Scott Hanselman

My car ships with crapware

April 10, '12 Comments [97] Posted in Musings
Sponsored By

Toyota Entune In Dash computerThere are few things sadder than the software that ships with your car's in dash computer. it's 2012 and we have hybrids that can regenerate power from inertia but the car manufacturers haven't figured out that we just want the in-dash car screen to be powered by our smartphone. Sure, there's a few products in the space like the hobbyist-grade "Mimics" from MP3Car and some weird hybrids like AppRadio from Pioneer but they are all aftermarket and a little Frankenstein's Monster.

The Toyota Prius V that we just bought comes with a system called Entune. This is a little computer in the dash itself that includes Applications (yes, applications) like Bing Search, Pandora, Traffic and others. I've got a dual-core internet connected super-computer in my pocket and you can get one yourself for $99 at AT&T but my new car includes an underpowered, low-resolution, low-memory tiny computer of its own. It would have made far too much sense for them to spend the money on an awesome 6" or 7" screen that mirrored the phone.

Think about this. My car has Pandora. Yay, right?

To use Pandora on my new car I have to:

  • Register for an Entune account at - This is a required step.
  • Link my existing Pandora account with my Entune account. Note that this can't be done on your phone. Gotta use a PC. Didn't work on the iPad either.
  • Pair my phone with my car using Bluetooth.
  • Have a phone that supports Tethering via Bluetooth
  • Pay for a tethering account from my phone provider (Personal Hotspot from AT&T, for example)
  • Perform a second pairing to authorize the car to use my phone for Internet
  • Enter my Entune password into my car using their touch screen. It then uses my phone to talk to Entune (I hope it's using SSL!)
  • Run Pandora on my car which uses Bluetooth to my phone over tethering which uses 3G/4G to talk to the internet.
  • Send a check to Rube Goldberg to pay for royalties given this is a complete rip-off of his best contraptions.

Seriously friends, drink that in for a moment. My car has a crappy computer that runs a version of Pandora that talks to my phone to use its internet to get music from Pandora.

Here's a thought. Why don't I just run Pandora on my phone?

Do you think that my car will ever get a new version of Pandora? Do I need to get on the app update treadmill with my car's appstore?

Will my Entune system update? No.

Well, let's see. The Entune FAQ says that I should "check back often for updates."

Check back often for updates? Ok, so the answer is NO. This Pandora application will never be updated, ever. I have a pale shadow of a tablet PC in my new car that requires tethering from my super-powered and often updated internet connected phone with a thriving app store. It would have made far too much sense to use the phone as the heart of this system.

In ten years my car will still be running. AOL was hot 10 years ago. Will Pandora even exist in 10 years?

Will Toyota put out a user-serviceable update to my car's system to remove the Pandora icon or will it remain on my dash for eternity, a lonely symbol of a dead company reminding me each ignition of a bubble long past?

The phone connectivity ecosystem is so messy right now that there are actually wizards to walk you through the complexities. Toyota's Connect site will show you which of the 150 features their in-dash Entune system will support given your phone and car and phone carrier. We're doing Cartesian products here to find out if I can listen to streaming audio?

This is a ridiculous table that shows that my iphone supports SOME of the features of my car, but not all

Here's the final irony. I have the latest and greatest and fanciest fruit-based smartphone with the latest hardware and software. It doesn't support 30% of the things my car does. In fact, no phone does. I was thrilled to see that the car supports text messaging, a sync'ed calendar and more (when stopped.) Does my phone support that? No. A Blackberry does though. And I'm sure they'll be around in the future.

May I just point out, as a final hilarious indignity that this system has won awards?

I know this is ranty and if you worked on this system and show up in the comments, forgive me. I'm not trying to pick on the trench developers of these things but rather the architects/designers/planners. I wish they'd show some foresight and create future-proofed systems that use and embrace open specs and protocols. VNC anyone? The fact that I can place calls and stream Bluetooth audio in this car is great. But it'd be nice if with all this dancing back and forth and tethering and pairing that the maps and navigation would just use Google or Bing maps for always updated high-res, high quality maps. Do they? Nope, that would make too much sense.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

It's not what you read, it's what you ignore - Video of Scott Hanselman's Personal Productivity Tips

April 9, '12 Comments [55] Posted in Productivity | Speaking
Sponsored By

I've done a number of talks on Productivity in the past. Lots of folks ask me what my tips are for being productive. I've taken all those tips as well as tips from Kathy Sierra, Stephen Covey, David Allen, The Pomodoro Technique and many more and aggregated them into a system that works well for me. I talk about how to effectively handle large amounts email, sorting your personal data stream, how to conserve your keystrokes, the "one email rule" that you need to be effective

I'm giving this talk in a few places in the coming months like StirTrek in Ohio, DevCon in Russia, and possibly "That Conference" in Wisconsin. If you will be attending one of these events, you might want to wait and see it in person. ;)

There's a few jokes in the beginning of the talk that refer back to some discussion about Gamification and a funny back and forth that Kathy Sierra and I had. If they don't make sense, that's the context.

I hope you enjoy it. It's about 42 minutes long. There's lots of other great talks from WebStock '12 up at their event site. Do check them out. I particularly like Lauren Beuke's talk on Kinking Reality, Matthew Inman (The Oatmeal) and his talk on getting people to read what you write, Adam Lisagor (the world's quietest pitchman) and Rob Malda on the Rise and Fall of Slashdot.

Of course, feel free to share this post with your friends. I hope it helps them.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Back to Basics: Dynamic Image Generation, ASP.NET Controllers, Routing, IHttpHandlers, and runAllManagedModulesForAllRequests

April 7, '12 Comments [33] Posted in ASP.NET | ASP.NET MVC | Back to Basics | Learning .NET
Sponsored By

Warning, this is long but full of info. Read it all.

Often folks want to dynamically generate stuff with ASP.NET. The want to dynamically generate PDFs, GIFs, PNGs, CSVs, and lots more. It's easy to do this, but there's a few things to be aware of if you want to keep things as simple and scalable as possible.

You need to think about the whole pipeline as any HTTP request comes in. The goal is to have just the minimum number of things run to do the job effectively and securely, but you also need to think about "who sees the URL and when."

A timeline representation of the ASP.NET pipeline


This diagram isn't meant to be exhaustive, but rather give a general sense of when things happen.

Modules can see any request if they are plugged into the pipeline. There are native modules written in C++ and managed modules written in .NET. Managed modules are run anytime a URL ends up being processed by ASP.NET or if "RAMMFAR" is turned on.

RAMMFAR means "runAllManagedModulesForAllRequests" and refers to this optional setting in your web.config.

<modules runAllManagedModulesForAllRequests="true" />

You want to avoid having this option turned on if your configuration and architecture can handle it. This does exactly what it says. All managed modules will run for all requests. That means *.* folks. PNGs, PDFs, everything including static files ends up getting seen by ASP.NET and the full pipeline. If you can let IIS handle a request before ASP.NET sees it, that's better.

Remember that the key to scaling is to do as little as possible. You can certainly make a foo.aspx in ASP.NET Web Forms page and have it dynamically generate a graphic, but there's some non-zero amount of overhead involved in the creation of the page and its lifecycle. You can make a MyImageController in ASP.NET MVC but there's some overhead in the Routing that chopped up the URL and decided to route it to the Controller. You can create just an HttpHandler or ashx. The result in all these cases is that an image gets generated but if you can get in and get out as fast as you can it'll be better for everyone. You can route the HttpHandler with ASP.NET Routing or plug it into web.config directly.

Works But...Dynamic Images with RAMMFAR and ASP.NET MVC

A customer wrote me who was using ASP.NET Routing (which is an HttpModule) and a custom routing handler to generate images like this:

routes.Add(new Route("images/mvcproducts/{ProductName}/default.png", 
new CustomPNGRouteHandler()));

Then they have a IRouteHandler that just delegates to an HttpHandler anyway:

public class CustomPNGRouteHandler : IRouteHandler
public System.Web.IHttpHandler GetHttpHandler(RequestContext requestContext)
return new CustomPNGHandler(requestContext);

Note the {ProductName} route data in the route there. The customer wants to be able to put anything in that bit. if I visit http://localhost:9999/images/mvcproducts/myproductname/default.png I see this image...

A dynamically generated PNG from ASP.NET Routing, routed to an IHttpHandler

Generated from this simple HttpHandler:

public class CustomPNGHandler : IHttpHandler
public bool IsReusable { get { return false; } }
protected RequestContext RequestContext { get; set; }

public CustomPNGHandler():base(){}

public CustomPNGHandler(RequestContext requestContext)
this.RequestContext = requestContext;

public void ProcessRequest(HttpContext context)
using (var rectangleFont = new Font("Arial", 14, FontStyle.Bold))
using (var bitmap = new Bitmap(320, 110, PixelFormat.Format24bppRgb))
using (var g = Graphics.FromImage(bitmap))
g.SmoothingMode = SmoothingMode.AntiAlias;
var backgroundColor = Color.Bisque;
g.DrawString("This PNG was totally generated", rectangleFont, SystemBrushes.WindowText, new PointF(10, 40));
context.Response.ContentType = "image/png";
bitmap.Save(context.Response.OutputStream, ImageFormat.Png);

The benefits of using MVC is that handler is integrated into your routing table. The bad thing is that doing this simple thing requires RAMMFAR to be on. Every module sees every request now so you can generate your graphic. Did you want that side effect? The bold is to make you pay attention, not scare you. But you do need to know what changes you're making that might affect the whole application pipeline.

(As an aside, if you're a big site doing dynamic images, you really should have your images on their own cookieless subdomain in the cloud somewhere with lots of caching, but that's another article).

So routing to an HttpHandler (or an MVC Controller) is an OK solution but it's worth exploring to see if there's an easier way that would involve fewer moving parts. In this case the they really want the file to have the extension *.png rather than *.aspx (page) or *.ashx (handler) as it they believe it affects their image's SEO in Google Image search.

Better: Custom HttpHandlers

Remember that HttpHandlers are targeted to a specific path, file or wildcard and HttpModules are always watching. Why not use an HttpHandler directly and plug it in at the web.config level and set runAllManagedModulesForAllRequests="false"?

<add name="pngs" verb="*" path="images/handlerproducts/*/default.png"
type="DynamicPNGs.CustomPNGHandler, DynamicPNGs" preCondition="managedHandler"/>
<modules runAllManagedModulesForAllRequests="false" />

Note how I have a * there in part of the URL? Let's try hitting http://localhost:37865/images/handlerproducts/myproductname/default.png. It still works.

A dynamically generated PNG from an ASP.NET IHttpHandler

This lets us not only completely bypass the managed ASP.NET Routing system but also remove RAMMFAR so fewer modules are involved for other requests. By default, managed modules will only run for requests that ended up mapped to the managed pipeline and that's almost always requests with an extension. You may need to be aware of routing if you have a "greedy route" that might try to get ahold of your URL. You might want an IgnoreRoute. You also need to be aware of modules earlier in the process that have a greedy BeginRequest.

The customer could setup ASP.NET and IIS to route request for *.png to ASP.NET, but why not be as specific as possible so that the minimum number of requests is routed through the managed pipeline? Don't do more work than you need to.

What about extensionless URLs?

Getting extensionless URLs working on IIS6 was tricky before and lots of been written on it. Early on in IIS6 and ASP.NET MVC you'd map everything *.* to managed code. ASP.NET Routing used to require RAMFARR set to true until the Extensionless URL feature was created.

Extentionless URLs support was added in this KB and ships with ASP.NET MVC 4. If you have ASP.NET MVC 4, you have Extentionless URLs on your development machine. But your server may not. You may need to install this hotfix, or turn on RAMMFAR. I would rather you install the update than turn on RAMMFAR if you can avoid it. The Run All Modules options is really a wildcard mapping.

Extensionless URLs exists so you can have URLs like /home/about and not /home/about.aspx. It exists to get URLs without extensions to be seen be the managed pipelines while URLs with extensions are not seen any differently. The performance benefits of Extensionless URLs over RAMMFAR are significant.

If you have static files like CSS, JS and PNG files you really want those to be handled by IIS (and HTTP.SYS) for speed. Don't let your static files get mapped to ASP.NET if you can avoid it.


When you're considering any solution within the ASP.NET stack (or "One ASP.NET" as I like to call it)...

The complete ASP.NET stack with MVC, Web Pages, Web Forms and more called out in a stack of boxes

...remember that it's things like IHttpHandler that sit at the bottom and serve one request (everything comes from IHttpHandler) while it's IHttpModule that's always watching and can see every request.

In other words, and HttpHandler sees the ExecuteRequestHandler event which is just one event in the pipeline, while HttpModules can see every event they subscribe to.

HttpHandlers and Modules are at the bottom of the stack

I hope this helps!

Sponsor: Thank you to my friends at Axosoft for sponsoring the Hanselman feed this week. Do check out their product! Imagine agile project management software that is brilliantly easy to use, blazingly fast, totally customizable, and just $7 per user. With OnTime Scrum, you won't have to imagine. Get started free.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Hidden Gems in Visual Studio 11 Beta - .NET Portable Class Libraries

April 5, '12 Comments [28] Posted in Learning .NET
Sponsored By

.NET Portable SubsetI'm realizing there's a number of subtle but important new things in the next version of VS that streamline some previously difficult tasks. For example, there's the .NET Framework, but .NET is also in Silverlight, the Windows Phone, the Xbox, etc.

If you create a regular Class Library it has a single Target Framework. However, if you are doing a multi-platform application and you want to maximize your code reuse, you can run into trouble as you may not have all libraries available on the smaller platforms.

Thus, Portable Class Libraries were created. You can get Portable Class Libraries via an extension on Visual Studio 2010 or they are built into Visual Studio 11 Beta.

These Portable Class Libraries (PCLs) will generate a managed assembly that can be referenced by Windows Phone 7, Silverlight, the Microsoft .NET Framework and Xbox 360 platforms. This really helps to maximize reuse of code and reduce the number of projects in multi-targeted application solutions.

I talked about multi-targeting a little in the .NET Versioning and Multi-Targeting - .NET 4.5 is an in-place upgrade to .NET 4.0 post. Visual Studio is smart enough to tell you before compilation what APIs are available. The compiler knows and Intellisense knows. The Reference Assemblies down in C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\ tell you a lot.

Reference Assemblies include .NET Portable Assemblies

If you create a new Portable Class Library, right click on it and hit Properties. You can target specific frameworks and the build system and Intellisense will adjust. Some libraries are on some device. For example, XML Serialization isn't on the Xbox 360, but WCF is on the Windows Phone.

Select the Frameworks you want

Bill Kratochvil has an article in MSDN Magazine that includes the source for a project that targets Windows Phone 7, Silverlight and WPF with shared libraries. David Kean has an article this month in MSDN Mag on how to Create a Continuous Client Using Portable Class Libraries.

Remember that Portable Class Libraries are constrained by design. You're targeting the lowest common denominator to maximize what you can use between projects. The MSDN article on Portable Class Libraries has a table that show what's available on each platform. You can do MVVM work across Windows, Metro style aopps, Silverlight and Windows Phone, for example.

Here's some good advice that David Kean sent me:

One thing [about] using portable [is that it] doesn’t mean you can’t use platform specific features, you just need to spend a little more time thinking about your dependencies. For example, instead of having a low level class that handles your persistence layer using the File APIs (which aren’t usable/available on Phone, Silverlight, etc), have it instead take work on an abstraction such as a stream, which these gets passed that from the platform specific project. Or have it call through an platform adapter (called out in my article), or inject the abstraction using your favorite IoC container (in my case Autofac, just published a portable version)

MSDN Help also shows what works with Portable Libraries as well so you're supported when looking at Help, Intellisense, and at Build time.


The BCL Blog mentioned that they are talking to the Mono guys about this as well. It'd be great to get Mono for Android and other frameworks as appropriate in here as well. I was excited to discover that this work was happening, even though it's been over a year in the making.

For folks like my friends at Rowi who have a great Windows Phone 7 application, or MetroTwit with a great WPF app, I wonder how Portable Class Libraries might change the architecture of their applications and enable cleaner builds and reuse scenarios they haven't thought of.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

What geeks need to tell our parents about shopping online safely and securely

April 4, '12 Comments [18] Posted in Musings
Sponsored By

Creative Commons "StopHerJones" on FlickrMom and Dad, it's a dangerous Internet. You like it and you use it but you don't understand it. I totally get that. I don't understand plumbing. I know that the sink drain goes into the bendy thing and then into the wall. After the pipe hits the wall, as far as I know, it's turtles all the way down. I assume the Internet feels about the same to you.

I don't want to condescend or imply that the web is a series of tubes. You're not interested in knowing all the details and I'm not a plumber, but there's a minimum amount of stuff you should know to be safe. You don't need to memorize this stuff, but it's nice to know generally where the pipes go and when to call a plumber. Or me.

Looking up web addresses

When you type in an address in your browser, your computer queries the Internet's Yellow Pages and tries to find out exactly where is. These yellow pages are called DNS (Domain Name Services). This is just like me taking your home address and getting a latitude and longitude location on a map, then going there. 

Just like it's easier to remember an address like "6 Main Street" than some numbers like latitude and longitude. It's easier to remember "" than it is to remember a number like An address is a convenience.

However, do you trust the Yellow Pages? One day a book showed up on your doorstep, you reference it and it tells you where stuff is. What if an evil-doer dropped pretend Yellow Page books on everyone's doorstep and folks who wanted to go to the store were sent somewhere evil? Hopefully at some point you'd "feel wrong" about the directions you were given and you'd question yourself.

For the most part, you're usually OK, but if you ever type an address and go somewhere that feels wrong, ask someone. There are toolbars and weird little evil bits of software (called malware or adware or spyware) that can "hijack" your browser. They deliberately give your browser incorrect directions in order to get you to go to their site.

It'd be like calling the operator and asking for directions to the Safeway Market and having the operator give you directions straight to Thriftway. You didn't know you couldn't trust the operator!

Develop your Internet Street Smarts

If I tell you to go to you should usually feel OK about that.  If someone tells you to go to you should think that smells fishy. Keep your head up and protect your neck.

See the picture below? It looks like a link to and I'm about to click on it, but see the down at the bottom there's a little window that shows a different website. The blue link is under evil guy's control and can say anything, but the one at the bottom is a hint from your browser that something is fishy.

Totally Not

The browser you use might show this in a different way, but the idea is the same. If someone gives you a link that smells fishy, use your judgment. Develop a healthy - but not paralyzing - suspicion. Everyone in the world isn't out to get you, but pickpockets do exist.

Totally Not

Here's some hints on what to look for. Try to think about not as a scary computer thing but rather use the common sense you've developed in the real world. When you go to Macy's to shop, does it look and smell and feel like Macy's? How do you know it's not a fake Macy's façade that someone put up with cardboard?

Does the address match the logo?

Take a look at this screenshot. Is this a real Abercrombie & Fitch store? The logo says it is, but that address is kind of smelly, don't you think?

Fake - Shop Abercrombie & Fitch UK Online - Discount Abercrombie and Fitch Clothing Sale

Lets say I start shopping at this fishy site anyway. When I start putting things into my shopping cart and giving a store money OR my personal information, a reputable site should change our conversation to a secure line.

Just like in spy movies we hear the lead say "Is this phone encrypted? Don't call me from an insecure line, do you want to get us all killed!?!" you want to think in the same terms.

A Private Conversation

Is your conversation with a website private? Here's the fake site on the left and the real one on the right. See how a little lock appeared? That means the conversation we're having with that site is private.

Now, please, read this part carefully, Mom and Dad. The lock says the conversation is private, but the lock doesn't say I should trust them. You can have a private conversation with a bad guy. There are bad sites with this little lock.

HTTPS (SSL) doesn't mean "I can trust this site," it means "this conversation is private." You still might be having a private conversation with Satan. - Scott Hanselman

Trust and Privacy are different things. "Do I trust this person" and "Is our conversation private?" are different questions. You want to answer yes to both questions before you give a company your credit card number.

A fake site and a real site, side by side

I can click on the lock at the website to see a bunch of techie stuff. That techie stuff is not as interesting as is the other locks and information. There's two green locks assuring me of the privacy of our interaction, but more importantly I can see I've never visited this site before.

But what if I know I have visited the site? What if I visit this site every day and now here it is saying I don't? This is a good time to look around and make sure I am where I think I am. Check the address again, just like you would in real life before you ring the doorbell.

Clicking on the SSL Lock gives more information

Compare this to Amazon, a site I do visit all the time.

Clicking on the SSL Lock gives more information

A Trusted Conversation

If you're going to do some online banking, you should expect to see that lock as soon as you get to the bank's site.

Large, reputable banks should use a special lock on their sites. See this site in three different browsers below? The address bar has turned green. This means that not only is our conversation private but that a company has checked to make sure it's really Bank of America. This means I can trust them AND our conversation is private. These are called "high assurance" or "extended validation" certificates if you want to tell your local credit union or community bank to get one.

Just like Scully and Mulder check other agent's IDs before talking to them, you should be checking the identification of websites you talk to.

EV SSL Certificates are high trust

Questions to Ask

Ask yourself these questions when you start giving away your name, address or credit card online.

  • Does the address for this website look correct?
  • Does the site look real? Have I been here before?
  • How did I get to this site? Did I use a bookmark or did I click on an email from a stranger?
  • Is there a lock in the address bar?
  • For banks or finance sites, is the address bar green? What does it say when I click on it the lock?

What can Techies do to help our parents?

Consider setting Mom and Dad up with OpenDNS. It's not only a trusted DNS Service (That's Yellow Pages, Mom, if you're still here) but OpenDNS can block inappropriate sites for the whole family no matter what browser you use.

If you (or Mom) had the Web of Trust installed, this is what you would have seen when visiting an evil site like this. I'm installing this free tool on Mom's machine today. It's a browser plugin that uses other people's experience to augment yours!

web of trust

Related Links

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.