
Signing assemblies with a .pfx file

Starting with version 2 of the SN tool, there is support for creating strong name key files protected with a private key (that is a .pfx file). Though this is a great improvement over the old .snk file, it is a pain during development. While opening or debugging the signed projects, a dialog box opens that reads “Import Key File”, “This project includes a password-encrypted key used for signing. Enter the password for the key file to import the key file into the local crypto-store database for use.” Even if you enter the correct password, the error persists and says “Error importing key”, “Object already exists”. On building, you get the following message: error MSB3321: Importing key file “<keyname>.pfx” was canceled.

I faced this issue in VS 2008 on my Windows 7 machine and had to get rid of this error somehow. Accidentally I came to know that if UAC is turned off, the error vanishes. On researching (googling :)) I could find that this is a permission (UAC) related open bug in Visual Studio from VS 2005 through VS 2010 (not verified) and the one and only solution for the time being seems to be Delay Signing. By delay signing your assembly you can get rid of the nag window in Visual Studio and by signing the assembly with your key file before distribution you could achieve the security you want. This though comes with a catch. If you set the project for delay signing, you cannot debug your application as the verification of the strong name fails. To override this verification, you have to add your key file to the list of keys skipped for verification in your machine.

I could not find the steps for delay signing and verification skipping online easily. So I am just recompiling the steps for future reference 🙂

  1. Open a Visual Studio command prompt.
  2. Export the public key from your .pfx file using the SN tool: run sn -p <original-key>.pfx <public-key-file>.pk
  3. In the Project Properties page, select the Signing tab, set the key file to <public-key-file>.pk and check the Delay sign only option.
  4. To skip the strong name verification, you have two options:
    1. Configure skipping for a particular assembly: sn -Vr <assembly-name>
    2. Or enable skipping for all the assemblies signed with the same key. Personally I preferred this method as there were 4 or 5 assemblies signed with the same .pfx file. To achieve this:
      1. First run sn -T <assembly-name>. This gives us the public key token for the assembly. For example, the output will be something like Public key token is bd91f093f07f35ac.
      2. Now run sn -Vr *,<public-key-token>. For example, sn -Vr *,bd91f093f07f35ac in my case.
  5. When you finally want to ship your assembly, run sn -Rc <assembly-name> <original-key>.pfx

For this to work on 64bit, you need to do these extra steps:

  1. Open a command prompt as Administrator
  2. Go to C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\x64\
  3. Run the same command: sn -Vr *,<public-key-token>

This adds the verification skip to the 64-bit registry as well.

 
 

Jobhunt.in – Easiest Jobsite

“redefine: EASY”

This is what my friend and I had in mind when we decided to create a job site.

To make the “Easiest Job site”. A job site which I and most probably you will use without scowling.

With a lot of reusable stuff from Skillda and 2 months of planning and development we have come out with the beta version of our job site – www.jobhunt.in. What makes it the easiest is that you don’t have much to do either as a job seeker or a recruiter.

As a job seeker, just upload your resume on the front page or just email it to post@jobhunt.in. That’s it! No more registration or filling up pages of boxes. Our automatic analyzing system picks up the data and tags your resume.

Recruiters too don’t have to pay and register or search for hours to dig up the resumes they want. Type in your filter tags and subscribe. You start getting daily mail from the site with matching resumes.

Isn’t this EASY?

 
Posted on October 9, 2008 in Computers, Recruitment, Technology

 

A bad worker blames his tools. What if bad tool starts blaming?

I have spent my last 4 and a half months learning how you should never execute a (software) project. 🙂

Though a big disappointment and failure, the previous project had changed my view on a lot of stuff, especially processes and documentation. I had always considered micro-level documentation to be an avoidable overhead and never believed in process. If you think like me, maybe your opinion will change if you know my story.

A project without any proper documentation (scope, requirements, design, project plan…. the list goes on) and a very aggressive deadline. Two months from start of this project is where I landed to lead the project. Was anyone scared if the client will go bad then? Nobody was. Fast forward >> Client denies the original scope. Squeezes in double the agreed upon requirements into the scope. You know what happened in the end? He made us work for 6 months and coolly paid for just the original 3 months.

We were screwed big time just for the lack of process and documentation. You know.. I learned it.

 
 

Setting the value for a select list

We come across a lot of instances where we need to set the values of form elements programmatically using client side script. To set the value of a select list (in case of multiple select or single select), the best way to do it is to loop through the options, checking if the value matches and then setting [option].selected = true.

For example:
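// here, for simplicity, I am considering a single select case

function setSelectValue(selectList, val) {
    // Walk the options by index; for...in would yield property names, not the option elements
    for (var i = 0; i < selectList.options.length; i++) {
        var option = selectList.options[i];
        if (option.value == val) {
            option.selected = true;
            break;
        }
    }
}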

This piece of code will work for almost all web browsers. But not so surprisingly there is a difference in the way IE and other browsers handle the select list. In Firefox, an option given without a specific value attribute uses the given text as the value. Though IE also gives the same result on post back, while programmatically checking the value of an option it says it's undefined. So you cannot use the setSelectValue function for <option>Hello</option> in IE. To make it work for IE you have to explicitly give <option value="Hello">Hello</option>.

Not a big deal but it cost me half a day 😉
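The function above covers the single-select case. As an added example (not code from the original post), here is a version that also handles multiple selects and falls back to the option text when the browser reports no value; `effectiveValue`, `setSelectValues` and the `fakeSelect` stand-in objects are names made up for this illustration.

```javascript
// Added example, not code from the original post.

// Value used for matching: the value attribute if the browser reports one,
// otherwise the option's visible text (what gets posted back anyway).
// Assumption: an empty string is treated like a missing value.
function effectiveValue(option) {
  const v = option.value;
  return (v === undefined || v === null || v === '') ? option.text : v;
}

// Selects every option whose effective value is in `values` (an array or a
// single value). Returns the list of values that were actually selected.
function setSelectValues(selectList, values) {
  const wanted = [].concat(values).map(String);
  const selected = [];
  for (let i = 0; i < selectList.options.length; i++) {
    const option = selectList.options[i];
    const hit = wanted.indexOf(String(effectiveValue(option))) !== -1;
    if (selectList.multiple) {
      option.selected = hit;            // also clears stale selections
      if (hit) selected.push(effectiveValue(option));
    } else if (hit) {
      option.selected = true;           // single select: first match wins
      selected.push(effectiveValue(option));
      break;
    }
  }
  return selected;
}

// Constructed stand-ins for <select> elements so the block runs outside a browser.
function fakeSelect(multiple, items) {
  return {
    multiple: multiple,
    options: items.map(function (it) {
      return { value: it.value, text: it.text, selected: false };
    })
  };
}
const colours = fakeSelect(true, [
  { value: 'r', text: 'Red' }, { text: 'Green' }, { value: 'b', text: 'Blue' }
]);
const greeting = fakeSelect(false, [{ text: 'Hello' }, { text: 'Bye' }]);
```

In a page, pass the real element instead of a stand-in, for example `setSelectValues(document.getElementById('mySelect'), ['r', 'Green'])`, where `mySelect` is a hypothetical id.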

 
Posted on February 22, 2008 in Computers, Internet Explorer, Javascript

 

The left-right dancing girl – optical illusion cracked

The myth of the left – right brain test and the rotating girl is an interesting read and is a good food for thought. The original post says that if you see her spinning clockwise you are imaginative, ….. or if you see her anti-clockwise you are logical, … and if you can see her spin both ways, you are a genius 😉

I got this forward from a friend and we figured it out and then googled to see what others were saying. Believe me you can find framewise analysis, physiological theories, to plain wonder.

Wanna know how to see the girl spin both ways? Just look at it from 2 different angles. Either tilt the monitor or move your head sideways. It is just a trick of optical angle.

My friend and I were looking at it and both of us always seemed to see the exact opposite, and then suddenly it occurred to us to just turn the monitor towards the other guy. We discovered at that instant our perception of how the girl moved changed. It seems to be a trick with the angles.

But it still could have something to do with which half of the brain gets to process it first. Or it could be due to the differential delay in the propagation of the optical impulse to wherever it gets processed. 😉

Don’t know what they call it. Hey, we are just amateurs. 🙂

P.S. In case you don’t find the original post, you can check it out on my picasa album.

 
Posted on January 24, 2008 in Blogroll, General

Follow your Heart or your Head?

I don’t know how others think. But for me decision making was always simple and fast. “Just follow the heart“. I never cared to think if it was right or wrong. And I forbid myself from regretting my past decision or choices. This thumb rule made me take decisions which at times others thought crazy and outrageous, but always kept me happy.

I have done things like, Starting a company while in college with practically no idea what I was doing, completely neglecting studies (not part of the main plan but just was not there among priorities), Not trying to get a job like “others”, Spending a couple of years after college penniless on the craziest of ideas, Quitting a regular and somewhat satisfying job just to get back to the dream project and millionaire dreams. So as you see life had always been like a roller-coaster ride and I enjoyed it. To be frank this was never easy. But I was following my dreams and passion. And that was my fuel, my cushion on the bumpy ride.

As my responsibilities got bigger, I started getting scared of the risks and decided to have a balance of both, to “Follow the Heart and the Head”. But 3 months from the decision, I hate to say it, I regret Following the Head. My work was my passion and now it has become just my ration.

So… “Here I go again on my own
goin’ down the only road I’ve ever known.
Like a drifter I was born to walk alone.
An’ I’ve made up my mind, I ain’t wasting no more time….

 
Posted on January 12, 2008 in General, Social

 

Stealing Passwords had never been easier

I have already written once on how web security has taken a back seat thanks to the ever growing popularity of social networking websites. Recently I saw a trend in Orkut where people are setting their homepage to some http://meu.powerscrap.com/…. I tried one of those links and saw a replica of the person’s orkut profile over there. I even saw my pic in the friends’ list. But if I try to click on any of the links, a pop-up window comes and asks for my Orkut username and password to continue. To my surprise, all the images were directly from orkut.com and the exact ones used in Orkut.

I did a little bit of googling looking for any connection between orkut and powerscrap. But it seemed like people are using the latter as an alternative to Orkut in places where it is blocked and were all praise for powerscrap. I believe this must be a trusted site. But someone can use this technique just to snatch you off your username and password too. The sad part is that people are so desperate to network and don’t think twice when asked for username or password.

I think this now leads to the simplest form of social engineering. If you have a website and some web programming knowledge you can just walk away with thousands (at least hundreds) of usernames and passwords. You don’t need content or users or even a database :). You can thrive on a popular website’s user-base and just enjoy the free passwords. As my title goes, password hacking had never been easier.

  1. Go buy a domain. Even a free sub-domain will do :).
  2. Write code to pull data from Orkut or a similar website.
  3. Send messages to a few giving your url and telling them the ADVANTAGE of using your website.

You are done. In a few days you might be honored for stealing passwords!!
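Seen from the defender's side, the two signs described in this post, a password prompt on a page whose images are loaded straight from another site, can be checked mechanically, for example by a crawler or a browser extension. The code below is an added example, not part of the original post; the host names, the sample HTML, the function names and the 50% threshold are constructed assumptions, and the two-label "site" comparison is a simplification.

```javascript
// Added example: flags pages that ask for a password while most of their
// images are served by a different site. Host names and HTML are constructed.

// Simplification: "site" = last two host labels (real code: Public Suffix List).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Collect the src of every <img>; a regex is enough for this demonstration.
function imageSources(html) {
  const re = /<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

function checkPage(pageUrl, html) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const asksPassword = /<input\b[^>]*\btype\s*=\s*["']?password/i.test(html);
  const counts = {};
  let total = 0;
  for (const src of imageSources(html)) {
    let site;
    try { site = siteOf(new URL(src, pageUrl).hostname); } catch (e) { continue; }
    counts[site] = (counts[site] || 0) + 1;
    total++;
  }
  // Site that serves the largest share of the page's images
  let imageSite = null;
  for (const s of Object.keys(counts)) {
    if (imageSite === null || counts[s] > counts[imageSite]) imageSite = s;
  }
  const borrowed = imageSite !== null && imageSite !== pageSite &&
                   counts[imageSite] / total >= 0.5; // assumed threshold
  return { pageSite, imageSite, asksPassword, suspicious: asksPassword && borrowed };
}

const LOOKALIKE_URL = 'http://profiles.lookalike.test/someone';
const LOOKALIKE_HTML =
  '<img src="http://images.social.example/photo1.jpg">' +
  '<img src="/banner.png">' +
  '<img src="http://images.social.example/friend7.jpg">' +
  '<form><input type="text" name="user"><input type="password" name="pw"></form>';
const GENUINE_URL = 'http://www.social.example/login';
const GENUINE_HTML =
  '<img src="http://images.social.example/logo.png">' +
  '<form><input type="password" name="pw"></form>';
```

`checkPage(LOOKALIKE_URL, LOOKALIKE_HTML)` reports the page as suspicious, while the genuine login page, whose images come from its own site, is not flagged.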

 
Posted on September 19, 2007 in Computers, General, Security, Social

 

CSS Style position:fixed and Internet Explorer

The CSS styling attribute position:fixed makes an HTML element stationary (it does not move on scrolling) and absolutely positioned. If you are familiar with position:absolute, the fixed styling is quite similar except that it remains in position even on page scroll.

Most of the modern browsers (IE7, Firefox, Opera etc.) support the fixed styling. But older versions of Internet Explorer (prior to IE 7) do not. The problem with older IE is that it completely ignores the fixed attribute and the default styling (position:relative) is applied. This can completely disrupt your page design.

Accepting the fact that IE6 still remains the most widely used web browser, we cannot ignore this issue. One way to solve this is by changing the value of the position attribute to absolute (which is the closest to fixed) in case of IE older than version 7. To give the actual effect of fixed we also need to handle the scroll event, or else this element will also move along with the rest of the page. In the scroll event you have to reload (hide and show) the element, and you get the closest fixed style implementation in IE.

You may download the complete working page source.

<script type="text/javascript">
/* <![CDATA[ */
   var isOldIE = false;
   function onPageLoad()	{
      if (navigator.appName.indexOf('Microsoft Internet Explorer') > -1)  {
         // Parse the major.minor version that follows "MSIE " as a number
         var ver = parseFloat(navigator.appVersion.substr(navigator.appVersion.indexOf('MSIE ')+5,3));
         if (ver < 7) {
            document.getElementById('fixedDiv').style.position = 'absolute';
            window.onscroll = reloadFixedDiv;
         }
      }
   }

   function reloadFixedDiv()	{
      var d= document.getElementById('fixedDiv');
      d.style.display = 'none';
      d.style.display = 'block';
   }
/* ]]> */
</script>
<style type="text/css">
<!--
#fixedDiv	{
	position:fixed;
	right:0px;bottom:0px;
	height:72px;
	width:256px;
	background-color:#ABCDEF;
}
-->
</style>

and also

 <body onload="onPageLoad();">

Note: There will be a slight flickering on the element.

 
Posted on September 13, 2007 in Computers, Javascript

 

Javascript and Cross-browser Window focus

It is a common requirement in today’s highly interactive web applications to keep track of whether the browser window is currently in focus. Let me tell you one thing. If you take a look at the browser events and the very limited documentation, you might be tempted to believe that you are in safe hands. But that’s not the case.

Catching the onblur and onfocus events is the most recommended way to know when a window gains or loses focus. But this does not work in all cases. The onfocus event is triggered correctly in almost all browsers. But onblur, on the other hand, is highly unpredictable. In Internet Explorer, every onfocus event is immediately followed by an onblur event even though the window is still in focus. On Firefox, the onblur will not be triggered if the active element of the window is of input type.

Solution: IE has its own custom events, which work fine for it, namely focusin and focusout. For Firefox, we need to check whether the active element has changed.

var isIE = (navigator.appName == "Microsoft Internet Explorer");
var hasFocus = true;
var active_element;

function setFocusEvents()	{
	active_element = document.activeElement;
	if (isIE)	{
		document.onfocusout = function() {	onWindowBlur();	      }
		document.onfocusin = function()	 {	onWindowFocus();     }
	}	else	{
		window.onblur = function()	  {	onWindowBlur();	         }
		window.onfocus = function()	 {	onWindowFocus();       }
	}
}

function onWindowFocus()	{
	hasFocus = true;
}

function onWindowBlur()	{
	if (active_element != document.activeElement) {
		active_element = document.activeElement;
		return;
	}
	hasFocus = false;
}

NB: I have tested mostly on IE 6+ and Firefox. So you might find my method incomplete for other browsers.

Update: This post has been updated (corrected) as per Lucent’s comment.

 
Posted on August 28, 2007 in Computers, Javascript

 

Social Networking and Web Security

Working on a professional networking website, Skillda, I was always confronted with a question from my friends about a missing feature. In Skillda there is no option to import contacts from any other networking site or email account.

Almost all of us are familiar with the large number of automated invitations from the networking sites these days. Some of them even send mail repeatedly till you join the network. For doing this, these sites ask you to enter your username and password of a different website or email, then crawl through the website and get the contacts. This is exactly what concerns me. I just cannot believe how someone would entrust a third person with the username and password of their email account giving access to important documents like bank statements and other personal stuff. And that too just in exchange of the ease of importing your friends or contacts to a social networking site!!

I am wondering if the concept of web security has gone skewed over the years or is it that social networking boom is making people blind?

 
Posted on July 12, 2007 in Computers, General, Social