Feb 2 2009 1:08PM GMT
Posted by: Yuval Shavit
.NET application testing and security,
Windows 7
A couple blog entries ago, I mentioned that among Windows 7’s improvements is a fix to the user account control (UAC) functionality introduced in Vista. UAC was always a good — and overdue — idea, but Vista’s implementation was annoyingly chatty. Windows 7 would fix that, I wrote.
A security hole in Windows 7’s UAC has been found that uses a script to disable future UAC warnings, according to blogger Long Zheng. I haven’t tested it yet (our work machines still run XP), but Zheng’s blog entry includes proof-of-concept code. According to the blog, the issue had previously been marked as a bug on Microsoft Connect, but Microsoft closed the issue as “by design.
The easy fix is to set your UAC warning level to always ask for confirmation, even if it’s just to set system settings. That means malicious code won’t be able to disable UAC behind your back, but it also means UAC will be back to its annoying Vista persona.
Let this be a reminder to us all: convenience and security are often at odds. The problem is that too many warnings are also a problem, as users are apt to just click “yes” without reading your warning message. Striking the right balance between giving users power, giving them options, giving them convenience and giving them security is always difficult.
Oct 27 2008 12:53PM GMT
Posted by: Yuval Shavit
General Microsoft news,
Web applications,
.NET Web services (Windows Communication Foundation)
LOS ANGELES — In unveiling its Web-based development platform today at PDC, Microsoft has fired a salvo at Amazon EC2, the company’s hosted development platform. Microsoft’s version of the cloud computing platform, dubbed Windows Azure, is essentially a hosted version of its server-side .NET platform. Developers can write ASP.NET code, complete with hookups to a hosted version of SQLServer, and run it on virtual machines hosted by Microsoft.
Windows Azure is meant to be another tier of computing, addressing Web development in the same respect that Vista and Windows Server address client-side and server-side development, said Ray Ozzie, the company’s chief software architect.
For now, Windows Azure is in very early beta. Its functionalities are fairly limited, and the company has not rolled it out to the public at large yet; for now, only developers at PDC will get activation codes. Ozzie warned that when the service reaches a commercial release — at a yet-unnamed time — it will likely be very different, and possibly incompatible, with the current version.
Developers looking for client-side news were out of luck today; the whole keynote focused on Azure, with plenty of demos to show what the cloud OS can do so far (though not a whole lot on how that’s different from what standard client-server apps already do). Tomorrow’s keynote will focus on client-side Windows development; check here for more updates.
Sep 10 2008 2:04PM GMT
Posted by: Jack Vaughan
General Microsoft news,
Architecture and the SDLC
Microsoft Corp. said it will join the Object Management Group, the steward of UML and promoter of Model-Driven Architecture and other enterprise standards. Microsoft’ Bob Muglia made the disclosure as he described Microsoft’s plans to take modeling into mainstream industry use. Continued »
Aug 13 2008 1:49PM GMT
Posted by: Jack Vaughan
.NET Web services (Windows Communication Foundation)
By Andrew Horne
Authentication and authorization are key areas of focus in the “Improving Web Services Security” guide published by Microsoft’s Patterns and Practices Team. The guide leads you through SOA security, WCF security, and useful application scenarios for both internet and intranet.
The twin security approach of authentication and authorization assures that only trusted users use your applications. This guide runs through the decisions you have to make in setting up these security devices, such as which authorization approach to use: role-based, identity-based or resource-based. This leads to questions about user stores and transfer security, among many others. The answers you give to these questions also have an effect on authentication: for instance, do you go with username or certificate authentication? The chapter “Solutions at a Glance” gives you a neat five-step outline to keep your thoughts organized.
Patterns and Practices pooled knowledge resources with Microsoft’s WCF team and outside leaders in the field, while also comparing this knowledge with user responses. The guide reflects the increasingly important role security plays for designers in today’s technological environment. As Nicholas Allen, Program manager of WCF, writes in his forward to the book, “Security has to be treated as part and parcel of functionality.”
Download the guide here, and also check out SearchWinDevelopment’s WCF Learning Guide.
May 14 2008 2:32PM GMT
Posted by: Jack Vaughan
VS 2008 and .NET 3.5,
Database development and architecture
Microsoft released a beta of .NET 3.5 SP1 and VS 2008 SP1 releases. While devoted in great part to bug fixes, they also include new features, some that have been eagerly awaited. Versions of ADO.NET Entity Framework and the ADO.NET Data Services framework (Astoria) are included. Continued »
May 8 2008 10:37AM GMT
Posted by: Jack Vaughan
Architecture and the SDLC,
Methodologies (Team Development, Agile and so forth)
Little noted but of major interest: At last months Microsoft MVP Global Summit, Microsoft Chief Software Architect Ray Ozzie spoke about how he approaches his role as leader software technology steward at Microsoft. The session provided an inside view of how this famed technologist operates. Continued »
Mar 27 2008 1:33PM GMT
Posted by: Jack Vaughan
.NET application testing and security
How much foresight must engineers have? At what point do threats become absurdly remote? The questions arise, as I look at an item that recently crossed my desk. It provides a view into a future in which application security will endlessly enter uncharted regions. It has to do with hacking pacemakers via radio.
“Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses” describes a study that University of Washington and University of Massachusetts researchers undertook to measure the security and privacy properties of implantable defibrillators that support radio-based reprogramming. Read more on SearchSoftwareQuality.com.
Read Application threats seen to radio programmable pacemakers.
Mar 21 2008 11:04AM GMT
Posted by: Jack Vaughan
.NET Web services (Windows Communication Foundation)
Dino Chiesa, who previously wrote about how not to write a REST app, finally spills his guts on how to go about doing so. The basic metaphor in WCF is that services receive and respond to incoming communication, and clients initiate those communications. The REST service is an application that receives and understands HTTP GET Requests according to the REST pattern. He notes that although these can be built using any text editor, Visual Studio makes it a lot easier to code, test, and debug. He also talks about how LINQ complements REST approaches.
http://blogs.msdn.com/dotnetinterop/archive/2008/03/20/how-to-build-a-rest-app-in-net-with-wcf.aspx
Mar 3 2008 3:40PM GMT
Posted by: Jack Vaughan
VS 2008 and .NET 3.5,
Methodologies (Team Development, Agile and so forth)
NOTABLE THIS WEEK - There is little question that tools these days are subject to rolling releases. Noris there much question that bosses still look for reasons to put off new migrations. Developers want to get their hands on the newest stuff so they are ready when the tools and runtimes are truly released. Managers are not always wrong in waiting until the software is more fully baked.
Well, Visual Studio 2008 went to its final debutante ball last week. The event was held in Los Angeles, and it was entitled ”Heroes Happen Here.” As Microsoft hoped, VS 2008 was rolled out along with Windows Server 2008 and SQL Server 2008 (which, admittedly, is still something of a ‘player to be named later,’ as all of its parts did not get into the box on time for the Heroes launch.)
”With the launch of Visual Studio 2008,” CEO Steve Ballmer told the Heroes crowd, ”you’ll see performance again ramp up dramatically as we improve compiler speeds and developer productivity really quite dramatically. Start times, load times, compile times are all quite dramatically improved with this launch of Visual Studio 2008.”
After a long journey the tool once code-named Orca is out as Visual Studio 2008. For some of us, the move from code name to product name is anti-climactic. For many more of us, the real game is just about to begin.
To get a gauge of where things are headed, correspondent Coleen Frye spoke to Visual Studio 2008 users, and her work is on display on SearchWinDevelopment.com. In ”A view on VS 2008, ” a development manager at a cutting-edge Internet agency tells Frye that improvements to Team Foundation Server are among the keys that led the firm to take the VS2008 plunge. So, Ballmer’s boast of load and compile time improvements may be sound.
LINQ Learning Guide to get up to speed on this new way of working with data programmatically.
A slew of Visual Studio 2008 tips and tutorials is available as well in the site’s Visual Studio 2008 Learning Guide.
