Saturday, April 26, 2008

Reported iFrame Attacks _Not_ Due to MS Web/Database Stack

Recent articles like this one have been speculating on the possibility that a potential flaw in IIS might be responsible for a rash of malicious iFrame attacks that have plagued the Web recently.

It would appear that IIS, ASP.NET, and SQL Server are not the culprits.  A response to me and others, direct from Microsoft, follows.

***

We have been investigating these reports today and just posted two blog posts about them:

http://blogs.technet.com/msrc/archive/2008/04/25/questions-about-web-server-attacks.aspx

http://blogs.iis.net/bills/archive/2008/04/25/sql-injection-attacks-on-iis-web-servers.aspx

The high-level summary is:

These *are not* a result of any known security issue with IIS, SQL, ASP or ASP.NET (or any other Microsoft product)

These are instead the result of SQL injection issues within the web pages/applications hosted on these sites

You can learn more about SQL injection issues and how to prevent them in a blog post Scott Guthrie did a few years ago here: http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx

The above blog posts provide more details on the attacks and have pointers on how to make sure your site doesn’t have SQL injection issues.
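As an added illustration (not code from the post or from Microsoft's response), here is the kind of ASP.NET data-access code that produces the SQL injection issue the response describes, next to the parameterized form that prevents it. The connection string, the Products table and the ProductId column are assumed names.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class ProductLookup
{
    // Vulnerable: the query-string value is concatenated straight into the SQL text,
    // so whatever the caller supplies becomes part of the statement SQL Server executes.
    // This is the application-level pattern the response attributes the attacks to.
    public static DataTable GetProductUnsafe(string connectionString, HttpRequest request)
    {
        string sql = "SELECT Name, Description FROM Products WHERE ProductId = "
                     + request.QueryString["id"];
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            da.Fill(table);   // Fill opens and closes the connection itself
            return table;
        }
    }

    // Hardened: the SQL text is fixed and the value travels as a typed parameter.
    // SQL Server never parses the parameter as SQL, and the integer conversion
    // rejects non-numeric input before the database is contacted at all.
    public static DataTable GetProductSafe(string connectionString, HttpRequest request)
    {
        int id;
        if (!int.TryParse(request.QueryString["id"], out id))
            throw new ArgumentException("id must be an integer");

        const string sql = "SELECT Name, Description FROM Products WHERE ProductId = @id";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            var table = new DataTable();
            da.Fill(table);
            return table;
        }
    }
}
```

When the Description column (or any other stored text) is written into a page, pass it through HttpUtility.HtmlEncode so that markup which did reach the database is rendered as text rather than interpreted by the visitor's browser.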

Friday, April 25, 2008

First Impressions of Live Mesh

Got my invite yesterday and got it all working today.  From the user’s perspective (which is the only one available at this point in time), Mesh offers three things: (1) FolderShare-style file synchronization between PCs, including the ability to share your folders with invited members/users; (2) SkyDrive-style cloud storage, file access and sync participation; and (3) remote desktop access to connected devices that is VPN/NAT friendly (i.e. it works over port 80, in a peer-to-peer fashion).  That’s it.  For now.  Kind of makes me wonder why even the BBC reported on this thing.

Also, if you remember when Ray Ozzie first got to Microsoft and first got his blog set up, he posted on something called Simple Sharing Extensions (SSE).  These are extensions to RSS (and ATOM, as it turns out) that allow simple feeds to function as the transport for synchronization.  SSE was later renamed FeedSync, and is the basis for Mesh.  And, in fact, you’ll see “news” feeds all over Live Mesh.  These are really easy to produce, given the FeedSync foundation to Mesh.

And that means that this whole thing is going to be programmable.  Mary Jo Foley’s got a slide on her blog that even shows that there will be Visual Studio integration for all this.  But there will also be JavaScript interfaces, and interfaces for other languages, and a whole URI-based convention for getting to everything.  Nice.  That makes it seem like it will be easy for me to sync the data my apps use, over the Mesh infrastructure (including the cloud storage bit) without writing a lot of code.  In fact, with a little LINQ magic, I should be able to query and iterate through files within my mesh-enabled folders and items within my Mesh-enabled applications.

Goody gumdrops?  Not yet.  Because until Microsoft cleans up the mess of things it’s created that cry out for synchronization, no amount of DIY programmability is going to make me happy.  I’ve been thinking about this today.  Here are some things I’d like to be able to sync.  Easily:

  • Photos (to my PCs, Media Center/Windows Home Server, and mobile phone).  And I want the option to downscale the resolution on the copies pushed to my phone.  And I want the ability to push/pull content to flickr, Snapfish, Shutterfly, etc.
  • Music (to my PCs, Media Center/Windows Home Server, mobile phone, and MP3 player).  And I want the option to downscale the bit rate on the copies pushed to my MP3 player and phone.
  • Outlook calendar, contacts and tasks (between two separate Outlook instances on my home and office PCs).  And somehow this should work along with (and not against) Exchange Sync and ActiveSync/Windows Mobile Device Center.  And I want the ability to sync certain of my contacts with Facebook, Twitter, Windows Live, and other online services and social networks.  No more double entry, and no more forcing me into an all-or-nothing situation in terms of what gets synced.
  • OneNote notebooks, or sections or section groups between PCs and onto OneNote mobile (over the Internet, not only through USB and Bluetooth)
  • SharePoint libraries and lists should also be an endpoint, and a source, of data
  • Favorites, between my Favorites folder, and Live Favorites, and del.icio.us and others.  Make it work with Digg too.  And with Windows Help favorites.  And push mobile favorites to mobile devices as an easily selected option.
  • Internet radio stations.  Push their URLs properly into Windows Media Player, Media Center, my Sonos setup, and the Resco Radio app on my phone.  Not to mention any internet-enabled MP3 player.
  • RSS feeds, of course.
  • Backup volumes, from my local or NAS drive to my Amazon Simple Storage Service account or my records retention vendor’s server.
  • Ability to sync specific documents automatically to FedEx Kinko’s, Mimeo, and other printing services.
  • A configuration of all of the above assets (perhaps in the form of an OPML file), so that when I get a new PC, I can instantly get it syncing all the right stuff

Right now, here are all the different Microsoft Sync technologies I can think of.  Let’s get them all to use Mesh under the covers, and get them to work in a federated, cooperative fashion:

  • Exchange Sync
  • ActiveSync (Windows Mobile Device Center)
  • Offline files
  • Vista Sync Center
  • Windows Media Player sync
  • SQL Server Merge Replication (Is this too big a stretch?  I don’t think so.)
  • SQL Server Compact Edition Sync Services

It’s getting close to 1am now, so I’ll stop.  But I bet the above lists are nowhere near comprehensive.  The point is that a transport isn’t enough.  We need something that understands devices contextually and has a good idea of what to sync where, and at what quality.

Wednesday, April 23, 2008

Office 2007 Not OOXML-Compliant? And Your Point Is...?

A few articles have cropped up in the last couple of days on Office 2007's "failing" OOXML compliance tests.  If you're interested in reading up on that, perhaps you'd like to start with the slashdotting of it.

Well, the whole point of moving a proprietary file format into open standardization is that the format is controlled by the standards body and gets changed along the way. This has already happened with OOXML, and this is the reason for the apparent non-compliance.  So this "failure" is actually a success.  Or, to quote Run D.M.C.,  "Not bad meaning bad, but bad meaning good."

A more precise explanation, with background information, can be found here.

Monday, April 07, 2008

VSLive SanFrancisco Workshop Materials: SQL Server 2008 For Developers

Materials for the workshop Lenni Lobel and I presented on April 3rd are available here.

Sunday, October 07, 2007

.NET Framework Source Code: For Voyeurs Only?

Since Wednesday's announcement by Microsoft that it will publish the source code for major parts of the .NET Framework, there has been a lot of press and commentary.  Much of the press was positive and much of the commentary negative.

My own quotes were part of the positive press.  Specifically, I corresponded at length with Darryl Taft of eWeek, resulting in quotes in the article “Microsoft Reveals .Net Source Code” and with Mary Jo Foley, which resulted in a quote in her blog post on the subject.

Much of the negative commentary focused on how, by publishing the Framework source under its Reference License, Microsoft has prevented the Framework code from being truly Open Source.  Other commentators went further, and surmised that Microsoft has published the source for reasons of entrapment: essentially, by allowing people to see the source, Microsoft could then pursue developers involved in Open Source projects, including Novell’s Mono, who might be “influenced” into writing similar code and introducing it into these Open Source products.

With my own opinion and bias well-known and documented, I still feel compelled to respond. I do this because I fear that while some of these criticisms may be, technically, true, they are quite beside the point.  So here goes…

First, to the point that Microsoft is not releasing .NET Framework source code into a true Open Source vehicle: you are 100% correct.  There is nothing new here.  Except for the relatively small set of code that Microsoft releases under its “permissive” license, it is not an Open Source company, does not especially believe in the Open Source model, and does not view non-adherence to Open Source conventions as a failing, a compromise, or a cop-out.  Rather, it views what we might call “exposed source” as a learning tool, and a development aid.  Specifically, in the case of the .NET Framework source and Visual Studio 2008, the main scenario for using the source will be to aid and ease debugging of .NET applications.  Think Microsoft is being a tease?  Nope.  You’re just misreading her signals.  Go proposition another girl.

Second, to the point that Microsoft may be luring Open Source developers into copyright infringement: (a) you’re ignoring history, and (b) you’re confusing Microsoft with a monolithic organization.  Allow me to elaborate on both points.  (A) Microsoft has been releasing source code since the early 90s, including that for its C/C++ compiler and its MFC and ATL frameworks for Win32 (Joel Spolsky speaks to this quite authoritatively in another Mary Jo quote here).  (B) There really are people at Microsoft who are hostile to Open Source and even somewhat vindictive toward its proponents.  Thing is, Scott Guthrie, the person who pushed for and announced the release of the .NET Framework source code, isn’t one of them.  Scott is a no-nonsense guy whose main concerns are developer satisfaction and technical excellence.  It was also Scott who worked with Novell and Miguel de Icaza, to make “Moonlight” (a Linux/Mono version of Silverlight) a reality, and to endorse it rather than relegate it to renegade status.  Scott was also a driving force behind ASP.NET which of course requires Windows on the server, but works with most any browser and OS on the client.

Let’s be real clear: worst case, things became no worse after Wednesday’s announcement than they were before it.  Best case, they became a lot better.  And I would encourage even the most ardent Microsoft critic to consider the latter opinion.  It’s a fairly safe bet that Scott Guthrie overcame internal resistance at Microsoft in order to release the Framework source.  He likely needed to convince people who felt strongly that exposing the source would be putting intellectual property at undue risk.  Scott probably needed to present a business case that showed how the developer gains and their positive impact on Microsoft's business far outweighed the risks of IP theft.  So if you want Microsoft to be more Open and less “evil,” you’ll want people with Scott Guthrie’s mind set to be successful, and you’ll want to support his initiatives.  If you want Microsoft to stumble, that’s fine too.  But if so, it becomes difficult to argue issues like this on the merits, since that viewpoint can lead to predetermined conclusions.
