Archive

Archive for the ‘Web / Internets’ Category

Microsoft releases new WP7 Tools & IE9 RC!

February 11th, 2011 No comments

I’m a little late on this one, but Microsoft has released Windows Phone Developer Tools January 2011 update recently. From their own list

The Windows Phone Developer Tools January 2011 Update includes:

  • Windows Phone Emulator Update – Exposes copy/paste functionality in the Windows Phone 7 emulator. For more information, see How to: Test Copy and Paste in Windows Phone Emulator. End users can use the copy and paste functionality only after receiving the corresponding update to the Windows Phone 7 operating system.
  • Windows Phone Developer Resources Update – Fixes a text selection bug in pivot and panorama controls. In applications that have pivot or panorama controls that contain text boxes, users can unintentionally change panes when trying to copy text. To prevent this problem, open your application, recompile it, and then resubmit it to the Windows Phone Marketplace.
  • Windows Phone Capability Detection Tool – Detects the phone capabilities used by your application. When you submit your application to Windows Phone Marketplace , Microsoft performs a code analysis to detect the phone capabilities required by your application and then replaces the list of capabilities in the application manifest with the result of this detection process. This tool performs the same detection process and allows you to test your application using the same list of phone capabilities generated during the certification process. For more information, see How to: Use the Capability Detection Tool.
  • Windows Phone Connect Tool – Allows you to connect your phone to a PC when Zune® software is not running and debug applications that use media APIs. For more information, see How to: Use the Connect Tool.
  • Updated Bing Maps Silverlight Control – Includes improvements to gesture performance when using Bing™ Maps Silverlight® Control.

WPDT Fix includes:

  • Windows Phone Developer Tools Fix allowing deployment of XAP files over 64 MB in size to physical phone devices for testing and debugging.

The BingMap updates were quite welcome too! There are two bits to this update, first grab the Windows Phone 7 January Patch, then install the Visual Studio 2010 tooling update.

Today also marked the release of Internet Explorer 9 Release Candidate which brings a nice bunch of (much needed) updates to IE9 and standards in general with a cool smooth UI.  Ars has a great write up on IE9 RC too which will be far better than what I can write up.

Windows 7 x86 | x64 for the lazy few!

{lang: 'en-GB'}
Share

Microsoft updates ASP.NET Flaw CVE-2010-333 with fix

September 29th, 2010 No comments

As mentioned earlier, the ASP.NET Session Security flaw has been keeping all .NET developers and Microsoft on the ball about possible exploits with their applications. Microsoft have updated their security advisory CVE-2010-333 with more information about the severity of the flaw – its taking Exchange and Sharepoint down with it too.

See Microsoft Security Bulletin MS10-070 for affected products and download the update fix for your setup 🙂

For ease of downloading, some configurations for you:

{lang: 'en-GB'}
Share

ASP.NET Session Cookie Crypto Attack Exploiting

September 20th, 2010 No comments

If the Linux CVE-2010-3081: 64bit Linux Kernel Root Exploit didn’t get you, then this little birdy might. It seems the implementation of the AES encryption algorithm which protects the integrity of the Session Cookies in ASP.NET has a weakness which could enable an attacker to hijack sessions – Which bank? The idea behind the use of AES is to ensure that the crypt’d data hasn’t been tampered with – and hence decryptable, but unfortunately the flawed implementation of the use of AES and how it handles errors gives out some much needed clues for an attacker to pursue.

From TheThreatPost article:

In this case, ASP.NET’s implementation of AES has a bug in the way that it deals with errors when the encrypted data in a cookie has been modified. If the ciphertext has been changed, the vulnerable application will generate an error, which will give an attacker some information about the way that the application’s decryption process works. More errors means more data. And looking at enough of those errors can give the attacker enough data to make the number of bytes that he needs to guess to find the encryption key small enough that it’s actually possible.

There is a Microsoft Security Advisory (2416728) which gives some workarounds until a proper fix is made available. What’s really concerning is this little tidbitt from Thai Duong about Using their tool the Padding Oracle Exploit Tool or POET:

“It’s worth noting that the attack is 100 [per cent] reliable, [that is], one can be sure that once they run the attack, they can exploit the target. It’s just a matter of time. If the attacker is lucky, then he can own any ASP.NET website in seconds. The average time for the attack to complete is 30 minutes. The longest time it ever takes is less than 50 minutes.”

What’s really interesting is seeing the video of the exploit in action on dotnetnuke (don’t close your eyes). ScottGu has blogged about this exploit which goes into far more detail than I can, but if you’re keen there’s a nice document on using the Padding Oracle exploit and includes discussions regarding the JSF View state, cracking CAPTCHA schemes as well as some juicy details on CBC-R.

{lang: 'en-GB'}
Share

Google opens up VP8 with WebM Project

May 20th, 2010 2 comments

You kind of knew it was going to happen but the mighty Google has open-sourced On2’s VP8 codec and set it free (in the form of a BSD-style license). Don’t forget to read an intro to the WebM VP8 SDK and get the code (the files). Some of the companies backing it and the ideas behind WebM are posted on the first blog entry.

So what is WebM?

WebM includes:

  • VP8, a high-quality video codec we are releasing today under a BSD-style, royalty-free license
  • Vorbis, an already open source and broadly implemented audio codec
  • a container format based on a subset of the Matroska media container

Wonder what MSFT and Apple are going to do? In either case, interesting times ahead for video.

Oh hai, I almost forgot, from their FAQ, some interesting points – besides the Licensing bits.

If I have a video card that accelerates video playback, will it accelerate VP8?

The performance of VP8 is very good in software, and we’re working closely with many video card and silicon vendors to add VP8 hardware acceleration to their chips.

Will WebM files play on my TV, set-top box, PVR, etc.?

Stay tuned! The WebM community is working with hardware manufacturers to bring WebM support to a wide range of devices.

When will other Google products support WebM and VP8?

WebM support in Android is expected in the Gingerbread release (currently planned for Q4, 2010). We expect many other Google products to adopt WebM and VP8 as they prioritize it with their other product requirements. Keep an eye on the WebM blog for announcements.

Man, Google rocks!

{lang: 'en-GB'}
Share

The Gospel according to Jobs: Thoughts on Flash

May 3rd, 2010 2 comments

Got to give it up for Steve Jobs, he responds to his followers when things are a muck in his church. But putting aside my dislike for Apple antics, I do agree with most of his comments.

Flash was great in the early days, we had the birth of the XaoXao videos and interactivity on the web, but in the past 5-6 years, the hip cool designers of the world have transformed the browsing experience to be  fully Flash driven – which drives me nuts. Do they not realise that content would not be indexable by search engines nor useful for anyone who doesn’t have Flash? Whats more, I’m not after their fancy dancy effects, I’m after content – the exception of Flash being used for animation in addition to content (like slideshows, video presentations or marketing bits) or navigation around a site.

One recent (2006) example is the Eclipse home page, back when I got the AVN6000 installed, I wrote a little blurb on the (then) DeveloperFusion blogs and sure enough took the bulk of the traffic for the keyword AVN6000. The entire site was flash driven up until 2008 and no-one had indexed the content of the site.  As the unit was installed a week after release, it got quite a bit of traffic – nice for me.

I have FlashBlock installed to avoid uninvited flash content (especially annoying opening up a bunch of news articles and one of them is playing a video!) and have no _real_ need for Flash on my mobile devices – youtube works. Android 2.2 (Froyo) will ship with some flash support but it doesn’t excite me as much as the JIT functionality. Gotta JIT that, Gotta JIT that

There are a few points you can criticise Jobs on (HTML5, CSS+JS is no where near the functionality of Flex nor Silverlight – gasp! but it has time and momentum to grow) and everything about Apple is proprietary (sure they have a few good open-source projects – DTrace & WebKit) but their business nature to lock you into fruity loops. I still haven’t got a decent way of avoiding installing iTunes if I want to use an iPod which is the only device my (ironically) AVN6000 supports. As for the latter, overall a job well done I say and well justified move for not having Flash on their devices.

Just like to point out one thing having come from working with the On2 VP6/VP7 bits whilst at Vividas.

Although Flash has recently added support for H.264, the video on almost all Flash websites currently requires an older generation decoder that is not implemented in mobile chips and must be run in software.

What he’s talking about here is that Adobe utilises the On2 VP6 for their video rendering in Flash (as of Flash Player 8) and as such there’s no standard accelerator for the On2 codec (yet!) – its all CPU bound (and prior to 2008 quite intensive to decode!). The VP6 and VP7 codecs (though quite differently utilised) powered (or still powers) the Vividas format (could be different now, I left in 2008). Compared to Flash Player 7, the enhancements that On2 VP6 brought to Flash Player 8 effectively meant that a lot of media was encoded optimised for VP6. Newer versions of Flash Player 9 Update 3+ support h264 however.

Don’t forget that JavaFX also utilises VP6. While you’re there, checkout Gosling rant on Android and his thoughts on the Apple OS X Secret API hooks for the JVM.

With Google having purchased On2 Technologies earlier this year, there’s a bit of excitement and worry about the future of VP8 and whether it will become open-source and what will happen to h264 or Theora (a derivative of On2 VP3 which On2 open-sourced).

Having said all that, I can’t leave you without leaving something to ponder about when it comes to Apple and its many evangelists enthusiasts – maybe you’re one of them?

It’s funny because its true (!), don’t Think Different. Be different 🙂

I guess its time for Adobe to chime in and see their take on things, it better be something flashy!

{lang: 'en-GB'}
Share

FIX: WordPress Older Posts not working in IIS with Permalinks

April 28th, 2010 2 comments

I spent some time tweaking my blog today after moving it to some fresh hardware. You may find that everything is loading much faster now which can be attributed to two plugins in addition to the hardware upgrade – wp-super-cache and wp-widget-cache.

I’ve also fixed a long standing bug with my particular configuration of WordPress that runs on IIS which causes the “Older posts” link at the bottom does not function for the second page. The WordPress generated URL for this is

http://www.thushanfernando.com/index.php/Index.php/page/2

Which is a bit problematic, this ofcourse can be reproduced only on IIS from my musings (serves me right eh?). There are a couple of suggestions by people on the forums already, but I wasn’t too keen on them as they seemed too high-level fixes.

I’ve enabled Permalinks with this format:

http://www.thushanfernando.com/index.php/2010/04/28/sample-post/

So I looked through the sources to see why this was happening. After a bit of snooping about I got to the get_pagenum_link function in wp-includes/link-template.php file.

Heres a bit of source for reference – this is with WordPress 2.9.2:

function get_pagenum_link($pagenum = 1) {
	global $wp_rewrite;

	$pagenum = (int) $pagenum;

	$request = remove_query_arg( 'paged' );

	$home_root = parse_url(get_option('home'));
	$home_root = ( isset($home_root['path']) ) ? $home_root['path'] : '';
	$home_root = preg_quote( trailingslashit( $home_root ), '|' );

	$request = preg_replace('|^'. $home_root . '|', '', $request);
	$request = preg_replace('|^/+|', '', $request);

	if ( !$wp_rewrite->using_permalinks() || is_admin() ) {
		$base = trailingslashit( get_bloginfo( 'home' ) );

		if ( $pagenum > 1 ) {
			$result = add_query_arg( 'paged', $pagenum, $base . $request );
		} else {
			$result = $base . $request;
		}
	} else {
		$qs_regex = '|\?.*?$|';
		preg_match( $qs_regex, $request, $qs_match );

		if ( !empty( $qs_match[0] ) ) {
			$query_string = $qs_match[0];
			$request = preg_replace( $qs_regex, '', $request );
		} else {
			$query_string = '';
		}

		$request = preg_replace( '|page/\d+/?$|', '', $request);
		$request = preg_replace( '|^index\.php|', '', $request);
		$request = ltrim($request, '/');

		$base = trailingslashit( get_bloginfo( 'url' ) );

	if ( $wp_rewrite->using_index_permalinks() && ( $pagenum > 1 || '' != $request ) )
		$base .= 'index.php/';

		if ( $pagenum > 1 ) {
			$request = ( ( !empty( $request ) ) ? trailingslashit( $request ) : $request ) . user_trailingslashit( 'page/' . $pagenum, 'paged' );
		}

		$result = $base . $request . $query_string;
	}

	$result = apply_filters('get_pagenum_link', $result);

	return $result;
}

This function (from reading through) essentially generates the links for the page numbers & page navigation taking into account Permalinks if configured. This is all fine and dandy for Unix hosts but for Windows, unfortunately this bit of code fails us.

...
$request = preg_replace( '|page/\d+/?$|', '', $request);
$request = preg_replace( '|^index\.php|', '', $request);
$request = ltrim($request, '/');
...

As the preg_replace is case sensitive, it will not replace the invalid Index.php that is seen on IIS. So the easiest fix is to tweak the regex pattern a little bit and tell it be case insensitive.

...
$request = preg_replace( '|page/\d+/?$|', '', $request);
$request = preg_replace( '/|^index\.php|/i', '', $request);
$request = ltrim($request, '/');
...

This will then generate the (invalid) urls and the preg_replace will remove any additional Index.php’s from the request URL as its already mentioned in the $base variable a few lines below:

...
if ( $wp_rewrite->using_index_permalinks() && ( $pagenum > 1 || '' != $request ) )
$base .= 'index.php/';
...

Once you make the change and upload the files, your “Older posts” will start working again. I’ll submit a patch to WordPress I’ve submitted a patch to WordPress Trac, now its just a wait and see what they say, in the meantime here’s a patch file if you don’t want to modify sources manually. If there any issues, post a comment 🙂

{lang: 'en-GB'}
Share

Office 2010 and SQL Server 2008 R2 (soon) available on MSDN!

April 26th, 2010 No comments

If you haven’t heard already, Microsoft have RTM’d both Office 2010 and SQL Server 2008 R2 and Office is already available for MSDN Subscribers with SQL Server 2008 R2 arriving soonishly – you can look at the download page for SQL Server 2008 R2 and download it from MSDN now (03/05/2010). There’s also a great ebook titled “Introducing SQL Server 2008 R2” available in XPS and PDF format 🙂

I’m one of those who love the ribbon UI, its made things easier for me (helps that I really wasn’t a heavy MSFT Office user back in the days). Now everyone’s getting on board the ribbon train, even the beloved WinZip!

Don’t forget the Office 2010 Movie from last year.

{lang: 'en-GB'}
Share

Google shows the power of HTML 5, ports Quake II to run in browser!

April 3rd, 2010 No comments

The title says it all. Using the Jake2 port of Quake II (to Java) the bright sparks at Google have used GWT to bring Quake II to HTML 5.

We started with the existing Jake2 Java port of the Quake II engine, then used the Google Web Toolkit (along with WebGL, WebSockets, and a lot of refactoring) to cross-compile it into Javascript. You can see the results in the video above — we were honestly a bit surprised when we saw it pushing over 30 frames per second on our laptops (your mileage may vary)!

At first I thought it was an April fools joke, but as cruel as that may be, it wasn’t. Download the source and give it ago, I nearly fell of my chair.

At the moment you have to build from source and mess about a bit, but fear not, I followed the guide on OSNews by Kroc on our MacBook Pro and it worked quite well, yet to try it on Linux.

{lang: 'en-GB'}
Share

ASP.NET MVC 2 released!

March 14th, 2010 No comments

Quick note that ASP.NET MVC 2.0 was released on Friday, still yet to play with the RTM, but don’t let me stop you. Go for it!

Link dump – mostly from Scott Hanselman’s announcement:

Exciting and just in time for a fairly large project we’re working on right now 🙂

{lang: 'en-GB'}
Share

Chrome 4.0 is out with extensions support

January 26th, 2010 1 comment

Well finally Google has released Chrome 4.0 and with it extensions support amongst the many other features which finally brings some much needed juice to the browser. I’ve been running Firefox and Chrome simultaneously (Chrome for gmail & google apps, firefox for daily browsing) but I have a feeling I may change to using Chrome full time now.

Some cool extensions to try (most are from Firefox)

  • Xmarks Bookmarks Sync – I’ve been using FoxXmarks to sync my bookmarks for a while now, so its only natural I install this for Chrome. You can also stick with the standard Bookmark sync via Google which you’ll need a Google account for.
  • Google Mail Checker / Google Alerter – there’s also the One Number extension that brings more than just checking gmail.
  • AdBlock – probably the number one reason most people wanted extensions in Chrome!
  • Forecastfox Weather – My weather extension I use in Firefox.
  • FlashBlock – Can’t stand videos playing automatically when you load a gazillion tabs and wonder WHO THE EFF is talking?
  • Goo.gl URL Shortner – none others required.
  • Firebug Lite – Not as feature packed as Firebug, but then why would they call it Lite?
  • IETab – Sometimes you gotta.

Chromed. There’s lots more if you’re into Facebook, Twitter and all the other fancy things these days, even one for uTorrent! Download the latest build and give things a go!

PS. You don’t need to restart Chrome to install extensions either!

{lang: 'en-GB'}
Share