Creating a small institutional site

Every now and then non-tech friends ask me to get their startup’s site up and running. Usually I tend to choose Joomla for the flexibility, but sometime it’s just an overkill. Just keeping Joomla security updates is something I really don’t want to think about.

So this time, for my dear sister-in-law Sofia pre-scool project, I’ve tried out Weebly. In a couple of hours I’ve chosen a template, defined the organic, uploaded some content and photos and here’s the result: chuvadepapel.com:

To be true this is not entirely free, as I chose to pay for the domain (chuvadepapel.weebly.com was the free version). Ok, this is just the bare minimum needs for a static site, don’t expect too much. But it’s simple to edit, and costs nothing o manage. Cool.

 

PS: on the next opportunity, I’ll probably try out wix.com.

Will IE9 be te one?

People tend to forget the past. Here’s a cool article reminding us of IE past glory: How-To Geek Explains: Why Do So Many Geeks Hate Internet Explorer?

1996: Internet Explorer 3
This version of the browser, introduced in 1997, was the first browser to implement CSS (Cascading Style Sheets). Yes, you’re reading that correctly—in fact, it introduced many new features like Java applets and sadly, ActiveX controls.

1997: Internet Explorer 4
IE4 introduced a blazing fast (at the time) rendering engine as an embeddable component that could be used in other applications—this was a lot more important than people realize. This version also introduced Dynamic HTML, which allows web pages to dynamically change the page using JavaScript, and added Active Desktop integration.

Even more weird? Seems like nobody remembers this anymore, but IE4 was actually cross-platform—you could install it on Mac OS, Solaris, and HP-UX—and by the time IE5 was released, IE4 had reached a 60% market share.

1999: Internet Explorer 5.x
Microsoft invented Ajax. Wait… what? That’s right, it was this version of IE that introduced the XMLHttpRequest feature in JavaScript, which forms the underlying technology behind every web application you’re using today—you know, like Gmail. Of course, the term “Ajax” wasn’t actually coined until years later by somebody other than Microsoft, but this release supported everything required to make it work.

So Yes, Microsoft Innovated
From IE3 until IE6, Microsoft used all their resources to simply out-innovate the competition, releasing new features and better browsers faster than Netscape. In fact, Netscape 3 Gold was a buggy piece of junk that crashed all the time, and Netscape 4 was extremely slow and could barely render tables—much less CSS, which would often cause the browser to crash.

To put it in context: web developers used to complain about Netscape the same way they complain about IE6 now.

 

I’d like to add:

• Netscape was a paid product, IE was free. Funny how this looks like now
• Most of the times IE was closer to W3C standards than Netscape – still, too far from the standards, I’m afraid
• IE was very forgiven to badly written HTML – if I remember correctly on Netscape, an unclosed tag on a table was all it took to stop displaying it
• Probably AJAX actually pre-dates XMLHttpRequest (implemented to support OWA) – old interdev versions had a server object based on a java applet capable of invoking an async remote procedure. We had a series of clients that insisted on making a browser interact like excel – now that a think of it, they were visionaries! But yes, XMLHttpRequest, XML and SOAP did brought it to the masses.

So what went wrong?

The trouble all started when Microsoft integrated IE into Windows as a required component, and made it difficult to uninstall and use an alternate browser. Then there was the whole business with them exploiting their monopoly to try and push Netscape out of the market, and a lot of people started to view Microsoft as the evil empire.

Microsoft Stopped Trying
By the time Microsoft released Internet Explorer 6 in 2001, complete with lots of new features for web developers, since there was no competition and they had a 95% market share, Microsoft just stopped trying—seriously, they did nothing for 5 years even after Firefox was released and geeks started migrating left and right.

Microsoft-Specific Features
…

Security Holes and Crashing

…

IE7 and IE8 Were Too Little, Too Late

…

Supporting IE is Like a Fork in the Eye for Web Devs

…

Geeks Forced to Use Internet Explorer

…

 

The article ends with a vote of confidence to IE9. I agree, finally we see a lot of potential on a new IE, let’s see what happens.

Bottom-line is: boy, do I miss NCSA Mosaic…

Oops, this last security breach is not limited to ASP.NET

It seems like ASP.NET is not the only platform vulnerable to Padding Oracle attack. Platforms like JSF and Ruby on Rails are also vulnerable,  but Juliano Rizzo is convinced that there are more platforms, applications and sites vulnerable to the same attack.

So why all the fuss about ASP.NET?

InfoQ: Why there has been so much commotion around ASP.NET lately and there is nothing related to JSF, Ruby on Rails, if they are vulnerable too?

JR: ASP.NET is more popular than JSF and Ruby on Rails, because approximately 25% of the internet sites use ASP.NET.

BizTalk Server 2010

Here are the main new features:

• Support for the latest platforms from Microsoft including server, database and development environment.

• Enhanced developer productivity and new application life cycle management experience for development teams.

• New capabilities for implementing agile SOA integration solutions across heterogeneous technologies and Line of Business systems.

• Enhanced B2B and RFID capabilities to allow the implementation of flexible end-to-end supply chain management and asset tracking solutions.

Yes, the EPCIS Query and Capture interface event handlers are finally there! And it comes with a free developer edition.

PS: at the time of this post, it wasn’t on the MSDN subscription.

Another testing success story

I’ve been re-architecting our typical .NET web application on a new project we are starting. There are some huge changes: we are adopting MVC over WebForms, Entity Framework over NetTiers, and we are finally adopting a new workflow engine.

To mitigate the risks of starting a project with all these new variables we’ve started stressing the application as soon as we could. And soon meant running load tests over a very crude application.

Web stressing an application on such an early stage poses a challenge on the team itself, as most of the time at least a couple of scenarios fail to execute properly, but this is the phase where the feedback we are getting from the load tests can deeply influence the refactoring of the architecture itself.

We’ve started the load tests with some simple CRUD and workflow scenarios. All it took was 10 virtual users and less than a minute and we’ve exhausted some critical resources on the server (database connection and workflow engine handles). Some of the Entity Framework data layer calls started failing, most of the workflow engine calls failed, and we could no longer login on the workflow engine. We were also eating up memory usage. None of these errors were identified by the development team on the development process.

After a quick code review we’ve identified a bunch of places we’ve missed to call Dispose. We could now run the same load tests with no errors, so we’ve programmed a load test to find out how many virtual users can we project so that the application server’s CPU stays below 80%. The test failed with the following error:

“Limit of 250 virtual users exceeded”

Yes, this is my kind of error! We’ve re-programmed the load test to stay within the licensing limits and left it running for the night: less of 30% to CPU usage on the application server, no error and no leaks. Cool!

At last Apple is (being forced) to move on the right direction

Apple stated that they are “relaxing all restrictions on the development tools used to create iOS apps, as long as the resulting apps do not download any code”.

It’s about time, developers and owners should have full control over the devices and apps.

Also about time Steve Jobs (indirectly) admits iPhone market share is being challenged. To say the least :)

(In)security in your Access Points

Last week a friend of mine asked me to assess his AP’s security. I was shocked to find out his AP was just wide opened! The reason is a little embarrassing for him: the AP’s software (a NetGear) has a form that asks and stores a password for wireless security, and a group of radio buttons with the default choice: no security. A user interface trap for my 65 years old friend.

So I’ve decided to assess the neighborhood where I’ve been taking my summer holidays - being careful not to access any illegal information. Here are the results:

Security	#	%
WEP	8	21%
OPEN	11	29%
WPA/WPA2	19	50%
Total	38

Uau! I’ve 38 APs near me?!? This is madness, people don’t live here, these are weekend and holiday condoms!!! But wait, there’s more: only 50% of these are reasonably covered, the rest are wide open (ok, mostly FON Free Internet, a cool business model, nevertheless a risk if someone commits a crime using your hotspot?) or poorly defended WEP. WEP?! I wouldn’t expect so many of these running out there.

If I could get a neighbor to authorize an assessment I’d choose to attack the poorly defended WEP. Here’s what I would do:

1. Get a security distro already loaded with aircrack-ng – for instance, backtrack;
2. Follow the Simple WEP Crack Tutorial; my attack on my own AP took no more than 30s – provided I’ve forced an ARP query… probably the major obstacle on aircrack, as I am told.

You can also get you luck with dictionary attacks on WPA, or the next gen of security attacks, but that’s not the point. The point is: geeks like me – and you people that are reading this article – , although not safe from security attacks, are aware of these security risks and mitigations. The rest of non techies are calmly waiting to get their traffic and internet identity abused. But now that I’m thinking about it, they are sleeping like babies, I’m the one wake up at 01h30 in the morning worried about security… :)

Turn your laptop into a wireless Access Point

There are a couple of use scenarios where I find useful to providing wireless access from your laptop:

• Creating a network “island” without a router;
• Sharing internet access to other laptops where only one wired point is available;
• Providing network and internet access to your PDA where no AP is available. My favorite usage :)

Here are a couple of tools:

• Virtual Router (Codeplex)
• Connectify

Please note: at least for Virtual Router, there’s a (short) wireless network card short compatible list.

Upgrading HTC Hero to Android 2.1

I’ve finally upgraded to Android 2.1 the HTC Hero (T-Mobile G2) I’ve been using. For the most part this is a safe process, and the chances to brick it are virtually none (if understand it correctly !…).

Here’s the guide I’ve followed: [Guide] Complete Newbie Guide to Install a Custom Rom [Updated 16/07]. And yes, I had to “Goldcard” it…

I’ve tried out a few ROMs and stopped at VanillaEclair 5.0-build7 – for no particular reason. It worked, some of the others had some flaw that I’ve encountered, I’m afraid it wasn’t a very scientific decision...

For the little I’ve tested, I’ve I liked:

• The mail. Finally!
• VPN and proxy support.

What I didn’t like:

• Loosing the cool HTC apps and widget… oh well..

 

<update>

I’m afraid I couldn’t connect to my company’s VPN :(

<update>

32-bit ODBC drivers on a 64-bit machine

Today I had the need to install a 32 bit ODBC driver on my x64 Windows 7. After installing the driver, I couldn’t find it on the 32-bit ODBC administrator.

This tool only configures 32-bit native calls, for 32/64-bit environment we have to set it on %systemdrive%\Windows\System32\Odbcad32.exe. Here’s Microsoft’s support link, and here’s how to debug it on SSIS:

Microsoft Enterprise Library 5.0

It shipped! Here it is.

Here’s what’s new:

This major release of Enterprise Library contains many compelling new features and updates that will make developers more productive. There are no new blocks; instead the team focused on making the existing blocks shine, on testability, maintainability and learnability. The new features include:

• Major architectural refactoring that provides improved testability and maintainability through full support of the dependency injection style of development
• Dependency injection container independence (Unity ships with Enterprise Library, but you can replace Unity with a container of your choice)
• Programmatic configuration support, including a fluent configuration interface and an XSD schema to enable IntelliSense
• Redesign of the configuration tool to provide:
  • A more usable and intuitive look and feel
  • Extensibility improvements through meta-data driven configuration visualizations that replace the requirement to write design time code
  • A wizard framework that can help to simplify complex configuration tasks
• Data accessors for more intuitive processing of data query results
• Asynchronous data access support
• Honoring validation attributes between Validation Application Block attributes and DataAnnotations
• Integration with Windows Presentation Foundation (WPF) validation mechanisms
• Support for complex configuration scenarios, including additive merge from multiple configuration sources and hierarchical merge
• Optimized cache scavenging
• Better performance when logging
• Support for the .NET 4.0 Framework and integration with Microsoft Visual Studio 2010
• Improvements to Unity
• A reduction of the number of assemblies

How to simply starve your windows forms app

I was rewriting on .NET 4 some of our internal benchmarking tools (ok, a cooler way to say I wrote a small utility to stress our components on high concurrent environments…), when I’ve deadlocked the… application itselfe!

Here’s what I’ve done:

            var tasks = Enumerable.Range(1, (int)numericUpDownNumberOfThreads.Value).Select(
                i =>
                {
                    var task = new Task(
                        () =>
                        {
                            Invoke(LogMessageDelegate, ">> I'm in:  " + i);
                            Thread.Sleep(new Random().Next(1000));
                            Invoke(LogMessageDelegate, "<< Bye bye: " + i);
                        }
                    );
                    task.Start();

                    return task;
                }
            ).ToArray();

            Invoke(this.LogMessageDelegate, ">> WaitAll");
            Task.WaitAll(tasks);
            Invoke(this.LogMessageDelegate, "<< WaitAll");

The way the Invoke method works is quite simply by sending a message to the correct thread, and if there is no message pumping no one will process the message. The solution was evolving on yet another thread:

            new Task(
                () =>
                {
                    var tasks = Enumerable.Range(1, (int)numericUpDownNumberOfThreads.Value).Select(
                        i =>
                        {
                            var task = new Task(
                                () =>
                                {
                                    Invoke(LogMessageDelegate, ">> I'm in:  " + i);
                                    Thread.Sleep(new Random().Next(1000));
                                    Invoke(LogMessageDelegate, "<< Bye bye: " + i);
                                }
                            );
                            task.Start();

                            return task;
                        }
                    ).ToArray();

                    Invoke(this.LogMessageDelegate, ">> WaitAll");
                    Task.WaitAll(tasks);
                    Invoke(this.LogMessageDelegate, "<< WaitAll");
                }
            ).Start();