Microsoft Windows

Microsoft loves Twitter; Windows developers aren’t as fawning

If HTML had an <IMHO> tag, I’d use it right about now: but I can’t help thinking as I read various articles about Microsoft bidding to power Twitter search that it’s a lot more enamored of Twitter than are many of its third-party developers.

</IMHO>

If you’ve been to a Microsoft conference recently, you may have noticed the Twitter notification screens it puts up before keynote speeches. They basically consist of differently shaped boxes, each containing a Tweet with the event’s hashtag, falling like Tetris pieces. (In case you’re wondering, the app that powered that was Flotzam.)

But at a DevCon I attended here in Boston not long ago, the Microsoft emcee kicked off the keynote by asking for a show of hands of Twitters in the crowd. Only a handful of hands showed.

I only recently jumped aboard the Twitter bandwagon (follow me @WinDevelopment), but it seems to me, anecdotally, that Windows developers are a bit behind — or some may say skeptical of — the Twitter trend. It’s clear Microsoft is trying to push them toward it, but many of them don’t seem impressed. That’s not to say that Microsoft shouldn’t try to power Twitter’s search engine: Twitter has decently strong consumer support, and that’s something Microsoft wants regardless.

But I do wonder why Windows developers, who are on the whole a fairly tech-savvy bunch to say the least, haven’t embraced this latest child of Web 2.0. One of our in house Twitterati, Alex Howard, has an interesting observation that may explain it: Microsoft’s Twitter account has zero updates and isn’t branded, meaning it’s likely being Twittersquatted. Amazon, by contrast, has 93 updates, and Google has 152; the three companies have 67, 1,128 and 362,550 followers, respectively.

To be fair, Microsoft has other accounts that are more active, like MicrosoftVSTS. But without a unified front on Twitter, how can the company expect its developers to see the site as serious business and not just the latest Web toy?

Developing Windows 7 apps in managed code

Windows 7 has some great new UI improvements. I use it as my main (in fact, only) OS at home, and I downright miss it when I come to the office and muddle through on my XP laptop. I haven’t felt like this about a windowing system since I discovered virtual desktops on Linux and started yearning for them on Windows. (Ahem, Windows 8, I’m looking at you.)

There’s just one problem: many of the new features need application-level support to really shine, and the code samples in Microsoft’s beta Win7 SDK are mostly for unmanaged code. Microsoft has a “Windows Vista Bridge Project” that provides managed wrappers for unmanaged APIs, but it doesn’t include the Windows 7 APIs yet.

In short, learning how to use Windows 7’s newest features isn’t easy if you’re writing managed apps.

Come Microsoft to the rescue: the company has been putting out .NET interop libraries that provide just that wrapping. The libraries are unsupported, but developers itching to get a jump start on Windows 7 development should find them helpful. Microsoft’s Windows 7 technical evangelist Yochay Kiriaty highlighted some of these Windows 7 code samples on MSDN, along with copious links.

Worst Microsoft product name

On a lighter note…

PC World published a fun little piece yesterday in which they listed the 10 worst product names ever to come from Redmond. There were some interesting picks, but they missed the first thing that came to my mind. This one’s not really Microsoft’s fault — they’re just using a popular acronym that happens to have been poorly thought out.  But still, I humbly submit as the 11^th worst Microsoft product name ever: Microsoft Dynamics POS.

As in: “Hey Bob, did you get a chance to install that new POS from Microsoft yet?”

Microsoft addresses Windows 7 security hole — partially

Microsoft has announced that it will be fixing a UAC security flaw in Windows 7, but the new system still leaves open one of the biggest security holes: people.

A few days ago, I mentioned that Microsoft was getting some flak for a security flaw in Windows 7’s implementation of UAC. In an effort to cut down on superfluous prompts, the default in Windows 7 is to not warn users about changes to system settings. The problem is that UAC’s settings are system settings, so a crafty hacker could silently silence UAC. The hacker’s code can now elevate to Administrator privileges without warning, thus defeating the whole point of UAC.

Microsoft’s initial attitude was that this is how things should work, much to the consternation of many developers. Yesterday, the company relented; UAC settings will now be a special case that always requires user approval in the form of that dreaded UAC prompt.

That’s all fine and good, but it doesn’t address social engineering, which is still one of the biggest problems facing desktop applications. The MSDN blog entry addresses this without quite emphasizing it:

We have also heard of security concerns that involve multiple steps to demonstrate a potential exploit. It is important to look at the first step—if the first step is “first get code running on the machine” then nothing after that is material, whether it is changing settings or anything else.  We will treat very seriously the ability to get code on a machine and run without consent.

The problem is that users tend to consent to everything. It’s a well-known phenomenon, and even most power users tend to power through confirmation prompts with just a cursory glance. Having used Vista and Windows 7 as my primary OSs, I can say that the UAC prompts are not all that helpful —they tell you that something needs Administrator privs, but that’s a very broad statement. Click “yes” for enough installers, and you may not notice when UAC actually catches something.

Perhaps what’s needed is a two-tier UAC prompt that distinguishes between commonly-used privileges and rarer or more critical ones. Most actions will get the basic prompt, which would look much the same as today’s UAC, but the higher-importance prompts would warn users that unless they really know what they’re doing, “no” is probably the safer bet.

In other words, don’t just give the dry facts: help people interpret them. The Achilles heel of most prompts is that users don’t know what to do with them. A two-tier system would solve this by telling users, “it’s probably safe to confirm if you trust this vendor” or, “if you don’t really know what this means, we suggest denying the request.”

Windows 7’s UAC has a security flaw

A couple blog entries ago, I mentioned that among Windows 7’s improvements is a fix to the user account control (UAC) functionality introduced in Vista. UAC was always a good — and overdue — idea, but Vista’s implementation was annoyingly chatty. Windows 7 would fix that, I wrote.

A security hole in Windows 7’s UAC has been found that uses a script to disable future UAC warnings, according to blogger Long Zheng. I haven’t tested it yet (our work machines still run XP), but Zheng’s blog entry includes proof-of-concept code. According to the blog, the issue had previously been marked as a bug on Microsoft Connect, but Microsoft closed the issue as “by design.

The easy fix is to set your UAC warning level to always ask for confirmation, even if it’s just to set system settings. That means malicious code won’t be able to disable UAC behind your back, but it also  means UAC will be back to its annoying Vista persona.

Let this be a reminder to us all: convenience and security are often at odds.  The problem is that too many warnings are also a problem, as users are apt to just click “yes” without reading your warning message. Striking the right balance between giving users power, giving them options, giving them convenience and giving them security is always difficult.

Microsoft’s open source projects may help it sell software

If you’re linking to outside JavaScript code in your Web pages, you’re probably (hopefully!) aware that there are certain security risks. Microsoft’s Scott Isaacs talked about the problem at a session at PDC 2008 and said there are essentially two ways most sites handle this threat: some ignore it and hope for the best, while others bring in IFrames — which have their own problems, like clickjacking.

The problem remains unsolved, but one approach Microsoft is trying is a new technology called Web Sandbox, which it announced at PDC. The Web Sandbox is a server-side program that retrieves outside scripts, transforms them to make them secure and embeds them directly to the HTML. You can see Isaccs’ complete talk explaining how to use Web Sandbox on Channel 9.

Which brings us to today’s news: Web Sandbox is now being released as open source, under the Apache License 2.0. What’s interesting here isn’t just that Microsoft is continuing its overtures into OSS, but that it’s continuing to do so primarily on the Web front. Two of its other major flirtations with open source have been its support of jQuery and its release of the code for its business-oriented Silverlight controls.

I don’t think anybody is accusing Microsoft of being altruistic, so I won’t bother making the case that this is an obvious example of “if you can’t beat ’em, join ’em.” But it seems to me that Microsoft’s open source strategy hinges on being open on the Web and sticking with proprietary software everywhere else. Pricing for Windows 7 hasn’t been released yet, but I’m guessing it’ll cost more than Ubuntu.

That two-pronged approach makes a lot of sense. The Internet has always been free to use, and if people aren’t going to pay for your software, you may as well give away the source. Desktops and enterprise apps, on the other hand, still provide major sources of income for software vendors.

For Microsoft to stay relevant as a software company, it has to continue to attract top developers, both to itself and to the ISVs who develop for Windows. Playing nice with OSS on the Web may help Microsoft keep up with the cool new upstarts so that it can continue to make money where there’s money to be made.

Obama’s inauguration will be streamed with Silverlight

When millions of eyes tune in to see president-elect-but-about-to-be-President Obama’s inauguration at noon on Tuesday, Microsoft will be working behind the scenes. The Presidential Inaugural Committee (PIC) will be streaming the Obama inauguration live using Silverlight, Microsoft announced today. The stream will be available at the PIC’s website.

The inauguration will be the biggest event that we know of to be broadcast using Silverlight 2 since it came out of beta in October. This announcement is good news for Microsoft, given that MLB announced in November that it would be switching from Silverlight back to Adobe Flash.

Microsoft executives have donated heavily to the inauguration: Bill Gates and Steve Balmer each gave $50,000 for the event, and other executives also donated five-figure sums. Microsoft also donated to the Obama campaign heavily during the election, giving it $2,124,186 — over twice what it gave to the McCain campaign, according to opensecrets.org. Most of that money came from individuals, so it doesn’t look like the company overtly bought what will likely turn out to be a huge surge in Silverlight downloads. But with Adobe not even appearing on opensecrets.org’s “heavy hitters” list, I can’t help but wonder if Microsoft’s generosity helped it get this event.

Microsoft extends Windows XP availability, but layoffs on the horizon

Here’s what we’ve been seeing around the Web…

Microsoft extended Windows XP’s lifespan for OEMs who want to put it on low-end machines. Manufacturers have until the end of January to put in their orders, which can get them XP licenses through May. The move seems to support Windows-based netbooks, low-end laptops primarily designed for browsing the Internet, by letting those computers use the less resource-hungry XP.

But higher-end computers got to see a better glimpse of the future when a beta of Windows 7 was leaked. Torrents of Windows 7 started spreading late last week, but the leak may be good news for Microsoft: early reports say that Windows 7’s development is farther along than that of previous betas of its Windows line.

Continued »

Microsoft patches critical IE bug, warms up to open source software

Here’s what we’ve been seeing around the Web…

Microsoft was hit hard by a zero-day Internet Explorer bug late last week. The bug affected IE versions 5 - 8 and let hackers run code remotely. Microsoft’s initial advice was to change security settings to “High,” thus disabling scripting. The company issued a patch for IE on Wednesday, prompting discussions about whether IE’s auto-upgrade feature is less robust than other browsers’.That was in addition to another critical bug that targeted WordPad’s handling of Word 97 files. That bug made it possible to hijack systems if Word 97 files are opened in WordPad, as might happen on systems that don’t have Microsoft Word or other office suites installed.

Microsoft also continued its slow-but-steady warming to open source. The company hired an open source liaison, although Microsoft senior director Robert Duffner also said that the Microsoft isn’t trying to promote OSS to its customers.

And a Russian entrepreneur tried to get a monopoly on snark when he trademarked the winky emoticon, ;-). Close derivations, like noseless winkies, may also be covered.

Happy holidays and new year!

News Roundup: Release dates announced for Vista SP2 beta and Win7 beta

Here’s the Microsoft news we’ve been seeing around the Web….

The big headliners this week were release dates for two Windows OSs from Microsoft, both betas. The first, Vista SP2, came out yesterday; even before it came out, sites were writing about Vista SP2 beta’s new features. The release is expected to go RTM in April 2009.

Separately, the first beta release for Windows 7, the operating system’s major release, was rumored to be set for January 13. That came from a blog comment by Microsoft employee Keith Combs.

But those two news items came with a damper: market share for Windows dropped below 90% for the first time, and Internet Explorer’s market share dropped below 70% as Firefox grabbed a record high of over 20%, according to Net Applications.

Continued »