Slashdot Mirror


.NETly News

Lots of .NET stories in the news today and yesterday; it's a total coincidence that Microsoft started a huge marketing push on Wednesday, including the occasional Doubleclick ad running on Slashdot. BrendanL79 writes: "Peter Wright at Salon.com contributes to public awareness of Microsoft's .NET with this exuberant piece. The praise borders on sycophancy ("Gutenberg ... Babbage ... now Gates") with no apparent tongue in his cheek. Comments?" Reader vw writes: "Active State has just released Visual Perl 1.2, Visual Python 1.2, and Visual XSLT 1.2 as plugins for Microsoft's Visual Studio .NET. Wonder how long it will take for a Mono hack." Numerous readers pointed to several stories about a buffer overflow problem in Visual Studio .NET which was supposed to be immune to buffer overflows - but it had passed Microsoft's stringent new security audit.

12 of 291 comments

  1. Am I the only person who is hesitant about this? by frob2600 · · Score: 4, Funny

    In Bill Gates' version of the way things will be, we will all carry around hand-held computers that will allow us to access our e-mail, trade our stocks, send video and photos to the family and generally manage our daily lives. Those hand-helds will also be phones and navigation units, and will carry our electronic wallets. They'll communicate with our computers at home to manage the heating, order the groceries and, when we get home, set just the right ambience for that all-important date with a mix of appropriate mood lighting and Barry White.

    Am I the only person who is just a little afraid to have all of my personal information online? There is just too little right now to keep it secure. Maybe when we are on IPv6 it will be better. But it becomes too easy to hit a few buttons and accidentally abort your new baby instead of inform your parents. ;-)

    --

    ---
    "Do not meddle in the affairs of sysadmins,
    for they are subtle and quick to anger."

  2. the beer went thru my nose... by gTsiros · · Score: 4, Funny

    ..."microsofts new stringent security audit".

    am i the only one who reads this as

    "we now pay attention to compiler warnings"

    ;)

    --
    Looking for people to chat about multicopters, coding, music. skype: gtsiros
  3. Story not complete by estar · · Score: 5, Informative

    .NET is many things and many people are confused by what .NET exactly refers to. In the context of this story .NET is referring to the compilers, and libraries that make up Visual Studio.NET. VB.NET, & C# are both geared toward using the CLR and .NET Framework. Visual C++.NET can use the CLR and .NET Framework but, unlike VB, you can work with Visual C++ like you could in previous versions and ignore the CLR and .NET Framework.

    So what is the security error reported? This is the detail as reported by Cigital.

    The protection afforded by the new feature allows developers to continue to use vulnerable string functions such as strcpy() as usual and still be "protected" against some forms of stack smashing. The new feature is closely based on an invention of Crispin Cowan's called StackGuard and is meant to be used when creating standard native code (not the new .NET intermediate language, referred to as "managed code").

    This is a problem with Microsoft's Version 7 C++ compiler not with the CLR and .NET Framework.

    1. Re:Story not complete by kawika · · Score: 4, Informative

      Exactly. All Cigital seems to be saying is that unmanaged (unsafe) code is still subject to buffer overflow problems. This is not news, and it's why you have to jump through some hoops in .NET to use unmanaged code. Those of you who visited Slashdot yesterday may remember this item about .NET that explains it a bit.

      Microsoft's alternative, of course, was to create a totally safe environment that wouldn't run any legacy code and wouldn't allow direct calls into the OS. But of course that's been done before (Java). Remember, .NET isn't just for developing network apps, it's for developing local ones as well. If there's already a proven DLL, COM object, or system call that does what I want to do for a local app, I would prefer to use it than reinvent the wheel inside the sandbox.

  4. .Net fails the pr0n test by Kushana · · Score: 5, Funny

    Peter Wright seems to have been given a few too many Microsoft T-shirts, for his critical facilities have completely left him.

    Human history has shown that with the advent of any new important media, pr0n has never been far behind. The printing press? One estimate says that within 10 years 30% of all presses were being used for pr0n. Glossy magazines? Pr0n. Pictures on your computer screen? Pr0n. The Web? Pr0n.

    The simple fact is that .Net will not assist in the distribution of pr0n, and therefore will never be as important to humanity as the printing press, the computer, or the Web.

    --

    Careers should combine three things: what you can do, what you want to do, and what you can get paid for.
  5. Compiler: Stackguard! by irregular_hero · · Score: 5, Informative
    Look here for additional details on the compiler buffer overflow.

    It's not actually a _compiler_ overflow.

    Instead, it's a subversion of the "buffer overflow protection" that's built-in to the compiler. The most startling piece of this technical review is that the Microsoft "Overflow Protection" in the compiler appears to be a port of StackGuard. The reviewers point out that an examination of the binary output reveals that the compiled code is nearly identical to the StackGuard output.

  6. Peter Wright makes his money from MS by isaac · · Score: 4, Insightful

    Read the bio blurb at the end of the article - the author has written a pair of books on programming in VisualBasic and has 2 books on .Net coming out this year. Hmmm... might he have some stake in .Net's widespread adoption?

    -Isaac

    --
    I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
  7. This is not news. Doesn't ANYONE study history by Maury+Markowitz · · Score: 4, Insightful

    Once again I find myself ashamed to be a part of an industry that can't remember anything five years into the past. .NET has been done before, many times. The only news here is the hype, as always.

    Let's see, unified runtime, libraries of code with multiple versions, simplified networked object support, standardized metadata...

    OpenStep circa 1995.

    Sure, OS used plists instead of XML (which didn't exist), a private system instead of UDDI (which didn't exist) and was aimed at C people instead of Java (which didn't exist) but the broad strokes are the same:

    A multi-platform runtime with standardized libraries, which can exist as multiple versions (with resources) at the same time, with objects that can write themselves out so they can be manipulated as flat data (for storage or network invocation).

    The differences are interesting too, .net includes more security features (useful in some contexts) and is multi-language instead of multi-platform. This last issue is a practical one only, at least until Mono is working. And they decided to go multi-language via an IDL, which I consider to be moronic (OpenStep used fat binaries, faster, smaller, better, realistic).

    I'm sure other "old timers" will have their own similar systems to include for comparison, but the real point is not that OpenStep did it, but that SOMEONE did it.

    And years later no one is using OS (mostly), whereas I'm sure five years from now .net will be one of the most used systems out there. That's the power of marketing. Look how well it worked on the droid on Salon.

    Maury

  8. Salon lost major tech and street cred by coyote-san · · Score: 5, Insightful

    When I read that Salon puff piece last night, I had to check my calendar. Twice. Yet it stubbornly refused to be April Fools Day.

    I wouldn't have minded a piece on .NET. I wouldn't have minded, much, a softball piece on .NET.

    But that fawning piece of crap was inexcusable. It was clearly written by the marketing department - no tech would ever favorably compare Bill Gates to Gutenberg - but it was presented as a straight story.

    Now I'm going to find it impossible to take any other story they post seriously. I will always have to ask who really wrote the piece.

    That's a shame - Salon has been a good thorn in the side of the powerful for a long time. Look at the old stories on the "Drug Czar" paying for anti-drug messages in prime time entertainment shows, or their coverage of the RIAA. But now there will always be a loud voice in the back of my head asking if this is another PR piece by the powerful.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  9. Michael, why must you be so ignorant? by Zico · · Score: 4, Informative

    From the summary (yes, it was written by Michael, not the submitters): Numerous readers pointed to several stories about a buffer overflow problem in Visual Studio .NET which was supposed to be immune to buffer overflows - but it had passed Microsoft's stringent new security audit.


    Where to begin with this mess of falsehoods?

    • This isn't a VS.NET buffer overflow, it's about a way to attack code generated by the Visual C++ compiler when the /GS compiler switch is used.
    • Nobody ever came close to claiming that VS.NET would automatically create C++ code that would be immune to buffer overflows. The boldest claim I've seen Microsoft make is "Also, the Microsoft® Visual Studio® .NET C compiler has support for a new /GS switch that protects your code from many common buffer overrun problems." There does indeed seem to be a flaw, similar to what makes StackGuard attacks possible, but even if you get rid of this problem, it wouldn't be immune to programmers writing potential buffer overflows into their code -- the only thing that these tools do is try to get rid of the most common errors.
    • The security audit was about making sure that one's computer/network isn't made vulnerable by having Visual Studio.NET installed on it.

    On a side note, since this only affects unmanaged code, it's not really related to the .NET/CLR stuff.
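
Added example, not part of the thread and not Microsoft's or StackGuard's code: a constructed model of the canary check that estar's and Zico's comments describe, next to the bounded copy that removes the overflow itself. The frame layout, the constants and all function names are assumptions made for illustration; a real compiler emits this check in the function prologue and epilogue.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame: [buf 16][canary 8][saved return 8]. */
enum { BUF_LEN = 16, CANARY_OFF = BUF_LEN, RET_OFF = CANARY_OFF + 8, FRAME_LEN = RET_OFF + 8 };
#define MODEL_CANARY 0x000aff0d2f3c5a71ULL /* constructed; real canaries are chosen at run time */
#define MODEL_RET    0x0000000000401000ULL /* constructed "saved return address" */

typedef struct { unsigned char bytes[FRAME_LEN]; } frame_t;

/* Prologue: place the canary between the local buffer and the saved return. */
static void frame_enter(frame_t *f) {
    uint64_t c = MODEL_CANARY, r = MODEL_RET;
    memset(f->bytes, 0, FRAME_LEN);
    memcpy(f->bytes + CANARY_OFF, &c, sizeof c);
    memcpy(f->bytes + RET_OFF, &r, sizeof r);
}

/* Epilogue: the canary must be unchanged before the saved return is used. */
static int canary_intact(const frame_t *f) {
    uint64_t c;
    memcpy(&c, f->bytes + CANARY_OFF, sizeof c);
    return c == MODEL_CANARY;
}

/* strcpy-style copy that ignores BUF_LEN (clamped to the model frame).
 * Returns 0 for a clean return, 1 when the epilogue check fails and a
 * protected build would terminate instead of returning. */
int run_unchecked(const void *src, size_t n) {
    frame_t f;
    frame_enter(&f);
    memcpy(f.bytes, src, n > (size_t)FRAME_LEN ? (size_t)FRAME_LEN : n);
    return canary_intact(&f) ? 0 : 1;
}

/* Bounded copy: oversized input is rejected (2) before any byte is written. */
int run_checked(const void *src, size_t n) {
    frame_t f;
    frame_enter(&f);
    if (n > (size_t)BUF_LEN) return 2;
    memcpy(f.bytes, src, n);
    return canary_intact(&f) ? 0 : 1;
}

int main(void) {
    const char in[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed 32-byte input */
    printf("unchecked: 16 -> %d, 32 -> %d\n", run_unchecked(in, 16), run_unchecked(in, 32));
    printf("checked:   16 -> %d, 32 -> %d\n", run_checked(in, 16), run_checked(in, 32));
    return 0;
}
```

In this model the check only notices a write that passes through the canary, and it acts after the damage is done; the bounded copy is what keeps the frame intact.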


  10. .Net as a marketing strategy by NumberSyx · · Score: 4, Insightful

    First, let's get the myth out of the way. .Net is not a product. It's a marketing term,

    This is probably the most telling statement of the whole article. .Net is not about a new way of using computers, cool technology, security or any of the other things Microsoft is spouting. .Net is a buzz word driven marketing push and nothing else. It is not going to solve any problems that have not already been solved, introduce any new technology or bring world peace. Microsoft is going to spend the next several years spending billions of dollars to bring us .Net Notepad, .Net Solitaire and the new and improved .Net Virus.

    I capped my karma a few days ago, so feel free to moderate me down, just don't expect me to care.

    --

    "Our products just aren't engineered for security,"
    -Brian Valentine,VP in charge of MS Windows Development

  11. .NET is SCRUMTRILESCENT! by MillionthMonkey · · Score: 4, Interesting

    I think the average Salon reader is not the kind of reader who takes things at face value. I think the editors know it too. Look at it as a subtle editorial troll, designed to provoke an outraged response. Which it has.

    I don't think you can discount it so easily:

    About the writer
    Peter Wright is a software consultant and the author of numerous books on Visual Basic programming. He is currently working on two .Net titles for Apress slated for release later this year.


    Have you read some of these quotes?
    Bill Gates has already changed the face of the world as we know it, but his magnum opus has yet to be fully appreciated. On Wednesday, Microsoft unveiled Bill's greater masterpiece -- in the guise of the Visual Studio.Net development tools suite.
    It would be easy to dismiss this as just another Microsoft product launch, just another example of the Redmond behemoth rolling ever onward in its quest to gain enough funds to brand a continent. Don't. Visual Studio.Net will have as profound an effect on the way that we live our lives as the labors of love Babbage and Gutenberg gave us. To dismiss Visual Studio.Net and the technology it encompasses is to go back in time and dismiss Henry Ford's automobile as a passing fad.

    [several pages of excited babbling deleted]
    As developers move to embrace .Net, the Internet will be transformed from a complex, un-standardized mishmash of awkward static views of data to a dynamic pool of data connected by a true web of Web services all working together to make your life easier.
    .Net marks the dawn of the third age of computing -- embrace it.


    It reminded me of Will Ferrell's Actor's Studio sketch as well. ".Net is such a masterpiece that there are no words to describe it- so I will make one up: Scrumtrilescent."

    I guess if you've been stuck with Visual Basic for the past several years, an MS ripoff of Java would look pretty interesting. I doubt that Java programmers are going to flock to .NET, however. It seems that the people most excited about it are the VB types. .NET will probably end up displacing VB, not Java. Personally, I think James Gosling has a pretty good take on Java vs. .NET. After all, he invented both. :)