Miscellany – not security

Deploying on the road…

Now that I have a Surface 2, I’m going to leave my laptop at home when I travel.

This leaves me with a concern – obviously, I’m going to play with some of my hobby software development while I have “down time”, but the devices for which I’m building are traveling with me, while the dev machine stays at home.

That’s OK where I’m building for the laptop, because it’s available by Remote Desktop through a Remote Desktop Gateway.

Deploying to my other devices – the Windows Phone and the Surface 2 running Windows RT – is something that I typically do by direct connection, or on the local network.

Windows Phone

For the Windows Phone, there’s a Store called “Beta” as opposed to “Public”, into which you can deploy your app, make it available to specific listed users, and this will allow you to quickly distribute an app remotely to your device.

Details on how to do this are here.

Windows Store

The story on Windows Store apps appears, at first blush, to be far more dismal, with numerous questions online asking “is there a beta store for Windows like there is for the phone?”

The answer comes back “no, but that’s a great idea for future development”.

But it is completely possible to distribute app packages to your Windows RT and other Windows 8.1 devices, using Powershell.

The instructions at MSDN, here, will tell you quite clearly how you can do this.

Thoughts on a New Year

It’s about this time of year that I think…

  • Why do reporters talk so much about NSA spying and Advanced Persistent Threats, when half the websites in existence will cough up cookies if you search for "-alert(document.cookie)-" ?
  • How can we expect people to write secure code when:
    • they don’t know what it is?
    • they can’t recognise insecure code?
    • it’s easier (more clicks, more thinks, etc) to write insecure code?
  • What does it take for a developer to get:
    • fired?
    • a bad performance review?
    • just mildly discomforted?
  • What is it about developers that makes us all believe that nobody else has written this piece of code before? (or that we can write it better)
  • Every time a new fad comes along, whether it’s XML, PHP, Ruby, etc, why do we spend so much time recognising that it has the same issues as the old ones? But without fixes.
  • Can we have an article on “the death of passwords” which will explain what the replacement is – and without that replacement turning out to be “a layer in front of a big password”?
  • Should you let your application out (publish it, make it available on the Internet, etc) if it is so fragile that:
    • you can’t patch it?
    • you can’t update the framework or libraries on which it depends (aka patch them)?
    • you don’t want a security penetration test to be performed on it?
  • Is it right to hire developers on the basis that they can:
    • steer a whiteboard to a small function which looks like it might work?
    • understand an obfuscated sample that demonstrates an obscure feature of your favourite framework?
    • tell you how to weigh twelve coins, one of which might be a fake?
    • bamboozle the interviewer with tales of technological wonders the likes of which he/she cannot fathom?
    • sing the old school song?

Ah, who am I kidding, I think those kinds of things all the time.

For Surfaces rendered

I often thought I’d like to have a career in 3D animation, solely so I could send out invoices with the title of this blog post as their content.


It seems a little late for me to choose that career, so I’ll have to use that title for a blog posting about my Surface, now that I am three weeks in to using it.


There’s no secret (or if there is, it’s poorly hidden) to the fact that MVPs visiting Redmond for the MVP Summit this year received a pretty sweet deal on a 32GB Surface 2 and Touch Cover. Along with hundreds of my brethren, I lined up at the Microsoft Store in Bellevue yelling “shut up and take my money!”


As an actual purchase, rather than a complete giveaway, I did have to pass the purchasing decision through my boss. Fortunately, she agreed that it was a good buy, as long as I treated it as a purchase of a toy for me, and stopped trying to persuade her it was a bona fide business investment for the company. Canny woman, my wife, and skilled at reducing arguments to their simplest and most incisive points.


So, a toy it was pitched as, a replacement for my iPad, which I also got for very little money – I won it in a hacking competition. As a toy, I couldn’t expect to get the Surface Pro, which is convenient, because one wasn’t offered.


What’s it like as a toy?


Does it have the Angry Birds,then? Space and Star Wars versions, yes – Rovio hasn’t been paid to get around to porting the others to Windows 8 yet.


It’s also got Minesweeper and Solitaire, with the added thrill of daily challenges, and an Adventure Mode for Minesweeper that looks a little ripped off from Repton. Mahjong, Jetpack Joyride, Cut the Rope, there’s enough games that while you might find a few individual names here and there that are missing, you’ll be able to replace them with something in the same genre.


The front and back camera make for good Skype use, whether you’re having a face-to-face chat, or showing someone the view out the window.


I can read comics, whether through the dozen or so manga readers, or through the Comics app from Comixology. Books come, of course, courtesy of the Kindle app, and of course there’s a native Amazon app as well, although as usual, it’s hard to get a better shopping experience in an app than Amazon has built into the web version.


That’s right, you actually have a version of Internet Explorer 11 built specially for the touch-screen “Modern UI”, which Microsoft used to call Metro, and which thoroughly needs a new name. This version of Internet Explorer is fairly basic, but fully functional for what most people are going to want it for. For most of what I do on the web, it’s certainly sufficient.


On the fringe of toydom


Social media makes its presence felt nicely in the People hub, like on my Windows Phone, where in one place I can keep up with my Twitter, Facebook and LinkedIn friends/followers/minions. I can also post there, although I miss my phone’s ability to post to multiple outlets at once.


If you’ve been paying attention to my gripes about podcast support on my Windows Phone, I have to say that, out of the box, I have the same – or worse –issues with the Surface 2. The native audio player does allow you to create playlists, but infallibly returns you to the start of an MP3 file almost every time you play it anew, apparently whether you played another MP3 file, skipped to a different app, or received a notification. I await the development of a good podcast / audiobook application with support for local MP3s.


On the video front, things are somewhat improved, with the Xbox Video app being the natively supported method to play my MP4s. Sadly, there’s still no subtitle support, as is the case across every single one of Microsoft’s video playing tools – if the file isn’t streaming across the web, with the closed captions in a separate stream, there’s no way to get captions to display. This is a shame, as there is good support for standard subtitles in MP4s on the Apple competition, whether it’s iPad, iPod or iPhone. Microsoft, this can’t be that hard – support accessibility on all your video players, please! [I’m not deaf, but the bus can get a little loud]


Working up to proper use


The Touch Cover is barely usable as a keyboard – but I’ve added a Bluetooth keyboard to my Christmas wishlist, for the serious typing moments, and the Touch Cover is certainly sufficient for those occasional bon mots on the bus or airplane.


Sadly, Live Writer isn’t available for Windows RT, so I’m not likely to use this for many blogs – although to keep myself honest, I am typing this on the Surface using the Touch Cover keyboard.


To write the blog entry, I’m actually using Word with its blogging template.


Woah, did you say Word? On RT?


Why yes, yes I did – but since the presence of Office 2013 on the Surface was advertised (at least, Excel, PowerPoint, OneNote, Word and Outlook), this was hardly a surprise to me – but it seems like a surprise to many of my Apple-owning friends who are just starting to get excited that Apple have deigned to let them have iWorks on their iPads now.


But the inclusion of Office isn’t the only thing that makes this device veer further into the territory of a non-toy.


Surprisingly functional


I wasn’t really expecting that Windows RT would have a desktop mode. I pretty much thought it would be Modern UI apps and nothing else. That seemed like it would suck, because I can’t then copy files across the network for playing MP3s and MP4s on the bus to and from work.


So a friend of mine set my fears at rest before I bought the Surface, and let me know that there was indeed a desktop, and a Windows Explorer. That was the tipping point to realizing I could get along with my Surface.


Then came the surprises.


There’s a Desktop version of Internet Explorer – and this one is fully functional! It even has “View Source” and the F12 Developer Tools, Microsoft’s best-kept secret in IE for some time now. [On your Touch Cover, you get F12 by holding down the “Fn” key as you press “PgDn”] This means I can carry on my Cross-Site Scripting endeavours on my Surface – which I couldn’t do from my iPad at all.


Also not on the iPad, but present on the Surface, a full version of the Command Prompt – I can run all my old batch scripts. Notepad, too (but no WordPad, sadly). Even, and I can’t imagine using the power of this too much, PowerShell!


Flash Player, as well, which isn’t available on the iPad. Remote Assistance and Remote Desktop, so I can connect to a real computer, something that wasn’t a good experience on the iPad.


Bitlocker.


Woah, BitLocker? Wow, my hard drive is already encrypted. So too could be the 64GB MicroSD card I’ve attached for extra video and audio storage, again something I can’t do on my iPad.


PerfMon, ResMon, Event Viewer, RegEdit, Windows Scripting Host, all sorts of serious tooling works in the desktop environment. Not Visual Studio, yet, but let’s remember… this is a toy, not a real laptop.


The upshot of which is…


I use my Surface 2 far more than I ever used my iPad.


Despite a few niggling sharp corners that need to be addressed, it irritates me far less than any Apple device I’ve ever owned. This just cements in my mind that, while there are many people who love their Apples, I’m just not their target consumer. I’m not sure that I’m exactly the target consumer of the Surface, but it’s inspired me and continues to grow on me. I’m even starting to write code for it. We’ll see if that becomes anything in due course.


 


Java not yet available for Surface – one more advantage.

A reminder of who I am, and what I do

Looking at my recent posts, I’ve noticed a few things – not only have I been posting very sporadically and randomly, but also I’ve been avoiding talking about a number of aspects of myself that are key to why I maintain this blog.

In an effort to improve on that, I’m going to start with a quick recap of my biography – not a chronological approach, but a few details to let newcomers know who I am, and old-timers remember my motivations.

1. Family – a father and husband

This always comes first. I work to support my family. I’ve been married nearly twenty years to a fantastically understanding wife, and with her I have a wonderful seventeen-year-old son who is fast becoming the sort of adult whom I’d want to be friends with, if we weren’t already related.

2. Technical interests – general

What makes me prime MVP material, as well as informs the rest of my work, is that I am fascinated with all aspects of technology, from nanotech to 3d printing, quantum computing, cryptography, physics, mathematics – even if it’s unrelated to my own work, or requires tools I can’t afford to use, I’m fascinated by, and try to remain informed about, as much technology as possible.

Sadly, the human brain and attention span can only gather so much information, so there’s always topics I want to know more about. I think this is the eternal frustration of the technologically inclined.

3. Technical background – developer

I’m also a software developer – practically my first job out of college was to develop for Unix platforms, initially, maintaining and porting Fortran code to that platform. Moved from there to Windows, largely out of cussidness (trying to prove to the world that Windows could run a reliable server), and languages like C++, C#, and a few other languages as time and interest allowed.

4. Interest & Current job – security guy

Over time, though, it became clear that my code was getting hacked. So was everyone else’s, but I was unusual in noticing it and wanting to do something about it.

So I became an expert in security. Mostly I did this by reading other people’s books, blogs and articles, and then answering other people’s security questions, to demonstrate that I understood and could explain.

Then, because I didn’t have a career background in security, I had to build one to match my expertise. So I worked my way up “through the ranks”, albeit a little quicker than was expected. Hopefully, that didn’t result in too much missed instruction.

As a result, I’m now a Senior Security Engineer at a large online site. I won’t name them, not because they’re not proud of me, or I’m not proud of them, but because they’ve made it very clear that my blogging is not a part of my job, and my job is not to be a part of my blog.

That means, of course, that nothing I say here is to be construed as an indication of my employer’s position (unless I specifically say it is), and that the stories here and on my twitter feed are pulled from general experience, conversations with others in my field, and general places I have worked, rather than my current employer. I have worked at enough places to tell that developers are, on average, the same no matter where you go. So the stories are the same.

The main area I’m interested in is that of Application Security – how you can build applications that offer functionality while remaining resilient under attack. But I’m still also interested in network security, social engineering (for good and fighting its use for ill), spam fighting, and a number of other topics. I occasionally tell people their web sites are broken.

5. Side work – WFTPD, 2ndAuth, Texas Imperial Software

At various times I’ve also been self-employed, and created Texas Imperial Software as the outlet for my frustrated software development side. Usually, it’s because I’ve seen a need (or had that need myself!) that isn’t being fulfilled by existing software.

“How hard can that be?” is usually the phrase that gets me into trouble.

So I find out how hard it can be. In this manner, I’ve produced:

WFTPD Server / WFTPD Server Pro – FTP servers for Windows. These have been selling for twenty years now, less solidly lately than in the past, when WFTPD was my full time job. But the income is enough to keep up the absolutely minimal support expenditure this software takes.

2ndAuth – an auditing solution for shared accounts in Windows client and server systems. When you try to log on to a Windows system using an account marked as “shared”, you are prompted in addition for your real username and password. In turn, your verified username is logged in the Windows Event Log as a user of this shared account. Sure, shared accounts are against policy, but there are some times they can’t be avoided. In those times, 2ndAuth is a compensating control that allows you to finally answer the question “I know SQLAdmin brought down the server – so which operator do I kick / re-train / fire?”

iFetch – I love BBC Radio and TV, and wrote an app that fetches radio (or TV, if you’re in the UK) shows from the iPlayer, so that you can sync them to your mobile devices that aren’t supported by iPlayer apps.

6. Survivor – cancer

This is a pretty amazing achievement, thinking back on it – but I feel like all the work was done by other people – my wife, who made important surgical decisions while I was under general anaesthesis, and has been a great strength ever since, my surgeon and the doctors who handled the follow-up work, and my son who suffered through many nights of chicken and rice which was all I had the stomach for after radiotherapy. All I did was live through it.

This is why I cringe whenever I hear people talking about “brave” cancer patients. What I did was not brave, it was survival. Running from a bear that you’ve just noticed is eating you is not brave. It’s normal, it’s natural – it’s hard, for sure, but it isn’t brave. Brave is running towards the bear to beat him off.

Oh, and the type of cancer was testicular. The outside world considers that a bad word – and while conversations about breast cancer are plenty, you won’t find a testicular cancer awareness month. [The medical profession, by comparison, thinks cancer is a bad word, and listed my condition everywhere as “testicular C.”]

Men between the ages of 15 and 35 are most likely to be hit by testicular cancer – and there’s good news, and bad news. The good news is, it’s the most easily treated form of cancer (partly because it’s mostly outside the body already). The bad news – it’s fast acting, so delaying seeking treatment leads to many men literally dying because of embarrassment.

7. Microsoft MVP – Enterprise Security

This is an award that I’m constantly proud to have received, and which I think is thoroughly worth having. I’ll be sadder when I finally lose my MVP status (hopefully many years away still) than I was when I lost my CISSP. The network of other smart people is wonderful – and being in a category that has no closely-defined product means that I can continue to give more generally-appropriate advice, rather than specific instruction on an individual product. [It also means we don’t get the exciting swag, but hey, that’s not what I’m in the program for]

There’s an MVP Summit starting on November 17, it’s kind of a Microsoft-centric conference (think TechEd), but at a faster pace, greater depth, and with some material that isn’t public yet. We’ve each signed an NDA, and there are things I know are coming that are really exciting to me, but that I can’t talk about – yet.

8. Hobbies – juggling, unicycling

And occasionally I will draw on my hobbies of juggling and unicycling. This is how I get my exercise, some of the time, passing clubs with my son or riding unicycles around the school gym. I’m not very good, but then I don’t have to be.

Useful Excel Macros #1–compare two columns

I often need to compare two columns, and get a list in a third column of the items that are in one column, but not the other.

Every solution I find online has one common problem – the third column is full of blanks in between the items. I don’t want blanks. I want items.

So I wrote this function, which returns an array of the missing items – items which are in the first parameter, but not in the second.

I’m probably missing a trick or two (I’m particularly not happy with the extra element in the array that has to be deleted before the end), so please feel free to add to this in the comments.

Public Function Missing(ByRef l_ As Range, ByRef r_ As Range) As Variant()
' Returns a list of the items which are in l_ but not in r_
' Note that you need to put this formula into a range of cells as an array formula.
' So select a range, then type =Missing($A:$A,$B:$B), and press Ctrl-Shift-Enter
' If the range is too big, you'll get lots of N/A cells
Dim i As Long ' loop through l_
Dim l_value As Variant ' current value in l_
Dim y() As Variant ' Temp array to store values found
ReDim y(0)

For i = 1 To l_.Count ' Loop through input

  l_value = l_.Cells(i, 1) ' Get current value
  
  If Len(l_value) = 0 Then ' Exit when current value is empty
    GoTo exitloop
  End If

  If r_.Find(l_value) Is Nothing Then ' Can't find current value => add it to the missing
    ReDim Preserve y(UBound(y) + 1) ' Change array size
    y(UBound(y) - 1) = l_value ' Add current value to end
  End If
Next i
exitloop:
If UBound(y) < 1 Then
  Return
End If
ReDim Preserve y(UBound(y) - 1)
If Application.Caller.Rows.Count > 1 Then ' If we were called from a vertical selection
  Missing = Application.Transpose(y) ' Transpose the array to a vertical mode.
Else
  Missing = y ' otherwise just return the array horizontally.
End If
End Function



.csharpcode, .csharpcode pre
{
font-size: small;
color: black;
font-family: consolas, “Courier New”, courier, monospace;
background-color: #ffffff;
/*white-space: pre;*/
}
.csharpcode pre { margin: 0em; }
.csharpcode .rem { color: #008000; }
.csharpcode .kwrd { color: #0000ff; }
.csharpcode .str { color: #006080; }
.csharpcode .op { color: #0000c0; }
.csharpcode .preproc { color: #cc6633; }
.csharpcode .asp { background-color: #ffff00; }
.csharpcode .html { color: #800000; }
.csharpcode .attr { color: #ff0000; }
.csharpcode .alt
{
background-color: #f4f4f4;
width: 100%;
margin: 0em;
}
.csharpcode .lnum { color: #606060; }

Windows Phone 8 improves podcast support to Windows Phone 7 levels

OK, so that’s a really quite inflammatory headline, for a feature change that actually has me really excited, because I can finally use a feature of my phone that I used to love very much.

TL;DR – New version of the Windows Phone for Desktop App. Get it, it puts podcast support for MP3 files (rather than web hosted) back in.

Podcasts

But not really podcasts

As soon as I start talking about podcasts, most of you are either happily thinking about, or dismissing out of hand, the concept of a few people talking into a microphone about some topic they care about very deeply. I don’t really enjoy those kinds of podcasts, because I feel I can get the same kind of information more quickly and without the fanboy stylings from written material like blogs and the intertubes.

So, no, I don’t listen to podcasts.

But I do listen to something that has a lot of similar features to podcasts. I’ll call them “Sequential Long Audio Files” or SLAFs.

Not really music, either

Episodic in nature, and sequential in that it generally pays to listen in the right order, audiobooks and radio drama are examples of SLAFs – audio files that don’t behave like the typical “Music” that phones are generally designed to play.

Music files start from the beginning every time you play them. If you break away from one music track to listen to another, and then come back, you aren’t upset that it lost your place.

With the exception of concept albums and mix tapes, you don’t tend to need to listen to music files in any particular order.

OK, also the exception of symphonic music, opera, musical theatre, etc. There’s probably a lot of music that people want to listen to in sequence and with the ability to break away to another audio file and then return to the same point once you get back.

But not podcasts

Podcasts are already in this area, and they’re well supported on the Windows Phone 8 platform. So, there’s little need to improve in that feature, says the guy who acknowledges he never listens to podcasts.

What’s not been supported well – in Windows Phone 7 or at all in Windows Phone 8 – is the type of audio file exemplified by audio books, radio drama, symphonic music, opera, and so on. The SLAFs.

Here’s some differences between SLAFs and regular podcasts:

  • You already have the files – they’re not on the web to be subscribed to
  • The files are sequenced by ID3 tags – rather than XML you fetch from a web site
  • Also in ID3 tags, AlbumArt that indicates a thumbnail for the series – rather than an XML file
  • Often, the sequence is finite, there’s an expectation that you will listen to all six (or however many) episodes (chapters, lieder, etc) and then be done with that set – rather than a podcast which may start at “episode 1”, but entices you back for “another great show next week” until such time as the audience and advertising dwindles to the point where the power (and the podcast) gets pulled. This means that “subscribing” makes no sense in sequential audio.

I’m sure there are other differences too.

He’s said this before

Yes, I’ve complained about podcast support on Windows Phone before, over and over and over again.

In Windows Phone 7, I wanted a few simple features added.

In Windows Phone 8, they took the entire feature set away. Podcasts now had to come from a URL and be subscribed to. Great for traditional podcasts, but intolerable for SLAFs. Yes, I could have written a web service that turns a SLAF album into a podcast series, but I just didn’t have the time.

Now, the feature has been brought back – and through a delivery of a new version of the Windows Phone app for desktop. This is what replaced the Zune software. Which really wasn’t all that bad.

So, how do we do this?

Step by step.

  1. Install the new version of the Windows Phone app for desktop.
  2. Now run it.
    image
  3. Click on “pc”, if you need to. Note that, because this is a “metro” interface, “PC” is in lower case, despite all English style guides.
    image
  4. Click on “podcasts”
    image
  5. Check the podcasts you want to put on the phone, and hit “Sync” to send them there.

What if I didn’t see any podcasts?

Yes, that will happen, if you haven’t marked any items as podcasts, or put them into the sync folders.

You see that thing that says “Add or remove folders”?

This is what allows you to pick the folders into which you will put your SLAFs.

Click that, and you’re presented with a familiar-looking dialog:

image

In Windows Phone 7 and the Zune software, you also had to go and change the genre on your SLAFs to “Podcast”.

I am pleased as punch to say that you don’t have to do that any more. Leave the genre what it was. Not that the phone will make any use of it, allow you to search, sort or filter by it, or in any way act as if you’ve done anything better than setting the genre to “Podcast”. But it makes me feel good to know that I don’t have to assault my files to make them work on the Windows Phone.

What’s left to do?

Clearly the feature isn’t finished – there’s some work to do in the phone to improve support.

wp_ss_20130531_0002

As you can see from the image to the left, there’s a whole lot of grey where there ought to be images from the AlbumArt ID3 tag in each of these series.

I can’t help but think that sometimes these titles are going to lose something important off the end. Radio shows like to have incredibly long titles, and I’m sure that something like “The Hitch-hiker’s Guide to the Galaxy Series 2” is going to be truncated so that I can’t tell which series I’m listening to. A little more wrap, possibly a marquee-style scrolling display, should fix this where it makes sense to do so.

Ordering – or sequencing – of episodes seems to still leave a little to be desired. It seems that the series will only play in sequence if the files are date-stamped. It would be nice if the podcast tool would simply read the ID3 tags for “track number” and/or “part of set” rather than rely on file dates, which could simply work off when you downloaded or ripped these files. [Note that I advocate the legal use of such technologies to space-shift or time-shift recordings to which you have purchased, or otherwise legitimately own, rights to possess and listen.]

But I can now listen happily to my radio shows – without the radio – and without the Interwebs – as if they were podcasts (though they aren’t).

Gin & tonic all round.

So, thanks and cheers, then, to all at Microsoft involved in bringing this feature back.

Now, if you don’t mind also making it better, that would be lovely.

Credential Provider update–Windows 8 SDK breaks a few things…

You’ll recall that back in February of 2011, I wrote an article on implementing your first Credential Provider for Windows 7 / 8 / Server 2008 R2 / Server 2012 – and it’s been a fairly successful post on my blog.

Just recently, I received a report from one of my users that my version of this was no longer wrapping the password provider on Windows Server 2008 R2.

As you’ll remember from that earlier article, it’s a little difficult (but far from impossible) to debug your virtual machine to get information out of the credential provider while it runs.

Just not getting called

Nothing seemed to be obviously wrong, the setup was still executing the same way, but the code just wasn’t getting called. For the longest time I couldn’t figure it out.

Finally, I took a look at the registry entries.

My code was installing itself to wrap the password provider with CLSID “{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}”, but the password provider in Windows Server 2008 R2 appeared to have CLSID “{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}”. Subtle, to be sure, but obviously different.

I couldn’t figure out immediately why this was happening, but I eventually traced back through the header files where CLSID_PasswordCredentialProvider was defined, and found the following:

   1: EXTERN_C const CLSID CLSID_PasswordCredentialProvider;


   2:  


   3: #ifdef __cplusplus


   4:  


   5: class DECLSPEC_UUID("60b78e88-ead8-445c-9cfd-0b87f74ea6cd") 


   6: PasswordCredentialProvider; 


   7: #endif


   8:  


   9: EXTERN_C const CLSID CLSID_V1PasswordCredentialProvider;


  10:  


  11: #ifdef __cplusplus


  12:  


  13: class DECLSPEC_UUID("6f45dc1e-5384-457a-bc13-2cd81b0d28ed") 


  14: V1PasswordCredentialProvider; 


  15: #endif 


  16:  

As you can see, in addition to CLSID_PasswordCredentialProvider, there’s a new entry, CLSID_V1PasswordCredentialProvider, and it’s this that points to the class ID that Windows Server 2008 R2 uses for its password credential provider – and which I should have been wrapping with my code.

The explanation is obvious

It’s clear what happened here with a little research. For goodness-only-knows-what-unannounced-reason, Microsoft chose to change the class ID of the password credential provider in Windows 8 and Windows Server 2012. And, to make sure that old code would continue to work in Windows 8 with just a recompile, of course they made sure that the OLD name “CLSID_PasswordCredentialProvider” would point to the NEW class ID value. And, as a sop to those of us supporting old platforms, they gave us a NEW name “CLSID_V1PasswordCredentialProvider” to point to the OLD class ID value.

And then they told nobody, and included it in Visual Studio 2012 and the Windows 8 SDK.

In fact, if you go searching for CLSID_V1PasswordCredentialProvider, you’ll find there’s zero documentation on the web at all. That’s pretty much unacceptable behaviour, introducing a significantly breaking change like this without documentation.

So, how to support both values?

Supporting both values requires you to try and load each class in turn, and save details indicating which one you’ve loaded. I went for this rather simple code in SetUsageScenario:

   1: IUnknown *pUnknown = NULL;


   2: _pWrappedCLSID = CLSID_PasswordCredentialProvider;


   3: hr = ::CoCreateInstance(CLSID_PasswordCredentialProvider, NULL, CLSCTX_ALL, IID_PPV_ARGS(&pUnknown));


   4: if (hr == REGDB_E_CLASSNOTREG)


   5: {


   6:     _pWrappedCLSID = CLSID_V1PasswordCredentialProvider;


   7:     hr = ::CoCreateInstance(CLSID_V1PasswordCredentialProvider, NULL, CLSCTX_ALL, IID_PPV_ARGS(&pUnknown));


   8: }

Pretty bone-dead simple, I hope you’ll agree – the best code often is.

Of course, if you’re filtering on credential providers, and hope to hide the password provider, you’ll want to filter both providers there, too. Again, here’s my simple code for that in Filter:

   1: if (IsEqualGUID(rgclsidProviders[i], CLSID_PasswordCredentialProvider))


   2:     rgbAllow[i]=FALSE;


   3: if (IsEqualGUID(rgclsidProviders[i], CLSID_V1PasswordCredentialProvider))


   4:     rgbAllow[i]=FALSE;



If that wasn’t nasty enough…



Ironically, impacting the Windows XP version of the same package (which uses a WinLogon Notification Provider, instead of a Credential Provider), another thing that the Windows 8 SDK and Visual Studio 2012 did for me is that it disabled the execution of my code on Windows XP.



This time, they did actually say something about it, though, which allowed me to trace and fix the problem just a little bit more quickly.



The actual blog post (not official documentation, just a blog post) that describes this change is here:



Windows XP Targeting with C++ in Visual Studio 2012



What this blog indicates is that a deliberate step was taken to disable Windows XP support in executables generated by Visual Studio 2012. You have to go back and make changes to your projects in order to continue supporting Windows XP.



That’s not perhaps so bad, because really, Windows XP is pretty darn old. In fact, in a year from now it’ll be leaving its support lifecycle, and heading into “Extended Support”, where you have to pay several thousand dollars for every patch you want to download. I’d upgrade to Windows 7 now, if I were you.

New Windows Phone 8. Something to love, something to hate.

Given in to phone envy, Alun?

No, not really – although I will say it was interesting to be around so many Windows Phone 8 users at the Microsoft MVP Summit last week.

But the HTC HD7 I originally bought, which spent a half-hour in a hot-tub (syncing), then a week in a bucket of Damp-Rid, then a year (working) in the hands of my teenaged son, finally bit the dust in the middle of the MVP Summit.

Says the storage card is corrupted.

So, I can’t afford the time to take it apart, mess with the drive and possibly even discover that it is truly dead.

I have to take advantage of the “upgrade” pricing that comes with committing to another year of service from T-Mobile, and upgrade him to a Windows Phone 8 system.

Then my wife gets interested in the phone, and before you know it, we’re all getting new phones.

No problems, then – everything’s good!

Yes and no.

It’s always good to get a new phone, sure, and to enjoy the fun of new features. But you’ve got to reinstall, and in some cases, re-buy (my wife went from a Blackberry to an HTC 8X) all your apps. And the data is all gone. High-scores, messages, settings, there’s no good path to take data from a WP7 to a WP8, let alone from a Blackberry to a WP8.

Some apps, of course, save their data to the cloud – all my OneNote files came with me.

It’s not so bad in the future, because there’s apparently a better upgrade path from WP8 to other WP8 phones. Messages get backed up, as well as your app list and settings.

How’d you get your apps back, then?

The interface to reinstall has improved over the years, from the first version, in which I only found the ability to restore apps installed directly from the Zune software; to a later version, which required a bunch of different click-through pages for each app you want to reinstall. Now, the reinstall interface is so much easier. Just go to the Windows Phone "Purchase History” page, scroll down the list of apps and click “Reinstall” on each app you want to go onto your new phone. No clicking through, no re-checking boxes about allowing location, etc.

Despite the name “Purchase History”, this page lists even those apps which I downloaded for free, whether as Trial software, or because the software was free in the first place.

That’s the good part, and that’s how I got some of my apps back. But the bad part is that this list doesn’t contain all of my free apps, just a limited, and somewhat random, selection. For instance, although it lists Amazon Fresh, the Purchase History page is missing Amazon Kindle, and Amazon Mobile, as well as the majority of my other free apps. This is not good customer experience, and if I was the author of any of the apps that aren’t easily reinstallable, I’d probably raise a big stink.

So now, I have to go one by one through my old phone’s list of apps, finding out which aren’t on my new phone, searching for them in the store, finding them in the search results, clicking on them, then clicking “Reinstall” (the store knows I have already installed them before). This makes me more likely to not reinstall these apps, and since the majority of these are ad-funded apps, whose authors won’t make a dime unless I run them, I think that app developers have a strong incentive to ask Microsoft to fix this behaviour.

And how’s the podcast experience?

Oh, you knew that I’d have something to say about that. Well, this post’s long enough already, so I’ll leave that until next time. For now, I have to say I do like my new phone, but I’m really tired of this whole update process already.

That “are you kidding me?” moment in customer support

So, my Sunbeam electric blanket died yesterday. Second one in a year.

As a dutiful consumer, I’d really like to report this to the manufacturer, get a replacement and move on. I fill out the “Contact Us” form. Then I get this ludicrous error:

image

So, you’re going to ask your customers to contact you when they have problems, and then you’re going to actually limit the characters they’re allowed to use in the QUESTION that they’re asking you?

Asking me to avoid using quotes, colons and semicolons in written English is completely ludicrous.

And yes, I know why they do this. It’s because they attended a course on secure programming which told them how to do input validation.

Input validation is not the shizzle

I am constantly amazed as to how frequently I have to ram this point home to developers who have learned one trick to protect against injection attacks.

“Validate ALL input – reject the bad characters!” – I’ve heard this from a number of people, including security professionals.

When you CAN do strict input validation based off a restricted whitelist, of course, that’s great – “input a whole number between one and ten” is good for input validation. “Input your name” generally isn’t, because names have a habit of containing characters that are known to be ‘bad’ characters in a number of cases, such as “O’Donnell”. Apostrophes are bad in numerous cases. “Input your question”, as in this case, is likely to elicit all kinds of funky characters.

And, as I ask the candidates on my phone screen interviews, what do you do in the case when you have a web app which stores to a SQL database, and its task is to store XSS and SQL injection attacks. <sigh> Clearly, you have to use acceptable output encoding. Apparently, Sunbeam’s web developers are not good enough to know when to stop using input validation, and start using output encoding.

Even less smart

My suspicions are confirmed when, after typing in a correctly formed question, the model number of the blanket (which, curiously, isn’t anywhere on the blanket or its controllers), the date code on the plug, and my contact details, the web page unerringly provides me with this as its response:

image

So, I think our next step is to contact Amazon to resolve this customer service issue properly. And not buying from Sunbeam again.

Removing capabilities from my first Windows Phone app

So, I thought I’d write a Windows Phone app using Visual Studio 2012 the other day. Just a simple little thing, to help me solve my son’s algebra homework without getting into the same binds he does (failure to copy correctly, fumbled arithmetic, you know the thing…)


And I run into my first problem.


The app uses no phone capabilities worth advertising – you know, things like the choice to track your location, so that the app’s install will ask the user “do you want to allow this app to have access to your location”, and you say either “allow”, or “why the hell does a flashlight application need to know where I am?”


And yet, when I run the “Automated Tests” under the Store Test Kit, I get the following:


image


If you can’t read the image, or you’re searching for this in Google, I’ll tell you that it wants me to know that it’s validated all the capabilities I’m using, and has noticed that I’m using ID_CAP_MEDIALIB and ID_CAP_NETWORKING.


Weird, because I don’t do any networking, and I don’t access any of the phone user’s media.


It’s just my son and me using the app right now, but I can picture some paranoid person wondering why I need access to their media library or networking simply so I can solve the occasional simultaneous or quadratic equation!


Quite frankly, I was mystified, too. Did a bit of searching across the interWebs, but all the articles I found said the same thing – the MediaLib capability must be because you’re using something with the word “Radio” or “Media” in it somewhere (I’m not), and the Networking capability because you’re doing something across the network. I removed all the “using System.Net” lines from all of my code files, but still no joy.


[A quick tip: to find all these rules yourself, look in C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v7.1\Tools\Marketplace for the file “rules.xml”, which will tell you what the capability detection code is looking for]


Nothing in my own code seemed to be actually causing this, so I took a step back and had a look at other references being included by the compiler by default.


System.Net seemed to be an obvious offender, so I removed that, to no effect (quite right, too, because it isn’t the offender, and doesn’t, on its own, cause ID_CAP_NETWORKING to be detected).


No, here’s the culprit:


image


Microsoft.Expression.Interactions – what on earth is that doing there?


It’s not something I remember including, and quite honestly, when I went looking for it, I’m disappointed to find that it’s associated with Expression Blend, not something I’ve actually used EVER. [Maybe I should, but that’s a topic for another time].


Removing this reference and rebuilding, the XAP tests clear of all capabilities. Which is nice.


So, now I have my “Big Algebra” app in beta test, and it doesn’t tell the user that it’s going to need their media library or their network connection – because it’s not going to need them!