Scott Hanselman

When is it stealing?

February 26, '14 Comments [89] Posted in Musings

Image by Duncan Hill, used under Creative Commons from http://flic.kr/p/7YkGur

Anything you put on the internet is gonna get stolen. It's preferable if it gets shared or linked to but often it gets copied and copied again.

RSS is magical but it makes it even easier to programmatically syndicate (copy) content. Search around and you'll likely find complete copies of your entire blog mirrored in other countries.

There's so many websites (now "media empires") that have taken aggregation to the extreme, giving it the more palatable name "content curation." Now, to be clear, I respect the work involved in curation. Sites like http://dumbesttweets.com require work and attribute creators. But taking a post, copying unique content, even paraphrasing, and then including a small link just isn't kind. Forget about the legality of it, remembering IANAL, but it's just poor netiquette not to ask permission before using non-Creative Commons content.

Every week or two I get an email from some large aggregation site that says "We'd love to reprint your post...it'll get you more readers." The few times I've done this they've gotten 50,000 views and I've gotten 300 referral views. Likely because the "originally appeared on Hanselman.com" link at the bottom is in 4 point font.

Sites like ViralNova and BuzzFeed are effectively reblogging and embedding machines powered by linkbait copyrighters. "What happened next will shock you."

Even if you make a piece of software, someone may just wrap/embed your installer with their own installer and build a whole business around it.

Narrating your blog posts

Today it was pointed out to me that a nearly 7 year old (and not very good) blog post of mine had been narrated - effectively turned into a podcast - by a startup called Umano. BTW, it's more than a little ironic that my post wasn't even mine. It's an excerpt - published with permission - of my friend Patrick Cauldwell's larger post.

I've used the Umano developer tools and embedded the narrated version here.

First, let me just say that this is essentially a great idea. It's the opposite of transcribing a podcast. It's creating podcasts from existing content using professional narrators, not just text to speech. This could be great for not just the visually impaired but also for anyone who wants to catch up on blogs while commuting.

UPDATE! Umano has narrated THIS blog post! Have a listen! http://umano.me/c/AExmo

Where did the Content come from?

Here's a screenshot of the post on Umano's site. You can see my name "Hanselman" is there, but it's not a link. The headline is a link, but you'd never know until you hovered over it. There's really no easy way to tell where, when, and how this content came about. I think that Umano could easily redesign this site to put the content owner front and center.


Podcasts and audio snippets from blog posts? Great idea, except I wrote the script for this podcast. If I wrote the script and they did the narration, then this must be a partnership, right?

However, if we look at Umano's own Terms of Use:

SoThree claims no ownership or control over any of the content you post to the Service ("Your User Content"). You or a third party licensor, as appropriate, retain all copyright, patent, and trademark rights to any of the content you post on or through the Service. You are responsible for protecting those rights.

Ok, they don't own the content.

By posting Your User Content on or through the Service, you grant SoThree a universal, non-exclusive, royalty-free license to reproduce, adapt, distribute and publish such content through the Service and for the purpose of promoting SoThree and its services.

I'm pretty sure I haven't granted them a universal license to my content as I didn't submit this link. On their home page they say that "you tell us what articles should be voiced." The community submits links, sometimes to content they are a fan of, but don't own, then Umano narrates it.

You may not aggregate, copy, or duplicate any SoThree Content.

Wait, but I can't copy their content? Their content that was generated from my content.

Does this mean I can get a book from the library and narrate it? Turn it into a podcast?

I am told by Umano's twitter account that I'm the first person to object to their content being copied without permission.

I certainly don't think Umano is malicious. Umano is perhaps naive, if they think they can narrate blogs without someone speaking up. That said, their narrators are top notch and their site and app are both attractive and usable. Frankly, I'd be happy if they narrated my whole blog (or at least the good stuff and not the lousy decade-old stuff) and made a podcast feed of my blog like their competitor Castify. But I'd like Umano to do it with me.

Sites like this should ask creators first and their business model should be based on partnerships with content creators, not assumptions. Stitcher has the right idea. I've submitted my content to them and entered into a partnership. They didn't just suck my podcasts in and make a radio station.

Even a single email from Umano like "hey, we would love to narrate your blog, click here and sign this little form" would have been sufficient.

Narrate first, ask questions later? Michael Dunbar nails it with this tweet:

This is an easily solved problem, and it's not just a problem with Umano. This applies to all businesses and startups that rely on content created by others. I think it's important to honor attribution. This isn't about money or even copyright, although those things do apply. Rather, this is about netiquette. When you're building a business model, build it around partnerships and transparency, not assumptions around fair use and copyright. Ask first.

What are your thoughts, Dear Reader?

(If they narrate this one, I'll update the post and complete the circle. ;) )


About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.


Announcing the new Roslyn-powered .NET Framework Reference Source

February 24, '14 Comments [40] Posted in Musings

In 2007 ScottGu's team announced they were releasing the .NET Framework source code for reference. Just a little later, Microsoft made it possible to step through the .NET Framework Source code while debugging. This was announced to much fanfare, and for a while, it was very cool. It wasn't "Open Source" but it's definitely "Source Opened."

However, as time passed, the original Reference Source website for the .NET Framework sucked for a number of reasons, mostly because it wasn't updated often enough.

Fast forward to today...we're back and the .NET team is launching the fresh new and updated .NET Reference Source site with a Roslyn-powered index!

The new beta site is at http://referencesource-beta.microsoft.com and it'll move over to replace the existing http://referencesource.microsoft.com site soon.

It's easy to browse the code, but if you'd prefer you can also download the .NET Framework source in a ZIP from the download link at the top of the site.

The Roslyn-powered .NET Reference Source browser

There's some very cool .NET-related stuff happening this year, and you'll be hearing about it all soon. The new "Roslyn" compiler-as-a-service replacements for the C# and VB compilers have had the "Big Switch" flipped. We're now getting an amazing totally-rewritten managed compiler that can enable features that weren't possible when .NET started over a decade ago.

Today there's a new team working on the .NET Reference Source, and Roslyn let the team generate a complete syntactic and semantic index of the .NET Framework Sources.

From the team: The version of the framework that we currently have indexed is .NET framework version 4.5.1.  If this is something that folks agree is useful, our ongoing commitment towards this feature is to update this every major release i.e. an update for 4.5.2 and so on.  

This is a crucial feature, IMHO, and they are recommitted to making it happen, and most importantly, keeping it fresh and updated. They are also thinking about maybe using the Monaco editor for the site as well.

Be sure to explore the browser and click on everything, as there's a lot more there than just "search box and results."

Here's a few cool things you can do with the URLs on the new site that you should explore. I like being able to reference a line number in the URL for tweeting or IM'ing.

There's also a lot of flexibility in the search:

You can also actually click on types directly within the editor and find where they are referenced in the code.


They will switch the beta site at http://referencesource-beta.microsoft.com/ to take over the existing Reference Source site soon. Until then, use the Feedback link on the site and email the team directly! They are listening and actively working on this site.

The next thing the team is working on, and they are very close, is getting .NET Source Stepping (meaning you can just F11 into the .NET source code) to again work reliably when debugging, no matter what patch version you have of the .NET Framework on your local machine. Look for that in a few days on the .NET Team Blog.

BONUS: Community Visual Studio Extension

Here's an exciting bonus. Community member and fabulous coder Schabse Laks has created a Visual Studio extension for VS2010, 2012, and 2013! This extension sends calls to Go To Definition (or pressing F12 on a symbol) directly to the code online (when it's .NET Framework code, not yours).

You can download this companion "Ref12" Visual Studio Extension now! Just Goto Definition on any .NET type we have source for and it'll launch your default browser so you can explore the .NET Framework source yourself! Thanks Schabse!

.NET Reference Source Code Licensing Clarified

Finally, the licensing was originally the very straightforward Microsoft Reference Source License, but then started to get other caveats tacked on like "don't look at this if you aren't using Windows" until it wasn't really the MS-RSL at all.

They've changed that stuff. They're back to the straight MS-RSL which is easy to read and clear. This means that folks can now look at this Reference Source and not have to gouge their eyes out afterwards. Which is great!

We all hope you like the new site and the team looks forward to your comments!


Sponsor: Big thanks to Red Gate for sponsoring the blog feed this week! Easy release management: Deploy your SQL Server databases in a single, repeatable process with Red Gate’s Deployment Manager. There’s a free Starter edition, so get started now!


Microsoft killed my Pappy

February 22, '14 Comments [327] Posted in Musings

I was talking to a young (<25) Front End Developer recently who actively hated Microsoft. Sometimes I meet folks that are actively pissed or sometimes ambivalent. But this dude was pissed.

The ones I find the most interesting are the "Microsoft killed my Pappy" people, angry with generational anger. My elders hated Microsoft so I hate them. Why? Because, you wronged me.

"You killed my pappy," said the youth, "and my pappy's pappy. And his pappy's pappy. And my brothers Jethro, Hank, Hoss, Red, Peregrine, Marsh, Junior, Dizzy, Luke, Peregrine, George and all the others. I'm callin' you out, lawman."

One person said that he was still mad about the Microsoft Anti-Trust thing. "Hey, 10 years ago Microsoft did this..." That was initiated in 1998 for actions in 1994. That's 20 years ago.  And for bundling a browser in the operating system that couldn't be uninstalled or easily replaced? Sure, no operating systems do that in 2014. I wonder if I can swap out Chrome from Chrome OS or Mobile Safari in iOS. Point is, it's common now.

This "generational technology pain" seems to persist long after the root causes have died. Do I hate Japan for World War II? My 6 year old wanted to know this as he's learning world history. I said, "No, we're cool with Japan. We've done some good stuff together." And he was like, "Cool." 

I realize that while you, Dear Reader, are a thoughtful and respectful lot, the Internet tends to be a bit of a motley crew. I fully expect the comments to be on fire later. But know this, I didn't work for The Man when all this went down, and I was as outraged as you were 20 years ago (assuming you were alive). But now, I've been here pushing open source and the open web for over 5 years and things are VERY different. I know you all have stories about how you were wronged, but we all have those about various companies. You're pissed about IE6, about FoxPro, about Silverlight, heck, maybe VB6. Sure, I hear you. I'm pissed about DESQView and my Newton, and Snow Leopard not running on my PowerPC. At some point you let go, and you start again with fresh eyes.

Embrace, Extend, Hugs?

We're putting source on GitHub, many groups are using Git with TFS internally for projects, we've open sourced (not just source-opened) huge parts of .NET and are still pushing. We've open sourced Azure hardware specs, opening SDKs, and we're making systems more pluggable than ever. Frankly, we're bending over backwards to NOT be dicks about stuff, at the very least in my corner of the company. Could we do better? ALWAYS. Are we pure evil? Nah.

Is Microsoft circa 2014 worse than Google, Apple, or Facebook? We're not nearly as organized as we'd need to be to be as evil as you might think we are.

Moreover, I think that Microsoft is very aware of perceptions and is actively trying to counter them by actually being open. I'd say we're more concerned than a Google or Apple about how folks perceive us.

I don't speak for Microsoft, I'm not a mouthpiece or a marketer. Sure, I promote the stuff I work on, because some of it is damn cool stuff. I'm a programmer with a blog who likes to speak on technology. But I am not my employer.

That said, I will quote myself (again, opinion, don't fire me) from my own Hacker News comment regarding the direction we're going:

It's worth noting that under Satya [Ed: And ScottGu] (in my org, Cloud and Enterprise) we open sourced ASP.NET, use 50+ OSS libraries in Visual Studio, have all the Azure cloud SDKs on GitHub, and on and on. We made Portable Libraries happen and now share code between iOS, Android, and Windows. This is not your grandfather's MSFT, and now the dude who helped us (Azure) change things in a fundamentally non-MSFT and totally awesome way is in charge. I'm stoked - big things coming, I think.

Sure, we do stupid stuff sometimes, usually because someone in one org isn't talking to another org, or some marketing vendor overreaches, every big company makes these mistakes.

But I like the direction we're heading. I work here to fix stuff. Some folks complain, some tweet complaints, I'm here to fix it. If it was a lost cause, I'd quit, as I truly don't need the job that badly. I'm happy to be a small part of a small part of pushing us. I will push until I can't push anymore.

I said, find a new reason to hate Microsoft. I didn't kill your Pappy, son.

* Photo by Frank Swift used under Creative Commons



Distributed Automated Browser Testing with Selenium and BrowserStack

February 20, '14 Comments [26] Posted in Musings

I'm a huge fan of BrowserStack. They are a cloud-based browser testing service that lets you remote into effectively any browser version on any version of any operating system. They've even got Visual Studio integration so you can just hit F5, choose the browser you want, and start debugging.

COUPON: BrowserStack is a service (a cloud of machines do the work) but you can get 3 months free from the IE folks at Modern.ie. To be clear: I'm not affiliated with either of these folks, just letting you know that it's cool. I do personally have a BrowserStack subscription that I pay for.

I've long been a proponent of integration testing websites by putting the browser on a string, like a puppet. I used Watir (Web Application Testing in Ruby) almost 10 (!) years ago, and wrote WatirMaker (and later WatirRecorder) to make that easier.

I also spent time with Selenium as early as 2007, although it was a very different Selenium than it is today. I also interviewed Jim Evans from the Selenium Team on my podcast.

BrowserStack as a Selenium Cloud with RemoteDriver

Selenium today uses a "Selenium Server" and a "WebDriver." WebDrivers are language-specific bindings to drive a browser - to put strings on your browser and control it.

Now, there's dozens of choices to make and dozens of ways you can get Selenium working. With much respect due to the Selenium team, the docs on their main page spend a LOT of time talking about different versions, older versions, history of the project, and there's no real "Getting Started FAQ" with stuff like "I'm a Windows person, get this and this and that." Or "I'm on a Mac and like Ruby, just get this and this." There is a fairly extensive Wiki, though, but it's still a lot of terms to understand.

Do expect to spend a few hours exploring and messing up, but do know that there's a few dozen ways to be successful with Selenium, which is part of its charm.

First, you can write tests in whatever language you like. So, C#/NUnit, or Ruby, or Python, for example.

You can download "drivers" for a browser and run them directly, having them listen on a port, and make them available to yourself or others in your company.

When writing tests, you can ask for browsers ("drivers") directly by asking for them from your test language of choice, like instantiating a "ChromeDriver" or an "IEDriver."

But, you can also launch a more general-purpose server that will present itself as a "WebDriver," then you give it a list of the capabilities you want and it will then find and drive a browser for you. This is what BrowserStack's cloud does. You can also set these up inside your own company, although it's a bit of a hassle.

There's 8 different OSes. 20 mobile devices, 300 browser/version combos. For the free automated trial you get 100 minutes of "drive time" free. Also, it's half the price if you only want desktop browsers.

The Web Interface for BrowserStack showing the tests I've run

I like to use Python for Selenium Tests, for some odd reason. Again, you can use whatever you like. Doesn't matter.

If you don't have Python...

  • Get Python 2.7 - I'm on Windows and I got the x86 one.
  • Get setuptools for 2.7 - note the py2.7 in the file name.
  • Get the latest Pip for 2.7 - Note the py2.7 in the file name.
  • Then run "pip install -U selenium"

Your Python code might look like this. Here I'm using BrowserStack's cloud and asking for IE7 on Windows XP.

    from selenium import webdriver
    from selenium.webdriver.common.keys import Keys
    from selenium.webdriver.common.desired_capabilities import DesiredCapabilities

    # Capabilities tell the remote hub which OS/browser combination to provision.
    desired_cap = {'os': 'Windows',
                   'os_version': 'xp',
                   'browser': 'IE',
                   'browser_version': '7.0',
                   'browserstack.debug': 'true'}

    # "hanselman:mysecretkey" stands in for your BrowserStack username and access key.
    driver = webdriver.Remote(
        command_executor='http://hanselman:mysecretkey@hub.browserstack.com:80/wd/hub',
        desired_capabilities=desired_cap)

    driver.get("http://www.google.com")
    if "Google" not in driver.title:
        raise Exception("Unable to load google page!")

    # Type into the search box (the input named "q") and submit the form.
    elem = driver.find_element_by_name("q")
    elem.send_keys("Hanselman")
    elem.submit()
    print(driver.title)

    # Always release the remote browser, or it keeps using "drive time".
    driver.quit()

Note I have "browserstack.debug" on, so I can actually go to the BrowserStack site and see screenshots of each step!

Screenshot of BrowserStack automatically typing Hanselman into Google on IE7 on XP

Here's the next step...

The results of the Google Search for Hanselman

Details on how this automation works are all up at https://www.browserstack.com/automate. Again you can use any language you want. Here's the same thing in C#:

    using System;
    using OpenQA.Selenium;
    using OpenQA.Selenium.Remote;

    namespace SeleniumTest {
        class Program {
            static void Main(string[] args) {
                IWebDriver driver;
                DesiredCapabilities capability = DesiredCapabilities.Firefox();
                // Placeholder BrowserStack username and access key.
                capability.SetCapability("browserstack.user", "hanselman");
                capability.SetCapability("browserstack.key", "superfancypantssecretapikey");

                driver = new RemoteWebDriver(
                    new Uri("http://hub.browserstack.com/wd/hub/"), capability
                );
                driver.Navigate().GoToUrl("http://www.google.com/ncr");
                Console.WriteLine(driver.Title);

                // Type into the search box (the input named "q") and submit the form.
                IWebElement query = driver.FindElement(By.Name("q"));
                query.SendKeys("hanselman");
                query.Submit();
                Console.WriteLine(driver.Title);

                driver.Quit();
            }
        }
    }

If your site is only available at localhost, you can make a temporary tunnel and make it accessible to BrowserStack, as well. If you've got Chrome or Firefox, there are extensions to make this even easier.

I hope you check out both BrowserStack and Selenium, and perhaps consider how you're testing your site today (humans who click?) and if you could be more effective with different tools?



How do we know if mobile apps are secure?

February 17, '14 Comments [20] Posted in Musings

You know how we're always telling our non-technical non-gender-specific spouses and parents to be safe and careful online? You know how we teach non-technical friends about the little lock in the browser and making sure that their bank's little lock turned green?

Well, we know that HTTPS and SSL don't imply trust, they imply (some) privacy. But we have some cues, at least, and after many years while a good trustable UI isn't there, at least web browsers TRY to expose information for technical security decisions. Plus, bad guys can't spell.


But what about mobile apps?

I download a new 99 cent app and perhaps it wants a name and password. What standard UI is there to assure me that the transmission is secure? Do I just assume?

What about my big reliable secure bank? Their banking app is secure, right? If they use SSL, that's cool, right? Well, are they sure who they are talking to?

IOActive Labs researcher Ariel Sanchez tested 40 mobile banking apps from the "top 60 most influential banks in the world."

40% of the audited apps did not validate the authenticity of SSL certificates presented. This makes them susceptible to man-in-the-middle (MiTM) attacks.

Many of the apps (90%) contained several non-SSL links throughout the application. This allows an attacker to intercept the traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or similar scam.
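Both findings quoted above can be checked mechanically. The following is an added example, not code from the original post or from IOActive: it puts a Python TLS context with certificate validation switched off beside the validating default, audits a context for the difference, and scans app resources for cleartext `http://` links. The function names, the sample resource lines and the `bank.example` hosts are constructed for illustration.

```python
import re
import ssl


def trust_everything_context():
    """The mistake: traffic is still encrypted, but to whoever answers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted, so MiTM works
    return ctx


def validating_context():
    """The library default: CA chain and hostname are both verified."""
    return ssl.create_default_context()


def audit_context(ctx):
    """Return the validation problems of an SSLContext (empty list = OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    return findings


# http:// URLs, case-insensitive; https:// does not match.
CLEARTEXT_URL = re.compile(r"""\bhttp://[^\s"'<>]+""", re.IGNORECASE)
# XML namespace URIs are identifiers that are never fetched, so skip them.
XMLNS_PREFIX = re.compile(r"""xmlns(:\w+)?\s*=\s*["']$""")

# Constructed sample of app resource lines (hosts are placeholders).
SAMPLE_RESOURCES = "\n".join([
    '<resources xmlns:android="http://schemas.android.com/apk/res/android">',
    '<string name="login_url">https://bank.example/login</string>',
    '<string name="help_url">http://bank.example/help.html</string>',
    '<string name="promo_js">HTTP://cdn.bank.example/promo.js</string>',
    '</resources>',
])


def cleartext_links(text):
    """Return (line number, url) for every link that would travel unencrypted."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CLEARTEXT_URL.finditer(line):
            if XMLNS_PREFIX.search(line[:match.start()]):
                continue
            hits.append((lineno, match.group(0)))
    return hits


if __name__ == "__main__":
    for name, ctx in (("trust-everything", trust_everything_context()),
                      ("default", validating_context())):
        print(name, audit_context(ctx) or "OK")
    for lineno, url in cleartext_links(SAMPLE_RESOURCES):
        print("line %d: cleartext link %s" % (lineno, url))
```
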

If I use an app to log into another service, what assurance is there that they aren't storing my password in cleartext? 

"It is easy to make mistakes such as storing user data (passwords/usernames) incorrectly on the device, in the vast majority of cases credentials get stored either unencrypted or have been encoded using methods such as base64 encoding (or others) and are rather trivial to reverse," says Andy Swift, mobile security researcher from penetration testing firm Hut3.

I mean, if Starbucks developers can't get it right (they stored your password in the clear, on your device) then how can some random Jane or Joe Developer? What about cleartext transmission?

"This mistake extends to sending data too, if developers rely on the device too much it becomes quite easy to forget altogether about the transmission of the data. Such data can be easily extracted and may include authentication tokens, raw authentication data or personal data. At the end of the day if not investigated, the end user has no idea what data the application is accessing and sending to a server somewhere." - Andy Swift
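The storage mistake described above, credentials left in plaintext or merely base64-encoded on the device, can be looked for in an app's own local settings. This added example (not from the original post) classifies values stored under secret-looking keys; the key names, sample values and the length threshold are assumptions constructed for illustration.

```python
import base64
import re

# Key names that suggest a stored secret (assumed naming, adjust per app).
SENSITIVE_KEY = re.compile(r"passw(or)?d|secret|token|api_?key", re.IGNORECASE)
# Assumption: an undecodable value shorter than this is a typed password,
# a longer one is more likely ciphertext or a hash.
MIN_OPAQUE_LEN = 16


def classify(value):
    """Heuristically label a stored string: 'plaintext', 'base64' or 'opaque'."""
    try:
        decoded = base64.b64decode(value, validate=True)
    except ValueError:                # not base64 at all (binascii.Error)
        return "plaintext"
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        text = ""
    if text and text.isprintable():
        return "base64"               # encoding, not encryption: no key needed
    # Decodes to binary. Long values look like ciphertext or a hash; short
    # ones are more likely a password that happens to use base64 characters.
    return "opaque" if len(value) >= MIN_OPAQUE_LEN else "plaintext"


def audit_store(prefs):
    """Map each secret-looking key to how its value is stored.

    Values are never echoed, so the report itself does not leak them.
    'opaque' is not a pass: where the decryption key lives still needs review.
    """
    return {key: classify(value)
            for key, value in prefs.items()
            if value and SENSITIVE_KEY.search(key)}


# Constructed sample of an app's local key/value settings.
SAMPLE_PREFS = {
    "username": "jane.doe",
    "password": "Tr0ub4dor&3",
    "api_token": base64.b64encode(b"session-token-for-jane").decode(),
    # Stand-in for ciphertext: 32 bytes that are not valid text.
    "refresh_secret": base64.b64encode(bytes(range(200, 232))).decode(),
    "theme": "dark",
}

if __name__ == "__main__":
    for key, kind in audit_store(SAMPLE_PREFS).items():
        print("%-15s %s" % (key, kind))
```
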

I think that it's time for operating systems and SDKs to start imposing much more stringent best practices. Perhaps we really do need to move to an HTTPS Everywhere Internet as the Electronic Frontier Foundation suggests.

Transmission security doesn't mean that bad actors and malware can't find their way into App Stores, however. Researchers have been able to develop, submit, and have approved bad apps in the iOS App Store. I'm sure other stores have the same problems.

The NSA has a 37 page guide on how to secure your (iOS5) mobile device if you're an NSA employee, and it mostly consists of two things: Check "secure or SSL" for everything and disable everything else.

What do you think? Should App Stores put locks or certification badges on "secure apps" or apps that have passed a special review? Should a mobile OS impose a sandbox and reject outgoing non-SSL traffic for a certain class of apps? Is it too hard to code up SSL validation checks?

Whose problem is this? I'm pretty sure it's not my Dad's.



Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.