#Dotfuscator
one3erver · 11 days ago
Text
Obfuscation Techniques
In the world of software development, obfuscation in programming is one of the vital techniques for preserving code security and preventing unauthorized access to a program's internal logic. By making the structure of the code complex and incomprehensible, this method prevents reverse engineering and stops hackers or competitors from misusing it. Today, the use of obfuscation tools as a security layer for protecting software, alongside other common security measures, has gained a special place.
What is obfuscation?
Obfuscation is a process in which the source code or binary of a program is changed in such a way that its functionality remains unchanged, but understanding its logic becomes very difficult for humans or analysis tools. The main goal of this technique is to prevent misuse, copying and reverse engineering.
Why is obfuscation important?
- Protecting software against intellectual property theft
- Increasing security in programs that process sensitive information
- Preventing the injection of malicious code
- Protecting proprietary algorithms in commercial projects
- Ensuring that even if the executable files leak, no one can easily reconstruct the structure of the code
Types of obfuscation techniques
- Renaming variables and functions: names are changed to meaningless strings or repeated names.
- Scrambling the code structure: using irrelevant statements, nesting code blocks, or creating fake logical paths.
- String encryption: text strings are encrypted and are decrypted at run time.
- Hiding logic with dynamic classes and functions: functions or classes are built dynamically so that they are not understandable during static analysis.
- Inserting dummy code: inserting code with no effect that misleads the analyst.
Popular obfuscation tools
- ProGuard for Java and Android
- Dotfuscator for .NET
- Obfuscator-LLVM (OLLVM) for C/C++ projects
- JScrambler for JavaScript
- UglifyJS for minifying and obfuscating JS code
Possible weaknesses
- It may have a negative effect on program performance.
- Obfuscated code may run into problems during debugging.
- Some techniques conflict with GDPR and data-transparency rules.
Use of obfuscation in the hosting industry
In shared hosting services, virtual private servers (VPS) and even hosting dedicated to mobile applications, the use of obfuscation techniques plays a vital role in protecting users' sensitive files. For example, the company One Server, by offering Linux and Windows hosting, provides a secure platform for hosting projects that need obfuscation. Using obfuscation tools alongside One Server's security services can guarantee a higher level of software and information security.
Conclusion
Using obfuscation in programming not only protects software against threats, but is also an effective way to prevent reverse engineering and misuse. By using suitable obfuscation tools and observing the technical points, the security of software projects can be increased significantly. If you are looking to improve the security of your code, learning and implementing these techniques can be a very good starting point.
0 notes
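The renaming and string-encryption techniques listed in the post above, as an added example that is not part of the original post: a small source-to-source transformer built on Python's standard `ast` module, applied to a constructed sample function. The sample function, the single-byte XOR key and the `_dec` helper name are assumptions made for illustration.

```python
import ast
import base64

KEY = 0x5A  # constructed single-byte key; note that it ships inside the protected program

# Runtime decoder that is prepended to the obfuscated source.
DECODER_SRC = (
    "import base64\n"
    "def _dec(blob):\n"
    f"    return bytes(b ^ {KEY} for b in base64.b64decode(blob)).decode()\n"
)

# Constructed sample: a proprietary-looking pricing rule with a hard-coded string.
SAMPLE = '''
def discounted_price(price, coupon):
    partner_code = "PARTNER-2024"
    rate = 0
    if coupon == partner_code:
        rate = 25
    return price - price * rate // 100
'''


def _encode(text):
    """XOR every byte with KEY, then base64 the result so it is valid source text."""
    return base64.b64encode(bytes(b ^ KEY for b in text.encode())).decode()


class Obfuscator(ast.NodeTransformer):
    """Renames identifiers defined in the module and encrypts string literals."""

    def __init__(self, tree):
        defined = set()
        for node in ast.walk(tree):
            if isinstance(node, ast.FunctionDef):
                defined.add(node.name)
            elif isinstance(node, ast.arg):
                defined.add(node.arg)
            elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
                defined.add(node.id)
        # Builtins and attribute names are never in `defined`, so they are left alone.
        # Calls that pass arguments by keyword are not handled by this sketch.
        self.mapping = {name: f"_v{i}" for i, name in enumerate(sorted(defined))}

    def visit_FunctionDef(self, node):
        node.name = self.mapping.get(node.name, node.name)
        self.generic_visit(node)
        return node

    def visit_arg(self, node):
        node.arg = self.mapping.get(node.arg, node.arg)
        return node

    def visit_Name(self, node):
        node.id = self.mapping.get(node.id, node.id)
        return node

    def visit_Constant(self, node):
        if not isinstance(node.value, str):
            return node
        # Replace "text" with _dec("<encrypted blob>"), decoded only at run time.
        call = ast.Call(
            func=ast.Name(id="_dec", ctx=ast.Load()),
            args=[ast.Constant(_encode(node.value))],
            keywords=[],
        )
        return ast.copy_location(call, node)


def obfuscate(source):
    """Return (obfuscated_source, name_mapping) for a piece of Python source."""
    tree = ast.parse(source)
    transformer = Obfuscator(tree)
    tree = ast.fix_missing_locations(transformer.visit(tree))
    return DECODER_SRC + ast.unparse(tree), transformer.mapping


def load(source, func_name):
    """Execute source in a fresh namespace and return one function from it."""
    namespace = {}
    exec(source, namespace)
    return namespace[func_name]


if __name__ == "__main__":
    protected_source, names = obfuscate(SAMPLE)
    print(protected_source)
    print(names)
```

The output keeps the behaviour of the sample while hiding its names and literal from a plain text search; because the decoder and key travel with the program, this raises the cost of static analysis rather than removing the possibility.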
suzanneshannon · 4 years ago
Text
Penny Pinching in the Cloud: Azure Static Web Apps are saving me money
I've long run a few dozen websites in Azure and while I've long noticed people (frankly) wasting money by having one Azure App Service (a Web Site) per Azure App Service Plan (a VM) I tend to pack them tight.
A Basic 1 (B1) Azure App Service running Linux is around $13 a month but has nearly 2 gigs of RAM. Up that to about $26 a month and you've got 3.5 gigs of RAM and 2 Cores AND 10 gigs of storage. Use ALL that RAM. Max out that storage - use the resources you have paid for. If you hit up against a limit you can always add more and scale up. Run those boxes hot, you paid for them!
While my blog and podcast and main site run on Azure Premium SKUs (and are fast and it's worth it) I have a dozen little one pagers, brochureware sites, and toys like https://www.keysleft.com/ and I've managed them all in an App Service as well. But they are static sites. They are nothing sites...so why do I need an App Service? It's overkill.
Turns out Azure Static Web Apps are a lovely thing and they are FREE while in Preview. It's great for static sites, sites made with static site generators, or Jamstack sites with serverless functions behind them.
So I converted a bunch of my little sites to Azure Static Web Apps. Took maybe 90 minutes to do 8 of them as seen below.
Since the code for these sites was already in GitHub, it was very easy to move them.
For example, the code for the KeysLeft site is at https://github.com/shanselman/keysleft and Azure Static Web Apps has a GitHub Action that easily deploys it on every commit. It's butter. It's created for you but you can see the generated GitHub Action as it lives alongside your code.
The docs are clear and it works nicely with Vue, React, Angular, or just regular HTML like my son's Hamster Blog. https://www.myhamsterblog.com/
As it's in Preview now it's free, and I'm sure it'll be super cheap when it goes live. I have no idea how much it will cost but I'll worry about that later. For now it's allowed me to turn off an entire Azure App Service and replace it with Azure Static Web Apps.
They also support custom domains and they automatically make and assign you an SSL cert. My only complaint is that there's no easy support (today) for apex domains (so all mine have www. as CNAMEs) but you could proxy it through a free Cloudflare account if you really want.
Check it out, I suspect you have a site right now that's either generated or just static and this could save you some money.
Sponsor: Protect your apps from reverse engineering and tampering with PreEmptive, the makers of Dotfuscator. Dotfuscator has been in-the-box with Microsoft Visual Studio since 2003. Visit preemptive.com/hanselminutes for a professional-grade trial.
© 2021 Scott Hanselman. All rights reserved.
Penny Pinching in the Cloud: Azure Static Web Apps are saving me money published first on https://deskbysnafu.tumblr.com/
0 notes
philipholt · 4 years ago
Text
Penny Pinching in the Cloud: Azure Static Web Apps are saving me money
Penny Pinching in the Cloud: Azure Static Web Apps are saving me money published first on http://7elementswd.tumblr.com/
0 notes
devopsengineer · 4 years ago
Text
Azure devops msbuild arguments
Dotfuscator Community Build Task
PreEmptive Solutions
Protect your Applications with Dotfuscator Community
The Dotfuscator Community extension adds tasks to your Azure DevOps build process that help you protect your applications from unauthorized decompilation, tampering, debugging, and…
0 notes
tony419c-blog · 6 years ago
Text
Something Awesome Project # 7 – a Report on the Process of my Cracking and some Recommendations for Software Engineers to Prevent their Software to be cracked
I have done most of the work I once proposed in the Something Awesome Project Proposal in the first weeks of this term. Now, to finish my last milestone – Milestone 4 – I am going to write a report on the process of my cracking work and give some recommendations to software engineers about how to prevent their software from being cracked.
1. The cracking process of software written in C++ and C#
For software written in C#, it is easy to reverse it into a class-based, Visual Studio project-like structure with the help of .NET Reflector. The project-like structure I got from this technique is quite like the real project in Microsoft Visual Studio, apart from the lack of real names of classes, methods and variables. By dipping through the project structure, I spotted the method that was in charge of the verification of serial numbers entered by users. As it was difficult to reverse the verification function mathematically, I just copied the function verbatim into a new Visual Studio MFC project and used that function to test whether any generated serial number was genuine. I would generate all possible combinations made of legal letters and only output the ones that went through the test successfully. By wrapping this core algorithm in an MFC GUI, I made a keygen. You can choose different editions of Trisun Software Duplicate MP3 Finder Plus and generate as many serial numbers as you want. I tested many serial numbers generated by my keygen in Trisun Software Duplicate MP3 Finder Plus and all of them passed the verification.
For software written in C++, I used IDA to disassemble the main executable binary into assembly instructions. I deliberately entered a wrong serial number in the original executable and an error message popped up. By searching for this very message in IDA, I pinpointed the exact location of this error message and, with one more step, I found the function (subroutine) which loads this message. That subroutine is the very one I was looking for, but I could not have found it by only looking at its name – all function names except those of C library functions were number-based, and it was not possible for me to run into a function like VerifyKey() as in .NET Reflector. Now that the verification function was spotted, I immediately went up, from the location where that error message would be loaded, to the ‘JNZ’s that indicate the failure of the verification of serial numbers. By patching the ‘JNZ’ instructions to ‘JZ’s, I enabled the software to let wrong serial numbers pass. Changing ‘JNZ’s to ‘JZ’s only required changing the Intel x86 binary instruction from 0x75 to 0x74. I got a patched binary executable when I applied the patches to disk. Now this new executable would accept any wrong serial number and permanently register its license. I also made a patch in a simple C++ project in Microsoft Visual Studio to show the possibility of a standalone patch just like those made by Russian geeks.
2. Recommendations for software written in C++ and C# about the prevention of circumvention of license activation
For software written in C#, code confusion is needed to prevent it from being reversed by .NET Reflector. Dotfuscator is a powerful tool for programmers to confuse their C# code, rearrange variable names and encrypt the hard-coded strings, the string table and various resources packed in the executable. Also, ConfuserEx is a free and open source tool for this purpose. Virbox Protector is an all-in-one tool to encrypt the code.
For software written in C++, there are more ways to protect it. Shelling is a way to add a shell to the original software and display fake property information, data segments and code segments to the outside world, and reverse engineering tools like IDA can only see the first ‘layer’ of that software and cannot figure out the real logic beneath it. VMProtect is a tool to shell software. It is easy to use and requires little knowledge from programmers to handle it.
As the Internet is much more popular than ever before, general-purpose desktop application software (in contrast to system software, database software, etc.) can hardly find itself running in an offline environment. Migrating the crucial part of the software and hosting it on a cloud on the Internet is a trend in software development. Methods hosted on a cloud will expose themselves only through RPC interfaces (like RESTful APIs), and an API key is commonly needed to access these remote methods. Illegal users who do not have a valid serial number will not get access to these crucial remote methods, and the standalone part of the software will turn out to be useless for them.
Reference
· PreEmptive Solutions. 2019. .NET Obfuscator & More | Dotfuscator - PreEmptive Protection. [ONLINE] Available at: https://www.preemptive.com/products/dotfuscator/overview. [Accessed 22 July 2019].
· ConfuserEx. 2019. ConfuserEx. [ONLINE] Available at: https://yck1509.github.io/ConfuserEx/. [Accessed 22 July 2019].
· VMProtect Software Protection » VMProtect. 2019. VMProtect Software Protection » VMProtect. [ONLINE] Available at: https://vmpsoft.com/products/vmprotect/. [Accessed 22 July 2019].
· Nordic APIs. 2019. 3 Common Methods of API Authentication Explained | Nordic APIs |. [ONLINE] Available at: https://nordicapis.com/3-common-methods-api-authentication-explained/. [Accessed 22 July 2019].
0 notes
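The last recommendation in the post above (keep the crucial method on a server and require a valid serial to call it), as an added example that is not part of the original post or of any product it names. The class and function names, the serial format, the HMAC-based tag and the lockout threshold are assumptions; a direct method call stands in for the RPC transport.

```python
import base64
import hashlib
import hmac
import secrets

MAX_FAILURES = 5  # assumed lockout threshold per client


class LicenseServer:
    """Server side: the signing secret and the crucial method exist only here."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)  # never shipped inside the client
        self._revoked = set()
        self._failures = {}

    def _tag(self, body):
        mac = hmac.new(self._secret, body.encode(), hashlib.sha256).digest()
        return base64.b32encode(mac[:10]).decode()  # 80-bit tag, 16 characters

    def issue(self, customer, edition):
        """Create a serial of the form customer.edition.tag."""
        if "." in customer or "." in edition:
            raise ValueError("fields must not contain '.'")
        body = f"{customer}.{edition}"
        return f"{body}.{self._tag(body)}"

    def revoke(self, serial):
        self._revoked.add(serial)

    def _edition_of(self, serial):
        """Return the licensed edition, or None if the serial is forged or revoked."""
        parts = serial.split(".")
        if len(parts) != 3 or serial in self._revoked:
            return None
        body = f"{parts[0]}.{parts[1]}"
        # Constant-time comparison so response timing does not leak tag bytes.
        if not hmac.compare_digest(parts[2].encode(), self._tag(body).encode()):
            return None
        return parts[1]

    def find_duplicates(self, client_id, serial, file_hashes):
        """The crucial remote method: group paths whose content hashes match."""
        if self._failures.get(client_id, 0) >= MAX_FAILURES:
            raise PermissionError("client locked out")
        if self._edition_of(serial) is None:
            self._failures[client_id] = self._failures.get(client_id, 0) + 1
            raise PermissionError("invalid serial")
        groups = {}
        for path, digest in file_hashes.items():
            groups.setdefault(digest, []).append(path)
        return sorted(sorted(paths) for paths in groups.values() if len(paths) > 1)


def client_scan(server, client_id, serial, files):
    """Client side: hashes files locally and holds no check that could be copied or patched."""
    hashes = {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}
    return server.find_duplicates(client_id, serial, hashes)


if __name__ == "__main__":
    srv = LicenseServer()
    key = srv.issue("cust42", "plus")  # constructed customer and edition
    sample = {"a.mp3": b"AAAA", "b.mp3": b"BBBB", "copy_of_a.mp3": b"AAAA"}
    print(client_scan(srv, "pc1", key, sample))
```

Because the client binary contains neither the secret nor a verification routine, changing a conditional jump or copying a function out of it yields nothing to test candidate serials against; guessing has to go through the server, where it is counted and locked out.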
cloudnative · 8 years ago
Link
Legacy. Is. Dangerous.
0 notes
philipholt · 4 years ago
Text
Don't forget about the GitHub Command Line
I spend so much time at the command line using the Windows Terminal. Then I spend a ton of time using git at the command line. But then I ALT+TAB over to GitHub and mess around in the browser.
Why have I been sleeping on the GitHub CLI? - there's a command line interface for GitHub!
I installed with "winget install GitHub.cli" but you can get it from https://cli.github.com if you like.
Then you run gh auth login once:
gh auth login
? What account do you want to log into? GitHub.com
? What is your preferred protocol for Git operations? HTTPS
? Authenticate Git with your GitHub credentials? Yes
? How would you like to authenticate GitHub CLI? Login with a web browser
Now you've got a new command "gh" to play with!
I went over to one of my local git clones for the Hanselminutes Podcast website and I can now list the open Pull Requests from the command line!
Here's the real time saver that Dan Wahlin reminded me about: gh repo create!
> git init
Initialized empty Git repository in D:/github/ghcliblogpost/.git/
> gh repo create
? Repository name ghcliblogpost
? Repository description This is a test for my GH CLI Blog post
? Visibility Public
? This will add an "origin" git remote to your local repository. Continue? Yes
✓ Created repository shanselman/ghcliblogpost on GitHub
✓ Added remote https://github.com/shanselman/ghcliblogpost.git
Fantastic! You can even gh issue create!
gh issue create
Creating issue in shanselman/hanselminutes-core
? Title This is a test issue
? Body <Received>
? What's next? Submit
https://github.com/shanselman/hanselminutes-core/issues/219
Checking out a Pull Request is a great time saver as well. Go check out http://cli.github.com/ and see how it can help you today!
© 2021 Scott Hanselman. All rights reserved.
Don't forget about the GitHub Command Line published first on http://7elementswd.tumblr.com/
0 notes
suzanneshannon · 4 years ago
Text
Don't forget about the GitHub Command Line
Don't forget about the GitHub Command Line published first on https://deskbysnafu.tumblr.com/
0 notes
philipholt · 4 years ago
Text
Hack a TV into a Teams and Zoom Computer with EpocCam and Miracast
If you have a TV, you can turn it into a fancy conference room monitor and pretend you have a Surface Hub 2S. Let's see the different ways we can make Teams/Zoom meetings more a "walking around and thinking" experience, and less a "hunched in front of the laptop" experience.
Cheapest/Good - Wire up to a big TV
You can just get a nice HDMI cable and plug it into your TV and duplicate or extend your laptop's screen. In this simple scenario you're using your Laptop's mic and webcam, and just using the screen of your TV. You can also check your audio output and use the TV speakers as output if you like.
Doing this is not just a nice change of pace, but it reminds you of the options you have to hold meetings! It's your space...how many ways can you change your boring meeting into a new perspective by using the same space in a new way?
Cheap/Better - Wireless to a big TV
If you want to be wireless, you can use Miracast (if your computer/laptop/Surface supports it) or AirPlay or AirServer to "throw" your screen wirelessly to your TV. Some Samsung Smart TV support wireless communications built-in!
You may be able to throw from Windows to a Smart TV with AirServer software. You may be able to throw with AirPlay on your Mac to an Apple TV.
You may be able to get a Miracast HDMI dongle (amzn link) and make a dumb TV smart. This is the solution I use. I throw my Surface screen over Miracast to the TV.
Less Cheap/Best (for me) - Wireless to a big TV with a wireless Webcam via my iPhone
I have a TV on my wall in my office, but it doesn't lend itself to wires and moving my laptop. I wanted to throw the screen over there AND also have a webcam on top of the TV. Ideally there'd be a webcam in the bezel of the TV, but there isn't.
What's an ideal and cheap webcam? My iPhone is already a great device with a long life battery, it's portable, and a webcam. You can get a number of apps that will enable you to use your iPhone (or Android) as a webcam.
I decided on Elgato EpocCam to turn my iPhone into a webcam.
Troubleshooting: The docs aren't amazing, so you'll want to not only install the software, but confirm that the EpocCamService is enabled in the Windows Firewall for both Private AND Public Networks (or ensure your network is the same type as the type that's enabled for this service.) I had to manually allow the EpocCam Service to work on Private Networks.
Then you'll get the iPhone side of the app and your iPhone will show up as a camera. With the Pro version ($7.99) you'll get higher quality and microphone support.
Now I just put my iPhone on the top of the TV, run the EpocCam software, and then on my PC I throw my video to the TV and select the EpocCam virtual Camera. Now I can wander around my office and pace and talk and think, which is great!
Here I've got my Samsung Frame TV (amzn link) (I got it for just $600 as it's the 2018 model, I love it) and I've hooked up the Microsoft Wireless Display Adapter v2 (amzn link).
Other Alternatives
Once you familiarize yourself with these wireless options for throwing video and audio around, you'll find there is no right answer. There's only the answer that works for you! The results will be similar, but some of the solutions will fit better into your system or setup.
Here's some other ideas.
Use NDI Tools to formally throw video around your office and catch it with OBS or XSplit
Use a really long USB extension cord and mount a cheap webcam on the top of the TV
Just use your iPhone or iPad or Android device and join Teams or Zoom with the phone itself! Then either wired (via adapter and HDMI) or wirelessly connect the device to your TV!
Leave your solutions in the comments!
There also appear to be Teams devices that will take a TV or Display and Teamsify it! I'll go educate myself about those as well!
© 2020 Scott Hanselman. All rights reserved.
Hack a TV into a Teams and Zoom Computer with EpocCam and Miracast published first on http://7elementswd.tumblr.com/
0 notes
suzanneshannon · 4 years ago
Text
Hack a TV into a Teams and Zoom Computer with EpocCam and Miracast
Hack a TV into a Teams and Zoom Computer with EpocCam and Miracast published first on https://deskbysnafu.tumblr.com/
0 notes
devopsengineer · 4 years ago
Text
Msbuild arguments azure devops
Dotfuscator Community Build Task
PreEmptive Solutions
Protect your Applications with Dotfuscator Community
The Dotfuscator Community extension adds tasks to your Azure DevOps build process that help you protect your applications from unauthorized decompilation, tampering, debugging, and data…
0 notes
suzanneshannon · 5 years ago
Text
How to remote desktop fullscreen RDP with just SOME of your multiple monitors
I saw this over on the Microsoft Remote Desktop Uservoice
Allow ability to choose subset of local monitors for RDP session (full screen)
Allow ability to select a subset of current monitors with full screen. Currently can choose all or 1 but cannot choose for instance 2 of 3 (full screen).
That seems useful, I wish it did that. I know about this checkbox that says "Use all my monitors" but I can't say just use 1 and 2 but not 3, right?
Turns out that you CAN span n monitors but it's just buried/internal and has no UI.
Save your RDP file, and open it in Notepad. Everyone's RDP file is different but yours may look like this:
full address:s:x.x.x.x:3389
prompt for credentials:i:1
administrative session:i:1
screen mode id:i:2
span monitors:i:1
use multimon:i:1
selectedmonitors:s:0,1
I can put on selectedmonitors:s:x,y and then use the zero-based numbers to indicate my monitors. To get a list of monitors, I can run mstsc /l to LIST out all my monitors on my machine. I can also use mstsc /multimon as a command line to use multiple monitors.
So I set my selectedmonitors:0,1 to use my left and middle monitor and skip my right one.
In this picture, I'm RDP'ed into a remote Windows 10 machine in Azure on Monitors 1 and 2 while Monitor 3 is my local one.
Sweet.
Sponsor: Protect your apps from reverse engineering and tampering with PreEmptive, makers of Dotfuscator. Dotfuscator has been in-the-box with Microsoft Visual Studio since 2003. Mention HANSELMAN for savings on a professional license!
© 2020 Scott Hanselman. All rights reserved.
How to remote desktop fullscreen RDP with just SOME of your multiple monitors published first on https://deskbysnafu.tumblr.com/
0 notes
philipholt · 5 years ago
Text
How to remote desktop fullscreen RDP with just SOME of your multiple monitors
How to remote desktop fullscreen RDP with just SOME of your multiple monitors published first on http://7elementswd.tumblr.com/
0 notes
suzanneshannon · 5 years ago
Text
Easily adding Security Headers to your ASP.NET Core web app and getting an A grade
Well that sucks.
That's my podcast website with an F rating from SecurityHeaders.com. What's the deal? I took care of this months ago!
Turns out, recently I moved from Windows to Linux on Azure.
If I am using IIS on Windows, I can (and did) make a section in my web.config that looks something like this.
Do note that I've added a few custom things and you'll want to make sure you DON'T just copy paste this. Make yours, yours.
Note that I've whitelisted a bunch of domains to make sure my site works. Also note that I have a number of "unsafe-inlines" that are not ideal.
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000"/>
        <add name="X-Content-Type-Options" value="nosniff"/>
        <add name="X-Xss-Protection" value="1; mode=block"/>
        <add name="X-Frame-Options" value="SAMEORIGIN"/>
        <add name="Content-Security-Policy" value="default-src https:; img-src * 'self' data: https:; style-src 'self' 'unsafe-inline' www.google.com platform.twitter.com cdn.syndication.twimg.com fonts.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google.com cse.google.com cdn.syndication.twimg.com platform.twitter.com platform.instagram.com www.instagram.com cdn1.developermedia.com cdn2.developermedia.com apis.google.com www.googletagservices.com adservice.google.com securepubads.g.doubleclick.net ajax.aspnetcdn.com ssl.google-analytics.com az416426.vo.msecnd.net/;"/>
        <add name="Referrer-Policy" value="no-referrer-when-downgrade"/>
        <add name="Feature-Policy" value="geolocation 'none';midi 'none';notifications 'none';push 'none';sync-xhr 'none';microphone 'none';camera 'none';magnetometer 'none';gyroscope 'none';speaker 'self';vibrate 'none';fullscreen 'self';payment 'none';"/>
        <remove name="X-Powered-By" />
        <remove name="X-AspNet-Version" />
        <remove name="Server" />
      </customHeaders>
    </httpProtocol>
    ...
But, if I'm NOT using IIS - meaning I'm running my ASP.NET app in a container or on Linux - this will be ignored. Since I recently moved to Linux, I assumed (my bad for no tests here) that it would just work.
My site is hosted on Azure App Service for Linux, so I want these headers to be output the same way. There are several great choices in the form of Open Source NuGet libraries to help. If I use the ASP.NET Core middleware pipeline then these headers will be output and work the SAME on both Windows AND Linux.
I'll be using the NWebsec Security Libraries for ASP.NET Core. They offer a simple fluent way to add the headers I want.
TO BE CLEAR: Yes I, or you, can add these headers manually with AddHeader but these simple libraries ensure that our commas and semicolons are correct. They also offer a strongly typed middleware that is fast and easy to use.
Taking the same web.config above and translating it to Startup.cs's Configure Pipeline with NWebSec looks like this:
app.UseHsts(options => options.MaxAge(days: 30));
app.UseXContentTypeOptions();
app.UseXXssProtection(options => options.EnabledWithBlockMode());
app.UseXfo(options => options.SameOrigin());
app.UseReferrerPolicy(opts => opts.NoReferrerWhenDowngrade());

app.UseCsp(options => options
    .DefaultSources(s => s.Self()
        .CustomSources("data:")
        .CustomSources("https:"))
    .StyleSources(s => s.Self()
        .CustomSources("www.google.com","platform.twitter.com","cdn.syndication.twimg.com","fonts.googleapis.com")
        .UnsafeInline()
    )
    .ScriptSources(s => s.Self()
        .CustomSources("www.google.com","cse.google.com","cdn.syndication.twimg.com","platform.twitter.com" ... )
        .UnsafeInline()
        .UnsafeEval()
    )
);
There is one experimental HTTP header that NWebSec doesn't support (yet) called Feature-Policy. It's a way that your website can declare at the server-side "my site doesn't allow use of the webcam." That would prevent a bad guy from injecting local script that uses the webcam, or some other client-side feature.
I'll do it manually both to make the point that I can, but also that you aren't limited by your security library of choice.
NOTE: Another great security library is Andrew Lock's NetEscapades that includes Feature-Policy as well as some other great features.
Here's my single Middleware that just adds the Feature-Policy header to all responses.
//Feature-Policy
app.Use(async (context, next) =>
{
    context.Response.Headers.Add("Feature-Policy", "geolocation 'none';midi 'none';notifications 'none';push 'none';sync-xhr 'none';microphone 'none';camera 'none';magnetometer 'none';gyroscope 'none';speaker 'self';vibrate 'none';fullscreen 'self';payment 'none';");
    await next.Invoke();
});
Now I'll commit, build, and deploy (all automatic for me using Azure DevOps) and scan the site again:
That was pretty straightforward and took less than an hour. Your mileage may vary but that's the general idea!
© 2020 Scott Hanselman. All rights reserved.
      Easily adding Security Headers to your ASP.NET Core web app and getting an A grade published first on https://deskbysnafu.tumblr.com/
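Added example (not part of the original post, and not code from NWebsec or SecurityHeaders.com): a small offline regression check of the kind the post says was missing when the web.config headers silently stopped being sent after the move to Linux. The function names, the sample responses and the choice of the web.config's max-age=31536000 as the HSTS floor are assumptions made for this sketch; the second sample uses the 30-day value from the MaxAge(days: 30) call so the difference from the web.config shows up as a finding.

```python
import re

# Headers the post's web.config sets, and the ones it removes.
REQUIRED = ["Strict-Transport-Security", "X-Content-Type-Options", "X-Frame-Options",
            "Content-Security-Policy", "Referrer-Policy", "Feature-Policy"]
LEAKY = ["X-Powered-By", "X-AspNet-Version", "Server"]
MIN_HSTS_SECONDS = 31536000  # the web.config value; using it as the floor is an assumption


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers, so keep the first one.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_headers(headers):
    """Return a sorted list of findings for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = [f"missing {name}" for name in REQUIRED if name.lower() not in h]
    findings += [f"leaks {name}" for name in LEAKY if name.lower() in h]

    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    if m and int(m.group(1)) < MIN_HSTS_SECONDS:
        findings.append(f"HSTS max-age {m.group(1)} below {MIN_HSTS_SECONDS}")

    csp = parse_csp(h.get("content-security-policy", ""))
    for directive in ("script-src", "style-src"):
        # A directive that is not set falls back to default-src.
        sources = csp.get(directive, csp.get("default-src", []))
        for risky in ("'unsafe-inline'", "'unsafe-eval'"):
            if risky in sources:
                findings.append(f"CSP {directive} allows {risky}")
    return sorted(findings)


# Constructed sample responses (not captured from the author's site).
IGNORED_WEB_CONFIG = {"Content-Type": "text/html", "Server": "Kestrel"}
WITH_MIDDLEWARE = {
    "strict-transport-security": "max-age=2592000",  # 30 days, as in MaxAge(days: 30)
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Feature-Policy": "camera 'none';microphone 'none'",
    "Content-Security-Policy": "default-src 'self' data: https:; "
                               "style-src 'self' 'unsafe-inline' fonts.googleapis.com; "
                               "script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google.com",
}

if __name__ == "__main__":
    for label, sample in (("web.config ignored", IGNORED_WEB_CONFIG), ("middleware", WITH_MIDDLEWARE)):
        print(label, audit_headers(sample))
```

Run against real response headers in a deployment pipeline, an empty findings list is the pass condition; a host change that drops the headers then fails the build instead of waiting for the next external scan.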