Wednesday, November 28, 2007

CAPTCHA foiled by Mechanical Turk

An article on CGI Security about CAPTCHA highlights a very obvious flaw in the whole philosophy of CAPTCHA. For those who are too lazy to click the link and read the 2 paragraphs, the article basically describes how some very inventive worm writers enlist the help of unknowing participants who are visiting pornographic web sites to play a game that offers to reveal a pornographic image piece by piece as the user breaks a code (obviously the CAPTCHA the worm is currently observing at the site where it is trying to create a bogus account).

I have to concede this is a very clever use of the Mechanical Turk idea. CAPTCHA is designed to tell humans who are genuinely trying to sign up to a site and create accounts apart from computer-based worms that are trying to create bogus accounts for their writers' evil ends. CAPTCHA actually stands for Completely Automated Public Turing test to tell Computers and Humans Apart, and there is the flaw... the Turing test is designed to distinguish between humans and computers; if the computer you're testing can enlist large numbers of humans en masse to take the test for it, then the test is rendered redundant.

This raises some very interesting concerns for identity verification. Everyone wants their site to have the smallest possible barrier to entry, and even the simplicity of a CAPTCHA can sometimes prove to be a barrier that turns away a small number of genuine users (false positives). So what's the alternative? I'm not quite sure, maybe something like Windows CardSpace, or a competing identity management protocol that allows a third-party company trusted by both the provider and the client to validate credentials, but of course there would have to be overwhelming take-up of the same protocol set by both providers and clients, which seems to me to reduce to a chicken-and-egg kind of problem. Also, the cost of maintaining the system's integrity by the trusted third party would need to be recouped from either the client or the provider. I have to confess I'm not really an expert on identity management, so I'd love to hear others' thoughts.

Web Directions North

Well, it's official, I'm going to Web Directions North 2008. Last year I went to Web Directions South and really enjoyed it; this year I was in Cyprus during Web Directions South, so I'll have to settle for Vancouver. It's a real pity because I would have loved to have heard Chris Wilson (IE platform architect at Microsoft) presenting on Moving the Web Forward. I must say he is a brave man, as a lot of people in the crowd would not exactly have been Microsoft fans and would blame IE's standards issues for making their jobs harder, but I think his slide deck and his audio interview with Kevin Yank from SitePoint state the dilemma fairly well.

So what am I looking forward to at Web Directions North?

I decided that, considering I am travelling so far for this conference, I should probably attend the workshops, so I've booked myself in for Transcending CSS and Designing Really Usable Websites. As a developer I feel that one of my weaknesses is web design, and as such I think these workshops will be hard but rewarding.

As far as the conference sessions go, all of them sound really interesting, but I'll just highlight a few that I am really excited about. Being interested in security, the Ajax Security session is looking good; it will be interesting to see Silverlight and Adobe AIR compared; given my background in PDA development, I am interested to see where Mobile Web Design & Development is going to go; and given the presenters (Dave Shea and John Allsopp), Where's Your Web At should be very interesting indeed.


Speaking on Visual Studio 2008

I have become a big subscriber to the Chris Hewitt school of self-education. I have been working with Chris at Readify for about 3 years now, and I remember back when I first joined he told me "If you want to learn a new technology, simply book yourself in to do a presentation on it in 2 months' time". It is so true; the fear of making a complete fool of yourself in front of your peers is ample encouragement to get yourself across any topic. I have done this a few times now with technologies like Ajax, Vista, and SQL Server. I am now doing it for Visual Studio 2008, which has just RTM'ed. I have been playing with the beta versions of VS2008 for a while now, and today I am installing the RTM version. I am speaking at the Victoria .Net SIG in December. There are about 5 speakers doing 20 minute segments on "What's new in Visual Studio 2008 ...", and I am doing "What's new in the Visual Studio 2008 IDE".

Check the Victoria .Net SIG web site closer to the date for more details, both the date and place are still up in the air at the moment.

Tuesday, November 27, 2007

ASP.Net and Standards (cont.)

My colleague Damian Edwards pointed me to an article on MSDN (ASP.Net and XML) that explains the behaviour I described in my previous post on ASP.Net and Web Standards. From the article...

"If you submit an ASP.NET Web page to a validation service such as the W3C Markup Validation Service, ASP.NET might render a version of the page that does not conform to XHTML standards. This is because the validator service does not report itself as a browser type that ASP.NET recognizes, such as Internet Explorer or Mozilla. When ASP.NET cannot recognize the browser type, it defaults to rendering downlevel markup, which does not include XHTML-conformant elements and attributes, or features such as cascading style sheet styles."

The article also discusses how to configure ASP.Net using a browser capabilities file to force it to render valid XHTML. I'll have a play with this tonight when I get home.
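One way to do this, as an added example that is not from the post or the MSDN article: a browser definition file dropped into the web application's App_Browsers folder (the file name W3CValidator.browser is my choice) that recognises the validator by its user agent and declares uplevel capabilities, so ASP.NET picks the XHTML-emitting HtmlTextWriter instead of the downlevel Html32TextWriter. It assumes the validator identifies itself with a user agent string beginning with W3C_Validator.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- App_Browsers/W3CValidator.browser (example, file name assumed) -->
<browsers>
  <!-- Inherit everything from the Default browser definition and
       override only what is needed to get uplevel rendering. -->
  <browser id="W3CValidator" parentID="Default">
    <identification>
      <!-- Assumed: the validator sends a User-Agent starting with
           "W3C_Validator"; adjust the pattern if yours differs. -->
      <userAgent match="^W3C_Validator" />
    </identification>
    <capabilities>
      <capability name="browser"           value="W3C Validator" />
      <!-- Scripting/DOM/CSS capabilities that make ASP.NET treat the
           client as uplevel rather than a downlevel HTML 3.2 client. -->
      <capability name="ecmaScriptVersion" value="1.2" />
      <capability name="javascript"        value="true" />
      <capability name="supportsCss"       value="true" />
      <capability name="tables"            value="true" />
      <capability name="w3cdomversion"     value="1.0" />
      <!-- The writer that emits XHTML-conformant markup. -->
      <capability name="tagWriter"         value="System.Web.UI.HtmlTextWriter" />
    </capabilities>
  </browser>
</browsers>
```

To check it, request the page with a User-Agent header beginning with W3C_Validator and compare the emitted markup with what IE or Firefox receives; the calendar control's output should now be identical.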

Cross Site Scripting Detection Tool

Just discovered a very interesting tool from Microsoft to combat Cross Site Scripting Vulnerabilities.

The XSS Detect Code Analysis tool has been released in beta, and does static code analysis to determine potential XSS vulnerabilities within ASP.Net applications. I ran it on my standard XSS test application and it managed to detect the standard XSS mistakes. I will say this though: it is still in beta, and when I tried to run it over our real site, the tool managed to crash Visual Studio. I can't wait until it RTMs; I'll be following this tool with a lot of interest.

Saturday, November 24, 2007

ASP.Net and Web Standards

We were having a discussion the other day on our internal tech list about web standards and validation, and I made the comment that I like to treat web standards validation like compiler warnings: in production code ideally you should not have any, because even though the vast majority of them are benign, and browsers will happily ignore them, they could be hiding 1 or 2 that are going to cause you grief. A colleague of mine, Darren Neimke, challenged me to show any of my production code that would stand up to this test. So I hurriedly tried to search around for something and ended up sending him a link to my very much work-in-progress site that I set up to play around with some Ajax stuff, just to show him that I do try to put my money where my mouth is. Of course I did double check to see if the front page validated; in fact I checked a few of the links, and all that I checked validated fine. What I hadn't quite expected was for Darren to take the time to go through all of my links until he found one that didn't. On one of my Ajax playground pages I had 6 validation errors. Ok, my bad, so what was I doing wrong? Well, it turns out that 2 of those errors were due to me using a code syntax highlighting control that in and of itself produces standards-compliant HTML, but when you wrap it inside a <pre> tag, as it suggests in the sample that comes with it, you get an error saying <pre> and <div> aren't allowed to go together in XHTML Transitional. Ok, simply change the <pre> to a <div style="white-space : pre"> and the problem goes away with no loss of formatting... Yay, but what about the other 4 errors?

What was really weird is that when I did my usual test of opening it up in IE from my dev environment, viewing the source and then pasting the source into the validator, it validated perfectly. So, confident that I'd fixed ALL the issues, I uploaded it to my website. I then used the validator to test the URL, and lo and behold, 4 errors... Doh! It took me a while to figure out what was going on, but eventually I realised that some controls in ASP.Net can emit different HTML depending on the user agent that is requesting the page. A quick little test later on my own machine confirmed it: if the user agent is IE (or Firefox for that matter), the calendar control emits perfectly standards-compliant XHTML Transitional code, but for reasons best known to a small group of developers at Microsoft, if the user agent is "Unknown" or whatever the W3C validator claims as the user agent, it emits non-standards-compliant HTML. So I am currently trying to figure out the best way to fix this issue so that even unknown user agents receive valid HTML.

I now understand why people who are really serious about standards often end up writing their own ASP.Net controls in place of the standard Microsoft ones.

Oh, and by the way Darren, don't bother checking to see if my blog validates, because it doesn't, and it is simply due to laziness that I have just selected a standard template from Blogger and haven't attempted to beat it into standards compliance. One of these days....

Tuesday, November 20, 2007

Vote below the line campaign (more info)

I found a really good article in The Age that explains just how important your preferences are.

Friday, November 16, 2007

Slow and steady fixes the bug

I just received a notification from Microsoft that a bug I reported in the XML subsystem of SQL Server 2005 in March of 2006 has finally been fixed and will be shipped with the RTM (I assume SQL Server 2008 RTM). It took them a while, but they eventually got onto it. It was an extremely obscure bug, but it seems as though I wasn't the only one to see it.

Unfortunately, because I no longer work for that client, I will not be able to verify the fix. I guess that's part of being a consultant.

Thursday, November 15, 2007

Ballarat .Net SIG

Big thanks to Damian for inviting me to speak at the Ballarat .Net SIG; there was a small but responsive group of people, a good venue, and of course pizza and soft drink, all the ingredients for a good user group meeting. I am always amazed at just how much you learn when you speak at these kinds of events.

Sunday, November 11, 2007

Performing at the Hispanic Fiesta


Niki & I are performing again, this time as part of the Spanish Club's participation in the Hispanic Fiesta (otherwise known as the Johnston Street Fiesta or the Spanish Festival).


Where: Hogar Espanol (The Spanish Club), 59 - 61 Johnston Street, Fitzroy

When: 3:30 pm, Saturday and Sunday the 17th and 18th of November 2007.

Pose #4

Vote below the line campaign (cont.)

The group voting tickets for the 2007 Federal election are now available online at the AEC website, and I urge anyone who has read my previous post on the topic of voting below the line and is still thinking of voting above the line to download the group voting ticket for their own state to see just how their preferences are being redistributed. Even if you are going to vote below the line, it is good to have a look at who the different parties are preferencing. As I take a quick look over the Victorian paper, I can't help but wonder at some of the deals that must have gone on under the hood, or even at the reason that some of the parties exist in the first place.

Friday, November 09, 2007

Speaking in Ballarat

I was just doing some research for my presentation next week at the Ballarat .Net Special Interest Group, trying to get some information on running Visual Studio 2008 on Vista (I usually only run beta software on VPCs, so I have no first-hand experience of this as yet), when I clicked on one of the links from my search only to find that it was a blog post by Charles Sterling advertising said event. That reminded me that I should probably put in a plug for it on my blog, so that all two people who read my blog (yes, that includes me) know what I'm up to. So here it is:


“Vista as a Software Development Platform”
with Scott Baldwin from Readify


“What’s new for Web Developers in Visual Studio 2008”
with Dave Glover from Microsoft Australia

When: Wednesday 14th November, 5:30pm for light dinner and drinks followed by presentations from 6:00pm to 6:30pm and 6:40pm to 7:40pm

Where: COMMANDER CENTER, BALLARAT, 1 Ripon Street North


I find it funny that the last time I did this very same talk back in June, it was also in partnership with Dave Glover, but last time he was talking about PowerShell; this time it's Visual Studio 2008 enhancements.