[Last Week in .NET #86] – Spring has Sprung and so have Security breaches

It’s been a while, and I appreciate all the well-wishes I received from you all. Unfortunately my FIL is still in the hospital (he’s been in the hospital for 105 days, which is itself a shocking number), but as they say, the show must go on.

I’ll spend this time catching you (and let’s be real, me too) up on what happened in the world of .NET since we last talked.

🙈 [Microsoft is caught testing ads in Windows 11 File Explorer and then once chastised, said it was ‘not intended to be published externally’](https://www.theverge.com/2022/3/15/22979251/microsoft-file-explorer-ads-windows-11-testing).

I’m grateful Microsoft didn’t try to lie, but I almost would have preferred a lie over the eventuality that Ads are going to be in my operating system.


🙋‍♀️ Nadine Dorries, Britain’s Big Tech Slayer asks Microsoft “When are you getting rid of the algorithms?” I don’t know if it’s better or worse that Microsoft’s business decisions have been made by humans to this point. All kidding aside, as an industry we rely on the almighty algorithm as God and it thankfully is backfiring. Sure, it’s easier to rely on a computer than it is to make humans make decisions, but in true Computer Science form we are only, at best, adding another layer of indirection. Or, as the saying about using a regex goes, now you have two problems.


1️⃣Uno Platform v4.2 has been released. This includes .NET 6 Mobile RC1 (what is .NET 6 Mobile? I’ve been gone far too long) and support for Visual Studio 2022 17.2 Preview 4. Apparently it also includes support for using OpenGL to render the UI chrome. This feels important but UI programming has long been a convoluted mess for me to understand. I’m not proud of it but it took me over a decade to understand what the “X Window Server” even did.


🥚🥚Okta had a security incident, followed by a mea culpa, followed by a blog post that says, “Secure your .NET 6 Web API [with Okta]”. I could not read the blog post because the author’s cojones were blocking the screen.


💸Tim Cochran and Carl Nygard write a rather extensive article on MartinFowler’s website about tech debt. I like the article, though I take issue with branding accidents, mistakes, and inexperience as technical debt.


😎How do we remove the ‘not cool’ label from .NET? Do you want to be cool? or do you want to be successful? Which one really matters?


The null parameter checking feature x!! has been removed from C# 11. I’ve been banging the drum against syntax explosion for years and while I have no doubt that I’ve had no effect at all on anyone about this, I’m still happy to put a point up on the “please stop” board. C# is a wonderful language, but the more baggage you add to it, the harder it becomes to maintain, and someone has to go through the years of legacy code and remember the ‘old ways’ (that were considered ‘new’ as of 2018). You know what happens when you just add syntax on a whim? Perl happens.


📃Matt Zorich says you should use Azure AD Password Protection on-prem if you are licensed for it. Azure AD Password protection sets up global lists of ‘bad passwords’ to keep people from using them. They’ve got the money, why not just buy LastPass and integrate it into the OS? Why this half-step?


‼Security Alert: Attack Campaign involving stolen OAuth user tokens issued to two third-party integrators. On April 12th, GitHub Security uncovered that attackers were using OAuth app tokens to download data from their customers. It appears that either Heroku or Travis-CI (or both) had a breach, and the attacker used the OAuth tokens to get into the GitHub repositories. Heroku’s take on this incident is linked previously, but Travis-CI has been mum on this topic as far as I can tell.

Security breaches are bad. Not saying anything when another company accuses you of having a security breach is worse. You understand how it’s worse, right TravisCI?


📹MalwareTech takes you through how to reverse engineer an RPC vulnerability in Windows (specifically CVE-2022-26809). This is a must-watch video.


Mysteries of the Registry. I preferred the old days of file-based configurations, since file-based backups are as old as computers themselves. But despite that, the registry is still an interesting thing to read about.


🗄Speaking of which, you can download File Manager from Windows 3.1 for Windows 11. This is about where we peaked, if I’m being honest.


🏠New Security Features for Windows 11 will help protect hybrid work, I too also know a cheaper and easier way to protect hybrid work: Don’t go into an office. Work Remote 100% of the time. If your house gets broken into you have more pressing issues.


🤵Kenney Myers releases a demo app built in .NET 6 and using server-side Blazor. The jury is still out on Blazor. Its adoption rate is dismally low. Why aren’t you using Blazor? Hit reply and let me know.


🌭The Software Development industry is a sausage fest. 91.67% (The .67% is just adding insult to injury) of the industry identifies as a dude. Not coincidentally, diverse eco-systems have better survival rates than non-diverse ecosystems.


💪Azure Virtual Machines support ARM. No snark, just cool.


🍪Will DockerTools ever support .NET Hot Reload? If you give a mouse a cookie, they’re gonna want a glass of milk.


🎉Windows App SDK 1.1 Preview is out. It also turns out that in the intervening time they released 1.1 Preview 2.


💀.NET 5 End of Life is May 8th, 2022 followed by .NET Core 3.1 on December 3rd, and tomorrow.. Yes, tomorrow, .NET 4.5.2 through 4.6.1 are End of Life’d.

I wish they’d just go ahead and EOL everything before .NET 4.7.2 — that’s when the “.NET Standard 2.0” is more or less guaranteed to work with .NET Framework.

🥊Miguel de Icaza brings up an old beef with .NET bindings and Unity. It’s a tale as old as tech: Platform A writes hooks into Platform B. Platform B gets upset, fearing a bridge is being built over its moat, and kills the hooks. Who loses? We do. We all do.


🎉.NET 7.0 Preview 3 has been released. As usual the EF Core team operates at a frenetic pace.


🎉.NET 6.0.4 has been released with “non security fixes and performance improvements”, and you can click through to learn more depending on what you use.


🎉 And .NET 5.0.16 is out also with those same sorts of non-security updates and performance improvements. Interestingly Microsoft is making .NET Core updates available via Microsoft Update on an opt-in basis. Does Microsoft Update support Linux Server OSes? Probably not.


🎉 Finally, .NET 3.1.24 was released, along with the others, with the same sort of updates. I’m gonna go ahead and say it, if you’re still using .NET Core 3.1, it’s way past time to adopt .NET 6. Way past time.

And that’s what’s happened since the last time you and I talked about .NET. I hope you are well, and I’ll see you next week.
