
  def Softwaremaker() :
         return "William Tay", "<Challenging Conventions />"

  knownType_Serialize, about = Softwaremaker()
 

 Saturday, March 25, 2006

MobilePassportLogInIsEvil.JPG

Has any of you signed in to Mobile Passport on your PPC? The above screenshot is what I see on mine.

Some people would argue that this is to make it easier to type the password correctly in multitap the first time, or that it is easier to guard against prying eyes on a PDA.

I beg to disagree. Isn't that one of the reasons why there is "Remember Credentials"? It is like saying: if you cannot type and you have a sucky memory, please don't type. In fact, there is a new option called "Always ask for my username and password" in the de facto Passport mode for the security conscious :)
 
I just find it too much of a drastic change to remove all these options (in the mobile mode) and NOT use masked passwords instead. It gives the sense that the teams creating these logins are so disparate and so different in thinking, and that there is not a single philosophical approach. Aren't we talking about People, Technology, Integration and Seamless Experience recently?
 
The worst thing is that - the Masked Passwords (*) are so commonly accepted these days that it is becoming some sort of "self-imposed" standard. Thousands of sites, mobile or not, are using this "standard".
 
Why is Microsoft one of the first (if not, the first) to change that ? I hardly think making it correct the first time typing is a good enough reason to change that and this cannot be categorized as innovation.

MSN and Hotmail are all social sites, which means that they cater for people like my parents and grandparents and such, and not for the geekiness. The bulk of the people don't really know what the S in HTTPS stands for, don't really care, and would never want to care how it works.
 
To them, masked passwords are really part of the secure experience, although we know that it is more of a placebo than anything else.
 
I wonder how the masses will react when they see that their passwords are not masked anymore, even though there is still an S in HTTPS.

I remember running a test at a workshop on consistency and standards that I conducted a while back. In this test, I reversed the order of the username and password inputs of the (HTTPS) login screen, to this effect:

Password: ________________
Username: ________________
Login Button

The strange thing about the whole result is that most people will stop after entering the first character in the Username field. They will rub their eyes to make sure they are NOT seeing things. Besides the fact that they realized they are prompted for their password FIRST, which is NOT consistent, most of their responses will be "Why is my password NOT secured?" Of course, if you are reading this, it is likely that you know that the little stars (*) have nothing to do with security or encryption. In fact, more often than not, it gives people a False Sense of Security. Many people will still post their passwords, thinking it is secure, when it is masked with little stars (*) and there is NO HTTPS.

My point is that - whether or not security is involved here - it mars a user's perception and his or her experience.
 
I just tested it with my wife and she refused to login - thinking it was "one" of the bugs on a Microsoft site. - And Yes - she is the normal one in our marriage :)

I had a good Aussie friend of mine test this on his accountant wife as well and this was the conversation:

He: Would you use this screen on your phone?
She: Why are you asking?
He: Just curious…Would you use this screen on your phone?
She: Where are the little stars for the password?
He: Dunno
She: No way… something is wrong
(He did not influence her answer)

Does this mean that the masses are normal or that I am just a prude ?

Is this *really* intended behavior ? The least I would do - is to offer this as one of the options as part of personalization.

Friday, March 24, 2006 11:51:44 PM (Malay Peninsula Standard Time, UTC+08:00)

  •  Friday, March 24, 2006

    To add to this, I have recently been in the market looking to upgrade my current ADSL package running at 1500kbps, and I came across an ad saying this ISP will give a free ADSL2+ wireless modem if I sign up for a 10mbps package. Sounds good. I proceeded to call.

    Pleasantries exchanged...
    Me: "So, you are giving me a free wireless modem, correct ?"
    She: "Yes"
    Me: "Is it just plain wireless ? I mean is there a wired option ?"
    She: "The 10mbps ADSL Transmission speed will only work with a wireless modem..."
    Me: "huh ?"
    She: "Yes, because the speed is too fast, we can only use this wireless modem."
    Me: "What has the ADSL Upload/Download speed gotta do with how I connect the modem to my router?"
    She: "I am sorry, Sir - you *HAVE* to use the wireless modem ONLY"
    Me: "Wait - I don't think I am getting this. I know I need an ADSL2+ modem for the blazing speed of 10mbps, but if it only comes with a wireless option, how do I connect to an existing network of computers and routers that are NOT wireless-enabled?"
    She: "In that case, I recommend you to get a Wi-fi card. These are cards that ... ... ..."
    Me: "Wait, I don't need an education in Wi-fi. I just need to know what you tell your calling and interested customers who want this blazing 10mbps speed and accept they need a new ADSL2+ modem BUT have no Wi-fi network or equipment to play with or tap on."
    She: "I told them - Sorry Sir/Madam. Our advanced ADSL speed requires a wireless option. If you don't have one, it won't work at all and you have to go for a slower ADSL speed. Sorry."
    ...

    I decided to check the ADSL modem brand that is given to subscribers and went into the manufacturer's site to look at the specs ...

    "...All our ADSL2+ modems come with a wireless option PLUS 4-Ethernet enabled RJ45 Ports ..."

    Gosh. I wonder how many customers she has turned away with her knowledge that the ADSL Upload/Download speed is directly tied to the mode at which data is being transmitted from the modem to the connecting machines.

    Polite as she can be, I admit, BUT if I have a sales force of people like that, I will NOT be able to make any money at all to pay them.

    <sigh /> End of rant.

    Friday, March 24, 2006 5:22:54 AM (Malay Peninsula Standard Time, UTC+08:00)

  •  Wednesday, March 15, 2006

    Ar - Arguments...It does make us move forward at times.

    Richard Grimes has managed to kick up a storm again with his article here, again. I would not go as far as saying a kernel Operating System should be written in managed code. God knows I will not use one if it is, and you shouldn't either. As far as I can tell, .NET was not created for writing operating systems. It sits on top of the operating system and that's that.

    It is, however, very important to note the investments MSFT Corp has made in managed code. Instead of giving you the usual bullets and docs, how about this?

    Lines of Managed Code

    And let's not forget that Microsoft CRM is the first Enterprise Business Solution from Microsoft that is written in managed code. Read: Dogfood

    And YES - Windows Communication Foundation (WCF, previously - Indigo) is written in C# as well.

    Case Closed. <EOM>

     

    Tuesday, March 14, 2006 11:44:31 PM (Malay Peninsula Standard Time, UTC+08:00)

  • I will be speaking in Kuala Lumpur in a security symposium organized by Microsoft Malaysia on April 4th 2006. The event details can be found here and the agenda here.

    I will be touching on Web Services Security: Locking down the wire - Today and Tomorrow.

    Some of my agenda items include:

    Registration for the IT Pro track is here, while the Developer track is here. I would love to see you there.

    Tuesday, March 14, 2006 9:27:15 PM (Malay Peninsula Standard Time, UTC+08:00)

  •  Thursday, March 09, 2006

    I remember talking to someone on the Windows Communication Foundation (WCF, previously - Indigo) team before, and the reason they chose [MessageEncoding].MTOM instead of MessageTransmissionOptimizationMechanism is so that it could *at least* fit on a slide.

    Well, that someone obviously didn't educate the developer who built the [MessageSecurityVersion].WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10 property. [Talk about a mouthful]

    Not only is it hard to fit on a slide, it would be hard to mouth those words as well.

    Besides "bug jail", "secure-programming courses" and "geography lessons", I would highly recommend Microsoft engineers and developers go for "Power-Point Presentation Etiquette 101" lessons as well.

    Speaking of which, I just got handed an exception with a message like this:

    The CLR has been unable to transition from COM context 0x1a0d28 to COM context 0x1a0e98 for 60 seconds. The thread that owns the destination context/apartment is most likely either doing a non pumping wait or processing a very long running operation without pumping Windows messages. This situation generally has a negative performance impact and may even lead to the application becoming non responsive or memory usage accumulating continually over time. To avoid this problem, all single threaded apartment (STA) threads should use pumping wait primitives (such as CoWaitForMultipleHandles) and routinely pump messages during long running operations.

    Talk about being explicit. Exceptions should give a friendly message that enables one to have an idea where to start debugging and troubleshooting. This one just made me want to shut my machine down.

    Wednesday, March 08, 2006 7:42:23 PM (Malay Peninsula Standard Time, UTC+08:00)

  •  Tuesday, March 07, 2006

    Singapore has just announced a bold, ambitious move to wire up the entire nation with an extremely high speed backbone that would move data at speeds beyond 1Gbps, or 500 times the common access speed of 2Mbps, with the use of optical fibres or other technologies. Most of the crowded centres and streets would be "WI-FI"-ed by late this year.

    My dream of having the entire nation being one BIG hotspot would be coming true in probably a couple of years' time.

    I have heard that the term "disconnected applications" will be thrown out of the window in Singapore very soon.

    Ah - the wonders of living in a [garden] city-site.

     

    Tuesday, March 07, 2006 4:49:07 AM (Malay Peninsula Standard Time, UTC+08:00)

  • Now if XML-RPC ain't enough (I had blogged about this here and here), now we can add REST-RPC into the mix. The main difference would be the use of HTTP to provide application semantics via its verbs. This would mean that there would hardly be any XML or Request payload of any kind.

    Tuesday, March 07, 2006 1:01:34 AM (Malay Peninsula Standard Time, UTC+08:00)

  •  Saturday, March 04, 2006

    SWMWCFonTSS1.JPG

    As mentioned here, here is another article on TheServerSide.NET that I wrote.


    The security features and options mentioned in the above piece are not exhaustive. In fact, it is far from being exhaustive. I will be writing more on those other features and options, either through this blog channel or one of those sites I mentioned.

    Stay tuned for it. Enjoy.

    Friday, March 03, 2006 4:09:32 PM (Malay Peninsula Standard Time, UTC+08:00)

  •  Wednesday, March 01, 2006

    TheServerSide.NET, which serves the Enterprise .NET Community, has picked up on a previous piece I wrote earlier here with regards to Windows Communication Foundation (WCF, previously - Indigo).

    Expect more Windows Communication Foundation (WCF, previously - Indigo) and Windows Workflow Foundation (WF) articles to come from me on TheServerSide.NET as well as MSDN online.

    Wednesday, March 01, 2006 12:23:03 PM (Malay Peninsula Standard Time, UTC+08:00)