Archives / 2004 / June
  • New Boston .Net User Group starts tonight

    As Chris Pels blogs:

    For those of you in downtown Boston there is a new Downtown Boston .NET user group starting up that will be holding its first meeting this Thursday 7/1/2004 at 5 p.m. Details can be found here. Sam Gentile, whom many of you here in the Boston area know, is organizing this new group. We, the Boston .NET User Group, which meets out at the MSFT Waltham, MA office, will be working with the new Downtown Boston .NET user group to enhance the .NET community here in the Boston area. I will be attending their first meeting this Thursday and look forward to seeing you there if you can make it.

    I plan to be there as well at this very important and historic event.


  • FABRIQ is available

    Finally, finally, finally (in the words of Clemens):

    FABRIQ 1.0.4173.4 has been released!

    As Clemens describes it: 

    FABRIQ is an optimized architecture for fast, one-way, message processing within network-distributed nodes consisting of sequences of dynamically composed primitive processing steps. This isn't even trying to get anywhere near the guidance aspirations of Shadowfax, or let alone all the guidance we're getting from the Indigo team ...

    I am looking forward to playing with this over the weekend ...


  • Assessing Network Security book

    As mentioned by Michael Howard:

    Kevin Lam, David LeBlanc, & Ben Smith have released a new book, “Assessing Network Security” from MSPress. To quote Ben in an email he sent, “The book is primarily aimed at security professionals new to penetration testing and IT professionals and IT managers new to security, although all security professionals will likely benefit from the book.”

    That's great that new resources are coming out on pen testing.

    If you are new to the subject, here are a few links to get you started:

    Penetration Testing Guide

    Penetration Testing

    Penetration Testing for Web Applications (Parts One and Two)


  • Code Complete: Second Edition book

    I just received my pre-ordered (through Amazon) Code Complete: Second Edition book. This is another one of those “must have” books that helps the new programmer (as well as the seasoned mentor) understand and apply the best practices for software development. This one has been updated with code examples using C++, Java, and VB. This was one of those books I started reading when my career began, so I am looking forward to reading it again, and gaining fresh perspectives. Check out the web site associated with the book.


  • Threat Modeling book

    Dana expresses my thoughts exactly!

    Well now... Michael reports that he got his hands on a copy of Frank Swiderski and Window Snyder's Threat Modeling recently. Anyone else able to get it? Amazon isn't showing it available yet.

    I have been waiting for this book for some time. Come on amazon... take my money!!!!!

    I also have this book pre-ordered through Amazon.  Any day now ... waiting, waiting, waiting ....


  • WS Plumbing Group

    A few days ago, I noticed Christian Weyer posted information about a new project created for Web Services (WS-*) plumbers that he, John Bristowe and the Interop Warriors have put together: Plumbwork Orange on the GotDotNet workspaces. I have also joined the effort, partly to follow the progress, but also to learn and contribute as well. I noticed there is some preliminary work done on WS-ReliableMessaging, in which I am particularly interested. I also like that John has been working on WS-Eventing, which is particularly needed.

    Update: John writes about the latest updates:

    Kapil Sachdeva is making some good progress on a WS-Federation implementation for the Plumbwork Orange workspace on GDN. Meanwhile, Yves Reynhout is moving ahead with an implementation of WS-ReliableMessaging. Very cool! As for me, I've solidified a few things in the implementation of WS-Eventing. Mostly, I've been adding XML documentation but I've been able to conduct some refactoring here & there.


  • Speaking to Boston .Net Users Group on Security

    I will be speaking to the Boston .Net Users Group in Waltham, MA (Microsoft offices) on July 14 at 6:30 pm.  Also that night, Chris Bowen will be giving an introduction to Test Driven Development (TDD) using NUnit at 5:00pm.

    Here is the schedule and topics:

    July Meeting-MSFT Waltham
    5:00 p.m.: Test Driven Development (Chris Bowen)

    This session will review the principles of Test Driven Development (TDD) through code examples utilizing NUnit. This session will familiarize developers with the basic constructs of unit testing and the advantages of TDD. This presentation will provide an invaluable background for the forthcoming Visual Studio 2005 Team System.

    6:30 p.m.: Secure Coding: Best Practices (Robert Hurlbut)

    Security is important to nearly every company, but security can never be an add-on to an existing product. Developers need to be aware of common security threats, and they need to follow best practices for developing secure code. This presentation will introduce security topics such as checking data input, buffer overruns, Cross-Site Scripting, SQL injection, and the Rule of Least Privilege. The best techniques for secure coding will also be demonstrated.

    I will also be providing a snapshot of my upcoming WIN-DEV 2004 topic:  Writing Least Privileged Applications.

    Update:  The correct date for the next meeting is July 14, 2004.


  • Enterprise Services and TDD part 2

    I mentioned yesterday a special case of Roy's excellent article on using Enterprise Services with database unit testing where it seems to produce an inconsistent result with NUnit. The case involves a Server Application (I didn't try a Library Application for my test), Oracle, and NUnit. The issue is I can test successfully every other time, with a RollBack at the end of each transaction in order to put the database back to its original state. It's every other time after that which fails with these messages:

    ORA-03113: end-of-file on communication channel


    System.Runtime.InteropServices.COMException : You made a method call on a COM+ component that has a transaction that has already aborted or in the process of aborting.

    Has anyone seen a solution to these problems? In our case, the way we solved this ultimately was to do the standard way of testing database layer code by either rebuilding the data schema over again (getting the data into a consistent state) or writing the tests in such a way as not needing to do a RollBack.  For unique constraint tests, I would use a GUID appended to a value.

    As far as I can tell, Roy's usage of NUnit and Enterprise Services works perfectly with SQL Server, and I see it as a great solution. I think the issues I see with Oracle have to do with some missing or wrongly configured Oracle/MSDTC settings rather than flaws in Roy's approach. If anyone has a clue about the Oracle messages above, it would be greatly appreciated, as well as possibly helping someone else.

    Update: If memory serves me correctly, I think we also determined at the time this oddity was related to an existing bug in v. 1.1 code with the System.Data.OracleClient namespace. A bug fix was available, but only if it was a major problem (not publicly available). I can test in Whidbey code to determine if this issue is now resolved.


  • Enterprise Services and TDD

    Roy Osherove has written a very good introductory article on using Enterprise Services to do Test Driven Development (using NUnit) against database classes.

    Our team was doing this 8 months ago when we were in the thick of ES development (see some of my blog posts from that time).

    In our case, we had great success with this, but at times, we also had inconsistencies and problems.  In particular, if you are testing Server Applications, you may have objects that don't get released because the client, in this case NUnit, needs to call Dispose.  Also, since NUnit itself is not referencing EnterpriseServices, you may have other inconsistencies in your transactions that are not cleaned up properly.

    We also had problems with Oracle (both providers from Microsoft and Oracle) in using Enterprise Services in combination with NUnit. At times we would see a test succeed individually, but it would pass or fail inconsistently when running all tests, based on the inconsistent state of the transactions mentioned above.

    I like Roy's approach, though, and I will be interested in determining if this has helped solve some of the problems we were seeing with our results.

    Update:  In answer to Roy's question on this post regarding how I approached this:

    Today, I coded a sample in the format proposed by Roy's article.  The only real difference between his code and my previous code was I placed the RollBack call in all the test classes, and not in a base class.

    Testing with Oracle, I get the green light and everything works correctly, for the first time.  The second time, I get the dreaded Oracle "inconsistent state" error:  "ORA-03113: end-of-file on communication channel".  On the third try, I get a green light again.  And, it repeats the error the fourth time, and so on.  Back and forth.

    Update 2:  A little more information. The actual exception is this:  System.Runtime.InteropServices.COMException : You made a method call on a COM+ component that has a transaction that has already aborted or in the process of aborting.

    One item I noticed in Roy's code is that if you are testing a Server Application, and don't explicitly call Dispose in the test code, you will see objects instantiating in the Components Services view, but not releasing.

    A slight improvement to Roy's code would be to wrap the inner code with either a “using” statement or explicitly write the try/catch/finally in order to catch exceptions and call Dispose on the object.

    It still doesn't solve my Oracle problem, but just some further ideas.


  • New Boston .Net Group starting July 1

    I spoke with Sam Gentile a couple of nights ago, and he mentioned the 1st Boston Blogger Dinner was a big success.  Out of that dinner came many volunteers for a new .Net group, including my former boss Kevin Hegg as the speaker liaison.

    The first Boston .Net Group meeting is on July 1 at 5:00 pm at the Adesso offices. That's great news! Sam will be the user group leader. The first topic will be Sam's excellent CLR Internals talk he gave to the New Hampshire group and to the Vermont group, among others.

    Check out Sam's post for more details.


  • XP SP2 RC2 and Distributed Transactions

    Florin Lazar has some excellent tips posted regarding the new Windows XP SP2 Release Candidate 2 and any current distributed transactions you may have running.  There are some changes that you need to be aware of for your applications.

    Florin also asks for feedback regarding any issues you may find:

    I recommend and I encourage you to give a try to this release candidate for XP SP2 on your test systems and send your feedback to the XP SP2 preview newsgroups: . Thanks!


  • Learn to run as non-Admin

    Aaron Margosis has started a new blog, and he is already trying to convince developers (and users) to run as non-Admin.  Excellent!  That will be part of my Writing Least Privileged Applications topic this October at WIN-DEV 2004 as well, but in the meantime, take a look at Aaron's posts:

    Not running as admin ...

    Why you shouldn't run as admin ... (this one is especially good as it talks about the dangers of malware when you run as Admin)



  • Virtual Server 2005, Enterprise Edition, RC is available

    Microsoft Virtual Server 2005, Enterprise Edition, Release Candidate

    Now available as a free download, the Virtual Server 2005 RC is the most cost-effective virtual machine solution designed for the Windows Server 2003 platform to increase operational efficiency in software test and development, legacy application migration, and server consolidation scenarios.

    A release candidate is software still in its development stage. Microsoft will be completing development, testing, and certification before making the final version of Virtual Server 2005 available later in 2004.

    Important: This release candidate software expires January 1, 2005. An end-user license agreement (EULA) is required for its use, which you can download using the link to the right. The Virtual Server 2005 RC software is intended for evaluation purposes only and may not be used in a production environment.

    The following items are included in the release candidate download:

    Virtual Server 2005, Enterprise Edition

    Getting Started Guide

    Virtual Server Administrator's Guide

    Virtual Server Programmer's Guide

    Release Notes

    Note: The Virtual Server 2005 RC is available only in English.


  • Windows XP SP2 RC2 is available

    Here is something I have been looking forward to:

    Release Candidate 2 of Windows XP Service Pack 2 is now available for download. Here's a link and a bit about it:

    Windows XP Service Pack 2 Release Candidate 2 Preview
    To aid IT professionals in planning and testing for the deployment of Windows XP Service Pack 2 (SP2), Microsoft is making available this preview, based on Release Candidate 2 (RC2) of SP2. Additionally, we have established 11 newsgroups for sharing information.

    [by way of Brian Johnson]

    For more information regarding the changes, take a look at these [by way of Anil John]:

    Windows XP Service Pack 2 - Security Information for Developers [1]

    With Windows XP Service Pack 2 (SP2), Microsoft is introducing a set of security technologies that will help improve Windows XP-based computers' ability to withstand malicious attacks from viruses and worms. These technologies include:

    • Network protection
    • Memory protection
    • Improved email security
    • Safer browsing

    Together, these security technologies will help make it more difficult to attack Windows XP, even if the latest patches or updates aren't applied. These security technologies together are particularly useful mitigation against worms and viruses. To developers these technologies will have impacts on the applications that they create and the tools they use. This page contains resources to assist developers in dealing with these impacts.

    How to Make Your Web Site Work with Windows XP Service Pack 2 [2]

    "Examine the new security features in Windows XP SP2 that affect Internet Explorer and ActiveX controls, file downloads, pop-up windows, and more."

    Security improvements in the upcoming Windows XP Service Pack 2 [3]

    "Rebecca Norlander, group manager .... in charge of the Windows XP Service Pack 2 effort invited us over to chat about the upcoming Service Pack.

    ...So, for this first interview (the rest will come over the next week or so) we wondered just what was the big deal about security in Service Pack 2"



  • Indigo misperceptions

    By way of Chris Sells:

    Richard Turner, a PM on the Indigo team, addresses the biggest misperception about Indigo in this Channel9 video.

    Bottom line: Microsoft is not taking MSMQ, COM+ or Remoting out of the platform; it's just that Indigo, which subsumes the features of these other technologies, will do it all better.

    I was talking with one of my clients yesterday about how to solve a distributed architecture problem. In the end, I had to say the solution they were looking for will be Indigo. But, the beauty today is solutions written in most of the current technologies will migrate quite nicely to Indigo later on (especially ASMX). Plus, those applications using current technologies (COM+/ES, Remoting, Web Services) will STILL work without Indigo in the future as well. That's great news for understanding how to put together applications today that will still be relevant in the future.


  • Threat Modeling Resource Page

    By way of Dana:

    "To protect your applications from hackers, you have to understand the threats to your applications. Threat modeling is comprised of three high-level steps: understanding the adversary’s view, characterizing the security of the system, and determining threats. The resources on [Microsoft's] page will help you understand the threat modeling process and build threat models that you can use to secure your own applications."

    - Taken from Microsoft's Threat Modeling Page