Browse by Tags

Tagged Content List
  • Blog Post: Dynamic contagion, part one

    Suppose you're an epidemiologist modeling the potential spread of a highly infectious disease. The straightforward way to model such a series of unfortunate events is to assume that the population can be divided into three sets: the definitely infected, the definitely healthy, and the possibly infected...
  • Blog Post: Past performance is no guarantee of future results

    Before I get started today, a couple housekeeping notes. First off, sorry for no blog the last three weeks; I have been crazy busy adding features to the Roslyn C# semantic analyzer. More on that in an upcoming episode. Second, check out the snazzy new Developer Tools blog aggregation page; it's one...
  • Blog Post: Keep it secret, keep it safe

    A lot of people really love the idea of cryptography. To computer geeks like us there is nothing cooler than the idea that computing relatively simple arithmetic on a message can enable you to communicate secretly with anyone in the world, even if there are eavesdroppers. Unfortunately, this means that...
  • Blog Post: The curious property revealed

    Today is the fifteenth anniversary of my first day of full time work here at Microsoft. Hard to believe it has been a decade and a half of writing developer tools. I am tremendously fortunate to be able to work with such a great team on such a great toolset for such great customers. I'm looking forward...
  • Blog Post: Guidelines and rules for GetHashCode

    "The code is more what you'd call guidelines than actual rules" - truer words were never spoken. It's important when writing code to understand what are vague "guidelines" that should be followed but can be broken or fudged, and what are crisp "rules" that have serious negative consequences for correctness...
  • Blog Post: All your base do not belong to you

    People sometimes ask me why you can’t do this in C#: class GrandBase { public virtual void M() { Console.WriteLine("GB"); } } class Base : GrandBase { public override void M() { Console.WriteLine("B"); } } class Derived : Base { public override void M() { Console.WriteLine("D"); base.base.M(); // illegal...
  • Blog Post: Asynchrony in C# 5, Part Eight: More Exceptions

    (In this post I'll be talking about exogenous, vexing, boneheaded and fatal exceptions. See this post for a definition of those terms.) If your process experiences an unhandled exception then clearly something bad and unanticipated has happened. If it's a fatal exception then you're already in no position...
  • Blog Post: Careful with that axe, part one: Should I specify a timeout?

    (This is part one of a two-part series on the dangers of aborting a thread. Part two is here.) The other day, six years ago, I was talking a bit about how to decide whether to keep waiting for a bus, or to give up and walk. It led to a quite interesting discussion on the old JoS forum. But...
  • Blog Post: Why Can't I Access A Protected Member From A Derived Class? Part Six

    Reader Jesse McGrew asks an excellent follow-up question to my 2005 post about why you cannot access a protected member from a derived class. (You probably want to re-read that post in order to make sense of this one.) I want to be clear in my terminology, so I’m going to define some terms. Suppose...
  • Blog Post: Use the right tool for the job

    Consider the following scheme: I have some client software which I sell. When the client software starts up for the first time, it obtains a “token” from the user. The token string can be anything; the user can choose their name, their cat’s name, their password, the contents of some disk file, whatever...
  • Blog Post: Sorry about the CAPTCHA

    A quick metablogging note. Those of you who comment on this blog (6700+ comments and counting, thank you all) have probably noticed that it now has a CAPTCHA, that little "please prove you're a human" test before the comment is posted. I understand why. The MSDN and TechNet blog sites are high-value...
  • Blog Post: What's the Difference, Part Five: certificate signing vs strong naming

    Both strong naming and digital signatures use public key cryptography to provide evidence about the origin of an assembly, so that you can apply security policy to determine what permissions are granted to the assembly. They differ most importantly not in their mathematical details, but in what problems...
  • Blog Post: Alas, Smith and Jones

    We have a feature in C# which allows you to declare a "friend assembly". If assembly Smith says that assembly Jones is its friend, then code in Jones is allowed to see "internal" types of Smith as though they were public(*). It's a pretty handy feature for building a "family" of assemblies that share...
  • Blog Post: Preventing third-party derivation, part two

    If you find a class in a library that has all private/internal constructors, it is pretty clear that the author of the class is sending you the deliberate message that this class is not to be extended by you. In our previous example, it was not so clear. Obviously the author of the class in question...
  • Blog Post: Preventing third-party derivation, part one

    In this episode of FAIC, a conversation I had with a C# user recently. Next time, some further thoughts on how to use the CLR security system in this sort of scenario. Him: I have this abstract class defined in one assembly: // Assembly FooBar.DLL public abstract class Foo { internal abstract void...
  • Blog Post: Tasty Beverages

    “Diet Dr. Pepper tastes more like regular Dr. Pepper.” That was a previous advertising slogan for Diet Dr. Pepper, my personal favourite source of both caffeine and phenylalanine; I’m drinking it right now as I write this. The present slogan is the brain-achingly oxymoronic “Diet Dr. Pepper:...
  • Blog Post: Protected Member Access, Part Four

    In Part Two I asked a couple of follow-up questions, the first of which was: Suppose you were a hostile third party and you wanted to mess up the parenting invariant. Clearly, if you are sufficiently trusted, you can always use private reflection or unsafe code to muck around with the state directly...
  • Blog Post: Why Can't I Access A Protected Member From A Derived Class, Part Two: Why Can I?

    This is a follow-up to my 2005 post on the same subject which I believe sets a personal record for the longest time between parts of a series. (Of course, I didn't know it was a series when I started it.) Please read the previous article in this series, as this post assumes knowledge of part one...
  • Blog Post: How do I mitigate a SQL injection vuln?

    Joel points out today that SQL injection vulnerabilities are common and bad, bad, bad. He does a good job of describing the attack but doesn't really talk about how to mitigate it. When I advise people on how to close security holes like this I always tell them that closing the original hole is probably...
  • Blog Post: Why are base class calls from anonymous delegates nonverifiable?

    I'm still learning my way around the C# codebase – heck, I'm still learning my way around the Jscript codebase and I've been working on it for nine years, not nine weeks. Here's something I stumbled across while refactoring the anonymous method binding code last week that I thought might be interesting...
  • Blog Post: Do not use string hashes for security purposes

    A recent question I got about the .NET CLR's hashing algorithm for strings is apropos of our discussion from January on using salted hashes for security purposes. The question was basically "my database of password hashes doesn't seem to work with .NET v2.0, what's up with that?" To make a long story...
  • Blog Post: How To Obtain The Name Of The Client From The ASP Server

    Here's a question about client side vs. server side scripting that I got recently: I want to get the machine name of the client the request is being made from. With ASP I can get the IP address using this code: ipaddr = Request.ServerVariables("REMOTE_ADDR") But I don’t know how to get the name of...
  • Blog Post: A Face Made For Email, Part Two

    One year ago this week I was the Channel Nine guinea pig -- I'm still not sure why, but for some reason The Scobelizer and his cohort chose me to be the first guy interviewed for their project. (Probably because I'm mostly harmless.) Channel Nine has succeeded tremendously, and I'm very pleased to have...
  • Blog Post: You Want Salt With That? Part Four: Challenge-Response

    My friend Kristen asked me over the weekend when I was going to stop blogging about crypto math and say something funny again. Everyone's a critic! Patience, my dear. Today, the final entry in my series on salt. Tomorrow, who knows? *********************** So far we've got a system whereby the server...
  • Blog Post: You Want Salt With That? Part Three: Salt The Hash

    Last time we were considering what happens if an attacker gets access to your server's password file. If the passwords themselves are stored in the file, then the attacker's work is done. If they're hashed and then stored, and the hash algorithm is strong, then there's not much to do other than to hash...
Page 1 of 2 (48 items)