For anyone who cares, Service Pack 3 for Windows XP should be available today.
There's a 'bug' going around. You might have heard of it: it infected more than 1/2 million sites. I actually saw this particular attack before it hit the press, as one of the affected admins was posting questions about it on a tech support forum I frequent. It's really just a run-of-the-mill SQL injection attack and I've seen the raw SQL code. While I'm not impressed with its quality, it was certainly effective enough. At the time I just didn't realize the significance. I want to make a few comments on the attack, and then I'm done.
The attack targets Microsoft's IIS+ASP+SQL Server combination, but it's not taking advantage of any specific security vulnerability in Microsoft's software. It's really not Microsoft's fault. I've seen a few people scoff at that, but it's true. The attack could just as easily have targeted Apache+PHP+MySQL, and some 'experts' are expecting a MySQL enabled version of the attack to go out soon. If you run a web site, the good news is that if you're doing even the most basic field validation you'll be fine. The only thing to blame here is bad coding in the web sites. To be fair I suppose there are some sites that have been running for longer than SQL injection has been a problem, but they'll be a very small minority. The moral of the story here is always sanitize your database inputs! This is database programming 101. You shouldn't be able to get a programming job if you don't know how to do that, and I mean it. If you already have a programming job and don't know how to filter your inputs for SQL injection, STOP RIGHT NOW, GO CHECK GOOGLE, AND FIND OUT! Yes, that's right; I'm yelling at you; you deserve it. This is kindergarten stuff (obligatory xkcd reference).
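The point about bad coding can be seen in a few lines. The following is an added example, not code from the attack or from any affected site: it uses Python's sqlite3 module in place of ASP and SQL Server, and the table, rows, length limit and function names are all constructed for illustration. The weak handler checks only the length of the field and then pastes it into the SQL text; the corrected one binds it as a parameter.

```python
import sqlite3

MAX_LEN = 40  # constructed length limit: the only check the weak handler makes


def make_db():
    """Build a constructed in-memory table with one row that must stay hidden."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER, title TEXT, published INTEGER)")
    db.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(1, "Welcome", 1), (2, "Editor's picks", 1), (3, "Unpublished draft", 0)],
    )
    return db


def lookup_concatenated(db, title):
    """Weak form: length check only, then the field becomes part of the SQL text."""
    if len(title) > MAX_LEN:
        raise ValueError("field too long")
    sql = ("SELECT id, title FROM articles "
           "WHERE published = 1 AND title = '" + title + "'")
    return db.execute(sql).fetchall()


def lookup_parameterized(db, title):
    """Corrected form: the field is sent as a bound value, never parsed as SQL."""
    if len(title) > MAX_LEN:
        raise ValueError("field too long")
    sql = "SELECT id, title FROM articles WHERE published = 1 AND title = ?"
    return db.execute(sql, (title,)).fetchall()


def compare(field):
    """Run the same form field through both handlers on a fresh database."""
    db = make_db()
    try:
        weak = lookup_concatenated(db, field)
    except sqlite3.OperationalError as exc:
        weak = "SQL error: %s" % exc  # the quote in the field broke the statement
    return weak, lookup_parameterized(db, field)


if __name__ == "__main__":
    # Constructed inputs: a textbook quote-breaking string and an honest title.
    for field in ("x' OR '1'='1", "Editor's picks"):
        print(repr(field), "->", compare(field))
```

The short string passes the length check and makes the concatenated query return every row, including the unpublished one, while the bound version returns nothing. The honest title with an apostrophe breaks the concatenated query outright and works with the bound one.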
Since I called out the quality of the code for an obviously very successful attack I need to back that up, so here's my analysis. When you look at the code, everything is scrunched up on one line. The author uses single letter variables and other tricks to minimize the size of the code. That's not the bad part. There's a good reason for this: the code has to be passed in through form fields, and form fields are often validated first by the length of the text passed. Even if you don't validate anything else (and the attack relies on that completely, as I've explained), you might do this. By reducing the size of the code the author increases the potential number of vulnerable sites. Unfortunately, he uses a long name for one important variable, resulting in extra bytes that are repeated several times. He also misses an easy trick to reduce his code size and takes the time to close and deallocate a cursor. By fixing these issues he could have saved more than 100 bytes, or reduced his code size by more than 20 percent. Finally, in closing the cursor he made his code less successful and more open to detection. If he leaves the cursor open subsequent calls to his same procedure would fail. Because he closes it, they succeed. I know that several sites were only aware of the breach because of the load this procedure placed on their system when running repeatedly. Leaving the cursor open, while normally poor practice, would have been the better choice here. Not only that, but the attacker's system was unprepared for the resulting load. The javascript target of the attack was unavailable for several days because so many sites were hit it couldn't keep up.
Moving on. As I've already said, this attack succeeded at more than 1/2 million web sites. Nearly all of these sites are perfectly legitimate, and odds are you visited one or know someone else who has. That's where the problem comes in. See, while the attack initially targets web sites those sites are only a means to an end. The real target here is you. When you visit any of these sites code will run that will try to install bad things on your computer. Your anti-virus software might stop it, but then again it might not. Are you sure it's up to date? Are you sure it knows to check for this particular set of malware? You might only get a pop-up asking if you really want to continue before installing something bad. And this is a legitimate site. It might even belong to a church, government, or charitable organization. So of course you trust the site? Or maybe you've already trusted the site by accepting a 'certificate'.
In any of these cases your computer is turned into what is known as a zombie, and that means several things. It means the attacker can come back at his leisure and try to copy passwords, bank account information, identity information and other things from your computer. It also means your computer is now part of an invisible army the attacker can use to conduct denial of service attacks, send spam, crack captchas, or crack encrypted data. Your computer doesn't fully belong to just you any more, and you didn't even do anything wrong.
That's bad enough it has me re-thinking my previous decision to run without virus protection, which I finally put into practice when I re-installed my operating system last week. Even if you follow good computer practices, only visit reputable web sites, and have your system fully patched, you could be vulnerable to this attack. Currently, my only layer of defense is the built-in Windows Defender, and that's not much. As weak as many current anti-virus programs are, at least it's something. I also typically use Firefox with the NoScript extension, but I don't always have the luxury of surfing in Firefox.
I was trying to install some software today, but I ran into this problem that kept me stumped for the better part of an hour. Now that it's solved I wanted to share how I fixed it, and maybe save some other poor soul part of my frustration.
The problem is that I have my computer set up to automatically connect some shared drives, and I map certain standard folders to those mapped drives. In my specific case it's the Pictures and Music folders (My Pictures and My Music in Windows XP). When I tried to install any software that uses the Windows Installer service I would get "Error 1327.Invalid drive P:". My best guess is that it does some kind of validation for those standard folders that network shares won't pass.
So how to fix it? After much searching I finally found a registry edit that will do the trick. Open your registry editor (Start menu->Run->type 'regedit' and press Enter) and navigate through the tree to this key:
\\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
When you find that key check for any entry in the right pane that points to a network drive and change it to point to the local machine. That's it, problem solved.
I was planning to post a Vista review today, but I need a little more time. Check back for that next week.
I saw this article yesterday about how open source software is costing vendors $60 Billion (with a 'B') in revenue each year. What complete and utter bunk. It ignores the benefits entirely. You could just as easily take the opposite side and say that open source is unlocking $60 Billion in value for businesses. If you want to try to be neutral you might say that open source has a $60 Billion impact on the market, and let the reader decide whether that impact is positive or negative. Personally, I'm mixed on the issue, but such an obviously biased report angers me greatly, no matter which side it's for.
I have personally benefited immensely from open source software in many ways. One is that open source has driven browser development for the last several years. You might argue that Opera is better than Firefox, but without Firefox most people would still be using IE6. Oh, wait. Okay, many more people would still be using IE6, and IE7 and IE8 might not even exist. And a better browser helps everyone. Open source has saved me money. For example, I don't need to buy a copy of Microsoft Office for my home computer. There are a number of open source utilities I've used over the years that were definitely not free before open source came along. It's helped me be a better software developer by allowing me to see more code and providing tools I can build on. It's let me do things that otherwise wouldn't be possible. For example, I've extended the code from the stock dasBlog install for my home server more than once to add features that only I need. That's not possible with proprietary code, or even shareware.
On the other hand, one of the great things about being a software developer is that you're only one good idea, six months hard work, and a little bit of luck away from quitting your day job to be your own boss. Open Source makes that entrepreneurial dream harder to achieve by reducing the potential price for your product and increasing competition. The barrier to entry in the software business remains low. In fact, open source has helped to bring it even lower by making publishing tools available for even less. But the road to success is more difficult.
My point is that there are ups and downs, and to so blatantly play just one angle is wrong.
A while back Scott Hanselman of dasBlog (which I use on my Home Server) and Jeff Atwood of Coding Horror had some back and forth on what it means to contribute to an open source project. The culmination of this exchange (shown in the last link I just posted) is a concise description of how to contribute to an open source project like dasBlog.
This series is a little old now, but it just happens I encountered a few bugs in dasBlog since installing it a few weeks ago. Most of those already have fixes, but one of them I fixed myself, and have now submitted a patch. To be fair to dasBlog this isn't an error in their code. It's just a theme problem, and those are -- to my knowledge -- provided by people outside the core project. But even if it's just a stray line in a style sheet it's still a problem, in that it made dasBlog nearly unusable if you happened to view that theme in IE7. The good news is that this stray line will no longer exist if my patch ever makes it to production.
This marks my first direct contribution to an open source project, even if it's not what many would consider "real code". Hopefully more will follow, including code in behavioral languages rather than just style sheets. This may come sooner rather than later, as in the next few weeks I'll be messing around in the dasBlog code to add a few items I want to make my home site more usable. These will be specific additions- new static pages and the like- so it won't be really appropriate to contribute all of them back. For the most part the only reason I'm adding them to my dasBlog installation is that I want to easily use the dasBlog users to control access. But I expect in the course of that work to find a few things worth sending back.
So I went to the Heroes Happen Here launch event yesterday. I had fun, learned a lot, and got some free software. It was especially nice because I knew some of the people there. My old boss was there, and I got to talk to him for a while. A co-worker was supposed to come as well, but wasn't able to make it. My mother, who is also a programmer, came. As a side note, someone walked off with her notebook (paper, not electronic, but her software package was tucked inside). Really, the nerve of some people. Whoever took it belongs in prison.
Another note about the software-- they sprung a surprise on us, and not a nice one. We only get one year evaluation licenses for SQL Server and Windows Server. It's disappointing, because at the 2005 event they were full licenses and there was no clear indication for this event it wasn't also the case this time. Supposedly the software won't stop working after a year and will still validate as "genuine" for updates and all that, but you'll be in violation of your EULA and I don't know if you'll be able to re-install it. I have a feeling that using it longer will be sort of unofficially sanctioned, like how Vista upgrades itself, but I'll still be waiting a while to actually install it.
I'm willing to wait because there was another surprise: they also gave us a full copy of Vista Ultimate 32-bit. This doesn't expire and I can re-install it later, so I'm using it for now instead. I would have liked to try the 64-bit edition, but the option wasn't available this time. Check back next week for my full review-- I have lots to say, but you need to use a system for a while to really appreciate it. UAC, for example, is really annoying at first as you set up the system and are constantly making lower-level changes. But once the computer is mostly configured it might not be so bad anymore, and I want to test that. I think that to avoid this 'burn in' period Microsoft should have disabled UAC by default for the first 30 days, and then start nagging you until you either turn on UAC or disable the prompt like they do to restart the computer after updates.
I have used Vista before, but this will be a nearly-first impression. The last time I used Vista was the last beta before the release candidates, and it was the 64-bit edition. At that time I was having motherboard issues in XP as well and there wasn't a good 64-bit driver for my video card yet. So here is my install experience and first impression:
So far it's not as bad as everyone makes it out to be. It installed in less time than it takes to bake a potato (I know because my wife was baking potatoes while I installed), and detected all my hardware. Let me say that again-- I didn't have to find or install a single driver. Normally just before I install a new operating system I make sure of two things: that I know the make and model of each major device and that I have a good driver handy for the network card. Given those I can find the rest on-line very easily. This time I didn't need anything, though that's really not more than I should expect for my slightly older computer. To this point I haven't seen the glitches people are complaining about. Gaming performance is not noticeably degraded (more on that next week). Right now my favorite new feature is one that no one else seems to even notice: the new address bar (more on that next week as well). On the other hand, people tend to heap praise on the new start menu, while I just find it a jumbled mess. No doubt I'll adjust soon enough.
Getting back to the main topic, here are a few of the things I learned about at the launch event. Some of them aren't very interesting, but they caught my attention because they're more relevant where I currently work, or because I hadn't heard about them elsewhere:
Windows Server 2008
- I never saw a single UAC pop-up. Whether that means it was disabled for the demo, the demo was carefully orchestrated to avoid them, or Windows Server is just better about UAC I don't know. I suspect the first.
- IIS7 is a big improvement, and will bring back real xcopy deployment for ASP.Net developers. As it stands, ASP.Net requires the creation of a virtual directory before a new site will function. This is still the case with IIS7, but now you can automate the creation just by including the appropriate config file in your site.
- Most of the other items I saw don't matter much unless you're in a larger environment than I deal with right now: say at least a dozen servers or 100 desktops.
SQL Server 2008
- Configuration Server: We can register similar servers or databases under a configuration server and then run queries against the configuration server. The configuration server will then run that query on all the registered servers and return the aggregated results.
- Change Data Capture. It's no longer necessary to build audit trails into your applications. Developers can focus on building features, and let CDC worry about audit information. This is also more secure and faster because it moves the audit information away from the busier and more open application, and centralizes it for easier auditing.
Visual Studio 2008
- Office development is a lot easier. It's pretty easy to build new ribbons or add-ins. I missed the section on deployment, though.
- LINQ is even cooler than I thought. I saw a demo where SQL data was joined with XML data as easily as if they were two simple tables in the same database. Unfortunately, it makes VB.Net a 2nd class citizen because it likes to use anonymous types.
- I'm looking forward to the javascript debugging improvements, but I didn't get to see it demoed.
From Raymond Chen's blog:
You've all experienced the Fundamental Failure-Mode Theorem: You're investigating a problem and along the way you find some function that never worked. A cache has a bug that results in cache misses when there should be hits. A request for an object that should be there somehow always fails. And yet the system still worked in spite of these errors. Eventually you trace the problem to a recent change that exposed all of the other bugs. Those bugs were always there, but the system kept on working because there was enough redundancy that one component was able to compensate for the failure of another component. Sometimes this chain of errors and compensation continues for several cycles, until finally the last protective layer fails and the underlying errors are exposed.
That's why I'm skeptical of people who look at some catastrophic failure of a complex system and say, "Wow, the odds of this happening are astronomical. Five different safety systems had to fail simultaneously!" What they don't realize is that one or two of those systems are failing all the time, and it's up to the other three systems to prevent the failure from turning into a disaster. You never see a news story that says "A gas refinery did not explode today because simultaneous failures in the first, second, fourth, and fifth safety systems did not lead to a disaster thanks to a correctly-functioning third system." The role of the failure and the savior may change over time, until eventually all of the systems choose to have a bad day all on the same day, and something goes boom.
I just saw a news article about the captcha for hotmail (excuse me: windows live mail ;-) ) being defeated. This follows on the heels of defeats for Google and Yahoo as well. The story makes the point that a single zombie machine can now create about 1440 accounts per day, with a success rate of 10-15%. I've also seen a few follow-up stories saying that, taken together, the defeat of possibly the three biggest (and toughest) captchas could be the death of captchas. It's possible, but I don't think so.
First of all, the scale of the breach seems inflated. 1440 per day? That's exactly one per minute. How many zombie computers run 24/7, or can devote their full processing power to a task without alerting the user to the presence of zombie software? Does that assume a success every minute? Something's up with that number.
Secondly, you'd think they could keep a look-up table of IP addresses separating residential IPs (fewer than 5 machines) from corporate (often many more) and limit the residential IPs to, say, 5 new accounts per day. For the corporate IPs limit the number of failed attempts to a reasonable amount (say, 1000) before cutting off that IP as well. That would stop the vast majority of bad accounts, enough that it might not be profitable to the spammer any more.
I haven't heard of anyone doing this, and it seems fairly obvious to me. Maybe there's a flaw to my process, but there certainly ought to be a simple solution like that. So is the captcha dead? I, for one, hope not. Not that I like captchas. It's just that they're the lesser evil. The alternatives are unfettered spam, accounts that are unilaterally disabled by your provider at the first hint of spam activity, even harsher turing tests, or all of the above.
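The per-IP limits proposed above can be written down as a small signup gate. This is an added example, not any mail provider's actual logic: the look-up table, the class and function names, and the choice to treat unknown addresses as residential are assumptions, and the bot is modelled as 1440 attempts per day with one captcha solved in every eight (12.5%, inside the 10-15% range quoted).

```python
from collections import defaultdict

RESIDENTIAL_DAILY_ACCOUNTS = 5    # figure proposed in the post
CORPORATE_FAILED_ATTEMPTS = 1000  # figure proposed in the post

# Constructed look-up table using documentation-only address ranges.
SAMPLE_IP_CLASSES = {
    "203.0.113.7": "residential",
    "198.51.100.20": "corporate",
}


class SignupGate:
    def __init__(self, ip_classes):
        self.ip_classes = ip_classes
        self.accounts = defaultdict(int)  # (ip, day) -> accounts created that day
        self.failures = defaultdict(int)  # ip -> failed captcha attempts so far
        self.blocked = set()              # corporate IPs that have been cut off

    def classify(self, ip):
        # Assumption: an address missing from the table gets the stricter class.
        return self.ip_classes.get(ip, "residential")

    def allow_attempt(self, ip, day):
        """Decide whether this IP may try to create another account today."""
        if ip in self.blocked:
            return False
        if self.classify(ip) == "residential":
            return self.accounts[(ip, day)] < RESIDENTIAL_DAILY_ACCOUNTS
        return True

    def record(self, ip, day, solved):
        """Record the outcome of one captcha attempt that was allowed."""
        if solved:
            self.accounts[(ip, day)] += 1
            return
        self.failures[ip] += 1
        if (self.classify(ip) == "corporate"
                and self.failures[ip] >= CORPORATE_FAILED_ATTEMPTS):
            self.blocked.add(ip)


def simulate_day(gate, ip, day, attempts=1440, success_every=8):
    """Replay one day of automated signups from one IP; return accounts created."""
    created = 0
    for i in range(1, attempts + 1):
        if not gate.allow_attempt(ip, day):
            continue  # request refused before the captcha is even shown
        solved = (i % success_every == 0)
        gate.record(ip, day, solved)
        created += int(solved)
    return created


if __name__ == "__main__":
    gate = SignupGate(SAMPLE_IP_CLASSES)
    print("ungated accounts per day:", 1440 // 8)
    for ip in SAMPLE_IP_CLASSES:
        print(ip, gate.classify(ip), simulate_day(gate, ip, "day-1"))
```

Under these assumptions the residential address stops at 5 accounts per day instead of 180, and the corporate address is cut off at its 1000th failed attempt, after 142 accounts.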
The life of a programmer in a decent shop has a pretty open schedule. Currently I have a mere four items in my Outlook calendar for the next three weeks. My work life is run more by tasks and deadlines than meetings or appointments. Even my home life is relatively unscheduled. I value the ability to be flexible, and tend not to worry too far into the future. If my schedule for the next couple weeks is more than I can keep in my head, I need to slow down.
I currently rely on Outlook Calendar for exactly one purpose: meeting reminders. I can be forgetful, and without the pop up reminding me of an impending meeting I'd rarely be on time. Lately I've been thinking about ways I can use Outlook Calendar more effectively. Why should I need to keep my schedule in my head, if Outlook can do it for me? Why is a gadget and software buff like myself so resistant to an electronic calendar? What are some ways I can use Outlook to be more effective?
I think I've had a breakthrough, and it comes in three forms: tasks, deadlines, and UI. As I mentioned earlier, my time is more organized around tasks and deadlines. It only makes sense to be able to put those items directly into the calendar. And for that to work, it would be helpful to update the UI in a few areas.
Tasks
Outlook already tracks tasks. The task system is very rich if you take the time to learn it, but it's lacking in one area: you need to be able to pin tasks to the calendar. There are four points where a task should be associated with the calendar: creation, time worked, completion, and deadline. It should be a fairly simple improvement, too.
Deadlines
Deadlines as I envision them are almost identical to regular Outlook appointments, but there is a key difference: Deadlines don't themselves take up any time on your calendar. Also, they should be able to be associated with tasks. Put simply, if you add a deadline to a task, it should automatically show up on the calendar. But you should be able to create deadlines separately, as well.
UI
To accommodate the new features, Outlook Calendar will need some UI updates. You'll need to be able to see tasks in appointments. This is easily visualized with a task icon in the appointment similar to the reminder icon and tool tip for the task description. It also needs a way to visualize deadlines and other 0-time items in the calendar. I think this could be done with a thick solid line that shows the deadline text either as a tool tip or directly in the calendar background, rather than in a box like a normal appointment.
There is one other area of the UI where I noticed some obvious room for improvement. Take a look at these two images and decide for yourself which would be more useful as a context menu for the system tray icon:
[edit]: One more thing. I'd really like to be able to write "rules" to help me organize mail that apply after I've finished reading a message. So a new message comes in. I open or read it in the preview pane. The rule will run when I move to another message, close the open message window, or minimize Outlook.