Thursday, June 28, 2007

Sometimes your website is dead. Really dead. Designing a user experience can be hard, because there may be no way to gracefully recover.

Google Mail today:

Okay, so I tried again straight away (30 seconds is waaay too long to wait!):

I like the second message. It reassures me that my data is secure, and lets me know that I won't be able to use the site until it's fixed.

TelstraClear's error message from a while ago made me chuckle enough to save it to disk:


Thanks for the offer, but I'm finding it hard to enjoy the rest of the site when I'm in a popup window that has an error. I love the page title too: "Error (TelstraClear - Together, A better way)". Talk about empowerment! I don't think we did that error together.

posted on Thursday, June 28, 2007 9:05:20 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
I'm looking forward to presenting with Philip Cox (Trade Me) at next week's .NET User Group meeting in Wellington.

The session "C# vs VB.NET - continuing the epic battle" is not really going to be an us-versus-them thing, but rather a presentation of some of the newer language features side-by-side.

The Wellington group is a pretty C#-focussed bunch, so it will be good for the VB.NET members to get some respect -- some of the new VB9 features are pretty compelling.

If you want to come along, check out the session details on the Wellington group site, and RSVP to me soon.

posted on Thursday, June 28, 2007 10:38:32 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Monday, June 25, 2007
I'm enjoying Acceptable TV, the user-contribution, voting, not-reality but borrowing some concepts TV programme for the attention-deficit generation. Each 'episode' is 2.5 minutes.


The exec producer is Jack Black, and the basic premise is that "some stuff is better than other stuff". It's a good blend of modern TV techniques (i.e. low production values, and voting off survivor island), and web 2.0 content generation / sharing concepts.

Some of my favourites are:
Not necessarily politically correct, but what is these days?

posted on Monday, June 25, 2007 9:09:41 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]

Dare has a good writeup of the keynote from the Seattle Conference on Scalability. It sounds like a pretty interesting conference, with presentations from Google, Amazon, Verisign and more.

The Google talk covered the three big, gutsy parts of Google's architecture: GFS, BigTable and MapReduce. By building their systems from scratch, Google is able to scale to the phenomenal size it is now.

Technologies like these are how Google can handle millions of different search phrases -- amazingly, one in four queries to their search engine have never been seen before.

Google hires smart people and lets them work in small teams of 3 to 5 people. They can get away with teams being that small because they have the benefit of an infrastructure that takes care of all the hard problems so devs can focus on building interesting, innovative apps.

posted on Monday, June 25, 2007 8:33:12 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Thursday, June 21, 2007

Last year at TechEd I was talking about the drive providers that ship with PowerShell, such as the ENV: drive that lets you view environment variables and the HKLM: and HKCU: drives that let you navigate the registry.

I said it would be cool if you could CD into your database server, and DIR the rows of a table. Here's how you can:

Demo SQL Provider Code

JD Trask has also put together a drive provider for mounting and navigating Zip archives:

How to Write a PowerShell drive provider

JD's example comes with some decent documentation explaining the four core classes that comprise the provider, showing how to install the provider and giving some ideas on how to extend the provider for extra credit.

It rather reminds me of a tcsh extension I used to use to cd into tar.gz's back in the day :)

posted on Thursday, June 21, 2007 10:26:11 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]

Miguel de Icaza has written a progress report on their Mono port of Silverlight, called Moonlight.

It's a pretty impressive account of what they have accomplished in the first 21 days of developing Moonlight. It's interesting to see what a team with deep knowledge of a domain can produce in an intense session of hacking.

It will be especially interesting to see what core Silverlight features the Mono team can develop by the time Silverlight 1.1 releases, so we can target our Silverlight applications to the common denominator.

Also, I wonder which will release first: Silverlight 1.1 or Moonlight 1.1?

posted on Thursday, June 21, 2007 9:51:46 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Tuesday, June 19, 2007

Reading Dare Obasanjo's blog, I saw reference to this email (jpg) that is linked from Analyzing the Facebook Platform, three weeks in:

"Do you know anybody that may have excess servers we could borrow for the next 5-7 days while we buy new servers of our own?"
Ali Partovi from Ilike, a day after launching on Facebook

Scale problems like this are good to have -- you have lots of customers after all. But, it must be hard to see all your hardware melting as quickly as you add it!

posted on Tuesday, June 19, 2007 9:04:19 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [1]

This is another reason why it's good to live in Wellington:

Yet More Speed for TelstraClear Internet Customers
The company will offer customers speeds of up to 25 Mbps downstream by the end of the year. This is an increase on the company’s fastest existing plan which offers speeds of up to 10 Mbps.

TelstraClear is already the fastest and most reliable home broadband in New Zealand, and they're getting faster. It's a pity that their cable network is only available in parts of Wellington and Christchurch, and that they only have 30,000ish cable modem customers.

When we bought a new house, one of the criteria for choosing which street and suburb to live in was whether we could get TelstraClear cable. I'm glad we persisted with that now -- even though it meant many phone calls to TelstraClear asking if addresses had cable coverage.

posted on Tuesday, June 19, 2007 10:21:20 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [1]
This is a test message from my phone, using Kevin Daly's Diarist!
posted on Tuesday, June 19, 2007 10:09:54 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [1]
 Sunday, June 17, 2007

It seems like powerful presentations aren't done using Powerpoint any more. I don't know, maybe they never were...

Why you drink

Edward Tufte (the original Powerpoint detractor) has a new book out: Beautiful Evidence. An article in the New York Mag (via SVN) introduces Tufte and some of his work. He has led a crusade against Powerpoint (his essay The Cognitive Style of Powerpoint has a good collection of the worst offenders), and his ideas have been absorbed by many designers around the world.

The new style of "multimedia"1 presentations moves from slide-based to "flow"-based. Two that I have seen recently deserve mention:

"Le Grand Content"
(via Mark Fowler)

Quite funny, answers the questions of the universe with quasi-logic and witticisms:
There are three types of virgins:
a) Virgins by choice
b) Virgins by way of poor social skills
c) People who should be in group B, but who claim otherwise for reasons of prestige
Prometeus - The Media Revolution
(via Nic Wise)

The future of media and information dissemination. A little more serious...

These presentations really engage the user through zooming images, flowcharts and synchronising speech with animations.

I wonder how long before this type of presentation becomes the norm? How long until we see presentation software that supports the creation of them as easily as a standard deck of slides in Powerpoint?

And how long before people realise that although they're more engaging, they're still hiding and distorting the truth, just in different ways?

1 How weird does it feel to use that word in 2007?

posted on Sunday, June 17, 2007 10:08:54 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Thursday, June 14, 2007
In his post "Why Safari for Windows looks like a Mac Application", Bertrand Le Roy guesses that the Apple release of Safari for Windows may be to increase the number of developers that can competently develop applications for the iPhone.

This makes complete sense: one big problem for Safari users is that many websites just plain don't work in their browser. Windows developers can't test in Safari without Mac hardware, and many websites are accidentally broken when viewed in Safari.

What a smart move from Apple. By releasing a Windows version of their flagship browser, no Windows developer has an excuse not to test on it!

The only challenge remaining for Apple is to keep the two browsers feature-identical. We don't want an IE5 Win vs IE5 Mac debacle...
posted on Thursday, June 14, 2007 9:05:05 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [1]
 Wednesday, June 13, 2007
Daniel Moth has two good posts on Visual Studio 2008 and the .NET Framework 3.5:
A summary:
  • The CLR isn't changing -- still the same CLR as VS2005
  • New languages C# v3.0 and VB9
  • The framework libraries don't change from 3.0 to 3.5, and just add additional namespaces (just like the move from 2.0 to 3.0)
  • LINQ is the big ticket item for me, but there are also some interesting networking and addin libraries, as well as enhancements to WCF and WF
A big feature of Visual Studio 2008 is the multi-targeting ability, which allows you to target the 2.0, 3.0 or 3.5 libraries from one IDE. No more side-by-side Visual Studio installations!

posted on Wednesday, June 13, 2007 9:44:26 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
The left-hand guy on the Vista Business DVD isn't me, I swear!

posted on Wednesday, June 13, 2007 10:01:03 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Monday, June 11, 2007
Watching PrimeTV after Letterman has finished has always been hard. Previously it was Fox News that I would fall asleep to, recently it is "infomercials". I'm not quite sure what is "info" about them.

Urine Gone! is apparently a fabulous product "For Pet or People accidents". They have a cheesy bit where they talk about getting rid of urine odours caused by people :)

How many units do they have to sell to pay for the TV advertisements?

(remove BAD from the url, as I don't want to directly link)

The (only) bit that's cool about this product is the black light stain detector. How cool and CSI-like!
posted on Monday, June 11, 2007 10:58:35 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
I watched this video last night: Reverse engineering techniques to find security bugs: A case study of the ANI exploit

From the blurb:
Alex Sotirov is a vulnerability engineer at Determina. He will discuss some of the latest techniques in reverse engineering software to find vulnerabilities. In particular, he'll discuss the technique that led him to find the ANI bug (a critical new bug in WinXP and Vista).

Alex will describe the tools he uses for reverse engineering and show how he reverse engineered the ANI bug. He will continue to discuss Windows security mechanisms (ASLR, /GS) and describe how the ANI exploit bypasses them.

Alex is one of the good guys. He works at Determina on their intrusion prevention system; his job is to create exploits so that they can test whether their software can detect and catch them. He often creates exploits by looking at the patches Microsoft releases to find out what bugs they fix.

In the presentation, Alex shows how to use a disassembly tool to analyse the differences between two dlls -- the original and the patched ones. He also explains some of the exploit-protection mechanisms, and how exploit authors can get around them:

  • /GS compiler switch, which inserts a trap to check if the return pointer has been overwritten (as an optimisation, it only works for functions with arrays in them)
  • Data Execution Protection (DEP), a CPU feature that disables execution of code within data segments of memory. Stack overflows write into data blocks, and are thwarted when they try to jump to those blocks. It's only opt-in on desktop Windows, even on Vista (for compatibility reasons).
  • Address space layout randomization (ASLR), which re-arranges the executable in memory so that jump locations are hard to pre-determine (but there are only 256 possible places, so it's still possible to guess the location).
Hints on how to design secure software:

  • Pick a good language and platform (e.g. Java, Python and I assume .NET). This avoids common pitfalls in languages like C++ and PHP.
  • Design your app to isolate components along trust boundaries. Develop a formal specification that details how areas of code that are accessed by users of different privilege interact with each other.
Things to avoid:
  • ActiveX. Always avoid.
  • Google Desktop Search web integration. [Must've been a popular bullet point in the room!] Exposes all local desktop search data to the possibility of a cross domain vulnerability in a browser. Securing the product relies on a browser being secure -- not a good idea.
  • Really hard to add security to an existing codebase (e.g. Windows, Oracle DB)
Take outs:

  • Assume software has security bugs. Build in things that will make exploitation harder, and will minimise damage.
  • Avoid single sign-on for web services, as if one app is exploited, other services can be attacked.

Alex ended with a diagram showing the exploit prevention features in different OS's:


OSX doesn't use many of the current protection techniques that other OS's currently do. I guess this shows how Microsoft are trying harder with each release, but Apple are finding it hard.

posted on Monday, June 11, 2007 9:34:29 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Saturday, June 09, 2007
Two of my favourite areas of software development are privacy and security. As applications get less siloed and more connected, understanding the boundaries between "mine and theirs", and implementing the system correctly are becoming increasingly important.

A little tid-bit I found interesting today was:
Did you know that the new trend is phone phishing? Criminals use VoIP to emulate the bank’s voice prompt system and lure people into giving their account information.

That's worth thinking about if you're an organisation that provides a phone-based service such as phone banking or checking account balances. Tricking someone into dialling a phone number (especially an 0800) is probably as easy as tricking them into going to the wrong website.
posted on Saturday, June 09, 2007 12:32:06 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
TechEd NZ is selling out fast. They have also updated the website since I last went there, but the list of speakers hasn't been finalised yet.

Our TechEd is a catch-all for all Microsoft technologies and releases, but in the US there are 3 different Microsoft events to follow if you're a developer: MIX, TechEd and PDC. MIX and TechEd US have both happened recently, and there's no PDC this year.

This year, MIX has had a lot of the cool stuff for developers -- Silverlight 1.1, the DLR, Dynamic VB, Iron Ruby and more. From the lack of developer buzz around TechEd, and my reading of TechEd Bloggers, it sounds like the TechEd conference had more in store for the IT Pros than the developers, delivering more in the product / platform space.

Here's looking forward to TechEd NZ. I'm looking forward to hearing how IronRuby has progressed in the intervening months, and hopefully seeing some new Silverlight stuff. I'll (hopefully) be presenting on Powershell again, which is one of my favourites. Check out the Powershell blog too, good stuff regularly pops up on there.

posted on Saturday, June 09, 2007 12:12:12 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Wednesday, June 06, 2007
Friends of mine at Vic Uni set up NZ Wired, a community organisation that aims to set up a distributed community-based broadband network using cheap equipment.

The idea is that anyone you can see from your house (i.e. line of sight) can potentially send bits your way.

While a great idea, in practice the cheap broadband available in Wellington (thanks, Telstra!) and the difficulties in setting up hardware have made it a bit hard to set up a network. For example, you can't just string network cables along fenceposts due to problems with AC phases and lightning strikes :)

This $99US solar-powered wifi repeater sounds like just the thing for community networks. Anyone in line of sight of Churton Park, Newlands or Paparangi?

posted on Wednesday, June 06, 2007 11:17:43 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
Using these definitions, I'm definitely a LiBeral Programmer, and I love working in the great team at Xero.

Try the test yourself


You're a Doer.
You are very quick at getting tasks done. You believe the outcome is the most important part of a task and the faster you can reach that outcome the better. After all, time is money.

You like coding at a High level.
The world is made up of objects and components, you should create your programs in the same way.

You work best in a Team.
A good group is better than the sum of its parts. The only thing better than a genius programmer is a cohesive group of genius programmers.

You are a liBeral programmer.
Programming is a complex task and you should use white space and comments as freely as possible to help simplify the task. We're not writing on paper anymore so we can take up as much room as we need.

posted on Wednesday, June 06, 2007 10:56:59 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
I've had the domain for a few years now, and it's my favourite.

The original version of the site (archived as at 6 March 2001) was a bit of a joke, and was my first experience with really crappy search engines sending unwanted traffic to your webserver. I think I served hundreds of megabytes of pages to the unwitting users of a few search engines that thought the page should be a high-ranking result for just about any dictionary word :)

What's your favourite domain name that you own?

posted on Wednesday, June 06, 2007 10:46:32 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
Look what I stumbled on at Nikhil Kothari's Weblog:

$3.35/hr! How can we compete!

posted on Wednesday, June 06, 2007 10:36:55 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
Observing your users while they use your software, either directly, or through A/B usability testing is a good way to discover what they are actually doing.

Jeff Atwood at Coding Horror writes about observing users, and links to a pdf paper Practical Guide to Controlled Experiments on the Web that advocates A/B testing as a way of finding out what your customers really prefer.

"A/B Testing" is putting up two scenarios ("Scenario A" and "Scenario B"), and then measuring the impact of the changes by testing against a control. This is quite common in other areas of science, but less so in software development.

Rowan Simpson and Sam Morgan from Trade Me both show examples of the successes Trade Me has had when doing A/B testing, and they have developed systems to perform A/B tests, such as running one version of a feature for one half of their users, and the new feature for the other half.

Learning from your users is very important. They are the best people to ask about your product. Unfortunately, when you ask them, you get different results than when you observe them.

posted on Wednesday, June 06, 2007 10:25:49 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Sunday, June 03, 2007

Subspace: Secure Cross-Domain Communication for Web Mashups

This paper describes a new method of mashup communication that avoids some of the security and privacy concerns of existing approaches.

Exec summary: Create a little eco-system per mashup, perform some setup while you have trust, and then reduce your trust before running the mashup code.

Most mashup systems have to choose between completely isolating a mashup from the containing page using an iframe, or using a <script> tag to include the mashup, which exposes the surrounding page (and all other gadgets on it) to malicious actions that one gadget can perform.

A few systems have tried different approaches.

At TechEd 06 in Auckland, George Moore described a new Address Book mashup that they were prototyping for (not sure if it was ever released) that used document fragment identifiers (the #blah bits of the url) and a complicated polling and window.location changing mechanism to communicate serialised javascript objects. It was quite fragile because of the need to serialise the information into chunks that could fit on the end of the urls, and because the javascript library to support the communication needs to guarantee delivery and sequencing of the communication.

The "Subspace" approach presented in this paper uses two browser features to sandbox the mashup's executing code from the surrounding page:
  • document.domain = "", which allows javascript to consent to communication by other frames that set the same document.domain
  • a communicating object which is passed in to a frame before it changes its security context with the document.domain call
The mashup is then run in the sandbox using a regular <script> tag, and data is communicated back up to the surrounding page using the communicating object.

The authors also document some of the differences between the major browsers -- IE6 and IE7, Firefox, Safari and Opera -- and explain how the Subspace solution works within each browser (callback methods on the communicating object for some browsers, polling in other browsers).

The Subspace approach is quite clever, and works in a similar way to other programming environments that allow you to do some setup in a trusted configuration, and then lower your privileges before running untrusted code. This approach is common in setuid unix programs, or in .NET AppDomains.
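
A small model of the rule the Subspace approach relies on, added here as an example (it is not code from the paper or from this post). It assumes the HTML Standard's "same origin-domain" check and a sandbox frame that starts out same-origin with the page; Frame, readSecret, makeChannel and the mashup.test hosts are made up for the illustration.

```javascript
// Added illustration, not code from the Subspace paper. Frame, readSecret and
// makeChannel are hypothetical names; hosts use the reserved .test TLD.
class Frame {
  constructor(url, secret) {
    const u = new URL(url);
    this.scheme = u.protocol;
    this.host = u.hostname;
    this.port = u.port;
    this.domain = null;   // null until document.domain is assigned
    this.secret = secret; // stands in for the frame's DOM and cookies
  }
  // Models `document.domain = value`: only the current host or one of its
  // parent domains is accepted. Simplification: real browsers consult the
  // public suffix list; here a bare TLD is refused by requiring a dot.
  setDocumentDomain(value) {
    const current = this.domain !== null ? this.domain : this.host;
    const allowed = value.includes(".") &&
      (current === value || current.endsWith("." + value));
    if (!allowed) throw new Error("SecurityError: bad document.domain " + value);
    this.domain = value;
  }
}

// The HTML Standard's "same origin-domain" test, which gates frame-to-frame
// script access. Once both sides set document.domain the port is ignored.
function sameOriginDomain(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  if (a.domain === null && b.domain === null) {
    return a.host === b.host && a.port === b.port;
  }
  return false; // only one side opted in: access is denied
}

// Stand-in for reaching into another frame's window.
function readSecret(from, to) {
  if (!sameOriginDomain(from, to)) throw new Error("SecurityError: cross-origin");
  return to.secret;
}

// The communicating object: a closure over the page's inbox that exposes one
// method. The page treats everything arriving through it as untrusted input.
function makeChannel(inbox) {
  return Object.freeze({
    send(msg) {
      if (typeof msg !== "string" || msg.length > 256) return false;
      inbox.push(msg);
      return true;
    },
  });
}

function runMashup() {
  const page = new Frame("https://www.mashup.test/", "session-token (constructed)");
  const sandbox = new Frame("https://www.mashup.test/sandbox.html", null);
  const inbox = [];
  const result = { inbox };
  // 1. Setup while trusted: same origin, so the page can hand the object in.
  result.trustedBefore = sameOriginDomain(sandbox, page);
  const channel = makeChannel(inbox);
  // 2. Reduce trust: only the sandbox frame changes its document.domain.
  sandbox.setDocumentDomain("mashup.test");
  result.trustedAfter = sameOriginDomain(sandbox, page);
  // 3. Run the gadget, which holds nothing but the channel.
  try { readSecret(sandbox, page); result.leaked = true; }
  catch (e) { result.leaked = false; }
  channel.send("forecast: 14C, windy");
  result.rejected = channel.send({ html: "<b>not a string</b>" }) === false;
  return result;
}

console.log(runMashup());
```

Current browsers discourage or disable the document.domain setter; window.postMessage is the supported way to pass messages between origins.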

posted on Sunday, June 03, 2007 9:15:16 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]

This will be my fifth attempt at blogging -- my first in 2000ish (though not programming related), with several subsequent efforts that have languished since then. Each time there has been some reason to get started blogging again (usually an event of some sort), and then life has caught up with me...

So, thanks to the encouragement of Ivan Porto Carrero, I have a new fandangily blog up here at (RSS / atom)

Who am I?

  • Software developer living in Wellington, NZ
  • Working for Xero
  • Organise the Wellington .NET Users Group, which meets monthly to discuss the latest .NET technologies
  • Help to organise Code Camps around the place (next one in Auckland, just before TechEd)
  • Microsoft MVP
  • Possess an unhealthy interest in the banal details of the Common Language Runtime
  • Two gorgeous kids and a beautiful wife

Who aren't I?

  • I'm not religious, neither in the traditional sense nor in the Linux vs Windows / C# vs Java sense
  • I don't dance
  • I don't sing
  • I don’t drink coffee or cola
  • I don't drink, smoke, or ingest any mind altering substances
  • I don't play poker, chess nor go
  • I don't read nearly as many books as I used to
  • I don't read all my email (but I do practice Zero Blog Bounce, for some reason)
  • I'm not That Guy

But I'm not boring. Honest!

I look forward to posting all of those "I wish I had a blog" things once again...

posted on Sunday, June 03, 2007 7:28:57 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]