Archive for December, 2007

Timing is EVERYTHING

Being a person who believes in continual improvement, and being proactive instead of reactive, I suggested to one of my employers that I worked for that we should implement ELMAH (Exception Logging For .NET) to handle our uncaught exceptions.  They weren’t too interested when I made the suggestion and so I did not push it.   I had found this gem of code here because I spend a bit of time each day doing research and improving my skills. (see point 2)

However, we had this continuing problem where customers would have a problem with the .NET site, maybe they had a crash and we had no way to diagnose the crash other than to remote into their machine and try to reproduce the error.  What made it worse is that they had debug mode off, and we could not even see the exact crash details.  Often we would have to take a risk and modify their file to put debug on (I say take a risk because if you make enough modifications, the application will restart and kick everybody off the system) and this was a live site with real customers.

So once the problem was large enough that it was passed on to the development manager.  When he queried the team for possible solutions to that particular crash, I jumped at the opportunity to suggest ELMAH.  The sale was immediately closed, and within a week we had ELMAH up and running on some of our customers.

Lesson?  Wait for the right time to make your suggestions.  it can be very effective.  Otherwise your advice may be falling on deaf ears.

Also.. this had the same result again when the timing was right we were able to successfully convince our development manager to make the switch from SourceSafe to Subversion.  We had discussed it many times but we had to wait for just the right time and when this time came (since they already knew about it and liked it, but were just waiting for a good time), getting approval from management was easy as pie.

How Random is your Random??

How random is your random? 

Computers are very deterministic.  What that means is that you put something in, you get something out.  In order to get computers to perform "randomness", it is very difficult.

Why is this important to understand? Because we want to write our code properly, if we depend on the random function for some security purpose, such as for generating passwords, we are actually putting security holes in our application without realizing it.

In .NET Using RNGCryptoServiceProvider would give you much better random results than just a Random.Next()
 
However, in order to truly  randomize your number, you would have to do something like use data from customer mouse movements, or something wierd like that.  Alternatively you can use a hardware random number generator such as the one Intel created that uses thermal noise to generate real random numbers

To realize just how complicated this really is, lets look at this quote from the Pokerstars web site on how they shuffle the cards in their software:
 
 
SHUFFLE
"Anyone who considers arithmetic methods of producing random digits is, of course, in a state of sin." – John von Neumann, 1951
We understand that a use of a fair and unpredictable shuffle algorithm is critical to our software. To ensure this and avoid major problems described in [2], we are using two independent sources of truly random data:
* user input, including summary of mouse movements and events timing, collected from client software
* true hardware random number generator developed by Intel [3], which uses thermal noise as an entropy source
Each of these sources itself generates enough entropy to ensure a fair and unpredictable shuffle.
Shuffle Highlights:
* A deck of 52 cards can be shuffled in 52! ways. 52! is about 2^225 (to be precise, 80,658,175,170,943,878,571,660,636,856,404,000,000,000,000,000 ways). We use 249 random bits from both entropy sources (user input and thermal noise) to achieve an even and unpredictable statistical distribution.
* Furthermore, we apply conservative rules to enforce the required degree of randomness; for instance, if user input does not generate required amount of entropy, we do not start the next hand until we obtain the required amount of entropy from Intel RNG.
* We use the SHA-1 cryptographic hash algorithm to mix the entropy gathered from both sources to provide an extra level of security
* We also maintain a SHA-1-based pseudo-random generator to provide even more security and protection from user data attacks
* To convert random bit stream to random numbers within a required range without bias, we use a simple and reliable algorithm. For example, if we need a random number in the range 0-25:
o we take 5 random bits and convert them to a random number 0-31
o if this number is greater than 25 we just discard all 5 bits and repeat the process
* This method is not affected by biases related to modulus operation for generation of random numbers that are not 2n, n = 1,2,..
* To perform an actual shuffle, we use another simple and reliable algorithm:
o first we draw a random card from the original deck (1 of 52) and place it in a new deck – now original deck contains 51 cards and the new deck contains 1 card
o then we draw another random card from the original deck (1 of 51) and place it on top of the new deck – now original deck contains 50 cards and the new deck contains 2 cards
o we repeat the process until all cards have moved from the original deck to the new deck
* This algorithm does not suffer from "Bad Distribution Of Shuffles" described in [2]
PokerStars shuffle verified by Cigital and BMM International
PokerStars submitted extensive information about the PokerStars random number generator (RNG) to two independent organizations. We asked these two trusted resources to perform an in-depth analysis of the randomness of the output of the RNG, and its implementation in the shuffling of the cards on PokerStars.
Both independent companies were given full access to the source code and confirmed the randomness and security of our shuffle. Visit Online Poker Random Number Generator for more details.
[2] "How We Learned to Cheat at Online Poker: A Study in Software Security" – http://itmanagement.earthweb.com/entdev/article.php/616221
[3] "The Intel Random Number Generator" – http://www.cryptography.com/resources/whitepapers/IntelRNG.pdf"
 
Here is an article about how to shuffle a deck of cards: http://www.codinghorror.com/blog/archives/001008.html?r=31644 and in one of the links it explains a big security hole in their random number generation and how it could have been used to leverage thousands of dollars from players.

Here is a snippet of how to get Cryographically safe random numbers:

 

This will fill in the 8 bytes with a crytographically strong sequence of random values.

byte[] salt = new byte[8];
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
rng.GetBytes(salt);
Optimization WordPress Plugins & Solutions by W3 EDGE