Robert Hurlbut's Blog

Thoughts on .NET, Security, Architecture, Agility, and Databases.

August 2005 - Posts

I am in Redmond (on the Microsoft campus -- first time) for Wintellect's Devscovery conference this week. I unfortunately missed my flight on Monday night, but arrived mid-day on Tuesday. I am impressed with the campus -- you don't really get a sense of what it is like until you get here! I have seen pictures, but nothing compares with walking around from building to building (today, it is shuttle time). I had a mini-tour with my friends Ernie Booth (and his wife) and Aaron Weiker (two recent Microsofties) last night after a great Italian dinner. It is something to see these buildings and know that tools and OSs I have worked with for nearly my entire career (19+ years) were built right here.

I attended Jeffrey Richter's "Exception Handling" and "Hosting, AppDomains, and Reflection" talks yesterday afternoon. This is great stuff. Much of the second talk is what I have spoken on at other conferences before (more specifically, how to further isolate and secure AppDomains through security policy). I also met Jeffrey personally; it was great to hear a larger perspective from someone I had learned a great deal from his books. For the rest of the conference, I will check out John Robbins' sessions on testing and debugging and Jeffrey Richter's threading sessions today, and some of the other database, ASP.NET, and security talks on Thursday. The next Devscovery is in April, 2006 in New York. If you have a chance, you should go. Well worth it.

Posted by RHurlbut | with no comments

Nigel Watling (great start of a blog, by the way -- subscribed! RSS) has a very nice summary of some material on developing as a non-administrator and writing least privileged code. Andrew Duthie particularly liked this quote:

The idea of least privilege is to limit the damage done by accident, error or attack. It’s quite simple: the more privileges a process has the more havoc it can wreak on your machine.

During Mark Russinovich’s entertaining and insightful malware talk at TechEd EMEA he admitted to accidentally downloading some spyware (which proved remarkably obstinate to remove). When Mark asked the audience who personally had been infected by malware, almost the entire room (~700 people) raised their hand. I have to admit I was surprised. If someone as smart as Mark Russinovich gets infected then what hope is there for the rest of us? The numbers in the room provided ample evidence: not a lot!

I like it too! But, I especially liked his last sentences:

How you write your code can affect the experience and the security of many people and, what’s more, they are your customers. Be nice to them.

That is, or really should be, the bottom line. We as developers develop software sometimes for ourselves, but most profitably for our customers. Sure, we can take the easy road and develop while running as an administrator and ignore the rules about where to put files and what registry settings we can touch. But, what service is that really providing to our customers? What happens when they take your software and run it in a least privileged environment (i.e. they run it as a normal user)? What happens when they are restricted from writing to "Program Files" (for whatever reason, I have no idea!) and get a popup that says "You must be administrator to run this application"? At some point in the near future, it means they stop buying and using your product. Period. How is that for the bottom line? Learn it, live it.
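As an added example that is not part of this post or of Nigel Watling's material, here is a small C# console program showing the file and registry placement the post is getting at: per-user state goes under the user's profile and HKEY_CURRENT_USER (both writable by a standard user), and a failed write into the install directory under Program Files degrades to the per-user location instead of demanding administrator rights. The vendor and product names, the directory layout and the setting names are placeholders, and the administrator check is there only for diagnostics, not to gate functionality.

```csharp
// Added example (not from the blog post): keeping an application usable
// when it runs as a normal, non-administrator user. Names are placeholders.
using System;
using System.IO;
using System.Security.Principal;
using Microsoft.Win32;

static class LeastPrivilegeSettings
{
    // Placeholder identifiers; a real product uses its own.
    const string Vendor = "ExampleVendor";
    const string Product = "ExampleApp";

    // True only when the current token holds the Administrators role.
    // Useful for logging; ordinary features must never depend on it.
    public static bool IsRunningAsAdministrator()
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        return principal.IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Per-user, always-writable settings folder:
    // %LOCALAPPDATA%\ExampleVendor\ExampleApp, not the install directory.
    public static string GetUserSettingsDirectory()
    {
        string baseDir = Environment.GetFolderPath(
            Environment.SpecialFolder.LocalApplicationData);
        string dir = Path.Combine(Path.Combine(baseDir, Vendor), Product);
        Directory.CreateDirectory(dir); // no-op if it already exists
        return dir;
    }

    public static void SaveSetting(string name, string value)
    {
        string path = Path.Combine(GetUserSettingsDirectory(), name + ".txt");
        File.WriteAllText(path, value);
    }

    // Per-user registry state belongs under HKEY_CURRENT_USER; a standard
    // user can write there. HKEY_LOCAL_MACHINE is left to the installer.
    public static void SaveRegistrySetting(string name, string value)
    {
        using (RegistryKey key = Registry.CurrentUser.CreateSubKey(
                   @"Software\" + Vendor + @"\" + Product))
        {
            key.SetValue(name, value, RegistryValueKind.String);
        }
    }

    // The failure mode from the post: a write into the install directory is
    // refused for a standard user. Instead of "You must be administrator",
    // the program falls back to the per-user folder and keeps working.
    public static string WriteLogWithFallback(string installDir, string text)
    {
        string preferred = Path.Combine(installDir, "app.log");
        try
        {
            File.AppendAllText(preferred, text);
            return preferred;
        }
        catch (UnauthorizedAccessException)
        {
            // Expected when installDir is under Program Files and the
            // process runs as a normal user.
        }
        catch (DirectoryNotFoundException)
        {
            // Install directory absent (e.g. run from a different location).
        }
        string fallback = Path.Combine(GetUserSettingsDirectory(), "app.log");
        File.AppendAllText(fallback, text);
        return fallback;
    }

    static void Main()
    {
        Console.WriteLine("Running as administrator: " + IsRunningAsAdministrator());

        string stamp = DateTime.Now.ToString("o");
        SaveSetting("LastRun", stamp);
        SaveRegistrySetting("LastRun", stamp);

        // Placeholder install path under Program Files to exercise the fallback.
        string installDir = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles),
            Path.Combine(Vendor, Product));
        string logPath = WriteLogWithFallback(installDir, "started " + stamp + "\r\n");
        Console.WriteLine("Log written to: " + logPath);
    }
}
```

Run as a standard user the log lands under the user's local application data folder; run as an administrator it lands under Program Files, and the program behaves the same either way, which is the point: nothing the user does day to day requires elevation.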

Posted by RHurlbut | 2 comment(s)

Shawn Farkas has posted an excellent summary of the newest features and changes for Security in .NET 2.0 on his blog. He also links to Keith Brown and Dominick Baier for their lists and resources as well. All highly recommended.

I will be presenting the newest security changes in one form or another at several upcoming conferences: New England Code Camp 4, VSLive! Orlando, and Heartland Developers Conference 2005.

Posted by RHurlbut | with no comments

[Found by way of Christian Weyer]

Finally here: thinktecture’s Ingo Rammer and Richard Turner from Microsoft have published articles on performance comparisons of distributed application technologies

Performance of ASP.NET Web Services, Enterprise Services, and .NET Remoting

System.Messaging Performance

This is great stuff! I especially like the treatment of System.Messaging (which wraps MSMQ), as there hasn't been enough written about this great tool, and especially nothing (as far as I know) about metrics for it.

This is a very interesting article from Microsoft Research that describes a method they use(d) to find web sites that exploit browser vulnerabilities, including zero-day exploits. It is called "Automated Web Patrol with Strider HoneyMonkeys". This reminds me of the Windows Honeypots book I read, as the researchers are cleverly using multiple virtual machine images with various patch levels plus known exploit signatures and other methods to find the exploits.

Posted by RHurlbut | with no comments

I am putting this here as a nice placeholder (for myself and others):

The patterns and practices folks have just updated their list of Security-related "How-Tos"

http://msdn.microsoft.com/library/en-us/dnpag2/html/SecurityHowTosIndex.asp [found by way of Michael Howard]

Posted by RHurlbut | with no comments

G. Andrew Duthie made an announcement this morning about another Mid-Atlantic Code Camp, set for Saturday, October 29. This one will be focused exclusively on Security. Looks like a great potential list of topics:

  • Authentication and Authorization
  • Protecting Secrets
  • Threat Modeling
  • Web Application Security
  • Windows Application Security
  • Database Security
  • Code Access Security
  • .NET Framework Security Classes
  • Security Frameworks (Enterprise Library, ASP.NET 2.0 Membership, etc.)
  • Best Practices
  • Worst Practices

Vote here for your favorites.

Posted by RHurlbut | 2 comment(s)

This is a follow-up to an earlier post on the new book 19 Deadly Sins of Software Security. I received this in the mail last night (it was pre-ordered) and I can't put it down! It is a small book and can be read through quickly. But don't let that fool you -- it is packed with lots of great information. This is the kind of book you wish every developer you know would read. Hopefully, lots of software shops will make this required reading for all their developers.

Posted by RHurlbut | with no comments

This is a follow-up to my talk to the New England VB Users Group a week ago. I have placed slides and code on my site for my talk on VB.NET 2.0 Language Changes. I spoke mostly about "My" and Generics, plus a few other new items (i.e. Using statement, operator overloading, etc.).

The talk took me a little out of my normal topics, but it was fun and there were lots of great questions. The audience was mostly those using either VB6 and/or VB.NET 1.1 off and on. One resource I mentioned, and highly recommend, is this FREE book called Introducing Visual Basic 2005 for Developers (co-authored by Derek Hatchard). Also, be sure to get the FREE Refactor! tool by Developer Express if you are playing with VB 2005 Beta 2.

Posted by RHurlbut | with no comments

I mentioned a few months ago I had to postpone some time I set aside for Wintellect's Devscovery training in Washington, DC in May to go instead to Redmond at the end of August (Aug 28-Sep 1). I am all booked and very excited to go. This will also be my first trip to the Microsoft campus, so I am looking forward to that aspect of the trip as well.
