Using Episerver Search with FIPS Mode

Until recently, it was not possible to use Episerver’s search features on a FIPS-enabled server — something that is quite common with government servers.

With the latest update to the NuGet package (version 9.0.2), you can configure the Lucene search engine so that it doesn’t use the MD5 hash algorithm (the culprit that causes FIPS mode to cry foul). It’s also a very simple change.

Open your web.config file and find the <episerver.search.indexingservice> section. Then add a fipsCompliant="true" attribute to it.

<episerver.search.indexingservice fipsCompliant="true">
  <clients>
    <add name="local" description="local" allowLocal="true" readonly="false" />
  </clients>
  <namedIndexes defaultIndex="default">
    <indexes>
      <add name="default" directoryPath="[appDataPath]\Index" readonly="false" />
    </indexes>
  </namedIndexes>
</episerver.search.indexingservice>

Reindex the site afterward, and everything should work as expected.

Insecurity by Over-security

I’ve worked for many clients with many ideas of what makes a secure environment. Some use simple FTP servers, and some don’t trust anyone but their own employees. Others use multiple, nested levels of remote desktop connections, RSA tokens, and specialized software. But is there such a thing as too much security — so much that it actually becomes insecure?

Secure Password Requirements

To make a strong password, experts tell us it must include upper- and lower-case letters, numbers, and special characters. Remembering it will likely be difficult. Entering it will likely result in typos. If this is what you believe, you’re wrong, as illustrated by this popular XKCD comic.

XKCD comic strip

Because many systems require these complex passwords, you need to write them down. If you’re a good developer, you use a secure password database. If not, maybe you just attach sticky notes to a monitor. The problem is that when remembering a password is hard, people often store it insecurely. All that complexity is worthless if someone accidentally sweeps that sticky note under the door and into someone else’s hands.

Many people use online password storage services, like LastPass. These services are convenient, but also problematic. It is increasingly common for online companies to announce that someone hacked their server and leaked passwords.

Avoid this by using long, memorable passwords. It’s much more secure in the long run.

Frequent Password Resets

Password complexity is bad enough, but businesses also require passwords to be reset far too often. When systems require frequent password resets, most users create easily guessable variants of a password. For example, MarchPass123$ is followed up next month by AprilPass123$. If someone finds those old passwords, then figuring out the current password requires little effort. Passwords shouldn’t last forever, but requiring users to change them frequently only results in more security holes.
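The two password points above (long, memorable passphrases beat short "complex" passwords, and forced resets produce predictable variants like MarchPass123$ followed by AprilPass123$) can be made concrete. The following is an added example, not code from the original post: it compares the entropy of a uniformly random complex password with a random word passphrase, generates a passphrase with a CSPRNG, and implements a simple history check that rejects a new password which is only a cosmetic edit of a previous one. The 16-word SAMPLE_WORDS list is constructed for the demo; the 7776-entry size is an assumption matching the EFF long word list, and the month-stripping normalisation and 0.8 similarity threshold are illustrative policy choices, not any product's rule.

```python
import math
import re
import secrets
from difflib import SequenceMatcher

# Constructed sample word list for the demo. A real generator would load a
# published list such as the EFF long list (assumption: 7776 entries).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "orbit", "granite", "lantern",
    "meadow", "pixel", "quartz", "saddle", "tundra", "velvet", "walnut",
    "yonder", "zephyr",
]
EFF_LONG_LIST_SIZE = 7776  # assumption: size of the EFF long word list
PRINTABLE_ASCII = 95        # symbols available to a "complex" password

# Month names are the most common "rotating" token in forced-reset passwords.
MONTHS = (
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
)


def entropy_bits_complex(length: int, charset_size: int = PRINTABLE_ASCII) -> float:
    """Bits of entropy in a password of `length` characters chosen uniformly at
    random from `charset_size` symbols. Humans rarely choose uniformly, so this
    is an upper bound for a hand-picked 'complex' password, not its real strength."""
    return length * math.log2(charset_size)


def entropy_bits_passphrase(word_count: int, wordlist_size: int = EFF_LONG_LIST_SIZE) -> float:
    """Bits of entropy in a passphrase of `word_count` words chosen uniformly at
    random from a list of `wordlist_size` words."""
    return word_count * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int = EFF_LONG_LIST_SIZE) -> int:
    """Smallest number of random words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words, word_count: int = 4) -> str:
    """Pick `word_count` words with the CSPRNG in `secrets` (never `random`)."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def _stem(password: str) -> str:
    """Reduce a password to its letter 'core' so that swapping a month name,
    digits or symbols cannot disguise a reused password."""
    core = password.lower()
    for month in MONTHS:
        core = core.replace(month, "")
    return re.sub(r"[^a-z]", "", core)


def is_trivial_variant(new_password: str, previous_passwords, similarity: float = 0.8) -> bool:
    """True when the new password is a cosmetic edit of an earlier one: the same
    core with a month/digit/symbol swapped (MarchPass123$ -> AprilPass123$), or a
    string at least `similarity` identical to an old one (123$ -> 124$)."""
    new_core = _stem(new_password)
    for old in previous_passwords:
        if new_core and new_core == _stem(old):
            return True
        if SequenceMatcher(None, new_password.lower(), old.lower()).ratio() >= similarity:
            return True
    return False


if __name__ == "__main__":
    print(f"8-char random complex password: {entropy_bits_complex(8):.1f} bits")
    print(f"4-word random passphrase:       {entropy_bits_passphrase(4):.1f} bits")
    print(f"words needed to match 8 complex chars: {words_needed(entropy_bits_complex(8))}")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    history = ["MarchPass123$"]
    for candidate in ("AprilPass123$", "MarchPass124$", "correct horse battery staple"):
        print(f"{candidate!r}: trivial variant? {is_trivial_variant(candidate, history)}")
```

The entropy numbers show why the comic's advice holds: four random words from a 7776-word list carry about the same entropy as eight truly random printable characters, and five words exceed it, while the passphrase is far easier to remember and type. The variant check is the defensive counterpart to the reset problem: a system that must rotate passwords can at least refuse the month-swap and digit-increment edits that make the previous password a near-perfect guess at the current one.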

File Transfer Restrictions

Another common security feature I’ve noticed is the disabling of copy/paste or file shares while remotely connected to a machine. Rarely do I work on a project that requires remote access where I don’t need to transfer some files or copy and paste a large chunk of code.

When these features are disabled, users find work-arounds — usually insecure work-arounds. Typing by hand is tedious and usually impractical. More likely, you’ll upload the files to an online service or save them to a USB stick. I’ve even seen cases where companies block access to sites like Google Drive and Dropbox, which forces users to find less reputable online services. As more security is added, systems often become less secure.

Two-factor Authentication

Security experts eventually realized that complicated, oft-updated passwords were not working, so their solution: make things even harder for users. That’s right, in addition to the password nightmare, many systems now require users to enter a string of digits from a key fob or piece of software that changes every minute or so.

How does this lead to insecurity? Well, I’ve actually seen people write their username and password onto the fob itself. In cases of RSA software apps, they keep a plain text file with all the information needed to access the system right on the desktop.

The point I want to make is that when you make security harder for the user, the user will make the system less secure. The answer isn’t to add more complexity; it’s to change the security. If the only barrier to entry is a simple fingerprint scan or an easily remembered password, then users have no need to make notes or to circumvent the system.

Keep security practices simple to keep systems secure.

Rebuttals to Improper Pronunciation of GIF

In case you weren’t aware, there has been a long-standing debate on the pronunciation of the GIF file format. The “G” is actually pronounced like the “g” in “giraffe.” But, most people read the word before hearing someone actually say it, and they assume it is pronounced like “gift.”

Being a nonconfrontational person, I generally avoid correcting others — although my wife would disagree — but I find it amusing when some people try to justify a flawed position. Here are some of the reasons I’ve come across for continuing to say GIF incorrectly and my rebuttals to those reasons.

If the creator wanted people to pronounce it like a “J”, he should have called it JIF.

The creator can name and pronounce it however he wants. If my name were Todd but it was spelled like Toad, people would still call me Todd, because they would respect my wishes (hopefully). The point is, when you create something — whether it be a child or a file format — you get to decide the spelling and pronunciation. That’s your privilege.

The “G” stands for graphics, so it should be a hard “G”.

Scuba stands for Self Contained Underwater Breathing Apparatus, so by your logic, it should be pronounced with a short “u”, as in “scrub,” because we say “underwater,” not “oonderwater.” Acronyms aren’t pronounced based on the words their letters represent.

Everyone else I’ve heard pronounces it with a hard “G”.

And everyone thought the sun orbited the earth for thousands of years. This is the appeal-to-popularity logical fallacy. To be honest, in the graphics and design industry, the “J” sound for GIF is more popular; it’s the common, layman pronunciation that gets it wrong. Unfortunately, commercial media isn’t helping, as seen in this ad by Kmart.

People were saying GIF with a hard “G” before the creator publicly corrected them. He should have said so sooner.

People don’t seem to understand that Steve Wilhite, GIF’s creator, has always pronounced it with a “J” sound and was known to often correct those that said it incorrectly. I suppose that the French also should have said that the correct pronunciation of the word “voilà” is not “wallah” before everyone started saying it. The truth is that the creator of the word doesn’t assume that everyone is going to get it wrong; therefore, there isn’t a need to make such public announcements.

I’ve always said it that way and I’m not going to stop now.

That’s your perogative. I would of spent more time on this rebuttal but, it’s a doggy dog world, and I imagine you’re the type of person that probaly makes all kinds of pronounciation faux pas. Irregardless, finish your expresso and go about your bidness.

Sadly, we live in a world where many people won’t get the irony in the previous three sentences.