November 30, 2002

LAN Party Cancelled :(

Well, blog month is almost over. Have you guys been keeping up?

I was supposed to go to a LAN party today, but a certain wanker bailed with some fiddle faddle about not enough people. Pshaw. You only need a few to kill each other ;-) Of course, I have no clue how well Age of Mythology plays multi-player yet, as I am still fighting the campaigns.

Work has been uneventful in the last little bit. We are just sitting and waiting for the sales side to produce a few contracts so we can finish off the i18n stuff. We are integrating a home grown tech support system which I really don't like, as it's too much focused on the support engineer instead of the customer. It is supposed to be about the customer, but it's not my department to have any say in it. Guess that's the way it goes. Ever wonder why it's called "Customer Relationship Management" (CRM) software? It's SUPPOSED to be so the company can manage the relationship with the customer better. But like anyone around here cares to actually focus on that so the customer can be empowered. *sigh*

Well, I need to go shower and wake up. I got to start thinking about getting Christmas lights up. Oh the joy.

Posted by SilverStr at 05:49 PM

November 28, 2002

Age of Empires

Damn you Andrea. Damn you to the depths of Poseidon's urinal. You have me addicted to Age of Mythology. I am not one for these strategy games, but I just can't seem to shake the AOM out of my fingers. I really like this game. Only wish I had more time to play it.

Speaking of time... I don't have any to be writing in my blog. I need to get to bed as I need to drive my wife to work in 6 hours. TTYL.

... 3 hours later

CURSE YOU FIREFLY!!!! I need to go to sleep... I gotta get up in three hours. ARG. (For anyone who cares, I just finished the 9th campaign)

Posted by SilverStr at 08:47 PM

November 26, 2002

Merry early fsking Xmas

In one month XMas will be over. Yahoo! Sorry if I sound like the grinch, but I get tired of the commercialization of a season that obscures what it's really about. Tell me this, if we are supposed to allow for everyone's religion (which I am ok with), how come religions that DON'T include Jesus get the time off... AND their particular holiday as well? The schools now have to be careful when doing their shows to ensure they don't offend "particular religions". Gimme a break. If you believe in the birth of Jesus Christ, then celebrate it properly. Instead of blowing tonnes of money on presents for your children and family, focus on the good that was brought when Jesus came into this world and use that money for the needy. It's Christmas. Take $10, find someone that needs a helping hand and take them to lunch. DON'T give them the money. Make sure they get food in their belly. I do this every year, and to see someone get a decent meal for a change is nice. It is good for them, and to be honest, you will feel good too.

Chris Botti has a Christmas album out, which from the teasers sounds interesting. I am not one for his singing, but his golden tones from his trumpet, mixed with his contemporary Jazz style, give a unique flair to the seasonal tunes. Not sure if I want to buy this CD or not. Will be interesting to see what I decide. I do know I want his DVD of his concert though. But alas, I think I will save that money and perhaps take a few people for lunch and help out.

Since I seem to be in a weird mood anyways today, I guess I will go on a little religion bashing. Not the religion itself, but how people apply it. I have a new disgust for people who call themselves "christians" who routinely practice their faith, and then blatantly lie to others. Who then talk about people behind their backs and overall use the "veil of christianity" as a shield to make them feel protected, but don't actually walk in the path. Now, many of you are going to say ... "ya but what gives you the right?". Nothing does. But that doesn't mean I don't understand it, or know about it. Here is a small fact most of you don't know. I almost became a youth pastor. That's right, I was scheduled to go to Trinity Western University, majoring in music and was going to devote my life to god, and being a vessel for his word to the youth through music. Circumstances around me changed my life, and I ended up joining the military as I could not afford to pay for school at Trinity. It was then that I was exposed to the "veil of christianity" that was not about "walking the path of god", but rather "acting like it" in the right company. I was severely emotionally scarred when I saw how others could act, and lash out at my decisions, and how they felt they were better than me because of the path I took. Who even knows if this wasn't what the path HE had for me all along. One thing I have learned over the years is that it isn't getting better. It is so easy for people to break their bonds and stray. We all do it. We are human. But it really disgusts me to see people use their christianity like that. If you are a devout christian... you don't continuously LIE to people. It's not right. You don't back stab people. You don't berate them. You love them. You befriend them. You live your life to the fullest, which includes everyone, and everything you touch. At least, that's my opinion of it.

Anyways, enough bashing. My apologies to those in the crowd this doesn't apply to. For you, I hope you have a great christmas to celebrate Jesus's birthday, and truly feel the joy of giving to others. Have a joyous holiday season.

Posted by SilverStr at 05:46 PM

November 24, 2002

Sushi!

Had lunch with Alan and Andrea, enjoying some Abby sushi yesterday. Tried a new roll called the ninja roll which is basically fried tuna with avocado, and some other stuff. Not too bad. Alan tried this thing called the Philadelphia roll which is salmon and cream cheese. Not for me. I live in the greatest province with salmon abound... and I can't stand it. *ick* Fish is not for me.

Spent the evening watching movies with the family. We started by checking out a kids flick called Big Fat Liar which has one of my daughter's favorite actors, Amanda Bynes, in it. That was followed up with my guy Sandler in Mr. Deeds. This morning, I am finishing off a movie by myself called Reign of Fire. As a huge dragon fan, this was one I wanted to enjoy by myself, and didn't think it's something the family should be watching anyways.

Been trying to get XP to burn CDs for me. I found an awesome ISO Recording Power Toy that allows you to right click on ISO files and burn them directly to CD without any 3rd party software. Really slick. Just can't seem to get it going because my IMAPI CD Burning service has been screwed when I removed the EZCD Creator trial from my system. *grrrrrrrrrrr* I hate sloppy uninstallers like that. Hopefully I will get that fixed soon.

Going to spend the rest of the day catching up on some reading on .NET Security. I have been neglecting this latest book as it's really dry, and has a lot of stuff I am not really too interested in. I don't expect to be doing any ASP.NET crap any time soon, and would rather focus on building a foundation of knowledge in the .NET architecture itself, rather than a single implementation on top of it.

On that note, I think I will go sit by the fireplace, drink some Ruby Mist tea with brown sugar, and enjoy the afternoon. TTYL

Posted by SilverStr at 05:43 PM

November 22, 2002

It's not my fault!

Well, I sorta blew Blog month... but not on purpose. I was attempting to update my blog last night over the wireless while watching Penny get punted... but I could not maintain a wireless signal. I really need to snake some CAT5 upstairs and put the access point up there, since that is where I use the laptop the most. I have a couple of dead areas by the fireplace and on the third floor.

Anyways, work is starting to get frustrating. I am doing this i18n stuff and finding that we opened up a whole new can of worms with unicode fonts for things like Chinese. It is easy to write intelligent routines to check and recheck values in the utilities package... but it totally SUCKS when you use a different character set. Let me give you an example. Passwords are in 7bit universal ASCII. Of course, UI components in Java are in unicode. So a password of "foo" is something like \u4e00\u4e00\u4e00 (not the real conversion but you get the idea), and when crypted will have a TOTALLY different key combo than actually hitting f, o, and o again. *sigh* VPN tunnels need 7bit ASCII as tunnels can only support letters and an _. So guess what.. not supported in the Chinese character set. So now what? Well that's the frustration. Try finding good articles on this. I don't actually SPEAK Chinese or READ it.. so I need to have someone translate everything. Including any correspondence with Sun China. Not fun.
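As an added illustration (my code, not anything from NetMaster or the post), here is the mismatch described above modelled in C++: the password "foo" keyed from the GUI's raw UTF-16 code units derives a different key than the same password keyed from the ASCII bytes typed at the keyboard, and normalising the GUI text to UTF-8 before deriving the key makes the two agree. The FNV-1a hash is a stand-in for whatever crypt routine the product actually uses.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Encode UTF-16 code units as UTF-8 bytes (surrogate pairs handled). This is
// the canonical byte form the GUI text is reduced to before keying anything.
std::vector<std::uint8_t> utf16ToUtf8(const std::u16string& in) {
    std::vector<std::uint8_t> out;
    auto put = [&out](std::uint32_t b) { out.push_back(static_cast<std::uint8_t>(b)); };
    for (std::size_t i = 0; i < in.size(); ++i) {
        std::uint32_t cp = in[i];
        if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < in.size()) {
            std::uint32_t lo = in[i + 1];
            if (lo >= 0xDC00 && lo <= 0xDFFF) {
                cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
                ++i;
            }
        }
        if (cp < 0x80) {
            put(cp);
        } else if (cp < 0x800) {
            put(0xC0 | (cp >> 6));
            put(0x80 | (cp & 0x3F));
        } else if (cp < 0x10000) {
            put(0xE0 | (cp >> 12));
            put(0x80 | ((cp >> 6) & 0x3F));
            put(0x80 | (cp & 0x3F));
        } else {
            put(0xF0 | (cp >> 18));
            put(0x80 | ((cp >> 12) & 0x3F));
            put(0x80 | ((cp >> 6) & 0x3F));
            put(0x80 | (cp & 0x3F));
        }
    }
    return out;
}

// The raw little-endian bytes of the UTF-16 code units: what a byte-oriented
// crypt routine sees if a Java char[] is handed to it without re-encoding.
std::vector<std::uint8_t> utf16RawBytes(const std::u16string& in) {
    std::vector<std::uint8_t> out;
    for (char16_t u : in) {
        out.push_back(static_cast<std::uint8_t>(u & 0xFF));
        out.push_back(static_cast<std::uint8_t>(u >> 8));
    }
    return out;
}

// The 7-bit ASCII keystrokes, byte for byte.
std::vector<std::uint8_t> asciiBytes(const std::string& s) {
    return std::vector<std::uint8_t>(s.begin(), s.end());
}

// Stand-in for the crypt step: 64-bit FNV-1a. Any real key derivation has
// the property that matters here: different input bytes give a different key.
std::uint64_t deriveKey(const std::vector<std::uint8_t>& bytes) {
    std::uint64_t h = 1469598103934665603ULL;
    for (std::uint8_t b : bytes) {
        h ^= b;
        h *= 1099511628211ULL;
    }
    return h;
}

// Naive path: key the GUI's UTF-16 text directly. "foo" no longer matches "foo".
bool keysMatchRaw(const std::string& typed, const std::u16string& ui) {
    return deriveKey(asciiBytes(typed)) == deriveKey(utf16RawBytes(ui));
}

// Fixed path: reduce the GUI text to UTF-8 first; ASCII is already valid UTF-8.
bool keysMatchCanonical(const std::string& typed, const std::u16string& ui) {
    return deriveKey(asciiBytes(typed)) == deriveKey(utf16ToUtf8(ui));
}

int main() {
    std::printf("raw UTF-16 vs ASCII keys match:  %s\n", keysMatchRaw("foo", u"foo") ? "yes" : "no");
    std::printf("UTF-8 canonical vs ASCII match:  %s\n", keysMatchCanonical("foo", u"foo") ? "yes" : "no");
    return 0;
}
```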

So I can support normal keystrokes AND Chinese characters on the UI... but I have no idea what a Chinese keyboard types out. Are numbers the same? Extended characters? And of course, no one is willing to buy me a Chinese computer with a Chinese version of XP to let me find out. *sigh*

Posted by SilverStr at 05:41 PM

November 19, 2002

Love the LUG

Had our monthly FVLUG (Fraser Valley Linux User Group) meeting last night. Showed the group how to effectively run cygwin in XP, and how to set it up on NTFS to use native DACL security as a way to deal with Unix security within the environment. Talked a bit about the environment variables and how they work when wanting to set up a remote service, such as SSH, within XP.

Once that was done, Alan installed RedHat 8.0 onto Collin's hard drive, which went by REALLY smoothly. I must admit, RH has it done right in that regard. I was even impressed with the new admin tools to deal with LDAP, Kerberos etc. The fonts/application loads etc were pretty good looking, and sure put us Debian folks to shame when it comes to installation. Wim tried installing Caldera 3.1.1 .. but it puked out when he tried to switch the mouse. In the end he gave up and tried some other wacked out distro that was basically Caldera under the hood with a new name. Can't remember it off the top of my head, but they used to call it "Redmond Linux".

Afterwards we did the customary Finnigan's run, and pigged out on wings (it was .19 cent wing night) and beer. Discussed the follies of VB and the woes we all have dealing with Windows environments for programming *sigh*.

Now that the web site has been done, at work I am now rewriting and refactoring some of the master sources in preparation for some Internationalization we will be doing to Simplified Chinese. Ever wonder what i18n means? It means there are 18 letters between the i and the n in "internationalization". So guess what l10n is? Localization! I always wondered how they came up with those. Now you know.

Anyways, to do the i18n I had to prune through the resource bundles and find dead keys. When yer paying over 14 cents a word for translation, you don't want to translate text you don't need to. Well, after writing a sweet little perl script to deal with it, I found over 1800 useless keys and a lot of those had paragraph phrases. Nice utility for future use. Never realized how bad we left some of the resource bundles when we refactored/cleaned up stuff over the summer until I ran the script. Originally I thought I must have a bug in the script. But as I verified the keys.. sure enough... they were all dead.

Anyways, my wife is calling me to dinner. Feeling kinda hungry. Gotta go. TTYL.

Posted by SilverStr at 05:39 PM

November 17, 2002

Happy Birthday Arcterex

Well, let's start this day off right.

HAPPY BIRTHDAY ARCTEREX!

I want to get you The Sadies "Stories Often Told" CD but I called 3 record stores and none of them seem to have it in stock, or even heard of the band. Maybe I will just order it online or something. Any way you look at it... expect it SOME day.

As I mentioned yesterday we checked out the Chamber of Secrets. Pretty good movie... and the detail in which we learn more about Hogwarts castle is quite kewl. It was neat to see more of the place in a more detailed kinda way. Loved the winter snowing scene in the great hall.

They had one blunder I think. Ron's clumsy owl. How come he wasn't clumsy in the first movie when dropping off mail? I am sure its a little issue... but the clumsy owl is a nice touch. Gives Ron's family a bit more character.

It's a nice enough afternoon I think I will go absorb some more reading into the latest .NET security book I am reading. I am finding this one a bit dry as I really have no care to build ASP.NET services and couldn't give a damn about them. Lots of references to it are kinda boring, but the overall concepts still make it a good read. On that note, I'm off. TTYL.

Posted by SilverStr at 05:37 PM

November 16, 2002

Harry Potter

Took my daughter to go see Harry Potter and The Chamber of Secrets. Pretty good movie. Thoroughly enjoyed it. It will be interesting to see how they will deal with Dumbledore in the next movie, since the great actor who plays him has passed away.

In Langley right now over at a friend's partying it up, and realize it's much drier than it is in Chilliwack. Of course, it IS much louder with all the traffic. Anyways, need to get back to the party, will talk more tomorrow.

Posted by SilverStr at 05:34 PM

November 14, 2002

Life Re-evaluation

In your mind's eye, it is so easy to hate. Anger and frustration swell and can gain enough momentum that they push you over the edge. With me, that vexation becomes apparent when trust is broken. I guard my friendships closely because of this, and when trust is breached, it is very hard to regain it again. Almost impossible. I can't go into it here, but in the past year I sure have learned who I can trust, and who I can call my friends.

I am reaching a point in my life where I am starting to re-evaluate myself, my friends and my surroundings. In the military, we used to have a phrase called "blading buddy", which as you can imagine is not used to talk fondly of others. Well, frankly... I've had enough of it. Now I just need to reflect on everything and decide what to do.

No one should have to go through this sh*t. Life is too short to simply stand by and mope, stay angry or whine. I think I am learning that the hard way. At least, some of my closest friends are there to help me through this. It's people like Tim, who I haven't heard from in ages, who dropped me a nice phone call last night to remind me who I am, and what I am capable of. I appreciate it dude.

Well lunch is half over, and I need to get something to eat and then get back to work. TTYL

Posted by SilverStr at 05:35 PM

November 12, 2002

Rain, Rain go away

Wow did it ever rain today. Had to drive to the school and get my daughter, as there is no way in hell she should have to walk in that kinda weather. Was nuts. Guess winter is now upon us.

Spent some time tonight playing some Urban Terror with the guys. As usual, Cadilois has a horse shoe reamed so far up his a** when he is sitting with the SR8, it isn't even funny. That guy sure has good aim and fast reflexes. Watched Muckhead's head fly right off with a PSG1 (silenced) at somewhat close range. He ducked for cover right in front of me.. tsk tsk. Overall was pretty good, except for the occasional ping lag issue.

I officially now have a love hate relationship with Photoshop. I mean, it's got some REAL kewl stuff, but I like how EASY The Gimp is. Things like the state of feathering between projects get annoying when Photoshop remembers it sometimes, and not others. Gimp never has those issues. By the end of the week I should be done using Photoshop and can get back to some coding issues. I need to do some localization to Simplified Chinese. If you can recommend a good firm that does translations for software companies, please let me know.

So, how are you guys doing with blog month?? I am noting a few are starting to get behind. Tsk tsk.

Posted by SilverStr at 05:32 PM

November 11, 2002

We Remember

I hope you are using this day to reflect on how lucky we all are to be alive and free. It is sad that this day seems to become less and less about remembering the sacrifice that was given to us by those in the services, and more about "another day off". While I am alive, that will not happen with my family. To my fellow servicemen .... Chimo!

Finished Writing Secure Code yesterday, and moved on to start reading .NET Framework Security. Where the first book is about how to write secure code in general, this new one is about how to do it with the .NET platform. It gets down and dirty about the inner workings of the .NET security framework, and is NOT for the faint of heart. Looks like I am going to be learning a lot from this book.

If asked which book to recommend, it would be Writing Secure Code. The reason is a Unix developer can still gain a lot from that book, as the material presented can still apply. Overflows are overflows. Canonicalization is still just that, even if it's fired against an Apache server. etc etc. You should buy this book. Period. This .NET security book is not for the faint of heart. If you intend on actually applying what you learn, then you really need to be prepared to "get into security". There is no half-vast way of doing it. Either you do, or you don't. There is no middle ground. What you learn can be applied to writing better quality software designed with security in mind with the tools .NET provides. You WILL find you will be writing more code to deal with security, but that can be offset with languages like C# that can minimize the amount of work it takes. I am just getting into it... but it looks pretty good.

Well, in a few hours the Remembrance Day services are going to begin. I need to go get ready and take my daughter down to the cenotaph. TTYL

Posted by SilverStr at 08:30 AM | Comments (1)

November 09, 2002

Lazy Developers

So in an effort to get more squash partners, I took my wife yesterday to play squash. She loves the game! BONUS! Of course, just like we all were, the first few times coordination is an issue :) She'll get better. I have been TRYING to get a regular game going with Wim, but we seem to always miss each other. When we do get to play though, it's quite fun. At least right now... cuz I am winning ;-) If anyone else would like to play squash in Chilliwack during the lunch hour, please let me know.

Work has been interesting. Been having to update the website and have thus been in the bowels of Photoshop for some time. Hopefully this thing will go live in a week or so to help aid in the sales effort. It's funny to hear such praise from previous customers who are now coming to NetMaster to upgrade. I just love it. We make kewl stuff. Just wish more people knew about it. :(

Today with any luck I will be able to get some more reading done. I am about half way done Writing Secure Code and hope to be done next week some time if I get a chance to get into the book more this weekend. As I said before it is a well written book. As I get into it I find it's more and more "Windows-centric", but that has to be accepted as it's a Microsoft Press book. Overall, the concepts are great. Always nice to get a refresher in an entertaining way. Learning about some of the serious security flubs at Microsoft really helps to re-emphasize a point on how easy it is to break good security development techniques. Although, I gotta admit I hope they fired one employee for this one:

Every developer in a particular project was told they MUST NOT provide a NULL DACL in their work. Everything required a valid ACL associated to it. The release manager wrote a perl script to run through the tree every night and make sure the field would not be NULL. If it was, a bug was reported. So this would NOT be allowed:


SetSecurityDescriptorDacl( &sd, TRUE, NULL, FALSE );

So one developer, (lets call him Mr. Lazy) decided to get around this by doing:


SetSecurityDescriptorDacl( &sd, TRUE, ::malloc( 0xFFFFFFFF ), FALSE );

So, this silly, but clever stunt would try to allocate 4,294,967,295 bytes of memory. None of us have that sort of memory available, and malloc fails.... with a NULL. So the DACL ends up NULL after all, and the nightly script, looking only at the source tree, never catches it.

It is these kinds of stories that I find entertaining, but show how HUMAN we all are. If you think that type of story is MS specific you are wrong. In the last 5 years I have seen similar things in code I have worked with. When you KNOW something is wrong, and you even go so far as to COMMENT the fact, you should just go fix the damn thing. Yet we all do it. Human nature I guess. Wim would probably say that's what refactoring is for. *slap* But hey, as a society of developers we ARE getting better. Let's hope so. Would suck to have our anti-matter cars blow up cuz someone tried to malloc 10 gigs of mem to set a null only to find that last upgrade now has 11 gigs available, and we thus flood the memory banks, and crash into Utopia prime. That reminds me... a new Star Trek movie should be out soon. Can't wait.
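As an added example (mine, not the release manager's script or anything from the post), here is that nightly check rewritten as a small C++ line scanner that, besides flagging a literal NULL in the pDacl position, also flags any third argument that is not a plain identifier, so a run-time expression like the malloc trick gets reported for human review instead of slipping past. It is a text heuristic only: a NULL stored in a variable earlier in the function is still invisible to it, which is the real argument for validating the pointer at run time rather than trusting the source scan.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// What the check decides about one source line.
enum class Verdict { NoCall, LiteralNull, RuntimeValue, Identifier };

// Pull the arguments of the first SetSecurityDescriptorDacl( ... ) call on a
// line, tracking parentheses so "::malloc( 0xFFFFFFFF )" stays one argument.
// Returns false if the call is absent or its parentheses are unbalanced.
static bool splitDaclArgs(const std::string& line, std::vector<std::string>& args) {
    const std::string fn = "SetSecurityDescriptorDacl";
    std::size_t pos = line.find(fn);
    if (pos == std::string::npos) return false;
    pos = line.find('(', pos + fn.size());
    if (pos == std::string::npos) return false;
    int depth = 1;
    std::string cur;
    for (std::size_t i = pos + 1; i < line.size(); ++i) {
        char c = line[i];
        if (c == '(') {
            ++depth;
        } else if (c == ')') {
            if (--depth == 0) { args.push_back(cur); return true; }
        } else if (c == ',' && depth == 1) {
            args.push_back(cur);
            cur.clear();
            continue;
        }
        cur += c;
    }
    return false;
}

static std::string trim(const std::string& s) {
    std::size_t b = 0, e = s.size();
    while (b < e && std::isspace(static_cast<unsigned char>(s[b]))) ++b;
    while (e > b && std::isspace(static_cast<unsigned char>(s[e - 1]))) --e;
    return s.substr(b, e - b);
}

// Classify the pDacl argument (third parameter). A literal NULL is what the
// original script caught. Anything that is not a bare identifier (a call, a
// cast, arithmetic) is only known at run time and is flagged for review,
// which is how ::malloc( 0xFFFFFFFF ) gets reported.
Verdict classifyDaclLine(const std::string& line) {
    std::vector<std::string> args;
    if (!splitDaclArgs(line, args) || args.size() < 3) return Verdict::NoCall;
    std::string p = trim(args[2]);
    if (p == "NULL" || p == "0" || p == "nullptr") return Verdict::LiteralNull;
    for (char c : p) {
        if (!(std::isalnum(static_cast<unsigned char>(c)) || c == '_' || c == '&'))
            return Verdict::RuntimeValue;
    }
    return Verdict::Identifier;
}

struct Finding { int lineNo; Verdict verdict; };

// Run the check over a whole file; every finding is a bug to file.
std::vector<Finding> scanSource(const std::vector<std::string>& lines) {
    std::vector<Finding> out;
    for (std::size_t i = 0; i < lines.size(); ++i) {
        Verdict v = classifyDaclLine(lines[i]);
        if (v == Verdict::LiteralNull || v == Verdict::RuntimeValue)
            out.push_back({static_cast<int>(i + 1), v});
    }
    return out;
}

// Constructed sample: the two lines from the story plus a correct call.
const std::vector<std::string> kSample = {
    "SetSecurityDescriptorDacl( &sd, TRUE, NULL, FALSE );",
    "SetSecurityDescriptorDacl( &sd, TRUE, ::malloc( 0xFFFFFFFF ), FALSE );",
    "SetSecurityDescriptorDacl( &sd, TRUE, pDacl, FALSE );",
    "BuildDacl( &pDacl );",
};

int main() {
    for (const Finding& f : scanSource(kSample)) {
        std::printf("line %d: %s\n", f.lineNo,
                    f.verdict == Verdict::LiteralNull ? "literal NULL DACL"
                                                      : "run-time value, needs review");
    }
    return 0;
}
```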

On that note, I should finish up here so I can go get absorbed in my book. It's quiet here for a few hours yet, so I should really take advantage of that. I think I will put some Botti on the stereo, brew some nice Earl Grey tea and read a book by the fire. Sounds really good. I'm outta here.

Posted by SilverStr at 05:28 PM

November 07, 2002

Embedded Data Signals

Sometimes new technology comes out that could have interesting opportunities for security. Good and bad. Slashdot recently had an article about embedding data signals in white noise. The idea is a company called Intrasonics could push data signals within the spectrum of frequencies your speakers can put out and allow devices to decode this on the coupled audio signal and get data. Possible commercial applications include sending web URLs on the radio, or even including the artist name/title etc. in the signal.

In classic /. style people bitch about it without understanding its real potential. How about the ability to send a special key to authenticate yourself to a device from a particular ring tone on your phone? So if you want a coke, you could use the sound coming from your cell, pick it up in the vending machine, and charge your account. Why need Bluetooth, which requires extra hardware on the consumer device, when you can simply add software to embed the signal (which most phones can do now) and then simply add a microphone to pick it up on the machine. Of course, you need some way to protect the signal (how about some simple crypto) and provide directional control so that you don't accidentally buy the chocolate bar instead of the coke.. but you get the idea.

Anyways, back from that tangent on how this could be good/bad for security. Sigint work (signals intelligence) has been dealing with this very thing for a LONG time. This process isn't new. Moons ago the NSA used to do research on the "Whistler" which was a way of using covert channels to send data over other media. The problem they found was that when used, it could simply be detected when the dog went nuts. So Russians could simply bring their pooch to "sniff" the covert signal in a round about way. What makes this approach different is that it's in a spectrum of white noise which as humans we just ignore. Or so you think. This has real potential as it could provide mechanisms for data delivery, and not care if it's covert. Sigint would be able to detect it, but if the bandwidth is large enough, the signal can be encrypted in a way to provide the security that is needed while delivering the information. So if you wanted to get a signal out of a country, you could use packet radio, and piggyback it from a tower with white noise for data delivery. How could this be useful? Well, all of a sudden you can track people by the tower that would simply piggyback the main signal with a GPS coordinate of the tower. Now you have a "round about" method of knowing where the signal came from, even if it bounces off the ionosphere. Sigint could more easily trace any signal that can piggyback white noise. See the potential?

If you can not see the potential for tagging here, consider this. You are in the music business and you want to know which radio stations are "pirating" songs by not paying for distribution. Perhaps they go out and buy a CD, but have not actually bought rights to redistribute. Redistributable songs could have a tag that is trackable. The music industry could quite simply track and tag signals from broadcasters, and then follow up and charge them for illegal use of songs. How? Cuz the hidden signal shows it's an end user copy... not a track for radio to play.

Anyways, it will be interesting to see if they can make this work commercially. You could get TV shows like Barney to update the doll and make it more "interactive" during the show. Of course, like every other media the pr0n industry will probably find a way to embed it in Debbie Does Dallas XVIII and have it be interactive with your Real Doll. *sigh* Hopefully we will see good things from it in the future.

Posted by SilverStr at 05:24 PM

November 06, 2002

Founding Father

I am far from being an American.... but Foz pointed to an interesting quiz. Someone needs to do one on Prime Ministers.

Posted by SilverStr at 05:20 PM

November 05, 2002

The Powers of the ACL

The powers of the ACL. One of the biggest beefs I have had with Windows environments has been the fact you can't simply change perms on files (i.e. chmod 750 foo) as you can in Unix environments. On the flip side, I have always thought Windows Access Control was much easier to understand. However, whenever you need to programmatically change access control, Win32 has been a NIGHTMARE to create ACLs. Well, in exploring the bowels of VC++ and cross referencing that with the latest book I am reading I found some good ATL template libs that make it CONSIDERABLY easier. Some background for myself later, and hopefully something worth showing you guys.

An ACL is an Access Control List. This is basically a container holding Access Control Entries or "ACE entries". These are in a canonical order which is quite easy to understand. Anyways, you build as many ACE entries as you need and make them part of the ACL. The ACL is then applied to a Security Descriptor and is finally hooked in with any Security Attributes. Finally... these Security Attributes can be passed to your file/pipe/registry/socket functions with the fine grained security you created attached to them. Voila. Sound easy? Well in old Win32 code I have, this took about 40 lines of code EACH TIME I wanted to do that.

Well, in the new IPSec client I am writing I was able to shorten that considerably. Here are the amazing objects to make life easier:


  • CSid - Security Identifier Object
  • CDacl - Discretionary Access Control List Object
  • CSecurityDesc - SECURITY_DESCRIPTOR wrapper
  • CSecurityAttributes - SECURITY_ATTRIBUTES wrapper

So, instead of 30-40 lines of ugly Win32 code... I can get it down significantly, and make it easier to read and understand. Let's take an example. Let's say I want to allow Alice to be able to read a particular directory on the accounting server. Bob on the other hand is allowed full access as he is an administrator. Guests... they should have no access. Knowing this, it is easy to set up the proper access control on Windows environments.


#include <atlsecurity.h> // The hidden secret gem
.
.
.

// In some function that needs a discretionary ACL

try {
    CSid sidAlice( "cogscompany\\alice" );
    CSid sidAdmin( "BUILTIN\\administrators" );
    CSid sidGuests( "Guests" );

    // Create an ACL and apply ACEs. Due to the canonical nature of the ACL,
    // DENY rules must go before ALLOW ones.
    CDacl dacl;

    dacl.AddDeniedAce( sidGuests, GENERIC_ALL );
    dacl.AddAllowedAce( sidAlice, GENERIC_READ );
    dacl.AddAllowedAce( sidAdmin, GENERIC_ALL );

    // Create the SD and wrap it in the attributes the API call takes
    CSecurityDesc sd;
    sd.SetDacl( dacl );
    CSecurityAttributes sa( sd );

    // Create the directory on the accounting server
    if( CreateDirectory( "c:\\payroll", &sa ))
        AfxMessageBox( "Directory created correctly" );
}
catch( const CAtlException& e ) {
    // Some witty error here (e.m_hr holds the failing HRESULT,
    // e.g. when a SID lookup fails)
}

.
.
.


Well, now you can easily apply discretionary access control to basically anything that will take security attributes within just a few lines of code. Of course, this will only work on volumes that support it. So Win95/98 is right out. Of course.... since MS has EOL'd it anyways... no big whoop.

On that note, I should get back to work. I need to crack some HEX that MS is hiding deep in the registry so I can figure out what the heck they are hiding in their ipsecData fields. They are all REG_BINARY and there is NO documentation to the struct of the raw data. *sigh*. TTYL

Posted by SilverStr at 05:18 PM

November 04, 2002

Programming Tip

Well, didn't get to spend much time on the book after I left the computer. I thought my daughter was going out to play with her friends, but that didn't end up happening. So we spent the day together.

The book has reminded me of a lot of fundamental programming techniques that are lost in the school system. My favorite is brain dead easy stuff that we all do, and we shouldn't. The easiest one I can think of is about "failing securely". This is the adage where in case of fault you should fail to a secure state, and not vice-versa. Let me give you an example.

int ret = isAllowedAccess( ... );

if( ret == ERROR_ACCESS_DENIED ) {
    // Error message here... tell the user
}
else {
    // OK, do something since you are allowed access
}

If you closely examine that pseudo code, it looks ok. On the surface, the code works flawlessly because it will either alert them if they are not allowed access, or process it if they are. Looks good right? Wrong. When coding we need to expect that we are in a hostile environment and it may fail. Code that doesn't fail well can cause lots of problems. Look at the above example. What would happen if during the call to isAllowedAccess it returned ERROR_NOT_ENOUGH_MEMORY? Whoops. You just granted someone access incorrectly. We all have done this. And we need to remind ourselves that this is not the way to handle it. The better way would be to fail well. Something like this:

int ret = isAllowedAccess( ... );

if( ret == SUCCESS ) {
    // Ok, do something since you are allowed access
}
else {
    // Error message here. Could be ANYTHING. Tell the user
}

Now, I could make it more programmer safe if I switched the if statement around a bit to:


if( SUCCESS == ret )

But this is an issue to cover when discussing coding style. Why would I write it that way? Well, if I accidentally forgot a single equal sign, I would be setting ret to a SUCCESS status which may again give access when it shouldn't. With the constant on the left, "SUCCESS = ret" won't even compile. Further to this... if the variable is used later on, it will be in the wrong state. In the end, many developers are ok with putting the var first, and that is ok too as long as you are careful.
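Here are both snippets as runnable C++ (added by me, not from the book or the post), with a stand-in isAllowedAccess() whose outcome the caller controls so the ERROR_NOT_ENOUGH_MEMORY path can be exercised: the first form grants access on that error, the second denies it. The status codes are constructed stand-ins for the Win32 ones.

```cpp
#include <cstdio>

// Constructed stand-ins for the Win32 status codes the post names.
enum Status { SUCCESS = 0, ERROR_ACCESS_DENIED = 5, ERROR_NOT_ENOUGH_MEMORY = 8 };

// Stand-in for isAllowedAccess(): the caller chooses the outcome so the
// unexpected-failure path can be driven deterministically.
Status isAllowedAccess(bool userAllowed, bool simulateOom) {
    if (simulateOom) return ERROR_NOT_ENOUGH_MEMORY;   // e.g. a lookup inside failed
    return userAllowed ? SUCCESS : ERROR_ACCESS_DENIED;
}

// First snippet: tests for the one error it expects and treats everything
// else as permission. An out-of-memory error lands in the "allowed" branch.
bool failOpenCheck(bool userAllowed, bool simulateOom) {
    int ret = isAllowedAccess(userAllowed, simulateOom);
    if (ret == ERROR_ACCESS_DENIED) {
        return false;   // error message here... tell the user
    } else {
        return true;    // OK, do something since you are allowed access
    }
}

// Corrected snippet: only an explicit SUCCESS grants; any other code, expected
// or not, denies. Constant on the left, so a dropped '=' fails to compile
// instead of silently assigning SUCCESS to ret.
bool failClosedCheck(bool userAllowed, bool simulateOom) {
    int ret = isAllowedAccess(userAllowed, simulateOom);
    if (SUCCESS == ret) {
        return true;    // OK, do something since you are allowed access
    } else {
        return false;   // could be ANYTHING; tell the user
    }
}

int main() {
    struct Case { const char* name; bool allowed; bool oom; } cases[] = {
        {"allowed user", true, false},
        {"denied user", false, false},
        {"denied user, OOM during check", false, true},
    };
    for (const Case& c : cases) {
        std::printf("%-32s fail-open: %s   fail-closed: %s\n", c.name,
                    failOpenCheck(c.allowed, c.oom) ? "GRANT" : "deny",
                    failClosedCheck(c.allowed, c.oom) ? "GRANT" : "deny");
    }
    return 0;
}
```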

Anyways, that ends my "Writing Secure Code" tutorial for the day. I need to get going to work. I am going to go check my work and make sure some of my own code fails securely. TTYL

Posted by SilverStr at 05:14 PM

November 03, 2002

Trip to Chapters

So the Langley trip was pretty good; picked up a couple of my books, and watched my daughter and wife go nuts in a book store with lots of stuff for them too. ScoobyD blogged about the couches, but I was sure they still had comfortable chairs. I was wrong. Now they got these hard, cold wooden chairs that you would NOT want to sit in for a long period of time. But maybe that's the point. They no longer want you reading books in the store. Of course, that IS what MADE Chapters. So easy it is to forget. Oh well.

So I started reading the first book which is Writing Secure Code from Microsoft Press. Now before you start babbling about how that just HAS to be an oxymoron, consider this. Microsoft has some of the brightest minds in computing on their payroll as it relates to security. But the weakest link is still the human factor. As much as the security division can preach about security, if application developers don't FOLLOW it... it's doomed to fail. And in the past, that has been the issue at Microsoft. At least in my opinion. And I gain that from private conversations with friends at Microsoft that were frustrated with how hard it was to get security engineering as a principle at the design level, and not something bolted on after. Security isn't supposed to be a flavouring you sprinkle on the top of your "dish". It should be "baked" in. But they are getting better. Ever since Bill's memo Microsoft has been trying to make some changes. Now, I won't get into the thread about this being a marketing ploy... but at least the world knows they are making an attempt. From my POV, the memo was very much like Bill's memo about IE. It was more of .. "ok.. the big boys are here... you can start the party now". The next few years should be interesting to see.

Anyways, back on track, the book is awesome. I am already a quarter of the way through it and THOROUGHLY enjoying it. Most of it I already know... but it's good to see how they lay it out and explain it. I originally started looking into getting this book when Bill mentioned it in his memo. Hell, if Gates thinks all his developers should be reading it... I should consider at least opening my mind to it. Then I heard more about this on some of the security mailing lists. So I bit the bullet and bought it... and am happy with the purchase.

I noticed Arc is trying Movable Type. Let me know what you think of it. Like you, this journal is more for me to reflect on what is going on, while letting friends know what I am up to in a roundabout way. Not sure how I would feel about others commenting. I kinda like it when people email me if they have comments. Much more personal. But alas, each to their own.

Anyways, on that note... that book awaits me. I am going to veg and read most of the day and just enjoy the peace and quiet. TTYL

Posted by SilverStr at 05:09 PM

November 01, 2002

Blog Month Begins

And it begins. The unofficial BLOG Month. Your mission, should you choose to accept it, is to try to blog at least every other day. Hard for most of us, unless you eat really weird things before bed, or can't stay focused at your work enough to blog all day. For most of us, it will be a challenge.... let's see what happens!

Halloween was pretty uneventful. Had about 120 kids come to the house. The haunted house sounds were a hit again this year. Actually watched a little one run terrified when a ghostly scream happened just as I opened the door. Her father was laughing so hard he fell on his ass. I gave him some extra treats for that one. No real damage to the neighbourhood, except for fireworks that almost lit some trees on fire. I wish parents would watch their kids. I mean, I was just like them having roman candle fights when I was a kid... but we never aimed for the head. And we wore blue jeans and heavy jackets that couldn't catch fire. Geeeeez.

Decided to write a complete script before I continue with the Flash. I was finding myself making too many changes as I didn't have a clean direction for the demo. I am about 75% done with the script, and then will try to pass it by the guys and see if this is the right message to get across. With any luck, I can have this thing done in a week or two and actually have a useful tool for the sales effort at work. Guess time will tell on that one.

Going to spend this weekend catching up on some reading. A few books I ordered arrived at Chapters so we are going to enjoy some family time in Langley browsing the store, having some hot drinks and sitting in their loungers. Online book stores are so cold and formal... I like being able to just browse a bit... even if my books are already paid for and behind the counter. And... my daughter thoroughly enjoys reading... so this is a treat for her. I like outings like this.... family fun yet educational.

Posted by SilverStr at 05:07 PM