All posts by onlyconnect

Hands on with Hyper-V: it’s brilliant

I have just installed an entire Windows server setup on a single cheap box. It goes like this. Take one budget server stuffed with 8GB RAM and two network cards. Install Server 2008 with the Hyper-V, Active Directory Domain Services, DNS and DHCP roles. Install Server 2003 on a 1GB Hyper-V VM for ISA 2006. Install Server 2008 on a 4GB VM for Exchange 2007. Presto: it’s another take on Small Business Server, except that you don’t get all the wizards; but you do get the flexibility of multiple servers, and you do still have ISA (which is missing from SBS 2008).

Can ISA really secure the network in a VM (including the machine on which it is hosted)? A separate physical box would be better practice. On the other hand, Hyper-V has a neat approach to network cards. When you install Hyper-V, all bindings are removed from the “real” network card and even the host system uses a virtual network card. Hence your two NICs become four:

As you may be able to see if you squint at the image, I’ve disabled Local Area Connection 4, which is the virtual NIC for the host PC. Local Area Connection 2 represents the real NIC and is bound only to “Microsoft Virtual Network Switch Protocol”.

This enables the VM running ISA to use this as its external NIC. It strikes me as a reasonable arrangement, surely no worse than SBS 2003 which runs ISA and all your other applications on a single instance of the OS.

Hyper-V lets you set start-up and shut-down actions for the servers it is hosting. I’ve set the ISA box to start up first, with the Exchange box following on after a delay. I’ve also set Hyper-V to shut down the servers cleanly (through integration services installed into the hosted operating systems) rather than saving their state; I may be wrong but this seems more robust to me.

Even with everything running, the system is snoozing. I’m not sure that Exchange needs as much as 4GB on a small network; I could try cutting it down and making space for a virtual SharePoint box. Alternatively, I’m tempted to create a 1GB server to act as a secondary domain controller. The rationale for this is that disaster recovery from a VM may well be easier than from a native machine backup. The big dirty secret of backup and restore is that it only works for sure on identical hardware, which may not be available.

This arrangement has several advantages over an all-in-one Small Business Server. There’s backup and restore, as above. Troubleshooting is easier, because each major application is isolated and can be worked on separately. There’s no danger of notorious memory hogs like store.exe (part of Exchange) grabbing more than their fair share of RAM, because it is safely partitioned in its own VM. After all, Microsoft designed applications like Exchange, ISA and SharePoint to run on dedicated servers. If the business grows and you need to scale, just move a VM to another machine where it can enjoy more RAM and CPU.

I ran a backup from the host by enabling VSS backup for Hyper-V (requires manual registry editing for some reason), attaching an external hard drive, and running Windows Server backup. The big questions: would it restore successfully to the same hardware? To different hardware? Good questions; but I like the fact that you can mount the backup and copy individual files, including the virtual hard drives of your VMs. Of course you can also do backups from within the guest operating systems. There’s also a snag with Exchange, since a backup like this is not Exchange-aware and won’t truncate its logs, which will grow infinitely. There are fixes; and Microsoft is said to be working on making Server 2008 backup Exchange-aware.

Would a system like this be suitable for production, as opposed to a test and development setup like mine? There are a couple of snags. One is licensing cost. I’ve not worked out the cost, but it is going to add up to a lot more than buying SBS. Another advantage of SBS is that it is fully supported as a complete system aimed at small businesses. Dealing with separate virtual servers is also more demanding than running SBS wizards for setup, though I’d argue it is actually easier for troubleshooting.

Still, this post is really about Hyper-V. I’ve found it great to work with. I had a few hassles, particularly with Server 2003 – I had to remember my Windows keyboard shortcuts until I could get SP2 and Hyper-V Integration Services installed. Once installed though, I log on to the VM using remote desktop and it behaves just like a dedicated box. The performance overhead of using a VM seems small enough not to be an issue.

I’ve found it an interesting experiment. Maybe some future SBS might be delivered like this.

Update: I tried reducing the RAM for the Exchange VM and it markedly reduced performance. 4GB seems the best spot.

Windows security and the UAC debate: Microsoft misses the point

Poor old Microsoft. When User Account Control was introduced in Windows Vista the crowd said it was too intrusive, broke applications, and not really more secure – partly because of the “OK” twitch reflex users may suffer from. In Windows 7 UAC is toned-down by default, and easy to control via an easy-to-find slider. Now the crowd is saying that Microsoft has gone too far, making Windows 7 less secure than Vista. The catalyst for this new wave of protest was Long Zheng’s observation that with the new default setting a malicious script could actually turn off UAC completely without raising a prompt.

Microsoft’s Jon DeVaan responds with a lengthy piece that somewhat misses the point. Zheng argues that Microsoft should make the UAC setting a special one that would:

force a UAC prompt in Secure Desktop mode whenever UAC is changed, regardless of its current state

DeVaan doesn’t respond directly to this suggestion which seems a minor change that would barely impact usability.

DeVaan also says:

There has been no report of a way for malware to make it onto a PC without consent. All of the feedback so far concerns the behavior of UAC once malware has found its way onto the PC and is running.

It’s an important point; though I wonder how DeVaan has missed the problems with autorun that can pretty much install malware without consent.

I am not one of those journalists whom Zheng lambasts:

This is dedicated to every ignorant “tech journalist” who cried wolf about UAC in Windows Vista.

Rather, I’ve been an advocate for UAC since pre-release days; see for example my post If Microsoft doesn’t use UAC, why should anyone else? which I later discovered upset some folk. One reason is that I see its real intent, best articulated by Mark Russinovich, who writes:

UAC’s various changes and technologies will result in a major shift in the Windows usage model. With Windows Vista, Windows users can for the first time perform most daily tasks and run most software using standard user rights, and many corporations can now deploy standard user accounts.

and Microsoft’s Crispin Cowan:

Making it possible for everyone to run as Standard User is the real long term security value

In other words, UAC is a transitional tool, which aims to bring Windows closer to the Unix model where users do not normally run with local admin rights and data is cleanly separated from executables.

The real breakthrough will come when Microsoft configures Windows so that by default non-expert home and SME users end up running as standard users. Experts and system admins can make their own decisions.

In the meantime, I don’t see any harm in implementing the change Zheng is asking for, and I’d like to see Microsoft fix the autoplay problem; I believe users now understand that there is a trade-off between security and convenience, though they become irritated when they get the inconvenience without the security.

Update: Microsoft now says it will fix Windows 7 so that the UAC settings are better protected.


Farewell to Ensemble Studios and thanks for Age of Empires

Saw this sad note on the Ensemble Studios site today:

Ensemble Studios created the Age of Empires series of games; I’ve played these since the first release and had a huge amount of fun. Some of the best times have been with multiplayer with friends and family on a home network. The games combine strategic interest and challenge with rich graphics, which of course have evolved remarkably in line with increasingly powerful PC graphics cards.

If anyone from Ensemble reads this – thank you.

We can still enjoy playing the games but the studio is a victim of Microsoft’s cost-cutting. This particular closure was announced in September 2008, though the closure was delayed to enable the completion of Halo Wars. While I have no idea what the spreadsheets say, I’m surprised to see Microsoft wielding the axe in this area of its business. We’ve recently been reading how video games are surpassing music and video in turnover and that they are relatively resilient in a recession since they are for evenings in rather than nights out. High quality PC games have a spinoff benefit for Microsoft by making Windows a more attractive platform.

The recently announced closure of Aces Studio, responsible for Flight Simulator and the ESP simulation platform, seems even more short-sighted. As James Governor observes, virtual worlds and simulation have huge business potential and environmental benefit.

Crispygamer.com has an extended Ensemble tribute.

PS on a happier note, Ensemble’s Bruce Shelley noted in his last blog entry (which seems to have gone offline):

There are at least two new studios being formed by ES employees and I expect both to do very well. There were a lot of outstanding game developers here and it will be interesting to see how and what they do, both individually and as new groups, in the years ahead.

Facebook as groupware

There was a brief interview with Joe Gilder, a student at Bristol University, on the BBC Today programme this morning – why does he use Facebook, which is 5 years old today?

For me it’s the most important thing around. I know exactly what’s going on everywhere through what’s on my Facebook profile. Societies, clubs, departmental stuff from my departmental societies, anything from my students’ union, anything from my friends, it all goes through Facebook.

I found this interesting because it is pragmatic; it’s not just about socializing, but about organizing. I open Outlook to see what’s on today and tomorrow; he opens Facebook.

If Facebook wants to remain essential to someone like Gilder when he moves into the business world, perhaps its management should be considering how Facebook could be an Enterprise portal rather than merely a social network.


Visual Studio 2008 as a JavaScript editor

I’ve been doing some work on JavaScript editors recently, and was impressed by Microsoft’s Visual Studio in this respect. Here’s my post on the subject. By the way, even the free Express edition works fine for this; and you don’t need to use ASP.NET. You do need to use Internet Explorer of course; that’s another story.

What’s the deal with Flash and the iPhone?

A brief comment from Adobe’s CEO Shantanu Narayen quoted by Bloomberg suggests that Apple and Adobe are actually working on putting Flash on the iPhone:

It’s a hard technical challenge, and that’s part of the reason Apple and Adobe are collaborating. The ball is in our court. The onus is on us to deliver.

Deliver what? I’d have thought it would be straightforward for Adobe to implement some level of Flash on the iPhone. There are at least two reasons though why Apple might be blocking it:

1. Flash is a client runtime. Apple may feel that allowing applications to run within Flash could threaten its App Store lock-in and market.

2. One of the frustrations of Flash on devices is that it lags behind the version of Flash available on desktops, and is often hard to update. That’s frustrating for users. Apple may want to address that by giving iPhone users an experience that comes close to that on the desktop.

So what is Apple waiting for Adobe to deliver? Better mobile performance and usability? Or some other piece that might address the first of the above concerns?

The outcome of this has a significance that goes beyond the iPhone. Although iPhone and iTouch users form only a small proportion of those browsing the web, it is an influential group and one that will grow. The lack of Flash support makes pure HTML and JavaScript solutions more attractive to web developers.

If anyone from Adobe can give us more insight into what it is working on with Apple, I’m keen to know.


Music Magpie review

Rupert Jones in today’s Guardian has a note about Music Magpie, a site where you can sell old CDs, games, and now DVDs. The site calls itself an “online CD recycling service.” I like CDs, so I took a look.

The service is a commercial operation and as far as I can tell isn’t any different in principle from any other online secondhand retailer – I guess they all ought to get some green cred by calling themselves recycling services.

So how does Music Magpie compare to others like, say, Amazon or eBay? Let’s look at it first as a buyer. I love the Cowboy Junkies, so I did a search. I can get their great CD The Trinity Session for £3.99. Amazon has this new from £5.98, or used from £3.91. What about postage costs? At Amazon it is currently £1.21. I can’t so far discover what Music Magpie charges, or whether it is included. The terms and conditions say:

9.2. These prices include VAT but exclude delivery costs, which are detailed on the website.

However I can’t find them detailed anywhere. Maybe it is included after all, but you would have thought this would be flagged as a selling point. So it could be more than Amazon, or less, depending on this point; it appears to be in the same ball park. However, Amazon has a vastly greater stock available and nice features like customer reviews.

OK, how about as the seller? If I decide to sell my Cowboy Junkies CD, Music Magpie will currently offer me 98p (the price varies according to the CD, and can be as low as 25p). There’s no postage cost to the seller; the company sends out a freepost envelope.

There are some alarming terms and conditions. If Music Magpie decides one of your CDs needs refurbishment (polishing), it deducts up to 50p. If it decides it is unacceptable, it neither buys nor returns it. There is no appeal.

Now Amazon. If I sell Trinity Session for the current lowest price of £3.91, Amazon will grab £1.82 in fees (including VAT) but contribute £1.21 for postage. That means I get £3.30. If the postage actually costs that much (it could well work out less), I still get £2.09 net, more than double what Music Magpie offers.

Listing an item on Amazon is not much more difficult than selling to Music Magpie – just type in the barcode and go. The big difference is that with Amazon you have to sit back and wait for a buyer. With Music Magpie I get the money instantly. Another difference is that with Music Magpie I can parcel a bunch of CDs once and send them off. With Amazon, you have to deal with each customer individually.

My immediate impression is that Music Magpie scores well on convenience, but if you need the money and have a little patience you would be much better off with Amazon.

Now, here’s an interesting remark on the Music Magpie site:

We originally launched musicmagpie as an easy way for everyone to turn their old CDs into cash so that they did not have to be thrown away if they had decided to go digital. This proved to be a massive success with thousands of people using musicmagpie as a fast and efficient way to turn CDs into money.

Well, CDs are digital; but I’m guessing that Music Magpie is referring to people who have ripped their CDs to a computer for streaming, or for an iPod, or another MP3 player. Here’s a can of worms though. I’ve heard it argued that even ripping your own CDs is illegal, though it seems a reasonable thing to do. Ripping your CDs and then selling them though – intuitively that seems wrong. Arguably, Music Magpie by its own admission is dealing in stolen music.

Still, I do see the other side of this too. You’ve ripped all your CDs, you no longer need them, you are short of space: isn’t it better to move them on?

When people moved from vinyl to CD they had no choice but to purchase again. In the case of CD to music files though, you can migrate without re-buying. That’s a headache for the music industry.

Personally I hang on to them anyway, as a kind of license and physical backup, and just in case I might want to read the sleeve notes again one day.



Gears of War certificate expiry a reminder to developers: always timestamp signed code

Users of the PC version of Gears of War have been unable to run the game since yesterday (29th January 2009). If they try, they get a message:

You cannot run the game with modified executable code

Joe Graf from Epic has acknowledged the problem:

We have been notified of the issue and are working with Microsoft to get it resolved. Sorry for any problems related to this. I’ll post more once we have a resolution.

The workaround is to set back your system clock. An ugly solution. Of course, some users went through the agony of full Windows reinstalls in an effort to get playing again.

So what happened? This looks to me like a code-signing problem, not a DRM problem as such, though the motivation for it may have been to protect against piracy. Code signing is a technique for verifying both the publisher of an executable, and that it has not been tampered with. When you sign code, for example using the signwizard utility in the Windows SDK, you have to select a certificate with which to sign, and then you have an option to apply a timestamp. The wizard doesn’t mention it, but the consequences of not applying a timestamp are severe:

Microsoft Authenticode allows you to timestamp your signed code. Timestamping ensures that code will not expire when the certificate expires because the browser validates the timestamp. The timestamping service is provided courtesy of VeriSign. If you use the timestamping service when signing code, a hash of your code is sent to VeriSign’s server to record a timestamp for your code. A user’s software can distinguish between code signed with an expired certificate that should not be trusted and code that was signed with a Certificate that was valid at the time the code was signed but which has subsequently expired … If you do not use the timestamping option during the signing, you must re-sign your code and re-send it out to your customers.

Unfortunately, there is no timestamping for Netscape Object Signing and JavaSoft Certificates. Therefore you need to re-sign your code with a new certificate after the old certificate expires.

I don’t know if this is the exact reason for the problems with Gears of War, and I’m surprised that the game refuses to run, as opposed to issuing a warning, but this could be where the anti-piracy measures kick in. Epic’s programmers may have assumed that the only reason the certificate would be invalid is if the code had been modified.

I blogged about a similar problem in February 2006, when a Java certificate expired causing APC’s PowerChute software (a utility for an uninterruptible power supply) to fail. That one caused servers to run slow or refuse to boot.

As far as I know, there is no way of telling whether other not-yet-expired certificates are sitting on our PCs waiting to cause havoc one morning. If there are some examples, I hope it does not affect software running, say, Air Traffic Control systems or nuclear power stations.

If you are a Windows developer, the message is: always timestamp when signing your code.
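The trust decision the VeriSign text describes, and the failure mode this post attributes to the game, as an added model written for this page (not Epic’s or Microsoft’s code): a verifier that separates “modified code” from “certificate expired” and honours a timestamp. Certificate dates, the signing time and the code bytes are constructed; a hex digest stands in for a real Authenticode signature.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Optional


class Verdict(Enum):
    TRUSTED = "trusted"
    TAMPERED = "modified executable code"
    CERT_EXPIRED = "certificate expired and signature not timestamped"
    BAD_TIMESTAMP = "timestamp lies outside certificate validity"


@dataclass(frozen=True)
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


@dataclass(frozen=True)
class Signature:
    cert: Certificate
    code_digest: str                      # digest fixed at signing time
    signing_time: Optional[datetime]      # from the timestamp countersignature; None if not timestamped


def sign(code: bytes, cert: Certificate, signed_at: datetime, timestamp: bool) -> Signature:
    """Model of the signing step; the timestamp option is what the wizard lets you skip."""
    if not cert.valid_at(signed_at):
        raise ValueError("cannot sign with a certificate that is not valid now")
    return Signature(cert, hashlib.sha256(code).hexdigest(), signed_at if timestamp else None)


def verify(code: bytes, sig: Signature, now: datetime) -> Verdict:
    # 1. Integrity first: only a digest mismatch means the code was modified.
    if hashlib.sha256(code).hexdigest() != sig.code_digest:
        return Verdict.TAMPERED
    # 2. Timestamped: the certificate need only have been valid when the code was signed.
    if sig.signing_time is not None:
        return Verdict.TRUSTED if sig.cert.valid_at(sig.signing_time) else Verdict.BAD_TIMESTAMP
    # 3. Not timestamped: the certificate must still be valid today.
    return Verdict.TRUSTED if sig.cert.valid_at(now) else Verdict.CERT_EXPIRED
    # A launcher that maps every non-TRUSTED verdict to "modified executable code"
    # reproduces the confusing message this post describes.


# Constructed scenario: a publisher certificate that expired the day before the reports.
CERT = Certificate("Example Publisher (constructed)", datetime(2006, 1, 1), datetime(2009, 1, 28))
CODE = b"constructed stand-in for a game executable"
SIGNED_AT = datetime(2006, 11, 1)
SIG_TIMESTAMPED = sign(CODE, CERT, SIGNED_AT, timestamp=True)
SIG_PLAIN = sign(CODE, CERT, SIGNED_AT, timestamp=False)
DAY_AFTER_EXPIRY = datetime(2009, 1, 29)


def demo() -> dict:
    """Same code, same certificate, checked the day after the certificate expired."""
    return {
        "timestamped": verify(CODE, SIG_TIMESTAMPED, DAY_AFTER_EXPIRY),
        "untimestamped": verify(CODE, SIG_PLAIN, DAY_AFTER_EXPIRY),
        "untimestamped, clock set back": verify(CODE, SIG_PLAIN, datetime(2008, 12, 1)),
        "timestamped but modified": verify(CODE + b"!", SIG_TIMESTAMPED, DAY_AFTER_EXPIRY),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict.value}")
```

The "clock set back" case is the user workaround from the post: an untimestamped signature becomes acceptable again only because the verifier’s idea of "now" moved.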

Hands On with Office Live Workspace beta

I was asked today: how can I share documents with a remote worker? This is a two-person business. There are a zillion and one solutions these days, but all have downsides.

Set up a server and VPN: fine when it works, but what to do when it fails? Backup? Maintenance and patching?

Google Docs: A great solution, but what if you want to work with real Word and Excel documents? Excel in particular is hard to replace if you use it in earnest (big sheets, many calculations).

Netdocuments: This looks promising, though I haven’t tried it.

Subversion: This is what I use (with TortoiseSVN), but it’s terribly techie.

Live Mesh: Brilliant concept; automatic offline copies; just save documents to a shared folder and you’re done. One hesitation is that I’ve known the Mesh client to crash mysteriously. It’s a beta. And how secure are your Mesh documents from prying eyes?

What about Office Live Workspace? This is a form of hosted SharePoint and in theory it’s ideal – except, perhaps, that you have to keep a local copy of documents just in case the service goes down. You can store “over 1000 documents” online for free. I took a quick look. Signed up. Some sort of Live client needed. Client also needed a Vista update. Vista update installed and wanted a reboot. Live client declared it was already installed and setup closed. Rebooted. Back to Live Workspace. Live Client starts to install again, this time succeeds. Try to save from Word 2007, Live ID password prompt pops up numerous times. Word wants a further add-in. Second reboot. Something like that, anyway; the usual Windows merry-go-round.

Still, eventually I appear to have all the pieces in place. I type a new document in Word and click the Office button. I now have a new option, Save to Office Live:

Cool. I click Sign in to Office Live Workspace beta. Prompt comes up:

One of my problems is that I refuse to check “Sign me in automatically”. I don’t like it; I consider it more secure to sign in and out of services as I need them. There’s also a problem if you have more than one Live ID. Unfortunately some services deliver a poor user experience if you don’t sign in automatically, and I suspect Live Workspace is one of them. Anyway, I sign in and wait 10-15 seconds. Then I get this dialog:

I hit Save. Mistake: I get this dialog:

OK, my error was not to select a folder within the workspace. Easy mistake to make though, and the error message could be better. I double-click Documents and retry. I get this progress bar:

Takes a few seconds, and I’m done.

Once your document is online, it is accessible over the web with a neat in-browser preview:

The toolbar has some handy options including versions and sharing:

I love it; but have two reservations. First, the painful setup, sometimes slow performance, and occasional strange errors, like the fact that Office Live sometimes decides my IE7, fully patched browser is not up to scratch:

If I recommend this to my contact, what’s the chance that I’ll get a call concerning some odd behaviour or failure with the Live client, or the Office Live add-in, or Internet Explorer, and end up (as so often) troubleshooting Windows instead of getting on with work?

Second, I’m concerned about availability in a business context. If a customer calls you, and you need to see a document, what if Live Workspace (or Google Docs, or any online service) is temporarily unavailable? You give that lame excuse, “We’re having computer problems, can you call back?”; or else keep offline copies – but if you keep offline copies, getting the workflow right becomes difficult. I notice that Netdocuments has a Local Document Server option which may fix this. SharePoint solves this to some extent with Outlook lists, but I’m not convinced that these work well enough with large document libraries, and I don’t know if Live Workspace offers them.

That is the beauty of seamless online/offline solutions like Live Mesh, or indeed Subversion, or some future Google Docs with Gears doing the offline stuff.

Finally, why is Microsoft offering both Live Mesh and Live Workspace? Different teams I guess; but it makes a confusing offering overall.

RIP John Martyn

One of my best musical memories is of John Martyn and Danny Thompson playing through Solid Air at the Cropredy festival – I forget the year, it was during the Eighties. A magical summer evening. News of Martyn’s death came today in a brief entry on his web site.

What can I say? I love his music for its individuality, depth, emotion, jazzy edginess, and yearning.

Solid Air may be his greatest work but my own favourite albums are Sunday’s Child and Inside Out.

Solid Air was written for Nick Drake; I hope someone writes an equally beautiful song for John.
