You've reached the internet home of Chris Sells, who has a long history as a contributing member of the Windows developer community. He enjoys long walks on the beach and various computer technologies.
Thursday, Jan 9, 2003, 3:59 PM
TeeGofer
Here. From Husein Choroomi: "TeeGofer is a tool designed specifically for the .NET Component writer. Written in 100% native C# code, it works by reflection to read in metadata from .NET Assemblies (.DLLs or .EXEs) to create first class quality online help documentation. The Tool is extremely easy to work with, presenting a tree navigator of the entire structure of any Assemblies selected for the Help Project." Really Cool!
Thursday, Jan 9, 2003, 12:05 PM
Looking for whitepapers, presentations & webcasts?
Here. From David Briggs: My friend and author of only4gurus.com has enhanced the site with more than one thousand and five hundred whitepapers, presentations and webcasts for IT professionals. This site is extremely useful for consultants and field support professionals. Ramon says that contributions are welcome. David
Thursday, Jan 9, 2003, 6:38 AM
Developer
From Jeff Richard: Hello: I am in the process of constructing an application using Microsoft's smart client architecture (no-touch deployment), leveraging dynamic assembly loading to prevent installation on the client PC. I have run into a situation where I need a browser control to display content from an existing web site (help, reports). The problem is that the IE COM control cannot be consumed from a smart client application due to a security violation. I found a workaround, not the best solution since the path to IEXPLORE.EXE must be known, using the Win32 CreateProcess() API call to launch an instance of IE in a separate process. Security is handled by granting the application the ability to execute unmanaged assemblies. Has anyone found a "pure" .NET browser control that supports similar rendering capabilities as the IE COM control? Jeff. jtrichard@sotasw.com
Wednesday, Jan 8, 2003, 12:40 PM
New Year's Resolutions
Here. I take a look back at 2002 and a look forward into 2003 for me and the site.
Wednesday, Jan 8, 2003, 11:38 AM
Ask The Wonk Goes Live
Here. Due to popular demand, I've provided a subscription-based Q&A forum. Enjoy!
Wednesday, Jan 8, 2003, 12:00 AM in The Spout
New Year's Resolution
I just flew in from 2002:
- Wrote or co-wrote 4 books: Mastering VS.NET, Windows Forms for C# Programmers, Windows Forms for VB.NET Programmers and ATL Internals, 2/e (you should see them all in 1H03)
- Helped Don & Shawn with their books (no writing, just heavy-duty feedback)
- Wrote 6 articles for the Wonders of Windows Forms column (some are excerpts from my WinForms book)
- Wrote 9 articles for the "Chris Sells on .NET" newsletter (some are excerpts from my WinForms book)
- Started the "Adding Ref-Counting to Rotor" research project (we've got an alpha running!)
- Wrote a 5-day WinForms short course
- Spoke at bunches of conferences and seminars, including the 2 Web Services DevCons I hosted
- Started a newsletter and published 8 issues
- Started the Windows Developer News forum
- Wrote or co-wrote 13 magazine articles (3 are still pending publication)
- Wrote 29 Spout pieces, including the ever popular VS.NET Fun Facts
- Shipped 3 releases of Genghis
- Shipped several other new tools and samples, including Wahoo!, CollectionGen, XsdClassesGen, imcli and RegexDesigner.NET
- Created the Intel Rich Client series where I served as the editor for 6 articles (1 is still pending)
- Consulted for several companies
- Mentored several proteges
- Conducted a very painful, but very fruitful, marketing survey
- Lost 55 pounds (which I hope never to find again!)
- Answered countless mailing list and direct questions via email
and boy are my arms tired! Even I look at that list and think "holy workaholic, Batman!" Of course, I couldn't have done all these things alone. I worked with fabulous co-authors and co-contributors. Thanks to you all and I look forward to working with you again in 2003!
In the new year, I have the following goals:
- Make Ask The Wonk a fun experience for all involved (it just started on Monday, but it's already great fun answering the level of questions I've received!)
- Move the DevCons to the phones via the PhoneCons to avoid the expense and hassle of travel for everyone, while still maintaining the power and charm of the DevCon
- Get those .NET War Colleges humming! I *so* look forward to these
- Several more releases of Genghis (a new release is already cooking)
- A few more magazine articles (I've got a few already in the queue)
- Finishing up the Rotor ref-counting project, publishing the code and the results
- Re-org the web site a bit (again!)
- Continuing the Wonder of Windows Forms column
- Hanging on the Off Topic mailing list (still my favorite mailing list)
- A couple of other projects that I'm dying to share with folks, but am sworn to secrecy...
- Losing another 35 pounds (it's a 2-year plan)
- Find a way to take a vacation
We'll see how I do this time next year, especially on those last two.
Tuesday, Jan 7, 2003, 3:41 PM
What is Disconnected Data Architecture?
From Sergey Kostrov ( SergeyKostrov@hotmail.com ): What is Disconnected Data Architecture? Can anybody explain it? I've taken this term from .NET SDK documentation. Unfortunately, explanation of this term is a little bit unclear.
Monday, Jan 6, 2003, 12:24 PM in .NET
Conferences Re-Tooled for .NET?
Here. From Chris Sells' Marketing Guy: The Pioneers of WinForms PhoneCon is a new method for attending Chris Sells's popular DevCons. The whole unit can share a PC and speakerphone to attend a PhoneCon conference cheaper than 1 person can attend a regular conference. PhoneCons are spread over 8 weeks to give you time to absorb the conference information, instead of having your head crammed full of too much information in just 1-2 days. Best of all, you get to conduct conversations with leading .NET experts as well as your fellow attendees, offering a 'virtual hallway' before, during, and after each session!
Thursday, Jan 2, 2003, 3:02 PM
DLL Help Database
Here. From Husein Choroomi: "DLL Help exists to assist developers, system administrators, and other IT professionals who face file version conflicts with Microsoft software. Use DLL Help to identify which software installed a specific version of a DLL." [JoelonSoftware] What's DLL Hell? ;)
Thursday, Jan 2, 2003, 12:24 PM
Apps Are People, Too
Here. My dream to secure wahoo.exe instead of wahoo.exe users and how long we've got to go to realize that dream.
Thursday, Jan 2, 2003, 12:00 AM in The Spout
Apps Are People, Too
A concerned Wahoo! patron sent in the following screen shot of the current high scores as exposed by the high scores service:
As you can see, the high scores service has turned into the poster child for the need for web service security. However, after hanging out at two Web Services DevCons and talking with Keith "Mr. Security" Brown, I've come to the conclusion that there is no good way to secure this specific web service. Even worse than that, there's an entire class of web services just like it that can't be guaranteed secure.
The goal of the high scores web service is to provide access only to the Wahoo! app itself. Only Wahoo! knows when someone has earned their score while playing instead of merely faked it through some other means. Of course, this application is just for fun, so the lack of a secure high scores repository is hardly a big deal (although I'm often surprised when people tell me that they play wahoo.exe instead of sol.exe). However, imagine that a real application wanted to do the same thing. Maybe Microsoft only wants Office applications and not Linux knock-offs to query the clip art web service on microsoft.com. Or maybe your business wants to provide a web service that only your apps can talk to.
Of course, Microsoft doesn't ship the source code for Word and your business is unlikely to ship the source code for your apps if you plan on making money on them (remember actually making money on software?), so that's different than Wahoo!, isn't it? No. Every time you put code on a machine outside of your sphere of influence, you might as well ship code, especially if it's .NET code, which comes with a built-in disassembler! "But wait," you say. "What about code obfuscators?" Well, that arms race has already been fought in the world of Java and disassemblers won. There was no way that an obfuscator could hide the details of Java byte code without completely destroying the usability of the code (particularly in the area of performance). .NET will be no different.
"Aha! But what about unmanaged code? x86 can't be read like IL." You're right. It is harder to disassemble x86 than IL, but not significantly so. The x86 disassembler tool vendors have been working for a lot longer on this problem and we've bred guys like Andrew Schulman and Matt Pietrek that dream in x86 and only translate to English as a convenience for their wives.
The bottom line is that if you ship code, you might as well ship the source, as it's available anyway. If a computer can execute your code, somebody can read it and pull out the details of whatever you're using to obfuscate the communication between your code and your back end (whether it's a web service or not).
"So why do I have to log in all the time if there's no such thing as security?" Well, it's not as if there aren't ways to secure systems in the world, but all working security thus far invented depends on physical security, whether it's the private part of a key pair secured in your safe or a password secured in your brain. The reason that applications can't make use of this kind of security is because they don't have access to safes and their minds can be read much more easily than those of humans (although a rubber hose is just as effective as ildasm.exe, when something is really important).
So what does that mean for applications that want to make use of back-ends? I see four solutions. One, you can tie security to a user instead of an application. For example, if I make everyone sign up for a Wahoo! account to log high scores, I'd at least know who to ban from use when they faked impossibly high scores. However, it also opens up the possibility of the user completely bypassing the application altogether, including any checks that the client may make on validity of the data being sent to the back-end.
The second possibility is to make things hard*er* on the potential hackers. Keith summed it up nicely:
"After looking at your JPG, I'd suggest some server side filtering. Limits on user name length and content would help you at least reduce the amount of space that hackers can use for advertising. OTOH, you've got a nice little bulletin board going there ;-)"
Anything I do in the way of encryption and obfuscation between the app and the back-end will slow down potential hackers and for something like Wahoo!, I don't suspect it would take much to keep folks honest (turning off the asmx test page would be a good first step, for example : ).
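The server-side filtering Keith suggests could look like the following check, run inside the web method before a score is stored. This is an added example, not code from the Wahoo! high scores service; the `ScoreFilter` class, the 16-character name limit, the allowed character set and the score ceiling are all assumptions. It bounds what a forged request can store; it does not prove the request came from wahoo.exe.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

public static class ScoreFilter
{
    // Assumed limits for illustration; tune them to the game.
    const int MaxNameLength = 16;
    const int MaxPlausibleScore = 1000000;

    // Letters, digits, space, underscore, hyphen. Without '.', '/', ':',
    // '<' or '>' a name cannot carry a URL or markup.
    static readonly Regex AllowedName = new Regex(@"^[\p{L}\p{Nd} _-]+$");

    public static bool TryAccept(string name, int score, out string clean, out string reason)
    {
        clean = null;
        if (name == null) { reason = "name missing"; return false; }

        // Normalize first so compatibility forms are measured and matched
        // consistently; malformed UTF-16 (lone surrogates) is rejected.
        string n;
        try { n = name.Normalize(NormalizationForm.FormKC); }
        catch (ArgumentException) { reason = "name is not valid Unicode"; return false; }

        // Trim and collapse whitespace runs so padding cannot distort the board.
        n = Regex.Replace(n.Trim(), @"\s+", " ");
        if (n.Length == 0 || n.Length > MaxNameLength) { reason = "name length out of range"; return false; }
        if (!AllowedName.IsMatch(n)) { reason = "name contains disallowed characters"; return false; }
        if (score < 0 || score > MaxPlausibleScore) { reason = "score outside plausible range"; return false; }

        clean = n;
        reason = null;
        return true;
    }

    public static void Main()
    {
        // Constructed sample submissions, not real entries from the service.
        string[] names = { "  Chris   S ", "visit example.invalid now", "<b>hi</b>", "Ann", "" };
        int[] scores = { 4200, 10, 10, int.MaxValue, 5 };
        for (int i = 0; i < names.Length; i++)
        {
            string clean, reason;
            bool ok = TryAccept(names[i], scores[i], out clean, out reason);
            Console.WriteLine("\"{0}\" / {1} -> {2}", names[i], scores[i],
                ok ? "stored as \"" + clean + "\"" : "rejected: " + reason);
        }
    }
}
```

Store the cleaned name rather than the raw input, and still encode it when rendering the high scores page.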
One way to make things harder, and a third way to secure apps, is a dongle, which adds new hardware to a machine along with the software. Unfortunately, a dongle could be reverse engineered just like a hunk of software. It's only the fairly uncommon use of dongles that keeps them from being broken more often.
The fourth option, which Keith mentioned, is Microsoft's new Palladium platform, which operates with special hardware and software to limit a user's access to their own computer, kind of like a universal dongle.
The real question is, what's secure enough? Unfortunately, this is an arms race that will eventually be won by any hacker with enough smarts, time and money. For users, we continue to make things harder on hackers as we transition from passwords to biometrics and smart cards. For applications, we've got dongles and precious little else, which makes it darn hard to treat apps like the independent entities into which they're evolving.
Tuesday, Dec 31, 2002, 9:25 PM in .NET
"When I first heard about .NET, I held my nose"
Here. I did an interview a long time ago and just noticed that my most fun quotes were actually printed in USAToday. Cool!
Monday, Dec 30, 2002, 5:38 PM in .NET
Xopus.NET
Here. From Jesse Ezell: "I have put together a Xopus wrapper for .NET. Basically, it isolates you from having to know all the Xopus details: just drag, drop, and set the designer properties." Xopus is an opensource browser based WYSIWYG xml / xsl based editor that works natively in IE 5.5+ / Mozilla 1.3+ / Netscape 7+. Pretty cool stuff.
Sunday, Dec 29, 2002, 2:13 PM
CodeSmith Beta
Here. "CodeSmith allows you to create templates that will generate code for any ASCII based language. The code generated can be customized by the use of properties. A property can be any .NET object that has a designer (most built in .NET types have designers already) and can be as simple as a boolean property that allows you to conditionally add or remove code from the result, to an object such as the included TableSchema object which provides everything you could possibly want to know about a table in a database. Having access to this information allows you to generate things such as stored procedures, business objects, presentation layer code, or anything else you can think of based on a table schema." This looks like a promising code-gen tool, and I've seen more than my share...
Saturday, Dec 28, 2002, 6:28 PM in .NET
.NET Wrappers for NVIDIA's Cg API
Here. From Ben Houston: This simple wrapper, written in Managed C++, allows for developers to make use of NVIDIA's new Cg shader language from within a C# or VB.NET application. It is simple to use with existing OpenGL wrappers such as Lloyd Dupond's CsGL. A sample application that makes use of OpenGL and Cg via C#, ExoEngine, is available for download on the same site.