That's ASCII, not hex: An article on wardriving raises security hackles by repeating some slightly overheated statements about Wi-Fi security. The article opens with a 63-character ASCII WPA passphrase, which is later described as "hex." (ASCII passphrases in WPA can be up to 63 "printable" characters - ASCII 32 to 127 - while a hex version of a 256-bit TKIP or AES password is 64 hexadecimal digits long.) The article tries to conflate Wi-Fi attacks that led to the largest set of breaches in retail credit-card systems and wardriving, a hobbyist activity that's never been looked on very favorably by law enforcement. The sense of ennui of wardriving pioneers is pretty clear; when Wi-Fi is everywhere and generally secured, it's far less interesting. The wardriver in the article convinced the reporter that a maximum-length WPA passphrase stored on a USB drive for automatic use was the best way to go. But, really, 20 characters containing letters and punctuation and no words found in a dictionary along with changing your network's SSID (network name) provides all the security you'll ever need for a home or small business. (If you need more, deploy WPA/WPA2 Personal.)

Green Wi-Fi's Senegal efforts hit snags: The folks at Green Wi-Fi are well motivated, and they're running up against all forms of security theater and bureaucracy both here and in Senegal, where they have an active project. The San Francisco Chronicle notes the group's effort to build solar-powered, self-sustaining Internet access via mesh networked nodes. Getting devices out of the country, clearing customs in Senegal, and hooking up their solar system all hit problems they're working through. As with the One Laptop Per Child program, I see a "build it and they will come" mentality in Green Wi-Fi's mission statement: the notion that providing computing power and Internet access will result in good things, rather than an effort to figure out what good things need to be achieved, and whether computers and the Internet will assist.

Bind("AmountCharged", "{0:C}")

While this displays just as you'd expect (e.g., $200), it doesn't do so well when you submit an edit that includes the same value ($200):

Input string was not in a correct format.

I searched around and didn't find much in the way of a clean solution, but I did solve the problem with just a few lines of code. The trick is to handle the data-bound control's Updating event. Since I was working with a GridView, my solution looked a bit like this:

<asp:GridView DataSourceID='myDataSource'
              OnRowUpdating='FixFormatting'
              AutoGenerateColumns='false'
              CellPadding="3" ...>

Notice the OnRowUpdating handler that I've installed in my grid view. That code looks like this:

protected void FixFormatting(object sender, GridViewUpdateEventArgs args)
{
    decimal amountPaid = ParseDecimal((string)args.NewValues["AmountPaid"]);
    args.NewValues["AmountPaid"] = amountPaid;
}

When you handle this event, you're given a dictionary of old and new values, which appear to come directly from the controls (in my case, a TextBox was used to gather the updated data AmountPaid, so the type of object that I found in NewValues["AmountPaid"] was a string. I wrote a little helper method called ParseDecimal that parses a string into a decimal value, allowing currency characters, decimal points, and thousands separators. I also allowed a blank value to indicate zero:

public static decimal ParseDecimal(string value)
{
    if (string.IsNullOrEmpty(value))
        return 0;
    return Decimal.Parse(value,
        NumberStyles.AllowThousands |
        NumberStyles.AllowDecimalPoint |
        NumberStyles.AllowCurrencySymbol,
        CultureInfo.InstalledUICulture);
}

This solved the problem quite nicely. Now two-way binding works with formatted data.

Is there security needed between virtual machines?  Some say no, some say yes.  I've been out talking to a number of virtualization users and non users on this topic and I'm finding that some say no and some say yes.  The users of virtualization technology tend to say yes while others looking at virtualization from the outside tend to say no.  Why is this?

Well, I thought I'd blog on my thoughts on this!

You see, in the physical datacenter there is no firewalling between servers plugged into the same switch and because of this some people think, well if its not done in the physical world why should it be done in the virtual world.  I believe that its not done in the physical world today because there are no solutions today that embed security into datacenter switches.  Should it be done in the physical world?  I think so!  It never hurts to get security as close as possible to the things you are trying to protect and what better place than the switch port in which the critical asset are connected to.  This is why people have HOST BASED FW/IPS ON SERVERS!  To get security as close as possible!  Is that needed? 

So my first response to those that say, security between virtual machines is not needed because its not done in the physical world is:  Well, just because people have done things one way for many years doesn't mean there isn't a better way.

Would environments be more secure if there was security between servers?  I tend to think so.  You see, many of the attacks that are taking place these days are not attacks for fame but attacks for fortune and gone are the days where people just hacked to spread nasty viruses.  Its all about the data these days (ie. credit cards, social security numbers, etc).  We've all heard about the TJ Max security breach where customer data was compromised and many others like banks that have had credit cards compromised. 

How and the heck do you think most of these things happened?  Attackers are targeting the datacenter these days.  Physical or Virtual.  Their gateway into these environments are the Web Front End Servers.  Let me say that again.  The Web Front End Servers!  Hackers get to the data from the web front end server that talks to the database backend server.  This useually occurs by something called "Cross-Site Scripting" or "SQL Injection" breaches. 

Here is a trival way of how this happens:

A hacker finds a vulnerable web site.  He sometimes does this by something called Google Hacking.  He uses Google to search for sites that has vulnerabilities on it.  Say a web site has some content on one of the pages that says "Powered by Drupal 4.1".  If a hacker knows that Drupal 4.1 software has a vulnerability in it, he can now target all the search results related to this.  Click Here for more detail.

Now lets say Drupal 4.1 on a web site has a SQL-Injection vulnerability because the developer of the Drupal software didn't do Form Field Validation properly.  A Form field is something you fill out on a web page like a form that asks for the user name and password.  User names and passwords to log into the web site are stored on whats called a Database Server.  Hmmm... So this means the web server needs to talk to the database server right?  Yes!  Keep this in the back of our head for now.  The hacker enters in "Admin" for the user ID and "password doesn't matter 'or 1=1--" for the password.  And presto!  He is logged in to the server as Admin.

The reason he was able to log in is because the web site sends a SQL Database command to the Database server and because the developer of the Drupal software didn't do "Form Field Validation" properly (method of checking for invalid characters like the ' (single quote)  symbol), the user was able to bypass the password.  Notice the 'OR 1=1 command appended to the password.  One does equal one so therefore it will return a TRUE result to the password checker and the OR says use the password typed in (password doesnt matter) OR check to see if one is equal to one.  If its true then the password is valid for this user which is Admin.

Now that the user is on the web server, he probably has the ability to connect to the database server or other servers in the network.  Why?  Because there is connectivity from the web front end to all of the backend servers.  He essently can backdoor his way throughout the network.

Another method is for him to append some SQL statement to another SQL statement.  Lets say their is a FORM FIELD on the website that collects some information from the database to display it to web site users.  It could be entering in the Zip code to find store locations in your area.  Instead of putting in the zip code you could put in "95123 'UNION SELECT * FROM credit_card_table--".  The hacker is injecting via the UNION command (which means join one SQL statement with another one) a command that says grab all (via the asterisk) information out the credit card table.

Lastly, the hacker can use the UNION command to write text of his desire to a text file on the database server.  He may write some nasty code, tell the database to write the code to a file and then tell the server to execute that file.  The code could be used to do a denial of service attack to the other virtual machines or whatever.  The possibilities are endless!!

Anyway, these are high level examples.  I think you get the point.

The Web Front End Virtual Machine has a need to talk to the Web Back End Virtual Machine and security such as Firewalling, Intrusion Prevention definately needs to be in place to have a higher level of security.

Another reason to have security between virtual machines is because servers are now mobile in the virtual world.  They move between trust domains to take advantage of computing resources that may be available on a given piece of hardware.  Lets say one PHYSICAL server was hosting database VM's and another PHYSICAL server was hosting file server VM's.  The file server VM could VMOTION to the same environment as the database VM's.   Now where is your isolation between trust domains or unlike resources?

People should think about this problem in greater detail.  I'd love to hear everyones comments as to whether or not they think security between VM's is needed.

John Peterson
Montego Networks

Is there security needed between virtual machines?  Some say no, some say yes.  I've been out talking to a number of virtualization users and non users on this topic and I'm finding that some say no and some say yes.  The users of virtualization technology tend to say yes while others looking at virtualization from the outside tend to say no.  Why is this?

Well, I thought I'd blog on my thoughts on this!

You see, in the physical datacenter there is no firewalling between servers plugged into the same switch and because of this some people think, well if its not done in the physical world why should it be done in the virtual world.  I believe that its not done in the physical world today because there are no solutions today that embed security into datacenter switches.  Should it be done in the physical world?  I think so!  It never hurts to get security as close as possible to the things you are trying to protect and what better place than the switch port in which the critical asset are connected to.  This is why people have HOST BASED FW/IPS ON SERVERS!  To get security as close as possible!  Is that needed? 

So my first response to those that say, security between virtual machines is not needed because its not done in the physical world is:  Well, just because people have done things one way for many years doesn't mean there isn't a better way.

Would environments be more secure if there was security between servers?  I tend to think so.  You see, many of the attacks that are taking place these days are not attacks for fame but attacks for fortune and gone are the days where people just hacked to spread nasty viruses.  Its all about the data these days (ie. credit cards, social security numbers, etc).  We've all heard about the TJ Max security breach where customer data was compromised and many others like banks that have had credit cards compromised. 

How and the heck do you think most of these things happened?  Attackers are targeting the datacenter these days.  Physical or Virtual.  Their gateway into these environments are the Web Front End Servers.  Let me say that again.  The Web Front End Servers!  Hackers get to the data from the web front end server that talks to the database backend server.  This useually occurs by something called "Cross-Site Scripting" or "SQL Injection" breaches. 

Here is a trival way of how this happens:

A hacker finds a vulnerable web site.  He sometimes does this by something called Google Hacking.  He uses Google to search for sites that has vulnerabilities on it.  Say a web site has some content on one of the pages that says "Powered by Drupal 4.1".  If a hacker knows that Drupal 4.1 software has a vulnerability in it, he can now target all the search results related to this.  Click Here for more detail.

Now lets say Drupal 4.1 on a web site has a SQL-Injection vulnerability because the developer of the Drupal software didn't do Form Field Validation properly.  A Form field is something you fill out on a web page like a form that asks for the user name and password.  User names and passwords to log into the web site are stored on whats called a Database Server.  Hmmm... So this means the web server needs to talk to the database server right?  Yes!  Keep this in the back of our head for now.  The hacker enters in "Admin" for the user ID and "password doesn't matter 'or 1=1--" for the password.  And presto!  He is logged in to the server as Admin.

The reason he was able to log in is because the web site sends a SQL Database command to the Database server and because the developer of the Drupal software didn't do "Form Field Validation" properly (method of checking for invalid characters like the ' (single quote)  symbol), the user was able to bypass the password.  Notice the 'OR 1=1 command appended to the password.  One does equal one so therefore it will return a TRUE result to the password checker and the OR says use the password typed in (password doesnt matter) OR check to see if one is equal to one.  If its true then the password is valid for this user which is Admin.

Now that the user is on the web server, he probably has the ability to connect to the database server or other servers in the network.  Why?  Because there is connectivity from the web front end to all of the backend servers.  He essently can backdoor his way throughout the network.

Another method is for him to append some SQL statement to another SQL statement.  Lets say their is a FORM FIELD on the website that collects some information from the database to display it to web site users.  It could be entering in the Zip code to find store locations in your area.  Instead of putting in the zip code you could put in "95123 'UNION SELECT * FROM credit_card_table--".  The hacker is injecting via the UNION command (which means join one SQL statement with another one) a command that says grab all (via the asterisk) information out the credit card table.

Lastly, the hacker can use the UNION command to write text of his desire to a text file on the database server.  He may write some nasty code, tell the database to write the code to a file and then tell the server to execute that file.  The code could be used to do a denial of service attack to the other virtual machines or whatever.  The possibilities are endless!!

Anyway, these are high level examples.  I think you get the point.

The Web Front End Virtual Machine has a need to talk to the Web Back End Virtual Machine and security such as Firewalling, Intrusion Prevention definately needs to be in place to have a higher level of security.

Another reason to have security between virtual machines is because servers are now mobile in the virtual world.  They move between trust domains to take advantage of computing resources that may be available on a given piece of hardware.  Lets say one PHYSICAL server was hosting database VM's and another PHYSICAL server was hosting file server VM's.  The file server VM could VMOTION to the same environment as the database VM's.   Now where is your isolation between trust domains or unlike resources?

People should think about this problem in greater detail.  I'd love to hear everyones comments as to whether or not they think security between VM's is needed.

John Peterson
Montego Networks

The golden age of comics in the 30's and 40's saw the creation of the superhero.  The good versus evil storylines mimicked the real life events of the day. It elevated the comic book to an art form.  Comic style illustration and story telling in short dialog balloons had never before or since reached those heights. Than after WW II, with the advent of TV and one evil empire ending, comic books seemed to recede back into the background of young boys play things.  Their numbers never again reached the levels seen during the war and many of the characters faded away.

Over the years the comic industry tried to regain their former glory, but the age of the superhero was over.  Yeah there was the TV cartoons, who didn't watch Superman or Batman when you were little.  Some of you like me, may have even watched the Marvel Superhero Show that had short segments of many of the Marvel characters (check them out in the You Tube video), but they were campy and never appealed to an audience beyond young boys.  The Superman movies with Christopher Reeves market a turning point on the return of the superhero and the Batman movies were very successful.  But beyond those two, there were many flops.

With better technology and better story lines, Spiderman, Iron Man and now the latest, The Incredible Hulk have brought comic book superheroes from the page to the screen in a big way. I know that I was not a big fan of the Iron Man movie, but seeing Tony Stark come in at the end of the Hulk movie did get even me excited by the possibilities. Also seeing the Hulk and Iron Man, I began to see that these movies are not aimed at adolescent boys with stories that I am used to from comic books and TV shows.  These are movies aimed at adults with adult storylines.  The technology is great, the heroes are played by big stars (I hear Brad Pitt is playing Thor) rather than unknowns and the productions are first class.

Besides the movies already out, Thor, Captain America, and Namor, the submariner are all headed for the big screen. Once each of these and more have their movie debuts, the subsequent combinations and sequels are almost infinite.  This could be the biggest movie franchise of all time and make the original comic book owners more money then they ever dreamed of!  In the meantime, I am excited to see many of my boyhood heroes get this new big screen treatment!