Monthly Archives: January 2009

general

Music Magpie review

170 Comments

Rupert Jones in today’s Guardian has a note about Music Magpie, a site where you can sell old CDs, games, and now DVDs. The site calls itself an “online CD recycling service.” I like CDs, so I took a look.

The service is a commercial operation and as far as I can tell isn’t any different in principle from any other online secondhand retailer – I guess they all ought to get some green cred by calling themselves recycling services.

So how does Music Magpie compare to others like, say, Amazon or eBay? Let’s look at it first as a buyer. I love the Cowboy Junkies, so I did a search. I can get their great CD The Trinity Session for £3.99. Amazon has this new from £5.98, or used from £3.91. What about postage costs? At Amazon it is currently £1.21. I can’t so far discover what Music Magpie charges, or whether it is included. The terms and conditions say:

9.2. These prices include VAT but exclude delivery costs, which are detailed on the website.

However I can’t find them detailed anywhere. Maybe it is included after all, but you would have thought this would be flagged as a selling point. So it could be more than Amazon, or less, depending on this point; it appears to be in the same ball park. However, Amazon has a vastly greater stock available and nice features like customer reviews.

OK, how about as the seller? If I decide to sell my Cowboy Junkies CD, Music Magpie will currently offer me 98p (the price varies according to the CD, and can be as low as 25p). There’s no postage cost to the seller; the company sends out a freepost envelope.

There are some alarming terms and conditions. If Music Magpie decides one of your CDs needs refurbishment (polishing), it deducts up to 50p. If it decides it is unacceptable, it neither buys nor returns it. There is no appeal.

Now Amazon. If I sell Trinity Session for the current lowest price of £3.91, Amazon will grab £1.82 in fees (including VAT) but contribute £1.21 for postage. That means I get £3.30. If the postage actually costs that much (it could well work out less), I still get £2.09 net, more than double what Music Magpie offers.

Listing an item on Amazon is not much more difficult than selling to Music Magpie – just type in the barcode and go. The big difference is that with Amazon you have to sit back and wait for a buyer. With Music Magpie I get the money instantly. Another difference is that with Music Magpie I can parcel a bunch of CDs once and send them off. With Amazon, you have to deal with each customer individually.

My immediate impression is that Music Magpie scores well on convenience, but if you need the money and have a little patience you would be much better off with Amazon.

Now, here’s an interesting remark on the Music Magpie site:

We originally launched musicmagpie as an easy way for everyone to turn their old CDs into cash so that they did not have to be thrown away if they had decided to go digital. This proved to be a massive success with thousands of people using musicmagpie as a fast and efficient way to turn CDs into money.

Well, CDs are digital; but I’m guessing that Music Magpie is referring to people who have ripped their CDs to a computer for streaming, or for an iPod, or another MP3 player. Here’s a can of worms though. I’ve heard it argued that even ripping your own CDs is illegal, though it seems a reasonable thing to do. Ripping your CDs and then selling them though – intuitively that seems wrong. Arguably, Music Magpie by its own admission is dealing in stolen music.

Still, I do see the other side of this too. You’ve ripped all your CDs, you no longer need them, you are short of space: isn’t it better to move them on?

When people moved from vinyl to CD they had no choice but to purchase again. In the case of CD to music files though, you can migrate without re-buying. That’s a headache for the music industry.

Personally I hang on to them anyway, as a kind of license and physical backup, and just in case I might want to read the sleeve notes again one day.

Note: Comments to this post are now closed.

Technorati tags: , , ,
microsoft, security, software, software development, windows

Gears of War certificate expiry a reminder to developers: always timestamp signed code

Users of the PC version of Gears of War have been unable to run the game since yesterday (29th January 2009). If they try, they get a message:

You cannot run the game with modified executable code

Joe Graf from Epic has acknowledged the problem:

We have been notified of the issue and are working with Microsoft to get it resolved. Sorry for any problems related to this. I’ll post more once we have a resolution.

The workaround is to set back your system clock. An ugly solution. Of course, some users went through the agony of full Windows reinstalls in an effort to get playing again.

So what happened? This looks to me like a code-signing problem, not a DRM problem as such, though the motivation for it may have been to protect against piracy. Code signing is a technique for verifying both the publisher of an executable, and that it has not tampered with. When you sign code, for example using the signwizard utility in the Windows SDK, you have to select a certificate with which to sign, and then you have an option to apply a timestamp. The wizard doesn’t mention it, but the consequences of not applying a timestamp are severe:

Microsoft Authenticode allows you to timestamp your signed code. Timestamping ensures that code will not expire when the certificate expires because the browser validates the timestamp. The timestamping service is provided courtesy of VeriSign. If you use the timestamping service when signing code, a hash of your code is sent to VeriSign’s server to record a timestamp for your code. A user’s software can distinguish between code signed with an expired certificate that should not be trusted and code that was signed with a Certificate that was valid at the time the code was signed but which has subsequently expired … If you do not use the timestamping option during the signing, you must re-sign your code and re-send it out to your customers.

Unfortunately, there is no timestamping for Netscape Object Signing and JavaSoft Certificates. Therefore you need to re-sign your code with a new certificate after the old certificate expires.

I don’t know if this is the exact reason for the problems with Gears of War, and I’m surprised that the game refuses to run, as opposed to issuing a warning, but this could be where the anti-piracy measures kick in. Epic’s programmers may have assumed that the only reason the certificate would be invalid is if the code had been modified.

I blogged about a similar problem in February 2006, when a Java certificate expired causing APC’s PowerChute software (a utility for an uninterruptible power supply) to fail. That one caused servers to run slow or refuse to boot.

As far as I know, there is no way of telling whether other not-yet-expired certificates are sitting on our PCs waiting to cause havoc one morning. If there are some examples, I hope it does not affect software running, say, Air Traffic Control systems or nuclear power stations.

If you are a Windows developer, the message is: always timestamp when signing your code.

cloud computing, internet, microsoft, windows

Hands On with Office Live Workspace beta

1 Comment

I was asked today: how can I share documents with a remote worker? This is a two-person business. There are a zillion and one solutions these days, but all have downsides.

Set up a server and VPN: fine when it works, but what to do when it fails? Backup? Maintenance and patching?

Google Docs: A great solution, but what if you want to work with real Word and Excel documents? Excel in particular is hard to replace if you use it in earnest (big sheets, many calculations).

Netdocuments: This looks promising, though I haven’t tried it.

Subversion: This is what I use (with TortoiseSVN), but it’s terribly techie.

Live Mesh: Brilliant concept; automatic offline copies; just save documents to a shared folder and you’re done. One hesitation is that I’ve known the Mesh client to crash mysteriously. It’s a beta. And how secure are your Mesh documents from prying eyes?

What about Office Live Workspace? This is a form of hosted SharePoint and in theory it’s ideal – except, perhaps, that you have to keep a local copy of documents just in case the service goes down. You can store “over 1000 documents” online for free. I took a quick look. Signed up. Some sort of Live client needed. Client also needed a Vista update. Vista update installed and wanted a reboot. Live client declared it was already installed and setup closed. Rebooted. Back to Live Workspace. Live Client starts to install again, this time succeeds. Try to save from Word 2007, Live ID password prompt pops up numerous times. Word wants a further add-in. Second reboot. Something like that, anyway; the usual Windows merry-go-round.

Still, eventually I appear to have all the pieces in place. I type a new document in Word and click the Office button. I now have a new option, Save to Office Live:

Cool. I click Sign in to Office Live Workspace beta. Prompt comes up:

One of my problems is that I refuse to check “Sign me in automatically”. I don’t like it; I consider it more secure to sign in and out of services as I need them. There’s also a problem if you have more than one Live ID. Unfortunately some services deliver a poor user experience if you don’t sign in automatically, and I suspect Live Workspace is one of them. Anyway, I sign-in and wait 10-15 seconds. Then I get this dialog:

I hit Save. Mistake: I get this dialog:

OK, my error was not to select a folder within the workspace. Easy mistake to make though, and the error message could be better. I double-click Documents and retry. I get this progress bar:

Takes a few seconds, and I’m done.

Once your document is online, it is accessible over the web with an neat in-browser preview:

The toolbar has some handy options including versions and sharing:

I love it; but have two reservations. First, the painful setup, sometimes slow performance, and occasional strange errors, like the fact that Office Live sometimes decides my IE7, fully patched browser is not up to scratch:

If I recommend this to my contact, what’s the chance that I’ll get a call concerning some odd behaviour or failure with the Live client, or the Office Live add-in, or Internet Explorer, and end up (as so often) troubleshooting Windows instead of getting on with work?

Second, I’m concerned about availability in a business context. If a customer calls you, and you need to see a document, what if Live Workspace (or Google Docs,  or any online service) is temporarily unavailable? You give that lame excuse, “We’re having computer problems, can you call back?”; or else keep offline copies – but if you keep offline copies, getting the workflow right becomes difficult. I notice that Netdocuments has a Local Document Server option which may fix this. SharePoint solves this to some extent with Outlook lists, but I’m not convinced that these work well enough with large document libraries, and I don’t know if Live Workspace offers them.

That is the beauty of seamless online/offline solutions like Live Mesh, or indeed Subversion, or some future Google Docs with Gears doing the offline stuff.

Finally, why is Microsoft offering both Live Mesh and Live Workspace? Different teams I guess; but it makes a confusing offering overall.

general, john martyn

RIP John Martyn

One of my best musical memories is of John Martyn and Danny Thompson playing through Solid Air at the Cropredy festival – I forget the year, it was during the Eighties. A magical summer evening. News of Martyn’s death came today in a brief entry on his web site.

What can I say? I love his music for its individuality, depth, emotion, jazzy edginess, and yearning.

Solid Air may be his greatest work but my own favourite albums are Sunday’s Child and Inside Out.

Solid Air was written for Nick Drake; I hope someone writes an equally beautiful song for John.

Technorati tags:
adobe, flash, software development

Adobe Flex community at odds over Fx prefix, lack of collaboration

1 Comment

Some members of the community around Adobe’s open source Flex SDK are fuming at a decision made by Adobe back in October 2008, to prefix the new skinnable components in the forthcoming “Gumbo” release with Fx. This means you can disambiguate old and new components such as Button without relying on namespaces. On the other hand, what is wrong with namespaces? The issue has provoked a lot of debate, partly on the merits or otherwise of the Fx prefix, and partly on the open source development process itself. The Fx decision was announced rather than discussed. Simeon Bateman, who is now all-but proposing an Fx-less fork of the SDK, says:

Creating an open source project is about openness in planning and development. Not just about giving people the right to do with the code what they will. And this part of the Flex project is a complete failure … The current Flex SDK team has about 20 developers and they are fiendishly working on the code for the next version of Flex, version 4 code named Gumbo. And they are doing all that development in private, behind closed doors with nothing but commit logs for us to know what is happening. This is an open source project and we have no idea what is going coming or what the timelines are for milestones. What the hell are the milestones?

Manish Jethani argues that Fx is a sign of haste and corporate pressure:

Even though Flex is an open source project, it is very much run per corporate interests. In a truly open source project like the Linux kernel, there are no deadlines — it’s ready when it’s ready. That’s how research departments work. But Flex is no research, Flex is business. Why, wouldn’t the ‘Fx’ prefix give Flex Builder yet another advantage over competing IDEs? Think about it.

Ben Clinkinbeard has created a survey to allow Flex developers to express their opinions, though as a commenter notes, it is more of an objection petition than a survey.

Adobe responded with an online open meeting to discuss this and other matters which took place this morning – you can play the recording online. It may have been frustrating for those who felt strongly about it, since after presenting the reasons for the change the presenters deferred further discussion to the online forum. As far as I can tell, the Fx decision is unlikely to change.

Well, there is open source, and there is collaborative development, and they are not the same thing. Adobe retains tight control over Flex for the sake of its commercial interests. It is a reminder that although the Flex SDK is open source it is not a community property in the same way as Apache.

Once crumb of comfort for Adobe is that this kind of intense debate shows the high value of Flex to its developers. It would be far, far worse if nobody cared.

Update: you can vote against the fx prefix or discuss it in Adobe’s bug-tracking system here.

Technorati tags: , , ,
blogging, internet, microsoft, windows

More RSS madness from Microsoft – this time it’s Live Mail

Once upon a time I was enthusiastic about the “common feed list” in Windows. I thought there was all sorts of potential for sharing and synchronizing content across the network. When it was introduced, Microsoft called it the Windows RSS Platform, though it gets installed as part of IE7.

What’s curious is that even Microsoft doesn’t seem to use the platform in the way it was (presumably) intended. I opened up Windows Live Mail 2009 today (I use it only occasionally as a newsgroup reader), and was puzzled to see 6724 unread feed items.

What’s going on? Well, I use the IE7 feed list and access it either in IE7 or in my own home-brew reader, which uses the COM API to the common feed list.

Windows Live Mail had grabbed the list of feeds and made its own copy of all the data. Am I sure? Yes, first because of this suspicious option in Live Mail:

“When deleting a feed here, also delete it from your Internet Explorer feed list” – implying synchronization, not a common database. Note also the jargon; the Live Mail folk clearly think of this as a feature of IE, not a feature of Windows.

I also took a look in:

C:\Users\USERNAME\AppData\Local\Microsoft\Windows Live Mail\Your Feeds\

and there is was, a copy of all the entries in X-MimeOLE format. The real common feed list, by contrast, is stored in:

C:\Users\USERNAME\AppData\Local\Microsoft\Feeds

It is not quite as bad as it first appears. When I chose to sync the feeds in Live Mail, the unread items synchronized with those in IE7. I am also hopeful that the data is only retrieved from the Internet once. though it is hard to be sure. A quick experiment suggests that if you delete a feed in IE7, it stays in Live Mail, though it no longer updates (one or other of these facts could be a bug). If you delete a feed in Live Mail it is deleted from IE7 unless, presumably, the box in the dialog above is checked.

The Outlook team made a similar error, but worse, because the feeds end up messing up your Exchange mailbox as well.

So why doesn’t Live Mail simply present a view of the common feed list, like my home-brew reader? Well, maybe the API is not robust or fast enough. The solution then is to fix the common feed list, not to do all this error-prone synchronization.

The whole thing would make more sense if the feed list was synchronized with the cloud, so that I could also read my feeds on the Web, in the style of Google Reader. Despite the name, Live Mail seems thoroughly bound to the desktop. It is simply an update to Outlook Express.

multimedia, salesforce.com

Comparing digital snaps on a new camera and one five years old

2 Comments

I purchased a Canon IXUS 400 in November 2003. Good camera (for my purposes); but the battery life has dwindled to the point of nuisance and I figured it was time to replace it. I bought a near-equivalent, the IXUS 80IS, for around half the price the 400 cost 5 years ago. I especially like the idea of image stabilization, since I don’t carry a tripod.

I thought it would be interesting to compare the image quality, so I took a snap across the study (without a tripod). It’s difficult to compare like with like, as the newer camera supports higher resolutions. In the end I decided to use each one at its best resolution. The books in the image are around 3 metres (10 feet) away. Here’s the IXUS 400, image enlarged to match the size of the other:

and here is the IXUS 80IS:

Note that this is a very small detail; the old camera is not that bad. Still, a big difference.

Incidentally, I posted my first picture to Flickr earlier today – a snap of the Foo Fighters at Dreamforce last year. Taken with the old Canon, of course.

microsoft, silverlight, software development, web authoring

Microsoft showing Silverlight 3 at Mix09

Looks like Mix09 (March 18-20) is the stage where Microsoft will reveal details of Silverlight 3 (is it really 3 already?). On the session list is:

What’s new in Silverlight 3 (Joe Stegman)

What’s new in Silverlight 3 media (Larry Olson)

Deep Dive into Silverlight graphics – come hear about the Silverlight 3 rendering pipeline (Seema Ramchandani, Marshall Agnew)

Technorati tags: , ,
security, software development, web authoring

Why are web sites still storing passwords? Monster, USAJobs blunder highlights the risks

4 Comments

Sophos informs us that job sites Monster and USAJobs (an official US Job site) have been hacked. Messages on Monster and USAJobs confirm this. I’d like to draw attention to the fact that passwords were stolen:

We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords.

says Monster. And USAJobs says:

We recently learned that the Monster database was illegally accessed and certain contact and account data were taken, including user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data.

Same wording – because Monster is the “technology provider” for USAJobs.

Sophos observes:

There is even more potential for danger, however, because passwords have been stolen. We know that too many people use the same password for every website that they access.

Right. But why is Monster even storing passwords? It is not necessary. All you need store is a one-way password hash, so the site can verify a password without recording it. This is easily done in every web platform out there.

There is a disadvantage. It means the site cannot email your lost password. Instead, it must reset your password. Since email passes in plain text, emailing passwords is a bad idea anyway, and I hate to see sites doing this; it’s a useful alert though that the site places a low value on security.

Any site can get hacked, but what isn’t stored can’t be stolen.

Technical blunders like this can be costly; there’s no excuse for it that I can think of.

Technorati tags: , , , ,