[SecurityRatty] tag: thread

Learning From Sarah Palins Yahoo Mail Compromise

Thu, 18 Sep 2008 09:31:56 +0000

The password reset functionality of any online service is a major source of risk. They are especially problematic when they use only a “secret question” concerning personal information only and don’t tie back to another email account or a text message. Another account or cell phone number is something “out of band” from a direct transaction with the online service. It becomes 2-factor authentication.

When an alternate email account or cell phone number is not tied to an account, online services often use personal information, supposedly only known by the account holder, to verify identity and reset a password. The risk here is the personal information is often known to other individuals and if the account holder is a public figure then the information may be easily researched. Birthdays, names of pets, locations of homes, schools, and events can often be discovered online or guessed.

Paris Hilton’s T-Mobile account, and thus all her Sidekick cell phone contents which were mirrored online, was compromised when someone “guessed” the answer to her secret question. The secret questions was, “What is your pet’s name.” The answer of course was, “Tinkerbell”. Something easily researched. Many people would not have their pet’s name online but friends, family members, or perhaps an ex would know the answer. Using a pet’s name is a very bad security practice.

Now we have Sarah Palin, another public figure, having her online account compromised because someone used the password reset functionality and guessed the answer to Sarah Palin’s secret question. This is how the attacker says he found out her personal information and guessed the answer to her secret question. He details this on 4chan.org:

rubico 09/17/08(Wed)12:57:22 No.85782652

Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story.

In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.

after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

Best practices for setting up the password reset functionality of any online service:

Tie an account to another email account or cell phone number if that is an option. This will cause the service to send an out of band message and in essence make the password reset a 2-factor authentication.
Do not use any personal information that can be guessed as the answers to secret questions. Treat these answers like passwords. Don’t use dictionary words. Add some numbers or symbols to the answer. For example is Sarah Palin had used “Wasilla high 1964″ or “!Wasilla high!” it is far less likely it would be guessed. Pick a scheme to modify your secret answers so they aren’t guessable.
Try resetting your password. See if there are downgrade attacks which make it easier to reset the password. Yahoo for instance will allow you to specify that you don’t have access to the email address tied to your account and thus not send a password reset email. Since an attacker can do this the safety of using another account is eliminated thus making the answers to the secret question all that more important.

The opt-out from hell

Tue, 16 Sep 2008 15:22:03 +0000

One problem with making your email address available (which I will continue to do, don't worry) is that folks with something to sell assume you're interested in their stuff. To wit, let's consider an email I received today (copied, headers and all, after my griping).

Note that if I want to opt out of further communications, I have to do two separate things -- which actually becomes three things.

First I have to click the last link to opt out of future TechTarget spam. (Yes, I deleted the actual links. But certainly none of my trustworthy readers would attempt to re-subscribe me, right...?
But that isn't enough -- I also have to separately opt out of future Avaya spam! (Why does the no-more-from-Avaya link live on a techtargetmail.com server? Whatever.) Clicking on that link eventually does land me on an avaya.com page, where I have to confirm my email address and indicate they don't have my permission to send me spam. Hmm, too difficult to embed my email in that link, when the other techtargetmail.com link did embed my email?
Then after submitting it, another page pops up telling me that I'll soon receive an email with additional instructions! In this email there's a link -- to avaya.com with my email address embedded -- that I must click, I guess to double plus confirm that yes, I really really really do wish never to hear from you again. Clicking that link takes me to a page that promises my "permissions have successfully been set. Thank you."

A pox on both your houses, TechTarget and Avaya. I never asked for your stuff. Go away.

Spam, my friends, is only going to get worse. It was so easy to ban junk faxes in 1991. But even those regulations were weakened in 2005. So do you really think we'll see anything even remotely logical for outlawing spam? I doubt it, unless we the citizens foment a revolt. Let's get cracking!

Received: from SVC-EXGWY-E801.partners.extranet.microsoft.com (10.251.24.242)
by tk5-exhub-c102.redmond.corp.microsoft.com (157.54.18.53) with Microsoft
SMTP Server (TLS) id 8.1.291.1; Tue, 16 Sep 2008 11:27:56 -0700
Received: from mail139-wa4-R.bigfish.com (216.32.181.113) by
mail04.microsoft.com (10.253.160.184) with Microsoft SMTP Server (TLS) id
8.1.291.1; Tue, 16 Sep 2008 11:27:55 -0700
Received: from mail139-wa4 (localhost.localdomain [127.0.0.1])    by
mail139-wa4-R.bigfish.com (Postfix) with ESMTP id 018C11184C2    for
; Tue, 16 Sep 2008 18:27:50 +0000 (UTC)
X-BigFish: ps16(zz18c1K1936K2b7wcak69jzzzz2af1jz2fh6bh5eh65h)
X-Spam-TCS-SCL: 4:0
Received: by mail139-wa4 (MessageSwitch) id 1221589667478982_28100; Tue, 16
Sep 2008 18:27:47 +0000 (UCT)
Received: from pp.techtargetmail.com (pp.techtargetmail.com [65.211.80.227])
    by mail139-wa4.bigfish.com (Postfix) with SMTP id 46566978071    for
; Tue, 16 Sep 2008 18:27:47 +0000 (UTC)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=pp.techtargetmail.com; b=iOmibOrM91/1Ugy2gj3QbWo74T2m3GuhmwxZCXJQpFT+nwRES8QKg+4vjt48SNp7WWJExG61Ge+DtnKD3KVI3KwqTKzkPRVrEBF0DCHhYot6VAG/EyEr5vb5RhBz+91yvNhbIqITzGnuQ+uBDJzyc6gU0FHfBl0Fa3S/phcPELM=;
Message-ID:
Date: Tue, 16 Sep 2008 14:27:47 -0400
thread-index: a818b044.724694.236c8ee748f7dd97.1.n.4
Reply-To: Avaya
From: Avaya
To: Steve Riley
Subject: 7 Tips to Ensure Readiness for UC Deployment
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
Return-Path: a818b044.724694.236c8ee748f7dd97.1.n.4@pp.techtargetmail.com
X-MS-Exchange-Organization-PRD: pp.techtargetmail.com
Received-SPF: Pass (SVC-EXGWY-E801.partners.extranet.microsoft.com: domain
of Avaya@pp.techtargetmail.com designates 65.211.80.227 as permitted sender)
receiver=SVC-EXGWY-E801.partners.extranet.microsoft.com;
client-ip=65.211.80.227; helo=mail139-wa4-R.bigfish.com;
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.6916.600;SV:3.3.6916.813;SID:SenderIDStatus Pass;OrigIP:65.211.80.227
X-MS-Exchange-Organization-SCL: 2
X-MS-Exchange-Organization-SenderIdResult: PASS

The following message was sent to you as a subscriber to third party offers from a TechTarget property, including our network of Search sites, Bitpipe.com, CIO Decisions Magazine, Information Security Magazine, Storage Magazine, KnowledgeStorm, TheServerSide.com and/or TheServerSide.NET. To unsubscribe, see below.
____________________________________________________________

How should you evaluate the move to unified communications (UC)? Who within which parts of an organization will benefit? Will UC reduce the time to market? Read this E-Guide for answers to these questions and a better look at how the value of UC will, at first, be less of a financial issue and more of a productivity improvement issue that translates into financial benefits. Download this white paper now: http://pp.techtargetmail.com/c.asp?724694&236c8ee748f7dd97&1

When implementing unified communications, there are a number of important issues to think about and questions to ask. This E-Guide analyzes seven phases to ensure you reap the full benefits of UC in each. If you're ready to take the plunge but you're not sure your business or your infrastructure is - download this E-Guide now.

Click here to learn more: http://pp.techtargetmail.com/c.asp?724694&236c8ee748f7dd97&1

"If you do not wish to receive future promotions directly from Avaya please forward this e-mail to {link removed} ; please note that there is a separate opt-out procedure below to be removed from the list from which this email originated."
____________________________________________________________

Please do not reply to this email. To unsubscribe from all future third party offers from all TechTarget properties, simply click here: {link removed}

TechTarget | 117 Kendrick Street, Suite 800 | Needham, MA 02494

A Costly Crush

Tue, 02 Sep 2008 11:24:54 +0000

I've seen a few blog posts over the last couple of days, with people complaining about an application on Facebook charging them crazy amounts of money. Certainly, there's a lot of angry Facebook users out there:

Click to Enlarge

Some more complaints? Sure, I can do that:

There are many, many more like the above comments out there. One slight problem with all of this is that the complaints are scattered across a whole range of different Crush application forums - in short, they're all being blamed, but they can't all be doing this, can they? What's the alternative, though?

A short while ago, I wrote about deceptive advert placements with regards another facebook application. It seems we have a similar situation here, where an "enterprising" Ad network is placing Facebook-style buttons onto installer pages and hoping people will be fooled. As it turns out, it seems to be working. While attempting to install one randomly selected Crush application, I noticed the following advert at the top of the installer splash (highlighted in red):

Click to Enlarge

It's easy to imagine a regular Facebook user thinking this is part of the application install and clicking "Ok". Do that, and you're taken to a site called Amazingchat(dot)net that throws up a fake message regarding you having "7 New Crush Messages" (and uses geolocational technology to point a targeted message your way). If you look like you're in the UK, you'll see this:

Click to Enlarge

Wow, FOUR of my (fake and non-existent) messages are from Sheffield! How about if I look like I'm in the States? You've guessed it....

Windy City, here I come!

Not. It's looking promising so far, though. If we can just go to the next screen and see something utterly useless advertised in exchange for lots of money....

Click to Enlarge

Horoscopes for only ?9 / $15 a week? WOW!

Also, there go your savings.

Could this be the site at the heart of so many complaints? Well, let's quickly check who runs it...

"Sms-helpdesk", eh? I do believe I've seen a long thread concerning people having issues with large bills for phone messages. Indeed, a rep from sms-helpdesk actually appears to be posting there:

Shame it seems some people can't even get through to the supposed helpline. Perhaps "Denise" would be better off tackling the deceptive placement of adverts made to look like installer buttons, not to mention non-existent crush messages based around geolocational targeting?

Just a thought...

The Bot Hunter: An Event Processing Challenge

Fri, 15 Aug 2008 05:35:00 +0000

Recently we penned The Attack of the Spiders from the Clouds where we mentioned how cloud computing infrastructures can be used to stage malicous or accidential network attacks.

Today I challenge our CEP/ESP/EP vendors (or SIs) to create the following solution to detect and block rogue bots on Apache web sites. I will install and test each submitted solution on The UNIX Forums and post the results here.

Here are some basic requirements:

Your solution must run on Linux and be installable and configurable remotely with SSH or HTTP. There will be no physical access to the server. No exceptions.
Preferrably, the configuration can be done with a Web-Based Interface (WBI) - a browser.
Your solution will listen to continuous updates to the Apache2 access log, exact location configurable in your solution, and identify robots ( bots), also known as spiders, from the log.
Your solution will provide a confidence metric, key indicator (KI), for each bot detected, from 0 to 10, where 10 indicates “absolutely a bot,” 0 is “absolutely not a bot.”
Your solution will update the IP address of each bot and KI you identify in a file/table called, for example, ./bot_scorecard.txt where each line is an IP address of a bot, followed by a semicolon (or other delimiter of your choice) and the confidence factor, for example, 10.0.0.1;10 means that 10.0.0.1 is a bot, 100% sure.
Your solution must compare bots detected to a file/table called, for example, ./bots_allowed.txt and ./bots_denied.txt that are in the format IP address/mask, for example 10.0.0.1/24, or 10.0.0.1/32.
If the KI “confidence factor” of the IP address of your detected bot is higher than the tunable “is a bot” KI, then your solution should update the tables/files and then call iptables and block the bot.
It should send an email to one or more email addresses with a message, for example: “New Bot Detected - Confidence 8″ with IP address, etc. in the message. Another example would be an email, “Bot Blocked” - with details, etc.
You cannot automatically block any traffic that is not a bot. Blocking one “non-bot” results in failure, no exceptions.
The Prize: The winner will get their logo (w/link) on this site in a block called “Bot Hunter Winner” (or something like that.)

These are some basic requirements; I don’t want to restrict your thinking or solution, so be creative! Feel free to ask any questions in the comment section of this thread.

Remember, sometimes you may have to manage the state of IP addresses for days, or hours, before you can accurately deterimine if it is a bot based on behavior alone. So, you will need to work with both long and short time windows. Latency is not important. Detection accurate is importance.

Anyone care to submit a solution for testing?

BlackHat Recap

Tue, 12 Aug 2008 18:43:18 +0000

Another BlackHat has come and gone. As usual, it was a very busy week juggling customer meetings, recruiting, conference planning, vendor parties, and, oh yes, the actual BlackHat presentations. I had a fantastic time catching up with old friends and finally getting the opportunity to meet more of the Security Twits and others in the security community. I didn’t submit a talk this year, but nevertheless, fake Dan Kaminsky was still excited to see me.

My favorite talk, as expected, was the Sotirov/Dowd talk on How To Impress Girls With Browser Memory Protection Bypasses. The attack is a conceptually simple, yet completely reliable technique for exploiting vulnerabilities in web browsers. Of course, the media has sensationalized the impact of their findings, but ultimately, this is still significant as far as browser-based exploits are concerned. It’s worth mentioning that part of the technique allowing them to load a .NET DLL at an arbitrary location under Vista was reliant on an implementation bug wherein the OS disables ASLR if the version in the .NET COR header was below a certain value. However, the address space spraying and stack spraying techniques are likely to be extended to other platforms utilizing similar memory protection mechanisms.

As for the girls? I can report first-hand that the ladies at TAO on Wednesday night were hanging on Alex’s every word. They were particularly impressed when he whipped out the laptop for a live demo. Unfortunately, none of the dozen iPhone owners in the immediate vicinity thought to snap a picture (too busy Twittering). Oh well.

I also enjoyed Hovav Shacham’s talk on return-oriented programming. Simply put, he described a generalization of the return-to-libc shellcode approach with the intent to demonstrate that one could achieve Turing-complete computation using “found code” in process images. By chaining together series of mini-computations ending in return (RET) instructions, it was possible to build higher-level programming constructs such as branches and loops. The nature of the x86 instruction set provides some flexibility because instructions are interpreted differently depending on how you align the instruction pointer (i.e. the old shellcode trick of searching the process image for any JMP EBX instruction and using that as your EIP). In RISC architectures such as SPARC, however, you don’t have that luxury; if your %pc isn’t aligned properly you get a bus error. So it was quite interesting to see that they were able to extend the concept to RISC. The practicality of the attack technique is limited by the fact that the shellcode is tuned to a particular binary image — if the shellcode was built using instructions extrapolated from glibc 2.3.5, it won’t work for a system running glibc 2.4.

I thought Scott Stender’s talk on Concurrency Attacks in Web Applications was interesting as well. In a nutshell, spewing thousands of simultaneous requests at web application transactions that are not thread-safe can create interesting problems. In the presentation, Scott ran his demo against a VM running on the attack machine. I found myself wondering how effective the same attack would be over the Internet — would it be significantly less reliable (or not at all)? Race conditions are generally easier to exploit locally than remotely due to more predictable execution conditions. Certainly this is an under-tested vulnerability class though.

One presentation I wasn’t able to attend but want to follow up on is Nate McFeters, John Heasman, and Rob Carter’s talk which discussed the GIFAR attack I’ve been hearing so much about lately. The gist is that you can create a file that is both a valid GIF and a valid JAR, then use some Java applet tricks to initiate HTTP requests on behalf of the victim.

Finally, the Pwnie Awards didn’t fail to disappoint. Drama ensued over the Most Overhyped award, but at least this year some of the winners showed up to claim their awards! Halvar rapping Symantec lyrics was also quite memorable.

All in all, a fun and informative week, but as usual, I was relieved to get the hell out of Vegas and head home on Friday morning.

P.S. For a much more entertaining BlackHat/Defcon Recap, read Jennifer Jabbusch’s account of the week’s events. It’s my favorite one so far!

BlackHat Recap

Tue, 12 Aug 2008 18:43:18 +0000

My favorite talk, as expected, was the Sotirov/Dowd talk on How To Impress Girls With Browser Memory Protection Bypasses. The attack is a conceptually simple, yet completely reliable technique for exploiting vulnerabilities in web browsers. Of course, the media has sensationalized the impact of their findings, but ultimately, this is still significant as far as browser-based exploits are concerned (here is a more accurate report). It’s worth mentioning that part of the technique allowing them to load a .NET DLL at an arbitrary location under Vista was reliant on an implementation bug wherein the OS disables ASLR if the version in the .NET COR header was below a certain value. However, the address space spraying and stack spraying techniques are likely to be extended to other platforms utilizing similar memory protection mechanisms.

All in all, a fun and informative week, but as usual, I was relieved to get the hell out of Vegas and head home on Friday morning.

P.S. For a much more entertaining BlackHat/Defcon Recap, read Jennifer Jabbusch’s account of the week’s events. It’s my favorite one so far!

Fun Reading on Security - 6

Thu, 07 Aug 2008 14:01:00 +0000

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is an issue #6, dated August 7th, 2008.

DNS + Karma = Boom! Enuf said. Also, hear Pete Linstrom squeal.
Fun essay on "blocking" and risk. Is it our job to stop'em from using Facebook?
MS Exploitability Index. Smart ... or misguidedly focused on "vulnerability release" (and not creation)
Chip-n-PIN, a PCI killer? I don't think so!
Mike R revisits "good enough security" - read it, then review your IR plans (...for you will be 0wned)
Very fun RSA survey here; data leakage beats malware again, people still not report incidents (to whom???)
More and more and more people point at idiocies of academic security research... Read the whole w00t 08 thread here. Weep. Laugh.
Neosploit has a bad quarter... breaks support "contracts" ... shuts down? Ah, the economy :-)
Awesome stuff from Richard Bejtlich: CAER.
"The Network Firewall is a Consensual Hallucination" :-)
More GRC-ball-kicking: here, here ("IT-GRC "vendors" are not IT-GRC vendors") - both are pretty insightful for GRC-lovers and GRC-haters)
More SIEM-ball-kicking: here ("underwhelming","ridiculous", "missing the point"), here ("dead ...unless","cripple")
Fun DLP portal launches.
Final word (?) on TerryChilds-gate here. "When management starts controlling the actions of admins, things start to fall apart." Huh? When management loses control of the business, it dies. Folks, IT vs IT security gap IS real. I never quite believed it, but this taught me a lesson. Some common security sense for a change (also here).

Enjoy.

Better exception reporting in ASP.NET part 2

Mon, 04 Aug 2008 10:11:14 +0000

This is the third post in a series.

The first post described the problem: ASP.NET wasn't reporting inner exception stack traces.

The second post described my solution.

This post shows the code I used to solve the problem: a custom email provider for the Health Monitoring system in ASP.NET. Enjoy!

Here's the provider. Note that I opted *not* to build a buffering provider to keep things simple:

public class MyMailWebEventProvider : WebEventProvider
{
    string to;
    string from;
    string subjectPrefix;

    public override void Initialize(string name,
        NameValueCollection config)
    {
        base.Initialize(name, config);

        to = GetAndRemoveStringAttribute(config, "to", true);
        from = GetAndRemoveStringAttribute(config, "from", true);
        subjectPrefix = GetAndRemoveStringAttribute(config,
            "subjectPrefix", false);
    }
    public override void ProcessEvent(WebBaseEvent raisedEvent)
    {
        SendMail(raisedEvent);
    }

    private void SendMail(WebBaseEvent raisedEvent)
    {
        string subject = ComputeEmailSubject(raisedEvent);
        string body = ComputeEmailBody(raisedEvent);

        MailMessage msg = new MailMessage(from, to, subject, body);
        new SmtpClient().Send(msg);
    }

    private string ComputeEmailBody(WebBaseEvent raisedEvent)
    {
        WebRequestErrorEvent errorEvent =
            raisedEvent as WebRequestErrorEvent;
        if (null != errorEvent)
            return ErrorEventFormattingHelper.FormatRequestErrorEvent(errorEvent);
        else return raisedEvent.ToString();
    }

    private string ComputeEmailSubject(WebBaseEvent raisedEvent)
    {
        StringBuilder subjectBuilder = new StringBuilder();

        // surface some details in subject about error events
        WebBaseErrorEvent errorEvent = raisedEvent as WebBaseErrorEvent;
        if (null != errorEvent)
        {
            Exception unhandledException = errorEvent.ErrorException;

            // drill through reflection exceptions to show the root cause
            TargetInvocationException invocationException =
                unhandledException as TargetInvocationException;
            if (null != invocationException)
            {
                Exception innerException =
                    DrillIntoTargetInvocationException(invocationException);
                subjectBuilder.AppendFormat("{0}",
                    (innerException ?? invocationException).GetType().Name);
                if (null != innerException)
                    subjectBuilder.Append(" (via reflection)");
            }
            else subjectBuilder.Append(unhandledException.GetType().Name);
        }

        // if we've not got anything better
        // just show the event type in the subject
        if (0 == subjectBuilder.Length)
            subjectBuilder.AppendFormat("Event type: {0}",
                raisedEvent.GetType().Name);

        if (!string.IsNullOrEmpty(subjectPrefix)) {
            subjectBuilder.Insert(0, ' ');
            subjectBuilder.Insert(0, subjectPrefix);
        }
        return subjectBuilder.ToString();
    }

    /// 
    /// Reflection often hides exception details, so we try to drill down
    /// through the plumbing exceptions to find a likely cause
    /// 
    private Exception DrillIntoTargetInvocationException(
        TargetInvocationException outerException)
    {
        Exception innerException = outerException.InnerException;
        TargetInvocationException innerInvocationException =
            innerException as TargetInvocationException;
        if (null != innerInvocationException)
            return DrillIntoTargetInvocationException(innerInvocationException);
        else if (null != innerException)
            return innerException;
        else return null;
    }

    private static string GetAndRemoveStringAttribute(NameValueCollection config,
        string attributeName, bool required)
    {
        string value = config.Get(attributeName);
        if (required && string.IsNullOrEmpty(value))
            throw new ConfigurationErrorsException(string.Format(
                "Expected attribute {0}, which is missing or empty.",
                attributeName));
        config.Remove(attributeName);
        return value;
    }

    public override void Flush()
    {
        // nothing to do - this is not a buffering provider
    }

    public override void Shutdown()
    {
        // nothing to do here either
    }
}

Here's a helper class that formats the error messages the way I want to see them. Note that I've omitted some fields that I personally didn't care about, and I've reordered things a bit, so you might want to tweak this if you're going to use it in your own system.

internal static class ErrorEventFormattingHelper
{
    internal static string FormatRequestErrorEvent(
        WebRequestErrorEvent errorEvent)
    {
        CustomEventFormatter formatter = 
            new CustomEventFormatter();

        formatter.AppendLine(string.Format(
            "Unhandled Exception in {0}:",
            WebBaseEvent.ApplicationInformation
            .ApplicationVirtualPath));
        formatter.Indent();
        EmitExceptionAtAGlance(formatter, 
            errorEvent.ErrorException);
        formatter.RevertIndent();

        formatter.AppendLine();
        formatter.AppendLine("Exception stack trace(s):");
        EmitExceptionStackTrace(formatter, 
            errorEvent.ErrorException);

        formatter.AppendLine();
        formatter.AppendLine("Event information:");
        formatter.Indent();
        EmitEventInfo(formatter, errorEvent);
        formatter.RevertIndent();

        formatter.AppendLine();
        formatter.AppendLine("Application information:");
        formatter.Indent();
        EmitApplicationInfo(formatter, 
            WebBaseEvent.ApplicationInformation);
        formatter.RevertIndent();

        formatter.AppendLine();
        formatter.AppendLine("Process/thread information:");
        formatter.Indent();
        EmitProcessInfo(formatter, 
            errorEvent.ProcessInformation);
        formatter.RevertIndent();

        formatter.AppendLine();
        formatter.AppendLine("Request information:");
        formatter.Indent();
        EmitRequestInfo(formatter, 
            errorEvent.RequestInformation);
        formatter.RevertIndent();

        return formatter.ToString();
    }

    private static void EmitEventInfo(
        CustomEventFormatter formatter,
        WebBaseEvent theEvent)
    {
        formatter.AppendLine(string.Format(
            "Event code: {0}",
            theEvent.EventCode.ToString(
            CultureInfo.InvariantCulture)));
        formatter.AppendLine(string.Format(
            "Event message: {0}", 
            theEvent.Message));
        formatter.AppendLine(string.Format(
            "Event time: {0}", 
            theEvent.EventTime.ToString(
            CultureInfo.InvariantCulture)));
        formatter.AppendLine(string.Format(
            "Event ID: {0}", 
            theEvent.EventID.ToString("N", 
            CultureInfo.InvariantCulture)));
    }

    private static void EmitApplicationInfo(
        CustomEventFormatter formatter, 
        WebApplicationInformation appInfo)
    {
        formatter.AppendLine(string.Format(
            "Application domain: {0}", 
            appInfo.ApplicationDomain));
        formatter.AppendLine(string.Format(
            "Application Virtual Path: {0}", 
            appInfo.ApplicationVirtualPath));
        formatter.AppendLine(string.Format(
            "Application Physical Path: {0}", 
            appInfo.ApplicationPath));
    }

    private static void EmitProcessInfo(
        CustomEventFormatter formatter, 
        WebProcessInformation webProcessInfo)
    {
        formatter.AppendLine(string.Format(
            "Process ID: {0}", 
            webProcessInfo.ProcessID.ToString(
            CultureInfo.InvariantCulture)));
        formatter.AppendLine(string.Format(
            "Process name: {0}", 
            webProcessInfo.ProcessName));
        formatter.AppendLine(string.Format(
            "Account name: {0}", 
            webProcessInfo.AccountName));
    }

    private static void EmitRequestInfo(
        CustomEventFormatter formatter, 
        WebRequestInformation webRequestInfo)
    {
        string name = null;
        if (webRequestInfo.Principal != null)
            name = webRequestInfo.Principal.Identity.Name;

        formatter.AppendLine(string.Format(
            "Request URL: {0}", 
            webRequestInfo.RequestUrl));
        formatter.AppendLine(string.Format(
            "Request path: {0}", 
            webRequestInfo.RequestPath));
        formatter.AppendLine(string.Format(
            "User name: {0}", 
            name ?? "[ANONYMOUS]"));
        formatter.AppendLine(string.Format(
            "User host address: {0}", 
            webRequestInfo.UserHostAddress));
    }

    private static void EmitExceptionAtAGlance(
        CustomEventFormatter formatter, 
        Exception exception)
    {
        formatter.AppendLine(string.Format(
            "Type: {0}", 
            exception.GetType().Name));
        formatter.AppendLine(string.Format(
            "Message: {0}", 
            exception.Message));
        if (null != exception.InnerException)
        {
            formatter.Indent();
            formatter.AppendLine("-->Inner Exception");
            EmitExceptionAtAGlance(formatter, 
                exception.InnerException);
            formatter.RevertIndent();
        }
    }

    private static void EmitExceptionStackTrace(
        CustomEventFormatter formatter, Exception exception)
    {
        formatter.AppendLine(exception.StackTrace);

        if (null != exception.InnerException)
        {
            // no point indenting
            // since stack traces typically wrap like crazy
            formatter.AppendLine();
            formatter.AppendLine("-->Inner exception stack trace:");
            EmitExceptionStackTrace(formatter, exception.InnerException);
        }
    }
}

And finally, here's a helper class that manages indentation levels for the output email message:

public class CustomEventFormatter
{
    const int TabSpaces = 4;

    StringBuilder sb = new StringBuilder();
    private int indentLevel;
    private bool startingNewLine = true;

    public void Indent()
    {
        ++indentLevel;
    }

    public void RevertIndent()
    {
        if (indentLevel > 0)
            --indentLevel;
    }

    public void Append(string text)
    {
        if (startingNewLine)
            EmitIndent();
        sb.Append(text);
        startingNewLine = false;
    }

    public void AppendLine(string lineOfText)
    {
        if (startingNewLine)
            EmitIndent();
        EmitIndent();
        sb.AppendLine(lineOfText);
        startingNewLine = true;
    }

    private void EmitIndent()
    {
        sb.Append(' ', TabSpaces * indentLevel);
    }

    public void AppendLine()
    {
        AppendLine(string.Empty);
    }

    public override string ToString()
    {
        return sb.ToString();
    }
}

Build this into a library application and reference it in your config file. Here's an example:

<healthMonitoring>
  <providers>
    <add name="mailWebEventProvider"
         type="MyMailWebEventProvider"
         to="web-fault@fabrikam.com"
         from="website@fabrikam.com"
         buffer="false"
         subjectPrefix="[WEB-ERROR]"
       />
  providers>
  <rules>
    <add name="All Errors Email"
         eventName="All Errors"
         provider="mailWebEventProvider"
         profile="Default"
         minInstances="1"
         maxLimit="Infinite"
         minInterval="00:01:00"
         custom=""/>
  rules>
healthMonitoring>

U.S. Government Policy for Seizing Laptops at Borders

Fri, 01 Aug 2008 08:21:25 +0000

Amazing. The U.S. government has published its policy: they can take you laptop anywhere they want, for as long as they want, and share the information with anyone they want.

Here's the actual policy:

Federal agents may take a traveler's laptop or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed. Also, officials may share copies of the laptop's contents with other agencies and private entities for language translation, data decryption, or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, US Customs and Border Protection and US Immigration and Customs Enforcement... DHS officials said that the newly disclosed policies — which apply to anyone entering the country, including US citizens — are reasonable and necessary to prevent terrorism... The policies cover 'any device capable of storing information in digital or analog form,' including hard drives, flash drives, cell phones, iPods, pagers, beepers, and video and audio tapes. They also cover 'all papers and other written documentation,' including books, pamphlets and 'written materials commonly referred to as "pocket trash..."

It's not the policy that's amazing; it's the fact that the government has actually made it public.

Slashdot thread. My previous essay on crossing borders with laptops, and how to protect yourself.

Although honestly, the best thing is probably to keep your encrypted archives on some network drive somewhere, and download what you need after you cross the border.

More on World's Ugliest Logs

Wed, 30 Jul 2008 09:46:00 +0000

To follow the old thread on ugliest logs, I just saw this log entry:

...done

(yes, that's it!)

If you are a developer who produced it, please die. Be done :-)

More on ugly logs in the future!