Happy Holidays!

In an effort to escape Seattle’s … interesting … weather patterns of the last few months, I’ve taken off to New York for the holidays.  (And unlike last year’s 19 degree temperature drop, this year it’s actually going to be warmer in the Northeast.  Go figure.) So, until January, Happy Holidays!  -Shawn


Evidence Must Be Serializable

The Evidence object acts as a collection for any sort of object that you want to add as evidence for an assembly or AppDomain.  (It can get confusing because there is both an Evidence class and objects used as evidence.  I’ll capitalize the first one to disambiguate between them).  Both the AddHost and AddAssembly methods take…


new NamedPermissionSet

Every once in a while I find some code doing something similar to this: new NamedPermissionSet(“LocalIntranet”).Assert(); // … call some API that requires Intranet permissions here CodeAccessPermission.RevertAssert(); At best this code is confusing to people reading it, and at worse this code is actually doing something very different than what the author is intending to do. The…


Relative URL Membership Conditions

Caspol will allow you to setup a URL membership condition with a relative URL by using a command such as: caspol -ag 1. -url Foo.dll Internet -exclusive on This command probably doesn’t do exactly what you would expect though.  Namely, it does not resolve the location of foo.dll when you run the command and store…


SecureString Redux

A few times over the last couple of days discussion about a tool on the Internet which can attach to your process and dump out the contents of your SecureStrings has come up.  If this tool can exist, then what benefit does SecureString really provide? The fact that this tool can exist is not a…


Quickly Testing Code Under Different Cultures

Earlier this week, a situation came up where we needed to make sure a new feature worked when it was used with a non-English culture.  Normally we’d run some tests on a Japanese machine, but one wasn’t readily available at the time.  Instead, I put together a quick tool that our tester could use to…


XML Digital Signature Verification with Unknown URI Schemes

A few years back, there was a discussion thread on one of my XML digital signature posts about verifying an XML digital signature which had references to a URI prefixed with cid:.  Recently Mattias Lindberg ran into this problem as well, and devised a clever solution to it. Mattias realized that SignedXml uses WebRequest.Create to help…


Kenny Kerr Explores UAC

Kenny Kerr, one of our Security MVPs, has updated his Windows Vista for Developers series with Part4 – User Account Control.  Kenny takes an in-depth look at what UAC means for developers and covers areas that a lot of other sources don’t touch on, such as integrety levels.  This is absolutely worth a read once…


The Differences Between Rijndael and AES

When you need to write managed code that encrypts or decrypts data according to the AES standard, most people just plug the RijndaelManaged class in and go on their way.  After all, Rijndael was the winner of the NIST competition to select the algorithm that would become AES.  However, there are some differences between Rijndael…


Using Lightweight CodeGen from Partial Trust

Last time I talked about the new Orcas feature allowing you to use reflection from partial trust.  Specifically we talked about standard reflection and Reflection.Emit, putting off Lightweight CodeGen until today. Before we start, if you’re new to LCG, you might want to check out Yiru’s quick introduction to the feature.  If you’re planning on…