Rob Smyth

Thursday, 20 November 2014

DITA's image

DITA is a publishing/authoring standard suited for technical documents. But it is interesting/perverse that DITA frameworks have such poor documentation.

I like the looks of DITA. I think it has a lot to offer to save time by the classic "the best way to save time is to not do it at all". But gosh I find it hard to penetrate.

Shameless dig: It seems the same as software developers who do not automate their processes ... if your profession is automation then it is perverse that you do not automate.

Friday, 1 August 2014

Keeping an Authenticode certificate secure for signing applications

You're working for a small/medium company and the boss wants you to secure the application with digital signing ... you're not in control of IT security, how are you going to ensure that the private keys are secure?

Background

Cyber security is becoming more important to software development as the risk of attack becomes better understood and more prevalent. Basic .NET application security requires both signing the application with an Authenticode digital certificate and strong name signing the assemblies.

Authenticode signing allows users to identify that the application came from "us" and has not been modified by somebody else since we signed it. This is critical for users who download installers and is superior to MD5 checks.

Strong name signing is about ensuring that referenced assemblies have not been replaced.

Both Authenticode and strong name signing are based on the security of private keys. If an attacker obtains a copy of the private key they may impersonate your company without the end user knowing.

How to build applications and keep certificates secure

Assumptions:
  • Your network's security is not "perfect".
  • You do not want to expose the key to all staff (principle of least privilege) ... they probably do not want to have access anyway.
  • You would like separation of duties (optional with the process here).
  • All encrypted storage is breakable.
Setup:
  1. Obtain a computer with a new OS install that is normally stored, turned off, in a secure location. Purchase and download the Authenticode certificate onto this computer, being careful to limit its network connection to placing the purchase and downloading the certificate. Minimize the attack surface by keeping this secure PC normally off-line.
  2. Export the certificate's private keys to secure devices (e.g. IronKey). Such a device will self-destruct after N attempts making attacks near impossible.
  3. Delete the certificate from the PC.
Building a release:
  1. After testing binaries (testing application), sign assemblies and complete strong name signing on the secure PC with the Authenticode private key available on an inserted USB stick.
Note: Holders of the secure USB devices should only ever open the device on the secure PC.

Best practice is to use tested binaries from a build server (artifacts) such as TeamCity and use an installer build script that recognises the key available on the USB device.

Using this approach:
  • the private key is only vulnerable to the network during the installer build.
  • unsigned binaries can be tested without signing.
  • the PC used to perform the final installer build/signing is clean and normally off-line.
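
A sketch of the "installer build script that recognises the key on the USB device" step, added here as an example and not taken from the original post. The PFX path, artifact folder and hash manifest format are assumptions; the script refuses to sign unless the key device is present and every binary matches the hash recorded by the build server.

```powershell
# Added example, not from the original post. Assumed names: K:\codesign.pfx (key on
# the unlocked secure USB device), .\artifacts (binaries from the build server) and
# SHA256SUMS.txt (constructed format: "<sha256 hex>  <file name>" per line).
param(
    [string]$PfxPath      = 'K:\codesign.pfx',
    [string]$ArtifactDir  = '.\artifacts',
    [string]$ManifestPath = '.\artifacts\SHA256SUMS.txt',
    [string]$TimestampUrl = ''   # optional; signing contacts this server when set
)
$ErrorActionPreference = 'Stop'

# 1. Refuse to run unless the key device is inserted and unlocked.
if (-not (Test-Path -LiteralPath $PfxPath)) {
    throw "Signing key not found at $PfxPath. Insert and unlock the secure USB device."
}

# 2. Only accept binaries whose hash matches what the build server produced and tested.
$files = foreach ($line in Get-Content -LiteralPath $ManifestPath) {
    if ($line -match '^([0-9A-Fa-f]{64})\s+(.+)$') {
        $expected, $name = $Matches[1], $Matches[2].Trim()
        $path = Join-Path $ArtifactDir $name
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($actual -ne $expected) { throw "Hash mismatch for $name; nothing was signed." }
        $path
    }
}
if (-not $files) { throw "Manifest $ManifestPath lists no files." }

# 3. Load the certificate (prompts for the PFX password) and sign each file.
$cert = Get-PfxCertificate -FilePath $PfxPath
foreach ($path in $files) {
    $signArgs = @{ FilePath = $path; Certificate = $cert; HashAlgorithm = 'SHA256' }
    if ($TimestampUrl) { $signArgs.TimestampServer = $TimestampUrl }
    $result = Set-AuthenticodeSignature @signArgs
    if ($result.Status -ne 'Valid') { throw "Signing failed for ${path}: $($result.StatusMessage)" }
}

# 4. Re-check every signature before the files leave the secure PC.
foreach ($path in $files) {
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    if ($sig.Status -ne 'Valid') { throw "Verification failed for $path" }
    "{0}  signed by {1}" -f $path, $sig.SignerCertificate.Subject
}
```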

See also: Oracle security overview.

Thursday, 13 March 2014

Software R&D manager Yin & Yang

Taking on-board "the fastest way to do something is to not do it at all"  (is this an Alistair Cockburn quote?) I'm thinking that a software R&D manager's performance might come from how many things a team does not have to do.

A yin and yang relationship with a software developer whose performance could be measured by how much they (or help a team to) deliver working functionality and a manager.

How do you measure what was not done?

Thursday, 27 February 2014

Resolving WatchGuard connection problem on Win 8.1

A solution I found to a WatchGuard VPN connection problem:

  1. Uninstall WatchGuard
  2. Delete the folder C:\Users\\AppData\Roaming\WatchGuard
  3. Reinstall WatchGuard

Works better than before now.

Background:

I had been using WatchGuard for a few months on Win 8 and then Win 8.1 successfully although the connection was often 'difficult'. But, for reasons unknown, it stopped working mid Feb 2014.

I was originally using  WatchGuard 11.6.0.

Now using WatchGuard 11.8.0. (Build 425534) on Windows 8.1.


Cyber Security

The Australian Signals Directorate (ASD) has done a great job publishing some really useful, and practical, guides on cyber security. Nice work.

I'm interested in:

The ASD's strategies documents are useful and helpful. Check out their top 4 strategies, they say that of the thousands of breaches they have investigated 85% would have been prevented by just these 4 strategies.

Monday, 11 November 2013

NLog MethodCallTarget configuration

I wanted to add an error indicator to a UI to give the user an indication that an error or warning has been logged. I've found this very useful to get feedback from users. But each time I do this it takes me a while to get NLog to play nice with the application's XML logging configuration file. The thing I keep missing is to reload the configuration by:
NLog.LogManager.Configuration = loggingConfig;
Here is an example:

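        // Requires: using NLog.Config; using NLog.Targets;
        // Call once after NLog has loaded its XML configuration
        // (the method name AddUiErrorMonitor is illustrative).
        private void AddUiErrorMonitor()
        {
            var target = new NLog.Targets.MethodCallTarget();
            target.ClassName = this.GetType().AssemblyQualifiedName;
            target.MethodName = "OnErrorLogged";
            target.Parameters.Add(new MethodCallParameter("${level}"));
            target.Parameters.Add(new MethodCallParameter("${message}"));

            var loggingConfig = NLog.LogManager.Configuration;
            loggingConfig.AddTarget("UIErrorMonitor", target);

            var loggingRule = new LoggingRule("*", NLog.LogLevel.Error, target);
            loggingConfig.LoggingRules.Add(loggingRule);

            // Re-assign the configuration so NLog reloads it with the new target and rule.
            NLog.LogManager.Configuration = loggingConfig;
        }

        // NLog calls this static method for each event that matches the rule above.
        public static void OnErrorLogged(string level, string message)
        {
            // do stuff
        }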

Wednesday, 8 May 2013

StyleCop

StyleCop is a great Visual Studio / Resharper add-on to complement lines of code (LOC) metric tools.

If your team values LOC then StyleCop is for you.

Thursday, 2 May 2013

Agile Project Management Team Tools

Hmm ... kinda by definition of 'agile' should the post be about 'team feedback tools' ... but let's skip that. I'll even try to skip the agile/scrum/XP question (is XP or scrum inherently 'agile'? ... darn I did not skip it).

The main players seem to be:
  • VersionOne
  • Mingle
  • Rally
  • Scrumworks
  • Excel
I have no experience with Mingle or Rally, but have a lot of experience with VersionOne and, over the last few months, with Scrumworks. My impressions are ...

VersionOne

When I first used VersionOne back, I guess about 2004, I thought it was great. But last year (2012) I was on a team using it and it was ... hmmm ... good but not exciting. It offered a very rich feature set,  but it seemed to me to have lost focus on useable features. I remember several years ago a projects page that showed an estimated time of delivery. To me, kinda fundamental. Not really available in the current version.

The good:
  • Free for small teams/use with limited features ... very restrictive.
  • Large range of features.
  • Multiple projects
  • Actual effort reporting independent of iteration.
  • Great customisation.
  • Track lifecycle of user wish list right through to tasks.
  • Support for automated release documentation.
 The bad:
  • Forget hosting if you're not in the US of A. The product does not support time zones and does not update burn down until the end of the day which for me is in the middle of the day ... if you're trying to promote team acceptance this is a red flag. (I reported this as an issue several years ago and I know it was also reported in 2012.)
  • Hosted options are very very slow.
  • No retrospective time entry, which is greatly aggravated by the time zone problem. You cannot enter what you did yesterday.

Scrumworks

After a few months of using it ... I'm not impressed. It provides a web view and a Java application. The two seem to be written by different teams. While the web view allows entry of today's effort and updating of "to do" (velocity), the Java application allows editing the original estimate but not the "to do".

The Java application just does not cut the Scrum intent. I cannot see how a team can manage "burn down" using it.

The good:
  • Free 
  • Retrospective time entry (enter effort tomorrow).
 The bad:
  • Primitive
  • Different views (Java app / web) have different models.
To me, although I do it, retrospective time entry of effort is a process anti-pattern. If team members cannot be bothered to enter effort before going home then there are more problems than implied here.

Simple, but in the end Excel would be better.

Excel

Dunno, but I think Excel has more to offer.


In summary, today, I would consider other options than VersionOne or Scrumworks. But VersionOne is way better than Scrumworks. Actually, Scrumworks seems to me to be more of an inhibitor than useful :-(.

Tuesday, 30 April 2013

Great error message - Flickr

A great error message ...

Acknowledge the problem, request lighter use, let you know something is happening to fix it, and talking like a human.

Even better than Firefox's "Well this is embarrassing ..."

Love it.

Saturday, 27 October 2012

BaffleBox.Show() #1

Self-explanatory really:

Yep, gotta stop that operation completing successfully.