Tuesday, February 28, 2006

Some possible reasons:

  • VCs didn't learn from the first .com crash
  • Technology pundits didn't learn from the first .com crash
  • flick
Yeah, let the VCs and technology writers (with the exception of Robert Scoble) race each other to the bottom of the ocean.  Long live flickr!

Why I reckon flickr rocks:
  • They blog.
  • They know about Interestingness.
  • You can get practically everything delivered over RSS.
  • Tagging just rocks.
  • You can upload straight from your Windows folders, or by email, or from OSX, or from iPhoto, or...
  • The user experience is very nice.  Good implementation of AJAX.  Very clean UI.  Branding is nicely done.
So yeah, hype will always be there but if it was all for flickr, well, it wasn't wasted :-)

(go on, give my flickr page a nudge...)
Tuesday, February 28, 2006 8:51:50 AM (AUS Eastern Standard Time, UTC+10:00)  #    Disclaimer  |  Comments [2]  | 
Tuesday, February 21, 2006

OK, this is my wishlist for a proximity security device for the Windows platform.  There are a couple out there, but none that do everything I want, are available locally and are affordable.  Maybe no more than $100-150 initially and coming down with volume.

Backgrounder:  A proximity security device is just a gizmo that is aware of how close you are to your computer, and secures it when you're not around.

  • It has to work with Windows integrated security.  This means not starting a new process that covers the screen and requires yet another local password store.  Nor something that starts the Windows screensaver.  It has to lock Windows at the NT security layer.  It should also be Group Policy aware, so your AD could stop your account being used on a machine that did not support the device.
  • You're going to need a dongle on your keyring, and some receiver in your pocket, but No USB!  The system should not be able to be neutralized by ripping out the dongle while you're away from your desk.  Also USB leaves too much of the process visible to the driver stack.
  • It needs to be tamper evident.  So if a machine is rebooted while secured it needs to be noted somewhere in big red letters!
  • It needs to pause Windows Media Player/Winamp/Sonique/iTunes :)
  • You must only be able to log in to the machine again when the dongle is in proximity.
  • Maybe even some biometric on the keychain dongle so that it can only send back a signal when your fingerprint matches.
  • It would be nice if one keychain could lock multiple machines.
  • Lastly, and most importantly, it must automatically lock your machine when you move a certain distance from the machine with no questions asked.

Has anyone seen such a gizmo?  Or am I meant to keep dreaming :)
Tuesday, February 21, 2006 1:03:43 PM (AUS Eastern Standard Time, UTC+10:00)  #    Disclaimer  |  Comments [1]  | 
Monday, February 20, 2006

OK, here's my monthly props for CryptoGram...

Bruce Schneier links to a story where some Russians use a 'dead drop' technique via anonymous email systems like Hotmail.

The idea is that two or more people share an email account and, instead of sending email messages to each other, they just save their message as a draft email for the next guy to read.

I like this as a specific case to illustrate the more general point about security based on "building higher walls" being bad because it assumes that all entry points are known!

After blog mint [?]: I've been thinking more about this... the key isn't that the message never went across the wire because it did (from the PC to the Hotmail server) but it's that it didn't leave Hotmail via SMTP, so the goal in sight is to avoid SMTP message detection and signal analysis based on SMTP traffic.  Taking that as the general case leaves open a bunch of other scenarios, like storing secret data on mobile SIM cards for example.  Just a thought...
Monday, February 20, 2006 3:56:46 PM (AUS Eastern Standard Time, UTC+10:00)  #    Disclaimer  |  Comments [0]  | 
Thursday, February 16, 2006

These last couple of weeks I've been really getting into XPath, and SQL Server's sp_xml_preparedocument and OPENXML() syntax.

I keep finding cool things to do with it, but I can't see a way around the problem that sp_xml_preparedocument accepts only a local variable as the source document, which limits your document size to VARCHAR(8000), or half that for NVARCHAR.  I have not seen that limit yet in my work, but it still seems a little low.  What about ntext guys?

I'm gonna have some real-world XPath coming soon, this is just a pre-post warning :)
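One way to see the sp_xml_preparedocument / OPENXML round trip the post is talking about, as an added example that is not from the post; it assumes SQL Server 2000 or later and uses a constructed sample document held in a local variable, which is exactly the size limit described above:

```sql
-- Added example (not from the post): parse a small XML document with
-- sp_xml_preparedocument + OPENXML, then release the parsed document.
DECLARE @doc  NVARCHAR(4000);   -- local variable: the size limit the post complains about
DECLARE @hdoc INT;              -- handle to the parsed document

-- Constructed sample input: a few login records.
SET @doc = N'<logins>
  <login user="alice" host="ws-01" ok="1" />
  <login user="bob"   host="ws-02" ok="0" />
</logins>';

-- Parse the text into an in-memory document; @hdoc is what OPENXML reads.
EXEC sp_xml_preparedocument @hdoc OUTPUT, @doc;

-- The XPath row pattern selects each <login>. Flag 1 = attribute-centric,
-- so each WITH column is filled from the attribute named in its column pattern.
SELECT [user], host, ok
FROM OPENXML(@hdoc, '/logins/login', 1)
WITH (
    [user] NVARCHAR(64) '@user',
    host   NVARCHAR(64) '@host',
    ok     BIT          '@ok'
);

-- Release the parsed document. The handle (and the server memory behind it)
-- stays allocated until this runs or the connection closes, so always pair
-- the prepare call with a remove call, even on the error path.
EXEC sp_xml_removedocument @hdoc;
```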

Wednesday, February 15, 2006 11:17:33 PM (AUS Eastern Standard Time, UTC+10:00)  #    Disclaimer  |  Comments [0]  | 
Wednesday, February 15, 2006
Apologies.  This site has been down more than up over the last couple of days due to some hard drive issues. If you are reading this... it's back up again :)

Wednesday, February 15, 2006 10:59:00 PM (AUS Eastern Standard Time, UTC+10:00)  #    Disclaimer  |  Comments [0]  | 
Thursday, February 02, 2006
Great link from Jules: http://www.pbs.org/cringely/pulpit/pulpit20051117.html

If this is the future of the internet, count me in.

Thursday, February 02, 2006 9:13:34 AM (AUS Eastern Standard Time, UTC+10:00)  #    Disclaimer  |  Comments [0]  | 
Wednesday, February 01, 2006
There is a new breed of imaging apps that have come up, at the moment I'm thinking of Adobe Lightroom (mac only, currently beta) and Apple Aperture (mac only, v1.0 and could use some polish).  The good thing is they are rethinking the UI for the specific tasks at hand.

But the old stalwart in this space is Photoshop (currently in 9th revision a.k.a "CS2").  So why does the world need both?

I think it comes down to the UI paradigm. 

One of the strengths of Photoshop has always been that it presents the user with a toolbox.  There isn't a button to make embossed text, for example, however useful it might be.  The UI design expects you to know how to combine selections, masks and blend modes to create an embossed look for your text.

This is a benefit, not a limitation, because PS is a creative application: your text bears the look of your experience and technique and matches the rest of the image perfectly.  If you want, you can then record an action to make your own embossed text button.  Next to this, a generic embossed text button would give very average results.

The downside however is it requires considerable understanding of all the tools at hand to get the best results.

Compare that to the UI, or more the user experience, of Lightroom and Aperture.  These are focused on the needs of specifically digital photographers using high-end cameras (even one of these or these!) and pro workflow.  Because the UI is so focused they are able to encapsulate things that used to be a dozen clicks in Photoshop & Adobe Bridge & Adobe Camera RAW into one slick UI.  This is also a good thing.

So to examine the general case what does this tell us about UI design and user experience that can be applied to the applications we write?  I think it just underscores the need to directly address the outcomes the user is working towards in the UI, rather than having the UI just as a way for the user to interact with your program logic.

So look at your apps and ask... which UI are you; the toolbox or task-focused? 

Wednesday, February 01, 2006 12:17:33 PM (AUS Eastern Standard Time, UTC+10:00)  #    Disclaimer  |  Comments [0]  | 
Thursday, January 12, 2006

Tracking stray connections using profiler

Times when this can come into play are in multithreaded apps, or apps where you may be supporting simultaneous users, as in an ASP.NET application.

Generally, any time you are requesting resources from the server you should be using the Try... Catch... Finally pattern for allocating server resources and releasing them as soon as you know you can do without them.  (Nod to Andy Rich on Deterministic Finalization)


One thing that is going to help with this however is to set the appname in your connection string (Application Name={1};) for filtering the Profiler results.


So here is a Profiler trace useful for keeping an eye on logins, logouts and stored procs executed in between:


Download: deepdark.net_Connection_Monitor_20060112.zip
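The same hunt from the server side, as an added example that is not the post's trace or download: a query over the sys.dm_exec_sessions DMV (SQL Server 2005 and later, assumed) that lists idle sessions belonging to one application, filtered by the Application Name value set in the connection string (MyApp is a placeholder):

```sql
-- Added example (not from the post): list connections from one application
-- that are connected but have done nothing for a while. Assumes SQL Server
-- 2005+ (sys.dm_exec_sessions) and a connection string containing
-- "Application Name=MyApp", the same filter the post suggests for Profiler.
DECLARE @app         NVARCHAR(128) = N'MyApp';  -- placeholder application name
DECLARE @idleMinutes INT           = 10;        -- how long "sleeping" counts as stray

SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       s.status,
       s.login_time,
       s.last_request_end_time,
       DATEDIFF(MINUTE, s.last_request_end_time, GETDATE()) AS idle_minutes
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1                      -- skip SQL Server's own sessions
  AND s.program_name    = @app                   -- only this application's connections
  AND s.status          = N'sleeping'            -- open, but not running anything
  AND s.last_request_end_time < DATEADD(MINUTE, -@idleMinutes, GETDATE())
ORDER BY idle_minutes DESC;
```

Connections returned to an ADO.NET pool also show up as sleeping, so a steady number is normal; a count that climbs with each request is the leak the post's Try... Catch... Finally advice is meant to prevent.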

Wednesday, January 11, 2006 11:45:32 PM (AUS Eastern Standard Time, UTC+10:00)  #    Disclaimer  |  Comments [1]  | 

Something I have been giving thought to is that the .NET Framework exposes perfmon counters for all manner of useful stats.

An unlikely tool?  Not so much... Of particular use is the feature where perfmon can track exceptions thrown throughout all managed apps or, alternatively, for any chosen running managed application.  You can then compare the number of Finally blocks hit after an exception was reached (there is a counter specifically for this!) vs. exceptions thrown.  In normal conditions I don't think I'd like these to differ significantly.

Really this is using perfmon to track stats from .NET apps provided by the framework; but performance isn't far from the surface.  Throwing and catching exceptions is a very costly operation for the Framework and is a significant performance hit to a running application.


Three things, and some links:

1. You don't have to be looking at your dev machine.  If you have administrative access to a test server you can remotely watch any perfmon counters.  Useful if your application runs as a service or for ASP.NET applications.


Also, create a shortcut to perfmon.exe in your System32 directory to get quick access to the Run As... command for those running their developer environment with least privilege (nod on this to Don Kiely, Michael Howard).

2. If you need to track these in a running app like a Windows Service or an ASP.NET application, consider using MRTG to graph the results for you.  I've used this before as a makeshift NMS console monitoring server system health.  It's more secure than SNMP and very low on resource use.

The official MRTG site has the basics for setting up MRTG on Windows, but Castellan has a (slightly dated) but much more relevant guide.


3. Consider logman to configure the Performance Monitor service.  Again, this is worth a blog post by itself.  Open a command prompt and run logman /? for more.

Where to next?  One day I'd like to automate perfmon logging as part of an NUnit test harness to give another measure of quality parallel to NUnit.  I'll keep you posted.

Wednesday, January 11, 2006 11:08:31 PM (AUS Eastern Standard Time, UTC+10:00)  #    Disclaimer  |  Comments [0]  | 
Friday, December 23, 2005

Well, first of all thanks to NETGEAR.  I'm back.  This time it should be for good.  But tell me this; why can't I get a router that will take some moderate load on a hot Sydney day and not explode?!?!  Even my new (expensive!) Netgear hardware runs hot (50°C+) under *no* load.  I'm gonna have to casemod this sucker to add a fan if it's gonna last me until Feb '06.

Anyway, authentication.  It's not the first time Crypto-Gram has been mentioned on my blog.  This time it relates to a post therein about the kind of fingerprint readers that have become popular in keyboards/mice or as USB peripherals, and how with some skill and the right tools and circumstance you can foil them in about the same time it takes to make a sandwich.

What it comes down to is this (I am drawing from many sources here).  Authentication comes in three factors:
  • Things you know - passwords/passphrases*, PINs, mother's maiden name (how many web sites will ask this!) and so on...
  • Things you are - your retina, your fingerprint^, etc
  • Things you have - Smartcards, USB dongles, key cards, your passport yadda yadda...
If you require 2 forms of authentication and draw from only one pool, then you have only one factor!

(I have a secret about OfficeWorks SAP system, remind me to tell you about it some time...)

Anyway, that's enough for tonight :)

* Jesper on Passphrases here (1/3), here (2/3) and here (3/3)
^ Wikipedia, The Register
Friday, December 23, 2005 10:49:08 PM (AUS Eastern Standard Time, UTC+10:00)  #    Disclaimer  |  Comments [0]  | 
Wednesday, December 07, 2005

Transmission has been up and down like a fiddler's elbow of late as my damn router is giving me grief.  Please stay tuned...

After blog mint [?]:  Seems I suffered a sudden case of F.E.R.S.  (a slight variation on the standard E.R.S. a.k.a Exploding Router Syndrome)
Wednesday, December 07, 2005 7:02:26 PM (AUS Eastern Standard Time, UTC+10:00)  #    Disclaimer  |  Comments [0]  |