Monday, January 30, 2006

Update on Using Collections - Now we have Generics

I am still mostly using VS2003 and have learned more about how to use the different collections in the FCL, but now we have generics in .NET 2. So it is time to learn about them. Ken Getz wrote a column in MSDN Mag, "Being Generic Ain't So Bad", discussing their use in comparison to writing custom wrapper classes.

There is a reference article, Defining and Using Generics in VB 2005, at MSDN.

Wednesday, January 25, 2006

Blogs to Track

List some more sites to track. I have been using Bloglines upon the suggestion of Jeff Key, but at last night's Nerd Dinner he said he has switched to the Google feed aggregator. I will have to look at it. In the meantime, add these to Bloglines (which is not responding just now).

http://geekswithblogs.net/sabotsshell/Rss.aspx
DotNetSlackers itself aggregates articles about ASP.NET "for Lazy Developers"
Dr Dobbs Journal
Mike Gunderloy's Larkware which everyone said they read regularly

More on Securing Windows

Internet Security Guide at Firewall Guide website is full of pretty good info.
Tighten Microsoft Windows to Improve Security is a checklist there.
Checklist for Securing Windows XP Pro at Lawrence Berkeley Nat'l Lab is a fine article; written for internal users, it is probably a little advanced for standalone home users.
Securing Windows XP (Sep 2005) at TweakHound - a link from above.
TweakHound also has some other helpful articles such as these:
Windows XP Backup Strategies For Home Users
What Do Those XP Services Do?

Amazon brings back Gold Treasure Chest

I used to make a lot of purchases at Amazon from the gold treasure chest at the top right which offered special discounts on a list of items they think appeal to you. Then last year it seemed to have disappeared. Now I see it is back, and improved. Now you can hold on to one item while you step through the whole list, thus avoiding the anguish of the 'optimal stopping problem'. I think they might suck me in again, except that the extra discounts seem to be quite minimal compared to my recollection of the past offers.

Beta Microsoft MCP Exams Offered

The latest MSDN Flash shows an offering of Beta exams for MCAD and MCSD for a one month period starting around Valentine's Day:

Beta Exam Invitation for MCAD and MCSDs

February 13 - March 12

  • MCAD Exam 70-552 - Upgrade: MCAD Skills to MCPD Windows Developer by Using the Microsoft .NET Framework (use promo code 552BTA)
  • MCSD Exam 71-553 - Upgrade: MCSD Microsoft .NET Skills to MCPD Enterprise Application Developer by Using the Microsoft .NET Framework - Part 1 (use promo code BTA553)
  • MCSD Exam 71-554 - Upgrade: MCSD Microsoft .NET Skills to MCPD Enterprise Application Developer by Using the Microsoft .NET Framework - Part 2 (use promo code UPG554)

These free beta exams will count toward certification in the same way as the final version of the exam.


Interesting Finds after Nerd Dinner

We had a Nerd Dinner last night, and Brian Beatty and others mentioned some interesting sites, particularly 43 this and that. I've been surfing these a bit this morning and came upon these "Interesting Finds" (a la Jason Haley):

Google Blogoscoped by Philipp Lenssen - lots of articles critiquing Google, esp. on censorship.
Cool Tools by Kevin Kelly is full of descriptions of fascinating tools and books. Really NEAT.
DotNetSlackers

Feline Cranial Protection link from Eric Gunnerson's blog

More to come...

Monday, January 23, 2006

'LUA' name changes to UAP, then UAC

Apparently the Vista team has a new name for the functionality we have been referring to as running LUA (Least-Privilege User Account). First they went to User Account Protection and more recently to User Account Control. Those are certainly an improvement over LUA. The team working on this has its own blog, now at http://blogs.msdn.com/uac, and there is a new overview posting there called 6 User Account Control Windows Vista Policies

IE's "Mark of the Web"

Researching the Blocking issue I came upon the "Mark of the Web" feature added to MSIE following the release of XP-SP2, which locked down the local_machine URL security zone.
How the Mark of the Web Enhances Computer Security

Because the Local Machine zone has so few security restrictions, active HTML documents running on the local machine have access to the computer's entire file system. The MOTW aids Internet Explorer in protecting the user from the risks of running these documents in the Local Machine zone. By referencing the MOTW, Internet Explorer can force these Web pages into a zone that has more restrictions, such as the Internet zone. At the same time, the MOTW cannot be used to elevate Web pages to a zone with fewer restrictions. Forced out of the Local Machine zone, the active content has no access to the computer's file system. Note: Windows XP SP2 applications—including Internet Explorer 6—that take advantage of the Local Machine Zone Lockdown security feature run in an even more restricted environment than the Internet zone. Additionally, cross-domain requests both to and from the active HTML documents fail, so that code running from these Web pages cannot access the user's hard drive.

That makes sense, but it seems to contradict the explanation below by Dave Massy on the IEBlog, which I find a little confusing. I don't seem to be the only one, based on the comments to his posting (see "There does seem to be a some continued confusion around the LMZ lockdown").

I have not tested the functionality yet myself to see if I can figure it out, but I did notice that this box has only one file with that tag in it.

Here are some discussions of this:

Mark of the Web posted in March 2005 at the IEBlog by Dave Massy of MS
Tricks with Mark of the Web: Behaviors, XML files at Adi Oltean's (MSFT) AntiMail weblog
This UK site has good discussion of the issues surrounding the LocalMachine zone.
Changes to Functionality in Windows XP Service Pack 2 - Part 5: Enhanced Browsing Security
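
As an added example (not from the original post or any of the linked articles), here is one way to find which local HTML files carry the tag and which URL each one claims. It assumes the documented comment form `<!-- saved from url=(NNNN)URL -->`, where NNNN is the character count of URL; the function names and sample strings are constructed for illustration.

```python
import re
from pathlib import Path

# "<!-- saved from url=(NNNN)URL -->": NNNN is the character count of URL.
MOTW_RE = re.compile(rb"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)


def parse_motw(html: bytes):
    """Return (declared_len, url, length_ok) for the first MOTW comment, or None."""
    m = MOTW_RE.search(html)
    if m is None:
        return None
    declared = int(m.group(1))
    url = m.group(2).decode("ascii", "replace")
    return declared, url, declared == len(url)


def scan_tree(root, suffixes=(".htm", ".html")):
    """Yield (path, parse_motw result) for every marked HTML file under root."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            with path.open("rb") as fh:
                # Assumption of this example: the mark sits near the top of the file.
                mark = parse_motw(fh.read(65536))
            if mark is not None:
                yield path, mark


# Constructed samples, not taken from any real page.
SAMPLE_GENERIC = b"<!-- saved from url=(0014)about:internet -->\r\n<html><body>x</body></html>"
SAMPLE_BAD_LEN = b"<!-- saved from url=(0023)http://example.test/ -->\r\n<html></html>"
SAMPLE_UNMARKED = b"<html><body>no mark</body></html>"

if __name__ == "__main__":
    import sys
    for p, (n, url, ok) in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{p}: url={url} declared={n} {'ok' if ok else 'LENGTH MISMATCH'}")
```
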

Sunday, January 22, 2006

Unblock CHM files after patch for MS05-026 - Vulnerability in HTML Help

I have been running Mark Russinovich's Process Explorer utility on several machines which are fairly well locked down, and the help details pane has not been displaying. After trying a lot of security-related fixes I could think of, I finally googled it and found that a recent patch added a new feature to block HTML files which came from outside computers. When you look at the properties of the file in Explorer, an option to "Unblock" will appear if it is blocked. Checking that fixed the problem. The same problem arises when you try to open the file directly. Then a dialog titled "Open File - Security Warning" appears and warns about the danger of proceeding. It gives the option to uncheck "Always ask before opening this file", which does the same thing as 'Unblocking'. I found that while running as a limited user I could check those boxes but it had no effect, so I had to make the change while running as Admin to make the Unblock effective for all users. Thus I conclude that, while I don't know exactly what information is stored to control this, it seems to be applied on a machine-wide basis, not per user.

The following bulletins and KB articles from MS address this issue:


Update:

It appears that this behavior is controlled by something called Persistent Zone Identifier. There is a fair amount of documentation of them on the MS site (Persistent Zone Identifier Object), but surprisingly little discussion in blogs. Here is one example, from Internet Explorer 7 Bugs at Channel9:

HTML Help doesn't work
When I try to view a chm help file that has been downloaded from the internet, the help browser loads about:blank rather than the help page. This happens when the chm file has what I think is called a persistent zone identifier associated with the file (on NTFS - when I double-click the file, I get a security warning before launching). If the file does not have the identifier (removed via Properties->Unblock) the help page is correctly displayed.
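
As an added example (not part of the original post or the quoted bug report), the sketch below lists the files under a folder that still carry a zone identifier. It relies on the identifier being kept in an NTFS alternate data stream named `Zone.Identifier` whose body is a small INI section, `[ZoneTransfer]` with a `ZoneId` value; the function names, the suffix list and the sample stream are constructed for illustration.

```python
import configparser
import os

# URLZONE values used in the ZoneId field.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed sample of a stream body, as written for a downloaded file.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(text: str):
    """Return the integer ZoneId from a Zone.Identifier stream body, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    try:
        cp.read_string(text.lstrip("\ufeff"))
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None  # malformed or unexpected stream content


def read_zone(path: str):
    """Read path's Zone.Identifier stream (works on NTFS under Windows only)."""
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None  # no stream, non-NTFS volume, or not Windows


def blocked_files(root, suffixes=(".chm", ".htm", ".html", ".exe")):
    """Yield (path, zone name) for files whose stored zone is 3 or 4."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                zone = read_zone(full)
                if zone is not None and zone >= 3:
                    yield full, ZONES.get(zone, f"zone {zone}")


if __name__ == "__main__":
    import sys
    for path, zone in blocked_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{zone:16} {path}")
```

A file that has been unblocked through Properties no longer has the stream, so it drops out of this listing.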

Friday, January 20, 2006

Changes to Security Zones in MS Internet Explorer Version 7

There was a post in December describing how zones will work in the new version, along with some discussion of how the current version handles them.
Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)

It has received extensive comments, not all of which I have read yet. One theme among them is that the zones are not effective, so why bother. But they seem useful to me and the most disappointing thing that I notice is that they apparently have not added any new zone between Internet and Trusted. That is what I want, and have created on my machines.

Some excerpts:

The My Computer Zone is locked down as of IE6 for XP SP2; the changes in IE7 continue our trend to run the browser with more secure default settings.

Because security zones allows more power to some websites, zones also open the possibility of zone-spoofing attacks: if there is a flaw in IE’s zone detection logic, a malicious website could try to run in a less restrictive security zone than they should run in. With URL parsing and other improvements in Windows XP SP2 and IE7, we have helped to ensure this doesn’t happen.


More on Running LUA

Still trying to run and develop as a limited user. Keith Brown, following someone else, references work done by Ziff-Davis and discussed in an eWeek article which shows the safety advantage of running as a normal user versus Admin or even Power user! Only the base limited user was largely immune from infection by viruses when they surfed the web extensively. They don't indicate what kind of prophylaxis they used for their web browsing however.

Addendum to some earlier posts
I have tended to run devenv.exe (Visual Studio) as an Admin, but one can develop local WinApps with a limited account as long as you make sure that account has the proper rights to the target source directories and any needed data file directories. Setting those up on a non-domain machine can involve setting the rights at a granular level, and normally this is not available in the Windows Explorer GUI when simple file sharing is enabled.
But you can use the NT command line tools for setting ACLs (Access Control Lists) - CACLS.EXE (NT) and XCACLS.EXE (Support Tools). They are a little arcane but do the trick. One thing you have to be careful of is not to use the /G or /P options without /E, or else you remove all existing rights.

As to managing the localgroups, I never listed the UI tools for changing them in my post CCS User Group Presentation where I showed the appropriate command lines. There are several GUI programs that allow you to manage users and local groups:
Running "control userpasswords" gives you the rather dumb User Accounts dialog in Control Panel. Running "control userpasswords2" gives you a smarter, more granular tool to manage users, including specifying their group membership. Finally "lusrmgr.msc" is an MMC plugin which provides a full-powered GUI tool to create/manage local users and groups.

It is worth noting that Power Users seem to have the power to add users to the Admin group, hence one reason that it is not really a safe level of operation.

Thursday, January 12, 2006

Tip on using Google as a Free Proxy

Came upon an interesting tip at a site called Tech Resource, a community site based in India, which has several sections including one where at least one programmer from Google posts about what they are doing. The article, Use Google as a Free Proxy, shows how you can use Google to access a page from a site that would otherwise be blocked.

CNUG Downtown Chapter meets at IMG

The opening meeting of the new downtown chapter of CNUG met at IMG's new office at 200 West Monroe on Tuesday night. Marc Gusmano gave a helpful presentation covering many aspects of enhancements in ASP.NET 2.0 and in VS2005. He pointed out some interesting tricks in the IDE as well as the underlying platform. The meeting was very well attended (over fifty people) and there was considerable audience interaction. The meeting was generally quite successful. The only problem was that the display was projected against a wall which made it somewhat dim and discolored, as well as rather small. I look forward to more meetings there.