or I like to live dangerously and the More Options choice will stick open after several downloads. It'll save me a click, but all the other warnings remain.)

As the publisher, we have a few choices. We could sign the binary file (the MSI) with the Microsoft code signing certificate. However, that requires a big manager to sign off and says explicitly that Microsoft is releasing this code officially. It's a big deal. This wasn't an official release and, as such, we can't sign it as Microsoft. A code signing certificate guarantees that a file hasn't been tampered with since it was signed and that a known and verified organization or individual stands behind it.

Eventually SmartScreen would figure out that our MSI was OK, but we have no way of telling how long that would take. Could be weeks, months, it all depends. Regardless, the right thing to do is to sign your code, even if you are an individual or small company. For example, if I download Eric Lawrence's Fiddler or Rick Brewster's Paint.NET, they are both signed and I can see their names in the User Account Control (UAC) dialog. I can click and view their certificates and know I'm downloading a file that has someone vouching for it.

Be sure to check out Eric Lawrence's excellent post on Authenticode Code Signing. It's extremely detailed and worth your time.

Getting a Code Signing Certificate

I got a Code Signing Certificate from InstantSSL.com. There's many options, they are one. It's spendy, $180 a year, or $166 a year if you go for 3 years, but I can use it for other stuff.

There's a few gotchas in the process, no matter who you pick.

  • Use the same computer, same OS, and same browser (preferably IE for this, no joke) when you request the certificate and when you collect it. The browser generates the private key and stores it in that machine's certificate store at request time; the certificate the CA sends back is only usable on the machine that holds that key.
  • Use a P.O. Box or corporate address, or ask their tech support to omit your address. Otherwise your full home address may get embedded in the certificate's subject, where anyone who clicks through to inspect your signature can read it.
  • You'll need to prove who you are. More on that now.

You'll need to prove you are really you. I needed to give their verification people a copy of the first page of my passport, driver's license, two utility bills, including a phone bill whose address matched my credit card's address, AND they called the phone number on my utility bill to confirm it was really me. It's non-trivial, it takes a while, and they aren't screwing around. Good for you, the consumer, hassle for me, the producer. Still, good stuff.

Certificate Manager with my new Cert

When my cert shows up, I need to Export it and save it in a safe place with all its details and a strong password. It's unique and should be protected.

Signing Code

The actual signing, once the cert shows up, is not too hard. Here's a command line used with the signtool.exe that came with Visual Studio (it also ships with the Windows SDK). The /t switch asks a timestamp server to countersign, which is what keeps the signature valid after the certificate itself expires, so don't skip it. Note that /p puts the PFX password on the command line, and therefore in your console history; if the certificate is installed in your personal certificate store you can select it by subject with /n "Your Name" instead of /f and /p. Also, cmd.exe wants double quotes, not single quotes, around paths:

C:\DEV> signtool sign /t http://timestamp.comodoca.com/authenticode /f "C:\DEV\HanselmanCODESIGNINGCERT.pfx" /p SecretPassword ".\MySpecial.msi"
Done Adding Additional Store
Successfully signed and timestamped: .\MySpecial.msi
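As an added example, not code from the post: a PowerShell script that wraps the signtool command above and then verifies what it produced, both with signtool verify and with Get-AuthenticodeSignature. It assumes signtool.exe is on the PATH (it ships with the Windows SDK and Visual Studio); the MSI path, PFX path and timestamp URL are the placeholders from the command above and should be replaced with your own.

```powershell
# Added example (not from the post): sign an MSI with signtool, then verify the
# result the way the consumer's machine will. Paths and the timestamp URL are
# the placeholders from the post's command line; replace them with your own.
param(
    [string]$Msi          = ".\MySpecial.msi",
    [string]$Pfx          = "C:\DEV\HanselmanCODESIGNINGCERT.pfx",
    [string]$TimestampUrl = "http://timestamp.comodoca.com/authenticode"
)

# Prompt for the PFX password instead of passing it as a literal, so it does
# not end up in the console history. signtool still needs it in the clear.
$secure = Read-Host -Prompt "PFX password" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# /t adds an Authenticode timestamp so the signature stays valid after the
# certificate expires; /v shows the certificate chain that was used.
& signtool sign /v /t $TimestampUrl /f $Pfx /p $password $Msi
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }
Remove-Variable password

# Verify against the default Authenticode policy (/pa), which is what Windows
# applies when someone runs the installer. An untrusted chain fails here even
# though the sign step reported success.
& signtool verify /pa /v $Msi
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed: the chain is not trusted on this machine" }

# Second opinion from PowerShell, plus the two checks signtool's exit code
# alone does not give you: who actually signed it, and whether the timestamp
# countersignature is really present.
$sig = Get-AuthenticodeSignature -FilePath $Msi
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    throw "Signature is not timestamped; it will stop validating when the certificate expires"
}
"Signed by   : $($sig.SignerCertificate.Subject)"
"Thumbprint  : $($sig.SignerCertificate.Thumbprint)"
"Timestamped : $($sig.TimeStamperCertificate.Subject)"
```

Run it before you upload. The verify step is the one that matters: a signature made with a test certificate whose root is installed only on your own box passes the sign step and fails here, which is exactly the case you want to catch before a downloader does. If the certificate lives in your personal store rather than a PFX, replace /f and /p with /n "Subject Name" and drop the password prompt.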

When someone tries to download the new signed MSI, they see this slightly less scary yellow bar. What? I don't get a free pass for signing my code?

SmartScreen Yellow Bar

Well, just like getting an SSL certificate doesn't make me a bank, getting a Code Signing Certificate doesn't make me more trustworthy.

  • SSL Certificates for HTTPS guarantee that you're talking privately to the named site, not that the site is trustworthy.
  • Code Signing Certificates guarantee identity, not trust.
    • It guarantees it's me, but you have to decide if you trust me.

If you click Actions now, you'll see my name as the Publisher, and you can validate the certificate and decide if you trust me. But SmartScreen doesn't trust me yet. Why?

 My code signing certificate in the Run Dialog

That's because my Certificate, unlike the Microsoft one, hasn't built up a reputation*. The "Scott Hanselman" code signing cert will have to earn trust, just as Rick Brewster and Eric Lawrence and every other signed shareware or freeware author has built trust. But having this MSI signed means you now know that I (and Mads, and Vishal, and the folks working on this MSI) stand behind it. Hopefully soon (some # days or weeks vs. downloads?) SmartScreen will trust us also, and this will make future projects I sign be trusted faster. At that point, my signed code will be trusted and SmartScreen won't frighten you with this download.

Remember also that code signing certificates and the Windows experience and UI for running signed MSIs and EXEs are separate from SmartScreen. They work together and complement each other, though. Learn more about SmartScreen on their team blog or their FAQ.

Hope this helps! Surf smart, and think about what you download and who you trust.

* Now it appears that SmartScreen trusts me!


Hanselminutes Podcast 271 - Inside IronJS - A complete JavaScript/ECMAScript open source implementation on the .NET DLR

June 21, '11 Comments [8] Posted in DLR | Javascript | Open Source | Podcast

Scott talks to open source developer Fredrik Holmström about IronJS. It's a very complete implementation of JavaScript written in F# on top of the DLR. It's even faster than IE8 now and getting faster every day. How does something like this get built? What can you use it for? What are the Iron* languages used for and how can you get involved?

Download: MP3 Full Show


We want to welcome StackOverflow Careers as a sponsor for this episode. They are offering a free Invite to Hanselminutes Listeners to check out the invitation-only StackOverflow Careers 2.0 site. I've set up my profile and you should too! Click here for your invite code to StackOverflow Careers 2.0.

The team at Stack Overflow created the Careers 2.0 service to provide you with access to great jobs and also introduce you to a bunch of great companies you might consider working for, even if you are not currently looking for a job. Think of Careers 2.0 as a programmer profile that gives you a platform to show you're awesome by featuring your proudest contributions to Stack Overflow, GitHub, SourceForge, Bitbucket, CodePlex… anything programming related. Profiles on Careers 2.0 are invite only; they did this to keep out the spam and create a high quality environment.

Telerik is also our sponsor for this show.



Review and Installation: Filtrete Touchscreen WiFi-Enabled Programmable Thermostat

June 17, '11 Comments [27] Posted in Reviews

It's amazing what you can automate around the house when you've got a nice, solid Wi-Fi network and a little ingenuity. And $100. That seems to be the gadget freak price point. If it's $100, we can buy it without the spouse totally freaking out. I've set up Alarm.com and automate our home security system from my smart phone. I've set up wifi cameras around the house and plugged them (wirelessly) into the Synology DiskStation as a composite image and 24 hour DVR. All this done with commodity parts and a VERY small amount of know-how. Stuff that only millionaires and folks on MTV Cribs (or Geek Developer Cribs) could have in the past, now we can have just by stopping by Home Depot.

This is how I came upon the Filtrete Touchscreen WiFi-Enabled Programmable Thermostat. My buddy John Batdorf walked by one of these at Home Depot and bought it on a whim. Later that evening he was like "dude!!!" and I did some research. What a clever idea! Not just a programmable thermostat, but one I can control from any connected device, the web or any phone (iPhone, Android, etc).

This opens up a lot of interesting scenarios where you can get the house ready before you get home, where you can keep it colder and save money if you forgot to turn off the heat before you left.

It was $99 at Home Depot and took about 20 minutes to install and we all know I'm not handy. There's only one catch, you really need to have a "C" wire. This is a standard wire that most furnaces have at least run between the furnace and the main thermostat.

However, it is possible you don't have it. In my case, I had the wire but it wasn't hooked up at the furnace. This meant I needed to turn off the power to the furnace at the main electrical switchbox temporarily, then connect the loose wire to the power of the furnace, and turn it back on. I tested it with a simple cheap multi-meter from Radio Shack (or Home Depot, of course). If you like, you can also run a new wire between the thermostat and the furnace. Finally, if none of that works, you can use a standard wall-transformer and plug it into the wall. It just won't be as sanitary.

The installation process was a little nerve wracking initially just because I'm not a wires guy but the installation PDF was pretty clear and the wires were clearly labeled.

Installing the Filtrete Thermostat, wires exposed Installing the Filtrete Thermostat, wires exposed and hooking them up

Once the wires were hooked up and I confirmed I had power and plugged in some backup AA batteries, it was just a matter of registering the thermostat with the Wi-Fi network. I was impressed that it supported WPA security as I've standardized on it. I wouldn't have used the thermostat if it only supported WEP. Nice to know that WPA and WPA2 have finally arrived in cheap consumer devices.

Installing the Filtrete Thermostat, complete Installing the Filtrete Thermostat, in the box

Of course there's a website to manage the thermostat (or any number if you have multiple) but there's also multiple phone applications. I usually access this from my phone. There's of course the ridiculous first world problem of changing the temperature of the house from bed (which is awesome, by the way.) The thing I use it the most for is setting the house to "away" mode. I haven't yet measured if this has saved us money (as we in the past have left the house on 74 for YEARS at a time without changing it) but I can only assume it has as there's no reason to heat an empty house.

All in all, a great and useful gadget if you're into Home Automation. It is inexpensive without being cheap. Recommended.


Introducing System.Web.Providers - ASP.NET Universal Providers for Session, Membership, Roles and User Profile on SQL Compact and SQL Azure

June 16, '11 Comments [65] Posted in ASP.NET | ASP.NET MVC | NuGetPOW

UPDATE #2: Note that the NuGet package has changed its name from System.Web.Providers to Microsoft.AspNet.Providers.

UPDATE: Note that in MVC 4 and ASP.NET 4 and 4.5 the default hash is now HMACSHA256

I always like to remind folks of the equation ASP.NET > (ASP.NET MVC + ASP.NET WebForms). The whole "base of the pyramid" of ASP.NET has lots of things you can use in your applications. Some of these useful bits are Session State, Membership (Users), Roles, Profile data and the provider model that underlies it. Using these isn't for everyone but they are very useful for most applications, even ones as large as the ASP.NET site itself.

Today the Web Platform and Tools team (WPT) is releasing an Alpha of the ASP.NET Universal Providers that will extend Session, Membership, Roles and Profile support to SQL Compact Edition and SQL Azure. Other than supporting additional storage options, the providers work like the existing SQL-based providers.

Today these are being released via a NuGet Package, but it's very likely that these Universal Providers will be the default in the next version of ASP.NET.

To enable the providers, the NuGet package adds configuration entries in the web.config file. The configuration for these providers is the same as the existing SqlMembershipProvider class, but the type parameter is set to the type of the new providers, as shown in the following table:

SQL provider type                            Equivalent Universal Providers type
System.Web.Security.SqlMembershipProvider    System.Web.Providers.DefaultMembershipProvider
System.Web.Profile.SqlProfileProvider        System.Web.Providers.DefaultProfileProvider
System.Web.Security.SqlRoleProvider          System.Web.Providers.DefaultRoleProvider
(built-in session state provider)            System.Web.Providers.DefaultSessionStateProvider

If you install these, the NuGet package will swap your defaultProviders in your web.config. You can certainly pick and choose the settings for each as well. Here we're changing Profile, Membership, RoleManager and SessionState. The latter is nice as it better allows your session-state-using Azure apps to scale with SQL Azure as the backend storage.

Install-Package Microsoft.AspNet.Providers

Using these Universal "Default Profile Providers" means all you have to do is set the right connection string and your applications that use these services will work with SQL Server (plus Express), SQL Server Compact and SQL Azure with no code changes from you.
The membership entry the package writes looks like this (the profile, role and session-state entries follow the same pattern, with the types from the table above). Note the defaults it ships with: a six-character minimum, no non-alphanumeric characters required, and lockout after five bad attempts within a ten-minute window. Those are demo-grade settings; tighten them before anything real sits behind this login.

<membership defaultProvider="DefaultMembershipProvider">
  <providers>
    <add name="DefaultMembershipProvider"
         type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers"
         connectionStringName="DefaultConnection"
         enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
         maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
         applicationName="/" />
  </providers>
</membership>
Selecting a Data Store

By default, the NuGet package sets the connection string to use a SQL Server Express database (wrapped here for readability):

<add name="DefaultConnection"
     connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\aspnetdb.mdf;
                       Initial Catalog=aspnet;Integrated Security=True;
                       User Instance=True;MultipleActiveResultSets=True"
     providerName="System.Data.SqlClient" />

If you want to use SQL Server Compact, change the connection string as shown in the following example:




If you want to use SQL Azure, change the connection string like this example (wrapped for readability):


providerName="System.Data.SqlClient"/>
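As an added example, not from the post or the NuGet package: a PowerShell script that audits the membership provider settings and connection strings discussed above in a web.config and reports the values a reviewer would push back on. The embedded web.config is a constructed sample mirroring the package defaults; the thresholds it enforces (eight characters, at least one non-alphanumeric, lockout at ten attempts or fewer) are my own review baseline, not numbers from the page, and the function and script names are mine.

```powershell
# Added example (not from the post or the NuGet package): audit the membership
# and connection string settings in a web.config and report weak values.
# Usage:  .\Audit-MembershipConfig.ps1              (runs against the sample below)
#         .\Audit-MembershipConfig.ps1 .\web.config
param([string]$ConfigPath)

# Constructed sample that mirrors what the Universal Providers package writes.
$sampleConfig = @'
<configuration>
  <connectionStrings>
    <add name="DefaultConnection"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=aspnet;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="DefaultMembershipProvider">
      <providers>
        <add name="DefaultMembershipProvider"
             type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers"
             connectionStringName="DefaultConnection"
             enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
             maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6"
             minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
             applicationName="/" />
      </providers>
    </membership>
  </system.web>
</configuration>
'@

# Attribute lookup that falls back to the SqlMembershipProvider default when the
# attribute is absent, so an omitted setting is judged by what it actually does.
function Get-Attr([System.Xml.XmlElement]$Element, [string]$Name, $Default) {
    $value = $Element.GetAttribute($Name)
    if ($value) { $value } else { $Default }
}

function Test-MembershipConfig([xml]$Config) {
    $findings = @()
    $membership = $Config.configuration.'system.web'.membership
    if (-not $membership) { return @('No <membership> element found') }

    # The framework uses SHA1 when hashAlgorithmType is not set explicitly.
    $hash = Get-Attr $membership 'hashAlgorithmType' 'SHA1'
    if ($hash -eq 'SHA1') {
        $findings += "membership: hashAlgorithmType is $hash; set HMACSHA256 (existing users must reset passwords after the change)"
    }

    foreach ($p in @($membership.providers.add)) {
        if (-not $p) { continue }
        $n = $p.name
        if ((Get-Attr $p 'passwordFormat' 'Hashed') -ne 'Hashed') {
            $findings += "$($n): passwordFormat=$($p.passwordFormat); store passwords Hashed"
        }
        if ((Get-Attr $p 'enablePasswordRetrieval' 'false') -eq 'true') {
            $findings += "$($n): enablePasswordRetrieval=true needs reversible passwords; disable it"
        }
        if ([int](Get-Attr $p 'minRequiredPasswordLength' 7) -lt 8) {
            $findings += "$($n): minRequiredPasswordLength=$(Get-Attr $p 'minRequiredPasswordLength' 7); raise to 8 or more"
        }
        if ([int](Get-Attr $p 'minRequiredNonalphanumericCharacters' 1) -lt 1) {
            $findings += "$($n): minRequiredNonalphanumericCharacters=0; require at least one, or set passwordStrengthRegularExpression"
        }
        if ([int](Get-Attr $p 'maxInvalidPasswordAttempts' 5) -gt 10) {
            $findings += "$($n): maxInvalidPasswordAttempts=$(Get-Attr $p 'maxInvalidPasswordAttempts' 5); lockout threshold is loose"
        }
    }

    # A password inside a connection string is plaintext on disk.
    foreach ($cs in @($Config.configuration.connectionStrings.add)) {
        if ($cs -and $cs.connectionString -match '(password|pwd)\s*=') {
            $findings += "connectionString $($cs.name): embeds a password; use Integrated Security or encrypt the section with aspnet_regiis -pe"
        }
    }
    return $findings
}

$xml = if ($ConfigPath) { [xml](Get-Content $ConfigPath) } else { [xml]$sampleConfig }
$results = @(Test-MembershipConfig $xml)
if ($results.Count -eq 0) { 'No findings.' } else { $results | ForEach-Object { "FINDING: $_" } }
```

Against the sample it reports three findings: the SHA1 default, the six-character minimum and the missing non-alphanumeric requirement. The hashAlgorithmType caveat matters in practice: the provider cannot verify hashes made under the old algorithm, so changing it on a live database means forcing a password reset rather than a silent upgrade.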

Even though this release is primarily about extending support to all versions of SQL Server, I realize that y'all might not even know about what these things do, so I thought I'd spend a little time explaining. I notice also that there's some confusion on StackOverflow and other sites on how to use Membership and Profile and the like on ASP.NET MVC, so I'll use that for the examples.

Example of Membership, Roles and Profile in ASP.NET MVC (with the Universal Providers)

I'll fire up VS and File | New Project on a new ASP.NET MVC 3 Project. Then I'll right click on References and select Add | Library Reference. The NuGet package id is "Microsoft.AspNet.Providers." After this package is installed, I can also install SQL Compact Edition via NuGet if I like and set the connection string to SQL Compact as shown above.

Remember, this is a very functional Alpha, but there may be bugs (report them!) so it might be updated a few times before the next version of ASP.NET is released.

First, I'll run my app and click Register and make a new user named "Scott."

Making a new user

Adding Roles to a User

Next, from the Visual Studio Project menu, I visit ASP.NET Configuration. (I could also write my own admin section and do this programmatically, if I liked.)

Selecting ASP.NET Configuration site from the Project Menu

Then from the Security tab, under Roles, I'll create a new Role:


Then I'll find the Scott User and add him to the Administrator Role:

Giving the Scott User Administrator Role

I want to show something if a user is an Administrator. I'll add a little chunk of code to the default website's _LogOnPartial.cshtml so we'll see [Administrator] next to their name if they are one.

Welcome scott (Administrator)

I'll add a small line where I ask "User.IsInRole()" like this (the @: prefix tells Razor that the line is markup, not C#):

@if (Request.IsAuthenticated) {
    @:Welcome @User.Identity.Name
    @(User.IsInRole("Administrator") ? "(Administrator)" : String.Empty)
    @:[ @Html.ActionLink("Log Off", "LogOff", "Account") ]
}
else {
    @:[ @Html.ActionLink("Log On", "LogOn", "Account") ]
}




So now I have some Roles I can assign to users and check against. I can set whatever roles I want, like Bronze, Silver, Gold, etc. Keep in mind that hiding a link in the view is a courtesy to the user, not enforcement: any action only administrators should reach also needs a server-side check, such as [Authorize(Roles = "Administrator")] on the controller or action, because the URL is still there for anyone who types it.

Adding Profile Information to Users

Let's say I want Users to have a Birthday and I want that to be part of the User Profile. I can just use the Profile object and ask for things via string like this:

DateTime? birthday2 = HttpContext.Profile["Birthdate"] as DateTime?; //alternative syntax

However, perhaps I'd rather have a stronger typed syntax for my profile.

NOTE: I've already brought up the issue that User hangs off Controller in MVC 3 but Profile is simply missing. Perhaps that will be fixed in MVC 4. I believe it was an oversight. You shouldn't be digging around in HttpContext if you want your code testable.

I'll make a small MyCustomProfile class like this that extends ProfileBase:

using System;
using System.Web.Profile;

public class MyCustomProfile : ProfileBase
{
    // Strongly typed wrapper over the "Birthdate" profile property
    public DateTime? Birthdate
    {
        get { return this["Birthdate"] as DateTime?; }
        set { this["Birthdate"] = value; }
    }
}

Alternatively, I could put the "getting" of the profile in the custom class as a static, or I could use Dependency Injection. It depends on how you want to get to it. These two statics live inside MyCustomProfile, since Create is a static on ProfileBase (Membership needs using System.Web.Security):

public static MyCustomProfile GetUserProfile(string username)
{
    return Create(username) as MyCustomProfile;
}

public static MyCustomProfile GetUserProfile()
{
    var user = Membership.GetUser(); // null when the current request is anonymous
    return user == null ? null : Create(user.UserName) as MyCustomProfile;
}

Then in web.config, I'll update the <profile> element's inherits attribute so the system knows the derived Profile class I want used when I ask for one:


...

For older website projects, I can add properties in the web.config like this. There are attributes I can use like SettingsAllowAnonymous for custom derived classes in code.



Or I can even use IIS7's administration interface to edit the profile details in the web.config. You can have all kinds of profile properties, group them and it's all handled for you.

Using IIS Manager to edit User Profile schema

If I like, I can ask for the User's Profile (I've got it set for only authenticated users), and set a default as well. I save explicitly, but there is an auto-save option also.

if (User.Identity.IsAuthenticated)
{
var customProfile = HttpContext.Profile as MyCustomProfile;

DateTime? birthday = customProfile.Birthdate; //Because I made a strongly typed derived class

if (!birthday.HasValue) {
customProfile.Birthdate = new DateTime(1965, 1, 14); //cause that's everyone's birthday, right?
customProfile.Save(); //or set autosave if you like.
}

ViewBag.Profile = customProfile; //So the View can use it
}

At the very end I put the Profile in the ViewBag so it can be accessed from the View. I could also have added just the things I want to a larger ViewModel. Then I can use it later with some sanity checks:

@if (ViewBag.Profile != null) { 
@:Hey, your birthday is @ViewBag.Profile.Birthdate.ToString("d")! Congrats.
}

Expect to see more cloud-ready things like this in the coming months that'll better position your apps, new and old, to move up to Azure or even down to SQL Compact. Hope this helps. Enjoy.


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.