Threat Modeling Google group is now available

I’ve been using Microsoft’s Threat Analysis and Modeling (TAM) tool for about a year now, and I’ve gotten to really love how much easier and user-friendly this tool is than anything else I’ve found so far on the ‘net.  I’ve tried to find anything that was as comprehensive, easy for beginners, flexible and extensible as TAM is (let alone free), and there’s nothing else that even comes close.  Anytime I’m asked now to do any Threat Modeling for a product or technology, the only tool I would seriously consider is TAM.

That said, the more I work with it, I’m finding there are enhancements I’d like to make, or things I’d like to better understand:

  • What are the key steps that I should never skip?
  • What tools are useful for generating additional XSLT Report templates?
  • How does TAM merge overlapping content when importing Attack Libraries?
  • What extensibility classes are available for .NET-friendly developers to add to this tool?
  • What’s a reasonable number of Components or Attacks to include in any one threat model?

I’ve worked with the TAM team at Microsoft to get some ideas on this, but they’re pretty much working flat-out on the Security Assessments for which they built this tool in the first place.  I’ve scoured their old blog entries (here, here and here) to glean tidbits, but I’d really like to work with more folks who are also using this – share what I’ve learned and get their input and ideas as well.

I’d hoped that Microsoft would have a Community forum for this great tool, but since they don’t, I’ve taken the bull by the horns and created one myself.  You can find it here on the Google Groups site.  Yes, Google.  Horrors!

I’ve tried to use MSN Spaces in the past as a collaboration workspace, but I’ve found Google Groups and Yahoo Groups are both better platforms for this sort of thing.  They give you more control, with less futzing around trying to make things “look right”, and they’re investing significant effort into these platforms.  Frankly, I’m a lazy guy at heart, and it was really freakin’ easy to set up the Google Group.  Sue me.

Call to Action: if you’re using Microsoft’s TAM tool already, or you know someone who’s responsible for things like “Secure Coding”, “Risk Assessments” or “Threat Modeling”, I’d encourage them to check out the Group, post some sample Files, start some Discussions or even just lurk for good ideas!

Debugging persistent Outlook crashing – can only go so far…

I’ve been experiencing a persistent crash in Outlook for months now – often Outlook will crash when I Send an email.  I suspect it’s related to the fact that in the main Outlook form (Mail/Inbox) the Reply, Reply All and Forward buttons and keyboard shortcuts are inactive.  [They work from the context menu of an individual message, or if I open a message and use the buttons from the Toolbar displayed above the message itself.  Yes, very weird.]  I suspect it’s a result of an unclean uninstall of the Getting Things Done add-in for Outlook – which I used to like, but which has been supplanted by the combination of MindManager and ResultsManager (at least this week).

In any case, I’ve captured multiple .DMP files, but when I try to debug them I get very sketchy results.  I used to think it was because I don’t have access to symbols for the add-ins that I’ve installed for Outlook – which is normally where these kinds of crashes come from.  However, I’ve disabled all the add-ins that are listed in Outlook > Tools > Options > Other > Advanced Options > “Add-in Manager” & “COM Add-Ins”, and I’m still getting the same kind of crashing behaviour.  I’m still getting spotty results, which tells me I don’t even have symbols for Outlook (to map the function offsets that are listed in the dump), and I’ve been beating my head against a wall trying to figure out how to get access to them.

I’m almost positive I’ve got the Microsoft Internet Symbol Server configured correctly, and yet I continue to get errors like this:

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for OUTLLIB.DLL –
OUTLLIB!OlkGetUIlangID+0xd434:

I discovered that you can debug the loading operations with the !sym noisy command.  Once I enabled this, I saw this in my .reload output:

0:000> .reload
…………………………………………………………………………………………………………………………………………………..
SYMSRV:  C:\symbols\OUTLLIB.DLL\4566283D749000\OUTLLIB.DLL not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/OUTLLIB.DLL/4566283D749000/OUTLLIB.DLL not found
DBGENG:  C:\Program Files\Microsoft Office\OFFICE11\OUTLLIB.DLL – Mapped image memory
SYMSRV:  C:\symbols\outllib.pdb\0EAE667B6A73417A9D7DC2E4C81382232\outllib.pdb not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/outllib.pdb/0EAE667B6A73417A9D7DC2E4C81382232/outllib.pdb not found
DBGHELP: outllib.pdb – file not found
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for OUTLLIB.DLL –
DBGHELP: OUTLLIB – export symbols

I wanted to double-check that it wasn’t just a lack of some specific version of OUTLLIB.DLL, so I browsed to http://msdl.microsoft.com/download/symbols/OUTLLIB.DLL/, and received a 404 error.  To make sure there wasn’t some subtle IIS configuration issue, I tested http://msdl.microsoft.com/download/symbols/KERNEL32.DLL (a known good library), which gave me a 403 (Forbidden) error.

That tells me that Microsoft still hasn’t published Office symbols to the Internet – even while they’re trying to push application developers to use Office as a “platform” on which to build enterprise-class applications (VSTO, VSTA).  That’s a really noticeable gap, at least to me.

In any case, this is as good a debug output as I’m able to get:

FOLLOWUP_IP:
OUTLLIB!OlkGetUIlangID+d434
301b7b82 ff506c          call    dword ptr [eax+6Ch]

SYMBOL_STACK_INDEX:  0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: OUTLLIB

IMAGE_NAME:  OUTLLIB.DLL

DEBUG_FLR_IMAGE_TIMESTAMP:  4566283d

FAULTING_THREAD:  000014d0

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

PRIMARY_PROBLEM_CLASS:  NULL_CLASS_PTR_DEREFERENCE

BUGCHECK_STR:  APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE

SYMBOL_NAME:  OUTLLIB!OlkGetUIlangID+d434

FAILURE_BUCKET_ID:  APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_OUTLLIB!OlkGetUIlangID+d434

BUCKET_ID:  APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_OUTLLIB!OlkGetUIlangID+d434

Unfortunately, Google Groups and the web have nothing helpful to understand what “APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE” even means, let alone how to fix the problem it flags.

If I ever come up with a good answer to this, I’ll be sure to post it.  In the meantime, if anyone has any clues or hints for me on what I could do to narrow this down any further (e.g. any cool or powerful commands that I don’t know about – which probably includes anything beyond .symfix, .reload, k and !analyze -v).
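The `!sym noisy` lines quoted in this post can be read mechanically. The following is an added example, not code from the original post: it parses the SYMSRV misses, splits each symbol-store key into its fields (image timestamp plus image size for a DLL, GUID plus age for a PDB), and flags frames that were resolved from export symbols only. The 0x1000 offset threshold and all function names are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Lines copied from the "!sym noisy" output in the post (dashes normalised to ASCII).
NOISY_LOG = r"""
SYMSRV:  C:\symbols\OUTLLIB.DLL\4566283D749000\OUTLLIB.DLL not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/OUTLLIB.DLL/4566283D749000/OUTLLIB.DLL not found
DBGENG:  C:\Program Files\Microsoft Office\OFFICE11\OUTLLIB.DLL - Mapped image memory
SYMSRV:  C:\symbols\outllib.pdb\0EAE667B6A73417A9D7DC2E4C81382232\outllib.pdb not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/outllib.pdb/0EAE667B6A73417A9D7DC2E4C81382232/outllib.pdb not found
DBGHELP: outllib.pdb - file not found
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for OUTLLIB.DLL -
DBGHELP: OUTLLIB - export symbols
"""

SYMSRV_MISS = re.compile(r"^SYMSRV:\s+(?P<path>\S.*?)\s+not found\s*$")
EXPORT_ONLY = re.compile(r"^DBGHELP:\s+(?P<module>\S+)\s+[-\u2013]\s+export symbols\s*$")
FRAME = re.compile(r"^(?P<module>[^!]+)!(?P<func>[^+]+)\+(?:0x)?(?P<off>[0-9a-fA-F]+)$")

# Assumption for this example: with export symbols only, the debugger names the
# nearest preceding export, so a large offset means the name is probably wrong.
MAX_PLAUSIBLE_OFFSET = 0x1000


def decode_key(file_name, key):
    """Split a symbol-store index key into the fields it was built from."""
    if file_name.lower().endswith(".pdb") and len(key) > 32:
        g = key[:32]  # PDB 7.0 key: 32 hex digits of GUID, then the age in hex
        return {"kind": "pdb",
                "guid": "-".join((g[:8], g[8:12], g[12:16], g[16:20], g[20:])),
                "age": int(key[32:], 16)}
    stamp = int(key[:8], 16)  # PE key: 8 hex digits of TimeDateStamp, then SizeOfImage
    return {"kind": "image",
            "timestamp": stamp,
            "size_of_image": int(key[8:], 16),
            "linked_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()}


def failed_lookups(log):
    """Map (file, key) to the set of stores ('local', 'http') that missed."""
    misses = {}
    for line in log.splitlines():
        m = SYMSRV_MISS.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        parts = re.split(r"[\\/]", path)
        if len(parts) < 3:
            continue
        store = "http" if path.lower().startswith(("http://", "https://")) else "local"
        misses.setdefault((parts[-3], parts[-2]), set()).add(store)
    return misses


def export_only_modules(log):
    """Modules for which the debugger fell back to export symbols."""
    found = set()
    for line in log.splitlines():
        m = EXPORT_ONLY.match(line.strip())
        if m:
            found.add(m.group("module").upper())
    return found


def frame_is_unreliable(frame, export_only):
    """True when a module!function+offset frame rests on export symbols alone."""
    m = FRAME.match(frame.strip())
    if not m:
        return False
    return (m.group("module").upper() in export_only
            and int(m.group("off"), 16) > MAX_PLAUSIBLE_OFFSET)


def report(log, frame):
    """Summarise what the noisy log says about one faulting frame."""
    exports = export_only_modules(log)
    return {"misses": {k: sorted(v) for k, v in failed_lookups(log).items()},
            "decoded": {k: decode_key(*k) for k in failed_lookups(log)},
            "export_only": sorted(exports),
            "frame_unreliable": frame_is_unreliable(frame, exports)}


if __name__ == "__main__":
    for key, value in report(NOISY_LOG, "OUTLLIB!OlkGetUIlangID+0xd434").items():
        print(key, "=", value)
```

The decoded image timestamp is the same value the dump reports as DEBUG_FLR_IMAGE_TIMESTAMP, which confirms that the debugger asked the symbol store for exactly the OUTLLIB.DLL build that was loaded in the crashed process.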

EFS Certificate Configuration Updater tool is released!

After weeks of battling with Visual Studio over some pretty gnarly code issues, I’ve released the first version of a tool that will make IT admins happy the world over (well, okay, only those few sorry IT admins who’ve struggled to make EFS predictable and recoverable for the past seven years).

EFS Certificate Configuration Updater is a .NET 2.0 application that will examine the digital certificates a user has enrolled and will make sure that the user is using a certificate that was issued by a Certificate Authority (CA).

“Yippee,” I hear from the peanut gallery. “So what?”

While this sounds pretty freakin lame to most of the planet’s inhabitants, for those folks who’ve struggled to make EFS work in a large organization, this should come as a great relief.

Here’s the problem: EFS is supposed to make it easy to migrate from one certificate to the next, so that if you start using EFS today but decide later to take advantage of a Certificate Server, then the certs you issue later will replace the ones that were first enrolled. [CIPHER /K specifically tried to implement this.]

Unfortunately, there are some persistent but subtle bugs in EFS that prevent the automatic migration from self-signed EFS certificates to what are termed “version 2” certificates. Why are “version 2” certificates so special? Well, they’re the “holy grail” of easy recovery for encrypted files – they allow an administrator to automatically and centrally archive the private key that is paired with the “version 2” certificate.

So: the EFS Certificate Configuration Updater provides a solution to this problem, by finding a version 2 EFS certificate that the user has enrolled and forcing it to be the active certificate for use by EFS. [Sounds pretty simple eh? Well, there’s plenty of organizations out there that go to a lot of trouble to try to do it themselves.]

Even though this application fills a significant need, it doesn’t (at present, anyway) do everything that might be needed in all scenarios. The additional steps that you might need to cover include:

  • Enrolling a version 2 EFS certificate. [You can automate this with autoenrollment policy and the Windows Server 2003-based CA that is already in place for issuing v2 certificates and Key Archival.]
  • Updating EFS’d files to use the new certificate. [You can automate this by using CIPHER /U, but it’ll take a while if the user has a lot of encrypted files. The good news, however, is that the update only has to re-encrypt the FEK, not re-encrypt the entire file, so it’s much quicker than encrypting the same set of files from scratch.]
  • Ensuring that the user’s EFS certificate doesn’t expire before a new or renewed certificate is enrolled. [This is very easy to accomplish with Autoenrollment policy, but without the use of Autoenrollment, there is a significant risk that when the user’s preferred EFS certificate expires, the EFS component driver could enroll for a self-signed EFS certificate.]
  • Archiving unwanted EFS certificates. [This is different from deleting a digital certificate – which also invalidates the associated private key, which is NOT recommended. This would keep the certificates in the user’s certificate store, and preserve the private key — so that any files encrypted with that old certificate were still accessible. This is hard to do from UI or script, but is a feature I’m hoping to add to the EFS Certificate Configuration Updater in the near future. This is also optional – it just minimizes the chances of a pre-existing EFS certificate being used if the preferred certificate fails for some reason.]
  • Publishing the user’s current EFS certificate to Active Directory. [This is also optional. It is only necessary to make it possible — though still hardly scalable — to use EFS to encrypt files for access by multiple users (see MSDN for more information). This can be automated during Autoenrollment, but some organizations choose to disable publishing a 2nd or subsequent EFS certificate since the EFS component driver may get confused by multiple EFS certificates listed for a single user in Active Directory.]
  • Synchronizing the user’s EFS certificate and private key across all servers where encrypted files must be stored. [This is not needed if you’re merely ensuring that all sensitive data on the user’s notebook/laptop PC is encrypted, so that the loss or theft of that PC doesn’t lead to a data breach. However, if you must also enforce EFS encryption on one or more file servers, the EFS Certificate Configuration Updater will not help at all in this scenario.]

Try it out — Tell your friends (you have friends who’d actually *use* this beast? Man, your friends are almost as lame as mine – no offense) — Let me know what you think (but no flaming doo-doo on my front porch, please). And have a very crypto-friendly day. 😉

Funny Microsoft link of the day/month/year (whatever)

One in a very infrequent and unpredictable series:

http://www.techeblog.com/index.php/tech-gadget/video-zune-commercial-that-got-a-microsoft-employee-fired-starring-steve-ballmer

I’m pretty sure I’ve seen this performance — and if not, it’s damned similar to other occasions when I didn’t know whether to be amused, embarrassed or downright frightened.

Threat Modeling using Microsoft’s TAM tool? Visit the new online forum

I’ve been working with Microsoft’s free Threat Analysis and Modeling Tool for most of the year, and I’ve lamented the fact that there’s no online forum/group where I can share questions, ideas or custom templates with other users of the tool.

Well screw that – now there is just such a group (’cause I just created it).

If you’ve used this tool for developing/documenting your Threat Models, or if you’re considering it, then please feel free to lurk or even participate in this online community.  I’ll be posting what I’ve learned so far in using this tool, making available some reusable templates and reports, and generally giving the new group the care & feeding these things usually require at the onset.

Hope to see you Threat Analysts there!

Shameful: "Hotmail Fails To Deliver Up To 81% Of All Attachment Emails"

Outrageous.  First it took them FOREVER to come through on their promise to deliver 2 GB email accounts in the first place – my wife waited 3 or 4 months for her PAID account to get converted from the time they said it would happen “immediately”, and a year or more for her unpaid accounts. 

And now we see clear, damned-hard-to-refute evidence of how they’re not even providing a reliable mail delivery (let alone storage) service?

Hotmail Fails To Deliver Up To 81% Of All Attachment Emails

I can’t wait to see how they treat the stuff you put in their “reliable online storage services” – I sure ain’t gonna rely on Windows Live to backup my photos or documents.  I mean, how many of them would just “disappear” after six months of inactivity (or even just randomly, when no one’s looking)?

XSLT 1.0 defies the laws of physics – sucks AND blows simultaneously…

Holy crap, whoever came up with XSLT 1.0 must’ve really wanted me to suffer 🙂

I have spent the better part of a couple of weeks fighting with a simple piece of XSLT code to be able to generate some short, organized reports using the Microsoft Threat Analysis and Modeling tool (currently at v2.1.2).

It doesn’t help that the data model used by this tool has made a really poor choice in the way it classifies Threats:

  • The logical model would be to define an XPath like /ThreatModel/Threats/Threat[x], and then use an attribute or sub-element to assign the category of Threat
  • Instead, MS TAM v2.1.2 defines an XPath like this for each threat: /ThreatModel/Threats/$ThreatCategorys/Threats/$ThreatCategory
  • Thus, for a Confidentiality Threat, you get /ThreatModel/Threats/ConfidentialityThreats/Threats/ConfidentialityThreat
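As an added example (not part of the original post, and not TAM's own code), the per-category layout described above can be flattened into the "logical" layout before any report is generated. The sample document is constructed: only the ConfidentialityThreat path comes from the post, while the Integrity and Availability element names and the Name child are assumptions that follow the same naming pattern.

```python
import xml.etree.ElementTree as ET

# Constructed sample; only the ConfidentialityThreat path is given in the post.
SAMPLE = """<ThreatModel>
  <Threats>
    <ConfidentialityThreats><Threats>
      <ConfidentialityThreat><Name>Order history disclosed to another customer</Name></ConfidentialityThreat>
      <ConfidentialityThreat><Name>Session token written to a shared log</Name></ConfidentialityThreat>
    </Threats></ConfidentialityThreats>
    <IntegrityThreats><Threats>
      <IntegrityThreat><Name>Price field altered in transit</Name></IntegrityThreat>
    </Threats></IntegrityThreats>
    <AvailabilityThreats><Threats/></AvailabilityThreats>
  </Threats>
</ThreatModel>"""

SUFFIX = "Threats"


def normalise(xml_text):
    """Rewrite /ThreatModel/Threats/<Cat>Threats/Threats/<Cat>Threat as
    /ThreatModel/Threats/Threat[@category='<Cat>'].

    Returns the new root and the tags of any groups that did not fit the pattern.
    """
    src = ET.fromstring(xml_text)
    out_root = ET.Element("ThreatModel")
    out_threats = ET.SubElement(out_root, "Threats")
    skipped = []
    for group in src.findall("./Threats/*"):
        # The category is whatever precedes the "Threats" suffix in the group tag.
        if not group.tag.endswith(SUFFIX) or group.tag == SUFFIX:
            skipped.append(group.tag)
            continue
        category = group.tag[:-len(SUFFIX)]
        for threat in group.findall(f"./Threats/{category}Threat"):
            flat = ET.SubElement(out_threats, "Threat", dict(threat.attrib))
            flat.set("category", category)
            flat.text = threat.text
            flat.extend(threat)  # reuse the child elements under the new parent
    return out_root, skipped


def names_in(root, category):
    """One attribute predicate now selects a category, whatever its name."""
    path = f"./Threats/Threat[@category='{category}']"
    return [t.findtext("Name", default="") for t in root.findall(path)]


def count_by_category(root):
    """Count threats per category in the normalised tree."""
    counts = {}
    for threat in root.findall("./Threats/Threat"):
        counts[threat.get("category")] = counts.get(threat.get("category"), 0) + 1
    return counts


if __name__ == "__main__":
    flat_root, unknown = normalise(SAMPLE)
    print(count_by_category(flat_root), "skipped:", unknown)
    print(ET.tostring(flat_root, encoding="unicode"))
```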

It certainly also doesn’t help that Microsoft has fallen behind all the other major XML engine vendors in implementing XSLT 2.0.  This article here indicates that not only did they wait to start any of the work until after the Recommendation was completed, but that they have NO planned ship vehicle or release date (despite the fact that XSLT 2.0 has been in the works for five years).

But really the fundamental problem that I (and about a million other people out there, over the last 7-8 years) am challenged by is the fact that you can’t pass what’s called an RTF (“Result Tree Fragment”) in an XPath 1.0 expression – the XSLT 1.0 standard just doesn’t allow dynamic evaluation of such an expression, AND they didn’t provide any reasonable way to actually get around the problem of RTFs.  It means that all the vendors providing engines to process XSL had to come up with their own extensions to handle this (e.g. [1], [2], [3]), and many people have also come up with creative (but horribly obtuse) ways to get around the problem.

So it goes – I’m stuck with (a) XSLT 1.0 & XPath 1.0 + proprietary “extension functions” [1], [2] in MSXML, because (b) the Microsoft TAM tool only uses the MSXML engine (which is fair – it’s gotta default to something).

What’s REALLY painful is learning that not only did I spend weeks banging my head against a wall learning some very obtuse and shouldn’t-be-necessary coding hacks to what in other languages are fairly trivial problems – but now I discover that it wasn’t even a question of RTFs at all, but rather that XSLT just ends up taking what I think is a reasonably well-thought-out design and dumping it on the floor:

http://groups.google.com/group/microsoft.public.xsl/browse_thread/thread/f3af4340991740e5

Oh, and how did the XSLT overlords solve this problem in XSLT 2.0?  They just eliminated the limitation on RTF in XPath expressions.  Done.  And done.

Ugh – that’ll teach me to ever get lured into using a [functional?] programming language again.  Back to C# – that seems positively trivial by comparison…

SO: if you happen to have a masochistic streak in you, or you find that you absolutely must use XSLT 1.0 and not either XSLT 2.0 or System.Xml.Xsl, then (a) you have my sympathies and (b) here are some resources that I recommend you consult sooner rather than later:

You ask: why did Microsoft train ALL developers on Security?

One of you readers asked me to investigate why Microsoft decided to train all developers on Security, rather than targeting either (a) those developers who touch security-related features or (b) one designated “security expert” on each development team.

You asked, I answer with a collection of quotes from various sources, but basically all from the horse’s mouth (yes Michael, that makes *you* the horse in this analogy).  Please enjoy, and feel free to link others you might stumble across…

http://web.archive.org/web/20031202020539/http://blogs.gotdotnet.com/mikehow/PermaLink.aspx/1c7eb862-aec9-475e-bff3-c32bb3f063f5
“We need to teach more people about security. Now, you’re probably a geek, or a geek-wanna-be, and I bet you’re thinking, “ah, he’s trying to sell more copies of his book, he wants to teach people about writing secure code.” Ok, that’s true, I think software designers, developers & testers need to understand what it takes to build secure software; the threats have changed, and security no longer resides in the realm of the Security High Priesthood nor the Security Learned Few. Building secure software is simply part of getting the job done. Just like we learned the basics of optimal algorithms in school, kids coming out of school need to know the basics of building code that will run in that most hostile of environments – The Internet.”

http://blogs.msdn.com/sdl/archive/2007/05/02/security-education-v-security-training.aspx
“We require our SDL training to emphasize the basics of secure design, development and test – then allow employees and their management to select the training that meets the needs of their particular product or service.  There is one other point that bears mentioning – our training is constantly being reviewed or embellished to make sure that emerging security or privacy issues are being addressed.”

http://msdn.microsoft.com/msdnmag/issues/05/11/SDL/
“If your engineers know nothing about the basic security tenets, common security defect types, basic secure design, or security testing, there really is no reasonable chance they could produce secure software. I say this because, on the average, software engineers don’t pay enough attention to security. They may know quite a lot about security features, but they need to have a better understanding of what it takes to build and deliver secure features. It’s unfortunate that the term security can imply both meanings, because these are two very different security realms. Security features looks at how stuff works, for example the inner operations of the Java or common language runtime (CLR) sandbox, or how encryption algorithms such as DES or RSA work. While these are all interesting and useful topics, knowing that the DES encryption algorithm is a 16-round Feistel network isn’t going to help people build more secure software. Knowing the limitations of DES, and the fact that its key size is woefully small for today’s threats, is very useful, and this kind of detail is the core tenet of how to build secure features.

“The real concern is that most schools, universities, and technical colleges teach security features, and not how to build secure software. This means there are legions of software engineers being churned out by these schools year after year who believe they know how to build secure software because they know how a firewall works. In short, you cannot rely on anyone you hire necessarily understanding how to build security defenses into your software unless you specifically ask about their background and knowledge on the subject.”

http://msdn2.microsoft.com/en-us/library/ms995349.aspx
(a) “But it is important to note that an education program is critical to the success of the SDL. New college and university graduates in computer science and related disciplines generally lack the training necessary to join the workforce ready and able to design, develop, or test secure software. Even those who have completed course work in security are more likely to have encountered cryptographic algorithms or access control models than buffer overruns or canonicalization flaws. In general, software designers, engineers and testers from industry also lack appropriate security skills.

“Under those circumstances, an organization that seeks to develop secure software must take responsibility for ensuring that its engineering population is appropriately educated. Specific ways of meeting this challenge will vary depending on the size of the organization and the resources available. An organization with a large engineering population may be able to commit to building an in-house program to deliver ongoing security training to its engineers, while a smaller organization may need to rely on external training. At Microsoft, all personnel involved in developing software must go through yearly “security refresher” training.”

(b) “One key aspect of the security pushes of early 2002 was product group team-wide training for all developers, testers, program managers, and documentation personnel. Microsoft has formalized a requirement for annual security education for engineers in organizations whose software is subject to the SDL. The need for an annual update is driven by the fact that security is not a static domain: threats, attacks and defenses evolve. As a result, even engineers who have been fully competent and qualified on the aspects of security that affect their software must have additional training as the threat landscape changes. For example, the importance of integer overflow vulnerabilities has increased dramatically in the last four years, and it has been demonstrated recently that some cryptographic algorithms have previously unrecognized vulnerabilities.

“Microsoft has developed a common introduction and update on security that is presented to engineers in both “live training” and digital media form. Microsoft has used this course as the basis for specialized training by software technology and by engineer role. Microsoft is in the process of building a security education curriculum that will feature further specialization by technology, role, and level of student experience.”

http://msdn.microsoft.com/msdnmag/issues/03/11/SecurityCodeReview/default.aspx
“Hopefully, you realize that reviewing other people’s code, while a good thing to do, is not how you create secure software. You produce secure software by having a process to design, write, test, and document secure systems, and by building time into the schedule to allow for security review, training, and use of tools. Simply designing, writing, testing, and documenting a project, and then looking for security bugs doesn’t create secure software. Code reviewing is just one part of the process, but by itself does not create secure code.”

The Security Development Lifecycle Chapter 5

“If your engineers know nothing about basic security tenets, common security bug types, basic secure design, or security testing, there really is no reasonable chance that they will produce secure software. We say this because, on average, software engineers know very little about software security. By security, we don’t mean understanding security features; we mean understanding what it takes to build and deliver secure features.”

Free XML tools? Trying to find a WYSIWYG editor for XML, XSLT – how hard can it be?

I’ve been using Microsoft’s Threat Analysis and Modeling tool (more on my experiences later), and one of the things I’ve determined is that I need an XML/XSLT editing/authoring tool to help me wade through all the information that’s buried in the threat model documents it generates (which is all written in well-formatted XML).

I’ve spent a few weeks trying desperately to find one tool that would allow me to do the following:

  • Get a quick overview of the XML without exposing me to all the raw code
  • Explore the hierarchy of XML in a treeview
  • Allow me to automatically collapse or hide certain elements and branches of the XML so that I can skip e.g. the GUID element in every object
  • Allow me to drag & drop XML elements around the document (or at least easy-to-use cut and paste)
  • Allow me to browse a self-describing set of the XML tags that are available to use in this document e.g. explore the document’s schema in tree form; collate a list of the XSL tags already in use in the document (not just all those potential tags supported in XSL 1.0 or 2.0)

A few abandonware tools that are mentioned all over the ‘Net, but which are no longer options:

  • ActiveState Visual XSLT: ActiveState delisted this years ago, and I cannot find a copy anywhere on the ‘Net for the life of me
  • Altova XMLSpy 2004 Home Edition: still available for download from Altova’s software archive, but they have removed all traces of the License keys that could be obtained for free
  • IBM XSL Editor: now part of some Websphere server-side engine

Some freeware apps I’ve found:

  • XMLmind Personal Edition: Java-based GUI editor.  Provides a collapsible tree view of document contents and an inline editor for element text (hiding all the nasty tag content and code), and provides downloadable add-ons to enable editing documents based on many different DTDs.
  • Microsoft XML Notepad 2007: horrible UI, but at least it abstracts away some of the complexity of XML…
  • Notepad++: does a good job of highlighting XML syntax and allowing you to collapse element branches, but doesn’t help my primary problem, which is…
  • XML Cooktop: XML syntax highlighting, processing XML with XSLTs and viewing the results
  • Butterfly XML: decent hierarchical view (and in my personal opinion, it beats out XML Notepad 2007), doesn’t scare off the user with tagged code, but no cut & paste capability (just add or delete).
  • Xerlin: Java-based XML editor
  • Vex: a “visual” XML editor 
  • Jaxe
  • XML Workbench

Visual Studio 2005 has some XML capabilities, but strangely nowhere near the level of “friendliness” that I’ve come to expect from this IDE:

  • It’ll open XML & XSLT just fine, perform the usual syntax highlighting, and even autocomplete any code that I try to add.
  • However, it just shows me the “raw code” – I can’t find any way to “hide” the code and just browse through this file in a more compact, abstract, more user-friendly way.
  • You know how you can switch between Design Mode and Code in VS2005 (e.g. creating a WinForms app)?  Or how FrontPage used to allow you to do the same thing?  That’s what I want.
  • Then I can learn some of the basics of what the code is doing by association, but in the meantime I can “get something done” without having to spend 15-20 hours learning about XML & XSLT syntax, language operators and all these minutiae.
  • It’d be really cool if there was some sort of Object Browser tree view of the XSD (XML schema) or a “Toolbox” like collection of the kinds of code objects that I could add (that wouldn’t scare me off as much as raw code in unknown languages does).
  • Finally, I haven’t found any freebie XML-editing add-ons for VS2005.  [Other than the Visual XSLT from ActiveState that appears to have disappeared from existence.]
  • The next version of Visual Studio (“Orcas”) promises some improvements in dealing with XML & XSLT, but nothing earth shattering (at least not for my needs)

Actually, one of the best tools I’ve tried is another commercial app that I would never have expected to make “browsing and editing XML” as visual and flexible as it does: MindManager.

  • MindManager’s native document format is a compound XML document, and it’s able to open and save in unmolested XML format.
  • If you open an XML document, it’ll treat elements as Topics and element text as Callouts, making it easy to cut & paste or drag & drop elements from one part of the hierarchy (which looks like a tree with branches) to another.
  • It’s very slick, looks very simple but has all sorts of extensible power behind it.

And then there’s a raft of commercial apps that might do the trick, but which cost way more $$ than I have budget for:

  • Altova XMLSpy: For my purposes, this is no better than Visual Studio (even though it’s *loaded* with lots of additional features that I’m sure every XML goon would love).
  • Altova StyleVision: wow, how *un*suitable is that?  It doesn’t even open XSLT files – it only uses its own proprietary format, and while it seems to have lots of different ways to look at the content of the style sheet you’re working on, none of it seemed intuitive or familiar.  Probably makes more sense to someone who’s been using Altova tools for a while.
  • Stylus Studio XML: I like the visual XSLT mapper, the XSLT “backmapper”, their Sense:X feature, their ability to drag-and-drop from source XML to the XSLT (with intelligent handling of the resulting object), and their WYSIWYG XSLT designer (“You Design the HTML; Stylus Studio Writes the XSLT”)!!  Man, with all this going for it, I’m going to at *least* spend a few days with the eval version. 🙂

 

Surprised?  I was.  MindManager and Stylus Studio XML were *not* on the short list – they’ve (a) never been mentioned by anyone I talked to who had any familiarity with XML, and (b) if you’d asked me about any tools that have XML editing capabilities I’d never have been able to come up with these.

 

Sidebar: Lemme just mea culpa for a sec – it’s not that I can’t code (I taught myself VB.NET from scratch), but it seems horribly inefficient to try to edit existing XSLT documents only after I have to learn every little aspect of XSLT and XML syntax.  Doesn’t it?

Questions from a VB.NET amateur on the occasion of my first C# project…

  • Why doesn’t Visual Studio auto-generate the {} when I add an “if (true)” statement/a “foreach ()” statement/a “try” block and hit [Enter]?
  • Why doesn’t Visual Studio automatically clean up the indenting of my code, comments, etc. when I add/remove the { } braces or other things that would affect the layout of the existing code?
  • If these damned curly braces and brackets are so damned important, why aren’t they filled in automatically every chance we get?
  • Why won’t Visual Studio automatically format the trailing */ characters when I hit Enter (which gives me the next * character + a space) and I type the / character?  VS should be able to handle auto-formatting as simple as that.