Last Week in .NET #23 – Solarwinds gets hacked; Microsoft goes on the Attack

In what I can only describe as a “lead magnet”, here’s a copy of my weekly .NET newsletter, creatively titled “Last Week in .NET”. I’m posting it here in the vain hopes that you’ll sign up for the newsletter or subscribe to the podcast. ♥

Between the SolarWinds hack, Microsoft releasing a working document detailing the problems with the .NET ecosystem, and a bouncy castle crypto vulnerability, it’s been a busy week. Let’s dive in and see what happened, shall we?

🤼 Immo Landwerth, PM for .NET, writes a document on the ecosystem problems in .NET. This document is monumental in being a candid take on the .NET OSS ecosystem problem; and while it says it softer than I will, it lays the blame for the state of the .NET ecosystem on Microsoft. Building trust with your community is the first step to solving any problem (and let’s be clear: building trust if-you-don’t-already-have-it should always be the first step) and this document does just that. Microsoft is its own worst enemy when it comes to building a sustainable ecosystem for .NET. Luckily they’re at least aware of the problem. There’s also a GitHub issue devoted to feedback on The Document and you should chime in if you have passionate thoughts on the subject. I know I do.

.NET Core updates are coming to… Microsoft update (not Windows Update!). Well, not exactly. Client updates will happen through “Automatic Updates”, server updates will happen via WSUS and Microsoft Update. Somewhere a sysadmin is crying.

🚨 The Bouncy Castle project has a vulnerability in its authentication module which allows attackers to very easily figure out the hashed passwords. The flaw? It checks that the characters exist in the string instead of checking that the characters are at the correct index. Hugops to the Bouncy Castle team.
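To make the flaw class concrete, here is an added illustration (not Bouncy Castle’s code, and not from the original post) with a constructed, non-real hash string: a membership-based comparison beside a positional constant-time one, plus the kind of regression check a team could keep in its test suite to catch this bug pattern.

```python
import hmac

# Constructed sample value for illustration only (NOT a real bcrypt output).
# Layout mimics bcrypt: prefix, 22-char salt, then a 31-char encoded hash.
STORED = "$2a$10$constructedSaltValueXY0123456789abcdefghijklmnopqrstu"


def flawed_check(stored: str, computed: str) -> bool:
    """Mimics the flaw class described above: each character of the
    computed hash is only checked for membership in the stored hash,
    never for being at the same index, so any rearrangement of the
    same characters is accepted."""
    if len(stored) != len(computed):
        return False
    matches = True
    for ch in computed:
        matches &= stored.find(ch) >= 0   # wrong: position is ignored
    return matches


def fixed_check(stored: str, computed: str) -> bool:
    """Positional comparison in constant time (what a hash check
    should do): every index must match."""
    return hmac.compare_digest(stored.encode("ascii"),
                               computed.encode("ascii"))


def reversed_tail(s: str, n: int = 31) -> str:
    """Build a candidate with the same characters as s but the last n
    characters reversed: same multiset of characters, different string."""
    return s[:-n] + s[-n:][::-1]


def comparison_is_positional(check) -> bool:
    """Regression check for a hash-comparison function: it must accept
    the exact stored value and reject a mere rearrangement of it."""
    return check(STORED, STORED) and not check(STORED, reversed_tail(STORED))


if __name__ == "__main__":
    print("flawed_check positional?", comparison_is_positional(flawed_check))
    print("fixed_check positional? ", comparison_is_positional(fixed_check))
```

Running the regression check over the flawed function reports False, which is exactly the signal a unit test should raise.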

👩‍💻 Not to be outdone by Apple, Microsoft is designing its own ARM chips for its servers and Surface PCs. No amount of designing your own chips will get Microsoft out of the “We must support all of our software from the beginning of time” problem they’ve created for themselves, and that problem is central to why “just making ARM chips” won’t make things better. Maybe this is the business person in me talking; but perhaps some of these 25 year old applications need to be rewritten off of Win32?

📝 CodeMaze walks through using Authentication in ASP.NET Core with Angular. I got excited for a second when I thought they were going to cover authorization, but no. No one covers Authorization. Authorization is like married couple sex. You know people do it, but you never see it and they really don’t talk about how they do it that much.

You can win $250 US dollars by taking part in the .NET Foundation “State of .NET” survey. Yes, I have jokes, but I’ll put those aside for a second to say: You should take this survey. The .NET Foundation needs to hear what you find important, and they need you to be as direct about it as possible. Also, how can Microsoft possibly figure out which open source project to torpedo next if you don’t tell them what you’re using?

🚨🚨🚨 The SolarWinds DLL used to hijack systems, “Solorigate”, was catalogued last week by the folks at Microsoft. In case you missed that fun, nation-state-level hackers found the deployment credentials for SolarWinds updates on GitHub; engineered an update with a malicious payload inside of it, got into a few dozen government agencies’ networks, used that payload to install backdoors and laterally move into other systems, and all the while kept it secret for 9 months. This post goes deep into an analysis of that DLL. This is what we need more of. Microsoft immediately stepped up, addressed how this happened and now provides an immensely valuable resource on learning more about the inner workings of this attack.

📝 Lesley Carhart writes up her own thoughts on the SolarWinds attack. No snark here, Lesley is one of the smartest infosec people I know, and her commentary is always helpful in these trying times (gestures broadly).

🎥 Remember when movie tie-ins were terrible video games? Now it’s using the movie to teach people how to code, and we’re all the better for it. Space Jam: A New Legacy is coming out, and why not use it to teach people how to code?

📝 Xamgirl shows you how to implement multi-binding in Xamarin.Forms. Blog posts on Xamarin are the programmer’s equivalent of a gym membership. I read them, and I really want to pick up Xamarin.Forms; but then I have Ionic sitting right there and I just don’t do it. I can just read the blog posts and learn Xamarin vicariously through that; right?

📝 Telerik reminds you of 10 things you probably didn’t know about Blazor. Not covered on the list is that Blazor is the programming language for stoners; and it represents an underground attempt to make Mary Jane mainstream. Sigh. I can’t do it. I can’t write satire about QAnon without it sounding completely nuts and completely plausible that someone thinks that all at the same time.

📝 So there’s a blog post by David Pine that shows you how to do localization using machine-generated translations from Azure. Well, that’s pretty flipping neat.

🤼 The team working on System.Text.Json details what’s next. Given that Newtonsoft.Json is functionally stable and doesn’t seem to be getting many more updates, it doesn’t make a whole lot of sense for teams looking for new JSON serialization to use Newtonsoft.Json, and so we may as well embrace what Microsoft has created here.

🐦 David Fowler shares his progress on improving Http.sys for teams migrating from .NET Framework to .NET Core, and given the age of the code in question, this PR serves as a really good way to see how to make performance improvements to code that’s almost 20 years old.

🎙 Dotnet Rocks interviews Laura Laban, CEO of InfiniteFlight on her product InfiniteFlight, which is a .NET and C# mobile flight simulator. Yes, a mobile flight sim written in C# and using .NET. That alone is amazing.

🐦 Nick Craver, Architecture Lead at Stack Overflow, deep dives into a mysterious bug the Stack Overflow team was running into and what they found was causing it. Stack Overflow runs on .NET 5; and this Twitter thread is about as close as you can come to “being along for the ride”. Well worth your time to read.

💸 Microsoft changes its certification programs and makes them free, but you have to renew them yearly. This isn’t so bad, especially given the rate of change these days. One reason why a “Last Week in .NET” wouldn’t have worked before .NET Core is that… well… release cycles were counted in years, not weeks.

🎥 Channel 9 deep dives into what is MSAL + Microsoft.Identity.Web to which I have the same question, and a follow up if you will: how is this different from IdentityServer?

And that’s what happened last week in .NET. We’re going to be feeling the effects of the SolarWinds attack for years. The sheer patience involved in the attack, coupled with the way that systems were compromised and how lateral movement occurred, means that it could be quite a while before we know the full extent of the damage. And on that happy note, I’ll see you next week; maybe. Depends on what sort of news comes out this week in the world of .NET. It being close to Christmas, probably not a whole lot.
