DevDays 2004 – quick post of my notes
Here are my unedited notes from the DevDays 2004 Seattle show. I typed these into my Treo 90 so they aren’t the best notes in the world.
I’ll post more of my impressions this weekend. Overall impression: I didn’t really get much out of it, but there were enough people in the audience that were surprised by the simple things that I think MS should keep beating the drum harder and everywhere they go.
pl = Paul Litwin
ds = Doug Seven
Paul and Jim’s demo app didn’t notify the end user that the update failed.
Is anyone still concatenating SQL strings? Probably.
SQL injection talks are boring though. Nothing I haven’t seen or written about before.
How did pl determine the name of the table? Should have explained how hackers determine your data structure: select from master, navigate around the systables using “not in(‘tablenames you already know’)”, error pages that display the SQL string. He does finally, in the querystring and a union query. This would have worked in the form demo.
An xp_cmdshell demo is always nice. Nothing like shutting down your demo web server through an injection attack to really make an impression.
Pl just showed the XSS attack to many “ooohhs” near me. Are people, especially developers, still ignorant of these types of attacks? This has been around for 3 or 4 years.
Ds – DPAPI doesn’t mean squat if the attacker has obtained access to your server; it’s not your server anymore. If they gain access with admin-level privileges, which is the most common level that an attacker gains, they can access your ACL-controlled, DPAPI-encrypted key.
Windows auth in SQL Server – worker process. If your attacker gains access under your worker process profile, which they probably will since they don’t want to try and guess what other accounts are on your machine/domain (they want to take over the one that is accessible), then they automatically gain access to your database. Did they already talk about limiting the worker process access and database access? I might have missed it during my search for wifi.
Hardening of web apps – all stuff I already knew. Should I start advertising myself as a security expert? Hashed passwords, param commands, salted hashes.
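The two points the notes keep coming back to (concatenated SQL vs. parameterized commands, and salted password hashes) as one added C# example; this is my illustration, not code from the talk. It assumes a table Users(UserName nvarchar(64), Salt varbinary, PasswordHash varbinary) and that the stored hash is SHA-256 over salt followed by password.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

public static class LoginCheck
{
    // "Before": the user's value is spliced into the SQL text, so a quote in
    // the input ends the literal and whatever follows is parsed as SQL.
    public static string BuildUnsafeQuery(string userName)
    {
        return "SELECT Salt, PasswordHash FROM Users WHERE UserName = '" + userName + "'";
    }

    // "After": the statement text is constant and the value travels as a typed
    // parameter, so it is never interpreted as SQL. (Users table is assumed.)
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string userName)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT Salt, PasswordHash FROM Users WHERE UserName = @UserName", conn);
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = userName;
        return cmd;
    }

    // Salted hash: the table stores SHA-256(salt || password), never the password.
    public static bool VerifyPassword(string password, byte[] salt, byte[] storedHash)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        byte[] computed;
        using (SHA256 sha = SHA256.Create()) { computed = sha.ComputeHash(input); }
        if (computed.Length != storedHash.Length) return false;
        int diff = 0;                       // compare every byte; no early exit
        for (int i = 0; i < computed.Length; i++) diff |= computed[i] ^ storedHash[i];
        return diff == 0;
    }

    public static bool Login(SqlConnection conn, string userName, string password)
    {
        using (SqlDataReader r = BuildSafeCommand(conn, userName).ExecuteReader())
        {
            if (!r.Read()) return false;    // unknown user: same answer as bad password
            return VerifyPassword(password, (byte[])r["Salt"], (byte[])r["PasswordHash"]);
        }
    }
}
```

The unsafe builder is kept only as the "before" for comparison; the worker-process account running this code should still be limited to the rights the query needs, as the notes above say.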
Scary cookies – long-life cookies are bad, m’kay. Shorten their lifetime. This was a big “they did what?” when I found out about this. I have no idea why they set the default cookie lifetime to 50 years. That’s just dumb. Essentially the way to secure your cookies is not to use the default MS authentication methods. Evidence of bad design.
Validate viewstate – on by default in ASP.NET 1.1. Encrypting viewstate.
Session service uses port 42424. Cookieless session bad; can grab the session ID and spoof.
Pretty much just staying for the drawing now. See if we get any more swag, if not I want at least $40 back out of my $75.
Overall: there are probably people in the audience that will get something out of this. I’m not one of them.
How to know if you are writing too much C# code
If you keep writing one line sentences in your emails and ending them with a ;
Dear SharpDevelop team
I really want to use your product. I mean I really, really do. I’ve been trying for about a year now. It’s just not working. With the latest version (0.99b) I was finally able to add my source files to a combine without it crashing, but the friggin IDE has a 90+MB footprint on my system! If you can make that footprint smaller, I’d be able to move forward with it and see if it will meet my needs.