
Language Oriented Programming

Chris Smith from the F# team has an awesome blog post on language oriented programming - and specifically LOP in F#. For those new to LOP Chris describes it as a style of programming that resembles a domain specific language - but is still valid in a general purpose programming language.

As we see more and more DSL's emerge - specifically in domains where visual models aren't adequate to sufficiently represent domain concepts - I believe we will see a huge movement toward LOP. For our Security Policy Language this was the case - leading us to the creation of our SecPAL Parser - which was also written in F#.

Anyone interested in DSL's should definitely read Chris' blog post...

Posted by Jason Hogg | 1 Comments

patterns & practices Improving Web Services Security: Now Available!

Over the last 12 months we have had a lot of people who used the Web Service Security - Scenarios, Patterns and Implementation Guidance ask us where the implementation guidance for WCF was. Great news. JD Meier, Jason Taylor, Prashant Bansode, Rob Boucher and the rest of the P&P team have just released their guide, which includes Security Fundamentals for Web Services, WCF Security Fundamentals and scenario-specific guidance. Great stuff - and a must read for anyone designing secure distributed systems based on WCF. Available from: http://www.codeplex.com/WCFSecurityGuide

 

P&P Happenings

I have been catching up with old friends from the P&P team over the last couple of days - many of whom have been working on new and exciting initiatives that I thought I would share with you. Each of these deserve their own blog posting, but until I get more time I thought a brief summary might be useful:

  • J.D. Meier has as always been crazy busy. I meant to blog about this ages ago but never managed to find the time. Several cool things that JD has been working on include:
    • Bookshare - If you are the kind of person that browses through airport bookstore thinking how great the selection of management guides is and wouldn't it be amazing if you could read all of them - then worry no more. J.D. spent his entire Christmas vacation reading all of them and providing nice summaries for you to take a look at with the goal being to allow you to determine which of these books are worth buying and reading yourself. Incredible stuff that only J.D. could create.
    • GuidanceShare - A kick-ass repository of much of the work that JD and the rest of the P&P team have created. In wiki form so add to it or provide detailed feedback on what you liked and what you didn't like.
    • Guidance Explorer - When I was much younger than I am today and technology changed at a much slower rate, organizations used to create massive binders of standards that all developers would follow when writing and deploying applications. Today there is arguably too much technology and it changes too fast for such binders to be relevant. Until now. With Guidance Explorer you can leverage P&P's guidance base, plus add your own organization's standards and create views over this repository.
  • A Documentation Factory - Nelly Delgado and Tim Osborne showed me some really great tooling that they have been working on for supporting creation of documentation to accompany blocks and factories. In the past this was always a nightmare. For P&P we had to create design and API documentation which then had to be output to CHM, HSX, HTML, PDF and goodness only knows how many other formats. Nelly and Tim have even released this guidance on www.codeplex.com/doctools - so if you are creating any kind of reusable assets you should definitely take a look.
  • Unity - Grigori Melnik sent me a link to Unity a couple of months ago and I honestly haven't had time to do it justice with a full blog post and some samples - but in the mean time I suggest that anyone interested in concepts such as IoC and dependency injection should take a look.
  • Fun, fun, fun... and I have been playing a little with Entlib 4 which looks like it will continue to kick-ass...

On a sad note for Microsoft, Scott Densmore (Lead Dev and PM on Entlib and many other things) left P&P yesterday to start his new career at Disney. Not sure which rides he will be managing or which costumes he will be wearing - but whichever ones they are you can be sure they will be the fastest rides or the most opinionated Disney characters you will ever meet. :-) Best of luck Scott...

 

Posted by Jason Hogg | 1 Comments

WhoIs Shenanigans

I am sure that everyone has used a WhoIs utility (such as http://www.internic.org/whois.html) for querying the owner of a domain name such as microsoft.com. There is however an alternative to these Web forms which provides more information allowing you to search not just for strings matching a domain name, but also for strings matching registered hostnames of domain names. This provides hysterical insight into the minds of some Webmasters. For a laugh take a look at some of these hostnames registered with microsoft.com or google.com in them.

MICROSOFT.COM.WILL.LIVE.FOREVER.BECOUSE.UNIXSUCKS.COM
MICROSOFT.COM.WILL.BE.BEATEN.WITH.MY.SPANNER.NET
MICROSOFT.COM.SOFTWARE.IS.NOT.USED.AT.REG.RU
MICROSOFT.COM.SHOULD.GIVE.UP.BECAUSE.LINUXISGOD.COM
MICROSOFT.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET
MICROSOFT.COM.IS.GOD.BECOUSE.UNIXSUCKS.COM
MICROSOFT.COM.HAS.ITS.OWN.CRACKLAB.COM
MICROSOFT.COM

GOOGLE.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
GOOGLE.COM.YAHOO.COM.MYSPACE.COM.YOUTUBE.COM.FACEBOOK.COM.THEYSUCK.DNSABOUT.COM
GOOGLE.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET
GOOGLE.COM.IS.HOSTED.ON.PROFITHOSTING.NET
GOOGLE.COM.ACQUIRED.BY.CALITEC.NET
GOOGLE.COM

To see the complete list (R-rated) try running the code yourself. Post a response with your funniest hostname, or with domain names other than these two that are particularly funny.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Net.Sockets;
using System.IO;

namespace WhoIsQuery
{
   class Program
   {
      static void Main(string[] args)
      {
         // A query that results in more than one result lists all possible results
         // so that a more precise query can be entered.
         // A query with only one result returns just that result.

         // Send request to WhoIs Server
         Console.WriteLine("Contacting Internic");
         TcpClient client = new TcpClient("whois.internic.net", 43);
         StreamWriter writer = new StreamWriter(client.GetStream());
         writer.WriteLine("microsoft.com");
         writer.Flush();

         // Retrieve response
         StringBuilder output = new StringBuilder();
         StreamReader reader = new StreamReader(client.GetStream());
         do
         {
            output.Append(reader.ReadLine() + Environment.NewLine);
         }
         while (!reader.EndOfStream);

         Console.WriteLine(output);
         Console.ReadLine();
      }
   }
}
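Reading such a listing, as an added example that is not part of the original post: a line that merely starts with the queried name is a hostname registered under whatever domain its rightmost labels name, so only the bare MICROSOFT.COM entry is the queried domain. The classifier below groups sample lines copied from the listing above by that domain; MatchClassifier, Match and the two-label rule are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

namespace WhoIsQueryExample
{
    // One classified line of a multi-match response (hypothetical type).
    record Match(string Host, string RegisteredDomain, bool IsQueriedDomain);

    static class MatchClassifier
    {
        // Assumption: the registered domain is the rightmost two labels. That holds
        // for the .COM/.NET/.RU names shown here, not for suffixes such as .CO.UK.
        public static string RegisteredDomain(string host)
        {
            string[] labels = host.TrimEnd('.').Split('.');
            return labels.Length < 2 ? host : labels[^2] + "." + labels[^1];
        }

        public static List<Match> Classify(string query, IEnumerable<string> lines)
        {
            string wanted = query.Trim().ToUpperInvariant();
            return lines
                .Select(line => line.Trim().ToUpperInvariant())
                // Skip blanks and banner text; keep host names that contain the query.
                .Where(host => host.Length > 0 && !host.Contains(' ') && host.Contains(wanted))
                .Select(host => new Match(host, RegisteredDomain(host), host == wanted))
                .ToList();
        }
    }

    class ClassifierDemo
    {
        static void Main()
        {
            // Constructed input: lines copied from the listing in this post.
            string[] response =
            {
                "MICROSOFT.COM.WILL.LIVE.FOREVER.BECOUSE.UNIXSUCKS.COM",
                "MICROSOFT.COM.IS.GOD.BECOUSE.UNIXSUCKS.COM",
                "MICROSOFT.COM.SOFTWARE.IS.NOT.USED.AT.REG.RU",
                "MICROSOFT.COM.HAS.ITS.OWN.CRACKLAB.COM",
                "MICROSOFT.COM",
            };

            var groups = MatchClassifier.Classify("microsoft.com", response)
                                        .GroupBy(m => m.RegisteredDomain);
            foreach (var group in groups)
            {
                // A group is the queried domain only if it holds the exact match.
                string verdict = group.Any(m => m.IsQueriedDomain)
                    ? "the queried domain itself"
                    : "host names under an unrelated domain";
                Console.WriteLine("{0,-16} {1} line(s): {2}", group.Key, group.Count(), verdict);
            }
        }
    }
}
```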

 

 

Posted by Jason Hogg | 1 Comments

The Glory Days of Home Computing

It has been a long time since I have blogged (more about that in some later posts), but two recent articles that I read on the BBC website have motivated me to write again. The articles honor the creators of the BBC Microcomputer which along with companies like Sinclair, Apple, Commodore and of course Atari provided the first introduction to computing to many developers of my era. It was a time when magazines like Your Computer, Computer and Video Games and Byte magazine provided the crucial link to a community of like minded youths that lived at the far corners of the world desiring to learn more about how to master the art of computer programming.

For me, these magazines were critical. At the time I lived in New Zealand, and home computers were few and far between. If I wanted a game, I had to write the game myself. Initially I tried this with Basic but was always frustrated at the quality of games possible with Basic - and then with machine code on one of my earliest computers - the ZX Spectrum. It was around this time that I turned turncoat and traded my ZX Spectrum for a BBC Computer which not only had a far superior version of Basic integrated into it - it also had the ability to inline assembly language, suddenly providing access to advanced graphical capabilities much more easily.

For folks from the United States where I now reside, I believe the home computer market was very different, although no doubt seemingly just as exciting. In the UK (and indeed New Zealand as well) there were a large number of home computers vying for attention, including: the Sinclair ZX Spectrum, the BBC Microcomputer, Amstrad, Dragon 32 and of course Apple II and Atari 400 and 800's. Each of these computers had their own strengths (and weaknesses) and a user base of passionate developers that would swear allegiance to their computer of choice. Never was this battle as bitter as that between owners of the ZX Spectrum and the BBC micro. It was an exciting time.

If you haven't heard of the BBC Microcomputer (which I am sure is the case for many non-British folks) it was in my opinion a true testament to British engineering. Some of the capabilities of the BBC Micro that made it so compelling included:

  • One of the most advanced Basic interpreters available on the market (in ROM), with integrated assembly language support
  • Built in support for cassette tapes (yeeha!) or 5.25" floppy drives
  • Built in networking capabilities, allowing schools to set up networks of BBC's very simply
  • Extensibility through pluggable ROM's and easily burnable EPROM's
  • Built in support for teletext

Teletext in particular was (alongside early bulletin boards) a predecessor to the general Internet, allowing businesses and homes to obtain access to news and information using their home computers via data transmitted between frames in television signals. But as with many things British, unfortunately the BBC Microcomputer did not infiltrate the United States until much later when the researchers behind the BBC Microcomputer - Acorn - developed the ARM processor which now powers many mobile phones and printers.

I often wonder how new generations of youths will become motivated and excited by the potential of home computing. Our Windows (or Apple) based home computers no longer ship with the ease of access that an integrated Basic interpreter provided - sure shell scripting and integrated VB script within applications like Excel is available - but it just isn't as accessible. Similarly, capabilities have advanced leaps and bounds. When we used to dream about the possibility of digitizing sound or pictures, this is now routine - and the possibility of writing a game without a team of graphical designers requires creativity that few people can possess (Tetris is the last such game I can recall).

As I write this blog, I am left to wonder if the era of home computing isn't dead and we are now in a new generation of network based computing, where our children will instead learn to understand basic protocols such as HTTP and REST, whilst using languages like Ruby, Perl and Python to take their first steps just as we did ours with Basic. If that is the case, and realizing that many of the Internet innovations of our era such as ICQ and Napster originated from youths, much like the original Operating Systems designed by companies like Apple, Sinclair and Microsoft, it maybe rekindles some of that early awe and excitement, making me wonder where we will be in ten years' time when my soon to be born daughter Tegan may possibly be learning to program...

For those that have read this far, I assume we share a common past, so I thought it might be fun to see who could remember what the 8 computers pictured are. To keep it interesting, there is a mix of American and British computers... enjoy!

 

Posted by Jason Hogg | 5 Comments

Released: Web Service Software Factory: Modeling Edition

I just saw an announcement from Don that the P&P folks have just released the third version of the Web Service Software Factory - entitled The Web Service Software Factory Modeling Edition. I know these guys have been working hard on this for a long time now so this is really great news... And you know what they say about it taking Microsoft three attempts to get things right... Well, based on how good v2 of the Service Factory was - this thing should really kick ass! More information from here.

SAML STS for WSE 3.0 (reposted)

Every week or so I get another email asking where the sample code for the SAML STS for WSE 3.0 has been moved to now that GotDotNet GotNuked. It wasn't moved anywhere. So I figured I would repost it here for those that need it. For those new to this you should also take a look at Pablo Cibraro's blog (Pablo was one of the developers on this sample) as he extended this to support credential caching and more.

A few caveats that people should be aware of when looking at this sample code:

  • For obvious reasons, where at all possible you should seek a WCF based solution first. There still appear to be a few people that cannot use WCF yet - which is why I am reposting this.
  • We did do interop testing between an RC version of WCF and this STS - but this was released before WCF went gold - so if interop is important to you then you should test that.
  • The code within this requires extensive knowledge of .NET security API's. Do not consider deploying this if you do not understand the entire solution.
  • As with all things security related you should ensure you put together an appropriate security threat model as part of your solution design...
  • And of course batteries are not included!

Most common issues encountered:

  • Configuring the access rights to the certificates is probably the number one issue people run into. If you need help managing certs / permissions download this awesome tool.

 

The Great Debate: Patterns vs Tooling

With well over 250 attendees this year's P&P Summit is the best attended I have seen so far. I was fortunate to participate in two presentations - the first talk was on SecPAL which I believe was well received, and the second was a discussion with myself, Dragos Manolescu, Wojtek Kozaczynski and Ade Miller on the future of patterns.

As you may recall the 4 of us worked on a paper called “The Growing Divide in the Patterns World” for an IEEE special on design patterns. Our article summarized results from a survey about the relevance of patterns for several hundred developers. One of the not surprising (or perhaps not unsurprising) results that we saw from the paper was that for many people simply including patterns in tooling was sufficient and that they did not see significant value in traditional narrative based patterns.

So, with our goal being to find a controversial subject that would encourage audience participation (and perhaps more importantly) provide feedback that will drive P&P's future investments in the pattern space we decided to use the P&P Summit as a forum for discussion about the extent to which P&P should share patterns via books or Pattern Share - or whether they should focus purely on including patterns inside factories. 

Myself and Dragos were in the red corner, advocating that patterns should first be written in the narrative form, whilst Wojtek and Ade took the blue corner arguing that this format is irrelevant and that the majority of non-academic folk only care about productivity and tooling. The discussion started off with a curve ball. I had expected Dragos to have a strong opening statement that would incite hatred amongst much of the audience, instead he punted to me - leaving me to take the rubber bullets from the audience (Keith Please had armed the audience with toy guns so as to shoot people that they disagreed with). 

Rather than making Wojtek and Ade's job way too easy, I decided to argue that tooling should only be based on patterns, and that tooling based on patterns was inevitable. As such I argued that it was critical not to lose sight of the need for crisp architectural guidance articulated in pattern form that can be shared in books, web pages and hopefully organized dynamically on resources such as Pattern Share.

I have to say that the discussion was fantastic mainly because the audience got so involved in the discussion. We had advocates on both sides of the audience. Some common themes discussed (liberal paraphrasing) included:

  • Many enterprise developers do not care about design patterns - they just want to do their job
  • Enterprise architects have a hard time communicating the value in patterns to their development teams
  • Patterns do in fact play a critical role in application architecture and P&P should continue to create and publish patterns independently of tooling
  • People do not want to have to download factories to determine if there are patterns that are relevant to their problem
  • Patterns should be consistent across programming platforms
  • and much, much more...

I have some additional thoughts on the subject which I will share in the coming days as well - but first I wanted to see if we can't get some additional discussion going.

So, if you were in the discussion, feel free to post additional thoughts, or if you weren't there it would be great to hear your thoughts on this very important topic... To what extent should P&P invest in publishing patterns independently of tooling such as Factories - and would you like to see a reincarnation of the Pattern Share repository (friendlier UI etc)?

 

F# is getting productized!

I just saw the announcement on Don and Soma's blogs about the fact that a product team has officially been established to productize F#. This is great news for Don Syme and James Margetson who have been working slavishly on F# for the last couple of years. Congratulations guys!!!

For more information see:

Posted by Jason Hogg | 0 Comments

Lunar Eclipse Photos

I happened to be up early this morning and shot some nice photos of the lunar eclipse that happened this morning.

Lunar eclipse

Posted by Jason Hogg | 3 Comments

Sample declarative access control policy

In my previous post I mentioned that we have now released a parser for SecPAL that allows policies to be written in a human readable simplified English grammar. I thought it might be worth including an example - based on the scenario that was used in the GridToday post on Access Control in Grid Computing Environments which (funnily enough) is very similar to the two pages of F# available here and very similar to the C# sample AttributeScenario solution included inside the v1.1 release of SecPAL.

The sample shows the policies being specified in C# using a similar approach to that you might use to specify dynamic SQL. Such policies could just as easily be read from a file etc.  In the future I will provide some more advanced samples - including more discussion about each of the samples - but for now just remember that another of SecPAL's strengths is its ability to create generic access control policies through the use of variables. In the simplified English grammar variables are prefixed by % signs. Variables are substituted for concrete values during evaluation. Enjoy...

 

using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.Research.SecPal.Authorization;
using Microsoft.Research.SecPal.Parser;

namespace DeclarativeTest
{
   class Program
   {
      static void Main(string[] args)
      {
         // Input policies

         // 1. Policy restricting access to a resource to those principals possessing a valid email address
         string resourceAccessPolicy =
               "LA says %p can read digitalContent:'file://public/' " +
               " if %p possesses %a" +
               " where %a matches rfc822Name:'.*@microsoft.com' ";

         // 2. Policy delegating the rights to an STS to make statements about possession of email attributes
         string trustPolicy =
               "LA says K-STS can say %p possesses %a" +
               " where %a matches rfc822Name:'.*@microsoft.com' ";

         // 3. Identity assertion that would normally be included inside a token when the user requests access to a resource
         string identityPolicy = "K-STS says K-JAHOGG possesses rfc822Name:'jahogg@microsoft.com' ";

         // Authorization Query
         // Query created based on the specifics of the resource access request
         string authzQuery = "LA says K-JAHOGG can read digitalContent:'file://public/foo.txt' ";

         // Error - keyholder principals are getting recreated each time
         Assertion a1 = Interpretor.parseAssertion(resourceAccessPolicy);
         Assertion a2 = Interpretor.parseAssertion(trustPolicy);
         Assertion a3 = Interpretor.parseAssertion(identityPolicy);
         Assertion[] assertionList = new Assertion[3] { a1, a2, a3 };

         AuthorizationQuery aq = Interpretor.parseAuthQuery(authzQuery);

         Console.WriteLine("Authorization result");

         // Make an authorization decision
         IList<Answer> answers =
               AuthorizationEngine.MakeAuthorizationDecision(new LocalAuthorityPrincipal(),
                     assertionList,
                     aq,
                     new List<AuditRule>());

         Console.WriteLine("Answer was " + (answers.Count > 0));
      }
   }
}
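How the three assertions and the query combine, as an added example rather than code from the SecPAL release: a hand-rolled model (ToyPolicy and Possession are hypothetical names) that grants the read only when the delegated issuer K-STS vouches for an address inside the pattern. It assumes whole-value .NET regex matching and prefix matching on the resource, neither of which the post states for SecPAL; under those assumptions the unescaped dot in '.*@microsoft.com' also accepts a constructed address such as jahogg@microsoftxcom, which the escaped pattern rejects.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

namespace DeclarativeTestExample
{
    // "<Issuer> says <Subject> possesses rfc822Name:'<Email>'" (shape of assertion 3).
    record Possession(string Issuer, string Subject, string Email);

    // Hand-rolled model of assertions 1 and 2 above. It is not the SecPAL
    // engine and calls nothing from the SecPAL API.
    class ToyPolicy
    {
        readonly string resourcePrefix, delegatedIssuer, emailPattern;

        public ToyPolicy(string resourcePrefix, string delegatedIssuer, string emailPattern)
        {
            this.resourcePrefix = resourcePrefix;
            this.delegatedIssuer = delegatedIssuer;
            this.emailPattern = emailPattern;
        }

        // Assumption: "matches" requires the whole value to match the pattern.
        bool MatchesPattern(string value) =>
            Regex.IsMatch(value, "^(?:" + emailPattern + ")$");

        // Assertion 2: a possession fact counts only when the delegated issuer
        // states it and the attribute falls inside the delegated pattern.
        bool Accepts(Possession p) =>
            p.Issuer == delegatedIssuer && MatchesPattern(p.Email);

        // Assertion 1: reading needs an accepted possession fact about the
        // principal. Assumption: the policy resource is treated as a prefix.
        public bool CanRead(string principal, string resource, params Possession[] tokens) =>
            resource.StartsWith(resourcePrefix, StringComparison.Ordinal) &&
            tokens.Any(t => t.Subject == principal && Accepts(t));
    }

    class ToyPolicyDemo
    {
        static void Show(string label, bool granted) =>
            Console.WriteLine("{0,-44} {1}", label, granted ? "granted" : "denied");

        static void Main()
        {
            // Values taken from the post's policy strings.
            var asPosted = new ToyPolicy("file://public/", "K-STS", ".*@microsoft.com");
            // Same policy with the dot escaped (added variant, not from the post).
            var escaped = new ToyPolicy("file://public/", "K-STS", @".*@microsoft\.com");
            const string user = "K-JAHOGG";
            const string file = "file://public/foo.txt";

            var fromSts = new Possession("K-STS", user, "jahogg@microsoft.com");
            // Constructed tokens for the failure cases.
            var fromOther = new Possession("K-OTHER", user, "jahogg@microsoft.com");
            var offDomain = new Possession("K-STS", user, "jahogg@example.org");
            var lookalike = new Possession("K-STS", user, "jahogg@microsoftxcom");

            Show("post's query", asPosted.CanRead(user, file, fromSts));
            Show("issuer without delegation", asPosted.CanRead(user, file, fromOther));
            Show("address outside the pattern", asPosted.CanRead(user, file, offDomain));
            Show("resource outside the prefix", asPosted.CanRead(user, "file://private/foo.txt", fromSts));
            Show("lookalike address, pattern as posted", asPosted.CanRead(user, file, lookalike));
            Show("lookalike address, escaped pattern", escaped.CanRead(user, file, lookalike));
        }
    }
}
```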

 

Parser for SecPAL simplified English grammar now available!

One of the great strengths of SecPAL is its unique support for multiple representations of a security policy: XML for interoperability, and a simplified English grammar for human readability. The SecPAL v1.1 Research Release (available from http://research.microsoft.com/projects/secpal) allows SecPAL assertions to be created using the rich and flexible .NET object model or deserialized from (or serialized into) XML according to the SecPAL Schema Specification (also available at the aforementioned URL).

We have now also created a sample parser that allows SecPAL policies and authorization queries to be specified using a simplified English grammar and then translated into the SecPAL object model. This allows policies to be specified declaratively in a human readable form. The parser is written using F# and uses the Lex and Yacc tools that accompany F#. Full source code is included - so if you are looking for a good project to start learning F# - or if you want to see a complete parser implementation developed using F# and the accompanying tools then this is a great place to start.

I really enjoyed working on this sample as it gave me an opportunity to learn a lot more about F# - so over the next couple of posts I will share a lot more information on how the sample works including some tips about F# that I have learned. I will also start posting additional access control patterns specified declaratively - hopefully making the samples much easier to follow than the lengthier samples written purely in C# or F#.

Swiss Army Knife of X.509 Certificate Tools

Anyone who has dealt with X.509 certificates when trying to design, test and deploy secure Web services will know what an ordeal it can be to locate certificates in various cert stores using different cert identifiers, modify security properties of the private key to allow services accounts to sign or decrypt messages and all the other messing around that is associated with X.509 certificates. I happened to bump into Christian Geuer-Pollmann from the European Microsoft Innovation Center last week - and he showed me an awesome tool they have built to greatly simplify such challenges. This tool is available for download from here.

A Java implementation of SecPAL?

Panos, from the University of Newcastle, just dropped me a note to say that he is making progress with his Java based SecPAL implementation - which is very exciting. I noticed that he has moved away from XSB and has decided instead to create his own custom datalog implementation - which is very cool - I am sure that took a couple of very late nights! If you are interested in learning more take a look at Panos' blog.

 

A Qwik-E-Mart in Seattle!?

They say it is the only time you are likely to see people smiling in a 7-Eleven - and it is true! If you haven't already heard, about a dozen 7-Eleven stores around the country have turned themselves into Qwik-E-Marts in time for the release of the Simpsons movie. Maureen and I decided to check out the Qwik-E-Mart on Denny and 4th Street in Seattle before heading off to see the movie at the Cinerama. It is well worth the visit...

Posted by Jason Hogg | 0 Comments