
Wednesday, 23 October 2024

Bringing the R.S.18 Formula One car to life through mixed reality

(suspenseful music) Creating a Formula 1 car is an art. Every line drawn needs to make the car stronger, lighter, faster. Every element needs to be perfect. Create, develop, and refine to make something that makes you say, this ... is ... it. The new RS 18.

Brad Anderson's Lunch Break s7 e15 Outtakes

- So a lot of corporate leadership coaches ask this question. I'd like to get your feedback on it. - Oh, yeah? - If you had to pick you know, one Golden Girl which one would you be? - Rue McClanahan, she was the sassy one. - Uh huh, that would be you. - That'd be me. - It's lunchtime, and this is Brad Anderson's Lunch Break. Two of my favorite things about Microsoft are the smart people that constantly visit campus and the great fleet of shuttles. Whenever I can I try to take advantage of both of these things and I grab lunch with some of the tech industry's best and brightest. (upbeat peppy music) Okay, so let's have a little fun. You and I can play this game called This or That. - [Nicole] Okay, fantastic. - [Brad] Epic. - I said fantastic. This could go off the rails. - Oh, this is fine. So I'm gonna give you like two topics, and then I'll give you some kind of word or description. You're gonna tell me is it one, two, or both. - Okay. - Okay? So your two terms are transatlantic flights. - Okay. - Or World of Warcraft. Okay, do you know much about World of Warcraft? - A little bit. - [Brad] Alright. - I had to stop playing so that I could finish writing my dissertation, yes. (laughing) - Okay, alright, here we go. You would do something unspeakable in an exchange for an upgrade. - Transatlantic flight. - Okay, I think my boys would say both. You have too much personal baggage to be able to sit comfortably. (laughing) - Um, World of Warcraft. - Walking the floor at a tech conference. - Yes? - Or joining a fight club. People get more aggressive the longer they're there. - [Tim] I guess the fight club. - Yeah, I don't know. That could be both. I've seen people at the tech conference before. - It could be both. Yeah, it could be both. - There ya go, okay. You go back home and brag about how many sessions you were in. - [Tim] That could be both. - Yeah, so a big part of the work that you do is really deepening and broadening the partnerships that Microsoft has. 
- Right. - And so, you know, there will be a lot of CIOs and senior leaders who will be watching you know, what we're talking about here. How does the work that you do impact their lives and make them better and their organizations better? - [Peggy] I think we've had more of a focus over the last several years on the partnership aspect and kind of moving from this transactional relationship to more of a strategic partnership relationship, and that's opened up a lot of doors for us and our partners. And rather than, you know, approaching it from a transaction we can say, you know, what do our joint customers need? What problems are they trying to solve? And then that helps us look at areas of collaboration that we can do with partners, and I think the opportunities for both sides have increased. - [Brad] Totally. - Yeah, we take a lot of the friction out of it for them so if they have to do something manually that sort of integrates our two products our partner's and our own and we can put them together in a seamless fashion. Um, that's sort of a win for all three of us. - So over the years you've interviewed a ton of like, the tech heavy stars. - Yeah. - Right? - Yes. - Any one of them leave you totally like wow that was amazing? - [Tim] I did interview Steve Ballmer. - Yeah. - Um, so that was quite fun, and his character was not quite what I expected when I first met him. He was uh-- - Lot more low key in an interview? - Yeah, I guess so, yes. Yes, and I liked him actually. I think he was full of life and full of enthusiasm. I really appreciated that. - Yeah, well people know Steve for kind of like the stage presence, but when you're in a small group you know, and you just have this conversation, he really is a great-- - Yeah, and very sharp. - Exactly, just a great guy. I always loved those times I got to spend with Steve like that. We talk a lot about this transition to the cloud and the culture change that it is for our customers. 
We've had to go through that internally. You know, I've gotten hundreds and hundreds of engineers who have built on-prem products for, you know, for some of them for decades. Now some of that skill set is applicable in the cloud, but we've had to fundamentally relearn different aspects of what it means to build cloud services, to operate them, you know, the architecture is different than a client server architecture. So we've had to go through that same cultural transition internally that many customers right now are facing as we're helping them and pushing them to move to the cloud, but we've had to go through it first. - [Jeff] I have started, and I think people would be surprised about this from the SharePoint guy, I start when I'm sitting down with the CIO or I'm on my phone, let me show you how. Look, here's, you know, see all my email, my calendar, but wait, it gets better. Here's OneDrive, bring up all my docs. Yeah, that's pretty good. Here's how I share things. You know, let's keep going. Let me show you the new SharePoint app where I can show you my intranet, and I can show you my collab sites and the publishing sites, and search on people and documents, and that blows people's mind. They say wow, if I could deliver all that just to our users they'd be great. And they say on top of that it is secure. - [Ben] This stuff isn't really a technology barrier. This isn't really a technology change. It's a cultural change. It's a huge change. - Massive culture change. - And you know, if we talk about tools or if we talk about technology first without actually addressing the fact that this is about people, because we hear every company has their Uber moment coming. It's actually about how do you think about your business in terms of what your customers want and will want into the future and what your people can fundamentally deliver. So it's really about that human element and just spending time kind of thinking about the future and your future. (peppy whimsical music)

Bloom Open Space (Preview)

Bloom came out of a little experiment that we had, where it was just creating a shape on a screen, having it expand and disappear. Really, it's just a very simple tech demo. What I've liked about this project and this space is that you're creating things in a virtual world, but the people outside are actually in the real world watching it as well. It's not quite so divisive. It really is truly mixed reality. It's blurring the lines as to where one starts and one ends. I think it's a bit of a sense of magic, actually. You can also start to interact with other people. It's quite magical, actually, where two of you start creating things in the space around you. I don't think anyone's experienced anything like that before.

BlackMarble’s remote detective - powered by the Visual Studio family of DevOps tools

[Music] Black Marble is a group of really enthusiastic, technology-loving geeks that have established themselves as the go-to guys if you've got a difficult problem. DevOps is a big part of Black Marble. It bridged the gap between IT and operations for us. tuServ came about initially from one of our customers, Cambridgeshire Constabulary. One great thing that tuServ has enabled is an idea of a remote detective. When officers are on the scene of a crime, they're gathering evidence and feeding it into the tuServ event dashboard. A detective back at a station can now look at that in real time and guide the actions of the people on scene. In developing tuServ we've really put into practice everything that we've learned along the way around DevOps and ALM. Visual Studio Team Services provides an end-to-end solution for us, from the inception of an idea in the pub, as you write it on the back of a beer mat. We can check our coding and a whole variety of cross-platform solutions. We can then build our solution and deploy it out again into a whole heterogeneous areas. So it's now really giving us a selection of tools that allow us to address the real-world needs of our clients. By combining Visual Studio Team Services build and release with Azure resource templates, we were able to help one of our marquee customers take their deployment time down from over four months to just over an hour. We've quadrupled our DevOps practice over the past year. The risk if you don't keep up to date with the new technologies that enabled DevOps is that you'll be left behind. It is important that our clients trust us, and the fact that we're a Microsoft partner is very important to them. It gives our customers the confidence that even though we may not be the largest supplier on the block, we have a proven track record of delivery and we have a very big friend standing behind us to support us. Knowing that we're transforming policing is a big part of why I love my job. If we can get tuServ into as many police forces as possible, it means that all police forces can collaborate and have that digitization and transformational experience. [Music]

Audio Description Version Windows 10 Craftsmanship

A white rectangular computer prompt flashes on a dark screen. It pulses in time to the music. Words typed on the screen read, we don't build Windows for all of us. We build Windows for each of us. Windows Accessibility Program Managers. >> When you build features for people that have a range of abilities, you end up making something that works for everybody. >> For me one of the amazing things, even today after 15 years at Microsoft, is how we're inventing new experiences. >> When we sat down we were focusing on those with low vision and no vision. We decided really we need to work on performance. To start Narrator, I'm gonna hold down the Windows key and press Enter. >> Window, start window, search box. >> So right now we're at about 80% of capacity of how Narrator could speak, and this is about how I would use my computer. That probably sounds like gibberish but once you get used to this, it's pretty quick. >> One of the things that we spent a lot of time looking at is how do you really help a developer be immersed in what it means to be blind. We built in the developer mode in Narrator. >> Caps lock, shift, developer mode enabled. >> So now you can see that we've blanked the screen. So I'm gonna press h to jump to the first header. >> Heading level one, go to Bing home page. >> And it will kind of immerse you in what that is like to not see your app. Select down to change to suggestions view. >> Across many applications, when you're typing, whether it's weather, news, Cortana. You're getting search suggestions. >> Fond du Lac, one of one selected. >> It's the first time that we're building that level of accessibility into both our screen reader and our applications. >> I'm going to flag this message. >> Content, delete button. Move button. Set flag button. >> Xbox looked closely at how they can diversify how people represent themselves. And so you'll see a new set of avatars so that someone can select an avatar that looks more closely to themselves. 
>> So with Windows 10, the Edge team really wanted to do our part and make accessibility great on the web. >> Enter, hub. >> Whether they need the screen reader, whether it's high contrast, whether it's keyboard only. >> At level 3, draggable. >> It was really about making it more usable and more intuitive for all of our users. >> So in the future, I think the key is really matching the ability of the technology to the ability of the person. So everybody can participate. >> Kids curve their fingers into heart shapes over their chests. The colorful Microsoft logo is centered on the screen.

Monday, 21 October 2024

Anatomy of an extension

A Visual Studio extension project is a normal C# project, but with a few things that make it unique, so let's go through and highlight some of those to get a better understanding of what makes a Visual Studio extension. We'll start by creating a new VSIX project by searching for the VSIX Community templates, and we'll select the one with a command. This is one of the more commonly used templates. We'll also give it a name, let's call it MyDemo. The C# project is created and we can see we have a bunch of NuGet packages already referenced. It also contains a command class, an extension icon and a VSIX manifest. This is where we keep metadata about our extension, such as a name. Make sure to specify a descriptive name here. We also need to specify a unique product ID. It can be any string. And make sure to give your extension a good description. You can specify a license, as many comma-separated tags as you want, and a URL to your GitHub repository. Next we'll look at the Visual Studio Command Table file. It's an XML file that lets us define commands, menus, groups, key bindings and other things about our extension. A group can contain multiple menus and commands, and a button here is just a different word for command. I can also set my key bindings to automatically trigger one of these buttons. The package class is the entry point for most extensions. Here we can register services, tool windows and, in our case, commands. This will automatically find all commands and register them with Visual Studio. And if we look at our command, we can see it's a very simple class that handles the command click, the same command that we defined in our XML command table file. I'll build the project like any other .NET project, and that will produce the output in the bin directory. The output of an extension project is a file called a VSIX file, and that is my extension. I can simply double-click the VSIX file to start the Visual Studio extension installer. This is the extension file that I want to publish to the Visual Studio Marketplace or share with my colleagues. If you're curious to see what's inside a VSIX file, simply rename it to zip and open it in the File Explorer, and that will show you everything inside the VSIX container file. So now that you know what makes an extension project an extension project, you're now ready to build your first extension.

Alaska Airlines flies on Visual Studio Team Services and Xamarin

We are on a cloud-first, mobile-only trajectory, with a high focus on delivering both customer mobile as well as internal employee mobile, so delivering mobile solutions is critical to our success as an airline. We are building web services in the cloud. We have moved all of our developers into Visual Studio Team Services and practicing continuous integration and continuous delivery. We want to test out whether Xamarin is a great platform for us to use. Xamarin is a platform that enables C# developers to write mobile applications natively for iOS, Android and Windows. We have standby benefits on all our flights, and the Hopper app was built to enable employees to navigate the ever-changing loads on flights. When we start off with Hopper, in one day we were able to create a prototype of the app. Xamarin used the Portable Class Library, which we put all our business logic, service call. We were able to share, like, almost like 80% of the code. It also has extensions that allow analytics. It has natural integration with Visual Studio Team Services. So we have a two-week sprint. We created all our features, user story and task in the Visual Studio Team Services. The moment we check in the code, then the build will kick off, and then it will create all the artifact and then publish it to the HockeyApp so our QA can actually pick up the build. It's published to the Xamarin Test Cloud that's running on a list of, like, hundreds of devices. The app as a native experience really allows us to give great customer service to our employees. The feedback is phenomenal. It is truly, truly fantastic to see. With Xamarin and Visual Studio Team Services we were able to enable the mobile moment, so we can put the right information at the right time and the right context to our customer and our employee, so they can do their work better and our customer will be happier.

Airband TV White Space technology helping rural businesses in Essex County thrive

>> This is a small rural area, somewhere around 3,000 full-time residents. When I moved to the local area, the only Internet was satellite, and satellite just didn't work. >> We were using weird little repeaters from signals that were barely moving and Beth said, "I think I can get fiber optics and I think I can beam it to your silo." >> I purchased two antennas and radios I went along with that, people start saying you've got Internet, how do I get that? >> Here at the Hub we have a retail store. Internet is a huge boon to our existence. The locals who need a place to shop, who have no access to local food they can get local vegetables, locally made products that they wouldn't have access to otherwise. We communicate through a platform with a lot of the local farmers that's all internet-based. >> Our customers are ordering on an online market forum basically a grocery list. This is our grocery store, you get to pick as many of these things if you want, all internet-based. >> Currently I'm providing internet for 250 people. The problem with the current technology is that it needs to be line of sight. If somebody is back behind a bunch of trees or behind a mountain, it just doesn't work. In order to grow, we need some new technology called TV White Space. It uses the old TV frequencies and rebroadcasts them for Internet. The support from Microsoft has been extremely helpful, I never would've thought about expanding into TV white space without the support from Microsoft. From a policy level, we need more bandwidth so I can provide better service and push it out to more people. >> I think we're at ground-zero right now, with the Air Band initiative, we can take our farm to the next level. >> It's all about solving problems. It's a lot of fun to see people's eyes light up for the first time that they haven't had service before, it's nice to be able to do that.

AI Coding Assistance in Visual Studio 2022

A big step forward for the AI engine here in Visual Studio 22. Here's just a very simple .NET console app, and I want to show you some cool things and improvements we've done to the AI-based coding assistant. So I'm going to type a new line here, and notice how Visual Studio automatically will suggest that I put in a last name, which is exactly what I want in this case. I want the LastName property to be inserted for me right here. I also want the full name, so let's hit Enter again, and this time it suggests Age, which could be the accurate one, but I want full name, so I'm just gonna pretend it's not showing me anything and just start typing public string FullName. And notice here I can just hit Tab and I get my full name, and it understands that full name is a product of first name and last name. So the AI engine here in Visual Studio understands the context I'm in. Absolutely fantastic. Here, let's scroll down, and you can see here I have a method called RemoveData, and all it does, it removes some data from the list that I have defined above it. What's missing here is a method for adding data. So again I'm going to hit Enter, and Visual Studio already knows what I'm going to do here: I'm going to create an AddData method. So notice that based on the name RemoveData it understands what remove means, and so it suggests that I create a method called Add. But what was crazy was that it knew what that would do inside the method, so it knew that it should not take the list and remove something, it should add to that list. This is just absolutely fantastic. Here I'm just coding by tapping Enter and hitting the Tab key. And we can take it a step further. Let's say that I want to create a new method, or I want some code, but I'm not entirely sure how I should write it. What I can do is that I can express it in a code comment like this one. So here I have a comment, it says "take the two arguments and add them together", so the args refers to the args that come into the Main method up here. So I'm just writing here in plain English what it is that I would like to have happen. I can hit Enter and Visual Studio will automatically suggest what that code might look like. It understands what I'm saying in English in the code comment and can translate that into something that might be what I want. This is the AI engine that is built upon huge data set and using machine learning. It's able to take the context that the AI engine is aware of and pair that up with the big machine learning model. When we pair those up together, Visual Studio can do amazing things like this.

Age of Ascent from Illyriad Powered by Azure Service Fabric and ASP.NET

We wanted to create a game of such massive scale that's never been created before. We really wanted it to run naturally in the browsers. Anyone can play it immediately, whether it's your laptop or your phone or your PC. We were building a system that could cope with huge demand and huge concurrency, huge availability. Round about the same time, Service Fabric came about. Say two alliances suddenly decide to go to war on a whim. They all meet in space at the same time to duke it out. Our microservices in Azure Service Fabric will automatically scale up, begin unfolding space and seamlessly distribute the load across all the nodes in the system. We've tested it up to 50,000 concurrent players in the same battle arena. We were handling 267 million application messages a second. Our game microservices are built using ASP.NET Core. It gives us superior performance. ASP.NET Core is an open source that allows us to contribute back to it if we have any performance issues, which then Microsoft review, and together we make a better product. Our contributions to Kestrel have reduced allocations, lowered latencies and allowed it to be already 2,300 faster than previous incarnations of ASP.NET and more than six times faster than Node.js. We run public player-versus-player alpha playtests once a month where anyone can just drop in. All you need is a modern browser that runs WebGL. Turn up at the website and you can play the game against other players around the world.

Address Sanitizer continue_on_error Pure Virtual C++ 2023

so please everyone give a welcome to Jim Radigan who is going to talk about dress sanitizer continue on error hey Jim how are you doing hi good morning everybody thanks Psy this morning I was just gonna talk a little bit about a new runtime uh mode that we have for the address sanitizer it's called continue on error and what happens is that this essentially gives you a check build for C plus plus and the check builds are defined as finding memory safety errors without any false positives so I'm going to go through a little story to begin with I did two presentations separated by two years about memory safety and um I started out the 2019 talk with the 2018 data and on the left in the graph you can see that the number of cves had continuously increased and cves are common vulnerabilities and exposures that are basically bugs that have been kept in an international database after some analysis out of all the cves 70 are due to memory safety errors and on the next slide I'll start to get into what is a memory safety issue now this was 2018 data so skip ahead to 2021 when I I in 2022 I did a talk and went back and looked at the previous year's data and here's the top 25 uh bugs for memory so not for memory safety but just for uh common weakness enumeration and they each get a score now I was able to clip or snip the top 17 and out of the top 17 six are memory safety errors now remember this is two years later so the yellow ones are memory safety errors and out of bounds right and out of bounds read a use after free an editor overflow and an effective address calculation for a memory reference that uses that no pointerview reference and the last one is when people annotate their code or write their own range checks so that's 2021 and then I did a talk in 2022 and then things haven't stopped so if we go to the next piece of data for 2022 this is um an award and I'll show you this the hackers have uh an award show every year for the top hacks in all different categories 
and the best remote code execution bug in 2022 was awarded to Microsoft and that was due to a heat buffer overflow so you can see that we continue to find uh really scary memory safety errors so what am I going to talk about I'm going to show why memory safety is critically important and hopefully that gets people to use the tools and um try to improve this problem which is uh systemic and then I'm going to talk about the new tool that we've got here with a demo and it's basically going to arm you with something that will allow you to expose all the C plus plus memory safety errors in your code and memory many are hidden so that last award for example that was code that was a heat buffer overflow that had been in the code for 20 years so to make this more Sim simple um I'm gonna tell this as a story between the bad guys and the good guys so the bad guys are the ones that make memory safety critically important and I'll show why in a second and then I'll talk about how the good guys are going to get a well-defined checked build for C plus plus it'll be a turnkey ship or do not ship so in other words when you use the new tool if your tests pass but we still log memory safety errors you shouldn't ship and you shouldn't integrate your code full stop so let's go talk about the bad guys for a second and hopefully this will motivate you into using the tools that we Supply and the new one especially so the bad guys have invented new programming paradigms and people may have heard about return oriented programming that's the first one that's been around for a long time that's ROP and data oriented programming or dop block oriented programming which is related and DDM which is direct data manipulation these are all started by the bad guys exploiting a memory safety error in your code and I'm going to show ROP how that works next and I'll show you that it's Turing complete so in other words you can write a program that can match any program functionality but using a stack 
pointer and the return instruction only [Music] okay so here I'm going to just start out with a traditional constant store and what we're going to do at the top is we're going to store valve one into array indexed at Bell too and the stack is in yellow and that's the stack pointer at the bottom it stays fixed and then the green box at the bottom are three different registers and then on the left is the machine code that the compiler would generate so it's just three machine instructions and these instructions are going to execute in the fall through fashion and it's going to update at the very very bottom in the green box the instruction pointer so that's 32-bit Intel so in this example we'll start out at address one so the instruction pointer is loaded with A1 and we execute that instruction which means load from the stack pointer into eax so the stack pointer is pointing at vowel one so this is how we get valve one into the machine we fall through we're at A2 now what we're going to do is we're going to load ESP Plus 8 which means we're going to get Val 2 into the machine you fall through to A3 and when we do that instruction with those register contents we're going to implement that store okay so that's traditional programming if you're using a fixed stack pointer and for manipulating the instruction pointer in the EIP register so with return oriented programming I'm going to show you what they call a gadget so what I can do is that exact same array store but I'm only going to use pops and Reps and what's going to happen is on the right hand side I'm going to get the stack to have exactly those values because I'm going to exploit a stack buffer overflow and I'm going to do that before I get to address one and that's going to set me up to actually do the following ROP Gadget so as we walk through this we're going to pop eax first which puts Val 1 into eax then we're going to do the return instruction at A2 sorry there's the increment for the stock pointer from 
the pop now we're at A2 and we're going to do the red and when we do the rat we're going to return to whatever the stack pointer points to which is A3 so that's how we get a fall through so we're going to pop ebx which puts Val 2 into the machine at A3 now at A4 because we did another fall through we're going to do a return and we're going to return to A5 and at address 5 we actually do the store so right there what I've done is smash the stack with the right values like an S print out for something into a local variable and then I knew about particular code in your existing program that would allow me to carry out this instruction so we went from traditional programming to something that is only done with moving the stack pointer executing returns doing a few things moving the stack pointer executing return that's return range Pro return oriented programming so now you can stitch these gadgets together and that's how you can get something that's touring complete so you can imagine that this is incredibly powerful and it's done just using memory safety errors in the existing code in your machine it all starts with one memory safety error wait what's memory safe that you ask well on msdn if you go to msdn address sanitizer uh I put those I think it's 15 or 17 categories of memory safety air bugs out there and each one of these URLs this is what I cut and paste from msdn has a link to a specific set of examples so there's a double free for example and then we give a source code example which is compilable and then we've integrated this into the IDE so if you open up that screen dump in a tab on a separate tab you'll actually be able to see how we've integrated the uh um the error into the IDE which is uh also in parallel with the command line dumps sorry well I'm gonna move on so you get a specifically well-defined notion of memory safety and this is a great way to understand what um is glossed over a lot in um in the literature we've very concisely Define this so 
you know in all uh what does Microsoft do for security in other words where does this all fit uh the address sanitizer uh relative to the Technologies we Supply so I've broken it down into a Venn diagram and there really are four buckets and if you go top down you can modify the source and then if you go a level down you can actually do static analysis on that or dynamic analysis and then as a fail safe for the last I would say God at least 20 years we've provided secure code generation which isn't something people talk about a lot but basically these two areas are run time and these are not as familiar as Source modifications and static analysis and so those are the forms of static analysis everybody is familiar with and those are the existing forms of source modification that you can look up on msdn but what I want to bring your attention to today is the secure code generation called guard and that's something that we spent many years introducing to thwart the ROP attacks that I just showed you your protection is only as good as what's used and so what I'm going to show you now is the result of a study that was performed finding out how much of the code on a Microsoft installation for Windows 10 used guard so they downloaded 10 applications from one of the top websites and only 21 files used guard that's two percent and then for Windows itself only 90 percent of the program files in the windows system folder used guard frustrating so that it to add to that you you can emit the use of guard which I just showed you obviously but then there are a lot of other things that you can just turn off you can turn off the canaries that we put on the stack for overriding locals you can turn off safe structured exception handling you can turn off aslr which is the address space linear randomization where we put things in different spaces randomly and then you can turn off depth which is basically the ability to protect code pages this should highlight the importance of a tool 
like ASan with continue on error.

So the war continues today, after seven years of basically control flow integrity protection. CFI is what they call it in the literature; on Microsoft that maps to guard, which I just showed you. So it's been really seven years in the industry of control flow integrity versus ROP attacks, and the bad guys have not rested on their laurels. I found a really great paper here, Roper, which is a blazing fast multi-threaded ROP gadget finder. That's 2018, and that's in use pretty heavily today.

So the bad guys have also moved on from ROP attacks, which is trying to exploit control flow, to data-oriented attacks. So here we have what data-oriented attacks do: they manipulate non-control data. They'll change variables and pointers which don't contain target addresses, they'll change benign behavior, and without violating control flow. So a simple DDM, direct data manipulation, example would be to flip a bit in a variable that's used in an if/else. So if I, at the right time, flip the bit in "if x is true" and invert it to what was expected, I can change the behavior of your program dramatically just by flipping that one bit through a memory safety error.

So these are how they're oriented, they're related. I didn't have enough time, usually I go into them, but data-oriented programming and block-oriented programming are sophisticated attacks that take chunks of your existing code to carry out actions that you can actually program in a separate language. And DDM, direct data manipulation, is what I just talked about by flipping a bit. And so DOP and BOP are actually used by a compiler called sploit. So this is actually the sploit language: you can program something to create your own shell here, and it'll do it by going out and looking at a binary, whatever binary you feed into it, and it'll get blocks of code to actually carry out exactly this program.

So, real world examples. Here's the
Windows Movie Maker. This is a famous, famous exploit that happened before. CB size is 44.70, we allocate a buffer that's 44.70 bytes, that accidentally changes it to 44.96, and then down here we have a heap buffer overflow and you're gone. The SQL Slammer: this hit the internet a while ago, though. So this is an instance of a read name from a socket, and then down here we have a stack buffer overflow because of this sprintf. And what happens here is that the return address is corrupted, and so they've got the bad guys starting an ROP attack with an open name socket.

So how bad is it really? NIST, the National Institute of Standards and Technology, from the U.S. Department of Commerce, has put out guidelines on minimal standards, and when the government gets involved it's very scary. You've heard the phrase "we're from the government, we're here to help". Well, they're here to help now.

So the bad guys are using those four forms of abstract programming against us. So what about the good guys? That's us. So delivering C++ requires both static analysis and dynamic analysis, end of story. You've got to do both. So when I talked about static analysis and dynamic analysis, I'm going to relate it back to our Venn diagram. Everyone's familiar with /analyze, and I think people are beginning to get more familiar with the address sanitizer. So what I want to do is show a little demo that shows the difference between static and dynamic analysis, to make this tangible.

In the program on the right, what you can see down at the bottom in main, the first line, what we're going to do is we're going to allocate a derived object, which is larger than the base object, but we're going to point to it through a typed pointer which is the base. That's polymorphism 101.
But then what happens is we're going to delete B, and when we delete B, where the red arrow is, we're going to delete the base. In other words, we're going to delete something that's smaller than the space that we allocated, and you're going to have a leak. So if we use static analysis that's in the IDE, then what happens is you get three, four errors, or four warnings: the default constructor should not throw, work with delete can be declared noexcept, down here we should not use an explicit smart pointer reassignment, and then the real core error here, it says do not delete a raw pointer that is not the owner.

Now if I go to the address sanitizer and just run this, this is what you'll get on the command line. It'll tell you that there's a new and delete type mismatch. The allocation was 12 bytes, the delete was of a one byte object. It'll give you the call stack for where things were allocated and it'll give you the call stack, oh wait, this is where it was deleted, that's where the error was detected, and then here it'll tell you where the new occurred for that error. And then if you'll notice down here, what it does is it aborts. So in the old model it's one and done: upon hitting the first error it'll kill your process, which a lot of people thought was pretty draconian.

Okay, so that showed the difference between static and dynamic analysis. So what you can see with static analysis, that takes place at compile time, the language itself limits what you can do. So there's a circle, or a cycle, an abstract cycle, where type propagation will thwart alias analysis and alias analysis can thwart type propagation. So if I don't know the type of the pointer p when I get to the call of foo, I can't do the alias analysis and I can't really even type propagate across that. So for example star q: if p and q are global pointers, I have no idea in this program what they're pointing to, and I have to assume worst case. So dynamic analysis takes place at runtime. It breaks that cycle
that I just showed you, and basically you just need good code coverage. And the other win, too, is that with a dynamic analysis like the address sanitizer, all of your third-party libraries are in there affecting the behavior as well, so you see exactly what's going to be going on, as long as you've got good code coverage.

"Yeah, but I run over 3 million tests daily, why do I need this?" Well, here's an example of a program that we call secure by coincidence. The red loop exit condition for that for loop is off by one: it shouldn't be less than or equal to, it should be less than. And so what happens then is you get a buffer overflow in the abstract, but in reality this program will run almost all the time. The system allocates the storage into local, but malloc has what we call slop in it. We're going to actually allocate a chunk of memory that's cache-word aligned, so it might actually allocate something that's zero mod 32 padded, and so invariably local is going to always have one extra cache line in it, and that's what we call the slop. So this program is secure by coincidence, and the memory safety error, or the buffer overflow, is hidden. You'll never see it.

So dynamic analysis is a simple recompile. The address sanitizer will compile in all the necessary runtime checks, it'll link to asan.lib, and it'll diagnose all your errors at runtime. So the problem, as I showed you before, is the existing address sanitizer is a one and done. It'll do a great job diagnosing the first error it hits, but then it will abort your process. So one and done is a problem. So a top-five ISV: they build 36 hours, they have 200,000-plus tests and 100 distributed test machines, and the first day you try to deploy the address sanitizer you basically blow up a super large test lab, and it is a giant, undefinable triage effort. So it's not practical to do the one and done for large code bases, and there's a lot of wins to do something different other than aborting this negative. So what I'm
going to do is show you another demo, and here we go, and we are in Padre. So power is a ray tracer, and the first thing it does is it hits a new delete type mismatch and it aborts. Popper is a really large program, by the way. So normally you would see the one error and you think, oh, I'm almost done, you go home, no problem. But with options equals continue on error equals one, can I run the same program? What's going to happen is we're not going to stop on the first error. So in this particular case what you can see is that we have found 14 unique memory safety errors, and there we define unique based on call stacks. So in other words, call stacks are paths, so there are 14 different ways that this program will leak, 14 different paths.

Well, the new address sanitizer with continue on error provides a checked build. You can actually compile this way and just run all of your normal testing, because it's not going to die on the first error and it won't interfere with the output of whatever's being produced by your program. And you'll get well-defined errors, they'll all be memory safety errors, and the compiler will insert all the necessary assertions. So this is well defined; it's not like you have to manually annotate your code in any way, shape or form. So in essence it's a turnkey system: you just compile your programs with the address sanitizer, and then you set an environment variable, and you go.

The interface is really not that complex. We give you two choices: you go to the command line through stdout or stderr, or, if you really don't want to interfere with any output whatsoever, all of the memory safety error information can go to your log file of choice. That's it. Hopefully everybody understands that, and the importance of it, and I look forward to answering any questions, if we're still there.

- Yeah, thanks very much for the great talk, Jim. If folks have any questions, please drop them in the chat. If you're watching somewhere which is not the
Visual Studio YouTube, then you can head over there and you should be able to see the chat right underneath the window. I have a question of my own, which is: what would you urge people to do right now for making their builds safer?

- Well, the easiest thing to do is use 17.6 and start trying to compile it this way. It's just that simple, and it becomes a pass/fail gate. All you've got to do is run it this way, and if it fails by passing your tests that you normally do day to day but actually suddenly logs memory safety errors, you shouldn't ship and you shouldn't integrate into the next branch.

- Yeah, that makes sense. Okay, we've got a question from John, who says: can you tell us the difference between continue on error equals one versus two?

- Yeah, sure. What that means is, that's this slide: continue on error one is stdout, the standard output stream, and two is standard error. We map one and two of those just like on Unix.

- And then another question is: would you recommend enabling ASan for debug configurations as well as release? Should there be a difference?

- There will be a difference, and I would enable them for the debug releases, because what happens is, when you run debug the optimizer is not on. Although, to be sure, we went through great pains to make this work with all the myriad optimizer supplies. But the interesting thing is, when you optimize you eliminate memory references, and so what can happen then is it'll hide or mask what are memory safety errors, because things only live in registers, or you do things like dead code elimination. So I'd start with the debug builds, or, you know, O2 check builds, which is a term that we use, I'm sorry, at Microsoft quite a bit. Check builds are: we turn on some optimizations and we have assertions in there, and it's like two-thirds of the way towards production code, but it finds a lot of errors. And this is a way of giving you a check build on steroids.

- Yeah. Any other
questions for Jim? We are five minutes until the next session is scheduled, so we've still got a little bit of time if anyone has any questions. And Jim, could you drop a link to me or in the chat for the best place for folks to go if they want to find out more about this?

- Sure, the blog is going live today.

- Perfect.

- Can you see me and the slides that are on the screen?

- We can see you, we can get that, yeah. The slides are there now. Okay, John's also asking: is the continue on error support in production today?

- Yeah, it's in 17.6. When I get out of here, we are building all of Office with this right now, and I'm also working with a team in France, a big ISV, and we're trying to get their entire code base covered with this. And just to give you an idea of the size, when we build Office, the machine I'm using right now is a 32-core Threadripper, it's got 256 gigabytes of memory and it has 10 terabytes of SSD, and I think it runs for 30 hours.

- Wow.

- So we're really trying to scale this up for production use, and that's why in 17.8 we're going to move it out of experimental into full production, full guarantees. So we're really looking for feedback on this, and we plan to add the leak sanitizer to this as well. In an internal demo I add the leak sanitizer by adding one more flag here. And then of course we're going to optimize, so that when you compile this way you won't take the performance hit from all the assertions.

- Yeah. I think we've got a last question here from fppt1, who says: is ASan built in to be easy to use graphically within Visual Studio?

- Oh yeah. So, in my failed attempt to pop the screen: if you go here to the website, where I drilled into the double free for example, and you open this in a new window, you'll see on the left hand side is the command line output, and then over here for the double free we've integrated the address sanitizer error reporting directly into the IDE. So if
you start out with devenv /debugexe and you just run this thing, it'll actually pop that up with the source code for you.

- Okay, and then Ken's asking: is ASan new functionality? For which, yes, we can say that it's been around a while, but the Windows support is the last few years, and this is brand new stuff that we're talking about today.

- Yeah, the address sanitizer has been around. In the end Google's responsible for starting it, and that's, I think, circa 2012 really was when they first did the USENIX conference. What's been difficult in bringing this up on the Windows platform, though, is we have a tremendous amount of legacy and the interop for all the different languages. And then one other thing to note is that continue on error is first being brought up on the Windows platform. It doesn't exist anywhere else. We're going to open source it and move it upstream, but there was a lot of complexity. So what's neat about this is that if you hit a memory safety error, we're going to continue executing, so that bad mutating write will actually do its thing, and we found that that was actually modifying metadata in the ASan runtime, and the ASan runtime would blow up. So we had to move the metadata around, make sure it was safe, and it was a pretty involved thing. And so it's going to be slow going to get this upstreamed and accepted by the community.

- Right. Well, thank you so much for your time. There's one more question in chat, but I can get that answered over text for you, because we are on time for the next session now. So thanks very much, Jim.
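
The two demo programs described in the talk above (the new/delete type mismatch and the "secure by coincidence" off-by-one loop), as an added C++ illustration that is not the speaker's code or slides. All names are hypothetical, and the 32-byte allocator rounding is an assumption taken from the talk's "zero mod 32" remark; the second part is a bounds-checked model of the behaviour, not the address sanitizer itself.

```cpp
// Added illustration; every name here is hypothetical, not from the talk's slides.
// On MSVC the real checks come from building with /fsanitize=address and, per the
// talk, setting ASAN_OPTIONS=continue_on_error=1 (stdout) or =2 (stderr).
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// ---- Demo 1: new/delete type mismatch ----
struct Base {};                                        // 1 byte, non-virtual destructor
struct Derived : Base { int a = 0, b = 0, c = 0; };    // 12 bytes

// The pattern from the talk: 12 bytes allocated, then deleted through a pointer
// whose static type is 1 byte. Undefined behaviour, so it is never called here.
void mismatched_delete() {
    Base* b = new Derived;
    delete b;
}

static int g_derived_dtor_calls = 0;
struct SafeBase { virtual ~SafeBase() = default; };    // fix: virtual destructor
struct SafeDerived : SafeBase {
    int a = 0, b = 0, c = 0;
    ~SafeDerived() override { ++g_derived_dtor_calls; }
};

// Returns true when destroying through the base pointer ran ~SafeDerived.
bool matched_delete() {
    const int before = g_derived_dtor_calls;
    std::unique_ptr<SafeBase> owner(new SafeDerived);  // owning pointer, no raw delete
    owner.reset();
    return g_derived_dtor_calls == before + 1;
}

// ---- Demo 2: off-by-one hidden by allocator slop ----
// Model of an allocator that rounds each request up to a multiple of `align`.
constexpr std::size_t round_up(std::size_t n, std::size_t align) {
    return (n + align - 1) / align * align;
}

struct Outcome { bool error; bool silent; };

// One test case: a loop written `i <= n` over a buffer of n requested bytes.
Outcome off_by_one_fill(std::size_t n, std::size_t align) {
    const std::size_t backing = round_up(n, align);
    std::vector<unsigned char> block(backing + 1);     // +1 keeps the model in bounds
    Outcome o{false, false};
    for (std::size_t i = 0; i <= n; ++i) {             // bug under study: should be i < n
        block[i] = 0xAA;
        if (i >= n) {                                  // sanitizer-style check against n
            o.error = true;
            o.silent = (i < backing);                  // landed in slop: no visible symptom
        }
    }
    return o;
}

struct SuiteResult { std::size_t cases_run, errors_reported, silent; };

// continue_on_error=false models "one and done": the first report ends the run.
SuiteResult run_suite(const std::vector<std::size_t>& sizes, bool continue_on_error) {
    SuiteResult r{0, 0, 0};
    for (std::size_t n : sizes) {
        ++r.cases_run;
        const Outcome o = off_by_one_fill(n, 32);
        if (!o.error) continue;
        ++r.errors_reported;
        if (o.silent) ++r.silent;
        if (!continue_on_error) break;                 // process would abort here
    }
    return r;
}

int main() {
    const std::vector<std::size_t> sizes = {44, 64, 100};  // constructed sample sizes
    const SuiteResult one = run_suite(sizes, false);
    const SuiteResult all = run_suite(sizes, true);
    std::printf("one and done: %zu of %zu cases run, %zu error(s)\n",
                one.cases_run, sizes.size(), one.errors_reported);
    std::printf("continue on error: %zu cases run, %zu errors, %zu hidden by slop\n",
                all.cases_run, all.errors_reported, all.silent);
    std::printf("virtual destructor ran: %s\n", matched_delete() ? "yes" : "no");
    return 0;
}
```

In the model, a 64-byte request has no slop, so the stray write leaves the block, while the 44- and 100-byte requests hide it; an ordinary test run would only ever notice the first kind.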

Adding an individual subscriber

[MUSIC] Assigning subscriptions is a key role for a Visual Studio Subscriptions administrator. To assign a subscription to an individual, select "Add" and choose individual subscriber from the drop-down. In the flyout panel, the fields to add a subscriber are displayed. There are two ways to continue from here. If your organization is using Azure Active Directory, you'll have the option to search Azure Active Directory. Leveraging Azure Active Directory will automatically populate the individual's name, sign-in e-mail, and notification e-mail if one is maintained. Add a different notification e-mail for receiving communications if you'd like. Select the subscription level, and choose to allow software downloads and product keys, or not. Choose the country and language. To make notes about a subscription assignment, just add some details into the reference field. Lastly, click "Add" and you'll see the page update with a subscription assigned to your user. If your organization isn't using Azure AD, it's just a few extra steps. Instead of searching in the Azure Active Directory field, type the subscriber's name and e-mail address, then follow the same steps as before. Lastly, click "Add", review any notices displayed, then once you're ready, click "Confirm". You'll see the page update with a subscription assigned to your user. For more helpful information like this, check out our docs pages or other recommended videos below. [MUSIC]

Aaron Dignan The Role of Culture in Enabling Creativity

Yeah, so I started a company called The Ready about 13 months ago. For the 9 years before that, I ran a company called Undercurrent and the arc of my life has been a search for the most interesting problem and I kept turning over stones and then eventually a few years ago, I turned over ORG design and I was like, oh that's it That's where all of our efforts as human beings come together. Our ability to organize, to coordinate, to create solutions and get things done and now that we're facing all of these challenges, it becomes a white hot topic for me and for us. I have the unique, good fortune of doing a lot of speaking and writing and traveling, talking to people all over the world and the question I ask everybody is, basically I sit down with leaders and teams both and say, "What's driving you crazy, what is slowing you down, what prevents you from doing the best work of your life, what's in your way at work," and I hear three answers remarkably consistently no matter where I go. No joke in the last ninety days I've heard this from the Prince of Sweden and the head of a non-profit in the Bay Area and it's 1) pace of change, both internally and externally. Just feeling like they can't keep up, they can't process it-the meetings, the emails, the information overload, the death by a thousand cuts of all the other people moving laterally and vertically into their space. There is a pace of change challenge that we all struggle with. Complexity. Complexity of scale or scaling. Having no idea how to make sense of the machines that we've created, how to get people to work and coordinate in the right way, how to navigate the functional matrix, or as I like to call it the Rubik's cube of death and so that's presently felt by everybody. Even really small companies now, who are going from fifty to five hundred employees in a year. Just feeling enormous complexity and then the last one is this sort of culture of command. 
The idea that somehow having culture is about controls, predicting control, plan, hierarchical decision making and all that sort of stuff sort of feels like a real rigid-slowing us down, preventing us from our potential. When I then ask teams the follow-up question, which is like, "What do we do to fix this, whose fault is this, what's happening?" I only get one of two answers. When I ask the leaders, they say, it's the people. "We have the wrong people, we need different people, our people's attitudes suck, there's change averse, there's change fatigue, we need more digital people, we need more millennials, millennials are lazy, millennials are awesome." Then when I ask the people, they say, the leaders. "The leaders have got to go, the leaders suck, the leaders don't see the future, they're not young enough, they're not old enough, they're not experienced enough, they're too inexperienced, it's the leaders we have to change." In our actual work, in the kind of coaching and changing of organizations and studying how certain organizations have managed to change and adapt over time, we've learned that it's actually neither one. Sure there's probably a leader or two who could change, sure there's probably a set of skills that might need to adjust, but by and large, the people are not the problem. People are chameleons, people are incredibly sophisticated at echoing and absorbing and interacting with a community, with an environment. We often talk about ... we have this visual, I don't know if we can bring it up, but we often talk about the environment as an organizing, operating system. What is the OS for the organization? If you think about-your phone has an OS, your computer has an OS. Microsoft, obviously understands the concept of OS, but then you say, what is our organizational operating system, what are the simple rules that are so deeply embedded and so deeply held? The assumptions, the practices, the principles that make up who we are. 
That's the sort of unspoken, unrecognized area and what we've done over the last year, which has been a really cool research project, is we've gone and talked to companies and organizations that have bucked the trend, that are heavily adaptive, super fast, nimble, flexible, human, meaningful, purposeful places and said, "What's different about you, what would you hold up as something that is unique about your way of working and your way of organizing?" Every answer we get, we kind of capture and we just loosely start to collect and group these things. What we found after looking at over a hundred examples, is that they basically all coalesced around these nine areas. This is not a MECE framework that covers everything about how you operate, but these seem to be the battlegrounds for the future of work. These are the areas where big changes are happening. Seismic changes are happening and you either are winning because of what you're doing in these areas, or you're failing or struggling, because of what you're not doing or what you're doing in these areas. Basically, when we started to talk about this concept of today and creativity, we really started to think about, what is it at the operating system level or a normal person would say the cultural level that is either inhibiting or empowering creativity. What is it about the way we meet, about the way we use and share information, about the way we distribute authority or don't, about how we talk about purpose and intent? All that stuff, that actually is either fueling and accelerating and empowering and creativity or holding it back and so that will be the subject of our breakout. 
Whatever room we're in, we'll find out-will be to probe that deeper by talking through the areas in this framework and any other areas of navigation that we want to cover, to get at a few key insights where we say, you know what, this is a nice big map, but these are the three areas where we feel like right now we're really missing it when it comes to creating more creativity, more creative hospitable work places and cultures and then we will bring that back to the group for review and heckle

(3) Building Node.js apps to connect to Office 365 Exploring the Calendar API

Hello, I'm Jason Johnston, a senior content developer with the Outlook ecosystems team. Today I'm going to show you how to connect your Node.js app to Office 365 and get, update and delete calendar data on your calendar. So let's get started.

To start with, I've got this basic Node.js app that we've developed over the previous two sessions. Right now we can log in and we can do a basic calendar sync. Now we'll take those calendar items that we're syncing and be able to take some actions on those. In case you missed the previous two sessions, the code that I'm starting with right now is available in the session two branch in the GitHub repo, which is included in the comments below.

Okay, so this app uses the node-outlook library to do all of the API calls back to the Outlook APIs. We've already got it installed from our previous session, so let's start by taking a look at the app as it stands right now. If I log in and sync my calendar, I get these items in a table with a view item link. Right now the view item link doesn't work, so let's fix that.

We switch over to our code, and in app.js we'll add a view item route. This view item route gets the item ID from the query parameters, and then we set up a call to the getEvent method in the calendar namespace in the node-outlook library. Unlike with our sync calls, we don't have to use the raw make API call here; node-outlook already implements this functionality for us. So all we need to do is set this get event parameters object with our access token and the item ID of the event that we want to retrieve, and then call getEvent. We pass the event that gets returned to us in our callback to the item detail page template.

So let's see that in action. Now if we click view item, we actually get some details about the item, and below we see the raw JSON dump of all the details that come back. Now this is nice, but if you look at our form we're only displaying a few of the fields here: the subject, location, how many minutes
beforehand the reminder will fire, and the start and end time. But if we look at the JSON, we're getting back a lot more data than we're actually using. This may not be that big of a deal, but it is a little wasteful, so we can trim that down and only get back the fields that we care about. To do that, we'll modify our view item route here to add a $select. This is a standard OData query parameter which allows you to specify the fields that you want back on a particular entity. We just separate them with commas, and I've included all the ones that we care about and display in the form. And now we just need to add those parameters to our get event parameters so that they're passed to the API call, and that should do it.

So if we restart the app now, we should see a smaller result returned. Again we see all the fields that we care about being displayed in our form, but this time the JSON that comes back is much smaller and only includes the fields that we asked for.

Since we're looking at the JSON here, I'll take a second to point out some of the new features from the v2 endpoint. One is the time zone. By setting our preferred time zone in the node-outlook library, we pass a Prefer header which specifies that time zone. So as you can see, our start and end times are returned to us in Eastern Standard Time, which is the time zone that I specified. If we don't set that time zone, these times would come back in UTC time, or Zulu time. The other new feature that I'll point out quickly is the reminders. We have two new properties now in the v2 endpoint on events: IsReminderOn and ReminderMinutesBeforeStart. IsReminderOn is a boolean that just tells us if there is a reminder set on the event, and if it is set, ReminderMinutesBeforeStart tells us how many minutes before the start of the appointment the reminder should fire. Pretty straightforward.

Okay, so let's get back to the code. As you can see, we have a couple of new buttons here on the form, Update Item and Delete Item, so let's start
by implementing the update item. Okay, so this should look fairly similar to some of the other routes that we've already added. We get the item ID from the query parameters and the access token from our session. We also get the new subject and new location from our query parameters, which are passed in the form when we submit it. Then we construct an update payload. Now notice here that we're only setting subject and location; we're not creating an entire new event entity. Whenever you do an update, you only have to include the fields that you want to change. We package this all up again into a parameters object with the token, the item ID and our update payload, and we pass that to updateEvent in the calendar namespace. If it succeeds, we redirect back to the view item view so that we can see our new changes.

So let's give it a try. We'll change the subject and the location field and go ahead and update the item. Okay, so as we see here, we're getting an error, an access denied message. Well, that's because the permissions that we requested in our app only gave us the ability to read the user's calendar. We never requested the ability to write to the user's calendar. So we can change that now. We don't need to modify our application registration; we just need to modify our code to request that scope as part of the login process. So if we go to authHelper.js, we'll swap out the Calendars.Read scope for the Calendars.ReadWrite scope, and that's all that we need to do.

Now if we restart the app and sign in, we're presented with a consent screen again. That's because we've changed the permissions from the last time that the user granted consent. As you can see, we now have the "read and write your calendars" permission instead of just "read your calendar". Now we should have the proper permissions to update the item, and now we have the new values in our results. If we look here, we have the new subject and the new location, and quickly we can verify that it has been updated. Okay, great, so now let's look
at updating delete item. Again, node-outlook has a built-in function for us here, so we don't have to implement it ourselves. We get the item ID from the query parameters on the incoming request, and we set up a delete event parameters object here with the token and the item ID, and we call deleteEvent. Now here, on success, we redirect back to the sync page, and that's because since we deleted the item we can't view it anymore. If we try to view an item with that item ID, we would get nothing back.

Okay, so now that we have delete in place, we'll go ahead and give that a try. Let's see what happens. Let's delete our doctor's appointment, because we just don't feel like going to the doctor today. That processes and then kicks us back to the sync calendar page.

And that's it. We've added get, update and delete functionality for the calendar to our app. Be sure to check out dev.outlook.com and dev.office.com for more information and getting started materials for Node and other platforms with Office 365. If you'd like to get the completed source of the app that we developed over these sessions, you can get that at GitHub; the link will be below in the description. The master branch should reflect the finished app. Thanks for watching.

(2) Building Node.js apps to connect to Office 365 Calendar Sync

Hello, I'm Jason Johnston, a senior content developer with the Outlook ecosystems team. In this video I'm going to show you how to connect your Node.js app to Office 365 and do a basic calendar sync.

So to start with, I've got this basic Node.js app that we developed in the first video in this session to do the authentication piece. We're going to build on that work and add calendar sync, so let's go ahead and get started. In order to do all of our API calls back to the Outlook calendar API, we'll use the node-outlook library, which is a lightweight wrapper around the REST API. So the first thing that we want to do there is install that library using npm, and once that's installed we need to require it in app.js.

Okay, so if we go back to the app that we implemented earlier, right, we were left with this sync button that we haven't implemented yet. It's pointing to a /sync route in our app, so let's start by implementing that. Okay, so there's a lot here, so let's go through it bit by bit.

So we use the outlook base namespace for this functionality, and the reason that we do that is that node-outlook is, as I said earlier, very lightweight. It implements a few basic functions, but it also implements the ability to use any API call even if we haven't implemented a wrapper around it. That's what the base namespace is really for. So the first thing that I do here is use the setApiEndpoint function to point all of our API calls at the version 2.0 Outlook endpoint. We're going to make use of some of the new features in version 2.0 during this, so I'll use that endpoint. The next thing I do is set the anchor mailbox to the user's email. This is why we went through the trouble of extracting the user's email from the ID token in the first session. And then I set a preferred time zone. This is a new feature in the version 2.0 endpoint: the ability to specify a preferred time zone and have all calendar times returned in that time zone, so that you don't have to do all the calculations
yourself okay so to start with we're going to manually configure our API request since we don't have a wrapper around it the first thing we do is set up the request URL when you're doing calendar sync that all works off of the calendar view endpoint in the API which is a view on a window of time we're going to do this for a week starting from today in seven days out so we set this to the me calendar view next we're gonna set up that time window as I said the start date will be today at midnight and the end date will be seven days from that time then we're going to set some prefer headers which will enable the sink functionality that we're after there's a couple of prefer header entries that we need to add one we need to set Oh dat ax dot track changes that tells office365 that we want to be able to synchronize data as changes come in the next thing that we set is our max page size here we're saying 5 which will limit the return results for each call to 5 results now we package up all of those things that we built before and to this API options object which gets passed to the make API call function so now that we have that there let's go ahead and run the app and see what happens okay so as you can see we have basically a raw dump of the json response for our synchronization requests we get back an event entity for each item on the calendar up to the maximum of five that we specified so great we see that that works but what happens if we have more than five items or changes come in after we do that initial sync how do we how do we continue to get changes well if we take a look in the response here at the end we have this item called OData delta link this is how we continue on with our sync so the way that calendar sync works is that the requests that we just made is considered the initial sync request from that we always get a delta link included in the response so the next thing that we should do is issue a second call to that delta link if there's more changes 
we'll receive them if there are no more will receive an empty response the response will include a delta link if there are no more changes and at that point we can save that delta link and periodically make calls to it to get any changes that come in if there are more changes more than the maximum that we have set in the prefer header we'll get a next link instead so after the initial sync we can look if there is a next link there are more changes if it's a delta link there are no more changes and we can wait however long we want to wait until we do the next sync so with that in mind let's modify our code a little bit to save the delta link and use that on the next call to sync so here I'm checking our sessions see if we have saved a sink URL and we'll use that instead of the basic me calendar view if it's not there then we'll just use the base URL but in order for it to be in the session we need to save it so let's go come back down here to where we process our response and save our Delta now we're taking a simplistic approach here for this demo if there's a next link we save that as our next sink URL otherwise if there's a delta link we save that we'll use whichever one we get back so now that we have that let's rerun the app and see what happens okay so we'll do our first initial sync and we get back five items now if we click sync again we get one more item that used the Delton link to get further information now if we click sync again with our new Delta link we get back no changes so we received all the changes that are there let's take a look at the code in pages yes that actually renders those changes that come in so we basically take the changes they come in and loop through each one of them we check if there is a reason property on each change that's set to deleted if we have that then that we know that it's a deleted item rather than an added or updated item deleted items are a little different in that you don't get all of the properties on the item since 
it no longer exists you do get back the item identifier so if you're saving this into a back end somehow keeping them in sync it's a good idea to be able to find the item in your back end based on the item identifier so that you can remove it if it's not a deleted item then we just set the entry in the table to use the subject of the appointment and add it into our table now let's take a quick look have what happens if we add an item after we've completed our sink so we'll go to the users calendar and we'll just add an item here now if we switch back to the app and do another sync we should see the new item that we just created and we'll see the flipside of that will delete the item and do another sink and this time we get back a delete change with the ID of the item and that's it we've done basic synchronization functionality join us in the next session where we'll take a look at doing it a little bit more with the calendar viewing items updating items and the leading items all from our app be sure to check out develop calm and dev office.com for more information and getting started materials for node and other platforms thanks for watching
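The sync flow described in the transcript above, as an added example (not code from the video or from the node-outlook project): it saves whichever of the next link or delta link comes back, applies added, updated and deleted changes to a local store, and follows a saved sync URL only when it still points at the API host, because the access token is sent with every call. The host name, the `CalendarView('<id>')` identifier form, the `fetchPage` stand-in and all sample responses are assumptions constructed for this sketch.

```javascript
const API_ORIGIN = 'https://outlook.office.com'; // assumed host of the v2.0 endpoint
const BASE_URL = API_ORIGIN + '/api/v2.0/Me/CalendarView';

// Follow a saved link only if it stays on the API host: the access token goes with it.
function pickUrl(session) {
  try {
    if (new URL(session.syncUrl).origin === API_ORIGIN) return session.syncUrl;
  } catch (e) { /* nothing saved yet, or malformed: use the base URL */ }
  return BASE_URL;
}

// Apply one page of changes to a local store (a Map keyed by event id).
function applyChanges(store, changes) {
  for (const change of changes) {
    if (change.reason === 'deleted') {
      // Deleted entries carry only an identifier; the CalendarView('<id>') form is assumed.
      const m = /^CalendarView\('(.*)'\)$/.exec(change.id);
      store.delete(m ? m[1] : change.id);
    } else {
      store.set(change.Id, change.Subject); // added or updated item
    }
  }
}

// One press of the sync button: fetch a page, apply it, save whichever link came back.
// fetchPage is a hypothetical stand-in for the real API call.
function syncOnce(session, store, fetchPage) {
  const page = fetchPage(pickUrl(session));
  const changes = page.value || [];
  applyChanges(store, changes);
  session.syncUrl = page['@odata.nextLink'] || page['@odata.deltaLink'] || session.syncUrl;
  return { count: changes.length, more: Boolean(page['@odata.nextLink']) };
}

// Constructed responses, keyed by request URL (page size 2 here to keep the sample short).
const DELTA = BASE_URL + '?$deltatoken=';
const PAGES = {
  [BASE_URL]: { value: [{ Id: 'a', Subject: 'Standup' }, { Id: 'b', Subject: 'Review' }],
    '@odata.nextLink': BASE_URL + '?$skiptoken=1' },
  [BASE_URL + '?$skiptoken=1']: { value: [{ Id: 'c', Subject: 'Lunch' }], '@odata.deltaLink': DELTA + '1' },
  [DELTA + '1']: { value: [{ id: "CalendarView('b')", reason: 'deleted' }], '@odata.deltaLink': DELTA + '2' },
  [DELTA + '2']: { value: [], '@odata.deltaLink': DELTA + '2' },
};

function demo() {
  const session = {}, store = new Map(), counts = [];
  for (let i = 0; i < 4; i++) counts.push(syncOnce(session, store, (url) => PAGES[url]).count);
  return { counts, subjects: [...store.values()], syncUrl: session.syncUrl };
}
console.log(demo());
```
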

Building Bots Part 1

It's about time we did a Toolbox episode on bots. Hi, welcome to Visual Studio Toolbox. I'm your host, Robert Green, and jo...