Gmail password leaks download? For real? Tvskit – btcsec

A lot of people are changing their Gmail passwords since the news on 5 million Gmail passwords leaked widely spread all over the internet today. According to the new, the user “Tvskit” posted the zip file with the following screenshots in Russion Bitcoin forum.

Tvskit - Gmail Password Leak

Some sources said that the passwords in that file are 60% accurate but old passwords. I followed a few links to get the zip files from different source (including the original btcsec website) and extracted them on a VM. Here is the list of links that I downloaded the files. (Note: I intentionally didn’t link them from my blog. ) Gmail Password Downloads

Here is the size of those Gmail passwords files that I downloaded. Gmail Password Download Sizes

If you are planning to download those files from those websites that I posted in screenshot and the size are the same, don’t bother downloading it. Because those files don’t contain any password and it’s just the list of user names. (4929083 accounts in totals)

Gmail password leaks but no password

A user “cDull” from reddits also shared what they think about what happened as below in this post “5 Millions of “Gmail” passwords leaked [RUS], most likely it’s a compilation of passwords from other sites

That is pretty smart of you, and there are many others that had same idea. Just do a grep for ‘+’ in the gmail account dump and you see a lot of eharmony, filedrop, friendster, bravenet, bioware, savage, xtube, and others if you do the command below. There might be more than 20 different website references in there. This is definitely a compilation and a bunch of bullshit FUD.

grep '+' google_5000000.txt | cut -d+ -f2 | cut -d@ -f1 | sort | uniq -c | sort -h | tail -n 21
18 bravenet
18 filesavr
19 policeauctions
25 4
27 eh
28 3
32 freebiejeebies
40 hon
51 bryce
52 savage2
54 bioware
57 spam
60 2
62 savage
63 friendster
64 eharmony
66 daz3d
88 filedropper
125 1
132 daz
176 xtube

If you managed to get the file then don’t forget to use a VM before extracting the file. Of course, you have the file with passwords then let me know..

Most annoying thing in Visual Studio

Here is my most annoying thing in Visual Studio. What about yours?

I have my MVP MSDN subscription, Dreamspark (Ya, I am still a student), BizSpark (with my friends)  for many years. This dialog pop-up once in a while to annoy me. Ya. it happened with VS express version that is totally free as well. Who the fuck are you to keep on validating your own royal customers? Is it your best marketing strategy?

I guess some program managers who decided to force (instead of encourage) VS users should be a part of this year’s cut (18K? )

It doesn’t matter how much I love Microsoft technology. but I hate when I am being forced.

Most anoying things in VS


Status of FxCop/Code Analysis! – Is FxCop still being maintained?

Short version

The old version IL-based FxCop/CA are dead but the new version of CA that based on source-code instead of IL will be in VS “14”.  (You can scroll down and see the reply from Alex Turner, the owner for Diagnostics in managed languages. )

Long version

Yes, I was a huge fan of FxCop/Code Analysis. I forced encouraged everyone in my team to make FxCop/CA happy for every single line of code before they commit. FxCop/CA does help to make sure your code is still following Framework Design Guidelines without assigning some experts to do the manual code review for every commits.

Note: If you are not familiar with FxCop/CA then you can read about them in the following links (FxCopCode Analysis and FxCop Vs. Code Analysis)

We all know that Microsoft has released a few versions of .NET framework. When was FxCop’s last release? I reported the following issues that we have with FxCop/CA but I didn’t see those issues are being addressed.

The worst part is that some teams (e.g. MVC/Web API team) from Microsoft are not even following the FxCop’s rules. I posted this questions “Why a fresh new MVC project couldn’t pass the Code Analysis? One-Microsoft” in MSDN forum as well.

I am the one who is encouraging the team to follow FxCop in company but I wasn’t sure why the issues that have been reported a while back are still not being addressed. I wasn’t even sure whether Microsoft is still maintaining the FxCop or not so I tried to reach out to Microsoft team internally and luckily, I got the answer.

Here is the unedited reply from Alex Turner, the owner for Diagnostics in managed languages. I am sharing his email with everyone (including my teams) with his permissions. 

Hi Michael,

FxCop has indeed been dormant for a while, and it’s certainly become stale in the face of new C# language features like async. My favorite instance of that is the cyclomatic complexity rule – FxCop will complain that an empty async method has too branches for you to easily maintain, even when it contains no code J

This is all due to FxCop analyzing IL rather than source. That worked great in the C# 1.0/2.0 days when the code you wrote mapped almost directly to IL – rules could look at that IL and work out what the source was. However, heavier transforms like LINQ and async get you too far from the code that was written to give good guidance on anything except method/type naming and IL-level performance tweaks. In the face of such decaying rules, it’s unfortunate but not surprising to me that other Microsoft teams are skipping the dance required to stay FxCop-clean.

For VS “14”, we’re investing heavily in source-based code analysis, built using Roslyn. This not only gives back the fidelity we’ve been missing in async methods and other high-level constructs – it also lets us surface code analysis issues live as you’re typing, even before your code fully builds, since we’re operating on the same syntax trees and symbols that IntelliSense uses. We’re also surfacing a supported API for plugging such rules into the compiler as you build, so that API authors and other third parties finally have a supported way to build such analysis, rather than hacking it into FxCop.

As Christoph pointed out, we’re proving out our new Roslyn-based diagnostics by reimplementing the high-value, low-false-positive FxCop rules using Roslyn. We haven’t yet decided when to pull the switch and officially swap out the IL-based FxCop rules for rules built on Roslyn, but the new live analysis engine will be built into the C#/VB compilers in VS “14” (it’s already in the CTP). At a minimum, we’ll ship this set of rules online, as an opt-in package you can use instead of the built-in VS support.

Alex Turner
Senior Program Manager
Managed Languages


The conclusion is that the old version IL-based FxCop/CA are dead but the new version that based on source-code analysis instead of IL will be in VS “14”.

[Quora] – Advice from someone who made $15 millions after selling the tech startup.

I came across this awesome answer to the question “Is getting rich worth it?” on Quora site. I have no idea who posted this great answer but I just feel like it’s worth sharing with you all.  (Note: I did read the terms of service from quora and I am allowed to share it with the link to the original post.)

I made $15m in my mid-20s after I sold a tech startup. I talked to a lot of people about this question, and thought a lot about how to stay the same person I was before and after making money.

Here’s my answer: being rich is better than not being rich, but it’s not nearly as good as you imagine it is.

The answer why is a bit more complicated.

First, one of the only real things being rich gives you is that you don’t have to worry about money as much anymore. There will still be some expenses that you cannot afford (and you will wish you could), but most expenses can be made without thinking about what it costs. This is definitely better, without a doubt.

Being rich does come with some downsides, though. The first thing you are thinking reading that, is, “cry me a river”. That is one of the downsides. You are not allowed to complain about anything, ever. Since most people imagine being rich as nirvana, you are no longer allowed to have any human needs or frustrations in the public eye. Yet, you are still a human being, but most people don’t treat you like one.

There’s the second downside. Most people now want something out of you, and it can be harder to figure out whether someone is being nice to you because they like you, or they are being nice to you because of your money. If you aren’t married yet, good luck trying to figure out (and/or always having self doubt) about whether a partner is into you or your money.

Then you have friends & family. Hopefully your relationship with them doesn’t sour, but it can get harder. Both can get really weird about it and start to treat you differently. They might come and ask for a loan (bad idea: if you give, always give a gift). One common problem is that they don’t appreciate Christmas presents the way that they used to, and they can get unrealistic expectations for how large a present should be and be disappointed when you don’t meet their unrealistic expectations. You have to start making decisions for your parents on what does and does not cost too much, and frankly, it’s awkward.

Add all of these up and you can start to feel a certain sense of isolation.

You sometimes lay awake at night, wondering if you made the right investment decisions, whether it might all go away. You know that feeling standing on a tall building, the feeling you might lose your mind and jump? Sometimes you’re worried that you might lose your mind and spend it all.

The next thing you need to understand about money is this: all of the things you picture buying, they are only worthwhile to you because you cannot afford them (or have to work really hard to acquire them). Maybe you have your eye on a new Audi — once you can easily afford it, it just doesn’t mean as much to you anymore.

Everything is relative, and you are more or less powerless to that. Yes, the first month you drive the Audi, or eat in a fancy restaurant, you really enjoy it. But then you sort of get used to it. And then you are looking towards the next thing, the next level up. And the problem is that you have reset your expectations, and everything below that level doesn’t get you quite as excited anymore.

This happens to everyone. Good people can maintain perspective, actively fight it, and stay grounded. Worse people complain about it and commit general acts of douchebaggery. But remember this: it would happen to you, too, even though you might not think so. You’ll just have to trust me on this one.

Most people hold the illusion that if only they had more money, their life would be better and they would be happier. Then they get rich, and that doesn’t happen, and it can throw them into a serious life crisis.

If you’re part of the middle class, you have just as many opportunities to do with your life what you want of it. If you’re not happy now, you won’t be happy because of money.

Whether you’re rich or not, make your life what you want it to be, and don’t use money as an excuse. Go out there, get involved, be active, pursue your passion, and make a difference.

Polymer – Tips on running “Getting Started Tutorial” on Windows

Yes. As the title say, this post is about tips on how you can run Polymer sample on Windows.


IIS instead of python server

In Google’s Polymer document, it suggests you to run the following python command to start the web server.

python -m SimpleHTTPServer

python -m http.server

But most of windows developers doesn’t have the python installed on our windows machine. What else do we have? Yes. Most of us have the IIS so you can simply create a website and point to “polymer-tutorial-master” folder in IIS. That is.

.json extension in IIS

When you are working on <post-list> component tutorial, you will know that you are not able to show the list. It’s because the post-service is doing http-get to /posts.json file from the web server. IIS doesn’t have the .json extension by default. (Note: I am using IIS 7.5.)

MEME Type in IIS7

So, I added the .json extension in MIME and then it works. If you want to see the step by step how to add new MIME in IIS then you can refer to this post “add .json handler support in IIS 7“. But for me, I didn’t add the handler for .json.

After adding the .json MIME in IIS then go and refresh the page. You will see the list as below.


Polymer is a very interesting project that based on web components. But yes, it reminds me of my Silverlight/WPF days where I used to deal with template/data templates. I am still studying more about this project and hopefully, I can share my experience with Polymer with you all later.


Deploying the Azure website and Azure webjob from Octopusdeploy (+TeamCity)


Last week, it has been a busy week for us but we are glad that managed to bring the Azure WebJobs with Octopus Deploy into one of our small projects. I like to share something that we have learnt and like to get some feedback from you guys.

Azure Web Job

Oh well, Scott Hanselman did a pretty good job on explaining about it in his blog post “Introducing Windows Azure WebJobs” so I am not going to repeat the same thing here. I will just give you a short note on this.

What is Azure Web Job?

It’s a backend job that you want to run it on Azure.  It’s like Windows Service that you run on your machine or the batch job that you used to run from Windows Schedular. There are three triggers points as below~

  1. Azure Storage: You can trigger the Azure webjob to run by sending a message to the blobs, queues or tables in your Azure storage account.
  2. Scheduler: Just like windows scheduler, you can run the web job either one time or on regular basis.
  3. Http/https Endpoint: You can run your web job by accessing this endpoint as well.

What are the different between Azure Web Job Vs Cloud Service (Worker Role) Vs Virtual Machine?

  • VM: You can install your backend job on VM but you need to maintain your VM on your own. (For example: updating OS/Framework update, security patches)
  • Cloud Service: It’s still a VM but is manged by Microsoft so you don’t need to maintain it but still, you might not need a VM to run your backend job.
  • Web Job: It’s like using a shared host. You don’t need to maintain any VM and it got full integration with Azure storage as well. If you are a fan of Azure website, you might like it as well.

Where does it store?

The web job are stored in the following directory.

site\wwwroot\App_Data\jobs\{job type}\{job name}

It’s important to know because we are going to use it later.

Ok. My short note on Azure webjob will end here since it’s not my intention to write about web job in this post. but there are a lot of useful blog posts regarding Azure webjob so I am sure that you can easily google them.

Or, you can read some of my favorite posts below~

Octopus Deploy

Why Octopus? As we have only one production, we don’t need Octopus. I found only one reasons why you will need Octopus Deploy.

That reason is ~

  • Multiple servers deployment: If you have a lot of servers then Octopus tentacle comes in handy. You can easily configure the octopus tentacle on all of your servers and you can deploy it in one shot. That tentacle will take care of synchronizing the deployment to all servers. Cool, huh?

Note: I asked the octopus team just to confirm whether my assumption is correct or not. You can read in this post “What is the main selling point for octopusdeploy?” Yes. my assumption is correct!

In our case, we can actually publish the Azure website directly from CI (Team City) using MSDeploy.

Team City + MS Deploy + Azure Web Site

This is the commandline parameters ~

 /p:Configuration=Release /p:OutputPath=bin
/p:DeployOnBuild=True /p:DeployTarget=MSDeployPublish /p:MsDeployServiceUrl=https://{yourazurewebsite-url}:443/msdeploy.axd /p:AllowUntrustedCertificate=True /p:DeployIisAppPath={your-app-pool-name} /p:MSDeployPublishMethod=WMSVC /p:username={your azure website user name from published setting}/p:password={your azure website password from published setting}

Note: You can get the user name and password from the publish profile from your website dashboard.

quick glance

I wrote about MS deploy for publishing website a while back. “WebDeploy 3 – Error in publishing website to Amazon EC2

Anyways, as everyone is talking about Octopus, I thought it might be a good idea to try and get a taste of it.

So I downloaded the Octopus (2.4.7) which includes Octopus Server (x64), Octopus Tentacle (x64) and TeamCity Plugin.

Team City + Octopus Team City Plugin

I installed Octopus plugin in Teamciy by placing the zip file under <TeamCity Data Directory>/plugins. If you are not sure about the <TeamCity Data Directory> then you can check it out in “Administration->Global Setting” page in TeamCity. The default path is C:\ProgramData\JetBrains\TeamCity . Then restart the service to take effect on new plugin installation.

If your installation is working fine then you will see “Octopus Packing” in “MS Build runner” build step or “VS build runner” build step.

Octopus Packing

Note that Octopus has the limitation on the version number and it doesn’t work if your version is just a single number so you will have to change like “1.0.%build.counter%” in “Build number format” in “General Setting”.

After that, you need to enable the nuget feed in Teamcity administration page.

Enable Nuget in TeamCity

That’s all. If you want to view the step by step instruction then you can check this page “TeamCity + Octopus Deployment

Octopus Server

It was pretty easy to install and configure the Octopus server on my server. Good job, Octopus!

Octopus Tentacle

Obviously, I need the server and TeamCity plugins but why Tentacle?

Oh well, Octopus has another limitation beside the build number. It doesn’t work without Tentacle. I think they didn’t think about the deployment scenario where we, developers, don’t have any server. I asked them here (link) to confirm about this. To workaround this, I have to install “Tentacle” on the server that I am hosting the octopus server and configure it as a machine in Octopus’s Environment page.

Octopus Environment

How to connect TeamCity and Octopus? Yes. You need to add the nuget feed that you enabled in Teamcity by using “Add Feed” button in Octopus Library page.

Octopus External Feed1


After that, you can create a new project in Octopus and add the steps in “Process” panel.

Note that there are a few different ways as below to deploy the Azure website and web job.

  • FTP Upload
  • Git push
  • MS Deploy

Even thought I am told that there is an Octopus MSDeploy template, I decided to use the FTP upload in my case. (Yeah, I am not a big fan of git push deployment until now. Sorry! )

Here is the default FTP template that you can use when you are adding the step in “Process”

Upload by FTP Template


Here is the step details that you need to fill up for FTP template. Octopus FTP Step Details

You can get about the FTP information of your site or webjob from Azure dashboard.

Remember what we said in “Where does it store” section? The web job are stored in the following location so you will have to point to this directory in your “FTP upload” step.

site\wwwroot\App_Data\jobs\{job type}\{job name}

That’s it.

This is how we are using Team City + Octopus for publishing Azure Web Site and WebJob. What is yours?