Archive for June, 2005

Secure execution.

Sunday, June 12th, 2005

I couldn’t find a good reason why I would need code-level security in Mono yet; until recently, when designing a very basic distributed processing system, you couldn’t execute assemblies on another machine without direct user involvement on most of the primary platforms that Mono targets.

In Windows, assemblies you might not know or have complete control over can be executed directly off a network share, from a webpage in IE (like an ActiveX control or COM object), or even on a webserver if you are hosting assemblies for use on a webserver. The ability to overwrite assemblies can be a concern in some cases as well. Microsoft made .NET handle this pretty well and has their setup working for the vastly more complicated maze they have because of the amount of integration. .NET is in everything now and it’s included with every recent version of Windows.

Mono is growing in its ability to do the same, but didn’t start out in the same boat. In a Linux environment, very few pieces of software are going to be based on Mono, and the framework comes pre-installed on very few systems. If Mono is installed, it is usually supposed to be there, and its entire setup is usually understood when it’s there. Also in Linux, it remains very difficult to execute an assembly without direct user interaction in the process. Hosting of assemblies for Mono for ASP.NET is still very limited right now as well, but if anyone were to do so, other methods of maintaining security are possible in Linux, as many shared virtual hosting environments already do, because most systems for that are provided at an operating system level. It’s almost a fact that Mono can be almost as unique, and Linux makes it a hard target, which is why security is still very high with Mono.

So where do security risks come up when you could just run Mono under a secured user in Linux? It’s a very good question. The answer is when you have code that can execute in the same application domain as a semi-trusted assembly. There is only one Mono process for everything, and some code might need higher security while other code may be only partially trusted for execution. Mono then has to delegate how stuff runs. The case might come up when you have a purchased component and you can’t review its source, when the assemblies could be loaded from an uncontrolled source, as in a distributed transaction system, or when you call and load an assembly dynamically, as with auto-updated software or anything else you can come up with.

The solution: Code Access Security (CAS) together with good user policies is the most intelligent solution. If you can’t review the source, you can’t trust the code, so you have to protect yourself. CAS is amazing. Conceptually, if you think about it, the assembly would have to call base class libraries in the framework if it was going to do anything insecure, but in Mono you control everything. You have the source of the code it’s going to call, and you provide the framework for it. Because of that, anywhere it may call in the framework to do something, you can catch it. That is what CAS is.
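A sketch of that interception, as an added example (not code from the original post or from Mono): `GuardedIO` and `CasDemo` are hypothetical names, the files are constructed sample data, and it assumes a runtime that enforces CAS in the .NET Framework 2.0-era model the post discusses.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Hypothetical stand-in for a class-library entry point that touches the disk.
static class GuardedIO
{
    public static string ReadFile(string fullPath)
    {
        // Demand() walks the call stack: every caller above this frame must
        // hold Read on fullPath, otherwise a SecurityException is thrown.
        new FileIOPermission(FileIOPermissionAccess.Read, fullPath).Demand();
        return File.ReadAllText(fullPath);
    }
}

static class CasDemo
{
    // Stands in for the semi-trusted component: capped at read access to one directory.
    static string Component(string allowedDir, string fullPath)
    {
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery, allowedDir));
        grant.PermitOnly(); // demands reaching this frame fail unless covered by 'grant'
        try { return "read " + GuardedIO.ReadFile(fullPath).Length + " chars: " + fullPath; }
        catch (SecurityException) { return "denied: " + fullPath; }
        finally { CodeAccessPermission.RevertPermitOnly(); }
    }

    static void Main()
    {
        // Constructed sample files: one inside the granted directory, one outside it.
        string dir = Path.Combine(Path.GetTempPath(), "cas-demo");
        Directory.CreateDirectory(dir);
        string inside = Path.Combine(dir, "ok.txt");
        string outside = Path.Combine(Path.GetTempPath(), "cas-demo-outside.txt");
        File.WriteAllText(inside, "hello");
        File.WriteAllText(outside, "secret");
        Console.WriteLine(Component(dir, inside));
        Console.WriteLine(Component(dir, outside));
    }
}
```

The component never checks its own permissions; the refusal for the second file happens inside the library call, which is the point the paragraph above makes.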

Another system would be running a secondary app domain in another process with higher security and tunneling messages back and forth over some type of interprocess communication system (like .NET remoting or dbus). Security can almost be assured in this case but will cause a major drag in performance to make it work.

What does this mean? Mono has security in mind. What could be better when you are trying to prove to someone in management that Mono is truly enterprise worthy? :-)

Don’t believe it..

Friday, June 10th, 2005

I love the ads by Halliburton. They make it seem like they are such a great and noble company. I think they are pure evil. I think everyone knows it. Let’s add it up simply….

Vice President Dick Cheney is a former Halliburton CEO (who still owns a major amount of shares in the company)

Halliburton won (HAH) the contract to drill Iraq for oil after the collapse of the local government, which formerly didn’t comply with Halliburton’s requests to sell its oil.

Iraq, a country in the news a lot because we feel lied to over why exactly we went to war with them. Now it turns out that we went to war under a pretense that turned out to be false.

Just those facts alone are enough to make me say “WTF?”


Note: It’s good to note that I’m not one of the most politically active people out there. I like to write code and remain as neutral as possible. BUT you only get so many “WTF’s” in my book, and when you pass that limit and I have to be very annoyed… Might as well get with the gang and speak up and call George Bush a money gobing whore of a President that wouldn’t know what middle class or poverty was if it crawled up his arse and decided to live there. Don’t let him screw up S.S. please. I make good money myself and S.S. doesn’t really affect me too much (now) (so I guess that qualifies me for the president’s party) but my entire family’s long term plans have S.S. in there to fill in the gap, and why shouldn’t it. It all makes me sick and I get tired of talking about it. Let’s just end it please!!!!!

This is the first time I have ever publicly voiced an opinion except to some of my very close friends. What I’m getting at is that if I’m willing to break my vow of silence that has been shielding me from offending anyone with other opinions. If you have a problem with what I said, leave me a comment. I’m so angry now that I’m willing to fly out and try to talk some common sense into you (and blog my trip and my mission) and if that fails, I’m willing to beat you senseless (you think I’m kidding but think of the hits I will get either way when I show the tape). I’m tired of being passive on this issue now..

HELLO! FROM PLANET EARTH - PEOPLE!!!

UPnP IGD for Linux

Sunday, June 5th, 2005

I hoped to get this working one day. A UPnP IGD client library for Linux so we can do zero-config NAT traversal with our favorite UPnP based consumer routers (basically any medium to higher end D-Link, Netgear, Linksys, 2-Wire, etc. models sold nowadays). I did all the research trying to write it myself as an extension to Gaim, but lacked the time to finish it (setting aside the evil ego trips from a nameless member of the Gaim team). Well, with all the Summer of Code sponsorships by Google, the Gaim team put this feature up as a thing they want done. Here you go people :-). Basically $4,500 to the first student to do it and I’m handing it to you, all reverse engineered and documented. The only thing I ask is make it in the form of a Glib/Gobject based library that we can all use. Credit would be nice but I really don’t care as long as we get it out there. I just want it so if we write a new Bit-Torrent client, a DCC extension for an IRC client, or anything else that could use direct connection between two people behind a firewall, we have it like the Windows users do. I’m willing to help, but I’m just a little bit occupied to lead this one up myself and I want to get new developers to join in the efforts. Have fun and enjoy! :-)

What’s hot and what’s not

Sunday, June 5th, 2005

A lot of this, most of the Mono guys know, but still blog worthy …

Enterprise Databasing

  • HOT PostgreSQL 8.0 The king!
  • NOT SQL Server 2005 New XML datatype and built in Native Client libraries where everything is web service based and exposed via IIS/http.sys via port 80 (Can’t wait till a new slammer comes out that attacks this on port 80 and all the ISPs start blocking it.)

Email on Mono/.NET

  • HOT DotNetOpenMail Excellent! Great design and handles multiple languages better than anything on the market.
  • NOT AspNetEmail ohh loooky, I can add asp.net like controls and databind them in my emails, that’s really useful… (*sarcasm*)

Python on Mono/.NET

  • HOT Boo
  • NOT IronPython Nice one, Microsoft! Love that shared source license (*sarcasm*)

Rapid Application Development

Other Stuff…

  • HOT SQLite What more do you need in a basic SQL engine?
  • HOT DotLucene Text indexing to the max!
  • HOT NUnit Of course!
  • WARM TestDriven.NET VS.NET users (don’t knock it till you’ve tried it)
  • WARM SourceGear Vault Not my favorite source control product but I give them love for the Mono support.
  • HOT Subversion Everyone is doing it.

Encode This!

Thursday, June 2nd, 2005

Man, I’ve been so busy at Match.com’s international sites.

Right now I’m in the process of migrating Python to .NET and preserving business rules for tons of accent code. There are a few systems out there for email in .NET (ignoring CDO/CDOSYS and its great and wonderful world of pain). There is aspNetEmail. The problem with aspNetEmail is the fact that it doesn’t accept your own encoders and it doesn’t run correctly on Linux with Mono (the obfuscation tool they used on it screws up strings, which even break when called from .NET 2.0). I’m deep into DotNetOpenMail. It’s really amazing and it’s released under an X11 (BSD modified) type license.

I’m having to focus on encoding for over 33 languages and 12 different character encodings (oh boy) and I need the fine control that many purchased components can’t provide. Besides, ITS JUST EMAIL :-). Not everything is unicode (yet) in my work but still emails have to be sent out as the native character sets that everyone can read (and you have to make sure your emails are near perfect for some international and some web clients) so it means down encoding, cross encoding, removing accents on characters (when the target can’t read them), and so much more.

One thing I have found is that Mono on my RHEL 3 and 4 boxes in some cases handles Latin based languages far better than .NET does on Windows. I haven’t tested Mono with the Asian languages because the data in the database was encoded in html entity tags (last ditch effort to make the html emails work on Hotmail and Yahoo in various smaller countries). Lots of fun though.

On another note, I’m pretty impressed with Microsoft’s Enterprise Library. Looks like a great candidate for a port (if it doesn’t work already out of the box). Also tinkering with the idea of a distributed transaction system for Mono/.NET. Lots of ideas, so much work, so little time!

UPDATE:
Here is the link to the Microsoft Enterprise Library framework which should be portable (at least the backends) to Mono. Microsoft Enterprise Library