October 30, 2004

NASA World Wind

"Wow" is the only word I need to describe NASA's World Wind. This FREE program combines topographical maps, satellite photos, aerial photos, and managed Direct3D to give you a pretty awesome 3D view of the entire globe. While I'm sure there are some legitimate uses of this software, it's fun to just "fly" around and take a look at sites around town and around the world. You can download World Wind here and try it out for yourself.

If reality is anything like Hollywood, just press the "enhance" button several times and you'll be able to see me waving at you in the picture below.

worldwindshot.jpg

Posted by JoshC at 11:45 PM | Comments (3) | TrackBack

October 11, 2004

My sleep pressure profile

Shopping for a new mattress has got to be one of the most difficult experiences there is. Not only do you have to lie down in awkward positions in the middle of a store, but you've got a salesman staring at you the whole time and trying to convince you the mattress will solve all sorts of problems you didn't know you had. And it's not like you're buying a chair. If you screw up and buy an ugly chair you can always stick it in the bonus room, but if you screw up and buy a bad mattress you're going to be stuck sleeping on that thing for at least a few years.

Each store seemed to have their own gimmick. Some had mattresses cut down the middle to show you the padding and springs, some had cashmere covers on the mattresses to make them feel soft, but my favorite has got to be this sleep pressure profile shown below.

sleeppressureprofile.jpg

This place had a pressure-sensitive bed hooked up to a computer that's supposed to match you with the perfect mattress. All the data and graphs were even shown on a huge 60-inch TV for dramatic effect. As you can see from my pressure profile, my perfect mattress must accommodate multiple heavy lumps in my back and a head apparently made of lead.

This sophisticated mattress matching technology isn't cheap, either. It was hard keeping a straight face after we learned the cheapest mattress there was $3599. Needless to say, we looked elsewhere and eventually went with a much more reasonably priced synthetic latex foam mattress made at a local store. So far, I've been lucky enough not to have any "capillary shutdown" or "nerve entrapment."

Posted by JoshC at 11:03 PM | Comments (0) | TrackBack

Scripts to disable evil Windows features

There are a few features in Windows that aggravate me to no end so I thought I'd share the scripts I use to disable them in case you feel the same way.

The first evil feature is simple file sharing in Windows XP. Simple file sharing is on by default for systems not on a domain and turning it off is hidden all the way at the bottom of the View tab in Windows Explorer's Folder Options dialog. This feature hides all the Security tabs in Explorer, wreaks havoc when trying to use authentication in IIS, and basically makes it impossible to share files with anyone that has the setting turned off. Save yourself a lot of headaches and confusion by disabling simple file sharing.

The second evil feature is called hide file extensions for known file types. This brilliant feature makes it so half your files (the "known file types") have extensions and half of them don't. For the half that don't, you're expected to look at the little icons to figure out what kind of files they are. Someone working on Windows must have thought having ".doc" on the end of document files was too confusing. This feature is especially concerning since a malicious person can send you a file with double extensions and Windows will actually help them hide the real file extension. Thus, a file that looks like "budget.xls" could actually be "budget.xls.js" which, when opened, could run code to install spyware, delete your My Documents folder, or anything else. I can't understand how hiding file extensions could be useful to anyone and I'd be more than happy if this "feature" was eliminated in Longhorn.
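An added example (not one of the author's scripts): a PowerShell filter that flags names like the "budget.xls.js" case above, where the name Explorer shows with extensions hidden still ends in a document-looking extension. The two extension lists and the function name Get-DisguisedFile are illustrative assumptions, and the sample names are constructed.

```powershell
# Extensions that run code when opened (illustrative, not exhaustive).
$ExecutableExt = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.bat', '.cmd', '.exe', '.scr', '.hta'
# Extensions a user reads as harmless documents (illustrative).
$DecoyExt = '.xls', '.doc', '.ppt', '.pdf', '.txt', '.jpg', '.gif', '.zip'

function Get-DisguisedFile {    # hypothetical name
    param([Parameter(ValueFromPipeline)][string]$Name)
    process {
        # The real type is decided by the LAST extension only.
        $real  = [IO.Path]::GetExtension($Name).ToLowerInvariant()
        # With "hide extensions for known file types" on, Explorer shows the
        # name without that last extension.
        $shown = [IO.Path]::GetFileNameWithoutExtension($Name)
        # If the shown name itself ends in a document extension, the user
        # sees what looks like a complete, harmless file name.
        $decoy = [IO.Path]::GetExtension($shown).ToLowerInvariant()

        if ($ExecutableExt -contains $real -and $DecoyExt -contains $decoy) {
            [pscustomobject]@{
                FileName = $Name
                ShownAs  = $shown
                RealType = $real
            }
        }
    }
}

# Constructed sample names; only the double-extension script is reported.
'budget.xls', 'budget.xls.js', 'setup.exe', 'notes.v2.txt' | Get-DisguisedFile

# To check a real folder (the path is a placeholder):
# Get-ChildItem -Path 'C:\path\to\folder' -File -Recurse |
#     ForEach-Object { $_.Name } | Get-DisguisedFile
```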

Click here to download a zip file containing scripts that disable these two evil features.
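An added example, not the contents of the author's zip file: a PowerShell function that reports the two settings and, with -Fix, writes the values that turn them off. It assumes the standard registry values ForceGuest (simple file sharing) and HideFileExt (hidden extensions); the function name Test-EvilFeature is hypothetical.

```powershell
# The two settings from this post and the value that disables each.
$Settings = @(
    [pscustomobject]@{
        Feature = 'Simple file sharing'
        Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Name    = 'ForceGuest'    # 1 = network logons are forced to Guest
        Desired = 0               # 0 = classic: users authenticate as themselves
    }
    [pscustomobject]@{
        Feature = 'Hide extensions for known file types'
        Path    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
        Name    = 'HideFileExt'   # 1 = hide extensions
        Desired = 0               # 0 = always show extensions
    }
)

function Test-EvilFeature {       # hypothetical name
    param([switch]$Fix)
    foreach ($s in $Settings) {
        $item    = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $current = if ($item) { $item.($s.Name) } else { $null }   # $null = value not set
        if ($Fix -and $current -ne $s.Desired) {
            # HKLM needs an elevated session; HKCU applies to the current user only.
            # -ErrorAction Stop keeps a failed write from being reported as fixed.
            New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Desired `
                             -PropertyType DWord -Force -ErrorAction Stop | Out-Null
            $current = $s.Desired
        }
        [pscustomobject]@{
            Feature   = $s.Feature
            Value     = $s.Name
            Current   = $current
            Compliant = ($current -eq $s.Desired)
        }
    }
}

Test-EvilFeature          # report only
# Test-EvilFeature -Fix   # write the desired values
```

The HideFileExt value is per-user, so it has to be set for each account, and open Explorer windows may not reflect the change until they are refreshed or reopened.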

Posted by JoshC at 07:10 PM | Comments (0) | TrackBack

October 09, 2004

Keeping secrets

Keeping secrets can be hard for many people, but sometimes it's even harder for software. It's difficult to think of many modern programs that don't deal with secret data such as usernames, passwords, credit card numbers, and even email addresses in one way or another. Why, just to write this blog post I had to log in to my weblog using a secret password after connecting to my wireless network with a WPA password after logging in to Windows using yet another password. Passwords and other sorts of secret data are used in all sorts of software, so it should concern you, as it does me, that many programs don't do a good job keeping your secrets. There's really no excuse for this lack of security since Windows XP and the .NET framework offer several relatively easy-to-use facilities for gathering credentials and securely storing secret data.

If you need to securely prompt for credentials, you can use the CredUIPromptForCredentials function in credui.dll to pop up the standard credentials dialog that IE and other programs use. Not only does this function provide a consistent UI and save you the trouble of creating your own dialog, it also can automatically store the credentials securely and skip prompting the user for them again later. I won't go into implementation detail here since Duncan Mackenzie has written an excellent MSDN article on exactly this topic.

If you need to securely store credentials or other secret data, you can use the Data Protection API (DPAPI) functions CryptProtectData and CryptUnprotectData in crypt32.dll. These functions can be used to encrypt any data (in the form of a byte array) using an encryption key automatically derived from your Windows password. The great thing about the DPAPI is that Windows does all the tricky key management for you. An application using the DPAPI can also optionally provide a byte array of entropy to keep other applications running under the same Windows account from accessing encrypted data. MSDN has an article that explains the details of using the DPAPI and it even includes sample C# code for a DPAPI wrapper class.

Finally, if you're waiting for Whidbey (.NET 2.0) to rid you of the need to dive into unmanaged code for security, you're mostly in luck. Whidbey provides a simple managed wrapper class called System.Security.Cryptography.ProtectedData for the DPAPI functions CryptProtectData and CryptUnprotectData. Another great addition to the framework is the System.Security.SecureString class. SecureString lets you handle sensitive strings by keeping them encrypted in memory and clearing them out of memory when no longer needed or when garbage collected. Unless I'm just overlooking it, the only thing I've mentioned that's missing in Whidbey is the ability to make use of the standard credential dialog.
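The DPAPI round trip described in the last two paragraphs, as an added example (not code from the MSDN article or from this post): it calls the managed ProtectedData wrapper from PowerShell and shows that a blob protected with one entropy value cannot be unprotected with another. It assumes Windows PowerShell on the .NET Framework; the function names, the entropy string and the sample secret are constructed for illustration.

```powershell
# ProtectedData lives in System.Security.dll on the .NET Framework.
Add-Type -AssemblyName System.Security
$Scope = [Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-Secret {       # hypothetical name
    param([Parameter(Mandatory)][string]$PlainText, [byte[]]$Entropy)
    $bytes = [Text.Encoding]::UTF8.GetBytes($PlainText)
    try {
        # Windows derives and manages the key; no key appears in this script.
        $blob = [Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, $Scope)
    } finally {
        [Array]::Clear($bytes, 0, $bytes.Length)   # wipe the plaintext copy
    }
    return ,$blob   # leading comma keeps the byte[] from being unrolled
}

function Unprotect-Secret {     # hypothetical name
    param([Parameter(Mandatory)][byte[]]$Blob, [byte[]]$Entropy)
    $bytes = [Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $Scope)
    try {
        [Text.Encoding]::UTF8.GetString($bytes)
    } finally {
        [Array]::Clear($bytes, 0, $bytes.Length)
    }
}

# Constructed sample values.
$appEntropy   = [Text.Encoding]::UTF8.GetBytes('example-app-entropy')
$otherEntropy = [Text.Encoding]::UTF8.GetBytes('some-other-app')

$blob = Protect-Secret -PlainText 'sample-password' -Entropy $appEntropy

# Same user, same entropy: the round trip succeeds.
Unprotect-Secret -Blob $blob -Entropy $appEntropy

# Same user, different entropy: Unprotect throws instead of returning data.
try {
    Unprotect-Secret -Blob $blob -Entropy $otherEntropy
} catch {
    "Unprotect failed: $($_.Exception.InnerException.GetType().Name)"
}
```

The entropy only separates applications as well as it is kept from them: a value embedded in the program or in a file readable by the same account can be read by other code running as that user.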

As you can see, Windows XP and the .NET framework can help your software keep users' secrets safe and secure. I hope these tips come in handy the next time you're considering hard coding an encryption key into your code or considering using XOR and/or base64 encoding to "encrypt" secret data.

Posted by JoshC at 12:31 AM | Comments (1) | TrackBack