Thursday, April 23, 2009

Security Hall of Shame: Lenovo

Summary: What is wrong with password rules at Lenovo?

The winner of today's Security Hall of Shame Award in the category Stupid Password Rules (subcategory: We want you to think that we support strong passwords, but we don't, ha-ha) is... Lenovo.

When you register for the Lenovo IBM Shareholder Purchase Program, you are not allowed to specify the password (not sure why, but whatever). Once you submit the registration info, you receive an e-mail with your user name and a random password (not that smart to send the password along with the user name, but whatever). Now the logical step is to change the password to one you can remember, so you click the My Account link (not easy to find on the page, but whatever), and then click Change Account Information (it would be better to separate security info -- user name, password -- from regular account info -- address, phone, etc. -- but whatever).

Okay, let's change the password. This is not a financial site, so I make a new password that is:
  • 8 characters long, with
  • upper-case letters,
  • lower-case letters, and
  • a number.
This should be good enough, so I save the changes... and... o-ops, error:
"The password is too simple. It must contain at least two numbers."
Hmm, among the passwords I use, none has two numbers, but let me try this:
  • 9 characters long, with
  • upper-case letters,
  • lower-case letters,
  • a number, and
  • a special character.
This one complies with most password security guidelines, so I save the changes... and... da-ang:
"The password contains special characters. Only letters (a-z) and numbers are allowed."
Hmm, okay, let's try this:
  • hello123
I save the changes... and... no problem. Bravo, Lenovo! You know your security.

Now, kids, remember that Lenovo will lose its Security Hall of Shame Award when it changes password rules to:
  1. allow special characters (such as: +-*#@!~&%), and
  2. not require two numbers (this is not a bad rule, but it's not common).
See also:
What is strong password? by Webopedia
Strong passwords: How to create and use them by Microsoft

Wednesday, April 22, 2009

Technobrief #7

Summary: Recent findings of software, articles, tips, podcasts, and more.

Books
  • Almost Perfect by W. E. Peterson (a story of the rise and fall of WordPerfect Corporation from the author's point of view; free online/PDF version)
Browser add-ons, bookmarklets
  • Ask & Record Toolbar lets you download, record and convert all kinds of Internet Video and Audio, right from within your browser.
  • PriceProtectr browser toolbar helps you monitor prices, keep track of your purchases, and get rebates when prices drop.
  • Readability bookmarklet removes clutter around text on web pages making it easier to read.
  • Web Development Helper is a browser extension for Internet Explorer that provides a set of tools and utilities for AJAX and ASP.NET developers.
Humor
  • From ManagementSpeak by Bob Lewis:
    ManagementSpeak: Work space will be designed to create an environment that promotes teamwork and effectiveness, while improving space utilization.
    Translation: We’re going to cram twice as many employees into the same floor space.
Quotes
  • From How to Do Things Your Customer Didn't Ask For by Jurgen Appelo:
    "The underpromise, overdeliver principle tells us that we should manage our customer's expectations in such a way that we are able to deliver more than the customer asked for."
  • From How to be a program manager by Joel Spolsky:
    "There are so many development organizations where specs are a monument to mindless bureaucratic paperwork that entire movements sprung up organized around the idea of not writing specs. These people are misguided. Writing a functional specification is at the very heart of agile development, because it lets you iterate rapidly over many possible designs before you write code."
  • From Make It Simple vs. Do It Simple by Jurgen Appelo:
    "It's a complicated thing to build stuff that is simple. It's a simple thing to build stuff that is complicated."
  • From Out with objectives, in with technique? by Bob Lewis:
    "Measuring employees is a bad idea because employees have a remarkable talent for gaming the system. They can: Work the system so the numbers look good; behave in ways that make the numbers look good while circumstances deteriorate; or just falsify the data outright. I pointed this out once in an executive meeting, and one of the participants recommended firing any employee who would behave this way. Interesting concept, as I was referring to a very large number of American CEOs."
Software
  • Avidemux is a free video editor designed for simple cutting, filtering and encoding tasks.
  • Greenshot creates screenshots.
  • Ken Rename is a capable multi-file rename utility.
  • RichCopy offers comprehensive file copying capabilities.
  • SEAMonster can resize images with minimal pixel loss (see seam carving).
  • Starter is an application startup manager which also provides extended process info (similar to Task Manager), as well as service and driver manager.
  • UnlockMe enables you to delete, move or rename files or folders that are temporarily locked by other processes.
Web tools
  • AlternativeTo suggests alternatives to popular applications.
  • AnyClient is a web-based file transfer application that supports all major file transfer protocols including FTP/S, SFTP and WebDAV/S.
  • StyleNeat organizes and standardizes your CSS in a structure that makes it easier to define page areas and see how they relate to each other.
  • When is Good offers an easy way to find out when everyone is free for your next meeting or event.

Convert a string to a table in T-SQL

Summary: Transact-SQL function that converts a string of comma-separated numbers to a table of integers.

Here is a common SQL programming scenario. Your code receives a string holding comma-separated values (CSVs), such as IDs of records stored in a table (say "98,256,17,34"). Now it needs to retrieve these records from the database. How do you do this?

[Note: For the sake of simplicity, I use a comma-separated value (CSV) holding numbers, but the string can contain other values, such as dates or other strings, separated by semicolons or other delimiters.]

Option #1. Use EXEC (not recommended).
The obvious option would be to generate a dynamic SQL query and execute it via an EXEC statement. For example, you can do the following:
USE AdventureWorks

DECLARE @ProductIDs varchar(256)
DECLARE @Query      varchar(256)

SELECT @ProductIDs = '1,350,400,440'

SELECT @Query =
'select
  ProductID,
  [Name],
  ProductNumber
FROM
  Production.Product
WHERE
  ProductID in (' + @ProductIDs + ')'

exec(@Query)
There are two major problems with this approach. First, generating the query -- in this example it's a SELECT query, but it can be any query -- as a string degrades readability: you lose syntax highlighting and IntelliSense (whether the new IntelliSense feature in SQL Server 2008 or a third-party tool such as SQL Prompt). Second, and more important, this approach is vulnerable to SQL injection. Even if you pass the comma-separated value (CSV) to the stored procedure as a command parameter, you are still concatenating it into dynamic SQL, so you must make sure it contains nothing but the expected numbers and delimiters. Whether you do that in T-SQL code or in the application code (C# or whatever), it's a hassle.

Option #2. Convert string of values to a table of values (recommended).
A better alternative is to convert the CSV to a table of numbers (again, I use numbers in this example, but the values can be of any type). You can accomplish this with a user-defined function (UDF), such as this one:
CREATE FUNCTION [dbo].[ConvertCsvToNumbers]
(
  @String AS VARCHAR(8000)
)
RETURNS
  @Numbers TABLE (Number INT)
AS
BEGIN
  -- Normalize the input: treat NULL as empty, turn tabs into spaces, trim both ends
  SELECT @String = 
    LTRIM(
      RTRIM(
        REPLACE(
          ISNULL(@String, ''), CHAR(9) /* tab */, ' ')))

  IF (LEN(@String) = 0)
    RETURN

  DECLARE @StartIdx       INT
  DECLARE @NextIdx        INT
  DECLARE @TokenLength    INT
  DECLARE @Token          VARCHAR(16)

  SELECT  @StartIdx       = 0
  SELECT  @NextIdx        = 1

  WHILE @NextIdx > 0
  BEGIN
    SELECT @NextIdx = CHARINDEX(',', @String, @StartIdx + 1)

    SELECT @TokenLength =
      CASE WHEN @NextIdx > 0 THEN @NextIdx
      ELSE LEN(@String) + 1
    END - @StartIdx - 1

    SELECT @Token = 
      LTRIM(
        RTRIM(
          SUBSTRING(@String, @StartIdx + 1, @TokenLength)))

    -- A token that is not a valid integer fails here with a conversion error,
    -- so stray SQL text in the input never reaches the calling query
    IF LEN(@Token) > 0
      INSERT
        @Numbers(Number)
      VALUES
        (CAST(@Token AS INT))

    SELECT @StartIdx = @NextIdx
  END
  RETURN
END
Now you can reference this UDF in a query, such as:
SELECT
  ProductID,
  [Name],
  ProductNumber
FROM
  Production.Product prod,
  dbo.ConvertCsvToNumbers(@ProductIDs) numbers
WHERE
  prod.ProductID = numbers.Number
In addition to improving readability and security, this method lets you treat the data contained in the CSV as a regular table. If you want to try this approach, you can download the script generating the UDF, which is more robust than the listing above (the script sets the permissions and contains code for repeated compilation):
See also:
How To: Protect From SQL Injection in ASP.NET
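As an added example (not part of the original post), here is a batch that exercises dbo.ConvertCsvToNumbers from the listing above against a constructed temporary table: first with the kind of untidy but well-formed input a caller actually sends (blanks around tokens, an empty token, a tab), then with a token that contains SQL text instead of a number, which fails at the CAST inside the UDF rather than changing the query. It assumes the UDF has already been created in the current database and SQL Server 2008 or later (for the multi-row VALUES and inline DECLARE initializer).

```sql
-- Constructed sample data (not AdventureWorks); dbo.ConvertCsvToNumbers must already exist
CREATE TABLE #Product (ProductID INT PRIMARY KEY, [Name] NVARCHAR(50));
INSERT INTO #Product (ProductID, [Name])
VALUES (1, N'Adjustable Race'), (350, N'Blade'), (400, N'Chain'), (999, N'Not requested');

-- Untidy input: blanks around tokens, an empty token, and a tab before the last value
DECLARE @ProductIDs VARCHAR(256) = ' 1, 350 ,,400,' + CHAR(9) + '440 ';

-- Recommended pattern: the CSV becomes a table and joins like any other table;
-- the empty token is skipped by the UDF, and 440 simply has no matching row
SELECT prod.ProductID, prod.[Name]
FROM #Product AS prod
INNER JOIN dbo.ConvertCsvToNumbers(@ProductIDs) AS numbers
  ON prod.ProductID = numbers.Number
ORDER BY prod.ProductID;

-- Hostile input: a token that is not a number never reaches a query; the CAST inside
-- the UDF raises a conversion error (SQL Server error 245) that the caller can handle
BEGIN TRY
  SELECT numbers.Number
  FROM dbo.ConvertCsvToNumbers('1,350 OR 1=1') AS numbers;
END TRY
BEGIN CATCH
  SELECT ERROR_NUMBER() AS ErrorNumber, ERROR_MESSAGE() AS ErrorMessage;
END CATCH;

DROP TABLE #Product;
```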

Friday, April 10, 2009

Best of MIX09

Summary: My favorite presentations from the MIX09 conference.

If you are interested in design and web technologies, but did not have a chance to attend MIX09 (the annual Microsoft conference focusing on design and web technologies), here are some of the free online presentations that I would recommend.

Best talks

If you do not have much time, just watch these two presentations (they both focus on design):
  • Web Form Design (74:36)
    by Luke Wroblewski, Senior Director of Product Design, Yahoo!
    This session focuses on the most common design mistakes and introduces 10 best practices for web form design. The presentation covers such topics as form organization, alignment rules, input validation, using help and tips, progress indicators, error reporting, and more.

  • Ten Ways to Ensure RIA Failure (39:34)
    by Anthony Franco, President, EffectiveUI
    Great (and short) talk focusing on what NOT to do in web design and development. My favorite points include:
    "If you're looking to fail, trust developers to make good design decisions."
    As well as:
    "If you're looking to fail, value the process over the product."
The following presentations mostly focus on design, development, deployment, and security:

Security
  • Securing Web Applications (75:30)
    by Eric Lawrence, Security Program Manager (Internet Explorer), Microsoft
    This talk is more about IE 8 features, but it still raises a few interesting points about web application security.