Cargo cult security – how not to use hashing

Sometimes, I still get surprised by the lack of thought behind some software systems that have made it to production. This time, I stumbled over a 2 year old reddit thread about the Swedish city Västerås using WiFi to track the movements of people, storing hashes of their smartphone MAC addresses, in the rather naive misbelief that hashing would render people anonymity. That leads me to a subset of the subject of cargo cult programming: cargo cult security.

In short, cargo cult programming means that you use a chunk of code because you more or less know what is does, but have no idea of how it works. That means you can’t modify the code, and you probably also unknowingly include redundant code.

In my example of cargo cult security, the developers in question used hashing as a means to anonymize users. From a cargo cult perspective, hashing works well for storing passwords, so if it’s used for a completely different application it should work there too, right? No, actually quite wrong.

Read more

F# SQLProvider+SQLite on the Raspberry Pi

fspi3Both the SQLite database engine and the Raspberry Pi are lean, mean little things, so they are a perfect match for each other.

Using F# under Mono, we get a high level way to tap into the low cost power of the Pi (though everything in this post should work on anything else running a Debian based Linux), and the SQLProvider type provider does precisely what type providers are supposed to: it combines the convenience of data access in a dynamic language with the type safety of a static one.

In this post, we’ll create an SQLite database and a minimal F# project that reads from and writes to it, on a Windows PC. Once we’ve got that running, we’ll get it running on a Raspberry Pi as well (I’ll assume that you’ve got Raspbian up and running on a Pi).

Read more

Using System.Data.SQLite under Linux and Mono

If you want to use the lean, mean and fast SQLite database in your .NET programs under Linux and Mono, using Mono.Data.SQLite might seem like the obvious choice, but you can actually do better. With a little effort, you can use System.Data.SQLite under Linux+Mono (and probably macOS too). There a couple of key benefits to be gained from this: Read more

Windows turns 30 – program like it’s 1985!

Since today, 20th November 2015, marks the 30th birthday of Windows, I thought it appropriate to commemorate its anniversary by programming Windows like it’s 1985. To put that in perspective, these were the days when Miami Vice was the hottest thing on the tube, people dug tunnels under the Berlin Wall and 20 MB was a reasonable size for your hard disk, which you called “Winchester”.

While most developers ignored Windows until version 3 was released in 1990, with good reason, those who didn’t were in for a programming experience that was not for the faint of heart. The “Hello World” program was famously four printed pages long, which rather set the tone. That was however a bit cruel, since a smaller Hello World would have been possible and might have scared fewer programmers away from Windows development. To honour Windows 30th birthday, I’d like to present you with a slightly more manageable Windows Hello World. So, get into the mood with some Dire Straits, Aha, Duran Duran or whatever you were exposed to back then, fire up the Quattro and… Read more

Mpir.NET – NuGet package for high performance large integers

mpirnetlogoMpir.NET is a .NET wrapper for the high performance multi precision integer library MPIR, which in turn is a Windows friendly fork of GMP.

As noted in my previous post, High performance large integers in .NET, it would be highly desirable to have a large integer library that combines the speed of MPIR with the usability of Emil Stefanov’s “GMP for .NET”. The obvious way of doing this, would be to make a fusion of Sergey Bochkanov’s MPIR wrapper for .NET, X-MPIR, and GMP for .NET. Since both Stefanov and Bochkanov have released their code under the LGPL license, this turned out to be possible with a couple of modifications to both code bases. Read more

High performance large integers in .NET

BigNumBench01ThumbWhen you’re playing with the sort of big integers used in, for example, cryptography, 64 bits just aren’t enough. In this post, I’ll compare and benchmark some of the alternatives that take .NET numerics beyond 64 bits. The benchmark results turn out to be a tale of the unexpected, to paraphrase Roald Dahl.

The test case is RSA signature verification, which uses the formula c=me mod n, where c, m and n are the same size as the RSA key (the public RSA key consists of n and e), typically 1024, 2048 or 3072 bits, while e usually is a mere 32 bits (usually holding the value 17 or 65537). In the test, I’ll use a 1024 bit key, because that conveniently enables me to reuse some F# code I wrote to verify RSA signed data written by EU digital tachographs. Read more

A utility to fix faulty ConcurrencyMode settings

As described in the post on EFConcurrencyModeTest, the Entity Framework tools for reverse engineering a database will not set ConcurrencyMode correctly for the column types (rowversion a.k.a. timestamp) used for optimistic concurrency control. Until that bug is fixed, you have to take care if this yourself. I put up with this about twice, before getting bored enough to write a utility that automates it. To paraphrase Terence Parr (ANTLR), why edit by hand in 10 minutes what you can spend an hour automating? Thus, I wrote FixEFConcurrencyModes. Read more

IdleLock – a utility to lock your PC after X minutes of idle time

IdleLockIconIf you want your Windows PC to lock (i.e. require you to enter your password to use it) after a period of user inactivity, you can go to the screen saver setting and check “On resume, display logon screen”. But what if you want the screensaver to be activated after e.g. 10 minutes, but you don’t want the PC to lock until after 20 minutes? In Windows XP, you could resort to the ScreenSaverGracePeriod registry hack. However, in Windows 7 and later, the PC will be locked no later than 60 seconds after the screensaver kicks in, no matter what ScreenSaverGracePeriod value you have specified. To remedy this flaw, I whipped up IdleLock, a small utility that locks your PC after a selectable time of user inactivity. Read more

ConcurrencyMode unit tests for Entity Framework EDMX files

When using Microsoft’s Entity Framework, the ConcurrencyMode attribute for properties mapped to rowversion (a.k.a. timestamp) database columns, should be set to ConcurrencyMode.Fixed, to enable optimistic concurrency.

Unfortunately, due to a bug in the Entity Framework tools, you have to do this manually. The NuGet package EFConcurrencyModeTest makes it easy to write the unit tests needed to make sure that you have done so.

Read more

MissingMethodException when migrating from F# 3.0 to F# 3.1

If you retarget an F# 3.0 project to F# 3.1 in Visual Studio 2013, you might end up with a System.MissingMethodException when you rebuild and run your project. This is because you need to manually update the App.config file after you retarget to F# 3.1.

Read more

Links from my talk at Prevas

Here are the links I was referring to at the end of my talk at Prevas:


Luca Bologneses presentation from 2008. Don’t be deterred by the age of it, it’s still a great talk and the most enjoyable F# talk out there. The link is to the WMV file, which is better than the online stream.

Type Providers intro and demo by Tomas Petricek.

3 part introduction to F# by Don Syme.

Online interactive tutorial


Google Drive – 15GB of unreliability

The better part of a year has passed since I last gave up on Google Drive because of its unreliability, which is akin to that of a Lucas automotive electrical system. In mid May, Google announced that they tripled the storage space, giving you a total of 15GB for free, if you were brave enough to submit your files to the bug ridden mess that is Google Drive. Surely, this must be an indication that they finally sorted out their problems and that Google Drive at last was ready for serious use? A couple of weeks ago, I thought it was time to find out.

Read more

Adding binding options to Morozov’s WPF MVC framework

Inspired by Dmitry Morozov’s MVC series (among the best F# articles I’ve ever seen!), I wanted to extend his data binding DSL to allow the setting of binding properties individually for each model property. The end result I was after, was to be able to write binding expression quotations like

  view.Control.LastName.Text <- model.LastName |> UpdateSourceOnChange
  view.Control.Bitness.Text  <- model.Bitness |> string |> Mode BindingMode.OneTime

Read more

Simple F# producer-consumer pattern

The producer-consumer pattern allows a producer thread to generate data (e.g loaded from disk or read from a web site) and put in a queue, concurrently with a thread that consumes the data from the queue.

A typical application of this is the processing of multiple disk files. When done in a single threaded, sequential manner, the CPU mostly sits idle while waiting for the disk during file load. The disk, in turn, doesn’t do anything useful while waiting for the CPU to finish processing a file before the next one is loaded. Using the producer-consumer pattern, the files are loaded from the disk and queued while the CPU processes files already in the queue, speeding up the processing of the second and all subsequent files. To boot, you get the possibility of running multiple producers and multiple consumers concurrently, as well as the smug feeling that goes with it. Read more

International Caps Lock Day – and VS2012 Menus

Today, the 28th of June, is INTERNATIONAL CAPS LOCK DAY. Someone at Microsoft seems to be a big Caps Lock fan, as MENUS AND WINDOW TITLES ARE ALL CAPS in Visual Studio 2012. With good reason, this is universally disliked. Fortunately, MS took note and provided a way to switch off the caps, so I’d like to celebrate INTERNATIONAL CAPS LOCK DAY with this link to the cure for VS2012’s menu uglyfication.


Detecting the CPU architecture in F#

If you google for methods of detecting the cpu architecture, you’ll find lots of pages about how to use WMI and ManagementObjectSearcher. This is an immensely slow operation which takes more than a second to complete (at least when I’ve timed it on a 2.8 GHz 4 core machine), so don’t use it. A quicker method is to use PInvoke to call the GetNativeSystemInfo function of the Windows API directly.

Read more

Compatibility between 32-bit, 64-bit and “Any CPU” .NET assemblies

I couldn’t find any decent .NET platform target compatibility chart, so I made one:

.NET platform compatibility charts

Read more

.NET RSAParameters endianness

Ever had to access or set the RSAParameters structure’s fields? Well, if you do, you will find that the MSDN documentation on them doesn’t specify their endianness (byte order). Googling isn’t too helpful either, as I found different sources claiming different endianness. So, I wrote a little test in F# that shows that the RSAParameters fields are indeed big-endian.

Read more

F# values, functions and a little bit of both

Judging from a few questions on stackoverflow and hubFS, programmers new to F# sometimes confuse value assignments with functions that don’t take arguments. This confusion is easily straightened out. In fact, it’s so easily straightened out, that it’s not really enough for a blog post. Thus, we spice things up a bit by letting the value assignment assign a function value, and throw in closures and something about the practical differences between stack and heap values for good measure.

Read more

F# ASCII85 module

Sometimes, you need to store binary data in places where only text data is welcome, such as XML files. The quick & dirty solution is to code your data into hexadecimal strings, which you can easily get away with when storing a few bytes. However, sometimes you want better space efficiency and this is where ASCII85 comes to the rescue.

Read more