Tuesday, May 31, 2005

Tracing in dot NET

Well, I finally implemented instrumentation using the Trace class as well as the Debug class in an older WinForms app that I am updating. It is a good idea to do so, though I do have a few questions. Let's see...
RE .Assert vs .Write - I wish there were a way to write a single command that would log a message AND, under the conditions of an Assert failure, throw up the warning message. It appears that you have to write two separate statements, and if the Assert is triggered you get its message along with the trace logging message.
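One way to get the "single command" asked for above is to wrap the two calls in a helper, so each check is one statement at the call site and a failure is logged only once. This is an added example, not code from the post; the class and method names and the trace.log path are my own choices.

```csharp
using System;
using System.Diagnostics;

// Added example (not from the post). Instrumentation, Check and the
// log file name are assumed names, not anything the post defines.
public static class Instrumentation
{
    // Call once at startup so Trace output also goes to a file, in addition
    // to the DefaultTraceListener that .NET installs automatically.
    public static void ConfigureListeners(string logPath)
    {
        Trace.Listeners.Add(new TextWriterTraceListener(logPath));
        Trace.AutoFlush = true;   // write each line as it is produced
    }

    // Logs the outcome of a condition and, if it fails, also asserts.
    // Returns the condition so the caller can still branch on it.
    public static bool Check(bool condition, string message)
    {
        // Success: a normal trace line.
        Trace.WriteLineIf(condition, "CHECK OK: " + message);

        // Failure: Trace.Assert writes the message (plus a stack trace) to every
        // listener and, when a DefaultTraceListener with AssertUiEnabled is
        // present, shows the "Assertion Failed" dialog. Because the success line
        // above is skipped when the condition is false, the failure appears in
        // the log once rather than as two separate entries.
        Trace.Assert(condition, "CHECK FAILED: " + message);
        return condition;
    }
}

class Demo
{
    static void Main()
    {
        Instrumentation.ConfigureListeners("trace.log");   // assumed path

        int[] items = new int[3];   // constructed sample data
        Instrumentation.Check(items.Length == 3, "items array sized correctly");
        // This one fails: one log entry plus the assertion dialog.
        Instrumentation.Check(items.Length > 5, "items array has more than 5 entries");
    }
}
```

Trace calls are compiled in only when the TRACE symbol is defined (Visual Studio turns it on for both Debug and Release builds by default), whereas Debug calls need DEBUG, so a helper built on Trace keeps working in the shipped build while one built on Debug silently disappears.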

Saturday, May 28, 2005

APCU User Group Meeting

Conrad Weisart spoke on UML at the APCU meeting today in Wilmette.
He has an extended critique. Mostly he is skeptical about UML and many other trends in software design over the years. For example, he ridiculed the notion that traditional SE was really a waterfall, saying that was a straw-man parody of the real process. And he quoted someone as referring to extensive use case narratives as the "Victorian Novel" methodology.

I agreed to speak at the next Wilmette meeting on running with a least privilege account.

In Random Access:
I asked two questions, and never got to asking about backup.
What are folks doing to...
1) manage passwords
2) manage favorites across machines
3) do backups

Some other questions came up...
Marlyn has set up Firefox as her default browser, but IE is still being launched when she clicks an href link she places inside a PDF she is authoring.

Here is a recent column at the MS IE community site that may be helpful:
Playing favorites: How to control which browser is 'Head Honcho' on your PC
It discusses setting different browsers as the default by using the SPAD tool (Set Program Access and Defaults) in WinXP.

Configuring Blogger for this BLOG

Now Allowing Anonymous Comments (posted 28 May 05)
I just noticed that you had to be registered at Blogger to post a comment here. Since a number of folks at the CCS user group meeting probably are not, I have switched this blog to allow anonymous comments.


Permalinks (posted 27 June 05)...
Up to now on my blog it has appeared that all posts here were identified by the title of the post, so that if you changed the title any reference to it would break. But now I have found several FAQs in the Blogger help related to permalinks.

How do I create permanent links to my posts?
Among other things, this states that I should have gotten permalinks by default when using their templates, though I did not.

What does the Link field do?
The Link field can be very useful if your blog posts are frequently about other articles, and you want the links to these easily spotted on your public blog.

So I am turning it on and will see what happens.
Well, I also need to specify a satisfactory template for my posts.
Mostly what I have accomplished is screwing up the column layout!


Here are other potentially useful FAQs:
How can I do more with links?


And, I expect, yet more to come...

Wednesday, May 25, 2005

Internet Explorer Tweaks and Tools

As mentioned below, when discussing Internet Zone settings in IE, I find it frustrating that there are no intermediate ones between untrusted Internet and Trusted Sites. In the past I had looked into this briefly without luck, but a Google search now shows some remarks suggesting this is possible.

There are several interesting posts at IEBlog - the Microsoft Internet Explorer Weblog, a blog by members of the Microsoft IE team. An article IE Security Zones posted there by Mike Friedman is the most helpful I have found. He describes the zones, and posts a utility that uses the URL Security Zones API to programmatically assign URLs to zones without going through the IE > Tools > Security tabbed interface. I will report after I try it. He also links to a number of good reference articles.

His post generated some rather nasty cross postings attacking Microsoft, and I respect their forbearance in tolerating that stuff. As to the validity of the content of the arguments about security holes I am uncertain. The Secunia site linked to says (as of 2005-02-10) regarding:

Internet Explorer Security Zone Bypass and Address Bar Spoofing -
The vulnerability has been fixed silently in some cumulative security update.

CCS User Group Presentation

I gave my little talk to a small group from the CCS downtown chapter last night, after two days of intensive training on SQL Server 2005. The audience was a mix of technically advanced and novice users, so I started by explaining something about how security works in Windows. Then I went on to a discussion about how you should lock down your WinXP box. We ended up spending so much time on security settings for Internet Explorer that I had very little time to show the techniques I have used for running as Non-Admin (LUA), but I encouraged folks to check out my references here and offered to answer any questions posted in comments here.

Norbert suggested that I write up the steps I suggest for securing a new PC. That is something I have been thinking of and will start to in posts here.

Guy G. brought up a number of interesting points. When I was demonstrating the Internet Zone settings, I complained that there should be some intermediate ones between untrusted Internet and Trusted Sites. He said there is. In the past I had looked into this briefly, but now a Google search shows some remarks suggesting this is possible. So I will look into it and post more details.

When I urged all users to track and apply patches/updates from Microsoft that seemed to provoke a lot of comment and resistance. I asked who had installed the XP Service Pack 2 and several people said it breaks lots of apps, but couldn't say which. Microsoft has posted a recent list of Programs that are known to experience a loss of functionality when they run on a Windows XP Service Pack 2-based computer. I emphasized that you should install it if you run IE and other Internet connected apps and suggested that now MS patches most known defects before they are widely exploited. At that point Guy and others spoke up to state that MS has not responded to a lot of posted vulnerabilities. I see that the Secunia - Stay Secure site indicates a number of unpatched advisories. I don't know anything about that site - it just was linked from some blog postings.

I was doing the demos on WinXP Home and Guy mentioned some problems he has had with it. He asked whether you can create local groups, and the answer is yes. While you cannot use the Control Panel plugin that is available on XP Pro, you can do it at the command line as follows:


NET LOCALGROUP MyTestGroup /ADD
    (creates the new local group)
NET LOCALGROUP MyTestGroup SomeExistingUserName /ADD
    (adds the user to the group)
NET LOCALGROUP MyTestGroup
    (shows the membership of the group)

On another theme, it was good to see some folks from my old Programming SIG at CCS - specifically Allen Kapusta and Pat Kennedy, and Tim Mill-Groninger of the ITRC, which hosted us.

[Added July 25]
Allen Kapusta asked for exact command lines for launching IE, that I rushed through at the end of the presentation when time ran out. Here are several options.

First, a batch/cmd file to launch IE from a shell command window, which you open with possibly different credentials. I put this line in a file called "LaunchIE.CMD".

Start " " "C:\Program Files\Internet Explorer\iexplore.exe"

Alternatively, if you are running as Admin or other privileged user, then you can use the DropMyRights utility (by Michael Howard) to run IE (or other program) under that ID with reduced privileges with a shortcut such as the following.

C:\utils\DropMyRights.exe "C:\Program Files\Internet Explorer\iexplore.exe"

Sunday, May 22, 2005

Windows XP Tips and Tricks - Windows Explorer

'Set Defaults in Explorer'

I like to set Explorer to always show the right pane in details view. But in some installations of Win XP this setting does not seem to take. I have noticed it at some corporate sites where I worked. In discussion with the Network/Security guru there, he said he had tried to fix it but failed. They had a very locked down configuration enforced with lots of Group Policy settings.

These are some old links I had regarding this issue:
http://www.annoyances.org/exec/show/article01-434
http://www.annoyances.org/exec/forum/winxp/t1099286606
http://www.annoyances.org/exec/forum/winxp/t1027192061

I've also noticed it on some other machines, but never got a good answer.

I also want to post the way to add Toolbars, as demonstrated by PrivBar and other tools.


Explorer Command Line Options

I like to create Desktop shortcuts to frequently used directories, and more often than not want them to open in the two pane view. The switches for this are /e and possibly /root.
Explorer [/n] [/e] [(,)/root, MyTargetDir] [/select, TargetToSelect]
Here are some references:
Windows Explorer Command-Line Options

Saturday, May 21, 2005

Pronunciation of English words in US vs UK

Speaking of streaming audio... I listen frequently to BBC programs and notice distinctions in pronunciation of a class of words, between the UK and US. Here are examples...

Revelatory - reveLAtory (like we say revelation, but changing -tion to -tory) vs revelaTory

Corollary - coROLlary vs coroLLARY

Controversy - ContROVersy vs CONtroVersy

There are plenty more, which I will post as I notice them. I think there is a pattern in there, of Americans moving the emphasis to the final syllable.

CWUG meeting - Mark Skoog, walking encyclopedia

The Chicago Windows User's group

Mark Skoog presented a report from the Windows HEC held in April. But more than that he answered questions on a variety of hardware related topics, especially multi-media playing and telephonic capabilities. I still have a number of questions I want answered.

In discussion after the meeting there was some reference to IM (he had mentioned MS Live Communication Server during the talk). He said that many staff, even in purportedly secure financial companies, use IM. I said most companies, in my experience, disable IM by locking down desktops and closing network ports, but he started to respond suggesting that was either not done or not effective. I would like elaboration on that topic.

I also am more interested in good audio over my home network than video, and would like details on how to set it up.

Friday, May 20, 2005

Password Security and Protection Links

Last summer and fall some folks at Microsoft and elsewhere provoked discussions of what makes a strong password. One fellow emphasized that length is really the key. That was widely discussed, as in this article at WindowsITPro by Mark Joseph Edwards.

Since I last visited this topic Jesper M. Johansson, Microsoft Security Program Manager, has posted a series of articles - The Great Debates: Pass Phrases vs. Passwords (in three parts)
Part 1 of 3,
Notable quotes:

"... understand the difference between password guessing and password cracking."
"... if an account has a relatively complex password, guessing will not succeed anyway."
"Cracking ... is performed after the attacker has obtained the raw hashes."
"Cracking is far faster than guessing."

Part 2 of 3 - discusses the relative strength of each type of password

Part 3 of 3 - Concludes by providing guidance on passwords and policy

Earlier I thought the main take-away was that longer is better in passwords and that length trumps strength, in the sense that increasing character count is more effective than increasing the base of characters allowed. I think that is consistent with the formula for calculating the number of permutations of l chars of a base set with n members.
But he concludes "In the end, until we perform further research, we cannot state conclusively that one is better than the other."
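To put numbers on the length-versus-alphabet question, here is an added example (not from the post or from the articles it cites) that evaluates the formula the post alludes to: a password of L characters drawn from an alphabet of N symbols has N^L possibilities, i.e. L * log2(N) bits of keyspace. The class and method names and the alphabet sizes are my own assumptions.

```csharp
using System;

// Added example, not from the post. PasswordSpace, Bits and
// ExtraLengthToMatch are assumed names.
public static class PasswordSpace
{
    // Keyspace of a uniformly random password, in bits: L * log2(N).
    public static double Bits(int alphabetSize, int length)
    {
        return length * Math.Log(alphabetSize, 2);
    }

    // How many extra characters from the smaller alphabet are needed to reach
    // the keyspace of a password of the same length from the larger alphabet?
    public static int ExtraLengthToMatch(int smallAlphabet, int largeAlphabet, int length)
    {
        double target = Bits(largeAlphabet, length);
        int extra = 0;
        while (Bits(smallAlphabet, length + extra) < target)
            extra++;
        return extra;
    }

    static void Main()
    {
        // Constructed alphabets: lowercase (26), lowercase + digits (36),
        // mixed case + digits (62), all printable ASCII (95).
        int[] alphabets = { 26, 36, 62, 95 };
        int[] lengths = { 8, 10, 14, 20 };

        Console.WriteLine("alphabet  length   bits");
        foreach (int n in alphabets)
            foreach (int l in lengths)
                Console.WriteLine("{0,8}  {1,6}  {2,5:F1}", n, l, Bits(n, l));

        // Each added character multiplies the keyspace by N; widening the
        // alphabet from 26 to 95 at length 8 multiplies it by (95/26)^8.
        // Which wins depends on the numbers, which is why neither rule of
        // thumb is universally right.
        Console.WriteLine();
        Console.WriteLine("Extra lowercase characters needed to match an 8-character printable-ASCII password: {0}",
            ExtraLengthToMatch(26, 95, 8));   // 4 (12 lowercase chars exceed 52.6 bits)
    }
}
```

The bit counts assume each character is chosen uniformly at random. A human-chosen password or passphrase has far less entropy than the table suggests, which is the point behind the guessing-versus-cracking distinction quoted above: a policy based on this formula bounds the best case, not the typical one.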

UPDATE (June 2005)

Keith Brown has written a utility he calls Password Minder, which generates and stores passwords for use at different sites. He describes it in two of his Security Briefs columns in MSDN magazine last year:
Part 1 - Mind Those Passwords!
Part 2 - Password Minder Internals

Rocky Lhotka talks about SOA hype at CNUG meeting

At Wednesday's CNUG meeting Rocky gave a presentation before a packed room on The State of Distributed Application Development. I call it Debunking the Hype over SOA. He has been discoursing on this for some time in print and in postings at his site and others.

He showed slides outlining the history of distributed applications and suggested that not much has really changed over the past twenty years. He said we are still solving the same problems.

Among his many observations, many in the form of analogies...

  • Many of today's thin-client technologies hark back to the days of dumb terminals attached to big iron. He came from a VAX background.
  • He described two views of SOA - Academic versus Practical?
    Academics have a model of autonomous, independently acting objects which communicate (asynchronously) via messages. The Practical (largely vendor driven) approach is really data-centric. He said pure Web Service calls are just like DB Sprocs!
  • Hardware and Networking Technology combined with better app server software have made two-tier client-server applications an appropriate technology again today (in response to a question from Mike Disbrow, who termed it regression). Whereas in the 90's it could only support 30 concurrent users, today it can handle 300, which is enough for most applications.
  • Today people are applying SOA and webservices in many scenarios where they do not make sense, but it is appropriate in some.
  • He rather ridiculed "Contract-first" WS development, but I've forgotten his reasoning.
  • His preferred solutions involve layers where BL is in the middle layer but replicated to smart, flat clients for UI performance. He did not detail just how that replication is accomplished.
  • Finally, with respect to building distributed applications, he said "Just say no".

Many of the questions, and mild arguments, came from older developers with a long heritage going back to mainframe days. He had particular fun with a fellow who said he does like to put BL into the database (sprocs). Later it turned out that fellow was doing that in part to extend the functionality of expensive vendor apps which did not publish a useful API.


Though he was to some degree flogging a straw man it was overall a worthwhile and enjoyable event.
Along the way he recommended several books:
David Taylor - Object Technology: A Manager's Guide
Some book on COM and CORBA (have to find the reference)

Rocky has written extensively on this topic on his blog and at theserverside.net.
Here are some links to some of those posts:
SOA is really just RPC with angle-brackets
Can a Service have Tiers?

These are some articles he has posted at theserverside.net:
The Intersection of Objects and Services
The Fallacy of the Data Layer

Questions I am asking - How do you...

I'm just posing some questions about how to best do certain tasks when running Windows.

    What's the best way to manage and share links to websites?
    Use favorites - and synchronize thru a website or shared folder?
    Use a folder - and again share or synchronize it?
    How to Manage Passwords?
    Backup - What's the best solution?
    Drive Imaging - The following three seem to be the most popular solutions:
    PowerQuest - Drive Image software
    Acronis - True Image
    Symantec - Norton Ghost


lots more questions to come...

Thursday, May 19, 2005

User Group Presentation - Securing Windows by Running LUA

LUA is a TLA (three-letter acronym) for "Least-Privileged User Account". On 24 May, 2005 I will be giving a presentation for the Chicago Computer Society on the topic of running Windows under a non-Admin user account.
Running Windows under the local administrator account with full privileges exposes your machine to numerous dangers, especially when working with Internet-facing applications. Under normal circumstances you should run under an account with fewer privileges.
I will discuss the motivation to, techniques for and difficulties with running LUA on Windows XP based on my experience (see my post below).

It will be an interactive evening with a demonstration of my configuration and utilities. And, if possible, I will demonstrate changing the configuration of an insecure machine to run effectively with an LUA. In addition I will discuss a number of other, better known, steps to keep your machine running efficiently and free of malware.


Here are some relevant links to topics I will discuss (see also my earlier post):

MS TechNet: Using a Least-Privileged User Account describes the motivation for doing this.
MS Support: Certain Programs Do Not Work Correctly If You Log On Using a Limited User Account

(I will update and extend this post for several days)

Tuesday, May 17, 2005

Links to Interesting Security Postings

This is an excellent article describing the weakness of the traditional steps suggested for securing a Wireless Network: The six dumbest ways to secure a wireless LAN

Here is a neat link at Tobin Titus's site that shows how Google can find ASP.NET web sites that have not properly secured their directories from browsing, even for the web.config...
Googling for web.config and other source code

He also has a lot of other posts about security, particularly for Web Sites.

e.g.: Home Network Paranoia
Canonicalization issues and File Paths


PASSWORD ISSUES

http://patricklogan.blogspot.com/2004/07/world-without-acls.html
Discusses the 'holy grail' and links to a site that has a utility for creating and storing passwords.

Sunday, May 15, 2005

Events as Delegates under the Hood

Delegates in C# vs VB.NET down to the IL is a good post by Tobin Titus comparing how event handlers are implemented in VB and C# and explaining the underlying IL generated by both. VB apparently uses a virtual dispatch method under the hood. It uses the "little known feature ... event accessors" to facilitate the Handles construct.

Did you catch the difference between the C# and VB.NET IL output? We are no
longer calling ldvirtftn, but instead, we are simply calling ldftn. This is the
difference between VB.NET using a virtual dispatch sequence and C# using an
instance dispatch sequence. ... My guess is that if you don't understand delegates, you won't get the difference between these two fields.

He references the C# language docs at MSDN, which discuss "field-like events":

When compiling a field-like event, the compiler automatically creates
storage to hold the delegate, and creates accessors for the event that add or
remove event handlers to the delegate field.

I must admit that I miss the VB handlers when I write C#. I don't like having to look in the generated code section to see the tie ups. Tobin suggests the C# approach is more OOP. Maybe so, but less obvious.
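To make the "field-like event" quote concrete, here is an added example (not from Tobin Titus's post or the MSDN docs) showing the same event written once in the field-like form and once with the explicit add/remove accessors the compiler generates for it. All type and member names are my own.

```csharp
using System;

// Added example; Sensor, ExplicitSensor, ReadingHandler and
// ReadingEventArgs are assumed names, not from the post.
public class ReadingEventArgs : EventArgs
{
    public readonly double Value;
    public ReadingEventArgs(double value) { Value = value; }
}

public delegate void ReadingHandler(object sender, ReadingEventArgs e);

// Field-like event: one declaration. The C# compiler creates a private
// delegate field to hold the handlers plus an add accessor and a remove
// accessor, exactly as the MSDN quote describes.
public class Sensor
{
    public event ReadingHandler ReadingReceived;

    public void Publish(double value)
    {
        // Copy the field first so a handler removed on another thread between
        // the null check and the call cannot leave us invoking a null delegate.
        ReadingHandler handlers = ReadingReceived;
        if (handlers != null)
            handlers(this, new ReadingEventArgs(value));
    }
}

// The same event with explicit accessors. This is close to what the compiler
// emits for Sensor above (its generated accessors also add synchronization).
// Both C#'s "+=" and VB's Handles/WithEvents end up calling these accessors.
public class ExplicitSensor
{
    private ReadingHandler readingReceived;   // the storage the compiler would have created

    public event ReadingHandler ReadingReceived
    {
        add    { readingReceived = (ReadingHandler)Delegate.Combine(readingReceived, value); }
        remove { readingReceived = (ReadingHandler)Delegate.Remove(readingReceived, value); }
    }

    public void Publish(double value)
    {
        ReadingHandler handlers = readingReceived;
        if (handlers != null)
            handlers(this, new ReadingEventArgs(value));
    }
}

class Demo
{
    static void OnReading(object sender, ReadingEventArgs e)
    {
        Console.WriteLine("{0} reported {1}", sender.GetType().Name, e.Value);
    }

    static void Main()
    {
        Sensor a = new Sensor();
        ExplicitSensor b = new ExplicitSensor();

        // "+=" compiles to a call to the add accessor in both cases. For a
        // static target like OnReading the C# compiler loads the method pointer
        // with ldftn, the non-virtual form the post contrasts with ldvirtftn.
        a.ReadingReceived += new ReadingHandler(OnReading);
        b.ReadingReceived += new ReadingHandler(OnReading);

        a.Publish(1.5);   // Sensor reported 1.5
        b.Publish(2.5);   // ExplicitSensor reported 2.5

        a.ReadingReceived -= new ReadingHandler(OnReading);   // remove accessor
        a.Publish(3.5);   // nothing printed: no handlers left
    }
}
```

If you find the hookup hard to see in C#, ILDASM on the compiled Sensor class shows the generated add_ReadingReceived and remove_ReadingReceived methods directly, which is the view the post works from.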

Tobin Titus has been among the authors of multiple books (mostly Wrox) on .NET threading and related topics. He is joining MS on the IIS team.

[Factored out of a moved post - Jan 2006]

Lists of Interview Questions

Scott Hanselman at ComputerZen
What Great .NET Developers Ought To Know (More .NET Interview Questions)

Joel at Joel on Software

Saturday, May 14, 2005

Windows and .NET Structured Exception Handling

This long post with many comments by Christopher Brumme (MS) in 2003 is worth reviewing. Nice quote near the top...

At the top level, the managed exception model is nice and simple. But – as with everything else in software – the closer you look, the more you discover.

Want to learn the MS App Blocks and new Enterprise Library?

PnP (MS Patterns and Practices) Group have posted a new learning tool (link from Mike Gunderloy @Larkware): Enterprise Library 1.0 Hands On Labs

Thursday, May 12, 2005

Notes on Forthcoming Visual Studio 2005

Microsoft has been demo-ing this stuff publicly for well over a year now, and promoting it with lots of events and articles growing into a crescendo, dare I say orgy, of promotion.
I'm just going to post some links to articles to read.

Rob Caron has a good post describing the different editions
Rick LaPlante (MS) explains on his blog that some of Team System will be included in lesser editions. But the edition pricing information for MSDN Subscriptions shows it comes pretty dearly. Mike Gunderloy of Larkware editorializes on this and provided those links.

The Express editions and Beta 2 CTP were posted for download in mid April, and disks are said to be shipping in a week or two for people who attended MSDN events.

DevExpress, makers of CodeRush, have released a refactoring tool for VB.NET2005
It is promoted on a page at the MSDN site, where there are two short demo videos.
It looks TERRIFIC! I see another refactoring tool advertised out there too.

Friday, May 06, 2005

Articles to Print and Read

On WindowsForms Apps

There are links to lots of good articles at the WindowsForms site.


There are two well promoted reference apps from Microsoft (created by Vertigo):

TaskVision - released with the 1.0 version of the platform
IssueVision - released for DevDays 2004 - designed to demonstrate "SmartClients"

On SECURITY in Web Services

Understanding WS-Security - Scott Seely, Microsoft Corporation, October 2002

WS-Security Drilldown in Web Services Enhancements 2.0

Patterns and Practices guide: Designing Data Tier Components and Passing Data Through Tiers

Recently posted at the MSDN site:

Creating Dynamic Data Entry User Interfaces - by Scott Miller

Understanding Cryptography in .NET

I've come across a couple of articles on MSDN that helped me get a perspective on cryptography in .NET.

There is a reasonably full discussion under the "Securing Applications" heading in the .NET Framework Developer's Guide at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconCryptographicServices.asp

Another one under the Web Services Enhancements topic is a quick overview:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wse/html/d396b110-66fa-44a0-8cec-e05fb205d087.asp?frame=true


UPDATE - 7/1/05
Two articles in MSDN with sample apps:
Cryptography Simplified in Microsoft .NET (2003) - an introduction by Paul Sheriff
Employ Strong Encryption in Your Apps with Our CryptoUtility Component - Article in MSDN Magazine (Nov 2004) by J. Sawyer and M. Stuart

And some others:
A Simple Guide to Cryptography under Implementing ASP Security
Protect Private Data with the Cryptography Namespaces of the .NET Framework - by Dan Fox