After a short exchange of friendly but accusatory cross-continental messages, I’ve learned something new about .NET projects today. Let me start with the symptoms as that’s the first thing I Googled for and how I suspect others will find this and save themselves some pain in the future.

Let’s say you have a solution like this:

This is a brand newie right out of the box to demonstrate the problem. The web project references the ClassLibrary project as a project reference. In other words, the project file contains something like this:

<ProjectReference Include="..\ClassLibrary\ClassLibrary.csproj">
  <Project>{705479f2-2820-44ea-a983-f03c70ae0754}</Project>
  <Name>ClassLibrary</Name>
</ProjectReference>

So far, so good. However, when you go to build it gets decidedly unhappy:

I’ll admit to some amusement when I see friends liking pages such as this:

I’ll admit to even more amusement when they’re mature adults (of either gender) or as seen recently, when they’re my mother in law. Of course when confronted about their salacious ways they’ll always swear black and blue that they never “liked” the link. Except they did, they just didn’t know it.

What you’re seeing here is a Facebook “worm” or in other words a script which replicates itself. Someone sees it, clicks the link then it automatically appears on their wall without their knowledge. Three of their friends then see it on their wall and click through then three of their friends do the same and so on and so forth.

But how can this happen? Why does Facebook allow someone to inadvertently “like” a page they would never actually intentionally like, or at least not intentionally broadcast that they like it! It’s actually both very simple and quite clever so let’s pull it apart and figure out how this is working.

You know what really strikes me about a lot of the hacks we’ve seen lately? It just seems too easy. I mean we’re seeing a huge number of attacks (an unprecedented number, by some figures) and all too often the perpetrator is a kid. I don’t mean that in a relative sense to myself as I get older, I mean literally a child.

The problem, of course, is that many of these “hacks” have become simple point and shoot affairs using freely available tools. In the case of SQL injection, tools such as Havij mean that even if you don’t know your indexes from your collations or your UDFs from your DMVs, so long as you can copy and paste a URL you can be an instant “hacker”.

In fact I reckon it’s so easy that even my 3 year old can be a successful hacker. Turns out that’s not too far from the truth:

Who’s hacking us? How are we (as developers) making this possible? What are some of the common flaws we’re building into software? And what exactly is “pwned” anyway?!

All these questions and more come up and get answered in the presentation I made to Developers Developers Developers! in Sydney a few months ago. Fortunately the good folks at SSW were kind enough to record and very professionally produce a number of the sessions then make them available via their SSW TV channel.

Despite the managers of the conference facility doing their best to emulate a Swedish sauna by cranking the heat up to 11, I was very happy with the way the presentation went. For those around Sydney, I’ll be giving a talk in a similar style at the Web Directions South conference next week with mostly new material.

One last thing – I need to give some credit to Mikko Hypponen for the material relating to the three sources of hackers (criminals, hacktivists and governments). I was inspired by his TED talk titled Fighting viruses, Defending the net where he refers to these threats among many other insightful observations about the online security landscape. In fact I’m inspired by most things Mikko says and the way he delivers his message so do yourself a favour and check out his material.

Last week, with the help of the good folks at Red Gate, I set up a little competition to give away 5 licenses of their very excellent SQL Source Control product. The entry criteria was simple – share your most painful experience which could have been avoided by using source control.

Many painful stories emerged but I thought it worth sharing and commenting on the 5 winners as I’ve felt this pain time and again in years gone by. So enjoy these stories and hopefully take away some nuggets of knowledge that might help you avoid the same pitfalls in the future.

To the winners: hopefully those licenses will help ease the painful memories of mistakes gone by! I’ll be in touch with your prizes shortly.