Tuesday, August 21, 2007

As I've mentioned, I left Clarizen a couple of months ago.
Now about the new thing:
I joined a new startup company - Semingo.
During the past year I became certain that what I want to do right now is develop ideas "from scratch" in a startup environment. So when Sagie, who is one of the founders of Semingo and my friend from the army days, invited me to join, it was a perfect fit.
The idea we're working on is very exciting and the people on the team are very bright.
Oren and Tomer are also blogging from a few feet away (and more bloggers coming soon!!).
We've only just started but it's been a lot of fun already.
About the product: all I can say right now is that it's related to social networks (just because that's what the press release says) and it's as cool as ice (before global warming). Don't worry, we're planning to release soon, so you'll be able to use it in no time (touch wood) - stay tuned!

Want to join me as partner in a cool new startup?
Get in touch: pasha at cohai dot co

Wednesday, August 22, 2007 5:09:25 AM (Jerusalem Daylight Time, UTC+03:00)
 Monday, August 13, 2007

Flash:



Mitch:



And yours truly:

Tuesday, August 14, 2007 4:31:47 AM (Jerusalem Daylight Time, UTC+03:00)

ASP.NET provides an easy way to write custom HTTP handlers. You simply implement the IHttpHandler interface and register your handler in "web.config", under the system.web section, like this:

<httpHandlers>
  <add verb="*" path="*.my_extension" type="MyHandlers.Handler, MyHandlers" />
</httpHandlers>

This registers a class named Handler to handle requests to URLs with extension ".my_extension".
You still need to let the web server know about this extension, and configure it to pass processing of files with this extension to ASP.NET.

To do it in IIS7, add the following to your web.config, under the "configuration" section:

<system.webServer>
  <handlers>
    <add name="handler_name" path="*.my_extension" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" resourceType="Unspecified" />
  </handlers>
</system.webServer>

Monday, August 13, 2007 9:25:33 PM (Jerusalem Daylight Time, UTC+03:00)
 Thursday, August 02, 2007

I couldn't find this all in one place, so here's how you enable developing and debugging an ASP.NET app under IIS7 on Vista:

1. Install Windows features in "turn Windows features on or off". You need these things (which are not installed by default):
Under "web management tools":
a. IIS metabase and IIS 6 configuration compatibility
b. IIS management console
Under "Application Development Features":
a. ASP.NET
Under "Common Http Features" - check everything.

2. Open the web application project in VS, go to properties, under "Web":
 2.1 Select "Use IIS Web Server".
 2.2 Click "Create Virtual Dir" (this actually creates an application, not a virtual directory, on IIS 7).
3. Open IIS manager:
 3.1 Make sure the default web site is started.
 3.2 Select your application:
  3.2.1 Click "basic settings...", choose under "Application Pool" the option "classic .Net AppPool".
  3.2.2 Under "authentication" enable "anonymous authentication".
  3.2.3 If you use Windows/Forms/Passport authentication in your ASP.NET app, you need additional configuration.
4. In VS set your startup page (right click on desired page in solution explorer).
5. Run.

Note: debugging still shouldn't work at this point, only "start without debug".
Note 2: many places say that you must run VS as administrator (not the default way under Vista), but for me it seems to work when running not as admin as well.

To enable debugging:
1. Install this hotfix. Download here.
Now debugging should work also.


Thursday, August 02, 2007 4:43:48 PM (Jerusalem Daylight Time, UTC+03:00)
 Tuesday, July 31, 2007

I should've posted on this a while ago, but it's been crazy lately. Better late than never.
A month ago I left my place of work at Clarizen. It's not been long, but it was definitely a great time for me.
I learned a lot and had so much fun.
Most importantly, I had a chance to work with some very talented and wonderful people - Eyal, Eli, Dudu, Sasha, Asher and many many more.
I participated in the development since a relatively early stage in the product's life and have seen the release of the public beta.
Do take a look at what came out in the end - www.clarizen.com.

p.s. Clarizen-friends: don't forget to buy me a beer when the IPO comes!!!

Wednesday, August 01, 2007 6:08:28 AM (Jerusalem Daylight Time, UTC+03:00)
 Thursday, July 26, 2007
Well, that's just the exception to the rule, that only proves the rule. (My Father, when wrong)

A while ago, I complained about how measuring the wrong thing will just make things worse, in particular, how measuring things in software almost never works.
Recently, I read the earth-shattering news that "Transformers" beat the all-time record for first-week revenue by a non-sequel.
"Transformers" beat the all-time record for first-week revenue by a non-sequel.
"Transformers" beat the all-time record for first-week revenue by a non-sequel.
Hmm. Is it, like, good?
Does it mean Transformers is the best thing since (user-generated) sliced bread?
Is it just a sucky flick?
I don't know.
Now, the interesting thing is: how did this ever become the news? Why don't they say "Transformers is the best movie ever", or "John Turturro as a 'section 7' agent is as brilliant as cold fusion"?
And another puzzle, for the advanced reader - why don't you hear about top grossing movies over a year or ten years' period? It's always "first weekend" or "first week".
Here's why:
Movie makers are in it for the money, just like the rest of us. And over the last decade or so, there's this one major obstacle in their little money making business. It's called piracy. It's easier to get an illegal copy of a movie than to get some water from the fridge.
In fact, I'm kind of thirsty now. But I'm not going to get that water. I'm too busy downloading Spiderman 4.
Oh, it's not out yet? No problem. They got it on bittorrent already.
So basically, most money you're going to make on a movie is in the first week or so. After that, everyone has already downloaded it from the internet for free.
Of course, the money people run the movie, not the...hmm...movie people. That's because the money people give the movie people money to buy food, and the movie people, well, they don't give the money people any money.
Now we have money people who run the movie and they want to make some money and they have to do it all in the first week. So they're going to measure, you guessed it, first week revenue.

Why do we care?
Here's the problem - to increase that measurement, which is first week revenue, it is not necessary to make a better movie. You just do better marketing, and more hype, and whatever. Because people who see the movie in the theater during the week don't really get a chance to hear from their friends if it's good or bad. They go because the trailer is really cool, and the ads are everywhere. And so, the quality may or may not suffer. We don't know. Because that's not what we measure.
Here you have an external force (illegal movie copying) creating a random measurement (first week revenue) and potentially driving final product quality down.

And please, don't measure bugs-per-developer either.

I've seen Transformers, by the way. It rocks. Hence my father's quote.

Friday, July 27, 2007 6:26:49 AM (Jerusalem Daylight Time, UTC+03:00)
 Saturday, July 21, 2007

Some things I learned about software while watching Die Hard 4.0 and Transformers:

1. A hacker is most of the time a hot chick.
2. A hacker never uses normal operating systems. They have a bizarre OS that is specifically optimized for their single need - displaying a map of USA with red dots on it.
3. When a computer is hacked into, the screen flickers.
4. Evil hackers, even if hot chicks, will always be proficient at martial arts as well.
5. You can hack a computer system by directing weird sounds at it.
6. Visualization is king - code breaking and pattern recognition are achieved using quick manipulations of 3D images.

Sunday, July 22, 2007 5:22:46 AM (Jerusalem Daylight Time, UTC+03:00)
 Friday, July 20, 2007

Web 2.0. Web two o. Web two o. Web two o. Web two o. Web two o. Web two o. Web two o. Web two o.
I am actually typing this, no copy-paste.
Tim, what have you done to us?
Web two o. Web two o. Web two o.
Donna Martin graduates. Donna Martin graduates. Donna Martin graduates.
Can we please just get it over with?
Web two o. Web two o. Two, zero, o.
Two.
Full stop.
O.
Please. Enough.
Web two o. Web to you. Web to me. Web to us.
Toys'R'Us. Don't call us, we'll call you.
Have a nice weekend everybody, besos.

Friday, July 20, 2007 7:54:02 AM (Jerusalem Daylight Time, UTC+03:00)
 Tuesday, May 01, 2007

Here is a major security vulnerability in applications that use the ASP.NET forms authentication mechanism.

Forms authentication exposes a configuration property called enableCrossAppRedirects. Its default value is false.

However, a simple test showed that this property does not have the desired effect, and it is possible for an attacker to redirect a user to a malicious website from your legitimate login page.

Assuming your login page is at http://www.myapp.com/login.aspx, and login.aspx uses the FormsAuthentication.RedirectFromLoginPage method, the following request will redirect the user to another domain after passing authentication by your application:

http://www.myapp.com/login.aspx?ReturnUrl=http%3a%2f%2fgoogle.com%5c

Although this is not an issue on its own, it can potentially lead to serious security threats to your users in the form of information stealing attacks.

Another annoyance is what MSDN has to say about this. The RedirectFromLoginPage method page in MSDN has a specific note on the potential risks of setting enableCrossAppRedirects to true:

Security Note

Setting the EnableCrossAppRedirects property to true to allow cross-application redirects is a potential security threat. When cross-application redirects are allowed, your site is vulnerable to malicious Web sites that use your login page to convince your Web site users that they are using a secure page on your site. To improve security when using cross-application redirects, you should override the RedirectFromLoginPage method to allow redirects only to approved Web sites.

Well, as we saw, you don't have to set the property to true. It works the same way when set to false.

But by far the most frustrating part is:

... You should override the RedirectFromLoginPage method to allow redirects only to approved Web sites.

Hmm. Right.

Too bad that the FormsAuthentication class is sealed.

And that RedirectFromLoginPage is static.

Real Solution

The only workaround, in case you really want to disable cross-domain redirects, is to check the ReturnUrl query string parameter in your code, before calling RedirectFromLoginPage.
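
One way to write that check, as an added example that is not code from the original post: the class and method names (ReturnUrlGuard, IsLocalPath, CompleteLogin) are hypothetical, and the policy assumed here is that only site-rooted paths are accepted, so any other ReturnUrl, including the backslash-terminated one shown above, sends the user to the default URL instead.

```csharp
using System.Web;
using System.Web.Security;

public static class ReturnUrlGuard
{
    // True only for a path rooted in this site, e.g. "/app/default.aspx".
    public static bool IsLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;

        // Reject backslashes (the sample URL in the post ends in %5c, a
        // decoded '\') and control characters anywhere in the value.
        foreach (char c in url)
        {
            if (c == '\\' || char.IsControl(c)) return false;
        }

        // "/path" is local; "//host" is a scheme-relative URL to another host.
        return url[0] == '/' && (url.Length == 1 || url[1] != '/');
    }

    // Call this after the credentials have been verified.
    public static void CompleteLogin(HttpContext context, string userName, bool persistent)
    {
        // Check the form field too, in case the value is posted rather than in the query string.
        string returnUrl = context.Request.QueryString["ReturnUrl"];
        if (returnUrl == null) returnUrl = context.Request.Form["ReturnUrl"];

        if (string.IsNullOrEmpty(returnUrl) || IsLocalPath(returnUrl))
        {
            // Missing or local: let forms authentication do its normal redirect.
            FormsAuthentication.RedirectFromLoginPage(userName, persistent);
            return;
        }

        // Anything else: still sign the user in, but ignore ReturnUrl.
        FormsAuthentication.SetAuthCookie(userName, persistent);
        context.Response.Redirect(FormsAuthentication.DefaultUrl, true);
    }
}
```

In login.aspx, call ReturnUrlGuard.CompleteLogin(Context, userName, false) at the point where the page currently calls RedirectFromLoginPage directly.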

Tuesday, May 01, 2007 7:13:43 AM (Jerusalem Daylight Time, UTC+03:00)