Friday, January 05, 2007

Security on the web has taken on a new dimension with AJAX-driven websites.  AJAX-driven websites are more susceptible to cross-site scripting (XSS) attacks and make it easier for an attacker to discover the calls and logic behind the page.

I had covered these in sessions titled "Building Secure Next Generation Web Applications" during the recent Security Yatra and also during some MSDN Days organized at a few SIs in India.

Some of the really startling attacks I discovered while preparing the content for the demo included the MySpace worm.  The complete details are available at http://namb.la/popular/

Not only did the worm bypass all of Myspace.com's rules, but it also surprised the author of the malicious code himself by affecting a million users in under 20 hours!

I also just received an email that talks about a very interesting vulnerability in PDF and Adobe Reader that makes it possible to perform serious XSS attacks.  That was quite startling, because the attack surface now extends beyond AJAX sites to common technologies such as Adobe PDF and OpenOffice.  The article is available at http://www.eweek.com/article2/0,1895,2079201,00.asp?kc=EWEWEMNL010107EP26A

The actual attack instructions are also available here.  But let me warn you not to try this with any site.  Don't mess around - it is a dangerous world out there.

And for all you developers out there, if that didn't shake you and make you say "Take security seriously", I don't know what will.
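As an added illustration of the XSS point above (this is example code, not from the original post or from any of the sites it mentions), here is the kind of AJAX response handler that builds page fragments from a JSON reply, shown in its XSS-prone form beside a hardened form. The function names, the comment-list format and the sample response are all assumed for the demonstration.

```javascript
// Added example (not from the original post): an AJAX response handler
// that turns a JSON payload into HTML, in a vulnerable and a hardened form.
// All names and the sample data are assumptions made for this demo.

// Encode the five characters that let untrusted text break out of an
// HTML text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: fields from the JSON reply are concatenated straight into
// markup, so a stored payload in "name" or "text" executes in the browser
// of every visitor who loads the list (the pattern a self-propagating
// worm like the MySpace one relies on).
function renderCommentsUnsafe(comments) {
  return comments
    .map((c) => "<li><b>" + c.name + "</b>: " + c.text + "</li>")
    .join("");
}

// Hardened: every untrusted field is encoded before it touches markup.
// In a real page, prefer creating DOM nodes and assigning textContent
// over building HTML strings at all.
function renderCommentsSafe(comments) {
  return comments
    .map((c) => "<li><b>" + escapeHtml(c.name) + "</b>: " + escapeHtml(c.text) + "</li>")
    .join("");
}

// Constructed sample: what JSON.parse on an XMLHttpRequest reply might
// yield, with one entry carrying a script tag in the user-controlled name.
const sampleResponse = [
  { name: "alice", text: "Nice post & thanks" },
  { name: "<script>alert(1)</script>", text: "hi" },
];

// Detection helper: does the rendered fragment still contain a raw script tag?
function containsRawScriptTag(html) {
  return /<script/i.test(html);
}

console.log("unsafe:", renderCommentsUnsafe(sampleResponse));
console.log("safe:  ", renderCommentsSafe(sampleResponse));
```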

posted on Friday, January 05, 2007 10:57:51 PM (India Standard Time, UTC+05:30)
Friday, December 29, 2006

"Like almost everyone who uses e-mail, I receive a ton of spam every day. Much of it offers to help me get out of debt or get rich quick. It would be funny if it weren't so irritating."

- Bill Gates, "Why I Hate Spam", Wall Street Journal 2003

Years later, spam still continues to be a meaningless giant that torments the Internet.  I had blogged about spam once in an early post in 2004.  What has changed since then is the technology that strives to provide better email filters.  Several organizations are trying to fight spam at its source, but that has not quite been successful.

As a computer program, what do you do when you think a particular email is spam?  Obviously, the program cannot make the decision to delete it.  It can move it to a folder and hope for the user to check it and then delete it.  This is important because you would otherwise lose valid emails that are wrongly identified as spam.

The solution seems to be in identifying spam spot-on without making a mistake.  The industry has some ground to cover in that direction. No spam filter today is 100% accurate.   So the solution is not workable.  What else can be done?   Several things:

a.  Users should realize that spam affects everybody and is a global problem.  Many people have come up to me and said "Hotmail has more spam" or "I stopped using Yahoo because of spam", etc.   Realize this - no email service provider is free of spam.  If you don't get as much spam at your Yahoo id as you do at your Hotmail id, it is only because you either registered at too many places on the Internet with your Hotmail id, or because you have had your Hotmail id for a longer time.   Eventually spam will hit your other id as well.

b.  Create longer email ids - most spam generators try combinations of letters, so an English word or a common name is more likely to be spammed than an uncommon email alias.  So, for instance, a pandurang@... would attract more spam than a pandurang.nayak@... (it is unlikely that the right combination of names will be auto-generated).

c.  Never give out your email id OR ALIAS at any website that you don't trust.  I have done this as a rule for the past two years now and it has worked in reducing a lot of spam.  Most websites out there sell your email ids.  Worse, the auto-spam software takes an alias and then sends an email by appending @hotmail.com, @gmail.com, @yahoo.com, etc. to the same alias.  And guess what?  In most cases that'll probably work as well.   Most current email clients, both online and offline, do not automatically display images - which used to be a way for the spamming site to track that you received the email, and hence to learn that it had hit a valid email id.

d.  My Hotmail and Yahoo ids, which received a lot of spam, have actually seen a decline.  It also helped that I let Hotmail "expire" by not checking it for a long while; when I recreated my ID after a month or two, I saw a substantial decline in spam.   I know this is probably not possible in all cases, but if you "gave up" an account due to spam, you can probably re-login, re-activate it and be surprised at how much less spam you'll get.   Most spam software assumes the email id is a valid one unless it gets a "bounce" on the email.  And much spam software will continue to spam you even if there is a "bounce".

e.  Never encourage spam - there are too many times that people themselves spam others.  I am not talking about email forwards with jokes and other stuff.  I am talking about chain mails that say things like "Don't add xxxxx as a friend in Yahoo! messenger.  It is a dangerous virus that will delete everything on your hard disk."  Give me a break.  Such a virus is not feasible unless a complete idiot is using the computer.  But then, there will be a zillion forwards of this email and lo! you have more spam added to the world.

f.  Report spam.  This is one of the best ways to fight spam.  When you see an email that was spam, tell your email service provider that this was spam.  Click that button saying "This is spam" and report it.  Over time, this is what will help eradicate most spam originators.  But when you do so, be honest.  Don't mark a newsletter that you signed up for, but never read, as spam.  That is not spam.  If you really don't want that newsletter, unsubscribe.

g.  Be wise.  I see so many people giving out email IDs on websites, blogs, forums, social networking sites, etc. freely.  It is fine to do so when you know that the email id will not be revealed.  But if the email id is just going to be posted on to the website, you are inviting spam.  Several spammers automatically crawl websites looking for email ids.

So till we have a permanent, efficient, universal solution to spam - it is we who have to fight it.  Fighting spam is just like fighting a dangerous disease. If we don't do our bit, it can be too late by the time we realize our folly.

posted on Friday, December 29, 2006 6:13:18 PM (India Standard Time, UTC+05:30)
Wednesday, December 27, 2006

Don Box and Chris Anderson present a holiday season song, which you can hear here.

The lyrics (reproduced from here):

Vista, we shipped it,
Vista, we shipped it,
Vista, we shipped it,
Better late than not.
Vista, you'll love it,
Vista, you'll love it,
Vista, you'll love it,
It's the best we've got!

Yes we've got Indigo
And it will even glow
When you've got Avalon
Spicing up the show!

Sure there's no WinFS
But we got RSS
And search and indexing
will help sort out the rest!

U-SER-A-COUNT-CON-TROL
UAC means I'm no admin
UAC means You're no admin
UAC means She's no admin
UAC means He's no admin

Vista's why... we're happy again

Happy Christmas and New Year to all readers of ThinkingMS too!!

posted on Wednesday, December 27, 2006 6:19:41 PM (India Standard Time, UTC+05:30)
Tuesday, December 26, 2006

The master of books on Windows programming does it again.  This time it is Windows Programming using the Windows Presentation Foundation (WPF).  If you plan to be a serious WPF developer, this is a must read.

What I like best about the book is the title.  Applications = Code + Markup.  Charles Petzold starts off the book by saying that the new breed of Windows applications is still code.  In a way, it is saying: don't get all scared about XAML and think that the entire WinForms programming model has been thrown out of the window.  You continue learning to program Windows in pretty much the same way as the previous generation.  Only it gets exciting because there are new ways of doing things, aka declarative coding.

Needless to say (if you have read CP before), the book can be read pretty much like an interesting novel that you can't drop before it is finished. I have run through the first 4 chapters in one day (didn't just read - wrote code as well) and plan to finish the book by the end of this year (which actually is 5 days away)!

Meanwhile, if you are just starting on .NET, or want to get deeper, you might also want to read .NET Book Zero - a free book available on Charles Petzold's site - www.charlespetzold.com

His blog also has announced the next book he's working on - "Windows 3D". Check out this post.

posted on Tuesday, December 26, 2006 11:36:44 PM (India Standard Time, UTC+05:30)
Tuesday, December 12, 2006

PHP developers wanting to take advantage of the powerful ASP.NET platform usually perceive it as a steep learning curve, especially if they have no prior ASP experience.

Here is a neat guide that walks a PHP developer through ASP.NET and migration considerations.

http://www.microsoft.com/japan/msdn/net/aspnet/aspnet-migratingphp-aspnet.aspx

posted on Tuesday, December 12, 2006 3:08:03 PM (India Standard Time, UTC+05:30)
Monday, December 04, 2006

Surprise! Surprise!

A whole new bunch of surprises that should excite the hell out of all those who have been working with Microsoft Expression and Windows Presentation Foundation.

Read the official announcement at http://www.microsoft.com/presspass/features/2006/dec06/12-04expression.mspx

Very notably - the first official public CTP of "WPF/E" (codename) has been announced today.  "WPF/E" (codename) is a very exciting technology that enables you to take your WPF-powered applications to a wide variety of platforms, including Internet Explorer, Safari on the Apple Mac and Firefox!!  That means that several WPF features can now be targeted to even non-Windows systems.  This is a big leap forward and I am sure a lot of people will be thrilled hearing that. 

Also, the Expression suite has now been re-branded and has a new member in the family.  There are also changes to some of the existing products, and you can find it all at www.microsoft.com/expression

A new website for designers and design resources is now available at www.microsoft.com/design

Finally, Expression Web, a really fascinating product is now in its release version.  So a packet of surprises!  Go get them!

posted on Monday, December 04, 2006 10:50:11 PM (India Standard Time, UTC+05:30)
Thursday, November 30, 2006

It was always amusing to think about the Google Answers service.  People paid to get answers to questions, some of which were really absurd at times. 

However, Google shutting down this service signals that Google is unwilling to keep running services that do not make sense from a revenue standpoint.  This should be new to Google fans, who have probably never seen this happen before.  No wonder it has sparked off a lot of news and discussion.

Some discussions on the Google Answers site itself: http://answers.google.com/answers/threadview?id=786508

Arzoo.com, a Sabeer Bhatia venture, did the exact same thing and shut shop even before the world knew about it.   Of course, Arzoo.com has re-launched as an online travel portal, and it remains to be seen how well that will do.

Google is reported to be cutting down many other services that do not make sense and do not have large user bases, in order to stay focused.  If you ask me, that is a signal to all the other Web 2.0 startups out there creating several online applications, many of which are meaningless and have no revenue direction.  Watch out - if Google thinks it is wise to shut down a service that has been running for 4.5 years and risk a loss of reputation among a small user base, they must have really thought about it.  So it is time many of the new dotcom startups put on their thinking caps as well.

posted on Thursday, November 30, 2006 5:04:32 PM (India Standard Time, UTC+05:30)
Wednesday, November 29, 2006

The recently concluded IndiMIX event is now available online.  Visit http://www.msnspecials.in/indimix/video.asp to view the same. 

For those who are interested, I feature in the session titled Designing the Next Web. 

Also, from the same URL above, you can click on "BRIDGING THE TWO INDIAS" to watch a very interesting discussion on bridging the digital divide.  This happened a day earlier with Steve Ballmer and several other dignitaries at Delhi.  President Kalam presided over the occasion.

By the way, I am also featured in the Bob Muglia closing note video, desperately trying to hook up the laptop to a bunch of projector plugs in total disarray.  Did succeed eventually.

posted on Wednesday, November 29, 2006 8:07:01 PM (India Standard Time, UTC+05:30)