Hashing: The Iterative Hash
One great technique out there is what is known as the iterative hash. This is simply taking the hash of some data, hashing the resulting hash, and then hashing that hash again. A pseudo-code example of this: string hash = sha256('data' + 'salt'); hash = sha256(hash); hash = sha256(hash); ...etc. Doing this many times (maybe 1,000-10,000 times) makes the hash far more expensive to crack, because every guess an attacker makes has to repeat the same number of rounds. If an attacker steals your hash and finally cracks it...
It is not a great day to look for work in Edmonton
Well, back in e-town we have hit our cold spell like we always do. I decided to check the weather out and saw a great ad from Workopolis above the weather. I will leave it for you to decide if "It's a great day to look for a new job in Edmonton".
Victoria Code Camp Materials
Here is the website and slides used in both talks (Cryptography So Easy A Goat Could Do It and Website Hacking 101 - SQL Injection Attacks and Cross Site Scripting). Both presentations used the same site and database so I have included everything as one bundle (including the slides).
Injection Attacks And Cryptography.zip
HTML 5 Draft Released
The long-awaited HTML5 draft is out. I had a quick look and it looks to be more about deprecating old things than anything else.
Some absent tags of note: center, u, strike, frame, frameset, and noframes (frames are removed due to accessibility issues... and they were always a pain to work with too).
A lot of other attributes have been removed that are now handled (and handled better) by CSS. Some of these are bgcolor, align, valign, background, cellpadding, and cellspacing, to name a few.
A lot of the new stuff revolves around media. There is the addition of a videa...
Hashing For Passwords
As mentioned in "Hashing - The Basics", I felt that a separate post on hashing for passwords was required. Principle: The principle of storing hashed passwords is fairly simple and can be described in these steps: when an account is created the plain-text password is entered; the password is run through a hashing algorithm; the output of the hash is stored; when the user logs in they enter their plain-text password again ...
Common Home Router Exploit (UPNP enabled routers only)
The concept of Universal Plug and Play (UPNP) is a great idea but for some reason always frightened me... and now I see why. For a bit of background, UPNP is a protocol that is meant to allow network devices to seamlessly connect and configure themselves. A good example of this is on home routers when you use the file sharing feature in MSN. When you send someone a file your computer opens a port up and instructs the recipient to connect to your computer on port x and download that file. If you are behind a home...
Speaking at Victoria Code Camp
I will be doing two talks at the Victoria Code Camp on January 26th.
My first talk is titled "Cryptography So Easy A Goat Could Do It". This is an intro into cryptography including hashing, symmetric, and asymmetric encryption. I will be talking about a lot of best practices and comparing the differences between algorithms available in the .NET framework.
My second talk has the much more boring title of "Common Web Site Exploits and How To Protect Against Them". In this one we will hack a sample site using common techniques and then look at how to lock the site...
Hashing - The Basics
Hashing has been a long-used technique to store and validate information. Hashing is the function of applying a translation to a string to generate a unique (and replicable) fingerprint of the data (often referred to as a checksum). For example, the string "Hello World" produces the hash b10a8db164e0754105b7a99be72e3fe5 ...
New Year - New Direction
I have always tried to write my blog towards the common developer (aka the intermediate programmer). I feel that these are the often-neglected programmers: experienced enough to do some things on their own but not experienced enough to do everything on their own. So I started writing little tips and notes with those developers in mind. I have really enjoyed seeing my readership grow to people all over the world. In a former life I used to do security work on the networking side and really enjoyed it. I have found that passion with security on the...
Tortoise Global Ignore
One of the annoying things I have found with using Tortoise SVN is that I always have to exclude the bin, obj, and .suo files that are unique to each machine. Even if I did that, someone else on my team might forget, which just makes it a huge pain. I thought there must be a better way, and sure enough there is a global ignore setting in the Tortoise settings panel (just right-click on any folder and select TortoiseSvn -> Settings). Right on the front page I noticed the global ignore setting:
So far my global pattern is:
...