Silverlight Hack

Silverlight & related .NET technologies

About Me

Welcome to Silverlighthack.com.  This is a site where you can find many articles on Silverlight, Windows Phone 7 and .NET related technologies.  

My name is Bart Czernicki.  I have been working with computers since 1988 and have over 12 professional years in the IT field focusing on architecture, technology strategy and product management.  I currently work as a Sr. Software Architect at a large software development company.

Below is the cover of my new book that shows how Silverlight's unique RIA features can be applied to create next-generation business intelligence (BI 2.0) applications.

Silverlight 4 Business Intelligence Soft 

Contact: bartczernicki@gmail.com


NONE of the comments or opinions expressed here should be considered of my past or current employer(s).  The code provided is as-is without any guarantees or warranties.

SQL Server 2008 Quick Fact - New SSMS Shortcut

SQL Server 2008 is around the corner and I have been playing with it on and off.  Microsoft has renamed the shortcut for starting Management Studio (old Query Analyzer + Enterprise Studio) in 2008.  I found this almost a year ago with one of the Release Candidates, but was reminded of it when I re-installed SQL Server 2008 this weekend.

I am a big fan of shortcuts.  Every developer sets up their machine differently, and when working with database servers it's always faster to type the shortcut into Start->Run than to dig for an icon.

SQL 2000 

In SQL Server 2000, to launch Query Analyzer we ran the ISQLW shortcut.  This essentially was the GUI equivalent of the ISQL console application.

SQL 2005 

In SQL Server 2005, the Query Analyzer application and Enterprise Manager had their functionality merged into one application called "SQL Server Management Studio".  One would figure that the shortcut for SQL Server 2005 would be SSMS or something.  The shortcut is actually called SQLWB.  Those who have played with some of the private old alphas of SQL Server 2005 (when it was still called Yukon) might remember that Management Studio was actually called SQL Server Workbench.  The executable remained SQLWB even though the product name got changed.

SQL 2008

In SQL Server 2008, FINALLY we have a standard shortcut.  The shortcut now is SSMS; you guessed it, from the product name SQL Server Management Studio.  This is not the most prolific feature inside SQL Server 2008, but I thought it is nice that finally the shortcut is standard with the long name of the product.  There was someone in Microsoft who was probably asking himself the same thing, "Why is the SQL Server Management Studio executable SQLWB?", and finally decided to change it.

Posted: Aug 02 2008, 16:35 by Bart Czernicki | Comments (0)
Filed under: SQL Server 2008

Concepts To Become A Silverlight Master (Series Part 4 - Security)


This article focuses on the topic of security and Silverlight.  This is an abstract software development concept that every software developer should be aware of regardless of the environment in which they are developing.  However, each environment is different and exposes different risks.  Silverlight is no different.  Furthermore, because of its architecture, Silverlight exposes some potential security holes. In this article I go over the security risks to consider in Silverlight, how a hacker can use several tools to extract desired information and what to do to protect your applications.

Silverlight Environment

Silverlight applications execute on the end user's workstation.  This means the entire application and all the resources are brought down to the client and executed inside the client's environment.  The Silverlight 2.0 application is brought down in an XAP file.  An XAP file includes XML configuration/manifest files, resource files (XAML, images) and of course your business logic, which is a compiled assembly (DLL).  The XAP contains all these items because it is essentially a ZIP compressed file with a XAP extension.  By default, the XAP file is not protected in any way (it has no password or encryption), so anyone who obtains it can unzip it.  If you are a seasoned developer, this should immediately trigger some possible design concerns you would want to avoid.

If you are designing applications for the Silverlight environment, there are obviously some security precautions you will want to consider:

Securing Your Code & Protecting Intellectual Property

Just like the full .NET framework, the .NET 3.5 subset that runs Silverlight is managed code.  The code is compiled to IL and can be very easily reverse engineered.  A great tool for reverse engineering code (even Microsoft's own .NET Framework) is Reflector.  A common way to keep hackers or other developers from easily reverse engineering code is obfuscation.  Obfuscation will rename objects, fields, methods, etc., in your code to names that are a lot less readable.  Remember, .NET doesn't care if a method in code is called "GetCustomers()".  It can just as well be called "a()".  This is just one example of obfuscation.  Traditionally, web developers that utilized web assemblies did not have to consider this, as the assembly never left the server (not always the case).

Reflector can disassemble Silverlight 2.0 assemblies

  • As a best practice, if there is ultra sensitive code or some secret intellectual property, ensure that it is executed in its own domain on a server where you access the output through a service call.  To be absolutely safe, do not place important business logic inside a Silverlight assembly that will be brought down to the client.
  • In some cases, there are assemblies that either are not super sensitive or you have at least modest interest in protecting.  In these situations, obfuscation is an ideal solution.  The code can still be reverse engineered with time; however, it will take a more dedicated effort.
  • Assemblies are not just vulnerable when they are executed or brought down to the client's workstation.  Remember that assemblies can also be "picked off" during transit.  For example, say you wrote a great application that is only available to users who have been authenticated through your web site.  Inside the XAP file you include some sensitive information that is okay for the end user to look at.  While the XAP file is in transit, however, that information is still exposed to anyone who can intercept it.  If you are concerned about the XAP package being intercepted, consider using HTTPS as a secure delivery mechanism to the client.
  • Always make sure to sign the assemblies and provide the proper copyright information, especially if they are leaving the web server.
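
Because a XAP is an ordinary ZIP archive, you can inventory your own build output before publishing it and see exactly what ships to the client.  The following Python script is an added example, not code from the original article; the sample XAP, its file names and the keyword pattern are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# XML namespace used by AppManifest.xaml inside a Silverlight XAP.
DEPLOY_NS = "{http://schemas.microsoft.com/client/2007/deployment}"
# Constructed keyword list: strings that usually should not ship to a client.
SECRET_HINTS = re.compile(rb"(password|pwd|connectionstring|apikey)\s*=", re.I)

# Constructed manifest for the sample package below.
MANIFEST = b"""<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment"
    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
    EntryPointAssembly="SampleApp" EntryPointType="SampleApp.App">
  <Deployment.Parts>
    <AssemblyPart x:Name="SampleApp" Source="SampleApp.dll" />
    <AssemblyPart x:Name="SampleApp.Pricing" Source="SampleApp.Pricing.dll" />
  </Deployment.Parts>
</Deployment>"""


def build_sample_xap() -> bytes:
    """Build a constructed XAP in memory (placeholder DLL bytes, fake settings)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppManifest.xaml", MANIFEST)
        z.writestr("SampleApp.dll", b"MZ" + b"\0" * 64)
        z.writestr("SampleApp.Pricing.dll", b"MZ" + b"\0" * 64)
        z.writestr("settings.xml", b"<settings>Password=example-only</settings>")
    return buf.getvalue()


def inventory_xap(xap_bytes: bytes) -> dict:
    """List what any recipient of the XAP can read with a plain unzip."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        infos = z.infolist()
        # Bit 0 of the ZIP general-purpose flags marks an encrypted entry.
        encrypted = [i.filename for i in infos if i.flag_bits & 0x1]
        # Run this on your own build output; the manifest is parsed as trusted XML.
        manifest = ET.fromstring(z.read("AppManifest.xaml"))
        assemblies = [p.get("Source")
                      for p in manifest.iter(DEPLOY_NS + "AssemblyPart")]
        others, hits = [], []
        for info in infos:
            name = info.filename
            if name in assemblies or name == "AppManifest.xaml":
                continue
            others.append(name)  # resources, config and data files
            if name not in encrypted and SECRET_HINTS.search(z.read(name)):
                hits.append(name)
    return {"entry_point": manifest.get("EntryPointAssembly"),
            "assemblies": assemblies,
            "other_files": others,
            "encrypted_entries": encrypted,
            "secret_hints": hits}


if __name__ == "__main__":
    for key, value in inventory_xap(build_sample_xap()).items():
        print(f"{key}: {value}")
```

Every assembly the inventory lists is a candidate for obfuscation or for moving behind a service call, and every file under `secret_hints` needs a second look before release.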

Isolated Storage (Protecting Sensitive Data)

Silverlight includes a concept called Isolated Storage, which can be viewed as a large temporary storage mechanism ("cookies on steroids" is another term I saw on a blog recently).  Isolated Storage utilizes three files to manage its contents and it is cleared when a user clears the browser cache.  The files are well documented, so a hacker who knows about Silverlight can easily access them.  Furthermore, the contents of Isolated Storage are not secure and should not be assumed to be.

  • If you are persisting sensitive information on a client's workstation via Isolated Storage, consider obfuscating or encrypting the information.  Information such as passwords or sensitive client data will probably warrant the use of the cryptography library inside .NET.  Information such as a list of phone numbers might not warrant full-blown 128-bit encryption; however, obfuscating it with Base64 encoding, which only hides it from casual viewing and is trivially reversed, might suffice.  The choice is up to the developer to determine how sensitive the data is.  However, when persisting data on the client, remember that the end user can always do something stupid and lose their laptop.  You do not want to be the one responsible for writing an unsecured application that causes identity theft because someone lost their computer.
  • Encrypting data on the client workstation exposes another issue to consider.  Obviously, you cannot write encryption inside a Silverlight assembly for Isolated Storage and leave it wide open.  A best practice would be to obfuscate the assembly that is used to encrypt the data.  Another possible solution is to have the data encrypted through a service call, so that the encryption logic and, more importantly, the key are never placed on the client.
  • Remember, you cannot protect everything!  (So don't even try to.)  Just like on the web, your graphic files, JavaScript and HTML design are all exposed for everyone to access.  Inside Silverlight, this applies to your XAML code and potentially your resource files.

Silverlight Spy is a great program that "extracts" the UI information from the XAP file.  Not only that, it can also peek into the Isolated Storage of a Silverlight application.

Secure Communication (Protecting Data in transit to a Silverlight Application)

Silverlight includes several communication mechanisms to retrieve data outside its application domain.  The most popular mechanism is through service calls (Web Services).  As I wrote in part 2 of the series, Silverlight has great integration with WCF.  There are limitations though as to which bindings are supported.  Since WCF is part of the .NET 3.0 Framework, a great deal of bindings are not supported simply because Silverlight runs on a subset of the full .NET framework.

  • One of the core bindings inside WCF is basicHttpBinding.  This binding is largely around for backward compatibility and is usually avoided when designing enterprise based services with WCF.  However, this binding is one of the few that Silverlight supports and will be used in Silverlight apps.  BasicHttpBinding (unlike other WCF bindings) is, by default, unsecured.  Therefore, the default communication mechanism will encode your message as clear text when using this binding.  This may be okay for data that does not require secure transport.  However, if the data does require it, this binding should be made secure using HTTPS.  For more information, watch this great video on some of the limitations of Silverlight/Https communication.

Fiddler is a great tool for inspecting message envelopes (peeking into unsecured web calls).  Is your information exposed in clear text?

In general, designing services with best practice SOA guidance is not different for Silverlight consumers.  I wanted to focus on WCF-BasicHttpBinding because there are a lot of examples using this binding with Silverlight and a lot of applications start from examples.  The examples often don't mention that one of the drawbacks of the binding is that it defaults to an unsecured transport.
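
One way to catch this default before deployment is to scan the generated ServiceReferences.ClientConfig (or the service's web.config) for basicHttpBinding endpoints that do not use HTTPS.  This Python script is an added example, not code from the original article; the binding, endpoint and contract names and the example.test URLs are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# basicHttpBinding security modes that carry the message over HTTPS.
HTTPS_MODES = {"Transport", "TransportWithMessageCredential"}

# Constructed sample: the unsecured default, as many tutorials leave it.
WEAK_CONFIG = """<configuration><system.serviceModel>
  <bindings><basicHttpBinding>
    <binding name="CustomerBinding"><security mode="None" /></binding>
  </basicHttpBinding></bindings>
  <client>
    <endpoint name="Customers" address="http://app.example.test/Customers.svc"
              binding="basicHttpBinding" bindingConfiguration="CustomerBinding"
              contract="Sample.ICustomerService" />
  </client>
</system.serviceModel></configuration>"""

# Constructed sample: the same endpoint with transport security over HTTPS.
FIXED_CONFIG = """<configuration><system.serviceModel>
  <bindings><basicHttpBinding>
    <binding name="CustomerBinding"><security mode="Transport" /></binding>
  </basicHttpBinding></bindings>
  <client>
    <endpoint name="Customers" address="https://app.example.test/Customers.svc"
              binding="basicHttpBinding" bindingConfiguration="CustomerBinding"
              contract="Sample.ICustomerService" />
  </client>
</system.serviceModel></configuration>"""


def audit_client_config(xml_text: str) -> list:
    """Return findings for basicHttpBinding endpoints not protected by HTTPS."""
    root = ET.fromstring(xml_text)
    # Map binding name -> security mode.  The mode is None when the
    # <security> element or its mode attribute is absent.
    modes = {}
    for binding in root.findall(".//bindings/basicHttpBinding/binding"):
        sec = binding.find("security")
        mode = sec.get("mode", "None") if sec is not None else "None"
        modes[binding.get("name")] = mode
    findings = []
    for ep in root.findall(".//client/endpoint"):
        if ep.get("binding") != "basicHttpBinding":
            continue
        name = ep.get("name") or ep.get("contract")
        mode = modes.get(ep.get("bindingConfiguration"), "None")
        if mode not in HTTPS_MODES:
            findings.append(
                f"{name}: security mode '{mode}' sends messages without HTTPS")
        # Relative addresses have no scheme and are reported for manual review.
        if urlparse(ep.get("address", "")).scheme.lower() != "https":
            findings.append(f"{name}: endpoint address is not an https:// URL")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_client_config(cfg) or "no findings")
```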

Isn't this just common sense?

All of the concepts listed above are essentially "best practices" regardless of which platform development is being done.  Desktop applications have the same security concerns as Silverlight apps (local assemblies, access to temp/local files, etc).  Web Services have the same security concerns as Silverlight consumed services.

  • Silverlight is a new technology and many posts, articles and videos neglect to mention security implications in their examples.  It is easy to get lost in all the options inside a new environment and lose focus on common design considerations (i.e., security).
  • Silverlight is a unique plug-in model that runs on a subset of the .NET 3.5 framework on a client workstation.  Services are typically your best bet of communicating with databases or outside the client app domain.  These key features of Silverlight can sometimes be a trap to developers coming from other environments.  Developers not familiar with plug-in architecture, WCF or just novices starting out with Silverlight can easily fall into a security trap and design an application with major security holes.
  • There is some guidance on Enterprise level Silverlight applications and some articles on the web do focus on security.  Right now this is limited; however, it should not be overlooked.  Security is very important to consider during the design phase and even though there may be no formal "security best practice", you do not want to write a Silverlight application that is easy to breach.
  • The tools I listed above: Silverlight Spy, Reflector and Fiddler are not just some hacker tools.  Any serious developer should be using these tools to ensure their applications are written in the desired security model.

 

Posted: Jul 28 2008, 14:34 by Bart Czernicki | Comments (5)
Filed under: Security | Silverlight

Silverlight 2.0 - Concepts To Become A Silverlight Master (Series Part 3 - Blend)


In order to get a better understanding of how Silverlight applications are designed from a UI perspective, let's take a quick look at the Silverlight architecture.

Notice under the WPF Heading listed are Controls, Data Binding, Layout & Editing.  You might be wondering, why does this say WPF?  The reason is Silverlight essentially leverages a subset of WPF technology (some parts are different) for the items mentioned.  Before it was branded with the term Silverlight, it was actually known as WPF/E.  Therefore, one can see that Silverlight has its roots in WPF.  Furthermore, note how the WPF technology stack replaced the UI Core in Silverlight 1.0.  WPF has been around since 2006, when .NET 3.0 was released.  However, WPF adoption has been slowed because of poor UI tool support.  In Visual Studio 2005, it was a complete mess to try to write a WPF solution.  Improved WPF support was finally added in VS 2008 (more is coming in .NET 3.5 sp1).  However, Microsoft realized that in order to create rich/interactive applications, a first-class design tool was needed.  This is how the Blend product came to be.

The Blend product is part of Microsoft's Expression Studio, which is a collection of first-class design tools.  Microsoft Blend is a design tool that makes creating & editing XAML-based applications easy.  Both WPF & Silverlight use XAML to declaratively control the controls, binding, styles, animations, etc., for the UI.  Visual Studio is a great development IDE and has some basic design features.  However, adding a full-blown designer inside the VS shell would have had poor results.  Blend has been created with the designer in mind and the latest version(s) are actually written inside WPF! Expression Studio is a much needed application.  Microsoft is competing primarily with Adobe AIR/Flex products.  While Microsoft has the developer tools on its side (Visual Studio, C#, WCF, etc.), Adobe is the gold standard for graphical applications.  Because Adobe products such as Flash, Illustrator, PhotoShop, etc., are tightly integrated and provide a designer first-class tools, Microsoft needed a strong design suite of their own.

Separating Blend into its own product allows graphic designers to create/layout/style the application while the developer focuses on the code/data communication, etc.  However, in order for this to happen, Microsoft had to leverage the ability of XAML to declaratively control layout, data binding, styling, templating, resource management, etc., inside Blend.  Simply creating a second product and saying this is for designers and Visual Studio is for developers would not go over well!  I think of it this way: in some IT shops, DBAs are the only ones to touch the database and app developers only touch the code.  Inside Blend, the separation is the XAML/UI from the code behind.  Hopefully, this makes sense as to why Microsoft decided to separate the heavy design operations to another product.

By now you are probably asking yourself:  So what can Blend do for me? 

  • Currently the Silverlight 2.0 SDK adds very little design support inside Visual Studio 2008.  A developer can definitely lay out a simple application; however, harnessing the true power of Silverlight with animations/effects/styles/templating is not all there.  As I mentioned above, I don't believe this will change in the RTM for the simple fact that it would be a real mess to try to add all the tools that Blend provides inside the VS shell.
  • Silverlight 2.0 uses Blend 2.5 (This might change when the RTM version comes out) and this gives Silverlight 2.0 first-class design support for layouts, controls, animations, styling, templates and resource management.  All these items that a developer would normally have to code by hand inside XAML are done for you simply using the Blend product.
  • Blend has excellent integration with Visual Studio 2008.  A developer can write a piece of code, jump to Blend, add a new control/user control and jump right back into Visual Studio and add some code behind.  This is all done very seamlessly and the integration is fantastic.  Blend can even build the entire Silverlight solution and perform test runs inside Blend as well!  Even as of Beta 2, this integration is first class and I cannot stress the power of this feature enough.
  • Blend is much more than just dragging and dropping a button and changing a color or a brush.  The true power of Blend comes with the ability to spice up an application with animation/transitions/styles, quickly giving a Silverlight application that fluid/liquid interface that many compare to the iPhone, for example.  Blend does this by using a set of tools that expose XAML functionality (Remember, Blend just writes XAML).  For example, creating a new button that looks completely different but behaves like a button is straightforward, and attaching a set of transitions for mouse events is simple.  These kinds of additions not only make the UI look modern but can add visual cues, emphasis and enhanced spatial layout that were harder to do but add greater value to the application.
  • Blend is not just for a designer.  Not every IT department is going to have a dedicated designer able to strictly focus on pretty designs.  I am not a designer.  However, I dabbled with PhotoShop, GIMP, etc., and I could not do much beyond the tutorial I was using.  Blend makes creating a first-class design clear once you have a good understanding of the capabilities of the product.  The product definitely has the designer in mind; however, even a developer can use it and extend a Silverlight design.
  • Creating advanced custom controls usually has been left to 3rd party libraries.  Furthermore, creating professional looking controls demanded knowledge of GDI+ (which wasn't easy).  Creating professional custom controls/user controls has never been easier with Blend.  Personally, I have created simple mashup controls to pretty complex grid controls and it was actually pretty fun.  In my opinion, Blend is really going to give some of the 3rd party controls a run for their money in Silverlight 2.0.  The tools inside Blend drop the learning curve significantly for creating custom controls.
  • Blend essentially gives you the tools to bring Silverlight applications to life and to design Silverlight applications using best practices for future enhancements, data binding, templates, etc.

From the list above, one can see that Expression Blend does a lot for you!  This is why I feel it is a must, even for a developer, to learn Blend real well (unless you are the sadistic kind and like to crack open Notepad and hack XAML). Understanding Blend will allow a developer or a designer to bring their applications to life and harness the full power of Silverlight. 

Posted: Jul 25 2008, 17:18 by Bart Czernicki | Comments (8)
Filed under: Blend | Silverlight

Silverlight and Multi Touch Tablets

If you follow gadget or tech sites, you probably have seen some buzz around Tablet PCs in the last couple of days.  Yesterday Mike Arrington from TechCrunch posted a request to the community to help build a low-cost web tablet device with TechCrunch.

The goals of the project are simple:

  • Low cost...about $200.00 (runs Linux)
  • Runs Firefox in kiosk/ATM mode.  Basically, it bypasses the OS and turns on directly into Firefox
  • iPhone-like input; touch screen

Just as the story I just mentioned was getting buzz, there were rumors posted on Gizmodo that there might be a MacBook Touch coming out in October.  Obviously, these are just rumors so there are few details...but that story is really interesting, as is its timing, especially the day after the TechCrunch story got posted and got HUGE attention/buzz.

 

In the last couple of days we have a lot of buzz about two tablet products.  Tablet PCs are nothing new; in fact, I used one back in 2003.  Furthermore, Dell offers a Tablet PC as well.  However, back in 2003 the multi-touch technology simply was not there (had to use a stupid stylus).  The Tablet PCs were slow, handwriting recognition was poor and it loaded XP.  Furthermore, the presentation technology was nonexistent.  Basically, you were running an OS with a stylus on a big screen in a clunky machine.  The new Dell product is basically a laptop that has a touch screen LCD panel that can rotate at a greater angle.  Tablet technology up to this point has not succeeded in the mainstream.  However, I think these two upcoming products can succeed.  Think of it as Tablet 2.0 technology or even a Tablet relaunch :)

Apple has these things in their corner:

  • they are the gold standard in multi-touch & input technology
  • they proved they can master sleek, innovative, thin design
  • the current technology with longer battery life, solid state drives, improved graphics & presentation work

I think these sleek, thin web tablets are going to be the next hot thing in the next 6 months.  How does this fit in with Silverlight?  If you read the articles, you are probably asking yourself where you missed the Silverlight references.  Both of these products obviously are not going to be formally supporting Silverlight in their plans.  However, this is where as a .NET developer or company you can get a piece of the pie.  Silverlight is supported on a Mac/Safari.  So once the MacBook Touch launches, Silverlight will just work.  The TechCrunch Tablet is a little harder because it runs on Linux.  Hopefully the Moonlight project can get going again and give better support for Linux or maybe Microsoft will shock us and release a Linux plug-in.  However, since the TechCrunch web tablet was just announced yesterday, I would be shocked if anything was ready in the next 6-8 months.  October with the MacBook Touch (if the rumors are true) will be around the corner much faster.

Applications on the iPhone have a fluid user experience.  What do I mean by that?  The user has little interaction with the keyboard.  It is all about scrolling, sliding, flipping, dragging while keeping things SIMPLE.  Effective applications for these tablets lacking a keyboard will have to do just that and mimic the user experience from the iPhone or Microsoft Surface.  Silverlight will allow you to do just that. By designing applications in Silverlight, it will allow you to bring the user experience to life.  Silverlight allows you to present the layout of your application spatially and through animations/effects you can bring real time interactivity to the user.  Do you think a user of an iPhone who is used to the iPhone interface would want to load an application from 2 years ago that is a step back? Of course not.  This is where Silverlight compiled code rocks because it is ultra responsive and nothing out on the web can compete with it. 

Silverlight is a web technology and it is distributed through a plug-in.  This is a perfect way for Silverlight applications to sneak onto the tablets and get some of the attention of the user base.  This is why I am such a big advocate of Silverlight technology; because of how well it can complement the user experience in this example and others.  You know users will demand high quality and responsive interfaces (the iPhone generation is spoiled) and Silverlight is one way to spoil them even more.  Silverlight: learn it, use it and abuse it.  Hopefully, this article gave everyone a glimpse into the future on why it is a good idea to invest time in learning Silverlight.  It would be even better if the article gave you some ideas of applications/tools to write for the upcoming web tablets!

 

Posted: Jul 22 2008, 12:44 by Bart Czernicki | Comments (1)
Filed under: Silverlight