Flickr Downloadr 3

The day has come for the public availability of Flickr Downloadr 3. This is a photo download tool I first released back in 2007, later updated in 2009 to version 2, and now, after many iterations, the third release is available.

Back in 2010, I had a prototype built on WPF, but it was never released as an update. Next I started working on one built on HTML technologies, using Adobe Air as the delivery mechanism. Adobe Air embeds the Chrome-runtime. Later I decided on using the Chrome Web Store, as this will improve the delivery and cross-platform support.

After a lot of work, and constant refactoring and changes, the first public release is now available. You can install it in the Chrome Web Store and check out the product website.

If you continue to read, I’ll explain some of the work that went into the making of Flickr Downloadr 3.

How it was made

As mentioned, this app went through many rewrites and changes in technology. This was primarily so I could learn new technologies and gain experience and knowledge.

The UI itself has evolved, from a completely custom UI to one that is now built on the Material Design guidelines by Google.

Some time before the end of 2014, I decided to reduce the amount of functionality to speed up time to market. As a result, the new version lacks some features that existed in the previous version. I’m planning on adding these features moving forward, but to ensure high quality in the base functionality, I decided to remove all the unnecessary features and focus on simplicity and primary functionality.

One of the biggest changes from version 2 and the early WPF prototype is the need to secure the API keys with Flickr. It’s virtually impossible to protect secrets in an HTML-based application; it is hard in Windows Forms/WPF as well, but it’s harder in JavaScript.

The first iteration of the OAuth token service was built on ASP.NET SignalR using Web Sockets; eventually I turned to Node.js, Express and as a replacement. Luckily there were NPM packages available for some of the Flickr API calls, so the rewrite was not that hard. After a while, I replaced with regular HTTP REST calls, due to Web Socket limitations on Azure websites.

The service is hosted on Azure website and utilizes DocumentDB for storage, which is very easy to use in Node.js thanks to the NPM package.

Source Code

The app source code is freely available to anyone, to use and learn from. Hosted on GitHub:

Big thanks to all the developers who have built the open source components used by this app, and thanks to all existing users of my app. Please give feedback and help steer the development in the future!


Text Editor

Having a good text editor when you are writing source code is important. With almost two decades of experience writing code, I have had my share of time with different editors. In these times of modern web apps, we have different needs than before and there are a lot of new players in the game.

In this article I’m only mentioning a few of the many editors I’ve tried throughout the years and in the last few months. Here you can find a list of HTML editors on Wikipedia, and I suggest you look around to find what fits your own needs.

A little background

I have used Visual Studio as my primary text editor for many years, though my favorite web editor of all time must be HomeSite 3. It was fast, efficient and powerful. It was originally developed by Allaire Corporation, and acquired by Macromedia in 2001. Version 4 was, at the time of release, a bit bloated and slow for the computers of the day compared to 3, so I relied on version 3 for a long time. The last version of HomeSite was 5.5, released in 2003 by Macromedia.

Macromedia was an amazing company in many ways; some younger developers getting into our industry might never even know that name, as the company was acquired by Adobe in 2009. The same guy that made HomeSite (Nick Bradbury) started building TopStyle when he left Allaire in 1998. TopStyle has a lot of features from HomeSite, but it does belong to another age, with an outdated and complex UI.

Popular editors

While my primary editor is Visual Studio, as I’m doing a lot of work with Microsoft .NET, for my Node.js, web apps and other needs I try to work with different editors to see which one is optimal when the requirements for features such as debugging are lower. Visual Studio is a fully integrated development environment, so it makes sense to have a separate text editor that is faster and more lightweight.

A lot of people use Notepad++ and Sublime Text. I do think those are some of the most widely used editors around. I do love Sublime Text, it’s fast and powerful. Yet there is a new breed of editors that are built on a completely different foundation than previous editors. Those are the editors of the future, as they are built on the same technology that you build with when using them.

Modern editors

The new breed of editors is built on the Chrome/Chromium engine and some embed Node.js as well. That means they are built on the same foundation as the Google Chrome web browser.

That means you get the same great developer tools to analyze and debug the editor itself. Additionally, the editor is extensible with web technologies, as opposed to the proprietary technologies that are used in some of the older editors available.

The first Chrome-based editor I started using actively was the Atom text editor. It is developed by GitHub, which was a big reason for me to start using it. I have used it for many months already and followed its development. It’s a great editor, and I have written a couple of extensions for it.

The biggest issue I have with the Atom text editor is the fact that it’s built around CoffeeScript and not JavaScript. While it’s fairly easy to learn CoffeeScript, it does raise the barrier to entry for customization and extensions.

So I started looking elsewhere, and I found the Brackets text editor, which is developed by Adobe and which reached its first 1.0 release yesterday.

It is very similar to Atom in many regards, including its extensions. Some of the must-have extensions for both Atom and Brackets are: Git support (built into Atom), File Icons (makes the different files more clearly distinguishable), Stylus (I recently moved to Stylus as my primary CSS pre-processor).

Building extensions to Brackets is very simple. All you need to do is open the extensions folder, available in the Help menu. Inside the “user” folder, you can create a folder for your extension. Within your extension folder, create a “main.js” and you are “done”!

Run Chrome App

My extension for Atom and Brackets is one that enables a run command for your Chrome Apps. This is something that is built into the Chrome Dev Editor by Google, so I wanted to replicate this to make it fast and easy to run a Chrome App while editing. If you want to quickly test your Chrome App on an Android phone, I suggest checking out that editor. It relies on the app “Chrome App Developer Tool” that you install on your Android device, and I plan on adding support for this in Brackets using cca.

My new favorite text editor is now Brackets, while it used to be Atom. I suggest you try both!

What is your favorite text editor? Why do you use it and what makes it good? Leave a comment below!


Threshold To The Cloud

Microsoft is working on the new major release of Windows, which will be released some time in 2015 and be named Windows 10. It’s available now in a technology preview. It’s not advisable for regular users to upgrade at this time. This time around, Microsoft will have a single OS that spans across all screens and devices: Phones, Tablets, Laptops, Desktops and big screen TVs (Xbox One).

We are now about to enter what I call the threshold to the cloud.

Full Circle

The following is based upon my own personal experience and memories of my time in the software industry. Memories can play tricks on us, so please remember that I might not be entirely correct (I did verify the release dates and some other details).

We have now come full circle when it comes to software development. I did some (in my own view) impressive intranet solutions back in 1999-2001, utilizing HTML features such as hidden iframes and DHTML to make rich web applications. These ran only on Internet Explorer version 5, 5.5 and later 6, which was released in 2001, at which time it had won the browser war and become the most widely used browser. From IE4 there was a very rapid release cycle and lots of “innovations” in terms of features extending the HTML specification. Some of those innovations stuck around, others disappeared.

With the growing popularity of Java (released 1996) as a development platform for client and server, and with Microsoft being forced to discontinue their own Java VM, Microsoft had to come up with an alternative platform to avoid losing too many developers from their Windows platform, and so .NET was born in early 2002 (beta version in 2001).

After IE6, they had won the browser war and had +90% market share. That’s when Microsoft abandoned their browser, which effectively has held the World Wide Web back in development for a whole decade. Yes, the effect was a major step backwards for the software development world. The standards work came to a halt; HTML 4.01 was finalized in 1999. It’s now 2014 and HTML5 is in a proposed recommendation state.

Wired wrote about Bill Gates and his strategy letter The Internet Tidal Wave for Microsoft back in 1995:

“Gates proceeded to outline a strategy for Microsoft to not only enter the internet, but to dominate it.” – Wired

Their strategy after -95 was in some ways a great success, with a complete defeat of web browser competitors. It did have negative effects on the company, which has been found guilty in anti-trust cases in Europe. Before -95, they failed to see the importance of the Internet.

– Microsoft failed to understand the Internet in 1995.
– Microsoft failed to understand the Web in 2001.
– Will Microsoft get it right the third time? I do think they will!

It took 5 years, until 2006, for Microsoft to release Internet Explorer 7. Mozilla had major issues with bloated software, so Firefox was born. It was a long struggle to gain back market share. And eventually Google launched Chrome.

As this graphic shows, it took a whole decade for innovation to start growing in the browser space again.


Race of the giants

From the release of .NET, there was a race between Sun with their Java and Microsoft with their .NET. This gave us technologies such as Windows Forms, Windows Presentation Foundation and, more recently, Silverlight. The race was for the desktop client and the servers. Microsoft won the desktop easily, yet struggled more on the servers. ASP.NET Web Forms was a technology to ease client developers onto the web. It somewhat accomplished that, but also added a lot of bad stuff to the web. At the same time, the open source communities had rapid innovation with projects such as Ruby on Rails. Microsoft responded with ASP.NET MVC, released in 2007. Yes, it took Microsoft almost as long to upgrade their web browser as it took them to truly understand the web development platform.

After the first version of ASP.NET MVC, Microsoft changed. They changed to a cycle of rapid releases and lots of great innovations. Their recent efforts with turning major parts of ASP.NET into the open source space will help a lot. What’s happening with the next version of Visual Studio and the ASP.NET platform is amazing and empowering to developers.

Apps come to town

Apple has had unprecedented success with their App Store. The number of apps developed and the millions that app developers have received are amazing. It changed our lives and it still does. Apps for everything in our lives. Here is a video that illustrates how everything on our desk has now become digital.

The traditional way of searching, finding, downloading and installing software is tiresome and prone to many errors. I have had to fix many computers that have ended up with a lot of malware. Having dedicated app stores for any platform ensures that the games and apps are tested and verified. With Windows 8, Microsoft added their own digital store into the OS.

At the same time as Windows 8 was announced, it was clear that their software development strategy was about to change. The future was web technologies.

I believe that the strategy behind Windows 8 was good and correct, but the execution failed. The biggest issue was the separation of desktop and touch. The apps were all full screen, even a utility such as the calculator. The market responded negatively; something had to change.

Web Apps

This section is titled Web Apps; with this I try to encapsulate the whole world of HTML-based apps. Microsoft calls them Universal Apps, Google calls them Chrome Apps, Mozilla calls them Open Web Apps. One thing is for sure: there will continue to be changes in this space. All 3 of these platforms have gone through naming revisions already, see my blog post Packaged Web Apps.

I’m betting that Web Apps will stick, it’s short and concise. I love it, Web Apps!

And I do realize that the term “Web application” is already widely used for different things, with different meaning to many individuals. I’m still betting on it to win.

Google have had web apps for a while now, enabling developers to build software using web technologies (HTML5) that runs on Windows OS, Mac OS, Chrome OS and Linux OS. That’s right, the old pipe dream of Java, write once run everywhere, was realized with web technologies.

On the threshold

Now we are on the threshold to the cloud: desktop apps, or rather web apps, will now link our computer desktops directly to the cloud. The lines between what is local and what is remote will blur even more than they already have. Apps will update automatically, in the same way websites have for years.

I believe we are living in interesting times, as we did more than a decade ago in 2001. The DotCom crash hurt our industry a lot, and one can only speculate if that might be part of the reasons why Microsoft suspended their Internet Explorer efforts. I don’t know the historic details of that tale, other than what has been publicly made available throughout the years.

I have for years pushed web technologies, HTML5, as the future of software development. Now is the time to get serious, go develop web apps.

Universal Apps for Windows devices

Multi-Device Hybrid Apps

Apache Cordova

Chrome Apps

For the final proof that we are at the threshold, have a look at my screenshot that shows two versions of the same app running, one Universal App and one Chrome App. Enjoy!



One Store to rule them all?

One final thought: Is there room for two app stores on Windows? Will developers be on both platforms?

We have to remember that, even though Windows is the most important platform in regards to market share, developing Universal Apps for Windows devices means that your apps will only run on those devices. I don’t think many developers would want to leave OS X, iOS, Android, Linux and a whole range of other platforms behind.

I believe that web technologies are the answer to this question; they enable developers to make software that can more easily be deployed using different mechanisms and platforms. The code reuse across Windows Store Apps and Chrome Apps can be immense, if you plan for it and develop with cross-platform in mind.

Here is another example, Amazon Kindle Reader: one is a Windows App, the other is a Chrome App. Take care and be safe!




Code Like A Girl


It’s a well established fact that our industry (software development) has a majority of male programmers. I think it’s important that we all promote the software engineering field towards girls, ensuring the future will have a higher percentage of girls who write code.

Today, the majority of software is developed by 20+ year old boys who develop software used by approx. 50% female users, often at twice the age of the developers. It’s one of the root causes of a lot of user frustration.

Writing Beautiful Code

Software developers care too little about beauty and elegance. We often stretch ourselves towards writing good unit tests and following established object-oriented best practices. But we rarely think about how to make our architecture, design and code look beautiful. It’s not exactly in our nature, so to speak.

As you can read in the excellent post on the same topic on the Creating Passionate Users blog:

“Because caring about things like beauty makes us better programmers and engineers. We make better things. Things that aren’t just functional, but easy to read, elegantly maintainable, easier–and more joyful–to use, and sometimes flat-out sexy. “

We should never forget that we rarely look at our own code more than once or twice, but eventually the code we write will be read by many others. It’s important to always recognize this fact and position ourselves in the minds of our fellow programmers.

Simplicity and Beauty

One of my mantras whenever I communicate with people through presentations and in my daily job is to focus on simplicity. Making things simple is important, as a means to reduce complexity and improve communication.

Though it’s important not to forget about beauty; making things beautiful is just as hard as making things simple.

If you achieve simplicity and beauty you will be successful.

So from now on, try more to Code Like A Girl!

(This post is not meant to be sexist in any way, it’s a natural fact that females have a genetic advantage on beauty, one which we can learn from.)

Get your Code Like A Girl stuff from


Trying to understand Microsoft.Data.dll

Here is my analysis of the recently “released” (embedded) Microsoft.Data.dll assembly, the namespace and the types it includes. It’s been the topic of a lot of heated debate recently, with viewpoints I’m unable to relate to and understand just from reading, so I needed to understand.

The debate is stemming from a blog post by David Fowler and his example that shows how some data-related tasks have a simpler syntax with Microsoft.Data and the ASP.NET WebPages with Razor Syntax.

What is inside the Microsoft.Data namespace?

There is very little code inside the namespace and the assembly. It’s simply some helper types that make life a little bit easier. It’s not a new data access framework, like Linq to SQL or Entity Framework.

It contains the following classes: ConfigurationManagerWrapper, ConfigurationConfiguration, Database, DbProviderFactoryWrapper, DynamicRecord, IConfigurationManager, IDbFileHandler, IDbProviderFactory, SqlCeDBFileHandler and SqlServerDbFileHandler. Of these, only Database and DynamicRecord are publicly available; the others are internal.

All data access inside the Microsoft.Data types uses the common ADO.NET types, not the providers specific to any SQL platform. This means it’s not restricted to SQL Compact Edition nor SQL Server. It relies on DbConnection, DbTransaction, DataTable, etc.

Microsoft.Data on ASP.NET Web Forms

While Microsoft.Data.dll is currently not accessible in the Add References dialog, you can find it by looking on your computer, it’s located in the Global Assembly Cache (GAC). Microsoft probably don’t want us to use it outside of WebMatrix in the current release… but if you just take a copy of the assembly out of the GAC, then you can reference the assembly in any .NET project and it will load it from the GAC (you just need the file so you can add a reference).

In my project I added a database to my App_Data folder (which you normally would never do, unless you are working with a local read-only cache in a large-distributed system or working with SQL Compact Edition) and added the following code to my web form, to make it render the Name column of my Users table.

	var db = Database.OpenFile("Database1.mdf");
	var users = db.Query("SELECT Id, Name FROM Users");
	foreach (var user in users)
		Response.Write(Server.HtmlEncode(user.Name) + "<br />"); // render the Name column, HTML-encoded

Take notice of the OpenFile parameter, it’s simply the filename on disk. I don’t have to care about any specific details of the connection string, nor how to figure out where the App_Data folder is.

Obviously though, if you added an entity framework (EF) model of your database, you would have very similar example to achieve the same and you don’t have to care about the connection string, at least not in theory.

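	using (var db = new Database1Entities())
	{
		var users = db.Users;
		foreach (var user in users)
			Response.Write(Server.HtmlEncode(user.Name) + "<br />"); // render the Name column, HTML-encoded
	}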

There are two big distinctions between these examples. The first is that the first one is dynamic: I can modify the database schema whenever I want and it won’t (necessarily) break my web app, while the latter example with EF will need to refresh the entity types based on the database model.

The other distinction is that the first example doesn’t require a connection string, while the latter generates one for you automatically, a rather cryptic-looking one.

<add name="Database1Entities" connectionString="metadata=
provider connection string=&quot;
Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Database1.mdf;
Integrated Security=True;
User Instance=True;
MultipleActiveResultSets=True&quot;" providerName="System.Data.EntityClient" />


While all of this is peanuts for me and anyone who’s been developing on .NET for a while, I think that making things simple where possible is positive, rather than negative. It doesn’t mean we will stop using NHibernate or doing proper n-tier and layered architectures just because Microsoft makes some tasks simpler for beginners. It also means some of us probably will eventually have to maintain and possibly migrate solutions built on Microsoft WebMatrix, but does that give us any right to restrict beginners the privilege of building their own solutions and feeling the immense joy of realizing their dreams?

Others’ feedback and comments

Ayende Rahien comments on his blog on the example, where he mentions the use of Response.Write within the loop. Understandably, this is probably not the best way to do this, but it’s understandable with the sample in question, which was already using Response.Write. There are slightly better examples available out there. He also points out that having the SQL queries directly in the view code is an open invitation for SQL injection. Using proper parameterized queries will reduce this potential security problem. It looks like David updated the sample to use parameters after the initial reactions. After the security push at Microsoft some years back, they really cleaned up their practices with examples in the MSDN documentation; I think we should expect the same level of security thinking on employee blogs as well.
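
The parameterized form mentioned above, as an added example that is not part of the original post, David's sample or Microsoft.Data itself: it uses the provider-neutral ADO.NET types that Microsoft.Data relies on. The UserQueries class, the @name parameter, and the SQL Server Express provider and connection string in Main are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;

public static class UserQueries // hypothetical helper, not part of Microsoft.Data
{
    // Returns the Name column for users whose Name equals the untrusted input.
    public static List<string> FindUserNames(DbConnection connection, string untrustedName)
    {
        // Vulnerable pattern, shown only for contrast: the input becomes SQL text,
        // so a quote character in it changes the structure of the statement.
        //   command.CommandText =
        //       "SELECT Id, Name FROM Users WHERE Name = '" + untrustedName + "'";

        var names = new List<string>();
        using (DbCommand command = connection.CreateCommand())
        {
            // The SQL text is a constant; the value travels separately as a parameter.
            command.CommandText = "SELECT Id, Name FROM Users WHERE Name = @name";

            DbParameter parameter = command.CreateParameter();
            parameter.ParameterName = "@name";
            parameter.Value = (object)untrustedName ?? DBNull.Value;
            command.Parameters.Add(parameter);

            using (DbDataReader reader = command.ExecuteReader())
            {
                int nameColumn = reader.GetOrdinal("Name");
                while (reader.Read())
                {
                    // Skip rows where Name is NULL instead of throwing.
                    if (!reader.IsDBNull(nameColumn))
                    {
                        names.Add(reader.GetString(nameColumn));
                    }
                }
            }
        }
        return names;
    }

    public static void Main()
    {
        // Assumption: SQL Server Express and the Database1.mdf file from the example above.
        DbProviderFactory factory = DbProviderFactories.GetFactory("System.Data.SqlClient");
        using (DbConnection connection = factory.CreateConnection())
        {
            connection.ConnectionString =
                @"Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Database1.mdf;" +
                "Integrated Security=True;User Instance=True";
            connection.Open();

            // Constructed input containing a quote: bound as a parameter, it is
            // compared as a literal name and cannot alter the statement.
            foreach (string name in FindUserNames(connection, "O'Brien"))
            {
                Console.WriteLine(name);
            }
        }
    }
}
```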

Ayende quotes David, who made the assumption that Microsoft.Data is tied to SQL Server in some way, which my investigations have shown is not correct.

David tried to respond to some of the feedback on embedding SQL directly in the view, with hacking around to get the new dynamic keyword to work properly with LINQ. To me, this defeats the whole purpose of simplicity with Microsoft WebMatrix, Razor and Microsoft.Data.

KristoferA comments on the post and suggests generating a Linq to SQL datacontext using a page-level directive, which would essentially give the developer entity objects to work with (and query against). This again defeats the purpose of simplicity, and now you can no longer change the database schema without “recompiling” your web app.

The namespace naming is another sore point for some, and I can agree that there is little point in “abusing” the Microsoft.Data namespace for such a trivial little helper, perhaps Microsoft.WebMatrix.Data or Microsoft.Data.Connection?

Who is this for?

Microsoft WebMatrix (and ASP.NET WebPages) is not a tool built for “professional” programmers, nor is it a fully generic framework for building everything. It’s a domain specific language that is optimized for building simple web applications without too many resources.

It is not meant for enterprise applications that handle millions of transactions. Will it be used for that? Yes, it probably will! We’ve seen plenty of classic examples of websites that start with simple web frameworks and find themselves in big trouble when their services become popular. Services like Twitter and Facebook were not built to scale to their current levels, yet they started as simple concepts and services and have grown to become important services which affect global policies and real-life social interactions.

It's Not Rocket Science, But It's Our Work:

And obviously, it’s for those of us who still miss the old days with ASP Classic, here is a pretty good (and funny) read, 8 Reasons to Stick with ASP 3.0 in 2006 (and 2007).

Final thoughts

It’s very clear that Microsoft WebMatrix (and related technologies) is primarily focused towards beginners and it’s a great tool to build simple websites. I wouldn’t advise anyone to use this if you already know ASP.NET MVC and want to build complex web solutions; ASP.NET Web Forms, MVC or other more general purpose frameworks would probably be a better fit.

Additionally I think it’s important to remember that WebMatrix is primarily focused on SQL Compact Edition for data access; the built-in editor doesn’t allow you to modify SQL Server databases. So the question (and response to some of the comments) is how many layers do you want to wrap your data access logic for a SQLCE database?

It’s been a while since Microsoft did a push towards simplifying development for beginners. When we went from VB6 to VB.NET, everything became more complex, and the entry level for VB.NET is on par with C#. With the release of .NET Framework 4, the complexity and total amount of features is mind-blowing. I for sure welcome tools, languages and frameworks that simplify how we develop software.

Simplicity is hard and it's something we should strive towards in all that we do.


Complexity that rules us all

Complexity is the number one cause [1] of failures on IT projects. It’s probably the number one reason for any type of project failure. Failed projects and bad software make our customers and users unhappy.

What is the reason we initiate IT projects? It’s all about reducing complex problems to meaningful tasks that can be completed by humans.

Law of Software

Let’s focus on software development and what value software has for the users. Building software is what I and thousands of others are doing every single day, and we’re not exactly becoming better at what we’re doing; we’re actually only able to successfully complete approx. 30% [2] of the projects that are initiated.

According to David S. Platt’s 3 Laws of Software, the software we build has zero value in and of itself. It doesn’t matter how technically good your code is; the only individuals who care are you and your own mother.

Platt’s 3 Laws of Software [3] say the following:

1. Your software has zero value in and of itself. Only value it ever has is how it enhances the happiness of the user.

2. Software can increase users’ happiness in one of two ways. It can help a user accomplish a task that she wants done or it can give the user pleasure. Example: Outlook helps you read and write emails, HALO on the Xbox gives you pleasure and fun.

3. The users should not think about your computer program. At all. Ever.

(Click the link above to read the full law, I’ve just included the highlights)

What is writing software?

Writing software is the undertaking of understanding any arbitrary complex problem and writing software instructions to solve those complex problems.

The goal of writing software should be to reduce complex problems to simple tasks. Simple tasks that humans can initiate, often without requiring much need for thinking. The less the user is required to think, the happier and more productive they will be.

Thinking simple

When we have a complex problem we want to solve, what do we tend to use as mechanisms to solve it? It’s obviously not thinking in simple terms; this is pretty obvious when you look at the software we’re building.

As our understanding of a complex problem increases (as we work out the details of a software design), we can’t seem to come up with simple solutions, and we often take this route of thinking: Complex problems require complex solutions.

This is wrong, and it’s the root cause of so many software project failures.

We need to start thinking simple. We need to figure out how we can reduce the complex details of a design, until we have a design and architecture that is as simple as possible and still delivers the value for our users.

Our goal should be: Least complex architecture possible [4].

There are many reasons why something ends up being complex; one important factor is the amount of functionality we put into our software. According to Robert L. Glass [5] in his book Facts and Fallacies of Software Engineering, the fact is as follows: a 25% increase in functionality increases complexity by 100%.

Next time you are faced with a complex problem that someone wants to be solved using software, start by thinking about the users and how you can increase their happiness. Then start reducing the initial complex solution of the complex problem, into the most simple solution you can which still achieves the goal: Making your users happy!



[2]: The CHAOS report by The Standish Group (






MSDN Live: Solution Architecture Slides

Here are the slides from my talk on Solution Architecture at MSDN Live in the spring of 2010. The slide deck alone isn’t enough to appreciate the presentation, so I have included all the notes that were written for the presentation. This means you can read through the presentation and the points I made when delivering it in Stavanger, Bergen, Trondheim and Oslo. Download the full presentation or watch below.

For more background on the presentation, also read my blog post that I wrote during the preparations. The final result is very different than I initially planned and I didn’t deliver what was promised in the agenda. I still hope the presentation gave enough value to those who attended and I hope it inspired to enable change and sparked a move towards simpler solutions with reduced complexity.



New job: Principal Architect for Microsoft in Redmond

April Fool: It was fun participating in this year’s April Fools’ day, I hope nobody got hurt ;-). Thanks for all the congratulations and responses on Twitter and Messenger, and special thanks to Clemens Vasters for helping me out! Please enjoy the Geek and Poke cartoon at the bottom.


I’m thrilled to announce I’m starting in a new job at Microsoft Corporation, in Redmond! I’ll be working together with my good friend Clemens Vasters on the Windows Azure AppFabric team.

I will be working on a brand new technology for Windows Azure AppFabric that is meant to seamlessly interconnect and bridge between IIOP, RMI, CORBA, COM+, XMPP RPC, XML RPC, ‘Facebook-style REST Service’ and Web Services.

Clemens is the Principal Technical Lead for Service Bus and I will additionally be working together with Justin Smith who’s a Senior Program Manager for Access Control.

Some of you might remember back when I met Steve Ballmer here in Oslo during MSDN Live last year? Since then I have been in talks with Microsoft in Redmond and the result is what I’ve announced today. Here is the photo from last year (I’m number two from the left-back):

Do you want to work for Microsoft?

Then make sure you attend MSDN Live (Norway) this April for some kick-ass presentations and learn more about Visual Studio 2010, SharePoint 2010, Windows Azure, Team Foundation Server 2010, Windows Identity Foundation, Silverlight 4 and more! With these skills you’ll be better fit to deliver successful projects and deliver the business value that your customers expect!

Signup now:

With your improved skill set, check out available careers at Microsoft:

My existing (“old”) company, Steria, is a great place to work, they are still looking for more skilled Microsoft consultants:


There have been very long discussions with Microsoft over the last year. I’m very tired but also happy. It’s time for me to relax and enjoy the Easter!



MSDN Live: Solution Architecture

At the next MSDN Live tour in Norway (in April), I’m doing a talk about Solution Architect and SharePoint 2010 for Developers.

I would like to air some ideas I have for the Solution Architecture talk and hopefully get some feedback, perhaps some tips and hints that can improve my talk.

What’s in a name?

There is no way I’m going to even start to try defining the name architecture or the architect role. It is something different to every single individual, in the same way as I’m never going to define what a developer truly is.

Though we can talk about distinctions between what it means to be a developer and what the role of an architect in comparison could potentially be.

Architecture is primarily about the bigger view of things and the spider web of interactions between humans and systems in an organization and across organizations. There are many forms of architects, from functional architects, enterprise architects, software architects and what I’m going to talk about: solution architects and architecture.

Architect? You make diagrams, right?

Well sure, architects often use tools to draw their ideas and conclusions, even if it’s just pen and paper. Source code is the primary language of a developer and diagrams are the primary language of an architect. I’m not going to say more about diagrams, other than that they are a good tool for communicating intents, ideas, thoughts and meaning. Architecture is not about diagrams, it’s about everything else.

The Solution Architect Role

When I talk about the solution architect role, think about the role from a technical perspective, not a functional one. Here is a diagram that tries to illustrate some of the interactions that the architect has with other roles in a project.


Depending on the scale and form of a project, the architect is often involved early in the process – and hopefully part of the project until the final delivery date. Unfortunately, the identity of the architect has taken on some negative weight. Some people see the architect as someone distant from the project, someone who makes decisions that developers feel the pain from. This can be true for some projects, and that is a bad position to be in, both for the developers and for the project’s chances of success.

It’s important that the solution architect is closely involved with the project all the way. Initially they work with the client to gather all the requirements; depending on the type of architect and his or her responsibilities, these might be both functional and non-functional requirements. This early work is often done with project leaders and members on the client side. Upper management often has a stake in the project too, and unfortunately sometimes makes technical decisions before involving others, often after reading a report by Gartner… So the architect and developers often have to work with pre-existing decisions. Most of the time, this works out fine though.

The green person in the illustration is the client’s network and system administrator, who often has requirements and demands regarding security and deployment. If you’re lucky enough to be on a project with a designer, the typical black-suit guy using a Mac, they often have insane demands on the interface. I say this with a sense of humor, as usability experts and designers are very important individuals for the success of a project.

Then you have all the others, which are different individuals from inside and outside the organization. Computer security experts might be utilized to do reviews of the architecture and eventually the complete solution.

Users of the final solution are very important; it’s for them we do what we do. If we can’t satisfy them, then there is little point in going forward with a solution.

After a project has been planned, contracts have been agreed upon and signed, the project starts with the project team. Depending on the size, the project team could include advisers, project leaders, developers and others.


The architect often interacts with all of these roles in a project, and the architect’s focus and responsibility is often the quality of the overall delivery. Architects are not the individuals who manage the project and its resources, which is a whole different and challenging arena that, luckily, as a solution architect you normally avoid directly. Still, it’s a constant battle to ensure the developers get the time, knowledge and tools they need to ensure the quality of a delivery, which is not compatible with the goal of a project leader who first and foremost wants to deliver on time.

Topics for the talk

These are some of my other potential topics on the agenda for my talk. There is so much to talk about on the subject of solution architecture, though I have only an hour and I’m interested in finding the topics that give the most value for my audience.

Topics: Security, Infrastructure, Products or Custom, Cloud Computing, Frameworks, Scalability, Tools, Why you should care about architecture, Become a solution architect.

What do you want to hear about?

Come to MSDN Live!

If you haven’t signed up for MSDN Live yet, it’s about time! The tour starts with Stavanger the 16th of April and ends 26th of April in Oslo.

I work as a senior solutions architect at Steria, which is one of the partners for MSDN Live. Check out our stand at MSDN Live!


I know your passwords

Computer security is one of the hardest things in computer science and engineering. It’s easy to make software today, anyone can do it. Though, not everyone knows how to develop security into their software. Every week I come across insecure solutions and it frightens me, it gives me the willies.

I was looking for a provocative title for this post as I want people to read it. I hope it worked, and please keep on reading.

Today I only want to touch upon one issue: passwords. This is an area that affects every one of us and is pretty easy to explain. If you’re a software developer and you read this, make sure you don’t make the same mistakes. If you’re a consumer, make sure you tell your service provider that they need to change their practices. This is a major industry issue, please raise your voice. If you have little time, please skip forward to the “Learn by Example” section.

Stubbornness or Cluelessness?

Whenever I come across a web site that has a potential security issue, I contact the offenders and try to explain the problems I’m seeing.

A lot of the time, I’m only met with ignorant support personnel who don’t understand what I’m saying.

That’s OK, I’m a pretty technical guy and I don’t expect everyone to understand this, there’s no reason for it. But when they for some reason argue with my request to forward my message to someone technical and responsible for security, I’m baffled.

Many don’t seem to take their customers’ privacy seriously, and they are reluctant to react to issues.

Next time you come across a web site that has problems like those I’m about to elaborate on, I hope you take the time to let them know you won’t use their service until they improve their systems. What does all of this have to do with Tom Cruise in the photo? I found him when I searched for a tech support photo and he looks just like a tech-support guy :-)

Username and Password

In the beginning of the computer industry, we rarely cared much for the security on our local machines. We shared the same user accounts and we mainly used different usernames to individualize the computer. We were disconnected and the way we distributed software was with diskettes and later on using CD-ROMs.

The information we stored on our computers was often school and work related, it didn’t contain much personal details or communication. No matter what you put on the computer’s hard drive, it required someone to physically steal it to peek at your data.

Then came the local network, where we hooked up computers in offices and with our friends for a LAN party. Information was spread freely on the networks, sharing games, videos, music. Just as we previously burnt CDs and recorded tapes with music and videos on VHS, we could now share our stuff much quicker and more cheaply than ever before.

Enter the Internet.

Suddenly our local insecure computers are connected to the online digital world. A myriad of software and services was created, in a global mess of information that makes it impossible for anyone to really know who or what you can trust. And everyone wants your username and password; it’s their way of distinguishing You from Me.

We’ve all heard the lesson that you should make sure your password is a hard one to guess, yet many of us have a hard time coming up with any sensible password that we’ll remember easily. It’s also important not to reuse the same password everywhere. As you will understand if you read on…

Please Enter…

Please enter your username and password, and we’ll open the door for you and let you into our fine establishment. That’s how it starts. If you’re not already registered on the web site, you’re required to fill out an often extensive form that tries to capture some personal details from you. Part of this process is filling out your username of choice, password and email address.

This is where the problems start…

Let’s start with Google’s GMail as our first example. Creating a new account involves filling out the first name, last name, desired login name and password. Additionally, Google wants you to pick a “Security Question”. What’s the purpose of this, you might wonder? Does this make you more secure? No, it doesn’t.


There are only four default security questions proposed by Google, and they have a help page that explains what type of question and information you should avoid: things like your mother’s maiden name and other information that is easily discoverable about yourself. You can write your own question, but my advice is to completely forget about the security question; it’s way too easy to put in something that someone can guess or figure out.

Then we have a field called secondary email. This is a very nice solution to be able to restore access to a new email account, it’s better than the security question.

If we look at how we humans work, you’ll quickly see that most of the time we will fill out all fields in a registration form, even though we probably don’t need to.

So the issue with this Secondary email field is the following: People without existing email addresses might fill out something in this field, just because they intuitively think it’s required information.

Important: Always make sure you enter the correct email address.

Let me give you a very scary example of what might happen if you enter the wrong email address when registering a new Gmail account (please excuse the screenshot being in Norwegian).


As the above screenshot is in Norwegian, I will just quickly explain it.

It’s a confirmation email you receive from Google with a confirmation code that is used if you have any problems with your account in the future, for example if you lose the password. I have received several of these emails. With this information, I can take over someone else’s email account and read all their communications.


You should be and this is only the beginning… I receive invoices, usernames, passwords, photos, personal messages and what not…


Phone subscription invoices…


Lego account activation… what if your kid filled out personal details, like their full names, address, birth date and other details? That information will be accessible by the person who receives this email.


Online Game registrations that send passwords in clear text…


Property descriptions… that probably were supposed to go to someone, somewhere…


I could be a Gladiator… I loved the movie, I already hate the online game… and you can see why I hate it.


Love to watch photos… especially the dull and boring family photos from last Christmas.


Guess he won’t see that flat after all…

I’ve received invitations to board meetings, mobile MMS messages sent by mail, photos, responses to job applications, all kinds of crazy stuff. Let me give an example where I actually, for the purpose of this article, clicked the activation link just to see what kind of information I could stumble upon.

Learn by Example

Disclaimer advisor: I would never try to hack or steal anything from anyone. My intention in this example is only to show how vulnerable you can be when a service provider doesn’t care about the safety of your personal information. This is the first and only so-called activation link I’ve clicked that did not belong to me. When I went through with this example, I was scared by how easy it was, and it was only one of potentially many examples I could do. I had to censor the names, details and URLs to protect the innocent.

1. You register on a website by filling out your personal details: potentially information like full name, home address, phone number and finally your password, which you have probably used before on another website as well.

2. This is where things get problematic: I own the email address that the user supplied. If I were an evil system administrator, I could potentially steal this email as it hits the servers. There are many ways I could potentially get hold of the specific email or the user’s email account. Never presume that your emails are secure.

3. Someone receives your confirmation email about your account. Sometimes this email contains the original password in clear text. Sometimes it requires you to activate the account to “prove” that you are the owner of the email account.


4. After clicking the activation link, I come to the website. Some services actually automatically log you in at this step. This service did not, so I had to use the “recover my password” functionality.


5. I then receive an email with a password. Some services will NEVER expose your original password, and no service ever should. When you forget your password, a service should return you an auto-generated password. The service in question returned me the original password that another person had used.


6. Log in to the website and check out the user’s profile to see if there is any interesting information. What I got from this service was full name, birth date and phone number, and at the end there is an empty field for bank account number.


7. I was surprised to see there is a password and confirm password text field on the user profile page. It made me think that possibly the website renders its users’ passwords in the HTML source. And surely they did.


8. I now have this individual’s full personal details. Since I have the person’s phone number, I can validate that everything is correct, and it is. There are so many ways one can utilize this type of information. The person had an income of approx. $53,000 in 2007, thanks to the public Norwegian tax lists. I know what interests he has and what he looks like, from his Facebook profile photo.

9. I’m not going to take this any further, what I potentially could do is to login to the individual’s Facebook account, as he is probably using the same password there…

Example Conclusions

The scary part of this whole example is that this was done using an online auction website, which probably has a lot of traffic and users. There are so many security mistakes in this example that I can hardly believe it. They handle VISA and MasterCard transactions, and they don’t use HTTPS/SSL for anything. They have probably outsourced the VISA/MasterCard transactions, I hope.

Can you consider what would happen if their database was stolen, with all this information available for all their customers?

Clear Text Passwords

This is the most common mistake made by developers, and it amazes me that there are services out there that still rely on storing your password in clear text. Let me illustrate how this works.

1. User enters a web service and registers with the credentials.

2. Credentials are sent over the Internet, often over a secure HTTPS (SSL) connection. Never fill out important information on an HTTP connection.

3. Credentials are stored in the database.

4. The user comes back to the website to authenticate, password is again sent to the web service and it’s validated against the value that is stored in the database.

When you have trouble remembering your password, those services that store your password as clear text often allow you to retrieve it, insecurely, by email. But just because you can’t retrieve the password by email doesn’t mean it’s stored securely; it can still be clear text in the database somewhere.

Secure Password Communication

With the above example in mind, I want to quickly give you an example of how the web service should handle your passwords securely.

1. User enters a web service and registers with the credentials.

2. All data is sent over a secure HTTPS connection.

3. The web service generates a non-reversible hash based upon your password and any type of hidden secret (algorithmic salt).

4. The hash of your password, which is not reversible except with an awfully powerful computer and a lot of time, is then stored in a database.

5. The user comes back to the website to authenticate. The password is again sent to the web service, but this time the service generates the hash all over again, retrieves the existing hash from the database, and compares those two values. If they are the same, you are authenticated.

There is absolutely no reason why a service provider should need to store your password in clear text. If they have a reason, it better be a very good one.
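The five steps above, together with the password-recovery point from step 5 of “Learn by Example”, as an added Python example (not code from the original post or from any service it mentions). It assumes PBKDF2-HMAC-SHA256 with a fresh random salt per user as the non-reversible hash; the `USERS` table, the function names and the parameters are constructed for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16        # assumed salt size; a fresh random salt per user

# Constructed stand-in for the service's user table: username -> record.
USERS = {}


def _derive(password, salt, iterations):
    """Slow, salted, one-way derivation of the stored value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(username, password):
    """Steps 3-4: derive a salted hash and store only salt, cost and hash."""
    salt = secrets.token_bytes(SALT_BYTES)
    USERS[username] = {
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": _derive(password, salt, ITERATIONS),
    }


def authenticate(username, password):
    """Step 5: recompute the hash from the submitted password and compare."""
    record = USERS.get(username)
    if record is None:
        # Do the same work for unknown users so timing does not reveal them.
        _derive(password, b"\x00" * SALT_BYTES, ITERATIONS)
        return False
    candidate = _derive(password, record["salt"], record["iterations"])
    # Constant-time comparison of the two hash values.
    return hmac.compare_digest(candidate, record["hash"])


def reset_password(username):
    """Forgotten password: the original is not stored, so issue a generated one."""
    if username not in USERS:
        raise KeyError(username)
    new_password = secrets.token_urlsafe(16)
    register(username, new_password)
    return new_password


if __name__ == "__main__":
    # Constructed sample accounts: two users who picked the same password.
    register("alice", "same-password-constructed")
    register("bob", "same-password-constructed")
    print("correct password:", authenticate("alice", "same-password-constructed"))
    print("wrong password:  ", authenticate("alice", "a wrong guess"))
    print("same password, different hashes:",
          USERS["alice"]["hash"] != USERS["bob"]["hash"])
    temporary = reset_password("alice")
    print("old password after reset:", authenticate("alice", "same-password-constructed"))
    print("generated password:      ", authenticate("alice", temporary))
```

Because each record has its own salt, two users with the same password end up with different stored hashes, and a stolen table gives no shortcut from one account to another.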

Simple Passwords

A lot of web services demand that you enter a fixed password length, sometimes between 4 and 12 characters, and American Express has limited your password to 6-8 characters. Characters and numbers are required; I’m not sure if they allow non-ASCII characters. You don’t need to be a mathematician to understand that a brute force attack on American Express is easy, considering the requirements for user passwords.



You’ve been Hacked!

How do you know that your service has not been hacked or leaked customer details? Every month there are news stories about information that has been lost and systems taken down by hackers. I promise you that we’re just seeing the tip of the iceberg in this regard. Do you really think that hackers will tell anyone that they’ve gained access to your information?

Spotify was recently hacked and they published a letter to all their subscribers. Luckily for us users, they follow best practices and did not store your passwords as clear text, only as a cryptographic hash. This ensured a minimal consequence of Spotify being hacked. There are today more than a million users on Spotify; consider the consequences if they didn’t do security properly.

If you uncover a service that has a potential to leak any personal information, please inform those in charge and make sure they change their practices. I do it all the time, and it does make a difference.

That’s it and make sure you follow some best practices regarding your passwords.


Copyright disclaimer: “Passwords are like pants” photo by Richard Parmiter and licensed under Creative Commons. Photo of “Tom Cruise” by banky177 and licensed under Creative Commons.