Setting up Win7 Beta

The Windows7 Beta seems to use drivers from Vista, so I am having trouble setting it up on an older test machine which currently runs XP. It will not recgnize the audio or ethernet hardware!

App.Config problems

I am having curious problems with an old app that uses the WebClient class. When I try to add an App.Config file the WebRequest fails! If I remove the App.config, then it works again. I haven't been able to figure this out yet.

(Blogger has been failing while I try to post today - Error code: bX-qmyy22).

So, to recap, I was trying to add the App.config to use it to load various lists of items to go into list boxes and other settings. Hence I checked out the use of AppSettings and custom Configuration and Dynamic Properties, and so on. But they all do seem to be rather labored constructions, so I think I will abandon the App.config and instead use custom files. Rocky Lhotka gave a presentation in 2004 on the use of local storage for storing user settings, which I will look at again. It can still be found at his website

Posting again

Decided to start posting here in public again.

Topics I could fill in on, over the past year cover a lot of Windows configuration issues - especially security related ones. As to programming, the new .NET stuff of most interest is probably LINQ. But I have been doing more shell programming and will put up some notes about it.

Along the way I have found a lot of useful utilities...

Disk and File management utilites:
Bulk Rename (recommended by Scott Hanselman)
DU.EXE by SysInternals guys now at Microsoft
FolderSize - freeware by a curmudgeonly Brian Oraas at foldersize.sourceforge.net

Multiple great utilities by Nir Sofer @Nirsoft.net:
Particularly his terrifc RegScanner utility. I've never seen anything like it!
Boy does it run fast. And you can restrict searches in a multiplicity of ways.
There was a command line registry grep tool, but I've lost track of it.


And regarding security the standard Microsoft utilities...
CACLS.EXE, XCACLS.EXE, and especially SUBINACL.EXE.
I have had to become pretty familiar with these to keep running LUA.

Time to upgrade to Vista?

I've been having lots of problems with my XP-SP2 machine.
Most recently cannot install IE7. Looks like its related to the way I have the machine locked down.

Earlier the machine seemed to be really bogged down. Turns out that was because the System Restore service was running against an external harddrive on a USB port.

Problems running MS Office under LUA

The past month I have spent a lot of time trying to correct problems introduced when I installed MS Office 2003 Professional from CD onto a machine running fully updated XP Professional.

The main problem is that Windows Installer is automatically launched when you start any Office program, or Internet Explorer, if the account does not have admin privileges. This is quite irritating and frustrating, amd my efforts has been quite tedious and frustrating too. I did a lot of searching online at both Microsoft and elsewhere, and posted on some forums without luck.

Extending IE - links and thoughts

I started writing some extensions to IE, based on MSDN articles, back in 2000 and refined them in 2002. Those primarily used the context menu tips shown in MSDN and the KBase.
The main article is "Browser Extensions" under Web Programming at MSDN.
How to add to the standard context menus of the WebBrowser control

Now I am looking at this again and have found how to add items to the tools menu after seeing some keys in the registry. This is discussed in Adding Menu Items under the above section.
I copied what is done by a 'search related' add-in for MSN does. You need to put a custom GUID under HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
I see on this machine than along with the MSN search one, there is also one from Sun for the 'Sun java console'. It has a special dll which it launches.

They both have a CLSID entry which points to shdocvw.dll as inproc server.

Some other links of interest which I have found now are:
Extending the IE Context Menu at The Old New Thing blog - has some other tips

New LUA stuff

MS articles on LUA that I recently came upon (partly from Mike Howard here)


http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp

Gaming with Least-Privileged User Accounts

VISTA RELATED
Developer Best Practices and Guidelines for Applications in a Least ...
(subtitled "Uderstanding User Account Protection in Microsoft Windows Vista Beta 1")
Privilege-elevation APIs

This blog finally restored

Well, Blogger eventually restored this blog after their webbot had disabled it sometime in March. It took me a long time to figure out how to get through to them. The links posted in the various support/help pages did not give any email address to contact them, so I posted in several feedback fora. And, as I indicated above, someone in support eventually responded and after checking this blog re-enabled it. Fortunately for me, all the content was apparently still there, and became visible after I republished.

I must say this was rather disturbing. I was worried about losing my work here and irritated that they simply disabled the site without sending me ANY notification!

Running LUA - Tricks and Talk

Some observations on my further experiences running LUA.
Traditionally I have always installed custom utilities into a root\utils directory. I have done this for years ( since 16-bit Windows) for several reasons - I know where they are, which makes it easy to see which are installed and to copy them between machines, and with one short path it can be added to environment execution path without a lot of overhead. I have always disliked the "Program Files" directory because it does not conveniently meet those requirements. And I particularly dislike the fact that it is a long name with a space in it. That was a problem for some time after it became the standard when trying to install old, often 16-bit software, which didn't handle the space.
But now that I am thinking more about security I am choosing to install more software into ProgFiles. So I am now discovering the problems that leads too with certain software. Some programs seem to write local data back to their execution dierectory without option to change it. They don't run correctly without access to those files in ProgFiles. I discovered this with one app I installed under the Admin logon. But then tried to run under a limited logon. I wasn't sure whether the problem was inability to access the registry or files, so thought about granting full rights to its directory to users who need it. But instead I found that by launching the app while running under my limited logon with elevated privileges the app sucessfully created the needed data files with my limited logon as owner. Then when I went back to run the app with the normally limited logon it I find that the app now has enough permissions to use those files as needed without granting me extra privileges to that directory. That is a pretty clean solution.

There have been a lot more references talking about running LUA lately. I will try to find them.

What's up

Lot's of interesting reading, but I didn't post since I had lost the password for a while.

I have been reading/working Ron Jeffries book "Extreme Programming in C#". I find it interesting and helpful. It has been a pretty good way to try TDD, which I haven't used much in my own work. Another theme is evolving the codebase in a natural way using regular refactoring. I have always done a lot of refactoring without knowing it had a name (a la Monsieur Jourdain) so I do enjoy watching him change the code in a natural way.

One useful thing I note is related to his YAGNI ('you aren't going to need it') principle. I sometimes get hung up trying to build a more general design than is currently needed, especially since I have found it hard to retrofit projects when additional functionality required late in a project. In particular, I once got hung up on the same capability that he has trouble with in the last chapters of his book - to wit, an Undo feature. He firmly believes that it is better to keep building continually usable software with limited functionality than to push for a complete project with full functionality that extends the development timeframe.

More to come...

Update on Using Collections - Now we have Generics

I am still mostly using VS2003 and have learned more about how to use the different collections in the FCL, but now we have generics in .NET 2. So it is time to learn about them. Ken Getz wrote a column in MSDN Mag "Being Generic Ain't So Bad" discussing their use in comparision to writing custom wrapper classes.

There is reference article Defining and Using Generics in VB 2005 at MSDN

Blogs to Track

List some more sites to track. I have been using Bloglines upon the suggestion of Jeff Key, but at last night's Nerd Dinner he said he has switched to the Google feed aggregator. I will have to look at it. In the meantime, add these to Bloglines (which is not responding just now).

http://geekswithblogs.net/sabotsshell/Rss.aspx
DotNetSlackers itself aggregates articles about ASP.NET "for Lazy Developers"
Dr Dobbs Journal
Mike Gunderloy's Larkware which everyone said they read regularly

more on Securing Windows

Internet Security Guide at Firewall Guide website is full of pretty good info.
Tighten Microsoft Windows to Improve Security is a checklist there.
Checklist for Securing Windows XP Pro at Lawrence Berkeley Nat'l Lab is a fine article, written for internal users it is probably a little advanced for standalone home users.
Securing Windows XP (Sep 2005) at TweakHound - a link from above.
TweakHound also has some other helpful articles such as these:
Windows XP Backup Strategies For Home Users
What Do Those XP Services Do?

Amazon brings back Gold Treasure Chest

I used to make a lot of purchases at Amazon from the gold treasure chest at the top right which offered special discounts on a list of items they think appeal to you. Then last year it seemed to have disappeared. Now I see it is back, and improved. Now you can hold on to one item while you step through the whole list, thus avoided the anguish of the 'optimal stopping problem'. I think they might suck me in again, except that the extra discounts seem to be quite minimal compared to my recollection of the past offers.

Beta Microsoft MCP Exams Offered

The latest MSDN Flash is shows an offering of Beta exams for MCAD and MCSD for a one month period starting around Valentine's Day:

Beta Exam Invitation for MCAD and MCSDs

February 13 - March 12

• MCAD Exam 70-552 - Upgrade: MCAD Skills to MCPD Windows Developer
  by Using the Microsoft .NETFramework (use promo code 552BTA)
• MCSD Exam 71-553 - Upgrade: MCSD Microsoft .NET Skills to MCPD Enterprise ApplicationDeveloper by Using the Microsoft .NET Framework - Part 1 (use promo code BTA553)
• MCSD Exam 71-554 - Upgrade: MCSD Microsoft .NET Skills to MCPD Enterprise
  ApplicationDeveloper by Using the Microsoft .NET Framework - Part 2 (use promo
  code UPG554)

These free beta exams will count toward certification in the same way as the final version of the exam.

Interesting Finds after Nerd Dinner

We had a Nerd Dinner last night, and Brian Beatty and others mentioned some interesting sites, particularly 43 this and that. I've been surfing these a bit this morning and came upon these "Interesting Finds" (a la Jason Haley):

Google Blogscoped by Philip Lennson - lots of articles critiquing Google, esp on censorship.
Cool Tools by Kevin Kelly is full of descriptions of fascinating tools and books. Really NEAT.
DotNetSlackers

Feline Cranial Protection link from Eric Gunnerson's blog

More to come...

'LUA' name changes to UAP, then UAC

Apparently the Vista team has a new name for the functionality we have been referring to as running LUA (Least-Privilege User Account). First they went to User Account Protection and more recently to User Account Control. Those are certainly an improvement over LUA. The team working on this has its own blog, now at http://blogs.msdn.com/uac, and there is a new overview posting there called 6 User Account Control Windows Vista Policies

IE's "Mark of the Web"

Researching the Blocking issue I came upon the "Mark of the Web" feature added to MSIE following the release of XP-SP2, which locked down the local_machine URL security zone.
How the Mark of the Web Enhances Computer Security

Because the Local Machine zone has so few security restrictions, active HTML documents running on the local machine have access to the computer's entire file system. The MOTW aids Internet Explorer in protecting the user from the risks of running these documents in the Local Machine zone. By referencing the MOTW, Internet Explorer can force these Web pages into a zone that has more restrictions, such as the Internet zone. At the same time, the MOTW cannot
be used to elevate Web pages to a zone with fewer restrictions. Forced out of the Local Machine zone, the active content has no access to the computer's file system. Note Windows XP SP2 applications—including Internet Explorer 6—that take advantage of the Local Machine Zone Lockdown security feature run in an even more restricted environment than the Internet zone. Additionally, cross-domain requests both to and from the active HTML documents fail, so
that code running from these Web pages cannot access the user's hard drive.

That makes sense, but it seems to contradict the explanation below by Dave Massy on the IEBlog, which I find a little confusing. I don't seem to be the only one, based on the comments to his posting (see "There does seem to be a some continued confusion around the LMZ lockdown").

I have not tested the functionality yet myself to see if I can figure it out, but I did notice that this box has only one file with that tag in it.

Here are some discussions of this:

Mark of the Web posted in March 2005 at the IEBlog by Dave Massey of MS
Tricks with Mark of the Web: Behaviors, XML files at Adi Oltean's(MSFT) AntiMail weblog
This UK site has good discussion of the issues surrounding the LocalMachine zone.
Changes to Functionality in Windows XP Service Pack 2 - Part 5: Enhanced Browsing Security

Unblock CHM files after patch for MS05-026 - Vulnerability in HTML Help

I have been running Mark Russinovitch's ProcessExplorer utility on several machines which are fairly well locked down and the help details pain has not been displaying. After trying a lot of security related fixes I could think of I finally googled it and found that a recent patch added a new feature to block HTML files which came from outside computers. When you look at the properties of the file in Explorer an option to "Unblock" will appear if it is blocked. Checking that fixed the problem. The same problem arises when you try to open the file directly. Then a dialog titled "Open File - Security Warning" appears and warns about the danger of proceeding. It gives the option to uncheck - "Always ask before opening this file" - which does the same thing as 'Unblocking'. I found that while running as a limited user I could check those boxes but it had not effect, so I had to make the change while running as Admin make the Unblock effective for all users. Thus I conclude, that while I don't know exactly what information is stored to control this, but that it seems to be applied on a machine-wide basis, not per user.

The following bulletins and KB articles from MS address this issue:

• You cannot open HTML Help files from Internet Explorer after you install security update 896358
• 896358: MS05-026 - A vulnerability in HTML Help could allow remote code execution
• INFO: Executing Files by Hyperlink and the File Download Dialog Box

Update:

It appears that this behavior is controlled by something called Persistent Zone Identifier. There is a fair amount of documentation of them on the MS site (Persistent Zone Identifier Object), but surprisingly little discussion in blogs. Here is one example referencing from Internet Explorer7 Bugs at Channel9:

HTML Help doesn't work
When I try to view a chm help file that has been downloaded from the internet, the help browser loads about:blank rather than the help page. This happens when the chm file has what I think is called a persistent zone identifier associated with the file (on NTFS - when I double-click the file, I get a security warning before launching). If the file does not have the identifier (removed via Properties->Unblock) the help page is correctly displayed.

Changes to Security Zones in MS Internet Explorer Version 7

There was a post in December describing how zones will work in the new version, along with some discussion of how the current version handles them.
Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)

It has recieved extensive comments, not all of which I have read yet. One theme among them is that the zones are not effective, so why bother. But they seem useful to me and the most disappointing thing that I notice is that they apparently have not added any new zone between ran Internet and Trusted. That is what I want, and have created on my machines.

Some excerpts:

The My Computer Zone is locked down as of IE6 for XP SP2; the changes in IE7 continue our trend to run the browser with more secure default settings.

Because security zones allows more power to some websites, zones also open the possibility of zone-spoofing attacks: if there is a flaw in IE’s zone detection logic, a malicious website could try to run in a less restrictive security zone than they should run in. With URL parsing and other improvements in Windows XP SP2 and IE7, we have helped to ensure this doesn’t happen.

More on Running LUA

Still trying to run and develop as a limited user. Keith Brown, following someone else, references work done by Ziff-Davis and discussed in an eWeek article which shows the safety advantage of running as a normal user versus Admin or even Power user! Only the base limited user was largely immune from infection by viruses when they surfed the web extensively. They don't indicate what kind of prophylaxis they used for their web browsing however.

Addendum to some earlier posts
I have tended to run devenv.exe (Visual Studio) as an Admin, but one can develop local WinApps with a limited account as long as you make sure that account has the proper rights to the target source directories and any needed data file directories. Setting those up on a non-domain machine can involve setting the rights at a granular level, and normally this is not available in the Windows Explorer GUI when simple file sharing is enabled.
But you can use the NT command line tools for setting ACLs (Access Control Lists) - CACLS.EXE (NT) and XACLS.EXE (Support Tools). They are a little arcance but do the trick. One thing you have to be careful of is not use the /G or /P options with out /E, or else you remove all existing rights.

As to managing the localgroups, I never listed the UI tools for changing them in my post CCS User Group Presentation where I showed the appropriate command lines. There are several GUI programs that allow you to manage users and local groups:
Running "control userpasswords" gives you the rather dumb User Accounts dialog in Control panel. Running or "control userpasswords2" gives you a smarter, more granular tool to manage users, including specifying their group membership. Finally "lusrmgr.msc" is an MMC plugin which provides a full powered GUI tool to create/manage local users and groups.

It is worth noting that Power Users seem to have the power to add users to the Admin group, hence one reason that it is not really a safe level of operation.

Tip on using Google as a Free Proxy

Came upon an interesting tip at a site called Tech Resource, a community site based in India, which has several sections including one where at least one programmer from google posts about what they are doing. The article, Use Google as a Free Proxy, shows how you can use google to access a page from a site that would otherwise be blocked.

CNUG Downtown Chapter meets at IMG

The opening meeting of new downtown chapter of CNUG met at IMG's new office at 200 West Monroe on Tuesday night. Marc Gusmano gave a helpful presentation covering many aspects of enhancements in ASP NET 2.0 and in VS2005. He pointed out some interesting tricks in the IDE as well as the the underlying platform. The meeting was very well attended (over fifty people) and there was considerable audience interaction. The meeting was generally quite successful. The only problem was that the display was projected against a wall which made it somewhat dim and discolored, as well as rather small. I look forward to more meetings there.

Using Collections in .NET [UPDATED]

How and when to use the various collections and other aggregators or an array has been an ongoing question for me. There is/are a variety of classes in the FCL which provide collection-type containers. How do you decide which to use when? Here are some references I have found helpful. But no conclusions yet.

I think the discussions are good in the books of Francesco Balena, Jeff Richter, and others:
Authors I like include Ken Getz and Paul Sheriff, but I don' find articles by them on this.

Articles I have found:
Scott Mitchell has some articles at his 4GuysFromRolla site:
Chapter 2 (from his ASP.NET: Tips, Tutorials, and Code book) compares 5 types of collections: ArrayList, Hashtable, SortedList, Queue, and Stack. After discussing each one individuality he shows their similarities and demonstrates the use of the IEnumerator interface to access them.
Specialized Collections is a useful article at MSDN.
Not to mention his series An Extensive Examination of Data Structures at MSDN.

Related Blog Postings:
Collection classes and behavior by Yves Reynhout
Article: OOP and Security sometimes go hand in hand by Tobin Titus

The new version 2.0 of the Framework will apparently extend the functionality of collections. Obviously the availability of generics is significant; plus some new extensions to the actual object collection classes. No refs yet for them.

CodeSmith by Eric Smith may be a good way to generate code for collection classes. http://www.ericjsmith.com/codesmith/default.aspx

[Original post 5/15/2005]
Delegates in C# vs VB.NET down to the IL

C# posts on several topics

I know the answer (its 42) is "Abhinaba's blog on C#, Team Build (VS Team System), and all other things". It has a number of interesting posts with numerous comments.

C#: Anonymous methods are not closures, led to extended and interesting discussion.

C# : Enum and overriding ToString on it:

His introduction:
"I saw two posts on Enums today on Eric Lipperts and Chris Rathjen's blog. Enums are significantly different from the other types and people run into unusal problems while working with them. "
He discusses the issue I have faced:
"This is a common issue that comes up frequently when you want to show values in reports, web pages, XML where you want to put in human readable text for enum values. Commonly people use non-generic solution of maintaining arrays of these descriptions and get text out of them by indexing using the enum value or some other things like storing it in a hashtable and using the ToString value as the key to get the desciption out."

Internet Wayback Machine

Checking into iPodder and other podcasting tools I came upon articles about a feud between Dave Winer and Adam Curry. This led eventually to some article posted on the "Internet Wayback Machine". That is a terrific site which has been taking snapshots of websites since 1996.

About the Wayback Machine
Browse through 40 billion web pages archived from
1996 to a few months ago. To start surfing the Wayback, type in the web address
of a site or page where you would like to start, and press enter. Then select
from the archived dates available. The resulting pages point to other archived
pages at as close a date as possible. Keyword searching is not currently
supported.

More on Xi-Soft Netransport to download webcasts

How to download Microsoft webcasts posted September 2005
References the original post by Georgeo Pulikkathara from 2004:

Is Microsoft going to an Open Standard for Office File Format

The news has carried stories that Microsoft is going to submit the document file formats in the forthcoming Office 12 to ECMA as an open standard. Here is an interesting post on the subject:

Microsoft ECMA/ISO move could give Office formats new lease on life by ZDNet's David Berlind -- I'm trying to grab a few vacation days here during the short week. But the news that Microsoft is looking to establish its Office XML Reference Schema (the new file format for it's Office productivity suite) as an International Organization of Standardization (ISO) ratified standard has pulled me out of hiding for at least one [...]

Local Microsoft Events in November

There have been plenty of Microsoft events locally this month. The biggest may have been the VS2005 Launch Event. It was good to see Rocky Lhotka again, and chat with him in the Q&A booth. He is anxious about the impact of offshoring.
The last talk, (by Tim Landgrave?), on using the Component Application Block in Smart-Client apps showed stuff I had not seen before. And it finished with a BANG when he blue-screened!

CNUG had another Day of .NET on Saturday the 12th, just two days after the launch event. Pretty good turnout (>200) but somewhat disappointing lineup of speakers. The highlight for me was a talk on AJAX (even though Joel Spolsky and others enjoy pointing out that there is nothing new there).

Wednesday night "The Scripting Guys" (Dean Tstatas & Peter Constantino) were in town, and gave a good presentation. They have a great web site at Technet. Sample resource script.

Cross-Site Scripting and Tracing

Reading about WinINet I came across a "HttpOnly" attribute for cookies that Microsoft added to IE6 in SP1 (Note there is no hyphen in the attribute name).
That led me to some other good articles about cross-site scripting.
Mitigating Cross-site Scripting With HTTP-only Cookies
Scott Hanselman blogged about it over the summer, but I missed it then.

And to an article that uses the TRACE function as a technique to circumvent this attribute.
I don't know whether it is common to turn off the TRACE functionality on IIS servers.

Jeff Prosise wrote and lectured on website hacking during 2004. He came to Bloomington(IL) as part of an INETA-sponsored tour a year ago. I guess I wasn't blogging then, so I didn't post about his presentation, but other user groups and bloggers (Robert Hurlbut) have posted summaries and his sample code. Jeff wrote Stop Cross-site Scripting Attacks in their Tracks in ASP.NET Pro Mag in 2003 (subscription only) and on Foiling Session Hijacking Attempts in his Wicked Code column in MSDN Mag for August 2004 and

==============================================
Other topics:
Where is that artcle about script reading the clipboard?
--------------------------------------------------
Retrieving Data using Script

Audio Encoding - Tools and Quality tests

HydrogenAudio is an excellent resource for information on audio technology it has active forums and a useful wiki (which I found through Wikipedia).

It points to several sites which describe comparison tests of different sound systems:

ABX Double Comparator at ABX Company site of David Carlstrom.
Roberto's public listening tests page has some samples and results of encoding.

Newly found tools

• MonkeyAudio for lossless compression.
• MediaMonkey as a general tool.
• MP3Tag just for tag editing.

Sites with lists of tools

• free-codecs has a lot of codecs
• mp3-converter.com has even more stuff, and is better organized

Interesting web sites

Searching the web after the Nerd Dinner last night I came upon some sites of interest:


http://www.programmableweb.com/

Speaking of Mapping

Yahoo has released their mapping update to compete with maps.google.com and VirtualEarth.msn.com. It looks appealing, but I tested a somewhat odd address that is a restaurant in a shopping mall - "44 Yorktown Convenience Center, Lombard, IL 60148". Only google got it right. And it got it JUST right. Impressive.

On the other hand, google, and the others emphasize their money making local links, which diminish the useful size of the actual maps. Sometimes the google map is full width, and sometimes restricted by local lists on the left. It is tough to figure out how to get the full width map.

Chicago Nerd Dinner - Nov 15, 2005

We had another enjoyable and educational evening last night, as organized by Jeff Key and Ryan Rinaldi. Also in attendance were Brian Beatty, Brian Scott, Chris X, Rob X, and I. Eric was only there in spirit. Jeff raffled off the tools package from JetBrains which was won by Eric.

We had a wide-ranging discussion. Here are some of the questions and topics which came up that have stuck with me.

Web sites and services:

• Amazon's new "Mechanical Turk" web service pays humans a (very) small fee to perform simple tasks (HITs) which are hard for computers. Very creative. They reference an article at Business Week.
• 37signals.com is an ASP which provides inexpensive organization, collaboration and management tools for small business and individuals. It is built using the "Ruby on Rails"(RoR) framework, which has been getting attention lately. eWeek has a good article on RoR and they also have an interview with its creator, David H. Hansson. There was extended discussion of it, which I missed since it was at the other end of the table.
• http://www.writely.com/ is a web-based site for creating and collaboratively editing documents. It is also mentioned in Ten Blogging Hacks by Steve Rubel

Some other topics, issues:

FLICKR was bought by Yahoo last spring. It caused quite a stir back then, and more recently Wired has reported some resistance to its integration into the Yahoo superstructure.

Ryan was talking about a seminar by Juval Lowy at DevConnections, who he said was very instructive, if a little too full of himself, and about working with Clemens Vasters (whom I confused, thinking instead of Ingo Rammer, the .NET Remoting guru.)

Where, if anywhere is pluralsight based? Bill Williams, who is their administrative contact was, and I think, still is based in Massachusets. They do a lot of training in Redmond, WA. I guess the issue was where Ryan's blog reading went when he hit their server. Need to do one of those IP mapping requests to figure that out.

And there was also some discussion of whether there might be a new Internet bubble. I mistakenly confused Ted Neward with Dave Winer, who sold his weblongs.com site to Verisign earlier this year. Scoble blogged about it here in October. Verisign talked about it here. There is a good bio of Dave at Wikipedia.

More on Security and Running LUA

I have come upon some more references on this topic:

Aaron Margosis mentioned that running as a member of the Power Users group is just as dangerous as local admin. I didn't quite understand that, and have only recently found some more details on this issue:

Per Ostergaard discusses this in a "And I thought Power Users were a wise choice..." at his msgoodies blog.


Microsoft posted a KB article A member of the Power Users group may be able to gain administrator rights and permissions(October 2004) describing the nature and danger of putting users in the "Power User" group.


He found a reference at the "Hall of Shame" page at the threatcode.com site.


He also posts links to more details of the dangers of the "Power Users" group. There is an oldpost at Michael Howard's blog about kewl tools that has some good comments on the issue.

Margosis posts PrivBar Source Code

Aaron Margosis posted the long awaited source code for his PrivBar utility on Oct 13 and yesterday (10/27/05) has posted an update. I am about to try making the modifications I sought.

Audio Stream Capture

Here are some articles about capturing Audio Streams. This is something I have been trying to do since I found the great programming on BBC radio.



Wikipedia has quite a few good articles on digital audio encoding and decoding in different formats. Audio Data Compression is quite good, including a section on Lossless compression.


And it supplied some good references to other tools.

Swen's Weblog explains How to download Real Audio streams and convert Real Audio to MP3
He also writes about Lossless Compression with the Shorten (.SHN) format.
The eTree.org Wiki is also a good source on Lossless Encoding using Shorten or FLAC.

A Small SHN and MD5 FAQ by D & G Hamiltion is a widely referenced article (last update 2003). Sources he references have stopped updating and reference the Wikipedia article above.

Jeff Prosise on the ASP.NET Provider Model

Jeff has written a series of articles for Microsoft on the Provider Model in ASP.NET. He links to them at the Wintellect Wintellog. They are posted at MSDN. This is the parent article. They are quite helpful. I looked so far at the membership provider. He provides a simple, somewhat crippled (readonly) sample that uses an XML file datastore.

[UPDATE]
Dino Esposito has an excellent (as usual) article in the December MSDN Magazine on the new provider for the ASP.NET Membership and Profile API.

SECURITY - Cached data and Cookies

Brief article at CNET by a man from Checkpoint points out the danger of unencrypted files being cached on user's local PC. He also mentions data cached by search tools. Helpful warnings, but not much offered as a solution.

URL's, URI's and URN's

I just came upon an interesting post, URL Dogma, Ian Griffiths wrote at the start of his blog. It is about the design and implementation of stable, user-friendly web page addresses. He references a couple of good articles that state goals and describes problems achieving them with ASP on IIS. One reference is URL as UI by the esteemed Jacob Nielsen in 1999, where he interestingly predicted the demise of domain names within a few years!

The essay 'Cool URIs don't change' at W3.ORG Style is an iteresting dialog.

An article at Wikipedia, URI(Uniform Resource Identifier), explains the definition of URI and its relation to URL. URI's provide unique naming functionality as well as locator functionality.

Some newer posts on Non-Admin development

Not exactly new, but one Nigel Watling, a Microsoft Technical Evangelist, has posted a well stated essay on the privilege options for developers. He carefully lists and analyzes the options, discussing in detail the tools and techniques I have mentioned in numerous earlier posts. It is well layed out. I came to it from a posting by Robert Hurlbut on his blog. He has a number of good security related postings.

He discusses my preferred approach "Logging in as LUA and escalating privileges when required" in some detail and mentions at least one security hole I have ignored - the possibility of messages being sent from some process window to the window running with elevated or admin privileges. He makes reference to the various techniques and pitfalls, but does not detail them.

Interestingly he preferred choice would be FUS (FastUserSwitching), but of course it is not available in most work environs. I don't like it. I frequently want to have Internet browsing windows open on the same desktop where I am developing.

Notes from Pluralsight folks

Joe Hummel is doing another webcast series at Microsoft (Tuesdays at noon Chicago time).
It is

So checking out the Pluralsight blogs here are a few refs of some note:

Craig Andera mentions "Speaking of blogging things so I can remember them…"
and talks about working as a consultant versus teaching.

It looks like Keith did not update his password manager from the version I have.

New Security Links

After some time off, Microsoft security expert Jesper Johansson has posted a new article, How to Shoot Yourself in the Foot with Security, Part 1 -- by Jesper M. Johansson. It discusses issues surrounding the CIFS/SMB (SimpleMessageBlock) protocol defenses against man-in-the-middle attacks.

And, it looks like Keith Brown has posted a new version of his Password Manager program. I need to check it out.

more .NET links

Travis who? got attention at Wintellect's Devscovery.
He has some interesting posts at his 'Paraesthesia.com' site:
http://www.paraesthesia.com/blog/comments.php?id=597_0_1_0_C

Your Clipboard is Not Safe!

Joe Stagner has posted an illuminating talk in video form along with sample code which demonstrates how easy it is for javascript code to capture the contents of the Windows Clipboard. Of course this could be a serious risk if you use the clipboard to paste in long, complex secure passwords. I will have to check the code for Keith's password manager tool to see about adding a clear clipboard function after pasting. Or the Windows API direct typing.

Furl.net stores web pages

Here are some references I found through Google:

http://blog.contentious.com/archives/2004/06/22/10-cool-things-to-do-with-furl
Create Your Own Online Web Page Archive at searchenginewatch.
Furl - Saving Web Pages the Easy Way

Robots may threaten online Poker

There is an interesting article at Wired, "On the Internet, Nobody Knows You're a Bot" , and lots of posts related to the topic of robots that can play poker at online gambling sites.

• The Rise of the PokerBots at CodingHorror.com, which is a good .NET coding site.
• A page on the WinHoldem site emphasizes the importance of running with least privilege.

Task management software

Alex King has an interesting online or local package of software to manage tasks. And then lots of people are using the GTD (Getting Things Done) methodology of David Allen.

Security Alerts and Running NonAdmin

There has been a lot of news lately about malware exploiting the vulnerabilities Microsoft described with the patches they released last week.

Some article I read pointed me to this good site: Websense Security Labs

It has an example, "Malicious Website / Malicious Code: Phishing via Hosts File", which provides another good example of the dangers of running as local Administrator. If you run with diminished rights and with the NTFS protecting the Windows directory, then the hosts file cannot be modified by processes you launch.

USRobotics Modems

Iread this week that USRobotics was being sold to VC firm. Heck, I thought it was still part of 3Com. Turns out they had spun it off after holding it a few years.

There is a good article, "I remember modems", at Tom's Hardware.

He links to a good site: http://www.modemhelp.org