https://www.henrik.org/

Blog

Friday, December 26, 2014

Public facing hard to guess identifiers

This might take some explaining of the actual problem. When applications are reporting information I would like there to at least not be possible to guess an identifier starting at 1 and have the data end up on some other users account. My goal isn't so much to guard against somebody who is intentionally trying to do misreporting, but to make it hard enough to do for all but the determined attackers.

So how do you do this, one way is to just use GUID's for every identifier but I have always hated that and it leads to bad database design at least in my opinion. So my suggestion is to just use a simple integer identifier counting upwards internally. However whenever the identifier required to report for this is displayed to an end user I take this ID and encrypt it using a secret key with AES-256. This results in a pretty much random 16 byte array that you then encode using base 64 and present to the user. Once any reporting is done you simply do the reverse so that the ID needed to be used is the base 64 encoded encrypted value. This means that it will be almost impossible to guess a valid identifier for anything coming from the outside but internally you can still just deal with regular integers of varying size for everything.

The performance hit should be negligible since AES is implemented in hardware in recent CPU's and even without it AES is really fast.

Thursday, December 25, 2014

Dealing with timestamps

I thought I would do a detour though and share some thoughts on dealing with timestamps.

Something to take into account dealing with timestamps reported into the system is that I can not really trust that users have their clocks running correctly. And since data can be collected offline and then submitted after the fact I need to compensate for the devices that have really weird time settings (A surprising amount of people run their machines with the clock set to 1970). I would deal with this by simply have the clock as the reporting device thinks it is at the time of submission be included as part of the submission. This will give me a delta for how much all the other included timestamps in that particular submission need to be adjusted. It will not handle the case where the user has changed their clock between the start of the data being collected and the time it was submitted, but hopefully that will be a pretty rare occurrence.

Tuesday, December 23, 2014

Fun with collations and persistence layers

So today I spent several hours trying to figure out how to get the correct collation on a SQL Server table created using the Microsoft Entity framework.

So you would think that given that I use a C# string that is UTF8 that when you create a table using this data type with the entity framework it would by default have a collation that supports Unicode more or less properly out of the box... No such luck.

And to make matters worth the Entity framework provides no provision to specify the collection used. In the end what I had to do is to run the following custom SQL on every column that I need proper unicode handling of (For me that means properly distinguishing different high code point Unicode characters as being different letters and also being case sensitive).

  ALTER TABLE {tablename}
    ALTER COLUMN {columnname}
    NVARCHAR({length})
    COLLATE Latin1_General_100_BIN2

The problem is that to do this you also need to drop any indexes that use this column before you make the change and then recreate the column (In my case since I have no deployed database yet I simply create the indexes after I have properly changed the collation). Then once I solved everything for SQL Server I had to do it all over again for MySQL (Different parts of the service runs on SQL Server and MySQL), but that was a lot easier than for SQL Server. Finally I spent some more time trying to figure out some unit tests to validate that an error in this area will not sneak in at a later date since this would be easy to forget.

I have always had a very skeptical approach to persistence layers like the Entity framework (Or indeed any other similar project like Hibernate, XPO etc...) in that I think it produces horribly inefficient database access patterns and should really only be used if you don't care at all about performance or if you are lazy.

I do like certain aspects of the Entity framework though. Specifically I do like being able to specify the database structure using LINQ instead of SQL (You generally get better compile time error checks with this) and also the migration layer for the Entity framework is pretty nice.

That said having worked on developing SQL development tools for over a decade and knowing SQL at the back of my spine I would not trust it for a second to actually generate the SQL for my database access layer. That I hand code for exactly the purposes that I need.

Thursday, October 9, 2014

Finally someone explained why Sweden has so much better IT infrastructure than the US

Ran into this article about why Sweden has so much better internet connectivity than the US. I've been complaining about this for years that even now 10 years later I am still paying more for less bandwidth than I had before I moved in Sweden (And this is unfortunately the norm, not a fluke). The reason is quite simple that government here don't dare to tread on the toes of large entrenched economic interests.

Tuesday, September 2, 2014

Quotes from my old home page

So my old home page used to have a page with a bunch of really nice quotes on it and I would hate to see them all get lost now that I don't have a good place for them so I figured I would just post them here. So here goes.

The difference between theory and practice, is that in theory, there is no difference between theory and practice.
- Richard Moore

The 3 great virtues of a programmer:
Laziness, Impatience, and Hubris.

- Larry Wall

The best definition of a gentleman is a man who can play the accordion -- but doesn't.
- Tom Crichton

Your mind is like a parachute. It works best when open.
- Matthias Elter

I might disagree with what you have to say, but I'll defend your right to say it to the death.
- Voltaire

Software is like sex, it is better when it is free.
- Linus Torvalds

People who think they know everything tend to irritate those of us who do.
- Oscar Wilde

Think about how stupid the average person is.
Then realize that half of them are more stupid than that.

- George Carlin

My taste is simple, the best.
- Oscar Wilde

Great minds discuss ideas,
Average minds discuss events,
Small minds discuss people.

- Eleanor Roosevelt

Don't take life too seriously, you'll never get out of it alive anyway.
- Elbert Hubbard

Light travels faster than sound.
That is why some people appear bright until you hear them speak.

- Allbert Einstein

The trouble with being punctual is that nobody's there to appreciate it.
- Franklin P. Jones

Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
- Albert Einstein

Happiness isn't something you experience, it's something you remember.
- Oscar Levant

God bless the American legal system
A glorious machine that turns stupidity into cold hard cash!

- The Drew Carey Show

Working weeks come to its end, party time is here again.
- Come with me, Depeche Mode

I want to run
I want to hide
I want to tear down the walls
That hold me inside

- Where the streets have no name, U2

Got a letter from the government the other day.
Opened it and read it. It said they were suckers.

- Black Steel In The Hour Of Chaos, Public Enemy

It's a small world and it smells funny
I'd buy another if it wasn't for the money

- Vision Thing, Sisters of Mercy

I'm a 21:st century digital boy
I don't know how to live, but I got a lot of toys

- 21:st century digital boy, Bad Religion

When will the world listen to reason?
When will the truth come into season?
I have a feeling it will be a long time.

- It'll be a long time, Offspring

I didn't believe in reincarnation in any of my other lives.
I don't see why I should have to believe in it in this one.

- Strange de Jim

If a man has a strong faith he can indulge in the luxury of skepticism.
- Friedrich Nietzsche

I'm a firm believer in the concept of a ruling class,
especially since I rule.

- The movie "Clerks"

If there's no light at the end of the tunnel, get down there and light the darn thing yourself!
- Lauri Watts

Unix is the most user friendly system I know, the point is the it is really selective about who is indeed its friend.
- Luigi Genoni

It's the mature and adult thing to do!
How does that affect me?

- Seinfeldt

Dates are for having fun and people should use them to get to know each other.
Even boys have something to say if you listen long enough.

- Lynette, age 8

CNNESPNABCBCVTNT, but mostly BS
- Television, Disposable Heroes of Hiphoprasy

What did you do yesterday?
I did absolutely nothing and it was everything I thought it would be.

- The movie "Officespace"

I drink to make other people interesting.
- George Jean Nathan

When everybody is out to get you, paranoid just seems like a good idea.
- Woody Allen

How to relate to women:
Treat them like compilers that take simple statements and turn them into big productions.

- Userfriendly

Communism doesn't work because people like to own stuff.
- Frank Zappa

Sure there have been injuries and deaths in boxing,
but none of them serious.

- Boxer Alan Minter

Plans are useless, but planning is indispensable.
- Dwight Eisenhower

Life is a sexually transmitted disease and the mortality rate is one hundred percent.
- R. D. Laing

I'm on a seafood diet.
When I see food I eat it.

- The Drew Carey Show

I'm bi-sexual. Whenever I want sex I have to buy it.
- The movie "Splitting Heirs"

What do you think of western civilization?
I think it would be a good idea.

- Muhatma Gandhi

If you don't know where you are going you are never lost.
- Unknown

If you're right 90% of the time, why quibble about the remaining 3%?
- Unknown

Acceptance testing: An unsuccessful attempt to find bugs.
- Unknown

Jag spenderade mina pengar på sprit, kvinnor och sång.
Resten slösade jag bort.
(Roughly: I spent my money on women, drinking and singing.
The rest I squandered).

- Unknown Swede

A hen is only an egg's way of making another egg.
- Samuel Butler

Those who live by the sword, get shot by those who don't.
- Unknown

Monday, September 1, 2014

Created a brand new home page

During the last couple of weeks I've decided to beef up on current web technologies like HTML5, CSS3, jQuery and such. I figured a great test case for my new skills would be to remake my own web page and I just put it live this morning. The new page has a hopefully much more contemporary design, uses responsive design and it is a single page web application (Except for the blog part which is still hosted by Blogger).

I also included a few newer photos and updated my about page with things that happened in the last decade. I also took time to update my resume which also hadn't been updated for the last decade. I also have some really cool interactive stuff going on in the resume section. Check it out and tell me what you think.

Saturday, August 30, 2014

Got married and am moving to Long Beach

It has been a long time since I made any posts so here is a short update.

First of all I got married to the lovely and beautiful Lisa DuMouchel (Now Lisa Johnson). We met through a common friend while she was living in San Francisco in early 2012. A little bit over a year later we were married on the 4th of October 2013 at the Saint Regis Monarch Beach in Dana Point.

Moving to Long Beach in a couple of days. I'll be sad to leave Laguna Beach, but the new place looks really nice as well. It also have more room for guests if anybody want to visit.