Scott Hanselman

Open Source is hard.

Security is hard

There's been lots of articles about the recent OpenSSL "Heartbleed" bug. You can spend a day reading all the technical analysis, but one headline that stood out to me was "OpenSSL shows big problem with open source; underfunded, understaffed." A fundamental part of the fabric of The Internet Itself is mostly just one person plus a bunch of volunteers.

"The fascinating, mind-boggling fact here is that you have this critical piece of network infrastructure that really runs a large part of the Internet, and there’s basically one guy working on it full time."

Moreover, we don't sing contributor's praises for their hard work and success while their software work, instead we wait until a single line (albeit one of the more important lines) fails to live up to expectations. Darn that free stuff, mostly working, and powering our connected global network.

Open Source is largely a thankless job. Sometimes in the Microsoft .NET community, it feels more futile because it's often hard to find volunteers. Many folks use the default stuff, or whatever ships with Visual Studio. With Rails or Node, while they have corporate backing, there's a sense that the projects are community driven. The reality is in-between, but with open source projects built on the Microsoft stack volunteers may say "we'll just use whatever the ship."

There's anger around past actions by Microsoft, but as I've said publicly before, they've come a LONG way. I will keep pushing open source at Microsoft until I think I'm done pushing and can push no more. There's a seismic shift going on inside. Mistakes get made, but it's moving in the right direction. Everyone is learning.

Visibility is hard

Jeremy Miller's team recently stopped active development on the "FubuMVC" open source .NET framework. In his exit blog post, the question of the viability of .NET open source comes up:

"Setting aside the very real question of whether or not OSS in .Net is a viable proposition (it's largely not, no matter how hoarse Scott Hanselman makes himself trying to say otherwise), FubuMVC failed because we — and probably mostly me because I had the most visibility by far — did not do enough to market ourselves and build community through blog posts, documentation, and conference speaking."

It's very true that in a large way visibility drives viability for many open source projects. Jeremy's retrospective is excellent and you should read it.

I think it's harder to bootstrap a large framework project that is an are alternatives to existing large frameworks because for many, it's easier to use the default. Frameworks like FubuMVC, OpenRasta, ServiceStack, Nancy and others all "reimagine the default." They are large opinionated (in a the best way) frameworks that challenge the status quo. But it's much more difficult to cultivate support for a large framework than it is a smaller library like Humanizer or JSON.NET.

Still, without these projects, we'd all still be using the defaults and wouldn't be exploring new ideas and pushing limits as a community like the FAKE F# build system, or Chocolatey, or Boxstarter.

Microsoft can better support OSS projects not just with licenses and money, but with visibility. I'd propose dedicate Open Source tracks at all Microsoft conferences with speaking slots for open source community members. DotNetConf is a start, but we can go bigger.

Organizing is hard

OWIN is an example of a small, but extremely important project that affects the .NET world that is struggling with organization. Getting it right is going to be important for the future. There's a small, but influential group of community members that having been trying for months to find middle ground and build consensus around a technical issue.

ASP.NET Web API and SignalR both build on top of an open source project called OWIN (Open Web Interface in .NET) that aims to decouple servers, frameworks, and middleware from each other.

There's an issue open over on GitHub about what may seems like an obscure but important point about OWIN. The OWIN specification doesn't include an interface called IAppBuilder, but IAppBuilder is used by default in most Microsoft examples. Can the underlying OWIN framework remain neutral? The issue is a long one, and goes off on a few tangents. It's a complex problem that perhaps 20 people fully understand.

Scott Koon worked hard on a Governance document for OWIN and hasn't seen any forward motion. He vented his frustration on Twitter, rightfully so. Under the often-used "Lazy Consensus" technique, if folks are silent or don't reply in 72 hours, that is effectively consent and can change the direction of a project. Active involvement matters.

The fun part of open source is the pull requests and writing code, but before the code building, there's the consensus building. Ownership is the most contentious part of this process. Ownership means control; control over direction. The key to finding control and working through ownership issues is by thoroughly understanding everyone's differing goals and finding a shared vision that the community can rally around, then move forward.

This sausage making process is tedious, messy, but necessary. These discussions are as much a part of OSS as the code is. It takes equal parts patience and pushing.

Getting involved is hard

I get dozens of emails every week that all ask "how can I get involved in open source?" Everyone assumes my answer will be "write code" or "send a pull request," or sometimes, "help write documentation."

In fact, that's not all you can do. What you can do is read. Absorb. Understand. Be welcoming, inclusive, and kind. Offer thoughtful analysis and ask questions. Avoid hyperbole and inflammatory language. Show code examples when commenting on issues. Be helpful.

Your blog posts are the engine of community, your open source commits, documentation, promotion, samples, talks, gists are important. But getting involved in open source doesn't always mean "fork a project and send a giant pull request with your worldview." Sometimes it's the important but unglamorous work of writing a governance document, organizing a conference call, or thoroughly reading a giant Github issue thread before asking a question.

Why do we do this? It's not for the glamour or the money. It's because we are Builders. I encourage you all to get involved. There's lots to be done.

* photo by Sweet Chili Arts, used under CC

Sponsor: Big thanks to Novalys for sponsoring the blog feed this week! Check out their security solution thatcombines authentication and user permissions. Secure access to features and data in most applications & architectures (.NET, Java, C++, SaaS, Web SSO, Cloud...). Try Visual Guard for FREE.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. I am a failed stand-up comic, a cornrower, and a book author.

About   Newsletter

Sponsored By

Hosting By

I'm a longtime Kindle fan. Love it. It's not a tablet, not a computer, my Paperwhite Kindle represents books for me.

I have a first-generation Kindle Paperwhite and use it almost every day. It's my go-to reading device. I originally gave it a mixed review but the game-changer was the addition of the magnetic cover, specifically the Kindle Paperwhite Leather Cover in Black. The Kindle turns on and off when it opens and closes, which is lovely, but the important point is the thickness it adds to the bezel. For my hands, a Paperwhite is an insubstantial thing that's too small to hold comfortably. This cover adds just a fraction of an inch all around the Kindle and effectively the cover subsumes the Kindle. The cover melds with the Kindle in a firm and crisp way and you'll never take it off. It's perfectly sized, plus protected enough that I throw it in my bag without worry.

I recently came into possession of a second-generation Kindle Paperwhite and didn't know what to make of it. It's "one better" right? It's the new version. It looks the same.

The main improvement they say is a clearer and higher-contrast display. Here are my 1st and 2nd gen Kindles next to each other, which is the Second Generation Paperwhite?

There's a little glare here but the second gen has a whiter background and darker blacks.

The first gen has a fantastic screen...

But the second gen has darker blacks and crisper text.

The second generation is definitely faster, they say 25% faster. Turning pages is quicker and the screen updates faster. The new updated software also includes a fast "skim" ability so you can move WAY faster around a book to find your place.

They also added GoodReads (a social network for readers) integration directly into the Kindle. This is a fun way to discover new books and see what your friends are reading.

It also includes "Kindle Freetime," a special mode for kids where you can limit the books they see and tracks their reading time, as well as set goals for the number of minutes they read each day.

Upgrade your Kindle Software

Speed and clarity is nice but the most dramatic difference was the software. This new 2nd gen Kindle had a bunch of new software features that my 1st didn't have. Unacceptable! ;) I checked, and I can get many of these new features by manually upgrading my Kindle's software.

If you have a Kindle, head over to https://www.amazon.com/kindlesoftwareupdates and get updated. Most Kindles update themselves, but more and more I'm seeing that these updates roll out either slowly, or not at all. My first-gen was many versions behind.

• Kindle Software Update
• Kindle Paperwhite 1st gen Update
• Kindle Paperwhite 2nd gen Update

It's a basic process, just connect a USB cable and drag the update file into the ROOT (top) of the Kindle Directory. Disconnect and reboot and wait.

Now both my 1st and 2nd gen Kindle Paperwhite's share the same software features!

Conclusion

It's not a "must upgrade" but it's a nice generational step. If you don't have a Kindle reader, this is a great Kindle. If you're a fan (as I am) and your partner needs a Kindle, get a new 2nd gen and pass the 1st gen along with updated software. Everyone wins.

Related Links

• Amazon Kindle - Original Review
• Amazon Kindle Paperwhite 3G/Wi-Fi Review
• A year with an Amazon Kindle (and new Kindle Cases)
• Amazon Kindle 2 gets Better Battery Life and Native PDF Support
• Amazon Kindle vs. Amazon Kindle DX - The Final Word
• Reading more than ever: An analysis of four lazy years with an Amazon Kindle and no dead trees

* FYI: I use Amazon affiliate links

Sponsor: Big thanks to Novalys for sponsoring the blog feed this week! Check out their security solution thatcombines authentication and user permissions. Secure access to features and data in most applications & architectures (.NET, Java, C++, SaaS, Web SSO, Cloud...). Try Visual Guard for FREE.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. I am a failed stand-up comic, a cornrower, and a book author.

About   Newsletter

Sponsored By

Hosting By

The .NET BCL (Base Class Library) moves too slow, IMHO. That's why NuGet and NuGet packages are so nice. It's a joy to find a "rightly sized" library like NodaTime, for example. It's a better date and time API for .NET. Microsoft should just use it, it's lovely.

Another nicely-sized Open Source library, and the focus for today's blog post, is Humanizer from http://humanizr.net. They say "Humanizer meets all your .NET needs for manipulating and displaying strings, enums, dates, times, timespans, numbers and quantities" and it does just that.

It's a lovely joy of a library and you should check it out. Just make yourself a console app now and install-package Humanizer, and explore.

Note: Be sure to check out all the NuGet packages of the week! There's more!

The word "Humanize" evokes, for me, a feeling of making something simpler, more accessible, more useful, more fluent, more flexible.

Here's some great examples of problems that Humanizer solves.

First, Humanzer has a LOT of extension methods to the string type. If you've got a funky string, it will turn it into as close to a normally-cased sentence as possible. This is even more useful if you're using BDD frameworks like BDDfy.

"PascalCaseInputStringIsTurnedIntoSentence".Humanize() => "Pascal case input string is turned into sentence"

"Underscored_input_string_is_turned_into_sentence".Humanize() => "Underscored input string is turned into sentence"

// acronyms are left intact
"HTML".Humanize() => "HTML" 

"Can_return_title_Case".Humanize(LetterCasing.Title) => "Can Return Title Case"

"CanReturnLowerCase".Humanize(LetterCasing.LowerCase) => "can return lower case"

There's dozens of great string methods, but it's the DateTime extension methods that really shine. These will feel familiar to Rails developers and Twitter users.

DateTime.UtcNow.AddHours(-30).Humanize() => "yesterday"
DateTime.UtcNow.AddHours(-2).Humanize() => "2 hours ago"

DateTime.UtcNow.AddHours(30).Humanize() => "tomorrow"
DateTime.UtcNow.AddHours(2).Humanize() => "2 hours from now"

TimeSpan.FromMilliseconds(1299630020).Humanize() => "2 weeks"
TimeSpan.FromMilliseconds(1299630020).Humanize(3) => "2 weeks, 1 day, 1 hour"

Pluralization libraries are always fun, as I've blogged before and Humanizer doesn't disappoint. You can pluralize and singularlize strings, but the "To Quantity" methods are fantastic, doing exactly what you'd expect, even if you do something odd:

"men".ToQuantity(2) => "2 men"
"process".ToQuantity(2) => "2 processes"
"process".ToQuantity(1) => "1 process"
"processes".ToQuantity(1) => "1 process"
"case".ToQuantity(0) => "0 cases"
"case".ToQuantity(1) => "1 case"

Even as words!

"case".ToQuantity(5, ShowQuantityAs.Words) => "five cases"

The Number to Words family of methods go even further:

3501.ToWords() => "three thousand five hundred and one"
121.ToOrdinalWords() => "hundred and twenty first"
8.ToRoman() => "VIII"

We've all written a truncate method to take a long string and add "..." at the end.

"Long text to truncate".Truncate(6, Truncator.FixedNumberOfCharacters) => "Long t…"
"Long text to truncate".Truncate(6, "---", Truncator.FixedNumberOfCharacters) => "Lon---"

I'm just scratching the surface of Humanizer, going through it's Getting Started. There's also samples where you can plug it into your own frameworks or deep within ASP.NET MVC and humanize enums, type names, and properties as a way to keep your code DRY.

Humanizer is even starting to support localization to non-English languages, and helping with the localization of Humanizer is a GREAT OPPORTUNITY if you're looking to get into Open Source as well as learning Git and GitHub Flow.

I like open source libraries like this that look like the code we've all written before...except tested and complete. ;) We've all written utilities like this, except as one-of functions. I look forward to NOT writing methods like this in the future, and instead using libraries like Humanizer. I fully plan to use this library in my next project (a startup I'm working on.)

Go take a look at Humanizer and thank the author on Twitter while you're at it!

Sponsor: Big thanks to Novalys for sponsoring the blog feed this week! Check out their security solution that combines authentication and user permissions. Secure access to features and data in most applications & architectures (.NET, Java, C++, SaaS, Web SSO, Cloud...). Try Visual Guard for FREE.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. I am a failed stand-up comic, a cornrower, and a book author.

About   Newsletter

Sponsored By

Hosting By

ASP.NET Identity 2.0 was released last month and it's got a number of significant updates and new features that are worth checking out. For historical context, read the "Introduction to ASP.NET Identity" article that includes a lot of background and information on why certain decisions were made, as well as an  overview of some of the goals of ASP.NET Identity 2.0 like:

• One Identity system for ASP.NET Web Forms, MVC, Web API, and Web Pages
• Total control over user profile schema.
• Pluggable storage mechanisms from Windows Azure Storage Table Service to NoSQL databases
• Unit Testable
• Claims-based Auth adds more choice over simple role membership
• Social Logins (MSFT, FB, Google, Twitter, etc)
• Based on OWIN middleware, ASP.NET Identity has no System.Web dependency

You can watch a video of Pranav Rastogi and I upgrading the ASP.NET Membership systems on an older ASP.NET application to the latest bits. There's also migration docs in detail:

• Migrating an Existing Website from SQL Membership to ASP.NET Identity
• Migrating Universal Provider Data for Membership and User Profiles to ASP.NET Identity

ASP.NET Identity is on CodePlex today (and soon to be open sourced...paperwork) at https://aspnetidentity.codeplex.com/ or access the NuGet feed for nightly builds.

Adding Two-Factor authentication to an ASP.NET application

I recently changed all my accounts online to two-factor auth, and I really recommend you do as well. Here's how to add Two-Factor Auth to an ASP.NET application using Identity 2.0.

You'll have a class that is a UserManager that handles access to users and how they are stored. Inside this manager there's an IIdentityMessageService that you can implement to validate a user with whatever you want, like email, SMS, or a time-based token.

Here's an example SmsService where I'm using Twilio to send text messages. Again, you can do whatever you want in your implementation.

public class SmsService : IIdentityMessageService
{
    public Task SendAsync(IdentityMessage message)
    {
        // Plug in your sms service here to send a text message.
        message.Destination = Keys.ToPhone; //your number here
        var twilio = new TwilioRestClient(Keys.TwilioSid, Keys.TwilioToken);
        var result = twilio.SendMessage(Keys.FromPhone, message.Destination, message.Body);

        return Task.FromResult(0);
    }
}

If I were sending an EmailMessage, I'd do something like this. Note it's just another implementation of the same simple interface:

public class EmailService : IIdentityMessageService
{
    public Task SendAsync(IdentityMessage message)
    {
        string text = message.Body;
        string html = message.Body;
        //do whatever you want to the message        
        MailMessage msg = new MailMessage();
        msg.From = new MailAddress("scott@hanselman.com");
        msg.To.Add(new MailAddress(message.Destination));
        msg.Subject = message.Subject;
        msg.AlternateViews.Add(AlternateView.CreateAlternateViewFromString(text, null, MediaTypeNames.Text.Plain));
        msg.AlternateViews.Add(AlternateView.CreateAlternateViewFromString(html, null, MediaTypeNames.Text.Html));

        SmtpClient smtpClient = new SmtpClient("smtp.whatever.net", Convert.ToInt32(587));
        System.Net.NetworkCredential credentials = new System.Net.NetworkCredential(Keys.EmailUser, Keys.EMailKey);
        smtpClient.Credentials = credentials;
        smtpClient.Send(msg);

        return Task.FromResult(0);
    }
}

In your IdentityConfig.cs you can register as many TwoFactorProviders as you'd like. I'm adding both Email and Sms here. They include token providers but again, everything is pluggable.

manager.RegisterTwoFactorProvider("PhoneCode", new PhoneNumberTokenProvider<ApplicationUser> {
    MessageFormat = "Your security code is: {0}"
});
manager.RegisterTwoFactorProvider("EmailCode", new EmailTokenProvider<ApplicationUser> {
    Subject = "SecurityCode",
    BodyFormat = "Your security code is {0}"
});

manager.EmailService = new EmailService();
manager.SmsService = new SmsService();

If a user tries to login you need to make sure they are a VerifiedUser. If not, get a valid two factor provider and send them a code to validate. In this case, since there are two providers to choice from, I let them pick from a dropdown. Here's the POST to /Account/SendCode:

public async Task<ActionResult> SendCode(SendCodeViewModel model)
{
    // Generate the token and send it
    if (!ModelState.IsValid)
    {
        return View();
    }

    if (!await SignInHelper.SendTwoFactorCode(model.SelectedProvider))
    {
        return View("Error");
    }
    return RedirectToAction("VerifyCode", new { Provider = model.SelectedProvider, ReturnUrl = model.ReturnUrl });
}

The sender of the two factor code depends on your implementation, of course.

public async Task<bool> SendTwoFactorCode(string provider)
{
    var userId = await GetVerifiedUserIdAsync();
    if (userId == null)
    {
        return false;
    }

    var token = await UserManager.GenerateTwoFactorTokenAsync(userId, provider);
    // See IdentityConfig.cs to plug in Email/SMS services to actually send the code
    await UserManager.NotifyTwoFactorTokenAsync(userId, provider, token);
    return true;
}

When it's time to get the code from them, they need to have logged in with name and password already, and we're now checking the code:

[AllowAnonymous]
public async Task<ActionResult> VerifyCode(string provider, string returnUrl)
{
    // Require that the user has already logged in via username/password or external login
    if (!await SignInHelper.HasBeenVerified())
    {
        return View("Error");
    }
    var user = await UserManager.FindByIdAsync(await SignInHelper.GetVerifiedUserIdAsync());
    return View(new VerifyCodeViewModel { Provider = provider, ReturnUrl = returnUrl });
}

We can sign users potentially a number of ways, like with External Sign Ins (Twitter, etc) but here's the TwoFactorSignIn

public async Task<SignInStatus> TwoFactorSignIn(string provider, string code, bool isPersistent, bool rememberBrowser)
{
    var userId = await GetVerifiedUserIdAsync();
    if (userId == null)
    {
        return SignInStatus.Failure;
    }
    var user = await UserManager.FindByIdAsync(userId);
    if (user == null)
    {
        return SignInStatus.Failure;
    }
    if (await UserManager.IsLockedOutAsync(user.Id))
    {
        return SignInStatus.LockedOut;
    }
    if (await UserManager.VerifyTwoFactorTokenAsync(user.Id, provider, code))
    {
        // When token is verified correctly, clear the access failed count used for lockout
        await UserManager.ResetAccessFailedCountAsync(user.Id);
        await SignInAsync(user, isPersistent, rememberBrowser);
        return SignInStatus.Success;
    }
    // If the token is incorrect, record the failure which also may cause the user to be locked out
    await UserManager.AccessFailedAsync(user.Id);
    return SignInStatus.Failure;
}

If you want this blog post's sample code, make an EMPTY ASP.NET Web Application and run this NuGet command from the Package Manager Console

Install-Package Microsoft.AspNet.Identity.Samples -Pre

Have fun!

Related Links

• Adding ASP.NET Identity to an Empty or Existing Web Forms Project
• Implementing a Custom MySQL ASP.NET Identity Storage Provider
• Create an ASP.NET MVC 5 App with Facebook and Google OAuth2 and OpenID Sign-on
  The tutorial uses the ASP.NET Identity API to add profile information to the user database, and how to authenticate with Google and Facebook.
• Deploy a Secure ASP.NET MVC app with Membership, OAuth, and SQL Database to a Windows Azure Web Site
  This tutorial shows how to use the Identity API to add users and roles.
• Individual User Accounts in Creating ASP.NET Web Projects in Visual Studio 2013
• Organizational Accounts in Creating ASP.NET Web Projects in Visual Studio 2013
• Customizing profile information in ASP.NET Identity in VS 2013 templates
• Get more information from Social providers used in the VS 2013 project templates

* Photo of German Lorenz cipher machine by Timitrius used under CC Attribution 

Sponsor: Big thanks to Novalys for sponsoring the blog feed this week! Check out their security solution that combines authentication and user permissions. Secure access to features and data in most applications & architectures (.NET, Java, C++, SaaS, Web SSO, Cloud...). Try Visual Guard for FREE.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. I am a failed stand-up comic, a cornrower, and a book author.

About   Newsletter

Sponsored By

Hosting By

I have a personal MSDN account so I download and installed the Windows 8.1 Update as soon as I could. It'll roll out to the rest of the world slowly in the coming weeks.

The verdict? It's a significant improvement. I use an X1 Carbon Touch laptop, and while it has a touchscreen, I spend most of my time on the mouse and keyboard. I'm comfortable with moving between Store (fullscreen) apps and Desktop apps but it's always a little jarring. You're leaping between two universes. I want to live in one universe and this Windows update merges them in a measured way that means I'm moving faster when using my computer.

I've just put up a brand new 5 minute YouTube video to give you a tour of just a few of the new features.

After you get the update, you'll notice immediately that the Windows Store - a full screen app, mind you - is pinned to your Windows Desktop's Taskbar. You can now pin any app, desktop or store, to your Taskbar.

Even better, you can close them with a right click, just like you're used to:

And Windows Store apps like Xbox Music that use the Media Controls can also get taskbar enhancements like the Media Controls within the Taskbar button. Here I'm controlling the music in my Windows Store app while I'm in the desktop. The "universal" music controls also pop up when you press your hardware volume keys as well.

The Start Screen now includes a power button and search button, always.

If you right click a pinned Tile with the mouse (or Shift-F10 with the keyboard) you'll get the familiar context menu. You can change sizes, pin to the taskbar, and more.

There's also some nice subtle changes and features added. This is great for me as I travel a lot. I can manage my known Wi-Fi networks now. This was in Windows 7 and was either removed or hidden. I even wrote a utility to manage Wireless Networks because of this missing feature. Well, it's back.

You can move the mouse to the top of a Windows Store app and a title bar will appear. Click in the left side of that title bar, and you can now control Window Splitting.

Windows Store apps also get Minimize and Close buttons as well.

Newly installed apps are easier to find and a notification appears on your Start Screen:

Fullscreen IE11 also has an option to always show open tabs, useful if you're an "out of sight, out of mind" individual.

All in all, it works surprisingly well. I'm moving around Windows faster than before and actually using more Store apps like Mail and Music.

Free Windows 8 and 8.1 Tutorials

I've made this easy link to my free Windows 8 Tutorials. There's a whole playlist up on YouTube and you can get to them from here: http://hanselman.com/windows8 

Please do pass that link along to family and friends, or via Social Media. Thanks!

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. I am a failed stand-up comic, a cornrower, and a book author.

About   Newsletter

Sponsored By

Hosting By