Saturday, January 13, 2007

There is a series of five webcasts from Microsoft, featuring two of the best counter-hacker guys, discussing AJAX security and how to protect your AJAX applications.

This is a must for anybody doing serious AJAX development.

The announcement came on Joe On .NET and is linked below:

Upcoming AJAX Security Webcasts


Meanwhile, the ASP.NET team has released a nifty little library called the Microsoft Anti-Cross Site Scripting Library.  It takes an allow-list approach: every character that is not explicitly marked as safe gets encoded, rather than trying to enumerate the dangerous ones.  You can learn more about it and download it from http://www.asp.net/downloads/teamprojects/default.aspx?tabid=62#antixss

posted on Saturday, January 13, 2007 1:13:03 AM (India Standard Time, UTC+05:30)

Friday, January 12, 2007

posted on Friday, January 12, 2007 6:15:24 PM (India Standard Time, UTC+05:30)

Tuesday, January 09, 2007

Microsoft started off CES with a Bill Gates pre-keynote address.  BillG started by saying that this is probably the last time he gets to go on the CES stage and talk about technology!  :(  I don't buy that completely though :)

However, the address was very exciting, with some stuff that had never been demo'ed before.

There was Windows DreamScene - something quite spectacular that had been a hush-hush thing at Microsoft for a while now.  Of course, it is another piece of UI glitz: a playing video can now be set as the desktop background.  I got to install a small internal BETA today and it works great.  It sure looks exciting and I think Vista Ultimate Edition users will love the feature (it'll ship as a Vista Ultimate Extra).

If you haven't seen DreamScene, you should watch the CES keynote.

One of the biggest announcements yesterday was Windows Home Server.  Windows Home Server is the vision of having a server in every home that takes care of backend infrastructure for the digital home.  In many ways, a "home server" makes perfect sense to orchestrate all the digital devices that make up today's homes.  Hook up your Media Center PC, your laptop, your personal computer, your XBox, your Windows Mobile phone and everything to the backend server and let it manage backups, synchronization, and a lot more for you.  That's the message.  However, to learn more, you can also check out the Center for Digital Amnesia Awareness Web Site. :)

Meanwhile, Bill Gates has also written a must-read article titled "A Robot In Every Home".  When you read the paper, you realize the striking parallel between the "origin of the PC" days and today's world.  I played around with Microsoft Robotics Studio v1.0 yesterday and created my first robot in a simulated environment that I could control with a small controller-like window (called the Direction Dialog).  That was pure thrill!

Exciting times ahead, and with this company - that's a statement that'll always be true!

posted on Tuesday, January 09, 2007 10:33:37 PM (India Standard Time, UTC+05:30)

Friday, January 05, 2007

Security on the web has taken on a new dimension with AJAX-driven websites.  AJAX-driven websites are more susceptible to cross-site scripting (XSS) attacks, and because their client-side code calls back to the server, they make it easier for an attacker to discover the application's calls and logic.

I had covered these in sessions titled "Building Secure Next Generation Web Applications" during the recent Security Yatra and also during some MSDN Days organized at a few SIs in India.

One of the really startling attacks I came across while preparing the content for the demo was the MySpace worm.  The complete details are available at http://namb.la/popular/

Not only did the worm bypass all of Myspace.com's rules, but it also surprised the author of the malicious code himself by affecting a million users in under 20 hours!

I also just received an email about a very interesting vulnerability in PDF and Adobe Reader that makes it possible to perform serious XSS attacks.  That was quite startling, because the attack surface now extends beyond AJAX sites to common technology such as Adobe PDF and OpenOffice.  The article is available at http://www.eweek.com/article2/0,1895,2079201,00.asp?kc=EWEWEMNL010107EP26A

The actual attack instructions are also available here.  But let me warn you not to try this with any site.  Don't mess around - it is a dangerous world out there.

And for all you developers out there, if that didn't shake you and make you say "Take security seriously", I don't know what will.

posted on Friday, January 05, 2007 10:57:51 PM (India Standard Time, UTC+05:30)

Friday, December 29, 2006

"Like almost everyone who uses e-mail, I receive a ton of spam every day. Much of it offers to help me get out of debt or get rich quick. It would be funny if it weren't so irritating."

- Bill Gates, "Why I Hate Spam", Wall Street Journal 2003

Years later, spam continues to be a meaningless giant that torments the Internet.  I had blogged about spam once in an early post in 2004.  What has changed since then is the technology striving to provide better email filters.  Fighting the source of the spam is something that several organizations are working on, and it has not been very successful so far.

As a computer program, what do you do when you think a particular email is spam?  Obviously, the program cannot take the decision to delete it.  It can move it to a folder and hope the user checks it and then deletes it.  This matters because otherwise you would lose valid emails that are wrongly identified as spam (false positives).

The ideal solution would be to identify spam spot-on without ever making a mistake.  The industry has some ground to cover in that direction: no spam filter today is 100% accurate, so that solution is not workable yet.  What else can be done?  Several things:

a.  Users should realize that spam affects everybody and is a global problem.  I have heard many people come up to me and say "Hotmail has more spam" or "I stopped using Yahoo because of spam", etc.  Realize this - no email service provider is free of spam.  If you don't get as much spam at your Yahoo id as you do at your Hotmail id, it is only because you either registered at too many places on the Internet with your Hotmail id, or because you have had your Hotmail id for longer.  Eventually spam will hit your other id as well.

b.  Create longer email ids - most spam generators try combinations of letters, so an English word or a common name is more likely to be spammed than an uncommon email alias.  For instance, pandurang@... would attract more spam than pandurang.nayak@... (it is unlikely that the right combination of names will be auto-generated).

c.  Never give out your email id OR ALIAS at any website that you don't trust.  I have done this as a rule for the past two years now and it has worked in reducing a lot of spam.  Many websites out there sell your email ids.  Worse, auto-spam software takes an alias and then sends emails by appending @hotmail.com, @gmail.com, @yahoo.com, etc. to the same alias.  And guess what?  In most cases that'll probably work as well.  Most current email clients, both online and offline, no longer display images automatically - which used to be the way a spamming site tracked that you had received the email and hence learned that it had hit a valid email id.

d.  My Hotmail and Yahoo ids, which received a lot of spam, have actually seen a decline.  It also helped that I let Hotmail "expire" by not checking it for a long while; when I recreated my ID after a month or two, I saw a substantial decline in spam.  I know this is probably not possible in all cases, but if you "gave up" an account due to spam, you can probably re-login, re-activate it, and be surprised at how much less spam you get.  Most spam software assumes the email address is a valid one unless it gets a "bounce", although much of it will continue to spam you even after a "bounce".

e.  Never encourage spam - too often people themselves spam others.  I am not talking about email forwards with jokes and other stuff.  I am talking about chain mails that say things like "Don't add xxxxx as a friend in Yahoo! messenger.  It is a dangerous virus that will delete everything on your hard disk."  Give me a break.  Such a virus is not feasible unless a complete idiot is using the computer.  But then there will be a zillion forwards of this email and lo! you have more spam added to the world.

f.  Report spam.  This is one of the best ways to fight spam.  When you see an email that is spam, tell your email service provider.  Click that button saying "This is spam" and report it.  Over time, this is what will help eradicate most spam originators.  But when you do so, be honest.  Don't mark a newsletter that you signed up for, but never read, as spam.  That is not spam.  If you really don't want that newsletter, unsubscribe.

g.  Be wise.  I see so many people freely giving out email ids on websites, blogs, forums, social networking sites, etc.  It is fine to do so when you know the email id will not be revealed.  But if the email id is just going to be posted on the website, you are inviting spam: spammers automatically crawl websites looking for email ids.

So until we have a permanent, efficient, universal solution to spam, it is we who have to fight it.  Fighting spam is just like fighting a dangerous disease: if we don't do our bit, it may be too late by the time we realize our folly.

posted on Friday, December 29, 2006 6:13:18 PM (India Standard Time, UTC+05:30)

Wednesday, December 27, 2006

Don Box and Chris Anderson present a holiday season song, which you can hear here.

The lyrics (reproduced from here):

Vista, we shipped it,
Vista, we shipped it,
Vista, we shipped it,
Better late than not.
Vista, you'll love it,
Vista, you'll love it,
Vista, you'll love it,
It's the best we've got!

Yes we've got Indigo
And it will even glow
When you've got Avalon
Spicing up the show!

Sure there's no WinFS
But we got RSS
And search and indexing
will help sort out the rest!

U-SER-A-COUNT-CON-TROL
UAC means I'm no admin
UAC means You're no admin
UAC means She's no admin
UAC means He's no admin

Vista's why... we're happy again

Happy Christmas and New Year to all readers of ThinkingMS too!!

posted on Wednesday, December 27, 2006 6:19:41 PM (India Standard Time, UTC+05:30)

Tuesday, December 26, 2006

The master of books on Windows programming does it again.  This time it is Windows Programming using the Windows Presentation Foundation (WPF).  If you plan to be a serious WPF developer, this is a must read.

What I like best about the book is the title: Applications = Code + Markup.  Charles Petzold starts off the book by saying that the new breed of Windows applications is still code.  In a way, it is saying: don't get all scared about XAML and think that the entire WinForms programming model has been thrown out of the window.  You continue learning to program Windows in pretty much the same way as the previous generation.  It just gets more exciting because there are new ways of doing things, namely declarative coding.

Needless to say (if you have read CP before), the book reads pretty much like an interesting novel that you can't put down before it is finished.  I have run through the first 4 chapters in one day (didn't just read - wrote code as well) and plan to finish the book by the end of this year (which is actually 5 days away)!

Meanwhile, if you are just starting on .NET, or want to get deeper, you might also want to read .NET Book Zero - a free book available on Charles Petzold's site, www.charlespetzold.com

His blog also has announced the next book he's working on - "Windows 3D". Check out this post.

posted on Tuesday, December 26, 2006 11:36:44 PM (India Standard Time, UTC+05:30)

Tuesday, December 12, 2006

PHP developers wanting to take advantage of the powerful ASP.NET platform usually perceive it as a steep learning curve, especially if they have no prior ASP experience.

Here is a neat guide that walks a PHP developer through ASP.NET and migration considerations.

http://www.microsoft.com/japan/msdn/net/aspnet/aspnet-migratingphp-aspnet.aspx

posted on Tuesday, December 12, 2006 3:08:03 PM (India Standard Time, UTC+05:30)

Monday, December 04, 2006

Surprise! Surprise!

A whole new bunch of surprises that should excite the hell out of everyone who has been working with Microsoft Expression and Windows Presentation Foundation.

Read the official announcement at http://www.microsoft.com/presspass/features/2006/dec06/12-04expression.mspx

Very notably, the first official public CTP of "WPF/E" (codename) has been announced today.  "WPF/E" is a very exciting technology that enables you to take your WPF-powered applications to a wide variety of platforms, including Internet Explorer, Safari on the Apple Mac and Firefox!!  That means several WPF features can now be targeted even at non-Windows systems.  This is a big leap forward and I am sure a lot of people will be thrilled to hear it.

Also, the Expression suite has been re-branded and has a new member in the family.  There are also changes to some of the existing products, and you can find it all at www.microsoft.com/expression

A new website for designers and design resources is now available at www.microsoft.com/design

Finally, Expression Web, a really fascinating product, is now in its release version.  So, a packet of surprises!  Go get them!

posted on Monday, December 04, 2006 10:50:11 PM (India Standard Time, UTC+05:30)