Bimil 1.10

Although I kept Bimil, my password manager, without a version number for more than five years, version 1.10 comes right on the heels of 1.00.

The most noticeable change is the new Start window. While it doesn’t offer anything that isn’t possible in the rest of the program, it does speed up opening recently used files. Opening files in read-only mode also becomes possible, and I’m sure this will be a handy feature for many.

Fields have been refactored a bit; the two-factor authentication and CVV buttons are hidden by default, and the former has gained an option to show the code instead of just copying it.

Alongside a few minor fixes, the feedback form has been moved to HTTPS. It just felt wrong to have a password manager send messages over an unencrypted channel. :)

As always, the upgrade is available directly from the program or from these pages, and the source can be found on GitHub.

Ubuntu Under Windows

During the BUILD conference Microsoft announced it would be possible to run the bash shell and Ubuntu binaries on Windows. My personal reaction to this was meh.

Those familiar with me and my blog might know I love some things about Linux - especially bash - and I have more Unix/Linux-based computers than ones running Windows (although the numbers are close). For server-like tasks - even at home - nothing beats Linux. Yes, the learning curve is a bit steep due to the heavy reliance on the command line, but that becomes a strength once you get used to it. And don’t get me started on the superiority of SSH. Anybody with an interest in technology is missing out if they don’t at least try Linux.

The reason for my less than warm welcome is that I already have all the Linux command-line applications worth running under Windows. If you download Git for Windows, you get a Bash shell and a bunch of tools that go with it. Frankly, I rarely go into the Windows command line (or its bastard child PowerShell) anymore. Bash is simply more powerful and more practical. With a few easily remembered commands you can do wonders - especially when filtering files. And anything bigger has a Windows version too, 95% of the time.

I don’t view Ubuntu on Windows as a bad step. But I don’t believe it will bring much to developers who have had bash running on Windows, one way or another, for years. Considering it is a Windows Store application, I am sure there will be enough gotchas to keep it from being practical…

Of course, details remain to be seen once Windows 10 Anniversary edition is out.

POST Cannot Be Redirected

A few days ago I found a bug in a program of mine. As I have feedback built into most of my programs, I decided to use it for once. And failed. All I got was an error message.

A bit of troubleshooting later, I had narrowed the problem down. It would work perfectly well over HTTPS but fail over HTTP. It would also fail when redirected from my old domain, whether over HTTP or HTTPS. And the failure was the rather unusual error code 418, which I often use to signal that something is wrong with redirects. A bit of digging later, I noticed I was using the POST method for my error reporting (duh!).

You cannot redirect POST requests. And I was doing server-side redirecting (or trying to) from my old domain to the new one and from HTTP to HTTPS.

In the end I changed all my programs to use HTTPS, temporarily disabled redirecting to allow HTTP-only connections, and had to re-enable the same script on my old site so I can still get error reports from old versions that haven’t been updated. I knew this last domain move had gone too smoothly…
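To see the failure the post describes in action, here is an added example in C# (my own code, not code from the post or from any of the programs mentioned). It stands up a loopback HttpListener where the old endpoint answers a POST with a 301 and a Location header, lets HttpClient follow the redirect automatically, and then reports what the new endpoint actually received. The port, paths and message body are constructed for this demo.

```csharp
// Added example, not from the original post: what reaches the new endpoint
// when a POST is answered with a 301 redirect. Port and paths are constructed.
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

class RedirectedPostDemo
{
    // Constructed loopback prefix; pick any free port. On Windows a non-admin
    // process may need a urlacl reservation for this prefix.
    const string Prefix = "http://127.0.0.1:8765/";

    static async Task Main()
    {
        using var listener = new HttpListener();
        listener.Prefixes.Add(Prefix);
        listener.Start();

        // Serve the two requests (old endpoint, then new endpoint) in the background.
        Task<(string Method, string Body)> server = ServeTwoRequestsAsync(listener);

        // AllowAutoRedirect is true by default, exactly like most client libraries.
        using var client = new HttpClient();
        HttpResponseMessage response = await client.PostAsync(
            Prefix + "old",
            new StringContent("subject=bug&text=it+crashed")); // constructed report body

        Console.WriteLine($"Client ended at {response.RequestMessage.RequestUri} " +
                          $"with status {(int)response.StatusCode}");

        var (method, body) = await server;
        Console.WriteLine($"New endpoint received method {method} with body \"{body}\"");
    }

    // First request hits /old and is answered with 301 -> /new without reading
    // its body. Second request is whatever the client sends to /new; we record
    // the method and body so the difference is visible.
    static async Task<(string Method, string Body)> ServeTwoRequestsAsync(HttpListener listener)
    {
        HttpListenerContext first = await listener.GetContextAsync();
        first.Response.StatusCode = 301;
        first.Response.RedirectLocation = Prefix + "new";
        first.Response.Close();

        HttpListenerContext second = await listener.GetContextAsync();
        string method = second.Request.HttpMethod;
        string body;
        using (var reader = new StreamReader(second.Request.InputStream))
        {
            body = await reader.ReadToEndAsync();
        }
        second.Response.StatusCode = 200;
        second.Response.Close();
        return (method, body);
    }
}
```

Running it shows the new endpoint receiving a GET with an empty body: the client honours the 301, but in doing so turns the POST into a GET and drops the report, which is why a redirect between domains or from HTTP to HTTPS turns a feedback submission into an error. The example goes one step beyond the post in that the same conversion happens for 302 and 303; HttpClient only keeps the method and body for 307 and 308, and that choice sits on the redirecting server, not in the client.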

How to Secure Memory?

Sometimes you might want to protect your data in memory - the prime example is anything related to passwords. It is simply not smart to keep that data around in plain text.

In .NET there are multiple methods you can use for this purpose, starting with SecureString and ProtectedMemory, and my favorite, ProtectedData.

Each of these has its advantages and disadvantages, and each can definitely find its place in a security toolbox. However, I prefer ProtectedData because it doesn’t require any Win32 API magic to read (as SecureString does), nor does it have any limitations on block length (as ProtectedMemory does). As long as you are OK dealing with byte arrays, you can use it almost as transparent storage.

Most of the time I end up with something like this (the most basic form):

using System;
using System.Security.Cryptography; //ProtectedData, RandomNumberGenerator, DataProtectionScope

internal sealed class ProtectedBuffer {
    private static RandomNumberGenerator Rnd = RandomNumberGenerator.Create();
    private byte[] RawDataEntropy = new byte[16];
    private byte[] RawData = null;

    internal byte[] Data {
        get {
            if (this.RawData == null) { return new byte[0]; } //return empty array if no value has been set so far
            return ProtectedData.Unprotect(this.RawData,
                                           this.RawDataEntropy,
                                           DataProtectionScope.CurrentUser); //fresh decrypted copy; the caller owns it and should clear it
        }
        set {
            if (value == null) { this.RawData = null; return; } //Protect throws on null, so treat null as "no value"
            Rnd.GetBytes(this.RawDataEntropy); //new entropy every save
            this.RawData = ProtectedData.Protect(value,
                                                 this.RawDataEntropy,
                                                 DataProtectionScope.CurrentUser);
        }
    }
}

On each write we let Windows encrypt the data using random entropy (in addition to its standard encryption), while on every read we simply decrypt the data and return a copy of it. Care should be taken to delete the copies lying around, i.e. when you set the property and encrypt the data, you should delete the original. The best practice for deleting is to use Array.Clear, e.g.:

Array.Clear(value, 0, value.Length);

I will leave it as an exercise for the reader why that might be preferred to a simpler value = null.

PS: Note that, as soon as you convert the bytes to a string (e.g. to show it to the user), you have signed your capitulation, as you now have an unencrypted copy of the protected data in memory. Yes, sometimes you need to do it, but keep it brief.
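As an added example (my own code, not Bimil’s and not from the post), here is a wrapper that takes the pattern above one step further: it protects with fresh entropy on every write, wipes the caller’s plaintext as soon as it has been protected, and only ever hands out the decrypted copy inside a callback that clears it afterwards, which keeps the “keep it brief” window explicit. ProtectedData is DPAPI, so this is Windows-only; on .NET Core/.NET 5+ it needs the System.Security.Cryptography.ProtectedData package, and CryptographicOperations.FixedTimeEquals needs .NET Core 2.1 or later. The class and method names and the sample password are my own.

```csharp
// Added example, not code from the original post: scoped access to a
// DPAPI-protected secret, with every plaintext copy cleared after use.
using System;
using System.Security.Cryptography;
using System.Text;

internal sealed class ProtectedSecret : IDisposable
{
    private static readonly RandomNumberGenerator Rnd = RandomNumberGenerator.Create();
    private readonly byte[] entropy = new byte[16];
    private byte[] protectedBytes;

    // Takes ownership of 'plain': it is wiped before this returns, so the
    // only copy left in memory is the DPAPI-protected one.
    public void Set(byte[] plain)
    {
        if (plain == null) throw new ArgumentNullException(nameof(plain));
        Clear();               // wipe whatever was stored before
        Rnd.GetBytes(entropy); // fresh entropy on every write, as in the post
        protectedBytes = ProtectedData.Protect(plain, entropy, DataProtectionScope.CurrentUser);
        Array.Clear(plain, 0, plain.Length);
    }

    // Decrypts into a temporary copy, hands it to 'work', and wipes the copy
    // afterwards even if 'work' throws. The caller never holds the plaintext.
    public T Use<T>(Func<byte[], T> work)
    {
        if (protectedBytes == null) return work(Array.Empty<byte>());
        byte[] plain = ProtectedData.Unprotect(protectedBytes, entropy, DataProtectionScope.CurrentUser);
        try { return work(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    // Clears ciphertext and entropy; after this, Use() sees an empty value.
    public void Clear()
    {
        if (protectedBytes != null)
        {
            Array.Clear(protectedBytes, 0, protectedBytes.Length);
            protectedBytes = null;
        }
        Array.Clear(entropy, 0, entropy.Length);
    }

    public void Dispose() => Clear();
}

static class ProtectedSecretDemo
{
    static void Main()
    {
        // Constructed sample; a real program would read this from a masked input.
        byte[] password = Encoding.UTF8.GetBytes("correct horse battery staple");
        using var secret = new ProtectedSecret();
        secret.Set(password);
        Console.WriteLine($"caller's copy wiped: {Array.TrueForAll(password, b => b == 0)}");

        // Compare against an attempt without ever materialising the secret as a string.
        byte[] attempt = Encoding.UTF8.GetBytes("correct horse battery staple");
        bool match = secret.Use(plain => CryptographicOperations.FixedTimeEquals(plain, attempt));
        Array.Clear(attempt, 0, attempt.Length);
        Console.WriteLine($"password matches: {match}");

        // If it must be displayed, decode into a char[] you can clear rather than a string.
        secret.Use(plain =>
        {
            char[] chars = Encoding.UTF8.GetChars(plain);
            Console.WriteLine($"showing {chars.Length} characters to the user");
            Array.Clear(chars, 0, chars.Length);
            return chars.Length;
        });
    }
}
```

The design choice worth noting is the callback shape of Use: because the decrypted array never escapes the method, the finally block is the single place responsible for clearing it, which is the Array.Clear habit from the post applied consistently rather than left to each caller. The char[] path in the demo is the compromise for the moment you really do have to show the value: unlike a string, it can be zeroed once the user has seen it.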

Bimil and Summae

After using it myself for the last five years, I finally decided to give my password manager the version 1.00 designator.

It is a simple password manager using the Password Safe database format. Unlike Password Safe, it allows storage of credit cards and two-factor authentication keys. Give it a try and see whether you like it.

The other application that got a slight version bump is Summae. It now supports per-user context menu settings. On the other hand, you cannot install it on Windows Vista and below. If you are using Windows 7 you are good. If not, upgrade. :)