Archives / 2004 / July
  • Smart Client Architecture and Design Guide

    I agree with Klaus that Smart Clients need another look, as ASP.NET is not the only solution for UI deployment.  The P&P book Smart Client Architecture and Design Guide came out in PDF form this week, and I have been reading this with great interest.  Take a look:

    For myself, I can see several upcoming intranet projects that would better utilize Smart Clients than ASP.NET.  I am especially interested in ClickOnce and seeing how Code Access Security (CAS) will play a bigger part in developing secure applications.


  • Password information and passphrase advice

    As related by Sergey:

    Valery posted two interesting articles with some historical facts about passwords and the weaknesses of password schemes: Passwords. Part I - LM Hash and Passwords. Part II - NIX passwords.

    At the same time, Robert Hensing from PSS Security started blogging with Why you shouldn't be using passwords of any kind on your Windows networks. [subscribed]

    Also subscribed to Robert Hensing's blog -- looks like he is already off to a great start!


  • Have you been hacked?

    Have you or a friend of yours been hacked?  I am referring to the way an attacker can exploit your computer through a missing patch, or an open port that needs to be closed, and essentially now “owns” the machine.

    Dana Epp has posted a link to an introductory article that tries to answer the question “How do I go about seeing if I have been hacked?”:

    The guys over at Bleeping Computer have written a tutorial that will show you how to determine if your Windows NT, XP, or 2000 box is hacked and how you can go about cleaning up the files they may have left behind.

    The tutorial shows you how to detect most hacks, but there are other methods that will be much harder to detect and will require a greater degree of knowledge in detecting them. The author believes that most of the hacks that are done in mass, especially by the script kiddies, will be detectable through these methods.

    Dana lists the tools mentioned in the article for performing a simple forensic analysis on your Windows system:

    • Fport - Lists all open ports (think netstat-like)
    • TCPView - Similar to Fport, but graphical, and shows more info such as CLOSED connections (very important for post-analysis)
    • Process Explorer - A great tool from Sysinternals which shows parent/child relationships between processes
    • PSTools - A set of command-line tools used to open and kill processes, control services, change passwords, etc.
    • Filealyzer - Windows Explorer shell extension added to the right-click menu of a file

    This is great for your friends and family members who may be wondering and asking you this question.


  • Secure Coding slides, running as non-admin

    I have posted the Powerpoint slides from my Boston .NET Users Group presentation here on my website.  It is very similar to the presentation I gave to the Boston C# User Group in February, with a few modifications.  The presentation should also be on the Boston .NET User Group website soon as well.

    During the presentation, I asked the question “How many are running their development machines with a non-admin user?”.  Unfortunately, I got a few hands out of the 150-200 people in attendance. Some reasons given for why not were: 1) too hard, 2) not everything seems to work (development tools, etc.) while running as a non-admin. My thought is that more information needs to be made available about the whys, but also about how to run as non-admin.

    I will be speaking specifically on why and how to do this at WIN-DEV later this year.  In the meantime, go read Julie Lerman's summary of Don Kiely's excellent talk given this past Monday on this important topic. Also, read Aaron Margosis' excellent blog posts on this topic as well. The word is getting out there, but I still think more needs to be done.


  • Clemens on .NET Rocks this week

    This is one not to miss: Clemens Vasters on .NET Rocks this Thursday, July 15 [see more details]. 

    I want to talk about (guess what) Services. Not Indigo, not WSE, not Enterprise Services, not SOAP, not XML. Services. Mindset first, tools later.

    Sounds like a great show!  If you miss it, be sure to download the mp3 next Monday from Carl's site.

    Update:  Get the MP3 here.


  • Frank Swiderski talks about his Threat Modeling Tool

    [By way of Dana]

    Looks like Robert cornered Frank and videotaped him talking about his Threat Modeling tool, which I reported on back in May.

    The book he refers to in the video is actually CALLED Threat Modeling, which you can now order on Amazon. (Mine should be arriving any day now)

    If you want to understand how and why you should use this tool, check out the Channel9 video!

    As I mentioned previously, I received my copy of the Threat Modeling book and so far, it is excellent!  I will post a review this week sometime.


  • .NET Happenings around Boston

    A couple of .NET happenings in the Boston area:

    1.  Jason Haley organized the 1st Boston .NET Blogger Dinner, and now has organized the second one:

    Boston's 2nd .Net Blogger Dinner
    Are you in Downtown Boston and a blogger or developer? Do you read weblogs about .Net?
    The 2nd blogger dinner is going to be next week
    Date: Tuesday, July 13, 2004
    Time: 5:30 pm - 7:30pm - come any time
    Place: Elephant & Castle, 161 Devonshire Street, Boston, MA (see map)
    Sorry I missed the last one, but I plan to attend this one!
    2.  The new Downtown Boston .NET User Group is in the early stages of a website (with RSS feed)!  More to come!


  • Plus One

    For the C#ies:

    this.age++;  // = 36

    For the VB.NETer:

    Me.age += 1 ' = 36


  • Don Kiely on Least Privilege in Vermont

    If you happen to be in the Burlington, Vermont area next Monday on July 12, be sure to catch Don Kiely at the Vermont .NET Users Group (one of the best user groups led by the fabulous Julie Lerman) meeting from 6-9 PM. Don is speaking on a topic I am very interested in:  Security through Least Privilege.

    ASP.NET apps are server apps, and that means that you need admin privileges to develop them, right? No! In fact, developing apps on a machine where you have admin privileges can lead to some nasty security holes in your app! Least Privilege is one of the first principles of developing secure applications. But what does it mean? How do you do it? Why is it so critical? This session will explore how to develop apps that give the absolute minimum permissions to every user and login and still meet application and user requirements, as well as explore (gasp!) why developing without admin privileges on your development machine leads to much stronger and more secure apps. Least privilege is not easy to use or implement, but in this day and age it is the only way you and your users can have reasonable confidence in the security of an application.

    Too bad I am not in the area, though I did make the 5-6 hour trip last fall.


  • Jim Miller on TSS.NET

    For CLR wonks (and all others interested in the whys and hows of the .Net Framework), Jim Miller, best known as a CLR Architect and author of the book The Common Language Infrastructure Annotated Standard (a great book, by the way, if you want to read the ECMA specs that Jim Miller wrote in book form, along with annotations), has been interviewed on The ServerSide.NET by Ted Neward.  See the interview here.

    NOTE:  A transcript is available as well if you are not able to view the video.


  • Using SecureString now

    Have you heard about SecureString in Whidbey/VS 2005?  This was built to help solve some of the problems of storing sensitive and secret information in System.String:

    • It's not pinned, so the garbage collector can move it around at will, leaving several copies in memory
    • It's not encrypted, so anyone who can read your process' memory will be able to see the value of the string easily.  Also, if your process gets swapped out to disk, the unencrypted contents of the string will be sitting in your swap file.
    • It's not mutable, so whenever you need to modify it, the old version and the new version will both be in memory
    • Since it's not mutable, there's no effective way to clear it out when you're done using it [by way of Shawn Farkas]

    Hernan de Lahitte has put together a sample class that works in a similar way to SecureString for .Net 1.1.
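    The following is an added example (not from the original post, nor Hernan's or Shawn's code) showing the usage pattern that addresses the four problems above with the Whidbey/.NET 2.0 SecureString API: the secret is appended keystroke by keystroke so no System.String copy is ever created, handed to an API that accepts SecureString directly, and only decrypted into unmanaged memory that is zeroed in a finally block. The account name is a placeholder.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringDemo
{
    // Each keystroke goes straight into the encrypted SecureString buffer,
    // so the clear text never exists as a managed string that the GC could
    // copy around or that could be paged out unencrypted.
    static SecureString ReadSecretFromConsole()
    {
        SecureString secret = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace && secret.Length > 0)
                secret.RemoveAt(secret.Length - 1);   // mutable: no stale copy left behind
            else if (!char.IsControl(key.KeyChar))
                secret.AppendChar(key.KeyChar);
        }
        secret.MakeReadOnly();   // any later modification throws
        return secret;
    }

    // Only when code genuinely needs the clear text: decrypt into an unmanaged
    // BSTR, work on it in place, and zero + free it before returning.
    // (Marshal.PtrToStringBSTR would recreate the managed-string problem.)
    static int CountChars(SecureString secret)
    {
        IntPtr bstr = IntPtr.Zero;
        try
        {
            bstr = Marshal.SecureStringToBSTR(secret);
            int count = 0;
            while (Marshal.ReadInt16(bstr, count * 2) != 0) count++;   // UTF-16 units
            return count;
        }
        finally
        {
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr);
        }
    }

    static void Main()
    {
        Console.Write("Password: ");
        using (SecureString pwd = ReadSecretFromConsole())   // Dispose() zeroes the buffer
        {
            // Whidbey APIs that take SecureString directly never need a clear-text copy.
            ProcessStartInfo psi = new ProcessStartInfo("notepad.exe");
            psi.UseShellExecute = false;
            psi.UserName = "PLACEHOLDER_USER";   // placeholder account name
            psi.Password = pwd;
            Console.WriteLine("Read {0} characters.", CountChars(pwd));
        }
    }
}
```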


  • Speaking on Code Access Security to Downtown Boston .NET User Group on August 5

    Along with speaking at the Boston .NET User Group (at the Microsoft offices in Waltham, MA) on July 14, I will be speaking to the new Downtown Boston .NET User Group on August 5 at 5:30 PM.  This group started on July 1 in Boston, and is being held at the Adesso Systems offices.

    Rather than present the same topic twice, I will be presenting a general security overview for the developer in Waltham, and a more specific introduction to .Net Security in Boston with a look at Code Access Security:

    In unmanaged Win32 applications, the operating system authorizes access to resources based solely on who is running the program. In today's highly distributed, component-oriented environment, you need a security model based on what a given piece of code, a component, is allowed to do. .NET allows you to configure permissions for components, and to provide evidence to prove that the code has the right credentials to access a resource or perform some sensitive work. This talk will cover evidence, policy, permissions, and runtime enforcement (stack walking, etc.).  I will also show how to manage application security using the .Net configuration tool and programmatically.

    I have found that CAS is probably one of the most difficult areas in .Net Security to master, yet it will prove to be more and more important to understand for developing secure applications now and in the future (especially with Longhorn).  Don't miss it!
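    As an added illustration of the runtime enforcement mentioned in the abstract (example code written for this page, not material from the talk), the following shows a declarative and an imperative FileIOPermission demand and how the stack walk fails when a caller's frame has been restricted with PermitOnly, even though the assembly itself is fully trusted. The file path is a placeholder.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

class CasDemo
{
    const string ConfigPath = @"C:\placeholder\config.txt";   // placeholder path

    // Declarative demand: on entry the CLR walks every frame on the call stack
    // and throws SecurityException unless each caller has Read on ConfigPath.
    [FileIOPermission(SecurityAction.Demand, Read = ConfigPath)]
    static string ReadConfig()
    {
        using (StreamReader r = new StreamReader(ConfigPath))
            return r.ReadToEnd();
    }

    // Imperative demand: same stack walk, but the permission is built at
    // runtime from the argument, so only the requested path is demanded.
    static long SizeOf(string path)
    {
        new FileIOPermission(FileIOPermissionAccess.Read, path).Demand();
        return new FileInfo(path).Length;
    }

    static void Main()
    {
        // A fully trusted caller: both demands succeed.
        Console.WriteLine("Size: {0}", SizeOf(ConfigPath));

        // PermitOnly shrinks this frame's effective grant to UI permission only.
        // ReadConfig's demand now reaches a frame without FileIOPermission and fails.
        new UIPermission(PermissionState.Unrestricted).PermitOnly();
        try
        {
            ReadConfig();
        }
        catch (SecurityException e)
        {
            Console.WriteLine("Denied by stack walk: {0}", e.Message);
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();   // always undo the stack modifier
        }
    }
}
```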

    Update:  To try to reduce confusion, the official names of the Boston .NET Groups are as follows:

    1.  Boston .NET User Group (Waltham, MA)

    2.  Downtown Boston .NET User Group (Boston, MA)


  • SQL Express Beta 2 experiences

    Sam talks about his experiences with the new SQL Express Beta 2 Edition.  He is frustrated by the lack of UI tools (in particular, the publicized tool called “XM”), the lack of sample databases, and the lack of clear guidance on how to fully utilize the new database, especially for new developers looking at the Express product line.  As I mentioned on my SQL Server blog last week, I also got a chance to install SQL Server Express.  I also installed the other Express line of tools, and finally the full Visual Studio 2005 Beta 1 this past weekend.

    I first noticed that sample databases were missing.  This didn't bother me as much as others, as I have been in the habit lately of removing sample databases as per my reading of SQL Server Security.  My first test, though, was to add a new database.  Uh oh, no UI.  Fortunately, I also installed the C# Express tool, and started to use that to create the new database.  Unfortunately, I got this nasty error:  “Insufficient memory to continue the execution of the program.” Yuck. I also downloaded Visual C++ Express as well and tried that. Success!  I looked to file a bug, saw that it was already filed, and added my workaround. It turns out that the Visual Basic Express version worked as well.  Also, sqlcmd.exe can be used to do the same thing (through the command-line, of course).

    Now, having created a new database, try to delete that database.  Guess what?  You can't through the Express tools!  Plus, I found you can't through the full Visual Studio Beta 1 either!  How?  Through sqlcmd.exe again!

    I typically use command-lines daily with Oracle, but I thought this would at least be an improvement as Microsoft has produced some of the best UI tools for SQL Server over the last few years (with 7.0 and 2000).  Obviously, not all of this is done and ready (yes, of course, I know it is still a Beta product!).  But, I can imagine it would be very frustrating for new developers trying to work their way through these steps.

    In the meantime, get familiar with the sqlcmd tool.  I keep a printout of the commands near my computer at the moment.


  • Physics or CS?

    KC Lemson brought back some memories for me in her post on If you'd ever considered Physics over CS ...

    You might want to think again.

    (Side note: at one point, the team of people who were in charge of monitoring Microsoft's Exchange servers and investigating any issues found all had advanced degrees such as Ph.Ds in nuclear physics and the like. Yes, that's right - real rocket scientists.)

    How funny!  My own start was in Theoretical Physics and Mathematics, but then I switched to software development when I looked for work.  I spent more time outside of the labs than in, but this reminded me of some of my own experiences as well.  I especially liked this guy's conclusion:

    Going into physics was the biggest mistake of my life. I should've declared CS. I still wouldn't have any women, but at least I'd be rolling in cash.



  • Mono hits 1.0 target

    Mono hit its 1.0 target release earlier this week.  These guys have worked hard over the past few years and have made a lot of progress.  Congratulations to all on the team!