Category Archives: Allgemein

Free commercial tools for open source development

As an open source developer you may be eligible for special offers. This post lists some of them.

Visual Studio development

For ReSharper, a Visual Studio plugin, you can apply for a 1 year Open Source License. For debugging, watch OzCode‘s offer. CppDepend, an architecture analysis tool, is available to projects that use C/C++ as the programming language. PVS Studio can do static code analysis.

Java development

For Java UI components, JIDE makes an offer. Excelsior JET converts your Java code into an executable. IntelliJ offers a 1 year license. JArchitect helps you keep the architecture right. Gluon, a Java cross platform development framework, happily provides 1-year licenses as well. You can also get Chronon, which monitors your Java performance.

Others / programming language independent

Open source projects may use Atlassian products (you have heard of JIRA) for free.  Xamarin, a mobile platform framework, wants to help open source developers.  If you need a cross platform installer, InstallBuilder might be your choice for the open source project. Doesn’t fit? Maybe Advanced Installer does if you’re on Windows only. Mockups might be created with the free license of Balsamiq. If you’re keen on Python and the Pycharms IDE does not suit you, Wing IDE works on Linux and iOS. Perhaps Aquafold database is also helpful. Like IntelliJ and Resharper, PHPStorm is also available.

What did I say? A background voice recorder

What did I say? is a software that continuously records audio from an input device (e.g. a microphone) and saves it to disk on demand.


  • continuously record audio from an input device
  • discard audio after a configurable time span
  • keep the recorded audio in memory only
  • run in the background (no window, just a notification icon)
  • write to disk upon request (WAV format)

Possible usages:

  • take notes during brainstorming when someone said something interesting
  • provide evidence in cases of defamation or sexual harassment
  • “pilot recorder” / “black box”


Command line options:

  • -s: Sample rate (44100, 22050 or 11025 Hz)
  • -b: bits per sample (16 or 8 bit)
  • -c: channels (1 = mono, 2 = stereo)
  • -t: recording time in minutes (buffer time)

System requirements:

  • Windows 8 or higher
  • .NET Framework 4.5

Download What did I say (1 MB)

License: MIT, closed source at the moment.

Known issues:

  • when saving to a file and then canceling the save dialog, the recorded audio is lost

Missing features:

  • Hotkey support
  • Support for external triggers (e.g. alarm contact)
  • Integrated playback

Please post bug reports and feature requests to where yyyy-mm-dd is the date you send the email (that’s my spam filter).

Shutdown with warning

Shutdown with warning is a small tool inspired by a Software Recommendations question.

It shuts down your PC at a given wall clock time and displays up to 2 warnings before that time with the option to shut down the PC.

Download Shutdown With Warning

Supported OS: Windows 7 SP1 to Windows 10

Prerequisites: .NET 4.0

License: MIT

Report bugs to: where yyyy-mm-dd is the current date.


Shutdown warning

Make KeePass more secure: compile KeePass yourself

Heise recently published an article about KeePass not using HTTPS. The article turns out to be a canard, since KeePass cannot update itself. This article reminded me that I have attacked KeePass in 2009 to see how secure it is. Since it offers security features like password encryption, dual channel auto-type obfuscation, secure desktops etc., I thought this is a well-written and totally secure application.

Unfortunately I had to find out that my first two approaches of attacking KeePass worked very well (I don’t want to go into details here and provide full source for script kiddies; if you’re a developer you’ll probably be able to implement the attack based on the modifications I make to KeePass). Therefore I contacted the author, Dominik Reichl. However, he explained that such issues cannot be fixed. A few days later (2009-02-27 according to, the following text was added on the KeePass website, Security section:

All security features in KeePass protect against generic threats like keyloggers, clipboard monitors, password control monitors, etc. (and against non-runtime attacks on the database, memory dump analyzers, …). However in all the questions above we’re assuming that there’s a spyware program running on the system that’s specialized on attacking KeePass.

In this situation, the best security features will fail. This is law #1 of the 10 Immutable Laws of Security [4][5]: “If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore”.

For example, consider the following very simple spyware specialized for KeePass: an application that waits for KeePass to be started, then hides the started application and imitates KeePass itself. All interactions (like entering a password for decrypting the configuration, etc.) can be simulated. The only way to discover this spyware is to use a program that the spyware doesn’t know about or can’t manipulate (secure desktop); in any case it can’t be KeePass.

If KeePass is not that secure, let’s try to make it a little more secure by yourself. Are you allowed to do so? Well, KeePass is released under GPL2 so you can modify it. You even don’t need to publish the modified source code as long as you don’t distribute your version and keep it for yourself. Only with publishing you need to publish under the same license. The relevant paragraph is

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. […]

Step 1: Compiling KeePass

  1. Download and install Visual Studio 2015 Community Edition if you don’t have VS 2015 already
  2. In the Download section, scroll to the bottom and download the source code for KeePass 2
  3. Unblock the ZIP file in the file properties (otherwise you might get strange security questions)
  4. Unzip the ZIP file
  5. Ideally, add all the source code to a version control system (SVN) just to be able to make changes without breaking anything
  6. Open the solution file KeePass.sln, which is a VS 2008 project, in VS 2015
  7. Confirm the one-way upgrade warning
  8. Try to build the solution. You’ll get some errors regarding PFX files which are used for the digital signature.
  9. Open the properties of all projects. Choose “Signing” and remove the checkmarks for the PFX file. I’ll assume that you don’t have an own PFX. If you do have an own PFX file, you’re probably familiar on how to use it.
  10. Try to build the solution. For me, it still failed due to “sgen.exe” not working well. Open the KeePass properties, go to “Build Events” and remove the post build step. This also has to do with the digital signature
  11. Try to build. This time it should work.
  12. Set “KeePass” as the startup project.
  13. Commit your work to SVN (if you have)

Step 2: Make it a bit more secure

For a specialized attack on KeePass, the attacker needs to find out that KeePass is KeePass. The attacker might look at the executable name, so let’s change it.

  1. Open the KeePass project properties
  2. Change “Assembly Name” to something you want, e.g. “PwManager”

So the executable name is better now. An attacker may still identify it as KeePass from the title etc., so let’s change that as well.

  1. Open KeePassLib\PwDefs.cs
  2. Change all “KeePass” to something else as well, e.g. “PwManager”
  3. As you’re there, change all URLs to “about:blank” if you like

Our modified KeePass version still uses the KDBX file extension, so an attacker may notice that and gather interest.

  1. Open KeePass/App/AppDefs.cs
  2. Find a class called FileExtension
  3. Change the extension from kdbx to something else, e.g. pwmg
  4. Change the “ExtId” from “kdbxfile” to “pwmgfile”. This would probably affect the Registry in case you want to register the file extension. Personally I recommend running it portable and not registering the file extension.
  5. Below those definitions, you’ll find some more items with “KeePass” in the name. Change it as well.
  6. Compile it and run it
  7. Commit your work to SVN

Step 3: recognize a potential replacement

Whatever efforts we take, an attacker may use other techniques to identify our application as a KeePass clone and replace it with a copy to fool us. Let’s mitigate that by changing the color of the password form. A replacement may not be able to imitate this, so you’ll notice the replacement, because it has the default KeePass color and not your color.

  1. From the KeePass project, open Forms/KeyPromptForm in designer mode
  2. Change the background color, e.g. to blue
  3. Compile it and run it
  4. Create a demo database and check the password dialog. It should have your color now
  5. Commit your work to SVN

If you followed this tutorial, you should now have a version of KeePass that it a little bit safer and looks similar to this:

KeePass password entry form

Sure, it still does not cover all attack vectors but at least the following:

  • Stealing *.KDBX files: your password file will not be found since it has a new extension now
  • Replacement of KeePass by a malicious clone via the Image File Execution Options Debugger Registry key (since this would require the executable to be named KeePass.exe)
  • Replacement of KeePass by a malicious clone in any other way, since you’ll likely detect the replacement due to the wrong color

What else could you consider? Based on my attacks I would do the following two things next:

  • Add a part of the password to the password via code. This will prevent someone from recording your complete password with a generic keylogger. So even he has your “KDBX” file and a recorded password, he’ll still need your program to get the second half of the password.
  • Detect if KeePass loses the focus and regains the focus very quickly. A user will need ~100 ms or longer to switch between applications. If the time is shorter, it’s likely that an attacker opened an invisible window and returned the focus to KeePass. Using Auto-Type will type into the attacker’s invisible window. The attacker may choose to forward the input to the original destination window so you won’t notice that it got lost.
  • Display the title of the window that KeePass is going to send the password to.
  • Display a list of DLLs loaded into the process. That way you might detect keyboard hooks etc. To shorten the list you could exclude DLLs signed by Microsoft, exclude known DLLs etc.

I have not yet described these modifications in detail.

TaskJuggler Installer for Windows

Developing software often needs some project management and planning. Unfortunately I regularly break Microsoft Project schedules in a way that leveling the resources does not work any more.

I have tried alternatives like GanttProject and ProjectLibre, but they all don’t fit my needs. Then I saw a recommendation for TaskJuggler. Unfortunately, TaskJuggler is not very convenient to install, especially behind a company firewall which prevents downloading missing Ruby gems.

After much pain, I figured out that I need to download and install the following in this order:

  1. Ruby
  2. RubyGems
  3. Tins gem
  4. Term-ansicolor gem
  5. Mime-types gem
  6. Mail gem
  7. TaskJuggler gem

Luckily, RubyInstaller covers steps 1 and 2.

After installation, I found that I need even more adjustments for convenience:

  1. Icon to better recognize the TaskJuggler .TJP files
  2. A file association for editing the .TJP file in Notepad++ (or at least Notepad)
  3. A context menu entry to “compile” the project to avoid the long Ruby command line “C:\Ruby22\bin\ruby.exe” “c:\Ruby22\bin\tj3” “myproject.tjp”. In addition, stop in case of errors.
  4. Syntax highlighting in Notepad++ to detect mistakes while typing
  5. A template for the New entry in the context menu (because starting with a totally empty file is hard)
  6. Support for Windows Explorer’s preview pane

Those convenience features need a lot of Windows Registry tweaking and are thus error-prone.

Nevertheless, once installed, TaskJuggler is a really great product. To lower the hurdle of using it, I have created the TaskJuggler Windows Installer which performs above steps.


TaskJuggler 3.5.0 Installer 0.7 32 Bit (20.0 MB)

TaskJuggler 3.5.0 Installer 0.7 64 Bit (20.6 MB)

Be aware that this is a version which has not been tested much.

Reporting bugs

Report bugs to taskjuggler.yyyy-mm-dd@lockerflockig,de (where yyyy-mm-dd is the current date).

Removing source control settings from Enterprise Architect

I last used Enterprise Architect by Sparx Systems on 19th of June 2006.  As our architecture was stable since then, there was hardly a need to update the architectural diagrams. And, frankly spoken, Enterprise Architect was not the best product at that time, so everyone was happy in case he needn’t touch it.

We’re now making a major refactoring so I copied the Enterprise Architect model from our old repository to the new location, then opened it. Although I am using version 9.1 now (I started with version 5.0 in 2005), the usability has not significantly improved. The first dialog I saw asked me to remove the read-only flag manually. While I can do that, it would definitely have been an option to provide a button labelled “Remove read-only flag and open”.

We’re simplifying the architecture, so for most parts I should remove existing parts. That should be as easy as pressing the Del key. As a warm-up task to become familiar with EA again, I identified something to remove, selected it and pressed the Del key. Nothing happens. No message, even not a notification in the status bar. What’s wrong?

In the Edit menu, I find my first mistake: items are not deleted using the Del key, they are deleted using Ctrl+D. How could I forget? But unfortunately the menu item is disabled, which means that I cannot delete it.

I remember that we had trouble accidentally modifying diagrams some years ago and there was a way to protect items against modification. That’s confirmed by doing a right-click on the item: there’s a context menu entry labelled “Lock Element…”.

Nothing happens. Wait, notice the text in the status bar, which says:

Current package and contained elements are checked in and may not be edited.

Alright, so there’s the old version control setting included somewhere and I should probably remove it. That should be a project-wide setting, right? EA is almost intuitive in this point. There’s a Version Control submenu of the Project menu. I see that there’s the old configuration. I can select it and press the Delete button. But Enterprise Architect cannot simply remove the version control settings from all those items for you, because it says

This configuration is being used by the following package(s): Building Block View, Runtime View, Concept View, Process View, … and may not be deleted.

Alright, that’s only a list of 16 packages. I should be able to remove version control settings from those packages manually. In the project browser I select one of the views and in its context menu I choose Package Control/Version Control Settings. It turns out that this is exactly the same dialog as on project level. Very confusing. Much like Enterprise Architect in 2005.

Luckily I tried Package Control/Configure… next. This dialog provides a checkbox to enable or disable the checkbox “Control Package”.

I went through all the 5 root views and removed the source control settings. But there need to be 11 more items under source control. How to find them?

There is a keyboard shortcut which expands all nodes of a treeview. And since Enterprise Architect didn’t modify that default behavior, just press the asterisk key to expand all nodes. The nodes under source control all have a yellow key on a dark background. Simply identify those and remove version control settings as well.

Whenever you think you have removed all items, go back to the project menu and try to delete the setting on project level. Finally, I reached my goal: removing source control settings from Enterprise Architect.

No, wait – the original goal was to remove an item from a diagram…