Security: Let's bank!

Posted by Darin Rousseau

I know that when developing software for Windows Vista, several companies out there are still adding something like "If UAC is turned on, you will want to ... <insert steps to turn off UAC here>" in their manuals.

Here is something worse that I had the fun of working with last week: credit card processing software. The software connects using a socket to a port at the bank and allows a company to process credit card transactions. Pretty simple, really. However, even the banks can't seem to get security right on such a simple application. (So far, a week's worth of work in our labs could yield a similar product with proper security - it isn't rocket science...)

From my day of working with the installer, application and tech support, the application fails the following of my security checks (and we haven't even been able to get it running yet on the system - and the bank's support is dumbfounded about it, of course...):

  1. The support person on the phone asked me to allow users to read and write the whole program directory. (It self-updates, apparently, and stores all of its transaction files in the same directory.)
  2. I asked if I should open TCP or UDP port xxx on the corporate firewall for the application to communicate. The result was: "Just to be safe, open them both." Another technician said "It shouldn't matter" and a third seemed to know it was just TCP.

The first issue is Windows programming 101. Directory permissions (and those on almost every resource controlled with a HANDLE) are set up to secure data and the operating system; in this case, the program data itself. When the program directory is marked read/write, a malicious user could add a new .EXE that would create a keyboard hook, launch the real .EXE and have access to ALL the credit card data entered. The accounting department would never know it happened, and neither would the directors of the company (who signed the "we are responsible for all transactions" contract...)
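One way to check a program directory for this condition, as an added example that is not from the bank's software or its documentation: the Python below parses the SDDL form of a directory's security descriptor and lists the allow entries that give a non-administrative account write-type access. It assumes the SDDL string was obtained with something like (Get-Acl <directory>).Sddl in PowerShell; both sample strings are constructed.

```python
import re

# Trustees expected to hold write access: SYSTEM, Administrators, TrustedInstaller.
TRUSTED = {"SY", "BA", "S-1-5-18", "S-1-5-32-544",
           "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"}

# SDDL two-letter rights and their access-mask bits.
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# Add file, add subdirectory, delete child, DELETE, WRITE_DAC, WRITE_OWNER,
# GENERIC_WRITE, GENERIC_ALL: any of these lets the holder plant or swap a binary.
WRITE_MASK = 0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000

def parse_rights(text):
    """Rights are either a hex mask or concatenated two-letter codes."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]   # an unknown code raises KeyError on purpose
    return mask

def risky_aces(sddl):
    """Return (trustee, mask, inherited) for allow ACEs that grant write-type access."""
    dacl = re.search(r"D:[A-Z_]*((?:\([^)]*\))*)", sddl)
    if dacl is None:
        raise ValueError("no DACL section in SDDL string")
    found = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        ace_type, flags, rights, _, _, trustee = ace.split(";")[:6]
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        # Inherit-only (IO) entries do not apply to this object; check the children too.
        if ace_type != "A" or "IO" in flag_set or trustee in TRUSTED:
            continue
        mask = parse_rights(rights)
        if mask & WRITE_MASK:
            found.append((trustee, mask, "ID" in flag_set))
    return found

# Constructed samples: a default-style ACL, and one where Users (BU) were given Modify.
LOCKED_DOWN = "O:BAG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)(A;OICIIO;GA;;;CO)"
AS_REQUESTED = "O:BAG:SYD:AI(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICI;0x1301bf;;;BU)"

if __name__ == "__main__":
    for name, sddl in (("locked down", LOCKED_DOWN), ("as requested", AS_REQUESTED)):
        print(name, [(t, hex(m), inh) for t, m, inh in risky_aces(sddl)])
```

Run it against the directory and against each executable inside it, since an entry inherited by the files is what allows the real .EXE to be replaced.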

Now the network traffic isn't such a problem. There has only been one instance that I can recall of a staff member port-scanning a firewall to see what ports they could connect outward with, and then using that port to proxy web traffic. But still, a bank should know the absolute minimum configuration without any question. The software already has some requirements that make it seem like they are paying attention, claiming within the documentation that both antivirus and a firewall are necessary.

I guess you have to use them.  You have to detune your system, end of discussion.  I can't receive credit card numbers and process them without having some bank connection.  And, I have to de-tune my systems to allow unsecured access to the programs, yet even sign a document saying that I will keep everything secure.

Banks: 1, Customers: 0

Google Mountain : $=top

Posted by Darin Rousseau

I often am asked "what do you think about..." and other similar types of questions.  One that was particularly interesting was a presentation to a group of independent salespeople about web marketing.  The claim in the meeting was "we can get your web page to the top of Google" and most of the salespeople left the meeting having signed up on the thought of being on top.

I had to wonder.  Since the salespeople were all wanting to be on top - and most of them live in the same place, have the same type of businesses and want the same keywords, how was this company going to get their pages all to be the top listing - guaranteed?

The answer is that they cannot do it for those common "normally" looked up keywords.  The marketers have to separate the keywords and choose something significantly different, such as the client's name or the client's slogan.  You just can't have everyone on the top listing at the same time for the same thing.  (And, if they promised they could do just that, it would mean that they would have to bump the previous client that was at the top - a client that had paid and now was going to have to pay again  [... and again...])

If the web promoter used the client's name, more often than not, they were already at the top to begin with. For nine out of ten names out of some of the attendees of the meeting, I found this to be the case already.

I don't think that all internet marketing is a scam - internet marketing takes careful design and implementation and definitely some hefty work to get right.

The only way to beat the scams is to ask questions and research.  Make the scammers work so hard that it isn't worth their time, or your money.

Think outside the box : Microsoft Tag

Posted by Darin Rousseau

We found a Microsoft technology recently that sparked some interest for anyone with information to reveal, called Microsoft Tag.  The basic idea is that on your camera-enabled mobile phone, you install an application that can read tags.  When you see a tag in the future - you use your phone to scan the tag, and the phone browses a website, or dials a number, or does something else based on the tag itself.

Some other technologies have been attempting to use Near Field Communication where other electronic equipment is involved, but this is a highly simplified way of doing it - and what we feel is currently the cheapest.

The idea isn't new - cash registers do it with bar codes already, shipping companies do it to track packages. The difference is that the bar code in this case has been separated from just a scanner/database and has been linked with phone functions that anyone can use regularly. Microsoft even went further to design something that could be completely customized, so it doesn't even look like a traditional bar code on a package. (The image on the left of the balloons is actually a bar code!)

For one of our Real Estate customers, it meant that people with supported smart-phones could scan a for-sale sign and instantly be directed to the mobile portal of the agent's website - with information about the house, images, etc. Further to that, once the listing information is downloaded, a user can tap a link on the web-page to dial to request an appointment.

Admittedly, there is a chicken and egg situation forming with the technology that may be insurmountable in making the technology viable everywhere.  The tag reader application has to be on the phone to read the tag - and most people would not install the tag reader until tags were common, tags not being common because nobody has the reader, etc. 

Marketing something with new technology however may mean a new audience and new clients - in this particular case, technically intrigued clients that normally would have passed the sign by without giving it a look.  Now, they have something interesting to try.

(Within the next 30 days, if you are in the Deep South of Calgary, check out 1336 Shawnee Rd SW, North at the light off James Mckevitt Rd. with your Tag-enabled smartphone.)

Virtual Glass Images on the fly : Part 1

Posted by Darin Rousseau

I am sure that you have personally witnessed the new trends in UI.  Everything seems to be 'glassy', reflective or whatever the term is these days. 

I think it was Apple that first mass-produced virtual glass on iTunes in their CoverFlow control - but it has been in other applications and now all over the web.  I recently had a requirement within one of my web projects that asked for glass - but it had a twist.  The client also wanted the site to be able to be themed.

Creating a shadow in an object in code is simple - you take the image, add some space to the bottom, flip the image and draw it upside down, add a gradient from partially opaque to the background color as you go down, and, you have a fancy, glassy, faded shadow!  

But what if you can't determine what the background is at runtime, for example like on a website?  This is the exact problem with themes and glass together.  The design of the site meant that anything could be a background - even another image.  I could never use a project like Kel whipped up on CodePlex - because I can't pass in a background Color parameter, since I don't know it.  I could have forced the theme to a consistent color, but that would be limiting, and potentially not what the client wants. 

Our next course of action was to see if Internet Explorer and the other browsers could handle Alpha-Blending in the PNG format, since PNG is one of the formats that supports alpha. (JPG and GIF don't, although GIF can have fully transparent sections.)  Luckily, most modern browsers could. 

The final challenge - how do you get an alpha-blended shadow in an image?

I went back to some Windows Mobile code that I had worked on that I had based on another article on-line (where, oh where did that article go?)  - where I copied the alpha from a GradientFill stencil. The basic process for the entire operation is as follows:

  • Take the original image and resize it to add space for the shadow.
  • Draw the original image at the top
  • Rotate the original image 180 degrees and flip it.
  • Draw the "shadowed" image under the original.
  • Create a new bitmap as a stencil
  • Draw a GradientRect with alpha blending
  • Lock the bits of the stencil
  • Copy the bitmap bits into an array
  • Lock the new image, put the new image bits into an array
  • Copy the alpha channel from the stencil to the new image.
  • Release the bits for the new image.
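The steps above, sketched as an added example (this is not the source promised for part 2): plain Python lists of (R, G, B, A) tuples stand in for the locked bitmap bits, and the function names are made up for the illustration. Only the alpha channel comes from the gradient stencil, so whatever background the theme supplies shows through the fade.

```python
def make_stencil(width, height, top_alpha=128):
    """Gradient stencil: alpha falls linearly from top_alpha (first row) to 0 (last row)."""
    rows = []
    for y in range(height):
        alpha = top_alpha * (height - 1 - y) // max(height - 1, 1)
        rows.append([(0, 0, 0, alpha)] * width)
    return rows

def add_glass_reflection(image, shadow_height, top_alpha=128):
    """Return a taller image: the original on top, a mirrored alpha-faded copy below."""
    height, width = len(image), len(image[0])
    shadow_height = min(shadow_height, height)

    # Resize and draw the original at the top.
    canvas = [list(row) for row in image]

    # A 180-degree rotation followed by a horizontal flip is a vertical mirror:
    # the bottom row of the original becomes the first row of the reflection.
    reflected = [list(image[height - 1 - y]) for y in range(shadow_height)]

    # Stencil bitmap holding the gradient.
    stencil = make_stencil(width, shadow_height, top_alpha)

    # Copy the alpha channel from the stencil and leave RGB untouched. Scaling by
    # the pixel's own alpha keeps transparent source pixels transparent; for an
    # opaque source (alpha 255) this is exactly the stencil's alpha.
    for y in range(shadow_height):
        for x in range(width):
            r, g, b, a = reflected[y][x]
            reflected[y][x] = (r, g, b, a * stencil[y][x][3] // 255)

    return canvas + reflected

if __name__ == "__main__":
    # Constructed 2x2 opaque sample image.
    sample = [[(255, 0, 0, 255), (0, 255, 0, 255)],
              [(0, 0, 255, 255), (9, 9, 9, 255)]]
    for row in add_glass_reflection(sample, 2):
        print(row)
```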

... Stay tuned for part 2 and source...

Software is changing

Posted by Darin Rousseau

I had a chat with some former colleagues the other week, and was reminiscing about the days of old. We happened to discuss the days when Kernel versions were held and never changed. In fact, any company playing with our very stable kernel version 1.3 would have some testing to do before we would adopt the new 1.4 version with something-or-other added to it.

Times have changed, or at least in my new client and working environment.  Now, needs decide the kernel and focus has left the "don't you dare change my kernel or-else" stance to one of "well, if it squeezes some power out of the processors, I will look at it."

In fact, I like what is happening. I like the change. I like taking hardware and running the OS of the day, then upgrading it and finding it runs about twice as fast. To me, that is like putting updated software in my car and getting twice the speed, and twice the economy. (I wish my car would do that.) I like feeling like there is a something-for-nothing equation in place, and perhaps only in software - it is possible and is happening more and more. I think improvements should occur. At the risk of signing my own death warrant, perhaps this model of software should be annually paid for in favour of speed and other updates - never having to purchase upgrades again.

Ok, wait - let me clarify.  I support that licensing model ONLY if I get something out of it.  If the OS or software using this model becomes stale and I am paying annually for absolutely nothing in return - forget it.  I do that now with other licensing.  Pay 1.5x the purchase price, and IF any upgrades come within a year, you get them free.  I don't think that has ever worked in my favour.