Category Archives: internet

Missing from Bill Gates Tech Ed keynote: Live Mesh

I watched the video of Bill Gates’ keynote at Tech Ed yesterday. You can also read the transcript.

I enjoyed the second half more than the first. Gates can rarely resist giving a potted history of computing in his keynotes – maybe because of his own role in that history – but I find it a snooze. It also tends to reinforce the impression that Microsoft is yesterday’s company.

Gates shaped his keynote, which was on the subject of application development, around four themes: Presentation, Business Logic, Data Access and Web Services. In presentation we got a plug for WPF and Silverlight – more the latter, with a nice demo by Soma Somasegar but nothing we haven’t seen before from Mix08 and the like.

On the business logic theme, we got a demo of a new tool called the Architecture Explorer, said by Brian Harry to be part of the Oslo wave. Microsoft will be pushing Oslo strongly at PDC later this year. Separately, I noticed that Microsoft’s software factories guy, Jack Greenfield, has recently posted about how his team has moved from Visual Studio Team Architect to Developer and Platform Evangelism. Now I may be wrong here; but my guess is that Microsoft had a huge internal debate about whether to bet on software factories or modelling as the next step in enterprise application development, and that software factories is being sidelined in favour of Oslo. Hence statements like this:

Visual Studio Team Architect team remains actively committed to supporting Software Factories, as do the rest of Visual Studio Team System, the Visual Studio Ecosystem team and patterns & practices.

Phrases like “actively committed” usually mean the opposite of what they say. We’ll see; but note that we got Oslo in the Gates keynote, not factories.

Then we got data access, with Dave Campbell on SQL Server Data Services and the Sync framework. I think this is cool stuff; but having seen it at Mix (where I talked to Campbell and liked what he had to say) it was not new to me.

Finally, web services. This is where Gates talks about Live Mesh, right? Wrong. Gates gave a nod to cloud computing as the future:

I can run Exchange on premise, or I can connect up to it as a service. But even at the BizTalk level, we’ll have BizTalk Services. For SQL, we’ll have SQL Server Data Services, and so you can connect up, build the database. It will be hosted in our cloud with the big, big data center, and geo-distributed automatically.

but that was it, it was on to fun robotics. I found this a surprising omission. As I see it, Mesh + Silverlight (plus of course things like SSDS) forms Microsoft’s cloud computing development platform. However, I imagine that like modelling vs software factories this is a matter of debate within the company as well as outside; perhaps we are seeing the Gates view vs the Ozzie view here.

By the way, I got my official Mesh sign-up invite this morning and I have the impression anyone can sign up now; why not try it?

Mac users refusing to install Silverlight

The New York Times has run into a hail of criticism from Mac users over its use of Microsoft’s Silverlight plug-in for its offline reader, Times Reader, in its new Mac version, now in beta.

I took a careful look at the comments. There are 122 at the time of writing, of which around half are complaints about the choice of Silverlight. Here are a few:

Nope. Not going to use *anything* from Microsoft. If reading the NYT requires MS products then, for this reader, goodbye NYT.

Silverlight? Why? I’m using Mac to escape Microsoft’s crappy technology.
No thanks

PLEASE listen to your readers. Macs have a long, successful history of superior page layout, design, and rendering of published content. There is absolutely no reason to require a Microsoft plugin to display text and graphics on a Mac.

Silverlight will not install on Firefox on an Intel Mac (all versions current.) Why, O, why did you choose to go with a proprietary Microsoft technology with all the predictable Microsoft flaws and prejudices?

I was really looking forward to this, but I cannot support Microsoft’s Silverlight platform. Not only is it proprietary, but it runs more slowly than any alternative (Java, Flash) and it does not support end-user choice of browsers (Firefox, Safari not supported).

By way of balance, there are some dissenting voices:

Sometimes I find it hard to admit I’m a mac user. What a community of loud close-minded drama queens. “I’m canceling my subscription because you built an app that requires silverlight.” Please.

I took a look. My Mac is running Leopard (OS 10.5) and Safari is the default browser. I downloaded the beta and ran the installer. It duly invited me to install Silverlight:

Clicking the button took me to Microsoft’s download page, where I clicked the big button:

Downloaded, opened the download, and Silverlight installed:

Installation was quick, and at the end invited me to restart the browser – though it seemed to do so automatically. Microsoft’s web page now informed me that Silverlight was installed and showed an animation.

At this point, I was able to continue the Times Reader installation, which said “A suitable version of Silverlight has been found”. A couple of clicks later, I was up and running:

The application worked well in my brief test. The most obvious difference from the Windows version is that there are four fixed window sizes, rather than on-the-fly reflowing of text. It will be interesting to see if the more advanced Silverlight 2.0 can come closer to the full WPF (Windows Presentation Foundation) version; if it can, there would be a good case for implementing both versions in Silverlight. It is an interesting project, since it runs Silverlight within a desktop application, rather in the manner of Adobe’s AIR.

Maybe Flash would have been as good or better, though as I understand it the New York Times finds XAML, the layout language in Silverlight, an excellent fit for what it wants to achieve. Nevertheless, my experience suggests that blanket hostility to Silverlight on the Mac is hard to justify from a technical perspective. In fact, Microsoft has done a good job in keeping the download size small and making installation smooth. Admin rights were requested, but no restart was needed.

Still, if Silverlight attracts so much bile from readers of the NY Times it suggests Microsoft has a considerable problem on its hands. I’d imagine it is off-putting to others who are considering the development of Silverlight apps, since Mac support is a critically important feature.

More on Debian’s OpenSSL bungle

I reported on this in the Guardian. Interesting piece to research. First, the history. You can find the exchange between Kurt Roeckx and Ulf Möller here. An unfortunate mistake; I make mistakes too (it was my fault that a name was misspelt in the Guardian piece, for example), so rather than heap blame on individuals I suggest this is more about a problem with the process; the only people making significant changes to the source code of such a critical library should be the committers responsible for that library. No doubt the incident is prompting a review of the process for updating Debian, Ubuntu and other distros; perhaps we will end up with a slower but less vulnerable flow of updates.

Second, a remark from Tim Callan at Verisign which there was not room for in this piece. I asked him whether Verisign knows which of the certificates it has issued are bad. “Unfortunately we don’t have those key pairs to look at them and scan them and tell which ones are good and which ones are not,” he told me. All Verisign can do is to ask its customers to check, which Callan says it is doing “very very aggressively.” In mitigation, Verisign does have a record of what operating system was used to purchase the certificate, but this is not the same thing; it is an imperfect process. The only fix is to revoke and replace the bad ones, which the company is offering to do for free.

Third, there are two distinct risks here. The first is weak SSL certificates. Verisign is embarrassed because it has been issuing certificates for weak keys; its core product has been undermined. However, according to Netcraft, of the 870,000 secure web servers on the Internet, only 20,000 report themselves as Debian and 4,000 as Ubuntu. The true figure will be somewhat more than that, but it is a relatively small proportion; and exploiting the weakness takes a bit of effort.

The second problem is the possibility of intercepting or cracking SSH connections used to administer affected servers: a predictable host key lets an attacker impersonate the server, and a predictable user key lets him log in as that user. We saw this demonstrated at a hacking briefing run by NCC Group yesterday. Let’s assume that administrators use SSH authenticated with a private key – a common scenario – and that the key was generated by the faulty OpenSSL library. I suspect this will have been true for many more than 20,000 servers, though a lot will now have been fixed. All you need to do is to run a script against that server armed with a list of the possible keys – under a thousand, according to the demo we saw*. When you get a hit, you can connect to that server, most likely with full root permissions.

The most hardened servers will not be so easy to crack. They will authenticate as a user with limited rights, and use su to elevate. They will limit access to specific IP addresses. They will put passphrases on their keys, though a passphrase is no defence against this particular attack, since the attacker regenerates the weak key rather than stealing the file. And they will have changed the keys, host keys as well as user keys, within hours of the problem being discovered.

Still, there are plenty of less secure servers out there, so what that means is that an unknown number of servers will have been compromised, and more will follow. If you are lucky, the intruders will hack your website and do obvious damage so the server will get cleaned up. If you are unlucky, the intruder will be discreet and quietly start stealing credit card numbers, or taking advantage of any information or privileges obtained to get access to additional servers or data, or make occasional use of the server in botnet attacks. Who knows?

Servers getting rooted is not a new problem; and it’s not yet clear whether this incident is more than a ripple. Colin Phipps at Netcraft doesn’t think it is. “We’ll see a lot of panicked system administrators,” he told me, “and we’ll see a lot of scepticism about open source.” That last point is probably the most significant.

*I’m told this was artificially reduced for the demo, but since the process ID was the only entropy left there are only 32,767 possible private keys to try for a given key type, size and platform. However, even using the full set of 2048-bit RSA keys, NCC Group successfully broke into a system which used Debian to generate SSH keys in 20 minutes, and thinks it could often be done in half that time.
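The footnote’s arithmetic is the whole attack: with the process ID as the only remaining entropy, an attacker walks the 32,767 possible seeds once, keeps the resulting fingerprints, and compares them with any public key he can get hold of; the openssh-blacklist and ssh-vulnkey tooling Debian shipped used the same enumeration defensively, keyed on MD5 fingerprints as all SSH tooling was in 2008. The Python below is an added example, not code from this post, from Debian or from NCC Group. It models the broken generator with a toy function whose modulus depends only on the PID (an assumption standing in for the real OpenSSL key generation, which is far too slow to enumerate in a blog example), builds the fingerprint set once, and scans a constructed authorized_keys file for keys that fall inside that space. The file contents, `toy_weak_key`, `PID_MAX` and the hypothetical host names are all illustrative.

```python
"""Enumerate a toy PID-only key space and scan authorized_keys for hits."""
import base64
import hashlib
import struct

PID_MAX = 32768  # Linux default pid_max; PIDs 1..32767 were the only entropy left (assumption for the toy)


# --- OpenSSH public-key wire format (RFC 4253, section 6.6) --------------
def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:  # leading zero keeps the mpint positive
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """The base64-decoded second field of an 'ssh-rsa' authorized_keys line."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


# --- fingerprints, in the two formats OpenSSH prints ----------------------
def md5_fingerprint(blob: bytes) -> str:
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob: bytes) -> str:
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# --- TOY model of the broken generator (an assumption, not OpenSSL's code) -
def toy_weak_key(pid: int) -> bytes:
    """A key whose only entropy is the PID: the modulus is a fixed function of
    pid, so anyone can regenerate every key the generator could ever produce."""
    seed = hashlib.sha256(b"toy-weak-rng:" + str(pid).encode()).digest()
    n = int.from_bytes(seed, "big") | 1 | (1 << 255)  # odd, full 256-bit width
    return rsa_public_blob(65537, n)


def enumerate_weak_fingerprints() -> set:
    """What both the attacker and the blacklist packager do: walk the whole PID
    range once and keep the fingerprints.  No private key file is ever read,
    which is why a passphrase on the key does not help."""
    return {md5_fingerprint(toy_weak_key(pid)) for pid in range(1, PID_MAX)}


# --- authorized_keys parsing and scanning ---------------------------------
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}


def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment).  Tolerates a leading options field such
    as from="10.0.0.0/8"; quoted options containing spaces are not handled."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                yield tok, base64.b64decode(tokens[i + 1]), " ".join(tokens[i + 2:])
                break


def scan_authorized_keys(text: str, weak_fingerprints: set) -> list:
    """Return the comments of keys that fall inside the enumerable key space."""
    return [comment for _, blob, comment in parse_authorized_keys(text)
            if md5_fingerprint(blob) in weak_fingerprints]


WEAK_FINGERPRINTS = enumerate_weak_fingerprints()


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


# Constructed sample: one key from the toy weak generator (pid 4242), one not.
GOOD_N = int.from_bytes(hashlib.sha256(b"constructed-good-key").digest(), "big") | 1 | (1 << 255)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real authorized_keys file",
    'from="10.0.0.0/8" ssh-rsa ' + _b64(toy_weak_key(4242)) + " alice@weak-host",
    "ssh-rsa " + _b64(rsa_public_blob(65537, GOOD_N)) + " bob@good-host",
])

if __name__ == "__main__":
    for hit in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS):
        print("WEAK KEY:", hit)
```

Run against a real file, the same scan flags any key that the enumeration could have produced regardless of whose machine it now lives on, which is the point of the blacklist approach: the fix is to replace the key, not to protect the file.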

Who needs AIR? NY Times does desktop Silverlight app for Mac

The New York Times is porting its excellent Times Reader application to the Mac using Silverlight 1.0:

Times Reader for the Mac is a native Cocoa application, which uses the Safari toolkit and Silverlight to render the pages.

Follow the link for some screengrabs. Adobe’s AIR (which also uses the Safari toolkit) is the obvious choice for this kind of online app; it’s interesting to see the NY Times adapting Silverlight in a similar manner.

I spoke to developer Nick Thuesen about this at Mix07, so this is not news for readers of this blog; though I’d become sceptical about whether it would be delivered because of the delay. Now, I’m surprised that the NY Times is still using Silverlight 1.0 rather than waiting for 2.0.

The Silverlight version appears to have some compromises. In particular, it cannot flow text on the client:

We paginate the pages for the Mac version on our servers (the Windows version does this on the PC). When you sync, we send you pages for the four window and three font sizes described above.

Still, the screens look good and I look forward to trying it – especially as the public beta will be free, whereas you need a subscription for the full release.

There is a high level of hostility towards Silverlight in the comments to the post. Mostly these appear to be religious in nature – ie. Mac users hate all things Microsoft. It does illustrate the difficulty the company has in persuading the world to take its cross-platform ambitions seriously.

Thanks to Ryan Stewart for the link.

Microsoft: forget the Live Search Cashback, just improve the engine

Microsoft is paying users to use its search engine with a new search cashback scheme. Looks like an affiliate scheme where the commission is paid back to the customer. US only.

I think Microsoft should focus on improving its search engine. This morning, I needed to call a local electrician and figured that search would be quicker than using a phone book. I entered the name of the retailer and the town. For some reason, this stymied Live Search: the result I was looking for was not on the first 10 pages. Identical search on Google: the first four results matched, and the address and telephone number were at the top of the page with a little map.

In a poll last year 51% thought Google delivered the best results for an example search, while 35% preferred Live Search and 31% Yahoo. That’s an inconclusive result, and this is not an exact science; but personally I find Google almost always delivers better results, sometimes (as in the case this morning) dramatically so.

If Microsoft managed to reverse this I would switch to Live Search in a heartbeat.


Cenzic web app report highlights security problems

Will we ever get a secure Internet? There’s no cause for optimism in the latest Cenzic report into web app security. A few highlights:

  • 7 out of 10 Web applications analyzed by Cenzic were found vulnerable to Cross-Site Scripting attacks
  • 70% of Internet vulnerabilities are in web applications
  • Firefox has the most reported browser vulnerabilities at 40%; IE is 23%
  • Weak session management, SQL Injection, and poor authentication remain very common problems
  • 33% of all reported vulnerabilities are caused by insecure PHP coding, compared to 1% caused by insecurities in PHP itself.

OK, it’s another report from a security company with an interest in hyping the figures; but I found this one more plausible than some.

The PHP remarks are interesting; it would be good to see equivalent figures for ASP.NET and Java.

My high risk blog reader

I posted yesterday about the report from PC Tools saying that Vista is more prone to malware than Windows 2000.

The company kindly sent me its press release on the subject and is promising more information. According to the release, the figures are based on a tool called ThreatFire, available in free and commercial editions, which by default reports threats discovered back to PC Tools for analysis and statistics. ThreatFire is a behavioural tool; that is, it does not rely on signatures of known malware, but detects suspicious behaviour.

I thought I should try this tool on my own machine. I probably count as a high-risk user, since I frequently browse the web and download and run software, sometimes unsigned software. Would ThreatFire find any malware?

It did not take long:

The application is my own custom blog reader, a simple .NET app which calls the common feed list API and renders blog posts in the WebBrowser control.

Looks like a false positive to me. Still, I poked around in the dialog. The risk level is supposedly high. The Technical Details link does not tell you any more about what the app did that was suspicious, but identifies the files I can choose to quarantine. The link that says “Learn more about this threat” does a Google search on the file name.

By the way, doing a random web search on what is potentially malware strikes me as poor practice. Here’s what online help says:

Click the Learn more about this threat link to launch a quick web search on the threat.  In most cases the result of this search provides a clear indication of how to proceed.

Ever tried searching for the name of an executable or process? The bad guys and the scammers know we do this; and you will be offered all manner of “security” products some of which are likely spyware or malware themselves. A foolish thing to encourage. Further, how will a random web search provide “a clear indication of how to proceed”? It’s the wild web, no more, no less.

My blog reader is not very famous, so in this case Google found nothing. I’m puzzled that ThreatFire doesn’t tell you more about the supposedly malicious activity, like what data was sent and where, so that the user would have more chance of judging whether this is really a dangerous app.

I guess the “threat” is now in the PC Tools database, and my machine marked as Vista with malware. I’ll be interested to see what else it finds.


Xobni: Outlook users should try this now

Yes, Xobni is brilliant.

Have you ever tried sorting an Outlook inbox by conversation? Of course Outlook goes into a thrash while it prepares the view. Then when it has finished, it does not work right. It has a limited view of what a conversation is, based on the email title. It does not show your sent items, unless you sort them into the same folder. In fact, it is more frustrating than useful, which is why I never use it.

Xobni (the name is inbox reversed) does this right. When you select an email, a panel shows your previous emails from that person, with your replies, which you can read without changing the focus from the message you are attending to. It is based on an index together with some simple analytics. Who else has appeared in the cc list on emails from this person? Where are their messages? What is the sender’s phone number? All of this information is shown automatically; no need to hit confusing menus like Arrange By or Current View.

There’s also a search box; it’s smoother and quicker than Microsoft’s desktop search, also used by Outlook in the latest version. Under the covers lies my favourite desktop database engine: SQLite. I’ve turned off the official Outlook search; anything to speed performance.

Xobni is free right now (it is a beta), so what’s the business model? Still up in the air, apparently. However, given the number of Outlook users, I expect it will be possible to monetize it. Apparently Microsoft tried to buy the company and was refused.


Peter Gabriel at Dreamforce Europe

Peter Gabriel was a guest at the Dreamforce Europe conference this morning. He was introduced by Salesforce.com CEO Marc Benioff and then interviewed.

Why was he there? He is promoting his work with Witness, which tackles the deniability of human rights abuses by encouraging and enabling victims and observers to publish photos and videos of what is taking place. Apparently the existence of this type of evidence makes a substantial difference, putting pressure on governments or other groups to reform their practices.

The Salesforce.com link is that Witness is one of the recipients of funding from the company’s charitable donations.

While this strikes me as the most worthy of causes, I have mixed feelings about corporate flaunting of good deeds at events like this; PR and philanthropy make uncomfortable bedfellows.

Still, I am easily beguiled by Gabriel, being a fan of his musical output. He didn’t talk much about music in his interview, except in saying that it is a great cross-cultural bridgebuilder. The other link is to do with pursuing your passions; thirty-five years ago he had a passion for music; now he has a passion for human rights (I’m interpreting something he said about pursuing your dreams).

His delivery was low-key and he looked almost elfin sitting up there on the stage.