Orcmid's Lair  

Welcome to Orcmid's Lair, the playground for family connections, pastimes, and scholarly vocation -- the collected professional and recreational work of Dennis E. Hamilton



Don’t You Just Hate It When …

… You visit a site, create a comment, and

You are asked to log in and you have no idea that you have a password for the particular site.

… You attempt to register at a site, and

They tell you that your e-mail is already registered with them because they are part of a conglomeration of sites none of which you recognize at all and/or have saved a password and account entry for in your password safe.

… They prefill a form with your user name or e-mail address

But it is because you created an account on some other blog of the same service but you filed the password under the name of that other place, having no idea you were registering for wordpress or typepad all over the galaxy and actually had no intention of doing so and you don’t remember what that other place was anyhow

… They will take an OpenId

But you have to explicitly register an account anyhow, and your already-filled comment form is lost in the process.

… They insist on inviting your automatic Disqus logon if the cookie is spotted

But then you have to disable the indiscriminate e-mail river of Disqus commentary because it drowns your inbox and so, tell me again, why did I want to use Disqus?

… You can’t find your password and you seek their help

Only they clearly send you what must have been your original password in a plaintext e-mail.

This situation makes me very happy that I use a random-password generator for every new account, so that the password protects only that one logon and nothing else.  I am unwilling to have the key be more valuable than the lock.

You may notice that I have stopped using Technorati tags, since they seem to have no effect whatsoever and I haven’t figured out how to have them make a difference with any alternative source of tags.  I should figure out del.icio.us, I suppose, except in that case I should first figure out why my del.icio.us feed has stopped.

I also use categories, well no … I use Blogger Labels which are sort of like categories except it is hard to find out what they are and place a current list and links on my sidebar.  Blogger backlinks and Blogger labels remind me of the propensity of some Microsoft developer types to do-it-their-way when there is already an established practice out there.  Yes, developers just want to have fun. But inflicting their NIH syndrome on the rest of us is not OK.  Go do that in the privacy of your own home, please.

For the labels, I think I will periodically post a message that simply goes into every category I have used (Windows Live Writer knows what they are), so I can remind myself not to make up more and maybe even prune the list where I tend to always use multiple labels in combination.

Aren’t you happy that I have spiffed up this blog to the point that it serves as an invitation to my regular blogging on whatever strikes my fancy in the moment?  Just wait, there are five more blogs and I have a great deal of pent-up blogging from my 18 months nose-down in document-standards work.




2010: You Say Two Thousand Ten, I Say Twenty Ten

We all say Happy New Year!

This first post for 2010 brings more blog-template cleanup.  I need to post something to confirm that the template is working, and here it is.

  1. I moved the change history of the template, a long comment, to the end of the template page so that it should not interfere with blog-page loading (so much).  You should not observe any evidence of this unless you View Source on the blog page.
  2. The sidebar Atom Feed link stopped being filled in correctly by Blogger.  I have no idea how long that has been going on, although there are ways to check by looking at old posts.  I simply replaced the special template codes with the correct absolute links.
  3. I added an Associated Sites list of links as a companion to the Associated Blogs list.  I removed Associated Blogs that I do not author.  I am not sure what to do for links to blogs of friends now.  Something else is called for.
  4. I don’t know what happened with Technorati and I don’t know how to fix it.  But using Technorati tags doesn’t seem to be useful.  The Technorati insert on the blog sidebar has gone invisible and I have no idea if it has any function.  I am going to attempt to use del.icio.us tags and see what that accomplishes.

I am making these adjustments to this, my longest-standing blog, so that I can then ripple the same adjustments to other blogs.  That will induce my priming the pump with a new post on each of those as I proceed.

Update 2010-01-02T12:47: Well, I have no idea how making del.icio.us tags accomplishes anything.  Perhaps I need a place to “ping.”  What I do know is that although Windows Live Writer thinks comma-separated tag lists are sufficient, del.icio.us doesn’t deal with spaces or “+” as space at all.  That’s why you see the wonderful use of “_” characters in this repost.  I think I still don’t have it figured out.  I’ll settle for this serving as an example of system incoherence, for now.




The Fate of Microsoft Outlier Customers

I recently noticed that three of my favorite Microsoft products are to be no more: Windows OneCare (why are they still selling it?), Microsoft Encarta, and Microsoft Money.  That was striking for me and I have created a contingency plan for each of those products.

On reflection, it is not a new thing for various Microsoft applications to transmogrify and eventually disappear.  Although I have never had an interest in Flight Simulator, I am still a devoted user of Microsoft FrontPage.  If Microsoft Works were as clean and simple as the MS-DOS version, I would still use it.  I have also used a variety of picture editors and photo editors that were bundled in various Microsoft products and that seem to come and go with each new computer system and occasional Microsoft Office upgrade.  Some day, I suppose I will have to do without Windows Live Photo Gallery and Windows Movie Maker, especially as future versions/replacements demand hardware capabilities I don’t possess.

Now, Microsoft is not making a fortune from me as an occasional upgrader of these products (though I quietly paid my OneCare subscription renewal each year).  It is interesting that not until the abandonment of FrontPage was announced did I begin to feel the squeeze and the lack of an appropriate replacement for abandoned Microsoft products.  (E.g., Expression Web is both more and less than what suits my current web-development practices.)  Now I need to look for three more substitutions and also look at long-term measures for protecting my systems and my electronic financial records as well as maintaining my web sites.  For the three latest-discontinued products, I find that I have three different contingency measures in place.

Wait, I Like Encarta

When I read that Encarta was to be no more, I resolved to go find a copy of the latest version.  I have a version completely installed on my hard drive and it is a handy reference.  I confess that I mainly use the dictionary (the default setting for the Encarta Search Bar kept handy in my Windows XP task bar).  The encyclopedia is handy but it doesn’t get searched by Windows Desktop Search (a little incoherence there) and I find myself on the web (and Wikipedia) more often than in Encarta because that’s where Windows Desktop Search (and now bing) lead me best.

I’m currently running version 14 (Encarta 2005) and I actually had one monthly update that I didn’t install until last week.  The reluctance to update has to do with needing to be administrator when I do it, and I usually forget Encarta updates when I am running as administrator for other maintenance purposes.  It is a demonstration of my unnoticed waning interest that I didn’t know I had one update left from 2005.

Nevertheless, I wanted to have the latest and greatest if there were to be no more.  Unfortunately, the latest version seems to be Encarta Premium 2007 and it is still pricey, even though pro-rated refunds were cut off on April 30.

I settled for the less-expensive Britannica 2009 Deluxe with the hope that the included dictionary and thesaurus is as easy to use as the one I am abandoning from Encarta. 

Not Money Too.   No, Not Money!

The shocker for me is last week’s announcement that Microsoft Money will also be no more.  I checked, and my oldest Microsoft Money backup is dated 1999 and it has entries from 1998-01-01.   I tended to hold onto versions of Microsoft Money.  I didn’t switch to Money Plus 2007 until the version I was running under Windows 98 couldn’t be installed on Windows XP as I was off-loading the Windows 98 machine at the end of 2007.

I don’t like Money Plus 2007 as much as the older pure-desktop versions.  The change of the user experience to one with integrated web features is mostly a nuisance.  The software performs more slowly and I don’t do those on-line things.  But I like the reports and the extensive history of purchases (and depreciation records) is important for me.  I prepare my tax returns from records maintained in Microsoft Money, and I have had some success balancing my bank accounts using downloads that Money will rely on.  (The experience is rather variable and I often simply balance statements manually rather than deal with what it takes to correct for a failed automatic account update.)

I discovered that my version of Money Plus “expires” in September at the end of November.  Ones activated this summer will have support extended through January, 2011. 

It seems like a no-brainer that what I want to do is install another downloaded version and continue to use it until I have a satisfactory replacement.  I will also want to keep a copy around as long as possible to enable my use of existing records.  I will need to discover how to export some of those for use in other products, or as spreadsheets that I can preserve in OOXML/ODF.

So I have another Money Plus Home and Business download and a product key for it.  I will install it at a point this summer when I am carefully backed up, exported, and ready to risk an upgrade.

Goodbye OneCare, It’s Been Good to Know Ye

Microsoft OneCare arrived at just the right time for me.  I had tired of Norton Antivirus upgrades and a growing drift from what worked just right for me starting before Norton/Symantec Systemworks and going back to a time when there really were Norton Utilities.  I valued the simplicity and all-in-oneness of OneCare for the following provisions:

  • Annual support on up to three SOHO computer systems (exactly what I had that needed the protection around here)
  • Constant nagging and support for regular backups
  • Outgoing firewall protection

It wasn’t the most wonderful product, but it was also steadily improved over the time I used it, right from the beginning of its availability.  It did deal with my dominant computer security concerns. 

OneCare also provided me with a great source of system-incoherence anecdotes, and I must recount some of those while I can still capture screen shots of the experience.

Actually doing backups onto DVDs was not the most exciting experience, as much as OneCare made that possible.  Once backup functions were taken over by WHS, the cleverly-named HP Mediasmart Server (with its Windows Home Server version of Windows Server 2003) now on the network, that difficulty was mitigated and there are now automatic, incremental backups every night. 

Still, OneCare works well and effortlessly for us, even if it reports that backups are woefully out of date (a new little incoherence on how OneCare has forgotten WHS is on the job). 

It was also great that Microsoft announced that all OneCare support agreements will continue until their expiration.   That means mid-September 2009 here. 

On the other hand, the promised Microsoft replacements for OneCare are not in sight.  I believe the last promise was for around August.  I am beginning to squirm.

There appears time to find an adequate substitute, taking into consideration that Microsoft will offer some sort of solutions for some unknown degree of protection where I find it the most valuable for the computers here.  Unfortunately, it is not clear that there is a decent non-Microsoft product that works here, regardless of the high reputation a number of Antivirus producers have achieved.  The low reputation that is Microsoft’s automatic prize is apparently more myth than reality in my experience.  On balance, OneCare works better than anything I have attempted to replace it with.

Here’s how my search is working out so far.

Since OneCare is to be no more, Windows 7 beta and Windows 7 RC not only had no provision for it, those releases were actually hostile to OneCare.  So on Quadro7 I have been going through trials of other Antivirus products, partly to determine a good candidate to be installed uniformly on all of the systems here.  None of the products tried so far seem to integrate well with Windows 7, which has apparently changed the rules enough that AV producers are having some difficulty.  In particular, I have not found an AV product (even the Windows 7 directed beta releases) where Windows 7 reports that it is protected and the Windows Home Server concurs in reporting that my systems are protected. 

Having tired of Symantec (and enjoying the liberation that OneCare provided), I haven’t gone back.  My latest experience with McAfee was on WHS and that led me to prefer no AV there instead.   (That experience also led me to be more cautious about the judgment of folks at Hewlett-Packard and the trial installations they chose to push to WHS.)

Meanwhile, on Quadro 7 I have gone through one trial of Kaspersky and another of Trend Micro.  I actually bought a retail copy of Trend Micro but Windows 7 chokes on that.  Instead, I now possess a useless license since the Trend Micro beta for Windows 7 won’t accept the older-product registration code except when it installs as an update, and that doesn’t work on Windows 7.  I’m moving on to F-Secure’s beta for Windows 7 right now and the trial lasts out past August.  With luck, I might have a consistent Microsoft solution to deploy across all of the computers here.  And if not, I will need to find a product that has an affordable multiple-machine license (as Trend does) and that doesn’t require me to use a web site to know my status (as McAfee Total Protection does).

There are clearly interoperability issues here, and the level of coherent integration is a challenge.  It is a challenge for Microsoft too, but as one might expect, OneCare integrates more cleanly and, apart from an apparently-inescapable level of Microsoft paternalism, works more consistently and coherently than anything else I have attempted to use in its place.

Update 2009-06-15-04:06Z Correcting an expiration date for Microsoft Money.




Monday Morning NaN: Confirmable Experience with my Coffee

Darren Rowse tweeted about Threaded Tweets, and I went for a look.  I can’t remember the last time I saw a NaN delivered up by a web page, and this may be a first.  I’m not sure whether 14996 replies is a very successful number, but I guess any thread that lives that long deserves some respect [;<).

There are three interdependent themes that I see around the development and sustenance of dependable systems: system coherence, confirmable experience, and trustworthiness.  These and dependability itself are not independent notions.

I think this one is about confirmable experience

Something odd is happening.  Thanks to screen-capture software, I can show you (and the producers of ThreadedTweets) what happened.  In fact, I will tweet about this and if the cycle of learning and improvement is operating, the Threaded Tweets folk will pick up on it, if they aren’t aware of the glitch already.

It would be fun to create a threaded tweet about this as well, but I am not about to provide my Twitter credentials to ThreadedTweets in order to do that (and you can see the reason for distrustfulness here even though they claim to be using OAuth to protect me, yes?).

There is a part of the confirmable-experience cycle that figures in trustworthiness that I can’t account for.  I have no idea how the tweet threading folks are able to identify the specific difficulty, although it appears to be a stand-out no-brainer, so long as they can see the data on which the failed time-lapse calculation is being done.  Smells like there is a division by zero or a failed data conversion in there somewhere too.

But as an end-user, I don’t know about any of that and my speculation is not the same as having visibility on the process for confirming what is happening, as opposed to confirming how users experience it.  That’s the part I provide.  Also, I notice that the NaN message has disappeared in the past few minutes, possibly because the defect has been noticed, possibly because it is transient and difficult to find.

The tie-in to trustworthiness

ThreadedTweets has a feedback and a support link that I could use to communicate what I noticed to them.  Now that the NaN is gone, I’m not sure whether that will help.  They want an e-mail to the support address.  I’ll send them a link to this post.

The tie-in to trustworthiness has to do with the demonstration of care for the adopters (a.k.a. users) by the producers of ThreadedTweets.  In this case, it is how friction is removed from the ability of adopters to communicate their experience to the producers.  The back half is how the producers demonstrate remedies or other solutions in a reliable way. 

Since I am very much into identification of confirmable experiences and occasions where system incoherence shows up, I have a screen capture utility at the ready at all times.  This is necessary but not ordinary behavior required to demonstrate what my experience is.

An interesting problem for an organization that wants to be trustworthy in delivering a dependable web-based service is this: what can be done that would allow ordinary, casual adopters to convey their experience to the producers in a way that is confirmable?  That’s the question to consider.

And your assignment, if you choose to accept it …

That’s the bigger point of this tiny object lesson.   Look for more to come.  Notice ones in your own experience.  Collect the full set.  Entertain your friends. 

Most of all, begin to notice those little moments of truth where your experience of products raises “uh oh” and “ick” experiences for you.  What do you do about them? 

This is not a trick question.  I don’t do much about many that I experience.  It is valuable to notice and even question that, though.  What is it you are putting up with?

I arose at 5:30 am to be prepared for the 7:00 am Monday morning conference call of the OASIS OpenDocument Format (ODF) TC.  The cancellation notice went out about 2:00 am, my time, from Germany, and I had the opportunity to crawl back in bed after a poor night’s sleep or start my day early.  Oh wait, I can post on my much-neglected blog.   Aren’t you the lucky ones.




Social-Grid Identity: Please Enter Your Twitter Credentials Here

[update 2009-03-06T20:43Z Hmm.  I just checked onto Twitter over lunch and the first update was from Ed Yourdon about Twitter being hacked in some way that allows accounts to be used or users impersonated in some way.  The instance on Yourdon’s update page suggests that these came in under the guise of posts using the web, so the exploit appears to be against the Twitter home page or the web site.  Ideally, Twitter has finer-grained detail about the path over which these tweets arrive and what the likely exploit is.  I had no knowledge or suspicions about this when I researched and created this post yesterday.]

It’s still happening.  First it was Facebook credentials.  Now it is the new hot: Twitter.

There’s an onslaught of web-based applications that integrate with Twitter and provide additional functions and services for you.  Sounds exciting, yes? 

But all of them want my Twitter credentials.  Like TwitPic, when I wanted to make a comment on this photographic complaint about someone taking a single bite out of the P-I newsroom’s fat-pill supply.  That stopped me short.  They wanted my Twitter credentials simply to comment on the photograph.  I passed.

WAIT!!  Have I already fallen for this?

This has me wonder who else I may have already given my Twitter credentials to.

  • FriendFeed?  No, they just wanted to know my Twitter name in order to include my tweets in FriendFeed.
  • FriendFeed posting to Twitter?  Not sure.  I can’t tell what it took for those tweets to be forwarded.   I’ve turned it off, turned it on, and turned it off again.  No credential request, but I’m leaving it off anyhow.  I don’t remember providing my Twitter credentials though.  That sort of request usually triggers instant uh-oh on my part.  I know the Linked-in connection ceremony does not involve disclosure to FriendFeed, and expect that no other arrangements like this do either.
  • Twhirl.  Well, this is a desktop (Adobe AIR) application.  It does know my Twitter and my FriendFeed passwords.  It also will forget my passwords if I tell it to.  Apart from the prospect of the application simply stealing that information via my authorization to access the Internet through my firewall, there is no more exposure here than my entering a password on the Twitter and FriendFeed pages.  Not perfect, but at least retained only on my machine and not someone else’s.

So there are mixed results. 

It doesn’t have to be that way.  When I configured Windows Live Photo Gallery to update to my Flickr account, I never divulged my Flickr (that is, Yahoo!) credentials to the program.  Instead, it worked more like a PayPal transaction, with Flickr arranging a unique credential for Photo Gallery to use that applies only to it, apparently.  I don’t know the details of that arrangement; I will find out more.  This sort of arrangement needs to be more widely understood.  (I’m pretty sure that I can use an Information Card to accomplish arrangements like this too.)
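
The arrangement described above, where the service issues an application its own limited credential instead of receiving the user's password, can be sketched as follows. This is an added example, not code from Flickr, Twitter or any application named in this post; the `Service` class, the application names and the scope names are hypothetical, and the sample password is constructed.

```python
import hashlib
import hmac
import secrets


class Service:
    """Toy account service (hypothetical; not any real site's API)."""

    def __init__(self):
        self._passwords = {}  # user -> (salt, derived key); plaintext is never stored
        self._grants = {}     # sha256(token) -> (user, app, allowed scopes)

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, self._kdf(password, salt))

    def check_password(self, user, password):
        record = self._passwords.get(user)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(self._kdf(password, salt), expected)

    def authorize_app(self, user, password, app, scopes):
        """The user signs in at the service itself and approves one app.
        The app receives only the returned random token, never the password."""
        if not self.check_password(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._grants[self._digest(token)] = (user, app, frozenset(scopes))
        return token

    def call(self, token, action):
        """What an app can do with its token: only the approved actions."""
        grant = self._grants.get(self._digest(token))
        if grant is None:
            raise PermissionError("unknown or revoked token")
        user, app, scopes = grant
        if action not in scopes:
            raise PermissionError(f"{app} is not allowed to {action}")
        return f"{action} performed for {user} via {app}"

    def revoke_app(self, user, app):
        """Withdraw one app's access without touching the password."""
        doomed = [key for key, (u, a, _) in self._grants.items()
                  if u == user and a == app]
        for key in doomed:
            del self._grants[key]
        return len(doomed)


def demo():
    pw = "constructed-sample-password"  # constructed sample value
    svc = Service()
    svc.register("alice", pw)
    photo = svc.authorize_app("alice", pw, "photo-uploader", {"upload_photo"})
    stats = svc.authorize_app("alice", pw, "stats-site", {"read_timeline"})

    results = {"upload": svc.call(photo, "upload_photo")}
    # A leaked token is not the password: it cannot be used to sign in.
    results["token_is_not_password"] = not svc.check_password("alice", photo)
    try:
        svc.call(stats, "post_update")   # outside what the user approved
    except PermissionError as err:
        results["out_of_scope"] = str(err)
    results["revoked"] = svc.revoke_app("alice", "stats-site")
    try:
        svc.call(stats, "read_timeline")
    except PermissionError as err:
        results["after_revoke"] = str(err)
    # The other app and the password are unaffected by the revocation.
    results["other_app_still_works"] = svc.call(photo, "upload_photo")
    results["password_still_valid"] = svc.check_password("alice", pw)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

An application that holds the password itself offers none of these properties: it can do anything the user can, and the only way to cut it off is to change the password for every other application too.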

And Now, Some Security Theater

I have resisted two invitations to supply my Twitter credentials, not counting the one at TwitPic today.  On reflection, they are each instructive.

Mr. Tweet Sends Me a Message

Mr. Tweet sent me a direct message.  Well, that means I am following Mr. Tweet, doesn’t it?  Apparently not.  If I go to this page, it tells me I need to follow Mrtweet to start receiving the benefits.  And when I check MrTweet on Twitter, I am not shown as already following it.  Since my only contact with Mr. Tweet was 76 days ago, I have no recollection of anything I might have done that invited that original direct message to me, but I could have. 

On the other hand, this appears to be an interesting arms-length arrangement.  Mr. Tweet apparently provides support that does not require my credentials to access.  Furthermore, its communication with me is via Twitter direct messages.  My opting-in by direct-messaging Mr. Tweet does not require me disclosing my Twitter credentials. 

I would say I am safely intermediated by this clever use of existing Twitter provisions. 

Because I’m not interested in this service, especially not enough to receive direct messages, I am not following Mr. Tweet.  This personal choice has to do with my direct messages coming to my e-mail inbox and also my mobile phone.  I want to limit that traffic. 

Hmm, looking deeper while researching this post, I see that the Mr. Tweet page does have a (Twitter?) login panel at the very top.  Maybe this isn’t cool after all?   Worse yet, if I choose to follow any of those Mr. Tweet lists as interesting followers using buttons on the Mr. Tweet page, it requests my Twitter credentials.  Even though I can click through the links provided to the Twitter pages of those followers and follow them there.

FAIL!!  I did notice someone that I thought I should be following, but I went to the Twitter site to do it.

Mr. Tweet should stop being so helpful and take those follow links off their recommendation page, letting us use Twitter to do it.  Links to individual Twitter pages are all we need.

Now I wonder what the direct-message enablement is all about.  It should be a way to establish that I am the user of the account I would use Mr. Tweet for, but they don’t really need to establish that, it appears.

Mr. TweetSum has Data just for Me.  Not Really.

Tweetsum was being recommended in a Twitter update from Andrew Woods.  I still don’t know what a DBI is, but I saw immediately that I must use my Twitter credentials to get started.  That stopped me cold, as usual. 

On questioning Andrew about this, I was not inspired by his remark that he knew the developers and one was a security expert so he had no problems with providing his credentials.   What failed to inspire my confidence is that there does not seem to be any need for my twitter credentials for them to accomplish what they offer. 

I now see on the TweetSum blog that they know they don’t need the credentials too.  They promise not to keep them and “don't worry, we don't keep this info -- twitter merely tells us you are who you say and we believe twitter.”  

So, wait a minute.  They don’t need my Twitter credentials to do what they do, just as I thought. 

Yet they want to be sure it is me?  Why? 

Someone who asks for Tweetsum analysis for orcmid still can’t impersonate me to Twitter or any of my followers or anyone else.  They can’t do anything with information from TweetSum that they couldn’t do anyhow (like, stalk all my followers or something), with or without automated assistance.  So what’s the point? 

TweetSum having my credentials even for that one check is just security-theater ceremony.  There are a lot of those being passed around these days, but that is no reason to tolerate them. 

There is value in learning to spot security theater illusions, though.   When we encounter these charades it is also legitimate to wonder what else is not being understood about security on the behalf of a service’s users. 




WTF: Umm, Flash 10 Detection Not So Simple

Just after midnight coming into Saturday, 2006-12-06, I unloaded my sad experience with Flash Player detection since updating to Flash 10 in IE 8. The details are in the article “WTF: The Adobe Flash Version 1x Crisis.” After that, I created a question on Stack Overflow to explore the geek side of the problem.

I just confirmed that the problem is more subtle than my original suspicions: Flash 10 Detection works in IE 8 beta 2 when I’m elevated to admin and it fails on many (but not all) sites when I am running as a Limited User Account (LUA). So I am seeing what may be a permissions problem that only shows up for users who browse as limited users on Windows XP SP3.

This leaves two mysteries: (1) what is the permissions problem and (2) why does Flash detection work on some sites anyhow?

Not Exactly What I Was Looking For

Thanks to a lead from RoBorg on StackOverflow, I was given some useful leads on Flash Player detection resources. This led me to experiment with Adobe Flash Player Detection Kit 1.5. The Kit’s sample for client-side (that is, in-browser) detection failed, suggesting to me that this would be good code to explore for isolation of the problem. I began to conduct an autopsy on Adobe’s sample code.

My first discovery in using the Client-Side Detection sample code is that the failure to detect Flash 10 is not about an incorrect comparison for desired-or-later version. The client-side detection doesn’t get that far. An internal procedure, GetSwfVer, for finding an installed version of Adobe Flash Player is unable to detect any Flash Player at all. So it reports that it failed to find any version installed.

This had me suspect there is something going on with the Windows Registry (where I can see that there are entries for ShockWavePlayer, the Macromedia name that continues to be used). I can also see that there is an entry for Flash Player version 10. Internet Explorer also shows that it has the player installed and enabled when I check the Tools | Manage Add-ons menu selection for all add-ons:

IE 8 beta 2 reports having Flash 10

My plan is to dissect the GetSwfVer JavaScript and bench-test it by parts until I see where the procedure is failing to find the installed Flash Player control and report its version.

I also have observed that the Adobe Flash Player Detection Kit and recommended detection methods have a poor reputation among some developers. I have no reliable evidence to support that. I will, however, also check into the recommended alternative, <swfobject>. If I find that it works where the Detection Kit Client-Side solution does not, that will be worth exploring for what the workaround is. There is a handy article by Bobby van der Sluis on the Adobe Development Center. The sample files there should get me started the same way I have made use of Detection Kit 1.5.

Another Country Heard From

Meanwhile, I noticed that there is also support for Google Chrome. Chrome is the other in-beta browser I keep around to compare with IE 8 beta 2 results and to sometime use as an alternative for some sites that I just can’t get to work with IE 8 beta 2, even in compatibility mode.

I managed to install Flash Player 10 for Google Chrome today. It turns out that Google uses plug-ins, not ActiveX controls, and the same plug-in that works with Firefox and other browsers sharing some of the same code base works with Chrome. It is actually tricky to get Chrome to install a plug-in, but I managed it.

Plugin Setup works for Chrome

This is a plug-in, not an ActiveX control, so its detection and use can be rather different. Nevertheless, I confirmed that Chrome will play Flash 10 for all of the sites where I am unable to have it work for Internet Explorer, including YouTube and the CBS Television NCIS program page. That solves my immediate desire to catch up on programs that I’ve missed. That makes me happy, as a program watcher.

I still want to get to the bottom of this and complete my diagnosis of Flash Player detection difficulties with Internet Explorer.

A Small Matter of Privilege

Because I had to be running as administrator to install the Flash Player Plug-in, I first tested Chrome-based Flash Player detection and video playing while my Windows XP SP3 account was still elevated to administrator. Everything worked.

As an afterthought, I also attempted to use IE 8 beta 2 under administrator privileges. It works!

Flash 10 Detects and Plays in IE8 when I'm an Administrator

But when I restore my account to Limited User, it doesn’t:

With IE 8 back in LUA: FAIL!

Hmm, it doesn’t pick up the icon in the address bar either. IE 8 offers compatibility mode for this page, but it doesn’t make any difference to pretend to be IE 7 here.

OK, What’s Next?

I have solved the problem of being able to continue watching my favorite Internet-available programs.

I have not solved the problem of client-side detection in IE8 and what about account privileges has detection work where it doesn’t when I am operating as a limited user.

I will continue my dissection of available client-side code to isolate the problem and determine how some sites manage to get around the limitation I am experiencing.

This business of having applications work while I am administrator and not as limited user is not new. I tend to associate this with my upgrade from Windows XP SP2 to SP3, and it may be related to more-recent security updates. I cannot be certain. I do know I have been putting up with this for some time.

I am hopeful that if I get to the bottom of this one, I may be able to solve other problems (such as having a NewsGator Inbox plug-in for Outlook that only runs when I am administrator).

As far as the specific problems of reliable Flash Player detection in IE8 go, I will continue to work on that as well, but not with the same urgency.

Also, because anything I do from now on will be very geeky, I will provide an account on places like Professor von Clueless in the Blunder Dome and Stack Overflow, as appropriate.

The Incoherence of Confirmable Experience

Although I have wandered off into the weeds on this exploration, there are a number of examples of system incoherence, something where the web is a bountiful source of examples. The difficulty of confirming my experience and isolating it to something that is reproducible by others is also well-demonstrated here.

I am also mindful that the reason there is no great hue and cry over Flash 10 detection problems is that I may be part of that select and small population of devoted LUA users who are seeing the problem at all. This is, of course, fodder for a different sort of rant.




WTF: The Adobe Flash Version 1x Crisis

Had any problems with Flash Player version detection lately?  Try updating to Adobe Flash Player Version 10.  Prepare to be shocked by the poor quality of Flash version detection in the wild.

After upgrading to a clean install of Adobe Flash 10, I discovered that nearly all video sites that worked for me in the past began denying that I had a version of Flash as good as what they required.  Still other sites deliver Flash video to me just fine and, on occasion, I am able to experience the higher quality HD streaming that some sites now support.   It is amusing to see who fails to deliver video to me and what they have to say about it.

I leave as an amusing puzzle how one determines what is going on and what the bug is likely to be.  My suspicion is that the bug is hilariously simple yet spread like some sort of plague throughout the Internet.

Adobe is experiencing its own version of the Y2k disaster, only in a simpler and more hilarious form.  As far as I can tell, the problem is not Adobe’s.  The difficulty is that many sites are completely unprepared for this version of the Flash Player.

[2008-12-08T20:37Z update: Further analysis reveals that my particular problem is related to permissions in some way, not simply comparing version numbers incorrectly.  I have no trouble with Flash 10 detection and playing when I am running as administrator.  The difficulties arise only when running as a limited user.  This doesn’t explain why I am successful some of the time as a limited user, and more forensic work is required.  For details on the dissection so far, see “WTF: Umm, Flash 10 Detection Not So Simple.”]

[2008-12-07T00:37Z update: Well, the sample Client-Side Detection in the Adobe Flash Detection Kit 1.5 definitely fails to detect Flash 10.  The script is a bit hairy and one problem may be related to how Flash Player 7 and later versions are recorded in the Windows Registry.  Assuming that the version string is found properly, the next problem may be in the logic of JavaScript function DetectFlashVer.]

[2008-12-06T22:43Z update: I put the questions about this up as a teaser on StackOverflow.  I am already seeing a couple of interesting comments.  The frightening prospect is that the bug is in detection code that Adobe (still) recommends.  So, I had to add the eReader page’s failing of its own demonstration of the proper solution, below.  Stay tuned.]

Here’s how I experienced the widespread (for me) Flash 10 detection failure.

Flash Reports Successful Install

Updating Flash.  On November 24, I encountered a pop-up advising me of an update to the Adobe Flash Player.  This one promised full screen HD playback, faster performance, and security enhancements.  I wanted it.

Because I run as a limited user when on-line, actually installing the plug-in took a little more effort.  Before I was done, I had removed Flash completely from my computer and then done a fresh install. 

On November 25, I had a successful installation in Internet Explorer 8 beta 2.  (No cracks: IE is not the problem here.  Sometimes I need compatibility mode for a site to render properly, and those issues are separate from whether or not Flash will play.  I have Google Chrome, and could try its Flash plug-in except I need to be admin to install it, as usual.)

This display appeared in IE8 when the install succeeded.

If I select updating any time later, no downloading will occur and I see this display near-instantly.  At this time, version is the latest and I have it installed already.

Hulu shows HD of recent Fringe episode

Successful HD Video.  Here’s an example of the high-quality video presentation available on Hulu, my favorite site for watching movies and television episodes.  This snapshot is a few seconds into the 480p feed of a recent episode of Fringe.

Hulu works so consistently, while so many other sites are failing, that I was concerned that the site wasn’t serving up Flash at all.  To make sure I wasn’t receiving Silverlight video, I inspected the source code of the web page.  Yes, it is using the Flash Player.  The code is in nice AJax structure and I can find where the player is operated, although I can’t determine how the version is checked.  I also see how messages that I need Flash are produced.  That isn’t happening.

The Flash 10 Player is recognized by Hulu, which plays everything just dandy. 

Change.gov little embedded video works great

Nice embedded play on Change.gov.  On December 4, I also visited change.gov because of an interesting phenomenon there. 

Here’s a simple video in its own frame on the Change.gov site.   The video and audio play just fine.

I don’t know where this particular video is hosted, so I looked for another that was part of the YouTube video collection for change.gov.

This YouTube-branded video also shows up on change.gov

Change.gov shows YouTube well.  Here’s a larger video frame from a different page on change.gov.  You can see that the video is YouTube-branded in the lower right corner of the video frame.

What’s fascinating about this and any other YouTube video is that viewing directly on a YouTube page will fail, as shown below.

It also fails if I go to Y! Video for the Yahoo presentation.  The MSN Video works just fine.

Kyte has the most-accurate message of all

The best rejection of them all.  This is the only accurate message that I received.  About Face author Alan Cooper should be very pleased that someone is learning how to present straight-talking, factual messages.

It is valuable that this message reports the only thing that the Kyte site can be sure of.  It doesn’t speculate anything about my computer and what the problem might be.  If you’re going to fail, do it this way.  This is evidence for a level of care that inspires trustworthiness.

YouTube Fails Flash Detect

YouTube the know-it-all.  Here’s brash YouTube guessing what’s wrong with me.  The statement is completely false.  Also, remember that YouTube video that plays just fine from change.gov?

So, somebody is doing Flash Player version detection differently (i.e., properly) compared to most everybody else.  I wonder how we’ll learn what the difference is.

PS 2008-12-06: Ironically, Google Video does play through Flash 10.  Viddler plays beautifully (and that says a lot about Chris Brogan’s relationship to trust).  MSN Videos play as well, also using Flash for delivery.

This particular CNN page reports that it detected Flash 0

CNN Fails Twice in One Blow.  Notice the version it reports that I am using.

At first, I thought the problem was that all of the failing implementations are truncating “10” to “0”, but that would be misleading.

All we know for sure from this display is that the version was truncated in making the message, assuming it is using a detected version at all.

An interesting aspect of the CNN site is the number of different implementations of Flash viewers there are.  I include two more in the rogues gallery below.

Yahoo! Pretends It Is Stuck

Yahoo! wants my attention.  I went to the solutions page.

Meanwhile, back on the page that had this message, I start hearing audio.   Returning to the tab with that page, I see that the video is indeed playing.  It is a reduced video image that does not play in the full frame of the Yahoo! player on the page, but the video is playing.

It is difficult to get to the AP feeds in a direct way, and I haven’t tried comparisons with other sites that carry AP or other services delivered via Yahoo!

Yahoo! offers this solution while playing the video anyhow

Not so great, Yahoo!  This “solution” is amusingly inaccurate.  It may be true that they require the version they do, but upgrading won’t get it for me.  The fact that the video was playing while I looked at this makes for a rich Internet experience.

The Site for Demonstrating Flash Detection Done Right: FAIL!

Oh Oh, Adobe FAIL?  This image shows failure of Flash 10 detection on a web page that is proudly showing off the correct way to detect Flash 8 or higher.   I found this in a link on the Adobe Developer Center article “Best Practices for Flash Player Detection.”

The article has some great demonstrations of hubris:

“Well, folks, today is a good day: The search is over. The wheel has been invented. And tested. And taken on a nice, long road trip.

“Say hello to the newest detection script, which you can implement easily using Macromedia Flash 8. Much like the Six Million Dollar Man, it's better, faster, and stronger. And as an added bonus, you can actually rely on it.”

ending with

“Finally, tell every web developer you know about this article. The sooner Flash Player Express Install becomes standard, the sooner we can stop frustrating users and start handling Flash experiences in an effective manner and improving user experiences on the web.”

Apparently, that is exactly what happened.

The late Michael Williams provided, in 2005, an Adobe Developer Center article on “Future-Proofing Flash Player Detection Scripts.”   There are some weird solutions, but it looks like they should detect Flash 10 (but maybe not Flash 26).

The Client-Detection Sample from the Adobe Kit: FAIL!

Adobe’s Example Fails.  The Client-Side Detection example in the Adobe Flash Player Detection Kit 1.5 fails to detect Flash Player version 10.

Examining the JavaScript file suggests a number of ways that DetectFlashVer might go wrong.  Determining the actual defect requires some careful forensic reconstruction.

Adobe Action Script Example Tries Update

Adobe Unhelpful Helpfulness.  The Flash Player Detection Kit also provides an example of an ActionScript detection technique.  This sample will automatically invoke installation of an ActiveX plug-in, but when I allow it to run all it does is quickly report that the version I have installed is present (as if it has installed it anew).

This “ Installed Successfully” has no impact whatsoever on the already-reported detection difficulties.  In particular, the Client-Side Detection example still fails.

It is time for that careful forensic reconstruction.  I am also curious about the way that the Windows Registry is accessed as part of ActiveX detection activity.

Joi's site reports I have an old version of Flash

Joi’s Wedding-Present Clue.  I have a theory about what is happening here.  It is the kind of thing that is going to embarrass a lot of Web developers while those who got it right are laughing their heads off by now.

[update: The Vimeo video is working fine on Joi’s own site and the link-through to Vimeo.  The full-screen HD rendering is not bad.  But the above message still occurs when I use the direct video link on Joi’s FriendFeed stream.  That makes this a self-contained systems-incoherence demonstration along with the confirmable experience (until they fix it).] 

OK, Let’s Figure This Out, Aye?

I can’t be certain that every detection failure has the same bug, but the odds of a Y2K sort of failure are pretty high.  The way I think it happens is a little different, but it requires having gone from “9” to “10”, giving lots of time for the defective code to be shared among far too many Web developers around the globe.

I’ll leave it at that.  This is a great challenge question for novice developers and experienced ones, the latter probably having committed this one at least once themselves.  I can see how I might have been caught by this myself, although I’d like to doubt that I would simply because I am always aware of representation issues from my experience in early programming languages and machine-language programming.  I am also inclined to over-engineer edge cases, and that might have been appropriate in this case.
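
One class of defect that fits the “9” to “10” hint above, sketched as an added example (not code from this post, from Adobe's Detection Kit, or from any site named here, and not the confirmed cause of the failures described). The function names and the sample version strings are constructed for illustration; the robust form at the end compares every field as a number and reports only what it actually knows.

```javascript
// Constructed sample version strings (assumed formats, not captured data):
// an ActiveX-style "WIN major,minor,build,patch" and a plug-in description.
const SAMPLES = {
  activeX9: "WIN 9,0,124,0",
  activeX10: "WIN 10,0,12,36",
  plugin10: "Shockwave Flash 10.0 r12",
};

// Defect 1: comparing version *strings*. The comparison runs character by
// character, so "10..." sorts before "8..." because "1" < "8".
function meetsRequirementLexical(installed, required) {
  return installed >= required; // both arguments are strings
}

// Defect 2: assuming the major version is one digit wide.
// "WIN 10,0,12,36" yields 1, so any requirement above 1 is refused.
function majorSingleDigit(versionString) {
  const m = /(\d)/.exec(versionString);
  return m ? Number(m[1]) : 0;
}

// Defect 3: taking the single character before the first separator.
// For version 10 that character is "0", one way a "Flash 0" could arise.
function majorLastCharBeforeSeparator(versionString) {
  const idx = versionString.search(/[.,]/);
  return idx > 0 ? Number(versionString.charAt(idx - 1)) : 0;
}

// Robust form: pull out up to four numeric fields of any width.
// Accepts "," or "." separators and the " r12" build suffix.
function parseVersion(versionString) {
  const re = /(\d+)[.,](\d+)(?:(?:[.,]|\s*r)(\d+))?(?:[.,](\d+))?/;
  const m = re.exec(versionString);
  if (!m) return null;
  return m.slice(1).map((f) => (f === undefined ? 0 : parseInt(f, 10)));
}

// Field-by-field numeric comparison: returns -1, 0 or 1.
function compareVersions(a, b) {
  const len = Math.max(a.length, b.length);
  for (let i = 0; i < len; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Decide, and give a reason that states only what was observed.
function meetsRequirement(versionString, required) {
  const installed = parseVersion(versionString);
  if (installed === null) {
    return { ok: false, reason: "version not detected" };
  }
  const ok = compareVersions(installed, required) >= 0;
  const reason = ok
    ? "ok"
    : "installed " + installed.join(".") + " < required " + required.join(".");
  return { ok, reason };
}

// Side-by-side results for the constructed samples.
function demo() {
  return {
    lexical9: meetsRequirementLexical("9.0.124", "8.0.0"),
    lexical10: meetsRequirementLexical("10.0.12", "8.0.0"),
    singleDigit10: majorSingleDigit(SAMPLES.activeX10),
    lastChar10: majorLastCharBeforeSeparator(SAMPLES.activeX10),
    robustActiveX10: meetsRequirement(SAMPLES.activeX10, [9, 0, 0, 0]),
    robustPlugin10: meetsRequirement(SAMPLES.plugin10, [9, 0, 0, 0]),
    robustActiveX9: meetsRequirement(SAMPLES.activeX9, [10, 0, 0, 0]),
  };
}

console.log(demo());
```

All three defective forms accept version 9 and refuse version 10, which is why such code can circulate for years before the major version gains a second digit.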

Meanwhile, here’s a rogues gallery of other sites that have an unfortunate approach to Flash Player version detection.

CBS insists on Flash 9?
Dylan's Video optional anyhow
CNN claims 8 or better
Well, OK, 9 or better
So 10 not newer than 8?
Did I leave home without Flash?
Funny or Die?
Oh, sorry

There you have it.  I’m sure this is not pleasing for Adobe.  Let’s just hope that the detection problem is not from an Adobe-provided sample of how to do it.  [Update: It appears that the problem has been promulgated in Adobe-promoted materials.] 

[2008-12-06T19:20Z update: I went through and added links to the actual sites and videos where there is narrative.  I also noted some successes where sites simply worked as expected.]




Punishing Standard Users: When Will It Stop?

[update 2008-11-27 This page is moved from Orcmid’s Live Hangout and retained here as part of the topical archive on confirmable experience and software incoherence.  I was moved to do this, and salvage more Hideout material, by some remarkable experiences a full year later.]

There is a slippery tug-of-war going on between Microsoft and third-party application developers.  This even has Microsoft application-product and developer-product development teams fighting/ignoring/neglecting/throwing the mud that is piling up on the user doorstep. 

I'm talking about the effort to have users operate safely and snugly in Standard User Accounts (SUA) and the actions taken by application developers and their employers that completely fail to respect the user in this matter.  No matter how much has been said and published about how to deploy applications in a way that works easily for standard users, there are continuing expectations that users run as administrator all of the time.  This is made the simple case, reinforcing a practice that we all know to be unsafe (although Vista has a mitigation that some people insist on disabling).

Picking on Second Life

Here's an example of what I mean.  I choose it because it is typical and because it all happened while I was looking for a way to illustrate this.  Second Life is representative (although no less disheartening).

The Setup: I haven't been on Second Life for a while, which means there is doubtless a mandatory update that I'll be required to install before I can get "in-world."  This is so predictable that it actually keeps me away from Second Life even longer once I have been away for more than a week.  I start putting off the pain of downloading and installing another release.

Today I was doing some system clean-ups and celebrating the new power-backup unit I installed after a series of storm-related power hits defeated my old battery backup.  As a reward, I was tidying up some loose ends after running system tune-ups and catching up on important things like my Facebook presence.

Nice New Update Announcement

SL-2007-10-20-1120-UpdateAvailable

I decided to check into Second Life and see what's new.  When I brought up the application (and I was running as administrator because I had been installing some other updates), I found a message that I have never experienced before.  The message was in a corner of the Second Life client user interface.

I hadn't logged in yet, but the application apparently checked on-line for an update and it had that message for me.  I went ahead and downloaded the release into a location on my computer where I save Second Life releases.  (I usually keep the current one and its immediate predecessor, along with screen shots of my experience.)  Now, I usually don't turn on any automatic check for updates, and I don't recall ever being offered an option in the matter.  Since Second Life is an on-line application, I am not surprised.  I am surprised this showed up before I opted to connect to the on-line system though.

Not So Fast There, Sparky!

SL-2007-10-20-1121-UpdateRequired

I downloaded the announced update while still elevated to computer administrator, but I didn't install it.  I was excited by that "now the choice is yours" phrasing.  I wanted to see that in action.  I clicked the Connect button to sign into Second Life.  Oh, what have we here?  The usual.  Not exactly a choice, huh?  This is the dreaded message I have come to expect.

Since I don't want to do this as an on-line administrator, I clicked Quit.  I already have the update.  I can install it when I am good and ready.

My previous experience using the Download button is that Second Life will download and attempt to run the install.  Because my computer account is normally set to "limited account" the install will fail and I will still have to go to the Second Life site, log in to that site, download the new version, and then install it myself while temporarily upgraded to a computer administrator account.  The new Update Available notice has saved me the need to hunt down the download on my own.  That is a nice improvement.

Say Stranger, New in These Parts?

SecondLife-2007-10-20-OneCarePopUp

I wanted to demonstrate how painful it is to go through a 33-megabyte download only to be told the install can't be done.  I switched from Computer administrator back to Limited account to demonstrate what happens.  I haven't taken this path since March 2006, the first time I discovered that Second Life does not have a non-administrative way of updating itself.  (This was no surprise, but I tried it to be certain.)  [This is from a photograph of my screen, slightly defocused to avoid interference patterns in the image.  The OneCare pop-up refuses to be screen-captured with the software that I use.  The yellow-alert condition there is because I need to run backups.  I have to be elevated to administrator to do backups and also to have the correct account data be backed-up too.]

SL-2007-10-20-1639-Firewall

When I opened the Second Life client and got to the download button again, the download didn't even start: Second Life tripped over my firewall.  That's interesting because my firewall is already conditioned to allow Second Life access to the Internet.  What's even more interesting is that whatever program is being used to install the download, it is one I (and OneCare) have never heard of.   I can go no further without checking with OneCare.

I could take Second Life's advice and install using the download that I already have.  I certainly don't want the auto-update to succeed.  I do want to understand why it failed in this particular way.

I switch users and quickly log into a computer administrator account to consult with OneCare on the matter.  I do so, and OneCare's notification comes up immediately.

Uh, I Don't Think So

SL-2007-10-20-1644-Firewall

As a computer administrator, I now have something to say about the program that was blocked.

Now, what program is that exactly?

Let's see, it is not signed code (that's what Publisher Unknown means).  There is no version or company identification.

The name of the program is a made-up tmp.exe with a random name.

In fact, the program is in my user-account Temp directory.  None of this is reassuring in any way.

My intention is to block this program forever, assuming that it ever runs again, but I'm curious to know if it will still attempt running.  [Next I have second thoughts and block it permanently on the second notice which was apparently already stacked up.]

There are two things going on here.  First, I am willing to believe that the Second Life client creates a copy of a down-loader in the Temp directory so that the install can happen atop the Second Life location without weirdness.  I am almost willing to give that some credence. 

Secondly, I am satisfied that the update would attempt to run automatically.  There's no danger that the down-loader can accomplish anything, however.  Writing to C:\Program Files\Second Life\ on my machine can only be done under an Administrator account.  I'm not operating in one of those, which is what I had started out to demonstrate until the firewall intervention occurred.

Reviewing the Situation

So, the easiest way to install all of those interminable Second Life updates is to be running on-line as administrator without a firewall. 

Cool huh? 

Clearly, the Second Life folk know that and they design that as the inviting case.  Look, they suspect that their connection attempt with this weird little program is blocked by a firewall. 

That's what I mean by the slithery tug-of-war.  I also hate it when applications check automatically for updates and then nag me about it.  Being denied access to the service until I install one of the interminable updates is worse.  Of course, the fact that I put up with this in order to enjoy Second Life eye candy and all the in-world denizens just shows how tempted I am.  Even I, a devout Standard User.

Apparent convenience trumps security and safety.  Almost all of the time.  And we mostly put up with it.

Installing the Usual Way

Today's experience has me thinking that I would be better off not playing in this game with the Second Life developers, regardless of any seductive appeal of their application.   But let's see how well I do when I employ my safe practice to install the update and finally return in-world. 

SL-2007-10-20-1645-Install

This is the file I downloaded earlier.  The message applies to that file.

See how complacent I am?  The code is not signed, and I don't do anything about refusing to accept unsigned software, especially when downloaded from the Internet (although probably under safe conditions). 

As you see, I am going to go ahead and install it.  I am now running with my account switched from Limited User to Computer Administrator.  I am not on-line, although I am connected. 

My intention is to install and run the application once while I am administrator so I can condition my firewall for the new version of the application.

Second Life Installer Firewall Hit

Oh yes, installers have a habit of wanting to access the Internet too.  I often experience requests to condition my firewall before a Setup program gets very far.  That is also true here.  No surprise.  We haven't even started up the program and already there is Internet activity.

On continuing, the revised Second Life version starts up for the first time.

SL-2007-10-20-1746-Terms

Oh, What's this?  We get all of this way and now I am given an absolute click-through requirement to accept a lengthy Terms of Service agreement.  That seems to be one of the improvements of this release.

I couldn't even get it onto my clip board for closer review later.  You can see I selected the text, but I couldn't get it where I could preserve it.  And it is long.  And mind-numbing.  The part that I have scrolled to is section 5.3 where I am informed that everything that I have done on Second Life, any Linden Dollars that I happen to have, and any credit for any purchases can disappear at any time for any reason whatsoever.

Well, I'm certainly happy that they require me to promise to have read this terrible document before I am allowed to continue on and connect into Second Life, the world. 

After my exploration was over, I went to the Second Life site and did manage to find a web page with the Terms of Service at  http://secondlife.com/corporate/tos.php.  I can't testify that it is the same document, but Section 5.3 is definitely the same and I did download a copy for my reference.

About now, I am wondering why I am continuing to put up with this.  I wander around in-world for a while, mainly pruning my list of landmarks of places that seem to be dormant or not that interesting.

The Prize in the Bottom of the Box

SL-2007-10-20-1747 Another Firewall Hit

OneCare let me know about a second program not long after I allowed the main Second Life program to have access to the Internet.  For some reason, the extensions to allow direct voice audio in Second Life are provided or installed using a second program, one that my firewall wants me to consider whether or not to allow.

I opt for the program to run.  I didn't put on my headset and microphone nor did I find any avatar to talk to this way. 

I am grateful for this little addition though.  When I closed Second Life, I experienced a frightful system slow-down.  Everything turned to molasses.  Windows were blank and took forever to paint, that sort of thing.   At the end of that prolonged seizure, I received a wonderful message.  

SL-2007-10-20-1812 VC++ Runtime

I have been waiting almost two years for one of these.  It is worth a completely separate blog post by Professor von Clueless, but here is the message.  I wanted a real-world example of one of these and now I have it.  Thanks, Second Life developers.

[Dear developer: This condition may be a consequence of the temporary blockage that OneCare instituted during the first-time execution of the new version.  If the program never noticed that the block had been removed, or was somehow derailed by the block, this Runtime Error might be a consequence.  I did run Second Life one more time after restoring to a limited account and there were no further errors and no unusual slow-down conditions.]

A little more background:  Even though my main development system runs Windows XP (Media Center Edition 2005), I operate in a Limited User Account (LUA) whenever possible.  I have an administrator account that I use only when I need to perform a purely-administrative function (including allowing Microsoft Update to install goodies it has ready for me).  I'm effectively implementing the equivalent of User Account Control by manual procedure.  This is in the spirit that Dennis Wallentin expresses in his 2007-10-20 blog post on being UAC Compliant:

"UAC stands for User Account Control and is the new technology in Windows Vista to provide users with different level of administrative rights and privileges. UAC main purpose is to support a more secured environment then what Windows XP offers.

"Microsoft has a good white paper that covers UAC in detail and therefore I have no intention to cover it here:

"Most developers I know have intentionally disabled it because they found it to be rather annoying, time consuming and too restrictive.  [orcmid: my italics]

"Although I can agree with these opinions I try to have it enable as much as possible simple because that will be the most likely scenario for many of my customers. In addition, from a general point of view I support it because by default all users (except Guests) are logged on to Windows Vista as standard users and get extended rights only when needed."

When I need to do something different, such as install new software or update downloads from other sources, I will carry out the download, parking the file in a safe place that I can use for any future re-install.  Before installing, I switch my normal account to being a computer administrator and I install under that account.  This is to ensure that the software installs properly for operation under that account and not all accounts, if possible.

Second Life, as do many other applications, installs for all accounts on the machine, including all Administrator-group accounts.  When I detect this, I remove all icons, shortcuts and start menu occurrences from "all users," confining them to my normal account instead. Automatically installing for use from all accounts on the machine is another action that punishes my efforts to be a Standard User and only allow pure administrative activity in my separate administrator account.

[update 2007-10-21T16:59-0700: I provided a link to the detailed post about Visual C++ Library runtime error messages and also cleaned up some rough edges in the text of this post.]
