I ran into this postential security riskwhile doing a security audit of Empower, our content mangement server that will be available for purchase in just a few short weeks, and it turns out to be a common hole that many tools and apps do not protect you from. Most modern web based blogging tools and a host of web site tools include the ability to view referrer information for a given item. The problem is that these tools assume that the incoming urls are valid, so they simply echo them to the screen. Unfortunately, this means that evil users can insert all sorts of nasty scripts into the referrer string and hijack your browser, stealing all sorts of information like domain specific cookies (ie. login info). If you want to see if you are vulnerable, you should go download the referrer spoofing tool over at http://home.wanadoo.nl/lc.staak/quickspoof.htm (and while you're at it, send Rory a nice google wierdos message :-) ). Enter something like http://hacked.com/<script>alert('you have been hacked');</script> and see if you get a dialog box when you look at your referrer logs.
So... how do we fix this? If you are using a datalist or repeater to echo the results, the simplest solution is to HtmlEncode values before sending them to the client:
A company that I have done quite a bit of work for is looking to hire a talented, full-time ASP.NET / C# senior dev. They are looking for a sharp person with a background in building e-commerce, content management, and/or portal solutions. If you are getting tired of doing the same old thing every day and are looking for a challenging position where you can really make a difference and have an impact in the industry, I highly recommend sending your resume and a cover letter over to firstname.lastname@example.org so that you can see what they have to offer. Articulate is a great, smart company that is quickly moving up the ladder and becoming a dominant force in their industry.I have nothing but positive things to say about the company, so once again, I highly recommend checking this out.
Oh... and by the way, in addition to being a great job with great people, this position is also 99% work from home, which means that other than some meetings which you'll have to fly somewhere like NY to attend, you can do all your work from the comfort of a nice sunny beach :-)
ActiveWin has some great links to videos of the VS 2005 team tools:
So, if we aren't going to get ObjectSpaces merely because some shmackheads at Microsoft think developers can't deal with changes in their object models when Longhorn comes around, they should release a version of ObjectSpaces along with Whidbey the same way they released WSE. This will satisfy the needs of developers who Microsoft promised this stuff in the Whidbey timeframe, as well as allow the community to give feedback on how the current approach works in the real world. At the same time, Microsoft will not be obligated to keep the APIs consistent when Longhorn is released, because the stuff was never advertised as the final deal. Then again, maybe the advertised reason for the delay is wrong. Maybe the reason ObjectSpaces is being delayed is because those shmackheads just couldn't get the thing working after 4 years... if that is the case, we are all in trouble.
“ObjectSpaces will be merged with WinFS!
The URL that I was giving was slightly off: go to http://msdn.microsoft.com/data/ to read all about.
Although there were many guesses on what the news would be nobody really hit the spot.
My first impressions on this are twofold:
- The API will be tightly integrated into Longhorn and therefore become an integral part of the operating system. This makes it even more important in my view than the previous scenario of an “add-on” to ADO.NET.
- It's a delay for even longer than “shortly after Whidbey“. “ 
I sure hope this isn't the case. If ObjectSpaces is really going to be delayed till Longhorn, I am going to seriously lose a lot of respect for Microsoft. First, they delay the whole freak'n Visual Studio suite by a year, and now they are saying that even with all they extra time, they can't put ObjectSpaces in? Give me a break! Perhaps those guys at MS that you've been looking up to are all talk. Perhaps they don't code quite as well as they would have you think... I find it quite strange that one guy can put together virtually an entire working ObjectSpaces implementation with a couple months of spare time, and all the ADO.NET geniuses at MS combined can't ship the same thing after 4 years of working on this crap (remember, they demo'd it two PDCs ago and told you it was just around the corner).
If you have been spammed today by the guy that is hitting us all go to:
and report that affiliate: 2004887 is spamming you (cut and paste one of his messages in the box). If the link is down when you try, then send an email to: email@example.com
Then, use the following emails and affiliate IDs to report to the rest of the affiliate programs this guy is using to make sure he doesn't get any money for his spam.
“According to the study, it's safe to argue that Tanenbaum, who had years of OS experience and who had seen the Unix source code, could create Minix in three years. "However, it is highly questionable that Linus, still just a student, with virtually no operating systems development experience, could do the same, especially in one-sixth of the time," says the study, which was written by Ken Brown, president of the Alexis de Tocqueville Institution.“ 
Linus and the author of Minix both swear up and down that the code is Linus' alone. But, this is gaurenteed to cause some flame wars in the near future.
Seth Nickell thinks Mono is to encumbered by Microsoft and too full of risks to be a viable option. Paulo and Miguel have already sufficiently discussed this topic, and nothing Seth has to say leads me to believe otherwise. The simple fact is that the Open Source community NEEDs a managed execution environment upon which they can standardize and a set of base class libraries to go with it, or they absolutely will not be able to compete in the coming years. The only other reasonable choice is Java, and it faces much more of these kinds of issues that Seth raises. Of course, the most patent-free route would be for the Open Source community to innovate and create some of their own stuff instead of photo-copying other people's ideas... but when is the last time that happened?
A while back, there was a lot of noise around a presentation tool from this company “Ventuz“ that was being used for a lot of MS conferences to make super slick 3d-ized PowerPoint presentations. Shortly thereafter, the company disappeared off the map. In fact, now, the “we will be updating our site soon“ message that used to be found at their domain has been replaced with a nice, IE “this page cannot be found“ message. So, will this slick C#/Managed DirectX app be one of the first super slick Longhorn Office upgrades? We'll see, but it wouldn't suprise me in the least.
A Menlo Park gas station sign displays the true price of gas.
Great news from Clemens:
“One of the reasons why I run Windows Server 2003 on my notebook is that "Services without Components" (managed incarnation is System.EnterpriseServices.ServiceDomain) didn't work on XP. If you just touch the ServiceConfig or ServiceDomain classes on XP, you get rewarded with a PlatformNotSupportedException, because the unmanaged implementation of that feature was present, but not quite-as-perfect-as-it-should-be on XP. That will soon be history. Windows XP SP2 and the COM+ 1.5 Rollup Package 6 will fix that and will bring COM+ 1.5 pretty much on par with Windows Server 2003.”
The M2 build (81) of the JetBrain's refactoring plugin for VS.NET is now available for download.
Great stuff featuring Clemens Vasters over at:
Chris has a great post mainly discussing pattents and GPL. Highly recommended reading.
“Some people asked about how I feel towards open source, and more specifically how I would feel if someone created a word processor that implemented all of the ideas of Microsoft Word.
Well, open source has many flavors. To the extent that open source is about people working together, contributing their time and effort to build something, I think its great. That's what I do all day too after all. In the case of open source, the contributors may or may not get paid for their work - that's a personal choice on their part (just as it is personal choice for me to give some of the money I earn to charity). Because some people choose to give to a community in this way doesn’t make their activity any more virtuous than those who choose to give in another way in my mind. ...“
This interview is great. It shows just how ignorant the people that are passing laws like the DMCA are:
“...TT: Okay, let’s take a different example. Four years ago, you said that people who use Linux, which is about a million to two million people, who want to play DVDs, should get licensed DVD players and that those would be on the market soon.
JV: And we have those now.
TT: But today, you still cannot on the market actually buy a licensed DVD player for Linux.
JV: I didn’t know that
TT: So the question is, if I just want to watch a movie--I rent it from Blockbuster--is that bad?
JV: No, that’s not bad.
TT: Then why should it be illegal?
Rich Taylor, MPAA public affairs: It’s not. ... You could put it in a DVD player, you could play it on any computer licensed for it.
JV: There’s lots of machines you can play it on.
TT: None under Linux. There’s no licensed player under Linux.
JV: But you’re trying to set your own standards.
TT: No, you said four years ago that people under Linux should use one of these licensed players that would be available soon. They’re still not available -- it’s been four years.
JV: Well why aren’t they available? I don’t know, because I don’t make Linux machines.
Let me put it in my simple terms. If you take something that doesn’t belong to you, that’s wrong. Number two, if you design your own machine, you can’t fuss at people, because you’re one of just a few. How many Linux users are there?
TT: About two million.
JV: Well, I can’t believe there’s not any -- there must be a reason for... Let me find out about that. You bring up an interesting question -- I don’t know the answer to that... Well, you’re telling me a lot of things I don’t know. “