Category Archives: microsoft

Government security advice is misguided; switching browsers will not make you safe

I have mixed feelings about the recent government recommendations from France and Germany to switch from Internet Explorer for security reasons.

Although raising security awareness seems on the face of it to be a good thing, this is naïve advice and may do more harm than good. Security is a complex and multi-faceted problem, and it does people no service if they believe it can be fixed by switching browsers. Another common illusion is that running anti-virus software, or even up-to-date anti-virus software, makes you safe. It does not. Anti-virus software does not detect all viruses, and in particular it frequently fails on those that are most dangerous, in other words, those which are newest.

Another factor is that many of the most successful malware attacks come via social engineering. That’s not browser-specific, though there are attempts to maintain bad site lists, which don’t in my experience work very well.

The danger is that people think they are safe, and take fewer other precautions, ending up less safe than before.

Is Firefox, Chrome or Opera safer than IE? I’m not even sure about that. The latest versions of each are massively safer than IE6, for sure. But how does a fully-patched IE8 compare to the latest fully-patched versions of the other browsers? At least one test [pdf] says that IE8 is actually safer, though unfortunately it dates from March last year and does not cover drive-by downloads:

Microsoft Internet Explorer 8 (RC1) was the standout in our tests, achieving a best-in-class 69% catch rate against Malware. It is clear that Microsoft is making an effort to provide security to their customers with IE8.

Know a better one? I’d be interested in more recent tests.

Microsoft is not always competent; read this blog for evidence. But it has made genuine efforts to improve security and has a comprehensive update mechanism that mostly works. IE now has protected mode on Vista or Windows 7, which is no panacea but helps a little.

But what about the known zero-day vulnerability in IE? Isn’t that enough to make switching browsers necessary, if only temporarily?

I’m not so sure. Frankly, it would surprise me if there are not multiple known vulnerabilities in all the major browsers, if you move in the right (or wrong) circles.

How then do you do secure computing? Don’t connect to the internet. OK, how else? The risk cannot be eliminated but it can be reduced … don’t run with local admin rights, don’t run unknown executables, only enable plug-ins and scripting for web sites you know to be safe, keep your operating system patched and up-to-date, and so on.

Another thing you can do is to browse the web in a virtual machine – a sort of super protected mode – not perfect, but would prevent some attacks at the expense of convenience.

If you are really serious you can use AppLocker, or another whitelisting technique, to control what can run on your box.

And passwords … one thing I do hold against Microsoft is that the company has a brilliant authentication mechanism called InfoCard that is almost never used, even by Microsoft. Unfortunately that’s not something any individual can change; but it is possible at least to use more complex passwords and not to pass them over the internet in plain text.

I’m not sure, even today, that many people realise that when they use Twitter on an airport or hotel or conference wi-fi, or collect email via POP3, they are likely passing their credentials in plain text over the internet for any smart hacker to read.
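The POP3 case above can be checked from a mail client's own debug log. The following is an added example, not part of the original post: it flags login commands sent before the connection was encrypted, including the case where the server refuses STLS and the client carries on regardless. The `C:`/`S:` transcript format and the sample sessions are constructed for illustration.

```python
"""Audit a POP3 client debug transcript for credentials sent before TLS.

Added illustration. The "C: " / "S: " line format and the sample
sessions below are constructed, not taken from any real mail client.
"""

# Client commands that expose the username or password to anyone on the
# network path unless the connection is already encrypted.
CLEARTEXT_AUTH = ("USER", "PASS", "AUTH PLAIN", "AUTH LOGIN")


def audit_pop3_session(lines, implicit_tls=False):
    """Return [(line_number, command), ...] for logins sent without TLS.

    implicit_tls=True models POP3S, where TLS is in place from the first
    byte. Otherwise the session only becomes encrypted once the server
    answers the client's STLS command with +OK.
    """
    encrypted = implicit_tls
    stls_pending = False
    findings = []
    for number, raw in enumerate(lines, start=1):
        direction, _, payload = raw.strip().partition(": ")
        command = payload.upper()
        if direction == "C":
            if command == "STLS":
                stls_pending = True
                continue
            if not encrypted:
                for auth in CLEARTEXT_AUTH:
                    if command == auth or command.startswith(auth + " "):
                        findings.append((number, auth))
                        break
        elif direction == "S" and stls_pending:
            # The first server reply after STLS decides whether TLS starts.
            encrypted = encrypted or command.startswith("+OK")
            stls_pending = False
    return findings


# Constructed sample: plain POP3, as on an open wi-fi network.
PLAIN_SESSION = [
    "S: +OK POP3 server ready",
    "C: USER alice",
    "S: +OK",
    "C: PASS example-password",
    "S: +OK maildrop locked and ready",
    "C: QUIT",
]

# Constructed sample: the client upgrades with STLS before logging in.
STLS_SESSION = [
    "S: +OK POP3 server ready",
    "C: CAPA",
    "S: +OK Capability list follows",
    "S: STLS",
    "S: USER",
    "S: .",
    "C: STLS",
    "S: +OK Begin TLS negotiation",
    "C: USER alice",
    "S: +OK",
    "C: PASS example-password",
    "S: +OK",
]

# Constructed sample: the server refuses STLS and the client logs in anyway.
REFUSED_SESSION = [
    "S: +OK POP3 server ready",
    "C: STLS",
    "S: -ERR command not supported",
    "C: USER alice",
    "S: +OK",
    "C: PASS example-password",
]


if __name__ == "__main__":
    for name, session in [("plain", PLAIN_SESSION),
                          ("stls", STLS_SESSION),
                          ("refused", REFUSED_SESSION)]:
        print(name, audit_pop3_session(session))
```

The third session is the one to watch for: a client configured for "TLS if available" that quietly falls back gives the same exposure as no TLS at all.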

I am also depressed how often I see “security questions” on registration forms, asking for things like mother’s maiden name to be used in case of lost password. It is obvious that these are actually insecurity questions; they lower security while easing the burden on support desks. All too often, these organisations then lower it further by emailing your password back to you in plain text. It also sometimes turns out that the password itself is stored in plain text on their web-connected databases, accessible to hackers.

Overall the IT industry is desperately bad at security, and by and large convenience has won. Yes, I think that should change. No, after years of reporting on IT I am not optimistic that it will, certainly not soon. And knee-jerk instructions to switch browsers may please Mozilla and Google, and web developers for whom Internet Explorer is a constant irritation especially in old versions, but will do little else to improve the situation.

SharePoint Explorer View hassles show benefits of cloud storage

Many of us want access to our documents from anywhere these days, and if you are still storing documents on a Windows server then remote access to documents usually means either VPN or SharePoint. VPN is heavy on bandwidth and not great for security, so SharePoint seems the obvious solution.

SharePoint is a mixed bag of course, but once it is up and running the browser user interface seems reliable as a means of getting at your documents over the internet. That said, it is inconvenient to run up the browser and navigate to a web site whenever you want a document. A user recently highlighted another issue. Their company uses a web application that frequently requires documents to be uploaded. This is straightforward if the document is on a local hard drive or network share, but not if it is in SharePoint. The workaround is to save the document out of SharePoint to the local drive, then upload it.

Fortunately there is another option. SharePoint Explorer View lets you access documents through Windows Explorer; you can even map SharePoint as a network drive. Now you can browse documents without a web browser, and upload directly to a web application.

Sounds great; and when it works, it is great. Troubleshooting though is a world of pain. If you have looked into this, you will know that there are really two Explorer Views, one using Internet Explorer and ancient FrontPage protocols, and the other using WebDav and Explorer. It’s the second of these that you most likely want. However, achieving this is notoriously troublesome, raising uninformative messages such as “Your client does not support opening this list with Windows Explorer”, or from the command line System Error 67, or System Error 53 “The network path was not found”.

Another common complaint is incessant login dialogs.

I discovered a few useful resources.

This white paper on Understanding and Troubleshooting the SharePoint Explorer View is essential reading.

From this you will discover that if you are using Windows XP, the WebDav SharePoint Explorer view will not work over SSL or on any port other than 80. You are stuck with the FrontPage view, which is less useful. Apparently Microsoft has no intention of fixing this. Upgrade to Vista or Windows 7.

In addition, many XP and even Vista users find this update essential before anything starts working. It is necessary on Windows 2003 since the web client is not installed by default. It does not apply to Windows 7 though.

A good resource on the repeated login issue is here. It can be tamed.

Windows 7 is better, though I experienced an odd issue. One Windows 7 machine cheerfully opened the Explorer view to a remote site on port 444. I could engage Explorer View from the SharePoint web site, or from Network in Explorer, and it just worked.

On another machine, same network, also Windows 7, same web client settings, I could not get it working. I was on the point of giving up when I happened on the right incantation from a command prompt:

net use s: https://your.domain.name:444\shared%20documents /user:domain\username password

In this example S is the drive letter for a mapped drive, your.domain.name is the URL for SharePoint, 444 is the port number, shared documents is the folder name. For some reason this worked instantly.

Well, SharePoint is an option. Before leaving this subject though, I would like to mention Gladinet, a third-party utility which is able to mount a variety of cloud storage providers as network drives, including Amazon S3, Google Docs, Windows Live SkyDrive, and in the latest version Windows Azure. It works on XP, Vista, Windows 7 and Windows 2003, comes in 32-bit and 64-bit editions, and worked immediately in my quick test. The ability to mount drives in Explorer itself, as opposed to an Explorer-like application, makes a big difference in usability.

Gladinet does not support SharePoint, sadly. Still, before you roll out SharePoint it is worth considering that something like an Amazon S3 account requires no CALs (though third-party clients like Gladinet may do), is maintained by a cloud provider rather than on your premises, is not hooked in any way to Windows clients, and might be a lot less hassle to deploy.

I do also understand the attraction of SharePoint, if you don’t or can’t trust the cloud, and like the way it integrates with Active Directory or its other clever features such as versioning or workflow management. What I don’t get is why Microsoft makes basic features like Explorer View so hard to get working.

Finally, this aspect of SharePoint should get better in Office 2010 and SharePoint 2010, which includes SharePoint Workspace 2010. This will synchronize with SharePoint 2010 document lists, giving you an offline copy you can access in Explorer. Agnes Molnar has a summary with screenshots.

New HP and Microsoft agreement commits $50 million less than similar 2006 deal

I’ve held back comment on the much-hyped HP and Microsoft three-year deal announced on Wednesday mainly because I’ve been uncertain of its significance, if any. It didn’t help that the press release was particularly opaque, full of words with many syllables but little meaning. I received the release minutes before the conference call, during which most of us were asking the same thing: how is this any different from what HP and Microsoft have always done?

It’s fun to compare and contrast with this HP and Microsoft release from December 2006 – three years ago:

We’ve agreed to a three-year, US$300 million investment between our two companies, and a very aggressive go-to-market program on top of that. What you’ll see us do is bring these solutions to the marketplace in a very aggressive way, and go after our customers with something that we think is quite unique in what it can do to change the way people work.

$300 million for three years in 2006; $250 million for three years in 2010. Hmm, not exactly the new breakthrough partnership which has been billed. Look here for what the press release should have said: it’s mainly common-sense cooperation and joint marketing.

Still, I did have a question for CEOs Mark Hurd and Steve Ballmer which was what level of cloud focus was in this new partnership, drawing these remarks from Ballmer:

The fact that our two companies are very directed at the cloud is the driving force behind this deal at this time. The cloud really means a modern architecture for how you build and deploy applications. If you build and deploy them to our service that we operate that’s called Windows Azure. If a customer deploys them inside their own data centre or some other hosted environment, they need a stack on which to build, hardware software and services, that instances the same application model that we’ll have on Windows Azure. I think of it as the private cloud version of Windows Azure.

That thing is going to be an integrated stack from the hardware, the virtualization layer, the management layer and the app model. It’s on that that we are focusing the technical collaboration here … we at Microsoft need to evangelize that same application model whether you choose to host in the cloud or on your own premises. So in a sense this is entirely cloud motivated.

Hurd added his insistence that this is not just more of the same:

I would not want you to write that it sounds a lot like what Microsoft and HP have been talking about for years. This is the deepest level of collaboration and integration and technical work we’ve done that I’m aware of … it’s a different thing than what you’ve seen before. I guarantee Steve and I would not be on this phone call if this was just another press release from HP and Microsoft.

Well, you be the judge.

I did think Ballmer’s answer was interesting though, in that it shows how much Microsoft (and no doubt HP) are pinning their hopes on the private cloud concept. The term “private cloud” is a dubious one, in that some of the defining characteristics of cloud – exporting your infrastructure, multi-tenancy, shifting the maintenance burden to a third-party – are simply not delivered by a private cloud. That said, in a large organisation they might look similar to most users.

I can’t shake off the thought that since HP wants to carry on selling us servers, and Microsoft wants to carry on selling us licences for Windows and Office, the two are engaged in disguised cloud avoidance. Take Office Web Apps in Office 2010 for example: good enough to claim the online document editing feature; bad enough to keep us using locally installed Office.

That will not work long-term and we will see increasing emphasis on Microsoft’s hosted offerings, which means HP will sell fewer servers. Maybe that’s why the new deal is for a few dollars less than the old one.

Crazy Microsoft stuff

I have a theory that Microsoft’s Small Business Server (SBS), which is meant to be easy to manage, is actually more complex than a full-blown multiple server setup – though you can now emulate the latter nicely using virtual machines.

Yesterday I spotted a post from Paul Culmsee which makes the point well:

A former colleague called me up because he knew of my dim, dark past in the world of Cisco, Active Directory and SharePoint. He asked me to help put in SBS2008 for him, configuring Exchange/AD/SharePoint and migrating his environment over to it.

“Sure”, I say, “it’ll be a snap” (famous last words)

Culmsee is a SharePoint expert. His mistake was to attempt installing Search Server Express (built on SharePoint) into SBS 2008:

Search Server 2008 Express, uses SQL Server Express edition when performing a basic install. As a result, an additional SQL Server Express instance (SERVERNAME\OFFICESERVERS) gets installed onto the Small Business 2008 server. Then, to make matters worse, the installer gets mixed up and installs some Search Server express databases into the new instance (a Shared Service Provider), but then uses the SQL Embedded Edition instance to install other databases (like the searchDB). Then later during the configuration wizard, it cannot find the databases that it needs because it searches the wrong instance!

The problem: there is too much installed on that box, and SBS comes way down low on Microsoft’s priorities, so it issues products and patches that ought to work on SBS as well as on mainstream Microsoft servers, but do not. Culmsee apparently gave up on Search Server Express.

Evidence 2: Exchange 2007 Service Pack 2. Released in August 2009. Does not work on SBS 2008 without daunting manual steps. Six months later, Microsoft releases a special Exchange Server 2007 SP2 Installation Tool for SBS. Even with the tool, the install may be problematic.

In some ways it would not be so bad if SBS were a totally locked-down product with its own patches and no possibility of installing generic Microsoft products – though third parties might scream. As it is, it falls betwixt and between.

You can make it work. You can make it work very well, if you have patience, read SBS blogs like that of Susan Bradley and David Overton, and maintain it carefully. But … don’t pretend it is not complex.

Note also the hassles Culmsee had configuring his HP server. Google Apps anyone?

Store any type of file in Google Apps – in effect, GDrive

Google has announced a new feature – the ability to upload any type of file to its online storage.

Over the next couple of weeks, we are rolling out the ability for Google Apps users to easily upload and securely share any type of file internally and externally using Google Docs. You get 1 GB of storage per user, and you can upload files up to 250 MB in size…Combined with shared folders in Google Docs, the upload feature is a great way to collaborate on files with coworkers and external parties.

Additional storage is available at $0.25/GB/yr according to this post.

Is this “GDrive” – the long-rumoured generic online storage from Google? Pretty much. Note however that Microsoft’s excellent SkyDrive already offers 25 GB of unrestricted online storage for free.

Enterprise customers who use the Premier Edition of Google Apps are also getting this service, but at a higher price: additional storage is $3.50/GB (or €3.00/GB in the EU). This storage is accessible via the Google Documents List Data API, enabling developers to create applications that backup or synchronise files between Google and client devices, and is therefore more comparable to Amazon’s Simple Storage Service (S3). Amazon has no free offering but S3 is modestly priced at $0.15 per GB per month, between Google’s consumer and business pricing, though note that Amazon also charges for data transfer.

Once third-parties do their stuff to make this look like any other network folder, this looks like a handy new feature. One advantage is that you can store Microsoft Office files in their native format, rather than having to convert them to Google documents with loss of fidelity.

It may also mean less usage for a popular workaround – emailing attachments to yourself in GMail.

Update: post revised to include information on Premier Edition.

Going Mobile

In the back of my mind I knew that this blog looked terrible on a mobile, but I did nothing about it until @monkchips complained that it was unreadable on his HTC Magic, which runs Google Android 1.6.

I don’t have an Android device, but I grabbed the SDK, ran up the emulator, and had a look. The page took ages to load, and did not work properly even when fully loaded.

I figured “there’s a plugin for that”, and there is – several in fact. I settled on the WordPress Mobile Pack. Installed, configured, and a short time later was up and running.

I had a few hassles, mainly because most of my wordpress installation is not writeable by the web server, and this plugin needs to write themes on installation and temporary images after that, so I had to loosen permissions slightly. I then set the themes directory back to read-only, and configured the cache so that Apache will only serve images.

I still only get a score of Fair (2 fails) from the MobiReady report. Still, progress. I am ahead of bbc.co.uk which gets Bad (10 fails); but behind microsoft.com which rates Good (0 fails).

The plugin also tells me that 5% of the traffic to this site is from mobile users. More than I had expected.

Beep beep.

Windows Presentation Foundation now ready, too late

The immortal film The Railway Children has a scene in which a band plays during an award presentation. Unfortunately a series of false starts delay the performance, until finally it all comes together and the music begins. The camera pans – the audience has already departed.

Is it like that for WPF (Windows Presentation Foundation), Microsoft’s user interface framework which is built on .NET and DirectX and was intended to replace the ancient GDI (Graphics Device Interface) and GDI+?

In this new post I make the case that with WPF 4.0 the framework is now truly ready to use, not least because Microsoft itself is using it in Visual Studio and the interaction between these two teams has solved a number of problems in WPF.

But who now wants to develop just for Windows? Well, it makes sense in some contexts, though I note that in the Thoughtworks paper on emerging technology and trends about which I wrote yesterday, neither Windows nor WPF gets a mention. Nor for that matter does the Mac, Linux, or OS X, though iPhone and Android feature strongly. The only emerging desktop technology that interests Thoughtworks is the browser.

What’s wrong with Microsoft Hotmail?

Joe Wilcox has a good post about Microsoft’s decade of shattered dreams. These are all things in which the company invested, but did not get right: eBooks, HailStorm web services, digital music, Origami small computing devices.

The list is longer than that of course. Tablet PC is a big one; we’ll see what happens to Apple’s efforts. And when I researched a retrospective on .NET recently I was struck by how well Microsoft got the mash-up idea: building block services pulled together by .NET web sites or client applications. And let’s not forget that Microsoft demonstrated Ajax partial page refresh in September 2000. These ideas have not been total failures at Microsoft, but their potential has been realised mainly by others.

That brings me to Hotmail (also known as Live Mail), the web-based email service that launched in 1996 and was acquired by Microsoft in late 1997. Microsoft was long teased for keeping it running on Unix while promoting Windows Server; that is emphatically no longer the case, as explained in two recent blogs by Arthur de Haan and Dick Craddock. It was moved off Unix in 2004, and rewritten in C# and ASP.NET in 2005. According to de Haan, it is the largest SQL Server 2008 deployment in the world. Impressive.

It would be absurd to call Hotmail a failure, when it has 1.3 billion inboxes and 350 million active users. Nevertheless, when I read or hear people recommending a web-based email service, it is almost always Google Gmail, not Hotmail (nor Yahoo for that matter). There are several people with whom I communicate professionally at Gmail addresses, none that I can think of on Hotmail.

Last year, Information Week reported that in the USA Gmail was set to overtake Hotmail in 2009; I do not know if it did so, but it would not surprise me, though internationally Hotmail is likely still ahead. Yahoo was well ahead of both, but will not be immune to the Google effect.

How has Google managed to steal mindshare away from Microsoft’s long-established service?

One reason is that Google got it right pretty much from the first public beta, whereas Hotmail has made pretty much every mistake in the book, though it has gradually corrected most of them. For a long time my Hotmail account was nearly unusable because of spam, whereas Gmail has great spam filters. Hotmail had inadequate storage, until Gmail turned up with 1GB of storage and its competitors quickly followed suit.

Another factor is the user experience. When I go to Gmail, I get a full page dedicated to email, and it is responsive and generally pleasant to use. The Hotmail UI is busier, the ads are more intrusive, and it takes longer to load.

Still, Hotmail is usable and much better than it once was. What else is wrong?

There is a clue in comments to de Haan’s blog. Hotmail has traditionally been awkward if you want to use offline mail clients, which is odd considering Microsoft’s “software plus services” approach. The Outlook Live Connector has always been troublesome. POP3 support eventually arrived, but users want IMAP as offered by Google.

Another problem is that Hotmail has never seemed core to Microsoft’s strategy. We all know how Microsoft does email, and it is not Hotmail, it is Exchange. Hotmail is a consumer service. Both marketing and product integration efforts are mainly focused on Exchange.

Despite its 350 million users, I reckon Hotmail needs a Bing-style makeover.

Joining the Smartphone dots

Google has made a big splash with its launch of Nexus One, even though technically it is not all that exciting. A neat phone; 1 GHz Qualcomm processor; runs Android 2.1; good for web video with its inclusion of Adobe Flash 10.1, along with the ability to capture your own videos at 20 frames per second in 720×480 pixels. No keyboard though; and the Q&A at the press briefing revealed a few limitations, such as lack of tethering support (using the phone to connect a laptop to the Internet), and that downloaded applications all end up in the 512MB on-board RAM rather than on an SD card, making it more likely that you will run out of space. Tethering is being worked on, apparently, and the application restriction is for copy protection, supposedly making it more difficult to pirate paid-for downloads.

My biggest disappointment is the price. It is a fraction cheaper than an Apple iPhone, but still far from a mass market product; though it won’t feel that way in the tech influencer community.

All this is rather unimportant; even prices will fall eventually. What matters is that attention is shifting from web+desktop (or laptop) to web+smartphone as the computing platform of the moment. That shift is far from complete; most of us still need the large screen and comfortable keyboard of a laptop to do our work. It is real though, and it is obvious that the need to carry around a bulky laptop with a short battery life is diminishing. Netbooks and Apple’s rumoured tablet are part of the same movement towards smaller, lighter and web-connected.

Although these gadgets are getting more capable, there is no sign of them following the desktop model with feature-rich local applications and heavy use of local storage. The applications being downloaded in huge numbers from Apple’s app store – a breathtaking three billion to date according to today’s announcement – are small, single-purpose apps where speed and usability are valued over richness of features, and where data comes from the Internet. This is the new model of application development.

Google’s announcement is also an important move in the identity wars. Most computer users have multiple identities: maybe an Active Directory account on a Microsoft network, a Facebook account, an Apple ID for iTunes and MobileMe, a Google account for Gmail and Google Docs. All these competing players gain hugely if they can increase the importance of your identity on their platform versus the others. If Microsoft can keep your Active Directory account at the centre of your world, then you will be a customer for Exchange, Office, SharePoint and so on. On the other hand, if your Google sign-in becomes more important, then Google’s products are correspondingly more attractive and it can sell you more services and advertising. Buy a Google phone and you hook directly into Google’s world. In ChromeOS the link is even more obvious, since you sign onto the computer with your online Google credentials.

The power shift is obvious. And as Tim O’Reilly implies in his excellent post, Google’s lack of legacy desktop baggage is helping it to compete against Apple as well as Microsoft.

A year of blogging: another crazy year in tech

At this time of year I allow myself a little introspection. Why do I write this blog? In part because I enjoy it; in part because it lets me write what I want to write, rather than what someone will commission; in part because I need to be visible on the Internet as an individual, not just as an author writing for various publications; in part because I highly value the feedback I get here.

Running a blog has its frustrations. Adding content here has to take a back seat to paying work at times. I also realise that the site is desperately in need of redesign; I’ve played around with some tweaks in an offline version but I’m cautious about making changes because the current format just about works and I don’t want to make it worse. I am a writer and developer, but not a designer.

One company actually offered to redesign the blog for me, but I held back for fear that a sense of obligation would prevent me from writing objectively. That said, I have considered doing something like Adobe’s Serge Jespers and offering a prize for a redesign; if you would like to supply such a prize, in return for a little publicity, let me know. One of my goals is to make use of WordPress widgets to add more interactivity and a degree of future-proofing. I hope 2010 will be the year of a new-look ITWriting.com.

So what are you reading? Looking at the stats for the year proves something I was already aware of: that the most-read posts are not news stories but how-to articles that solve common problems. The readers are not subscribers, but individuals searching for a solution to their problem. For the record, the top five in order:

Annoying Word 2007 problem- can’t select text – when Office breaks

Cannot open the Outlook window – what sort of error message is that? – when Office breaks again

Visual Studio 6 on Vista – VB 6 just won’t die

Why Outlook 2007 is slow- Microsoft’s official answer – when Office frustrates

Outlook 2007 is slow, RSS broken – when Office still frustrates

The most popular news posts on ITWriting.com:

London Stock Exchange migrating from .NET to Oracle/UNIX platform – case study becomes PR disaster

Parallel Programming: five reasons for caution. Reflections from Intel’s Parallel Studio briefing – a contrarian view

Apple Snow Leopard and Exchange- the real story – hyped new feature disappoints

Software development trends in emerging markets – are they what you expect?

QCon London 2009 – the best developer conference in the UK

and a few others that I’d like to highlight:

The end of Sun’s bold open source experiment – Sun is taken over by Oracle, though the deal has been subject to long delays thanks to EU scrutiny

Is Silverlight the problem with ITV Player- Microsoft, you have a problem – prophetic insofar as ITV later switched to Adobe Flash; it’s not as good as BBC iPlayer but it is better than before

Google Chrome OS – astonishing – a real first reaction written during the press briefing; my views have not changed much though many commentators don’t get its significance for some reason

Farewell to Personal Computer World- 30 years of personal computing – worth reading the comments if you have any affection for this gone-but-not-forgotten publication

Is high-resolution audio (like SACD) audibly better than CD – still a question that fascinates me

When the unthinkable happens: Microsoft/Danger loses customer data – as a company Microsoft is not entirely dysfunctional but for some parts there is no better word

Adobe’s chameleon Flash shows its enterprise colours – some interesting comments on this Flash for the Enterprise story

Silverlight 4 ticks all the boxes, questions remain – in 2010 we should get some idea of Silverlight’s significance, now that Microsoft has fixed the most pressing technical issues

and finally HAPPY NEW YEAR