# Thursday, February 02, 2006
Great link from Jules: http://www.pbs.org/cringely/pulpit/pulpit20051117.html

If this is the future of the internet, count me in.

Thursday, February 02, 2006 10:13:34 AM (AUS Eastern Daylight Time, UTC+11:00)
# Wednesday, February 01, 2006
There is a new breed of imaging apps that have come up; at the moment I'm thinking of Adobe Lightroom (Mac only, currently beta) and Apple Aperture (Mac only, v1.0 and could use some polish).  The good thing is they are rethinking the UI for the specific tasks at hand.

But the old stalwart in this space is Photoshop (currently in 9th revision a.k.a "CS2").  So why does the world need both?

I think it comes down to the UI paradigm. 

One of the strengths of Photoshop has always been that it presents the user with a toolbox.  There isn't a button to make embossed text for example, however useful it might be.  The UI design expects you to know how to combine selections, masks and blend modes to create an embossed look for your text.

This is a benefit not a limitation because PS is a creative application - your text bears the look of your experience and technique and matches the rest of the image perfectly.  If you want you can then record an action to make your own embossed text button.  Next to this, a generic embossed text button would give very average results.

The downside however is it requires considerable understanding of all the tools at hand to get the best results.

Compare to that the UI, or more the user experience, of Lightroom and Aperture.  These are focused on the needs of specifically digital photographers using high-end cameras (even one of these or these!) and pro workflow.  Because the UI is so focused they are able to encapsulate things that used to be a dozen clicks in Photoshop & Adobe Bridge & Adobe Camera RAW into one slick UI.  This is also a good thing.

So to examine the general case what does this tell us about UI design and user experience that can be applied to the applications we write?  I think it just underscores the need to directly address the outcomes the user is working towards in the UI, rather than having the UI just as a way for the user to interact with your program logic.

So look at your apps and ask... which UI are you; the toolbox or task-focused? 

Wednesday, February 01, 2006 1:17:33 PM (AUS Eastern Daylight Time, UTC+11:00)
# Thursday, January 12, 2006

Tracking stray connections using Profiler

Times when this can come into play are in multithreaded apps, or apps where you may be supporting simultaneous users, like in an ASP.NET application.

Generally, any time you ask the server for resources, you should use the Try... Catch... Finally pattern: allocate the server resources and release them as soon as you know you can do without them.  (Nod to Andy Rich on Deterministic Finalization)

One thing that is going to help with this, however, is to set the app name in your connection string (Application Name={1};) for filtering the Profiler results.

So here is a Profiler trace useful for keeping an eye on logins, logouts and stored procs executed in between:


Download: deepdark.net_Connection_Monitor_20060112.zip
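
As an added example (not part of the original post or its download), the queries below look at the same problem from the server side with master.dbo.sysprocesses, which the post itself does not use. The Application Name value MyWebApp and the 10-minute idle threshold are assumptions.

```sql
-- Added example. 'MyWebApp' is a hypothetical Application Name value;
-- the 10-minute idle threshold is likewise an assumption.
DECLARE @app NVARCHAR(128)
DECLARE @idle_minutes INT
SET @app = N'MyWebApp'
SET @idle_minutes = 10

-- 1. Connection count per client machine. Pooled connections are also
--    reported as sleeping, so a count that keeps climbing under steady
--    load is the sign of connections that are never closed.
SELECT  RTRIM(hostname)  AS client_host,
        RTRIM(loginame)  AS login_name,
        COUNT(*)         AS connections,
        MIN(login_time)  AS oldest_login
FROM    master.dbo.sysprocesses
WHERE   RTRIM(program_name) = @app
GROUP BY RTRIM(hostname), RTRIM(loginame)
ORDER BY connections DESC

-- 2. Individual connections idle past the threshold. open_tran > 0 on an
--    idle connection means a transaction was left open, still holding locks.
SELECT  spid,
        RTRIM(hostname)  AS client_host,
        DB_NAME(dbid)    AS database_name,
        login_time,
        last_batch,
        DATEDIFF(mi, last_batch, GETDATE()) AS idle_for_minutes,
        open_tran
FROM    master.dbo.sysprocesses
WHERE   RTRIM(program_name) = @app
  AND   DATEDIFF(mi, last_batch, GETDATE()) >= @idle_minutes
ORDER BY open_tran DESC, last_batch
GO
```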

Thursday, January 12, 2006 12:45:32 AM (AUS Eastern Daylight Time, UTC+11:00)

Something I have been giving thought to is that the .NET Framework exposes perfmon counters for all manner of useful stats. 

 

An unlikely tool?  Not so much... Of particular use is the feature where perfmon can track exceptions thrown throughout all managed apps or, alternatively, for any chosen running managed application.  You can then compare the number of Finally blocks hit after an exception was reached (there is a counter specifically for this!) vs. exceptions thrown.  In normal conditions I don't think I'd like these to differ significantly.

 

Really this is using perfmon to track stats from .NET apps provided by the framework; but performance isn't far from the surface.  Throwing and Catching exceptions is a very costly operation for the Framework and is a significant performance hit to a running application.

 

Three things, and some links: 

 

1. You don't have to be looking at your dev machine.  If you have administrative access to a test server you can remotely watch any perfmon counters.  Useful if your application runs as a service or for ASP.NET applications. 


Also, create a shortcut to perfmon.exe in your System32 directory to get quick access to the Run As... command for those running their developer environment with least privilege (nod on this to Don Kiely, Michael Howard).

 

2. If you need to track these in a running app like a Windows Service or an ASP.NET application consider using MRTG to graph the results for you.  I've used this before as a make-shift NMS console monitoring server system health. It's more secure than SNMP and very low on resource use.

The official MRTG site has the basics for setting up MRTG on Windows, but Castellan has a slightly dated but much more relevant guide.

 

3. Consider logman to configure the Performance Monitor service.  Again this is worth a blog post by itself.  Open a command prompt and run logman /? for more.


 

Where to next?  One day I'd like to automate perfmon logging as part of an NUnit test harness to give another measure of quality parallel to NUnit.  I'll keep you posted.

Thursday, January 12, 2006 12:08:31 AM (AUS Eastern Daylight Time, UTC+11:00)
# Friday, December 23, 2005

Well first of all thanks to NETGEAR.  I'm back.  This time it should be for good.  But tell me this; why can't I get a router that will take some moderate load on a hot Sydney day and not explode?!?!  Even my new (expensive!) Netgear hardware runs hot (50°C+) under *no* load.  I'm gonna have to casemod this sucker to add a fan if it's gonna last me until Feb '06.

Anyway, authentication.  It's not the first time Crypto-Gram has been mentioned on my blog.  This time it relates to a post therein about the kind of fingerprint readers that have become popular in keyboards/mice or as USB peripherals, and how with some skill and the right tools and circumstance you can foil them in about the same time it takes to make a sandwich.

What it comes down to is this (I am drawing from many sources here).  Authentication comes in three factors:
  • Things you know - passwords/passphrases*, PINs, mother's maiden name (how many web sites will ask this!) and so on...
  • Things you are - your retina, your fingerprint^, etc
  • Things you have - Smartcards, USB dongles, key cards, your passport yadda yadda...
If you require 2 forms of authentication and draw from only one pool, then you have only one factor!

(I have a secret about OfficeWorks SAP system, remind me to tell you about it some time...)

Anyway, that's enough for tonight :)

* Jesper on Passphrases here (1/3), here (2/3) and here (3/3)
^ Wikipedia, The Register
Friday, December 23, 2005 11:49:08 PM (AUS Eastern Daylight Time, UTC+11:00)
# Wednesday, December 07, 2005

Transmission has been up and down like a fiddler's elbow of late as my damn router is giving me grief.  Please stay tuned...

After blog mint [?]:  Seems I suffered a sudden case of F.E.R.S.  (a slight variation on the standard E.R.S. a.k.a Exploding Router Syndrome)
Wednesday, December 07, 2005 8:02:26 PM (AUS Eastern Daylight Time, UTC+11:00)
# Friday, November 11, 2005

Quick post today about my favourite SQL Server “feature”: when you create a user account, the default database is master.

The only sensible reason for installing the Northwind database I think is so that you can set it to be the default database for logins!  :-)

I wonder how many times in history people have just opened the Query Analyser and run a script accidentally against master rather than the database they intended.

(Humph!  Whatever that number is... add one to it)
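
An audit-and-fix script for the situation described above, as an added example rather than anything from the original post. It assumes a hypothetical application database named AppDb and uses the SQL Server 2000-era syslogins, sysusers and sp_defaultdb.

```sql
-- Added example. AppDb is a hypothetical application database name.

-- 1. Audit: logins whose default database is still master.
SELECT  l.[name] AS login_name, l.dbname AS default_db,
        l.isntname, l.sysadmin
FROM    master.dbo.syslogins l
WHERE   l.dbname = N'master'
ORDER BY l.[name]

-- 2. Repoint them, but only logins that already map to a user in AppDb:
--    a login that cannot open its default database fails to connect
--    unless it names another database explicitly.
--    sysadmin members are left on master.
DECLARE @login SYSNAME
DECLARE cr CURSOR LOCAL STATIC FOR
    SELECT  l.[name]
    FROM    master.dbo.syslogins l
    INNER JOIN AppDb.dbo.sysusers u ON u.sid = l.sid
    WHERE   l.dbname = N'master'
      AND   l.sysadmin = 0
      AND   u.hasdbaccess = 1

OPEN cr
FETCH NEXT FROM cr INTO @login
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC sp_defaultdb @loginame = @login, @defdb = N'AppDb'
    PRINT 'Default database for ' + @login + ' is now AppDb'
    FETCH NEXT FROM cr INTO @login
END
CLOSE cr
DEALLOCATE cr
GO
```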

Friday, November 11, 2005 3:58:34 PM (AUS Eastern Daylight Time, UTC+11:00)
# Monday, November 07, 2005

It's been a little while between posts, so I thought I'd share a tip about using Fiddler to debug .NET SOAP Web Service Clients.

Once you install Fiddler it sets itself up as a proxy on port 8888.  You then use the Fiddler UI to inspect sessions made from your application to the IIS hosting the web service.  Fiddler lets you inspect the raw HTTP traffic that is exchanged in a SOAP call, and you can even modify an old session and resubmit it with modified data!  Great for debugging.

Below is a sample (VB.Net 2003) adapted for readability from an actual project I'm working on.  The point of the sample is setting the Proxy property of the web service reference to a WebProxy object.


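' File-level imports needed by the sample.
Imports System.Net
Imports System.Web.Services.Protocols

Dim NewUser As New RemoteWebHost.User
Dim UserServices As New RemoteWebHost.DatabaseSync

' Adding this line lets Fiddler track the HTTP Sessions.
' WebProxy(host, port) takes a bare host name and builds http://host:port itself.
' Debugging aid only: take it out again before the build ships.
UserServices.Proxy = New WebProxy("127.0.0.1", 8888)

With NewUser
   .UserName = "fred"
   ' [...]
End With

Try
   UserServices.UserAdd(NewUser, Nothing)

Catch ex As SoapHeaderException
   ' Most specific first: SoapHeaderException derives from SoapException.
   ' [...]

Catch ex As SoapException
   ' [...]

Catch ex As Exception
   ' [...]

End Try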


Monday, November 07, 2005 11:56:31 AM (AUS Eastern Daylight Time, UTC+11:00)
# Thursday, October 06, 2005

Looks like it's about time for another post!

This one is about the SQL Server system tables.  These are a fav of mine because I find them so useful in scripts. 

The caveat when dealing with them is that you need to be mindful of SQL Server versions.  Everything that worked on SQL Server 7.0 will work on SQL Server 2000, but there are some minor tweaks in SQL Server 2000 that are not valid in SQL Server 7.0.  Now is not a good time to mention SQL Server <= v6.5 because the system tables had an overhaul for 7.0, and I haven't checked any of this code on Yukon/SQL Server 2005 yet.

My fav thing to use the tables for is dealing with object existence in scripts.  In my book a good T-SQL script can be run over and over without damaging the database.  Put another way, if your SQL Script throws an error if it is run twice against the same database it's not a good T-SQL script.

Consider we are dealing with the following table:

CREATE TABLE testing_data (
    pkey INT IDENTITY (1,1) NOT NULL,
    created DATETIME DEFAULT getdate() NOT NULL,
    modified DATETIME NULL,
    deleted BIT DEFAULT 0 NOT NULL,
    testing_val_1 NVARCHAR(15) NOT NULL,
    testing_val_2 NVARCHAR(255)
)


If, for whatever reason, you want to drop and recreate this table on each run, you could put the following statement before it:

IF Exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[testing_data]')
    AND OBJECTPROPERTY(id, N'IsUserTable') = 1)
    DROP TABLE testing_data
GO

This is the syntax you will see if you choose to include Drops in scripts you generate from the Enterprise Manager, but I don't use it much, mainly because I can never remember the OBJECTPROPERTY() syntax!

Typically I do the following:

IF Exists(SELECT [id] FROM sysobjects
    WHERE sysobjects.[name] = N'testing_data'
    AND sysobjects.[type] = N'U')
    DROP TABLE testing_data
GO

I feel that Microsoft are hinting us towards using OBJECTPROPERTY() for future version compatibility, but I still favor this syntax because apart from being easy to remember it's easy to adapt for other kinds of objects, e.g.:

IF Exists(SELECT [id] FROM sysobjects
        WHERE sysobjects.[name] = 'prGetTestingDataRows'
        AND sysobjects.[type] = 'P')
    DROP PROC prGetTestingDataRows
GO

So if the Type column in sysobjects is 'U' for user tables, and 'P' for procedures then there are no prizes for guessing what TR, D & V might mean.

For a more complex example, let's say you want to change the type of the field testing_val_1 to NVARCHAR(35) ONLY if it has not been changed before, you could wrap the ALTER TABLE statement in the following BEGIN... END:

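IF Exists(SELECT syscolumns.[name]
    FROM syscolumns
    LEFT JOIN sysobjects
        ON syscolumns.[id] = sysobjects.[id]
    LEFT JOIN systypes
        ON syscolumns.[xtype] = systypes.[xtype]
    WHERE syscolumns.[name] = 'testing_val_1'
    AND systypes.[name] = 'nvarchar'
    -- syscolumns.length is in bytes: NVARCHAR(15) is 15 characters x 2 bytes.
    -- Without this test the check is still true after the column has been widened.
    AND syscolumns.[length] = 30
    AND sysobjects.[name] = 'testing_data')
BEGIN
    -- The change described in the text above.
    ALTER TABLE testing_data
        ALTER COLUMN testing_val_1 NVARCHAR(35) NOT NULL
END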

So having only touched two or three sys tables we have a couple of good tools that are easy to use.  I'll cover more at a later date, in the meantime enjoy the extra metadata!

After blog mint [?]:

Here's an actual practical example from a script I have been working on recently (user name changed).  This script makes a dozen or so procs, the svcapp account is a login used by a service that only has rights to exec these procs, and no rights granted to the base tables.  This automates granting access to the created procs, and it is much quicker than doing it in the SQL EM:

PRINT 'PART 4 - Granting access to user account'
GO

DECLARE @sql NVARCHAR(600)
DECLARE @name NVARCHAR(128)
DECLARE @usernm NVARCHAR(128)

-- User procs only: objects shipped with SQL Server are skipped.
DECLARE cr CURSOR FOR
    SELECT [name] FROM sysobjects
    WHERE type='P'
    AND OBJECTPROPERTY(id, N'IsMSShipped') = 0
    ORDER BY [name]

SET @usernm = 'svcapp'

OPEN cr
FETCH NEXT FROM cr INTO @name

WHILE @@fetch_status = 0
BEGIN
    -- QUOTENAME() brackets each identifier so an unusual name
    -- cannot break or alter the generated statement.
    SET @sql = 'grant exec on ' + QUOTENAME(@name) + ' to ' + QUOTENAME(@usernm)
    EXEC sp_executesql @sql
    PRINT 'Granting EXEC on ' + @name + ' to user: ' + @usernm
    FETCH NEXT FROM cr INTO @name
END

CLOSE cr
DEALLOCATE cr

PRINT 'Done.'
GO


Thursday, October 06, 2005 11:24:38 PM (AUS Eastern Standard Time, UTC+10:00)
# Wednesday, September 28, 2005

Firstly, the credits.  This post would not have been possible without Jesper Johansson.  Look at his notes on Anatomy Of A Hack.  He's an authority on securing Windows networks, and has given me a lot to think about.

Prime among them is the problem that while running secure web applications on secure Windows servers has never been more possible, it's still too much of a black art.  I'm just scared that too many apps will be bumped up to run as administrative accounts because it's just too much hard work to get them to run.

Even following good quality (but slightly dated) patterns and practices guides like Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication (2002, extra comma theirs) isn't the full story.  You can still be forced to resort to tools like Filemon and Regmon to work out why your least-priv account cannot be started as an application pool.

This isn't meant to be a Windows is insecure rant, because they are 10-a-penny.  This is just meant to be a heads-up and link-fest.

Final link for the bandwidth-endowed.  You can watch a couple of sessions presented by Jesper at the Tech.Ed 2005 Australia site.

 

After Blog Mint [?]:

I thought I'd post some more links to resources I can personally recommend:

Wednesday, September 28, 2005 9:16:10 AM (AUS Eastern Standard Time, UTC+10:00)