Entries for Maurits

Gettin' a blue badge [Gettin' a blue badge]

Maurits — Tue, 20 Jun 2006 01:12:01 GMT

Started at Microsoft today. Gettin' my badge tomorrow.

in reply to Gettin' a blue badge

MSDN Wiki launches beta [MSDN Wiki launches beta]

Maurits — Fri, 09 Jun 2006 22:27:18 GMT

Add code samples and content alongside MSDN docs.

Somasegar's announcement of MSDN Wiki

in reply to MSDN Wiki launches beta

Windows 98 security vulnerability won't be fixed [Windows 98 security vulnerability won't be fixed]

Maurits — Fri, 09 Jun 2006 22:17:41 GMT

Christopher Budd of the Microsoft Security Response Center blogs about why the vulnerability in MS06-015 will not be fixed for Windows 98... even though security support doesn't officially end until July 11^th.

in reply to Windows 98 security vulnerability won't be fixed

Net Neutrality amendment struck down in House [Net Neutrality amendment struck down in House]

Maurits — Fri, 09 Jun 2006 16:56:44 GMT

http://news.bbc.co.uk/1/hi/technology/5063072.stm

"An amendment to the Act tried to add clauses that would demand net service firms treat equally all the data passing through their cables.

...

The amendment was defeated by 269 votes to 152"

Good. Let Adam Smith's invisible hand do its thing. I don't need my Vista download to be delayed because my ISP is scared that my neighbor's spam-spewing-zombie machine will sue for equal service.

in reply to Net Neutrality amendment struck down in House

Lock Computer and Windows login [Lock Computer and Windows login]

Maurits — Thu, 25 May 2006 16:27:41 GMT

I locked my computer (in Ctrl-Alt-Delete fashion,) left and came back.
Then I tried to log in and couldn't... because my Caps Lock key was on.

The error I received even asked me to check that the Caps Lock key was on.

So I turned it off and was able to log in.

But here's my question.

Why can't Windows just check to see if the Caps Lock key is on? There's all kinds of things it could do based on that knowledge. It likely has my credentials cached, so there's little danger of locking my account out by retrying the password as-if-I-had-Caps-Lock-off.

in reply to Lock Computer and Windows login

Windows Live Mail down [Windows Live Mail down]

Maurits — Mon, 15 May 2006 21:11:56 GMT

http://mail.live.com/

Directory Listing Denied

This Virtual Directory does not allow contents to be listed.

EDIT: Going in through www.live.com works, though.
EDIT2: mail.live.com works again.

in reply to Windows Live Mail down

Spot the Bug: Perl's XML::SAX::PurePerl.pm [Spot the Bug: Perl's XML::SAX::PurePerl.pm]

Maurits — Mon, 08 May 2006 18:54:06 GMT

XML::SAX::PurePerl is a perl XML parser.

Most of the time it works. But occasionally there are problems extracting large CData sections. I ran into this bug in a document that looks like this:

<foo><![CDATA[ ... lotsa data here... ]]></foo>
<bar><![CDATA[short string]]></bar>

The error it gave me was "End tag mismatch (bar != foo)"

It would only error on less than 1% of such files -- but it would error consistently on those particular files.

Here's the relevant subroutine:

sub CDSect {
    my ($self, $reader) = @_;

    my $data = $reader->data(9);
    return 0 unless $data =~ /^<!\[CDATA\[/;
    $reader->move_along(9);

    $self->start_cdata({});

    $data = $reader->data;
    while (1) {
        $self->parser_error("EOF looking for CDATA section end", $reader)
            unless length($data);

        if ($data =~ /^(.*?)\]\]>/s) {
            my $chars = $1;
            $reader->move_along(length($chars) + 3);
            $self->characters({Data => $chars});
            last;
        }
        else {
            $self->characters({Data => $data});
            $reader->move_along(length($data));
            $data = $reader->data;
        }
    }
    $self->end_cdata({});
    return 1;
}

This is a straightforward bug... it doesn't rely on any Perl magic.

To explain the regexes:
$data =~ /^<!\[CDATA\[/ means:
    data begins with <![CDATA[

$data =~ /^(.*?)\]\]>/s means
    look for the first occurence of ]]> in $data
    capture everything before the ]]> and store it in $1
    consider newlines to be an ordinary part of the string

in reply to Spot the Bug: Perl's XML::SAX::PurePerl.pm

tohex.bat - batch file to print a number as hex [tohex.bat - batch file to print a number as hex]

Maurits — Thu, 04 May 2006 23:38:48 GMT

Inspired by Matthew Chaboud's comment in Raymond Chen's blog post, Doing quick arithmetic from the command prompt

C:\>tohex -999
-0x3E7

in reply to tohex.bat - batch file to print a number as hex

Sender ID, SPF RFCs are live! [Sender ID, SPF RFCs are live!]

Maurits — Fri, 28 Apr 2006 20:29:56 GMT

Spammers, your days are numbered!

RFC 4405 MAIL FROM ... SUBMITTER=
RFC 4406 Sender ID
RFC 4407 Purportedly Responsible Address
RFC 4408 SPF Classic

Shameless plug... the toplabel ABNF in RFC 4408 is mine :)

in reply to Sender ID, SPF RFCs are live!

Bug in IIS? Or HTTP + CGI? [Bug in IIS? Or HTTP + CGI?]

Maurits — Sun, 23 Apr 2006 04:52:32 GMT

David Wang made a very informative post on Thursday regarding a feature added to IIS 6.

The feature adds support for ISAPI programs, ASP, and ASP.Net to be able to access headers that contain an underscore (like SM_User:)

The CGI spec says that most headers are to be added to the "environment" of a CGI program, with the HTTP_ prefix prefixed, with "-" replaced by "_" throughout, and with lowercase letters uppercased.

And sure enough, an ASP script can call Request.ServerVariables("HTTP_ACCEPT_ENCODING") and get the value of the Accept-Encoding: header.

~~Reportedly (I have not yet confirmed this, though I plan to:)~~
ASP can not call Request.ServerVariables("HTTP_SM_USER") and get the value of the SM_User: header (note the underscore in the header name.)

David considers this a flaw in the spec. As I noted in the comments to the post, I disagree. It seems to me to be simply a bug in IIS. IIS is, in my view, not correctly implementing the CGI spec. This is probably due to a misreading of the spec, rather than intentional sabotage.

What do you think? Is the bug in IIS, or in the spec?

EDIT: confirmed. Repro and analysis posted.

in reply to Bug in IIS? Or HTTP + CGI?

Digest Auth fix for IIS 5 [Digest Auth fix for IIS 5]

Maurits — Sat, 15 Apr 2006 17:24:55 GMT

IIS 5 has a security warning for Basic Authentication.

So on the advice of Microsoft Product Support Services, I have written a small ISAPI filter to work around this bug in IIS 5.

If you have an IIS 5 server, and want to offer Digest Authentication to non-IE browsers, this may be of use to you.

I offer this to anyone who wants to use it, with no obligation.

Caveat: if it hoses your server, I claim no responsibility. Bear in mind that once an ISAPI is loaded successfully, IIS won't release the lock on the DLL until you restart the IIS Admin service.

In the interests of early release, there are some known issues...

The design isn't the prettiest. For example, strlen(FIND_IN_HEADER) is calculated on every request, even though that's a constant string. (Hopefully the compiler is smart enough to optimize that one out.)

I used the MFC ISAPI wizard, but I'm not sure whether the MFC bit is necessary. So this could probably be lightened up.

The rewriter doesn't check to see whether the Authorization: header is really a Digest header (should start with Digest.) This would be an easy fix... I'll implement it soon.

EDIT 4/17/2006
* Removed MFC stuff after reading David Wang's unrecommendation of MFC ISAPIs
* Check that header begins with "Digest "
* Change algorithm=MD5 -> algorithm="MD5" as well as qop=auth -> qop="auth"

in reply to Digest Auth fix for IIS 5

IE animation on a dead page [IE animation on a dead page]

Maurits — Sat, 15 Apr 2006 00:22:45 GMT

I have a search page that posts to a results page.

Sometimes the results page takes a while to load.

So I requisitioned an animated GIF, whipped up some text animation javascript, and put an onsubmit event for the form that would show a nifty little "your search is processing" animation with text and graphics.

It works great.

Except in IE.

In IE, the animated GIF refuses to animate, while the text animates fine.

I can't decide whether this is really a "bug" though. Is it reasonable to expect an image to continue animating while another page is loading?

in reply to IE animation on a dead page

"Vista neatness" and Firefox ["Vista neatness" and Firefox]

Maurits — Fri, 14 Apr 2006 23:38:36 GMT

This is currently on the msdn.microsoft.com home page:

(screenshot taken from Firefox 1.5.0.2)

It seems to be some kind of interaction between the standard_text and strong_link CSS in the main stylesheet. It's not clear to me whether Firefox or IE is wrong.

I thought this was rather ironic...

in reply to "Vista neatness" and Firefox

IE gets a bugzilla [IE gets a bugzilla]

Maurits — Fri, 24 Mar 2006 18:11:36 GMT

IE blog post

in reply to IE gets a bugzilla

Twin bugs in IIS, IE... unfair competitive advantage? EDIT: SOLVED [Twin bugs in IIS, IE... unfair competitive advantage? EDIT: SOLVED]

Maurits — Thu, 16 Mar 2006 23:45:42 GMT

The IE blog had a very interesting post yesterday about security tweaks.

If a website requests Basic HTTP authentication over a non-SSL connection, text is added to the Username/Password box to the effect that "this username and password will be transmitted insecurely."

Which is all very well and good. Except that IE doesn't¹ support Digest HTTP Authentication, which was designed to cover this shortfall in Basic Authentication.

... unless it's connecting to an IIS server. Then Digest HTTP Authentication works just fine.

So we have the following situation:

IE6 <-Basic-> IIS: works fine
IE6 <-Digest-> IIS: works fine
IE6 <-NTLM-> IIS: works fine
IE6 <-Basic-> Apache: works fine
IE6 <-Digest-> Apache: ~~DOES NOT WORK~~² works fine (Apache accepts IE6's incorrect headers)
IE6 <-NTLM-> Apache: works fine
Firefox <-Basic-> IIS: works fine
Firefox <-Digest-> IIS: DOES NOT WORK (IIS does not accept Firefox's correct headers)
Firefox <-NTLM-> IIS: works fine
... and now...
IE7 <-Basic-> IIS: UGLY WARNING
IE7 <-Digest-> IIS: works fine
IE7 <-NTLM-> IIS: works fine
IE7 <-Basic-> Apache: UGLY WARNING
IE7 <-Digest-> Apache: ~~DOES NOT WORK~~ works fine
IE7 <-NTLM-> Apache: works fine

So as I read this, if you want to use IIS, you're stuck with either:
* Sticking your IE7 consumers with a big ugly warning
* Shutting out your Firefox consumers
* Using NTLM

I'm in favor of adding the warning. I agree that plaintext not-over-SSL is a bad way to transport passwords.

But... and this is my point... I think Digest Authentication should be fixed FIRST³. Otherwise this is just a way to push NTLM, no?

Thoughts?

¹Microsoft claims it does. But see my comments on the blog post. (I believed them at first, and mistakenly thought what I was seeing was a Firefox bug. But then I read the RFC.)
²See http://www.eweek.com/article2/0%2C1895%2C1500432%2C00.asp
³Note that fixing IE7's Digest Authentication will probably entail fixing IIS's Digest Authentication first.

So the critical path is:
1) Fix IIS Digest Authentication (release patches for downlevel IIS servers...)
2) Fix IE Digest Authentication (release patches for downlevel IE clients...)
3) Add the Basic Authentication warning.

EDIT: According to David Wang this bug is fixed in IIS 6.

in reply to Twin bugs in IIS, IE... unfair competitive advantage? EDIT: SOLVED

Idea to prevent C9 spam [Idea to prevent C9 spam]

Maurits — Wed, 15 Mar 2006 17:20:19 GMT

I thought of an idea to defeat bot-style spam sent through the Channel 9 "email this user" feature:

When building http://channel9.msdn.com/User/SendEmail.aspx?UserId=8999
generate a one-time-use key, and store it in the session:

emailkey = generate_random_string();
Session("emailkey") = emailkey;

Then, create a hidden input whose name is "emailkey" and whose value is the random string

When processing the postback:
Check Session("emailkey")

If it's empty there's a problem... DON'T SEND THE MAIL
This is most likely a standard Community Server dictionary attack... they didn't even bother to load the form

If it doesn't match Request("emailkey") there's a problem... DON'T SEND THE MAIL
This could be a replay attack, or someone could have hit "Back" and tried to reuse the form

If it's nonempty, and it matches Request("emailkey"), everything checks out.
Clear Session("emailkey") (to avoid replay attacks)
Send the mail.

in reply to Idea to prevent C9 spam

Sender ID, PRA, SPF - RFCs in AUTH48 [Sender ID, PRA, SPF - RFCs in AUTH48]

Maurits — Mon, 13 Mar 2006 22:24:59 GMT

Drafts of almost-RFCs:

Submitter parameter
http://ftp.rfc-editor.org/in-notes/authors/rfc4405.txt

Sender ID
http://ftp.rfc-editor.org/in-notes/authors/rfc4406.txt

Purported Responsible Address (PRA)
http://ftp.rfc-editor.org/in-notes/authors/rfc4407.txt

Sender Policy Framework (SPF)
http://ftp.rfc-editor.org/in-notes/authors/rfc4408.txt

Though the numbers have been assigned, these are not RFCs yet. The authors still have a chance to make proofreading corrections.

Also, even when published, these will be "Experimental" RFCs.

in reply to Sender ID, PRA, SPF - RFCs in AUTH48

Web Publishing SDK [Web Publishing SDK]

Maurits — Thu, 09 Mar 2006 00:53:57 GMT

Anyone know where I can get a copy of the Microsoft Web Publishing SDK? I checked download.microsoft.com...

I'm trying to compile the KBBar sample in Visual Studio 2003 but it doesn't recognize the IInputObjectSitePtr type.

in reply to Web Publishing SDK

Dell "Open Source Desktops" - no OS [Dell "Open Source Desktops" - no OS]

Maurits — Thu, 09 Mar 2006 00:07:40 GMT

Now we're talking!

"In order to boot this system, you must install an operating system"

in reply to Dell "Open Source Desktops" - no OS

Scoble renew your domain [Scoble renew your domain]

Maurits — Tue, 07 Mar 2006 19:28:04 GMT

www.scobleizer.com no longer redirects...

EDIT: Oops meant to post in CoffeeHouse

in reply to Scoble renew your domain

Probably for the best [Probably for the best]

Maurits — Fri, 03 Mar 2006 06:14:04 GMT

Wow, I log off for a few hours and Beer28's banned, and all the "Beer28 is banned" threads are locked.

Guess I'll have to start my own then.

I want to say up front -- I think that Charles did the right thing. There were a lot of hateful words being thrown around, and many of them were posted by Beer28. That kind of behavior is far too destructive to be allowed to continue. Without restraint and decorum there can be no dialog.

That said, I think that Beer28 has also made valuable contributions to the forum, and I'm sad to see it come to this. I would have hoped he could have risen above the petty name-calling and childish squabbling and stuck to technical discussion.

But he didn't.

Ah well. C'est la vie.

(this thread has released all resources and is ready to be locked...)

in reply to Probably for the best

Google brings US national video archive to the web [Google brings US national video archive to the web]

Maurits — Sat, 25 Feb 2006 00:55:00 GMT

http://news.yahoo.com/s/afp/20060224/tc_afp/usinternethistory

Sweet...

in reply to Google brings US national video archive to the web

"no money" thread DID have a point... ["no money" thread DID have a point...]

Maurits — Thu, 23 Feb 2006 17:48:47 GMT

Easy on the "lock" button, there, JonathanH...
My "

in reply to Windows Live this, Windows Live that...