Andy's observations as he continues to attempt to know all that is .NET...

Monday, October 22, 2007

Mobile Bingo

Just couldn't help myself in writing a bingo caller for my Mobile phone the other week, you see it was my daughter's birthday and she wanted bingo at the party and my wife had decided the low tech approach of pulling numbers out of a bag was the way to go...I wasn't having it "I could write a .NET App for my phone in 10 minutes to do that" I said. Kind of brave since it was my first mobile phone app, I paid £300 for this phone so it just has to do more than just make calls...You know what a bit more than 10 minutes say 30 and I had it working...It just goes to show easy things have become these days....Im thinking of porting wack a mole now...although I'm not sure my touch sensitive screen will last...


You can download the app from here


Wednesday, October 10, 2007

WPF Extension method

I used my first extension method yesterday with WPF.  I wanted to bring a control to the foreground, that means changing its position in the child list to the last child.



  Parent.Children. Add(element);


What I would prefer to do is call SendToFront on the collection with the appropriate child.  Since I don't have any control over the type being used to hold the collection,  I would need to resort to extension methods to get a more object style syntax.  Resulting in the following code.


public static class UIElementCollectionExtensions


   public static void SendToFront(this UIElementCollection collection, UIElement element )







All this is well and good but it would have been virtually as elegant with an old fashioned static call on some Util class.    It then dawned on me why these are perhaps so useful, for me anyway I rely on intelli sense to see what I can do with a lot of the WPF controls, with any Util class methods I write I need to have knowledge of them, but with extension methods intelli sense can potentially pick them up.  So I refactored my code once more into a separate assembly, but placing the code into the System.Windows.Controls namespace, thus whenever I use WPF controls and reference my additional extension assembly I get my new methods.  On a large scale project I can see how this could be aid productivity.


However there is something smelly about placing my code into someone else's namespace so on reflection I think it would be far nicer to place all my extension methods inside my own namespace, and just make sure I bring them into scope by using my extension namespace.

Thursday, October 04, 2007

Too much reliance on encryption

A friend of mine was telling me recently how safe manufactures grade their safes, they don't simply say this is unbreakable/uncrackable ( only a fool would say that ). What they do say is that they say you need X amounts of TNT or N hours to crack this safe, clearly limiting their liability you may think, but actually its useful and practical information to anyone who has a safe. Firstly they know that there are no guarantees, but they also know what level of additional security they may need to layer on to get closer to full peace of mind. In the case of the fact that it takes 2 hours to crack the safe the owner could employee a security guard to patrol the safe location every 1 hour, hopefully not creating a window of opportunity for the cracker to do the deed. When you want to secure digital data similar considerations need to be taken into account.

Ive recently been involved with debating the security of biometric systems used in schools with a biometric firms Principal Sales Engineer based in the US. The issue we have as a group is that whilst Im sure all measures today are being take to secure the data in terms of encryption technology, the plain fact remains that history has shown us that what ever cryptography we used today is likely to be compromised in a reasonable time frame say 5-10 years. Therefore when we encrypt any sort of date we need to be aware of this since if the data has uses outside this time window then clearly we cannot rely just on this means of security.

At this goes to the very heart of the debate in biometrics in schools, the Engineer in question dismissed are complaints about encryption technology not being adequate for 10 years plus by first acknowledging this fact ( which is a great step forward ),

"I personally believe their will be another breakthrough in the next 10

to 15 years. Whether is it quantum computing or the DNA processor they

have been working on for the last 10 years. They can now beat a person

in tic tac toe. 5 years ago they could count to 10 with 80 percent

accuracy. They are much faster because they don't have to calculate

they just know the answer. But it is going to be a while and belive it

or not there are higher levels of encryption out there. There are 512

and even 1028 based encryption. Like the computer industry, there is

always someone out there building a stronger based encryption."


Further that statement shows that the industry as a whole knows we need stronger encryption because we know its only a matter of time for it to be broken, but he then goes on to say that

"As I said above the great thing about using encryption on keys and or

files is the fact that if there is a problem with a key or the actual

encryption you can encrypt the info with a better encryption or even

encrypt the encryption such as is done with 3 DES. It is DES encrypting

DES encrypting DES. The US government went from a standard of 3 DES to

AES 256. Not because 3 DES had been broken…. It has not. But because

they saw there were some weekensses that could be exploited and maybe in

the next 10 years or so it may be broken. Now do you think that all the

info that they have stored in 3 DES is still in 3 DES… I think not.

They reencrypted it in the new standard."


Whilst this is all well and good there is a piece to this solution that makes the US government solution ok but not for the average school. In that it relies on the fact that the person who is responsible for the re-encryption has guaranteed sole access to the data, in other words no one has taken an illicit copy, or more likely has some backup media, or an old hard disk. Whilst I can imagine that the US government has plenty of physical security measures in place to make sure they own the only copy of the data, I can't imagine that the average school will have similar system in place, and let's be realistic they can't with theft being the obvious one.


In fact I encountered a similar experience when working for Cisco, we were trying to pitch wireless networking to a large bank. Whilst they accepted the notion that the encryption technology we had chosen prevented illegal access to the network, we could not demonstrate to them that any data sniffed off the network could not be decrypted in a time frame that still made the data useful to an outsider. These guys were smart and did truly understand the nature of securing the business data.

So to summarise a responsible biometric manufacture would secure biometric data as best they can today, but once the software has been deployed if that data is to be truly secure it needs have sufficient physical security measures in place provided by the owner to ensure that in the future the encryption based solution still has adequate merits, the moment you do not have complete ownership of the data all bets are off...and by their own admission the biometric provider in this case said their guarantees is for appx. 10 years, in the case of biometric data for kids that data is sensitive for 60-70 years.





About Me

My photo
Im a freelance consultant for .NET based technology. My last real job, was at Cisco System were I was a lead architect for Cisco's identity solutions. I arrived at Cisco via aquisition and prior to that worked in small startups. The startup culture is what appeals to me, and thats why I finally left Cisco after seven years.....I now filll my time through a combination of consultancy and teaching for Developmentor...and working on insane startups that nobody with an ounce of sense would look twice at...