carlos


Comments

  • C++ in Visual Studio 2015

    @chrisaverage: thanks a lot.

  • C++ in Visual Studio 2015

    Are the semantics of the pre-increment and post-increment operators the same in C++ and C#?

    The following C++ program displays 6, whether you compile with the "/clr" option or without it:

    #include <stdio.h>
    int main()
    {
      int i = 1;
      printf("%i\n",++i + ++i);
      return 0;
    }

    But the following code in C# displays 5:

    using System;
    class P1
    {
      public static void Main()
      {
        int i = 1;
        Console.WriteLine(++i + ++i);
      }
    }

    Also Java displays 5:

    class P1
    {
      public static void main(String[] args)
      {
        int i = 1;
        System.out.println(++i + ++i);
      }
    }

     

  • Application Lifecycle Management, Dev/Test & DevOps

    Does Microsoft use Team Foundation Server, Release Management, and App Insights to develop its products (like Windows, Office, Azure, etc.)?

  • .NET 2015 & Managed Languages

    Any plan to support IL development (assembly language for the CLR) in future versions of Visual Studio?

  • ASP.NET 5 (Panel Discussion)

    Visual Studio Community 2013 still includes Silverlight development.

    What is the future of Silverlight?

  • Keynote: Developers in the mobile-first, cloud-first era

    The launch of .NET for the Linux and Mac worlds is great news. At the end of the day, Unix is not a strange world for Microsoft; remember Xenix.

  • ASP.NET Identity

    @Caesar:

    Hi Caesar, yes, there are some options for certificates. With $5 USD you can buy a domain-verified certificate; if you need business validation, you could spend more. It depends on your business needs.

    Email and phone are not effective for authentication because these channels can be (and in fact are) listened to by a "man in the middle". Security is a serious concern for business. In fact, financial and banking systems do not use email or phone for access to the user's accounts because these channels are not secure enough, and money is a serious matter.

    Authentication by social networks is not two-factor authentication, because a social account is not "something only the user has". Social networks use the user information in a variety of ways, for instance: "who accesses, what app, when, from where".

    Social experiments consist of modifying the social network's behavior and observing the response of users. Social networks could perform experiments on the access to your app. Also, social networks can sell the information about who accesses your app, when and from where. What about privacy?

    How secure can a system be? In my opinion the answer is binary: nothing or highly secure.

    If you use password-only or password with email/phone/social authentication, in both cases your system is an easy objective for hackers. For this reason it is very important to include the maximum level of security that you can reach.

    Two-factor authentication with a token is a very good solution in terms of cost/benefit. You can buy one token device (OTP) for $10 USD or use a virtual token for free.

    It is easy to implement your own two-factor authentication system based on TOTP (Time-Based One-Time Password) tokens; the algorithm is public, see RFC 6238: http://tools.ietf.org/html/rfc6238 This document includes the algorithm implemented in Java.

    Regards

  • ASP.NET Identity

    What about the following article?

    "Critical design flaw in Active Directory could allow for a password change", Jul 15, 2014

    http://www.csoonline.com/article/2453930/data-protection/critical-design-flaw-in-active-directory-could-allow-for-a-password-change.html

  • Get Started with the Cloud: Learning & Demos for New Users and Startups

    Which is the better option for developers and testers in terms of cost/benefit?

    1. With AWS EC2 you pay per hour. AWS offers new low-cost EC2 instances with burstable performance starting with 1 GB of RAM. A very good option in terms of cost-performance.

    2. With Google you pay per minute (minimum 10 minutes). Google offers two configurations with shared cores (614 MB and 1.7 GB RAM). With the "Sustained Use Discounts" you can reach an effective discount of 30%.

    3. With Azure you pay per minute. Azure offers only one configuration with shared cores (768 MB of RAM). But SQL Server needs at least 1 GB of RAM...

    The "shared core" option is less expensive because you pay ONLY when your VM is consuming CPU cycles (in other words, when the App Server and DBMS are running, not waiting for requests).

    Could Azure offer more configurations with shared cores and more memory?

  • ASP.NET Identity

    @Caesar:
    The pillars of security are strong authentication followed by fine-grained authorization. But the most important factor is "to be paranoid".

    Neither email nor phone is a trusted communication channel for two-factor authentication.

    Talking about costs... identity services are not free of cost, see: https://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/

    If you have a web server, you must buy a certificate in order to implement https. You can buy a strong certificate for $5 USD/year, cheap or not?

    Identity services using social networks are free of cost, but are not secure enough; consider the recent security issues of some social networks (remember the massive "password hacking" in some social networks).

    What about the recent "social experiments" carried out by some social networks? Would you like your app to be part of experiments in social networks? What about privacy?

    Best Regards.

  • ASP.NET Identity

    Two-factor authentication must comply with, at least:

    1) "something only the user knows" (aka password)
    2) "something only the user has" (for instance, a token device)

    Two-factor authentication with phone or email IS NOT effective because the communication can be "known" by the service provider. Phone and email are not "something only the user has".

    A token code generated by a mobile app works well, but the "secret seed" (which is needed to generate token codes) must be encrypted using a PIN code. This PIN can be seen by a third person while you are typing it into your mobile device.

    Hardware tokens (OTP: One-Time Password) are more secure because the "secret seed" is stored in a secure memory; no one can see this secret key. Those devices are used by users of banking and financial systems to access their accounts.

    OTPs are also used to log in to a cloud (for instance Amazon AWS).

    On the other hand, why don't banks and financial services implement login using social networks? Can you trust social networks to access your money? Consider the recent security issues of some social networks.

  • State of .NET (Keynote)

    Could Microsoft offer complete JSON support for .NET? What about BSON?

    OK, you can use Json.NET, but this external package depends on donations, to date -only- $4,111 USD since 2006.

    In my opinion it is better to use Microsoft's DataContractJsonSerializer because this framework has full Microsoft support. See:

    "How implement JSON using .NET framework, including byte[] and Datetime ISO8601"  https://social.msdn.microsoft.com/Forums/vstudio/en-US/338899fc-e53c-40fe-a586-06d54d4cceea/c-google-gson-for-rest