Franci Penov : Software

Yahoo! Mail Web Service - interesting business model

Franci Penov — Fri, 30 Mar 2007 10:15:00 GMT

Dare posted some thoughts on the limitations of the new Yahoo! Mail Web Service . One thing he missed to mention though, is how that Web Service ties into Yahoo! Mail subscription model: "Yahoo! Mail offers an incentive for developers to build applications...(read more)

Windows Live Toolbar build 130

Franci Penov — Thu, 22 Feb 2007 11:08:00 GMT

We just released the latest build of Windows Live Toolbar. There are no new features in this release, it's fucosed mostly on stability and performance improvements. If you use the toolbar, I'd suggest you upgrade. And if you're not using WLT, well, be...(read more)

ASP.NET Ajax 1.0 RTW

Franci Penov — Tue, 23 Jan 2007 21:02:00 GMT

ASP.NET Ajax 1.0 (formerly "Atlas") has been released to the web. You can read more about the framework and the control toolkit at http://ajax.asp.net (including some really nice viedeo demos), or grab the bits from here and the toolkit from here ....(read more)

Google Maps

Franci Penov — Tue, 08 Feb 2005 18:19:00 GMT

Google Maps is one slick web application. It's very fast and the interface is quite intuitive. On the other hand, searching for One Microsoft Way is definitely showing the wrong place. :-)

Couple more complaints:

Searching for my home address shows nearby businesess (good), but the mark for one of them cover entirely the mark for my appartment complex (bad). I can certainly understand why this happens - that particular business is in my appartment complex. However, that doesn't help me much. They should play with the pins shape a bit to figure out how to show that there are omre than one pins at the same place.

Searching for my appartment complex using the name Google showed me returns about ten hits between Marysville, WA and Seatac, Tacom, WA (about hour and a haf driving range). Only two of them have something common in their name with my appartment complex (one of them being "the" :-)). Same thing happens when searching for any place name - the range of the results is too big.

The map data is somewhat old. If I were buying a cd I wouldn't be surprised by this; however, this is online app.

It would've been good if there was data for Europe as well. (Ok, I admit this is nitpicking. :-))

On the good side:

I like the popup when selecting a particular place.

The driving directions are very slick.

I like the fact that Google is listing the phone number for each place.

Overall I like it very much. I'll be giving it a try every once in a while.

Google Desktop - Part 2

Franci Penov — Thu, 21 Oct 2004 18:13:00 GMT

Nathan Weinberg apparently spoke to Google's Marrisa Mayer and comments on my concerns.

Nathan claims that #10 and #1 are by design. Yes, apparently they are by design - it would be quite hard to incidentally hook up the WinInet.dll or to install a BHO. That doesn't answer my concerns about them, though.

#10 - The BHO is probably the way Google Desktop intercepts the Google.com search results and injects the desktop results in the page. But it also means that GD also has access to any page I browse, even if it's https: and my IE is set to not cache on the hard drive secured pages. I hope this doesn't turn out to be same as the AIM chats case.

It's interesting though that the only indication there is a BHO installed was a dialog box when GD installation hit IE with disabled BHOs. Why isn't this mentioned somewhere else, like in the documentation? Why isn't there an option to not install the BHO?

#1 - Why does a desktop search tool needs to hook up WInInet.dll? My guess is that this is how they inject the desktop search results in other browsers. But why not do it this way in IE as well? Or if it does it, then what's the BHO for? Why isn't there an option to not do hook up WinInet.dll?

And then comes the matter of AIM, which for the sake of the discussion I shall name Number Twelve and which everybody conveniently skips.

Some "interesting" reactions to my Google Desktop concerns...

Franci Penov — Wed, 20 Oct 2004 20:59:00 GMT

Overall, most readers that commented on my Google Desktop post took it for what it is - a list of my personal concerns with it. However, there are two "interesting" posts I'd like to comment on.

Lazyboa thinks (post in Russian) I posted it because I am disturbed Google came out with desktop search before Microsoft. Lazyboa, my contract does not have a fine print about what I should feel and think (and contrary to the popular belief, it is not signed with blood). My post is based purely on what I feel as a regular computer user.

Arcadi says "As you will see, he is a Microsoft empoyee..." as if revealing a fact that I tried to hide. It's fairly obvious to anyone that reads my blog that yes indeed I am Microsoft employee. (In fact, I believe that most people read my blog because of that). I fail to see how this is related to my concerns with Google Desktop, though, and I don't think it invalidates them in any way.

He then continues: "I don't see Google Desktop more intrusive than other Microsoft products (i.e. the default redirection of IE to MSN Search)".

Arcadi, read item #2 in my post again. The example you give is similar to Google integrating their desktop search results with Google.com search results. I never said ithis is intrusive and I don't have problems with such integration. Google.com and Google Desktop are both their products and it's just normal (at least to me) that they would work together. The only concern I have about this is that I have to be aware of it and keep it in mind when doing search in front of other people.

What Google Desktop does with AIM is not the same though. AIM can be set to not produce chat logs, yet Google Desktop still indexes the chats. But AIM is not a Google product. Of course, this is a matter of personal opinion and some people might disagree with me, but I personally consider it as intrusive. I don't like the fact that Google Desktop intercepts the network traffic of a third party program. The only programs I think should do this are firewalls and antivirus programs - neither of which Google Desktop is.

Btw, if some future version of Microsoft Word hooked up Adobe Reader and converted on the fly any PDF I open to Word document as well, that would've been a better comparison with the Google Desktop/AIM "integration". And I would be as much troubled with such "feature" as with Google Desktop's one.

Google Desktop

Franci Penov — Tue, 19 Oct 2004 18:19:00 GMT

There are lot of people that think the new Google Desktop is great and revolutionary. However, there are several things wrong with it that make me stay away from it. Here's the short list (in no particular order):

It hooks up WinInet.dll. Hooking up system level component and intercepting all incoming/outgoing traffic on my machine has nothing to do with my desktop search. (Btw, it's amazing how many antivirus programs Google Desktop is incompatible with because of this)
They inject desktop search information in the Google web search results. While this might seem like a reasonable thing to do, it also means I should now be aware that when I do web search with somebody over my shoulder that I might be divulging private information.
Google desktop can be installed only as admin. The only reason I can think of for this limitation is the WinInet.dll hooking up. I want desktop search to search my files - files that belong to me and I have exclusive access to them. I shouldn't have to be admin to search my data.
It can be used only by the user that installed it. This means non-admins can't use it. That alone rules it out from my home machine, where admin user is logged only for Windows Updates and application installations.
It can be installed by one user only. Another reason I can't use it at home, where my wife and I have separate accounts. What, Google doesn't think people are entitled to their own privacy on computers?
It uses the browser as interface. Webpage is probably not the best way to list couple of thousand search results now, is it?
It uses the browser as interface. That means that any search strings in the Google Desktop will show up in the Google.com page if you double-click on the Search for text box and you have Autocomplete for Forms enabled in the browser.
It runs a webserver on your box. While it's supposedly listening for localhost requests only, it still means that every malicious webpage out there can possibly access it and do post back with the results to their server. A Java applet, for example, with 1px UI. Also, what are the chances that the desktop search page doesn't suffer from the same XSS exploit the main Google page suffers from? (You can search for Google Desktop Exploit on Google)
It makes copies of your browser cache without warning me about this or giving me any option to clear its cache as well when I want to clear the browser cache. I have not tried this with Outlook email, but I wouldn't be suprsied if they do it for email as well. Btw, if they do it, it might be in direct violation of the email retention policies of some companies. (Of course, IANAL disclaimer aplies)
It installs as a browser extension. Hm, I wonder why that is if it has hooked up WinInet.dll anyway.
There is no way to limit the size of the Google Desktop index.

The list above is compiled from half a day looking at it. There might be other issues or plain wrong things with Google Desktop that I missed or overlooked. I'd be interested to hear what else people found out they don't like about Google Desktop.

Update: I was reading Fred's blog and stumbled upon another disturbing fact:

Everybody knows that Google Desktop index all messages from AIM. It’s not really news in itself. The thing that most people don’t know is that if you turn off the logging property of your AIM it seems that Google Desktop index your messages anyway.

I know I can turn off indexing AIM in Google Desktop Preferences. But I shouldn't have to make my privacy choices there. I am aware that I've already made the explicit chioce of allowing Google to index my AIM chats. However, that does not implicitly allow Google Desktop to search my whole network traffic. The privacy preferences of the primary program that produces the indexed data SHOULD be respected. It's that simple.

Update 2: Removed the rethorical question about adding a keyboard logger. I want to keep this post just as a list of things that bug me in Google Desktop. I can talk about my paranoia in other posts. :-)

Indigo Belote - Part 1

Franci Penov — Fri, 08 Oct 2004 21:34:00 GMT

George posted the first part of of multipart article on Indigo Belote. Go read it here...

Steve, does this post count or do I have to post something else? :-)

Why I don't play with Linux...

Franci Penov — Thu, 02 Sep 2004 05:21:00 GMT

It's not because I work for Microsoft. It's because I am not able to install Linux on my home machine.

[Waiting patiently for all the laughing to die...]

So far I've tried two different distros. Both of them died before the install process even started.

Gentoo 2004.0 Live CD freezes while trying to load the kernel from the CD. The gentoo kernel at least shows a nice bluish screen. The smp kernel just dies.

Fedora Core 2 blows up with an exception in Anaconda when it tries to load the packages. I am trying to install the Personal SKU (hm, what's the appropriate name in the Linux world?) on an extended partition.

To the Fedora's credit, Anaconda gave me a nice call stack and offered to write a dump to the floppy. The tester in me liked that a lot. On the other hand, I can imagine what my mother's reaction would be to that.

Btw, the machine is P4 HT @3.2 GHz, ASUS P4C800E-Deluxe mobo, ASUS Radeon 9800XT with 256MB, Seagate Baracuda HDD, Hauppage WinVPR 250 tuner, Windows Media Center remote control/receiver, Microsoft wireless keyboard and mouse, ActivCard smartcard reader. That's about it. Nothing too fancy or too alien on the hardware front.

Oh, well, I guess I am out of luck. I'll just have to give it a try in several months...

"Two Things I Hate" or "Macromedia, please help me!" - Part 2

Franci Penov — Tue, 17 Aug 2004 18:42:00 GMT

John Dowdell from Macromedia has a very good point on my post about Flash ads.

Bad ads and bad pages are indeed a problem, regardless of delivery format... GIF ads blink just as much, in-page MP3 are fortunately an aberration whose time has gone.

The issue I am having is not the ads themselves (well, I do have an issue with the ads, but it's not the topic of these posts :-)). It's the fact that the end user is not given control in Flash over when content is presented and this is by design. Flash is not doing anything to help me protect myself from bad ads.

I understand that such design makes a lot of sense for Macromedia. Not because they are evil or something; it's just they are a business and as such their goal is to maximize their profit, not to please the end users. Macromedia is not getting money from me when I watch content in Flash. They are getting the money from the ads companies that buy their development tools.

For what it's worth, a good advertisement won't go all soapbox-y until you give it explicit direction... take a look at how video is controlled in this "Go Away Spray" example:
http://www.macromedia.com/devnet/mx/flash/articles/video_ads_fak.html

I totally agree with that. However, most ads are not good. Most ads will do anything to steal my attention and make me click through them. It's not yet as bad as spam, but it's getting there. (An example - when "Walking Tall" came out on the big screen, there wasn't a single day when The Rock wouldn't pop on my Yahoo! Mail screen. I must've clicked on this ad like fifty times or even more while trying to read my mail. In fact, that was the straw on the camel's back.) And, as John himself puts it:

People at Macromedia are trying to influence good advertising design, but it's hard to enforce it...

I commend Macromedia for these efforts, but that is not going to solve the problem.

Frankly, I don't really expect Macromedia to do anything about this. Still, one must never cease to hope. Plus, I just had to vent out... :-)

SIDE NOTE: John pointed me to XP SP2 as a possible solution. (Btw, it's interesting to note that the article John points to uses Flash ActiveX as an example :-)) This is would work only in IE and will most probably work only until somebody comes up with the idea of having a Java applet that internally instantiates the Flash object. I haven't tried this, but I wouldn't be surprised if the Browser Add-ons manager misses that.

There is also a wonderfull system tray utility that helps with installing/uninstalling Flash in IE. Several other people pointed me to a Firefox extension. Albeit these are great tools, they are still just workarounds. They target the problem in particular browser only. I'd love to have a generic solution, that wouldn't require me to install third party tools in my browser or on my OS.

Adam Robertson says in a comment:

Why blame Flash? These overlay ads can be made in any technology (admitedly 99.9% are flash) but only work in IE (due to it's lax security model and non-standard treatment of layers), so why not blame IE? Simple answer, switch to Firefox.

The topic of my post was a particular problem I have with Flash. Switching to Firefox is not the simple answer to world hunger and peace in Middle East. Flash will still work in Firefox and it will still be on by default and unless I install an extension to Firefox, Firefox will not prevent Flash from playing those ads. (Please, correct me if I am wrong)

I happen to like Firefox a lot; however, the fervor with which some people tend to push their political agenda is utterly frustrating. It's the single thing that puts me off of open source technologies and OSS community. Fanatics are not my favorite type of people.

'They shoud not be making money out of it!'

Franci Penov — Fri, 14 May 2004 16:21:00 GMT

'I have about 20 authors with twice as many blogs and I don't make money from this site. I can't afford to pay for MT.'

'I love it, it's good product, but there's no way I am paying for it.'

'They want us to pay for it? It's outrageous!'

'SixApart are evil, since they want to stop giving their work for free!'.
(Ok, that last one I made up, but I wouldn't be surprised if somebody somewhere said it)

By now everybody probably has heard about MT3 and the reaction from the users. Ben and Mena came up with a good product at the right time. They spent two years of their time on Movable Type. Let's say they worked two years at another paying job and they did $30K a year (and I am sure they would've made more than that, being the smart people they are). This is an investment of at least $120K between the two of them. In other words, Ben and Mena paid $120K. If you have a site and are using MT, part of these $120K have covered some of your expenses (indirectly, of course).

Let's say MT didn't exist. Let's say you had to write it yourself. What's the price of all the time you would've spent on it? What's the price of two years of your life?

We are not talking here about a big 'evil' software house. We are talking about two people that have a house, have to pay their bills and have to eat something. Did they not work hard? Are their efforts worth nothing?

People would write a $70 check to the cable company every month without even thinking that most value they get out of it is watching reruns of old shows. That's $840 anually for things you most probably have seen at least once before. Yet these same people wouldn't even consider paying $100 for something that enables them to express themselves and reach hundreds or thousands of people.

And that concludes this month's rant...

Update: A lot of people complain about the pricing structure of MT. That is not what I am ranting about here.

Update 2: Some of the Slashdot's comments are amuzing:

“...Not only do they still have a free version but also, no-one is forced to upgrade. It seems people aren't interested in whether it's free as in speech but when it's free as in beer, changes in the pricing structure bring bitter recriminations...”

“...If it was free as in speech, then a group of developers could fork it and keep a free beer version.
A lot of people like free as in speech because it gives a good chance of a free beer version existing...”

The Ten Rules of Performance

Franci Penov — Thu, 12 Feb 2004 18:38:00 GMT

Check out Paul Vick's ten rules of performance. It's very interesting read, even though it won't tell you how exactly to speed up a particular chunk of code.

Paid drivers?

Franci Penov — Fri, 30 Jan 2004 16:41:00 GMT

If you have Pocket PC or Palm, chances are you've seen the Pocketop wireless foldable keyboard. At a very reasonable price you get a great product. If you use your PDA everyday to enter a lot of information, you will find it probably the best $79 bucks you spent for peripherals.

Or might turn out to be the useles device you ever bought... unless you are ready to cough some more dough. The reason - every piece of hardware is as good as the drivers you get with it. Otherwice it's just a scrap of plastic you can use to bang your head with.

In the case of Pocketop's keyboard you have to buy the drivers for additional $10 to $20. The price just jumped up with 12.5% to 25%. And if you change your device, you might as well face another 12.5% to 25% increase int he price.

I am sooo looking forward to the moment when my cable company will send me the cable box and small note that I could download the software for it for the small amount of $30...

Security Readiness Kit

Franci Penov — Thu, 29 Jan 2004 18:51:00 GMT

Another great tool to have handy - Security Readiness Kit. Here's what TechNet says about the tool:

“The Security Readiness Kit (SRK) CD and its companion web site at http://www.microsoft.com/technet/security/readiness are designed to give you easy access to the documentation and tools you need to ensure that your network operates with the best security possible.”

If you have TechNet, I believe you should have it in there (but don't quote me on that :-)). There is upcoming web page to order the CD as well.

Can a printer be a security threat for your computer?

Franci Penov — Sat, 17 Jan 2004 04:59:00 GMT

Everybody has printer at home. Well, mostly everybody. Chances are if you have computer at home, you most probably have a printer as well. It is just sitting there on the shelf or on your desk and silently (or not so - depending on the model) waits for you to use it. You open an email from your significant other or a page on the internet, hit the Print button and there it is - a hard copy of whatever you need. However, in all the years you did that, have you ever thought about the privacy and security implications of using a printer?

Yes, that is right, you read it correctly. By the fact of using your printer, you might actually disclose private information to anybody that can access you computer. You might even disclose information that can help other people to compromise your system security.

Case in example - my HP 7150. The drivers for the printer create a log file. Nothing unusual, almost any software on the planet creates some type of log, where it stores information about what happened. Anyway, the log files can always be deleted. Besides, the file is on the local disk and is protected by the file system security, so it is not a big problem. Furthermore, the file is in proprietary binary format, thus, it cannot be read easily. So we are safe, right?

Wrong. Open the file in notepad and the first thing you notice is that it contains the names of every single document you printed. Now, this would not be that big of a problem, were it not for a couple of bad choices the developer made:

The log file is not per user, it is a single log file for the whole system. Most probably, the arguments went on like: “This particular printer targets mostly home users. Most home users run Windows 98 or ME, or if they run Windows XP, they do not use separate users. If the majority of the computers to run this software are going to be “single-user” systems, why bother with multiple log files? “
Once the choice one was made, it is very easy to make the second bad choice - put the log file in the root folder. Arguments: “It's the only folder which is predictably on place on any computer. So why bother with complex logic of attempting to figure out where the Windows folder or the Temporary folder is? “

On default NTFS disk, the permissions for the root are admin - full, users - read-only. If you are logged on as regular user (you are, aren't you?), you cannot delete the file but you can still read it. In addition, if you have multiple users, all the documents every single one of them printed are in there. Moreover, if they print web pages, the name of the document is the web page.

One can argue that the amount of information that can be found this way is very small. However, any information can be used in some way. Here is an example - let us assume that every user on the machine has printed only one document from their documents folder and let us say that both documents are named test.html. If there are two users, the log file will contain two document names, both of them test.html. There is no way you can get any useful information from such a log file, is there? Yes, there is - the document names in the log file are given to the printer driver by the program. It just so happens that Internet Explorer gives names that contain the full path of the file and the full path to your documents folder contains the account name. Therefore, by looking at the file, you now have a list of all the user accounts on the system. Share the printer with your peers on the dorm over the network and you could probably see their user names on their machines. If you open a web page that reads the file and sends it back to the server, somebody else can have this information.

I am sure you can think of other ways in which this could be used by malicious people, so I will stop here with the examples. Besides, I think I already made the point of the post - next time you decide to store some information, be smart about it and think not only what, where and how you store, but also who has access to it and how can they use it. And for Pete's sake - please, do not put log files in the root folder...