Category Archives: microsoft

google, internet, microsoft, mobile, professional, software development, Web, web authoring

Google’s web app vision: use our store

3 Comments

I’m at the Future of Web Applications conference in London, a crazy mixture of tips for web start-ups and general discussion about application development in a web context. The first session was from Google’s Michael Mahemoff who enthused about HTML5 and open web standards, while refusing to be pinned down on what HTML5 is, which standards are in and which may in the end be out.

Microsoft is here showing off IE9; but one of my reflections is that while the HTML5 support in IE9 is impressive in itself, there are going to be important parts of what, say, Google considers to be part of HTML5 that will not be in IE9, and given the pace of Microsoft’s browser development, probably will not turn up for some time. In other words, the pressure to switch to Chrome, Firefox or some other browser will likely continue.

I digress. Mahemoff identified four key features of web apps – by which he means something different than just an application on the web. These are:

  • Local storage – encompassing local storage API and also local SQL, though the latter is not yet well advanced
  • Application cache – Cache Manifest in HTML 5 that lets your app run offline
  • Local installation – interesting as this is something which is not yet widely used, but clearly part of Google’s vision for Chrome, and also in IE9 to some extent.
  • Payments

The last of these is interesting, and I sensed Mahemoff showing some discomfort as he steered his way between open web standards on the one hand, and Google-specific features on the other. He presented the forthcoming Chrome Web Store as the solution for taking payments for your web app, whether one-time or subscription.

I asked how this would work with regard to the payment provider – could you freely use PayPal, direct debits or other systems? He said that you could do if you wanted, but he anticipated that most users would use the system built into Chrome Web Store which I presume is Google Checkout. After all, he said, users will already be logged in, and this will offer the smoothest payment experience for them.

The side effect is that if Chrome Web Store takes off, Google gets to make a ton of money from being the web’s banker.

Outside in the exhibition area Vodafone is promoting its 360 app store, with payments going through the mobile operator, ie in this case Vodafone. Vodafone’s apps are for mobile not for web, but it is relevant because it is trying to draw users away from Google’s Android Marketplace and onto its own store. PayPal is here too, showing its developer API.

The app store and payment provider wars will be interesting to watch.

microsoft

Outlook blues: the annoying blue bar when you reply to a message

I’ve written a long rant about how annoying Outlook is when you reply to a message. It’s the blue bar, you see. You delete the entire original message, but it still appears when you type. Or you type after the blue-barred quote, and your typing gets the blue bar too. Or you try to type within the original message – as recommended here – and your typing is hard to distinguish from that of the original.

The rant with some tips and workarounds is here.

.net, microsoft, professional

ASP.NET Padding Oracle fix released, time to patch for Windows administrators

Scott Guthrie’s blog reports that a fix is now available for the Padding Oracle attack, which enables successful attackers to break the security of ASP.NET applications. There are a few points of interest.

First, there is not one patch but several, and which ones you need depend both on the version of Windows and the version of .NET. Multiple versions of .NET may be installed on a single server.

Second, the exploit is rated “important” in Microsoft security-speak, rather than “critical”. This is apparently because in itself the vulnerability merely discloses information. However, Microsoft is treating it with a high priority because the vulnerability is likely to reveal information that would let the attacker go to to more sever actions such as taking over a server. Confusing, but to my mind it is as critical as they come.

Third, Guthrie’s blog notes:

We’d like to thank Juliano Rizzo and Thai Duong, who discovered that their previous research worked against ASP.NET, for not releasing their POET tool publicly before our update was ready.

The implication is that the POET tool may be publicly available soon – so if you are responsible for an affected machine, get patching! In fact, in the webcast on the subject Microsoft stated that “The potential for exploit is very high during the next 30 days.”

Fourth, the update works by “additionally signing all data that is encrypted by ASP.NET.”

Update: Marc Brooks has investigated and it looks like there is a bit more to it than that.

Finally, the update will be included in Windows Update but not immediately. Your choice is whether to risk a hack in the period before the automatic update appears, or endure the hassle of the manual downloads. Microsoft advises to do it as soon as possible for servers on the public internet.

I am not sure what percentage of systems are likely to be patched soon, but I’d guess that plenty of vulnerable systems will remain online and that we have not heard the last of this bug.

internet, microsoft

Why is Microsoft giving away web traffic and abandoning users?

3 Comments

I am puzzled by Microsoft’s decision to close Live Spaces and send all its users to WordPress.com. Of course WordPress is a superior blogging platform; but Spaces made sense as an element within an integrated Live.com platform. According to Microsoft it has 7 million users and 30 million visitors; and if you accept that business on the web is all about traffic and monetizing traffic, then it strikes me as odd that Microsoft has no better idea of what to do with that traffic than to give it to someone else.

It makes me wonder what exactly Microsoft is trying to do with its Live.com web property. You can make a generous interpretation, as Peter Bright does, and say that the company is learning to focus and losing its “not invented here” religion. Or you can argue that it exposes the lack of a coherent strategy for Microsoft’s online services for consumers.

Part of the reason may be that blogging itself has changed. The original concept of an online diary or “web log” has fractured, with much of the trivia that might once have been blogged now being expressed on Facebook or Twitter. At the other end, blog engines like WordPress have evolved into capable content management systems. Many blogs are just convenient tools to author web sites.

Spaces is also a personal CMS. When combined with other features of Live.com, it provides a way of authoring your own web site, with photos, lists, documents, music and video, gadgets and other modules. You can apply themes, select layouts, and even add custom HTML. Everything integrates with the Windows Live identity system. The blog is just one element in this.

image

Now, although you can move your blog to WordPress.com, much of this is going away. Themes, gadgets, guestbook and lists are not transferred. If you were using Spaces for in effect a personal web site, you will have to start again on WordPress.

What this means is that WordPress, not Microsoft, now has the opportunity to show ads or market other services to these users.

Other services including SkyDrive, which is an excellent online storage platform, and Hotmail for email, are continuing as before. Still, the wider question is this. If Microsoft is happy to abandon 7 million users and all the customisation effort they have put into creating a personal online space, why should I trust it for email, or online storage?

Microsoft’s Dharmesh Mehta does his best to explain the decision here:

When we looked at Spaces, and what we had done with Spaces, and the more we thought about where do we want this to go, where do we think blogging evolves to, what’s important about that, you look at WordPress.com, and they’re building that. They’re doing a great job. And there really isn’t much value in us trying to compete with that.

This seems weak to me. Mehta is even less convincing when it comes to Live ID:

Windows Live ID is not really a means unto itself. There are times when it’s important for us to be able to associate an identity with someone. But there’s many things that we do where you don’t need a Windows Live ID — Photo Gallery, if you’re just using it on your PC, you don’t need a Windows Live ID at all. You can take our Mail app and connect it to Yahoo or Gmail or something like that. You don’t need a Windows Live ID. So I wouldn’t say that Windows Live ID is a goal, or something that we’re trying to drive in and of itself. It’s really more a means when we think it’s valuable for someone to have an account.

Now, I thought the Live ID was a single sign-on for Microsoft’s online services, and the basis of a network of friends and contacts. Perhaps Microsoft is now ceding that concept to Facebook or others? This does seem to be a move in that direction; and while it may be acceptance of something that was inevitable, it is a bad day for Microsoft’s efforts to matter online.

apple, microsoft, sony

A tale of two stores, and a go with PlayStation Move

2 Comments

I had some free time following the NVIDIA GPU Technology conference and wandered up to the Valley Fair mall in San Jose. I took a quick look at the Apple store, there was really nothing for me to see in terms of new product but it has a kind of "bees round a honeypot" appeal.

image

Next I went along to the Sony Style store, another strong brand you might think:

image

Clearly this is a social story as well as a technical story but it is significant.

The Sony store was actually more interesting to me since the PlayStation 3 Move was on display and I had not had an opportunity to try it before. A helpful assistant gave me a demo; we were going to play 2-player table tennis but there was a technical issue with one of the controllers so I ended up playing solo. In conjunction with the huge screen in the Sony store it was a very passable imitation of the real thing. Although it is well done it does not feel like a revolution in the way the Wii did when it first appeared – you may recall that the pre-release Wii was code-named "Revolution".

Adding Move to your PS3 setup is somewhat expensive – you will probably want two controllers as well as the Eye camera – and there are not yet many games which support it, but I reckon it will be a lot of fun. Playing Table Tennis one of the best aspects was the ability to rush forward for a forehand slam.

The Sony guy admitted to being curious about the Microsoft Xbox Kinect which is coming out in a couple of months, and does away with the controller completely. He said Microsoft is opening a store in San Francisco and plans to go up to take a look in due course.

A question: which of the above two pictures will the new Microsoft store most resemble?

microsoft, professional, Web

Crisis for ASP.Net – how serious is the Padding Oracle attack?

6 Comments

Security vulnerabilities are reported constantly, but some have more impact than others. The one that came into prominence last weekend (though it had actually been revealed several months ago) strikes me as potentially high impact. Colourfully named the Padding Oracle attack, it was explained and demonstrated at the ekoparty security conference. In particular, the researchers showed how it can be used to compromise ASP.NET applications:

The most significant new discovery is an universal Padding Oracle affecting every ASP.NET web application. In short, you can decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the framework’s API! … The impact of the attack depends on the applications installed on the server, from information disclosure to total system compromise.

This is alarming simply because of the huge number of ASP.NET applications out there. It is not only a popular framework for custom applications, but is also used by Microsoft for its own applications. If you have a SharePoint site, for example, or use Outlook Web Access, then you are running an ASP.NET application.

The report was taken seriously by Microsoft, keeping VP Scott Guthrie and his team up all night, eventually coming up with a security advisory and a workaround posted to his blog. It does not make comfortable reading, confirming that pretty much every ASP.NET installation is vulnerable. A further post confirms that SharePoint sites are affected.

It does not help that the precise way the attack works is hard to understand. It is a cryptographic attack that lets the attacker decrypt data encrypted by the server. One of the consequences, thanks to what looks like another weakness in ASP.NET, is that the attacker can then download any file on the web server, including web.config, a file which may contain security-critical data such as database connection strings with passwords, or even the credentials of a user in Active Directory. The researchers demonstrate in a YouTube video how to crack a site running the DotNetNuke content management application, gaining full administrative rights to the application and eventually a login to the server itself.

Guthrie acknowledges that the problem can only be fixed by patching ASP.NET itself. Microsoft is working on this; in the meantime his suggested workaround is to configure ASP.NET to return the same error page regardless of what the underlying error really is. The reason for this is that the vulnerability involves inspecting the error returned by ASP.NET when you submit a corrupt cookie or viewstate data.

The most conscientious ASP.NET administrators will have followed Guthrie’s recommendations, and will be hoping that they are sufficient; it is not completely clear to me whether it is. One of the things that makes me think “hmmm” is that a more sophisticated workaround, involving random time delays before an error is returned, is proposed for later versions of ASP.NET that support it. What does that suggest about the efficacy of the simpler workaround, which is a static error page?

The speed with which the ASP.NET team came up with the workaround is impressive; but it is a workaround and not a fix. It leaves me wondering what proportion of ASP.NET sites exposed to the public internet will have implemented the workaround or do so before attacks are widespread?

A characteristic of the attack is that the web server receives thousands of requests which trigger cryptographic errors. Rather than attempting to fix up ASP.NET and every instance of web.config on a server, a more robust approach might be to monitor the requests and block IP numbers that are triggering repeated errors of this kind.

More generally, what should you do if you run a security-critical web application and a flaw of this magnitude is reported? Applying recommended workarounds is one possibility, but frankly I wonder if they should simply be taken offline until more is known about how to protect against it.

One thing about which I have no idea is the extent to which hackers are already trying this attack against likely targets such as ecommerce and banking sites. Of course in principle virtually any site is an attractive target, because of the value of compromised web servers for serving spam and malware.

If you run Windows servers and have not yet investigated, I recommend that you follow the links, read the discussions on Scott Guthrie’s blog, and at least implement the suggested actions.

adobe, flash, microsoft, silverlight, software development

RunRev renames product to LiveCode, supports iPad and iPhone but not Windows Phone 7

3 Comments

Runtime Revolution has renamed its software development IDE and runtime to LiveCode, which it says is a “modern descendent of natural-language technologies such as Apple’s HyperCard.” The emphasis is on easy and rapid development using visual development supplemented with script.

It is now a cross-platform development platform that targets Windows, Mac and Linux. Android is promised soon, there is a pre-release for Windows Mobile, and a new pre-release targets Apple’s iOS for iPad and iPhone.

LiveCode primarily creates standalone applications, but there is also a plug-in for hosting applets in the browser, though this option will not be available for iOS.

Now that Apple has lifted its restrictions on cross-platform development for iOS, it is Microsoft’s Windows Phone 7 that looks more of a closed device. The problem here is that Microsoft does not permit native code on Windows Phone 7, a restriction which also prohibits alternative runtimes such as LiveCode. You have to code applications in Silverlight or XNA. However, Adobe is getting a special pass for Flash, though it will not be ready in time for the first release of Windows Phone 7.

If Windows Phone 7 is popular, I imagine other companies will be asking for special passes. The ubiquity of Flash is one factor holding back Silverlight adoption, so in some ways it is surprising that Microsoft gives it favoured treatment, though it makes a nice selling point versus Apple’s iPhone.

database, microsoft, open source, oracle

Why Oracle is immoveable in the Enterprise

At Oracle OpenWorld yesterday I spoke to an attendee from a global enterprise. His company is a big IBM customer and would like to standardise on DB2. To some extent it does, but there is still around 30% Oracle and significant usage of Microsoft SQL Server. Why three database platforms when they would prefer to settle on one? Applications, which in many cases are only certified for a specific database manager.

I was at MySQL Sunday earlier in the day, and asked whether he had any interest in Oracle’s open source database product. As you would expect, he said it was enough trouble maintaining three different systems; the last thing he wanted was a fourth.

intel, internet, media, microsoft, multimedia, open source, Web, windows

If Microsoft is serious about Silverlight, it needs to do Linux

9 Comments

Today was a significant event for the UK broadcasting industry: the announcement of YouView, formerly called Project Canvas, which is backed by partners including the BBC, ITV, Channel 4, Channel 5, and BT. It will provide broadcasts over IP, received by a set top box, include a catch-up service, and be capable of interactive features that hook into internet services.

Interesting stuff, though it may end up battling with Google TV. But what are the implications for media streaming services and media players? One is that they will have to run on Linux, which is the official operating system for Project Canvas. Google TV, for that matter, will run Android.

If you look at the YouView specifications, you’ll find that although the operating system is specified, the application player area is more open:

Application Player executables and libraries will be provided by 3rd party software vendors.

What is an application player?

Runtime environment for the execution of applications. Examples are Flash player, MHEG engine, W3C browser

I’d suggest that Adobe will do well out of YouView. Microsoft, on the other hand, will not be able to play in this space unless it delivers Silverlight for Linux, Android, and other open platforms.

Microsoft has a curious history of cross-platform Silverlight announcements. Early on it announced that Moonlight was the official Linux player, though in practice support for Moonlight has been half-hearted. Then when Intel announced the Atom Developer Program  (now AppUp) in September 2009, Microsoft stated that it would provide its own build of Silverlight for Linux, or rather, than Intel would build it with Microsoft’s code. Microsoft’s Brian Goldfarb told me that Microsoft and Intel would work together on bringing Silverlight to devices, while Moonlight would be the choice for desktop Linux.

Since then, the silence has been deafening. I’ve enquired about progress with both Intel and Microsoft, but vague rumours aside, no news. Silverlight is still listed as a future runtime for AppUp:

Microsoft® Silverlight™(future)

Silverlight is a cross-browser, cross-platform and cross-device browser plug-in that helps companies design, develop and deliver applications and experiences on the Web.

In the meantime, Adobe has gone ahead with its AIR runtime, and even if Silverlight eventually appears, has established an early presence on Intel’s netbook platform.

There have been recent rumours about internal battles between the Windows and Developer divisions at Microsoft, and I cannot help wondering if this is another symptom, with the Windows folk fighting against cross-platform Silverlight on the grounds that it could damage the Windows lock-in, while the Developer team tries to make Silverlight the ubiquitous runtime that it needs to be in order to succeed.

From my perspective, the answer is simple. Suppressing Silverlight will do nothing to safeguard Windows, whereas making it truly cross-platform could drive adoption of Microsoft’s server and cloud platform. When Silverlight was launched, just doing Windows and Mac was almost enough, but today the world looks different. If Microsoft is serious about WPF Everywhere, Linux and Android (which is Linux based) support is a necessity.

internet, microsoft, software

Microsoft Internet Explorer 9 beta is out

2 Comments

Head over to http://www.beautyoftheweb.com/ and you can download the beta of Internet Explorer 9, which is now up and running on my Windows 7 64-bit machine and looking good so far.

So what’s new? In terms of the rendering engine, this is like the last Platform Preview, but a little bit further along. During the briefing, we looked at at the experimental (and impressive) site put together by EMC, which shows 3D rotation of a motor vehicle along with other effects, put together entirely in HTML 5. At the time I only had the fourth platform preview installed, and the site did not work. Amusingly, I was advised to use Google Chrome, which worked fine. Now that I’ve installed the beta, the same site works in IE9, rather more smoothly than in Chrome.

What’s really new though is the user interface. The two things that jump out are the adoption of a single box for search and URL entry – many users do not understand the difference anyway – and the ability to drag tabs to the taskbar to pin them there like application shortcuts. Once pinned, they support Windows 7 Jump Lists, even when the site is not active:

image

If you squint at this screenshot, you’ll notice that the Discovery site, which is tweaked to use this feature, has a good-looking icon as well as a Jump List, whereas the icons adjacent to it look bad. That’s because you need to create a new large favicon to support this feature, as well as optionally adding metadata to create the Jump List. None of this is any use, of course, if you use Vista; and if you use XP you cannot even install IE9.

There’s also a download manager at last.

There’s no doubt that IE9 is miles better than IE8. Is it better than rivals like Chrome, from which a casual observer might think it has drawn inspiration? Too soon to say; but using the official native browser does have advantages, like integration with Windows Update as well integration with the OS.

That said, I’m not personally a big fan of the single box approach, and I’ll miss the permanent menus. If you press the Alt key the old File, Edit View etc magically appear, but I can’t see any way to make it persist.