A site devoted to discussing techniques that promote quality and ethical practices in software development.

Sunday, February 25, 2007

Road map from Windows to Linux

Sick of being restricted of what you can and cannot be done with Vista and sick of having to buy special hardware to run Vista, perhaps this road map from Windows to Linux may be just what you need.

The draconian restriction of not allowing the cheaper version of Vista to be installed in virtual machines is cleanly mad.

Tuesday, February 20, 2007

Delphi.Net Bug - Discarding unreferenced types

I have used compilers and languages for a long time and it is the first time that I have encountered a compiler (Delphi 2006) that actually throws away public types from not only .Net executables but also packages.

Discarding from an executable is kind of understandable because Borland simply extends the same assumption they used in Delphi.W32 to Delphi.Net, admittedly very foolishly and ignorantly. Borland probably does not realise that one can load an executable assembly in much the same way as a DLL assembly.

To see this, you can get the IDE wizard to generate say a VCL.Net Form application. Anywhere in a pas file, create a type in the interface section and build it.

Then examine the final product with a Lutz Reflector and you will find that Delphi has discarded this type. I suspect that Borland only discards the IL metadata of this type, the one that the Reflector and System.Reflection depends on but keeping them in Delphi's metadata.

In other word, Delphi.Net is producing dll for Borland environment only.

To retain this type, you need to create a dummy variable of this type in the implementation section. Now you will see this type being retained.

What is insane of Borland is to discard public types from a package? Public type in a DLL is meant to be used by another DLL or executable and so how could Delphi know that no one is going to reference this type and is safe to discard them?

My discovery has proved that Borland has made very unsafe judgment bordering on insane.

This discarding public types bug is the root cause of Delphi not generating correct IL code.

Saturday, February 17, 2007

A Delphi.Net IL generation bug

A Delphi.Net IL code generation bug has been discovered that can mislead non-Delphi.Net assembly. This is case that shows that Delphi.Net is generating assemblies that not only use CLR metadata but also Delphi.Net metadata, which is unknown to any CLR compiler.

Here is the structure that demonstrates the bug.

I have a Delphi.Net (Delphi 2006) package, called PackageA, which contains UnitA that contains an interface IA. It is irrelevant what method IA prescribes but for argument sake, let's say if specifies a method called SayHi() like this.

unit UnitA;

interface

type IA = interface
procedure SayHi();
end;

Then we have a second Delphi.Net package, called PackageB, which contains a UnitB that contains IB as follows:

unit UnitB;

interface

uses UnitA;

type IB = interface( IA )
procedue Yell();
end;
Everything compiled and linked provided that you have defined the references correctly. Now let's consider PackageA.dll and PackageB.dll as kind of interfaces publishing assemblies and we then implements the following concrete class that implements IB in C#:

using namespace UnitB;
public class CSharpClass : IB {
public void Yell() { Console.WriteLine( "I am yelling" ); }
};
When I used VS2003 to develop this and pressing the tab key after typing IB the IDE only added the implementation of Yell() method. I was puzzled.

Even more bizarre is that that assembly not only compiled and built but it also runs!

I then check the PackageB.dll with Lutz's Reflector and to my horror, I cannot see the base interface of IB and this explains why the C# class compiled and built.

Digging this further I disassembly the IB in PackageB and this is the IL code Delphi.Net generates:

.class interface public abstract auto ansi IB
{
.custom instance void .ctor(string) = ( ...... ) // ...
.method public hidebysig newslot abstract virtual
instance void Yell() cil managed
{
} // end of method IB::Yell

} // end of class IB

No wonder the C# only requires to implement just Yell(). I am wondering will this make any difference if I implement a concrete class in Delphi.Net just like the C# class.

To my astonishment, my class

type MyDelphiClass = class( System.Object, IB )
public:
procedure Yell();
end;

did not compiled and was complaining about the need to implement IA.SayHi() and the need to include UnitA.

According to the IL code of PackageB.dll it does not contain any IL code of the base (required interface) of IB, where does Delphi get the information. The only conclusion one can draw is that Delphi.Net is not playing by the rule properly again! It is digging into its Delphi metadata rather than relying purely on CLR metadata.

According to ECMA-335 CLI standard Partition II, 12.1 this is what it says:
Interfaces shall declare that they require the implementation of zero or more other interfaces. If one interface, A, declares that it requires the implementation of another interface, B, then A implicitly declares that it requires the implementation of all interfaces required by B.

Now if PackageB.dll is rewritten in C# or even VB.Net, it would generate the following IL code for the interface IB:

.class interface public abstract auto ansi IB
implements [UnitA]UnitA.IA
{
} // end of class IB
Note that now IB specifies that it requires IA unambiguously.

You may ask what is the big deal when the final concrete class's class IL code is the same. Yes, that is so provided that you are using Delphi.Net throughout and that you are not using Reflection. This is not .Net!

If you use reflection to examine PackageB.dll for IB, you will discover that:
# typeIB.IsInterface is true
# (typeIB.GetInterfaces()).Length = 0

This means Delphi.Net is generating wrong IL code misleading the user of that assemblies.

Digging this further, I discovered that the missing IA from interface IB is caused by the now infamous symbol tossing bug. Delphi.Net has this bug that when it detects no one references a symbol - be it in a package or an executable application, the compiler simply tosses it away.

The only way to keep them is to litter your program with variables of the type you want to keep. This not only promotes dangerous trap for maintenance worker but also being stupid particularly in a package. By definition of the non-.Net world, any public symbols in a package is for someone outside to use. In .Net, executable assembly is being loaded just like a package. So how can the package foretell no one outside the package is using it and then tossing it away.

Either way, it is a compiler bug that does not generate CLI conforming code. Beware when you are planning to migrate to .Net world in Delphi. You could be producing solution that you, in your all Delphi.Net solution, works fine but your customer using your public artifacts to extend finding their assemblies not working.

More and more reasons to stay away from Vista

I have been a big fan and great supporter of Microsoft's Operating Systems and products ever since I migrated from CP/M to MS-DOS 1.

Everyone that has been in the industry for a while will no doubt have seen a constant procession of operating systems from Microsoft. I, without exception, have been there in the front of the queue doing beta testing, developing software to exploit them; from Win 3.0, to Win3.1, from Win3.1 to NT3.1, etc.

Vista is the only one that I have not touched despite being invited to do development workshop, etc.

Initially I have doubt of my disinterest in this OS. Is it of age? But the more I look at this the more I've realised that it is caused not so much by its lack of technical brilliance but by the anti-consumer thoughts being put into it. It is an Operating System not for the consumer but to control the consumer.

An Operating System should be nothing more than doing what the consumer/owner of that piece of software directs it to do including breaking code where one should not. It should not be a law enforcement agent and much less being uses as a foot soldier of Microsoft to stealthily conquer a targeted empire.

If you disagree with that, then do you believe that WinZip should refuses to ZIP terrorists' contents, or things morally wrong materials? What is morally wrong in one country may be an acceptable culture in another.

This kind of feeling is now being supported more and more once the OS is available to the public and to allow researcher to do detail analysis.

The part that makes me uneasy with this OS is not so much about the Aero or the desktop is completely revamped from previous incarnation requiring new hardware. But all the protection systems that are an integral part of this OS. It makes the IE integration into XP like nothing. Not only to protect digital materials but its own operating system. No software should treat their customer as a thief by all the draconian software protection system - their second generation WGA, called Software Protection Platform.

Bruce Schneier, a well renown cryptographer and a long time doubter of the benefit of DRM has recently reported of view on the DRM issue in the Vista and the problem with this in his blog.

His blog message in part draws on Peter Gutmann's paper "A Cost Analysis of Windows Vista Content Protection".

The kind of things Microsoft tried to protect the "Premium Content" at all cost by controlling the hardware is nothing really new. When PlayStation (version 1) came out, it used CD and everyone knows how easy to copy CD. So Nintendo N64 came out trying to defeat piracy by using cartridge, which is a lot harder to copy. In fact, their Gameboy cartridge has also been pirated and enhanced with 10-in-1, 120-in-1 games cartridge that buying one will guarantee you never have to buy another one for a long time.

So what happen? Did every game console switch to cartridge? No. The end result is that there are plenty of N64 sitting on shops' shelf and fewer and fewer shops carrying the N64.

Another example is the PS/2. IBM wanted to control the MicroChannel bus and anyone want to build add-on board has to pay them royalty. The end result is no one build anything. I guess Microsoft's story may be different but no one should under estimate the power of disruptive technology that can do to the incumbent.

Microsoft should heed this advice:
"The sheer obnoxiousness of Vista's content protection may end up being the biggest incentive to piracy yet created"
Microsoft built its empire on open specification and as Peter said:
"A quarter of a century ago, IBM made the momentous decision to make their PC an open platform by publishing complete hardware details and allowing anyone to compete on the open market. Many small companies, the traditional garage startup, got their start through this. This openness is what created the PC industry, and the reason why most homes (rather than just a few offices, as had been the case until then) have one or more PCs sitting in a corner somewhere. This seems to be a return to the bad old days of 25 years ago when only privileged insiders were able to participate."
This is like waving a red flag in front of the bull by asking hackers to reverse engineer the damn thing and to have fun and then by-passing the mess. There is already report that the DRM inside Vista has been cracked. Hurray for consumers! As Bruce's famous saying goes, "it is like making water not wet". It is a waste of time.

Perhaps Microsoft saw the wonderful power of rootkit of Sony can do to control the consumer, it wants a bit of it and rather than carrying the stigma associated with rootkit, it legitimises its own rootkit but redeveloping their OS.

Perhaps it is time for the Linux camp to come to the forefront as Bruce reports
"Some researchers think that this is the final straw that will drive Windows users to the competition"
And this long time Microsoft supports is considering one such mission to survey the Linux landscape. Since I have lost interest in Vista, someone has to provide me with some queue to line up to satisfy my appetite for new OS.

The other sales pitch Microsoft uses to induce frightened PC users into upgrading to Vista is that is it:
Windows Vista provides better protection for your PC, your personal information, and your family than any previous version of Windows—with new security tools like Windows Defender, anti-spam and phishing filters, and Parental Controls. Automatic backups, Performance Self-Tuning, and built-in diagnostics help you keep your data protected and your PC running smoothly
Well, no doubt there is Windows Defender, etc and other new technology in the mix including the Windows Security model but Windows Security has been the core of Windows since Windows 2000. Microsoft in all those years have never chastised those developers that fail to adopt and to promote heavily the need to adhere to this model in order to protect the users from the attacks. You can search MSDN to see how many articles from year 2000 on LUA (Least Privilege Users Account).

In almost all their security brief on vulnerability, they always say that the attack can only gain the same privilege as the user's login account.

But in these years Microsoft has never spent much money in catching those violators and as result the majority of the users run their Windows with no security by running in Administrative Account. Many of these violators are not your Freeware stuff but big name stuff like Intuit's Quicken.

Why doesn't Microsoft publish a list of non-conforming applications to allow users who are interested in protecting their data to select the right tools? It should be like Bugtraq and I can guarantee you how effective this is in forcing rogue operators to conform.

Then all of a sudden as if Microsoft has the consumer's protection at heart and came out with Vista. If they are so concerned they could have done it in year 2000. Now they do not even report these violators to the Event Log in Vista but instead it introduces the UAC to allow these violators to run smoothly but at harms way. Because no event message is generated, many of these rogue developers would not know!

Oh! By the way, what about the default settings of Vista's firewall?

As for me, Vista can stay on the shop's shelf and WOW in the Microsoft's advertising campaign stands for Wrong Operating Windows in my life. Not until it has been analysed down to the last bit and that I am allowed to turn off things I consider a waste of resource to me, it will not be used and will not be recommended.

Microsoft should never forget about the statement made by the judge in the SonyBMG court case.

Thursday, February 8, 2007

More on IE Vs Firefox market share

This is a more detail analysis of the market shares of various Browsers.

Interesting observation of the war:
Firefox has grown the most over time, with a sharp rise reported in mid September last year. For the most part, this is at the expense of other browsers such as Safari and Opera, rather than Internet Explorer, but as the year progresses towards Christmas time, these other browsers temporarily overtake Internet Explorer.
With respect to the uptake of IE7, the report indicates:
The fact that the numbers appear to be the same means it's safe to assume that most IE6 users haven't yet defected to Firefox. However, what is interesting to note is that the uptake levels off at the end of December 2006. What reasons can we guess for this?

Well, a major component has to be the vast amount of people in the world with cracked, illegal versions of Windows XP who strictly control their communications with Microsoft and do not want any new software from them - or for whom WGA is a stumbling block. In some circles it's even a matter of pride to say you've never bought a Microsoft product and yet use the full suite of their products extensively.

Another reason may be that there are problems with old hardware not being able to deal with memory and system demands of IE7.
Their observation seems to suggest validity in my argument that Microsoft through their WGA initiative is pushing people towards either alternate browser, like Firefox, or to stay with IE6.

Tuesday, February 6, 2007

Vista firewall - outbound traffic is unblocked by default

It makes one wonder why a company spending so much on their activation scheme on their brand new Operating System is so stupid in configuring their firewall, relying on marketing spin to do the real work.

Take the report on Vista firewall by Robert Vamosi which says:
In Windows Vista, Microsoft says its new Windows Firewall is now two-way, that it adds outbound protection, but a closer look reveals that this is more deceptive marketing spin. With Windows Vista what you get turns out to be a half-cocked firewall that's hardly worth the upgrade.
Moreover he finds the configuration confusing:
It's confusing ... But for outbound--that is, those connections starting within your computer and going out to the Internet-- connections are allowed except when excepted. Here Microsoft uses the good icon. This is not good.
His observation is further supported by correspondence from Symantec, which says:
"We have discovered that though Vista's outbound firewall is 'on' by default, all outbound connects that do not match a rule are allowed. In the default configuration, there are no outbound 'block' rules, only allow rules. In other words, even though [the Windows Firewall outbound protection is] on, it is not doing anything."
This is kind of dumb. I thought Vista is supposed to be much more secure OS. Perhaps they waste too much time on this activation and protection scheme instead of developing proper protection of their user's information. It seems Microsoft values their IP/Information more than the customers'.

Microsoft's defense says:
If we turned on outbound filtering by default for consumers, it forces the user to make a trust decision for every application they run which touches the network. ....The out of box experience would be poor, and they would soon be desensitized to the prompts.
They do not seem to be bothered by firewall like ZoneAlarm or Internet Security From Symantec.

Perhaps this attitude explains why Microsoft has not done anything since the release of Windows 2000 to promote the use of non-admin account leaving their users defenseless against attacks. They build these security model and then encouraging user to run with security turned off by running in admin account. They do not force those rogue programs to correct their security violation. If they do that in year 2000, they would not need this UAC in Vista to support rogue programs.

The confusing Vista firewall experience was further illustrated by David Berlind, who composes a photo gallery of the issue.

Linux, this is your chance to showcase your talent!

Evidence of IE market share slipping

When IE7 was first released, I posited that its market shares would slip and that the IE would have trouble holding of their market shares.

Recently, a new report is out that confirms that the market shares of Firefox is increasing by a strong margin and the reports says:
At 22 per cent, Firefox's share of the Australian market was higher than it was globally, with the open-source browser used by 14 per cent of users in July last year, Nielsen reported, citing data from e-janco.com.
It is hard to understand the philosophy of Microsoft. In fact as I argued in my previous blog, Microsoft is actually pushing people away towards alternate browser with their WGA initiative.

It is hard to understand why they do this. IE7 does not bring any revenue. So why frisks the user before allowing it to be installed. But denying a person to install, Microsoft is forcing that person to seek alternate browser, like Firefox.

Same with Media Player. If user can't get the latest, there is RealAudio, which can play Media Player format while WMP cannot play Real format.

Does Microsoft really believe those that do not have WGA-passed Windows would rush out to splash some money to buy genuine Windows just to get tab-browsing? If so, they would believe in tooth-fairies and Santa.

It would be far better for Microsoft not only to allow free download of IE7 but also free to install it in all Windows. In this way, it would a least makes it harder for Firefox to gain more market share for the very reason why IE took the lead from Netscape. It is convenient.

Now Microsoft turns the table around making it harder to install the IE7 on those Windows and this gives these people more incentive to use Firefox. Once they have a taste of it, they will become a willing salesman of Firefox.

That one person is not the only one becomes disenchanted with the Microsoft's frisking. He will do his/her best to encourage other to switch. Why not when it installs faster, writing blog messages with spell checking and no frisking. Mozilla treats their users with respect.

Hence as mentioned in many economic books on software industry, the incumbent does not have to reach a 50% or less market share to lose the market. The turning point comes much soon because of this snow-balling effect.

For me, I uninstalled IE7 immediately even though I broke my principle of not allowing Microsoft to frisk my machine running genuine Windows. The reason is that it fails to provide the functionality in LUA. I also strongly discourage anyone to install IE7.

So it will be interesting to see what will happen in the next 12 months.

At the moment, Firefox does not support embedding and this can handicap it in enterprise solutions or in solutions where one needs to render HTML inside an application. If some smart person can turn Firefox into a embeddable HTML component, the position of IE would be further eroded.

Saturday, February 3, 2007

Jim Gray is missing.

What a shocking news to learn that Jim Gray, the database guru that has worked on IBM and now with Microsoft, is missing in the San Francisco Bay. He is the brain child behind this project that captures and documents one's live.

Hang in there Jim! Hope he will be found safe and alive.

Blog Archive