Like it or not, Microsoft is going to start adding a lot of extensions to RSS to produce some cool features for Longhorn. I have a love-hate relationship with this idea. What really chaps my hide about this video because the first guy acts like he is the first guy to think of these ideas. I actually see this in Microsoft employees a lot. They come out looking smug (and I know they don’t mean to be) as though they thought up this great idea and they want you to come up to their level of thinking. What this really comes down to is that a lot of the features you and I have wanted to create and use RSS for are now going to be a lot easier to use from Longhorn.
Looking over the shoulder of an attacker
If you ever thought that it wasn’t important to keep that windows update working on schedule, think again. Security Monkey has posted a small blog entry entitled “Looking over the should of an attacker“. Its definitely interested and should be a warning. However, I would remind you that just about any public internet service , Windows w/IIS or Linux w/Apache, you simply must not be complacent about how you configure your systems or keep them updated.
AJAX is a Fraud
I’ve been around long enough in this industry to recognize marketing fraud when I see it. The buzzword that has become of AJAX is one such instance. I’ve about had it with hearing people talk about how its so new and innovative. I know of at least 5 people, including myself, who were using Xml Data islands and javascript to produce dynamic output into a browser as early as 1999 and 2000. I find it amazing that an article can be written by a virtual nobody in the industry like Jesse James Garrett that proclaims something as “new” that has been around since before the first victim of the DotBomb industry.
The reality of the situation is that these technologies have been around for ages, but the world wasn’t quite ready for them yet. The industry was bellowing, “Bring out your dead” and Netscape refused to answer, insisting “I’m not dead yet”. Sorry for the Monty Python analogy but rings true. Now that the platform market has been mostly conglomerated, it’s much easier to roll client-side to server-side javascripting out to the public.
Additional influences like the proliferation of broadband internet access to the masses has made such uses of bandwidth possible on the public internet space as opposed to being restricted to local intranets — much like several of my similar implementations of the technology at AIMCO years ago.
This article isn’t all about anger over this marketing BS — although it is admittedly part of it. Its partly about the idea that marketing has taken over innovation in this world. Between all of the patent wars in the big companies, and other corporations, like Adaptive Path, taking over technologies and name them as their own the industry has just become a big war-ground for business folks. Lastly, this is about the idea that I’m about to post a few scripting examples of this in the next month. I don’t want them to be chalked up in the AJAX hype column.
Where am I?
Only in the blogging world does a subject like “where am I?” get past the most curious of eyes without suspicion of insanity of the author. The truth is I’ve been asked by a couple of people why I haven’t posted anything in the past few days. You can rest assure that I have a slew of articles on various topics coming, but you’ll have to wait for me to start posting them for about another week. I’ve been involved in a couple of ultra super secret Whidbey projects for Microsoft. They keep it so secret I don’t even know what I’m doing for them! OK, in all seriousness, I’ll be flying to Redmond tomorrow and will be spending the rest of the week basking in the clouded downpours, sipping various coffees, and listening to more grunge rock than I can handle, and really, isnbt that about 15 seconds of it? I like visiting the area but every time I go up there I ultimately end up sitting in my hotel room all night after doing my duties at Microsoft. I intend to go out and find something to do or some exquisite place to eat. I even get in my rental go-cart and drive around for a few seconds before stopping at the nearest fast food joint, grabbing a number n and heading back to the hotel. Such is my existence as a non-adventurous kind of guy.
So in case any of you have never been to Redmond, let me share a small piece of it with you. This is where I’ll be. It’s the aerial view of the main campus — albeit 3 years ago.
Wasn’t that thrilling? OK, I’ll see you next week.
Security Wiki @ Channel 9
The Patterns And Guidance team has added a new wiki on Channel9 for security topics. Check it out, rinse, repeat.
Dockable Tool Windows in VS.NET 2005
VS.NET 2005 introduces a ToolStripContainer control which allows you to develop applications with toolbars that can be docked, undocked, reordered and otherwise rearranged to the edges of a form. This is an excellent idea, however, what was an obvious miss for the product was the ommission of a dockable window. We are all used to seeing these windows in the VS.NET IDE. The are, essentially, dockable, sizable toolwindows that can be removed, docked , undocked, resized, pinned against a border of the IDE, or unpinned. This feature has been suggested multiple times and would definitely add a professional touch to many applications. Microsoft ommitted this feature from VS.NET 2005, but perhaps if we can get enough votes, this feature will be reimplemented. Realizing that the release date is only 5 months away, its unlikely, but we can always try. Go to [I have removed the link as it is now 404/archived] to and vote for this suggestion!
Michael Howard Points to Excellent Series of Papers
Mike Howard has pointed out on his blog that there is an excellent compilation of security white papers in PDF form (image-based PDFs, not Text-based) available for download. Despite their age, these provide the very foundation for some of the most sophisticated security pillars today. Well worth the read.
Total Immersion touts ‘Augmented Reality’
This video looks way cool. It’s the presentation demo of a company called Total Immersion where they are touting their ‘augmented reality’ technology. It allows them to merge animation and objects with real-time video. I watched this demo and immediately started shuttering at the idea that Fox Sports would butcher this technology in football games. Its bad enough that they have all these strange animations and sound effects during the game, but can you imagine giving John Madden the ability to , I dunno, put costumes on players in real time? This is a far cry from just superimposing those yellow “first down” markers on the playing field.
This does, however, raise some interesting ideas. How about product placement in movies AFTER the movie has been made? What about the security issues involved? You could super-impose a gun on someone in a bank real time to frame them. OK, maybe I’ve been watching too much Sci-Fi channel lately. Anyway, this brings up very interesting possibilities that far excede those we ever imagined the first time cartoons were merged with reality in Roger Rabit.
Thread-Safe Generic Dictionary
The following question was posted on MSDN forums last night and I thought I’d take a little time to answer this considering my apparent threading affinity (*cough*). Here was the question:
“Could someone give me a pointer as to how I might implement a thread safe wrapper around a genric dictionary? I’ve written thread-safe dictionaries in C# 1.x by inheriting from the DictionaryBase but I’m a bit stumped as to how to acheive this using Generics.”
I can certainly understand the complaint here. It comes from the fact that Microsoft apparently didn’t think anyone would need thread-safe generic collections — or if you did, you should do your own work on this. Think I’m wrong? Consider this link, which states:
A System.Collections.Generic.Dictionary<,> can support multiple readers concurrently, as long as the collection is not modified. Even so, enumerating through a collection is intrinsically not a thread safe procedure. To guarantee thread safety during enumeration, you can lock the collection during the entire enumeration. To allow the collection to be accessed by multiple threads for reading and writing, you must implement your own synchronization.
What this means is that you have some limited options. 1) Create a sub-class of System.Collections.Generic.Dictionary, 2) Create a utility class for modifying the collection safely, or 3) Creating your own thread-safe dictionary from scratch.
Lets consider these one by one.
The first option: Sub-Class
This seems a bit rediculous. Your methods might look something like the following:
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading;
namespace ThreadedGenerics {
class ThreadSafeDictionary : Dictionary {
public new void Add(T key, U value) {
// Add your preferred thread locking mechanism here
base.Add(key, value);
// unlocking here
}
// TODO : Remaining Method Implementations
}
}
or in VB.NET :
Imports System.Threading
Imports System.Collections.Generic
Public Class ThreadSafeDictionary(Of T, U)
Inherits Dictionary(Of T, U)
Public Shadows Sub Add(ByVal key As T, ByVal value As U)
' Add your preferred thread locking mechanism here
MyBase.Add(key, value)
' unlocking here
End Sub
' TODO : Remaining Method Implementations
End Class
This is obviously silly because we have to override all of our functionality anyway only to wrap the call in a critical section. You should lock the underlying collection as well, but that’s up to you to decide which method you prefer.
Additionally you have to qualify the method ‘overrides’ with “New” (Shadows in VB.NET) instead of override because Dictionary<,> didn’t mark the functions as virtual. Lets go ahead and scratch this option off the list. It just doesn’t make a lot of sense and violates OO.
The second option: Create a Utility Class
This method seems to make a bit more sense. You simply create a utility class to do all the work for you and do the wrapping. Its cleaner than the “inheritance” method. (I hesitate to call anything inheritance when you can’t override the functionality but rather follow a hide-recall pattern.) This would look something like this:
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading;
namespace NewWinFormsFeatures
{
public class ThreadSafeDictionaryUtility
{
Dictionary dict;
public ThreadSafeDictionaryUtility() {
dict = new Dictionary();
}
public void SafeAdd(T key, U value) {
// Add your preferred thread locking mechanism here
dict.Add(key, value);
// unlocking here
}
// TODO : Remaining Method Implementations
}
}
or in VB.NET
Imports System.Threading
Imports System.Collections.Generic
Public Class ThreadSafeDictionaryUtility(Of T, U)
Private dict As Dictionary(Of T, U)
Public Sub New()
Me.dict = New Dictionary(Of T, U)
End Sub
Public Sub SafeAdd(ByVal key As T, ByVal value As U)
' Add your preferred thread locking mechanism here
Me.dict.Add(key, value)
' unlocking here
End Sub
End Class
This should work pretty well but it isn’t the most efficient way to get what you want. It does, however, prevent you from performing much implementation. You basically only provide the implementation methods you want and you simply wrap them into a critical section or object lock.
The third option: Rolling your own
This last option requires you to create your own implementation from scratch. This would require you to create a class that implemented the IDictionary<,> interface (and any others that you want to implement such as ISerializable). I wont get into details here because to do this right, you really need to do a lot of work and its already 3am here 🙂 What I will say is that Microsoft does state that DictionaryBase is not thread safe. What it does use is the BeginCriticalRegion and EndCriticalRegion methods to let the host know that exceptions in portions of the “add” code may be damaging to other code in the AppDomain. After waking up this morning and reviewing this code (per a very kind individual who bluntly pointed out my error) I feel its neccessary to write an explaination of what those methods do and when its not appropriate. BeginCriticalSection and EndCriticalSection around the ENTIRE Dictionary.Add method would be inappropriate. Where it would be appropriate to use these functions is in this third option — rolling your own. You want it around the very small portion of the code that does the array shifting and modifying of the underlying value. Otherwise, in the case of wrapping it around the Dictionary.Add method, something as simple as an invalid argument passed into your thread-safe class may cause the entire appdomain to shut down.
HTH.
Mike Downen has started blogging!!!
YES! Another good resource for security information has just started blogging. Mike Downen is the program manager for security in the CLR. Man, I really wish he had come with the other CLR team members to Atlanta. In any case, point your aggregators to this blog. It has the potential to provide very valuable security information.
