The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Alternate (offline) Google Chrome installer (Windows) – Google Help

Posted by jpluimers on 2012/01/06

Currently most software installers consist of a small bootstrap that, during the actual install, downloads only the files that are actually needed.

Often that is not convenient: slow or no network connection, repeated installs in a test environment, etc.

Luckily, a lot of software does have an offline installer (a.k.a. standalone installer).

Google Chrome is no exception: it has two offline installers, one for a single-user install and one for all users on the same Windows machine.

It ends up at one of these download pages, each with a download link for the current version (which changes for every new version):

–jeroen

via: Alternate (offline) Google Chrome installer (Windows) – Google Help.

Posted in LifeHacker, Power User, Windows, Windows 7, Windows 8, Windows Vista, Windows XP | 1 Comment »

Great answer by Cosmin Prund: How and when are variables referenced in Delphi’s anonymous methods captured? – Stack Overflow

Posted by jpluimers on 2012/01/05

Every once in a while, by accident you stumble on a really great answer on StackOverflow.

Here is a quote from Cosmin Prund describing how Delphi implements anonymous methods using a TInterfacedObject descendant:

When you have a function like the one in the question, where you have an anonymous method accessing a local variable, Delphi appears to create one TInterfacedObject descendant that captures all the stack based variables as its own public variables. Using Barry’s trick to get to the implementing TObject and a bit of RTTI we can see this whole thing in action.

Read his full answer for the complete description including sample code.

I stumbled on this great answer through the question Is it possible for a managed local variable to transparently “travel to” another local scope? which might sound like an odd question, but it is not: StackOverflow is about learning, and some people do that by asking questions about solving problems in a very uncommon way, just to learn that there are far better ways of obtaining what they want.

–jeroen

via: How and when are variables referenced in Delphi’s anonymous methods captured? – Stack Overflow.

Posted in Delphi, Development, Software Development | Leave a Comment »

Undoing TinyUrl, Goo.gl, Bitly and other URL shorteners: http://expandurl.appspot.com/

Posted by jpluimers on 2012/01/04

Great stuff: http://expandurl.appspot.com/

Especially when a shortened URL breaks, and you want to find out if the underlying URL got moved to a different place.

--jeroen

via: http://stackoverflow.com/questions/6500721/find-where-a-t-co-link-goes-to

Edit 20240829

The above URL stopped working after a few years, so I dug up the history of it:


Posted in Power User | Leave a Comment »

Introducing the for-if anti-pattern – via: The Old New Thing – Site Home – MSDN Blogs

Posted by jpluimers on 2012/01/03

I really like what Raymond Chen writes, not just the tech stuff in his Old New Thing blog, but especially in his comments.

Here is a nice example:

You also see this anti-pattern used in real life: “What flavors do you have?” and then after the list of flavors is recited, “I was hoping you had raspberry.” -Raymond

And he is right: in real life, lots of people have stopped actively thinking, expecting others (very often the government) to solve their problems.

It reminds me of one of our kitchen magnets: “If it’s called common sense, then why is it so rare?”.

So: why do you think it is so rare?

–jeroen

via: Introducing the for-if anti-pattern – The Old New Thing – Site Home – MSDN Blogs.

Posted in About, Development, Opinions, Personal, Software Development | 2 Comments »

ASCII art: when old skool is modern again.

Posted by jpluimers on 2012/01/02

When old skool is modern again :)

Over the last few months, I have observed more and more ASCII art, especially on social media like Facebook, Twitter, etc.

The most recent was this one from our neighbours – thanks guys – (it doesn’t do the original much justice, as it needs less line spacing and works best in the Arial font):

.     °.˛*.˛.°★。˛°.★*.                              * Fijne Kerstdagen en *★* *˛.
.    ˛ °_██_*。*./ ♥ \ .˛* .˛.                       *.★ een geweldig 2012**★ 。
.     ˛. (´• ̮•)*˛°*/.♫.♫\*˛.* ˛_Π_____.    *      *      *         ★ toegewenst 。
.     .°( . • . ) ˛°./• ‘♫ ‘ •\.˛*./______/~\.˛* .。˛   *        *★* Someone  &
.     *(…’•’.. ) *˛╬╬╬╬╬˛°.|田田 |門|╬╬╬╬╬*★★*★ ★ Someone
. ¯˜”*°••°*”˜¯`´¯˜”*°••°*”˜¯ ` ´¯˜”*°´¯˜”*°••°*”˜¯`´¯˜” *

Since many characters are not ASCII at all, maybe Typewriter Art fits better.

Anyway: I like the new revival of these kinds of arts.

They remind me of being a lot younger and playing around with characters to see what graphical information I could put in a limited space. You can use this to present information too, as [W/A] this progress bar shows how busy the public traffic is.

They also remind me how much real artists can do in little space. Given the limited space, especially on Twitter and mobile systems, and that the common feature among those is still text, ASCII art makes a lot of sense again :)

Some references to give you an idea how bad I was at it, and how good others were :)

Check out [Wayback/Archive] http://cd.textfiles.com/hackchronii/VIRUSL4/VIRUSL4.46 and search for “Pluimers” (side note: I was nicknamed by the Chinese cook in the restaurant kitchen I worked in a few years before that, though the cook pronounced “Charlie” as “Cha-li”, and I made my nick Charly to avoid conflicts).

A bit later I condensed it a bit (look for “rulfc1” at [Wayback/Archive] http://www.nic.funet.fi/pub/msdos/Info/info-ibmpc). [Wayback/Archive] Others were way better at Email Art and [not archived] Signature Art than I was.

Those were days where you would mostly communicate with text. And even that wasn’t a long time ago when you imagine that the oldest known form of Typewriter Art is from 1898!

--jeroen

Posted in About, ASCII art / AsciiArt, Font, Fun, Personal, Power User | 2 Comments »

After restoring fresh HDD from Time Machine Backup: No results from Spotlight

Posted by jpluimers on 2012/01/02

My Mac Mini Server had its primary HDD fail. It got replaced by the iAmStore service center, but contrary to what they promised, they didn’t put the Snow Leopard Server image on it.

So I grabbed an external USB DVD player, booted from the Snow Leopard Server install DVD, and restored the Time Machine backup from my external USB HDD.

Somehow, after the restore, Spotlight wouldn’t work: only the search bar was visible, but nothing else.

I tried various tips, all having to do with erasing the Spotlight index for my root volume (so it would automatically be reindexed), or multi-step procedures including killing SystemUIServer, clearing caches and rebooting.

In the end the simplest one worked: just “turn Spotlight indexing on”.

My assumption is that Spotlight information is not backed up, and that Spotlight is turned off during the restore because continuously reindexing would slow the restore down.

If someone can confirm this (or deny and explain the real reason), please post a comment.

This was what user nkt00 had posted as the solution on the Apple forum:

I figured it out. In the man page for “mdutil” (type: “man mdutil” at the terminal shell prompt), it describes the option “-i”, which turns indexing on or off for the specified volume. I just typed:

sudo mdutil -i on /

and away it went

This was the screen output:

Last login: Mon Oct 31 19:31:01 on ttys000
macminiserver01:~ jeroenp$ mdutil -s /
/:
No index.
macminiserver01:~ jeroenp$ sudo mdutil -i on /
Password:
/:
Indexing enabled.
macminiserver01:~ jeroenp$

Now I’m happily using my Mac Mini Server again.

--jeroen

via No results from Spotlight: Apple Support Communities.

Posted in Apple, LifeHacker, Mac OS X 10.5 Leopard, Mac OS X 10.6 Snow Leopard, Mac OS X 10.7 Lion, MacBook, Power User, SpotLight | 1 Comment »

my wiert.WordPress.com blog: 2011 in review: almost 400 posts, 220k visitors, “Silverlight dead/ long live XAML” most popular.

Posted by jpluimers on 2012/01/01

Don’t you love automated tools :)

The WordPress.com stats helper monkeys prepared a 2011 annual report for this blog.

Here’s an excerpt:

The Louvre Museum has 8.5 million visitors per year. This blog was viewed about 220,000 times in 2011. If it were an exhibit at the Louvre Museum, it would take about 9 days for that many people to see it.

Click here to see the complete report.

Posted in About, SocialMedia, WordPress | Leave a Comment »

Mac RDP client uses “/console” after the machine name to connect to a server console (not “/admin”)

Posted by jpluimers on 2011/12/30

It took me a bit of searching to find this out, as the Windows RDP clients switched over to “/admin” for this a long time ago:

with the Mac RDC client, you can connect to a server’s console by adding “/CONSOLE” to the end of the computer name

–jeroen

via MacUpdate: Member Profile – Nate Silva.

Posted in Apple, Mac OS X 10.5 Leopard, Mac OS X 10.6 Snow Leopard, Mac OS X 10.7 Lion, Power User | Leave a Comment »

More vulnerabilities solved than just the ASP.NET hash collision DoS: Microsoft Security Bulletin MS11-100 – Critical : Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)

Posted by jpluimers on 2011/12/29

In addition to the ASP.NET hash collision Denial of Service attack, Microsoft patches three more vulnerabilities, resulting in an Aggregate Severity Rating of Critical.

This is a summary of the vulnerabilities. Please read the full MS11-100 bulletin for more details and how to download and install the patches.

| Vulnerability | Severity Rating | Maximum Security Impact | CVE ID |
|---|---|---|---|
| Collisions in HashTable May Cause DoS Vulnerability | Important | Denial of Service | CVE-2011-3414 |
| Insecure Redirect in .NET Form Authentication Vulnerability | N/A or Moderate | N/A or Spoofing | CVE-2011-3415 |
| ASP.Net Forms Authentication Bypass Vulnerability | Critical | Elevation of Privilege | CVE-2011-3416 |
| ASP.NET Forms Authentication Ticket Caching Vulnerability | Important | Elevation of Privilege | CVE-2011-3417 |

(The bulletin’s Affected Software column is not reproduced here.)

CVE-2011-3415 is rated N/A for .NET 1.1 and Moderate for all other .NET versions.

–jeroen

via Microsoft Security Bulletin MS11-100 – Critical : Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420).

Posted in .NET, ASP.NET, C#, Development, Software Development, VB.NET, Visual Studio and tools | Leave a Comment »

Many more web platforms vulnerable to the hash collision attack (not only ASP.NET) #28C3 @hashDoS #hashDoS @ccc

Posted by jpluimers on 2011/12/29

When writing my Patch your ASP.NET servers ASAP post early this morning, I didn’t have time to research the full extent of the vulnerabilities published at 28C3 (slides, mp4), though a small bell was ringing that I had seen something like it before, earlier this century.

I was right: this posting on perlmonks directed me to a /. posting from 2003, pointing me to the research paper on low-bandwidth attacks based on hash collisions (pdf version) that I had seen before. Perl 5.8.1 fixed it in September 2003 (search for “hash” in that link).

The attack can be used for DoS because inserting n well-distributed elements into a hash table normally runs in O(n), but a carefully crafted set of n elements makes the same inserts run in O(n^2).

Carefully crafting a worst case scenario depends on how well you can predict collisions in the underlying hash table implementation, which – apparently – is not too difficult, and requires little bandwidth.

Many platforms and languages are vulnerable (already archived at the Wayback Machine), including those based on Java, Tomcat, .NET, Ruby, PHP and more, to a greater or lesser extent. I have the impression that the list only includes big names, but presume platforms based on smaller names (ASP, Delphi, Objective C) are equally vulnerable.

Just read the articles on CERT 903934, oCERT 2011-003, Ars Technica, Cryptanalysis.eu, Heise (German), Hackillusion and the research paper published at 28C3.

A few quotes:

“This attack is mostly independent of the underlying Web application and just relies on a common fact of how Web application servers typically work,” the team wrote, noting that such attacks would force Web application servers “to use 99% of CPU for several minutes to hours for a single HTTP request.”

“Prior to going public, Klink and Wälde contacted vendors and developer groups such as PHP, Oracle, Python, Ruby, Google, and Microsoft. The researchers noted that the Ruby security team and Tomcat have already released fixes, and that “Oracle has decided there is nothing that needs to be fixed within Java itself, but will release an updated version of Glassfish in a future CPU (critical patch update).”

“The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request”

“We show that PHP 5, Java, ASP.NET as well as v8 are fully vulnerable to this issue and PHP 4, Python and Ruby are partially vulnerable, depending on version or whether the server running the code is a 32 bit or 64 bit machine.”

Microsoft seems to have been notified pretty late in the cycle, I presume because the researchers started with some platforms and only later realized the breadth of platforms involved.

The ultimate solution is to patch/fix the platforms using for instance a randomized hash function a.k.a. universal hashing.

Microsoft will provide a patch for ASP.NET later today, Ruby has already patched, and other vendors have done so already or will soon (please comment if you know of other platforms and patches).

The links this morning indicated there were no known attacks. That is (or maybe was) true for ASP.NET, but for PHP a public proof of concept of such a DoS has been published by Krzysztof Kotowicz (blog), with sources at GitHub and a demo HTML page.

Temporary workarounds (based on some of the links in this and the prior blog post, and the workarounds mentioned here and here):

  1. If you can: replace hash tables by more applicable data structures
    (I know this falls in the for-if anti-pattern category, but lots of people still use a hammer when a different tool works much better)
  2. Limit the request size
  3. Limit the maximum number of entries in the hash table
  4. Limit form requests only for sites/servers/etc that need it.
  5. Limit the CPU time that a request can use
  6. Filter out requests with large number of form entries

Some platforms have already applied temporary workarounds (I know of Tomcat, with a default maximum of 10000 parameters, and PHP, with a default max_input_vars of 1000; it looks like the ASP.NET fix will do the same).

Other platforms (like JRuby 1.6.5.1, CRuby 1.8.7 (comments) and Perl 5.8.1 in September 2003) fixed it the proper way.

Note: workarounds are temporary measures that will also deny legitimate requests. The only solution is to apply a fix or patch.
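As an added illustration, not from this post or from the 28C3 researchers, the Python below shows the O(n) versus O(n^2) insert cost from the description above, the keyed-hash fix (“universal hashing”), and workaround 3/6 (a cap on form entries like PHP’s max_input_vars). The sum-of-character-codes toy hash, the 1024-bucket table, the HMAC-SHA256 keyed hash and the sample keys are all constructed assumptions for the example.

```python
import hashlib
import hmac
import os
from itertools import islice, permutations
from urllib.parse import parse_qsl

# Toy hash, constructed for this illustration only: it sums the character
# codes, so every permutation of the same characters lands in one bucket.
# It stands in for any predictable, unkeyed hash, not for a real platform's.
def weak_hash(key: str) -> int:
    return sum(ord(c) for c in key)

# Keyed alternative (the "randomized hash function a.k.a. universal hashing"
# fix): a per-process secret makes bucket placement unpredictable to clients.
# HMAC-SHA256 is an assumption here, chosen for clarity rather than speed.
_SECRET = os.urandom(16)

def keyed_hash(key: str, secret: bytes = _SECRET) -> int:
    digest = hmac.new(secret, key.encode("utf-8"), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")

def longest_chain(keys, hash_fn, buckets: int = 1024) -> int:
    """Insert keys into a chained table and return the longest chain.
    Each insert walks its chain, so total work is the sum of chain lengths
    seen so far: O(n) when spread out, O(n^2) when all keys share one chain."""
    chains = [0] * buckets
    for key in keys:
        chains[hash_fn(key) % buckets] += 1
    return max(chains)

# Constructed sample input: 500 distinct form-field names that are all
# anagrams of each other, so weak_hash maps every one of them to one bucket.
SAMPLE_KEYS = ["".join(p) for p in islice(permutations("abcdefg"), 500)]

# Workaround from the post: cap the number of form entries per request
# (PHP's max_input_vars default of 1000 and Tomcat's parameter cap do this).
MAX_INPUT_VARS = 1000

def form_within_limit(body: str, max_vars: int = MAX_INPUT_VARS) -> bool:
    """Cheap pre-check run before any field is put into a hash table:
    parse_qsl returns a plain list, so counting it costs O(n), not O(n^2)."""
    return len(parse_qsl(body, keep_blank_values=True)) <= max_vars

if __name__ == "__main__":
    print("weak hash, longest chain:", longest_chain(SAMPLE_KEYS, weak_hash))
    print("keyed hash, longest chain:", longest_chain(SAMPLE_KEYS, keyed_hash))
    body = "&".join(f"k{i}=v" for i in range(1001))
    print("1001-field request accepted?", form_within_limit(body))
```

With the weak hash all 500 sample keys share one chain, while the keyed hash spreads them over the table; the field cap rejects the 1001-field request before any table insert happens.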

A major lesson learned today for a few people around me: when vendors start publishing “out of band” updates, do not trust a single third-party assessment that is still marked “initial investigation”; be diligent and do some further research.

–jeroen

PS: Just found out that most Azure users won’t need to manually apply a fix: just make sure your Hosted Service OS servicing policy is set to “Auto”.

Posted in .NET, ASP.NET, C#, Cloud Development, Delphi, Development, Java, PHP, Ruby, Scripting, Software Development, Web Development, Windows Azure | 6 Comments »