All posts by onlyconnect

A Silverlight UI for Windows Mobile 7, backward compatibility in doubt

Note: speculative post; I have no official information on this.

It’s been rumoured for ages; but at this point I would be surprised if the Windows Mobile 7 UI were not built with Silverlight. Consider:

  • Silverlight has to be supported – it should have been in 6.5 – otherwise nobody will take mobile Silverlight seriously
  • WM7 has to have excellent UI design; and WPF/Silverlight is Microsoft’s designer-friendly UI framework
  • Silverlight 4 already supports touch control in the current beta
  • Scaling/Zooming is baked into Silverlight and ideal for a mobile UI
  • If Silverlight is present on the device it would make sense to build the UI with it

If this is right, there are a couple of interesting aspects for developers. It will make Silverlight a more attractive platform in scenarios such as Enterprise roll-outs where the device can be specified.

The awkward question: what about all those existing Windows Mobile apps built either with native code or with the compact framework? Again, there are rumours of lack of backward compatibility. Does that mean that all Windows Mobile 7 apps with a UI will have to be done in Silverlight? That’s what John Biggs says:

WinMo 7 will not run 6.x code. End of story. It is based on Silverlight and .Net. Everything save a few basic programs will not work under WinMo 7. There is no expectation that this will be a “business device” and the focus is currently on games including some XBox Live functionality for gaming and messaging. There will be a Microsoft App store with an easy approval process.

I find this a stretch. I can believe that Microsoft might initially target the consumer market, or have crippled “consumer” versions; but not that it would give up on mobile business apps – we heard at PDC (to the point of tedium) how Microsoft is supporting “three screens and a cloud”, unified for developers by Visual Studio. There’s no reason why Silverlight should not be used for business apps.

What about backward compatibility though? Traditionally Microsoft does a good job of keeping your old stuff running, within reason; possibly too good – Windows is full of compatibility hacks that may be to its detriment overall.

Another point to bear in mind: WM7 needs a browser, and I don’t see Microsoft re-implementing IE in Silverlight.

So I’m sceptical about this too; but with Windows Mobile at such a low ebb could the company decide it has little to lose?

Windows Azure is too expensive for small apps

I’m researching Windows Azure development; and as soon as you check out early feedback one problem jumps out immediately. Azure is prohibitively expensive for small applications.

Here’s a thread that makes the point:

Currently I’m hosting 3 relatively small ASP.net web applications on a VPS. This is costing about $100 per month. I’m considering transitioning to Azure.
Q: Will I need to have 1 azure instance per each ASP.net application? So if I have 3 web apps, then I will need to run 3 instances which costs about $300 per month minimum, correct?

The user is correct. Each application consumes an “instance”, costing from $0.12 per hour, and this cost is incurred whenever the application is available.

Amazon also charges $0.12 per hour for a Windows instance; but the Amazon instance is a virtual machine. You can run as many applications on there as you like, until it chokes.

Google App Engine has a free quota for getting started, and then it is charged according to CPU time. If the app is idle, you don’t pay.

In addition, all these services charge extra for storage and data transfer; but in a low-usage application these are likely to be a small proportion of the total.

Summary: Azure’s problem is that it does not scale down in a way that makes business sense. There is no free quota, unless you count what is bundled with an MSDN subscription.

I realise that it is hard to compare like with like. A cheap Windows plan with a commodity ISP will cost less than either Amazon EC2 or Azure, but it is worth less, because you don’t get a complete VM as with Amazon, or a managed platform as with Azure, or the scalability of either platform. The point though is that by cutting out smaller businesses, and making small apps excessively expensive for customers of any size – even enterprises run small apps – Azure is creating a significant deterrent to adoption and will lose out to its rivals.

Check out the top feature request for Azure right now: Make it less expensive to run my very small service.

Silverlight 4 with COM can do anything – on Windows

At PDC Microsoft played down the significance of adding COM support to Silverlight 4 when run out of the browser and fully trusted (you can also be out of the browser and not fully trusted). The demos were of Office automation, and journalists were told that the feature was there to satisfy the requests of a few Enterprise customers.

Now former Microsoft Silverlight program manager Justin Angel, who has implemented his blog in Silverlight, has spelt out what we all knew, that Silverlight with COM support can do just about anything. His richly-illustrated blog post has code examples for:

  • reading and writing to any file (subject I guess to the permissions of the current user)
  • executing any command or file
  • emulating user input with WShell.SendKeys
  • pinning files to the Windows 7 taskbar
  • reading any registry values
  • adding an application to the Windows startup folder
  • doing text to speech using Windows built-in engine
  • accessing local databases with ODBC
  • automating scanners and cameras
  • using the Windows 7 location API, accessing the full .NET Framework
  • and of course … automating Microsoft Office.

Well, fully trusted means fully trusted; and these are great features for powerful though Windows-only Silverlight applications, though I hope no user installs and trusts one of these applets thinking it is “only Silverlight” and can’t do much harm.

The post also has comments on the lack of any equivalent feature for the Mac in Silverlight 4:

If Microsoft chooses to not go ahead with Mac support in Silverlight 4 RTM, well, it’s not because they couldn’t

says Angel, suggesting that it would be easy to add AppleScript support. (I had to type that quote – no clipboard support in Silverlight 3).

Of course there is time for Microsoft to unveil such a feature, say at Mix10 in March, though I wouldn’t count on it.

Why F# rather than IronPython in Visual Studio 2010?

Dynamic languages are all the rage; and after JavaScript, Python is perhaps the dynamic language of the day, loved by Google and gaining increasing attention. IronPython, built on .NET, is stable and at version 2.6. Now Visual Studio 2010 turns up with an additional language in the box, but it is not IronPython; rather it is a little-known language out of Microsoft Research called F#.

Now, F# is very interesting and brings real diversity to Visual Studio; it is great for mathematics and for parallel programming. But wouldn’t IronPython have sparked more immediate interest from the .NET community? Judging by this feature request, with 500 votes, it would. It is a little embarrassing for Microsoft that the favoured IDE for IronPython work is SharpDevelop. Plenty of IronPython enthusiasts are pressing for Visual Studio support.

Here’s what IronPython MVP Jeff Hardy says:

I think I can safely say that adding full, high-quality support for IronPython to Visual Studio would require at least a couple of man-years of work. The rabbit hole goes pretty deep when you consider all of the functionality that VS offers, not to mention the difficulty of doing IntelliSense well. I estimate they’d have to at least double the IronPython team to get full support into VS11. IronRuby would require the same commitment.

Hardy is hopeful for VS 2012.

I still find it odd. Official Visual Studio integration would do a lot to raise awareness and usage of IronPython; and make Microsoft’s commitment to dynamic languages more visible – though I guess F# supporters will be happy with Microsoft’s priorities here.

A note to RSS subscribers

This blog has a full-text RSS feed. In other words, you can read the entire contents of a post without visiting the site – though I hope you will visit the site from time to time to read the comments, like the excellent discussion on web vs desktop applications here.

The reason for this note is that the feed broke for some subscribers recently; and the reason it broke was that I’d hacked the code to ensure that you get full text feeds and not excerpts with a “read more” link. I had hacked the code not because WordPress was broken exactly, but because of a legacy problem. The feed for this blog used to be http://www.itwriting.com/blog/rss.php. WordPress still supports this URL, but without my hack it delivers excerpts, even though WordPress is set for full text. The hack works; but it is perilous because I use Subversion to keep WordPress up-to-date. If I modify the WordPress source, and then the same file gets updated in the official source, then Subversion inserts some stuff in the file to assist in resolving the conflict. That’s fine, except that it may break the PHP until I get round to fixing it. There’s also a risk that the modified file will no longer work because of changes elsewhere.

The sane solution then is not to modify the WordPress source, but to ask you to use the modern, approved and up-to-date RSS feed URLs which are:

http://www.itwriting.com/blog/feed for RSS

and

http://www.itwriting.com/blog/feed/atom

for Atom.

If you use Google Reader, for example, I suggest you remove the existing subscription and add a new one with one of the above URLs.

That said, the old URL now works again, but with excerpts and not full text. The reason is not that I want you to visit the site, add to my page views and enjoy the unobtrusive advertising (though I do); it’s because of the technical issue above. Now you know how to fix it.

The end of Code Access Security in Microsoft .NET

In the early days of .NET I remember being hugely impressed by Code Access Security. It gave administrators total control over what .NET code was permitted to run. It’s true that the configuration tool was a little intimidating, but there were even wizards to adjust .NET security, trust an assembly, or fix an application – great idea, that last one.

Well, now the truth is out. Code Access Security was too complex for humans to configure. Buried deep in the documentation for .NET Framework 4.0 you can find Microsoft’s confession, under the heading Security Policy Simplification:

In the .NET Framework 4 Beta 2, the common language runtime (CLR) is moving away from providing security policy for computers. Historically, the .NET Framework has provided code access security (CAS) policy as a mechanism to tightly control and configure the capabilities of managed code. Although CAS policy is powerful, it can be complicated and restrictive. Furthermore, CAS policy does not apply to native applications, so its security guarantees are limited. System administrators should look to operating system-level solutions such as Windows Software Restriction Policies (SRP) as a replacement for CAS policy, because SRP policies provide simple trust mechanisms that apply to both managed and native code. As a security policy solution, SRP is simpler and provides better security guarantees than CAS.

The section below, headed Obsolete Permission Requests, is even more damning of the old system:

Runtime support has been removed for enforcing the Deny, RequestMinimum, RequestOptional, and RequestRefuse permission requests. In general, these requests were not well understood and presented the potential for security vulnerabilities when they were not used properly.

It goes on to explain why they did not work, with explanations like this one for RequestOptional:

RequestOptional was confusing and often used incorrectly with unexpected results. Developers could easily omit permissions from the list without realizing that doing so implicitly refused the omitted permissions.

The new .NET Framework 4.0 no longer enforces these obsolete permissions.
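
The RequestOptional trap described above, as a simplified model (an added example, not code from the documentation or from Microsoft). It assumes the pre-4.0 grant rule of policy ∩ (minimum ∪ optional) − refused, with an absent RequestOptional treated as a request for everything, and it treats permissions as atomic names.

```python
# Simplified model of the pre-.NET 4 CAS grant calculation (added example).
# Assumption: permissions are atomic names; real CAS permissions carry state
# such as file paths, so this only models the set logic.

ALL_PERMISSIONS = frozenset({
    "FileIOPermission", "UIPermission", "ReflectionPermission",
    "SecurityPermission", "RegistryPermission",
})


class PolicyException(Exception):
    """Policy cannot satisfy RequestMinimum, so the assembly does not load."""


def compute_grant(policy, minimum=(), optional=None, refuse=()):
    """Return the permission set an assembly ends up with.

    policy   -- what administrator policy would allow this assembly
    minimum  -- RequestMinimum: load fails if policy does not cover these
    optional -- RequestOptional: None means the attribute was never used
    refuse   -- RequestRefuse: always removed from the grant
    """
    policy, minimum, refuse = frozenset(policy), frozenset(minimum), frozenset(refuse)
    if not minimum <= policy:
        raise PolicyException(sorted(minimum - policy))
    # With no RequestOptional at all, the assembly is treated as wanting
    # everything policy allows. The moment one RequestOptional appears,
    # only the listed permissions (plus the minimum) are wanted.
    wanted = ALL_PERMISSIONS if optional is None else minimum | frozenset(optional)
    return (policy & wanted) - refuse


def implicitly_refused(policy, minimum=(), optional=None, refuse=()):
    """Permissions policy allowed but the assembly lost without asking to."""
    granted = compute_grant(policy, minimum, optional, refuse)
    return frozenset(policy) - granted - frozenset(refuse)


# Constructed scenario: policy allows three permissions.
POLICY = {"FileIOPermission", "UIPermission", "ReflectionPermission"}

if __name__ == "__main__":
    # No requests: the assembly gets everything policy allows.
    print(sorted(compute_grant(POLICY)))
    # Developer adds one RequestOptional "to be safe" and silently loses the rest.
    print(sorted(compute_grant(POLICY, optional={"FileIOPermission"})))
    print(sorted(implicitly_refused(POLICY, optional={"FileIOPermission"})))
```
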

Microsoft is right. As far as I’m aware, few used the .NET Configuration tool, and I cannot even find it in Windows 7, even though Visual Studio and all the versions of the .NET Framework are installed. Developers feared, with justification, that tinkering with the settings would simply cause mysterious exceptions that were hard to resolve.

I recall though that Code Access Security was considered a highly strategic feature when .NET was first released. One of the promises of .NET was that applications would be more secure and malware less prevalent. The fine-grained permissions were a selling point versus Java.

The painful lesson is that simplicity is a feature. Of course some things are inherently complex; but technology succeeds when it simplifies rather than complicates the tasks that we face.

What does Ribbon Hero say about Microsoft Office?

Microsoft has released a tutorial game called Ribbon Hero in its Office Labs. This installs an Office add-in for Word and Excel which watches you work. It has several features. When you perform an action such as Copy and Paste for the first time, it awards you points. You get further points by performing “challenges”, where Ribbon Hero generates a document and sets you a task, like removing duplicates from a table. Finally, you can upload your score to Facebook to share with friends.

I gave it a go. It worked, though on the second challenge I got the right result in what the Ribbon Hero clearly considered to be the wrong way, which was annoying. Hint – use the Ribbon. Should have thought of that.

Ribbon Hero is easily impressed, and on a quick look the tasks are mostly basic ones, though I guess they could be expanded if the idea proves popular.

Irritating and patronising, or a brilliant training tool? Well, learning by doing is a good principle so I don’t dismiss it, even if my own reaction is more the former one.

The interesting aspect is what the existence of this tool says about Office. Not everyone gets on with the Ribbon; some miss the old menus. Further, Office is so bloated feature-rich that knowing it in depth is a formidable task. I have often been told that the majority of wish-list requests are for features that already exist.

In consequence, a large part of the challenge for Microsoft’s Office team lies in enabling users to operate the product successfully. This is not a new problem; the notorious “it looks like you’re writing a letter” Office Assistant, or Clippy, was another attempt. The Ribbon itself was also meant to address it, though I am convinced that Microsoft also intended to differentiate itself from the competition and to devise a user interface it had some hope of protecting, if necessary, in the courts.

You could argue that the very existence of Ribbon Hero is an admission of failure. The perfect office suite would not need a game to teach it; it would work so much in accord with what the user expected that it would not be necessary.

I use Office all the time and respect it. That said, eventually Microsoft (or a competitor) will need to remove features rather than adding them, or to retire Office and deliver something better in its place, that achieves the same goals but with less complexity – if such a thing is possible. And if it is going to happen, it will happen on the Web; for some, it already has.

Fixing a WordPress plugin setting

I changed the theme and plugins used on this blog recently. Along the way I managed to slightly corrupt the settings for one of the plugins, GD Star Rating, the result being that the stars in the Top Rated Posts widget would not display. I figured out the problem: the plugin stores the path to the graphics which represent the stars, and this had incorrectly been set to an https path. Since I use a self-generated SSL certificate, the result was that browsers did not trust the connection and refused to display the graphics.

Unfortunately this path is not configured directly in the plugin options, as far as I can see. I temporarily changed it to display a text rating while I worked out how to fix it.

The setting had to be in the MySQL database somewhere; and I found it. It is one value in a massive 10,000 character field called option_value, in the main options table. It seems that most of the settings for the plugin live in this single colon-separated field, even though the plugin also creates 12 tables of its own for the ratings data. Hmm, I don’t like the way this is implemented. How often does this field get queried and parsed?

Still, the immediate problem was to alter the value. I ran up the MySQL interactive SQL utility and typed very carefully. This is where one false move can obliterate your WordPress install; I’m reminded of someone I knew (not me, honest) who set all his company’s customers to have the same address with a careless update missing its WHERE clause. Fortunately this is only a blog. Transactions are also good. Anyway, what could go wrong? It was a simple combination of UPDATE, REPLACE and WHERE.

It worked, the stars have returned, and I know a little bit more about the innards of WordPress and this particular plugin.
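
A guarded version of that UPDATE, REPLACE and WHERE combination, as an added example that is not the statement used in the post. It runs against an in-memory SQLite database standing in for MySQL; the two-column wp_options table, the option names and the URLs are constructed.

```python
import sqlite3

OLD = "https://blog.example/"   # constructed value, not the blog's real path
NEW = "http://blog.example/"


def build_sample_db():
    """Constructed stand-in for the options table, opened in autocommit mode
    so that BEGIN/COMMIT/ROLLBACK below are issued explicitly."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT)")
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("siteurl", "http://blog.example"),
        ("example_plugin_settings",  # hypothetical option name
         "style:stars;path:https://blog.example/plugins/example/stars/;size:20"),
        ("other_plugin_settings",    # must stay untouched
         "cdn:https://blog.example/assets/"),
    ])
    return conn


def get_option(conn, name):
    row = conn.execute(
        "SELECT option_value FROM wp_options WHERE option_name = ?", (name,)).fetchone()
    return row[0] if row else None


def guarded_replace(conn, option_name, old, new, expected_rows=1):
    """Replace `old` with `new` in one named option, inside a transaction.

    The WHERE clause is previewed with a COUNT first, and the change is
    committed only if exactly `expected_rows` rows matched and were updated.
    Anything else rolls back and raises, leaving the table as it was.
    """
    where = "WHERE option_name = ? AND instr(option_value, ?) > 0"
    cur = conn.cursor()
    cur.execute("BEGIN")
    try:
        cur.execute("SELECT COUNT(*) FROM wp_options " + where, (option_name, old))
        matched = cur.fetchone()[0]
        if matched != expected_rows:
            raise RuntimeError(f"WHERE matches {matched} rows, expected {expected_rows}")
        cur.execute(
            "UPDATE wp_options SET option_value = REPLACE(option_value, ?, ?) " + where,
            (old, new, option_name, old))
        changed = cur.rowcount
        if changed != expected_rows:
            raise RuntimeError(f"UPDATE changed {changed} rows, expected {expected_rows}")
        cur.execute("COMMIT")
        return changed
    except Exception:
        if conn.in_transaction:
            cur.execute("ROLLBACK")
        raise


if __name__ == "__main__":
    db = build_sample_db()
    print(guarded_replace(db, "example_plugin_settings", OLD, NEW))
    print(get_option(db, "example_plugin_settings"))
```

If the stored value is PHP-serialized, a replacement that changes a string's length also has to update that string's length prefix, which a plain REPLACE does not do.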

Government security advice is misguided; switching browsers will not make you safe

I have mixed feelings about the recent government recommendations from France and Germany to switch from Internet Explorer for security reasons.

Although raising security awareness seems on the face of it to be a good thing, this is naïve advice and may do more harm than good. Security is a complex and multi-faceted problem, and it does people no service if they believe it can be fixed by switching browsers. Another common illusion is that running anti-virus software, or even up-to-date anti-virus software, makes you safe. It does not. Anti-virus software does not detect all viruses, and in particular it frequently fails on those that are most dangerous, in other words, those which are newest.

Another factor is that many of the most successful malware attacks come via social engineering. That’s not browser-specific, though there are attempts to maintain bad site lists, which don’t in my experience work very well.

The danger is that people think they are safe, and take fewer other precautions, ending up less safe than before.

Is Firefox, Chrome or Opera safer than IE? I’m not even sure about that. The latest versions of each are massively safer than IE6, for sure. But how does a fully-patched IE8 compare to the latest fully-patched versions of the other browsers? At least one test [pdf] says that IE8 is actually safer, though unfortunately it dates from March last year and does not cover drive-by downloads:

Microsoft Internet Explorer 8 (RC1) was the standout in our tests, achieving a best-in-class 69% catch rate against Malware. It is clear that Microsoft is making an effort to provide security to their customers with IE8.

Know a better one? I’d be interested in more recent tests.

Microsoft is not always competent; read this blog for evidence. But it has made genuine efforts to improve security and has a comprehensive update mechanism that mostly works. IE now has protected mode on Vista or Windows 7, which is no panacea but helps a little.

But what about the known zero-day vulnerability in IE? Isn’t that enough to make switching browsers necessary, if only temporarily?

I’m not so sure. Frankly, it would surprise me if there were not multiple known vulnerabilities in all the major browsers, if you move in the right (or wrong) circles.

How then do you do secure computing? Don’t connect to the internet. OK, how else? The risk cannot be eliminated but it can be reduced … don’t run with local admin rights, don’t run unknown executables, only enable plug-ins and scripting for web sites you know to be safe, keep your operating system patched and up-to-date, and so on.

Another thing you can do is to browse the web in a virtual machine – a sort of super protected mode – not perfect, but would prevent some attacks at the expense of convenience.

If you are really serious you can use AppLocker, or another whitelisting technique, to control what can run on your box.

And passwords … one thing I do hold against Microsoft is that the company has a brilliant authentication mechanism called InfoCard that is almost never used, even by Microsoft. Unfortunately that’s not something any individual can change; but it is possible at least to use more complex passwords and not to pass them over the internet in plain text.

I’m not sure, even today, that many people realise that when they use Twitter on an airport or hotel or conference wi-fi, or collect email via POP3, they are likely passing their credentials in plain text over the internet for any smart hacker to read.

I am also depressed how often I see “security questions” on registration forms, asking for things like mother’s maiden name to be used in case of lost password. It is obvious that these are actually insecurity questions; they lower security while easing the burden on support desks. All too often, these organisations then lower it further by emailing your password back to you in plain text. It also sometimes turns out that the password itself is stored in plain text on their web-connected databases, accessible to hackers.

Overall the IT industry is desperately bad at security, and by and large convenience has won. Yes, I think that should change. No, after years of reporting on IT I am not optimistic that it will, certainly not soon. And knee-jerk instructions to switch browsers may please Mozilla and Google, and web developers for whom Internet Explorer is a constant irritation especially in old versions, but will do little else to improve the situation.

Brian Eno likes Abba, thinks music business is a passing phase

I enjoyed this interview with Brian Eno, partly because it echoes some of my own musical journey – as a listener, I must emphasise:

I like Abba. I did then and I didn’t admit it. The snobbery of the time wouldn’t allow it.

Quite. Which is why a couple of years ago I bought the 4CD set Thank you for the Music, and not only do I love it, I admire what they did, the technique, the melody and the emotion.

I may have been foolish to buy it. It sounds like Eno doubts we will have to for much longer:

I think records were just a little bubble through time and those who made a living from them for a while were lucky. There is no reason why anyone should have made so much money from selling records except that everything was right for this period of time. I always knew it would run out sooner or later. It couldn’t last, and now it’s running out. I don’t particularly care that it is and like the way things are going.

Kudos to Eno for portraying this not as some evil thing, but just something of our time. I love Spotify; millions of songs on demand and for free. I’m not sure how long Spotify itself will last, but clearly the era of the record shop is over and there are many reasons to be glad about that – even if one cannot help a little nostalgia for the fun of browsing the racks and the excitement of setting the needle onto a groove for the first time, or the CD equivalent.