I will speak at 3 universities:

• Hebron University 29th November
• Khadoori University at Tulkarum 30th November
• Bir Zeit University 1st December

2 of my friends will be joining the tour too: Mohammed Saleh from Jordan and Saed Shela .. the Israelis blocked Ali Nimer –Jordan- from joining us since they didn’t issue a visit permit for him. I wish he could make to Palestine … maybe next year inshallah.

See you there ..

Last month May 26th PalDev brought Kiril Vassilve -AerData- to the stage, to talk about his life experience applying Scrum in a distributed team. Kiril has 17 years for experience in Software development industry. He worked with a Palestinian team from Equiom MENA – a software outsourcing house based in Ramallah- for the last 4 years. Equiom as well as an increasing number of the Palestinian IT firms are doing software development outsourcing for customers from US and Europe.It was very good chance for the developers community to hear from a person who was applying Scrum in similar condition for a good amount of time.

Last year PalDev arranged a CSM training with James Coplien were a 28 members attended. Most of them were from companies that do outsourcing! Not so many could guide their colleges/firms to move towards applying Agile/Scrum .. I was thinking that bringing a person who made it there could help and will pack people with a good stories to tell to their manager.

Learning Scrum fundamentals does not always give you that knowledge of how things will go when you are out in real life. Applying a disciplined methodology while being exposed to all kind of obstacles & circumstance of real working environments could turn into big failure if you have no idea how to handle real issues. You will be afraid and have all kind of thoughts .. does this will work? what could go wrong? should we do this or do that?… Scrum is an open framework  .. it will not have answers of many of your questions. Because all of this, hearing and talking with community colleges who made this way through this experience will be a great resource of learning.

I started the meeting by a quick presentation “Scrum in a Nutshell” where I explained Scrum basics, Scrum roles, meetings and artifacts .. that was very good brief to show what Scrum is. Then our 2m tall Bulgarian friend Kiril took the stage and he started his presentation by talking about “What Scrum is NOT!” that was a good start since many of our audience who has been new to Scrum has all kind of ideas about his Scrum thing

Kiril has few slides to show then the discussion started, many of audience questions was arguing how Scrum could work! since the good amount of the audience are coming from waterfall background and another good amount is applying cowboy programming in their projects –which even worst than waterfall-

one of the most reasons that make Scrum fails is not having a good Product Owner aka PO who is able to write good user stories

One of the ideas Kiril stressed on is that one of the most reasons that make Scrum fails is not having a good Product Owner aka PO who is able to write good user stories. PO is a crucial role for the Scrum team and if the PO is not writing a good user stories this means the development team will face tough time and will waist his time doing the PO work. Another issue Kiril stressed on is that the management must have a basic understanding what Scrum is and how it works and they must have the commitment to apply such framework. The management shouldn’t have the idea that Scrum is something belongs to the development team only and they are free to interfere with the team work any time they need.

I believe the audience enjoyed the discussion since it was more like developers weeping! we were making fun of our managers, customers and business analysts ..etc who was turning our life harder by their un-disciplined acts .. we enjoyed that part

At the end  pizza was served and the audience continued their debate while they have their standup meeting

Finally I would like to thank gSoft Technology Solutions and Ramallah Chamber of Commerce & Industry for sponsoring this event.

Woof!

Last week I traveled to Dubai to attend the well known technology conference  Microsoft TechEd. I tried to attend last year 2010 but I never got my visa until the conference come to its end. This year I did all arrangements early enough – not so early – to make sure to be there. Being there and having the chance to meet and network with more than 2000 attendee and meet many Microsoft insiders  face to face was really a nice experience.

The event started on Tuesday 8/3/2011, there was a pre-conference sessions but you need to pay extra 200$ to attend and that was not one of my options. The opening keynote was nice, Ali Faramawy a MSFT Vice President from  Egypt talked first about TechEd and Microsoft plans for Middile East. He mentioned that they got 1 attendee coming from Libya an forgot to mention me the only attendee from Palestine!  After that S. Somasegar -Senior Vice President, Developer Division- took the stage first using the new Xbox Kinect Avatar then physically and started talking about the  Microsoft’s different product lines and the future vision for them. Nearly each demo have some problems but that was some kind of fun!  not for the speakers for sure

After the keynote I met accidentally with Naseem Tuffaha an amazing Microsoft rockstars from Palestine. We talked a littile bit about the opening keynote, Naseem introduced me to 2 Microsoft executives I don’t recall their names. I talked with them a little bit about my newly created startup AbbMatrix and our project codename “Prunus” .. they liked the idea and I was really happy for hearing that.

After that I went to attend my first breakout session “User Experience Best Practices for Building Applications on Windows Phone 7″ .. Here is list of sessions I attended for the whole 3 days:

Tuesday, 8 March 2011

User Experience Best Practices for Building Applications on Windows Phone 7   – Windows Phone – Mingfei Yan

Introduction BizTalk – Anton Delsink (I am not sure about the title)

Introduction to Windows Azure   – Cloud Computing & Online Services – Ahmed Essayed

Wednesday, 9 March 2011

• Test Automation with Visual Studio 2010: Coded UI Tests and Lab Management   – Developer Tools, Languages, and Frameworks – Brian Keller
• Deep Dive into Razor    – Web Platforms – Scott Hunter
• The Future of C#   – Development Practices – Lisa Feigenbaum
• Applied Software Testing with Visual Studio 2010   – Developer Tools, Languages, and Frameworks – Brian Keller
• Build a .NET Business App in 60 Minutes with Dynamics CRM 2011   – Microsoft Dynamics -Steven Kaplan

Thursday, 10 March 2011

• Changing our Game : Windows Phone 7 and the Windows Phone 7 Application Platform  – Windows Phone – Mingfei Yan
• Conferencing with Lync Server 2010: What’s new, what’s behind the scenes. (UNC310)  – Unified Communications – Mahmoud Badran
• Open Data for the Open Web  – Development Practices – Ronald Widha
• Meet the Visual Studio Team   – Developer Tools, Languages, and Frameworks – Lisa Feigenbaum, Shy Cohen, Brian Keller, Vishal Joshi, Scott Hunter, Jay Schmelzer
• What can .NET 4 do for me? 16 Reasons to Adopt and Leverage .NET 4 – Development Practices – Shy Cohen
• Closing Keynote: Think Small to Build Big  – Samer Abu-Ltaif, Walter Puschner

The event went well, the speakers was generally at a good level of their topics but some of them was not so confident while their doing their speeches. It was really amazing specially to meet many of the guys I know from twitter face to face.

One thing I hate about TechEd Dubai, that Microsoft didn’t give us the attendees any giveaways other than the TechNET subscription .. I envy MIX and PDC folks they always get some nice gift e.g Last Year in PDC they gave all the attendees a new WP7 device!

It was really a great opportunity and I recommend that each techies who cares about the development of his career to attend such event .. for me I will be their next year definitely.

It was more like a social meeting rather than a technical one, and we chose a calm, lovely and nice restaurant “Diamonds Restaurant” at Ramallah’s center. More than 20 CSMs attended, and we did some guests who was curious to know more about us. For this meeting it was limited one since it was targeting the people who attended the course last September. PalDev will hold open Scrum meetings and activities in the future, finally that’s what PalDev all about, a community based organization which is open for anybody interested.

The meeting was brief .. I did a small speech introducing the goal and the meeting agenda. Then our main speaker Salem Awadallah – Service Delivery Director from Asal- talked about their experience applying Scrum in Asal – a software and outsourcing house in Ramallah- within different teams who works for different clients using various technologies.

Finally, we gave each CSM a copy of Jim Coplien’s new book “Lean Software Architecture”. The audience where so happy and excited and instantly some of them suggested to have a debate in the next meeting to discuss the book content.

Wooof!

I was thrilled to be invited to present in front of students in one of the best universities in Palestine, actually its my second time there, last year I did a 3 hours presentation introducing “ASP.NET Development using C# & VS2008”.

When I reached the university I was afraid not to have so many people attending – the number of Bethlehem University student is already small- but I was more than happy to see that more than 40 students attending. I was already late and I entered before couple of minutes of my presentation.

.NET Clubs in Palestine

This is the 7th club being launched in Palestinian universities. So far we have:

Enjoy it!

The Certified Scrum Master certificate states that you are good to play the role of Scrum Master which is one of the 3 roles in Scrum. Don’t mistake that you are a master of Scrum!

The Preparation Material

There are several resources to prepare yourself for the exam I used “Scrum Guide” which was written by Ken Schwaber and Jeff Sutherland, co-creators of Scrum. You can download this 21 guide book in many languages. There is an Arabic version translated by http://www.agilemaroc.org/, big thanks for them although I disagree with the way the make it since I believe that translating technical terms into Arabic will make them loose their meaning.

Anyway here you can download the Scrum Guide which represents the official Scrum Body Of Knowledge. The English version and here is the Arabic one.

The Evaluation Exam

This exam is the second requirement of CSM certificate from Scrum Alliance, the 1st one is attending 2 days training course with a Certified Scrum Trainer. It consist from 42 question covering three areas:

- Scrum Principles
- Scrum Terminology
- Scrum Practices

For me I passed the exam scoring 91%.

The questions was clear, well crafted and easy to follow. What is so nice was that you explanation for the answer after you answer the question. In this way you can know immediately why your answer is correct of wrong. This will help you better to keep this knowledge in your mind.

It took me around 40 minutes to finish the exam since I was stopping to read the explanation almost after each answer. In general the questions was direct and doesn’t need deep thinking.

One last thing to talk about this exam is it’s a Pass/Pass exam so you will be certified even if you failed in this exam. I think this is a temporary since the exam is still in beta.

The Certificate

Now I am a certified Scrum master! There will be always a strong debate about the technical certificates are they good or bad for the industry. I will not discuss this here but here is my own opinion or how I think about the certificates.

The certificate itself is a tool to measure the knowledge and the experience of the person who will certify. Its not always an accurate measure or a proof of quality and there are a lot of factors that affect this.

Mainly that depends on the person himself, if he is taking his career seriously and believe that having a certificate will help him to know where he stands, and he is complying with prerequisites and requirements of the certificate then it will be a good measure, but if he is not its hard to tell.

Here is a nice comic about the certificate buzz, Jim showed this in our class

Being a Certified Scrum Master does not mean –in my case at least- that I am mastering Scrum, or I have the enough knowledge to start turning my organization into Scrum on the wide scale.

It means that I have the principles clear in my mind and I am ready to start learning how to change the traditional way we are doing software development – in the majority of Palestinian software firms, which I can tell you from my experience is really sucks.

Its give us the opportunity to engage with international experts and peers in the Scrum community worldwide.

We are responsible for learning more about modern software development, and how successful people are doing it in their real environments which are very huge in compare with what we have here. And share this new knowledge with our community, we are so lucky that PalDev became an official Scrum user group. This will help in many ways I will talk about this in future posts.

Woof!

Big thanks to Jim Coplien and Jim Cundiff -Scrum Alliance Managing Director-to make this event a reality

PalDev managed the local logistics/arrangements and collected a nominal amount of money from the attendees to cover the expenses, special thanks to Odayy Hazeem, Ayman Awartani and every one who helped to carry this out.

We were a group of 27 developer and project manager from different cities and companies. The combination was great where you people from different backgrounds working  for different companies work together in course activities. This the magical chemistry which will ensure the success of any event which includes engaging activities. Originally we had 5 girls listed their names but we ended with 1 girl and the rest canceled.

From what I heard, every person who attended was pleased with the new expertise they had and were feeling a great amounts of energy which Jim forced us to discover in our selves.

How I found Jim? How we started this?

Many of my friends who attended the training was asking me who I knew this amazing Jim … so here is the story. The story started late 2008  when I was Google the internet and studying Scrum, I just discovered the Scrum Alliance website and they were announcing their new certificate system. I noticed that there is a CST –Certified Scrum Trainer- in Israel who usually holds training course in Herzelia, and  found no CSM courses in any Arabic country! For my bad luck I can’t be in Israel since I can’t have an Israeli permits so I moved to into other direction.

I tried to contact some trainers to arrange for a training in Jordan but didn’t end with anything. Early this year I was visiting Scrum Alliance website  again and looking in the upcoming courses page when I noticed couple of courses in Turkey which was the closest country I can travel to – excluding Israel-. The course trainer was James O.Coplien, I followed a link and reached Jim’s profile and by each line I read I was thrilled more and more.

That was on 20 January 2010 when I sent him a message asking if we can arrange a course in Amman and explaining that I can contact other communities in Jordan to carry out this course and get the needed number of trainees, he replied in less than 2 hours with:

“Salam Huthaifa,
Wow – this is a fantastic request. I was just thinking about dong something like this the other day… “

I was very happy with his reply and so we started planning for this course through a long email loop where Jim did the heavy lifting for us by providing the training, and acquiring the sponsorship … etc. The original plan was to have this training in Amman, Jordan but since the majority of people who registered were from Palestine we decided to move it to Ramallah. Jim was more than happy with this decision since it was the original vision of the event.

Meeting Jim in Ramallah!

Our training was to start on 27 to 28 of September, I was a little busy that week in SharePoint Saturday Palestine. I was in a nice trip with my SPSPal friends Jole Oleson, Michal Lotter, Paul Swider, Michal Noel and Muhanad Omar through Hebron and Bethlehem in Sunday the next day of  SPSPal, I was supposed to meet Jim in Ramallah in the evening.

I was saying goodbye to my SharePoint friends and then rushing to Ramallah to meet Jim in Grandpark hotel. While I am on my way to Ramallah I sent him a sms telling him that I will meet him within 20min. And after that time I was still stuck in Qalndia evening traffic! that was the most embarrassing thing to do with a person with ironic timing in your first meeting!

Later on dinner with group of friends and other guest from Jordan Jim was asking me when I will pick him up at the morning. I was afraid to give him a direct answer so I said: “lets say I will do my best to be in the hotel at  7:00-7:30am “ we laughed a lot about this

The D-Day

As we predicted and as Jim mentioned people will not show up on time although we announced the exact time through emails and on the event page. After small introduction the fun started and you could feel the energy in the air. The people where so happy with the ice breaking game. Before start Scruming! Jim said we need to agree on the break times and the penalty of breaking this commitment, the majority was okay with doing 10 push-ups as a penalty. After the 1st break I was one of those who did 10 push-ups! that was embarrassing but a lot of fun

I have no words to describe what we achieved and learned through the rest of 2 days. Jim was inspiring! he has a radical way of describing and explaining things. He was working so hard to guide us to think in the correct way and doing things right. Many of us discovered how much wrong was their ways in doing software development. Many others just realized how much their ways was stupid. All of us felt hard to believe that this will work in real life but was shocked when we heard that many of the biggest companies with distributed branches world wide was applying those ways which Jeff Sutherland and Ken Schwaber  developed in 1990’s.

One of the amazing things that Jim mentioned is that the application of the Toyota –the giant automobile manufacturer- way to software engineering is the heart of most of the agile methodologies. I decide that I will buy “The Toyota Way” book soon, after all I am a big fan of the Japanese people and their way of doing things and Kaizen continuously.

PalDev the 1st Arabic Scrum UG

While we arranging for this training I was in the process if registering PalDev as an official Scrum user group. The Scrum Alliance have more than 110 user groups world wide. Shortly before 2-3 days of the training day I received an email from the Scrum Alliance stating that PalDev is officially registered as Scrum User Group. 

It’s a privilege for PalDev to join this international community and be the 1st and only Arabic Scrum user group.

After this course we have a new 27 Scrum master who are ready to learn more about Scrum, and share their knowledge with the others for the best of their companies and the whole ICT sector in Palestine. In this way PalDev is achieving its active role in developing the ICT sector generally and the software development sector particularly in Palestine.

Event Arrangements, lessons learned

Registration

I used eventbrite for announcing and managing the registration process online. I was not aware of the custom fields feature so it was a late to add extra fields e.g: phone, company, job title. I sent dozens of emails asking the people who registered to update their info. So make sure that you are asking  for all the needed information before publishing the event since its probably will be he last chance you can ask for it. The custom fields feature is very nice and easy to use.

Announcements and Notifications

The majority of people stated that eventbrite notifications were never showed up in there email inbox. This behavior is expected since many email services will think its a spam and send it to the junk folder. Besides there are the possibility of people not checking their mail frequently or even not using their main email in the registration process! For such events where the target group is small less than 50 and from the same area/country the best way of broadcasting important updates is by using phone. So make sure to have the participants phone numbers.

Marketing Materials

I was pissed off when I saw the marketing materials we have. Our provider didn’t comply with what we dealt on, the t-shirts which supposed to be geeky have PalDev & Scrum Alliance logos printed in a very stupid and ugly way. The notebooks have nothing to do with notebooks they look like a pile of papers stick together with a cheap glue. And after all of this he didn’t deliver the pens on time! The mistake I did was I changed the former provider who I used to work with -since he didn’t answered my calls – although his work quality was very pleasing and proofed.

People Management

Every event contains people, and people are very complicated. In this course the trainer and me myself faced small challenge to make some people listen and stop side talks. Sometimes during the course I wished I could throw couple of guys out of the hall because they kept talking even after Jim told them directly to stop that. I wonder why any person would pay a good amount of money to attend a training while he will keep talking and not listen to the trainer!

Last Word

This event was a huge success in all measures. I wish I have the ability to describe what I saw better but I could say that Jim Coplien, the trainees and PalDev as a group has a great add value from this event. Thanks Jim Coplien for being an inspiring teacher and a great friend for Palestine

Woof!

In this post I will show a quick summary about the events and the people who are helping to make this a reality.

Certified Scrum Master CSM Training

For the 1st time in the Middle East region, PalDev in corporation with Scrum Alliance are holding a Certified Scrum Master training course. More than 25 software engineers is attending this course representing a verity of software firms in Palestine from Nablus, Ramallah, Hebron and Jerusalem.

Scrum is an iterative, incremental methodology for project management often seen in agile software development. This methodology is wide spread and applied by of thousands software teams worldwide.

This training is supported by Scrum Alliance and the trainer himself who helped PalDev to deliver this training for the Palestinian developers with a very big discount – more than 80%- by finishing this course the developer will become a part of the Scrum Alliance community and this allow him to continue in higher levels in the Scrum certificates.

Jim O. Coplien

This training will be delivered by a topnotch computer scientist and one of the key names in the Agile community world wide James O. Coplien. Jim Coplien is the founder of the Pasteur Organizational Patterns project, which was the foundation for the Borland QuatroPro for Windows study that inspired Jeff Sutherland to include daily stand-up meetings in Scrum. This work was also one of the main foundations underlying the organizational principles of Extreme Programming.

In a former life Cope is best known for his design and programming books such as Advanced C++, Multi-Paradigm Design, and the pioneering two books of the PLoPD series of edited works. He is also one of the founders of the pattern discipline, and his book Organizational Patterns of Agile Software Development Is the most authoritative work on Agile foundations today. His next book, together with Gertrud Bjørnvig, is Lean Architecture for Agile Software Development and will be published by Wiley in 2010. He is a partner with The Scrum Foundation, and also with Gertrud & Cope in Denmark.

PalDev members are so lucky to have a great guy like him in Palestine, I believe it will be a very special experience and new knowledge for the Palestinian developers. A nice surprise by PalDev is awaiting the ICT community so stay tuned!

SharePoint Saturday Palestine

SharePoint Saturday SPS is an educational, informative & lively day filled with sessions from respected SharePoint professionals & MVPs, covering a wide variety of SharePoint-orientated topics. SharePoint Saturday is FREE, open to the public and is your local chance to immerse yourself in SharePoint!

This international initiative are running dozens of offline and online SPS events, all over the world SharePoint Saturday events complies SharePoint lovers together. The Arabic regions has three SPS events tell now:

• SharePoint Saturday Arabia – an online event
• SharePoint Saturday Jordan – in Amman
• SharePoint Saturday Palestine – in Ramallah

Hosting the 2nd SPS event in the whole region in Palestine is a great thing. This reflects the commitment of the Palestinian community to be in the lead although of all the complexities we face here. In SharePoint Saturday a magnificent group of international SharePoint experts will combine us. I am really excited to have those people here in Palestine, and I am sure that their excitement is not less than ours.

This events will take place tomorrow Saturday25/9/2010 in Pecdar building at Ramallah/Jerusalem street. There will be 8 session over on the whole day. Take a look on the detailed agenda here
Many thanks to our sponsors for their commitment and support. SharePoint Saturday Palestine event is sponsored by: BIT, NIIT, Devosis, and MercyCorps. More about the sponsors is here.

Our Guests:

Michael Lotter

Michael Lotter, MCTS, is a SharePoint Solutions Architect for B&R Business Solutions, and travels throughout the United States implementing SharePoint and InfoPath-based solutions. He is an active speaker at East Coast Code Camps and user group meetings, and is a co-author on O’Reilly’s SharePoint 2007: The Definitive Guide. Here is a little secret about him: he is the Founder and Chief Organizer of SharePoint Saturday initiative! he is the SPS guy thanks Michael!

Michael Noel (MVP)

Michael Noel is an internationally recognized technology expert, bestselling author, and well known public speaker on a broad range of IT topics.  He has authored several major industry books that have been translated into over a dozen languages worldwide. Significant titles include SharePoint 2010 Unleashed, Exchange Server 2010 Unleashed, Windows Server 2008 R2 Unleashed, ISA Server 2006 Unleashed, and many more. Michael Noel was been in Palestine the last year to speak about Microsoft TMG and help launching PalITPros user group. We spent a great time together, Michael was very excited for being in Jerusalem

Muhanad Omar (MVP)

Muhanad Omar is a consultant, trainer, speaker and community advocate. Muhanad is a two-time recipient of the prestigious Microsoft Most Valuable Professional (MVP) award for SharePoint Server, the Founder and Leader of the Jordan SharePoint User Group, and Regional Evangelist for the International SharePoint Professionals Association (ISPA).  Muhanad is a Palestinian who is entering Palestine for the 1st in his life because he have no Palestinian ID, Welcome back Muhanad!

Joel Oleson

Joel is Sr. Product Architect and SharePoint Evangelist at Quest Software where he is responsible for product strategy across the SharePoint business unit. As an internationally recognized technology expert in SharePoint, Social Computing, and Internet Technologies, Joel’s writings and extensive public speaking experience across six continents leverage his expertise helping customers and partners. Engagements frequently include keynotes and featured speaker requests at major industry events. Prior to Quest, Joel worked at Microsoft for 7 years including architecting the first global deployment for Microsoft and the launch of SharePoint 2007 in the SharePoint Product. 

Paul Swider

Paul J. Swider is an international speaker, writer and freelance consultant. In addition he is president of the Charleston SharePoint Users Group and a contributing author of the new Professional SharePoint 2010 Development book published by Wrox Press. Paul was in Palestine in May 2010 to join the local community in the PalTech Days conference he also helped in launching the local SharePoint user group PSUG. We spent a great time with Paul in our tour in Ramallah and Jenin when we visited the AAUJ

Mohamed Saleh (MVP)

Mohamed Saleh is a Sr. Development Engineer at Devosis, based in Amman, Jordan. His focus lies within Microsoft .NET technologies, primarily in Microsoft SharePoint Products and Technologies. He received the Microsoft MVP Award for Visual C# for his contributions to the Jordan .NET Community 2 times. Mohamed Saleh aka. MAS is a board member in the Palestinian .NET user group PalDev and he helped us a lot form the day 0 when we started the whole community thing.

Final word

Its really great thing to see such activities in Palestine which for sure will have a great impact on the ICT sector. And plays an important role by providing the Palestinian professionals with the necessary tools and knowledge to cope with their peers in different countries. And its amazing to see the local Microsoft communities reaching this level of maturity and organization which makes them one of the most successful technical initiatives in Palestine.

I will come back with more details and new later on. Looking forward meeting you in those events soon.

I was amazing to watch the panic wave moves quickly through Twitter and other social media websites, Microsoft quickly released the Security Advisory (2416728) describing the publicly disclosed vulnerability which affects all the ASP.NET versions. This means that more than 25% of the websites on the earth is exposed for attackers.

What Affected?

A lot!

“In short, you can decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the framework’s API!” stated Juliano Rizzo

The attacker could even download forbidden files such as web.config and have access to sensitive data e.g. connection strings, security credentials. Scott Guthrie wrote a post describing this vulnerability and how to walk around it in the mean time.

The vulnerability affects all the ASP.NET versions 1.1- 4.0. And it affects all the ASP.NET development frameworks: ASP.NET Webforms, ASP.NET MVC, ASP.NET WebPages. SharePoint which is an enterprise ASP.NET based product from Microsoft is also affected. Here the SharePoint team post

Padding Oracle, the name

To make the long story short, since encryption algorithms work on blocks of data (usually 8 or 16 bytes per block), the remaining bytes are “padded”. For example, a 5-letter word “TABLE”, will be padded with three bytes to become 8-byte block. I’ll skip the explanation on how exactly it is done – you can read here about that.

“Oracle” is a mechanism inside a cipher, capable of providing Valid or Invalid answer for a given ciphertext. Therefore, “Padding Oracle” is a mechanism, capable to answer, whether the padding of the provided cyphertext is valid or not.

Padding Oracle, the attack

Ciphers (encryption algorithms), built in Microsoft in .NET framework, throw a System.Security.Cryptography.CryptographicException with a message “Padding is invalid and cannot be removed” in case of invalid padding. So this is our Oracle for padding!

” Since HTTP is a stateless protocol, web developers must either manage states on the server, or push them to the client. For performance and scalability reasons, many web developers tend to go with the latter method. They want to keep the state as a secret, and turn to cryptography which is the right tool. However, they use it wrongly, i.e., neither apply a MAC to the ciphertext nor use an authenticated block cipher mode, and make their systems vulnerable” stated Rizzo in his paper

Note: By default ASP.NET are using a MAC validation mechanism to ensure that cookies and viewstate are not tampered with while being on the client. But seems its not effective to prevent the attack.

ASP.NET and cryptography applications

Two main applications for cryptography are used heavily in ASP.NET websites are in FormsAuthentication and WebsResources. By conquering cipher-texts used in those two techniques the attacker can get access to sensitive data and harm your website

If you used to build ASP.NET application you are aware of the authentication story, one of the authentication methods available is by using “Forms Authentication”. Usually forms authentications requires an authentication ticket to be encrypted and put inside authentication cookie – the ticket is included in the URL incase of cookie-less authentication-. In the example below the protection attribute states that the authentication ticket is encrypted

<system.web>
  <authentication mode="Forms">
    <forms name=".AuthCookie" loginUrl="login.aspx" protection="All"/>
  </authentication>
</system.web>

The authentication ticket is encrypted using the <machineKey> configuration element of the server’s Machine.config file. ASP.NET 2.0 uses the decryptionKey and the new decryption attribute of the <machineKey> element to encrypt forms authentication tickets. The decryption attribute lets you specify the encryption algorithm to use which could be one of: AES, DES, or 3DES . ASP.NET 1.1 and 1.0 use 3DES encryption, which is not configurable.

<machineKey validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7
               AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"
decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
validation="SHA1"
decryption="AES"
/>

The 2nd application is WebResourse.  WebResourse is a away to store files e.g images, CSS, javascript files in an assembly and then pulling them out on the runtime, this concept came with ASP.NET 2.0 to ease the deployment of web applications and controls

<script src="/WebResource.axd?d=Io6c51_3UKGUurfQ8VwthSja0Q5lIxFzavuaGWKwEVs1&amp;t=634145708086754692" type="text/javascript"></script>

The value of querystring parameter “d” in the last line is the resource name encrypted using the machine key configuration element, by default the majorty of ASP.NET controls e.g menu, validation, imagemap, grid .. etc are using WebrResources to reference javascript files needed for their work.

ScottGu mentioned in his post that the attackers could use the oracle padding vulnerability to download files e.g web.config which may contain sensitive data. TheGu didn’t explained how but it seems the attack is  carried out using the WebResource ScripResources.axd mechanism to download the web.config files.

How Padding Oracle works?

You can check this detailed article that shows how exactly the exploited algorithm works, from what I read in the last couple of days I could summarize this into:

• The attacker finds a Base64 string which usually is a ciphertext, in ASP.NET this could be obtained easily from WebResource.axd URL or from an authentication cookie
• The attacker changes one byte in a cyphertext at a time and sending it to the oracle, asking “is it valid?” till the byte is decrypted. The “Vaild/invalid” answers are simply understood by examining the responses from the server responses e.g the error code 500 means that the cpihertext is invalid and 404 means the cpihertext is valid but could not decrypted
• The attack itself is not depending on the error code returns, its just need to monitor any abnormal behavior. Even if the website returns the same error pages in all cases, the attacker could make use of timing differences, as stated by Thai Duong one of the researchers who exploited the vulnerability

• After successfully getting the secret key in ASP.NET the machinekey, the attacker could create his own cookies and start using your system as a SuperUser, administrator .. or he could download your sensitive files e.g web.config
• As the researcher stated in there paper and in the demo they could use the vulnerability to encrypt their own cipher-text without getting the original encryption key! interesting right!

“We designed the following technique, which allows attackers to use a padding oracle to encrypt messages of any length without knowing the secret key”

The researcher published this video showing how they could take down a DotNetNuke installation, by getting the encryption key and encrypt their own SuperUser cookie

What to Do?

Start with this:

• Don’t ever allow your application to return YSOD -in a production environment -when an exception is thrown, this is the bad and will allow end users to examine your application exceptions in details
• Turning <customeErrors> On is not enough, since this will send YSOD with the exception message only which look a little bit uglier
• Don’t ever store any sensitive data in cookie, viewstate or any client side state, because there will be always a chance to get leaked to malicious users. Consider storing data into server base state instead.

Then:

• Apply the walk around described in Scott Guthrie post. The walk around shows how to redirect all the errors to the same page and add random time delays. This walk around as some stated is not enough but it will make things harder for the attacker and will confuse him more
• The most effective way of defense IMHO is to make sure that you server can defend himself against DoS attacks. The exposed vulnerability will flood you server/application with thousands of requests. Defending web servers/applications against DoS attacks is always a requirement and you must consider this whenever you deploy a web server/application.
• Defense against DoS attacks could be achieve on the hardware or application levels. It could be used by firewall, routers, ISA or on the IIS level. And this could be achieved on the hardware level too. More about defending DoS attacks
• If you are using shared hosting e.g GoDaddy contact them and check if they are applying a defense mechanism against DoS attacks
• Read the FAQ’s posted by Scott Guthrie about the exploited vulnerability

Scott Guthrie said that his team is working on a new security patch that will be published as a part of windows update as soon as possible. Until that time developers need to protect their own applications by using methods explained previously.

Resources

• Practical Padding Oracle Attacks paper by Juliano Rizzo and Thai Duong
• Important: ASP.NET Security Vulnerability by Scott Guthrie
• Frequently Asked Questions about the ASP.NET Security Vulnerability by Scott Guthrie
• A great explanation about the Oracle Padding, including an implemented python script
• Fear, uncertainty and and the padding oracle exploit in ASP.NET by Tory Hunt
• “Padding Oracle” ASP.NET Vulnerability Explanation by Vlad Azarkhin
• Padding Oracle Exploit Tool (POET) – original tool used for JSF attacks