I’m on my way home now from Whidbey Blast, a one-day, Visual Studio 2005 conference put on by the Northern Colorado .NET Users Group. I did the keynote and a session about MSBuild, then sat in on other sessions.
One of the sessions was put on by Keith Brown, security guru and a fellow Visual Developer – Security MVP. He asked how many people develop or have developed partially trusted applications. One person shyly raised his hand, and Keith indicated that was pretty typical. He also mentioned that if you develop an Indigo-based application, the app has to run with full trust, because the Indigo team doesn’t believe that enough people write partially trusted applications to make it worthwhile for them to do the work to make Indigo usable from partial trust. In the car on the way to the airport today, Kathleen Dollard said she doesn’t write them because clients aren’t willing to pay for them.
I’m flabbergasted! Have I been living in a foreign world, my own little state of Nirvana? A dream world?
If all this is true, it means we are making the computing world no safer from attacks. Are we so focused on perimeter security (e.g., firewalls) and post-infection eradication (spyware and virus scanning) that we are ignoring the fundamental ways we can make our users’ systems more secure? No wonder so many people still run every day with admin privileges and don’t use the great (but not perfect) tools that Microsoft gives us in Visual Studio and the .NET Framework. Are people just waiting for a more secure operating system (Windows Vista) to solve all our security problems? (It won’t.) Have we learned nothing from all of the clever attacks of the last few years? No wonder Microsoft takes so much heat for security issues. Are we as developers not willing to admit our complicity in the problem?
Yikes! I have to investigate this more. I’d love to hear any thoughts you have.
Update: Cathal Connolly responded:
Thought I'd fire you a quick email and let you know that not everyone is burying their heads in the sand on this one. I'm a member of the dotnetnuke (dotnetnuke.com) core team. When we moved from the 2.x cycle to 3.x, we took the time to make the necessary changes to run the application under medium trust (it was about 50k lines at that point). We had to sacrifice very little functionality (mostly removing reflection calls that automatically populated listboxes and replacing them with textboxes that require the user to specify the correct assembly name), and found the changes weren't too difficult (most of the effort was expended in testing), and it's been well worth the effort, first of all for minimising the attack surface, secondly for the positive publicity, and finally we found that many shared hosting providers are now following Microsoft's advice of running under medium trust, so we were ready with a fully functioning version in advance.
The single biggest issue we have is around access to additional external sites (typically for webservices/newsfeeds), so we documented up the scenario, and so far that's been sufficient to get most of our users over that speedbump. It would be nice if Microsoft had allowed more than 1 originUrl in the web.config (similar to the multiple URI machine.config options). I presume this limitation is the reason they didn't make the effort to mark the necessary Indigo/WCF assemblies with the APTCA attribute.
Note: I also believe that CommunityServer was trying to have a working partial trust version.
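To make the originUrl limitation Cathal describes concrete, here is an added illustration of the configuration involved. It is mine, not DotNetNuke's or CommunityServer's code, and the host names, the custom trust level name and its policy file name are made up. The first fragment is the application's web.config; the second is the relevant excerpt of the stock ASP.NET 2.0 web_mediumtrust.config, which is where the single originUrl value lands; the last two show the machine-level workaround, a custom trust level whose policy file lists several endpoints.

```xml
<!-- Fragment 1: the application's web.config (constructed example).
     Medium trust strips ReflectionPermission, restricts file I/O to the
     application directory, and limits outbound HTTP to ONE originUrl,
     which ASP.NET treats as a regular expression. -->
<configuration>
  <system.web>
    <trust level="Medium" originUrl="http://feeds\.example\.com/.*" />
  </system.web>
</configuration>

<!-- Fragment 2: excerpt of the stock web_mediumtrust.config shipped with
     ASP.NET 2.0. $OriginHost$ is replaced with the originUrl value above at
     policy load time; since there is a single placeholder, only one pattern
     can be supplied from web.config. -->
<IPermission class="WebPermission" version="1">
  <ConnectAccess>
    <URI uri="$OriginHost$" />
  </ConnectAccess>
</IPermission>

<!-- Fragment 3: registering a custom trust level (constructed example).
     This goes in machine.config or the root web.config, i.e. it is the
     hosting provider's decision: hosters normally lock <trust> with
     <location allowOverride="false">, so the application cannot do this
     for itself. web_mediumplusfeeds.config is a copy of
     web_mediumtrust.config with the WebPermission block edited. -->
<system.web>
  <securityPolicy>
    <trustLevel name="MediumPlusFeeds" policyFile="web_mediumplusfeeds.config" />
  </securityPolicy>
  <trust level="MediumPlusFeeds" />
</system.web>

<!-- Fragment 4: the edited WebPermission block inside
     web_mediumplusfeeds.config. Each URI is a regular expression; anchor
     the host with a literal "." (escaped) so "feedsXexample.com" does not
     match, and prefer an explicit list over a broad ".*". -->
<IPermission class="WebPermission" version="1">
  <ConnectAccess>
    <URI uri="http://feeds\.example\.com/.*" />
    <URI uri="http://api\.example\.org/.*" />
  </ConnectAccess>
</IPermission>
```

The practical check before shipping a "works under medium trust" claim is to set the trust level in a development web.config as in fragment 1 and exercise every code path; a SecurityException from System.Net.HttpWebRequest to a host not covered by originUrl, or from any reflection call, is the symptom Cathal's team designed around.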
I didn’t make it to PDC this year, but plenty of bloggers have posted plenty of information about what they’ve found most interesting.
The most amusing post that I’ve seen that doesn’t intend to be amusing is Ted Neward’s analysis of the new features coming in C# 3.0, which will arrive at some well-into-the-future date. It seems that C# is becoming VB, if not in syntax, at least in features.
Check out implicitly-typed variables, in which you can do something like this (these are Ted’s examples):
var i = 5;                                            // inferred as int (System.Int32)
var s = "This is an implicitly typed local variable"; // inferred as string
var a = new int[] { 1, 2, 3 };                        // inferred as int[]
(Note that a var is not a Variant. The variables are strongly typed; it’s just that the compiler figures out the type from the initializer, and the type cannot change afterward.) So i becomes an Int32, s becomes a string, and a an Int32 array. Then check out object initializers, which let you set public fields and properties inside the new expression without writing a constructor that takes them (the type’s existing constructor still runs first). Anonymous types take this even further: the compiler generates the type itself from the initializer, so var is the only way to hold the result.
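As an added example (mine, not Ted’s or the C# team’s code), the following program puts the three features together and shows where the strong typing bites; the Customer type and its values are made up.

```csharp
using System;

// Constructed type for the example; nothing in the post defines it.
class Customer
{
    public int Id;
    public string Name;
    public string City;
}

class Program
{
    static void Main()
    {
        // Implicitly typed locals: the static type is fixed at the declaration.
        var i = 5;                                            // int
        var s = "This is an implicitly typed local variable"; // string
        var a = new int[] { 1, 2, 3 };                        // int[]
        // i = "five";   // compile error CS0029: cannot implicitly convert string to int
        // var x;        // compile error: var requires an initializer to infer from

        // Object initializer: Customer's default constructor runs, then the
        // listed public fields are assigned. No constructor is generated.
        var c = new Customer { Id = 42, Name = "Ada", City = "Seattle" };

        // Anonymous type: the compiler synthesizes a class with read-only
        // properties Name, City and NameLength. It has no name you can write,
        // so var is the only way to declare the variable.
        var summary = new { c.Name, c.City, NameLength = c.Name.Length };
        // summary.Name = "Bob";  // compile error: anonymous type properties are read-only

        Console.WriteLine("{0} {1} {2}",
            i.GetType().Name, s.GetType().Name, a.GetType().Name); // Int32 String Int32[]
        Console.WriteLine("{0} lives in {1} ({2} chars)",
            summary.Name, summary.City, summary.NameLength);
        // The generated name is compiler-specific, something like <>f__AnonymousType0`3.
        Console.WriteLine(summary.GetType().Name);
    }
}
```

Two things the syntax hides are worth keeping in mind when reviewing code that uses it: an anonymous type is still a real class with a compiler-chosen name, so it does not cross assembly or method boundaries without degrading to object; and var does nothing at runtime, so it changes neither performance nor security, only how much the reader has to infer.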
While these features don’t function exactly like those in VB, it seems that the C# team has a mandate to make C# a more productive language to program in, something that VB has been working toward for years.