July 2004 - Posts
Mozilla (and especially Firefox) is becoming a widespread browser, and the first security alerts are coming out...
Secunia has released a security advisory for a new Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability.
The problem is that Mozilla and Mozilla Firefox don't restrict websites from including arbitrary, remote XUL (XML User Interface Language) files (the Mozilla user interface is built using XUL files). This can be exploited to "hijack" most of the user interface (including toolbars, SSL certificate dialogs, address bar and more), thereby controlling almost anything the user sees.
Solutions to this? For the moment only one... do not follow links from untrusted sites! 
I want to highlight an interesting question raised by Adrian Florea on UgiDotNet: what are the reasons to have a Main method that is not public???
Adrian draws attention to the differences between the latest specifications of Java and C#:
| C# Language Specification, 2nd edition | Java Language Specification, 2nd edition |
| --- | --- |
| 10.1 "Specifically, the execution environment can access the application's entry point regardless of its declared accessibility and regardless of the declared accessibility of its enclosing type declarations." | 12.1.4 "The method main must be declared public, static, and void. It must accept a single argument that is an array of strings" |
Any explanations? Thanks Adrian for the question...
In an announcement that appeared on the ASP.NET Forums yesterday, Rob Howard announced the availability of the new version of ASP.NET Forums, now called Community Server::Forums 2.0.
A great application, but I want to make a small request that came to mind after downloading the Forums... why not include in the package a manual installer, or at least a guide for a complete manual installation of the Forums (from database creation to application setup)?
I think it would be really useful, especially if you're not on the machine where the forum must be installed but want to install it remotely.
Any possibility of having something like this?
This evening I tried Vlad's Blog Migration Tool 0.1, a tool for blog migration (at the moment it supports blogs based on .Text 0.95).
I'm planning to transfer my blog from here to my personal web server in the next few days (I think that in the end I'll have 2 copies of the same blog, here on DotNetJunkies and on my new server), so I tried to transfer 10 posts. These are the results:
1) The Blog Migration Tool is really simple to configure... just type the URL, login and password of the source and destination blogs and you're ready to start (good!).
2) Press the "Migration" button for the transfer... what happens? Apparently nothing... the button doesn't seem to respond, there's no progress bar telling you that a transfer has started (and the application seems frozen).
3) Maybe a crash? Maybe I didn't press the button correctly? OK, retry... I press the "Migration" button a second time... the result? The same as above...
4) Maybe the application doesn't work correctly? I decide to open my destination blog to see if something has changed... what happens? The posts were successfully transferred from my source to my destination blog, but because I pressed the button 2 times, they were transferred 2 times... the same for links and categories!!! Terribly annoying... I have to delete the duplicates manually!

So, this is what I want to say to Vlad: the application is really useful and works correctly, but I think you need to make a few small updates to get a great final product. This is my feedback:
1) Add a progress bar to indicate a transfer in progress (or at least show a WaitCursor). Right now the user can't clearly tell that a transfer has started.
2) Why not add checkboxes for choosing what you want to transfer? The application now transfers everything (posts, feedback, links, categories), and this is a problem for a blog transfer done in more than one step (especially because links and categories get duplicated).
3) If you choose to transfer 10 posts, for example, the application now starts from the 10 most recent posts. Why can't we choose where to start the transfer (for example by post date)?
4) One of the most important features this application needs is the ability to transfer a blog in more than one step (for example, in the 1st step I transfer 50 posts, in the 2nd step another 50 posts, and so on). The application must avoid duplicating posts (and right now it doesn't).
This is only advice... I think that the ability to transfer a blog in more than one step and to choose what I want to transfer is really a must (and maybe not so difficult, I think).
I hope you can do something, Vlad; your Blog Migration Tool has everything it needs to be a great tool... good work, and let me know!
I have a friend who has worked with Python all his life (especially on Linux platforms)... he has always told me that Python is the best language he has ever used, especially for its structure (I don't know if it's really true!). Now I'm happy to tell him that a good Python implementation is also available for the .NET platform: IronPython!
I think it's time he started thinking about developing under Windows too!
These days I've been busy moving my domains to a new server, and I've set up a .Text installation to host my personal blog.
During a visit to the ASP.NET Forums, I discovered this wonderful control by Judi Smith... it's an Improved .Text Gallery Thumbnail Viewer Control, and I think I'll try it soon on my new blog installation.
Great work Judi! 
A great idea from Keith Brown: exposing his "The .NET Developer's Guide to Windows Security" book as an online collaborative Wiki.
Keith is asking the community to help him improve the site... check it out!
Yesterday Google (and, it seems, other big search engines too) was down because of a big attack by a new variant of the MyDoom virus (MyDoom.O).
The type of attack is always the same: a huge number of requests directed at the search engine at the same time.
This new variant of MyDoom spreads itself via email as usual and, when it infects a computer, starts looking for email addresses on the infected computer and also (and this was yesterday's problem) starts a massive search on search engines (like Google) for email addresses. It seems that Google received a lot of queries with arguments like these:
"Delivery failed", "Message could not be delivered", "Mail System Error - Returned Mail", "Delivery reports about your e-mail", "Returned mail: see transcript for details", "Returned mail: Data format error instruction", "MAILER-DAEMON", "Mail Administrator", "Automatic Email Delivery Software", "Post Office", "Bounced mail", "Returned mail", "Mail Delivery Subsystem".
You can try it by simply running a query with one of the items above (like THIS, for example). Can you see how many mail addresses you could obtain?
This is a problem... search engines must start thinking of a way to obfuscate email addresses (and obviously users must always do it themselves).
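On the search-engine side, the traffic described above is detectable: a single client issuing many of the bounce-message phrases in a short window looks nothing like a human searcher. The following is an added example (not from the original post or from Google); the log format and sample lines are constructed, the phrases are the ones listed above, and the 60-second window and threshold of 4 are assumed tuning values.

```python
"""Added example (not from the post): flag search clients whose queries match the
MyDoom.O bounce-phrase harvesting described above. Log format/lines constructed."""
from collections import defaultdict
from datetime import datetime

# Bounce-message phrases the post reports MyDoom.O searching for (lower-cased).
MYDOOM_PHRASES = {
    "delivery failed", "message could not be delivered", "mailer-daemon",
    "mail system error - returned mail", "delivery reports about your e-mail",
    "returned mail: see transcript for details", "mail administrator",
    "returned mail: data format error instruction", "post office",
    "automatic email delivery software", "bounced mail", "returned mail",
    "mail delivery subsystem",
}

# Constructed query log, hypothetical format: "<ISO time> <client> <query text>".
SAMPLE_LOG = """\
2004-07-26T09:00:01 10.0.0.5 "Delivery failed" @example.com
2004-07-26T09:00:02 10.0.0.5 "Returned mail" @example.org
2004-07-26T09:00:02 10.0.0.5 "MAILER-DAEMON" @example.net
2004-07-26T09:00:03 10.0.0.5 "Post Office" @example.com
2004-07-26T09:00:03 10.0.0.5 "Bounced mail" @example.org
2004-07-26T09:00:05 10.0.0.9 "MAILER-DAEMON" meaning
2004-07-26T09:30:00 10.0.0.5 "Mail Delivery Subsystem" @example.com
"""

def is_harvest_query(query: str) -> bool:
    """True if the query contains one of the MyDoom.O bounce phrases."""
    return any(p in query.lower() for p in MYDOOM_PHRASES)

def parse_log(text: str):
    """Yield (timestamp, client, query) tuples from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, client, query = line.split(" ", 2)
            yield datetime.fromisoformat(ts), client, query

def flag_harvesters(text: str, window_s: int = 60, threshold: int = 4) -> dict:
    """Map each client with >= threshold bounce-phrase queries inside some
    window_s-second span to its largest such burst; a sliding window keeps a
    client's long quiet tail (10.0.0.5 at 09:30) from diluting the burst."""
    hits = defaultdict(list)
    for ts, client, query in parse_log(text):
        if is_harvest_query(query):
            hits[client].append(ts)
    flagged = {}
    for client, times in hits.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[client] = best
    return flagged
```

The one-off lookup by 10.0.0.9 stays below the threshold, while the five-query burst from 10.0.0.5 is flagged even though its sixth query arrives half an hour later.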
After Google... check www.asp.net:
ASP.NET is currently down for maintenance
We are sorry, but we are currently updating the site. Apologies for the inconvenience, the site will be back up shortly.
Curious... what's happening????
Google is down now...
Server Error
The service you requested is not available at this time. Service error -27.
Why???? 
Thanks to Jason Mauss, I've discovered this wonderful Gmail Client that Johnvey Hwang has written.
I tried it quickly today with my Gmail account and it seems to work really well (I like the account and contacts management).
HERE you can find the source code of the API and the complete application. Good work Johnvey! 
I was reading about some new features of ADO.NET 2.0 and, when reading about the new ExecutePageReader method, a question came to my mind...
Normally, for paging I currently use stored procedures with temporary tables that page data with the ROWCOUNT I want (I pass it as a parameter to the stored procedure).
This new method obviously simplifies my work: the paging is done by the method and I don't have to write SQL code in my stored procedures to do the paging task... wow...
but... the ExecutePageReader method uses server cursors, and I'm not sure this is a more efficient way of paging than the SQL Server way (stored procedures). Is there a real performance advantage or not? I'm not so sure...
However, I've heard from a friend of mine that maybe ExecutePageReader will be dropped in the future... is it true? And why? I think it could be a useful method anyway... don't drop it please!
Have you seen the new Linspire movie? Check it here:
http://www.linspire.com/RunLinspireFlash.php
Really amazing...
but too offensive towards Microsoft, in my opinion...
A package worth pointing out:
if you want to try Mono on Windows, a Windows Installer is now available on the Novell site that includes Mono 1.0, GTK# 1.0, gtk+ 2.24, and XSP, the Mono web server for ASP.NET web pages (Apache for Windows is not yet supported due to socket problems).
Do you remember the so-called HijackClick 3 series of Internet Explorer vulnerabilities? In summary, a drag-and-drop event can be forced simply when the user clicks on something, by moving the window when the OnMouseDown event fires.
MS seems to have patched these vulnerabilities some time ago (OK, I think this is really debatable: preventing some functions from being called while the mouse button is down is, for me, not a real patch but only a temporary solution).
What's new? As you can see in a new post on SecurityFocus, MS has patched MSHTML.DLL and IEXPLORE.EXE but forgot to patch the Popup.Show() function. Now an attacker can show a popup when the main window loads, move it and show a favorites list on the MouseDown event, then set a timer to hide the favorites list and taunt the victim, who has just been tricked into adding a link of the attacker's choice to their favorites list.
A live example of this exploit is also available; just click HERE.
I think this is a clear sign that the IE team must improve; they must start thinking about something better. Patching a problem is not the same as simply disabling functions: the problem must be understood and corrected.
I don't know if it's true, but according to some rumours on forums, it seems that you can get 2GB of free space NOW by registering an @msn.com email address.
Personally, I'm sceptical about these rumours, especially because, according to the original MSN Hotmail plans, 2 Gb of storage was to be reserved only for a small payment (Premium Users). However, if someone can confirm this upgrade...
UPDATE: I see from your replies to this post that maybe you didn't understand the sense of my message... let me try to explain. It seems that this morning NEW MSN subscribers had their mailbox space upgraded from 250Mb to 2 Gb. I don't know if this is a bug or what, but this is the fact.
If you want to help Microsoft by giving feedback about the way you use its code, the .NET Framework Code Coverage Edition is what you need: it enables you to collect and upload data on how .NET Framework and Windows code is used by managed applications and components that you have developed.
This is an instrumented version of the .NET Framework and contains a tool that collects the code usage information behind the scenes. All you have to do is exercise your code under the watch of this tool, then save and send the data.
An interesting way to achieve compatibility and to get feedback about the features users need.
This is the beginning of a big problem, especially for the future and for sites with lots of traffic...
In an article that just appeared on InfoWorld, Chad Dickenson draws attention to a problem: RSS feed readers are useful for obtaining information in real time, but they can behave dangerously. He observed that "every hour, Infoworld sees a massive surge of RSS newsreader activity that has all the characteristics of a distributed DoS attack. So many requests in such a short period of time are creating scaling issues".
We can observe this problem on other sites too, and I think it's time to think about how to avoid these kinds of problems.
The basic problem with RSS now is that it's based on a "pull" model: every RSS client that wants to retrieve information has to make periodic requests to the server just to see if there's something new available. You can see that, if the requests are numerous, some problems may occur.
Solutions or ideas to avoid this? Maybe not a "pull" model but a "push" model: if the feed source were able to push the feeds to the clients, there would be a significant decrease in network traffic. Obviously, this kind of thing is not so simple... for example, clients must be subscribed to the feed server, so a subscription mechanism is necessary. The server will obviously push the information only to subscribed (and recognized) clients.
Yes... recognized... I think a form of authentication is necessary (maybe a key exchange between news client and news server).
These are only ideas... but this is a problem that must be taken into consideration, NOW!
10 years of IRC... 10 years of good service... 10 years to become the biggest IRC Network in the World... thanks to all the people involved.
Happy Birthday DALnet!!!
Yesterday, for the first time in the 3 months that I've been a Gmail user, I tried to send myself a .ZIP attachment with the source code of a Visual Studio 2003 solution I developed at my office.
What was the result? Gmail refused it... I was wondering why, and after a few tries I discovered an annoying thing: if your .ZIP file contains executable code, such as .EXE or .DLL files, the Gmail system recognizes it as an invalid attachment and refuses it. If your .ZIP doesn't contain these types of files, it's accepted.
Now that I know this, I send myself .ZIP files with executable code in them simply by renaming the extension (for example, .ZIP becomes .ARC, archive). This works fine but, as you can see, it's really annoying...
Google, why this choice? Gmail is a beta service, maybe you can review these settings...
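The rename trick works only against a filter that trusts the file extension. As an added example (not Gmail's code, which is not public), the block below shows an attachment check keyed on the ZIP signature bytes and on the entry names in the central directory, next to the extension-only check that the rename defeats. The sample archive, its paths and the policy names are constructed; the blocked types are the .EXE and .DLL from the post.

```python
"""Added example (not Gmail's code): judge a mail attachment by its content rather
than by its file extension. A ZIP renamed to .ARC still starts with the ZIP
signature and still lists its .EXE/.DLL entries in the central directory.
Sample archive, paths and policy names are constructed for illustration."""
import io
import zipfile

BLOCKED_SUFFIXES = (".exe", ".dll")   # executable types named in the post
ZIP_MAGIC = b"PK\x03\x04"             # local-file-header signature of a ZIP

def is_zip_by_content(data: bytes) -> bool:
    """Identify a ZIP from its signature, ignoring whatever extension it carries."""
    return data[:4] == ZIP_MAGIC

def blocked_entries(data: bytes) -> list:
    """Names of archive entries whose type is blocked. Only the central directory
    is read, so nothing is extracted; an unreadable archive fails closed."""
    if not is_zip_by_content(data):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(BLOCKED_SUFFIXES)]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]

def attachment_verdict(filename: str, data: bytes) -> str:
    """Content-based policy: 'reject' if the bytes are a ZIP holding blocked types."""
    return "reject" if blocked_entries(data) else "accept"

def extension_only_verdict(filename: str, data: bytes) -> str:
    """The weak policy the rename trick defeats: inspects only files named *.zip."""
    if filename.lower().endswith(".zip") and blocked_entries(data):
        return "reject"
    return "accept"

def build_sample_archive() -> bytes:
    """Constructed sample: a solution's sources plus a built DLL, like the
    Visual Studio 2003 solution in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MySolution/Program.cs", "class P { static void Main() {} }")
        zf.writestr("MySolution/bin/Debug/MySolution.dll", b"MZ" + b"\0" * 62)
    return buf.getvalue()
```

Renaming the sample to .ARC flips the extension-only verdict to "accept" while the content-based verdict stays "reject", which is the behaviour the post observed from Gmail's side of the check.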