Bind("AmountCharged", "{0:C}")

While this displays just as you'd expect (e.g., $200), it doesn't do so well when you submit an edit that includes the same value ($200):

Input string was not in a correct format.

I searched around and didn't find much in the way of a clean solution, but I did solve the problem with just a few lines of code. The trick is to handle the data-bound control's Updating event. Since I was working with a GridView, my solution looked a bit like this:

<asp:GridView DataSourceID='myDataSource'
              OnRowUpdating='FixFormatting'
              AutoGenerateColumns='false'
              CellPadding="3" ...>

Notice the OnRowUpdating handler that I've installed in my grid view. That code looks like this:

protected void FixFormatting(object sender, GridViewUpdateEventArgs args)
{
    decimal amountPaid = ParseDecimal((string)args.NewValues["AmountPaid"]);
    args.NewValues["AmountPaid"] = amountPaid;
}

When you handle this event, you're given a dictionary of old and new values, which appear to come directly from the controls (in my case, a TextBox was used to gather the updated data AmountPaid, so the type of object that I found in NewValues["AmountPaid"] was a string. I wrote a little helper method called ParseDecimal that parses a string into a decimal value, allowing currency characters, decimal points, and thousands separators. I also allowed a blank value to indicate zero:

public static decimal ParseDecimal(string value)
{
    if (string.IsNullOrEmpty(value))
        return 0;
    return Decimal.Parse(value,
        NumberStyles.AllowThousands |
        NumberStyles.AllowDecimalPoint |
        NumberStyles.AllowCurrencySymbol,
        CultureInfo.InstalledUICulture);
}

This solved the problem quite nicely. Now two-way binding works with formatted data.

So I got my iPhone 3G on Friday morning and have been using it for a few days now. I have never used one before, don't use an iPod or even a Mac computer.  The iPhone was incredibily easy to use and without using and manuals quickly had a most everything working and downloaded a bunch of apps from the app store. 

Over all, the iPhone just is really nice to use and in many ways very easy, polished and intuitive. In other ways, it is still missing some key features in my book:

1. Sort and filter email be date, sender, etc.
2. Select more than one mail at a time to delete, move, copy.  Yes I know you can go to edit and select messages to work on, but you still have to select them one at a time. In Windows Mobile you can just run your finger over multiple messages to complete this.
3. Deleting duplicate contacts in bulk.  Doing them one at a time is just painful
4. A task manager. I would like to see some list that shows me which apps are running, how many resources they are using, battery usage and stuff like that.  Also to shut down running apps
5. Better calendar integration. I tried to click on and open calendar items, but just does not seem to work.
6. The battery sucks! I am not getting more than about 6 to 7 hours of battery time. I think I have to turn off the push for my Exchange email.  This is much less that I was getting on my Windows Mobile phone.

I do like the phone, the iPod MP3 and camera and the overall "feel" of the phone. Went to the Apple store in the maill (which was jam packed) and bought a rubberized case, but was unable to get a phone car charger for it yet.  I ordered one for 5 bucks on Amazon and will see it if works.

All in all, things are OK but I am going to withhold my final verdict for a while yet.

So I got my iPhone 3G on Friday morning and have been using it for a few days now. I have never used one before, don't use an iPod or even a Mac computer.  The iPhone was incredibily easy to use and without using and manuals quickly had a most everything working and downloaded a bunch of apps from the app store. 

Over all, the iPhone just is really nice to use and in many ways very easy, polished and intuitive. In other ways, it is still missing some key features in my book:

1. Sort and filter email be date, sender, etc.
2. Select more than one mail at a time to delete, move, copy.  Yes I know you can go to edit and select messages to work on, but you still have to select them one at a time. In Windows Mobile you can just run your finger over multiple messages to complete this.
3. Deleting duplicate contacts in bulk.  Doing them one at a time is just painful
4. A task manager. I would like to see some list that shows me which apps are running, how many resources they are using, battery usage and stuff like that.  Also to shut down running apps
5. Better calendar integration. I tried to click on and open calendar items, but just does not seem to work.
6. The battery sucks! I am not getting more than about 6 to 7 hours of battery time. I think I have to turn off the push for my Exchange email.  This is much less that I was getting on my Windows Mobile phone.

I do like the phone, the iPod MP3 and camera and the overall "feel" of the phone. Went to the Apple store in the maill (which was jam packed) and bought a rubberized case, but was unable to get a phone car charger for it yet.  I ordered one for 5 bucks on Amazon and will see it if works.

All in all, things are OK but I am going to withhold my final verdict for a while yet.

Stephouse steps into Portland, Ore., void: Local firm Stephouse has built out 5 sq mi of business-grade wireless availability in downtown Portland and 2 sq mi in an underserved part of north Portland using Proxim gear for both Wi-Fi and WiMax service. Wi-Fi use is $20 per month or 1 free hour per day up to 10 free hours per month. The offering seems to focus on the business side, though, in competition with services like Towerstream. Prices aren't listed on the company's site.

Hartford drops Wi-Fi effort: Connecticut's trouble capital city has given up on city-wide Wi-Fi. No surprise. No firms ready to build for free, no money, no tangible goals. My wife grew up in the suburb to the west--West Hartford, prosaically enough--and speculates that the lack of county-oriented government in Connecticut has doomed Hartford to be a civic wasteland. It's recovering a bit as housing affordability goes up, and there's more going on in the city than there used to be. But there won't be Wi-Fi. Incidentally, the Mark Twain House & Museum in Hartford, home of one of the world's first bloggers, is near financial ruin. It's a great piece of American history; I'm hoping it's saved again--it's had many lives since Twain built it and went bankrupt.

Your first real lesson about locking down a host was how to reduce its attack surface. You learned how to disable services using /etc/inetd.conf. Then you learned about rc.d and how to prevent unnecessary services from being launched at startup. Next, maybe you configured the Xserver to disallow remote connections or moved on to removing setuid permissions from files. As you worked, you’d periodically re-scan the box to gauge progress, asking yourself “have I removed everything I don’t need?” The underlying motivation, of course, is that an attacker can’t hack something that isn’t there.

You learned how to extend those concepts to the network — configuring firewall rules, router ACLs, VLANs, etc. Segmenting the network. Creating a DMZ. No need to dwell on this, you get the idea.

Eventually, people realized that applications had an attack surface too. Web servers and application servers got a lot of attention, followed closely by custom web applications. “What do you mean you can execute SQL queries against my database? That’s impossible, I have a firewall!”

Some companies, the ones who could afford it anyway, started to build security into their development cycle. Doing threat modeling during the design phase made sense, because hey, it’s much cheaper to fix security holes in a whiteboard drawing than it is to rewrite your authorization module from scratch after it’s in production.

Let’s talk strictly about custom web applications now. What I’ve observed is that most development groups, even the ones who actively engage in threat modeling, do not understand their web application’s attack surface. The lead architect can whiteboard a high-level diagram of all the major components and how they interact. Individual developers can go a bit deeper, telling you which files they touch, what database permissions they need, or how various pieces of data are encrypted in storage. At the end of this exercise you have a complete picture of the processes, data flows, protocols, privilege boundaries, external entities, and so on, and you’re well on your way to understanding all of the potential attack vectors.

Or are you?

What often gets overlooked or glossed over is the impact of external libraries or packages. Nobody writes everything from scratch. A typical list of third-party libraries for a Java-based Web 2.0 application might include DWR, GWT, Axis, and Dojo, plus about 30 other libraries to do everything from logging to parsing to image manipulation. Nine out of ten times, the libraries will be installed in full, using the default configuration from page one of the README file.

Why is this relevant? Because just as those old Unix boxes exposed unnecessary services, libraries expose unnecessary code. Let’s say you installed Dojo to simplify the process of creating an HTML table with rows and columns that can be sorted on demand. Did you remember to remove all the .js files you didn’t need? Or maybe you installed Axis or DWR or anything else that has its own Servlet(s) for processing requests. Have you compared what that Servlet can do against what you need it to do?

A fictitious example may help illustrate further. Imagine you just downloaded a new library called WhizBang. You follow the installation instructions to define and map two servlets in your web.xml file, WhizServlet and BangServlet, and you configure it to integrate with your web app. After a bit of trial and error, it’s functional. Yay! This is where most developers stop.

Nobody asks, “how much of this do I actually need?” Case in point, what if your application only uses WhizServlet? BangServlet is still exposed, and you don’t even use it! Similarly, what if WhizServlet takes an “action” parameter which can be either “view”, “edit”, or “delete”, and your application only uses “view”? You’re still exposing the other actions to anybody who knows the URL syntax (pretty trivial if it’s open source). You wouldn’t expose large chunks of your own code that you weren’t using, so why should it be any different with libraries?

This post is getting kind of long so I’m going to split it up. In the next post, I’ll continue the discussion of attack surface minimization, as well as some of the tradeoffs that go along with this approach.

It’s a hump day miracle. I’ve made it half way through the week and I’m not completely psychotic from a lack of REM sleep.

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

1. UK citizens’ portal exposes edit kit interface | The Register
2. Setting the stage for the latest PCI deadline | SC Magazine
3. Banks are confusing consumers on PC security | ZDNet Australia
4. Watchdog urges firms to lock up customer digital data | The Globe and Mail
5. Secret Bits: How Codes Became Unbreakable | InformIT
6. New security frontier is all about data | The Sydney Morning Herald
7. Worm hits several SA sites | ITWeb South Africa
8. US raises entry bar with online database for visitors | Times Online

Tags: News, Daily Links, Security Blog, Information Security, Security News

The problem we have is finding the time to do the post-production on the recordings to turn them into podcasts. We could, of course, just slap a generic intro and outro on a recording and throw it out there in the feed... but I think you all know that we don't want to waste your time! For instance, including the Q&A portion of a panel session where you can't hear the audience questions is pretty useless. Or including the part of the interview where announcements came over an intercom and you can't hear the interviewee is rather silly. So we want to take the time to go through a recording and see how we can "tighten it up". Remove breaks or big gaps of silence... speakers setting up laptops... interruptions to interviews etc. We don't remove every "um" or pause... we do want it to feel natural, after all, but we try to edit out the big gaps, errors, interruptions, etc.

The challenge of course is that to do this you have to listen all the way through a podcast, editing along the way. Sometimes you don't have to make many edits at all. Sometimes there a bunch of things to edit out. But it takes time... if the panel is 45 minutes you've got to have at least that much time (and probably double if you do much editing and keep stopping/starting). Unfortunately time is something neither Jonathan nor I are finding a whole lot of these days. I now have a queue of probably 10 or 12 recordings we've made over the past 6 months that are just sitting there waiting for me to get the cycles to turn them into Special Editions. Some are 20-minute interviews. Some are 45-minute or hour-long panels from conferences.

So therefore our request in show #24:

we're looking for a few good production assistants!

• I get to you the WAV file of the recording as well as the intro/outro.
• You edit the file in whatever audio tool you prefer: Audacity, Garage Band, SoundForge, whatever... (I use Audacity)
• When you are done, you export to a MP3 and get the MP3 to me.
• I do a final check, set the ID3 tags, etc. and upload the MP3 file, create the show notes, etc.

The good news about most of the recordings we make is that they are not overly time-sensitive. We want them up as soon as we can, but if it takes some time to do the post-production as you fit it in around other work, that's generally perfectly fine.

Obviously if you have experience with audio editing that's great. If it's something you've been interested to try your hand with, we're open to having you give it a try. (Please do realize that I'm a control-freak and audio quality stickler, so it's a new thing for me to even *consider* letting other people work on our files... but I've reached the point where I think it's more important to get the content *out*! So I'm willing to try it out... :-)

We can't offer you any money or anything like that (this is a labor of passion, not profit!) but we're certainly glad to give credit in show notes, Blue Box website, etc. You'll also be helping the greater community of security professionals interested in VoIP by getting more content out there in a more rapid manner. (i.e. faster than if we're waiting for me!) You may also gain skills in audio production (if you don't already have them) that may assist you in other endeavors.

Anyway, if you are interested, drop us an email with the subject line "Production assistance" and with a little bit of background about yourself. Sometime in the next week or two (probably after March 20th) we'll start seeing what we can do if there are people interested.

Thanks - and thanks for your patience, too.

Dan & Jonathan ]]> Fri, 07 Mar 2008 10:59:16 +0000 audio production audio takes time takes time overly time-sensitive panel sessions sessions mp3 file Looking for a few good audio production assistants...