I've been running as a non-privileged user (i.e. not an administrator account) for a while now, reducing the security risks of day-to-day computing. This was spurred on by the rising prevalence of rootkits, which are even being unleashed on an unknowing public by respected corporations.
While this is simply a well-known good practice, it is remarkable how many ridiculous little irritants one runs into trying to do this: even widely used applications like Winamp fail to run as a non-admin without security tweaks, and of course you can't even open the system tray calendar without customizing your user rights. Thus far I've been very impressed by the behaviour of Visual Studio 2005 and friends, which seem to do a great job of living within the constrained permissions. I have to su every now and then to do some administrative tasks, but the threat window is vastly reduced.
Of course we all know that this is simply a good practice (and I would have done it far earlier if not for some demanding development tools), just as a number of other standard but sadly ignored security precautions should be the norm. On this theme, earlier today I was wondering if there was a "Computer Security Day" - A day when people could be gently reminded to take computer security initiatives (such as not running as administrator) to make the computing world better for everyone: While it might seem like it's only for individual gain, we all gain when there aren't millions of zombie computers at the bidding of hackers and spammers.
Turns out that there already is such a day. It's actually coming up in just a couple of weeks, as it occurs every November 30th. Which brings me to my real comment - scheduling such a largely business-related event to occur on a specific calendar day is ridiculous, and of course almost 30% of the time that's going to fall on a weekend. It seems only logical that it should have been the 3rd Tuesday of November, or whatever.
I needed to post a support question to Electronic Arts support today (long story), and like many sites they force you to create an account.
Fine. So first things first I have to create a user account, and it's asking for a username.
dforbes...sorry that account name is already taken
dwforbes...sorry that account name is already taken
dennisforbes...sorry that account name is already taken
denniswforbes...sorry that account name is already taken
dennis.forbes...ILLEGAL CHARACTERS!
dennis_forbes...ILLEGAL CHARACTERS!
forbesdennis...sorry that account name is already taken
RRR...sorry that account name is already taken
blah...sorry that account name is already taken
blah999...sorry that account name is already taken
RRRRRRR999...taken
I'm not kidding. It was actually proposing ridiculous available alternatives for each, so I didn't have to keep trying, but at this point I was just punching in random strings to see how huge and polluted their database really is. It's big, and it's polluted.
These sorts of user accounts irritate me because I already have a globally unique account - my email address. No one else, in the whole wide world, has the same email address as I do. Furthermore I don't have to remember whatever oddball account you've forced me to take through arbitrary and site-unique username restrictions: Just use an email address and you can allow whatever is allowed in the RFC (it's all documented there for you), and when I get there I'll know what my username is. Why it's my email address! You're forcing me to enter it elsewhere to validate the account anyways, so you might as well go all the way with it.
I wrote about Riya previously, expressing a bit of skepticism about the technology. I should temper that by saying that I've never used it, and the most I've heard about it are some cursory micro-reviews, but my skepticism is based on the history of facial- and scene-recognition technology, and the barriers this product has supposedly overcome: Facial recognition, like character and voice recognition, has to be accurate enough that it is more beneficial than detrimental (e.g. nuisance false positives, and detrimental false negatives), and historically the latter is far more prevalent. Sure we'll get there, but it's just surprising that a company could go from the primitive stage that we're at today to such an advanced stage, all in just one step.
Anyways, today I happened to look at my keywords to see that there has been an explosion of Riya postings - Google, or so the story goes, has put a $40 or $60 million dollar offer to buy Riya. If you follow the blogs around you'll discover the big circular authority that is prevalent in these sorts of "blog scoops", with A attributing his source to B, but B hilariously points to A as the authority. Remarkable stuff. Like the technology itself, it could very well be true...but I certainly would take it with a mountain-sized grain of salt.
Indeed, if Riya is as capable as we've been told, I'd say that $60 million would be grossly undervaluing the IP - This would make a photo service stand head, shoulders, and torso above its competition, and I'd be looking for a number more like $400-$500 million. Seriously.
One of the oft-mentioned improvements in Visual SourceSafe 2005 is what is affectionately called the "LAN booster" service. Configurable in the SourceSafe Administration tool under Server/Configure in the LAN tab, it can be enabled by checking the misleadingly titled checkbox "Enable LAN service for this computer".
After you've checked and applied, you'll notice a new process running - SSService.exe (appearing as a new service - Visual SourceSafe LAN Service - running under the LocalService account in your service manager).
There are a lot of claims that this module is doing wonders for performance - for instance that it is stream-compressing all of the content on the wire, improving the speed "3-5x!". However, after some analysis I've determined that it's doing nothing of the sort.
In other words the "LAN Booster" doesn't make SourceSafe an actual client-server source control system (the Internet web service sort-of does for a limited set of purposes, and again only with the plug-in in Visual Studio 2005), and its performance improvement is marginal at best in real world use.
One of the most important software development tools out of Redmond, remarkably, is Visual SourceSafe - In shops across the land, it is the source control system.
Granted those shops probably didn't kick the tires of the competitors, rigorously choosing amongst the competing SCM tools before investing their time and codebase to VSS. Instead they likely found it bundled in their MSDN subscription, or attached to some other Microsoft product, and read soothing words about the excellent integration with Visual Studio. They brought that poor, weepy-eyed little source control tool in from the rain, gave it some cocoa, and sat it down by the fireplace. Soon enough it became their hammer, and an integral part of their development process (probably a hated part of their development process. If you've ever fought with an offline complex Visual Studio project, you'll know what I mean by that).
The remarkable part of all of this is the absolutely terrible treatment that Microsoft has given this product. It recently got the first real update that it has gotten since Visual Studio 6, remaining largely static over the intervening period (with trivial little changes). While you could say that you shouldn't mess with something that works, Visual SourceSafe has carried some absolutely terrible flaws through the years, most obvious being the file database method of operation that led to endless security and reliability problems. SourceSafe 2005 didn't do anything to fix that fundamental problem.
Even with the new release, Visual SourceSafe users are still used and abused, though. I decided to put the product through its paces, both for consulting purposes, and for yafla software development, and I am absolutely amazed by the problems and pitfalls. From missing options (like turning off HTTPS from the client when trying to use the internet option), to terrible typos and transpositions in their instructions (did they read these things? Things like telling you to run aspnet_iisreg rather than the correct aspnet_regiis), to installs that just completely fail to work under anything but a cleanroom install (for instance it insists that you don't really have IIS if your first website isn't internally coded "1"). On three separate machines the internet hosting option (one of the major new options, finally adding marginal client-server functionality, albeit with a host of caveats and limitations) didn't install properly. I finally had to set up a new, freshly installed virtual machine to give it what was likely the only environment they tested it in, and it appears to install marginally properly.
If, through some magic, I get this product working properly, I'll post a quick summary (I had hoped to get some metrics of the savings that both the internet web service option, and the SSService option, brought to the table), but as it is I'm simply amazed at how botched this whole process has been. They've been working on this product for how long now?
Two weeks back I derisively mentioned Microsoft's Live.com gadget creation contest (where they're trying to egg on development of gadgets for their web app by contest giveaways). Now eBay is getting into the game - they've announced prizes for the best applications that hook into eBay, extending the value of their services. So eBay gets a more vibrant developer community, with more tools and services for their highly lucrative clients, and the developers get...a remote chance at winning some token prize.
As a professional software developer and entrepreneur, this serves as a huge omen, yelling out "There is no money to be made in this market". The normal carrot that draws developers into a niche is revenue, with which there is little need for additional incentives (e.g. Why would I care about your token game machine when I'm planning on selling 50,000 copies of my software at $49.95 each?). So when an organization becomes desperate enough to start doing giveaways, you know that niche is undergoing pretty unhealthy times.
A bubble is expanding, and for those of you who missed out on getting rich like everyone-else-supposedly-did during Bubble 1.0 (being in the technology market, it was confusing to relatives that I wasn't a hundred-millionaire in the late-90s: The newspapers were telling them that everyone in tech was overflowing with cash. On the flip side they were confused that I remained employed and making a good wage after the crash, because the newspapers were telling them that everyone in tech was unemployed and replaced by offshoring), here is your magic machine to tell you what you need to do. Press the button and start raking in the millions!