Wanted: C# Property Initializers

I love to write code and I’m a great typist, but I hate typing if it’s not necessary. I’m a big fan of syntactical sugar and I think it’s high time C# got some more of it.

By now we’re all used to seeing this:

public string MyProperty { get; set; }

This eliminates the need to separately declare a private member variable and public property, because the compiler takes care of it for you.

What it doesn’t do is give you the option to set the initial value, like you could with a private member variable. Instead we have to do this:

public class MyClass
{
    public string MyProperty { get; set; }

    public MyClass()
    {
        MyProperty = "initial value";
    }
}

This really becomes more of a pain point now that I have delved into NServiceBus and RavenDB. With NServiceBus, I create a lot of message classes, and when the message includes a collection, it’s usually a good idea to initialize the empty collection so that I don’t get annoying null reference exceptions when I try to use them. The same is true of RavenDB when creating objects with collections to persist to the document store.

What if we could do this?

public string MyString { get; set; default "initial value"; }

public List<int> MyList { get; set; default new List<int>(); }

It would personally save me a LOT of time.

Destroying Security by Increasing Security

I have a friend.  Let’s call him “Steve”.

Steve was recently complaining to me about the password requirements imposed on him by Corporate IT.  He was using all sorts of words to describe them.  The only one suitable for reprinting was “stupid”.  They went downhill from there rather quickly.

Here are the password requirements Steve has to live with:

  • Must contain at least one uppercase letter A-Z.
  • Must contain at least one lowercase letter a-z.
  • Must contain at least one numeral 0-9.
  • Must contain at least one special character.
  • Must be longer than 6 characters. (So >= 7)
  • Must be shorter than 9 characters. (So…7 or 8, but not 9)
  • Must begin and end with an alpha character A-Z or a-z.
  • The change periods (how often you must reset) vary.
  • You may not use any password you have used in the last year.

Seriously, did they just check every available box in the security setup? They may think they’re making things more secure, but in fact all these options together, especially the very restrictive length requirement (7 or 8 characters, really?), conspire to drastically reduce security.

It reminded me a lot of this XKCD comic:

When you take social psychology into account, you can pretty much bet the farm on the following:

  • The requirements to change passwords several times a year and never repeat passwords in one year mean that the month and date have to be in there. At the time of this writing, it is November 2011, so if I were trying to break a password on this system I could be reasonably sure that the password contains either 1111, 1011, 1110, 0911, 1109. That’s 5 possibilities.
  • It’s pretty safe to assume the date-based string of 4 characters will appear at the end of the password, but the fact that an alpha is required at the end means users will back it up one character. Therefore the password probably fits the regex [0-9]{4}[A-Za-z]$. With 52 possibilities for the final letter (26 * 2 to include caps), there are only 26*2*5 = 260 likely possibilities for the last 5 characters of the password.
  • If we assume 8 character passwords (would be stronger than 7 after all) then there are 3 characters left. It wouldn’t be ridiculous to assume:
    • First character caps: 26 possibilities
    • Second character lowercase: 26 possibilities
    • Third character a symbol easily reachable from a Shift+NumberKey sequence (there are 10) plus I’ll throw in a few more for good measure that are accessible by the right pinky finger.  Let’s say 20 possibilities.
    • Total possibilities for the first 3 chars = 26 * 26 * 20 = 13,520
  • Total likely passwords to attempt = 13,520 * 260 = 3,515,200.

3.5 million possibilities.  Using XKCD’s assumption of 1000 guesses/second, that’s less than an hour! I sure hope they have some lockout routines on top of that password policy. Considering that they must have checked every box, I suppose I can assume they did.

You may disagree with my math or my assumptions, but the point is that adding additional security requirements doesn’t always increase security. So get it out of your head that your users are going to pick truly random passwords and think about how they are likely to act before you consider your system to be secure.

Robust 3rd Party Integrations with NServiceBus

A common question about NServiceBus is how to use it to integrate with an external partner. The requirements usually go something like this:

  • The third party will contact us via a web service, passing us a transaction identifier and a collection of fields.
  • If we successfully receive the message in the web service, we respond with an HTTP 200 OK status code.  If they do not receive the acknowledgement, they will assume a failure and attempt to retry the web service later.
  • Once we receive the message from the third party, we need to distribute (think publish) the contents of the message to more than one internal process, each of which is completely independent of the others.
  • We need to logically receive each message once and only once. In other words, it would be a “Very Bad Thing” for one of the internal subscribing processes to receive the same notification more than once.

This was most recently asked in this StackOverflow question, where it became difficult to explain more within the 600 character comment limit. The best explanation is example code, so here it is.

Hidden iOS URL Keyboard Gem

For a long time I thought that the addition of a “.com” button on the iOS keyboard was a fantastic idea.  But what about .net, .org, and .edu domains?  Where’s the love for them?

I got to thinking, wouldn’t it be awesome if you could hover over the .com button and get a popup with options for the other common top-level domains?

Turns out the Apple engineers were way ahead of me.  Give it a shot sometime!

On my iPad (set to English/US keyboard layout of course) hovering over the .com button gives me additional options for .net, .org, .us, and .edu.  It does make me wonder if I would get something like .co.uk if I had a British keyboard setting.

What you apparently can NOT do is take a screenshot with the popup menu activated.

System.Security.Cryptography and Thread Safety

Are you experiencing either of these exceptions?

System.Security.Cryptography.CryptographicException
Padding is invalid and cannot be removed.

System.IndexOutOfRangeException
Index was outside the bounds of the array.

System.IndexOutOfRangeException
Probable I/O race condition detected while copying memory. The I/O package is not thread safe by default. In multithreaded applications, a stream must be accessed in a thread-safe way, such as a thread-safe wrapper returned by TextReader’s or TextWriter’s Synchronized methods. This also applies to classes like StreamWriter and StreamReader.

Well at least the last one is descriptive, but that is the LEAST likely to occur.

If you’re seeing any of these exceptions, there’s a good chance you’ve run afoul of a secret of the System.Security.Cryptography namespace: almost nothing is thread safe.

It’s an easy error to make. We know encryption is processor intensive, and it seems like it would be smart to incur the costs of setting up ICryptoTransform objects for encryptors and decryptors once and then store them in a static variable. Any state they might share would seem to be reference data like keys and salt and init vectors, so as long as we use a new CryptoStream for each operation, what could go wrong?

Well, lots.

Internally, the implementations of ICryptoTransform (and I assume other objects) use objects from the System.IO namespace like buffers and streams that we would never think of sharing between threads, but it’s hard to know that from a simple call to ICryptoTransform.TransformBlock().

So, if you run into any of the exceptions above, try either creating your System.Security.Cryptography objects each time you need them, or mark them with the ThreadStaticAttribute.  Remember that with [ThreadStatic], a static initializer will not execute for each thread, so check the field for null before you use it, then initialize it if null.
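
Both suggestions combined, as an added example that is not code from the original post: the Aes object is cached per thread behind a null check, and the ICryptoTransform is created for each operation. The names PerThreadCrypto, Encrypt and Decrypt and the caller-supplied key are assumptions, and the sketch uses the default AES-CBC mode with no integrity check, since only the thread-safety pattern is being shown.

```csharp
using System;
using System.Security.Cryptography;

public static class PerThreadCrypto
{
    // One Aes object per thread. A field initializer on a [ThreadStatic] field
    // runs only once, so other threads would find null here; GetAes() handles that.
    [ThreadStatic]
    private static Aes _aes;

    private static Aes GetAes()
    {
        if (_aes == null)            // first use on this thread
            _aes = Aes.Create();
        return _aes;
    }

    // Returns IV || ciphertext. The transform is created per call and never shared.
    public static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        Aes aes = GetAes();
        aes.GenerateIV();            // fresh IV for every message
        byte[] iv = aes.IV;
        using (ICryptoTransform enc = aes.CreateEncryptor(key, iv))
        {
            byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            var output = new byte[iv.Length + ct.Length];
            Buffer.BlockCopy(iv, 0, output, 0, iv.Length);
            Buffer.BlockCopy(ct, 0, output, iv.Length, ct.Length);
            return output;
        }
    }

    // Expects the IV || ciphertext layout produced by Encrypt.
    public static byte[] Decrypt(byte[] key, byte[] data)
    {
        Aes aes = GetAes();
        var iv = new byte[aes.BlockSize / 8];
        Buffer.BlockCopy(data, 0, iv, 0, iv.Length);
        using (ICryptoTransform dec = aes.CreateDecryptor(key, iv))
            return dec.TransformFinalBlock(data, iv.Length, data.Length - iv.Length);
    }
}
```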

Stuck between Netflix and a hard place

There are two types of people in the world right now: those who are angry at Netflix and those who don’t have Netflix.

Like everyone else, I received the email yesterday notifying me that as of September 1, 2011, my $10 Netflix plan that includes 1 DVD at a time and online unlimited streaming will be discontinued. Instead, they offer separate plans for DVDs and for streaming.  1 DVD at a time will now cost $8, and unlimited streaming will now also cost $8.  There is no discount for bundling, so if I want to continue the same level of service, it will now cost me $16 per month.

It’s not the money that bothers me. Prices were bound to go up.  Maybe this is a pretty severe jump all at once, but it’s not completely unexpected.

What bothers me is the false choice it represents. If money does indeed talk (and I believe it does) then Netflix is asking me to choose from these options:

  1. I like getting DVDs from you, but I don’t care for your streaming service. Please take my money and keep the DVDs coming.
  2. I love your streaming service, but DVDs in the mail is so 2003. Please take my money and let me stream to my heart’s content, but don’t make me walk out to the mailbox.
  3. I like DVDs and I also like streaming, and I’m willing to pay more money for both.
  4. Netflix, you suck. Cancel my subscription.

I don’t believe that any of these four options correctly captures my real intent:

I would be willing to pay $16 per month, maybe even more, just for the streaming service, provided that the streaming selection didn’t suck.

Flexible Reporting with LINQ and C# 4.0 dynamic keyword

It’s commonly very difficult to question business people about reporting requirements.  It’s not really their fault either – they just can’t know exactly what they want until they’re trying to answer a question and can’t easily do it with the reports you’ve given them.

This is why it’s good to make reports as flexible and updateable as possible, while requiring as little developer involvement as possible to update them.

If you’re operating in an environment where all database access must be via stored procedures, this is a really big problem.  It’s really unlikely that the changes requested by business can be implemented with the same stored procedure you naïvely created for your first attempt.  I’ve seen scenarios where a database has stored procedures with the suffixes GetReport, GetReport2, GetReport3, GetReport4, etc.  Yuck.

Even if you’re using Entity Framework, LINQ to SQL, or some other data layer framework that enables more free-form access to the database, you can’t always ensure that all report queries will result in good execution costs and actually be performant.

This is why it can sometimes be a good idea to perform a very basic database query (via stored procedure if necessary) to get a base set of data, and then perform more conditional operations on it in memory with LINQ.  It’s a pain to do a “Name Contains” filter in a stored procedure (especially if there are a dozen other options) but with LINQ it’s no big deal.

IEnumerable<DataItem> data = GetBaseData();

if (!String.IsNullOrEmpty(nameFilter))
	data = data.Where(d => d.Name.IndexOf(nameFilter, StringComparison.OrdinalIgnoreCase) >= 0);

This is really great for simple filters, but gets difficult when we want to do more complex grouping and aggregating functions, such as grouping by Hourly/Daily/Weekly/Monthly and/or by other data points.

The remainder of this article will show how this can be done with static code, and then how we can drastically increase the maintainability of this same code by employing the dynamic keyword introduced in C# 4.0.

Backing up Hudson, with Hudson

At work we use Hudson Continuous Integration for our build servers because, among other reasons:

  • It’s FREE!
  • It runs on Windows (for our C# builds) and on Mac/Linux (for our iOS/Android builds).
  • It has a web-based GUI that is MUCH easier to use than the XML-driven config used by CruiseControl.NET, which we used before switching to Hudson.
  • It has a rich system of plugins for adding functionality.
  • Did I mention it’s FREE?

The one nice thing about CruiseControl.NET was that because it had one complex XML configuration file, I would only edit that file in source control so that I could back out my changes if I screwed it up. Now I need a way to back up the Hudson configuration files so that if one of my build servers goes up in flames, I can get my team back in business quickly.

A good backup solution needs to be automatic and offsite, and due to the magic of distributed version control and the inherent job execution nature of Hudson, we can back up Hudson with Hudson. If this isn’t the ultimate in universe folding in on itself awesome, I don’t know what is.

Adventures in Screen Scraping with YQL

When coding for work, everything of course has to be done the Right Way®. This isn’t always super exciting, so it is sometimes liberating to cut loose and work on a side project that mashes together a whole bunch of technologies without worrying too much about stability, reliability, scalability, or even if it will continue to run tomorrow. These R&D projects will never have even a single line of code directly pushed into even a development repository, but more often than not I find that I take concepts learned and tested during these coding sessions and apply them in some later project. Even if the entire project is thrown away in relatively short order, some concept of value survives for the long haul.

Plus, it’s just fun.

Recently my wife and I got the very exciting (and scary!) news that we were pregnant with our first child. The little guy or girl’s arrival is still over 5 months away, but already we’re wrestling with tons of difficult questions, and one particularly overwhelming one is “How are we going to decide where to send our child for day care?”

We live in the great state of Minnesota where the Department of Human Services maintains a searchable Licensing Info Lookup website for all sorts of things, including (but not limited to) family child care. Anyone with a child care license can be found here, along with address, phone number, if they can accept newborn infants and how many, etc.

Just one problem. We live on the border of two big suburbs, so you do a search for both cities and together you get over 150 results, and no map.

This is where my inner geek starts to get excited. I’ve got a copy of Visual Studio. I can fix this problem. Let’s do it.
