Bill Karwin (twitter, new blog, old blog, Amazon) is well known for his extensive work in the SQL database community, including InterBase/Firebird, MySQL, Oracle and many more.
Paros is a valuable tool for your security and vulnerability testing. Paros can spider/crawl your entire site and then execute canned vulnerability scanner tests. But Paros goes beyond that: it comes with a built-in utility that can proxy traffic. This Paros Proxy utility can be used to tamper with or manipulate any HTTP or HTTPS traffic on the fly, which enables some of the more interesting kinds of security testing. It will help you isolate potential areas of security concern and then manually attempt the type of testing you desire.
Paros also comes with a built-in Session ID analyzer. It uses a multi-threaded session initiator to collect Session IDs and displays a graph of all the Session IDs it has been presented with; you can then judge whether the graph looks random enough. It is a pretty unique and interesting tool to use. Although most developers rely on another technology (Tomcat, Apache or some other application) to generate Session IDs, this is not always the case, so a Session ID analysis should be performed. Sometimes the Session ID is not randomized enough and the hash used to create it is easily predictable.
Paros also comes with a built-in Fuzzer. You will need to supply your own Fuzzer library to use it, but it will perform all the fuzzing for you.
On Windows, the keyboard shortcut [WayBack] Windows-L will lock your workstation and when [WayBack] Fast User Switching is enabled – and when your (corporate) policies allow it – shows your Switch User screen.
First of all, there is [WayBack] TSDISCON (which I found thanks to [WayBack] this thread). It is meant to disconnect a terminal services session, but when you are logged in on the console, it just locks your workstation.
When in a DTAP (Development, Test, Acceptance, Production) environment, you cannot always keep the boundaries completely clean: issues in production don’t reproduce in acceptance, you cannot develop in production, etc.
So sometimes you have to simulate or connect to Test or Acceptance database servers from a Development workstation.
Then it can get hairy to keep track of which applications connect to which database server.
That’s where the batch file below comes in handy: it scans your system for connections to the common TCP ports used by SQL Server, then for each connection gives you some process details (or, if you add a commandline parameter, all the details that TLINK can get).
The batch file uses the built-in tools tasklist, netstat, find and sc (the latter to show information on the locally running SQL Server services).
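The same idea in PowerShell, as an added example that is not the blog's batch file: it parses the netstat -ano output the batch file also relies on (so it works on older Windows versions as well), maps each connection to its owning process, and lists the local SQL Server services the way the sc call does. The port list, the parameter names and the service name patterns are assumptions; only TCP port 1433 (default instance) is checked unless you pass the ports your named instances listen on.

```powershell
# Added example, not the blog's batch file: show TCP connections to SQL Server
# ports with the owning process, plus local SQL Server related services.
param(
    [int[]]  $SqlPorts = @(1433),   # assumption: default instance only; add named-instance ports
    [switch] $Detailed              # like the blog's extra commandline parameter: more process info
)

function Get-SqlTcpConnection([int[]] $Ports, [bool] $Full) {
    # netstat -ano lines look like (constructed sample):
    #   TCP    10.0.0.5:52311    10.0.0.20:1433    ESTABLISHED    4212
    $pattern = '^\s*TCP\s+(?<laddr>\S+):(?<lport>\d+)\s+(?<raddr>\S+):(?<rport>\d+)\s+(?<state>\S+)\s+(?<pid>\d+)\s*$'
    & netstat.exe -ano | ForEach-Object {
        if ($_ -match $pattern -and
            ($Ports -contains [int]$Matches.rport -or $Ports -contains [int]$Matches.lport)) {
            $proc = Get-Process -Id ([int]$Matches.pid) -ErrorAction SilentlyContinue
            $row = [ordered]@{
                Local   = "$($Matches.laddr):$($Matches.lport)"
                Remote  = "$($Matches.raddr):$($Matches.rport)"
                State   = $Matches.state
                Pid     = [int]$Matches.pid
                Process = if ($proc) { $proc.ProcessName } else { '<exited or access denied>' }
            }
            if ($Full -and $proc) {
                # extra details that need an elevated prompt for processes of other users
                $row.Path      = $proc.Path
                $row.StartTime = $proc.StartTime
            }
            [pscustomobject]$row
        }
    }
}

function Get-LocalSqlService {
    # equivalent of the batch file's sc call: SQL Server related services on this machine
    Get-Service -Name 'MSSQL*', 'SQLAgent*', 'SQLBrowser' -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, Status
}

Get-SqlTcpConnection -Ports $SqlPorts -Full $Detailed.IsPresent | Format-Table -AutoSize
Get-LocalSqlService | Format-Table -AutoSize
```

Run it from an elevated prompt when you need the path and start time of processes owned by other users; without elevation those show up as exited or access denied, which is itself a useful hint that a service account rather than your own session holds the connection.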
Some clients generate their VPN connection settings using the CMAK (Connection Manager Administration Kit). Apart from the cumbersome way to support both x86 and x64 at the same time, they usually add some kind of time-out feature, and often route the whole 10.0.0.0/8 network over the VPN just to reach a couple of dozen machines. Having set up most of my VPN connections by hand, and automated them using rasdial to dial them from the commandline, I also found out the hard way that you cannot use rasdial for CMAK generated VPN connections: it will give you the error “This function is not supported on this system.”. The funny thing is: you can disconnect using rasdial. Luckily, the far less well documented rasphone does work for dialing. The batch file below uses a few tricks, and you can set the parameters at the top of the batch file.
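A PowerShell wrapper around that workaround, as an added example and not the blog's batch file: it dials the CMAK profile with rasphone -d, polls the rasdial connection list until the entry shows up, and hangs up with rasdial /disconnect, which does work for CMAK profiles. The entry name is a placeholder, the timeout is an assumption, and the route check at the end only needs the Get-NetRoute cmdlet (Windows 8 / Server 2012 and later) to show what the profile actually routed over the tunnel.

```powershell
# Added example, not the blog's batch file: dial a CMAK profile with rasphone,
# wait for it, and hang up with rasdial. Entry name is a placeholder.
param(
    [string] $EntryName      = 'CMAK-VPN-ENTRY-PLACEHOLDER',  # name as shown in Network Connections
    [int]    $TimeoutSeconds = 60                             # assumption: how long to wait for the dial
)

function Test-RasConnected([string] $Name) {
    # rasdial without arguments prints the active entries, one per line, after "Connected to"
    $lines = & rasdial.exe 2>$null | ForEach-Object { $_.Trim() }
    return ($lines -contains $Name)
}

function Connect-CmakVpn([string] $Name, [int] $Timeout) {
    if (Test-RasConnected $Name) { return $true }
    # rasdial refuses CMAK profiles ("This function is not supported on this system"),
    # so dial through rasphone instead; -d dials the given phonebook entry
    Start-Process -FilePath 'rasphone.exe' -ArgumentList "-d `"$Name`""
    $deadline = (Get-Date).AddSeconds($Timeout)
    while ((Get-Date) -lt $deadline) {
        if (Test-RasConnected $Name) { return $true }
        Start-Sleep -Seconds 2
    }
    return $false
}

function Disconnect-CmakVpn([string] $Name) {
    # disconnecting with rasdial works even for CMAK generated profiles
    & rasdial.exe $Name /disconnect | Out-Null
    return -not (Test-RasConnected $Name)
}

if (Connect-CmakVpn -Name $EntryName -Timeout $TimeoutSeconds) {
    Write-Host "$EntryName is up; routes the profile added for 10.0.0.0/8:"
    # shows whether the whole private range was pulled over the tunnel, as the blog describes
    Get-NetRoute -DestinationPrefix '10.0.0.0/8' -ErrorAction SilentlyContinue |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias
} else {
    Write-Warning "Dialing $EntryName did not complete within $TimeoutSeconds seconds"
}
```

The route check is the part worth keeping: a profile that sends all of 10.0.0.0/8 through the tunnel silently moves traffic for your own LAN or other VPNs through the client's network, so inspect the routing table right after the connection comes up rather than assuming the profile only covers the handful of hosts you need.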
Some very interesting tips from game development that apply just as well to general software development.
On code health:
Now I always try to dig right down to the root cause of a bug, even if a simple, and seemingly safe, patch is available. I want my code to be healthy. If you go to the doctor and tell him “it hurts when I do this,” then you expect him to find out why it hurts, and to fix that.
Though tools like SourceMonitor can help you track your code health, the best tool is between your ears.
If you followed my blog, you probably already guessed that I’m assisting a client to prepare for a big SQL Server 2000 to SQL Server 2008 R2 migration. If not, you know now :)
I’m a fan of commandline, tools, and preconfigured settings. Which means that I’m in the midst of reconfiguring all my shortcuts to SQL Server 2000 tools to SQL Server 2008 equivalents.
When inspecting and changing LNK shortcut files, two tools are important:
dumplnk: dumps a shortcut lnk file from the commandline
shortcut: creates a shortcut lnk file from the commandline
Depending on the mode of authentication you use to connect to your SQL Server, there basically are two forms of shortcuts:
SQL Server Authentication (using SQL Server username and password): "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\isqlw.exe" /S"servername[\instancename]" /U"username" /P"password"
Windows Authentication (using the credentials of the currently logged in windows user): "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\isqlw.exe" /S"servername[\instancename]" /E
The former is less secure, since the password sits in plain text in the shortcut’s argument string, so store such shortcuts only in a place that no other user can read.
The parameters /S, /U, /P and /E are very similar to the -S, -U, -P and -E ones from SSMS.exe (SQL Server Management Studio), with one distinction: there MUST be a space between each parameter and its value:
SQL Server Management Studio (using SQL Server username and password): "C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe" -S "servername[\instancename]" -U "username" -P "password"
SQL Server Management Studio (using credentials of the currently logged in windows user): "C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe" -S "servername[\instancename]" -E
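Because the password form of these shortcuts stores the credential in plain text, it is worth auditing where such .lnk files ended up. The following is an added example, not code from the blog: it reads each shortcut's argument string through the WScript.Shell COM object, flags the isqlw /P"..." and SSMS -P "..." forms, and reports which other accounts have read access to the file. The folder to scan is an assumption, and the password itself is only reported masked.

```powershell
# Added example, not from the blog: find shortcuts that embed a SQL Server
# password and show who else can read them. Folder is an assumption.
param([string] $Folder = "$env:USERPROFILE\Desktop")

$shell = New-Object -ComObject WScript.Shell
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
# accounts that are expected to read your own files
$ownAccounts = "^($env:USERDOMAIN\\$env:USERNAME|NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators)$"

function Get-EmbeddedSqlPasswordShortcut([string] $Path) {
    Get-ChildItem -Path $Path -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        $lnk  = $shell.CreateShortcut($file.FullName)
        # isqlw uses /P"password" or /Ppassword; SSMS uses -P "password" or -P password
        if ($lnk.Arguments -match '(?i)(?:^|\s)[/-]P\s*"?([^"\s]+)') {
            $password = $Matches[1]
            $otherReaders = (Get-Acl $file.FullName).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $readData) -and
                $_.IdentityReference.Value -notmatch $ownAccounts
            } | ForEach-Object { $_.IdentityReference.Value }
            [pscustomobject]@{
                Shortcut     = $file.FullName
                Target       = $lnk.TargetPath
                UsesWinAuth  = [bool]($lnk.Arguments -match '(?i)(?:^|\s)[/-]E(?:\s|$)')
                PasswordMask = '*' * $password.Length   # never print the credential itself
                ReadableBy   = ($otherReaders -join ', ')
            }
        }
    }
}

Get-EmbeddedSqlPasswordShortcut -Path $Folder | Format-Table -AutoSize
```

Anything listed with a non-empty ReadableBy column is a shortcut that leaks a SQL login to other users of the machine (or to everyone, when it lives on a shared desktop or network share); the fix is to recreate it with /E or -E for Windows authentication, or at least move it into a folder only you can read.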