Microsoft has officially released Virtual PC 2004 SP1 to the public, FOR FREE!
This is an excellent tool for testing new operating systems or beta software that may bork your box.
Anything that happens inside the virtual machine stays inside it (as long as you have not shared a host folder or drive with it) and does not touch your main operating system. You can also choose not to save the changes to the image at the end of a session, which returns the virtual machine to the state it was in when you started. It really is an excellent testing tool. I often use Virtual PC or VMware for development with beta software.
I am really happy Microsoft has decided to offer this product for free.
Virtualization really is an excellent technology, and it should take away the fears many users have about beta testing Windows Vista, Office 2007, or other beta software and operating systems.
I would also recommend letting guests surf the web inside a Virtual PC. If you have friends who frequently download and install spyware-laden applications on your machine, this will save you hours of undoing their damage. Your box will thank you for it.
“Imagine a computer that is the size of a grain of sand that can test keys against some encrypted data. Also imagine that it can test a key in the amount of time it takes light to cross it. Then consider a cluster of these computers, so many that if you covered the earth with them, they would cover the whole planet to the height of 1 meter. The cluster of computers would crack a 128-bit key on average in 1,000 years.”
That is a staggering number. Now imagine brute-forcing a 256-bit key, which has 2^128 times as many possible values!
He goes on to offer several other quotes and analogies that really put the difficulty into perspective.
This leads me to another point I would like to make: always hash passwords before storing them in a database. Except in extremely rare circumstances there is no reason to store user passwords in plain text, or in any reversible form. If the user forgets their password, it is trivial to generate a new one for them and store a one-way hash of the new password in the database. When the user logs in, simply hash the password they entered with the same algorithm (and, if you salt, the same salt) and compare the result to the hash stored in the database.
For security, user passwords should never be recoverable, even by administrators. This not only prevents a rogue employee from retrieving a list of all usernames and passwords in the system, but also limits the damage of a SQL injection attack if you make a mistake securing your forms-based authentication system: an attacker who dumps the user table gets only hashes, not passwords.
For a greater level of security, I recommend a salted hash: generate a random value (the salt) for each password, combine it with the password before hashing, and store the salt alongside the hash. Because every user's hash is computed over a different salt, an attacker cannot reuse a precomputed table of hashed dictionary words and must attack each stored hash separately. A salt does not make guessing against a single hash any slower, so use a deliberately slow, iterated hashing function rather than one pass of a fast general-purpose hash. For those interested, David Hayden provides a simple method for adding a salt to hashes.
I highly recommend reading the blog posts by Jeff Atwood and David Hayden for more information on this subject.
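The store-and-verify flow described above, as an added example that is not code from this post or from the linked articles: each password gets its own random salt, the salt and the cost parameters are stored in the same record as the hash, login re-hashes the candidate with the stored salt and compares in constant time, and a forgotten password is replaced rather than recovered. It uses Python's standard-library `hashlib.pbkdf2_hmac` as the deliberately slow, iterated hash; the record format, the iteration count, and the in-memory `USERS` table standing in for the database are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Assumed record format: algorithm$iterations$salt_hex$hash_hex.
# Keeping the parameters next to the hash lets you raise the cost later
# without invalidating existing accounts.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # assumed cost; tune so one hash takes ~100 ms on your server
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing salted hash string suitable for storage."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt and parameters, then compare."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: never treat it as a match
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


# Constructed in-memory stand-in for the users table: username -> stored record.
USERS: dict = {}


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        # Hash anyway so an unknown username costs as much as a wrong password.
        hash_password(password)
        return False
    return verify_password(stored, password)


def reset_password(username: str) -> str:
    """Forgotten password: mint a new one, store only its hash, and return the
    plaintext once so it can be delivered to the user. The old one is gone."""
    new_password = secrets.token_urlsafe(12)
    USERS[username] = hash_password(new_password)
    return new_password


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    register("bob", "correct horse battery staple")
    print("alice:", USERS["alice"])
    print("bob:  ", USERS["bob"])  # same password, different salt, different hash
    print("login ok:", login("alice", "correct horse battery staple"))
    print("login bad:", login("alice", "wrong"))
```

Note that two users who pick the same password end up with different records, and that `verify_password` reads the iteration count from the record rather than from the constant, so old records keep working after `ITERATIONS` is raised for new ones.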
If you have not read these documents in a while, I highly recommend giving them a look.
In a world where bipartisan politics consumes our government and media, it is important to remember the goals of our founding fathers as they separated from England to form our nation.