Sep 24, 2009

How I Learnt To Love A Password Manager

For the longest time (i.e. since I first used a password) I’ve always kept passwords in my head.  In the early days it was easy since systems were isolated and pesky password policies hadn’t yet become the norm.  It was usually easy to remember, because the number of unique passwords I had was, um, just one.

Then over time those password policies started to appear and I had to start thinking of new passwords for more places that wanted more security, typically by varying my single core password.  Then they introduced password history, and dictionary checks and all sorts of things which now meant I had to remember what all the various incarnations were.  My capacity for password rememberising was fast reaching full.

What made it harder is that with more and more things being on the internet I was also getting an account explosion and starting to forget what login id I was using, especially when it was for a site I hardly used, so I’d often find myself doing the ol’ “forgotten password” thing.  Side note: It’s a scary experience when the forgotten password thing results in you being emailed your current password.  Yikes!

Anyway, I knew this wasn’t best practice, and there were plenty of people saying “use a password manager” but the perceived hassle for me of trying to keep passwords in sync between different machines was a massive turn off.

Anyway, after reading Jeff Atwood’s little cautionary tale and his follow up about how his own password got hax0red I decided enough was enough, time to man up and get over my anti-password-manager mentality.

So first things first, I did some poking around the googleweb and found KeePass and decided to give it a try.

Why this one and not others? Well, first – it’s free! :-) But mainly it’s because it’s portable and because it has a really cool AutoType feature where with a single key combo (Ctrl+Alt+A) I can get my passwords autotyped into whatever app I happen to be using.  So now not only is it remembering my passwords for me, but it’s also saving me keystrokes.  Heaven!  There’s a slew of other things it does as well which I really like, but you can go check those out for yourself.

Anyways, I used it for a while to see if it worked for me and got to enjoy and appreciate what it did.  But it still didn’t solve my problem of wanting to maintain my passwords only once but have them available on any of the machines I have, even when I don’t have an internet connection.  This is where the portability factor becomes valuable.  You can take the app, copy it to a USB stick and just plug it into whatever computer you happen to be using and it’ll work.  However the idea of chewing up a USB slot just for the password manager didn’t appeal to me.  It’s too clumsy to keep plugging the thing in all the time and there’s a good chance I’d do something stupid and lose the USB drive.

Enter Live Mesh.  To get the “on every machine” thing working I just created a live mesh folder and synchronised the KeePass folder with my mesh.  Now whenever I update my passwords all I have to do on the other machines is make sure Mesh has synced and do a quick restart of KeePass to pick up my new changes and I’m all set.  Everything just works beautifully.

I’ve been doing this now for about 3 months and I’m loving it!  I’m gradually replacing all my crappy passwords with stronger ones generated by the tool and feeling a lot more secure about my online identity.

As a note, I probably won’t change my twitter password as I use twitter from web kiosks, my windows mobile phone (though there is an unofficial KeePass port for the mobile) and other places where I don’t have access to my mesh folder.

If you’re in the same situation I was in before, then maybe it’s time you started looking at how you too can get to love a password manager :-)

Sep 22, 2009

Solved: Connection Issues with Communicator 2007

At Readify we use Microsoft Office Communicator 2007 R2 as the internal IM and presence tool, with the added bonus that since we are federated with Microsoft we are also able to contact the people we know in Microsoft through the same tool.

Unfortunately I’ve had a recurring problem where Communicator wouldn’t connect when I was plugged in at home.  I had just assumed it was an ISP issue and since it was only a minor annoyance I never really bothered to do much about it.

That was until today. Today I finally pulled my finger out and decided to see what the problem was.

Firstly, I turned on event log error logging in Communicator via the Options…-> General settings area.

Next I looked at the event log itself and saw this:

Communicator was unable to locate the login server.  No DNS SRV records exist for domain readify.net, so Communicator was unable to login.
 Resolution:
Please double-check the server name to make sure that it is typed correctly.  If it is correct, the network administrator will either need to use manual configuration to specify the login server's fully-qualified domain name (FQDN), or add DNS SRV records for the readify.net domain in order to allow automatic client configuration.  The DNS SRV records _sipinternaltls._tcp.readify.net, _sipinternal._tcp.readify.net and/or _sip._tls.readify.net may need to be configured if automatic configuration is desired.

No SRV records? Really, so how does it connect on other networks? Hmm, I sense something fishy.

So I then ran an nslookup from the command prompt and got this:

image

That 10.1.1.1 address is the internal address of my DLink DSL-G604T router that I’ve had for years.

At this point I decided to check the DNS server that my router talks to:

image

Oh, so that works! OK. So it rules out my ISP as the problem (sorry for assuming it was you, iiNet).  So then why doesn’t my router pass through the information it needs?

Turns out that SRV records are relatively new to the DNS scene and my old faithful router that has served me well for many years now doesn’t have a clue about what they are or what they should do and so simply ignores any request to resolve them.  Even better, none of the firmware updates add any support for them either.

So I decided to switch my laptop’s DNS settings to the ISP’s DNS server directly, and try again.  Voilà! That works!  Cool.

Now the only problem I have is that I can’t use those settings permanently as the ISP won’t respond to DNS requests made from outside its own network, meaning it won’t work for me when I’m on the road.

To solve this I wanted to use a DNS available from anywhere – and so I decided to give OpenDNS a try.  Talk about easy.  Just point my IPv4 settings to the OpenDNS name servers and try it again.

It all worked beautifully, and best of all I’m now network independent and able to use the same DNS server settings everywhere I go.  Problem solved.   All connected.  Happy me.

Missed TechEd Australia? Get the content anyway

Close on the heels of TechEd Australia, Readify have announced the latest Dev Days events for both Sydney and Melbourne.

When we last ran these we had multiple tracks which presented tough choices on what to see at times, so we’ve changed things around and will now run separate morning and afternoon tracks instead.  It means you can now get to everything, or just come for the half day session you are interested in and go to the beach for the other half of the day (or do some work if you must).

I'll be presenting the morning session in Sydney, covering Software Quality and Application Lifecycle Management split across two subjects:

  • Gathering Quality Requirements for Agile Development Teams, and an
  • Introduction to Visual Studio Team System 2010.

In the afternoon, Tatham Oddie (MVP) will be covering Building for the Web with .NET through three different presentations:

  • Building Fast, Standards Compliant ASP.NET Websites,
  • ASP.NET MVC: Building for the web, and an
  • Introduction to the ASP.NET Web Forms Model-View-Presenter framework.

To find out more or to book just point your browser to http://readify.net/training-and-events/rdn-dev-days/.  See you there!

Australian Virtual Alt.Net – Influence Strategies

I attended the QCon conference in London earlier this year and during it I was lucky enough to attend one of Linda Rising’s workshops on Influence Strategies.  Recently I presented my own take on her content at the Oz Virtual Alt.Net group, and here it is for your enjoyment.

P.S. The credit for the good content goes to Linda, anything dodgy in there is all me.

Sep 18, 2009

Using P4Merge with Visual Studio 2008 and TFS

The merge and diff utility included with Visual Studio 2008 is, let’s face it, not the best tool on the market.  Sure, it does the job, but it could be so much better.  Thankfully, Visual Studio gives you a way to customise the tool that is used for merging.

Now, in the past, I’ve usually gone for WinMerge as my tool of choice to replace the out of the box offering, but WinMerge is starting to show its age and whilst it does a great job at compares it doesn’t do 3-way merges, so I’d rather use something else.  By the way, I keep WinMerge installed because of its great directory comparison feature.  Oh, for those who don’t know, a 3-way merge is a merge that shows both your current version of the file, the file you’re merging with, and the root file from which the two other files are derived (i.e. the original).

Many people talk about how great the BeyondCompare product is, but for the sake of my wallet I’d rather use a tool that was free.  Enter Perforce’s P4Merge.

The only hassle with using this tool is that it doesn’t integrate that easily into Visual Studio as a merge tool – you can’t just call the executable and supply arguments, you have to work around it a little.  Here’s how:

As a Comparison Tool

Setting P4Merge up as your comparison tool is simple enough.  Go to Tools->Options and navigate to Source Control and Visual Studio Team Foundation Server.  Select the Configure User Tools… option.

image

Then choose Add and set the options as shown:

image

Hit OK, and that one’s done.  Note you may have to supply a different path to the P4Merge program if you installed it in a different location.

Merge Tool

For merging things get a little trickier because P4Merge wants the output file for the merge operation to exist before you actually do the merge.  This is where the VS integration presents a small problem, since VS doesn’t create the result file before calling the tool.  It expects the tool to create it instead.

To work around this we need to create a simple batch file that we will get Visual Studio to call.  For the sake of sharing across multiple users on my machine, I’m placing the file in C:\Users\Public\Documents\p4merge.bat.

The contents of the file should be:

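@ECHO OFF
REM P4Merge needs the merge output file (%4) to exist, so create it empty first.
COPY /Y NUL %4
REM Start P4Merge from its install folder and wait until the merge window is closed.
START /WAIT /D "C:\Program Files\Perforce" p4merge.exe %1 %2 %3 %4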

Once you’ve created that file, go through the same steps as above for Compare, but this time select the Merge operation and point to the batch file instead of the P4Merge program.  The end result should be something like this:

image

Note that the arguments are passed in a non-standard order. It’s %3 %1 %2 %4.

Once this is done, get out of the options and try it out.  Here’s the tool in action

Comparison:

image

Merging:

image

Enjoy!

Sep 17, 2009

A Simple SQL Performance Tip

For those who don’t follow me on twitter (and why not!) you might have missed me having a whinge about a SQL database I was looking at recently from a performance perspective.

Anyway, I found this little INSERT INTO statement in one of the extremely slow stored procedures they were having problems with (table names changed to protect the innocent):

INSERT INTO #TEMPTable
SELECT p.PID,EH.EID, SUM(EH.Amount)
FROM ps INNER JOIN
xx ON ps.xxID = xx.xxID INNER JOIN
p ON xx.PID = p.PID INNER JOIN
EH ON ps.psID = EH.psID
WHERE p.EID = @ParamID AND (p.Processedflag = 1)
GROUP BY EH.EID, p.PID

It executed in about 25 seconds. After a look at the indexing I decided to help SQL out a little by making the join to EH a little more selective, as follows:

INSERT INTO #TEMPTable
SELECT p.PID,EH.EID, SUM(EH.Amount)
FROM ps INNER JOIN
xx ON ps.xxID = xx.xxID INNER JOIN
p ON xx.PID = p.PID INNER JOIN
E1 on E1.EID = p.EID INNER JOIN
E2 on E2.EID = E1.EID INNER JOIN
EH ON ps.psID = EH.psID
and EH.EID = E2.EID
WHERE p.EID = @ParamID AND (p.Processedflag = 1)
GROUP BY EH.EID, p.PID

That little change reduced the query to under a second, even though I’m now joining to two extra tables.

If only all performance improvements were as simple. And if looking like a hero was always so easy! :-) And the lesson for you? Remember to keep your joins as selective as possible, even if it means taking the long way round on joins at times.

Sep 9, 2009

How to Build a Small Software Enterprise From Zero

At the moment, I’m at Tech.Ed Australia and have just been in Joseph Albahari’s session on building micro-ISVs.  For those who don’t know, Joseph Albahari is the author of a number of .NET books and also of the handy LinqPad utility.

Here’s a run down of his talk.  Obviously I didn’t capture everything said during the talk, so the following is based on the things I picked up from the session.

First up – this is all about building a business, either as a side business or a full time venture.  The main focus though was on building things up as a side venture with the intent of generating a passive income for you.

Firstly, Joseph’s talk is based on his experiences with LinqPad.  LinqPad is offered in two versions – a free version and a paid version that has premium features such as Intellisense.  In terms of some stats, the product was written in 2 months, has been around for about 2 years and has had over 130,000 downloads and over 2,000 sales.  That’s a nice little earner for a product that requires only minimal effort to keep it up to date.

Based on the lessons learned during this, Joseph came up with the following 3 phases for launching a Micro-ISV.

Phase 1 - Preparation

So, first up.  Ask yourself if you meet the pre-requisites for doing this.  Do you have strong technical skills?  You’ll need them in order to create a product that does something useful.  And secondly, do you have broad skills?  Can you do a UI? And the back end? And the business rules? And the security? And integrate to other tools? And anything else you’ll need? Remember that as a Micro-ISV you’ll need to do it all, and to do it all well.

Assuming that you have that, you then need to decide if you want to have a business that earns passive income or active income.

If you want an active income then you’re looking at a business that is working in a vertical market with a potentially complex product, and is likely to expand and employ people over time (assuming you are successful).  You’re also going to be creating a business that is hard to sell and one that you will need a lot of commitment to make successful.

For a passive income, you’re really looking at simple products that do one thing and do it well.  This is the domain of utilities & specialist web sites.  You want to create a product that requires minimal support, that enables you to still earn income whilst you do other things and in the end something that becomes a business that is easy to sell.

By the way, there’s a risk of starting passive and becoming active by accident.  All you need to do is sell features that don’t yet exist, write support intensive features or write components that require a lot of integration effort such as developer components for WPF.

As for what your product should do?  Well, obviously you’ll need an idea.  The good news is that “Pain is the source of ideas” so find something that bugs you or hurts and use that as the basis for doing something better. Keep a constant watch for pain points, pain experienced by yourself or, more importantly, by others.  In fact it’s OK as a Micro-ISV to have multiple projects on the go all trying to deal with different pain points.  One word of warning though - watch out for good but unmarketable ideas. They’ll kill your time and will have very little return, if any.

So once you’ve got your idea, you’ll need to think about marketing.  This is _before_ you write your software.  At this point you may have an idea that someone else has done, especially a big company, and you may ask “How do I compete with those big companies? Big companies have big resources”.  Yes, but they also have big overheads.  And they are slow to innovate.  And they need a large market share.

Micro-ISVs follow different rules to big companies – they have no rules.  You can innovate any time you like, you don’t need a huge market share and you can be much more profitable than a large company with its large overheads.   Don’t be afraid of the size of the elephant, there’s still a market there.

And here’s the most important part of marketing.  You don’t have to write the best product.  You can still do well with a technically inferior product as long as your marketing is good enough.

Finally, consider how you’re going to make money and how that affects marketing.  Will you offer a free and premium product mix or will you use a timed trial?  It appears that the first option is better, as the free version helps drive people towards the premium one, whilst the timed version drives people towards free alternatives after the product has expired.

Oh, one other thing, make sure you get involved with your target community.  Before you launch your product.  Be helpful and harmless, establish your reputation.  Don’t be see-through by being involved at the same time you launch your product.  People will see through it.

Other marketing ideas include all the usual things – building business relationships, giving freebies to early adopters, etc.  Basically try lots of things and test the results, don’t just speculate.

Phase 2 – Building Market Share

Release Version 1.0 quickly.  Don’t aim for perfection.  Just write whatever works and once it’s out there and earning some income, then you can start cleaning it up.  Also, if it’s out there and getting no response, you haven’t wasted too much effort on something that needs to be killed.

Whatever you do, follow the agile principles. Don’t over engineer your product.  Avoid wasting time on features you don’t absolutely need for a first release.  Just get the big picture items done.  On the other hand don’t under engineer things either.  That path leads to crippling technical debt and a millstone around your neck.  Basically, keep your code clean and your features lean.

What about the UI and design of your product?  Keep the design simple and clean.  Focus the UI on the main use cases and ensure the program is self-updating from day 1.

In terms of deployments, offer both a standalone executable and a setup.exe.  Standalone executables are favoured for downloads by a 2:1 ratio so it’s important to have them, but it’s also important to offer people the ability to click through via an installer.  To add a sense of safety, offer setup.exes for download on sites like download.com that guarantee things are virus free and won’t screw over your machine when you install them.

Keep your product’s web site clean.  Don’t get hung up on fancy graphics and remember, if you are offering downloads, to make sure you have plenty of bandwidth for updates and new installs.

As for how to get people to the site? It’s the same old rules – have useful, original content and let the search engines do the rest.

Once the initial version is out there, make sure you get feedback.  Solicit feedback via the app. Do it via the web site.  Do it via UserVoice.com.  Just don’t forget to ask for an email address so you can talk to them about their feedback once you receive it.

Also, once you have that feedback make sure you improve the product and establish relationships with the early adopters.  They’ll have great ideas that you won’t have thought of.  Just remember that it’s also OK to say No to feature requests.  It’s still your product after all.

Finally, ensure users can auto submit errors to your web server so you can look for problems in the app that wouldn’t otherwise be reported.

Phase 3 – Getting Paid

If you offer a premium version choose whether to offer a single exe or a different exe for the paid version.  Just consider what happens with updates if you offer different exes. A single exe is probably the easiest to manage in most cases.

As a tip, obfuscate the code for premium features, but be aware that it will affect stack traces for auto-reported bugs.  Obfuscation helps protect your code, but it doesn’t prevent hacking.

It might be obvious, but you need to make sure the upgrade option from the free version to the paid is obvious but not intrusive.

On licensing – your licensing model needs to suit the application and it needs to be strong, but don’t make it draconian otherwise you’ll prevent honest people paying for it.  Vertical products can be licensed per-seat. Components can be licensed via serial numbers. Utilities are probably best licensed via activation. Just provide plenty of licensing options – single user, multi-user, teams, educational licenses, etc.  Think about how people might want to buy your app and help make that process easy for them.

One note – utilities are the most targeted apps for cracking.  You won’t be able to prevent it, but you can definitely make it harder than it is to just pay your license fee.  As a note, being a Micro-ISV probably means you’ll fly under the radar for quite a while, though this doesn’t mean you shouldn’t lock the app down.  If you go for the activation licensing model, use the motherboard serial number and _full_ cpu description as a key for locking licenses to physical hardware.  Then, when you create the license file, you can make sure the license is not only encrypted with that hardware ID, but that it’s signed as well. You can also include strings required by the premium features in the license to make it harder to crack, so that the premium features are hard to understand without those strings.  You could also include some red-herring code for fooling crackers but realise that it’s only a deterrent and it will be all but impossible to create an app that is uncrackable.
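
An added example of the signed, hardware-locked license file described above; it is not code from the talk or from LinqPad. It covers the signing and hardware-binding steps and leaves out encrypting the file; the Ed25519 signature, the SHA-256 hardware ID, the field names and the sample values are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// License is the signed payload; the field names are assumptions for this example.
type License struct {
	Licensee   string `json:"licensee"`
	HardwareID string `json:"hardware_id"`
	PremiumKey string `json:"premium_key"` // a string the premium features need at run time
}

// SignedLicense is what would be stored in the license file.
type SignedLicense struct {
	Payload, Signature []byte
}

var ErrBadSignature = errors.New("license signature is invalid")
var ErrWrongMachine = errors.New("license was issued for different hardware")

// HardwareID hashes board serial and CPU description; length prefixes keep ("AB","C") apart from ("A","BC").
func HardwareID(boardSerial, cpuDescription string) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s|%d:%s", len(boardSerial), boardSerial, len(cpuDescription), cpuDescription)
	return fmt.Sprintf("%x", h.Sum(nil))
}

// Issue runs on the vendor's server, the only place the private key is kept.
func Issue(priv ed25519.PrivateKey, lic License) (SignedLicense, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return SignedLicense{}, err
	}
	return SignedLicense{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify runs in the shipped app (public key only) and checks the signature before parsing the payload.
func Verify(pub ed25519.PublicKey, sl SignedLicense, localHardwareID string) (License, error) {
	if !ed25519.Verify(pub, sl.Payload, sl.Signature) {
		return License{}, ErrBadSignature
	}
	var lic License
	if err := json.Unmarshal(sl.Payload, &lic); err != nil {
		return License{}, err
	}
	if lic.HardwareID != localHardwareID {
		return License{}, ErrWrongMachine
	}
	return lic, nil
}

// DemoKeys builds a constructed key pair from a fixed seed; a real key comes from ed25519.GenerateKey.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeys()
	mine := HardwareID("MB-0001-SAMPLE", "Sample CPU Model X @ 2.50GHz") // constructed values
	other := HardwareID("MB-0002-SAMPLE", "Sample CPU Model X @ 2.50GHz")
	sl, _ := Issue(priv, License{Licensee: "alice@example.com", HardwareID: mine, PremiumKey: "sample"})
	_, onMine := Verify(pub, sl, mine)
	_, onOther := Verify(pub, sl, other)
	sl.Payload = bytes.Replace(sl.Payload, []byte(mine), []byte(other), 1) // hardware ID edited in the file
	_, edited := Verify(pub, sl, other)
	fmt.Println(onMine, "|", onOther, "|", edited)
}
```

Because the app holds only the public key, a copied license fails the hardware check and an edited one fails the signature check; neither stops someone patching the check out of the binary, which is the deterrent-only limit noted above.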

A note on credit cards, especially in non-US countries – hand off the processing to another provider.  Most sales will come from other countries, especially the US – so offer US pricing.  For Australia, PayPal is probably the best option as it supports payments in any currency and pays into Australian dollar bank accounts. Just be aware that the currency transfer fees are higher, though there are no real alternative options at this point in time.

 

And that’s it.  Joseph’s talk was excellent.  Now it’s time to start thinking of some ideas!

Sep 1, 2009

Are You a Victim of Analysis Paralysis?

Maybe it’s just the teams I’m helping but there seems to be a spate of analysis paralysis occurring in the IT world.  Of course if I was a media outlet I’d be calling it an outbreak, nay an epidemic! No! A pandemic!! Run for the hills people we might all be infected!!!

If you are experiencing any of the following symptoms then see the guidelines below:

  • Analysis has taken more than a month already and shows no sign of ending anytime soon
  • The documentation you’ve written has fine grained details in a few areas and is completely lacking any information at all in others (especially the tricky bits)
  • Your analysis efforts are going around in circles
  • No one can decide what the “right” approach is to some of the problems

Steps for curing this disease:

  1. Stop analysing!! Right now!
  2. Write some code based on what you have done.
  3. When that code is working, go and analyse/design a little bit more.
  4. Go back to point 2

Good luck with the cure and I hope your health improves!