Category Archives: windows

security, software, windows

Microsoft’s deeply-ingrained local admin culture

If you go along to the Microsoft Office Developer Center you are currently offered a “Developer Map for the 2007 Microsoft Office System”. It’s described as a poster, but is delivered as an executable. I’m normally suspicious of documents that come as executables, but this is a Microsoft site so I downloaded and ran.

You know what? This thing installs by default into a new folder on the C drive, which means it requires local admin rights. And what does it install? Just a PDF.

Personally I think delivering a PDF as an executable is crazy. Perhaps the author wanted to be sure it wouldn’t open within the browser; a zip would have been fine for this.

You can avoid the admin rights requirement by manually changing the target directory. Few people will do this, because we have learned that changing default directories is often a mistake.

This small incident demonstrates something big, which is the deeply ingrained culture of local admin rights on Windows. I presume that whoever tested this little executable was running as admin, otherwise this unnecessary and annoying requirement would have been spotted and removed.

It chimes with a remark made to me informally at last week’s Tech-Ed, that Microsoft staff running Vista commonly disable UAC (User Account Control), thus removing the most significant security feature in the new Windows.

It is a vicious circle. Microsoft runs with local admin rights, so it issues resources that require local admin rights without even noticing. That means users with lesser permissions or UAC get annoying problems, making them inclined to run with local admin rights as well.

The outcome: Windows stays insecure. Windows botnets proliferate. Malware flourishes.

If Microsoft is serious about security – which I believe it is in some quarters, it must get its own house in order. For the vast majority of computer users, including developers, running as local admin should not be necessary. That means a change of culture and will be hard to achieve; but if Microsoft itself does not make the effort, the world at large has no chance.

Technorati tags: , ,
software development, windows

Tech-Ed: Don’t start new projects in Delphi or FoxPro

9 Comments

Yesterday I attended two sessions aimed at FoxPro and Delphi developers, on how and why they should migrate to .NET.

The FoxPro session drew sparse attendance, which did not surprise me. Fox developers do not attend Tech-Ed, as there is nothing here for them. Speaker Remi Caron made the point that FoxPro forms will never look quite right on Vista as the widgets are custom drawn, and the the FoxPro language is not as deeply object-oriented as C#. Many Fox application are utilitarian in nature, and Microsoft is doing and update codenamed Sedna, which focuses on .NET interop and Vista compatibility, so I am not sure that the arguments were fully persuasive. FoxPro applications will trundle on for a while yet. It is also interesting that C# 3.0 is only now getting integrated database query, which has been a feature of xBase from its earliest days. Still, FoxPro is undoubtedly coming to the end of its life as a product under active development.

The Delphi session was more interesting. Of course I make allowance for the fact that this is a Microsoft conference and that Delphi comes from a competitor in the tools space. Even so, it was a grim event from Borland’s perspective. Presenter Hadi Hariri is a Delphi person. He works for Atozed software, whose main product is a web application framework for Delphi. Also present was Chad Hower who worked on the Indy internet components for Delphi as well as Atozed’s Intraweb. Nobody could say that either speaker lacked Delphi knowledge. Around 25 delegates came to debate Delphi’s future.

Hariri and Hower did not advise developers to port their Delphi projects, unless there is really a compelling reason. However they did strongly advise against new projects in Delphi.* The main factor is integration with new .NET goodies such as those in .NET Framework 3.0, especially Windows Presentation Foundation and Windows Communication Foundation.

But surely you could use Delphi for .NET? Indeed, but there are two problems here. One is that according to Hariri the VCL.NET, Delphi’s backward-compatible .NET library, is failing to win significant adoption. He observes that hardly any of Atozed’s customers use Intraweb with VCL.NET, although it is fully supported. They all use either native Win32 VCL, or a few Kylix, the abandoned Linux port of Delphi. Other third-party vendors say the same thing: there is hardly any market for VCL.NET components.

Then surely you could use Delphi’s .NET compiler with Microsoft’s class libraries? Indeed, but will Borland or the new “DevCo” ever catch up with Microsoft? This week the .NET Framework 3.0 is fully released; yet Delphi 2006 only supports .NET 1.1. By the time Delphi appears with .NET 2.0 support, Microsoft will have updated Visual Studio with a designer for Windows Presentation Foundation and other .NET 3.0 features, which Delphi will likely lack for some time.

We used to laugh at vb applications. Unfortunately it is completely reversed now. We are always going to be behind now.

said Hariri. The session lends weight to recent calls for Borland to focus on Delphi capabilities in native code rather than .NET; yet that too is not ideal when so much of Microsoft’s development platform is focused on .NET.

Postscript

* Hower has commented below and also written at length to emphasise that from his perspective this only applies to .NET projects, not Win32.

software, software development, windows

More significant than Vista or Office: .NET Framework 3.0 is released

3 Comments

Microsoft’s .NET Framework is now fully released. There is a handy page of links to the various downloads you might want. Of all Microsoft’s releases in this busy November, this is the most significant.

Why? Here’s what is in .NET Framework 3.0. There are four major pieces. Windows Presentation Foundation (WPF) is an alternative GUI API for Windows, based on a new XML language (XAML) and incorporating the code-behind concept first seen in ASP.NET. Although it is primarily for Windows, Microsoft is promising a cross-platform XAML runtime called Windows Presentation Foundation/Everywhere. On Windows, WPF apps are rendered using DirectX, giving it impressive multimedia capabilities. Summary: biggest change to the Windows API since its first release.

Windows Communication Foundation is a communication framework based on XML web services. If you are familiar with Windows development, the easiest way to define WCF is by what it replaces: ASP.NET web services, MSMQ (Microsoft Message Queue), COM+ (also known as Transaction Server) and Distributed COM, .NET Remoting.

I won’t say that WCF replaces all of COM, though perhaps it might do eventually. COM has many faces.

Windows Workflow Foundation is less important than WPF or WCF, but still interesting as a framework for workflow applications. It fits well with Sharepoint and Office 2007 as a way to program enterprise portals.

Windows CardSpace is an abstraction layer for identity management and authentication. Unlike Microsoft Passport, CardSpace is not itself an identity provider, but a rather a system that works with multiple identity providers. If widely adopted, it will help the Internet move on from the nightmare of usernames and passwords. IE7 is a CardSpace client.

When Microsoft first announted the above pieces, they were meant to be exclusive to “Longhorn”, now called Windows Vista. The company realised that this would stall adoption, possibly fatally, so it was decided to make it a free download for Windows XP as well as part of Vista. That makes .NET Framework 3.0 a viable development platform now, rather than in five year’s time (or never).

Like any new technology, this one could fall flat on its face. Time will tell whether it is really significant, or turns out to be a backwater in the latter days of Windows. Unlike Vista and Office, it is not an immediate profit centre for Microsoft, but in the longer term it is critically important to the company as an update to the Windows platform.

software development, windows

Gyrating AJAX model excites Tech-Ed

Microsoft’s Eric Rudder kicked off Tech-Ed Europe with a keynote extolling the virtues of Vista, Office 2007 (which has just been released to manufacturing), and Exchange 2007. This Tech-Ed, it appears, won’t be characterised by major new announcements; it is more about long-awaited technology finally getting released.

Rudder presented some interesting stuff around enterprise portals built on Sharepoint and Windows Workflow Foundation, using the fictional Fabrikam clothing company as an example.

An eye-catching feature of Fabrikam’s online store aroused attention: a gyrating AJAX-driven model with drag-and-drop clothing. Boo.com lives again.

A more geeky highlight came at the end of the keynote, when Anders Hejlsberg demonstrated LINQ (Language Integrated Query) in C# 3.0 (not to be confused with .NET Framework 3.0, which is the old stuff). I’m already familiar with LINQ, but one thing I hadn’t seen before is a feature of Orcas, the next Visual Studio. Hejlsberg called it “paste XML as the code with creates that XML”, and that’s exactly what it does. Copy some XML to the clipboard, paste it into your code, and it appears as C# code manipulating XElement and XAttribute to build that XML as output. You can then adapt the code to generate more XML according to the same schema. Neat.

software development, windows

Microsoft urges FoxPro, Delphi developers to move to .NET

2 Comments

Here at Microsoft’s Tech-Ed in Barcelona two forthcoming sessions caught my eye. Tomorrow afternoon there is a discussion on “Moving from Visual FoxPro to .NET”. From the abstract:

Looking forward to Vista, .NET is a pragmatic necessity for VFP developers. How will you deal with Vista clients? What will you do? How long can you remain in VFP? How can you move to .NET with the least impact?

On Wednesday it’s Delphi developers who get told there is no future in their programming platform, in “Moving from Delphi to .NET”:

Even if you are not considering .NET now, at some point you will have to move to .NET with new code, or to port existing code. Staying with Win32 may be viable in the short term, but not the long term.

By accident or design, the session conflicts with one from the  father of Delphi, Anders Hejlsberg, on C# 3.0, the next generation of Microsoft’s home-grown programming language.

I’d like to attend both events, if only to discover whether there are really a bunch of FoxPro and Delphi pros here at Tech-Ed, puzzling over how to migrate to .NET. Alternatively, maybe some of them could mount a robust defence of these older tools. After all, there’s no sign of Win32 or COM going away any time soon, though .NET refuseniks may have a bit of WPF (Windows Presentation Foundation) envy. Then again, look what language is riding high in the Computer Language Shootout Scorecard.

software, windows

Outlook 2007: still famously obscure

I am using Office 2007 on Vista for next week’s Tech-Ed conference. That’s the plan, anyway. Both products are on the verge of being released to manufacturing; but for the moment I’m stuck with Office 2007 Beta 2 Technical Refresh, and Vista RC2 (build 5744).

I have a love-hate relationship with Outlook. I like the way it integrates PIM (Personal Information Manager) functions, and I especially like the way it keeps multiple machines in sync with a server-side mailbox. Of course you need Exchange for this to work.

On the other hand, there is plenty to hate. One major complaint is the obscurity of Outlook’s various option dialogs. I often meet people who have missed major pieces of functionality because they could not find them. One recent example was on the verge of purchasing an expensive third-party solution because Outlook cannot make public folders available offline.

It can of course. Non-obvious step one: add public folders you want to use offline into your favorites folder. Non-obvious step two: open Tools – Email Accounts – View or change – select Microsoft Exchange Server and click Change – then More Settings – Advanced – then check Cached Exchange Mode and Download Public Folder Favorites (this last one is not checked by default).

This might be a plot by system administrators to prevent users downloading huge public folders onto their laptops. It is certainly not something you would find by accident.

I’m happy to say (this is irony) that Outlook 2007 continues the tradition of obscurity. Today I was having trouble finding the option to read email in plain text. I know this is a cruel thing to do with beautifully formatted HTML emails, but I regard it as more secure. This option used to be in Tools – Preferences – Email options. No longer.

I looked in Email Options – Advanced Email options. I looked in Options – Mail setup. I looked in Options – Mail format. I looked in Options – Mail Format – Editor Options, though this was desperation: surely even Outlook’s UI designers could not consider reading email an editing function?

Could Microsoft have removed this widely-used preference from the product? Not at all. It is in Tools – Trust Center – Email Security. Silly me.

Here’s my suggestion for Outlook 2009. Throw away all the existing preferences dialogs in Outlook, or hide them in some compatibility mode for those who like a challenge. Then design a new set, with an emphasis on being usable, discoverable, and logical. Please.

 

Technorati tags: , ,
software development, windows

Free final Vista and Office 2007 for UK developers

3 Comments

Here’s a blog you might want to subscribe to if you are a developer based in the UK. Ian Moulster says you can have a free copy of the final release of both Vista and Office 2007 if you:

take part in our UK developer online launch event on January 19th and 20th (yes, I know the 20th is a Saturday).

No, I don’t know what “take part” means; but there are 1000 freebies on offer so I doubt it is too arduous.

Microsoft still recognizes the key role of developers in technology adoption.

Technorati tags: ,

security, windows

Vista application compatibility: it’s not going to be fun

I remain concerned about application compatibility and Vista’s virtualization. Here’s an example. After setting up a Tablet PC with Vista RC2, I installed one of my favourite time-wasters, a game called Jack Bridge; not a major piece of software, but typical of countless existing Windows applications that users will want to install on Vista. Setup seemed to go OK, though Vista threw up this perplexing and alarming dialog:

 

Trouble is, at this stage I did not know if the installation was successful or not. Nor is it obvious what the consequences of the two options might be, or what Cancel will do. I took the view that I would rather try it as-is for the moment, and clicked “This program installed correctly.” And so it seemed, to begin with. Everything was fine until I used an option in Jack to check for updates from the Web. The update downloaded, but failed to install with this error:

   

To be honest, I was expecting something like this. The application was attempting to download the update to its folder in Program Files, and then to execute it. Neither operation could succeed, since UAC makes Program Files read-only. I can’t explain the Dutch; it looks like the app has imperfect localization. As a further test, I tried logging on as a different user and running Jack. This was really bad. Jack failed to run, warned me of severe errors, and advised that I contact my reseller. The problem here is the virtual store. Vista tries to help applications such as Jack by seeming to allow read-write access to Program Files, but in reality writes the data to a user-specific virtual store. This means each user gets a different view of what should be the same files. It all happens behind the scenes; if it goes wrong the user has no idea what has happened. I mostly approve of UAC, but I fear the virtual store may cause more problems than it solves.

In the case of Jack, I found a good workaround. I uninstalled it, then reinstalled to a location in my user directory. Jack has read-write access without trickery, and everything works, provided I always run as that user. How many other applications out there are going to have problems with UAC? My guess is a lot. Some of the above may improve in the final release – maybe the dialogs will be better worded – but I’m not expecting fundamental changes. Existing applications are going to cause users immense compatibility hassle. In consequence, they may disable UAC, which will greatly reduce Vista’s security; or they may decide Vista itself is more trouble than it is worth.

Let me be clear: disabling UAC is not a good idea. Users running with local admin rights is a large factor in the Windows security problem, and UAC is a reasonable solution. But I’m expecting the  worst. When Vista hits the world at large, will the buzz will be: turn off UAC or nothing will work properly?

Update

I couldn’t help wondering what would have happened if I had let Vista “Reinstall using recommended settings”. I had a struggle fulling uninstalling Jack in order to try this option. Eventually I found the registry key at HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted, and deleted the reference to install.exe. Reinstalled, and when the dialog appeared chose “Reinstall using recommended settings.” The installation tried to run again, but immediately closed; I guess because the installer considered the application already installed. I removed it through Control Panel and once again reinstalled – my hunch is that the “recommended settings” were automatically applied. If I show properties for the application shortcut, it says “Run this program in compatibility mode for Windows XP (Service Pack 2)”. However it doesn’t seem to help with the specific problems I encounted. Online update still failed, and when I logged on as a different user and tried to run Jack, I got the “please contact your reseller” dialog.

I am not trying to be difficult here. Rather, I’m trying to replicate some typical scenarios when users are confronted with these difficult dialogs.

Technorati tags: , ,

windows

Vista on a Tablet

I’ve been trying Vista RC2 on a Toshiba Portege M400. Toshiba describe this as “Vista ready” and provide drivers in various states of beta. Installation was fairly painful, but that’s to be expected at the bleeding edge. I put in a new hard drive for Vista, and immediately hit problems because the installation lacks a suitable SATA driver and could not see the hard drive.

Thanks to Ken Schaefer, who had been there before me, I overcame that one. It was still a struggle, not knowing which of Toshiba’s drivers were better or worse than those which Vista has already installed. I also confronted the worst of Vista’s UAC (User Account Control). What is so frustrating is when you have to tell Vista again and again that yes, you want to install this thing. I lost count of how many times the UAC elevation prompt appeared when installing the Bluetooth stack. Installing Vista on this Tablet PC was far more arduous than when I put the same OS on a desktop computer.

Still, I got a reasonable result. There is just one remaining “unknown device” in device manager, which I believe is a hard drive protection utility and not critical. The machine itself is fine, runs Aero Glass nicely and scores 3 on the Vista performance scale. The Tablet side of things seems to work OK, though the polished screen is prone to building up a static charge as your hand rubs against it, which isn’t ideal; I didn’t get this problem with the Acer Tablet I was using before. But when Toshiba get all the drivers and utilities properly sorted, this looks likely to be an excellent Vista Tablet. More in due course.

 

Technorati tags: , , , ,
software development, windows

Developers quick to adopt .NET 2.0, slow to leave Visual C++ 6.0

1 Comment

The Code Project is a popular resource site for Windows developers. It has polled its users on what programming language they use; see here for the details. Three points to note:

  • Visual C++ 6.0 still has high usage – nearly on a par with Visual C++ 2003 and 2005 combined. 19.78% vs 20.34% at the time of writing. I wonder if C runtime issues are a factor here. Visual C++ 6.0 is the last version that links to the standard mscvrt.dll; see Visual Studio 2005 DLL Hell for more details. That’s why I still have it installed on my machine. If that’s not it, I’d be interested to know why so many are still using this old product.
  • By contrast, there has been rapid C# 2.0 adoption. 18.93% C# 1.x versus 44.32% C# 2.0. I can understand this; .NET 2.0 is considerably improved over 1.x and there is little reason not to switch.
  • Finally, there is a decent showing for Delphi at 24.54%. No surprise here; it’s a fantastic tool for Win32 coding. I guess the problem for Borland is that many are still using Delphi 7.x or earlier versions.

Note that the percentages add to more than 100% because programmes use mulitple tools; and that this is not a reliable snapshot of anything other than Code Project’s community.