Securing yourself from Download.Ject (a.k.a JS.Scob.Trojan, Scob, JS.Toofeer)

Hopefully you have heard of the new Download.Ject virus that is also known as JS.Scob.Trojan, Scob, JS.Toofeer and have taken the corrective steps to fix it. Like most other users, I primarily use IE (about 85% of the time, and Firefox the rest of the time) and need to be careful of this threat – especially on what it does.

If you have not done anything to prevent this I seriously recommend that you do ASAP. I have a brief description on how to fix this and what it does.

What is it?

It is a Trojan downloader written in JavaScript. It was found on a number of web sites on June 24th, 2004. The Trojan was found appended to existing files on those web servers, for example pictures such as JPEG files. According to reports, the script was not appended by modifying the actual files on the server but by using the so-called footer feature of IIS. When executed, the Trojan attempts to use an invisible frame to connect to a page at a remote web site. At the time of writing, that page is not available. Even so, there have been reports that this downloader has been used to install variants of the Padodor backdoor.

The Padodor backdoor was created by a Russian hacker group called HangUp Team. This backdoor steals users’ personal information, including credit card numbers, logins and passwords that a user types, and other sensitive information. The backdoor’s file is a PE executable 51712 bytes long. The backdoor’s file is encrypted and the decryption routine is polymorphic. Every time the backdoor installs itself, it changes its decryptor, so its file will look different after every installation.

What does this do on the Web Server (IIS):

  1. Drops ads.vbs into the current folder.
  2. Drops three files, named %System%\inetsrv\iisXXX.dll, where XXX are three hexadecimal digits.
  3. Modifies the configuration of IIS Web sites on the infected computer to make one of the iisXXX.dll files the document footer.

What does this do on the client side (i.e. your Browser):

When the backdoor’s file is run, it installs itself to the system. It copies its file to the Windows System directory with a random name that can contain ’32’ at the end. The name can be, for example, ‘amackg32.exe’. The backdoor also extracts and writes a small DLL file to the Windows System folder. That file also has a randomly generated name that can contain ’32’ at the end, for example ‘bnldnl32.dll’. That DLL file is a starter for the dropped backdoor’s executable file. It already contains the name of the dropped backdoor file – it is inserted there before extraction.

  1. If the file is not accessed through HTTPS and the Trojan has not set a currently valid cookie on the computer, it launches a JavaScript file located at 217.107.218.147.
  2. The Trojan then sets a cookie which expires in one week. The cookie begins with the characters “trk716”.
  3. Creates the following registry keys:
    •  [HKCR\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
       @ = "%WinSysDir%\.dll"
       "ThreadingModel" = "Apartment"
    •  [HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
       "Web Event Logger" = "{79FEACFF-FFCE-815E-A900-316290B5B738}"

When the backdoor is active, one of its threads looks for certain text strings in open application windows:
 
  • .paypal.com
  • signin.ebay.
  • .earthlink.
  • .juno.com
  • my.juno.com/s/
  • webmail.juno.com
  • .yahoo.com
  • Sign In
  • Log In
 
If such text strings are found, the backdoor tracks user's login and password and saves it to a file that will be sent to a hacker. The backdoor steals credit card information that a user inputs in webforms and sends this data to a hacker. Once the Trojan is triggered, it will not be triggered again until a week later.

How do I detect it?

To determine if the malicious code is on your computer, search for the following files:

  • Kk32.dll
  • Surf.dat

Steps for Windows XP users:

  1. On the taskbar at the bottom of your screen, click Start, and then click Search.
  2. Under What do you want to search for? click All files and folders.
  3. Under All or part of the file name:
    type: Kk32.dll
    and then click the Search button.
  4. Under All or part of the file name:
    type: Surf.dat
    and then click the Search button.

If either of these files is present, your computer may be infected.

How do I clean it?

  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan, repair all the files detected as JS.Scob.Trojan!inf, and delete all files detected as JS.Scob.Trojan, JS.Scob.Trojan!inf or JS.Scob.Trojan!dr.
  4. Reset the document footer setting of IIS web sites.

What if I am running Windows 2000 Server?

You can check the document footers on the IIS server:

  1. Click Start, and then click Run.
  2. In the Open box, type the following, and then click OK:

    %SystemRoot%\System32\inetsrv\iis.msc

  3. In the IIS MMC, expand Computer_Name (local computer), and then expand Web Sites. Note Computer_Name is a placeholder for the name of your computer.
  4. Right-click a Web site, and then click Properties.
  5. Click the Documents tab, and then locate the Enable document footer check box. You may be infected with Download.Ject if the Enable document footer check box is selected and the path to the document footer file points to a file that has a name that is similar to %Systemroot%\Winnt\System32\Inetsrv\Iis<3 random digits>.dll
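
A triage helper for the indicators listed in this post, as an added example (not code from the original post or from any vendor): it checks file paths, IIS document footer settings, cookie names and ShellServiceObjectDelayLoad values that you have already collected from a machine. The function names and all sample data are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators quoted from the post above.
CLIENT_FILES = {"kk32.dll", "surf.dat"}      # files to search for on a client
SERVER_DROPPER = "ads.vbs"                   # script dropped on the IIS server
FOOTER_DLL = re.compile(r"iis[0-9a-f]{3}\.dll", re.IGNORECASE)  # iisXXX.dll, XXX = hex
COOKIE_PREFIX = "trk716"
CLSID = "{79FEACFF-FFCE-815E-A900-316290B5B738}"


def is_footer_dll(path):
    """True for ...\\inetsrv\\iisXXX.dll where XXX are three hex digits."""
    p = PureWindowsPath(path)
    return p.parent.name.lower() == "inetsrv" and bool(FOOTER_DLL.fullmatch(p.name))


def check_files(paths):
    """Return (path, reason) pairs for file names that match the indicators."""
    findings = []
    for path in paths:
        name = PureWindowsPath(path).name.lower()
        if name in CLIENT_FILES:
            findings.append((path, "client-side file named in the post"))
        elif name == SERVER_DROPPER:
            findings.append((path, "ads.vbs dropper script, review its contents"))
        elif is_footer_dll(path):
            findings.append((path, "iisXXX.dll in inetsrv"))
    return findings


def check_footers(sites):
    """sites maps a site name to (footer enabled, footer path) from the Documents tab."""
    return [name for name, (enabled, footer) in sites.items()
            if enabled and footer and is_footer_dll(footer)]


def check_cookies(cookie_names):
    """Cookie names that begin with the marker the Trojan sets."""
    return [c for c in cookie_names if c.startswith(COOKIE_PREFIX)]


def check_registry(ssodl_values):
    """ssodl_values maps value name to data under ...\\ShellServiceObjectDelayLoad."""
    return [name for name, data in ssodl_values.items()
            if data.strip().upper() == CLSID]


def triage(files, sites, cookies, ssodl_values):
    """Run every check and return the findings grouped by source."""
    return {
        "files": check_files(files),
        "footers": check_footers(sites),
        "cookies": check_cookies(cookies),
        "registry": check_registry(ssodl_values),
    }


# ---- Constructed sample data (not taken from a real machine) ----
SAMPLE_FILES = [
    r"C:\WINNT\System32\inetsrv\iis7a3.dll",  # matches iisXXX.dll
    r"C:\WINNT\System32\inetsrv\iislog.dll",  # 'l', 'o', 'g' are not hex digits
    r"C:\WINNT\System32\Kk32.dll",
    r"C:\Inetpub\wwwroot\ads.vbs",
    r"C:\Temp\iis123.dll",                    # right name, but not in inetsrv
]
SAMPLE_SITES = {
    "Default Web Site": (True, r"%SystemRoot%\System32\inetsrv\iis7a3.dll"),
    "Intranet": (True, r"D:\sites\intranet\footer.htm"),
    "Staging": (False, r"C:\WINNT\System32\inetsrv\iis0ff.dll"),  # footer disabled
}
SAMPLE_COOKIES = ["ASPSESSIONIDABCD", "trk716_constructed"]
SAMPLE_SSODL = {
    "ExampleEntry": "{00000000-0000-0000-0000-000000000000}",  # placeholder value
    "Web Event Logger": CLSID,
}

if __name__ == "__main__":
    report = triage(SAMPLE_FILES, SAMPLE_SITES, SAMPLE_COOKIES, SAMPLE_SSODL)
    for source, hits in report.items():
        print(source, "->", hits if hits else "nothing found")
```

On a real host, pass `check_files` the paths produced by walking the system directory, and fill the other inputs from the IIS Documents tab, the browser cookie store and a registry export.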

For more information check out the following links:

White-Box testing (a.k.a Glass Box or Clear Box or Open Box testing)

This is part 3 of the testing-series of posts where I cover White-Box testing (inspired by Microsoft’s upcoming Testing Series of good advice from PAG). You can check out the earlier post here.

White-Box testing (Glass Box/Clear Box/Open Box testing)

White box testing assumes that the tester can take a look at the code for the application and create test cases which look for any potential failure scenarios. You need to determine the suitable input data for testing of various APIs and the special code paths that need testing by analyzing the source code for the application. Ensure that the test plans are updated before starting with White-Box testing.

A failure of a white box test may result in a change which requires all the black box testing to be repeated and re-determination of white-box paths.

  • Profile The Application Code Blocks. Profiling is the activity which allows you to monitor the behavior of a particular code path in run time when the code is actually in execution. Typically you would profile your code for one or more of the following:
    • Code Coverage. Profiling for code coverage with the help of a tool ensures that there is no redundant or dead code which never gets called for any execution path.
    • Memory allocation pattern. This helps you in studying direct and indirect memory allocations while executing a code path, detect and analyze memory leaks (for unmanaged code), etc. For example, you can analyze in which GC generations (Gen 0, Gen 1, Gen 2) the maximum objects reside, or whether there are any side effect allocations taking place in a loop which are increasing the memory utilization significantly. This can help you optimize the memory utilization of the code block. You can use various tools such as CLR profiler, Intel Vtune, etc. for this purpose.
    • Contention and deadlock issues. You can analyze the code for deadlocks using tools like WinDbg which are a part of the Windows debugging toolkit.
    • Time taken for executing a code path. You can profile the time taken by the scenarios for which performance is critical. This may require custom instrumentation of the code path which may be distributed across physically different machines. There are also various third party tools available which help you measure the time taken for execution of a particular scenario.

      If the code needs to be integrated with a web application, one should also check out the Request Execution Time (ASP.NET\Request Execution Time) perf. counter. You can create a test harness such that the overhead of the harness is minimal and most of the processing time is spent within the code.

If during profiling you find that a particular condition needs to be tested under load such as potential deadlock issues or inefficient memory cleanup which is visible only under scenarios you can provide inputs on the type of metrics which should be chosen while load testing the code and what are the things you should be looking for when stress testing the code.

  • Testing internal subroutines. You need to test the various internal functions to ensure that they are processing the right data without any loss or inconsistency and returning the expected output.
  • Test various loops and conditional statements. You should test various types of loops such as simple, concatenated, nested loops etc and the accuracy of conditional statements in the code components such as relational expressions, simple conditions, compound conditions, Boolean expressions, etc.
  • Testing various scenarios identified. Various potential scenarios should have been identified earlier in the process of reviewing the implementation. You must test these scenarios by first analyzing the code and then submitting the inputs which tend to exploit the weakness in the code (if any).
  • Security Testing. During the process of source code review if you identify that a particular code access security is not able to restrict undesirable access in the targeted deployment environment you should test this scenario by first analyzing the code and then simulating the deployment environment to identify any scenarios where the code block may expose sensitive information to hackers.

More Information – check out http://tinyurl.com/32ye3

White Box Testing and Black Box Testing

This is really part II of my testing series (as I have come to call it) – I had an earlier post on Unit Testing. I recently had the opportunity to review some of the new stuff coming out of the Prescriptive Architecture Group at Microsoft and here are some of the interesting things proposed by them.

When you are doing Functional Testing of your application or code, it can be of two kinds – Black Box and White Box. I am going to highlight some of the suggestions of MS on Black-Box here and have another followup post on the Whitebox testing.

Black-Box testing

The black box testing assumes no knowledge of code and is intended to simulate the end user experience. One can use sample applications to integrate and test the various components of an application for black box testing. This approach allows for testing of all the possible combinations of the end user actions. Some of the testing techniques which are covered in this are:

  • Testing all the external interfaces for all possible usage scenarios. All the external interfaces that can be integrated by the end users with their applications.
    • Ensure the interfaces meet the requirements and functional specs. This type of testing ensures that the components in an application implement the interfaces required per the functional specifications. This also allows you to develop test harnesses. You need to test for all the possible ways in which the APIs can be called by the clients of the code block. The usage scenarios include both the expected process flows and random inputs.
    • Testing for various types of inputs. The second step is to ensure that the interfaces are returning the expected output and are robust enough to handle invalid data and exceptional conditions gracefully. The input data can be randomly generated within a specified range expected by the application, outside the specified range or at the boundary of the range. Testing with data outside the specified range ensures that the application is robust and can handle invalid data and the error messages generated are meaningful for the end user. Boundary testing ensures that the highest and lowest permitted inputs produce expected output.
        
  • Performance Testing. You execute performance related test cases from the test plan in a simulated environment which is close to the real world deployment. Performance testing is done to verify that the application is able to perform under expected and peak load conditions, and that it can scale sufficiently to handle increased capacity. There are two main aspects of performance testing with different end goals. You must plan and execute test cases for both these aspects as mentioned below:
    • Load Testing: Use load testing to verify the code behavior under normal and peak load conditions. This allows you to verify that the application can meet the desired performance objectives and does not overshoot the allocated budget for resource utilization such as memory, processor, network I/O etc. This also allows you to measure response times and throughput rates for the application.
        
      Load Testing also helps you identify the overhead (if any) of using the application to achieve a desired functionality by testing applications with and without the code block for achieving the same end result.
    • Stress Testing: Use stress testing to evaluate the code’s behavior when it is pushed beyond the normal or peak load conditions. The goal of stress testing is to unearth bugs that surface only under high load conditions, such as synchronization issues, race conditions, and memory leaks.

The analysis from performance tests may serve as input to White Box Testing. You may need to do a code review of the suspected module to weed out any possible causes of issues, such as a coarse-grained lock which is causing increased wait times for threads.
 
The data analysis from performance tests provides useful inputs to the type of problems which surface under load conditions. These inputs help you focus on profiling a particular code path during white box testing.

For more information on performance testing check out:

Is Unit Testing important for all?

Scott (the author of dotText – the open source bits running this blog), has an interesting question to ask: is Unit Testing important for all, to include it in all the editions of Whidbey or only Visual Studio Team System? I think this should be a moot point. In my opinion no developer can say he/she is feature complete if they have not done a “unit test”. How can one know if their code does what it is supposed to do? Sure the QA/Test team is there, but their job is to ensure your code meets the functional requirements, but the basic building blocks only a developer knows best and it is their responsibility to ensure that they test it. Sadly, a lot of developers and designers have the attitude of “That is the QA’s job” – unfortunately they could not be further from the truth. I also find developers who do a unit test tend to have fewer bugs in their code (Note: this is my personal experience and recording, there is no experiment or sampling conducted). Since I am one of the advisors for PAG (representing the company I am employed with), I recently got the opportunity to review some of the new testing best practices they have coming out – lots of good common sense stuff – keep a look out for that in the near future. I will be posting some stuff from there here in the next few days too. Anyways, I would love to hear your viewpoint on the whole issue?

One Step to Teleportation

Nearly three years ago TechDirt wrote about breakthroughs in atomic entanglement that could lead to advancements in quantum computing and teleportation. It seems that much of that research has continued as two separate groups of researchers have now used entanglement to successfully teleport the quantum state of an atom. As the article points out, the fact that two separate research groups came up with similar results (using slightly different methods) is particularly promising. It is amusing, though, to note that just about every article discussing atomic teleportation feels the need to explain that this is nothing like Star Trek style teleportation.

First mobile phone virus created!

BBC is reporting that the first ever computer virus spread by mobile phones has been sent to anti-virus firms. No infections have been reported and the worm is harmless but it is proof that mobiles are at risk from virus writers. The worm, known as Cabir, infects phones and devices running the Symbian operating system. Anti-virus firms are divided on whether it will open the floodgate to similar viruses. Because the worm requires Bluetooth technology to travel, it is geographically constrained to a radius of about 30 metres. Then it is dependent on someone having Bluetooth turned on within that range. And as a final blow to its progress, any unsuspecting phone user in the vicinity would have to accept the virus which would be preceded by a warning that the source of the file is unknown.

How to Fight Spam?

Microsoft has a common sense article that is aimed for most non-technical users on how to help them stop spam. If you already get lots of spam they discuss here how to fight it.

The crux of the matter is disclosing your email address. Some spammers get address lists from Web sites where you may have signed up for free offers, ordered something online, or entered a contest. They can also get your address from Internet white pages listings, newsgroups, resumé postings, and chat rooms. Follow these tips whenever you can:

  • Set up an e-mail address dedicated solely to Web transactions. Consider using a free mail service to set up an e-mail account for your online transactions. This will help you keep your real e-mail address private.
  • Only share your primary e-mail address with people you know. Avoid listing your e-mail address in large Internet directories. Don’t even post it on your own Web site.
  • Disguise (or “munge”) your e-mail address. Use a munged address whenever you post it to a newsgroup, chat room, or bulletin board. For example, you could give your e-mail address as “s0me0ne@example.c0m” using “0” (zero) instead of “o.” A person can interpret your address, but the automated programs that spammers use cannot.
  • Watch out for checked boxes. When you buy things online, companies sometimes add a check box (pre-checked!) to indicate that it’s fine to sell or give your e-mail address to responsible parties. Click the check box to clear it.

How "heavy" is your page?

If you want to see how heavy your site is then browse over and plug in your url and check it out. Here is how the numbers for this blog came up to:

Load Time by Connection Speed

Connection Speed      Download Time
14.4Kbps              85.93 seconds
28.8Kbps              44.96 seconds
56Kbps                24.84 seconds
ISDN (128Kbps)        13.22 seconds
Cable (512 Kbps)      6.30 seconds
T1 (1.44 Mbps)        4.82 seconds
SDSL (1.544 Mbps)     4.76 seconds
ADSL (2.0 Mbps)       4.59 seconds

Page Objects

Size      Object Type   URL
137443    HTML          http://www.desigeek.com/weblog/amit/
4672      CSS           http://www.desigeek.com/weblog/skins/bahree/style.css
2990      IMG           http://www.desigeek.com/weblog/Images/login_icon.jpg
1052      IMG           http://www.desigeek.com/weblog/Images/atom.gif
953       IMG           http://www.desigeek.com/weblog/images/Comments.gif
138       IMG           http://www.desigeek.com/weblog/images/link.gif
130       IMG           http://www.desigeek.com/weblog/Skins/bahree/images/xml.gif
88        IMG           http://www.desigeek.com/weblog/Skins/bahree/images/arrow_on.gif
4         CSS           http://desigeek.com/weblog/amit/customcss.aspx

It also told me what was broken – which means I should take out the time to fix it. Here is a subset of the stuff that is broken:

HTML Problems

Line   Object                                    Missing
60     IMG:../Skins/bahree/images/arrow_on.gif   HEIGHT
60     IMG:../Skins/bahree/images/arrow_on.gif   WIDTH
62     IMG:../Skins/bahree/images/xml.gif        HEIGHT
62     IMG:../Skins/bahree/images/xml.gif        WIDTH
65     IMG:../Images/atom.gif                    HEIGHT
65     IMG:../Images/atom.gif                    WIDTH
195    IMG:../images/link.gif                    HEIGHT
195    IMG:../images/link.gif                    WIDTH

What is OC192?

I was in meetings today with Microsoft and going over some client stuff that I cannot really talk about here. But at this client the “hot backup” is done on a remote NAS over an OC192 line and I was like what the heck is that? Turns out that has a bandwidth of almost 10 gigabytes/sec (9.6 gb/s to be exact) – wow! Imagine all the things one can do with that pipe. Drooool! What is the fastest you have used? Till now I have worked on an OC12 – once this is up this would be my fastest!

PS – I am not a network engineer – I know enough to set up a dinky little domain and network at home but am not the expert – so don’t bombard me with all the nomenclature. *grin*

Update: Karan tells me there is a still faster OC768 which runs at close to 40 gb/second.

Orkut and India

Karan has a very interesting discussion going on Orkut and India. Here is essentially my view on the whole topic:

In my personal experience, most Indians that I have met here in USA are full of crap when it comes to India! They have viewpoints hearing that one goes “whaaaat?????” and left scratching their heads. When I dig a little more, it turns out that they have lived all their lives in one small town (or a big metro) before they stepped on a plane to come here and that makes up their Indian experience and viewpoint! How pathetic can that be?

I am one of the lucky ones and have had the opportunity to explore many places in our lovely country. And come with a very different viewpoint from these people. If you stop and think about it for a minute, each state is like a mini-country with its own music, food, culture, local customs, language, etc – where else in the world can you find that?

Now, I am not saying you all in this discussion have not explored, but I am trying to make the point that most people outside of India have that mentality. Reminds one of the book – The Inscrutable Americans – check it out if you have not – a MUST read.

I think Karan is on the right track in portraying the on-line newspapers. I have relatives working for some of the leading papers in India and know their “inside story”. Not to mention my sister is a reporter.

Personally speaking for myself having been out of India for a number of years (I do go back at least once a year on an average), I have found myself become more patriotic and notice the small things – most of which are things that make me proud to be an Indian – ya ya I am a sentimental fool. But then I also very conveniently ignore some of the “real” issues dogging our country.

I don’t know if I notice the small things because I do not take it for granted any more or what. But I agree with Karan, there are so many things happening in the backyard that we don’t even get a whiff of here.

Anyways I would just like to close that most Indians I have met here who are wonderful people and very successfully professionally are the biggest jerks when it comes to knowledge about their country and I am not talking just geography. Just my $0.02.

What do you think?

Indian Classical Music

On a different note than most of my entries here, last weekend I went to an Indian classical music concert by Zakir Hussain and Master Pandit Jasraj, organized by the Bay Area Performing Arts. The concert was amazing, I have seen Zakir a number of times earlier and as always he was mind blowing. This was the first time though I saw Jasraj and did not know he sang Krishan Bhajans. Though I personally don’t care about the Bhajans but the rags he sang were quite amazing too – especially the ones showing his control over his voice where he went all the way from a very high note to a very flat and dull one (like from a bass). And the special treat were the Jugalbandis – one has to attend a Zakir concert just for that – oh what fun! If you find out Zakir is playing in your area I would highly recommend checking it out. If it happens to be the first time you see Zakir Hussain then you are going to be blown away by the whole experience.

How to tell you are American?

Not long ago, one of those earnest-freshman puppydogs on the Net declared that there was “no such thing as American culture.” Right. Fish have also been known to doubt the existence of water.

The following is a first crack at an ostensive definition of ‘American culture’– things shared by the vast majority (let’s say 90%) of native-born Americans. Many of these won’t sound ‘cultural’ at all to Americans; they’ll sound like just descriptions of the way things are. But each one of them would be contested in one or more non-American cultures.

If you’re American…

  • You believe deep down in the First Amendment, guaranteed by the government and perhaps by God.
  • You’re familiar with David Letterman, Mary Tyler Moore, Saturday Night Live, Bewitched, the Flintstones, Sesame Street, Mr. Rogers, Bob Newhart, Bill Cosby, Bugs Bunny, Road Runner, Donald Duck, the Fonz, Archie Bunker, Star Trek, the Honeymooners, the Addams Family, the Three Stooges, and Beetle Bailey.
  • You know how baseball, basketball, and American football are played. If you’re male, you can argue intricate points about their rules. On the other hand (and unless you’re under about 20), you don’t care that much for soccer.
  • You count yourself fortunate if you get three weeks of vacation a year.

If you died tonight…

  • You’re fairly likely to believe in God; if not, you’ve certainly been approached by people asking whether you know that you’re going to Heaven.
  • You think of McDonald’s, Burger King, KFC etc. as cheap food.
  • You probably own a telephone and a TV. Your place is heated in the winter and has its own bathroom. You do your laundry in a machine. You don’t kill your own food. You don’t have a dirt floor. You eat at a table, sitting on chairs.
  • You don’t consider insects, dogs, cats, monkeys, or guinea pigs to be food.
  • A bathroom may not have a bathtub in it, but it certainly has a toilet.
  • It seems natural to you that the telephone system, railroads, auto manufacturers, airlines, and power companies are privately run; indeed, you can hardly picture things working differently.
  • You expect, as a matter of course, that the phones will work. Getting a new phone is routine.
  • The train system, by contrast, isn’t very good. Trains don’t go any faster than cars; you’re better off taking a plane.
  • You find a two-party system natural. You expect the politicians of both parties to be responsive to business, strong on defense, and concerned with the middle class. You find parliamentary systems (such as Italy’s) inefficient and comic.
  • You don’t expect to hear socialism seriously defended. Communism, fuhgeddaboudit.
  • Between “black” and “white” there are no other races. Someone with one black and one white parent looks black to you.
  • You think most problems could be solved if only people would put aside their prejudices and work together.
  • You take a strong court system for granted, even if you don’t use it. You know that if you went into business and had problems with a customer, partner, or supplier, you could take them to court.
  • You’d respect someone who speaks French, German, or Japanese– but you very likely don’t yourself speak them well enough to communicate with a monolingual foreigner. You’re a bit more ambivalent about Spanish; you think the schools should teach kids English.
  • It’s not all that necessary to learn foreign languages anyway. You can travel the continent using nothing but English– and get by pretty well in the rest of the world, too.
  • You think a tax level of 30% is scandalously high.
  • School is free through high school (at least, it’s an option, even if you went to private school); college isn’t, unless you get a scholarship.
  • College is (normally, and excluding graduate study) four years long.

Everybody knows that

  • Mustard comes in jars. Shaving cream comes in cans. Milk comes in plastic jugs or cardboard boxes, and occasionally in bottles.
  • The date comes second: 11/22/63. (And you know what happened on that date.)
  • The decimal point is a dot. Certainly not a comma.
  • A billion is a thousand times a million.
  • World War II was a just war, and (granted all the suffering of course) ended all right. It was a time when the country came together and did what was right. And instead of insisting on vengeance, the US very generously rebuilt Europe instead, with the Marshall Plan.
  • You expect marriages to be made for love, not arranged by third parties. Getting married by a judge is an option, but not a requirement; most marriages happen in church. You have a best man and a maid or matron of honor at the wedding– a friend or a sibling. And, naturally, a man gets only one wife at a time.
  • If a man has sex with another man, he’s a homosexual.
  • Once you’re introduced to someone (well, besides the President and other lofty figures), you can call them by their first name.
  • If you’re a woman, you don’t go to the beach topless.
  • A hotel room has a private bath.
  • You’d rather a film be subtitled than dubbed (if you go to foreign films at all).
  • You seriously expect to be able to transact business, or deal with the government, without paying bribes.
  • If a politician has been cheating on his wife, you would question his ability to govern.
  • Just about any store will take your credit card.
  • A company can fire just about anybody it wants, unless it discriminates by doing so.
  • You like your bacon crisp (unless it’s Canadian bacon, of course).
  • Labor Day is in the fall.

Contributions to world civilization

  • You’ve probably seen Star Wars, ET, Home Alone, Casablanca, and Snow White. If you’re under forty, add Blazing Saddles, Terminator, Jaws, and 2001; otherwise, add Gone with the Wind, A Night at the Opera, Psycho, and Citizen Kane.
  • You know the Beatles, the Rolling Stones, Bob Dylan, Elvis, Chuck Berry, Michael Jackson, Simon & Garfunkel, Linda Ronstadt. If not, you know Frank Sinatra, Al Jolson, Duke Ellington, Louis Armstrong, Tony Bennett, and Kate Smith.
  • You count on excellent medical treatment. You know you’re not going to die of cholera or other Third World diseases. You expect very strong measures to be taken to save very ill babies or people in their eighties. You think dying at 65 would be a tragedy.
  • You went over US history, and some European, in school. Not much Russian, Chinese, or Latin American. You couldn’t name ten US interventions in Latin America.
  • You expect the military to fight wars, not get involved in politics. You may not be able to name the head of the Joint Chiefs of Staff.
  • Your country has never been conquered by a foreign nation.
  • You’re used to a wide variety of choices for almost anything you buy.
  • You still measure things in feet, pounds, and gallons.
  • You are not a farmer.
  • Comics basically come in two varieties: newspaper comics and magazines; the latter pretty much all feature superheroes.
  • The people who appear on the most popular talk shows are mostly entertainers, politicians, or rather strange individuals. Certainly not, say, authors.
  • You drive on the right side of the road. You stop at red lights even if nobody’s around. If you’re a pedestrian and cars are stopped at a red light, you will fearlessly cross the street in front of them.
  • You think of Canada as a pleasant, peaceful, but rather dull country, which has suddenly developed an inexplicable problem in Québec. You probably couldn’t explain why the Canadians didn’t join the other British colonies in rebelling against King George.
  • You consider the Volkswagen Beetle to be a small car.
  • The police are armed, but not with submachine guns.
  • If a woman is plumper than the average, it doesn’t improve her looks.
  • The biggest meal of the day is in the evening.
  • The nationality people most often make jokes about is the Poles.
  • There’s parts of the city you definitely want to avoid at night.

Outside the Beltway

  • You feel that your kind of people aren’t being listened to enough in Washington.
  • You wouldn’t expect both inflation and unemployment to be very high (say, over 15%) at the same time.
  • You don’t care very much what family someone comes from.
  • The normal thing, when a couple dies, is for their estate to be divided equally between their children.
  • You think of opera and ballet as rather elite entertainments. It’s likely you don’t see that many plays, either.
  • Christmas is in the winter. Unless you’re Jewish, you spend it with your family, give presents, and put up a tree.
  • You may think the church is too powerful, or the state is; but you are used to not having a state church and don’t think that it would be a good idea.
  • You’d be hard pressed to name the capitals or the leaders of all the nations of Europe.
  • You aren’t familiar with Mafalda, Lucky Luke, Corto Maltese, Milo Manara, Guido Crepax, Gotlib, or Moebius.
  • You’ve left a message at the beep.
  • Taxis are generally operated by foreigners, who are often deplorably ignorant about the city.
  • You are distrustful of welfare and unemployment payments– you think people should earn a living and not take handouts. But you would not be in favor of eliminating Social Security and Medicare.
  • If you want to be a doctor, you need to get a bachelor’s first.
  • There sure are a lot of lawyers.

Space and time

  • If you have an appointment, you’ll mutter an excuse if you’re five minutes late, and apologize profusely if it’s ten minutes. An hour late is almost inexcusable.
  • If you’re talking to someone, you get uncomfortable if they approach closer than about two feet.
  • About the only things you expect to bargain for are houses, cars, and antiques. Haggling is largely a matter of finding the hidden point that’s the buyer’s minimum.
  • Once you’re past college, you very rarely simply show up at someone’s place. People have to invite each other over– especially if a meal is involved.
  • When you negotiate, you are polite, of course, but it’s only good business to ‘play hardball’. Some foreigners pay excessive attention to status, or don’t say what they mean, and that’s exasperating.
  • If you have a business appointment or interview with someone, you expect to have that person to yourself, and the business shouldn’t take more than an hour or so.

No debugger in C#?

I don’t get it. Anatoly discusses how he (along with other people he quotes) doesn’t use the debugger in C# or any other managed code, instead letting the runtime find the exception and “deal” with it.

Now I don’t know these people and they could probably be correct in the context of the applications they write, but I don’t agree with their viewpoint. Sure there are applications that would not warrant the use of a debugger (like HelloWorld *grin*), but most of the applications I design and work on are fairly complex and the debugger is a very invaluable tool! Exceptions are very expensive (as discussed here) and should be used wisely! Of all the features of Whidbey, the one I am most excited about is the huge improvements in the debugger and also how you can extend the debugger with GUI to inspect your complex data types. The point also holds for any managed language and not just .NET. What do you think?

DotGNU on Pocket PC

Pocket C# is a port of the C# compiler from the DotGNU project to Windows CE. DotGNU contains an open-source runtime, compiler, tools and many other things to make a free cross-platform .NET environment. I took only the compiler and several required tools and ported them with some modifications to the WinCE platform. This would allow you to develop and build applications using standard .NET CF and C# right on your pocket device. It’s quite easy, you almost don’t need to do anything manually – just write your code and project file and then build it with one tap.

Components that are currently “shipping” are:

  • C# compiler (cscc-cs)
  • IL (intermediate language) assembler (ilasm)
  • Linker (ilalink)
  • Wrapper for these tools (cscc)
  • XML based build tool (csant)
  • Runtime libraries – standard Microsoft .NET CF
  • Sample applications

Currently this is the compiler only, but an IDE has been proposed to make programming easier on this. There have also been some talks about possible support for J# and VB.NET.

You can check out the newsgroups and get more information on DotGNU.

What makes good code good?

As Paul DiLascia discusses in his article in MSDN Magazine (most of which I am gonna mooch-off here), what is good code? Does good code mean that the program works as it is meant to without bugs? Well if that is your only criterion, then I don’t think so, that is something that is expected. One also needs to look at it internally – as they say beauty is beneath the skin (or something like that anyways). As Paul asks, what internal qualities produce perfection (for the application/code)? It does not matter what language or platform you program in – one needs to remember the things that were taught in school when you took your first programming class – simplicity, readability, modularity, layering, design, efficiency, elegance and clarity.

  • Simplicity – It does not mean NOT writing 10 lines of code for something that can be done in 5 – but rather to make the extra effort to be concise but not to the point of obfuscation. It also means that your functions should not be spanning pages. Simplicity makes the code easier to manage and debug making it more reliable and hence bug free.
  • Readability – This means that others can read your code. It means you take the effort to write comments and explanations (for very complex things) in the code. It also means to follow your coding guidelines and choose variable and function names carefully.
  • Modularity – I like how Paul put this. This means your application is built like the universe. The world is made of molecules, which are made of atoms, electrons, nucleus, quarks and strings! Similarly, good programs build large systems from smaller ones which in turn are built on smaller building blocks. Just as atoms combine in novel ways, software components should be reusable.
  • Layering – This means that internally your application resembles a layer cake (slurp, smack, drool). The app sits on the framework which sits on the OS and within the application you follow a similar paradigm. The higher layers should call the lower ones which in turn raise events back up. Lower layers should never know what the higher ones are up to.
  • Design – This means read Dilbert! Invest the time to plan and design your application before you build it – much much cheaper in the long run.
  • Efficiency – Means the application should be acceptably fast and economical i.e. it does not hog any resources. It loads and departs without a fuss. At a high level you need to be aware of your performance requirements.
  • Elegance – This is like beauty – hard to describe but easy to recognise. Elegance combines simplicity, efficiency, brilliance and above all pride.
  • Clarity – This is the “granddaddy” of good programming. The fundamental challenge of programming is managing complexity! All the other points mentioned above are ways to achieve clarity – clarity of code, clarity of design, clarity of purpose. You must understand and really understand what you are doing at every level. Bad programs are less often a failure of coding skills than of having a clear goal which is why design is the key. If you cannot write it down, you cannot explain to others, you don’t really know what’s happening!

I am a big believer of the principle of KISS (Keep It Simple and Stupid)! All the above points to that. In the real world there are very rare instances where someone has not tried to make this more complex than it needs to be (with yours truly being guilty of the same). But everyone learns (and so did I). The key is to remember KISS and that your design needs to be good. If the architect on the project is not making that clear (or doing it correctly), then he/she/they need to be told!

What do you think makes good code?