Tag Archives: microsoft

Windows Phone 7 development hits the big screen

I spent yesterday in the dim light of a Manchester cinema, attending the Windows Phone 7 developer day.

The event was organised by DeveloperDeveloperDeveloper, which is a .NET community group run, as far as I can tell, by a group of Microsoft MVPs. The sponsors were Microsoft, Appa Mundi, and NxtGenUG. Towards the end of the day, Andy Wigley (from Appa Mundi) made a statement that this was a community event and not an official Microsoft event. It was true up to a point, though as far as I can tell Microsoft paid for most of it – “Microsoft UK very kindly provided the venue and logistic support,” says the event description. Microsoft was present showing real Windows Phone 7 devices, and the presenters included Andy Wigley (from Appa Mundi) and Rob Miles, who have also presented the official Jump Start training for Windows Phone 7, and regular TechEd speaker Maarten Struys who is a Windows embedded and Windows Phone evangelist working for Alten PTS in the Netherlands. Community, or Microsoft PR?

Regardless, they were excellent speakers and well informed on all things Windows Phone 7. The community aspect did come to the fore when it came to the catering – there was none – and the venue itself which felt as you would expect a cinema out of hours to feel. I’m guessing Microsoft the community was disappointed with the attendance, around 100 in a venue that seats 330.

There is one significant benefit to presenting in a cinema. The screen and projection was first-rate.

The sessions themselves were introductory but struck me as useful for anyone getting started with Windows Phone 7 development – which given the devices are not yet available, is probably most of us. Andrej Radinger’s session on creating apps that work offline was particularly interesting to me. I had previously seen the Jump Start course so some of the material was already familiar, though the refresher did no harm.

Much of the challenge of Windows Phone 7 development is coping with the fact that your app will frequently get killed and have to resume later as if nothing happened. We got a lot of input on this topic.

Another challenge is coping with Expression Blend. Designer Tricky Bassett gave a short but insightful view of the design process for a Windows Phone 7 app, with some intriguing asides along the way. He is a design professional, and said that his team had been excited about SketchFlow, the prototyping tool in Blend, but in practice found it little use because they only need sketches, rather than the working controls which SketchFlow gives you. He also commented on Blend, saying that Blend with Windows Phone 7 projects was more stable than it had been before, in his experience with other projects. In previous work with Blend, solutions that did not load have been a recurring problem – I take it that either they loaded in Visual Studio but not in Blend, or vice versa.

Bassett also said that Blend takes some effort to learn, and this was confirmed by the way some of the presenters struggled to do basic operations with the tool. The Blend UI is perplexing and at events like this one I’d suggest that a Blend Basics piece would go down well.

The Silverlight and XNA platforms strike me as pretty good, though I think that lack of native code development will be a problem among the best developers – there are interesting rumours about certain developers getting special privileges.

My overriding impression though is that the phone is good, the tools are good, but the demand is lacking. One developer told me that he has been trying to sell an idea for a custom Windows Mobile application to a small business client with 12 employees. They are keen but their employees want either Apple iPhone or Google Android phones. Windows Phone 7 may help by being a better and more attractive device, but getting past the perception that Windows phones are not much good is going to be a problem.

But what can Microsoft do? It is going to take devices that deliver on the promise, a stunning marketing campaign, and aggressive pricing, for this thing to flourish.

NuPack brings package management to Microsoft .NET

Microsoft has announced the beta release of NuPack, which is a package manager for .NET projects, mainly focused on open source libraries. NuPack itself is open source.

I downloaded NuPack and took a look. It installs as a Visual Studio extension, and I used it with Visual Studio 2010. Once installed, you get a new Add Package Reference option for any .NET project, which opens this dialog:

image

There seem to be around 40 projects currently available, including some familiar names:

  • Castle Inversion of Control
  • fbConnectAuth Facebook Connect authentication library
  • JQuery – though this already appears by default in many ASP.NET projects
  • log4net logging library
  • Moq mocking library
  • NHibernate object-relational mapper
  • NUnit unit-testing framework

Once you find the package you want to add, click install and it is automatically added to your project, complete with any necessary configuration changes. There is also a PowerShell-based console. In some cases it is better to use the console, as a package can add new commands which you can call from there.

NuPack strikes me as a great idea; one comment to Scott Hanselman’s post on the subject calls it GEM for .NET, GEM being the Ruby package manager. That said my quick go with NuPack has not been entirely smooth, and I got an error on my first attempt at adding NUnit to a project, fixed after restarting Visual Studio.

My main reservation is whether Microsoft will really get behind this and support it, or whether it will end up as another promising initiative that after a while is abandoned.

Steve Ballmer ducks questions at the London School of Economics

This morning Microsoft CEO Steve Ballmer spoke at the London School of Economics on the subject of Seizing the opportunity of the Cloud: the next wave of business growth. Well, that was supposed to be the topic; but as it happened the focus was vague – maybe that is fitting given the subject. Ballmer acknowledged that nobody was sure how to define the cloud and did not want to waste time attempting to do so, “cloud blah blah blah”, he said.

It was a session of two halves. Part one was a talk with some generalisations about the value of the cloud, the benefits of shared resources, and that the cloud needs rather than replaces intelligent client devices. “That the cloud needs smart devices was controversial but is now 100% obvious,” he said. He then took the opportunity to show a video about Xbox Kinect, the controller-free innovation for Microsoft’s games console, despite its rather loose connection with the subject of the talk.

Ballmer also experienced a Windows moment as he clicked and clicked on the Windows Media Player button to start the video; fortunately for all of us it started on the third or so attempt.

Just when we were expecting some weighty concluding remarks, Ballmer abruptly finished and asked for questions. These were conducted in an unusual manner, with several questions from the audience being taken together, supposedly to save time. I do not recommend this format unless the goal is to leave many of the questions unanswered, which is what happened.

Some of the questions were excellent. How will Microsoft compete against Apple iOS and Google Android? Since it loses money in cloud computing, how will it retain its revenues as Windows declines? What are the implications of Stuxnet, a Windows worm that appears to be in use as a weapon?

Ballmer does such a poor job with such questions, when he does engage with them, that I honestly do not think he is the right person to answer them in front of the public and the press. He is inclined to retreat into saying, well, we could have done better but we are working hard to compete. He actually undersells the Microsoft story. On Stuxnet, he gave a convoluted answer that left me wondering whether he was up-to-date on what it actually is. The revenue question he did not answer at all.

There were a few matters to which he gave more considered responses. One was about patents. “We’re better off with today’s patent system than with no patent system”, he said, before acknowledging that patent law as it stands is ill-equipped to cope with the IT or pharmaceutical industries, which hardly existed when the laws were formed.

Another was about software piracy in China. Piracy is rampant there, said Ballmer, twenty times worse than it is in the UK. “Enforcement of the law in China needs to be stepped up,” he said, though without giving any indication of how this goal might be achieved.

He spoke in passing about Windows Phone 7, telling us that it is a great device, and added that we will see slates with Windows on the market before Christmas. He said that he is happy with Microsoft’s Azure cloud offering in relation to the Enterprise, especially the way it includes both private and public cloud offerings, but admits that its consumer cloud is weaker.

Considering the widespread perception that Microsoft is in decline – its stock was recently downgraded to neutral by Goldman Sachs – this event struck me as a missed opportunity to present cogent reasons why Microsoft’s prospects are stronger than they appear, or to clarify the company’s strategy from cloud to device, in front of some of the UK’s most influential technical press.

I must add though that a couple of students I spoke to afterwards were more impressed, and saw his ducking of questions as diplomatic. Perhaps those of us who have followed the company’s activities for many years are harder to please.

Update: Charles Arthur has some more extensive quotes from the session in his report here.

Rethinking Developers Developers Developers

I’m waiting for Microsoft CEO Steve Ballmer to speak at the London School of Economics, which seems a good moment to reflect on his well-known war cry “Developers Developers Developers”.

Behind the phrase is a theory about how to make your platform succeed. The logic is something like this. Successful platforms have lots of applications, and applications are created by developers. If you make your platform appealing to developers, they will build applications which users will want to run, therefore your platform will win in the market.

Today though we have an interesting case study – Apple’s iPhone. The iPhone has lots of apps and is winning in the market, but not because Apple made it appealing to developers. In fact, Apple put down some roadblocks for developers. The official SDK has one programming language, Objective C, which is not particularly easy to use, and unlikely to be known other than by existing Apple platform developers. Apps can only be distributed through Apple’s store, and you have to pay a fee as well as submit to an uncertain approval process to get your apps out there. Some aspects of iPhone (and iPad) development have improved since its first launch. A clause in the developer agreement forbidding use of languages other than Objective C was introduced and then removed, and the criteria for approval have been clearly stated. Nevertheless, the platform was already successful. It is hard to argue that the iPhone has prospered thanks to Apple’s developer-friendly policies.

Rather, the iPhone succeeded because its design made it appealing to users and customers. Developers went there because Apple created a ready market for their applications. If Apple CEO Steve Jobs were prone to shouting words in triplicate, they might be “Design Design Design” or “Usability usability usability”. And as for developers, what they want is “Customers customers customers.”

Well, there are vicious and virtuous circles here. Clearly it pays, in general, to make it easy for developers to target your platform. Equally, it is not enough.

Microsoft’s own behaviour shows a shift in focus towards winning customers through usability, thanks no doubt to Apple’s influence and competition. Windows 7 and Windows Phone 7 demonstrate that. Windows Phone 7 is relatively developer-friendly, particularly for .NET developers, since applications are built on Silverlight, XNA and the .NET Framework. If it succeeds though, it will be more because of its appeal to users than to developers.

What do developers want? Customers customers customers.

Google’s web app vision: use our store

I’m at the Future of Web Applications conference in London, a crazy mixture of tips for web start-ups and general discussion about application development in a web context. The first session was from Google’s Michael Mahemoff who enthused about HTML5 and open web standards, while refusing to be pinned down on what HTML5 is, which standards are in and which may in the end be out.

Microsoft is here showing off IE9; but one of my reflections is that while the HTML5 support in IE9 is impressive in itself, there are going to be important parts of what, say, Google considers to be part of HTML5 that will not be in IE9, and given the pace of Microsoft’s browser development, probably will not turn up for some time. In other words, the pressure to switch to Chrome, Firefox or some other browser will likely continue.

I digress. Mahemoff identified four key features of web apps – by which he means something different than just an application on the web. These are:

  • Local storage – encompassing local storage API and also local SQL, though the latter is not yet well advanced
  • Application cache – Cache Manifest in HTML 5 that lets your app run offline
  • Local installation – interesting as this is something which is not yet widely used, but clearly part of Google’s vision for Chrome, and also in IE9 to some extent.
  • Payments

The last of these is interesting, and I sensed Mahemoff showing some discomfort as he steered his way between open web standards on the one hand, and Google-specific features on the other. He presented the forthcoming Chrome Web Store as the solution for taking payments for your web app, whether one-time or subscription.

I asked how this would work with regard to the payment provider – could you freely use PayPal, direct debits or other systems? He said that you could do if you wanted, but he anticipated that most users would use the system built into Chrome Web Store which I presume is Google Checkout. After all, he said, users will already be logged in, and this will offer the smoothest payment experience for them.

The side effect is that if Chrome Web Store takes off, Google gets to make a ton of money from being the web’s banker.

Outside in the exhibition area Vodafone is promoting its 360 app store, with payments going through the mobile operator, ie in this case Vodafone. Vodafone’s apps are for mobile not for web, but it is relevant because it is trying to draw users away from Google’s Android Marketplace and onto its own store. PayPal is here too, showing its developer API.

The app store and payment provider wars will be interesting to watch.

Outlook blues: the annoying blue bar when you reply to a message

I’ve written a long rant about how annoying Outlook is when you reply to a message. It’s the blue bar, you see. You delete the entire original message, but it still appears when you type. Or you type after the blue-barred quote, and your typing gets the blue bar too. Or you try to type within the original message – as recommended here – and your typing is hard to distinguish from that of the original.

The rant with some tips and workarounds is here.

ASP.NET Padding Oracle fix released, time to patch for Windows administrators

Scott Guthrie’s blog reports that a fix is now available for the Padding Oracle attack, which enables successful attackers to break the security of ASP.NET applications. There are a few points of interest.

First, there is not one patch but several, and which ones you need depend both on the version of Windows and the version of .NET. Multiple versions of .NET may be installed on a single server.

Second, the exploit is rated “important” in Microsoft security-speak, rather than “critical”. This is apparently because in itself the vulnerability merely discloses information. However, Microsoft is treating it with a high priority because the vulnerability is likely to reveal information that would let the attacker go on to more severe actions such as taking over a server. Confusing, but to my mind it is as critical as they come.

Third, Guthrie’s blog notes:

We’d like to thank Juliano Rizzo and Thai Duong, who discovered that their previous research worked against ASP.NET, for not releasing their POET tool publicly before our update was ready.

The implication is that the POET tool may be publicly available soon – so if you are responsible for an affected machine, get patching! In fact, in the webcast on the subject Microsoft stated that “The potential for exploit is very high during the next 30 days.”

Fourth, the update works by “additionally signing all data that is encrypted by ASP.NET.”

Update: Marc Brooks has investigated and it looks like there is a bit more to it than that.

Finally, the update will be included in Windows Update but not immediately. Your choice is whether to risk a hack in the period before the automatic update appears, or endure the hassle of the manual downloads. Microsoft advises doing it as soon as possible for servers on the public internet.

I am not sure what percentage of systems are likely to be patched soon, but I’d guess that plenty of vulnerable systems will remain online and that we have not heard the last of this bug.

Why is Microsoft giving away web traffic and abandoning users?

I am puzzled by Microsoft’s decision to close Live Spaces and send all its users to WordPress.com. Of course WordPress is a superior blogging platform; but Spaces made sense as an element within an integrated Live.com platform. According to Microsoft it has 7 million users and 30 million visitors; and if you accept that business on the web is all about traffic and monetizing traffic, then it strikes me as odd that Microsoft has no better idea of what to do with that traffic than to give it to someone else.

It makes me wonder what exactly Microsoft is trying to do with its Live.com web property. You can make a generous interpretation, as Peter Bright does, and say that the company is learning to focus and losing its “not invented here” religion. Or you can argue that it exposes the lack of a coherent strategy for Microsoft’s online services for consumers.

Part of the reason may be that blogging itself has changed. The original concept of an online diary or “web log” has fractured, with much of the trivia that might once have been blogged now being expressed on Facebook or Twitter. At the other end, blog engines like WordPress have evolved into capable content management systems. Many blogs are just convenient tools to author web sites.

Spaces is also a personal CMS. When combined with other features of Live.com, it provides a way of authoring your own web site, with photos, lists, documents, music and video, gadgets and other modules. You can apply themes, select layouts, and even add custom HTML. Everything integrates with the Windows Live identity system. The blog is just one element in this.

Now, although you can move your blog to WordPress.com, much of this is going away. Themes, gadgets, guestbook and lists are not transferred. If you were using Spaces for in effect a personal web site, you will have to start again on WordPress.

What this means is that WordPress, not Microsoft, now has the opportunity to show ads or market other services to these users.

Other services including SkyDrive, which is an excellent online storage platform, and Hotmail for email, are continuing as before. Still, the wider question is this. If Microsoft is happy to abandon 7 million users and all the customisation effort they have put into creating a personal online space, why should I trust it for email, or online storage?

Microsoft’s Dharmesh Mehta does his best to explain the decision here:

When we looked at Spaces, and what we had done with Spaces, and the more we thought about where do we want this to go, where do we think blogging evolves to, what’s important about that, you look at WordPress.com, and they’re building that. They’re doing a great job. And there really isn’t much value in us trying to compete with that.

This seems weak to me. Mehta is even less convincing when it comes to Live ID:

Windows Live ID is not really a means unto itself. There are times when it’s important for us to be able to associate an identity with someone. But there’s many things that we do where you don’t need a Windows Live ID — Photo Gallery, if you’re just using it on your PC, you don’t need a Windows Live ID at all. You can take our Mail app and connect it to Yahoo or Gmail or something like that. You don’t need a Windows Live ID. So I wouldn’t say that Windows Live ID is a goal, or something that we’re trying to drive in and of itself. It’s really more a means when we think it’s valuable for someone to have an account.

Now, I thought the Live ID was a single sign-on for Microsoft’s online services, and the basis of a network of friends and contacts. Perhaps Microsoft is now ceding that concept to Facebook or others? This does seem to be a move in that direction; and while it may be acceptance of something that was inevitable, it is a bad day for Microsoft’s efforts to matter online.

A tale of two stores, and a go with PlayStation Move

I had some free time following the NVIDIA GPU Technology conference and wandered up to the Valley Fair mall in San Jose. I took a quick look at the Apple store; there was really nothing for me to see in terms of new product, but it has a kind of "bees round a honeypot" appeal.

image

Next I went along to the Sony Style store, another strong brand you might think:

image

Clearly this is a social story as well as a technical story but it is significant.

The Sony store was actually more interesting to me since the PlayStation 3 Move was on display and I had not had an opportunity to try it before. A helpful assistant gave me a demo; we were going to play 2-player table tennis but there was a technical issue with one of the controllers so I ended up playing solo. In conjunction with the huge screen in the Sony store it was a very passable imitation of the real thing. Although it is well done it does not feel like a revolution in the way the Wii did when it first appeared – you may recall that the pre-release Wii was code-named "Revolution".

Adding Move to your PS3 setup is somewhat expensive – you will probably want two controllers as well as the Eye camera – and there are not yet many games which support it, but I reckon it will be a lot of fun. Playing Table Tennis one of the best aspects was the ability to rush forward for a forehand slam.

The Sony guy admitted to being curious about the Microsoft Xbox Kinect which is coming out in a couple of months, and does away with the controller completely. He said Microsoft is opening a store in San Francisco and plans to go up to take a look in due course.

A question: which of the above two pictures will the new Microsoft store most resemble?

Crisis for ASP.Net – how serious is the Padding Oracle attack?

Security vulnerabilities are reported constantly, but some have more impact than others. The one that came into prominence last weekend (though it had actually been revealed several months ago) strikes me as potentially high impact. Colourfully named the Padding Oracle attack, it was explained and demonstrated at the ekoparty security conference. In particular, the researchers showed how it can be used to compromise ASP.NET applications:

The most significant new discovery is an universal Padding Oracle affecting every ASP.NET web application. In short, you can decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the framework’s API! … The impact of the attack depends on the applications installed on the server, from information disclosure to total system compromise.

This is alarming simply because of the huge number of ASP.NET applications out there. It is not only a popular framework for custom applications, but is also used by Microsoft for its own applications. If you have a SharePoint site, for example, or use Outlook Web Access, then you are running an ASP.NET application.

The report was taken seriously by Microsoft, keeping VP Scott Guthrie and his team up all night, eventually coming up with a security advisory and a workaround posted to his blog. It does not make comfortable reading, confirming that pretty much every ASP.NET installation is vulnerable. A further post confirms that SharePoint sites are affected.

It does not help that the precise way the attack works is hard to understand. It is a cryptographic attack that lets the attacker decrypt data encrypted by the server. One of the consequences, thanks to what looks like another weakness in ASP.NET, is that the attacker can then download any file on the web server, including web.config, a file which may contain security-critical data such as database connection strings with passwords, or even the credentials of a user in Active Directory. The researchers demonstrate in a YouTube video how to crack a site running the DotNetNuke content management application, gaining full administrative rights to the application and eventually a login to the server itself.

Guthrie acknowledges that the problem can only be fixed by patching ASP.NET itself. Microsoft is working on this; in the meantime his suggested workaround is to configure ASP.NET to return the same error page regardless of what the underlying error really is. The reason for this is that the vulnerability involves inspecting the error returned by ASP.NET when you submit a corrupt cookie or viewstate data.
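The check this workaround implies, as an added example (not code from the original post or from Microsoft): a Python audit of a web.config for error handling that is not uniform. The three criteria used here (mode not Off, a defaultRedirect present, no per-status error entries) and both sample configs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace, if any, from a tag name."""
    return tag.rsplit("}", 1)[-1]


def _child(parent, name):
    """First direct child with the given local name, or None."""
    return next((c for c in parent if _local(c.tag) == name), None)


def audit_custom_errors(web_config_xml):
    """Return findings; an empty list means every error leads to one page."""
    root = ET.fromstring(web_config_xml)
    # The site-wide section plus every <location> override is a separate scope.
    scopes = [("site", root)]
    for el in root.iter():
        if _local(el.tag) == "location":
            scopes.append(("location '%s'" % el.get("path", ""), el))

    findings = []
    for name, scope in scopes:
        system_web = _child(scope, "system.web")
        ce = _child(system_web, "customErrors") if system_web is not None else None
        if ce is None:
            if name == "site":
                findings.append("site: no customErrors element, so no single error page is set")
            continue  # a <location> without its own element inherits the site setting
        # ASP.NET treats a missing mode attribute as RemoteOnly.
        if ce.get("mode", "RemoteOnly").lower() == "off":
            findings.append("%s: mode is Off, detailed errors reach clients" % name)
        if not ce.get("defaultRedirect"):
            findings.append("%s: no defaultRedirect, errors are not mapped to one page" % name)
        codes = [e.get("statusCode", "?") for e in ce if _local(e.tag) == "error"]
        if codes:
            findings.append("%s: per-status pages (%s) distinguish error types"
                            % (name, ", ".join(codes)))
    return findings


# Constructed sample: different pages per status, plus an override that
# switches custom errors off for one path.
WEAK = """
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly">
      <error statusCode="404" redirect="~/notfound.html" />
      <error statusCode="500" redirect="~/oops.html" />
    </customErrors>
  </system.web>
  <location path="admin">
    <system.web>
      <customErrors mode="Off" />
    </system.web>
  </location>
</configuration>
""".strip()

# Constructed sample: one static page for every error.
HARDENED = """
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</configuration>
""".strip()

if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_custom_errors(xml_text) or "uniform error handling")
```
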

The most conscientious ASP.NET administrators will have followed Guthrie’s recommendations, and will be hoping that they are sufficient; it is not completely clear to me whether they are. One of the things that makes me think “hmmm” is that a more sophisticated workaround, involving random time delays before an error is returned, is proposed for later versions of ASP.NET that support it. What does that suggest about the efficacy of the simpler workaround, which is a static error page?

The speed with which the ASP.NET team came up with the workaround is impressive; but it is a workaround and not a fix. It leaves me wondering what proportion of ASP.NET sites exposed to the public internet will have implemented the workaround or do so before attacks are widespread?

A characteristic of the attack is that the web server receives thousands of requests which trigger cryptographic errors. Rather than attempting to fix up ASP.NET and every instance of web.config on a server, a more robust approach might be to monitor the requests and block IP numbers that are triggering repeated errors of this kind.
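One way to do the monitoring suggested above, as an added example rather than code from the original post: a Python scan of IIS logs in W3C extended format that flags client IPs producing bursts of error responses. The threshold, window, choice of status codes and the constructed sample log are assumptions; which status a failed decryption produces depends on how error pages are configured.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_w3c(lines):
    """Yield one dict per request, using the column names from '#Fields:'."""
    fields = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row, or no header seen yet
        yield dict(zip(fields, values))


def flag_error_bursts(lines, threshold=50, window_seconds=60,
                      error_statuses=("500",)):
    """Map each client IP that reached `threshold` error responses inside a
    sliding window to its peak count. Rows must be in time order, which is
    how IIS writes them."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of errors still in window
    peak = {}
    for rec in parse_w3c(lines):
        if rec.get("sc-status") not in error_statuses:
            continue
        try:
            ts = datetime.strptime(rec["date"] + " " + rec["time"],
                                   "%Y-%m-%d %H:%M:%S")
            ip = rec["c-ip"]
        except (KeyError, ValueError):
            continue  # the log does not carry the fields this check needs
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def build_sample_log():
    """Constructed log: one noisy client, one occasional error, normal traffic.
    Addresses come from the documentation ranges."""
    base = datetime(2010, 9, 20, 10, 0, 0)
    rows = []
    for i in range(120):  # 120 errors in under a minute from one address
        rows.append((base + timedelta(seconds=i // 2), "203.0.113.7",
                     "/app/page.aspx", "500"))
    for i in range(3):    # a few unrelated errors
        rows.append((base + timedelta(seconds=20 * i), "198.51.100.20",
                     "/app/page.aspx", "500"))
    for i in range(30):   # successful requests
        rows.append((base + timedelta(seconds=2 * i), "192.0.2.44",
                     "/app/default.aspx", "200"))
    rows.sort(key=lambda r: r[0])
    lines = ["#Software: constructed sample",
             "#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    for ts, ip, uri, status in rows:
        lines.append("%s %s GET %s %s"
                     % (ts.strftime("%Y-%m-%d %H:%M:%S"), ip, uri, status))
    return lines


if __name__ == "__main__":
    for ip, count in flag_error_bursts(build_sample_log()).items():
        print("candidate for blocking: %s (%d errors within 60s)" % (ip, count))
```
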

More generally, what should you do if you run a security-critical web application and a flaw of this magnitude is reported? Applying recommended workarounds is one possibility, but frankly I wonder if they should simply be taken offline until more is known about how to protect against it.

One thing about which I have no idea is the extent to which hackers are already trying this attack against likely targets such as ecommerce and banking sites. Of course in principle virtually any site is an attractive target, because of the value of compromised web servers for serving spam and malware.

If you run Windows servers and have not yet investigated, I recommend that you follow the links, read the discussions on Scott Guthrie’s blog, and at least implement the suggested actions.