MIXing Bowl

Microsoft's MIX07, the touted 72-hour conversation with Web developers and designers, is drawing to a close as you receive this. The Las Vegas-hosted conference was first launched last year, but quickly rose close to the top of the Microsoft road tour stack, thanks in part to Redmond's frantic Web development tools efforts. From ASP.NET AJAX to Expression Studio to Silverlight, Microsoft has been working in overdrive the past year-and-a-half.

The MIX07 event certainly reflected that. While an awful lot of news has trickled out over the past six months, Ray Ozzie and crew were able to hit a few long balls. Among them: news that the next version of Silverlight (formerly code-named "WPF/E") will support the Common Language Runtime (CLR) of .NET, as well as dynamic languages like Ruby.

What's clear is that Silverlight is not simply a media play. Instead, Microsoft is aiming to take its managed code environment to the broader Internet. With Silverlight as a target, .NET developers can use the same skills (and much of the same code) that they employ to build Windows applications to build rich Internet applications.

Also announced was the Microsoft Silverlight Streaming service, a free online hosting service that will allow developers to serve their Silverlight content off Microsoft servers at no charge. Obviously, the service is an effort to nudge Silverlight out of its cage and get it into the wild.

Executive Web Editor Michael Domingo was at the show and managed to track down several key Microsoft representatives. You can find out more about his reporting and that of our news editor Chris Kanaracus in the special MIX07 coverage, in the May 15 issue of Redmond Developer News magazine.

What are your impressions of Microsoft's MIX07 activities? Has Redmond hit critical mass with its Silverlight effort? Write me at mdesmond@reddevnews.com.

Posted by Michael Desmond on 05/02/20070 comments


Most Definitely Digging This

I love digital rights management (DRM), honestly I do. Never has a technology forced so much inane drama onto so many. Every time I turn around, it's something new. Whether it's Sony dropping rootkits (rootkits!) onto its audio CDs or Steve Jobs, the most successful purveyor of DRM on the planet, abruptly posing as a champion for unencumbered online music sales, I know that every morning, the wonderful world of DRM will surprise and amuse me.

So I experienced no small amount of glee watching Kevin Rose and his massively popular Digg.com community site wrestle over the issue of publishing the hexadecimal code used to crack the AACS encryption on HD-DVD movies and content.

Now, like most of you, I expected Digg to salute the establishment with a grand middle-finger salute and allow its members to freely publish the hex string in every post and comment. Instead, in response to a cease-and-desist letter, Digg began deleting posts and nuking threads that displayed the offending digits. And just like that, the game was afoot.

Digg posters began posting and reposting the proscribed hex code. And by 9 p.m. yesterday, Kevin Rose posted a mea culpa, saying that he would respect the will of Digg subscribers who would "rather see Digg go down fighting than bow down to a bigger company."

So Digg won't squelch posts containing the AACS hack. And the surreal comedy that is DRM is sure to enjoy another rousing act. Most telling, though, is Rose's last comment: "If we lose, then what the hell, at least we died trying."

What do you think? Is Rose right to ignore the cease-and-desist letter, even if it means risking a sizable lawsuit? And if Digg gets dropped by legal action, what does it say about the future of technical speech in public venues, forums and the Internet? E-mail me at mdesmond@reddevnews.com.

Posted by Michael Desmond on 05/02/20070 comments


Caught in a Legal .NET

Big companies like Microsoft and Intel can attract lawsuits like a mosquito trap on a hot summer evening. After all, when you have the technology footprint of Sasquatch, you're bound to stomp on the occasional patent or two.

At least, that's what Vertical Computer Systems contends. In a suit filed a week ago today, Vertical complains that Microsoft infringed on a patent for a "system and method for generating Web sites in an arbitrary object framework." (You can also find a minimally informative press release regarding the lawsuit here.)

The system and method in question is Vertical's SiteFlash, an XML-based technology that (and I quote) "separates the key elements of complex Web sites -- form, content and functionality -- into individual components." It's classic componentization, separating out domains so that changes can be made to individual components independently.

There's no word on how much merit this action might have, or if Microsoft will need to actively defend itself. But if the years-long battles with the U.S. Department of Justice and European Union have proven anything, it's that Microsoft is not afraid of a court challenge.

Are you surprised that Microsoft's .NET Framework is drawing legal scrutiny? Write me at mdesmond@reddevnews.com.

Posted by Michael Desmond on 04/25/20072 comments


Secure Your Code

Microsoft technical fellow Michael Howard has probably forgotten more about secure software development than you or I will ever know. During a recent interview, the man behind Microsoft's strategic Security Development Lifecycle (SDL) program and the co-author of the book Writing Secure Code told me that young programmers entering the industry are simply not being trained about security issues.

"Really good software engineering skills are in incredibly short supply. We see that when we hire engineers out of school. They know nothing about building secure software," Howard told me. "They don't know the issues -- it's as simple as that. They don't understand the issues."

This is a lament I've heard before, and one that extends forward to deep concerns about the general state of corporate software development. Internal development shops are simply not doing enough to harden their code, particularly in an era when attacks are increasingly moving to the application layer.

Howard points a finger at universities that fail to integrate security concepts into their computer science curricula. He also singles out corporate development shops for failing to address secure development concepts, both from a training and operational standpoint. And that's not the worst of it, says Howard.

"You know, the most dangerous thing is the number of people who think they know how to build secure software, when they don't. That's the scary thing," he said.

Is Michael Howard on to something? Tell us what your company is doing to secure code against attacks and vulnerabilities, and how flawed development might have helped create a crisis in the past. Write me at mdesmond@reddevnews.com.

Posted by Michael Desmond on 04/25/20070 comments


Make Way for Orcas

Soma Somasegar and Prashant Sridharan are a couple of the heavy-hitters behind the Visual Studio IDE. The two, along with program manager Amanda Silver, made their way through some truly awful weather to meet with us in our Framingham offices and talk about the imminent beta 1 release of Visual Studio "Orcas."

Rumors that Orcas could slip to May 15 and beyond seem to be off the mark. In fact, the beta is likely to be available very soon -- within the next few days. You can find information about Visual Studio Orcas here.

One thing is certain: Beta 1 is going to be a significant event for Visual Studio developers. There is a raft of important new technologies represented -- from the ASP.NET AJAX tooling to XAML support for working with WPF and sharing projects with Expression Studio designers, to code support for Language Integrated Query (LINQ) for advanced, programmatic data access. And that's honestly just scratching the surface.

There will be more CTPs and, Somasegar says, at least one more public beta before Orcas ships. We're told the WPF Designer (code-named "Cider") module will get a lot of work after the upcoming beta. Also, word on whether the final version of Visual Studio Orcas will include tooling for Silverlight (previously "WPF/E") won't emerge until the MIX07 conference starting on April 30.

Still, for the moment, the upcoming beta 1 gives Visual Studio early adopters plenty to work with.

Do you plan to start working with the Orcas beta 1 right away? We want to hear your takes and publish them in our next issue. Write me at mdesmond@reddevnews.com and tell us your thoughts on the beta.

Posted by Michael Desmond on 04/18/20070 comments


Silverlight: Alphabet Soup No More

As Microsoft product code names go, "WPF/E" had to be among the all-time worst. Windows Presentation Foundation/Everywhere got its unfortunate nickname from Windows Presentation Foundation (WPF). The idea was to convey that WPF/E presents a subset of the incredibly rich graphics and UI environment delivered with WPF as part of Windows Vista and the .NET Framework 3.0.

Last week, Microsoft finally coughed up a name for WPF/E: "Silverlight."

If you find the title a bit underwhelming, join the club. Microsoft, of course, faced a tough task in putting a palatable moniker onto this vital technology. After all, WPF/E (I mean, Silverlight) is supposed to be a lot of things to an awful lot of people.

On the one hand, it's a decidedly Flash-like software runtime that installs on Windows and Mac PCs so that various Web browsers (IE, Firefox, Safari) can display video, animation, vector graphics and the like. On the other, it's a design and development target that will feature tooling and resources for crafting rich media for online delivery. And it's intended to cast its magic on everything from desktop PCs to smart phones.

One thing Silverlight won't do, though, is run on Linux -- at least, not yet. Interesting, that.

Silverlight seems to convey a couple things. One, the branding announcement came at the National Association of Broadcasters (NAB) show, and it's clear that Silverlight is intended to evoke the idea of the "silver screen." Look for Microsoft to push this technology early and often on studios, broadcasters and media providers of every stripe.

Second, Silverlight seems to convey a bit more of a "durable" presence than its nearest competitor, Flash. It's interesting to me that Microsoft passed on a catchy, single-syllable name (like, say, Spark) and went with a concatenation.

Ultimately, what really matters isn't the name, but the force that Microsoft can put behind Silverlight developers. Silverlight will find itself quickly installed on a ridiculous number of client systems, thanks to the wonders of Windows Update. But what Microsoft really needs to do is convince designers and coders that Silverlight is easier, cheaper and more effective to work with than Flash.

Can they do it? You tell me. What would it take for you to switch allegiances from Flash to Silverlight? Write me at mdesmond@reddevnews.com.

Posted by Michael Desmond on 04/18/20070 comments


Space Madness: Charles Simonyi Edition

As a guest columnist filling in for Doug Barney in Monday's edition of the Redmond Report newsletter, I opined on reports of former Microsoft executive Charles Simonyi's $20 million-plus orbital joyride on a Russian Soyuz rocket.

Since Monday, the man behind Excel, Word and, later, Microsoft Office has been kickin' it with astronauts on the International Space Station. In addition to helping perform sundry experiments on the station, Simonyi also showed up at the ISS door with a gift from Martha Stewart -- a gourmet dinner of quail, duck breast, chicken parmentier and rice pudding that was specifically prepared for microgravity.

One thing is certain. The ante for enriched ex-Microsofties has officially been upped. By about 220 miles. And it looks like Bill Gates may be taking the orbital bait, if the second-hand account from Russian cosmonaut Fyodor Yurchikhin is to be believed. You can read about it here.

Closer to home, NASA recently announced a program called CosmosCode, an open source project designed to bring together developers to work on software for future manned space missions. The idea is simple: Catch the kind of lightning in a bottle that helped charge popular software like Linux, Apache Web server, OpenOffice and Firefox.

You can find more information about CosmosCode at the NASA CoLab Web site here.

It's an intriguing concept, and one that brings up an interesting question. Would you want your space shuttle flight software provided by a distributed, open source project? More to the point, is there any software that shouldn't be developed under open source? Write me at mdesmond@reddevnews.com.

Posted by Michael Desmond on 04/11/20070 comments


Enterprise Library 3.0

Back in February, Redmond Developer News reported on the release of a community technology preview of Enterprise Library 3.0.

The software enables developers to streamline common enterprise application development tasks for .NET-aware projects and improve overall code quality. The final version of Enterprise Library 3.0 went live on Friday.

Tom Hollander, product manager in the Microsoft Patterns & Practices Group, says this latest version will prove much less troublesome to deploy than earlier editions of Enterprise Library, which had to keep pace with major changes to the underlying .NET Framework.

"It really just builds on what the two first major releases really provided. A lot of people are still wearing some scars, as we are ourselves, in the upgrade from Enterprise Library version 1 to version 2," says Hollander. "There were quite a number of breaking changes in that release. We are very pleased that the changes between version 3 and version 2 are much, much, much simpler."

Key updates to the new library include Validation Application Block, which integrates with Windows Forms, ASP.NET or WCF to provide data validation, and Policy Injection Application Block, which Hollander says "separates cross-cutting concerns from the core business logic."

Perhaps most interesting is the Application Block Software Factory, which Hollander says uses Guidance Packages or Guidance Automation to generate code within Visual Studio that conforms to a particular architectural style. Hollander says Microsoft will be releasing new software factories, though there was no information on what types of scenarios these might target.

For more information on Enterprise Library 3.0, visit the download page here.

Posted by Michael Desmond on 04/11/20070 comments


AJAX: Savior or Security Scourge?

"Computers have enabled people to make more mistakes faster than almost any invention in history, with the possible exception of tequila and hand guns." --Mitch Ratcliffe

After a recent announcement by threat identification and remediation tools vendor Fortify Software, maybe we should add AJAX to that list. The company says a security vulnerability could make AJAX-based applications susceptible to "JavaScipt hijacking," which lets unauthorized parties read private content within JavaScript messages. You can read all about it in Jeffrey Schwartz's article here.

Of course, JavaScript exploits are nothing new. In January, Adobe kicked off a bit of JavaScript madness with its thoughtless implementation of JavaScript in the ubiquitous Acrobat browser plug-in. The setup pretty much opened the floodgates to phishers -- all they needed to do was get someone to click on a valid PDF file link.

But Brian Chess, co-founder and chief scientist at Fortify, says this is not your father's browser-based security problem. "It's not a new name for an old kind of problem. This is a new JavaScript-related problem that arises in AJAX-style applications," Chess said.

At issue are the AJAX frameworks and client-side libraries used for AJAX development, which Fortify found are often not designed to prevent JavaScript hijacking. The Microsoft ASP.NET AJAX tool (code-named Atlas), Google Web Toolkit and libraries such as Prototype, DoJo and Yahoo! UI are all affected, says Fortify.

The good news? Patching the hole should be quick work for tool providers, and developers can certainly prevent private information from being transmitted without authentication. Of course, all this argues back to the biggest issue with JavaScript and, going forward, AJAX. That is: In an era of intensely connected applications, you cannot afford to write crappy code.

What do you think? If we set down the hand guns and tequila bottles and focus on writing good code, can we ever hope to avoid calamitous mistakes? How is your company making sure its AJAX code isn't vulnerable? E-mail me at mdesmond@reddevnews.com.

Posted by Michael Desmond on 04/04/20070 comments


Worse Than Failure

I spent a little time this week speaking with Alex Papadimoulis, better known as the man who runs TheDailyWTF.com, recently renamed "Worse Than Failure." His site recounts tales of disastrous development, from project management gone spectacularly bad to inexplicable coding choices. Over the past three or four years, Alex has seen a lot of bad programming, and he offers a few solutions in an interview to appear in the April 15 issue of Redmond Developer News.

"It's amazing. It's kind of disheartening to see how this is just so common in the industry," he says of the epic programming meltdowns. "It really shows that the industry as a whole has a lot of maturing to do. We're getting there. But it's the same pattern, time and time again."

Papadimoulis says programmers are often their own worst enemy, creating overly complex systems to solve problems that haven't emerged yet. His solution? Simplify. Focus on the challenge at hand, rather than build lofty frameworks and systems in the hope of shortcutting an issue down the road.

Is it frustrating, watching allegedly smart people make the same mistakes over and over? Absolutely, says Papadimoulis.

"At the same time, we can have fun laughing at it because we all have the same experience each day. And there's a lot of take-away to these stories and how to avoid these things yourself," he says.

Have you learned from bitter experience? We'd love to hear your stories of great WTF moments in development. Maybe, just maybe, you can save one of our readers from making the same, tragic mistake. Write me at mdesmond@reddevnews.com.

Posted by Michael Desmond on 04/04/20070 comments


Visual Studio Turns 10

Being the father of a 10-year-old son, I know a thing or two about the frustrations, joys and pride that come from a decade of parental toil. So I think I might have some clue how Prashant Sridharan, senior product manager for Visual Studio at Microsoft, felt on Tuesday, when he gave a keynote speech about Visual Studio at the VSLive! conference in San Francisco. I spoke to him soon after that speech.

"I've been around all 10 years -- I started out as a peon," he recalled. "Ten years ago the idea was let's build one unified environment for all developers. Let's build one integrated environment that would enable you to share services across your projects and your language types, et cetera."

What started with Visual Studio 97 as a decidedly kludgy solution (he describes languages like J++ and Visual InterDev being "sort of glommed on") has grown remarkably in 10 years. Today, Visual Studio is a well-integrated and expansive tool that allows for powerful plug-ins, rich features and guidance, and increasingly comprehensive language support, as witnessed through the emergence of Visual Studio tools for Ruby, PHP and other dynamic languages.

Of course, a lot of effort lately has been expended in stretching Visual Studio both out and up. Various Team System flavors of Visual Studio have helped rope in critical project tracking and management activities. And recent extensions to the brand -- like Visual Studio Tools for Office and Visual Studio Tools for Applications -- are bringing the development interface to new classes of users.

What's next for Visual Studio? Obviously Orcas, which should finally pay off on the foundational promise of .NET Framework 3.0 when the new IDE emerges late this year or early next. Orcas remains months away, but like a parent who worries about his 10-year-old's college prospects, I couldn't resist asking Sridharan what's next.

"I don't even presume to know of programmer productivity level -- Anders Hejlsberg productivity level -- that is going to happen. But I can trace the meta trends of the industry," Sridharan said. "Larger and larger software teams, and larger and more complex products will come out. More geographically dispersed development teams. More complex projects. I look at the size and scope and complexity of teams, and it is going to create a lot of problems in the software development process."

Did you use Visual Studio during its early years? We'd love to hear how Microsoft's IDE has evolved in the past decade. E-mail me with your takes at mdesmond@reddevnews.com.

Posted by Michael Desmond on 03/28/20070 comments


Welcome to the Sunset Grill

They say bad news always comes in threes, and for loyal developer groups that could be the case. When Visual Basic 6 is fully retired
in March 2008, it will be the last version of VB not slaved to the managed code model of .NET. While the tools will still work and VB6 apps would continue to run, the "retirement" of VB6 means no more updates, fixes, patches and upgrades to meet emerging platforms.

Then came the news last week that FoxPro, the uniquely capable data-savvy development platform, would see its last tweaks with the "Sedna" project and the Visual FoxPro Service Pack 2 release. There will be no version 10, says Microsoft, though the Sedna extensions and other components have been released into the wild as open source code.

So I shouldn't have been surprised when Burton Group analyst Peter O'Kelly mentioned that Visual Basic for Applications (VBA) could be next. The long-running macro and programming tool for Microsoft Office has been sharing the stage with Visual Studio Tools for Applications and Visual Studio Tools for Office. But with Microsoft working overtime to turn Visual Studio into the ubiquitous face of Windows-based development, the writing has been on the wall.

We're working on a feature now that talks about these retirements, what they mean for developers and what strategies dev shops can take to adjust to the changes (including migrating to new languages and tools). We'd like to feature your experience and insight. Write me at mdesmond@reddevnews.com, and you could be featured in an upcoming issue of Redmond Developer News.

Posted by Michael Desmond on 03/28/20070 comments


Subscribe on YouTube