There are three virtual methods that IMHO should have never been added to System.Object…
• ToString()
• GetHashCode()
• Equals()
All of these could have been implemented as an interface. Had they done so I think we’d be much better off. So why are these a problem?

First let’s focus on ToString():
1. If ToString() is expected to be implemented by someone using ToString() and displaying the results you have an implicit contract that the compiler cannot enforce. Your code might assume that ToString() is overloaded, but there is no way to force that to be the case. Had this been an interface, say IDisplayString, your client code would be able to ensure that an object implement this.

2. Most argue the benefit of overloading ToString() is for the debugger. You should NOT be doing this, instead you should start using [System.Diagnostics.DebuggerDisplayAttribute].

3. As for needing this implementation for converting objects to strings via String.Format(), and/or Console.WriteLine, they could have deferred to the System.Convert.ToString(object) and checked for something like ‘IDisplayString’, failing over to the type’s name if not implemented.

4. Exactly what ToString() returns or should return seems to be a matter of debate and is the worst of all it’s problems. Is this a display string? If so, for what culture? Is this a serialization string? Is it just for debugging? There doesn’t seem to be any correct answer.

And don’t even get me started on GetHashCode/Equals.
1. Overloading .Equals has nothing to do with expressing equality in your code (value1 == value2) unless you remember to call it directly. Stupid!

2. There are numerous ways in which to compare two objects. Reference comparison is one, or perhaps by an object’s identity field, or even a name field? What I love most is that the reference comparison is difficult to produce on an object that overloads these. Does anyone know how to get the ‘hash’ of an object’s reference (memory location)? BTW you can, it’s not in an obvious place like Object.GetHash(object), it’s RuntimeHelpers.GetHashCode(object).

3. Casting — why lord, why? Why must you make me cast the object I’m comparing myself to. And what do I do with null or some other object type? Is there some standard I’ve never heard of that defines the appropriate action? Certainly neither equality or inequality are the correct response?

4. What comparison will be used? I’ve implemented IEquatable before, sometimes things I call even use it; however, a larger part of the time I still have to overload the object’s GetHashCode/Equals.

5. Much like ToString() there isn’t a way to tell if an object actually implements this behavior. If it does, did I want them to is an entirely different story. They could be breaking my code by implementing these without either of us knowing I was depending upon reference comparison.

So I say enough already, can we please just deprecate these already? I’d even be willing to find and fix all the places I’ve been unwillingly forced to use these damn things.


A good friend of mine who is the definition of a ‘Security Expert’ replied to my recent post regarding the use of current encryption technologies. He had this to say about my assertion that PKI cannot prove my identity:

PKI-based authentication can prove who you are, to the extent it can prove that the name in the certificate corresponds to the entity wielding the private key.

Since he seems by this to have missed my original statement I wanted to clarify why I don’t believe PKI technology can be used for personal identity. The problem isn’t the technology, certainly if I am only one with the private key then I can prove who I am. My argument is that you cannot secure the private key.

Oh sure, you could take that private key and ACL/encrypt it down to my user account. Even better you could put it on a thumb drive bio-metrically encrypted for only my access. This is still insufficient security. Programs running on machines that I use when accessing that data can get to that data. Since you cannot secure the platforms we use, you cannot secure data stored or accessed by them. Not that the technology is wholly unusable, for some things it would be entirely sufficient; however, I sure wouldn’t want my private-key to be the only thing needed to access my online banking.

Let’s say we went down this road and everyone had a private key. That provides one attack everyone is vulnerable to. It would be a matter of hours before people started finding ways around whatever security was in place. Wherever you have more potential victims and higher rewards the criminals will attack. Why do you think MS-Windows has been attacked the most?

The hidden beauty behind the mess of online credentials is that everyone does it differently. This forces an attacker to pick something specific to target, like PayPal, or BoA. The attack, if successful, only works there. This is a good thing. Putting all our eggs in one security basket is just a bad idea… Kinda like using the same username and password on every website you visit.


An excerpt of a recent slashdot post:

“… I wanted to ask the Slashdot community, what do you think the hold up is (regarding use of encryption)? Are the existing protocols somehow not good enough? Are the protocols fine, but not supported well enough in software? Is it too complicated to manage the various encryption protocols and keys? Is it ignorance or apathy on the part of the IT community, and that we’ve failed to demand it from our vendors?”

I think I’d go with a few core issues on this one…

First, a large part of the development community is is ignorant of the encryption technologies and how to make them work.

Second, a larger problem is the greed of the existing trusted root authorities. Most individuals are not willing to expend the ridiculous amount of money required just to assert their identity. IMHO it’s an evil exploitation.

Third, and most important. The meat of the problem is ‘identity’. How do I prove who I am? PKI cannot solve this. Why? Because I use several machines to interact with the web not one. If any of these machines, some of which I don’t control, are compromised then some other party can act on my behalf. No machine is secure enough for me to trust it with that kind of control over my online identity.

Thus we are where we are, PKI is expensive and not well understood by most developers. Further, even if this were overcome it would not server as proof of who I am. To truly address the issue a completely new technology/approach is required. I rather doubt we will see a solution in our lifetime.

Jan 112010

Changed hosting environments, hopefully this will be less painful to all :)