GDI+ Security Vulnerability

There is a new critical security vulnerability that affects a wide range of software and can't be easily patched through Windows Update alone. The vulnerability lies inside GDI+: a maliciously formed JPEG image file can cause a buffer overrun and inject malicious code, even through the graphics on a web page, with no scripting or anything else involved.

Windows Update will go ahead and update major components but you also need to go to the Office Update site as well as update a bunch of other software you might have on your machine.

In particular for developers, the .NET Framework (pre-latest service pack) and even Visual Studio.NET 2003 and 2002 are affected and need to be separately patched.

The full bulletin, with links for all the various patches, is available here: http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

If you go to Windows Update it will also provide you with a GDI+ Detection Tool that will scan your hard drive looking for affected components. I strongly recommend everybody jump all over this one quickly.

Building Mobile Applications, Metro Toronto .NET Users Group

Tomorrow night I'm presenting at the downtown Toronto .NET users group - topic: Pocket PC development with the CE framework. I'll have a new HP 4700 device with a VGA resolution screen for folks to take a look at - courtesy of your friendly neighborhood HP rep. I'll also have my trusty 5650 with the old form factor for you to play around with. Hope to see you there.

Details: http://www.objectsharp.com/oNewsUpdate/ReadingFullStory.aspx?StoryNum=-28

Shorthorn Longhorn

So this will cause a few blogs. I have just heard that....

  • Longhorn slated for 2006. Longhorn Server 2007.
  • WinFX and Avalon are coming to Windows XP in 2006. Indigo as well - and on Windows 2003 as well. These are all part of WinFX, which is going to be extremely important for .NET developers and companies wanting to take advantage of these improvements.
  • WinFS is leaving Longhorn (post release). So that means ObjectSpaces and the Microsoft Business Framework too.

Wow. Never a dull moment. I'm attending a briefing with Jim Allchin in an hour so I might have more I can tell.

But will we also see a delay of ObjectSpaces or the Microsoft Business Framework until after the Longhorn release? Those have recently been tied into WinFS - but no specific announcements about that yet - and I wouldn't be surprised if that changed soon.

DevCan 2004

I'm co-chairing two tracks of DevCan coming up in Sept/Oct in Vancouver/Toronto (exact dates to follow) - see www.devcan.com for more.

I'm doing the architect track and the web track. If you have ideas for content you'd like to see, or have a topic you'd like to present in either of those categories, send them to me. You don't have to be Canadian, but it helps :)

New Service Packs for 1.0 & 1.1 .NET Frameworks imminent

.NET Framework 1.0 SP3 and 1.1 SP1 are in tech preview at the moment. Had a nagging bug and want to know if it's fixed?

The contents & links to Tech Preview Downloads can be found here:

http://msdn.microsoft.com/netframework/downloads/updates/sptechpreview/default.aspx

 

Next Generation Developer Training

 
I've been (in some manner) involved in the software developer training business for over 10 years now. Over the past 3 years however, I've really been questioning the value and purpose of classroom training for software developers. So has Don Box. The internet has had a lot to do with that I think, and the number of developers taking a week off work to sit in on a class has dropped in recent years. There was a buzz about e-learning for a while - but it hasn't really gone mainstream - and you hear about blended learning now too.
 
Vendor-based classroom training typically amounts to not much more than reference manuals. A component is introduced, a few demos or scenarios on how you can use it - and a lab to follow. About 80% of what I see in these classes I could find on Google. And the best part about Google is that I can find it when I need it....just in time, on the job. After I learn something on Google, I get to use it in a real life scenario, so absorption is pretty high that way.
 
Classroom training has the advantage of taking you outside of your typical day (usually for a week) and forcing you to sit and spend some quality time with a new technology on a grand scale. The problem with googling for small bits of information is that you miss the bigger picture and a full architectural understanding of how best to accomplish something. The instructor is an important part and can make the difference between a good class and a great class. But the problem remains with traditional training that they are really just showing you how to swing their hammer. There is only a small amount of leeway for an instructor to add extra value above and beyond the curriculum. The good ones do, but there is never enough time.
 
Several months ago we took a hard look at what people really needed and what kind of value we could bring to bear above and beyond what people could learn from reading the online help or googling. That extra value is of course the experiences of the instructor and the resulting set of best practices....stuff that you rarely find in any book.
 
The problem of course with relying on an instructor to make the difference is that sometimes they don't. And sometimes their experiences are different than others. You end up with a very inconsistent delivery.
 
So we decided to create new courses based primarily around the best practices captured from the experiences of several developers. We still cover some fundamental tools & techniques but quickly move beyond that into the best practices of how to apply them. The idea is to have students spend less time on things they can learn on their own time. How often do you get to spend a week with an expert who has been using a new technology for a few years? The idea is to maximize the time for that week.
 
We haven't relied on just our own experiences either. We've decided to lean heavily on the community in this regard, in particular, the content coming out of the MS Patterns and Practices Group. The culmination of all this work was the first delivery of our new courseware based on "Best Practices" a couple of weeks ago. It was also John Lam's first course with ObjectSharp. I had the opportunity to talk to a few students, including a couple of our own instructors who sat in on the course, and I even managed to drop in for about 30 minutes on the last day.
 
The comments are great on the evals too. Our evals are always good, but these evals were awesome. "The most professionally run course I have ever taken." "The best course I've ever taken". Our salesperson told me that she even had a student ask in the middle of the week if we were going to be handing out evals because he wanted to make sure he had an opportunity to comment on how great the course was. I'm really proud of what we accomplished but I'm even happier that we've touched a nerve with our customers and found a way to maximize the value to them for taking a full week out of their lives. I can't wait until I get to teach one of these new courses.

How to partition your classes between assemblies

Eric Gunnerson has a great post with some performance-inspired assembly guidelines arguing for fewer, larger assemblies. Versioning and security units of work. Good reasons.

But a non-performance reason for partitioning into more assemblies is to stop developers from doing things like referencing your data access layer classes from a user interface layer (without going through a business object layer). If you have your classes in 3 assemblies/projects: UI, BUS and DA, where UI references BUS and BUS references DA, then it's hard for a class in UI to call a class in DA without going out of its way to add a project reference.

Should a project always correspond to an assembly? Well, that's the default, but you can create intermediate assemblies called netmodules and link them together with the assembly linker (AL.exe). Netmodules are MSIL without a manifest. You create the new assembly, which links the modules together (and adds the manifest metadata), with AL.exe.

The only problem with all of this is that you have to use the command line to compile your projects into .netmodules and link them afterwards. The net result however is that you still end up satisfying Eric's performance tips while keeping the requirement for binary-partitioned UI, Business, and Data Access layers.
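The command-line build described above, as an added example (not from the original post or from ObjectSharp): three layers compiled as netmodules and linked into one assembly with AL.exe. The folder names UI, BUS and DA and the output name App.dll are assumptions, and csc.exe and al.exe from the .NET Framework SDK must be on the PATH.

```batch
@echo off
REM Added example, not from the original post. Builds the UI, BUS and DA
REM layers as netmodules (MSIL without a manifest) and links them into a
REM single assembly. Folder names UI, BUS, DA and the name App.dll are
REM assumed; csc.exe and al.exe must be on the PATH.

REM Data access layer: no dependency on the other two layers.
csc /nologo /target:module /out:DA.netmodule DA\*.cs
if errorlevel 1 goto fail

REM Business layer: may use DA types because DA.netmodule is added here.
csc /nologo /target:module /out:BUS.netmodule /addmodule:DA.netmodule BUS\*.cs
if errorlevel 1 goto fail

REM UI layer: only BUS.netmodule is added, so code in UI that names a DA
REM type fails to compile. That compile-time wall is the layering
REM guarantee, even though all three modules end up in one assembly.
csc /nologo /target:module /out:UI.netmodule /addmodule:BUS.netmodule UI\*.cs
if errorlevel 1 goto fail

REM Assembly linker adds the manifest (name, version, module list) and
REM writes App.dll; the .netmodule files stay beside it and ship with it.
al /nologo /target:library /version:1.0.0.0 /out:App.dll DA.netmodule BUS.netmodule UI.netmodule
if errorlevel 1 goto fail

echo Built App.dll with three modules.
goto :eof

:fail
echo Build failed.
exit /b 1
```

At run time the CLR reads App.dll's manifest and loads each module from the same directory, so all four files are deployed together.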

TechEd 2004 Session Slides & Videos Available Online to Public

The site doesn't yet contain everything but things are trickling in.

http://microsoft.sitestream.com/TechEd2004/

Smart Client Deep Dive

Adam Gallant and I delivered an MSDN Deep Dive last week about developing Smart Client applications. I covered the overview & secure data access sections. The samples and IssueVision (1.0 C# & VB) along with the slides are available over here. Thanks to those who came out.

Update: If you want to take advantage of getting this stuff (and more) on the DevDays CD, you can fill in the form here.

Data Driven Development

So we have Test Driven Development and Model Driven Development or Design by Contract (similar perspective). But in the past, I've been a fan of Data Driven Development. This is a technique I haven't had the pleasure of using recently....because it relies on you building new applications with new databases.

What is this technique you ask? Well for me it is designing the data model first. In the early days of Client/Server, PowerBuilder and ERwin were my tools of choice. New applications. New databases. My design process (and that of many of my associates) was not so much to design a database but to document the data that existed in the organization - and do that in 3rd normal form. ERwin still stands as one of the best modeling tools ever because it actually made the job of coding up a database schema easier and faster than any other alternative. I could also use my model throughout the entire lifecycle since it did an excellent job at full round trip engineering/synchronization.

One of the cool features of PowerBuilder was your ability to annotate your database schema with UI hints. So you could say that a given column in your database should by default be shown as a checkbox, and that checked should be saved as "true" and unchecked as "false" - or whatever weird thing your DBA said it had to store. Whenever you designed a screen with that column, bam, you'd have it the way you'd expect - as a checkbox. The downside of PowerBuilder's datawindows of course was that the data store/entity/container was pretty tightly tied to your database and they made no attempt to hide that fact. But boy, productivity was really high - although I was producing tightly coupled, loosely coupled code :( .NET lets me build better code now, but productivity is still lacking.

At TechEd a couple of weeks ago, I stopped by the DeKlarit booth for a demo of their product by their lead architect Andres Aguiar. I was happy to see a tool that builds upon the Data Driven Development process. Of course, you don't have to start with an empty database, but this tool does an excellent job of making your job easy when starting from scratch. Andres promised to send me an eval so I can play with it some more and see how it works with existing databases, so stay tuned. I could easily see this tool paying for itself in a matter of a couple of weeks.

As for ERwin, I'm still a fan although it really hasn't changed much in the past 10 years. I remember the first copy I had fit on a single floppy. So did the 200 table model I created with it. I was using LBMS System Designer, which stored my model in some kind of 10mb black hole and took 10 minutes to generate a schema. When I first installed ERwin, I had it installed, had reverse engineered my LBMS model, and had forward engineered it from Oracle to SQL Server inside of 10 minutes. I couldn't believe the schema generation took 20 seconds compared to LBMS at 10 minutes.