The TechEd 2004 presentations were online for a while. I now get a lovely 404...
Hitting the root now shows a password prompt instead of redirecting to the above url.
Even the PDC2003 slides now appear to be gone ("This content is no longer available online.")...
What's going on? :(
Update: Some slides are still available on MSDN, at least for Visual C# and ASP.Net (without any audio/video, at least for now).
The June edition of MSDN magazine has a very interesting Q&A that describes how teams inside Microsoft use Reflection (via).
The first half of that article explains how the Xbox Live team uses it along with dynamic MSIL generation to serialize and deserialize the packets of their network protocol to and from .Net classes. This approach lets them minimize the effort and the errors involved in adding new protocol messages.
The source code for the article is available as a working demo of custom serialization using this technique.
Here's a random idea I had while reading about Tivo giving away its Home Media option for free: what if you could order a pizza from your networked Tivo?
You can run interactive networked programs on a Tivo, like an RSS reader or a Caller ID notifier.
You can also order pizza from the command line.
Ordering pizza from your Tivo is just a matter of combining the two with a little Tivo GUI.
Tivo would remember your ordering options, so that subsequent orders are even faster. It could even analyze your order pattern and suggest/remind you to order a pizza before you watch your favorite sports event.
Update: The same idea could transpose to the X-Box.
I kind of wonder why the Tivo doesn't seem to support any kind of native plugin support (see myHTPC plug-ins or Microsoft's Media Center extensions).
The same idea could also extend to other tasks (like buying movie tickets).
But at the same time you don't want to re-create a browser. A possible solution would be for PizzaHut or MovieFone to not only offer html and wml versions of their websites, but also support a "10-foot interface" style.
The question is how to avoid having the user input personal data using a remote... Maybe the Tivo website could be used as a portal, and maybe also a single sign-in provider. Or the "TivoML" framework would allow the page to access the information cached in your Tivo with script, while being careful to keep the user in control of his private data.
Update (2005/02/19): still no pizza ordering from your Tivo (although it could be implemented using the Tivo SDK (HME))... but it just came to Everquest (type the "/pizza" command during the game).
Two different problems related to this topic were mentioned recently: Edward Felten on tracking emails with web bugs, and a CSS "exploit" that leaks information about the sites you visit.
Tracking email with a bug:
I had implemented a simple web bug for email two years back (an "InvisibleMailReceipt" plugin for Outlook). I didn't think this idea could support a business, but apparently two companies are using this concept (besides spammers).
The problems I ran into were that it would track my own IP as well (when I check the email in my Sent folder) and the IP would not give you enough information when the recipient shares the same corporate proxy as you. Also, Outlook now doesn't display the images by default. But in a more recent post Felten discusses the use of an iframe to implement bugs and bypass this filtering in Outlook. There is a good chance a stylesheet or a script link could also do the trick.
Leaking the visited site information:
Two links via HotLinks came by, describing a way to use the :visited CSS pseudo-class to find out what other sites you visited. It looks like a:visited { background-image: url(http://webbugurl); }, as explained in the Mozilla bug.
Although the exploit isn't new, it got some attention again.
Milo explains how to exploit this in IE, and Gemal has a running demo.
This "evil" slideshow website even relies on the exploit for its functionality ;-)
Update: DidTheyReadThis was declared illegal in France. Read bullet 6 "French privacy authority forbids mail-service" (via this french blog).
TypeKey is an online authentication service that provides a single sign-on (SSO) experience to the websites that support it.
My goal for this TypeKeySecurity C# library is to allow ASP.Net programmers to easily take advantage of this service.
Download the code (includes source, binaries, documentation and a demo).
The merits of SSO solutions can be argued (there is a trade-off between security and convenience), and those of TypeKey can be argued as well (in comparison to similar systems like Passport).
But I am convinced that for many personal and community sites using an SSO can make the developer's life easier (no need to re-implement the same code and DBs every time), as well as the user's (no need to register a new account for each site and remember all the passwords). TypeKey happens to be rather simple and open, which makes it a good choice.
Read the TypeKey FAQ for more info.
Documentation
Build
The source file includes build files for NAnt and VS.net 2003.
Three tasks are available for NAnt, "build", "doc" and "clean". Re-building the documentation ("doc") requires NDoc to be installed.
Deployment
Four simple steps ;-)
Sample web.config
Read the documentation online (CHM format).
Demo site
The demo site consists of four files:
Configure your web server to point to this directory and load the /default.aspx page in your browser, using your server's url. You should see a page with a link to log in.
Click it and sign in with a TypeKey account. You should be sent back to that page, which should now show the information for the user you logged in with.
The page sets a cookie so that the authentication persists throughout the session.
TypeKeyIdentity class overview
When the TypeKeyAuthenticationModule is hooked into your ASP.Net site, you can find out about the current user through the TypeKeyIdentity object, available as "(TypeKeyIdentity)Context.User.Identity;".
This identity object will tell you whether the user is currently authenticated, how long it has been since he was authenticated by TypeKey, his login name (the TypeKey unique identifier), his email address and his display name (nick).
For privacy protection, unless you specifically need the user's email, TypeKey will only provide you with a SHA-1 hash of the email. If you do need that information, the login prompt shows that the user's email address will be shared with your site.
TypeKey uses the login name as the unique identifier. But when you need to key your database on the user's ID, using a string may seem awkward. So the TypeKeyIdentity also exposes the MD5 hash of the login name for this purpose. It is a 128-bit value, which can be stored in MS SQL using the uniqueidentifier datatype.
Let me know if you know of a better way to derive a (smaller) numerical identifier from the login name :-)
Development story
I had taken a stab at the TypeKey protocol while it was in Beta. I just found out the official TypeKey protocol documentation was published (via Srijith's post).
The format for the signature was the main missing element. It uses DSA (Digital Signature Algorithm).
Signature format:
TypeKey returns the DSA signature in the format "<base64R>:<base64S>". But the DSA class in the .Net framework expects a single byte array.
Looking at Mono's code for DSA showed that .Net expects the byte array to contain R followed by S.
Since R and S both have a fixed size (20 bytes each for the 160-bit q used with SHA-1, so 40 bytes in total), the DSA implementation can split them apart internally when needed.
Reading the DSA public key:
The other problem with implementing the DSA signature check is that TypeKey provides its public key online using the format "P=<decimalP> Q=<decimalQ> G=<decimalG> pub_key=<decimalY>". But the crypto classes in the .Net framework need all these as byte arrays.
Mono solves this problem by implementing a BigInteger class in the Mono.Math namespace, which doesn't exist in the MS .Net framework.
I used their implementation for a while, but ran into signature problems that required me to declare the Mono.Security.dll in the machine.config (using <add assembly="Mono.Security, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=0738eb9f132ed756"/>). But I don't want people who use the TypeKey authentication provider to have to do that...
I chose to use Chew Keong TAN's implementation of BigInteger at the CodeProject.
Things would have been much easier if the public key (P,Q,G,Y) had been stored as binary with base64 encoding instead of decimal.
Security
Replay
The main security improvement that should be included in the protocol is making the signature site specific. Srijith discussed this risk: a signed authentication assertion issued for one site can be replayed to another. A trivial way to mitigate this is to have the signature apply to "<email>::<name>::<nick>::<ts>::<t>", where t is the token identifying the requesting site, so that a signature captured on one site fails verification everywhere else.
Single sign-out
I also think TypeKey should offer a single sign-out solution. Currently, if you log into two blogs, you get logged into those two sites and also the TypeKey site. But when you log out from one of the blogs, you get logged out of the TypeKey site, but not the other blog. This is a problem if you are using a public computer (say in a library or internet cafe).
Writing the code for the sign-out in this library was kind of a pain. The Passport sign-out seems more elegant and keeps urls cleaner. For TypeKey to implement a similar model, it would need to keep track of the sites you logged into within a session and store a "logout gif" url for each registered site.
Time skews
One more issue is pointed out in the TypeKey documentation: there should be minimal time skew between the TypeKey server and the site requesting the authentication. NTP can be used for that purpose. For example, I noticed that my own box has a 5 minute time difference with TypeKey. A large skew widens the window for the cross-site replay described above, and it is also a problem if you need very tight control over the time window you accept for authenticating users (which most TypeKey-enabled sites should not need).
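As an added example (not code from the TypeKeySecurity library or from TypeKey), here is a pure-Python model of the pieces discussed under "Signature format", "Reading the DSA public key", "Replay" and "Time skews": it parses the decimal P/Q/G/pub_key text into integers, turns "<base64R>:<base64S>" into the fixed-size R||S array the .Net DSA classes expect, binds the site token into the signed string so a response for one site cannot be replayed to another, and rejects timestamps outside a skew window before checking the signature. It assumes the signed data is "email::name::nick::ts" followed by the token, that each base64 half is the plain big-endian bytes of the integer, and that SHA-1 is the DSA hash; it generates its own toy key pair (512-bit p, 160-bit q) so it runs offline, and names such as verify_response and the sample user are the example's own.

```python
# Added example; not code from the TypeKeySecurity library or from TypeKey.  Assumptions: the
# signed data is "email::name::nick::ts" plus the site token (the fix proposed under "Replay"),
# each half of "<base64R>:<base64S>" is the plain big-endian integer bytes, SHA-1 is the DSA hash.
import base64, hashlib, secrets, time

Q_LEN = 20  # bytes per signature half: R, S < q, and q is 160 bits for SHA-1 DSA

def is_probable_prime(n, rounds=24):
    """Miller-Rabin for the large n used below; enough for a demo key, not production."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_dsa_params(p_bits=512, q_bits=160):
    """Toy domain parameters: prime q, prime p = k*q + 1, g = h^k mod p of order q."""
    q = 4
    while not is_probable_prime(q):
        q = secrets.randbits(q_bits) | 1 << (q_bits - 1) | 1
    while True:
        k = (secrets.randbits(p_bits - q_bits) | 1 << (p_bits - q_bits - 1)) & ~1
        p = k * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p):
            break
    g = 1
    while g == 1:
        g = pow(secrets.randbelow(p - 3) + 2, k, p)
    return p, q, g

def dsa_sign(params, x, digest):
    p, q, g = params
    h = int.from_bytes(digest, "big")
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (h + x * r) % q
        if r and s:
            return r, s

def dsa_verify(params, y, digest, r, s):
    p, q, g = params
    if not (0 < r < q and 0 < s < q):
        return False
    w, h = pow(s, -1, q), int.from_bytes(digest, "big")
    return pow(g, h * w % q, p) * pow(y, r * w % q, p) % p % q == r

def parse_typekey_public_key(text):
    """'P=<dec> Q=<dec> G=<dec> pub_key=<dec>' -> (p, q, g, y) as integers."""
    fields = dict(part.split("=", 1) for part in text.split())
    return tuple(int(fields[n]) for n in ("P", "Q", "G", "pub_key"))

def typekey_sig_to_rs(sig, q_len=Q_LEN):
    """'<base64R>:<base64S>' -> the fixed-size R||S array .Net's DSA verifier expects; going
    through int pads or trims each half to q_len bytes so a stray leading zero cannot shift the split."""
    r, s = (int.from_bytes(base64.b64decode(half), "big") for half in sig.split(":", 1))
    return r.to_bytes(q_len, "big") + s.to_bytes(q_len, "big")

def assertion(email, name, nick, ts, site_token):
    return "::".join((email, name, nick, str(ts), site_token)).encode()

def server_sign(params, x, email, name, nick, ts, site_token, q_len=Q_LEN):
    """Simulated TypeKey server: DSA-sign the site-bound assertion, emit '<base64R>:<base64S>'."""
    r, s = dsa_sign(params, x, hashlib.sha1(assertion(email, name, nick, ts, site_token)).digest())
    return ":".join(base64.b64encode(n.to_bytes(q_len, "big")).decode() for n in (r, s))

def verify_response(pubkey_text, email, name, nick, ts, sig, site_token, now=None, max_skew=300):
    """Relying site: reject a stale ts first (NTP keeps the window small), then check the signature."""
    now = int(time.time()) if now is None else now
    if abs(now - int(ts)) > max_skew:
        return False, "timestamp outside skew window"
    p, q, g, y = parse_typekey_public_key(pubkey_text)
    blob = typekey_sig_to_rs(sig)
    r, s = int.from_bytes(blob[:Q_LEN], "big"), int.from_bytes(blob[Q_LEN:], "big")
    digest = hashlib.sha1(assertion(email, name, nick, ts, site_token)).digest()
    return (True, "ok") if dsa_verify((p, q, g), y, digest, r, s) else (False, "bad signature")

def demo():
    p, q, g = generate_dsa_params()
    x = secrets.randbelow(q - 1) + 1
    pubkey_text = "P=%d Q=%d G=%d pub_key=%d" % (p, q, g, pow(g, x, p))  # the online key format
    who, ts = ("alice@example.org", "alice", "Alice"), int(time.time())  # constructed sample user
    sig = server_sign((p, q, g), x, *who, ts, "token-a")
    return {
        "genuine": verify_response(pubkey_text, *who, ts, sig, "token-a"),
        "replayed_to_other_site": verify_response(pubkey_text, *who, ts, sig, "token-b"),
        "tampered_nick": verify_response(pubkey_text, who[0], who[1], "Mallory", ts, sig, "token-a"),
        "stale": verify_response(pubkey_text, *who, ts, sig, "token-a", now=ts + 600),
    }
```

Running demo() shows the genuine response accepted and the three bad cases rejected: the same signature presented to a site with a different token, a tampered nick, and a response whose timestamp is ten minutes off. In a real deployment the key text would come from TypeKey's published key and the five fields from the redirect back to your site; Q_LEN stays 20 because the .Net verifier wants exactly 40 bytes regardless of how many bytes each base64 half happened to carry.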
TypeKey service dies
This is an undeniable risk. Either the uptime for TypeKey service is not good enough for your needs, or a terms of use change doesn't fit you, or the service disappears entirely...
The best mitigation I can think of is to store the user's email (cleartext or its SHA-1 hash; either lets you match an address the user later proves ownership of) along with the rest of the profile data you persist. This would allow you to migrate away from TypeKey by using ownership of an email address as the authentication mechanism.
Also, Stuart Parmenter is working on re-implementing a TypeKey authentication server (via Ted Leung).
Conclusion
I included a webcontrol to display a "sign-in/sign-out" logo, but I want to make it easier to tweak (CSS based), as well as provide nicer logos. I also want to provide some hooks and events in the authentication lifecycle for customization.
Since I don't run my own CVS server anymore, I started a project on SourceForge. It's called TypeKeyDotNet.
I hope you'll find this component useful. Let me know if you have questions or comments.
All feedback is welcome :-)
Links
My overview of the Passport web authentication protocol.
More on Passport sign-out.
Update: A CPAN Perl library to interface with TypeKey: Authen::TypeKey.
Some useful feeds scraped by varchars.
Update: Microsoft Research now offers RSS feeds as well. Check out Microsoft Research News and Headlines, Microsoft Research Downloads and Microsoft Research Publications.
Update: Ben Hammersley wrote a scraping script to expose FedEx package tracking as RSS. You can also get custom bootleg RSS for $2.