Miscellany – not security

Auto convert inked shapes in PowerPoint–coming to OneNote

I happened upon a blog post by the Office team yesterday which surprised me, because it talked about a feature in PowerPoint that I’ve wanted ever since I first got my Surface 2.

Shape recognition

Here’s a link to documentation on how to use this feature in PowerPoint.


It seems like the obvious feature a tablet should have.

Here’s a video of me using it to draw a few random shapes:

But not just in PowerPoint – this should be in Word, in OneNote, in Paint, and pretty much any app that accepts ink.

And at last, OneNote

So here’s the blog post from Office noting that this feature will finally be available for OneNote in November.


On iPad, iPhone and Windows 10. Which I presume means it’ll only be on the Windows Store / Metro / Modern / Immersive version of OneNote.

That’s disappointing, because it should really be in every Office app. Hell, I’d update from Office 2013 tomorrow if this was a feature in Office 2016!

Let’s not stop there

Please, Microsoft, don’t stop at the Windows Store version of OneNote.

Shape recognition, along with handwriting recognition (which is apparently also hard), should be a natural part of my use of the Surface Pen. It should work the same across multiple apps.

That’s only going to happen if it’s present in multiple apps, and is a documented API which developers – of desktop apps as well as Store apps – can call into.

Well, desktop apps can definitely get that.

How can I put it into my own app?

I’ll admit that I haven’t had the time yet to build my own sample, but I’m hoping that this still works – there’s an API called “Ink Analysis”, which is exactly how you would achieve this in your app:


It allows you to analyse ink you’ve captured, and decide if it’s text or a drawing, and if it’s a drawing, what kind of drawing it might be.

[I’ve marked this with the tag “Alun’s Code” because I want to write a sample eventually that demonstrates this function.]

NCSAM resume–sorry for the interruption

TL;DR – hardware problems, resuming NCSAM posts when / if I can get time.

Well, that went about as well as can be expected.

I start a month of daily posts, and the first one is all that I achieved.

Perhaps I’ve run out of readers, because nobody asked if I was unwell or had died.

No, I haven’t died, the simple truth is that a combination of hardware failures and beta testing got the better of me.

I’d signed up to the Fast Ring of Windows Insider testing, and had found that Edge and Internet Explorer both seemed to get tired of running Twitter and Facebook, and repeatedly got slower and slower to refresh, until eventually I had to quit and restart them.

Also the SP3 refused to recognise my Microsoft Band as plugged in [actually a hardware failure on the Band, but I’ll come to that another day].

Naturally, I assumed this was all because of the beta build I was using.

So, I did what any good beta tester would do. I filed feedback, and pressed the “Roll back” button.

It didn’t seem to take as long as I expected.


That’s your first sign that something is seriously wrong, and you should take a backup of whatever data is left.

So I did, which is nice, because the next thing that happened is that I tried to open a Windows Store app.

It opened a window and closed immediately.


So did every other Windows Store / Metro / Modern / Immersive app I tried.

Including Windows Store itself.

After a couple of days of dinking around with various ‘solutions’, I decided I’d reached beta death stage, and should FFR (FDISK, FORMAT and Reinstall).

First, make another backup, just because you can’t have too many copies of the data you rely on.

And … we’re good?

That should have been close to the end of the story, with me simply reinstalling all my apps and moving along.

In fact, I started that.

Then my keyboard stopped working. It didn’t even light up.

Plugging the keyboard (it’s a Surface Pro Type Cover) into another Surface (the Surface Pro Type Covers work on, but don’t properly cover, a Surface 2, which we have in my house) demonstrated that the keyboard was just fine on a different system, just not on my main system.

The keyboard for a Surface Pro 3 works on a Surface 2

The keyboard for a Surface Pro 3 is not going to fit properly as a cover for your Surface 2

So, I kept a few things running by using my Bluetooth keyboard and mouse, and once I convinced myself it was worth the trip, I took my Surface Pro 3 out to the Microsoft Store in Bellevue for an appointment.

I dream of Jeannie – no, that’s creepy

Jeannie was the tech assigned to help me with my keyboard issue. Helpful and friendly, she didn’t waste time with unnecessary questions or dinking around with stuff that could already be ruled out.

She unplugged the keyboard and tried it on another system. It worked. No need to replace the keyboard.

Can she do a factory reset?

Be my guest – I made another backup before I came out to the store.

So, another quick round of FFR, and the Surface still doesn’t recognise the keyboard.

Definitely a hardware problem, and that’s the advantage of going to the Microsoft Store.

Let me get you a replacement SP3, says Jeannie, and heads out back to the stock room.

Bad news, she says on coming back, We don’t have the exact model you have (an i7 Surface Pro 3 with 256 GB of storage).

Is it OK if we get you the next model up, with twice the storage?

Only if you can’t find any way to upgrade me for free to the shiny Surface Book you have on display up front.

So, now I have a bigger Surface Pro 3

Many thanks to Jeannie for negotiating that upgrade!

But now I have to reinstall all my apps, restore all my data, and get back to functioning before I can engage in fun things like blogging.

I’ll get back into the NCSAM posts, but they’ll be more overview than I was originally planning.

Windows 10 – first impressions

I’ve updated from Windows 8.1 to Windows 10 Enterprise Insider Preview over this weekend, on my Surface Pro 3 and a Lenovo tablet. Both machines are used for software development as well as playing games, so seemed the ideal place to practice.

So here’s some initial impressions:

1. VPN still not working properly

I’ve mentioned before (ranted, perhaps) about how the VPN support in Windows 8.1 is great for desktop apps, but broken for Metro / Modern / Immersive / Windows Store apps.

Still, maybe now I’m able to provide feedback, and Windows is in a beta test phase, perhaps they’ll pay attention and fix the bugs.

2. Stuff crashes

It’s a beta, but just in case you were persuaded to install this on a production system, it’s still not release quality.

Every so often, the Edge browser (currently calling itself “Project Spartan”) will just die on you.

I’ve managed to get the “People Hub” to start exactly twice without crashing immediately.

3. Update after you install

Download the most recent version from the Insider’s page, and you still have to apply an update to the entire system before you’re actually up to date. The update takes essentially as long as the initial install.

4. Update before you install – and make a backup

Hey, it’s a beta – what did you expect?

Things will break, you’ll find yourself missing functionality, so you may need to restore to your original state. Update before you install, and fewer things are likely to go wrong in the upgrade.

5. Provide feedback – even about the little things

They won’t fix things you don’t provide feedback about.

OK, so maybe they also won’t fix things that you DO provide feedback on, but that’s how life works. Not everything gets fixed. Ever.

But if you don’t report issues, you won’t ever see them fixed.

6. The new People Hub is awful

The People “Hub” in Windows 10, from the couple of times I’ve managed to execute it, basically has my contacts, and can display what’s new from them in Outlook Mail.

I rather enjoy the Windows 8.1 People Hub, where you can see in one place the most recent interactions in Twitter, Facebook, LinkedIn and Skype. Or at least, that’s what it promises, even if it only actually delivers Facebook and Twitter.

7. Videos can now be deleted

It’s always possible to delete a video file, of course, but in Windows 8.1, after you’ve finished watching a video from the Videos app, you had to go find some other tool in which to do so – and hope that you deleted the right one.

In Windows 10 you can use the context menu (right click, or tap and hold) on a video to delete it from your store.

Still needs some more work – it doesn’t display subtitles / closed-captioning, it only orders alphabetically, and there’s no jumping to the letter “Q” by pressing the “Q” key, but this app is already looking very functional even for those of us who collect MP4 files to watch.

8. No Media Center

I really, really liked the Media Center. More than TiVo. We have several Media Center PCs in our house, and now we have to figure out what we’re going to do. I’m not going back to having a made-for-purpose device that can’t do computing, I want my Media Center. I’ll try some of its competitors, but it’d be really nice if Microsoft relents and puts support back for Media Center.

9. Edge / Spartan browser – awesome

Excellent HTML5 compatibility, reduced chance of being hit by third party vulnerabilities, F12 Developer Tools, and still allows me to test for XSS vulnerabilities if I choose to do so.

Pretty much what I want in a browser, although from a security standpoint, the choice to allow two third party vulnerabilities add-ins into the browser, Flash and Reader, seems to be begging future trouble.

Having said that, you can disable Adobe Flash in the Advanced Settings of your Spartan browser. I’m going to recommend that you do that on all your non-gaming machines. Then find out which of your web sites need it, and either fix them, or decide whether you can balance the threat of Flash with the utility of that service.

The F12 Developer Tools continue to be a very useful set of web site debugging tools, and assist me greatly in discovering and expanding on web site vulnerabilities. I personally find them easier than debugging tools in other browsers, and they have the benefit of being always installed in recent Microsoft browsers.

The “Reader” view is a nice feature, although it was present in Windows 8.1, and should be used any time you want to actually read the contents of a story, rather than wade through adverts and constant resizing of other content around the text you’re actually interested in.

9.1 XSS

Because, you know, I’m all about the XSS.

Internet Explorer has a pretty assertive XSS filter built in, and even when you turn it off in your settings, it still comes back to prevent you. I find this to be tricky, because I sometimes need to convince developers of the vulnerabilities in their apps. Firefox is often helpful here, because it has NO filters, but sometimes the behaviour I’m trying to show is specific to Internet Explorer.

Particularly, if I type a quote character into the URL in Internet Explorer, it sends a quote character. Firefox will send a %22 or %27 (double or single quotes). So, sometimes IE will trigger behaviour that Firefox doesn’t.

Sadly, although Spartan does seem to still be useful for XSS testing, the XSS filter can’t be specifically turned off in settings. I’d love to see if I can find a secret setting for this.
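The difference between a raw quote and %22 / %27 matters when a page echoes the request URL as received rather than the decoded parameter. The following is an added example, not code from the original post: a simplified model of the two browsers' quote handling as described above, a hypothetical page that reflects the query string into an attribute, and the same page with output encoding. All function names and the sample query are constructed for illustration.

```javascript
// Simplified model of the behaviour described in the post: IE sends a typed
// quote as-is, Firefox sends %22 / %27. Only quote handling is modelled.
function querySentBy(browser, typedQuery) {
  if (browser === "ie") return typedQuery;
  if (browser === "firefox") {
    return typedQuery.replace(/"/g, "%22").replace(/'/g, "%27");
  }
  throw new Error("unknown browser model: " + browser);
}

const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a string for use inside a quoted HTML attribute value.
function encodeAttr(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Hypothetical page that reflects the query string into a double-quoted
// attribute. decode: reflect the URL-decoded value instead of the raw bytes.
// encode: apply attribute encoding on output (the fix).
function render(queryOnWire, { decode, encode }) {
  let value = decode ? decodeURIComponent(queryOnWire) : queryOnWire;
  if (encode) value = encodeAttr(value);
  return '<a href="/search?' + value + '">permalink</a>';
}

// Minimal attribute scan of the single <a> tag produced by render().
function attributeNames(html) {
  const inner = html.slice(html.indexOf("<a") + 2, html.indexOf(">"));
  return [...inner.matchAll(/([^\s"'=<>\/]+)\s*=\s*"([^"]*)"/g)].map((m) => m[1]);
}

// True when the reflected value escaped the href attribute and created a new one.
function isInjected(html) {
  return attributeNames(html).includes("data-injected");
}

// Constructed, harmless test input: a quote followed by a marker attribute.
const TYPED = 'q=" data-injected="1';

function compare() {
  const ie = querySentBy("ie", TYPED);
  const ff = querySentBy("firefox", TYPED);
  return {
    // Raw echo: only the browser that sends a literal quote shows the flaw.
    ieRawEcho: isInjected(render(ie, { decode: false, encode: false })),
    firefoxRawEcho: isInjected(render(ff, { decode: false, encode: false })),
    // Decoded echo: percent-encoding by the browser is no protection.
    firefoxDecodedEcho: isInjected(render(ff, { decode: true, encode: false })),
    // Output encoding closes the hole whichever browser sent the request.
    ieEncodedOutput: isInjected(render(ie, { decode: false, encode: true })),
    firefoxDecodedEncodedOutput: isInjected(render(ff, { decode: true, encode: true })),
  };
}

console.log(compare());
```

A page that looks clean when tested from one browser can still be missing output encoding; the encoding on the server side is the control, not the browser's URL handling.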

10. Microsoft Print to PDF

Windows has needed a PDF printer since, oh, Windows 3.1. A print driver that prompts you for a file name, and saves whatever you’re printing as a PDF file.

With Office, this kind of existed with Save as PDF. With OneNote, you could Print to OneNote, open the View ribbon, and hide the header, before exporting as a PDF. But that’s the long way around.

With Windows 10, Microsoft installed a new printer driver, “Microsoft Print to PDF”. It does what it says on the tin, allowing you to generate PDFs from anywhere that can print.

11. Tablet Mode / PC mode

I use a Surface Pro 3 as my main system, and I have to say that the reversion to a mainly desktop model of operations is nice to my eyes, but a little confusing to the hands – I don’t quite know how to manage things any more.

Sometimes I like to work without the keyboard, because the tablet works well that way. But now I can’t close apps by sliding from top to bottom, even when I’ve expanded them to full screen. Not sure how I’m supposed to do this.

Turning away from Micro$oft

Yesterday’s unexpected notice from Micro$oft that I am not being awarded MVP status this year has caused me to take stock of my situation.

Now that I’m no longer a paid shill of the Evil Empire, and they’ve taken away my free Compuserve account, I feel I can no longer use their products – mainly because I can no longer afford them if I can’t download them for free from MSDN and TechNet.

Security strengths – OR NOT!

Microsoft has been widely derided in the security community for many years, and despite having invented, expanded and documented several secure development processes, practices and tools, it seems they still can’t ship a copy of Flash with Internet Explorer that doesn’t contain rolling instances of buffer overflows.

Microsoft make a great deal out of their SDL tools – documentation and threat modeling guides – and yet they still haven’t produced a version that runs on Mac or Linux systems, unlike Mozilla who’s been able to create a multi-platform threat modeling tool, called Seasponge. Granted it only lets you draw rudimentary data-flow diagrams, and provides no assistance or analysis of its own, requiring you to think of and write up your own threats – but it’s better than nothing! Not better than a whiteboard, granted, but vastly better than nothing.

Active Directory, touted along with its ability to provide central management by Group Policy Objects, simply isn’t able to scale nearly as well as the Open Source competition of Linux, which allows each desktop owner to manage their own security to a degree of granularity that allows for some fantastic incoherence (ahem, “innovation”) between neighbouring cubicles. This is, after all, the Year of Linux on the Desktop.

Unlike Windows, with its one standard for disk encryption, and its one standard for file encryption, Linux has any number to choose from, each with some great differences from all the others, and with the support of a thriving community to tell you their standard is the de-facto one, and why the others suck. You can spend almost as much bandwidth discussing which framework to use as you would save by not bothering to encrypt anything in the first place – which is, of course, what happens while you’re debating.

Something something OpenSSL.

Networking – notworking, more like!

IPv6 has been a part of Windows since Windows XP, and has been enabled by default for considerably longer. And yet so very few of Microsoft’s web properties are available with an IPv6 address, something I’ve bugged them about for the last several years. Okay, so www.microsoft.com, www.bing.com and ftp.microsoft.com all have recently-minted IPv6 addresses, but what about www.so.cl? Oh, OK.

Then there’s the Windows TCP SYN behaviour, where a SYN arriving at a busy socket was responded to by a RST, rather than the silence echoed by every other TCP stack, and which was covered up by Windows re-sending a SYN in response to a RST, where every other TCP stack reports a RST as a quick failure. I can’t tell you how many years I’ve begged Microsoft to change this behaviour. OK, so the last time I spoke to them on this issue, my son was eight, and now he’s driving, so perhaps they’ve worked some more on that since then. It is, after all, a vital issue to support correct connectivity.

It’s never a bag year any more

Finally, of course, the declining MVP swag quality has hit me hard, as I now have to buy my own laptop bag to replace the MVP ones that wore out and were never replaced, a result of Microsoft’s pandering to environmental interests by shipping a chunk of glass instead of a cool toy or bag each year.

My MVP toys were fun – a logo-stamped 1GB USB drive, a laser-pointer-pen-and-stylus which doesn’t work on capacitive touch screens, a digital photo frame – but never as much fun as those given to the MVPs in other Product Groups. The rumoured MVP compound in Florida available for weekend getaways always seemed to be booked.

No more Microsoft for me!

So, how do I get MacOS installed on this Surface Pro 3?

Deploying on the road…

Now that I have a Surface 2, I’m going to leave my laptop at home when I travel.

This leaves me with a concern – obviously, I’m going to play with some of my hobby software development while I have “down time”, but the devices for which I’m building are traveling with me, while the dev machine stays at home.

That’s OK where I’m building for the laptop, because it’s available by Remote Desktop through a Remote Desktop Gateway.

Deploying to my other devices – the Windows Phone and the Surface 2 running Windows RT – is something that I typically do by direct connection, or on the local network.

Windows Phone

For the Windows Phone, there’s a Store called “Beta” as opposed to “Public”, into which you can deploy your app, make it available to specific listed users, and this will allow you to quickly distribute an app remotely to your device.

Details on how to do this are here.

Windows Store

The story on Windows Store apps appears, at first blush, to be far more dismal, with numerous questions online asking “is there a beta store for Windows like there is for the phone?”

The answer comes back “no, but that’s a great idea for future development”.

But it is completely possible to distribute app packages to your Windows RT and other Windows 8.1 devices, using Powershell.

The instructions at MSDN, here, will tell you quite clearly how you can do this.

Thoughts on a New Year

It’s about this time of year that I think…

  • Why do reporters talk so much about NSA spying and Advanced Persistent Threats, when half the websites in existence will cough up cookies if you search for "-alert(document.cookie)-" ?
  • How can we expect people to write secure code when:
    • they don’t know what it is?
    • they can’t recognise insecure code?
    • it’s easier (more clicks, more thinks, etc) to write insecure code?
  • What does it take for a developer to get:
    • fired?
    • a bad performance review?
    • just mildly discomforted?
  • What is it about developers that makes us all believe that nobody else has written this piece of code before? (or that we can write it better)
  • Every time a new fad comes along, whether it’s XML, PHP, Ruby, etc, why do we spend so much time recognising that it has the same issues as the old ones? But without fixes.
  • Can we have an article on “the death of passwords” which will explain what the replacement is – and without that replacement turning out to be “a layer in front of a big password”?
  • Should you let your application out (publish it, make it available on the Internet, etc) if it is so fragile that:
    • you can’t patch it?
    • you can’t update the framework or libraries on which it depends (aka patch them)?
    • you don’t want a security penetration test to be performed on it?
  • Is it right to hire developers on the basis that they can:
    • steer a whiteboard to a small function which looks like it might work?
    • understand an obfuscated sample that demonstrates an obscure feature of your favourite framework?
    • tell you how to weigh twelve coins, one of which might be a fake?
    • bamboozle the interviewer with tales of technological wonders the likes of which he/she cannot fathom?
    • sing the old school song?

Ah, who am I kidding, I think those kinds of things all the time.

For Surfaces rendered

I often thought I’d like to have a career in 3D animation, solely so I could send out invoices with the title of this blog post as their content.

It seems a little late for me to choose that career, so I’ll have to use that title for a blog posting about my Surface, now that I am three weeks in to using it.

There’s no secret (or if there is, it’s poorly hidden) to the fact that MVPs visiting Redmond for the MVP Summit this year received a pretty sweet deal on a 32GB Surface 2 and Touch Cover. Along with hundreds of my brethren, I lined up at the Microsoft Store in Bellevue yelling “shut up and take my money!”

As an actual purchase, rather than a complete giveaway, I did have to pass the purchasing decision through my boss. Fortunately, she agreed that it was a good buy, as long as I treated it as a purchase of a toy for me, and stopped trying to persuade her it was a bona fide business investment for the company. Canny woman, my wife, and skilled at reducing arguments to their simplest and most incisive points.

So, a toy it was pitched as, a replacement for my iPad, which I also got for very little money – I won it in a hacking competition. As a toy, I couldn’t expect to get the Surface Pro, which is convenient, because one wasn’t offered.

What’s it like as a toy?

Does it have the Angry Birds, then? Space and Star Wars versions, yes – Rovio hasn’t been paid to get around to porting the others to Windows 8 yet.

It’s also got Minesweeper and Solitaire, with the added thrill of daily challenges, and an Adventure Mode for Minesweeper that looks a little ripped off from Repton. Mahjong, Jetpack Joyride, Cut the Rope, there’s enough games that while you might find a few individual names here and there that are missing, you’ll be able to replace them with something in the same genre.

The front and back camera make for good Skype use, whether you’re having a face-to-face chat, or showing someone the view out the window.

I can read comics, whether through the dozen or so manga readers, or through the Comics app from Comixology. Books come, of course, courtesy of the Kindle app, and of course there’s a native Amazon app as well, although as usual, it’s hard to get a better shopping experience in an app than Amazon has built into the web version.

That’s right, you actually have a version of Internet Explorer 11 built specially for the touch-screen “Modern UI”, which Microsoft used to call Metro, and which thoroughly needs a new name. This version of Internet Explorer is fairly basic, but fully functional for what most people are going to want it for. For most of what I do on the web, it’s certainly sufficient.

On the fringe of toydom

Social media makes its presence felt nicely in the People hub, like on my Windows Phone, where in one place I can keep up with my Twitter, Facebook and LinkedIn friends/followers/minions. I can also post there, although I miss my phone’s ability to post to multiple outlets at once.

If you’ve been paying attention to my gripes about podcast support on my Windows Phone, I have to say that, out of the box, I have the same – or worse – issues with the Surface 2. The native audio player does allow you to create playlists, but infallibly returns you to the start of an MP3 file almost every time you play it anew, apparently whether you played another MP3 file, skipped to a different app, or received a notification. I await the development of a good podcast / audiobook application with support for local MP3s.

On the video front, things are somewhat improved, with the Xbox Video app being the natively supported method to play my MP4s. Sadly, there’s still no subtitle support, as is the case across every single one of Microsoft’s video playing tools – if the file isn’t streaming across the web, with the closed captions in a separate stream, there’s no way to get captions to display. This is a shame, as there is good support for standard subtitles in MP4s on the Apple competition, whether it’s iPad, iPod or iPhone. Microsoft, this can’t be that hard – support accessibility on all your video players, please! [I’m not deaf, but the bus can get a little loud]

Working up to proper use

The Touch Cover is barely usable as a keyboard – but I’ve added a Bluetooth keyboard to my Christmas wishlist, for the serious typing moments, and the Touch Cover is certainly sufficient for those occasional bon mots on the bus or airplane.

Sadly, Live Writer isn’t available for Windows RT, so I’m not likely to use this for many blogs – although to keep myself honest, I am typing this on the Surface using the Touch Cover keyboard.

To write the blog entry, I’m actually using Word with its blogging template.

Woah, did you say Word? On RT?

Why yes, yes I did – but since the presence of Office 2013 on the Surface was advertised (at least, Excel, PowerPoint, OneNote, Word and Outlook), this was hardly a surprise to me – but it seems like a surprise to many of my Apple-owning friends who are just starting to get excited that Apple have deigned to let them have iWorks on their iPads now.

But the inclusion of Office isn’t the only thing that makes this device veer further into the territory of a non-toy.

Surprisingly functional

I wasn’t really expecting that Windows RT would have a desktop mode. I pretty much thought it would be Modern UI apps and nothing else. That seemed like it would suck, because I can’t then copy files across the network for playing MP3s and MP4s on the bus to and from work.

So a friend of mine set my fears at rest before I bought the Surface, and let me know that there was indeed a desktop, and a Windows Explorer. That was the tipping point to realizing I could get along with my Surface.

Then came the surprises.

There’s a Desktop version of Internet Explorer – and this one is fully functional! It even has “View Source” and the F12 Developer Tools, Microsoft’s best-kept secret in IE for some time now. [On your Touch Cover, you get F12 by holding down the “Fn” key as you press “PgDn”] This means I can carry on my Cross-Site Scripting endeavours on my Surface – which I couldn’t do from my iPad at all.

Also not on the iPad, but present on the Surface, a full version of the Command Prompt – I can run all my old batch scripts. Notepad, too (but no WordPad, sadly). Even, and I can’t imagine using the power of this too much, PowerShell!

Flash Player, as well, which isn’t available on the iPad. Remote Assistance and Remote Desktop, so I can connect to a real computer, something that wasn’t a good experience on the iPad.


Woah, BitLocker? Wow, my hard drive is already encrypted. So too could be the 64GB MicroSD card I’ve attached for extra video and audio storage, again something I can’t do on my iPad.

PerfMon, ResMon, Event Viewer, RegEdit, Windows Scripting Host, all sorts of serious tooling works in the desktop environment. Not Visual Studio, yet, but let’s remember… this is a toy, not a real laptop.

The upshot of which is…

I use my Surface 2 far more than I ever used my iPad.

Despite a few niggling sharp corners that need to be addressed, it irritates me far less than any Apple device I’ve ever owned. This just cements in my mind that, while there are many people who love their Apples, I’m just not their target consumer. I’m not sure that I’m exactly the target consumer of the Surface, but it’s inspired me and continues to grow on me. I’m even starting to write code for it. We’ll see if that becomes anything in due course.

Java not yet available for Surface – one more advantage.

A reminder of who I am, and what I do

Looking at my recent posts, I’ve noticed a few things – not only have I been posting very sporadically and randomly, but also I’ve been avoiding talking about a number of aspects of myself that are key to why I maintain this blog.

In an effort to improve on that, I’m going to start with a quick recap of my biography – not a chronological approach, but a few details to let newcomers know who I am, and old-timers remember my motivations.

1. Family – a father and husband

This always comes first. I work to support my family. I’ve been married nearly twenty years to a fantastically understanding wife, and with her I have a wonderful seventeen-year-old son who is fast becoming the sort of adult whom I’d want to be friends with, if we weren’t already related.

2. Technical interests – general

What makes me prime MVP material, as well as informs the rest of my work, is that I am fascinated with all aspects of technology, from nanotech to 3d printing, quantum computing, cryptography, physics, mathematics – even if it’s unrelated to my own work, or requires tools I can’t afford to use, I’m fascinated by, and try to remain informed about, as much technology as possible.

Sadly, the human brain and attention span can only gather so much information, so there’s always topics I want to know more about. I think this is the eternal frustration of the technologically inclined.

3. Technical background – developer

I’m also a software developer – practically my first job out of college was to develop for Unix platforms, initially, maintaining and porting Fortran code to that platform. Moved from there to Windows, largely out of cussedness (trying to prove to the world that Windows could run a reliable server), and languages like C++, C#, and a few other languages as time and interest allowed.

4. Interest & Current job – security guy

Over time, though, it became clear that my code was getting hacked. So was everyone else’s, but I was unusual in noticing it and wanting to do something about it.

So I became an expert in security. Mostly I did this by reading other people’s books, blogs and articles, and then answering other people’s security questions, to demonstrate that I understood and could explain.

Then, because I didn’t have a career background in security, I had to build one to match my expertise. So I worked my way up “through the ranks”, albeit a little quicker than was expected. Hopefully, that didn’t result in too much missed instruction.

As a result, I’m now a Senior Security Engineer at a large online site. I won’t name them, not because they’re not proud of me, or I’m not proud of them, but because they’ve made it very clear that my blogging is not a part of my job, and my job is not to be a part of my blog.

That means, of course, that nothing I say here is to be construed as an indication of my employer’s position (unless I specifically say it is), and that the stories here and on my twitter feed are pulled from general experience, conversations with others in my field, and general places I have worked, rather than my current employer. I have worked at enough places to tell that developers are, on average, the same no matter where you go. So the stories are the same.

The main area I’m interested in is that of Application Security – how you can build applications that offer functionality while remaining resilient under attack. But I’m still also interested in network security, social engineering (for good and fighting its use for ill), spam fighting, and a number of other topics. I occasionally tell people their web sites are broken.

5. Side work – WFTPD, 2ndAuth, Texas Imperial Software

At various times I’ve also been self-employed, and created Texas Imperial Software as the outlet for my frustrated software development side. Usually, it’s because I’ve seen a need (or had that need myself!) that isn’t being fulfilled by existing software.

“How hard can that be?” is usually the phrase that gets me into trouble.

So I find out how hard it can be. In this manner, I’ve produced:

WFTPD Server / WFTPD Server Pro – FTP servers for Windows. These have been selling for twenty years now, less solidly lately than in the past, when WFTPD was my full time job. But the income is enough to keep up the absolutely minimal support expenditure this software takes.

2ndAuth – an auditing solution for shared accounts in Windows client and server systems. When you try to log on to a Windows system using an account marked as “shared”, you are prompted in addition for your real username and password. In turn, your verified username is logged in the Windows Event Log as a user of this shared account. Sure, shared accounts are against policy, but there are some times they can’t be avoided. In those times, 2ndAuth is a compensating control that allows you to finally answer the question “I know SQLAdmin brought down the server – so which operator do I kick / re-train / fire?”

iFetch – I love BBC Radio and TV, and wrote an app that fetches radio (or TV, if you’re in the UK) shows from the iPlayer, so that you can sync them to your mobile devices that aren’t supported by iPlayer apps.

6. Survivor – cancer

This is a pretty amazing achievement, thinking back on it – but I feel like all the work was done by other people – my wife, who made important surgical decisions while I was under general anaesthesia, and has been a great strength ever since, my surgeon and the doctors who handled the follow-up work, and my son who suffered through many nights of chicken and rice which was all I had the stomach for after radiotherapy. All I did was live through it.

This is why I cringe whenever I hear people talking about “brave” cancer patients. What I did was not brave, it was survival. Running from a bear that you’ve just noticed is eating you is not brave. It’s normal, it’s natural – it’s hard, for sure, but it isn’t brave. Brave is running towards the bear to beat him off.

Oh, and the type of cancer was testicular. The outside world considers that a bad word – and while conversations about breast cancer are plenty, you won’t find a testicular cancer awareness month. [The medical profession, by comparison, thinks cancer is a bad word, and listed my condition everywhere as “testicular C.”]

Men between the ages of 15 and 35 are most likely to be hit by testicular cancer – and there’s good news, and bad news. The good news is, it’s the most easily treated form of cancer (partly because it’s mostly outside the body already). The bad news – it’s fast acting, so delaying seeking treatment leads to many men literally dying because of embarrassment.

7. Microsoft MVP – Enterprise Security

This is an award that I’m constantly proud to have received, and which I think is thoroughly worth having. I’ll be sadder when I finally lose my MVP status (hopefully many years away still) than I was when I lost my CISSP. The network of other smart people is wonderful – and being in a category that has no closely-defined product means that I can continue to give more generally-appropriate advice, rather than specific instruction on an individual product. [It also means we don’t get the exciting swag, but hey, that’s not what I’m in the program for]

There’s an MVP Summit starting on November 17; it’s kind of a Microsoft-centric conference (think TechEd), but at a faster pace, greater depth, and with some material that isn’t public yet. We’ve each signed an NDA, and there are things I know are coming that are really exciting to me, but that I can’t talk about – yet.

8. Hobbies – juggling, unicycling

And occasionally I will draw on my hobbies of juggling and unicycling. This is how I get my exercise, some of the time, passing clubs with my son or riding unicycles around the school gym. I’m not very good, but then I don’t have to be.

Useful Excel Macros #1–compare two columns

I often need to compare two columns, and get a list in a third column of the items that are in one column, but not the other.

Every solution I find online has one common problem – the third column is full of blanks in between the items. I don’t want blanks. I want items.

So I wrote this function, which returns an array of the missing items – items which are in the first parameter, but not in the second.

I’m probably missing a trick or two (I’m particularly not happy with the extra element in the array that has to be deleted before the end), so please feel free to add to this in the comments.

Public Function Missing(ByRef l_ As Range, ByRef r_ As Range) As Variant()
' Returns a list of the items which are in l_ but not in r_
' Note that you need to put this formula into a range of cells as an array formula.
' So select a range, then type =Missing($A:$A,$B:$B), and press Ctrl-Shift-Enter
' If the range is too big, you'll get lots of N/A cells
Dim i As Long ' loop through l_
Dim l_value As Variant ' current value in l_
Dim y() As Variant ' Temp array to store values found
ReDim y(0)

For i = 1 To l_.Count ' Loop through input

  l_value = l_.Cells(i, 1) ' Get current value
  If Len(l_value) = 0 Then ' Exit when current value is empty
    Exit For
  End If

  If r_.Find(l_value, LookAt:=xlWhole) Is Nothing Then ' No whole-cell match for current value => add it to the missing
    ReDim Preserve y(UBound(y) + 1) ' Change array size
    y(UBound(y) - 1) = l_value ' Add current value to end
  End If
Next i
If UBound(y) > 0 Then ' Drop the spare last element; if nothing was missing, keep the single empty one
  ReDim Preserve y(UBound(y) - 1)
End If
If Application.Caller.Rows.Count > 1 Then ' If we were called from a vertical selection
  Missing = Application.Transpose(y) ' Transpose the array to a vertical mode.
Else
  Missing = y ' otherwise just return the array horizontally.
End If
End Function


Windows Phone 8 improves podcast support to Windows Phone 7 levels

OK, so that’s a really quite inflammatory headline, for a feature change that actually has me really excited, because I can finally use a feature of my phone that I used to love very much.

TL;DR – New version of the Windows Phone for Desktop App. Get it, it puts podcast support for MP3 files (rather than web hosted) back in.


But not really podcasts

As soon as I start talking about podcasts, most of you are either happily thinking about, or dismissing out of hand, the concept of a few people talking into a microphone about some topic they care about very deeply. I don’t really enjoy those kinds of podcasts, because I feel I can get the same kind of information more quickly and without the fanboy stylings from written material like blogs and the intertubes.

So, no, I don’t listen to podcasts.

But I do listen to something that has a lot of similar features to podcasts. I’ll call them “Sequential Long Audio Files” or SLAFs.

Not really music, either

Episodic in nature, and sequential in that it generally pays to listen in the right order, audiobooks and radio drama are examples of SLAFs – audio files that don’t behave like the typical “Music” that phones are generally designed to play.

Music files start from the beginning every time you play them. If you break away from one music track to listen to another, and then come back, you aren’t upset that it lost your place.

With the exception of concept albums and mix tapes, you don’t tend to need to listen to music files in any particular order.

OK, also the exception of symphonic music, opera, musical theatre, etc. There’s probably a lot of music that people want to listen to in sequence and with the ability to break away to another audio file and then return to the same point once you get back.

But not podcasts

Podcasts are already in this area, and they’re well supported on the Windows Phone 8 platform. So, there’s little need to improve in that feature, says the guy who acknowledges he never listens to podcasts.

What’s not been supported well – in Windows Phone 7 or at all in Windows Phone 8 – is the type of audio file exemplified by audio books, radio drama, symphonic music, opera, and so on. The SLAFs.

Here are some differences between SLAFs and regular podcasts:

  • You already have the files – they’re not on the web to be subscribed to
  • The files are sequenced by ID3 tags – rather than XML you fetch from a web site
  • Also in ID3 tags, AlbumArt that indicates a thumbnail for the series – rather than an XML file
  • Often, the sequence is finite, there’s an expectation that you will listen to all six (or however many) episodes (chapters, lieder, etc) and then be done with that set – rather than a podcast which may start at “episode 1”, but entices you back for “another great show next week” until such time as the audience and advertising dwindles to the point where the power (and the podcast) gets pulled. This means that “subscribing” makes no sense in sequential audio.

I’m sure there are other differences too.

He’s said this before

Yes, I’ve complained about podcast support on Windows Phone before, over and over and over again.

In Windows Phone 7, I wanted a few simple features added.

In Windows Phone 8, they took the entire feature set away. Podcasts now had to come from a URL and be subscribed to. Great for traditional podcasts, but intolerable for SLAFs. Yes, I could have written a web service that turns a SLAF album into a podcast series, but I just didn’t have the time.

Now, the feature has been brought back – and through a delivery of a new version of the Windows Phone app for desktop. This is what replaced the Zune software. Which really wasn’t all that bad.

So, how do we do this?

Step by step.

  1. Install the new version of the Windows Phone app for desktop.
  2. Now run it.
  3. Click on “pc”, if you need to. Note that, because this is a “metro” interface, “PC” is in lower case, despite all English style guides.
  4. Click on “podcasts”
  5. Check the podcasts you want to put on the phone, and hit “Sync” to send them there.

What if I didn’t see any podcasts?

Yes, that will happen, if you haven’t marked any items as podcasts, or put them into the sync folders.

You see that thing that says “Add or remove folders”?

This is what allows you to pick the folders into which you will put your SLAFs.

Click that, and you’re presented with a familiar-looking dialog:


In Windows Phone 7 and the Zune software, you also had to go and change the genre on your SLAFs to “Podcast”.

I am pleased as punch to say that you don’t have to do that any more. Leave the genre what it was. Not that the phone will make any use of it, allow you to search, sort or filter by it, or in any way act as if you’ve done anything better than setting the genre to “Podcast”. But it makes me feel good to know that I don’t have to assault my files to make them work on the Windows Phone.

What’s left to do?

Clearly the feature isn’t finished – there’s some work to do in the phone to improve support.


As you can see from the image to the left, there’s a whole lot of grey where there ought to be images from the AlbumArt ID3 tag in each of these series.

I can’t help but think that sometimes these titles are going to lose something important off the end. Radio shows like to have incredibly long titles, and I’m sure that something like “The Hitch-hiker’s Guide to the Galaxy Series 2” is going to be truncated so that I can’t tell which series I’m listening to. A little more wrap, possibly a marquee-style scrolling display, should fix this where it makes sense to do so.

Ordering – or sequencing – of episodes seems to still leave a little to be desired. It seems that the series will only play in sequence if the files are date-stamped. It would be nice if the podcast tool would simply read the ID3 tags for “track number” and/or “part of set” rather than rely on file dates, which could simply work off when you downloaded or ripped these files. [Note that I advocate the legal use of such technologies to space-shift or time-shift recordings to which you have purchased, or otherwise legitimately own, rights to possess and listen.]
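Sequencing from the tags rather than the file dates could look like the following, which is an added example and not code from the Windows Phone software or from this blog. It reads the ID3v2 “part of set” (TPOS) and “track number” (TRCK) frames and orders files by them; the file names and sample tags are constructed for the illustration.

```python
import struct
_ENCODINGS = {0: "latin-1", 1: "utf-16", 2: "utf-16-be", 3: "utf-8"}

def _syncsafe(b):
    """Decode a 4-byte syncsafe integer (7 useful bits per byte)."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def read_sequence(tag):
    """Return (part_of_set, track) from ID3v2.3/2.4 tag bytes; 0 where absent.
    Assumes no extended header and no unsynchronisation."""
    if len(tag) < 10 or tag[:3] != b"ID3" or tag[3] not in (3, 4):
        return (0, 0)
    end = min(len(tag), 10 + _syncsafe(tag[6:10]))
    found = {b"TPOS": 0, b"TRCK": 0}
    pos = 10
    while pos + 10 <= end:
        frame_id = tag[pos:pos + 4]
        if frame_id == b"\x00\x00\x00\x00":       # padding: no more frames
            break
        raw = tag[pos + 4:pos + 8]                # v2.4 sizes are syncsafe, v2.3 plain
        size = _syncsafe(raw) if tag[3] == 4 else struct.unpack(">I", raw)[0]
        body = tag[pos + 10:pos + 10 + size]
        pos += 10 + size
        if frame_id in found and size > 1 and len(body) == size:
            text = body[1:].decode(_ENCODINGS.get(body[0], "latin-1"), "replace")
            number = text.strip("\x00 ").split("/")[0]    # "3/6" -> "3"
            if number.isdecimal():
                found[frame_id] = int(number)
    return (found[b"TPOS"], found[b"TRCK"])

def _frame(frame_id, text):
    body = b"\x00" + text.encode("latin-1")       # encoding byte 0 = Latin-1
    return frame_id + struct.pack(">I", len(body)) + b"\x00\x00" + body

def make_tag(track, part):
    """Build a small ID3v2.3 tag (constructed sample data, not a real file)."""
    frames = _frame(b"TIT2", "Episode") + _frame(b"TRCK", track) + _frame(b"TPOS", part)
    n = len(frames)
    size = bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])
    return b"ID3\x03\x00\x00" + size + frames

def play_order(files):
    """files maps name -> tag bytes; order by (part of set, track), then name."""
    return sorted(files, key=lambda name: (read_sequence(files[name]), name))

# Constructed sample: file names sort differently from the episode order.
SAMPLE = {name: make_tag(track, part) for name, track, part in [
    ("rip_a.mp3", "2/3", "2/2"), ("rip_b.mp3", "1/12", "1/2"),
    ("rip_c.mp3", "10/12", "1/2"), ("rip_d.mp3", "2/12", "1/2")]}
```

Track 10 sorts after track 2 because the numbers are compared as integers, and a truncated or non-ID3 file falls back to (0, 0) so it sorts first instead of raising an error.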

But I can now listen happily to my radio shows – without the radio – and without the Interwebs – as if they were podcasts (though they aren’t).

Gin & tonic all round.

So, thanks and cheers, then, to all at Microsoft involved in bringing this feature back.

Now, if you don’t mind also making it better, that would be lovely.