Jim Kita's MS Architecture Blog

Best Practices in Enterprise Application Architecture from an MS perspective.

Friday, September 03, 2010

Pardon me if this is a “duh” topic, but it was new to me and so may be new to other developers too, so… The registry has changed under 64-bit Windows, presumably starting with 64-bit Windows Server 2003 and 64-bit Windows XP. As a result, there is a different view of the registry for 64-bit applications and 32-bit applications. According to the documentation:

“To support the co-existence of 32-bit and 64-bit COM registration and program states, WOW64 presents 32-bit programs with an alternate view of the registry. 32-bit programs see a 32-bit HKEY_LOCAL_MACHINE\Software tree (HKEY_LOCAL_MACHINE\Software\WOW6432Node) that is completely separate from the true 64-bit HKEY_LOCAL_MACHINE\Software tree.”

The Microsoft.Win32.RegistryKey library, predictably, runs as a 32-bit application. You can safely add, read and remove keys and entries with this library, and they will be mapped to the “WOW6432Node” transparently for you.

Things get hinky when using the regedit tool to add or remove keys/entries. The default version of regedit is a 64-bit application and therefore has access to all registry entries, but with a 64-bit view. If you add an entry in the path that you are accustomed to, either manually or through a script, the item will appear only to 64-bit applications, and therefore will NOT be visible to the .NET application that makes use of the Win32 library. One has two options for working around this behavior. If you are aware of the “WOW6432Node” you can mentally make your changes under that node and/or modify your scripts to include that path. Alternatively, there exists a 32-bit version of regedit that acts and behaves like a 32-bit application, with all 32-bit keys properly mapped. You may access this version of regedit with the following command:

“%systemroot%\syswow64\regedit”

Obviously this version is only available on 64-bit OSes, and you must close the 64-bit version of regedit before opening the 32-bit version. So by using the 32-bit version of regedit all of your existing scripts and .NET applications will remain compatible with 64-bit versions of Windows, which is the approach that I prefer.
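As an added illustration (not code from the original post), the RegistryView enumeration that shipped with .NET Framework 4.0 lets an application name the registry view explicitly rather than relying on the process-bitness mapping described above, which is handy for checking whether a script wrote a key to the tree the application actually reads. The key path and value name below are placeholders, not real product keys.

```csharp
using System;
using Microsoft.Win32;

// Added example: reads one value through the 32-bit, 64-bit and default views so a
// .NET application can tell which hive a registry script actually populated.
static class RegistryViewDemo
{
    const string SubKey = @"SOFTWARE\ExampleVendor\ExampleApp"; // placeholder path
    const string ValueName = "InstallDir";                        // placeholder value

    // On 64-bit Windows, RegistryView.Registry32 resolves HKLM\SOFTWARE to the
    // WOW6432Node tree and RegistryView.Registry64 to the native 64-bit tree.
    // RegistryView.Default follows the bitness of the running process, which is
    // the behaviour the post describes. Requires .NET Framework 4.0 or later.
    static string ReadValue(RegistryView view)
    {
        using (RegistryKey baseKey = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
        using (RegistryKey key = baseKey.OpenSubKey(SubKey, writable: false))
        {
            if (key == null) return null;          // key does not exist in this view
            return key.GetValue(ValueName) as string;
        }
    }

    static void Main()
    {
        Console.WriteLine("64-bit process: " + Environment.Is64BitProcess);
        Console.WriteLine("64-bit OS:      " + Environment.Is64BitOperatingSystem);
        Console.WriteLine("32-bit view:    " + (ReadValue(RegistryView.Registry32) ?? "<not found>"));
        Console.WriteLine("64-bit view:    " + (ReadValue(RegistryView.Registry64) ?? "<not found>"));
        Console.WriteLine("Default view:   " + (ReadValue(RegistryView.Default) ?? "<not found>"));
    }
}
```

If the value shows up only in the 64-bit view, the script that wrote it ran with the 64-bit regedit and a 32-bit application will read nothing, which is exactly the failure mode described above.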

Wednesday, February 24, 2010

PTPT, and if you say it just right it comes out petit petit (petit being the French word for small).  But the Petit Petit touch screen user interface out of Germany will have no small impact on computing.  This blog is not at all about user experience because there are much better sources for that type of content.  But having said that, application architecture fails if it does not incorporate an effective user experience.  So, having seen lots of bad and not-so-good user interfaces, when a brilliantly intuitive user interface concept comes along, I have to evangelize about it.  Simply put, Petit Petit breaks ground by categorizing ALL of your digital information (pictures, music, documents, email, etc.) into four dimensions (people, things, places and time) and allows you to manage that data based on the associations between the dimensions.  As a very brief example, to find that email from Johnny from last November, you drag the contact of Johnny over to email, then up to the timeline near Nov, and up pops your filtered list of emails around that timeframe.  Even discounting the touch aspects of this project, the realization that data can be organized in such a clear, concise manner could lead to effective interfaces for the other projects that I am working on.  For more information, go watch the video.

Tuesday, February 16, 2010

As an update to my earlier blog entry, I noticed this afternoon that Microsoft has opened the Pivot project to public beta.  It is a rich client application and as such it requires a client-side download and install.  The hardware/software requirements are very steep too, so make a note of that if you are seriously considering this tool.  It is, though, a very interesting application and I can see several uses for this software, including my current project.  You can view a collection in many different ways along any one of the pre-defined “facets.”  The definitions of the collections are defined by an XML file which is documented here.  It should be pointed out that the installer imports browser favorites and history during the installation process.  This is so that it can depict your history as another collection type.  Overall, I find the experiment to be useful for certain types of data-mining applications.

Wednesday, February 03, 2010

More precisely, users will do things to your application that you never expected or intended.  But for the most part these users are not evil.  There is, though, a small subset of users who are actively attempting to corrupt your Web application, and they will more likely than not find a way to do so.  A blog over at SANS points this out:  Client Side Input Validation is Evil.  Again the title overstates the problem, but if your application relies ONLY on JavaScript validation (AJAX or otherwise), your application is seriously weak.

This is not to say that client side validation does not have its place.  Most ordinary Web users appreciate being warned of errors before being sent on a round trip to the server and back.  But please, please do not make the assumption that what comes in through HTTP has first passed through your JavaScript library.  Once we understand that a miscreant will bypass your Web form entirely, it becomes clear that any validations that you perform on the client side must also be reproduced on the server.  It’s a given and something that I wished more frameworks/libraries would simplify.
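One way to get the "define it once, enforce it on the server" behaviour the closing sentence asks for, written here as an added C# example rather than code from the post: a single rule table generates the courtesy JavaScript for the browser and drives the authoritative server-side check. The FieldRule type, the field names and the patterns are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.RegularExpressions;

// Added example, not code from the original post. One rule table drives both the
// JavaScript sent to the browser and the server-side check, so the server never
// depends on the client having run that script. Field names are constructed.
sealed class FieldRule { public string Name; public int MaxLength; public string Pattern; }

static class FormValidation
{
    // Constructed rules for a hypothetical "new customer" form. Patterns are
    // anchored and free of nested quantifiers so they are cheap to evaluate.
    public static readonly FieldRule[] Rules =
    {
        new FieldRule { Name = "zip",   MaxLength = 5,  Pattern = @"^[0-9]{5}$" },
        new FieldRule { Name = "email", MaxLength = 64, Pattern = @"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$" },
    };

    // Client-side check: a courtesy for honest users, never a security control.
    public static string ClientScript()
    {
        var sb = new StringBuilder("function validate(f){");
        foreach (var r in Rules)
            sb.AppendFormat("if(f['{1}'].value.length>{2}||!/{0}/.test(f['{1}'].value))return false;",
                            r.Pattern, r.Name, r.MaxLength);
        return sb.Append("return true;}").ToString();
    }

    // Authoritative check: runs on every request, whether or not a browser or the
    // form was involved. Returns the names of the fields that failed.
    public static List<string> ServerValidate(IDictionary<string, string> post)
    {
        var failed = new List<string>();
        foreach (var r in Rules)
        {
            string value;
            bool ok = post.TryGetValue(r.Name, out value) && value != null
                      && value.Length <= r.MaxLength && Regex.IsMatch(value, r.Pattern);
            if (!ok) failed.Add(r.Name);
        }
        return failed;
    }

    static void Main()
    {
        // A request built with a raw HTTP client never executes validate() at all.
        var post = new Dictionary<string, string> { { "zip", "123456" }, { "email", "a@b.example" } };
        Console.WriteLine("Failed fields: " + string.Join(", ", ServerValidate(post)));
    }
}
```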

Tuesday, January 26, 2010

For as long as it has been available, I have recommended the Microsoft Anti-Cross Site Scripting Library for internet development because it is a valuable tool to assist developers in mitigating one class of common security threats.  As important as this tool is, I was always a bit disappointed that it only went part way in handling the wide variety of threats our applications are exposed to.  As a result, I was excited to learn that the next version of the Anti-XSS Library will be completely revamped and renamed.  The new name is the Web Protection Library (WPL).  Besides being easier to say, the library will maintain mitigation for Cross Site Scripting and add protection for the following types of attacks:

  • SQL Injection
  • Cross-Site Request Forgery (CSRF)
  • Setting Enforcement like SSL & HTTP_ONLY cookies
  • Security Runtime Engine for SQL Injection & XSS
  • Among others

The library, which was announced here, is currently in a state of CTP and Microsoft does not advise its use in production.  But to my mind you have one of three choices:  (1) Don’t mitigate for web application threats, (2) write your own library and risk making as many (or more) implementation errors as the MS Security Tools team or (3) take their work in progress with a reasonable expectation of features and performance but getting a lot from your investment.

If you are doing web development, please look at the WPL now.

Monday, January 11, 2010

So I am looking at the calendar on my desk and it is telling me it is 01/11/10.  This number fascinated me because it is a palindrome meaning it is the same backwards and forwards.  After staring at it a bit more, I realized it was composed of only 1s and 0s which means it could also be construed as a binary representation.  So I wish you all a very happy 0x1e day.  I am sure this will happen somewhat frequently in the next two years or so, but it was the first realization of the phenomenon for me.

Thursday, November 19, 2009

Within the world of Business Intelligence and Analytics, data analysis can only be automated so far, and manual analysis is often required to add an important component of human intelligence.  To that end, data visualization is a useful, if not critical, tool for absorbing and understanding large amounts of data.  So it came as a bit of a surprise that Microsoft’s Live Labs has a research project called “Pivot” intended to help visually analyze data patterns on a Web scale.  What intrigues me the most about this project is that, while it is intended to operate at “Web scale,” it would appear to be able to scale down to handle any size data set as long as it can be organized into “Collections,” even if the collections represent business data like customers and product orders.  While the project is very limited at this time, the sample video teases a user interface that is very intuitive for any user comfortable with Web 2.0 technologies.

Has anyone worked with this technology yet?

Thursday, October 01, 2009

Are you using the Microsoft AJAX framework with your ASP.NET application and are worried about the cost to maintain and serve up the JavaScript library components alongside your application code?  Well, Microsoft just introduced the Microsoft AJAX Content Delivery Network.  They host, maintain and serve the AJAX JavaScript library on their servers, and you can point to their library files at ajax.microsoft.com from within your application <script> tags.  Right now it appears to be limited to AJAX Beta 09/2009 related library files, but this is good news for limiting your server bandwidth and improving overall security.

Wednesday, September 16, 2009

As a follow up to my blog post from yesterday, I noticed that the Internet security vendor Websense also released a report on the state of Internet security [PDF] that largely confirms the SANS report discussed previously.  The two take-away quotes that I found most interesting were:

“61 percent of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.”  and

“With their large user base, good reputations and support of Web 2.0 applications, these sites provide authors of malicious code with abundant opportunity to easily reach a wide number of victims with their attacks.”

Tuesday, September 15, 2009

There are glimmers of good news to be found in the newly published SANS report on The Top Cyber Security Risks which is an exhaustive survey of attack data collected from the intrusion prevention systems of over 6000 organizations.  But the report reveals how gaps in organizational security policies lead directly to an avalanche of critical weaknesses in the IT infrastructure.  As a result, this report should be considered a must read for anyone involved in information security.

On the client side, the report indicates that no new widespread worms on the order of Conficker/Downadup have been detected in the wild.  Nonetheless, attacks on the OS vulnerabilities that lead to worm-type malware have tripled from early summer to late summer, giving the indication that the miscreants are not giving up on attacking operating systems.  More troubling, though, is the rise in attacks on vulnerabilities in common applications like Adobe Reader, QuickTime, Adobe Flash and Office.  Given that organizations take twice as long to patch these applications as they do to patch the OS, SANS observes that “the highest priority risk is getting less attention than the lower priority risk.”  IT organizations are aware that attacks on application vulnerabilities often occur through the exploitation of targeted email attachments as well as “drive by” attacks over the web by visiting nefarious sites intentionally hosting malware.  Unfortunately, the report makes clear that the IT security picture is more complicated, since numerous trusted internet sites have been compromised so as to surreptitiously become a host and attack vector for malware.  This leads directly to the SANS findings on the server side.

The SANS report indicates that a staggering 60% of attacks detected in the wild are directed at Internet-facing web applications.  These attacks are not only directed at information disclosure vulnerabilities, but also have the intention of altering the public-facing application to become a new stealth malware host.  Both open source web application frameworks and custom applications are actively being targeted using the well known techniques of SQL Injection and Cross Site Scripting.  A successful attack on an organization’s public-facing web site will exploit the trusted relationship the company has with its customers to distribute malware to those same customers.  Since the report observes that “most web site owners fail to scan effectively for the common flaws,” the situation is becoming more widespread.  To me, as an architect of web-based enterprise applications, the report clearly shows that the attention paid to threat modeling and remediation on public-facing applications can no longer be considered optional; rather, they are important factors that must be considered at every point of the software development lifecycle.

In conclusion, the SANS report is a great snapshot of the current threat to Internet security.  Fortunately, the report concludes with references and recommendations for steps to remediate and control the top security risks identified in the report.  As a result, this report should be read and digested by anyone involved in internal or external information security.

[This article first appeared on the Analysts International corporate blog.]
