I have been working with VS 2005 a bit. One of the things I keep hearing people talk about, mainly a friend of mine who is using VB.NET 2005, is the “MY.OBJECT“. He was telling me how easy it is to grab a file and to check if the application can touch the network. So I figured I would give this a try. With that said, I should mention that I started with the new version of VS.NET 2005 using C#. I was excited to use the My.computer.network.isavailable. After about 30 min of messing around with help and intellisense to find the MY objects, I gave up and did a quick search. It was then I only realized that the “my objects” are only for VB.net.

Discovering this I was very confused. Why would Microsoft create these simple objects to gather information and not include them in c#? Very dissapointing.

I did some googling and found a few references to a helper object that will bring “MY” features to C#, called “that“. (download that)

After reading some of the comments out there, I found it would be easy to just reference vb and grab the MY logic. To do this you simply have to reference VB in your application “using Microsoft.VisualBasic.MyServices;” You then would have access to the My namespace.

Armed with that information and the joy of turning IISREPORTER PRO into a 2.0 C# app, I have completed about 40% of the re-write.

A friend of mine is currently in the process of writing a AJAX .NET book. He is expecting a May / June release. The publishing company released a summary of the contents of the book today. Head on over to Apress and view the upcoming “Pro Ajax and the .NET 2.0 Platform” summary.

Dan keeps his blog (www.danwoolston.com) up to date with upcoming AJAX topics

I have had a few people ask me questions on some open-source or alternative portal sites to sharepoint. I have seen a few linux based systems that perform similar tasks to sharepoint but nothing that was on the windows side. Until recently, I ran across (http://www.alfresco.org/)

Alfresco is a great project that allows for a good alternative. I was able to install in a few min (about 20) on windows. They also make a linux version. So go look at the site and view the flash demo.

My last blog post last week on Network Intrusion has generated a lot of traffic and emails. It was interesting to know that people actually read what I post. A lot of people responded in emails asking to know some more information on wireless security. I think this is due to the popularity of wi-fi, both in our municipalities and in hotspots such as coffee shops. I is amazing to see where wi-fi is available. You can catch a hotspot anywhere in our little town of Grand Rapids. If you are interested in finding a HotSpot near you head on over to grwifi.net, James has a great site that allows users to rate and discuss wi-fi hot spots.

Since my last post I have been thinking of ways to respond to the emails and feedback I have received. I think it may be best to do a 2 part series on wireless security. The first part will be to show what kind of information your laptop our application is sharing on the wireless network. I will just briefly walk through some typical situations where you may be sharing more information then you know about. In part one; I will discuss the common applications that may share information. I will also discuss the tools used to gather that information, to show how easy it is for someone to steal.

The second part of the series, I plan on discussing and showing methods to help prevent unknowingly sharing information to others. This will include software applications and techniques for securing your applications and systems.

It is amazing to me how many people are unaware of what their computer or applications do on the network. In reality your computer is very chatty, it likes to send information and it is up to the user to help secure and limit the amount of information that is sent. In the next few blog posts, I hope to show people what they can do to secure, encrypt, and defend when using their computers.

To keep everyone up to date from my last post. I did go back to the wi-fi hotspot and did not see the kid their sniffing the wireless network. But, if I do see him I plan on confronting him head on. I have not seen a clear argument that Sniffing a network is illegal yet, and plan on doing more research. It feels like it is illegal, but in a sense it is not much different than listening to people talk in a room.

Network Intrusion / Invasion

I typically stop at a local coffee shop to get some caffeine and use their wi-fi network to check email and surf the web. I am gathering this is not unlike most people out there in the business world. I tend to visit places that offer wi-fi because of their ease of use. But the other day I saw some thing that upset me. The story I am about to tell is not anything new, but rather just an eye opener for me.

As I was standing in line for coffee I noticed a fellow wi-fi user in the corner and happened to glance at his laptop. Being a tech geek I noticed he was running linux (you may ask how?), well I noticed etherape running and ethereal. These are both tools I use often. Especially when trouble shooting applications or networks.

At first I did not think anything about it. Then as I was firing up my laptop, I started to think why someone would be using ethereal and etherape here? Then it hit me. This guy was grabbing network traffic on the wireless network and sniffing, probably for passwords and usernames. At this point I came up with a plan. I looked around at the other 10 or so people on their computers and realized that they were unknowingly giving their information away. Usernames and passwords were floating in plain text all over that coffee shop. The girl next to me was on yahoo mail, the guy on my right had outlook express open. I figured that the kid had at least 10 or so usernames and passwords by now, and I was angry.

To see if my mind was just crazy or corrupt I decided to test my theory that he was sniffing usernames and passwords. I first ssh’ed into my box and created a new email account. I created a username called jvandenbon. I figured since I am in a Dutch area that a dutch username made sense. I created a password of Alice6232001, hopefully a real enough password. Then I hoped into my inbox using mutt and forwarded some of my spam emails into the jvandenbon user account. So now I had a real account that had some mail in it.

I then fired up ethereal and then thunderbird. First I took a quick capture of what was on the network, and as I suspected there were lots of POP accounts being used which show Username and PASS in clear text. I opened Thunderbird and checked my mail, I use SSL / TLS when I connect to my mail server so I was not worried about this kid grabbing my info. But I had to make sure that I was safe so I watched my traffic and sure enough it was encrypted with TLS. I closed ethereal, and created a new account in thunderbird using the above jvanderbon account name and told it to use POP as the means of communication. Again, I opened ethereal and then did a send receive to watch my fake username and password be sent across the wire. I then wrote an email and deleted some others to create traffic. I closed Thunderbird and waited. I set a string filter for Alice623001 in ethereal and watched. Sure enough in a few min later(about 10) I saw my fake username and password being sent over the wireless lan. I captured the kids source address.

This kid was trying to access my fake account. By this point I was angry. I got to thinking about what kind of stuff I could do to him. I easily could have kicked his ass; however I am not sure that it would have helped. All these people had been cheated of their info and privacy. That is when I started to think about legal options. I don’t even know if it is illegal to sniff a public network. I have never even thought about it. I did a quick google search and did not find much. I guess you can kind of relate this to yelling across the room to a friend with your username and password. Whoever happens to be in the room has access to that information. The analogy does not sit well with me. I would like to think that people can be safe or feel safe even when their trusted programs (outlook, outlookexpress, thunderbird, and hotmail) send their information in plain text over the network.

Right now I am just angry. If I do see this kid again, I plan on approaching him and asking what he plans on doing with all the usernames and passwords he stole. I can only guess he is going to just mess around. But, what happens when he comes across a guy who happens to have admin rights on a system and sends his username and password over the line. I realize this is a gray area of the law, but what about people privacy. I am not a malicious person by any means. I have sniffed networks in the past to gather information to help me learn how to protect them. But when I watched this kid and the speed of which he attempted to open my POP account, I am a bit worried. He must have had a program that would just take a username, password, and mail server and check validation.

I guess I am now asking the community what they think of this event. Do you know if you are secure? Do you go to a coffee shop and check mail via POP and send your info? Do you use ftp at the coffee shop to update your web site or worse; your corporate web site? I would love some feed back on what people think. Just think, if someone got your email password? Does it match your bank account password or your paypal password? These are the questions on my mind. And how can I do something against this punk kid. Should I just walk over and kick his ass or should I call the police? And if I call the police, what do I say?

Ever wonder what google index’s or does on your site? Well, here is some instructions on how to use this information.

http://www.sitepoint.com/blogs/2005/11/16/google-sitemaps/

It is some very good info and interesting stats. Somewhat like google analytics.

The Microsoft Patterns and practices is a useful control set for global logging, error handling and database connections. This tool set is great for development, but when you go to deploy it is not so fun.

I have added some references of how we were able to get Patterns and Practices on a production box.

One of the constraints of Patterns and Practices is that it requires / needs Visual Studio installed. This is great if you are developing on a box, but in the real world (i.e. Production boxes) you do not really want to install a development tool.

To make this happen you need to update a few things:
1. Move your compiled DLL files from your development box to the production box. This is everything under your C:\program files\Microsoft Enterprise Library\bin directory.

You need to move these files because it is not possible to build these dll files with out visual studio.

2. Modify the install script to accommodate for not having Visual Studio. I have made a few changes that just remove the 1) check for visual studio 2) change the path to the .NET framework folder.

The install service.bat (located at C:\program files\Microsoft Enterprise Library\src) needs some files out of the visual studio directory to register path settings. I have simply just removed a few statements and updated the path to use the .NET framework directory.

You can get a copy of the bat file here (installservice.bat.txt)

I hope this helps people trying to use Patterns and Practices.

There has been so much talk in the news about AJAX these days. It is strange, I have heard that AJAX is the Microsoft Killer, the new technology, or the wave of the future. I personally think that it is a great method of using technology to speed up a web application and also extend the usability.

It is hard for me to view AJAX as the next big thing. I think because the concept and idea has been around for a long time. Until someone coined AJAX, I don’t think people knew how to describe it or even where or why to use it.

Anyways, one of the guys I work with and NuSoft is writing a book on AJAX. You can read more about it here. (www.danwoolston.com)

I have been so busy at home and work I have not been blogging much. So I will try to pick up a bit.

With .NET version 2.0 out I have been busy with updating IISREPORTER and the next version. I have to admit, 2.0 is awesome to develop with. So far, I keep hearing people say that it is too buggy and has a few flaws. From my perspective I have not seen too many issues.

I did have an issue with updating the VB.NET version of IISreporter. But, that was VB, the C# version had no issues.

If you do a lot of file migration or exchange with Microsoft SQL server you have probably had to grab a file via ftp. In most cases if you have automated this task you may have done this by either a vbs file or a bat file, or a DTS package that calls an FTP client. Well, Dan Woolsoton (A new Co-worker) has found a great tool to replace the default DTS FTP calls. It is called SQLDTS, it has many features and settings you can dynamically replace. You can read Dans full article HERE

I am switching computers and needed to migrate my Thunderbird email client data to another machine. I did a little googling and did not find too much until I found Thunderstor It allows you to take your thunderbird account and exprt to eml files. Then import into system of your choice.

If you are moving from one thunderbird account to another you can also just move your profile. It is located at c:\documents and settings\yourusername\application data\thunderbird\profiles\****.default

I migrated those files and then pointed the profile.ini file to my old profile. All is well

You often hear about security and web services. How they need to be more secure and how they can pass unsecured information. Well, I recently had an issue with a client that felt they were exposing too much information with the web service provided. This web service allows for products to be returned based on some search criteria. Unfortunately the web service was located in the root of the main web site so the asmx file was available by going to (http://www.someurl.com/somefile.asmx). The client felt that the web service gave too much info out.

We had a few methods to resolve this issue. One was to move the web service to another virtual folder and only allow the specific ip address to access that location. This did not seem to be the logical choice for us because we had multiple applications obtaining information from this location. We would have to find and adjust all the linking applications. So we started to look at the asmx file.

After some googling we really did not find too much info on how to secure the asmx file. Because in it’s true sense it is meant to explain / expose the methods of the web service. In one of the searches we were able to find some information on how the asmx file was built and displayed on the server. Specifically how the can be changed to show the order of the methods.

Using this information we set out to modify the asmx file to not show information about the web service methods. To do this we needed to modify the DefaultWsdlHelperGenerator.aspx file. This file is located in %SYSTEMROOT%\microsoft.net\framework\v1.1.4322\Config

In this file it allows for description and display of all exposed methods on page load. By modifying the SHOWingMethodList function and replacing the list of methods with some text or links back to the site we effectively removed any information the asmx file displayed. The ShowingMethodList had a repeater listing, we removed the repeater and added some text and a url.

We also removed the header information that had the standard documentation and put some text in it’s place.

In the end we had a functional asmx web service page that only displayed the text we wanted. It was not the ideal way of securing a web service, but in our situation it was useful.

I have been trying to get a copy / beta of Microsofts new command shell - Monad. It is in the beta stage and you should be able to access it like any other beta software from beta.microsoft.com. However, unlike other software that I have used, this seems to be one of the most popular beta’s they have launched. I have read a lot about this new command line and it has only increased my desire to try and use it. Being an avid Linux user and command line junkie I am very excited to use this.

I just read a few articles in the news about Monad both bad. 1. that virus users are writing scripts to take advantage of it’s power. 2. that MS may not include this in the Vista relase.

I don’t have much to say till I can get in an test this hot software.

Well take all the above items and mix them up and you have what I have been up to. I have been coding a lot more lately, trying to get a new version of iisreporter out and also working on some custom dev software for a friend.

Work has been very stressful. We have a lot going on and a few upcoming deadlines. Visit the site soon and I will have to link out to our newest launch next week.

Running. Well this week I have been a bit lax on running. Since my 14/15 miler last weekend I have played 2 soccer games. One on Sunday right after the long run and the other on Tuesday. So I decided to take Monday and Wed off from running. Tonight, I was really tired and ready to go to sleep, but decided to go for a run with my sister-inlaw and brother-inlaw. I put in a nice 4.5 miler.

It’s funny that I can say 4 miles is a short run. I can remember the day of never going over 4 miles.

Here we go. Not only is there a battle for the best search engine, mapping software, free email, toolbar, and custom portal. We now have a battle for the best earth imaging program. Google has recently added overlay (hybrid) sites to show sat pictures and roads (http://maps.google.com) and now we have Microsoft playing in the mapping / sat images game. Not only with terraserver, but now Microsoft, with their MSN Virtual Earth (virtualearth.msn.com).

I have not done a full comparison of the two yet. However, I can tell you that my personal favorite is the Google solution. I have been playing with the customization of the google maps application for a while. I like the feel and the way you can modify it.

With that said, there is also an easy way to customize virtual earth with the use of .NET. I am a .NET programmer at work and the ease of intergration and use for anything .NET will be easy for me. So before I make any remarks I would like to try the new Virtual Earth and create my own opinion.