Is Security Research Always Useful?

Anyone involved in the computer industry likely spends some amount of time reading about the latest security issues in books such as Security for Web Developers. Administrators and developers probably spend more time than many people, but no one can possibly read all the security research available today. There are so many researchers looking for so many bugs in so many places and in so many different ways that even if someone had the time and inclination to read every security article produced, it would be impossible. You’d need to be the speediest reader on the planet (and then some) to even think about scratching the surface. So, you must contemplate the usefulness of all that research—whether it’s actually useful or simply a method for some people to get their name on a piece of paper.

Some of the attacks require physical access to the system. In some cases, you must actually take the system apart to access components in order to perform the security trick. Unless you or your organization is in the habit of allowing perfect strangers physical access to your systems, which might include taking them apart, you must wonder whether the security issue is even worth worrying about. You need to ask why someone would take the time to document a security issue that’s nearly impossible to see, much less perform in a real world environment. More importantly, the moment you see that a security issue requires physical access to the device, you can probably stop reading.

You also find attacks that require special equipment to perform. The article, How encryption keys could be stolen by your lunch, discusses one such attack. In fact, the article contains a picture of the special equipment that you must build to perpetrate the attack. It places said equipment into a piece of pita bread, which adds a fanciful twist to something that is already quite odd and pretty much unworkable given that you must be within 50 cm (19.6 in) from the device you want to attack (assuming that the RF transmission conditions are perfect). Except for the interesting attack vector (using a piece of pita bread), you really have to question why anyone would ever perpetrate this attack given that social engineering and a wealth of other attacks require no special equipment, are highly successful, and work from a much longer distance.

Another example of incredibly weird security research is found in the article, When the good guys are wielding the lasers. I have to admit it’s interesting in a James Bond sort of way, but we’re talking about lasers mounted on drones. This attack at least has the advantage of distance (1 km or 0.6 mi). However, you have to wonder just how the laser was able to get a line of sight with the attack object, a printer in this case. If a device is critical enough that someone separates it from the Internet, it’s also quite likely that the device won’t be sitting in front of a window where someone can use a laser to access it.

A few research pieces become more reasonable by discussing outlandish sorts of hacks that could potentially happen after an initial break-in. The hack discussed in Design flaw in Intel chips opens door to rootkits is one of these sorts of hacks. You can’t perpetrate the hack until after breaking into the system some other way, but the break-in has serious consequences once it occurs. Even so, most hackers won’t take the time because they already have everything needed—the hack is overkill.

The articles that help most provide a shot of reality into the decidedly conspiracy-oriented world of security. For example, Evil conspiracy? Nope, everyday cyber insecurity, discusses a series of events that everyone initially thought pointed to a major cyber attack. It turns out that the events occurred at the same time by coincidence. The article author thoughtfully points out some of the reasons that the conspiracy theories seemed a bit out of place at the outset anyway.

It also helps to know the true sources of potential security issues. For example, the articles, In the security world, the good guys aren’t always good and 5 reasons why newer hires are the company’s biggest data security risk, point out the sources you really do need to consider when creating a security plan. These are the sorts of articles that should attract your attention because they describe a security issue that you really should think about. Likewise, reading articles such as, Software developers aren’t implementing encryption correctly and 4 fatal problems with PKI help you understand why your security measures may not always work as well as anticipated.

The point is that you encounter a lot of information out there that doesn’t help you make your system any more secure. It may be interesting if you have the time to read it, but the tactics truly aren’t practical and no hacker is going to use them. Critical thinking skills are your best asset when building your security knowledge. Let me know about your take on security research at John@JohnMuellerBooks.com.


Source Code Placement

I always recommend that you download the source code for my books. The Verifying Your Hand Typed Code post discusses some of the issues that readers encounter when typing code by hand. However, I also understand that many people learn best when they type the code by hand and that’s the point of getting my books—to learn something really interesting (see my principles for creating book source code in the Handling Source Code in Books post). Even if you do need to type the source code in order to learn, having the downloadable source code handy will help you locate errors in your code with greater ease. I won’t usually have time to debug your hand typed code for you.

Depending on your platform, you might encounter a situation where the IDE chooses an unfortunate place to put the source code you want to save. For example, on a Windows system it might choose the C:\Program Files folder (or a subdirectory) to store the file. Microsoft wants to make your computing experience safer, so you don’t actually have rights to this folder for storing your data file. As a result, the IDE will stubbornly refuse to save the files in that folder. Likewise, some IDEs have a problem with folder names that have spaces in them. For example, your C:\Users\<Your Name>\My Documents folder might seem like the perfect place to store your source code files, but the spaces in the path will cause problems for the IDE and it will claim that it can’t find the file, even if it manages to successfully save the file.

My recommendation for fixing these, and other source code placement problems, is to create a folder that you can access and have full rights to work with to store your source code. My books usually make a recommendation for the source code file path, but you can use any path you want. The point is to create a path that’s:

  • Easy to access
  • Allows full rights
  • Lacks spaces in any of the path name elements

As long as you follow these rules, you likely won’t experience problems with your choice of source code location. If you do experience source code placement problems when working with my books, please be sure to let me know at John@JohnMuellerBooks.com.
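The three rules above can be checked mechanically before you commit to a folder. The script below is an added example, not code from the post or from any book; it takes a candidate path, reports any element containing a space, confirms the folder exists, and then proves write access by creating and deleting a probe file rather than trusting the permission bits alone (ACLs and read-only media can make `os.access` lie). The Windows-style sample path is constructed for illustration.

```python
import os
import tempfile


def check_source_folder(path):
    """Return a list of problems with a proposed source-code folder.

    The checks mirror the post's three rules: every path element must be
    free of spaces, the folder must be reachable, and the current user
    must hold full (read/write) rights. An empty list means the folder
    passes every check.
    """
    problems = []
    normalised = os.path.normpath(path)
    # Examine both "/" and "\" separated elements so the same check works
    # whether the path came from Windows or a Unix-like system.
    for element in normalised.replace("\\", "/").split("/"):
        if " " in element:
            problems.append(f"path element {element!r} contains a space")
    if not os.path.isdir(normalised):
        problems.append("folder does not exist")
        return problems
    if not os.access(normalised, os.R_OK | os.W_OK):
        problems.append("no read/write access")
        return problems
    # Permission bits can be overridden by ACLs or a read-only mount, so
    # actually create and remove a file to prove the folder is writable.
    try:
        fd, probe = tempfile.mkstemp(prefix="probe-", dir=normalised)
        os.close(fd)
        os.remove(probe)
    except OSError as exc:
        problems.append(f"cannot create files here: {exc}")
    return problems


def check_temp_folder():
    """Run the check against the system temporary folder (normally writable)."""
    return check_source_folder(tempfile.gettempdir())


if __name__ == "__main__":
    # "C:/Users/Some Name/My Documents" is a constructed example of a bad choice.
    for candidate in (tempfile.gettempdir(), "C:/Users/Some Name/My Documents"):
        print(candidate, "->", check_source_folder(candidate) or "OK")
```

Run it against the folder your IDE proposes; a non-empty result tells you which rule the location breaks before you lose time to a save that silently fails.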


Security = Scrutiny

There is a myth among administrators and developers that it’s possible to keep a machine free of viruses, adware, Trojans, and other forms of malware simply by disconnecting it from the Internet. I’m showing my age (yet again), but machines were being infected with all sorts of malware long before the Internet became any sort of connectivity solution for any system. At one time it was floppy disks that were the culprit, but all sorts of other avenues of attack present themselves. To dismiss things like evil USB drives that take over systems, even systems not connected to the Internet, is akin to closing your eyes and hoping an opponent doesn’t choose to hit you while you’re not looking. After all, it wouldn’t be fair. However, whoever said that life was fair or that anyone involved in security plays by the rules? If you want to keep your systems free of malware, then you need to be alert and scrutinize them continually.

Let’s look at this issue another way. If you refused to do anything about the burglar rummaging around on the first floor while you listened in your bedroom on the second floor, the police would think you’re pretty odd. More importantly, you’d have a really hard time getting any sort of sympathy or empathy from them. After all, if you just let a burglar take your things while you blithely refuse to acknowledge the burglar’s presence, whose fault is that? (Getting bonked on the back of the head while you are looking is another story.) That’s why you need to monitor your systems, even if they aren’t connected to the Internet. Someone wants to ruin your day and they’re not playing around. Hackers are dead serious about grabbing every bit of usable data on your system and using it to make your life truly terrible. Your misery makes them sublimely happy. Really, take my word for it.

The reason I’m discussing this issue is that I’m still seeing stories like, “Chinese hacker group among first to target networks isolated from Internet.” So, what about all those networks that were hacked before the Internet became a connectivity solution? Hackers have been taking networks down for a considerable time period and it doesn’t take an Internet connection to do it. The story is an interesting one because the technique used demonstrates that hackers don’t have to be particularly good at their profession to break into many networks. It’s also alarming because some of the networks targeted were contractors for the US military.

There is no tool, software, connection method, or secret incantation that can protect your system from determined hackers. I’ve said this in every writing about security. Yes, you can use a number of tools to make it more difficult to get through and to dissuade someone who truly isn’t all that determined. Unfortunately, no matter how high you make the walls of your server fortress, the hacker can always go just a bit further to climb them. Headlines such as “Advanced Attackers go Undetected for a Median of 229 Days; Only One-Third of Organizations Identify Breaches on Their Own” tell me that most organizations could do more to scrutinize their networks. Everything I read about informed security says that you can’t trust anyone or anything when you’re responsible for security, yet organizations continue to ignore that burglar on the first floor.

There is the question of whether it’s possible to detect and handle every threat. The answer is that it isn’t. Truly gifted hackers will blindside you and cause terrifying damage to your systems every time. Monitoring can mitigate the damage and help you recover more quickly, but the fact is that it’s definitely possible to do better. Let me know your thoughts about security at John@JohnMuellerBooks.com.


Using My Coding Books Effectively

A lot of people ask me how to use my books to learn a coding technique quickly. I recently wrote two articles for New Relic that help explain the techniques for choosing a technical book and the best way to get precisely the book you want. These articles are important to you, the reader, because I want to be sure that you’ll always like the books you purchase, no matter who wrote them. More importantly, these articles help you get a good start with my coding books because you start with a book that contains something you really do need.

Of course, there is more to the process than simply getting the right book. When you already have some experience with the language and techniques for using it, you can simply look up the appropriate example in the book and use it as a learning aid. However, the vast majority of the people asking this question have absolutely no experience with the language or the techniques for using it. Some people have never written an application or worked with code at all. In this case, there really aren’t any shortcuts. Learning something really does mean spending the time to take the small steps required to obtain the skills required. Someday, there may be a technology that will simply pour the knowledge into your head, but that technology doesn’t exist today.

Even reading a book cover-to-cover won’t help you succeed. My own personal experiences tell me that I need to use multiple strategies to ensure I actually understand a new programming technique, and I’ve been doing this for a long time (well over 30 years). Just reading my books won’t make you a coder; you must work harder than that. Here is a quick overview of some techniques that I use when I need to discover a new way of working with code or to learn an entirely new technology (the articles will provide you with more detail):

  • Read the text carefully.
  • Work through the examples in the book.
  • Download the code examples and run them in the IDE.
  • Write the code examples by hand and execute them.
  • Work through the examples line-by-line using the debugger (see Debugging as An Educational Tool).
  • Talk to the author of the book about specific examples.
  • Modify the examples to obtain different effects or to expand them in specific ways.
  • Use the coding technique in an existing application.
  • Talk to other developers about the coding technique.
  • Research different versions of the coding technique online.
  • View a video of someone using the technique to perform specific tasks.

There are other methods you can use to work with my books, but this list represents the most common techniques I use. Yes, it’s a relatively long list and they all require some amount of effort on my part to perform. It isn’t possible to learn a new technique without putting in the time required to learn it. In a day of instant gratification, knowledge still requires time to obtain. The wisdom to use the knowledge appropriately takes even longer. I truly wish there were an easier way to help you get the knowledge needed, but there simply isn’t.

Of course, I’m always here to help you with my books. When you have a book-specific question, I want to hear about it because I want you to have the best possible experience using my books. In addition, unless you tell me that something isn’t working for you, I’ll never know and I won’t be able to discuss solutions for the issue as part of blog post or e-mail resolution.

What methods do you use to make the knowledge you obtain from books work better? The question of how people learn takes up a considerable part of my time, so this is an important question for my future books and making them better. Let me know your thoughts about the question at John@JohnMuellerBooks.com. The same e-mail address also works for your book-specific questions.


Cross Platform Functionality for .NET

Microsoft has recently announced that it will port the .NET Framework to the Mac and Linux platforms. This is welcome news because more and more of my readers have expressed an interest in developing applications that run on multiple platforms. It’s the reason that I cover Windows, Linux, and Mac requirements in books such as Beginning Programming with Python For Dummies. Until now, I usually had to include some mention of alternative solutions, such as Mono, to help my readers achieve cross-platform functionality. (For readers with older versions of my books, Mono is actually delivered by Xamarin now; see my announcement in the An Update About Mono post.) Even though Mono makes a valiant effort to make cross-platform a reality, it does have limits, so the Microsoft announcement is welcome. Now we have to see whether Microsoft actually delivers on its promises.

There has been a lot of analysis about the announcement. You can find some general information about the product on eWeek. The information is pretty much a reworded version of the Microsoft announcement, but I found it clear and succinct. The InfoWorld writeup provides additional information and takes Microsoft to task for not completely opening the .NET Framework. There are still some licensing issues to consider. For my part, I wonder when Microsoft will make it possible to fully use C# on any platform. At some point, Microsoft must make it possible to develop applications on a platform other than Windows or developers will continue to lose interest.

One of the biggest questions I’ll need to answer for you is whether any of my book examples will run on other platforms. Given how Microsoft has done things in the past, it seems unlikely that you’ll be able to use any of my existing book examples on other platforms. The code might possibly work, but the downloadable source would have to be redone to make it possible to compile the examples with the new tools. So, for now, I’m saying outright that you need to continue to use my books with the version of Visual Studio for which they are written and not assume that the examples will work on other platforms.

I do find the news exciting because there is finally a chance that I’ll be able to address your needs better when it comes to working with languages such as C#. Yes, working with solutions such as Mono did allow you to perform certain tasks across platforms, but there is now the potential for writing complete applications of nearly any type and having them work anywhere, which is where the world as a whole has been headed for a long time. I applaud Microsoft’s efforts to move forward.

Please do contact me with your questions regarding cross-platform functionality in .NET and how it affects my books at John@JohnMuellerBooks.com. No, I can’t answer your question about how Microsoft will implement cross-platform functionality in the new versions of .NET, but yes, I do want to hear about your ideas for book updates based on this technology. What I want to do is help you use this new functionality as soon as is possible.


API Security and the Developer

As our world becomes ever more interconnected, developers rely more and more on code and data sources outside of the environment in which the application runs. Using external code and data sources has a considerable number of advantages, not the least of which is keeping application development on schedule and within budget. However, working with APIs, whether local or on someone else’s system, means performing additional levels of testing. It isn’t enough to know that the application works as planned when used in the way you originally envisioned it being used. That’s why I wrote API Security Testing: Think Like a Bad Guy. This article helps you understand the sorts of attacks you might encounter when working with a third party API or allowing others to use your API.

Knowing the sources and types of potential threats can help you create better debugging processes for your organization. In reality, most security breaches today point to a lack of proper testing and an inability to debug applications because the inner workings of that application are poorly understood by those who maintain them. Blaming the user for interacting with an application incorrectly, hackers for exploiting API weaknesses, or third parties for improperly testing their APIs are simply excuses. Unfortunately, no one is interested in hearing excuses when an application opens a door to user data of various types.

It was serendipity that I was asked to review the recent Snapchat debacle and write an article about it. My editorial appears as Security Lessons Courtesy of Snapchat. The problems with Snapchat are significant and they could have been avoided with proper testing procedures, QA, and debugging techniques. This vendor is doing precisely all the wrong things—I truly couldn’t have asked for a better example to illustrate the issues that can occur when APIs aren’t tested correctly and fully. The results of the security breach are truly devastating from a certain perspective. As far as I know, no one had their identity stolen, but many people have lost their dignity and privacy as a result of the security breach. Certainly, someone will try to extort money from those who have been compromised. After all, you really don’t want your significant other, your boss, or your associates to see that inappropriate picture.

The need to test APIs carefully, fully, and without preconceived notions of how the user will interact with the API is essential. Until APIs become more secure and developers begin to take security seriously, you can expect a continuous stream of security breaches to appear in both the trade press and national media. The disturbing trend is that vendors now tend to blame users, but this really is a dead end. The best advice I can provide to software developers is to assume the user will always attempt to use your application incorrectly, no matter how much training the user receives.

Of course, it isn’t just APIs that require vigorous testing, but applications as a whole. However, errors in APIs tend to be worse because a single API can see use in a number of applications. So, a single error in the API is spread far wider than a similar error in an application. Let me know your thoughts on API security testing at John@JohnMuellerBooks.com.
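Testing an API "without preconceived notions of how the user will interact with it" means feeding it the inputs you did not plan for and confirming that every one of them is rejected cleanly rather than crashing the handler or being accepted. The code below is an added example, not code from the article or from any vendor's API: a hypothetical profile-update endpoint that validates size, encoding, shape, field names, types and content, followed by a table of constructed malformed requests that a test suite can run against it. The field names, limits and sample bodies are all assumptions made for illustration.

```python
import json
import re

# Limits for the hypothetical endpoint (constructed values, not from any real API).
MAX_BODY_BYTES = 4096
ALLOWED_FIELDS = {"username", "display_name"}
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def handle_profile_update(body):
    """Hypothetical 'update my profile' endpoint. Returns (status, payload).

    Each check exists because some caller, careless or hostile, will send
    exactly that kind of input; the goal is a 4xx with no side effects,
    never a 500 or a 200 that quietly accepts bad data.
    """
    if not isinstance(body, (bytes, bytearray)):
        return 400, {"error": "body must be raw bytes"}
    if len(body) > MAX_BODY_BYTES:                       # size before parsing
        return 413, {"error": "body too large"}
    try:
        data = json.loads(body.decode("utf-8"))          # encoding, then syntax
    except (UnicodeDecodeError, ValueError):
        return 400, {"error": "body is not valid UTF-8 JSON"}
    if not isinstance(data, dict):                       # shape
        return 400, {"error": "body must be a JSON object"}
    unknown = set(data) - ALLOWED_FIELDS                 # no surprise fields
    if unknown:
        return 400, {"error": f"unknown fields: {sorted(unknown)}"}
    username = data.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        return 400, {"error": "username must be 3-32 chars of [a-z0-9_]"}
    display_name = data.get("display_name", username)
    if (not isinstance(display_name, str) or len(display_name) > 64
            or any(ord(c) < 32 for c in display_name)):  # no control chars
        return 400, {"error": "display_name must be printable, <= 64 chars"}
    return 200, {"username": username, "display_name": display_name}


def run_negative_cases():
    """Send the inputs a developer usually does not plan for; return name -> status."""
    cases = {  # all constructed for this example
        "valid": json.dumps({"username": "alice", "display_name": "Alice"}).encode(),
        "oversized": b"{" + b" " * MAX_BODY_BYTES + b"}",
        "not_utf8": b"\xff\xfe\xfd",
        "not_json": b"username=alice",
        "not_object": b"[1, 2, 3]",
        "unknown_field": b'{"username": "alice", "is_admin": true}',
        "wrong_type": b'{"username": 42}',
        "control_chars": b'{"username": "alice", "display_name": "Al\\u0000ice"}',
        "not_bytes": "{}",
    }
    return {name: handle_profile_update(body)[0] for name, body in cases.items()}


if __name__ == "__main__":
    for name, status in run_negative_cases().items():
        print(f"{name:14s} -> {status}")
```

Add a case to the table every time a bug report or a log line reveals an input you had not considered; the table then becomes the regression suite that keeps the API from reopening that door.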

Using Hypermedia to Your Advantage

Many developers are familiar with the task of making a request to a server and receiving a response. We’ve been performing the same task since before the PC even appeared on the scene. So, it’s hard to imagine that anything new has come up. Hypermedia is that new thing, but before we go too far, let me fill in a few details.

When working on the Web, these requests normally go through a Web service that relies on a technology such as SOAP or REST. The essential idea is always the same—send a request, receive a response to that request (even when the response is an error). Of course, the Web adds its own wrinkles to the process. For example, most Web services rely on text-based data transfers, rather than the binary transfers used in the past.

The problem with this request/response scenario is that it assumes that the Application Programming Interface (API) used to make the transfer of information happen is well-documented by the provider and also well-understood by the developer. Unfortunately, documentation is often poor and understanding is even poorer. Wouldn’t it be nice if, along with the response to a request, a developer also received a list of things that the result allows? Hypermedia performs precisely that task. When you make a request to a service that provides hypermedia support, not only do you get the information you requested, but you also get a list of things you can do with that information.
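To make the idea concrete, here is an added example of what "a list of things you can do with that information" looks like on the wire and how a client consumes it. It is not code from the article or from any real service. The two responses are constructed in the HAL convention (a `_links` object keyed by relation name), the `/orders/...` resource and the `https://api.example.test` origin are invented, and the `method` hint on each link is an assumption about how this particular service annotates its links. The client never hard-codes which actions exist; it asks the response, and it refuses to follow a link that points off the expected origin, which is the check a practitioner wants before letting server-supplied URLs drive requests.

```python
import json
from urllib.parse import urljoin, urlsplit

# Origin this client is willing to talk to (constructed for the example).
API_ORIGIN = "https://api.example.test"

# Constructed sample responses for the same order seen by two different callers.
# The owner is offered "cancel" and "payment"; a read-only viewer is offered neither.
ORDER_AS_OWNER = json.dumps({
    "id": 1042, "status": "pending", "total": "39.90",
    "_links": {
        "self":    {"href": "/orders/1042"},
        "cancel":  {"href": "/orders/1042/cancel", "method": "POST"},
        "payment": {"href": "/orders/1042/payment", "method": "POST"},
    },
})
ORDER_AS_VIEWER = json.dumps({
    "id": 1042, "status": "pending", "total": "39.90",
    "_links": {"self": {"href": "/orders/1042"}},
})


def parse_hypermedia(raw):
    """Split a HAL-style response into (data, actions).

    actions maps relation name -> (HTTP method, absolute URL). Links whose
    href resolves to a different origin are dropped: the server tells us
    what we may do next, but not where else on the Internet to send data.
    """
    doc = json.loads(raw)
    actions = {}
    for rel, link in doc.get("_links", {}).items():
        if not isinstance(link, dict) or "href" not in link:
            continue  # malformed link entry; ignore rather than guess
        url = urljoin(API_ORIGIN + "/", link["href"])
        parts = urlsplit(url)
        if f"{parts.scheme}://{parts.netloc}" != API_ORIGIN:
            continue  # off-origin link; never follow server-supplied redirects blindly
        actions[rel] = (str(link.get("method", "GET")).upper(), url)
    data = {k: v for k, v in doc.items() if k != "_links"}
    return data, actions


def next_request(raw, rel):
    """Return (method, url) for an advertised relation, or None if not offered."""
    return parse_hypermedia(raw)[1].get(rel)


if __name__ == "__main__":
    for label, raw in (("owner", ORDER_AS_OWNER), ("viewer", ORDER_AS_VIEWER)):
        data, actions = parse_hypermedia(raw)
        print(label, data["status"], "can:", sorted(actions))
        print("  cancel ->", next_request(raw, "cancel"))
```

The client code is identical for both callers; the difference in what each may do lives entirely in the response, which is the property that makes a hypermedia API self-describing. A client written this way also needs no update when the service adds or withdraws an action.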

Hypermedia has just started picking up steam in the last year, so it doesn’t appear in any of my current books (you can bet it will in the future). However, I recently wrote an article about it entitled, Working with Hypermedia APIs. The article provides you with a good overview of what hypermedia APIs can do for you, why they’re an important new way of working with services, and what you can expect from them. Still, hypermedia APIs are in their infancy and I’ll eventually need to provide additional information about them.

Precisely what I do depends on your response to the article and to this post. For example, it may eventually be a good idea to get into the design criteria for hypermedia APIs. On the other hand, it may be better to start with existing hypermedia API services so that you can better see how they work. I’d like to hear from you about your interest level in the topic so that I know how to proceed. Make sure you write me about hypermedia APIs at John@JohnMuellerBooks.com or provide a comment to this blog post.


TVF Example in Chapter 10

At least one reader has encountered a problem with the Table-Valued Function (TVF) example in Chapter 10 of Microsoft ADO.NET Entity Framework Step by Step when working with Visual Studio 2013. Before you begin this example, make absolutely certain that you have set up and configured SQL Server for use with the book. You can find the required instructions in these posts:

In addition, you must start the SQL Server Browser. Otherwise, the example will never work.

First, the good news—the example does in fact run. If you use the downloadable source code, rather than trying to type the example in by hand, you can see it function and work through the example using any technique you like (such as the debugger). However, as I pointed out in Entity Framework Examples – Visual Studio 2013 Update, this book really is designed to work best with Visual Studio 2012, so it’s not unexpected that you may encounter problems if you don’t follow the guidelines in the System Requirements section of the Introduction (page xxii).

The bad news really isn’t that bad. You may see an error, “Error 3027: No mapping specified for the following EntitySet/AssociationSet – ObtainClientsEntities” when you compile the example. The example will still work, but the error message is disconcerting. Unfortunately, I haven’t been able to reproduce it on my system using Visual Studio 2012. You may be able to rid yourself of this error message by erasing the .suo files in the example file and doing a complete rebuild of the example.

In addition, when you open the Rewards2Model.edmx file in the XML editor, you may see “Error 11007: Entity type ‘ObtainClientsEntity’ is not mapped.” Again, I haven’t been able to reproduce this error. There is some discussion that you really must create the table before creating the example application in order to avoid this error. However, taking that step would reduce the usefulness of the technique. Again, the example works just fine even with this error in place.

What I need to know is whether these two errors are common and what I need to do to reproduce them. It may be that there is a quick fix that has so far eluded notice. In the meantime, it’s safe to ignore the two errors because the example does run, even when you’re working with Visual Studio 2013. Please contact me with your findings at John@JohnMuellerBooks.com.


Coding Schools and the Learning Process

There are three essential ways to begin a career as a developer. The first is to get a college degree in the subject, which is normally a Bachelor of Computer Science or a Bachelor of Information Technology (amongst other degrees). The second is to teach yourself the trade, which means spending a lot of time with books and in front of your screen working through online tutorials. The third is a new option, coding school. The third option has become extremely popular due to limitations in the first two techniques.

The cost of a college education has continued to skyrocket over the past few decades until it has started to elude the grasp of more than a few people. I’ve read estimates that a college degree now costs between $20,000 and $100,000 in various places. How much you actually pay depends on the school, your personal needs, and the electives you choose. The point is that many people are looking for something less expensive.

A college education also requires a large investment in time. A four year degree may require five or six years to actually complete because most people have to work while they’re going to school. A degree is only four years when you can go full time and apply yourself fully. Someone who is out of work today and needs a job immediately can’t wait for five or six years to get a job.

Teaching yourself is a time-honored method of obtaining new skills. I’ve personally taught myself a considerable number of skills. However, I’m also not trying to market those skills to someone else. My self-taught skills usually come in the areas of crafting or self-sufficiency (or sometimes a new programming language). The problem with being self-taught is that you have no independent assessment of your skills and most employers can’t take time to test them. An employer needs someone with a proven set of skills. Consequently, self-teaching is extremely useful for learning new hobbies or adding to existing (proven) skills, but almost valueless when getting a new job. In addition, few people are actually motivated enough to learn a new skill completely (at the same level as a college graduate) on their own.

Coding schools overcome the problem with self-teaching because they offer proof of your skills and ensure you get a consistent level of training. You get the required sheepskin to show to employers. They also address deficiencies in the college approach. The time factor is favorable because most of these schools promise to teach you basic development skills in three months (compared to the five or six years required by a college). In addition, the cost is significantly less (between $6,000 and $18,000). So, it would seem that going to a coding school is the optimum choice.

Recently people have begun to question the ability of coding schools to fulfill the promises they make. It’s important to consider what a coding school is offering before you go to one. The schools vary greatly in what they offer (you can see reviews of three popular code schools at http://www.mikelapeter.com/code-school-vs-treehouse-vs-codecademy-a-review/). However, there are similarities between schools. A coding school teaches you the bare basics of a language. You don’t gain the sort of experience that a college graduate would have. In addition, coding schools don’t teach such concepts as application design or how to work in a team environment. You don’t learn the low-level concepts of how application development works. I don’t know if building a compiler is still part of the curriculum at colleges, but it was one of my more important learning experiences because I gained insights into how my code actually ended up turning switches on and off within the chips housed in the computer.

I see coding schools as fulfilling an important role—helping those who do have programming skills to build competence in a new language quickly. In addition, a coding school could provide an entry point for someone who thinks they may want a computer science degree, but isn’t certain. Spending a short time in a coding school is better than spending a year or two in college and only then finding out that computer science isn’t what the person wants. Coding schools could also help people who need to know how to write simple applications as part of another occupation. For example, a researcher could learn the basic skills required to write simple applications to aid in their main occupation.

People learn in different ways. It’s the lesson that readers keep driving home to me. Some people learn with hands on exercises, some by reading, and still others by researching on their own. Coding schools can fulfill an important role in teaching computer science, but they’re not even close to a complete solution. In order to get the full story about computer science, a student must be willing to invest the required time. Until we discover some method for simply pouring information into the minds of people, the time-consuming approach to learning must continue as it has for thousands of years. There really aren’t any shortcuts when it comes to learning. Let me know your thoughts about coding schools at John@JohnMuellerBooks.com.


Entity Framework Examples – Visual Studio 2013 Update

Microsoft has a habit of making updates between versions of Visual Studio applications difficult. For example, the simple act of opening a solution (.SLN) file using a different version of Visual Studio than the one used to create it can be difficult or impossible. Most technology updates contain breaking changes that mean older code requires tweaks in order to continue working. Even the Visual Studio IDE interface changes, which means step-by-step instructions no longer work properly. Unfortunately, all of these sorts of changes have affected the examples in Microsoft ADO.NET Entity Framework Step by Step. This book is written to support:

  • Visual Studio 2012 Professional (or above)
  • Entity Framework 5.x

It doesn’t surprise me that Visual Studio 2013 developers are encountering problems with the book. Changes to the IDE mean that the step-by-step instructions won’t work as stated and there isn’t an easy method of fixing this problem short of rewriting the book. Likewise, changes to the Entity Framework mean that some assemblies such as System.Data.Entity don’t even exist any longer, so some book explanations won’t make sense.

However, it’s still possible to open the examples and see how they work. Instead of opening the .SLN file associated with an example, open the C# Project (.CSProj) file. For example, when looking at the example in Chapter 1, you open the SimpleEF.csproj file found in the \Microsoft Press\Entity Framework Development Step by Step\Chapter 01\SimpleEF\SimpleEF folder instead of the SimpleEF.sln file found in the \Microsoft Press\Entity Framework Development Step by Step\Chapter 01\SimpleEF folder when using Visual Studio 2013.

Much of the theoretical, usage, and general functionality information in the book (about half of the book) is still useful to the Visual Studio 2013 developer as well. So, there is still a lot of value to obtain by reading my book, but readers are right to point out that not every feature will work as written. Please accept my apologies in advance if you purchased the book and were disappointed with it. I did provide clear instructions about the products to use with the book in the book’s Introduction, but such information can be easy to miss.

As always, I try to provide every reader with a great reading experience. Should the publisher decide to update this book, you’ll learn about the update here when I start looking for beta readers. Please let me know about your other book-specific questions at John@JohnMuellerBooks.com.