TOP

Threshold To The Cloud

Microsoft is working on the next major release of Windows, which will be released some time in 2015 and be named Windows 10. It's available now as a technical preview, and it's not advisable for regular users to upgrade at this time. This time around, Microsoft will have a single OS that spans all screens and devices: phones, tablets, laptops, desktops and big-screen TVs (Xbox One).

We are now about to enter what I call the threshold to the cloud.

Full Circle

The following is based on my own personal experience and memories of my time in the software industry. Memories can play tricks on us, so please bear in mind that I might not be entirely correct (I did verify the release dates and some other details).

We have now come full circle when it comes to software development. I built some (in my own view) impressive intranet solutions back in 1999-2001, using HTML features such as hidden iframes and DHTML to make rich web applications. These ran only on Internet Explorer versions 5, 5.5 and later 6, which was released in 2001, by which time it had won the browser war and become the most widely used browser. From IE4 onwards there was a very rapid release cycle and lots of "innovations" in the form of features extending the HTML specification. Some of those innovations stuck around, others disappeared.

With the growing popularity of Java (released 1996) as a development platform for client and server, and with Microsoft forced to discontinue their own Java VM, Microsoft had to come up with an alternative platform to avoid losing too many developers from the Windows platform. That is how .NET was born in early 2002 (beta in 2001).

With IE6 they had won the browser war and held more than 90% market share. That's when Microsoft abandoned their browser, which effectively held back the development of the World Wide Web for a whole decade. Yes, the effect was a major step backwards for the software development world. Standards work came to a halt: HTML 4.01 was finalized in 1999, it's now 2014 and HTML5 is only at the proposed recommendation stage.

Wired wrote about Bill Gates and his 1995 strategy memo to Microsoft, The Internet Tidal Wave:

“Gates proceeded to outline a strategy for Microsoft to not only enter the internet, but to dominate it.” – Wired

Their strategy after '95 was in some respects a great success, with a complete defeat of the competing web browsers. It did have negative effects on the company, which was found to have broken antitrust law in Europe. Before '95, they had failed to see the importance of the Internet.

– Microsoft failed to understand the Internet in 1995.
– Microsoft failed to understand the Web in 2001.
– Will Microsoft get it right the third time? I do think they will!

It took five years, until 2006, for Microsoft to release Internet Explorer 7. The Mozilla suite had major issues with bloat, so Firefox was born, and it was a long struggle for it to win back market share. Eventually Google launched Chrome (2008).

As this graph shows, it took a whole decade for innovation in the browser space to start growing again.

[Chart: Usage share of web browsers (source: StatCounter)]

Race of the giants

From the release of .NET, there was a race between Sun with their Java and Microsoft with their .NET. This gave us technologies such as Windows Forms, Windows Presentation Foundation and, more recently, Silverlight. The race was for the desktop client and the servers. Microsoft won the desktop easily, yet struggled more on the servers. ASP.NET Web Forms was a technology meant to ease client developers onto the web. It somewhat accomplished that, but it also added a lot of bad stuff to the web. At the same time, the open source communities were innovating rapidly with projects such as Ruby on Rails. Microsoft responded with ASP.NET MVC, first previewed in 2007 (version 1.0 shipped in 2009). Yes, it took Microsoft almost as long to truly understand the web development platform as it took them to upgrade their web browser.

After the first version of ASP.NET MVC, Microsoft changed. They moved to a cycle of rapid releases with lots of great innovations. Their recent efforts to move major parts of ASP.NET into open source will help a lot. What's happening with the next version of Visual Studio and the ASP.NET platform is amazing and empowering for developers.

Apps comes to town

Apple has had unprecedented success with their App Store. The number of apps developed and the millions that app developers have earned are amazing. It changed our lives and still does: apps for everything in our lives. Here is a video that illustrates how everything on our desk has now become digital.

The traditional way of searching, finding, downloading and installing software is tiresome and prone to many errors. I have had to fix many computers that ended up full of malware. Having a dedicated app store for a platform means the games and apps are reviewed and signed before distribution, which lowers the risk considerably, although store review is not a guarantee and malicious apps do occasionally get through. With Windows 8, Microsoft added their own digital store to the OS.

When Windows 8 was announced, it was clear that their software development strategy was about to change. The future was web technologies.

I believe that the strategy behind Windows 8 was good and correct, but the execution failed. The biggest issue was the separation of desktop and touch. The apps were all full screen, even a utility such as the calculator. The market responded negatively; something had to change.

Web Apps

The title of this section is Web Apps, and with it I try to encapsulate the whole world of HTML-based apps. Microsoft calls them Universal Apps, Google calls them Chrome Apps, Mozilla calls them Open Web Apps. One thing is for sure: there will continue to be changes in this space. All three platforms have already gone through revisions of naming, see my blog post Packaged Web Apps.

I'm betting that Web Apps will stick; it's short and concise. I love it, Web Apps!

I do realize that the term "web application" is already widely used for different things, with different meanings to many individuals. I'm still betting on it to win.

Google has had web apps for a while now, enabling developers to build software using web technologies (HTML5) that runs on Windows, Mac OS, Chrome OS and Linux. That's right, the old pipe dream of Java, write once run anywhere, was realized with web technologies.

On the threshold

Now that we are on the threshold to the cloud, desktop apps, or rather web apps, will link our computer desktops directly to the cloud. The lines between what is local and what is remote will blur even more than they already have. Apps will update automatically, in the same way websites have for years, which also makes the update channel something to trust and protect, since whoever controls it controls the code that runs on the desktop.

I believe we are living in interesting times, as we did more than a decade ago in 2001. The dot-com crash hurt our industry a lot, and one can only speculate whether that was part of the reason Microsoft suspended their Internet Explorer efforts. I don't know the historical details of that tale, other than what has been made public over the years.

I have for years pushed web technologies, HTML5, as the future of software development. Now is the time to get serious: go develop web apps.

Universal Apps for Windows devices

Multi-Device Hybrid Apps

Apache Cordova

Chrome Apps

As the final proof that we are at the threshold, have a look at my screenshot showing two versions of the same app running, one Universal App and one Chrome App. Enjoy!

[Screenshot: 500px running as a Universal App and as a Chrome App]


One Store to rule them all?

One final thought: is there room for two app stores on Windows? Will developers be on both platforms?

We have to remember that, even though Windows is the most important platform in terms of market share, developing Universal Apps for Windows devices means that your apps will only run on those devices. I don't think many developers would want to leave OS X, iOS, Android, Linux and a whole range of other platforms behind.

I believe that web technologies are the answer to this question: they enable developers to make software that can more easily be deployed through different mechanisms and on different platforms. The code reuse across Windows Store Apps and Chrome Apps can be immense, if you plan for it and develop with cross-platform in mind.

Here is another example with the Amazon Kindle reader: one is a Windows app, the other is a Chrome App. Take care and be safe!

[Screenshot: Amazon Kindle reader running as a Windows app and as a Chrome App]



Code Like A Girl


It's a well-established fact that our industry (software development) has a majority of male programmers. I think it's important that we all promote the software engineering field to girls, ensuring that the future will have a higher percentage of girls who write code.

Today, the majority of software is developed by men in their twenties, for a user base that is roughly 50% female and often twice the developers' age. It's one of the root causes of a lot of user frustration.

Writing Beautiful Code

Software developers care too little about beauty and elegance. We often stretch ourselves to write good unit tests and follow established object-oriented best practices, but we rarely think about how to make our architecture, design and code look beautiful. It's not exactly in our nature, so to speak.

As you can read in the excellent post on the same topic on the Creating Passionate Users blog:

"Because caring about things like beauty makes us better programmers and engineers. We make better things. Things that aren't just functional, but easy to read, elegantly maintainable, easier–and more joyful–to use, and sometimes flat-out sexy."

We should never forget that we rarely look at our own code more than once or twice, but eventually the code we write will be read by many others. It's important to always recognize this fact and put ourselves in the minds of our fellow programmers.

Simplicity and Beauty

One of my mantras, whenever I communicate with people through presentations and in my daily job, is to focus on simplicity. Making things simple is important, as a means to reduce complexity and improve communication.

It's also important not to forget about beauty, and making things beautiful is just as hard as making things simple.

If you achieve simplicity and beauty you will be successful.

So from now on, try more to Code Like A Girl!

(This post is not meant to be sexist in any way; it's a natural fact that females have a genetic advantage in beauty, one which we can learn from.)

Get your Code Like A Girl stuff from http://www.zazzle.com/code+like+a+girl+gifts.


Trying to understand Microsoft.Data.dll

Here is my analysis of the recently "released" (embedded) Microsoft.Data.dll assembly, the namespace and the types it includes. It's been the topic of a lot of heated debate recently, with viewpoints I was unable to relate to or understand just from reading, so I needed to dig in myself.

The debate stems from a blog post by David Fowler and his example showing how some data-related tasks get a simpler syntax with Microsoft.Data and ASP.NET Web Pages with Razor syntax.

What is inside the Microsoft.Data namespace?

There is very little code inside the namespace and the assembly. It's simply a few helper types that make life a little bit easier. It's not a new data access framework like LINQ to SQL or Entity Framework.

It contains the following classes: ConfigurationManagerWrapper, ConfigurationConfiguration, Database, DbProviderFactoryWrapper, DynamicRecord, IConfigurationManager, IDbFileHandler, IDbProviderFactory, SqlCeDBFileHandler and SqlServerDbFileHandler. Of these, only Database and DynamicRecord are publicly available; the others are internal.

All data access inside the Microsoft.Data types goes through the provider-neutral ADO.NET base types (System.Data.Common), not the provider-specific classes for any particular SQL platform. This means it is restricted to neither SQL Server Compact Edition nor SQL Server: it relies on DbConnection, DbTransaction, DataTable, etc.
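As an added example, not code from the original post or from Microsoft.Data, here is the kind of reflection check that backs the two claims above. It loads an assembly from a file, lists each type with its visibility, and reports which ADO.NET namespaces appear in the type's member signatures, so you can see at a glance whether a data helper is written against the provider-neutral System.Data.Common base classes or against a specific provider such as System.Data.SqlClient or System.Data.SqlServerCe. The file path is an assumption (point it at the copy of the assembly you took out of the GAC); nothing about the contents of Microsoft.Data.dll is assumed.

```csharp
// Added example, not from the original post. Loads an assembly from a path
// (assumed: a local copy of Microsoft.Data.dll) and reports, per type, its
// visibility and whether its member signatures reference provider-neutral
// ADO.NET types (System.Data, System.Data.Common) or provider-specific ones
// (System.Data.SqlClient, System.Data.SqlServerCe, OleDb, Odbc).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

public static class AssemblyInspector
{
    static readonly string[] ProviderNeutral = { "System.Data", "System.Data.Common" };
    static readonly string[] ProviderSpecific =
        { "System.Data.SqlClient", "System.Data.SqlServerCe", "System.Data.OleDb", "System.Data.Odbc" };

    public static void Inspect(string path)
    {
        // LoadFrom only maps the file; no code in it runs until a type is instantiated,
        // so reflection on a local copy is safe even for an unfamiliar binary.
        var asm = Assembly.LoadFrom(path);

        Type[] types;
        try
        {
            types = asm.GetTypes();
        }
        catch (ReflectionTypeLoadException ex)
        {
            // Some types may fail to load if a dependency is missing; inspect the rest.
            types = ex.Types.Where(t => t != null).ToArray();
        }

        const BindingFlags all = BindingFlags.Public | BindingFlags.NonPublic |
                                 BindingFlags.Instance | BindingFlags.Static |
                                 BindingFlags.DeclaredOnly;

        foreach (var t in types.OrderBy(x => x.FullName))
        {
            var namespaces = t.GetMembers(all)
                .SelectMany(SignatureTypes)
                .Select(x => x.Namespace ?? "")
                .Distinct()
                .ToList();

            var neutral = namespaces.Where(n => ProviderNeutral.Contains(n));
            var specific = namespaces.Where(n => ProviderSpecific.Contains(n));

            Console.WriteLine("{0,-45} {1,-8} neutral: [{2}] provider-specific: [{3}]",
                t.FullName,
                t.IsPublic || t.IsNestedPublic ? "public" : "internal",
                string.Join(", ", neutral),
                string.Join(", ", specific));
        }
    }

    // Every type that appears in a member's signature: field and property types,
    // plus parameter and return types of methods and constructors.
    static IEnumerable<Type> SignatureTypes(MemberInfo m)
    {
        var field = m as FieldInfo;
        if (field != null) return new[] { field.FieldType };

        var prop = m as PropertyInfo;
        if (prop != null) return new[] { prop.PropertyType };

        var method = m as MethodBase; // covers both MethodInfo and ConstructorInfo
        if (method != null)
        {
            var result = method.GetParameters().Select(p => p.ParameterType).ToList();
            var mi = method as MethodInfo;
            if (mi != null) result.Add(mi.ReturnType);
            return result;
        }

        return Enumerable.Empty<Type>();
    }

    public static void Main(string[] args)
    {
        // The path is an assumption; pass your own copy of the assembly as the first argument.
        Inspect(args.Length > 0 ? args[0] : @"C:\temp\Microsoft.Data.dll");
    }
}
```

A type whose "provider-specific" list is empty while its "neutral" list contains System.Data.Common is coded against the abstract ADO.NET surface, which is exactly what the post found for the Database class. The same check is useful in a dependency review of any third-party data helper before you let it near a production connection string.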

Microsoft.Data on ASP.NET Web Forms

While Microsoft.Data.dll is currently not listed in the Add Reference dialog, you can find it on your computer: it's located in the Global Assembly Cache (GAC). Microsoft probably doesn't want us to use it outside of WebMatrix in the current release, but if you take a copy of the assembly out of the GAC, you can reference it in any .NET project and the runtime will still load it from the GAC (you only need the file so you can add the reference).

In my project I added a database to my App_Data folder (which you normally would never do, unless you are working with a local read-only cache in a large distributed system or with SQL Server Compact Edition) and added the following code to my web form to render the Name column of my Users table.

	// OpenFile takes only the file name; the App_Data location and the
	// connection string are resolved for you.
	var db = Database.OpenFile("Database1.mdf");
	var users = db.Query("SELECT Id, Name FROM Users");
	foreach (var user in users)
	{
		// Response.Write emits the value unencoded; wrap it in Server.HtmlEncode
		// before writing anything user-controlled into a page.
		Response.Write(user["Name"]);
	}

Notice the OpenFile parameter: it's simply the file name on disk. I don't have to care about any details of the connection string, nor about where the App_Data folder is.

Of course, if you added an Entity Framework (EF) model of your database, you would have a very similar example that achieves the same thing, and you wouldn't have to care about the connection string either, at least not in theory.

	// Database1Entities is the ObjectContext generated from the EF model;
	// it reads its connection string from web.config (shown below).
	using (var db = new Database1Entities())
	{
		var users = db.Users;
		foreach (var user in users)
		{
			Response.Write(user.Name);
		}
	}

The first big distinction between these examples is that the first one is dynamic: I can modify the database schema whenever I want and it won't (necessarily) break my web app, while the EF example needs its entity types refreshed from the database model.

The other distinction is that the first example doesn't require a connection string, while the latter generates one for you automatically, a rather cryptic-looking one.

<add name="Database1Entities" connectionString="metadata=
res://*/Model1.csdl|
res://*/Model1.ssdl|
res://*/Model1.msl;
provider=System.Data.SqlClient;
provider connection string=&quot;
Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Database1.mdf;
Integrated Security=True;
User Instance=True;
MultipleActiveResultSets=True&quot;" providerName="System.Data.EntityClient" />


While all of this is peanuts for me and anyone who has been developing on .NET for a while, I think that making things simple where possible is positive, not negative. It doesn't mean we will stop using NHibernate or stop doing proper n-tier and layered architectures just because Microsoft makes some tasks simpler for beginners. It also means some of us will probably eventually have to maintain and possibly migrate solutions built on Microsoft WebMatrix, but does that give us any right to deny beginners the privilege of building their own solutions and feeling the immense joy of realizing their dreams?

Other’s feedback and comments

Ayende Rahien comments on the example on his blog, where he mentions the use of Response.Write inside the loop. Understandably this is probably not the best way to do it, but it's understandable given the sample in question, which was already using Response.Write. There are slightly better examples available out there. He also points out that putting SQL queries directly in the view code is an open invitation to SQL injection. To be precise, the location is a layering smell; the injection itself comes from building the query text out of user input, and proper parameterized queries close that hole wherever the query lives, because the SQL text stays constant and the user-supplied value travels as data that the database never parses as SQL. It looks like David updated the sample to use parameters after the initial reactions. After the security push at Microsoft some years back, they really cleaned up their practices for examples in the MSDN documentation, and I think we should expect the same level of security thinking on employee blogs as well.
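To make the point concrete, here is an added example that is not from David Fowler's post nor from Microsoft.Data: the vulnerable, concatenated query next to a parameterized one. The safe version is written against System.Data.Common, the provider-neutral ADO.NET layer the post says Microsoft.Data builds on, so it works unchanged for SQL Server, SQL Server Compact or any other provider that uses "@name" placeholders. With a name of `' OR 1=1 --` the concatenated WHERE clause becomes `Name = '' OR 1=1 --'` and matches every row; the parameterized command sends exactly the same hostile string as a value and matches nothing. The shape of the equivalent Microsoft.Data call (`db.Query("... WHERE Name = @0", name)`) is given as an assumption about that API in a comment.

```csharp
// Added example, not from the original post or from Microsoft.Data.
// Shows the SQL injection that Ayende points out and the parameterized
// form that removes it, written against the provider-neutral ADO.NET
// base classes in System.Data.Common.
using System;
using System.Data;
using System.Data.Common;

public static class UserLookup
{
    // VULNERABLE: the user-supplied value becomes part of the SQL text.
    // With name = "' OR 1=1 --" the WHERE clause is true for every row, and
    // with a login that has DDL rights "'; DROP TABLE Users --" is a valid batch.
    public static string BuildUnsafeQuery(string name)
    {
        return "SELECT Id, Name FROM Users WHERE Name = '" + name + "'";
    }

    // SAFE: the SQL text is a constant and the value is shipped as a typed
    // parameter, so it is never parsed as SQL whatever quotes or comment
    // markers it contains. "@name" is the SQL Server / SQL Server CE placeholder
    // style; some other providers use ':' or '?' instead.
    public static DbCommand BuildSafeCommand(DbConnection conn, string name)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT Id, Name FROM Users WHERE Name = @name";

        var p = cmd.CreateParameter();
        p.ParameterName = "@name";
        p.DbType = DbType.String;
        p.Value = name;
        cmd.Parameters.Add(p);
        return cmd;
    }

    // The same idea in Microsoft.Data's own helper would look like
    //     db.Query("SELECT Id, Name FROM Users WHERE Name = @0", name)
    // (assumed "@0"-style positional parameters; see the product docs).

    // Reads the matching names; 'write' is the output sink (Response.Write in
    // the post). The value is handed over as-is, so HTML-encode it before
    // writing it into a page, or you trade SQL injection for cross-site scripting.
    public static void WriteMatches(DbConnection conn, string name, Action<string> write)
    {
        using (var cmd = BuildSafeCommand(conn, name))
        using (var reader = cmd.ExecuteReader())
        {
            int nameOrdinal = reader.GetOrdinal("Name");
            while (reader.Read())
                write(reader.GetString(nameOrdinal));
        }
    }

    public static void Main()
    {
        // Constructed hostile input, so the difference is visible without a database.
        const string hostile = "' OR 1=1 --";
        Console.WriteLine("Unsafe text: " + BuildUnsafeQuery(hostile));
        Console.WriteLine("Safe text:   SELECT Id, Name FROM Users WHERE Name = @name");
        Console.WriteLine("Safe value:  " + hostile);
    }
}
```

Parameterization is the fix; escaping quotes by hand is not, because every provider has its own escaping rules and one missed case is enough. The same rule applies to `dynamic` and LINQ workarounds discussed below: however the query is built, user input must reach the database as a parameter value, never as query text.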

Ayende quotes David, who assumed that Microsoft.Data is tied to SQL Server in some way; my investigation has shown that it is not.

David tried to respond to some of the feedback about embedding SQL directly in the view by hacking around to get the new dynamic keyword to work properly with LINQ. To me, this defeats the whole purpose of the simplicity of Microsoft WebMatrix, Razor and Microsoft.Data.

KristoferA comments on the post and suggests generating a LINQ to SQL DataContext using a page-level directive, which would essentially give the developer entity objects to work with (and query against). This again defeats the purpose of simplicity, and now you can no longer change the database schema without "recompiling" your web app.

The namespace naming is another sore point for some, and I agree that there is little point in "abusing" the Microsoft.Data namespace for such a trivial little helper; perhaps Microsoft.WebMatrix.Data or Microsoft.Data.Connection?

Who is this for?

Microsoft WebMatrix (and ASP.NET Web Pages) is not a tool built for "professional" programmers, and it is not a fully generic framework for building everything. It's a domain-specific toolset optimized for building simple web applications without too many resources.

It is not meant for enterprise applications that handle millions of transactions. Will it be used for that? Yes, it probably will! We've seen plenty of classic examples of websites that start out on simple web frameworks and find themselves in big trouble when their services become popular. Services like Twitter and Facebook were not built to scale to their current levels, yet they started as simple concepts and have grown into important services that affect global policy and real-life social interaction.

It's Not Rocket Science, But It's Our Work: http://blog.twitter.com/2008/05/its-not-rocket-science-but-its-our-work.html

And obviously, it's for those of us who still miss the old days of Classic ASP; here is a pretty good (and funny) read: 8 Reasons to Stick with ASP 3.0 in 2006 (and 2007).

Final thoughts

It's very clear that Microsoft WebMatrix (and related technologies) is primarily aimed at beginners, and it's a great tool for building simple websites. I wouldn't advise anyone who already knows ASP.NET MVC and wants to build complex web solutions to use it; ASP.NET Web Forms, MVC or other more general-purpose frameworks would probably be a better fit.

Additionally, I think it's important to remember that WebMatrix is primarily focused on SQL Server Compact Edition for data access; the built-in editor doesn't let you modify a SQL Server database. So the question (and my response to some of the comments) is: how many layers do you want to wrap around your data access logic for a SQL CE database?

It's been a while since Microsoft made a push towards simplifying development for beginners. When we went from VB6 to VB.NET, everything became more complex, and the entry level for VB.NET is on par with C#. With the release of .NET Framework 4, the complexity and total number of features is mind-blowing. I for one welcome tools, languages and frameworks that simplify how we develop software.

Simplicity is hard and it's something we should strive towards in all that we do.


Complexity that rules us all

Complexity is the number one cause [1] of failures in IT projects. It's probably the number one reason for any type of project failure. Failed projects and bad software make our customers and users unhappy.

Why do we initiate IT projects at all? It's all about reducing complex problems to meaningful tasks that can be completed by humans.

Law of Software

Let's focus on software development and the value software has for its users. Building software is what I and thousands of others do every single day, and we're not exactly getting better at it: we successfully complete only approximately 30% [2] of the projects that are initiated.

According to David S. Platt's 3 Laws of Software, the software we build has zero value in and of itself. It doesn't matter how technically good your code is; the only people who care are you and your own mother.

Platt's 3 Laws of Software [3] say the following:

1. Your software has zero value in and of itself. The only value it ever has is how it enhances the happiness of the user.

2. Software can increase users’ happiness in one of two ways. It can help a user accomplish a task that she wants done or it can give the user pleasure. Example: Outlook helps you read and write emails, HALO on the Xbox gives you pleasure and fun.

3. The users should not think about your computer program. At all. Ever.

(Click the link above to read the full law, I’ve just included the highlights)

What is writing software?

Writing software is the undertaking of understanding an arbitrarily complex problem and writing instructions that solve it.

The goal of writing software should be to reduce complex problems to simple tasks. Simple tasks that humans can initiate, often without requiring much need for thinking. The less the user is required to think, the happier and more productive they will be.

Thinking simple

When we have a complex problem we want to solve, what mechanisms do we tend to use to solve it? Obviously not thinking in simple terms; that is pretty clear when you look at the software we're building.

As our understanding of a complex problem increases (as we work out the details of a software design), we can't seem to come up with simple solutions. We often take this route of thinking: complex problems require complex solutions.

This is wrong, and it’s the root cause of so many software project failures.

We need to start thinking simple. We need to figure out how we can reduce the complex details of a design until we have a design and architecture that is as simple as possible and still delivers the value our users need.

Our goal should be: Least complex architecture possible [4].

There are many reasons why something ends up being complex; one important factor is the amount of functionality we put into our software. According to Robert L. Glass [5] in his book Facts and Fallacies of Software Engineering, the fact is as follows: a 25% increase in functionality increases complexity by 100%.

Next time you are faced with a complex problem that someone wants solved with software, start by thinking about the users and how you can increase their happiness. Then start reducing the initial complex solution to the complex problem into the simplest solution you can find that still achieves the goal: making your users happy!

References

[1]: http://www.objectwatch.com/white_papers.htm#ITComplexity

[2]: The CHAOS report by The Standish Group (http://www.standishgroup.com/)

[3]: http://msdn.microsoft.com/en-us/magazine/ff646970.aspx

[4]: http://sondreb.com/blog/post/MSDN-Live-Solution-Architecture-Slides.aspx

[5]: http://www.robertlglass.com/

[Photo]: http://www.flickr.com/photos/kodomut/


MSDN Live: Solution Architecture Slides

Here are the slides from my talk on Solution Architecture at MSDN Live in the spring of 2010. The slide deck alone isn't enough to appreciate the presentation, so I have included all the notes that were written for it. This means you can read through the presentation and the points I made when delivering it in Stavanger, Bergen, Trondheim and Oslo. Download the full presentation or watch below.

For more background on the presentation, also read the blog post I wrote during the preparations. The final result is very different from what I initially planned, and I didn't deliver what was promised in the agenda. I still hope the presentation gave enough value to those who attended, and I hope it inspired change and sparked a move towards simpler solutions with reduced complexity.

Enjoy!


New job: Principal Architect for Microsoft in Redmond

April Fool: It was fun participating in this year's April Fools' Day; I hope nobody got hurt ;-). Thanks for all the congratulations and responses on Twitter and Messenger, and special thanks to Clemens Vasters for helping me out! Please enjoy the Geek and Poke cartoon at the bottom.

—-

I'm thrilled to announce that I'm starting a new job at Microsoft Corporation, in Redmond! I'll be working together with my good friend Clemens Vasters on the Windows Azure AppFabric team.

Will be working on a brand new technology for Windows Azure AppFabric that is meant to seamlessly interconnect and bridge between IIOP, RMI, CORBA, COM+, XMPP RPC, XML RPC, ‘Facebook-style REST Service’ and Web Services.

Clemens is the Principal Technical Lead for Service Bus and I will additionally be working together with Justin Smith who’s a Senior Program Manager for Access Control.

Some of you might remember when I met Steve Ballmer here in Oslo during MSDN Live last year? Since then I have been in talks with Microsoft in Redmond, and the result is what I've announced today. Here is the photo from last year (I'm second from the left in the back row):

Do you want to work for Microsoft?

Then make sure you attend MSDN Live (Norway) this April for some kick-ass presentations and learn more about Visual Studio 2010, SharePoint 2010, Windows Azure, Team Foundation Server 2010, Windows Identity Foundation, Silverlight 4 and more! With these skills you'll be better equipped to deliver successful projects and the business value your customers expect!

Signup now:

http://www.microsoft.com/norge/msdn_technet_live/default.aspx

With your improved skill set, check out available careers at Microsoft: https://careers.microsoft.com/

My existing (“old”) company, Steria, is a great place to work, they are still looking for more skilled Microsoft consultants: http://steria-no.easycruit.com/index.html.


There have been very long discussions with Microsoft over the last year; I'm very tired but also happy. It's time for me to relax and enjoy Easter!

—-


MSDN Live: Solution Architecture

At the next MSDN Live tour in Norway (in April), I'm giving a talk on Solution Architecture and one on SharePoint 2010 for Developers.

I would like to air some ideas I have for the Solution Architecture talk and hopefully get some feedback, perhaps some tips and hints that can improve my talk.

What’s in a name?

There is no way I’m going to even start to try defining the name architecture or the architect role. It is something different to every single individual, in the same way as I’m never going to define what a developer truly is.

We can, however, talk about the distinctions between what it means to be a developer and what the role of an architect could be in comparison.

Architecture is primarily about the bigger view of things and the spider web of interactions between humans and systems in an organization and across organizations. There are many forms of architects, from functional architects, enterprise architects, software architects and what I’m going to talk about: solution architects and architecture.

Architect? You make diagrams, right?

Well sure, architects often use tools to draw their ideas and conclusions, even if it's just pen and paper. Source code is the primary language of a developer and diagrams are the primary language of an architect. Beyond that, I'm not going to talk about diagrams, other than to say that they are a good tool for communicating intent, ideas, thoughts and meaning. Architecture is not about diagrams; it's about everything else.

The Solution Architect Role

When I talk about the solution architect role, think about the role from a technical perspective, not a functional one. Here is a diagram that tries to illustrate some of the interactions that the architect has with other roles in a project.

[Diagram: The Solution Architect Role]

Depending on the scale and form of a project, the architect is often involved early in the process, and hopefully stays part of the project until the final delivery date. Unfortunately the architect role has acquired some negative connotations. Some people see the architect as someone distant from the project, someone who makes decisions that developers then feel the pain of. This can be true on some projects, and it is a bad position to be in, both for the developers and for the project's chance of success.

It's important that the solution architect is closely involved with the project all the way. Initially they work with the client to gather the requirements; depending on the type of architect and his or her responsibilities, these might be both functional and non-functional. Early on this is often with project leaders and members on the client side, and upper management often has a stake in the project and unfortunately sometimes makes technical decisions before involving anyone else, often after reading a report by Gartner. So the architect and developers often have to work with pre-existing decisions; most of the time this works out fine, though.

The green person in the illustration is the client's network and system administrator, who often has requirements and demands regarding security and deployment. If you're lucky enough to be on a project with a designer, the typical black-suit guy using a Mac, they often have insane demands on the interface. I say this with a sense of humor, as usability experts and designers are very important individuals for the success of a project.

Then you have all the others, different individuals from inside and outside the organization. Computer security experts might be brought in to review the architecture and eventually the complete solution; the review is worth far more early, while a design change is still cheap, than as a final gate before delivery.

The users of the final solution are very important; it's for them that we do what we do. If we can't satisfy them, there is little point in going forward with a solution.

After a project has been planned, contracts have been agreed upon and signed, the project starts with the project team. Depending on the size, the project team could include advisers, project leaders, developers and others.

-

The architect often interacts with all of these roles in a project, and their focus and responsibility is usually the quality of the overall delivery. Architects are not the ones who manage the project and its resources, which is a whole different and challenging arena that, luckily, you normally avoid as a solution architect. It is, though, a constant battle to ensure the developers get the time, knowledge and tools they need to ensure the quality of a delivery, which is not always compatible with the goal of a project leader who first and foremost wants to deliver on time.

Topics for the talk

These are some of the other potential topics on the agenda for my talk. There is so much to talk about on the subject of solution architecture, but I only have an hour, and I'm interested in finding the topics that give the most value to my audience.

Topics: Security, Infrastructure, Products or Custom, Cloud Computing, Frameworks, Scalability, Tools, Why you should care about architecture, Become an solution architect.

What do you want to hear about?

Come to MSDN Live!

If you haven't signed up for MSDN Live yet, it's about time! The tour starts in Stavanger on 16 April and ends on 26 April in Oslo.

I work as a senior solutions architect at Steria, which is one of the partners for MSDN Live. Check out our stand at MSDN Live!


I know your passwords

Computer security is one of the hardest things in computer science and engineering. It's easy to make software today; anyone can do it. Not everyone, though, knows how to build security into their software. Every week I come across insecure solutions, and it frightens me; it gives me the willies.

I was looking for a provocative title for this post because I want people to read it. I hope it worked, and please keep reading.

Today I only want to touch on one issue: passwords. This is an area that affects every one of us and is pretty easy to explain. If you're a software developer and you read this, make sure you don't make the same mistakes. If you're a consumer, make sure you tell your service provider that they need to change their practices. This is a major industry-wide issue, so please raise your voice. If you have little time, please skip forward to the "Learn by Example" section.

Stubbornness or Cluelessness?

Whenever I come across a web site that has a potential security issue, I contact the offenders and try to explain the problems I'm seeing.

A lot of the time, I'm only met with ignorant support personnel who don't understand what I'm saying.

That's OK, I'm a pretty technical guy and I don't expect everyone to understand this; there's no reason for it. But when they for some reason argue with my request to forward my message to someone technical and responsible for security, I'm baffled.

Many don't seem to take their customers' privacy seriously, and they are reluctant to react to issues.

Next time you come across a web site that has problems like those I'm about to elaborate on, I hope you take the time to let them know you won't use their service until they improve their systems. What does all of this have to do with Tom Cruise in the photo? I found him when I searched for a tech support photo, and he looks just like tech support :-)

Username and Password

In the beginning of the computer industry, we rarely cared much about the security of our local machines. We shared the same user accounts and mainly used different usernames to personalize the computer. We were disconnected, and the way we distributed software was with diskettes and later on CD-ROMs.

The information we stored on our computers was often school and work related; it didn't contain many personal details or much communication. No matter what you put on the computer's hard drive, it required someone to physically steal it to peek at your data.

Then came the local network, where we hooked up computers in offices and with our friends for a LAN party. Information was spread freely on the networks: sharing games, videos, music. Just as we previously burnt CDs and recorded tapes with music and videos on VHS, we could now share our stuff much quicker and more cheaply than ever before.

Enter the Internet.

Suddenly our local, insecure computers were connected to the online digital world. A myriad of software and services was created, in a global mess of information that makes it impossible for anyone to really know who or what you can trust. And everyone wants your username and password; it's their way of distinguishing You from Me.

We've all heard the lesson that you should make sure your password is a hard one to guess, yet many of us have a hard time coming up with any sensible password that we'll remember easily. It's also important not to reuse the same password everywhere, as you will understand if you read on…

Please Enter…

Please enter your username and password, and we'll open the door for you and let you into our fine establishment. That's how it starts: if you're not already registered on the web site, you're required to fill out a form, often an extensive one, that tries to capture some personal details from you. Part of this process is filling out your username of choice, password and email address.

This is where the problems start…

Let's start with Google's GMail as our first example. Creating a new account involves filling out the first name, last name, desired login name and password. Additionally, Google wants you to pick a "Security Question". What's the purpose of this, you might wonder? Does this make you more secure? No, it doesn't.

(Screenshot: the Gmail security question field)

There are only four default security questions proposed by Google, and they have a help page that explains what type of question and information you should avoid: things like your mother's maiden name and other information that is easily discoverable about you. You can write your own question, but my advice is to completely forget about the security question; it's way too easy to put in something that someone can guess or figure out.

Then we have a field called secondary email. This is a very nice solution for being able to restore access to a new email account; it's better than the security question.

If we look at how we humans work, you'll quickly see that most of the time we will fill out all fields in a registration form, even though we probably don't need to.

So the issue with this secondary email field is the following: people without existing email addresses might fill in something in this field, just because they intuitively think it's required information.

Important: Always make sure you enter the correct email address.

Let me give you a very scary example of what might happen if you write the wrong email address when registering a new Gmail account (please excuse the screenshot being in Norwegian).

(Screenshot: Gmail confirmation code email, in Norwegian)

As the above screenshot is in Norwegian, I will just quickly explain it.

It's a confirmation email you receive from Google with a confirmation code that is used if you have any problems with your account in the future, for example if you lose the password. I have received multiple of these emails. With this information, I can take over someone else's email account and read all their communications.

Scared?

You should be and this is only the beginning… I receive invoices, usernames, passwords, photos, personal messages and what not…

(Screenshot: Invoice)

Phone subscription invoices…

(Screenshot: Lego)

Lego account activation… what if your kid filled out personal details, like their full name, address, birth date and other details? That information will be accessible to the person who receives this email.

(Screenshot: BiteFight)

Online game registrations that send passwords in clear text…

(Screenshot: Garanti)

Property descriptions… that probably were supposed to go to someone, somewhere…

(Screenshot: Gladiatus)

I could be a Gladiator… I loved the movie, I already hate the online game… and you can see why I hate it.

(Screenshot: Picasa)

Love to watch photos… especially the dull and boring family photos from last Christmas.

(Screenshot: Apartment)

Guess he won't see that flat after all…

I've received invitations to board meetings, mobile MMS messages sent by mail, photos, responses to job applications, all kinds of crazy stuff. Let me give an example where I actually, for the purpose of this article, clicked the activation link just to see what kind of information I could stumble upon.

Learn by Example

Disclaimer: I would never try to hack or steal anything from anyone. My intention in this example is only to show how vulnerable you can be when a service provider doesn't care about the safety of your personal information. This is the first and only so-called activation link I've clicked that did not belong to me. When I went through with this example, I was scared at how easy it was, and it was only one of potentially many examples I could do. I had to censor the names, details and URLs to protect the innocent.

1. You register on a website by filling out your personal details: potentially information like full name, home address, phone number and finally your password, which you have probably used before on another website as well.

2. This is where things get problematic: I own the email address that the user supplied. If I were an evil system administrator, I could potentially steal this email as it hits the servers. There are many ways I could potentially get hold of the specific email or the user's email account. Never presume that your emails are secure.

3. Someone receives your confirmation email about your account. Sometimes this email contains the original password in clear text. Sometimes it requires you to activate the account to "prove" that you are the owner of the email account.

(Screenshot: registration email)

4. After clicking the activation link, I come to the website. Some services actually automatically log you in at this step. This service did not, so I had to use the “recover my password” functionality.

(Screenshot: "lost my password" form)

5. I then receive an email with a password. Some services will NEVER expose your original password, and that is how it should be. When you forget your password, a service should return you an auto-generated password. The service in question returned me the original password that another person had used.

(Screenshot: lost password email)

6. Log in to the website and check out the user's profile to see if there is any interesting information. What I got from this service was full name, birth date, phone number and, at the end, an empty field for bank account number.

(Screenshot: user profile)

7. I was surprised to see that there is a password and a confirm password text field on the user profile page. It made me think that possibly the website renders its users' passwords in the HTML source. And surely they did.

(Screenshot: password in the HTML source)

8. I now have this individual's full personal details. Since I have the person's phone number, I can validate that everything is correct, and it is. There are so many ways one can utilize this type of information. The person had an income of approx. $53,000 in 2007, thanks to the public Norwegian tax lists. I know what interests he has and what he looks like, from his Facebook profile photo.

9. I'm not going to take this any further; what I potentially could do is log in to the individual's Facebook account, as he is probably using the same password there…

Example Conclusions

The scary part of this whole example is that this was done using an online auction website, which probably has a lot of traffic and users. There are just so many security mistakes made in this example that I can't believe it. They handle VISA and MasterCard transactions, yet they don't use HTTPS/SSL for anything. They have probably outsourced the VISA/MasterCard transactions, I hope.

Can you imagine what would happen if their database was stolen, with all this information available for all their customers?

Clear Text Passwords

This is the most common mistake made by developers, and it amazes me that there are services out there that still rely on storing your password in clear text. Let me illustrate how this works.

1. User enters a web service and registers with the credentials.

2. Credentials are sent over the Internet, often over a secure HTTPS (SSL) connection. Never fill out important information over a plain HTTP connection.

3. Credentials are stored in the database.

4. The user comes back to the website to authenticate; the password is again sent to the web service and validated against the value that is stored in the database.

When you have trouble remembering your password, those services that store your password as clear text often allow you to retrieve it insecurely by email. Just because you can't retrieve the password by email doesn't mean it's stored securely; it can still be clear text in the database somewhere.

Secure Password Communication

With the above example in mind, I want to quickly give you an example of how a web service should handle your passwords securely.

1. User enters a web service and registers with the credentials.

2. All data is sent over a secure HTTPS connection.

3. The web service generates a non-reversible hash based upon your password combined with some additional secret value (a salt).

4. The hash of your password, which is not reversible except with an awfully powerful computer and a lot of time, is then stored in a database.

5. The user comes back to the website to authenticate; the password is again sent to the web service, but this time the service generates the hash all over again, retrieves the existing hash from the database, and compares the two values. If they are the same, you are authenticated.

There is absolutely no reason why a service provider should need to store your password in clear text. If they have a reason, it had better be a very good one.
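To make the two procedures above concrete (the clear-text storage under "Clear Text Passwords" and the hashed storage under "Secure Password Communication"), here is an added example that is not code from the original post. It assumes PBKDF2-HMAC-SHA256 as the unnamed hash function, a Python dict in place of the database, and constructed sample credentials.

```python
"""Added example: salted, one-way password storage beside the clear-text mistake.

Assumptions (not from the post): PBKDF2-HMAC-SHA256 as the hash, a dict as the
database, and constructed usernames/passwords.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000   # work factor: slows offline guessing against a stolen hash
DUMMY_SALT = b"\x00" * 16     # used only to keep timing uniform for unknown users


def register_clear_text(db: dict, username: str, password: str) -> None:
    """The mistake in 'Clear Text Passwords': the password itself lands in the database."""
    db[username] = {"password": password}


def recover_clear_text(db: dict, username: str) -> str:
    """Why that is dangerous: the service can (and such services do) mail the password back."""
    return db[username]["password"]


def register_hashed(db: dict, username: str, password: str) -> None:
    """Steps 3 and 4 of the secure procedure: store a per-user salt plus a one-way hash."""
    salt = os.urandom(16)                      # random salt, stored next to the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    db[username] = {"salt": salt, "hash": digest}


def verify_hashed(db: dict, username: str, password: str) -> bool:
    """Step 5: recompute the hash from the submitted password and compare with the stored one."""
    record = db.get(username)
    if record is None:
        # Hash anyway so an unknown username costs as much time as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), DUMMY_SALT, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], PBKDF2_ITERATIONS)
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def reset_hashed(db: dict, username: str) -> str:
    """A forgotten password cannot be recovered from the hash, so the service issues a
    fresh random one (as the post says it should) and stores that password's hash."""
    new_password = secrets.token_urlsafe(12)
    register_hashed(db, username, new_password)
    return new_password


def demo() -> dict:
    """Run both schemes on constructed credentials; returns what each scheme lets a reader see."""
    clear_db, hashed_db = {}, {}
    register_clear_text(clear_db, "ola", "hunter2")
    register_hashed(hashed_db, "ola", "hunter2")
    return {
        "clear_text_leaks": recover_clear_text(clear_db, "ola"),          # 'hunter2'
        "hashed_record_has_password": "password" in hashed_db["ola"],    # False
        "hashed_login_ok": verify_hashed(hashed_db, "ola", "hunter2"),    # True
        "hashed_login_wrong": verify_hashed(hashed_db, "ola", "Hunter2"), # False
    }


if __name__ == "__main__":
    print(demo())
```

Because the salt is random per user, two users with the same password get different hashes, so a stolen table cannot be attacked with one precomputed list for everyone.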

Simple Passwords

A lot of web services demand that you enter a password of a fixed length, sometimes between 4 and 12 characters (Finn.no), and American Express has limited your password to 6-8 characters. Letters and numbers are required; I'm not sure if they allow non-ASCII characters. You don't need to be a mathematician to understand that a brute-force attack on American Express passwords is easy, considering the requirements for user passwords.

(Screenshot: American Express password requirements)

You’ve been Hacked!

How do you know that your service has not been hacked or leaked customer details? Every month there are news stories about information that has been lost and systems taken down by hackers. I promise you that we’re just seeing the tip of the iceberg in this regard. Do you really think that hackers will tell anyone that they’ve gained access to your information?

Spotify was recently hacked and they published a letter to all their subscribers. Luckily for us users, they follow best practices and did not store passwords as clear text, only as a cryptographic hash. This kept the consequences of Spotify being hacked to a minimum. There are today more than a million users on Spotify; consider the consequences if they didn't do security properly.

If you uncover a service that has the potential to leak any personal information, please inform those in charge and make sure they change their practices. I do it all the time, and it does make a difference.

That's it; make sure you follow best practices regarding your passwords.


Copyright disclaimer: "Passwords are like pants" photo by Richard Parmiter and licensed under Creative Commons. Photo of Tom Cruise by banky177 and licensed under Creative Commons.


The importance of good design

For as long as I can remember, I've said that design is half the solution when you're building software. The same can be said of sound and music in a Hollywood movie: the experience of the sound is essential to a good experience.

Some people tend to think that design is not important; a lot of the time these are old developers who have a history of making incredibly poor user experiences. In a recent article in InfoWorld, a journalist put forward the hypothesis that good design is hampered by the current economic crisis. My opinion is that this is false, and that good design is even more important today when there is less economic freedom. It's when times are good that we can afford to do poor design.

What I tend to hear a lot from developers is that the interface of internal tools, internal software and management applications doesn't matter. They take it for granted that the individuals who will be using their tools know, or easily learn, how to use what they are building. Additionally, we tend to think our application won't be used often, so we take shortcuts. I'm as guilty of this as anyone else.

Good design is important. More so in software that is used on a regular basis and with a large user-base.

(Photo by wasabicube, licensed under Creative Commons)

Why is design important?

Let's track back a bit and see if we can figure out why design is important and why it's essential that it's good. To really understand what's going on with us on a physical level, we have to look at the aesthetics of our software. Aesthetics is the study of our reactions to sensory input, how we are mentally affected by the experience of art, music, nature and so forth. Aesthetics(!?), you might ask? What does that have to do with building computer software?

Everything.

In today's society, computer software is being used by virtually everyone on the planet. We use it to fill out our tax returns, read email, keep in contact with family and friends, fill out time reports at work and play computer games. Every time you use any piece of software, you have an experience, one that is shaped by how the application works and performs. If the application is sluggish, slow and crashes, you will have a negative experience. We all know how infuriated we feel when our computer crashes and freezes up. This infuriating feeling can be spawned by the smallest of things: a button in the wrong location, the wrong text in a dialog, error messages when you didn't do anything wrong, and so forth.

There are many steps and guidelines that can and should be used in a project that develops computer software, but that is unfortunately beyond the scope of this article.

Another aspect of the human psyche is our tendency to prejudge. When we do the same tedious tasks over and over again, we tend to avoid reading all the text in dialogs, windows and even error messages. We've seen them before, and our brains recognize them and categorize them accordingly. Have you ever experienced closing a dialog window, only to quickly realize that you have no idea what you actually accepted or declined?

To show an example of how we are prejudiced by our experience and by living in a society, have a look at this homework assignment turned in by a 1st grade student:

(Image: a 1st grade student's homework drawing)

(Image taken from the following reference)

What was the first thing that entered your mind when you saw the drawing? Many of you probably drew the same conclusion. That is how we are wired, and there's nothing negative about that; the only important thing to realize is that our first impressions and our prejudices shouldn't be a deciding factor in your opinions, whether they concern another human being, a company or any other entity.

Use time for design

It's important to use time and resources to work out a good design for any computer software. How much time and money should be decided by the user base of your software. How widespread its use will be, and how many hours a day it will be used by those users, are the two metrics you should use.

Every second you can shave off the time a task inside your software takes is seconds saved by the individual and the corporation that depends on your software. If you make a design that doesn't follow industry standards, your users will require specialized training to be effective. Additionally, situations can occur that are "attributed to human error". Human error costs billions of dollars every year and is a cause of thousands of human deaths every year (looking at human society as a whole, not just the software industry).

Saved time is money saved.

The worst possible case is when an employee's job is to use a piece of software that is so bad that they won't stick around for long. Would you be able to keep calm and quiet if you wasted hours every single day due to computer software problems?

This might possibly strike a nerve in one of the problem spaces of computer software engineering: we don't share our customers' pain. It's a demanding job to successfully and fully understand the problems of a customer and user, and it's often not a prioritized task. Especially not on the list of developers, who in many instances are not allowed to communicate with the customer, or are kept separate so they can concentrate on the task of developing the software. That can end very badly. It's essential that developers understand the needs, requirements and wishes of their users.

Make sure you have time for design; it should not be an afterthought, it should be the first thing you do in the process of developing any software that is directly used by a human being. There are many industry processes for capturing user requirements through mock-ups, wireframes and so forth, all of which are beyond the scope of today's post. My suggestion is to find some good articles and books that teach the practices of building good user interfaces and how to capture user requirements.

Why should you care?

So the moral of the story is that design is equally as important as function. If those are out of balance, the chances of problems increase. If your functions are lacking and poor, it doesn't help if your application has an amazing and fancy interface. It will probably help you sell more licenses, but in the end it can become extremely costly, both for you and your customers.

And I want you to care (as a developer, project manager, decision maker, designer, etc.), because as a software engineer I take pride in the work that we do. Yes, I said what we do. We are all in this together, and together we are progressing and moving forward.

Everyone can make a difference, and if you're currently in a project that is lacking in design and focus on usability, make yourself heard and everyone will be happier with the end results.