The ramblings of web developer Beau Brownlee
 
October 28th, 2011
 

I am, over the next several months, going to attempt to broach the subject of security. This is a subject full of controversy, misinformation (or lack of information), and a general lack of understanding of what security is, who we are defending against, and how ‘they’ (whoever they may be) will try to attack us.

The Problem

Security is defending against infinity and infinity keeps changing. The interesting thing about security is that there is no way to always know who the attackers will be, how they will attack or for that matter, if they were successful in their attacks or not. Another problem is, what kinds of security tools exist to help protect a system against attacks? Which of course leads to another problem, what kind of attacks exist against these tools and how do you implement these tools properly? These are problems that I’ve been facing lately with a large project I’ve been tasked to work on and I’ve been on a journey to discover the answers to these problems and thought I’d share.

Wax On, Wax Off

So how does one start out as a grasshopper and become a jedi master? Well a great way to start is to learn from the masters, but first, we have to know who those masters are. Here are just a couple of masters that you should know:

  1. Bruce Schneier: Security expert and author. He is a great, comprehensive teacher and has written several books on cryptography and even more importantly, how to implement cryptographic systems. He also has a great blog on security.
  2. Alfred Menezes, Paul van Oorschot and Scott Vanstone: Co-authors of several cryptography books, most notably The Handbook of Applied Cryptography.
  3. Whitfield Diffie: A security expert and the co-inventor of the Diffie-Hellman key exchange algorithm.
  4. Adi Shamir: Inventor of RSA and numerous other cryptographic algorithms.

“You’re done?!?!!?” cryptography masters scream, and I respond, “so sorry, I just don’t have time/patience to reference every single security master”. These are just a couple of guys to know about but you should learn about more of the masters.

What Exactly Is Security?

Security, in short, is one of two things. #1 Complete void of access: Scenario, you have a document on a computer in a metal room with big locks on the doors and there are no network connections of any kind to this computer. #2 Cryptography: Assuming that you require access to data, cryptography is the over-arching solution.

Security Principles

Kerckhoffs’s principle

Only secrecy of the key provides security. You are not required to show the world your code, however, your dependence on security must be based on the cryptographic keys being secret. Any dependency beyond this is false security. We have seen time and time again that a determined attacker can, and will, thwart any security system that is dependent on anything other than the secrecy of the cryptographic key.

Security By Obfuscation

There are many companies/organizations who think of obfuscation as a defense when all obfuscation can ever be is a deterrent. Any determined attacker can, eventually, get past obfuscation, especially when you’re talking about a published solution. The mindset of a security expert is to assume the enemy knows the internals of the system and design the system so that the attacker still cannot breach it. The ‘enemy’ could be anyone. It could be someone in an organization. It could be a designer or developer of the security system! The goal should always be that even if you know the entire system from start to finish, you still could not breach the security within a reasonable amount of time. There are some good reasons for obfuscation, code obfuscation for instance. That can help to deter individuals from stealing your product and make it slightly harder for an attacker to understand how your system works, but you must never think of obfuscation as a defense.
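
As an added illustration of the two sections above (not code from the original post): the program below protects the same token two ways, once with a transform whose only secret is the code itself and once with HMAC-SHA256, a public algorithm whose only secret is the key. The class, method names and sample tokens are constructed for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; every name and value here is constructed for illustration.
static class KerckhoffsDemo
{
    // Obfuscation: the "secret" is this method. Anyone who has the code
    // (a colleague, someone with a decompiler) can compute valid tags at will.
    public static string ObfuscatedTag(string payload)
    {
        const int hiddenMask = 0x5A17; // baked-in constant that ships with the product
        int acc = hiddenMask;
        foreach (byte b in Encoding.UTF8.GetBytes(payload))
            acc = ((acc * 31) ^ b) & 0xFFFF;
        return acc.ToString("x4");
    }

    // Kerckhoffs-style: HMAC-SHA256 is fully public; only 'key' is secret.
    public static byte[] HmacTag(byte[] key, string payload)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    // Compare tags without revealing, through timing, how many bytes matched.
    public static bool TagsEqual(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // 256-bit key from the operating system's cryptographic generator.
    static byte[] NewKey()
    {
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }

    static void Main()
    {
        string issued = "user=alice;role=user";   // token the server issued
        string altered = "user=alice;role=admin"; // token the server never issued

        // Scheme 1: knowing the code is enough to tag the altered token.
        string serverSide = ObfuscatedTag(altered); // what the server computes
        string codeReader = ObfuscatedTag(altered); // what anyone with the code computes
        Console.WriteLine("obfuscated tag accepted: " + (serverSide == codeReader));

        // Scheme 2: the same knowledge of the code, but not the key.
        byte[] serverKey = NewKey();
        byte[] otherKey = NewKey(); // stands in for any key that is not the server's
        bool accepted = TagsEqual(HmacTag(serverKey, altered), HmacTag(otherKey, altered));
        Console.WriteLine("HMAC tag accepted without the key: " + accepted);

        // The holder of the key still verifies the tokens it issued.
        byte[] stored = HmacTag(serverKey, issued);
        Console.WriteLine("HMAC tag accepted with the key: " + TagsEqual(stored, HmacTag(serverKey, issued)));
    }
}
```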

Futility

“It is futile to lock the barn door after the horse has been stolen”. This is a great concept that has many implications. One of these implications is that security must extend from the source, all the way to the destination. If there is a section of the data’s journey in which the attacker is able to get the data, all has been for naught.

The Weakest Link

“Security is only as strong as the weakest link”. It doesn’t matter how thick and strong 299 links in a powerful chain are, if the 300th link in the very center of the chain is made of thin, weak tin, the entire chain is as strong as weak tin. Any attacker who is worth his salt is not going to start an attack at the thickest point in the chain, he is going to go straight for the weakest link in the chain to break through.

Over the next few months I’ll be talking more about my journey through security and will hopefully help myself and others have a better understanding of security.

An honest factual look at RIA vs HTML5

I’ve not blogged for a while for one reason. I’m tiring of the environment of negativity, flaming and bashing when it comes to the web world. It’s literally like we’ve become vampires vs lycans fighting each other. Choose your side! RIA or web standards! However, there are a few real programmers out there who aren’t driven by fear or what they’ve read on the internet. Programmers who take a pragmatic look at technologies and find out what they really do at a lower level and how they do it and to find out what the true pros/cons are and then make an informed decision per project. This is a wonderful article that mirrors this approach http://blogs.forbes.com/fredcavazza/2011/07/17/why-opposing-html5-and-flash-is-a-non-sense/.

Highlights: Dire Predictions


"…writing about the agony of Flash is an easy way to draw readers". This is the bottom line. Technology bloggers these days are passing themselves off as "professionals you should listen to" when in reality they are simply little people who gained a little bit of knowledge without really getting their hands dirty. They use familiar tactics such as the ones used by today’s media writing about the END OF THE WORLD only to get more people watching/reading and produce higher ratings. This is what you are buying into when you read articles that hype about HTML5 killing Flash or Silverlight. I remember not very long ago the opposite was true. People were proclaiming the death of HTML and Flash would "take over". These days, anyone can make predictions, scare a bunch of people and get hits on their websites. Do they get ‘dinged’ for when those predictions do not come true? Nope. People just forget. I remember 10 years ago Linux gurus telling me that Linux was going to take over windows in 10 years.

When does the insanity end?


It ends when you, a developer, stop listening to fear and remember what drove us as developers in the first place. Curiosity! Exploration! That’s why we do what we do and those who are explorers and pioneers are not blinded by fear-mongering idiots who don’t know their thumb from their… toe. Explore other programming languages and technologies that you aren’t familiar with! Keep your mind open and be honest with yourself about the pros and cons of all technologies.

 
June 22nd, 2011
 

I’ve been preaching the gospel of security for years. The response? Typically something like this *Glazed over eyes* ‘hmm,, wow,, hmm yeah,, um,, that’s interesting we should look into that’ or ‘Wow, you’re paranoid aren’t you’ or ‘Oh no one could figure out how to hack into our web application’ (that one is a particular favorite). The fact is this. Crackers (notice I did not say Hackers as a Hacker is ethical and a ‘Cracker’ just wants to ‘crack’ a system and cause trouble), are out there. Everywhere. And they are becoming more sophisticated. For a while it seemed that most Crackers were just looking for weaknesses. Any website, application or network that had gaping security holes was exploited. Just this past week 2 of my friends’ GMail accounts were hijacked and I received spam email from them. They took their laptops to an open wifi and checked their email and they were had. Even more interesting, there are much more sophisticated techniques such as a group of Russian Hackers who developed a way to hack into an encrypted wifi network by obtaining the wifi key and brute force attacking the key using your Nvidia graphics card http://www.tomshardware.com/news/nvidia-gpu-wifi-hack,6483.html. This is also a technique that is taking over brute force password cracking by storm as you can make tens of millions of tries per second. All of this sounds technical and hard to do, but the exact opposite is true. It’s easy. Not for some technical guru but for anyone who is remotely interested in hacking. These days we have very sophisticated tools that have easy to use GUIs and lots of YouTube tutorials on how to use them, such as Cain & Abel by oxid.it which is a very powerful network hacking tool (among other things). Hey, these days you don’t even need to do anything more than press a button to hack someone’s website with tools such as Firesheep which uses session hijacking to allow an unauthorized user to appear as an authorized user.
To top it all off the amount of hacking is increasing at an alarming rate. Recently we have Sony, CitiGroup and the CIA (just to name a few). Not all system cracks are more sophisticated though, some are just more of the same thing. CitiGroup for example. The crackers were able to get a list of account numbers and retrieve sensitive information simply by plugging in the account numbers in a string in the address bar of a browser. Obviously a company who decided not to take security seriously.
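
The class of flaw described above, where the account number in the URL is the only thing the server looks at, shown next to the ownership check that closes it. This is an added example, not code from the original post or from any real banking system; the class names, account data and log format are constructed.

```csharp
using System;
using System.Collections.Generic;

// Added example; accounts, users and the log format are constructed.
class Account
{
    public string Number;
    public string Owner;
    public decimal Balance;
}

static class AccountPages
{
    static readonly Dictionary<string, Account> Accounts = new Dictionary<string, Account>
    {
        { "1001", new Account { Number = "1001", Owner = "alice", Balance = 250.00m } },
        { "1002", new Account { Number = "1002", Owner = "bob",   Balance = 980.50m } },
    };

    // Weak: the number taken from the address bar is the only input, so any
    // visitor is shown whichever account number appears in the URL.
    public static Account GetUnchecked(string accountFromUrl)
    {
        Account account;
        return Accounts.TryGetValue(accountFromUrl, out account) ? account : null;
    }

    // Account numbers here are 1 to 16 digits; anything else is rejected
    // before it reaches the lookup or the log.
    static bool IsWellFormed(string accountFromUrl)
    {
        if (string.IsNullOrEmpty(accountFromUrl) || accountFromUrl.Length > 16) return false;
        foreach (char c in accountFromUrl)
            if (c < '0' || c > '9') return false;
        return true;
    }

    // Corrected: the signed-in user comes from the server-side session, never
    // from the request, and must own the account that was asked for.
    public static Account GetChecked(string sessionUser, string accountFromUrl)
    {
        Account account = null;
        bool wellFormed = IsWellFormed(accountFromUrl);
        bool found = wellFormed && Accounts.TryGetValue(accountFromUrl, out account);
        if (!found || !string.Equals(account.Owner, sessionUser, StringComparison.Ordinal))
        {
            // One answer for "no such account" and "not yours", so responses
            // do not reveal which numbers exist. A run of denials from one
            // session is a signal worth alerting on.
            Console.Error.WriteLine("{0:o} DENY user={1} account={2}",
                DateTime.UtcNow, sessionUser, wellFormed ? accountFromUrl : "(malformed)");
            return null;
        }
        return account;
    }

    static void Main()
    {
        // alice is signed in and changes 1001 to 1002 in the URL.
        Console.WriteLine("unchecked lookup returns bob's account: " + (GetUnchecked("1002") != null));
        Console.WriteLine("checked lookup returns bob's account:   " + (GetChecked("alice", "1002") != null));
        Console.WriteLine("checked lookup returns alice's own:     " + (GetChecked("alice", "1001") != null));
    }
}
```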

Easy Conclusion

Security isn’t an option. It never has been and the feeble excuses developers make to try and get out of doing the right thing are being stripped away. There is nothing left except to learn about security and implement it. And how do we implement security? By becoming hackers ourselves. We have to read what hackers are saying and get our hands dirty trying to hack systems. When we do, our eyes are opened to just how easy it is for a determined person to get into a system and then we are able to put up walls to stop it.

Am I paranoid? Well the word paranoid means someone who has undue fear of something that really doesn’t exist. Well, unless I missed it, I think that the evidence clearly shows that crackers most definitely do exist and they are very active and they can/will attack you at some point. The opposite of course is ‘Naive’ which means someone who has a very simple nature and a great lack of experience and judgement. Anyone who thinks that security isn’t paramount in application development or network/server administration and shouldn’t be given extra attention should have their head examined. We as developers cannot afford to have our heads stuck in the sand anymore. The crackers are simply not going away. They are growing in numbers and sophistication and so must we.

 
April 13th, 2011
 

And here’s a list of the new features http://i1.silverlight.net/content/downloads/silverlight_5_beta_features.pdf?cdn_id=1. A couple of the main features I took note of were the ability to do COM and P/Invoking in or out of browser. Currently Silverlight 4 allows out of browser trusted apps to do COM but this moves towards the ability to interact with software such as Office or physical devices such as medical etc within the browser itself and not have to install it as an out of browser application. Another great feature to take note of is the ability to put breakpoints in the XAML code where you are binding to a datasource. This is very handy for troubleshooting and debugging. There are tons more features to check out so have fun!

 
April 7th, 2011
 

I just read this blog post written by Dean Wilson and it really got me thinking about the difference between those who play with technology and like to think that they actually know something about it and those who actually work with it in depth and understand the purpose of the technology. The problem with those who play and have opinions is that they only understand the purpose of the technology in their own sphere of life experiences. So, in answer to Dean Wilson’s article I would like to explain (once again) why Silverlight exists and why it isn’t here to threaten HTML5.

The Purpose

The purpose of Silverlight is NOT ONLY VIDEO!!!! It is also to give developers capabilities that they do not have given the Javascript/HTML5/CSS environment, and yes, I mean desktop browser applications not just Microsoft Phone. Currently there are several things that Silverlight has that HTML5 doesn’t have and no one is talking about ever adding these capabilities which, I might add, is not necessarily a bad thing. So what are these capabilities that I’m speaking of? Here’s a list. And please please please keep in mind that this IS NOT AN HTML5 BASHING SESSION!!!! I am very simply, pragmatically as possible listing what Silverlight can do that HTML5 cannot do and many times shouldn’t do. I’m both an HTML5 and Silverlight developer.

The Capabilities

- Powerful client/server encryption.
     * Javascript simply doesn’t have numbers big enough to handle the calculations needed to produce very powerful algorithms such as AES where Silverlight can handle these types of algorithms in applications that require the highest amount of security.

- Multithreading
     * Javascript is currently single threaded. Google gears introduced the ‘Worker Pool’ and HTML5 is bringing ‘Web Workers’ but it is still not true threading (not to diminish this new exciting feature for HTML5 however). Silverlight is truly multithreaded and there are many advantages to this.

- File System Access
     * Javascript and HTML5 do not have access to the file system where Silverlight does. There is no one talking about giving this ability to Javascript or HTML5 for security reasons, however in cases where this would be necessary Silverlight is a good alternative.

- Printing
     * The only capabilities that Javascript/HTML5 has when it comes to printing is to tell the browser to print the current page. Silverlight offers more capabilities to make adjustments when printing and to select what objects to print and what objects to exclude.

- Web Cam
     * Silverlight 4 introduced some great new features for accessing a web camera and streaming video to your Silverlight application. There are a lot of amazing possibilities especially since you can control and edit and filter the video.

- Client Side File generation
     * Many web applications have ways of exporting data sets displayed in your app to a file format such as excel or PDF. All of this must occur on the server side and then download the file to the client computer. All of which takes a lot of resources if there are many users doing this at once. Silverlight offers the ability to generate PDFs, Excel documents and much more on the clients computer thereby reducing the amount of processing required on the server and reducing the amount of data going over the wire and effectively distributing the work load amongst many computers.

- Binary Compression
     * There are many ways in which you can compress the data going to and from your browser. GZIP being one of the more common. Silverlight offers binary encoding for its data which is much more compressed than GZIP and it raises performance.

- Network Performance
     * Modern browsers allow you to connect to a maximum of 2 simultaneous connections at a time (unless you go to about:config or something similar and manually change underlying settings) whereas Silverlight allows for up to 6 simultaneous connections. As of Silverlight 5, Silverlight will be utilizing Low Latency networking as well improving performance even more.

- COM Interop
     * Some think that this is a thing of the past, however there are many instances in which the need arises to be able to interact with COM. For instance you need to access a COM enabled application such as Microsoft Office. You can send emails through Outlook, or get data from an Excel Spreadsheet. Silverlight has the capability to extend its reach into the COM environment in Out Of Browser, Trusted applications for such scenarios. With Silverlight 5 we are being given the capability to p-invoke the Windows API which gives even more capabilities. For instance being able to connect with a physical device of some kind such as medical equipment.

- Out Of Browser Offline
     * While Google Gears gives some of this capability, Silverlight offers the ability to have online/offline mode and actually be installed as an application to be run outside of the browser.

- True 3D environment
     * Silverlight 5 is also offering the capability to render a true, hardware accelerated 3D environment. There are many very good looking simulations of this in Javascript such as webGL however it lacks many needed capabilities to truly create, say for instance, a first person shooter. This really opens the doors for game developers who want to build high quality 3d games that run in your browser.

- Video Streaming
     * While it is true that HTML5 has a video player, no one seems to mention that it does not have anywhere near the capabilities that Silverlight has with smooth streaming, 1080p quality, the ability to completely customize the player, slow motion (with audio pitch correction in Silverlight5) etc. While Silverlight is certainly not only about video, it shines in this area.

- Cross Platform
     * One of the biggest issues as an HTML5 developer is running into browser compatibility issues. Is this getting better? Yes and no. Yes in the sense that Microsoft has ‘seen the light’ and realized (admittedly) that IE6 was a very very very bad idea and standards in HTML are very important. Hence, IE9 is going to make our lives easier. However we have more browsers to deal with today than we did a few years ago and there are still many compatibility issues to deal with that can suck a lot of time out of a developer’s life. Silverlight (since it is a browser plugin) works across Windows/Mac (and arguably Linux with the Moonlight project) and works in all major browsers without the types of layout and scripting compatibility issues we’ve seen with HTML/Javascript. Instead of having 5 browsers open to test, you can just run it in one browser and you’re assured it will work in all the others the same way.

- Other Design
     * There are many other design aspects of Silverlight that are very welcomed in the world of design. Rounded corners for instance. HTML5/CSS3 finally introduces this as well (http://www.css3.info/preview/rounded-border/) in some browsers; not all support this yet. It also has the ability to do other things such as drop shadows, glow effects, gradients and much much more all in your layout code without ever having to touch Photoshop. This is advantageous because you no longer have to store the PSDs externally to your project, it’s all in code, not to mention you don’t have to download all those extra images. Speaking of images there are a plethora of image effects that you can apply client side to images that you load in your app.

- Development Environment
     * Very large enterprise applications can get a lot of spaghetti code really fast if you’re not careful. C# is a very robust language that has many features that Javascript doesn’t have that are very useful to Enterprise level applications such as Classes, Interfaces, Abstract Classes, Typed object lists and many more features that would take many more articles to cover so I won’t even try to go over it all here. Other features include code compilation, more comprehensive unit testing, performance analysis tools, very powerful UI scripted tests, more powerful exception handling even at a global level (which is very important for error logging). Debugging abilities include the ability to put breakpoints in all areas of your code even in the design layout XAML (coming up in Silverlight 5).

- Development Tools
     * One area of development particularly found in Design/Development firms is the disconnect between designers and developers. Each developer reading this who has ever worked with a Designer has some story of some design that seemed artistic to the designer but ended up being nightmarish to implement. One of the tools that Silverlight offers is Blend. Blend is a design tool that has the look and feel of programs such as Photoshop and even has simple tools for creating design elements such as shapes, gradients etc. This coupled with an image editing application gives designers much more power and developers less headache. The beauty of this is that whatever the Designer creates in Blend is immediately translated into XAML code that is automatically decoupled from the developers C# code effectively shrinking the gap between designers and developers. This isn’t a silver bullet mind you but it is moving in the right direction.

So what’s your point? Should we only use Silverlight?

That is absolutely not my point. There are many scenarios in which Silverlight is a terrible idea. Say for instance you want to have a very content driven website that is very visible to search engines. Silverlight is most definitely NOT a good option for something like that. Also, while the number of computers that currently have Silverlight already installed is growing at an astounding rate given the short time Silverlight has been around, it is STILL a plugin and you STILL have to install it before your application will work. Most of the time this truly isn’t a problem given that people are already installing a plethora of plugins ranging from quicktime, flash, windows media, adobe reader, java and an infinite number of firefox/chrome/IE plugins. However there are still those who don’t like it so you have to know your audience. So there are many scenarios in which HTML5 IS the better option.

Conclusion

This is not an exhaustive list of Silverlight features. There are many more things of which Silverlight is capable, one example being smooth animation. However Javascript/HTML5 offer a lot of very nice animation frameworks as well so the point of this list is just to show how Silverlight differentiates from HTML5. Once again (just to reiterate) I’m not saying Silverlight is NOT better than HTML5 and HTML5 is NOT better than Silverlight. They are very simply, different technologies that have different capabilities. The key is to determine what the requirements are for your application and then make an informed decision based on the facts of what the technological capabilities are for each platform. The key for developers and consumers is choice. We now have more choices than we did before. And not just more of the same, given this list (and the many many features I haven’t listed) Silverlight is much more and this is a good thing for all of us. HTML5 however is also much more than its predecessors and is a very exciting technology to say the least. At the end of the day we cannot ignore technologies that are different because we’re too scared to learn something new. This will only serve to narrow our perspective and make us less than we could be. It’s time to understand these technologies and the vacuum that they are trying to fill and why, and to admit that those vacuums are real and need to be addressed instead of listening to those who have uninformed opinions such as Dean Wilson. This is a textbook example of ‘A little knowledge is a dangerous thing’.

 
March 24th, 2011
 

Let me start out by saying (for all the test driven devs out there who are going to pick this apart lol) that catching bugs through testing is far better than debugging and catching bugs through error logs. However, that does not mean that test driven development has brought Utopia to earth and that any software that implements proper testing doesn’t have bugs. They still have bugs,,, just a lot fewer bugs.

Scenario

So I’ve been working on a Windows service as of late that does a lot of database calls, emails etc. So a lot of external things could happen to cause exceptions and I wanted to be able to quickly look up in a log file to see what errors were occurring. Here’s a quick little class to get an exception and output a formatted error message that points to where the problem originates:

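using System;
using System.Diagnostics;
using System.Text;

// Formats an exception, plus the source location of each stack frame, for a log file.
class ExceptionFormatter
{
    private readonly StringBuilder format = new StringBuilder();

    public ExceptionFormatter(Exception exception)
    {
        // 'true' requests file, line and column info; it is only available
        // when debug symbols (PDB files) are deployed with the service.
        StackTrace stacktrace = new StackTrace(exception, true);

        // GetFrames() can return null when the exception carries no stack
        // trace (for example, it was created but never thrown).
        StackFrame[] stackframes = stacktrace.GetFrames() ?? new StackFrame[0];

        format.Append("********* Error ************\r\n");
        format.Append("Message: " + exception.Message + "\r\n");
        format.Append("Inner Message: " + (exception.InnerException != null ? exception.InnerException.Message : "") + "\r\n");

        foreach (StackFrame frame in stackframes)
        {
            // Skip frames without source information (framework code, missing symbols).
            if (frame.GetFileLineNumber() != 0 && !string.IsNullOrEmpty(frame.GetFileName()))
            {
                format.Append("File Name: " + frame.GetFileName() + "\r\n");
                format.Append("Line Number: " + frame.GetFileLineNumber() + "\r\n");
                format.Append("Column Number: " + frame.GetFileColumnNumber() + "\r\n");
                format.Append("Method Name: " + frame.GetMethod() + "\r\n");
            }
        }

        format.Append("****************************");
    }

    // Returns the formatted error block built in the constructor.
    public override string ToString()
    {
        return format.ToString();
    }
}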

This is really simple to use. Just pass the exception into the constructor and then call the .ToString() method and you get your formatted error. This iterates through the stack frames to get the location of the errors on top of what the errors are. Hope this helps!

 
March 4th, 2011
 

So recently I’ve been playing around with keyloggers. A keylogger is a small application that typically is used for malicious purposes, but they run on your computer and record all key strokes coming in from your keyboard. This works by attaching to a win32 api ‘hook’ called the ‘low level keyboard’ hook. Most programmers have two sides, the ‘programmer’ side and the ‘hacker’ side. This can be very helpful in the long run as the two sides fight against each other and come up with methods to outsmart each other. So I started thinking ‘how can you defend against a keylogger?’. The first and most obvious choice is some kind of antivirus. However, most real hackers write their own unique keyloggers that antivirus doesn’t have in its database. Case in point, I wrote up a quick little key logger and ran it on my computer that has several antivirus programs and none of them picked up on it. Another option is that there are several small applications that have methods of ‘finding’ keyloggers. The method is usually monitoring the file system to see if a file is growing as the user is typing. This works sometimes but not always. Both of these methods are good but if you have an application that needs extra security going out to hundreds of users the risk becomes greater and greater.

A solution

One solution for this problem is to generate a random number of random keystrokes as a user types in each key into say, a password textbox. Now there are several requirements for this to work:
Requirement #1: The random key strokes must be detectable by the keylogger
Requirement #2: The characters must be backed out as they will end up in the textbox the user is typing in
Requirement #3: The backspace must not be detectable by the keylogger
For this solution I used a project called ‘Input Simulator’ (http://inputsimulator.codeplex.com/). This uses the Windows API to generate keystrokes that are indistinguishable from a keystroke coming in from the keyboard. To back out the character I programmatically fire an event on the password textbox that the user is typing in. Here’s the code:

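// Pool of decoy keys (0-9, A-Z) that PasswordTextBox_KeyUp picks from.
private readonly List<VirtualKeyCode> keycodes = new List<VirtualKeyCode>();

public Login()
        {
            InitializeComponent();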
 
            keycodes.Add(VirtualKeyCode.VK_0);
            keycodes.Add(VirtualKeyCode.VK_1);
            keycodes.Add(VirtualKeyCode.VK_2);
            keycodes.Add(VirtualKeyCode.VK_3);
            keycodes.Add(VirtualKeyCode.VK_4);
            keycodes.Add(VirtualKeyCode.VK_5);
            keycodes.Add(VirtualKeyCode.VK_6);
            keycodes.Add(VirtualKeyCode.VK_7);
            keycodes.Add(VirtualKeyCode.VK_8);
            keycodes.Add(VirtualKeyCode.VK_9);
            keycodes.Add(VirtualKeyCode.VK_A);
            keycodes.Add(VirtualKeyCode.VK_B);
            keycodes.Add(VirtualKeyCode.VK_C);
            keycodes.Add(VirtualKeyCode.VK_D);
            keycodes.Add(VirtualKeyCode.VK_E);
            keycodes.Add(VirtualKeyCode.VK_F);
            keycodes.Add(VirtualKeyCode.VK_G);
            keycodes.Add(VirtualKeyCode.VK_H);
            keycodes.Add(VirtualKeyCode.VK_I);
            keycodes.Add(VirtualKeyCode.VK_J);
            keycodes.Add(VirtualKeyCode.VK_K);
            keycodes.Add(VirtualKeyCode.VK_L);
            keycodes.Add(VirtualKeyCode.VK_M);
            keycodes.Add(VirtualKeyCode.VK_N);
            keycodes.Add(VirtualKeyCode.VK_O);
            keycodes.Add(VirtualKeyCode.VK_P);
            keycodes.Add(VirtualKeyCode.VK_Q);
            keycodes.Add(VirtualKeyCode.VK_R);
            keycodes.Add(VirtualKeyCode.VK_S);
            keycodes.Add(VirtualKeyCode.VK_T);
            keycodes.Add(VirtualKeyCode.VK_U);
            keycodes.Add(VirtualKeyCode.VK_V);
            keycodes.Add(VirtualKeyCode.VK_W);
            keycodes.Add(VirtualKeyCode.VK_X);
            keycodes.Add(VirtualKeyCode.VK_Y);
            keycodes.Add(VirtualKeyCode.VK_Z);
 
        }
 
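private void PasswordTextBox_KeyUp(object sender, KeyEventArgs e)
        {
            // Note: System.Random is not a cryptographic random number generator.
            Random RandNumber = new Random();
            // Next(min, max) excludes max, so this gives 1 to 4 decoy keys.
            int RandLength = RandNumber.Next(1, 5);

            int RandDigit;
            int RandShift;

            // Do not add decoys when the user is deleting a character.
            if (e.Key != System.Windows.Input.Key.Back)
            {
                for (int i = 0; i < RandLength; i++)
                {
                    // 0 or 1. Next(0, 1) would always return 0, so Shift
                    // would never be applied.
                    RandShift = RandNumber.Next(0, 2);

                    if (RandShift == 1)
                    {
                        InputSimulator.SimulateKeyDown(VirtualKeyCode.SHIFT);
                    }

                    // Send one decoy key chosen from the 36 entries in keycodes.
                    RandDigit = RandNumber.Next(0, 36);
                    InputSimulator.SimulateKeyDown(keycodes[RandDigit]);
                    var target = Keyboard.FocusedElement;
                    var routedEvent = Keyboard.KeyDownEvent;

                    // Back the decoy out by raising a Backspace key-down event
                    // directly on the focused element.
                    KeyEventArgs ev = new KeyEventArgs(
                          InputManager.Current.PrimaryKeyboardDevice,
                          InputManager.Current.PrimaryKeyboardDevice.ActiveSource,
                          0,
                          Key.Back);

                    ev.RoutedEvent = routedEvent;

                    target.RaiseEvent(ev);

                    if (RandShift == 1)
                    {
                        InputSimulator.SimulateKeyUp(VirtualKeyCode.SHIFT);
                    }
                }
            }
        }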

So this little bit of code runs on the keyup event of the password textbox. To make the amount of random characters larger simply change RandNumber.Next(1, 5) to RandNumber.Next(1, 10), but keep in mind that it’s going to have to back out more characters.

 
January 7th, 2011
 

One powerful feature of Silverlight is the ability to quickly and easily build animations into your application. Animations are typically built out using a Storyboard control either in your XAML or programmatically in C#. Your storyboard will contain an animation and that animation will be applied to an element. Animations can be DoubleAnimation, ColorAnimation or a PointAnimation. Today we will just focus on the DoubleAnimation.

Double Animations

A DoubleAnimation is simply a double that is either incremented or decremented and is applied to a property. So before we get any further, let's take a look at what it can do:

Just show it to me

As you can see this is smoothly animated to show or hide a simple gray box. The box is just a stack panel that could potentially hold more elements. Here’s the code:

XAML

<UserControl x:Class="SilverlightApplication1.MainPage"
    xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
    xmlns:d="http://schemas.microsoft.com/expression/blend/2008"
    xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
    mc:Ignorable="d"
    d:DesignHeight="300" d:DesignWidth="400">
    <Grid x:Name="LayoutRoot" Background="White">
        <Canvas Background="White" Margin="0,0,34,108" x:Name="mycanvas">
            <Canvas.Resources>
                <Storyboard x:Name="ShowStoryboard">
                    <DoubleAnimation
                        Storyboard.TargetName="mystackpanel"
                        Storyboard.TargetProperty="(Canvas.Top)"
                        From="-50"
                        To="0"
                        Duration="0:0:.5"
                    >
                        <DoubleAnimation.EasingFunction>
                            <BackEase Amplitude=".5" EasingMode="EaseOut" />
                        </DoubleAnimation.EasingFunction>
 
                    </DoubleAnimation>
                </Storyboard>
 
                <Storyboard x:Name="HideStoryboard">
                    <DoubleAnimation
                        Storyboard.TargetName="mystackpanel"
                        Storyboard.TargetProperty="(Canvas.Top)"
                        From="0"
                        To="-50"
                        Duration="0:0:.5">
                        <DoubleAnimation.EasingFunction>
                            <BackEase Amplitude=".5" EasingMode="EaseIn" />
                        </DoubleAnimation.EasingFunction>
                    </DoubleAnimation>
                </Storyboard>
 
            </Canvas.Resources>
            <StackPanel Canvas.Top="-50" Height="50" Width="640" VerticalAlignment="Top" x:Name="mystackpanel" Background="Gray">
            </StackPanel>
            <Button Content="Show" Height="23" Name="button1" Width="75" Click="button1_Click" Canvas.Left="20" Canvas.Top="137" />
            <Button Canvas.Left="110" Canvas.Top="137" Content="Hide" Height="23" Name="button2" Width="75" Click="button2_Click" />
        </Canvas>
    </Grid>
</UserControl>

C#

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Windows;
using System.Windows.Controls;
using System.Windows.Documents;
using System.Windows.Input;
using System.Windows.Media;
using System.Windows.Media.Animation;
using System.Windows.Shapes;
 
namespace SilverlightApplication1
{
    public partial class MainPage : UserControl
    {
        public MainPage()
        {
            InitializeComponent();
        }
 
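        private void button1_Click(object sender, RoutedEventArgs e)
        {
            // Only slide the panel in when it is fully hidden (Canvas.Top == -50)
            if (Canvas.GetTop(mystackpanel) == -50)
            {
                ShowStoryboard.Begin();
            }
        }
 
        private void button2_Click(object sender, RoutedEventArgs e)
        {
            // Only slide the panel out when it is fully shown (Canvas.Top == 0)
            if (Canvas.GetTop(mystackpanel) == 0)
            {
                HideStoryboard.Begin();
            }
        }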
    }
}

Explanation

As you can see in the XAML code, we have two storyboards: one to show the gray box and one to hide it. The only thing the C# code does is start the matching animation, and only when the panel is currently hidden (for Show) or currently shown (for Hide). Notice that our stack panel is in a canvas so that we can move it precisely where we want it. With a DoubleAnimation there are 5 major pieces:
#1 Set the Target Name: The target name is the ID of the element we want to animate.
#2 Set the target property: The target property is the property that the animated double value is applied to. In this case it is (Canvas.Top) <- note the parentheses when you have a multipart property.
#3 Set the From property: The from property is the starting value.
#4 Set the To property: The to property is the ending value.
#5 Set the duration: The format is Hours:Minutes:Seconds.
You will also notice that we have a nested EasingFunction. We will go over the easing functions later in the series.

The end?

This is just to ‘wet your whistle’ and show you a basic animation that Silverlight can do. I will be posting more on Silverlight animations soon.

A very powerful tool that SQL Server provides is the SQL Server Profiler. Anyone who has worked with SQL for a significant amount of time knows how this works, but just to fill everyone else in, the SQL Server Profiler will monitor and track just about anything and everything that happens in your database. When you let this run over time, you can export the results to the SQL Tuning Advisor, which then gives you advice on how to tune up your database. The only downside to this approach is that it can be very taxing on your database.

An alternative approach

An alternative to the SQL Profiler is that SQL Server actually stores query stats internally in the sys.dm_exec_sessions dynamic management view. This is not a long-term view but a shorter-term view of queries that have run recently against your database. You can use the following query to find slower running queries:

-- Top 5 sessions by elapsed time, with the most recent statement on each connection
SELECT TOP 5
     S.cpu_time
    ,S.memory_usage
    ,S.total_elapsed_time
    ,S.session_id AS [SPID]
    ,S.login_name
    ,S.reads
    ,S.writes
    ,C.client_net_address
    ,T.dbid
    ,T.text
FROM sys.dm_exec_sessions S
JOIN sys.dm_exec_connections C
    ON S.session_id = C.most_recent_session_id
CROSS APPLY sys.dm_exec_sql_text(C.most_recent_sql_handle) AS T
ORDER BY S.total_elapsed_time DESC;

This query will give you valuable information such as the memory usage, CPU time and the time it took to run the query. This can be a very handy tool if you are trying to increase the overall performance of your DB.
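For per-statement figures rather than per-session ones, the same approach works against sys.dm_exec_query_stats, which aggregates cached plans since they were compiled. This is an added example, not part of the original post; it assumes SQL Server 2005 or later and a login that holds the VIEW SERVER STATE permission.

```sql
-- Added example: top 5 cached statements by average elapsed time.
-- Times in sys.dm_exec_query_stats are reported in microseconds.
SELECT TOP (5)
     qs.execution_count
    ,qs.total_elapsed_time / qs.execution_count AS avg_elapsed_us
    ,qs.total_worker_time  / qs.execution_count AS avg_cpu_us
    ,qs.total_logical_reads
    ,qs.total_logical_writes
    ,qs.last_execution_time
    ,DB_NAME(st.dbid) AS database_name
    -- Offsets are byte positions into Unicode text, hence the division by 2;
    -- an end offset of -1 means "to the end of the batch".
    ,SUBSTRING(
         st.text,
         (qs.statement_start_offset / 2) + 1,
         ((CASE qs.statement_end_offset
               WHEN -1 THEN DATALENGTH(st.text)
               ELSE qs.statement_end_offset
           END - qs.statement_start_offset) / 2) + 1
     ) AS statement_text
FROM sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
ORDER BY avg_elapsed_us DESC;
```

Rows disappear when a plan is evicted from the cache or the instance restarts, so this is also a short-term view.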

What about indexes?

One thing this query doesn’t address is your indexes. If you don’t use indexes, pick up a very large reference book sometime and try to find something very specific without using the book’s index. It will almost certainly take you longer. It is the same with SQL. Indexes are very important when it comes to reading data from a table; however, they are not so nice when it comes to writing data to a table (the index has to be written as well). So how do you find out if your indexes are being utilized? The answer is the following query:

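USE master;
GO
-- List every database together with its database_id
SELECT * FROM sys.databases;
GO
 
-- Replace 9 with the database_id of the database you want to check
SELECT * FROM sys.dm_db_index_usage_stats
WHERE database_id = 9;
GO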

The first query will help you identify which database you want to check for index performance. In the second query, you simply put in the ID of the database you want to check, and it will give you a list of indexes and how they are being used in the database.
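The usage view returns only object and index IDs, and it has no row at all for an index that has not been touched since the instance started. The following added example (not part of the original post) resolves the names and lists untouched indexes too; it assumes you run it inside the database you want to inspect.

```sql
-- Added example: read vs. write activity per index in the current database.
-- Counters are reset when the SQL Server instance restarts.
SELECT
     OBJECT_SCHEMA_NAME(i.object_id) AS schema_name
    ,OBJECT_NAME(i.object_id)        AS table_name
    ,i.name                          AS index_name
    ,i.type_desc
    ,ISNULL(u.user_seeks, 0)
       + ISNULL(u.user_scans, 0)
       + ISNULL(u.user_lookups, 0)   AS total_reads
    ,ISNULL(u.user_updates, 0)       AS total_writes
    ,u.last_user_seek
    ,u.last_user_scan
FROM sys.indexes AS i
-- LEFT JOIN keeps indexes that have no usage row yet (never read or written)
LEFT JOIN sys.dm_db_index_usage_stats AS u
       ON u.object_id   = i.object_id
      AND u.index_id    = i.index_id
      AND u.database_id = DB_ID()
WHERE OBJECTPROPERTY(i.object_id, 'IsUserTable') = 1
  AND i.index_id > 0                 -- skip heaps, which are not indexes
ORDER BY total_reads ASC, total_writes DESC;
```

Indexes at the top of the result with zero reads and many writes are the ones that cost you on every write without helping any query.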

 
December 21st, 2010
 

Pluto is a very impressive Silverlight web application: a ‘digital audio workstation’ that allows you to record and play back multiple tracks and even allows you to connect a MIDI device. The only caveat to the MIDI device is that you do have to install external software for that feature to work, but other than that this app runs beautifully in or out of the browser.
