Code Mortem

"Old code never dies...you have to kill it." - Grady Booch

Sunday, August 20, 2006

Charity Investments

I almost cracked up when I read this report on the DRUDGE REPORT this afternoon.

The BILL & MELINDA GATES FOUNDATION declares its noble mission is to bring "innovations in health and learning to the global community."

But the world's largest philanthropic organization also is among the organizations that collectively loaned nearly $400 million to MEDIANEWS GROUP INC. -- for the acquisition of newspapers in California and Minnesota!

"I thought this foundation was all about starving kids, not starving newspapers," mocked one Seattle insider.

The GATES FOUNDATION loaned an unspecified amount to MEDIANEWS, along with GENERAL ELECTRIC.

In April, MEDIANEWS agreed to buy four newspapers, including the SAN JOSE MERCURY NEWS and CONTRA COSTA TIMES, from MCCLATCHY CO. for $1 billion. MEDIANEWS also bought California's MONTEREY COUNTY HERALD and the ST. PAUL PIONEER PRESS in Minnesota. It also owns the DENVER POST.

The move into funding media acquisitions was unusual for the BILL & MELINDA GATES FOUNDATION, whose donations usually go to health and anti-poverty purposes.

In June, financier Warren Buffett announced he would donate an estimated $31 billion to the GATES FOUNDATION, bringing its total endowment to more than $60 billion -- which could easily save every newspaper in America!

Foundations are huge investors. In addition to giving away money, they also invest large amounts of money. The Gates' foundation was funded with Microsoft stock (and most recently Berkshire Hathaway stock) but over time, the foundation will sell stock and diversify its investments. I don't have any inside information, but it's obvious that the foundation is not "donating" this money to the MEDIANEWS GROUP. The foundation is loaning the money. Loans are often underwritten by foundations, retirement funds, or other institutions interested in generating a return while preserving their capital. When you have billions of dollars in cash, you can't exactly open a savings account at the local savings and loan. Big corporations swap short-term (and longer-term) loans around on a daily basis.

This is a big to-do about nothing.

My car is faster than your car


It seems that no matter how big and bad a hotrodder builds his car, there is always another one out there that is just a bit faster. Here is an example. The Corjette, a jet-powered Corvette built by a drag racer, isn't even able to race in sanctioned events, because they don't have a category for jet-powered cars. It makes a nice demo though.

Monday, January 30, 2006

Sparkling Fun

http://www.sparkfun.com/

Tinkering with electronics is one of those things that I love to do, but never have time. Someday, I'd love to get some of the items on this site and play around. They have GPS modules, cellular modems, LCDs, gyros, accelerometers, ultrasonics, microcontrollers, you name it...

Tuesday, January 10, 2006

Google Video Trashing

The hype leading up to the Google CES announcement was so thick that they could never have lived up to it of course. What is a surprise to me is how upset many bloggers are about Google Video. Here are a couple of examples: "We Sat Around Waiting For Google Video And All We Got Was This?" and "After the keynote hype, is Google Video worth all the fuss?". I might be the only one, but I think Google's take on video is refreshing. Everyone keeps talking about the fact that they created their own DRM, but it's nothing more than a login. Give it up, people! How many people really think that video producers are going to give all this content away for free so it can be spread around the illegal file-sharing networks? A login is something that pretty much everyone who uses the Internet understands and is probably comfortable with. Since the login is stored at the Google site, you can move the video from machine to machine without a problem. If you lose the video when your computer crashes, you just download another copy. That's more than you can say for most other DRM schemes.

Their open approach to selling content is refreshing as well. iTunes doesn't allow just anyone to upload video or audio and sell it online. By opening the publishing mechanism wide open, they are providing a new business opportunity for lots of small-time video producers. If anything, the networks have to be scared to death of this. If you think about what the Internet did to publishing, by allowing blogs to flourish, this could do the same thing for independent video production.

So, I might be the only one, but I love Google Video. I think it's brilliant.

Monday, January 09, 2006

Drifting Into Envy

This is a great video of some expensive cars getting thrashed by professional drivers (plus I wanted to test the new Google video posting features). It's a good thing I can't afford one of these cars; this would get me sold in a minute.


Saturday, January 07, 2006

Creating a Null DACL in Managed Code

While the .NET 2.0 framework libraries bring a lot of added value to the original libraries, the documentation at this point leaves a great deal to be desired. One of the challenges that I faced recently was how to create a null DACL for some interop code. The new framework library includes some great classes for setting security on Registry keys, files and synchronization objects, but if you try to go beyond that, watch out. The documentation will provide you no help. I figured this out by spending several hours experimenting with the and by using Reflector to look at the IL inside the Microsoft binaries.

I was trying to create a named pipe in managed code. I'm still surprised that the managed libraries have no support for this yet, but be that as it may, I created the obligatory P/Invoke definition for CreateNamedPipe and called it from my code. That worked fine, but I discovered that the default privileges assigned to the pipe were not adequate, so I needed to open up access to my pipe. A DACL is a Discretionary Access Control List in Windows. It is a list of ACEs (Access Control Entries) that grant or deny access for a group of users to the associated resource. Every file in Windows (on NTFS) has such a list, as do most kernel objects. A null DACL is basically a blank check. If your resource has a null DACL, then everyone has complete access to the resource. Sometimes this is referred to as an AEFA (Allow Everyone Full Access) ACE. This is not the same as an empty DACL; in fact it is the opposite. An empty DACL denies everyone any access to the resource.

Now, I must insert a disclaimer. Somebody will surely respond that I shouldn't be creating a null DACL, because it is insecure. That is not the point of this post. I had a good reason to need open access to my pipe, and I am assuming that anyone wanting to use this technique would as well. This technique is expandable beyond null DACLs anyway.

So, let's move on. There are two challenges. First, we need to figure out how to create the null DACL using the framework libraries in managed code, and second, we need to figure out how to marshal the information successfully over into the unmanaged API. Here is the P/Invoke declaration for CreateNamedPipe.

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr CreateNamedPipe(
        string lpName,
        uint dwOpenMode,
        uint dwPipeMode,
        uint nMaxInstances,
        uint nOutBufferSize,
        uint nInBufferSize,
        uint nDefaultTimeOut,
        SECURITY_ATTRIBUTES lpSecurityAttributes);

I've highlighted the last parameter because that is the one that I care about right now. The lpSecurityAttributes parameter determines what security the caller on the other end of the named pipe must have in order to connect to the pipe.

Here is the interoperable declaration for the SECURITY_ATTRIBUTES structure.

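    // Fields are internal so the calling code can fill them in
    [StructLayout(LayoutKind.Sequential)]
    class SECURITY_ATTRIBUTES {
        internal int nLength;                  // size of this structure in bytes
        internal IntPtr lpSecurityDescriptor;  // unmanaged copy of the descriptor
        internal int bInheritHandle;           // non-zero: child processes inherit the handle
    }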

Now, how do we create the security descriptor that is needed for this structure? The security descriptor is what contains the null DACL. The framework does supply us with a class for this called RawSecurityDescriptor. Here is the line of code to create the descriptor with a null DACL.

    RawSecurityDescriptor gsd = new RawSecurityDescriptor(
        ControlFlags.DiscretionaryAclPresent, null, null, null, null);

Yep, that's all for that part. The tricky thing is that you have to set the DiscretionaryAclPresent flag even though you pass null in for the DACL (it's one of the other parameters to the constructor). This makes the class create a null DACL. If you don't pass in this flag you will get a restricted DACL that is set to the login of the current user and the Administrator only.

Now that the first step is done, how do we pass the RawSecurityDescriptor in the SECURITY_ATTRIBUTES structure to the CreateNamedPipe function? This is a bit messy, but it works.

    // Build NULL DACL (Allow everyone full access)
    RawSecurityDescriptor gsd = new RawSecurityDescriptor(
        ControlFlags.DiscretionaryAclPresent, null, null, null, null);

    // Construct SECURITY_ATTRIBUTES structure
    SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES();
    sa.nLength = Marshal.SizeOf(typeof(SECURITY_ATTRIBUTES));
    sa.bInheritHandle = 1;

    // Get binary form of the security descriptor and copy it into place
    byte[] desc = new byte[gsd.BinaryLength];
    gsd.GetBinaryForm(desc, 0);
    sa.lpSecurityDescriptor = Marshal.AllocHGlobal(desc.Length);
    Marshal.Copy(desc, 0, sa.lpSecurityDescriptor, desc.Length);

    // Use the structure (the other arguments are the usual CreateNamedPipe parameters)
    CreateNamedPipe(lpName, dwOpenMode, dwPipeMode, nMaxInstances,
                    nOutBufferSize, nInBufferSize, nDefaultTimeOut, sa);

    // Important!! Be sure to clean up after you use the structure
    Marshal.FreeHGlobal(sa.lpSecurityDescriptor);
    sa.lpSecurityDescriptor = IntPtr.Zero;

This code creates the null DACL and then copies the binary representation into memory where the SECURITY_ATTRIBUTES structure can reference it. Make sure you free the memory once you are done with the structure. I built the free into the Finalizer of the SECURITY_ATTRIBUTES class, but don't wait on the Finalizer to be invoked. I used the Disposable pattern as well to make sure that the memory was freed. Here is a complete listing of the class.

    using System;
    using System.Runtime.InteropServices;
    using System.Security.AccessControl;

    [StructLayout(LayoutKind.Sequential)]
    internal class SECURITY_ATTRIBUTES : IDisposable {
        internal int nLength;
        internal IntPtr lpSecurityDescriptor;
        internal int bInheritHandle;

        public static SECURITY_ATTRIBUTES GetNullDacl() {
            // Build NULL DACL (Allow everyone full access)
            RawSecurityDescriptor gsd = new RawSecurityDescriptor(
                ControlFlags.DiscretionaryAclPresent, null, null, null, null);

            // Construct SECURITY_ATTRIBUTES structure
            SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES();
            sa.nLength = Marshal.SizeOf(typeof(SECURITY_ATTRIBUTES));
            sa.bInheritHandle = 1;

            // Get binary form of the security descriptor and copy it into place
            byte[] desc = new byte[gsd.BinaryLength];
            gsd.GetBinaryForm(desc, 0);
            // This Alloc is freed by Dispose or the Finalizer
            sa.lpSecurityDescriptor = Marshal.AllocHGlobal(desc.Length);
            Marshal.Copy(desc, 0, sa.lpSecurityDescriptor, desc.Length);

            return sa;
        }

        public void Dispose() {
            lock (this) {
                if (lpSecurityDescriptor != IntPtr.Zero) {
                    Marshal.FreeHGlobal(lpSecurityDescriptor);
                    lpSecurityDescriptor = IntPtr.Zero;
                }
            }
            // The unmanaged block is released, so the Finalizer has nothing left to do
            GC.SuppressFinalize(this);
        }

        ~SECURITY_ATTRIBUTES() {
            Dispose();
        }
    }

I hope this helps. Maybe somebody else will be luckier than me and happen upon this post rather than having to rediscover the method.
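
The post notes that the technique extends beyond null DACLs. As an added example (not code from the original post), the same RawSecurityDescriptor constructor can take a real DACL that grants only read/write to Authenticated Users. The class and method names here are hypothetical, and the choice of Authenticated Users with GENERIC_READ | GENERIC_WRITE is an assumption about what the pipe's clients need.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;

internal static class RestrictedPipeSecurity {
    // Generic access rights as defined in winnt.h.
    private const int GENERIC_READ = unchecked((int)0x80000000);
    private const int GENERIC_WRITE = 0x40000000;

    // Hypothetical helper (not from the post): a descriptor whose DACL holds one
    // allow ACE for Authenticated Users instead of being null.
    internal static RawSecurityDescriptor Build() {
        SecurityIdentifier users =
            new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);

        RawAcl dacl = new RawAcl(GenericAcl.AclRevision, 1);
        dacl.InsertAce(0, new CommonAce(AceFlags.None, AceQualifier.AccessAllowed,
            GENERIC_READ | GENERIC_WRITE, users, false, null));

        // Same flag as the null-DACL case, but with a real ACL as the last argument.
        return new RawSecurityDescriptor(
            ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
    }

    // Same marshalling as in the post: the caller assigns the result to
    // lpSecurityDescriptor and releases it with Marshal.FreeHGlobal.
    internal static IntPtr CopyToUnmanaged(RawSecurityDescriptor sd) {
        byte[] desc = new byte[sd.BinaryLength];
        sd.GetBinaryForm(desc, 0);
        IntPtr mem = Marshal.AllocHGlobal(desc.Length);
        Marshal.Copy(desc, 0, mem, desc.Length);
        return mem;
    }

    private static void Main() {
        RawSecurityDescriptor sd = Build();
        // Print the DACL in SDDL form to review what will be applied to the pipe.
        Console.WriteLine(sd.GetSddlForm(AccessControlSections.Access));

        IntPtr p = CopyToUnmanaged(sd);
        try {
            // Assign p to SECURITY_ATTRIBUTES.lpSecurityDescriptor and call CreateNamedPipe here.
        } finally {
            Marshal.FreeHGlobal(p);
        }
    }
}
```

Unlike a null DACL, this descriptor does not hand out WRITE_DAC or WRITE_OWNER, so clients that connect cannot rewrite the pipe's permissions.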

Friday, December 30, 2005

The Cookie Disease Is Spreading

Now the cookie-monitoring is spreading to other government agencies as "security researchers" try to make a name for themselves.

Here is a quote from the article (Cookiegate Hits White House), speaking of cookies.

"They are helpful, for the most part, but they carry the potential for abuse because they can monitor and document the activities of web surfers."



Cookies cannot monitor and document the activities of web surfers. The cancer is spreading.

Thursday, December 29, 2005

Persistent Rumors about Persistent Cookies

I'm still amazed that after all this time the popular media insists on clinging to the old myths about browser cookies. The Associated Press is reporting that the NSA is somehow spying on visitors to its web site. Their evidence? The NSA site leaves a cookie on your machine! Huh??

These articles constantly claim that web sites can somehow "spy" on you or track your web browsing activities by leaving a cookie on your computer. I don't understand why this claim persists despite its complete inaccuracy. A cookie does not actively do anything on your computer. It is simply a way for a web site to store settings in your browser so that when you return the site can continue where it left off. It is not possible to "spy" using a cookie. The privacy concerns are entirely unfounded and based in myth rather than fact. If you disagree with me, please explain how someone can spy on me using a cookie. I'd love to know.

"Privacy advocates" claim that your web surfing can be tracked by using cookies. A cookie can only be used by a site that it is enabled for. Web site owners could track your browsing activity within their own site, but that can be done anyway without cookies. All web servers keep a log of your browsing activities. In fact, whole companies are built on analyzing web logs. Google just bought Urchin, a software company devoted to web analytics.

There are possible issues where an advertising company (such as DoubleClick) would leave behind information in a cookie and since the advertising content shows up across many other sites, they have a way to "track" your usage across sites that use their advertising. Still, since they can use web logs and IP address tracking to do the same thing without cookies, the argument is pretty pointless.