PCI DSS, the security standard for companies that handle credit cards, defines a number of rules as to how credit cards are handled. One of those rules, 3.3, is defined as follows:

Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed)

So based on this requirement I assumed that the code to do this would be common and widely available; much to my surprise there are rather few samples that do this, and those I found only showed the last four (which, when you are handling a lot of credit cards, makes searching for an account by the last four not all that helpful) and were often rather fragile.

So I whipped this up; hopefully it'll be useful to others.

using System.Text.RegularExpressions;

// Replaces every card number found in `value` with its PCI DSS 3.3 display form:
// first six digits, asterisks, last four digits. The pattern only matches
// contiguous digit runs, so numbers written with spaces or dashes are left as-is.
public static string MaskCreditCard(string value)
{
  // Brand patterns (Visa, MasterCard, Discover, Amex, Diners Club, JCB);
  // the \b on both ends stops a longer digit run from being partially masked.
  const string PATTERN = @"\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|" +
    @"6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|" +
    @"[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})\b";

  var replace = Regex.Replace(value, PATTERN, new MatchEvaluator(match =>
  {
    var num = match.ToString();
    // The shortest match is 13 digits, so num.Length - 10 is always at least 3.
    return num.Substring(0, 6) + new string('*', num.Length - 10) +
      num.Substring(num.Length - 4);
  }));

  return replace;
}

The regex pattern is from Regular-Expressions.info and should detect most major cards.
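The same masking as an added Python example (not code from the post): it reuses the post's pattern and adds an optional Luhn check, which is my own addition, for situations where masking a non-card digit run such as an order id would be destructive. The sample uses the well-known public test card numbers, not real cards.

```python
import re

# Card-number pattern as used in the post (Regular-Expressions.info). It matches
# contiguous digit runs only, so "4111 1111 1111 1111" is not detected.
CARD_PATTERN = re.compile(
    r"\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|"
    r"6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|"
    r"[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})\b"
)


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card issuers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3 display form: first six and last four digits, rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def mask_credit_cards(text: str, require_luhn: bool = False) -> str:
    """Mask every card-like digit run in `text`.

    The default masks anything the brand pattern matches (safe for display).
    require_luhn=True (my addition) leaves runs that fail the checksum alone,
    so a 16-digit order id starting with 4 is not destroyed.
    """
    def _replace(match: re.Match) -> str:
        pan = match.group(0)
        if require_luhn and not luhn_valid(pan):
            return pan
        return mask_pan(pan)
    return CARD_PATTERN.sub(_replace, text)


if __name__ == "__main__":
    # Constructed sample: public Visa/Amex test numbers plus a non-Luhn order id.
    sample = "Visa 4111111111111111, Amex 378282246310005, order 4000000000000001"
    print(mask_credit_cards(sample))
    print(mask_credit_cards(sample, require_luhn=True))
```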

A couple of days ago I was sent a link to Robert Cringely's latest treatise, The second coming of Java, and to say I disagreed would be a bit of an understatement. To me, it represents a fundamental flaw in his perception of developers and, more importantly, of the economics of software development.

The key to Cringely’s argument comes down to this:

When SSDs gain enough capacity there will be a shift from the Ruby world back to the Java world. Not for prototyping, because, well, it’s prototyping. But simply because the statement “Ruby is incredibly slow but I don’t care because my database is slower” will no longer be true.

What he's missing here is the real reason people use frameworks like Rails: it's not about it being Ruby, or being the latest cool thing; it's about developer productivity. That's it, and that's all there is to it: Rails allows a developer to do more in less time. That's one of the key reasons so many Java web developers jumped ship (though I can think of a few others), and what pushed Microsoft to invest so heavily in their MVC framework.

I could fully rehash the argument, but Jeff Atwood, in what I consider to be one of his best articles, Hardware is Cheap, Programmers are Expensive, covers the key point of my argument: developer time is vastly more expensive than hardware. Atwood's take on the issue is clear:

Clearly, hardware is cheap, and programmers are expensive. Whenever you’re provided an opportunity to leverage that imbalance, it would be incredibly foolish not to.

When there's a choice between developer productivity and spending money on hardware, the conclusion should be the same. It's much cheaper to throw more hardware at a slower framework than it is to invest more developer time in a faster framework. For any non-trivial application, throwing more front-end servers at it will always be cheaper than slowing the development process down with a toolkit that isn't centred on productivity.

It’s simple economics; server hardware is getting faster and cheaper, developer time is only getting more expensive.

I was recently given the task of ensuring that a Silverlight+RIA application that could contain private information was secure for deployment to a public web site. So I started searching for automated pen-testing tools that could work against Microsoft's Binary SOAP protocol (msbin1, a.k.a. "application/soap+msbin1") and found only disappointment. For various reasons, it's significantly more complex to pen-test an application using msbin1 than one using traditional SOAP + WSDL.

To properly test the services, I had to make a compromise: temporarily modify the application to expose a SOAP endpoint. While this changes the state of the application and thus reduces the validity of the tests, it does provide a reasonable way of testing the web services to ensure that they are behaving as intended.

The recently released SoapUI Pro 4 adds new security testing tools that make this a viable (and attractive) option. To get this working, there are a few small changes that need to be made to the solution:

First, you'll need to add a reference to "Microsoft.ServiceModel.DomainServices.Hosting.EndPoints", which is part of the RIA Services Toolkit; this allows you to expose different endpoints for the service, such as SOAP and OData.

Next, you’ll want to add the following configSections entry to your Web.config:

<configuration>
 <configSections>
   <sectionGroup name="system.serviceModel">
     <section name="domainServices"
      type="System.ServiceModel.DomainServices.Hosting.DomainServicesSection,
      System.ServiceModel.DomainServices.Hosting,
      Version=4.0.0.0,
      Culture=neutral,
      PublicKeyToken=31bf3856ad364e35" />
   </sectionGroup>
 </configSections>
 ...

Then, to expose the SOAP endpoint:

<configuration>
 ...
 <system.serviceModel>
  ...
  <domainServices>
   <endpoints>
    <add name="Soap"
     type="Microsoft.ServiceModel.DomainServices.Hosting.SoapXmlEndpointFactory,
     Microsoft.ServiceModel.DomainServices.Hosting,
     Version=4.0.0.0,
     Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
   </endpoints>
  </domainServices>
  ...

Finally, just follow the SoapUI instructions to set up your tests, and you can feel (just a little) more confident in your application. Passing with flying colors obviously doesn't mean your application is bulletproof, but it helps to confirm that the web service code is solid.

Now, while this does provide some insight into your application and should help find common issues, it’s not a replacement for a professional assessment by a qualified auditor. If you are handling credit cards or other highly targeted information, please consult a security specialist before a public deployment.

Today I saw a post on Facebook by a friend of mine, Anthony Green, about writing his first blog post as a Microsoft employee (he has a personal blog as well, though unfortunately he hasn't written anything there since 2008). When I saw the title, I couldn't believe it was 20 years already; it seems like just yesterday that I wrote about its 15th birthday:

Happy 20th Birthday Visual Basic!

My, what a journey it's been. Almost fifteen years ago I randomly bought a copy of "Visual Basic 5: Deluxe Learning Edition"; I was just 15 at the time and wanted a new hobby, and writing software seemed like it would be fun. In those early days I had no idea what career I would choose, and really didn't intend for software development to become the dominant force in my life; I just wanted a better, more productive way to spend my time during the summer.

In the years that have gone by, I became passionate about the field and all it encompasses (possibly obsessed, if you believe my wife); it's been the driving force in my life. Today I manage a team of 6 developers and have a fun start-up with some friends (that someday won't cost me money every month), and all because I bought that book. Overall, I have a lot to thank VB for; it really did get me started in this field.

Today, though, my language of choice has moved on to newer options (I prefer bleeding-edge technologies when I can use them), but VB will always have a place in my heart, and I'll always follow its progress as it continues to transform and adapt to an ever-changing world. As the most popular .NET language (contrary to what many C# developers think), it plays a vital role in the development of the framework and the ecosystem.

In the conversations I’ve had with Anthony about the future of the language, I greatly look forward to writing about its 25th birthday; I expect those will be exciting times for the language and the entire .NET ecosystem.

Earlier today, a rather surprising tweet hit, being retweeted at least 80 times, including by a few rather influential people in the .NET world:

Microsoft announces to mvps at #msteched that VB6 will be released as open source on codeplex end of june! w00t
May 19 via TweetDeck

Needless to say, that's not an announcement anybody was expecting, but given the talk going on at the time, and the high-profile people talking about it, there wasn't much reason to doubt it. Announcing that a product that has been dead for years is going open source would certainly be a strategy shift for Microsoft, but does it make any sense? Kevin Dente of Herding Code fame certainly thought that Microsoft had better things to release:

Instead of VB6 I’d rather see MS open source IE6. Then at least we could build a standalone version of it.
May 19 via Halfwit

Shortly after the initial tweet, Doug Seven, Director of Product Management for Visual Studio Tools & Languages, replied asking Roy Osherove (the original poster) to email him. Hmm, it's starting to smell like something odd is going on. A couple of hours later, Doug set the story straight:

The rumors of VB6 going open source are simply not true. #msteched #vb6rumor #vb6
May 19 via web

To which, Roy then tried to unset:

RT @dseven: The rumors of VB6 going open source are true. #msteched #vb6rumor #vb6
May 19 via TweetDeck

It's worth pointing out that Roy Osherove currently has a full ten times the followers that Doug Seven has, meaning his altered retweet was seen by more people (at least initially). For several hours word was going around, and was accepted by a number of people who thought Microsoft was actually going to open the code to VB6 (including journalists who were too busy writing articles to do any fact checking), all based on one person who made it up.

Lesson here: be careful about what you retweet; it's easy to endorse a lie, as several people unwittingly did today (@blowdart summed it up rather well).

On my fresh Ubuntu 11.04 box running Ruby 1.9.2 instead of the standard Ruby 1.8, I ran into some undocumented errors while installing the mysql2 gem. Here’s what I was seeing:

$ gem install mysql2
Building native extensions.  This could take a while...
ERROR:  Error installing mysql2:
	ERROR: Failed to build gem native extension.

        /usr/bin/ruby1.9.1 extconf.rb
          <internal:lib/rubygems/custom_require>:29:in `require':
          no such file to load -- mkmf (LoadError)
	from <internal:lib/rubygems/custom_require>:29:in `require'
	from extconf.rb:2:in `<main>'

Gem files will remain installed in
  /usr/lib/ruby/gems/1.9.1/gems/mysql2-0.3.2 for inspection.
Results logged to
  /usr/lib/ruby/gems/1.9.1/gems/mysql2-0.3.2/ext/mysql2/gem_make.out

This obviously isn't all that helpful, nor did I find anything useful on Google; thankfully the issue is easy to solve. All that's needed is to ensure that the following packages are installed:

sudo apt-get install libmysqlclient-dev libmysql-ruby1.9 ruby1.9.1-dev

Then you can try installing the gem again; hopefully it should work.