Estimations are often very far off because those doing the estimations forget what is involved in completing a story. Often the estimation is done based on how long it takes to code it up. As you can see below, coding it up is just one of the tasks per story.

Even just doubling the code time is inaccurate. Why does a team that doubles the code time estimates still fall behind?

• Because they didn’t understand what is involved in the story.
• Because they don’t understand coding time versus work time

Reason #1 – You didn’t consider all the development tasks

There are many more tasks than just development. You need to know what these tasks are and understand them. You need to understand the risks each brings to meeting your goals.

Tasks to consider when estimating story time

First determine which tasks apply to a story. Then estimate each task individually. Then simply add up the hours. Your estimations will probably be more accurate and upper management will become aware of what tasks are slowing a story up.

Using this list can also help with getting tasks done at the same time as opposed to using the waterfall method. For example, if you are creating a new file, you can create an empty project, check it in and build and install can get working on their tasks while developer is still coding.

Let’s give an example:

So if you estimate based on coding, which is just 8 hours, you can see you aren’t even close. It will take four and a half times as long as you thought. If you estimate based on code and unit tests, 16 hours, you are still more than twice as long as you thought.

Note: I am not saying that these all have to be tasks on one story. You could break them up into separate stories. However, you will find that if Unit Tests and Automated Tests and these other tasks are separate stories, then the person in charge of prioritization of stories is now able to drop them in favor of other work and then your code will blow up one day and the developers will take some of the blame even if they shouldn’t. It is best if a story and all its tasks are 100% complete so you don’t ship half finished or a half tested product.

Reason #2 – You think developers code eight hours a day

Ok, so let’s talk about an eight hour day.

Most states have laws about two fifteen minute breaks (one ever four hours) so really, any employee is only going to work 7:30 hours a day. Ok, now add in the fact that it  usually takes five to fifteen minutes to focus back on work once back from a break. With lunch and two breaks that is 15-45 minutes. So now we are down to 6:45 minutes to 7:15 minutes. Ok, how long will be spent on email? 30 minutes to an hour. So now you are down to 5:35 to 6:45 hours of coding a day. Now factor in Stand up. 5-15 minutes, plus 5 to 15 minutes to get focus back and we are down to 5:05 to 6:35 minutes.

So on the best days a developer will likely code between five hours and 6 hours and 35 minutes.

Add a meeting or two in a day plus the refocus time after the meeting and development time is decreased further to 3 hours to 4 hours on meeting days.

So if you are assuming that your developers are going to coding 8 hours a day, you are in for a shock.

• Best Day: 5 hours to 6-1/2 hours
• Meeting Days: 3 hours to 4 hours

So add in scrum and sprint planning, story costing, and sprint retrospective, in which some meetings are longer than two hours and you lose a full day of development every sprint. So with a two week sprint, plan on 9 days of development at an average of 5 hours a day and you get 45 hours of development time.

• Average development time per sprint per developer: 45 hours

Now if you have a team of three developers. An inexperienced team might estimate with 45 * 3, or 135 hours. Unfortunately that probably won’t be accurate. Estimators will find that inevitably one of the team members has time off during a sprint. Remove 5 hours per day off (not eight). There also might be a holiday during the sprint. Well, a holiday means that 5 development hours per developer are not available, so that 135 hours becomes 120.

So lets put this into perspective. If you think that you have 8 hours a day for 10 days in a two week sprint for 3 employees and so you plan 8 * 10 * 3 and get 240 hours, and then you plan 240 hours of stories, you are only going to get half way done. This calculation is almost twice what in reality your team can do. If you plan this way, you will always be behind, and fail to meet goals and deadlines while working your developers to death.

Can you make up the hours by working the developers longer? Not really. The developers may end up putting an extra two hours a day in for 9 of the 10 days, but they will probably take one more 15 minute break on those days. Which only gets you about 1 hour and 30 minutes more per day times 3 developers times 9 days. This is 45 hours. 120 hours plus 45 hours only gets you to 165 hours. You are still 75 hours short of 240 hours.

So estimate accurately by starting with 50 developer hours per two week sprint (10 * 5 = 50) for each developer and subtract days off. Then estimate the work that can be done.

To make this easier for you, I have created A Spreadsheet for Sprint Planning that you can use.

Conclusion

If you fail to understand the number of development hours and fail to understand all the work for each development story, you will never be accurate, and you will always be behind and always be asking your developers to work longer hours, which will create a horrible work environment.

Understanding both of the above reasons above and estimating accordingly will provide accurate estimates. This will benefit the whole company. Upper management will see the true velocity. The quality of the code will be higher because the developers won’t be overwhelmed and stressed, which will result in lower bugs, maintenance, and support costs. Marketing will have realistic ideas of what is coming and what isn’t and won’t waste money getting ready for features that drop off a month before ship.

So I needed a TextBlock that was searchable and from searching online, it seems a lot of people need one too. So I decided to inherit TextBlock and write a SearchableTextBox. It is really easy to use. I wrote the blog post over on my other site:

A WPF Searchable TextBlock Control with Highlighting

So when my son Aiden was in my wife’s womb, my wife had a growth on her ear. It may have been a fungus, I don’t know, but it was just a little bump. Well, Aiden was born and wouldn’t you know he has a skin tag in the exact same spot.

Shout coincidence all you want, coincidence just doesn’t cut it for me. Somehow, this change in my wife was passed down to my son. I can’t prove it, but how likely is it that my wife had a growth in the exact same place on the exact same ear as my son’s ear tag? If I apply Occam’s Razor, I have to be honest, it is more likely that the fetus took after the mother than it was two random natural occurrences happened in the exact same place on the exact same ear.

Could the theory of slow evolution over time be slightly off. Maybe it still takes generations, but it is way faster than previously believed. If my son was able to make this small evolution, based on the mother, perhaps other changes that occur in the mother are passed down to their children.

So what is my theory? My theory is that a mother can somehow either influence the DNA or influence changes in addition to the DNA of their offspring.

If this theory is true, think about how the scientific view of evolution would change?

Of course, I am just a software developer, what do I know? Maybe it was just some random fluke.

Has HTML5 and CSS3 solved the layout problem? Or are tables layouts with CSS still a better solution.

You decide. Please post comments about other pros and cons you find. We all become experts when we all contribute.

Note: With both a table layout and an HTML5 layout, CSS is used, so this is not a CSS versus anything article. No matter which you use, lets agree that CSS should be used for style. However, CSS3 does add to the layout with the HTML5 solution.

3 Column HTML Table Layout with CSS Style

Click this link to see this layout: 3 Column HTML Table Layout with CSS Style

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>HTML Table Layout with CSS Style - 3 Column</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<style type="text/css">
 
html, body 
{
  height: 100%;
}
 
body 
{
    margin:0
}
 
table.layout 
{
  height:100%;
  width: 100%;
  border-collapse:collapse;
}
 
td.header 
{
  padding: 15px;
  height: 120px;
  color: white;
  background: black
}
 
td.nav-bar 
{
  padding: 15px;
  height:20px;
  background:DarkGrey;
}
 
td.leftcol 
{
  padding: 15px;
  width: 170px;
  min-width: 170px;
  background-color:Navy;
  color: white;
}

td.midcol 
{
  padding: 15px;
  min-width: 625px; /* Make 425px for min res of 800x600 */
}
 
td.rightcol 
{
  padding: 15px;
  width: 205px;
  min-width: 205px;
  background-color:Navy;
  color: white;
}
 
td.footer 
{
  height: 120px;
  background: DarkGrey;
  text-align: center;
}

</style>
</head>
<body>
<table class="layout">
	<tr>
		<td class="header" colspan="3">Header</td>
	</tr>
	<tr>
		<td class="nav-bar" colspan="3">Nav bar</td>
	</tr>
	<tr>
		<td class="leftcol">Aside left</td>
		<td class="midcol">Article</td>
		<td class="rightcol">Aside right</td>
	</tr>
	<tr>
		<td class="footer" colspan="3">
			<a href="http://validator.w3.org/check?uri=referer">
				<img src="http://www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0 Strict" height="31" width="88" />
			</a>
		</td>
	</tr>
</table>
</body>
</html>

HTML Table Layout Pros

• Validated with W3C
• Only 95 lines of code with everything on its own line
• Works with every browser according to BrowserShots.org
• Very easy to use.
• Making the table be 100% height is easy
• Changing the width or height of any part of the page is easy

HTML Table Layout Cons

• Layout is coupled to the HTML, layout would be best decoupled – Solved by using scripting languages like PHP and ASP.NET
• Left column is found in HTML before the article body – No current solution

3 Column Layout HTML5 with CSS Layout/Style

Click this link to see this layout: 3 Column Layout HTML5 with CSS Layout/Style

<!DOCTYPE html>
<head>
<title>Layout HTML5 with CSS Layout/Style - 3 Column</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<style type="text/css">
 
html, body 
{
  height: 100%;
}

body 
{
    margin:0
}

header 
{
  padding: 15px;
  min-height: 150px;
  color: white;
  background: black
}
 
nav
{
  padding: 15px;
  min-height:20px;
  background:DarkGrey;
}

#main 
{ 
  /* height:100%; */ /* Broken with it, broken without it */               
  display: -moz-box;				/* Firefox */
  display: -webkit-box;				/* Safari and Chrome */	
  display: box; 					/* Future standard */
}

#main-aside-left
{
  padding: 15px;
  width: 170px;
  min-width: 170px;
  -moz-box-ordinal-group: 3; 		/* Firefox */
  -webkit-box-ordinal-group: 3; 	/* Safari and Chrome */
  box-ordinal-group: 3; 			/* Future standard */
  background-color:Navy;
  color: white;
}

article 
{ 
  padding: 15px;
  min-width: 625px;					/* Make 425px for min res of 800x600 */
  -moz-box-flex: 2; 				/* Firefox */
  -webkit-box-flex: 2; 				/* Safari and Chrome */
  box-flex: 2; 						/* Future standard */
  -moz-box-ordinal-group: 2; 		/* Firefox */
  -webkit-box-ordinal-group: 2; 	/* Safari and Chrome */
  box-ordinal-group: 2; 			/* Future standard */
}

#main-aside-right
{
  padding: 15px;
  width: 205px;
  min-width: 205px;
  -moz-box-ordinal-group: 1; 		/* Firefox */
  -webkit-box-ordinal-group: 1; 	/* Safari and Chrome */
  box-ordinal-group: 1; 			/* Future standard */
  background-color:Navy;
  color: white;
}

footer 
{
  height: 120px;
  height: 120px;
  background: DarkGrey;
  text-align: center;
}

</style>
</head>
<header>Header</header>
<nav>Nav bar</nav>
<div id="main">
   <article>Article</article>
   <aside id="main-aside-left">Aside left</aside>
   <aside id="main-aside-right">Aside right</aside>
</div>
<footer>
  <a href="http://validator.w3.org/check?uri=referer">
    <img src="http://www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0 Strict" height="31" width="88" />
  </a>
</footer>

HTML5 Layout Pros

• W3C validated (experimental)
• Article data comes before the data in the asides – This is a huge SEO bonus
• Only 97 lines of code both CSS and HTML code, with everything on its own line
• Very easy to use.
• Making the table be 100% height is easy
• Changing the width or height of any part of the page is easy

HTML5 Layout Cons

• It doesn’t work on IE 9 or below and fails in many other browsers according to Browsershots.org. – No current solution.
• Much of the CSS has to be duplicated – No current solution but when it is fixed, the code will be another 10 lines smaller
• If the content does not fill the screen, there is no way to make the screen exactly 100% – No current solution but as long as the content is larger than the screen this doesn’t matter
• Layout is coupled to CSS,  a styling tool, layout should be decoupled – Solved by having a separate CSS file just for layout

Conclusion

Use Table layouts for now if your browser support is high priority.

Use HTML5 layouts if you can enforce uses to use HTML5 capable browsers.

MonoTouch and MonoDroid allow us to write our apps in C# and this is the right solution for our mobile apps and here are the reasons why.

Note: These reasons were ones I provided to a C# shop so some may not be valid for places where the majority of developers are not C# developers.

1. MonoTouch is native. See monotouch is both a wrapper for the native code and the ability to access C# libraries. It is not like flash or html 5, where it is completely different technology. It is just the ability to use native code from C# with an added C# framework.
2. MonoTouch uses the native UI (and MonoDroid does too). So UX’s desire to have a native UI is met by MonoTouch.
3. Many companies already use MonoTouch and MonoDroid: Microsoft, 3M, VMWare, Novartis, Target, Acenture, Cisco, AT&T, AOL, Monster, Cornell University, Raytheon, Intuit, HP, and many more companies.
4. The number of C# language experts we have: All of us
   The number of Objective-C language experts we have: Zero
   With C# everybody can work on the code, not just one or two Objective C engineers.
5. If we use Objective C, we will have a huge ramp up expense and this expense will occur over and over, because every time someone quits, it is more likely that we will have to incur the cost of training a C# developer to become an Objective C developer than it is likely we will hire. As you know, hiring a replacement may or may not happen.
6. Shared C# code. A large portion of our code the code write for SharePoint, iOS, Windows, and Android can be used and unit tested in one place. I have personally experienced this re-use of code at my previous company. We starting an Android app and our project was finished more than three weeks early by using MonoDroid, because we were able to use all the C# code we had already written.
7. C# is a more developed language and is far easer to write code in. For example, to connect to a web service using windows integrated security is just a few lines of code in C# but requires extra libraries and a massive amount of effort in Java or Objective C.
8. Shared Unit Test libraries. Since much of the code is shared, separate unit tests are not needed. Also, the C# unit testing frameworks we are already familiar with can be used and there is no need to ramp up on and implement a new unit testing technology. This is just another cost saving.

I recommended MonoDroid and MonoTouch at LANDesk and I will do the same here. The cost of using Ojbective C is far greater and the time to market is far longer. The SDLC of Objective C will have a greater cost. Choosing it will be a costly.

Since this isn’t my team and since it isn’t my decision, this is the last I am going to say about it.

In my first post, A basic reporting chart in ASP.NET, I went over the basics of creating a report using MSChart and ASP.NET and this was quit easy. However, in today’s world where the importance of business intelligence is ever increasing, the ability to drill down on a report has become the de facto standard. MSChart, ASP.NET, and HTML make it easy to create a drill-down report.

Note: Microsoft has a drill-down report in their ChartSamples example, but it was bundled as part of the same project with two-hundred other reports and was not a minimal example. It requires the use of an Access database (and I had nothing to read Access with), it has a bunch of javascript code that is for a tooltip preview of the drill down report, and the charts are in two objects. All of this made it more difficult for me to break this down.  In this example, the report will be its own ASP.NET project and will be a minimal example, however the use case and the sample data is taken directly from Microsoft’s example.

Report Example Use Case

Imagine you have a list of sales reps, their regions, and their sales results. You want a report to look at total sales per region. Then you want to click on a region to the see the sales by sales rep.

Download the project here: SampleChart.zip

Step 1 – Create the Visual Studio project

1. In Visual Studio, click on File | New | Project.
2. Select Visual C# | Web from the Installed Templates.
3. Locate and select ASP.NET Empty Web Application.
   Note: I like to demonstrate using an Empty project you nothing is done for you, and you have to learn everything you actually need to do.
4. Give the project a name.
   I named mine DrillDownChart because that is my example’s purpose.
5. Click OK.
6. Right-click on the newly created project and click Add | Reference.
7. Select the .NET tab.
8. Locate System.Web.DataVisualization and highlight it.
9. Click OK.

Step 2 – Add a web form for your chart

1. Right-click on the Project and choose Add |  New Item.
2. Select Web Form.
3. Give the file a name.
   I named my file  Report.aspx.
4. Click OK.

Step 3 – Create a data object for the report

Because data is often coming from a database, this example is going to use a DataSet. I am not going to connect to a database, but just use a statically build DataSet.

1. Right-click on the Project and choose Add |  Class.
2. Give the file a name.
   I named my file  SalesDataSet.cs.
3. Make the class inherit from DataSet.
4. Click OK.

Step 4 – Add example data to the data object for the report

While in a real world scenario, you would get the data from a database or somewhere, lets first just create some sample data. We are going to create two simple tables. One is a Region table, that has the region name and ID. One is a RepSales table that has sales per rep and the rep’s region id.

1. Create a property with only a getter that creates a region DataTable called RegionTable.
2. Add the columns needed: RegionID and RegionName.
3. Add the appropriate rows.
4. Create a property with only a getter that creates a reps sales DataTable called RepsSalesTable.
5. Add the columns needed: ID, Name, RegionID, and Sales.
6. Add the appropriate rows.
7. Now in your constructor, add those to the list of Tables in your object.

   using System;
   using System.Collections.Generic;
   using System.Linq;
   using System.Web;
   using System.Data;
   
   namespace DrillDownChart
   {
       public class SalesDataSet : DataSet
       {
           public SalesDataSet()
           {
               Tables.Add(RegionTable);
               Tables.Add(RepsSalesTable);
   
           }
   
           public DataTable RegionTable
           {
               get
               {
                   if (_RegionTable == null)
                   {
                       List<String> Regions = new List<string>() { "East", "West", "Central", "International", "South" };
   
                       _RegionTable = new DataTable("Region");
                       _RegionTable.Columns.Add("RegionID", typeof(int));
                       _RegionTable.Columns.Add("RegionName", typeof(string));
   
                       int i = 0;
                       foreach (var region in Regions)
                       {
                           DataRow row = _RegionTable.NewRow();
                           row["RegionID"] = ++i;
                           row["RegionName"] = region;
                           _RegionTable.Rows.Add(row);
                       }
   
                   }
                   return _RegionTable;
               }
           } private DataTable _RegionTable;
   
           public DataTable RepsSalesTable
           {
               get
               {
                   if (_RepsSalesTable == null)
                   {
                       List<String> reps = new List<string>() {
                           "Aaron", "Larry", "Andrew", "Mary", "Sally", "Nguyen", "Francis",
                           "Jerry", "Danny", "Jim", "Sarah", "Hannah", "Kim", "Gerry", "Bob" };
                       int[] regions = { 1, 2, 3, 1, 4, 2, 4, 3, 1, 2, 2, 3, 5, 5, 5 };
                       int[] sales = { 10440, 17772, 23880, 7663, 21773, 32294, 11983, 14991,
                                       17946, 8551, 19443, 27887, 30332, 16668, 21225 };
   
                       _RepsSalesTable = new DataTable("RepsSales");
                       _RepsSalesTable.Columns.Add("ID", typeof(int));
                       _RepsSalesTable.Columns.Add("Name", typeof(string));
                       _RepsSalesTable.Columns.Add("RegionID", typeof(int));
                       _RepsSalesTable.Columns.Add("Sales", typeof(int));
   
                       for (int i = 0; i < reps.Count; i++)
                       {
                           DataRow row = _RepsSalesTable.NewRow();
                           row["ID"] = i + 1;
                           row["Name"] = reps[i];
                           row["RegionID"] = regions[i];
                           row["Sales"] = sales[i];
   
                           _RepsSalesTable.Rows.Add(row);
                       }
   
                   }
                   return _RepsSalesTable;
               }
           } private DataTable _RepsSalesTable;
       }
   }
   

That is it, your fake example data is prepared.

Step 5 – Add a Chart to the Report.aspx file

1. Open the Report.aspx file.
2. Add a Register to the System.Web.DataVisualization assembly.
3. Locate the div inside the body.
4. Inside the div, add a Chart that includes a ChartArea.

   <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Report.aspx.cs" Inherits="CompareYearsByQuarter.Report" %>
   
   <%@ Register Assembly="System.Web.DataVisualization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
       Namespace="System.Web.UI.DataVisualization.Charting" TagPrefix="asp" %>
   
   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head runat="server">
       <title></title>
   </head>
   <body>
       <form id="form1" runat="server">
       <div>
           <asp:Chart ID="SalesReport" runat="server">
               <chartareas>
                   <asp:ChartArea Name="ChartArea1">
                   </asp:ChartArea>
               </chartareas>
           </asp:Chart>
       </div>
       </form>
   </body>
   </html>
   

Step 6 – Add code the Report.aspx.cs file

We are going to use the same object for both the original report and the drill down report. We will just a little code that switches which data the chart is populated with.

1. Open the Report.aspx.cs file.
2. Create an instance of the SalesDataSet object that has our sample data.
3. Add code in the Page_Load method to configure the Chart.
   Note 1: The steps for this code is in the code and comments itself. I created a method for each step and then populated the methods as  needed.
   Note 2: Notice that the AddDataToSeries() method uses and if statement to determine whether to add the original data or the drill down data.
   Note 3: Because we used a DataTable we query the example data using LINQ. It is likely that in your production reports you are using a real database and you will probably use queries directly to your database.

   using System;
   using System.Collections.Generic;
   using System.Linq;
   using System.Web;
   using System.Web.UI;
   using System.Web.UI.WebControls;
   using System.Data;
   using System.Web.UI.DataVisualization.Charting;
   
   namespace DrillDownChart
   {
       public partial class RegionReport : System.Web.UI.Page
       {
           // Step 1 - Create Example Data
           SalesDataSet ExampleData = new SalesDataSet();
   
           protected void Page_Load(object sender, EventArgs e)
           {
               // Step 2 - Populate chart drop down
               PopulateChartTypeDropDown();
   
               // Step 3 - Create Series
               Series series = CreateSeries();
   
               // Step 4 - Set the chart type
               SetChartType(series);
   
               // Step 5 - Add data (and if needed drilldown links to series)
               AddDataToSeries(series);
   
               // Step 6 - Add series into the chart's series collection
               SalesReport.Series.Add(series);
           }
   
           private void PopulateChartTypeDropDown()
           {
               List<String> chartTypes = new List<String>(Enum.GetNames(typeof(SeriesChartType)));
               chartTypes.Insert(0, "");
   
               foreach (var item in chartTypes)
               {
                   DropDownListChartType.Items.Add(item);
               }
           }
   
           private Series CreateSeries()
           {
               Series series = new Series("Sales");
               series.BorderWidth = 3;
               series.ShadowOffset = 2;
               return series;
           }
   
           private void SetChartType(Series inSeries)
           {
               if (Page.Request["ChartType"] != null)
                   DropDownListChartType.SelectedValue = Page.Request["ChartType"];
   
               if (DropDownListChartType.SelectedValue.ToString() == "")
                   DropDownListChartType.SelectedValue = SeriesChartType.Column.ToString();
   
               inSeries.ChartType = (SeriesChartType)System.Enum.Parse(typeof(SeriesChartType), DropDownListChartType.SelectedValue.ToString());
           }
   
           private void AddDataToSeries(Series series)
           {
               if (Page.Request["ChartType"] == null)
                   AddAllRegionData(series);
               else
                   AddSpecificRegionData(series);
           }
   
           private void AddAllRegionData(Series series)
           {
               DataTable sales = ExampleData.Tables["RepsSales"];
               DataTable regions = ExampleData.Tables["Region"];
   
               var query = from reps in sales.AsEnumerable()
                           join region in regions.AsEnumerable()
                           on reps.Field<int>("RegionID") equals region.Field<int>("RegionID")
                           group reps by region.Field<string>("RegionName") into regionGroup
                           select new { Region = regionGroup.Key, Sales = regionGroup.Sum(total => total.Field<int>("Sales")) };
   
               // Populate new series with data
               foreach (var value in query)
               {
                   series.Points.AddXY(value.Region, value.Sales);
               }
   
               // Step 7 - Make this series drillable
               for (int i = 0; i < series.Points.Count; i++)
               {
                   series.Points[i].Url = string.Format("RegionReport.aspx?region={0}&ChartType={1}", series.Points[i].AxisLabel, DropDownListChartType.SelectedValue);
               }
           }
   
           private void AddSpecificRegionData(Series series)
           {
               var query = from reps in ExampleData.RepsSalesTable.AsEnumerable()
                           join region in ExampleData.RegionTable.AsEnumerable()
                           on reps.Field<int>("RegionID") equals region.Field<int>("RegionID")
                           where region.Field<string>("RegionName") == (Page.Request["Region"] ?? "East")
                           select new { RepName = reps.Field<string>("Name"), Sales = reps.Field<int>("Sales") };
   
               // Populate new series with data
               foreach (var value in query)
               {
                   series.Points.AddXY(value.RepName, value.Sales);
               }
   
               // Step 7 - Make this series drillable
               for (int i = 0; i < series.Points.Count; i++)
               //{
               //    // Add drill down code to drill to a third chart
               //}
           }
   
           private void AddDrillDown(Series series)
           {
               for (int i = 0; i < series.Points.Count; i++)
               {
                   series.Points[i].Url = string.Format("RegionReport.aspx?region={0}&ChartType={1}", series.Points[i].AxisLabel, DropDownListChartType.SelectedValue);
               }
           }
       }
   }
   

Step 7 – Add an http handler to the Web.Config for the Chart

1. Open the Web.Config file.
2. Add an http handler for the chart.

<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <httpHandlers>
      <add path="ChartImg.axd" verb="GET,HEAD,POST" validate="false"
           type="System.Web.UI.DataVisualization.Charting.ChartHttpHandler, System.Web.DataVisualization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </httpHandlers>
  </system.web>
</configuration>

Your project is now complete.

You now have a report that shows you the total sales per region.

Click on the report and you have the sales per region broken out by sales rep.

And your done.

Download the project here: SampleChart.zip

It is time to learn to write some charts. By charts I mean graphic views for reporting on data.

Obtaining MSChart

For .NET 4, MSChart is included in the .NET Framework, so if you have installed .NET 4, you have already obtained MSChart.

For .NET 3.5, the MSChart project which was an add-on. If you are using .NET 3.5, you need to download and install the add-on.

Note: I am using .NET 4 and it was installed with Visual Studio 2010, so I have no need to install the add-on.

Also, we are going to the very minimal steps manually. Many of these steps may be done for you (for example, the Visual Studio Designer will populate the Web.Config for you, but it is always good to know how do things yourself.

Report Example Use Case

Imagine you have sales trending for four years, 2009-2012, and you want to visualize this trend. You want a chart that should all four years, with the quarter results next to each other.

Download the project here: SampleChart.zip

Step 1 – Create the Visual Studio project

1. In Visual Studio, click on File | New | Project.
2. Select Visual C# | Web from the Installed Templates.
3. Locate and select ASP.NET Empty Web Application.
   Note: I like to demonstrate using an Empty project you nothing is done for you, and you have to learn everything you actually need to do.
4. Give the project a name.
5. Click OK.
6. Right-click on the newly created project and click Add | Reference.
7. Select the .NET tab.
8. Locate System.Web.DataVisualization and highlight it.
9. Click OK.

Step 2 – Add a web form for your chart

1. Right-click on the Project and choose Add |  New Item.
2. Select Web Form.
3. Give the file a name.
   I named my file  Report.aspx.
4. Click OK.

Step 3 – Create a data object for the report

1. Right-click on the Project and choose Add |  Class.
2. Give the file a name.
   I named my file  Data.cs.
3. Click OK.

Step 4 – Add example data to the data object for the report

While in a real world scenario, you would get the data from a database or somewhere, lets first just create some sample data.

1. Create a few lists of numbers, one for each year as shown.

   namespace CompareYearsByQuarter
   {
       public class Data
       {
           public int[] Sales2009 = new int[] { 47, 48, 49, 47 };
           public int[] Sales2010 = new int[] { 47, 50, 51, 48 };
           public int[] Sales2011 = new int[] { 50, 52, 53, 46 };
           public int[] Sales2012 = new int[] { 53, 54, 55, 49 };
       }
   }
   

That is it, your fake example data is prepared.

Step 5 – Add a Chart to the Report.aspx file

1. Open the Report.aspx file.
2. Add a Register to the System.Web.DataVisualization assembly.
3. Locate the div inside the body.
4. Inside the div, add a Chart that includes a ChartArea.

   <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Report.aspx.cs" Inherits="CompareYearsByQuarter.Report" %>
   
   <%@ Register Assembly="System.Web.DataVisualization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
       Namespace="System.Web.UI.DataVisualization.Charting" TagPrefix="asp" %>
   
   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head runat="server">
       <title></title>
   </head>
   <body>
       <form id="form1" runat="server">
       <div>
           <asp:Chart ID="SalesReport" runat="server">
               <chartareas>
                   <asp:ChartArea Name="ChartArea1">
                   </asp:ChartArea>
               </chartareas>
           </asp:Chart>
       </div>
       </form>
   </body>
   </html>
   

Step 6 – Add code the Report.aspx.cs file

1. Open the Report.aspx.cs file.
2. Create an instance of the Data object that has our sample data.
3. Add code in the Page_Load method to configure the Chart a separate series of data for each year.

   using System;
   using System.Collections.Generic;
   using System.Linq;
   using System.Web;
   using System.Web.UI;
   using System.Web.UI.WebControls;
   using System.Web.UI.DataVisualization.Charting;
   
   namespace CompareYearsByQuarter
   {
       public partial class Report : System.Web.UI.Page
       {
           Data data = new Data();
   
           protected void Page_Load(object sender, EventArgs e)
           {
               Series year2009 = new Series("Sales 2009");
               // Populate new series with data
               foreach (var value in data.Sales2009)
               {
                   year2009.Points.AddY(value);
               }
               SalesReport.Series.Add(year2009);
   
               Series year2010 = new Series("Sales 2010");
               // Populate new series with data
               foreach (var value in data.Sales2010)
               {
                   year2010.Points.AddY(value);
               }
               SalesReport.Series.Add(year2010);
   
               Series year2011 = new Series("Sales 2011");
               // Populate new series with data
               foreach (var value in data.Sales2011)
               {
                   year2011.Points.AddY(value);
               }
               SalesReport.Series.Add(year2011);
   
               Series year2012 = new Series("Sales 2012");
               // Populate new series with data
               foreach (var value in data.Sales2012)
               {
                   year2012.Points.AddY(value);
               }
               SalesReport.Series.Add(year2012);
           }
       }
   }
   

Step 7 – Add an http handler to the Web.Config for the Chart

1. Open the Web.Config file.
2. Add an http handler for the chart.

<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <httpHandlers>
      <add path="ChartImg.axd" verb="GET,HEAD,POST" validate="false"
           type="System.Web.UI.DataVisualization.Charting.ChartHttpHandler, System.Web.DataVisualization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </httpHandlers>
  </system.web>
</configuration>

You are done. Build and look at your report.

You now have a simple report that should show you the sales trend for quarters 1,2,3,4 over four years. Your chart should look like this.

Download the project here: SampleChart.zip

I recently created an API and I wanted to give it a license where it is free for anyone to use, so I was planning on using the two-clause BSD License. However, after further thought, I realized that I had a few more stipulations I wanted to add. Yes, I wanted the software to be free to use, however, there are a few things I don’t want.

1. I don’t really want someone to fork my project just yet. I want the project to remain in one place.
2. I want the project to be free and commercial friendly, including free to use the code, or link to a binary in any way.
3. I don’t want a company to use my software to sell a competing solution unless I am compensated. In which case, I can license the software to them under a commercial license.
4. If anyone contributes to the project, I would like the right to sell the code under a different (possibly commercial) license. This prevents license and author sprawl. The fourth clause is crossed out because this will be done at commit time and is not needed in the license of existing source code.

Non-compete line addition to the new BSD License

So I came up with two one more line to the new BSD License: a third line prohibiting competing projects or solutions without permission; a fourth line that states that any contributions to the project will result in the all rights to the contributed code being assigned back to me. This will be done at commit time and is not needed in the license of existing source code.

<Project> <Project Description>
Copyright (c) <Year>, <Owner>
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.
3. Use of the source code or binaries that in any way competes with <Project>,
   whether open source or commercial or other, is prohibited unless permission
   is granted under a separate license by <Owner>.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Let me know if you think this accomplish the non-compete goal. Especially let me know if something appears erroneous.

Single Ownership

Single ownership means the project always has all rights to every line of code, the binaries, and documentation or anything else that may be included in the project. So if any contributions from anybody to the project occur, they occur with the stipulation that ownership and all rights are transferred to the the project owners.

However, doing this in the license above is the wrong place. It should be a separate agreement that occurs in places like when registering with the project or its mailing list or it source repository. So contribution is done under this separate agreement.

Contributing to this project can be done under the following conditions:
  1. Any contribution (source code, documentation, or other) to this project 
     is your own work.
  2. You transfer all rights to the contribution (source code, documentation,
     or other) to <Owner>.

Again, let me know if this accomplishes the goal, or is insufficient or has errors.

Fork and Contribute License

I have worked on this and updated the above as follows:

<Project> - <Project description or tagline>

Copyright (c) 2012, <owner>
All rights reserved.
 
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
 
1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.
3. Use of the source code or binaries that in any way competes with <project>
   or competes with distribution, whether open source or commercial, is 
   prohibited unless permission is specifically granted under a separate
   license by <owner>.
4. Forking for personal or internal, or non-competing commercial use is allowed.
   Distributing compiled releases as part of your non-competing project is 
   allowed.
5. Public copies, or forks, of source is allowed, but from such, public
   distribution of compiled releases is forbidden.
6. Source code enhancements or additions are the property of the author until
   the source code is contributed to this project. By contributing the source
   code to this project, the author immediately grants all rights to the
   contributed source code to <owner>.
 
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Here is the two-clause BSD License, sometimes called the FreeBSD License or the Simplified BSD License.

Copyright (c) <Year>, <Owner>
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Look, I love the browser as much as the next person, but that is as a user. I have no love for web development and the developers of html and css and the browsers are the reason why. Some things are not as hard as they are making it out to be.

HTML5 is becoming all the rage and the buzz world of the day. “Hey, just use HTML5 and all your problems will be solved.” Non-technical decision makers (and technical ones for that matter) are buying this. What nobody tells these people is that HTML5 is a current problem in and of itself. First, it is not a complete standard yet. Second, everyone is implementing the standard now, but doing it slightly differently. The problem is exacerbated by the use of vendor specific tags for future standards.

There are 13 known prefixes.

The design currently is the implement a feature first using a vendor tag and only later make it a standard feature. It is not possible to sustain this model for browser progress.

Could you imagine if there was a setting and every vendor implemented it with its prefix. For example, the display setting is already a problem and could get worse. What if it was as bad as this?

#main
{
  display: -ms-box;
  display: mso-box;
  display: -moz-box;
  display: -o-box;
  display: -xv-box;
  display: -atsc-box;
  display: -wap-box;
  display: -khtml-box;
  display: -webkit-box;
  display: prince-box;
  display: -ah-box;
  display: -hp-box;
  display: -ro-box;
  display: -rim-box;
  display: -tc-box;
}

Is it  possible that we may someday have to call a setting for each an every vendor prefix? Sure, but it is not likely. Ok, that above is a little absurd and an exageration, as nobody would use all those tags, we don’t even know what half those vendors are. However, even twice is too much! Do we really want to call a setting more than once? Should we ever have to? No, we shouldn’t. That is one of the biggest problems with web applications today.

I just can’t believe that we as developers are putting up with this html/css/browser problem.

I have to put the setting that is going to be the standard, and then for each browser, I have to put the browser specific setting. They are not smart enough to have each browser use the same tag for future standards, maybe something like -fs- for future standard, but instead lets use the vendor specific tag -moz- for mozilla and -webkit so we have to have a different tag for the same setting added for every browser we wish to support.

This is nonsense. I am so embarrassed for the organizations and their developers who have brought us to this point. We have to make every setting multiple times? Really? I am so glad I am not a developer for a browser because I take pride in my work and I would be so embarrassed to be part of such a mess.

How is it that browser developers aren’t smart enough to figure out a way we can use a single css tag, even for future standards?

Too many browsers

Competition is supposedly a good thing right? Well, I am not so sure that when dealing with free projects that is the case. I believe it is true for competitive businesses, but nobody is selling a browser.

Browsers are starting to sprawl worse than Linux. How many browsers do we rally need?

Here is a short list of browsers and they are all free:

• IE 6, 7, 8, 9
• Firefox
• Chrome
• Opera
• Safari
• Konqueror (KDE)

Sometimes with free projects, different from commercial projects, a division of the work force is a bad thing. I feel the same way about browsers as I do for Linux. If two groups worked together, they would often get more done than working apart. Sometimes there are natural divisions that lead to benefits in different areas, such as a desktop Linux version versus a server Linux version. With browsers there really isn’t a natural division like that.

We are re-inventing the wheel with each browser.

Unfortunately, control of the browser is coveted. The browser is the single most used application by the billions of computer users on our world. Controlling something as simple as the default browser homepage could mean the difference of millions, and perhaps billions, of dollars in advertising sales.

So to me, the question is this: How can we have a single browser but every commercial company still gets this “control” that they so desperately want?  Wow…once you really get the question pinned down, the answer is easy.

There is no reason that a single browser shouldn’t exist and all current browser developers could stop working on their browser and get one single browser to work. Use a BSD license so Windows and Apple and everyone else could include this browser with their own default settings (the default home page however they want, etc…), and mobile phones could do the same.

Then the next time the standard is increased from html5 to html6, we won’t have the mess we have now trying to go to html5. And we won’t have to wait as long because the combined efforts will take us to there so much faster.

Camtasia Studio 8 is here!  You can find it at http://www.techsmith.com/camtasia.html. Of course you can See What’s New with Camtasia Studio in video.

Camtasia Studio is the most amazing tool for creating computer training videos, web videos, or Vlogging.

The winner of the Camtasia Studio – Free license give-away has been determined and posted in the comments of that article.

Why I Like Camtasia Studo

I really like Camtasia Studio because I have used it and it just works and does what it says it can do in an easy to use fashion. I used it for every training video I created at my last job. I also have used it to submit my homework and video documentation on my final projects to my professors as I get a Masters of Computer Science.

Please feel free to post how you have used it.

P.S. Camtasia didn’t approach me for this give-away, I approached them because of how their software has helped me and how impressed with it I am.

Here is a simple Log singleton in C#.

Updated: 7/25/2016

using System;
using System.IO;

namespace Rhyous.Logging
{
    public class Log
    {

        #region Singleton

        private static readonly Lazy<Log> Lazy = new Lazy<Log>(() => new Log());

        public static Log Instance { get { return Lazy.Value; } }

        internal Log()
        {
            LogFileName = "Example";
            LogFileExtension = ".log";
        }

        #endregion

        public StreamWriter Writer { get; set; }

        public string LogPath
        {
            get { return _LogPath ?? (_LogPath = AppDomain.CurrentDomain.BaseDirectory); }
            set { _LogPath = value; }
        } private string _LogPath;

        public string LogFileName { get; set; }

        public string LogFileExtension { get; set; }

        public string LogFile { get { return LogFileName + LogFileExtension; } }

        public string LogFullPath { get { return Path.Combine(LogPath, LogFile); } }

        public bool LogExists { get { return File.Exists(LogFullPath); } }

        public void WriteLineToLog(string inLogMessage)
        {
            WriteToLog(inLogMessage + Environment.NewLine);
        }

        public void WriteToLog(string inLogMessage)
        {
            if (!Directory.Exists(LogPath))
            {
                Directory.CreateDirectory(LogPath);
            }
            if (Writer == null)
            {
                Writer = new StreamWriter(LogFullPath, true);
            }

            Writer.Write(inLogMessage);
            Writer.Flush();
        }

        public static void WriteLine(string inLogMessage)
        {
            Instance.WriteLineToLog(inLogMessage);
        }

        public static void Write(string inLogMessage)
        {
            Instance.WriteToLog(inLogMessage);
        }
    }
}

Note: This is not tested with multiple threads as this is a simple example.

A salt is an additional sequence of data (bits or characters, however you want to think about it) that is appended to a password before hashing the password and storing the hash in a database.

There are three types of salts that can be added to a password. Assume the password is passwd! and the salt is 12345, here are the three types described in a table.

Of course you can use multiple of these in any combination as well. You can surround the password by using both a prefix and a postfix. You can use all three. You can have multiple infixes, so a password of 12 characters such as MyPassword1! could become MyP12345assw12345ord1!.

Reasons for salting

Salting was created because hashing is imperfect. Hashing has multiple problems. However, I am only going to describe two problems and how salting improves the security in each situation.

Problem 1 – Rainbow tables

A database of hashes for all character sequences up to a certain number of characters can be generated over time. This database is called a rainbow table.

Scenario

Let say you registered at site ABCStore.tld. Some time later, ABCStore.tld reports that their database was compromised.  Your password was not stored in the database, but the hash of your password was. Lets say your password was passwd! and you use it on every site on the internet.

With a rainbow table, your password will be discovered in moments and that password will work on other sites perfectly.

How a Rainbow table works

It works by generating a table of passwords and their matching hashes. As each character is added to a password, the total possible password options increases, making the next number of passwords hard to generate. For an English keyboard, there are 26 upper case letters, A-Z, 26 lower case letters, a-z. There are ten numbers, 0-9. There are 33 special characters, 34 if you include tab.  There are other characters available, but the majority of people who speak English, those are the only characters used in a password. That is 95 possible options for a password (96 if you include a tab).

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a b c d e f g h i j k l m n o p q r s t u v w x y z
1 2 3 4 5 6 7 8 9 0
  ~ ` ! @ # $ % ^ & * ( ) - _ = + [ { ] } \ | ; : ' " , < . > / ?

So for every character in length the password is, the possible values grow exponentially.

However, it is actually easier than this. Most passwords are dictionary words, so a Rainbow table can be created with dictionary words first. Now a large portion of passwords are covered.

Then because most passwords are lowercase characters only, a hacker can have their rainbow table created by first creating only the options using all lowercase letters. Notices the numbers are significantly smaller.

Also it is common to only put numbers on the end of a password, so they can then do all lowercase passwords with one number at the end, then two numbers at the end. It is also to common to replace letters with number, E = 3, l or i = 1, S = 5, etc. It is also common to only capitalize the first letter, so that can be done too. So as you can see, by doing far less than generating all passwords, a rainbow table can be created that matches almost all passwords used.

Password Creation Hint: When creating your own password, avoid these trends and use long passwords. If it is allowed, use a sentence with punctuation as a password if you can such as this:

I love my wife, Michelle!

Sentence passwords are easy to remember, easy to type, and are freaking hard to populate into a rainbow table. The above sentence is 25 characters. Each space, the comma, and the ! are special characters, that is 6 special characters. There are two capital letters, one not just at the front.

So once such a rainbow table is created, if your password is easy, your password is just a select statement away from a hacker who compromises a database.

Select * from RainbowTable where hash=?

The hacker now knows your actual password  and can use that on other websites, like your bank account. You scared now? You should be!

How a salt improves security against a Rainbow table

Remember our scenario. How is that scenario less of a security concern because salting was used? The answer is fairly simple. Because salting changes the string being hashed, the hash is different. So a look-up in a Rainbow table will be less likely to return a result. The probability is high that even if a simple password was used, the rainbow table will not return a result. If a result is returned, the likelihood that the returned string is a collision not your password was increased.

Note: If the salt is known, or can be figured out, obtaining your password is still possible, but it is harder and will take longer.  If you change your passwords often enough, you only need the building of the Rainbow table to take longer than the time you use your password.

Problem 2 – Collisions

Another problem with hashing is that there is a possibility, however remote, that two completely different strings return the same hash.

Scenario

You register using the same username and password at both ABCStore.tld and XYZStore.tld. Two sites don’t use a salt, but they both hash your password with the same hashing algorithm. ABCStore.tld reports that their database was compromised.  Your password was not returned, but a collisions was returned.

Even though it is not your password, the collision string can be used to authenticate at XYZStore.tld also.

How a collision occurs

Because a hash is limited in the amount of characters it generates, but there are an infinite amount of character sequences, it stands to reason that infinite is greater than anything finite, once all hashes are used, the next hash created from a unique sequence will be a duplicate.

(Read this: What’s the shortest pair of strings that causes an MD5 collision?)

Lets make the numbers ridiculously small so you can understand easier. Imagine a hash that changes everything to a single digit number, 0-9. Once all ten hashes are used, the eleventh hash created is guaranteed to be a duplicate.

With SHA-256, the rules still applies, only there are a plenty of unique hashes, so collisions are extremely hard to calculate, even for multiple computers over a long period of time (at least today in June, 2012).

How salting improves security against collisions

If we look at our scenario where a hacker was able to determine a collision for the password used, not the password itself, they may not even have the salt string.

Well, if salting were used by both ABCStore.tld and XYZStore.tld, and both used different salts, then the collision that worked for ABCStore.tld doesn’t work from XYZStore.tld because they used different salts, and therefore the passwords aren’t the same. So that means that the hackers have to calculate your actual password, which is harder to calculate.

Even better, the hacker wouldn’t even be able to log into to ABCStore.tld because the login system will append the salt to the entered password, so having a collision doesn’t help, because after entering the password, the collision gets the different salt appended to it and it is no longer the same and is not a collision on another system.

Less-effective salt implementation

Salting works. However, it is often implemented in a way that is less-effective. Remember, “less-effective” is still somewhat effective. Let’s look at some less-effective uses of salting.

Using a single salt for all passwords

Look at the following table of passwords. Can you easily tell which is the salt and which is the password?

The salt is 12345679. Now because the salt is known, a hacker can now create a rainbow table using the salt.

This is “less effective” because it is still somewhat effective. This method is just not as effective as it could be.

According to scenario 1, it is effective because the standard rainbow table will not return a result. The hacker is now forced to create a new rainbow table. However, it is less effective because the hacker only has to create one more Rainbow table, and they can probably get all passwords with a partial rainbow table.

According to scenario 2, finding a collision will not allow authentication to another site with a different salt or a site without a salt. However, because the hacker knows the salt, they can find a collision from which they can remove the salt, and that leaves them with a collision string that works on ABCStore.com.

Using a static hash resource in the code

If a static hash is in the code, it is possible that this value can obtained from a binary or by compromising the code itself. Storing the hash in the code is effective as if the database is compromised, the hash was not in it.

It is somewhat effective in that the hacker now has to figure out the hash on their own. It is less-effective in that the code could be what was compromised.

Publishing the salt in the database

Since a single salt is “less effective” the author of an authentication system may decide to use a separate salt for each user. However, now he has so many salts, he needs to track them somewhere. The salt becomes a column, usually next to the password column, and usually the column is clearly titled: “Salt”.

According to scenario 1, this is still “effective” in that now a hacker must generate a Rainbow table for each user. Why is it still less effective? Because the salt is known, and only one password per Rainbow table is needed, a complete rainbow table is not needed. As soon as a string is found matching the hash, that Rainbow table can be abandoned. A dictionary designed to try high probability passwords first can significantly limit the time needed to find the average person’s passwords, which are usually simple and common dictionary words or names. Most passwords can be determined in a short amount of time. The time is of course based on resources. Of course, with cloud services, resources are cheap and powerful.

Using an existing user value as a salt

Instead of using a column called “Salt’, an existing known column, such as the username, first name, or last name is used. Of course, you wouldn’t use the actual value in the known column, it is probably too short. You would use a hash of the first name or a cryptographically random character sequence added to the value in the known column.

This is effective in that the hacker has to figure out which column is used as the salt. It is less effective because the hacker only has to do this on the first user and once the column is determined, for the rest of the users it is the same as publishing the salt in the database.

More effective implementations

One of the main failures of salting is the common idea that the salt is not secret. A secret or calculated salt increases security.

Salts should be unique per user and they should be hard and as close to impossible to figure out.  Here are some ways that a hacker may never figure out the salt, and never be able to create a Rainbow table using it. Something that provides the security as close to that of a one-time pad as possible.

Use a variably located calculated salt

There is not one salt, there are one or more salts. The salts don’t exist in the code, nor do the exist in the database. However, it is a combination of both. And the salt is not always a prefix, infix, or postfix, or any combination of the three, however, the number of salts and the location(s) are determined by one or more calculations.

There are seven possible salt combinations, however, because the infix could have multiple locations as well, the salt locations could be many more.

1. prefix
2. infix
3. postfix
4. surround (prefix and postfix)
5. prefix and infix
6. infix and postfix
7. all (prefix, infix, and postfix)

When there is an infix, it could be multiple infixes every n* characters where n could even be calculated so a 16 character password could have 1-15 infixes.

SaltLocations = Firstname % 7

Of course a more complex method could be used as well. Again, the number of infixes could be calculated. Each salt location should then have a separate salt and each salt should be created using a separate calculation. Also, make sure both the code and the database are used for the calculations. Even a simple algorithm makes life harder on the hacker. Go ahead and create a column called salt in the database, however, only store a random character sequence there.

Salt (database part) = First letter of first name + random character sequence + first letter of last name

This can be made even more complex by altering this using a function.

Salt (code part) = function(First two letters of first name + random character sequence + first two letters of last name)

Even if the function in code is a simple shift one bit function, the hacker will not know the function and will have difficulty figuring it out. Even if they figure out one salt, will they be able to figure out the number of salts, what each salt is, and where each salt is used.

This is more effective because the hacker will have to compromise both the database and code to figure out each salt and often the database and the code are stored on separate servers.

Use a variably located calculated salt including information outside the database and the code

No matter how many algorithms you use or how complex they are, if the hacker has the code and the database, they usually have the salt. What if you could change that? So what if having the code and the database is not enough.

External File

What if the code was obtained and the database was obtained but on inspection of the code, a file on the system, located nowhere near the code, held a value that was part of the hash. Now that file has to be accessed too. This file could be anywhere. On the same server, or on a separate server. It could be accessible by different credentials.

Salt = function(First two letters of first name + random character sequence + first two letters of last name + GetInfoFromFile())

Web Service

What if the calculations were performed on a separate server entirely using a web service and lets assume the web service is secure.

hash = Remote_function(password, First two letters of first name + random character sequence + first two letters of last name + GetInfoFromWebService())

The web service could also determines where to place the hash, in any of the seven ways mentioned, so compromising the local code no longer benefits the hacker.

However, adding a third server is costly and more complex and adds additional need for security. For example, if you don’t add security and the hacker gets the database and code, they could simply call the same web service. Adding security such as ‘source IP address of the calling server’ would be effective.

Now the database, the code, and the third-party server all have to be compromised by the hacker for them to determine your salt and then your password or a collision of your password.

Hashing your hash a calculated amount of times

Ok, so if you do everything above, you can still make life even harder for a hacker by hashing  your hash a number of times.

long RoundCount = CalculateRoundCount();
hash = hash(saltprefix + password)
for (long i = 0; i < RoundCount; i++)
hash = hash(hash)

Since we calculate the RoundCount so that every user in the database was hashed a different amount of times, it is difficult for the attacker to know how many hashes were run and so they have to try them all.

Kerckhoffs’s principle

Kerckhoffs’s principle states that a cryptosystem should still be secure even if everything about the system, except the key, is public knowledge.

This principle is abused by some security engineers in multiple ways:

1. they assume that only one key can or should exist.
2. they apply Kerckhoffs’s principle, which is for a single cryptographic action, to an entire multi-part software system.
3. they claim that a security measure is useless if that security measure relies on another part of the system being secret.

So is a calculated hash security by obscurity? Yes an no. This is security by multiple secrets. Security by multiple secrets is not necessarily the same as security by obscurity. Security by obscurity provides the idea that the code could be riddled with vulnerabilities but because the code isn’t known, it doesn’t matter, it is secure by being unknown. If you don’t know the hash, can you create valid rainbow table? No, you have to create the entire table and move to brute force. So it is security by making the hash a secret. Does it improve the hashing algorithm as a single cryptographic action? No. Does it require the attacker to build a bigger database of hashes? Yes. Does it make it more likely the hash they match with is a collision and not the user’s actually password? Yes.

Look, if the whole system were known, that would include the key or secret. Kerckhoffs’s principle explicit states that everything but the key or secret is known. His statement is true. It is best if that is the case. But that doesn’t mean security can’t be better for any given situation where that is not the case.

The best way to check if you are making your system more secure, is very similar to how you define features for a product: in stories. Barneck’s Security Story Principle (Barneck is me 😉 states this: Any security increase is valid if the security increase is for a hacker story that is valid.

So let’s look at some stories. Is security increased by making the salt secret?

If the salt is a secret, and the algorithm that calculates the salt uses a secret so the salt can’t be recalculated, then the system is more secure than it would be if the Salt were known. Even if the system is open source, if the open source software was written so the algorithm that creates the hash uses a secret that is generated by the user and is different for every install and not static in the source, then the attacker must first discover the secret to the salt before they can begin to use a rainbow table to find a collision.

There is a belief that cryptography should involve as few secrets as possible. However, one single secret is also a problem. What if that one secret is discovered. Shouldn’t the redundancy principle apply to secrets? Isn’t there a backup secret so discovering one secret is never enough? We inherently know that multiple keys and doors work better than one key and door. This is why we create games that have mazes where we have to find one key before we can find another.

Think of it as an arms race. Making the salt secret might not make your hashing algorithm any stronger. But does it have to? Isn’t it enough to make it harder for the hacker to make a rainbow table? Since a hacker is using a rainbow table, isn’t it valid to respond by attacking their ability to make a rainbow table? Yes it is. Time is a very important dimension in security and any measure taken that significantly increases the time required to hack a system is valid.

Now, as an exercise for you, what if the following calculations were done using separate secrets stored in separate places?

• Hash
• Hash location(s) – prefix, postfix, infix, or multiple
• Number of hash rounds

How does having separate secrets improve your system’s security? What administration concerns does it create?

Conclusion

Salting is effective. Even when a salt is implemented in a less effective manner, it is still better than having no salt at all.

Typically the salt is considered “not secret” but I argue that a hacker who compromises a database, the code, or both, should still have difficulty determining the salt or how the the salt is added to a password as that information allows for an easier creation of a rainbow table.

Implementing salting in these more effective ways can increase complexity, making it unlikely a hacker could reverse engineer a password using the hash or find and use a collision.

When developing in C#, you may have an object that contain properties that need to be initialized before they can be used. Think of a List<String> property. If you forget to initialize it, you are going to a NullReferenceException error. The List can be initialized as part of the constructor to solve this exception. However, maybe the List isn’t always used and you only want to load it if it needs to be used. So many people create a property that initializes iteself on first use. While this is not a bad idea, in C# it results in one line of code becoming at least six lines of code because you have to break out the auto property.

Here is the one line version verses the six line version (I can make it five lines if I put the private variable on the same line as the last bracket, which is a syntax I like with full properties).

List AddressLines { get; set; }

public List AddressLines
{
    get { return _AddressLines; }
    set { _AddressLines = value; }
}
private List<String> _AddressLines;

Wouldn’t it be nice if we could do this by only added single line of code, in this case an attribute? It can be that easy. Creating an instance on first use, or lazy loading, is a cross-cutting concern and can be extracted to an aspect using PostSharp. This article is going to show you how to do this.

It is assumed you have the following already installed and licensed:

1. Visual Studio
2. PostSharp

Step 1 – Create your Visual Studio Project

So to show you how this works, let’s get started.

1. Create a sample Console Application project in Visual Studio.
2. Add a reference to PostSharp.

Step 2 – Create an example class with properties

Ok, so let’s go ahead and create an example class called Address.

1. Right-click on your project and choose Add | Class.
2. Give the class file a name.
   I named this class Address.cs.
3. Click OK.
4. Add properties needed to store and address.
   Here my Address class working.

using System;
using System.Collections.Generic;

namespace ExampleAspects
{
    public class Address
    {
        public List AddressLines
        {
            get { return _AddressLines; }
            set { _AddressLines = value; }
        } private List<String> _AddressLines;

        public String City { get; set; }

        public String State { get; set; }

        public String Country { get; set; }

        public String ZipCode { get; set; }
    }
}

So our goal is to use Aspect-oriented programming to extract the lazy load something like this:

[LazyLoadAspect]
public List AddressLines { get; set; }

For me this is much clearer and more readable than the full property. Let’s make this happen in the next step.

Step 3 – Create the LazyLoadAspect

Ok, so let’s go ahead and create an example class called Address.

1. Right-click on your project and choose Add | Class.
2. Give the class file a name.
   I named this aspect class LazyLoadAspect.cs. Another good name might be InstantiateOnFirstUse or something.
3. Make the class inherit from LocationInterceptionAspect.
4. Override the OnGetValue method.
5. Write code to get the value, check if it is null, and if null instantiate and set the value.
6. Add a Type property that takes a type and implement that type if it is set, just in case you want to initialize using a child class. Otherwise how would you implement an interface.

using System;
using PostSharp.Aspects;

namespace Rhyous.ServiceManager.Aspects
{
    [Serializable]
    public class LazyLoadAspect : LocationInterceptionAspect
    {
        public Type Type { get; set; }

        public override void OnGetValue(LocationInterceptionArgs args)
        {
            args.ProceedGetValue();
            if (args.Value == null)
            {
                args.Value = Activator.CreateInstance(Type ?? args.Location.PropertyInfo.PropertyType);
                args.ProceedSetValue();
            }
        }
    }
}

Note: You may have a factory for creating your objects and you could replace the Activator.CreateInstance method with your factory method.

As discussed, replace the full property with this:

[LazyLoadAspect]
public List AddressLines { get; set; }

Step 4 – Prove your LazyLoadAspect works

Give it a try by creating an instance of Address in the Main method of Program.cs.

using System;
using Common.Aspects;
using PostSharp.Aspects;

namespace AspectExamples
{
    class Program
    {
        static void Main(string[] args)
        {
            Address address = new Address();
            // NullReferenceException would occur here without the LazyLoadAspect
            address.AddressLines.Add("To: John Doe");
            address.AddressLines.Add("100 N 100 E");
            address.AddressLines.Add("Building 12 Floor 5 Suite 530");
            address.City = "SomeCity";
            address.State = "Utah";
            address.Country = "USA";
        }
    }
}

Well, you are done.

Please take time to look at how the code actually ended up using ILSpy or .NET Reflector.

Return to Aspected Oriented Programming – Examples

I’ll be honest, I always cringe whenever I have to use try/catch. I do everything I can to avoid it. Besides being a resource hog, try/catch statements clutter code making it harder to read. So naturally I was excited when learning about Aspect-oriented programming (AOP) and PostSharp (the AOP library for C#) that try/catch statements are cross-cutting concerns and can be implemented as aspects.

It is assumed you have the following already installed and licensed:

1. Visual Studio
2. PostSharp

Step 1 – Create your Visual Studio Project

So to show you how this works, lets get started.

1. Create a sample Console Application project in Visual Studio.
2. Add a reference to PostSharp.
3. Populate the Program.cs with an example exception as shown.

using System;
using Common.Aspects;

namespace AspectExamples
{
    class Program
    {
        static void Main(string[] args)
        {
            ThrowSampleExecption();
        }

        private static void ThrowSampleExecption()
        {
            throw new ApplicationException("Sample Exception");
        }
    }
}

Ok, now we have an example exception, lets show how we can catch this exception, log it, and continue.

Step 2 – Creating an exception aspect

1. Right-click on your project and choose Add | Class.
2. Give the class a name.
   I named my class ExceptionAspect.
3. Click OK.
4. Make the class inherit from OnExceptionAspect.
   Note: If you haven’t added a reference to PostSharp, you’ll need to do that now.
5. Add a string property called Message.
6. Add a Type property called ExceptionType.
7. Add a FlowBehavior property called Behavior.
   The default value is FlowBehavior.Default.
8. Override the OnException method.
9. In the OnException method, create a message and log it.
   For this example, I will just log to the Visual Studio  Output window.
10. In the OnException method, set the FlowBehavior to the Behavior property.
11. Override the GetExceptionType method and configure it to return the ExceptionType property.

using System;
using System.Diagnostics;
using PostSharp.Aspects;

namespace Common.Aspects
{
    [Serializable]
    public class ExceptionAspect : OnExceptionAspect
    {
        public String Message { get; set; }

        public Type ExceptionType { get; set; }

        public FlowBehavior Behavior { get; set; }

        public override void OnException(MethodExecutionArgs args)
        {
            string msg = DateTime.Now + ": " + Message + Environment.NewLine;
            msg += string.Format("{0}: Error running {1}. {2}{3}{4}", DateTime.Now, args.Method.Name, args.Exception.Message, Environment.NewLine, args.Exception.StackTrace);
            Debug.WriteLine(msg);
            args.FlowBehavior = FlowBehavior.Continue;
        }

        public override Type GetExceptionType(System.Reflection.MethodBase targetMethod)
        {
            return ExceptionType;
        }
    }
}

Your ExceptionAspect class is complete and ready to use.

Step 3 – Apply the ExceptionAspect

1. Add ExceptionAspect as an attribute to the ThrowSampleException method.
2. Set the ExceptionType property to type of exception being thrown, which is an ApplicationException in this example.
3. Set the Message property to hold a message.
4. Set the Behavior property to FlowBehavior.Continue.

using System;
using Common.Aspects;
using PostSharp.Aspects;

namespace AspectExamples
{
    class Program
    {
        static void Main(string[] args)
        {
            ThrowSampleExecption();
        }

        [ExceptionAspect(ExceptionType = typeof(ApplicationException), Message = "An example exception.", Behavior = FlowBehavior.Continue)]
        private static void ThrowSampleExecption()
        {
            throw new ApplicationException("Sample Exception");
        }
    }
}

This is now complete. You have now implemented try/catch as an aspect.
You should take the time to look at your code with .NET Reflector or ILSpy to see what is really being done.
So here is the resulting code for the method accord to ILSpy.

• Notice that our one line of code in the original method is in the try block.
• Notice that in the catch block, the OnException method is called.
• Notice that the catch block also has a switch statement based on the FlowBehavior to determine whether to continue or rethrow, etc.

// AspectExamples.Program
private static void ThrowSampleExecption()
{
	try
	{
		throw new ApplicationException("Sample Exception");
	}
	catch (ApplicationException exception)
	{
		MethodExecutionArgs methodExecutionArgs = new MethodExecutionArgs(null, null);
		MethodExecutionArgs arg_1F_0 = methodExecutionArgs;
		MethodBase m = Program.<>z__Aspects.m2;
		arg_1F_0.Method = m;
		methodExecutionArgs.Exception = exception;
		Program.<>z__Aspects.a0.OnException(methodExecutionArgs);
		switch (methodExecutionArgs.FlowBehavior)
		{
		case FlowBehavior.Default:
		case FlowBehavior.RethrowException:
			IL_55:
			throw;
		case FlowBehavior.Continue:
			methodExecutionArgs.Exception = null;
			return;
		case FlowBehavior.Return:
			methodExecutionArgs.Exception = null;
			return;
		case FlowBehavior.ThrowException:
			throw methodExecutionArgs.Exception;
		}
		goto IL_55;
	}
}

You now can implement pretty much any try/catch block as an Aspect using the ExceptionAspect.

Reusability

One of the main benefits of Aspects is that they take cross-cutting concerns and make them modular. That means that like class files, they are now reusable. Now it is easy to use, link to, or copy and paste your ExceptionAspect class into any other project.

Return to Aspected Oriented Programming – Examples