Scott Hanselman

Bug and Fix: ASP.NET fails to detect IE10 causing _doPostBack is undefined JavaScript error or maintain FF5 scrollbar position

August 18, '11 Comments [56] Posted in ASP.NET | ASP.NET Ajax | ASP.NET MVC | Bugs
Sponsored By

__doPostBack error in IE10

Browser version numbers continue to march on. IE9 is here, IE10 is coming, Firefox 5 and 6 are here with 7 and 8 in the wings, Opera's on 11, and Chrome is on, I dunno, somewhere between 14 and 50. Regardless, we'll all be on version 99 before The Singularity.

There is a bug in the browser definition files that shipped with .NET 2.0 and .NET 4, namely that they contain definitions for a certain range of browser versions. But the versions for some browsers (like IE 10) aren't within those ranges any more. Therefore, ASP.NET sees them as unknown browsers and defaults to a down-level definition, which has certain inconveniences, like that it does not support features like JavaScript.

If you want to see this for yourself, create a new, blank Web site (e.g. in Visual Studio 2010), add a control that requires JavaScript for postback (good example: <asp:LinkButton>), and then run the site using IE9 (where it works) and IE10 (where it won't). View the page source and compare the HTML and JavaScript sent to each browser.

A similar bug affects Firefox versions 5 and above, where support for using JavaScript to reposition the scrollbar in the browser is not detected. This basically breaks the MaintainScrollbackPositionOnPostBack property for Web Forms pages.

These "misdetection" bugs affect Web Forms pages in both ASP.NET 2 and ASP.NET 4. If you are using ASP.NET Web Pages, or if you're using ASP.NET MVC or ASP.NET Web Pages and are not using the Browser object to detect JavaScript support, you will not be affected.

Fixes

There are two ways to fix this: one is a machine-wide fix, the other is a way to fix individual sites.

Machine-wide fixes

We're releasing a hotfix that will fix these, which you'll be able to get to via some KB articles. These KBs with fixes are live and are the best way to update your system. The fixes solve the browser-detection issue forever for all sites on a machine. These will be rolled up into future versions of the framework and will eventually also be on Windows Update.

What the fixes do is update the ie.browser and firefox.browser files in \Windows\Microsoft.NET\Framework\<version>\Config\Browsers with new and future-proofed versions of these browser definitions. Nothing else is affected.

Site-only fixes

App_BrowsersIf you don't have access to the whole machine and/or just want to update a single project, use NuGet to install the App_BrowsersUpdate package. Your site structure in Solution Explorer will then look like the image at right. Note that NuGet uses .NET 4, so for systems that have only .NET 2, you'll need to get the ZIP file and put the new browser files in App_Browsers manually.

Updating the whole machine is the preferred way to fix this.

Summary

  • ASP.NET might not recognize the most current versions of some browsers, and will consequently treat them as down-level browsers. (Basically: no JavaScript.)
  • The fix is to get updated browser-definition files.
  • You can install a machine-wide fix or just fix individual projects.

If you're interested in more detail than you need, I’ve uploaded the updated versions of firefox.browser and ie.browser files that are expected to ship with the next version of ASP.NET. The files and source is up at my BitBucket repo if you are interested in the details.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

I'm a phony. Are you?

August 17, '11 Comments [124] Posted in Musings
Sponsored By

pho·ny also pho·ney (fō'nē) adj. pho·ni·er, pho·ni·est
1.
  a.
Not genuine or real; counterfeit: a phony credit card.
  b. False; spurious: a phony name.
2. Not honest or truthful; deceptive: a phony excuse.
3.
 
a. Insincere or hypocritical.
  b. Giving a false impression of truth or authenticity; specious.[0]

Along with my regular job at Microsoft I also mentor a number of developers and program managers. I spoke to a young man recently who is extremely thoughtful and talented and he confessed he was having a crisis of confidence. He was getting stuck on things he didn't think he should be getting stuck on, not moving projects forward, and it was starting to seep into his regular life.

He said:

"Deep down know I’m ok. Programming since 13, graduated top of CS degree, got into Microsoft – but [I feel like I'm] an imposter."

I told him, straight up, You Are Not Alone.

For example, I've got 30 domains and I've only done something awesome with 3 of them. Sometimes when I log into my DNS manager I just see 27 failures. I think to myself, there's 27 potential businesses, 27 potential cool open source projects just languishing. If you knew anything you'd have made those happen. What a phony.

I hit Zero Email a week ago, now I'm at 122 today in my Inbox and it's stressing me out. And I teach people how to manage their inboxes. What a phony.

When I was 21 I was untouchable. I thought I was a gift to the world and you couldn't tell me anything. The older I get the more I realize that I'm just never going to get it all, and I don't think as fast as I used to. What a phony.

I try to learn a new language each year and be a Polyglot Programmer but I can feel F# leaking out of my head as I type this and I still can't get my head around really poetic idiomatic Ruby. What a phony.

I used to speak Spanish really well and I still study Zulu with my wife but I spoke to a native Spanish speaker today and realize I'm lucky if I can order a burrito. I've all but forgotten my years of Amharic. My Arabic, Hindi and Chinese have atrophied into catch phrases at this point. What a phony. (Clarification: This one is not intended as a humblebrag. I was a linguist and languages were part of my identity and I'm losing that and it makes me sad.)

But here's the thing. We all feel like phonies sometimes. We are all phonies. That's how we grow. We get into situations that are just a little more than we can handle, or we get in a little over our heads. Then we can handle them, and we aren't phonies, and we move on to the next challenge.

The idea of the Imposter Syndrome is not a new one.

Despite external evidence of their competence, those with the syndrome remain convinced that they are frauds and do not deserve the success they have achieved. Proof of success is dismissed as luck, timing, or as a result of deceiving others into thinking they are more intelligent and competent than they believe themselves to be.

The opposite of this is even more interesting, the Dunning-Kruger effect. You may have had a manager or two with this issue. ;)

The Dunning–Kruger effect is a cognitive bias in which unskilled people make poor decisions and reach erroneous conclusions, but their incompetence denies them the metacognitive ability to recognize their mistakes.

It's a great read for a Wikipedia article, but here's the best line and the one you should remember.

...people with true ability tended to underestimate their relative competence.

I got an email from a podcast listener a few years ago. I remembered it when writing this post, found it in the archives and I'm including some of it here with emphasis mine.

I am a regular listener to your podcast and have great respect for you.  With that in mind, I was quite shocked to hear you say on a recent podcast, "Everyone is lucky to have a job" and apply that you include yourself in this sentiment.

I have heard developers much lesser than your stature indicate a much more healthy (and accurate) attitude that they feel they are good enough that they can get a job whenever they want and so it's not worth letting their current job cause them stress.  Do you seriously think that you would have a hard time getting a job or for that matter starting your own business?  If you do, you have a self-image problem that you should seriously get help with. 

But it's actually not you I'm really concerned about... it's your influence on your listeners.  If they hear that you are worried about their job, they may be influenced to feel that surely they should be worried. 

I really appreciated what this listener said and emailed him so. Perhaps my attitude is a Western Cultural thing, or a uniquely American one. I'd be interested in what you think, Dear Non-US Reader. I maintain that most of us feel this way sometimes. Perhaps we're unable to admit it. When I see programmers with blog titles like "I'm a freaking ninja" or "bad ass world's greatest programmer" I honestly wonder if they are delusional or psychotic. Maybe they just aren't very humble.

I stand by my original statement that I feel like a phony sometimes. Sometimes I joke, "Hey, it's a good day, my badge still works" or I answer "How are you?" with "I'm still working." I do that because it's true. I'm happy to have a job, while I could certainly work somewhere else. Do I need to work at Microsoft? Of course not. I could probably work anywhere if I put my mind to it, even the IT department at Little Debbie Snack Cakes. I use insecurity as a motivator to achieve and continue teaching.

I asked some friends if they felt this way and here's some of what they said.

  • Totally! Not. I've worked hard to develop and hone my craft, I try to be innovative, and deliver results.
  • Plenty of times! Most recently I started a new job where I've been doing a lot of work in a language I'm rusty in and all the "Woot I've been doing 10 years worth of X language" doesn't mean jack. Very eye opening, very humbling, very refreshing
  • Quite often actually, especially on sites like stack overflow. It can be pretty intimidating and demotivating at times. Getting started in open source as well. I usually get over it and just tell myself that I just haven't encountered a particular topic before so I'm not an expert at it yet. I then dive in and learn all I can about it.
  • I always feel like a phony just biding my time until I'm found out. It definitely motivates me to excel further, hoping to outrun that sensation that I'm going to be called out for something I can't do
  • Phony? I don't. If anything, I wish I was doing more stuff on a grander scale. But I'm content with where I am now (entrepreneurship and teaching).
  • I think you are only a phony when you reflect your past work and don't feel comfortable about your own efforts and achievements.
  • Hell, no. I work my ass off. I own up to what I don't know, admit my mistakes, give credit freely to other when it's due and spend a lot of time always trying to learn more. I never feel like a phony.
  • Quite often. I don't truly think I'm a phony, but certainly there are crises of confidence that happen... particularly when I get stuck on something and start thrashing.

There are some folks who totally have self-confidence. Of the comment sample above, there are three "I don't feel like a phony" comments. But check this out: two of those folks aren't in IT. Perhaps IT people are more likely to have low self-confidence?

The important thing is to recognize this: If you are reading this or any blog, writing a blog of your own, or working in IT, you are probably in the top 1% of the wealth in the world. It may not feel like it, but you are very fortunate and likely very skilled. There are a thousand reasons why you are where you are and your self-confidence and ability are just one factor. It's OK to feel like a phony sometimes. It's healthy if it's moves you forward.

I'll leave you with this wonderful comment from Dave Ward:

I think the more you know, the more you realize just how much you don't know. So paradoxically, the deeper down the rabbit hole you go, the more you might tend to fixate on the growing collection of unlearned peripheral concepts that you become conscious of along the way.

That can manifest itself as feelings of fraudulence when people are calling you a "guru" or "expert" while you're internally overwhelmed by the ever-expanding volumes of things you're learning that you don't know.

However, I think it's important to tamp those insecurities down and continue on with confidence enough to continue learning. After all, you've got the advantage of having this long list of things you know you don't know, whereas most people haven't even taken the time to uncover that treasure map yet. What's more, no one else has it all figured out either. We're all just fumbling around in the adjacent possible, grasping at whatever good ideas and understanding we can manage to wrap our heads around.

Tell me your stories in the comments.

And remember, "Fake it til' you make it."

[0] http://www.thefreedictionary.com/phony

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

A suggested improved customer interaction with the Apple Store (and Cloud Services in general)

August 13, '11 Comments [39] Posted in Apple | Musings
Sponsored By

Alternative Title: "What good fraud detection looks like"

Save me, Clippy, from Internet Fraud! My recent 'screed' called "Welcome to the Cloud - "Your Apple ID has been disabled" got a number of people talking. Yes, Gruber's DF called it a 'screed' which is a common enough term on his site I suppose. Sure, it was a rant, I'll accept that.

MG Siegler from TechCrunch had these comments, some very valid. Emphasis mine.

But what Hanselman, who happens to work for Microsoft, seems most upset about is that Apple sent him a email warning him of strange activity on his account, but worded it in a way he didn’t like. And then they locked down his account with wording he didn’t like. And they made him go through iTunes to double-check his activity.

And he doesn’t like that Apple knows what device he has, but let the download happen anyway. I mean, people buy new devices all the time. What’s the proposed solution here? The perpetrators clearly had the correct Apple ID and password. I’m not sure what you can do to protect against that. Kill the cloud?

I honestly don't how my Apple ID account was compromised. I had a high-entropy generated site-specific password. I've scanned all my systems for trojans, keyloggers and rootkits. However, that's not the point, nor was it the point of the post (although it was a bit of a rant on my part, admittedly.) The point isn't even Apple-specific, although they are an excellent example.

This security related user interaction could just as easily been on Xbox Live, Amazon Kindle, DropBox, or any of a hundred other Cloud services. Regardless of how the fraud occurred, what happens next is a user interaction point that is an opportunity to make things right for the customer.

Before I worked for Microsoft, I was the Chief Architect at an Online Banking vendor. At our high point, 25% of the retail online banking in the US ran through the system I worked on. We worked half the top ten banks in the country, as well as banks overseas. We worked with anti-fraud systems and the FBI. We designed a number of interesting systems around keeping users safe and informed.

For example, in one system, if your account password is compromised the bad guys could be able log into and see your account balances. However, there was a scale of 'risky operations' from seeing your account numbers (hidden by default) to transferring money internally (risky) to transferring money overseas (very risky) that would throw up gauntlets. Using Bayesian algorithms we would assign a user's session and their activities a risk value. When those values passed a threshold, we get challenge them for more information. The user isn't bothered when they do the stuff they always do from the computers they always use. But if you're suddenly on a new browser from a new system in a new country doing something you've never done before, we'll challenge you. This kind of adaptive real-time fraud detection with security gates is will have to become the norm in user interactions with Cloud Services.

MG Siegler calls me out here:

Apple sent him a email warning him of strange activity on his account, but worded it in a way he didn’t like.

Here is the email and what it made me feel. Then I'll propose a solution.

Your Apple ID was just used to purchase 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID.
If you made this purchase, you can disregard this email. This email was sent as a safeguard designed to protect you against unauthorized purchases.
If you did not make this purchase, we recommend that you go to
iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.

I read this as:

  • We know what devices you have, and a new device we've never seen before has bought something.
  • If it was you, don't worry, this email was FYI.
  • If it wasn't you, you should go to iforgot.apple.com and change your password and protect your account.
  • Whatever happened was probably your fault and you should be more careful with these tips.

It may very well be my fault, but this user interaction isn't designed to comfort me or to make me feel safer. It succeeding in upsetting me and making me feel not only out of control but also helpless.

Here's a email I would have loved to have received

Congrats on your new iPhone/iPad! We noticed you've made your first purchase, as your Apple ID was just used to buy 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID.
Ordinarily we wouldn't bother you but we noticed a few things about your recent purchase.

  • You've never purchased an app in Chinese. Your last 492 app purchases have been English.
  • This purchase was from the China Unicom carrier, while your other 3 devices are on AT&T.
  • This purchase originated from a location in Shanghai, while your previous app purchases have originated from Oregon.
  • This application included In-App purchases over $20 and you've set your in-App purchase threshold at $10.

We realize this may be inconvenient, but in instances like these, it's best to be extra careful. We need to associate your new device with your Apple ID. This is a one-time operation. If you made this purchase, please click here to confirm. This email was sent as a safeguard designed to protect you against unauthorized purchases on new devices.
If you did not make this purchase, click here and let us know. The security of your account is important to us and we always recommend you

protect the security of your account.

MG Siegler says:

And he doesn’t like that Apple knows what device he has, but let the download happen anyway. I mean, people buy new devices all the time.

I have, according to iTunes, 492 applications. They have all been purchased on either my iPad or my iPhone. I purchase new apps all the time. In fact, the ratio of my app purchases to my device purchases is 492:2. I realize MG says "people buy new devices all the time" but I would argue that a single confirmation email on the first application purchased on a new device would greatly reduce cases of fraud like this (assuming you don't have a @me email account that the bad guys own.)

This is a single example of an Apple interaction, but I would expect nothing less from my Xbox, from my Kindle, or from my Bank. In fact, I get notifications from Gmail that make me feel better about my interaction with them, not worse. Recently I logged into my Google Apps account and a small red banner was at the top that said "You are forwarding email to foo@foo.com. Why is this notice here?"

gmail redirect notice 

I saw this Gmail notice and said to myself, "rock on." I didn't realize I was forwarding emails with certain keywords to another account. This could be an attack vector for bad guys to siphon information out of a compromised email account. And the "why is this notice here?" link is subtle brilliance. Inform the customer and answer common questions.

Gmail also has a "notify me of suspicious activity" setting. I receive this when I am overseas or after coming back. Also brilliant. You don't usually go to Poland, so here's how to protect yourself.

gmail_warning  gmail-redirect-notice[1]

I expect my cloud services to let me know in a way that escalates appropriately with the threat when something that doesn't' match my patterns happens.

The meta-points are

  • The Cloud(s) and all its services are protected only by our passwords and the most basic of fraud systems.
  • Cloud services are totally centralized, which makes them a big target, but they have activity information about what we're doing online that isn't being utilized to keep us safe.
  • We, the Users, need to demand better, more secure interactions from the cloud vendors that we put our trust in.
  • It sucks to lose access to your cloud data.

What are your thoughts, Dear Reader?

Thanks to Matt Sherman for the Alternative Title! ;)

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Welcome to the Cloud - "Your Apple ID has been disabled."

August 12, '11 Comments [104] Posted in Apple | Musings
Sponsored By

Welcome Hacker News, Slashdot, DF and TechMeme. Be sure to read the follow up post on "What Good Fraud Detection Looks Like."

Your Apple ID has been disabled. Evil.

So Apple is America's most valuable company. They are, like everyone else, betting the company on the cloud. You may be familiar with the cloud, as it's where all your valuable stuff is. The stuff that you may lose access to at any moment.

The most valuable companies have your valuable data in the cloud. We may think the cloud is decentralized, but it's not. It's totally centralized. All the valuable data is now in one place with one password that's connected to your one bank account. We've centralized and simplified fraud and the public pays for it.

I've got email in Gmail, Music in Spotify, files in DropBox, documents in SkyDrive, photos in Flickr, and media and Apps in the Apple Cloud.

I got this email out of nowhere yesterday.

Dear Scott Hanselman,
Your Apple ID,
scott@hanselman.com, was just used to purchase 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID.
If you made this purchase, you can disregard this email. This email was sent as a safeguard designed to protect you against unauthorized purchases.
If you did not make this purchase, we recommend that you go to
iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.
Regards,
Apple

After confirming the email path via headers and checking all the links as well as the HTML source of the email (seriously, you expect my Mom to do this?) I decided it was legit.

The phrasing of this email is irritating and wrong-headed. Here's why.

  1. They know it's a device they've never seen before.
  2. They let it happen anyway.
  3. They tell me it's for my good in a self-congratulatory way.
      This email was sent as a safeguard designed to protect you against unauthorized purchases.
  4. But, if I didn't make this purchase, rather than a Dispute button or Fraud link, they recommend I change my password.

Evil AppStunning.

I changed my password and went into the Apple Cloud of past purchases via the App Store. Note that it's "Not On This iPhone." It's actually not on any of my devices, because I never bought it.

If you look at the App, you'll note that it's got a sudden rash of negative reviews from folks who have apparently also been hit by this issue. Someone buys this app (no idea how) and then uses in-app purchase to steal money.

The part I can't get my head around is this. My password is/was rock solid. I use a password manager, my passwords are insane and have high entropy. Not to mention that Apples knows what devices I have and still allowed the purchase.

Next, I got a Paypal Email thanking me for my $40 purchase from Apple. As an interesting data point, I haven't received an iTunes receipt for these illicit purchases.

Instead, I look in iTunes. Odd that we have to go into iTunes to see purchase history instead of a website.

And there they are. A whole series of in-app purchases for an App I don't have on a phone that doesn't exist.

Evil Receipt

Evil Music.I looked into Recent Purchases on my phone and found a bunch of music and videos I never purchased either. 

Another data point is that the error I get is "This Apple ID has been disabled," NOT "This Apple ID has been disabled for security reasons." Just search around. Everyone has had this problem. Some folks have told me they reset their password every time they buy an app! Others have just given up. We'll never see this fixed until Gruber gets the error.

According to iTunes I've got 479 apps. I've got movies, TV shows, and music. All this is in the Cloud. You know, that amazing thing where all our stuff is stored so we can get to it from anywhere? The Cloud where everything is moving towards, that utopian future where there's no DRM and unlimited storage. Freedom, commerce, and media for all. Except I can't access the cloud. And I have no idea how to fix it.

Protect your neck, Dear Readers. For now, today, I am here and my things are in the cloud and never the twain shall meet.

If you have stores about fraud or hacking, tell me your stories at http://myappleidhasbeendisabled.tumblr.com

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

NuGet Support for Visual Studio 2008

August 10, '11 Comments [12] Posted in NuGet | NuGetPOW
Sponsored By

macgyvertoolWell, not really. A better title would be "How to Cobble Together NuGet Support for Visual Studio 2008 with External Tools and a Prayer." The point is, there are lots of folks using Visual Studio 2008 who would like NuGet support. I'm exploring this area and there's a half-dozen ways to make it happen, some difficult and some less so. The idea would be to enable some things with minimal effort. It'll be interesting to see if there are folks in the community who think this is important enough to actually make it happen. Of course, the easiest thing is to just use 2010 as it sill supports .NET 2.0, 3.0, 3.5, and 4, but not everyone can upgrade.

Someone could:

  • Backport the existing NuGet Package References dialog to 2008 using that version's native extensions (not VSiX)
  • Create MEF (Managed Extensibility Framework) plugins for the nuget.exe command-line to update the references in a vbproj or csproj
  • Use PowerShell scripts and batch files to get the most basic stuff working (get a package and update references.)
    • Maybe write a shim to get DTE automation working...

But that's coulds and maybes. Let's talk about the MacGyver solution.

Launch Visual Studio 2008 and go to Tools | External Tools.

External Tools in Visual Studio

Make a new Tool with these values:

  • Title: NuGet Install
  • Command (I'm assuming this is in the PATH): nuget.exe
  • Arguments: install your.package.name -excludeversion -outputDirectory .\Packages
  • Initial directory: $(SolutionDir)
  • Use Output window: Checked
  • Prompt for arguments: Checked

Next, right click in the Tookbar area and create a new Toolbar called NuGet. From Commands, drag in the correct Tools | External Tool button. Right click it and design to taste:

Creating a new Toolbar with "NuGet Install" on it

Now, when you click Install Package, you should change your.package.name to whatever the you want is, and click OK. Note the output in the console window below.

NuGet in Visual Studio 2008

At this point, because we are only integrating the command line too, you don't get the references added automatically. And where's the packages? Well, they are here, one directory up under Packages. It's still up to you to add the reference yourself and make sure it's the appropriate one (I refer you again to the wish list above.)

The NuGet packages

If you are feeling extra fancy, you can even add a few macros and links in your Toolbar to send you to the NuGet site for searching.  Here's a Visual Studio 2008 macro that launches your default web browser and takes you to http://www.nuget.org/List/Packages.

Public Module NuGet
Sub LaunchNuGetSite()
Dim p As New System.Diagnostics.Process()
p.Start("http://www.nuget.org/List/Packages")
End Sub
End Module

Then make toolbar buttons for those extra buttons, like this one for going to the NuGet site and searching:

More buttons for NuGet

Thoughts, Dear Reader?

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.