October 2004 Archives

Preston Gralla


Linux users are often smug about the state of their computer security, rightly criticizing Windows for its numerous security holes, but overlooking their own vulnerabilities.

Now it’s their turn to suffer.

Over the last several days, Linux users have been targeted by a phony email purporting to come from the Red Hat Security Team, which claims that a vulnerability in fileutils-1.0.6 could “allow a remote attacker to execute arbitrary code with root privileges.” The email tells people to download a patch to fix the problem.

The patch, of course, contains malicious code that compromises the system it’s run on.

Linux users: Welcome to my world.

This kind of thing is old hat to PC users. Just this morning, for example, I received four phony emails purporting to be from eBay and PayPal, but which were really phishing exploits.

Linux users are going to have to get used to this kind of thing. They’ll have to learn to be suspicious of any email they receive, and pay as much attention as possible to keeping their system patched - using only legitimate patches, of course.

In a way, this security exploit may be a backhanded compliment to those who use Linux. They should figure that if malware writers have finally taken notice of them, it means that they’ve finally arrived.

What do you think about Linux (and Windows) security? Let me know.

Jesse Liberty


Related link: http://www.ondotnet.com/pub/a/dotnet/2004/10/25/libertyonwhidbey.html

In previous articles, I discussed security and managing users’ roles. My new article on personalization will pick up from where those previous articles left off, and show you how to provide personalized web pages for your users with ASP 2.0.

Personalization allows your web site to welcome the user (“Welcome back Jesse”) and to persist the user’s state (“You have three items in your shopping cart”).


I’ve discovered today that CodeDom classes are serializable. So what does that have to do with anything, right?

When you drop a control into a WinForm and hit the save button, the designer turns the state of your controls into code and puts that code in the form’s InitializeComponent method.

To get the code for InitializeComponent, Visual Studio looks at the class being designed (the root component) and asks for its RootDesignerSerializer. This serializer is a class derived from CodeDomSerializer. It has a Serialize method and a Deserialize method. Serialize takes the state of your class and all of its children and converts them into a CodeDom tree. Then the CodeDom tree gets turned into source code and saved with your form. Deserialize takes a CodeDom tree and returns the original object. Deserialize is similar to using reflection. Each statement tells Visual Studio what property to set on each control to make it look as you intended in the designer.

So here’s what I did… I wrote my own RootDesignerSerializer. (It’s not as complicated as it sounds.) It’s a class derived from CodeDomSerializer. In its constructor, I create the standard RootDesigner class.

// Requires: using System; using System.Reflection;
//           using System.ComponentModel.Design.Serialization;
// The stock root serializer is looked up by its assembly-qualified name; its
// constructor isn't public, hence BindingFlags.NonPublic on CreateInstance.
Type rootSerializerType = Type.GetType("System.ComponentModel.Design.Serialization.RootCodeDomSerializer, System.Design, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a", true);
_rootSerializer = Activator.CreateInstance(
    rootSerializerType,
    BindingFlags.CreateInstance | BindingFlags.NonPublic | BindingFlags.Public | BindingFlags.Instance,
    null,
    null,
    null) as CodeDomSerializer;

Then in the Serialize method, I tell the standard .NET class to Serialize. I get CodeDom back from the Serialize method. Then, because CodeDom is serializable, I save the CodeDom statements to a file.

// Let the stock serializer turn the root component and its children into a
// CodeDom tree (serResult)...
if (_rootSerializer != null)
    serResult = _rootSerializer.Serialize(manager, value);

// ...and, because CodeDom objects are serializable, persist that tree to a file
// (requires: using System.IO; using System.Runtime.Serialization.Formatters.Soap;).
FileStream fs = new FileStream("C:\\sercontrol.txt", FileMode.Create);
SoapFormatter formatter = new SoapFormatter();
formatter.Serialize(fs, serResult);
fs.Close();

On the Deserialize, I read the file and give the CodeDom tree to the standard Deserialize function which returns the original object.

// Reload the CodeDom tree that was saved at design time...
if (File.Exists("C:\\sercontrol.txt"))
{
    FileStream fs = new FileStream("C:\\sercontrol.txt", FileMode.Open);
    SoapFormatter formatter = new SoapFormatter();
    codeObject = formatter.Deserialize(fs);
    fs.Close();
}

// ...and hand it to the stock serializer, which rebuilds the original object.
if (_rootSerializer != null)
    desResult = _rootSerializer.Deserialize(manager, codeObject);

To get VS to use my serializer, I put this attribute on my control:

[RootDesignerSerializerAttribute(typeof(MyRootSerializer),typeof(CodeDomSerializer),true)]

What this means so far is that at design time I can make Visual Studio save the code that would normally go into InitializeComponent to an external file. What I need to do next is make it read this tree at run time and apply it to my form. This will give me the ability to have, in essence, a code-behind file.

More later…


I remember when I first started programming in Windows. It was in Windows 3.0, and I had just graduated from college. I went to Babbages (now Gamestop) and I bought two languages. Back then it seemed all of the cool programming software would come out in Babbages, the way game titles come out today. Anyway, I bought VB 1.0 and Turbo C++ for Windows from Borland. Microsoft didn’t have a version of Quick C for Windows at the time. I wanted to write a little program to keep track of my appointments. I played with those two languages for a long time, side by side, trying to decide if I should write my programs in C++ or in VB.

The argument went like this: with Turbo C++ I can change anything I want in my program. I can use inheritance. I can use C++ — the language I spent five years learning in college. But wow, look at all the junk I had to do to just write a message loop.

VB on the other hand feels like a scripting language. It feels like programming in HyperCard for the Mac. I can’t change everything I want, but do I need to? What if there’s something I can’t do in it? But wow, look at how easy it was to write my program. I turned to my dad and said, “Dad, look at this, you just drag and drop controls, hit run, and that’s your program.” He liked it too, although he wasn’t a programmer.

I went with VB. I did everything in VB, and later when I started working my first official programming job, I showed my boss VB 1.0. Until then they had had a Unix application and no plans for Windows. When my boss saw VB 1.0 he just played with it non-stop and decided that we were porting our software to Windows. I’ve never had so much fun programming. He had never had so much fun programming.

Why am I saying all this? There have been seven versions of VB so far. Now that we are about to get an eighth version, the general consensus is that VB looks just like C#. Who cares about that? I want my old VB back. I want VB to be so different from C# and so much easier to use that a C# person will feel jealous of VB. I want the kids of C# developers to write programs faster with VB than their parents, and for their parents to wonder why they are not writing their stuff in VB. And I want a programmer coming out of college to say, “I know it doesn’t feel like a real language, like one of the languages I had to learn, but wow, look at how easy it is.”

Do you feel VB has been heading in the right direction?


Part of my job is to write a scaled-down version of Visual Studio. It’s kind of like SharpDevelop except very tailored to our business. Just fyi, we’re not in the business of creating a product to compete with Visual Studio. Our IDE serves as an add-on to our main product, and it is meant to be simpler to use for our users than Visual Studio.

Anyway, I’ve been learning a lot about WinForms architecture working on this project, so I thought about sharing some of the things I’ve learned in various posts.

The first thing I’d like to share is that I believe the main problem with WinForms is Control serialization. Control serialization is the root of all evil in WinForms.
Controls serialize to CodeDom. They don’t serialize well to other forms, such as XML. Yes, you can write your own XmlSerializer-friendly classes, but let’s face it, the serialization form they speak natively is CodeDom. CodeDom in principle is good because it is language agnostic; it is an abstract serialization format. The problem is that CodeDom turns into code, and code is not a good storage format because it cannot be easily parsed.

And to make things worse, although Microsoft provides a nice way to turn CodeDom into code, they don’t provide a way to turn code back into CodeDom. For that you have to find a code parser. (We have played around with several and I’ll post my findings later.) The only implementation of a class that returns CodeDom from code is in Microsoft.VisualStudio.Dll; it is not part of the framework’s core assemblies. The framework’s designer can turn the state of an object into CodeDom (after implementing four or five interfaces), but in order to load the code result back into the designer you need to provide it with CodeDom again.

I know there aren’t too many people trying to write their own designers but I suspect there are a lot of people trying to save the state of their forms, and CodeDom would be perfect if you could take the resulting code and turn it back into CodeDom easily.
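As an added example, not code from this post or the earlier serializer post, the console program below exercises the claim common to both: CodeDom objects are serializable, and the framework turns CodeDom into source text but not the other way round. It builds a small tree shaped like a designer's InitializeComponent, generates C# from it with CSharpCodeProvider, and round-trips the tree itself through SoapFormatter the way the earlier post persists its serializer output. The names DemoApp, MainForm and okButton are made up; it targets .NET Framework and needs a reference to System.Runtime.Serialization.Formatters.Soap.dll.

```csharp
// Added example: CodeDom -> C# source (one way) and CodeDom <-> SoapFormatter (round trip).
// Assumes .NET Framework with a reference to System.Runtime.Serialization.Formatters.Soap.dll.
using System;
using System.CodeDom;
using System.CodeDom.Compiler;
using System.IO;
using System.Runtime.Serialization.Formatters.Soap;
using Microsoft.CSharp;

public static class CodeDomRoundTrip
{
    // Build a tree shaped like a designer's InitializeComponent: one control
    // field and one method that creates it and sets a property. Names are made up.
    public static CodeCompileUnit BuildFormTree()
    {
        var unit = new CodeCompileUnit();
        var ns = new CodeNamespace("DemoApp");
        unit.Namespaces.Add(ns);

        var form = new CodeTypeDeclaration("MainForm") { IsClass = true };
        form.BaseTypes.Add(new CodeTypeReference("System.Windows.Forms.Form"));
        ns.Types.Add(form);

        form.Members.Add(new CodeMemberField("System.Windows.Forms.Button", "okButton")
        {
            Attributes = MemberAttributes.Private
        });

        var init = new CodeMemberMethod
        {
            Name = "InitializeComponent",
            Attributes = MemberAttributes.Private | MemberAttributes.Final
        };
        var button = new CodeFieldReferenceExpression(new CodeThisReferenceExpression(), "okButton");
        init.Statements.Add(new CodeAssignStatement(
            button, new CodeObjectCreateExpression("System.Windows.Forms.Button")));
        init.Statements.Add(new CodeAssignStatement(
            new CodePropertyReferenceExpression(button, "Text"),
            new CodePrimitiveExpression("OK")));
        form.Members.Add(init);
        return unit;
    }

    // CodeDom -> source text. The framework provides this direction only;
    // there is no stock parser that returns CodeDom from the generated text.
    public static string GenerateCSharp(CodeCompileUnit unit)
    {
        using (var provider = new CSharpCodeProvider())
        using (var writer = new StringWriter())
        {
            provider.GenerateCodeFromCompileUnit(unit, writer, new CodeGeneratorOptions());
            return writer.ToString();
        }
    }

    // CodeDom classes are [Serializable], so the tree can be stored and reloaded
    // as a tree, without ever going through source text.
    public static byte[] SaveTree(CodeCompileUnit unit)
    {
        using (var ms = new MemoryStream())
        {
            new SoapFormatter().Serialize(ms, unit);
            return ms.ToArray();
        }
    }

    public static CodeCompileUnit LoadTree(byte[] bytes)
    {
        // SoapFormatter instantiates whatever types the payload names, so only
        // feed it data written by your own design-time code, never an untrusted file.
        using (var ms = new MemoryStream(bytes))
        {
            return (CodeCompileUnit)new SoapFormatter().Deserialize(ms);
        }
    }

    public static void Main()
    {
        CodeCompileUnit original = BuildFormTree();
        string before = GenerateCSharp(original);

        CodeCompileUnit reloaded = LoadTree(SaveTree(original));
        string after = GenerateCSharp(reloaded);

        Console.WriteLine(before);
        Console.WriteLine(before == after
            ? "Round trip preserved the tree."
            : "Round trip changed the tree!");
    }
}
```

Comparing the generated text before and after the round trip is the cheapest way to confirm the formatter kept every statement; it is the same check you would want before trusting a persisted tree to rebuild a form.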

Is anyone else trying to turn code into CodeDom?

Preston Gralla


The beta of the just-released Google Desktop has some problems, but a much-hyped privacy invasion isn’t one of them.

The Google Desktop, released last week, is one of the best pieces of free software you’ll ever find. It tries to do for your PC what Google does for the Web, and although it only partially succeeds, it’s still a spectacularly useful piece of software.

But the biggest public complaint so far - that it presents a privacy risk - is overhyped, and to my mind, a bogus argument.

Because the software can index Web sites that you visit with your PC, some have noted that if it runs on a public computer, such as at an Internet cafe, and you use that computer to check your email on a Web-based service such as Hotmail, any later user of that computer could read your email by doing a Google search of the computer’s hard disk.

But how likely is it that you’ll use a public PC running the software? Not very. And how likely that a stray passerby will somehow know your user name and search for it? Less likely still.

And in fact, there’s a very simple fix - if you’re at a public PC, turn off the software before checking your email. Right-click the Google Desktop icon in the System Tray, and choose Exit. That’s all it takes - it won’t index any site you visit. You can also right-click the icon, and choose Pause Indexing, and it won’t index for the next fifteen minutes. And you can keep doing that indefinitely. Again, problem fixed.

Of course, this isn’t to say that the software doesn’t need to fix some things. It does.

To help you understand what’s wrong with it, you first need to know what it can do. It indexes your Outlook or Outlook Express email, text files, Word, Excel and PowerPoint files, AOL Instant Messenger conversations, and Web pages you’ve visited in Internet Explorer. Then it lets you search through them lightning fast, and displays them Google-style in your browser. (For advice on how to hack it, see Rael Dornfest’s article, Google Your Desktop.)

That’s well and good, but it doesn’t allow you to search through your Outlook email by folders, a serious oversight. It also doesn’t let you search through your Outlook contacts or calendar. This makes no sense; it indexes .pst files, so while it’s there, it might as well do a bit more in-depth indexing.

Because it uses the Google model of searching, it doesn’t allow you to do some very basic searching, such as searching only specific directories on your PC. You also can’t restrict it from indexing specific Outlook folders, which means that it indexes all mail routed to your spam folder as well.

There are also other problems - people have reported that it takes literally days to index their hard disk, and that the software makes Windows sluggish at times.

Despite this, I use Google Desktop at least a dozen times a day. So I hope that some of it gets fixed when it’s out of beta. But I’m not worried at all about it invading my privacy, no matter where I compute.

Have you used Google Desktop? What do you think of it? Does it invade your privacy?


It’s been two years since I’ve written a blog entry. What have I been doing all this time? I’m not sure. I was too young to have gone through the sixties, but I feel like that’s where I have been. I have this feeling like I was part of some big party, like Woodstock, and now the party is over and I’m wondering, what next?

All I remember is that I was working as a contractor for IBM. I wasn’t the best programmer there, but I was making really good money and I knew COM really well. In fact, I felt I knew COM so well that I decided to hang out with the best. I flew to California in search of fame and fortune. I went and applied to DevelopMentor.

DevelopMentor is a training company. At the time, DevelopMentor was teaching COM and all of the best known speakers that taught COM worked there. I mean these guys knew everything. I knew them all from their articles in MSJ. I had Don Box’s Essential COM book practically memorized. At family gatherings I would explain to all my relatives what Don wrote in his first chapter — why we needed COM. True, not a lot of my relatives appreciated the beauty of COM, but that didn’t stop me. I wanted to be one of them.

I applied and I made it. I became a DevelopMentor instructor. I was one of the guys. I would walk down the hall with my head held high and the other instructors knew my name. True, one of the instructors always called me by the wrong name, but that was all good.

We were talking about changing the world. I had connections. I could write for the best magazines if I wanted to, I could speak at conferences, I could turn down jobs because they paid too little. And I could say things like, “Oh yeah, I know him. He and I both teach at DevelopMentor. We’re practically best friends.”

I was writing books for O’Reilly. I was travelling all over teaching COM. The students loved me. Sometimes they would give me a six out of five in the evaluations. If a lady did that, I would show my wife, and she’d get jealous.

And then one day, crash. Everything went downhill. To protect the innocent, I’m not going to say what happened, but everyone at DevelopMentor went their separate ways and the party was over. DevelopMentor is still there, but the guys that I joined DevelopMentor for are not.

I am now working in a cubicle, programming in C#. It’s been 1.5 years since I’ve talked to people at DevelopMentor. My books are behind a closed cabinet over my cube.

My friends at work now have blogs. They say, “You know, you should write a blog.” I say, “Yeah, maybe I should.” Once in a while I catch a glimpse of the old days in their eyes, when I hear one of them say, “I want to write a book someday,” or, “It would be fun to teach.” Then they say, “Hey, you wrote some books once, right? You are Jose Mojica aren’t you?”

I pull my hood back and answer, “Jose Mojica, Jose Mojica, now that’s a name I haven’t heard in a long time.”


Related link: http://www.intencha.com/adrian/000243.php

It seems that there’s a lot of discussion going on about the fact that Apple isn’t planning on shipping a 1.5 JDK until Tiger (that’s Apple’s Tiger, not Java’s Tiger) goes gold. I’m seeing a lot of frustration about this, to the point that people are charting and graphing the lag between JDKs on Windows and on the Mac.

(By the way, for those who remember the furor over my Why I am not a platform zealot post a while back, I’m now the proud papa of a brand new PowerBook.)

Here’s my question, though, and I’m really interested in other people’s thoughts: most folks out there won’t be running the 1.5/5.0 JDK for apps anytime soon. Heck, I have a hard enough time trying to get my clients to use 1.4.2 for development. So, I’m not feeling the push from the delivery side to get 1.5 rocking. I am, however, feeling the pull from the research side, and, to do that, I just have OSX Tiger installed on a FireWire drive and use the Java Tiger beta release that exists there to play with it. I’m happy, because I get to keep up with all the new features of Java and I’m playing around in 10.4 to boot.

So, is it that people really are being pushed to ship 1.5 code today, so the lag is a huge drawback? Or that they don’t feel comfortable running beta OS’s to do their work and/or research? Or that they don’t have access to OSX Tiger? For me, it just doesn’t seem to be that big a deal, but clearly for a lot of people, it is.


Google Desktop is great, don’t get me wrong. I have it running on my box right now and am very happy with its performance. Sure, it’s missing some file type support (.pdf comes to mind) but it’s only a beta, and that will come in time. It has the potential to be a Spotlight for Everybody kind of app.

There are two major drawbacks that I see, though. First, you have to view the results in a browser window in Google style. This is fine for a simple search, but often I’ll want to do something with the result set other than page through it, and/or scan it quickly for patterns. I can’t do either with 10-per-page results in a browser.

Second, and more problematic: you have to be an Administrator to install it. Well, ok, lots of apps are like that. But it can only be run by the user who installed it. That’s a major problem, especially for those of us who have drunk Keith Brown’s koolaid and only work from non-Admin accounts. See, if I log over to Admin and install it, then log back in as me, I can’t run it. If I log in as me and run it as Admin, then it works, but can’t see my Outlook mail (since that’s under my account, not the Admin account).

The solution, as Keith points out, is to elevate your normal account to Admin status, install the app, then move the account back down to normal. But, what a hack.

The app looks great, but that’s just the kind of thing that can drive a guy nuts!

Preston Gralla


Anti-spyware maker Webroot Software has just confirmed what Windows users have long known: Spyware is a Windows-only phenomenon.

Recently, the company told the U.K. paper the Register that it hasn’t detected a single piece of spyware targeted at Macs or Linux machines. By way of contrast, the company’s Spy Sweeper software (which runs on my PC 24 hours a day) detects 15,000 pieces of spyware running on Windows machines.

The average PC is infected with 26 pieces of spyware, says Earthlink’s Spy Audit service, although that number is clearly inflated, because it includes certain types of cookies, as well as passive adware, in addition to spyware.

Why Windows? Internet Explorer and Windows itself have to take a good part of the blame, because of their inherent security holes.

But the operating system is only part of the problem. The bank thief Willie Sutton is reputed to have said when asked why he robbed banks, “Because that’s where the money is.”

For the same reason, spyware authors target Windows machines. That’s where the users are, and so that’s where the money is.

You don’t have to be a victim, though. Get the latest version of SP2, which includes a pop-up blocker, and helps stop drive-by downloads; install anti-spyware software like Ad-Aware, SpyBot or Spy Sweeper; use anti-virus software; and use a firewall like ZoneAlarm. (The Windows Firewall won’t do much good against spyware.)

So if you’re a Windows user, face the unfortunate fact: You live in a very crowded virtual neighborhood, and if you don’t lock your doors and Windows, you’ll be attacked.

Why do you think only Windows is targeted by spyware? Let me know.

Jean Hollis Weber


The current developers’ build (pre-alpha) of OpenOffice.org can be downloaded from http://download.openoffice.org/680/index.html. (This page is updated when new builds become available.) At the time of writing, the latest build is 1.9.m54.

A guide to new features is here: http://marketing.openoffice.org/2.0/featureguide.html. Changes range from cosmetic (a new icon set and some rearrangement of menus and toolbars) to major (a new file format, called OASIS, and a new database front-end, called Base).

The basic UI freeze (that is, which buttons and menus exist and where they are located) occurred with this build. The new icon set hasn’t been finalized, but that is expected to happen with the next build.

Hundreds of people have been putting the new version through its paces. As expected, comments have ranged from delight (when a new feature has met someone’s needs or an old feature has been improved) to dismay (bugs are, of course, present in a pre-alpha release).

In my major interest area (the word processing component, Writer), I’ve found major bugs related to saving templates and creating master documents. Writer hasn’t crashed, but some things simply fail to work as they should. I’m filing issues, and I assume that a future build will include a fix, so I won’t detail those problems here.

In future entries in this blog, I will be mentioning some of the new (or changed) features that are working properly.

Those interested in playing with the new version should heed the usual warnings: don’t use these builds for anything vital, and (if possible) do use them on a spare computer, so if something catastrophic happens it won’t take your working system or data with it.


If you’ve been testing this pre-alpha version of OpenOffice.org, I’d like to hear about your experiences, good or bad.


Related link: http://www.cacert.org

A couple of my fellow O’Reilly bloggers have already mentioned CAcert:
Andy Oram at CAcert: Digital certificates become free
and
Rob Flickenger at Distributing Your CA to Client Browsers
I’d just like to add that you can use certificates from CAcert to sign your VBA macros in Excel, Word, or whatever. It sure beats paying Verisign $400/year!

Preston Gralla


As I noted in my last weblog, to use the Internet is to be a potential victim.

But until I installed a logging program called LinkLogger that builds reports from the router logs of my home network, I had no idea of just how constantly we’re all under attack.

I’ve been running the software for just about a week, and the results are startling. On just one PC on my network, there have been an average of about 80 to 90 attempted attacks or probes a day. Here’s what else the software shows me:

  • The most common probe is one that looks via port 901 for the NetDevil Trojan on my system, so the prober can try to control my PC.
  • Second most prevalent is a probe of port 4899, looking for remote administration software for controlling my PC.
  • Tied for third place are the infamous MyDoom, called by some the fastest-spreading email worm of all time, scanning on port 3127; and the SQL Slammer worm on port 1434, looking for vulnerable Microsoft SQL Server or MSDE systems.
  • Most of the probes are single attempts, or two or three attempts by the same person. But some people stay around a long time, or make repeated tries, with one person trying 66 times to break in.
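As an added example, not part of this post and not LinkLogger's own code, here is a small C# program that does the kind of tallying the report above does: it parses a few constructed dropped-packet log lines, labels each by destination port using the probes the post names, ranks the probe types by frequency, and lists sources that keep coming back. The line format is an assumption (the post does not show LinkLogger's real format), and the sample addresses come from the RFC 5737 documentation ranges.

```csharp
// Added example: classify firewall drop records by the probes the post lists
// and surface repeat offenders. Log format and sample lines are constructed.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public static class ProbeReport
{
    // Destination port -> the probe the post attributes to it.
    public static readonly Dictionary<int, string> KnownProbes = new Dictionary<int, string>
    {
        { 901,  "NetDevil trojan backdoor" },
        { 4899, "remote administration software" },
        { 3127, "MyDoom backdoor" },
        { 1434, "SQL Slammer (SQL Server / MSDE)" },
    };

    // Assumed line format (not LinkLogger's real one):
    //   <date> <time> DROP src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>
    private static readonly Regex DropLine = new Regex(
        @"DROP\s+src=(?<src>[0-9.]+):\d+\s+dst=[0-9.]+:(?<dpt>\d+)\s+proto=(?<proto>tcp|udp)",
        RegexOptions.Compiled | RegexOptions.IgnoreCase);

    public sealed class Probe
    {
        public string Source;
        public int Port;
        public string Label;
    }

    // One Probe per dropped inbound packet; accepted traffic and noise are skipped.
    public static List<Probe> Parse(IEnumerable<string> lines)
    {
        var probes = new List<Probe>();
        foreach (string line in lines)
        {
            Match m = DropLine.Match(line);
            if (!m.Success)
                continue;
            int port = int.Parse(m.Groups["dpt"].Value);
            string label;
            if (!KnownProbes.TryGetValue(port, out label))
                label = "unclassified port " + port;
            probes.Add(new Probe { Source = m.Groups["src"].Value, Port = port, Label = label });
        }
        return probes;
    }

    // Probe types ranked by how often they were seen, most frequent first.
    public static List<KeyValuePair<string, int>> CountByLabel(IEnumerable<Probe> probes)
    {
        return probes.GroupBy(p => p.Label)
                     .Select(g => new KeyValuePair<string, int>(g.Key, g.Count()))
                     .OrderByDescending(kv => kv.Value)
                     .ToList();
    }

    // Sources at or above the threshold are the "stays around a long time" cases.
    public static Dictionary<string, int> RepeatOffenders(IEnumerable<Probe> probes, int threshold)
    {
        return probes.GroupBy(p => p.Source)
                     .Where(g => g.Count() >= threshold)
                     .ToDictionary(g => g.Key, g => g.Count());
    }

    public static void Main()
    {
        // Constructed sample; addresses are from the RFC 5737 documentation ranges.
        string[] sample =
        {
            "2004-10-05 08:01:12 DROP src=203.0.113.7:3261 dst=192.0.2.10:901 proto=tcp",
            "2004-10-05 08:01:13 DROP src=203.0.113.7:3262 dst=192.0.2.10:901 proto=tcp",
            "2004-10-05 08:03:40 DROP src=198.51.100.23:1040 dst=192.0.2.10:4899 proto=tcp",
            "2004-10-05 08:05:02 DROP src=198.51.100.77:2971 dst=192.0.2.10:3127 proto=tcp",
            "2004-10-05 08:05:31 DROP src=203.0.113.9:1434 dst=192.0.2.10:1434 proto=udp",
            "2004-10-05 08:06:00 ACCEPT src=192.0.2.10:1055 dst=198.51.100.1:80 proto=tcp",
            "2004-10-05 08:07:15 DROP src=203.0.113.7:3263 dst=192.0.2.10:135 proto=tcp",
        };

        List<Probe> probes = Parse(sample);
        foreach (var kv in CountByLabel(probes))
            Console.WriteLine("{0,3}  {1}", kv.Value, kv.Key);

        foreach (var kv in RepeatOffenders(probes, 3))
            Console.WriteLine("repeat offender: {0} ({1} attempts)", kv.Key, kv.Value);
    }
}
```

On the constructed sample the NetDevil probe comes out on top with two hits, port 135 falls into the unclassified bucket, and 203.0.113.7 is reported as a repeat offender with three attempts; a port the table does not know is kept rather than dropped, so new probe types still show up in the ranking.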

I use NAT on my network, the ZoneAlarm firewall, and anti-virus and anti-spyware software, so I haven’t been victimized. And most likely, most of the probes are automated scans sent by script kiddies to many thousands of PCs, not aimed at my system in particular.

Still, it’s sobering to see. Intrusion attempts have become the background radiation of the Internet, and so these days, you had better wear a lead suit when you log on.

Have you been targeted or broken into? Let me know.