Last night I had the absolute joy of spending a little more than an hour taking about Visual Studio 2013 & (more importantly) Visual Studio LightSwitch at the Developer User Group. It was great to have a standing room only session with loads of participation and hopefully I got to show off why I love LightSwitch.

This talk was mostly just me doing massive demo fun and running ALL OVER the place, we covered:

• LightSwitch 101 (create forms, add data etc…)
• Some more advance layout tricks in LightSwitch
• How LightSwitch works under the covers
• Visual Studio 2013 profile & notification features
• Visual Studio extensions
• Visual Studio Code Lens
• Building custom clients with OData
• Wrapping data in Web API

and so much more. This really was a session driven by the audience so it was great fun for me. The slides (which likely won’t be of much use) are below & after that is the download for the demos!

Thank you everyone for making it a super special evening for me!

Visual Studio is The Best IDE For JavaScript. I’ve said that many times before & it remains true that as JavaScript developer on ANY platform Visual Studio will make you life easier than any other IDE. So all good JavaScript developers know that fact now and those same good JavaScript developers also know you ALWAYS Use Strict in your code.

While it is trivial to type the thirteen key strokes (I just did that to count how many it was – *sigh* thirteen less from my allotment of keystrokes), you may want to make it even easier by using a great feature in Visual Studio called snippets and since Visual Studio 2010, we have had support for JavaScript snippets.

So I have created a simple free snippet for you to use: the use strict snippet. Once added to Visual Studio, the snippet will let you type us and hit tab & get the use strict line in your JavaScript! Yay for simple things!

Download the snippet!

For most of the software development projects in the world, GitHub is the wrong choice for their hosting needs. This is because for most of the world is NOT developing open source software and thus the pricing model for GitHub fights against you, as the GitHub pricing model is designed to charge the daylights out of those who do not develop open source software.

To help me explain this – let us look at two examples.

An open source example

We will use Git itself on GitHub, as our example for open source. Here is a project that is open source and makes use of a three public repositories. Looking at git repository there have been 702 contributors to it. 

When you look at the GitHub pricing model this could be run on any plan, including the free one since we are only constrained to have no private repositories in GitHub (you can have unlimited public repositories) and unlimited contributors, which makes it perfect for open source.

When you apply the recommendation I mentioned in yesterday’s post about lightweight repositories to this model (with the free unlimited public repositories), it makes even more sense for open source projects.

A corporate example

The other side of the coin, is a company that is doing consulting or maybe in-house development work that needs to be stored somewhere and (for whatever reason), that work cannot be open sourced. Thus you will need private repositories & you will need a lot of them to follow the lightweight repository principals. Even if you do not intend to follow those principals, you may find that splitting up your repository in an organisational way still creates a lot of repositories.

For example: I worked at a small company (< 30 developers) who would deploy and develop on top of Microsoft CRM & SharePoint. There we split things based on customer (so each customer got a repository) and after 3 years we had almost 200 hundred repositories! For them to use GitHub by simply moving over would mean a custom price negotiated with GitHub, as GitHub doesn’t offer standard pricing to that level. If they changed their structure to properly follow the lightweight repository principle they could’ve easily have tripled the repository count!

So if not GitHub, then who?

In a company, you need to view the issue from the other way around – you need loads of repositories. However you also have another difference to open source, you have limits on something that open source cannot and really do not want to have limited: contributors. In a company you really are only going to have staff or people who are working on the project contributing – so limiting the number of people who are involved is useful. It also gives you an easy way to cost the hosting, because it really boils down to per head costing.

So who offers Git hosting, with unlimited private repositories and charges per head? There are two main players in this space and I have used both found both to be great solutions. BTW I also use GitHub & think it is great too – but for more for collaboration in open source.

BitBucket

BitBucket, which started off life as the Mercurial hosting to GitHub’s Git hosting, now days offers Git too. Their model is pretty simple, unlimited private repositories and basically a cost of $1 per user per month. It is that simple.

TF-Service

Who expected Microsoft to understand Git hosting do well?! They have understood it marvellously with their TF-Service offering which offers unlimited private Git repositories. TF-Service is currently free, but it won’t stay that way and my gut says Microsoft can’t compete with BitBuckets $1 per user cost.

The reason it can’t compete with BitBuckets pricing, is that that TF-Service offers more than code hosting. Microsoft offers build servers, work item tracking and more! Plus if you have Visual Studio Premium or Ultimate then you also have a MSDN subscription, which means you will be covered by your MSDN subscription so it will be free.

Summary

This post is not about knocking GitHub – it is an amazing service & has changed the way the world interacts with code for the better. What this is meant to do is show you that even though it is popular, it may not be the best solution for you!

The REAL number one issue to avoid GitHub

While this discussion is about the pricing model (which is often ignored when choosing a platform), I do need to say what the number one blocker for GitHub is. This is also the number one blocker for TF-Service & BitBucket. Simply put it is my customers. Many of my customers will not give permission for me to host outside the company and in a foreign country and thus we need to run our own infrastructure to accommodate those customers.

I have had the joy of working with some great teams and learning how they use Git, but I have also seen it misused and the number one issue I helped teams resolve when using Git is what I call, the Fat Repository. The fat repository (not to be confused with the funny & NSFW Fat Git Enterprises), is an especially easy trap to fall in for teams who have come from the client/server source control world (SVN, TFS, CVS etc…) because in their world, a fat repository isn’t a harmful thing and even may be a good thing – but in the DVCS world the fat repository is a major problem.

Fat Repository

A fat repository can be one of the following two characteristics, or it can have both of them. I think both of these characteristics will be familiar to most developers who have used some sort of source control any period of time.

Characteristic One: Multi-tasked Repository

The multi-tasked repository is where you have a single repository which has multiple root folders and each folder is for a different customer or project. This is very common with internal focused items. For example a consulting company may develop a set of common libraries that are used in a variety of projects and put all the common libraries code in a single repository, so they are easily accessible for everyone in the company. Another example would be a department in a company, which has all the projects that single department has developed in a single repository.

Many people, myself included have multiple Visual Studio projects inside a single repository, that is no problem – where it becomes a fat repository is where those items/folders/projects are not related to each other from a delivery perspective. Often those projects only are lumped together, because they share some common organisation relationship.

The reason this is called multi-tasked repository, is because the single repository is responsible for multiple unrelated deliverables.

Characteristic Two: Multi-focused repository

The repository where it has not fallen into the multi-tasked trap can still become fat. This often happens when a single repository is used to handle many requirements beyond code of a single deliverable. A common example of this characteristic is when you have a documents folder or database backup folder in your code repository. Here the core issue is that while everything is related to the software development, not everything relates to the building of the code.

This is named a multi-focused repository because the focus is split between specs, database backups, virtual machines and the code (for example). I find this issue hits not only repositories, but tools like DropBox where you get a folder shared because you need one document and you end up syncing 100’s of other documents, backups, install files and what-nots that you don’t care about too!

Fat repository – Summary

In short a fat repository is one where there is more going on in a repository than just code & just the code that is needed for a single project or deliverable.

There is a simple test to identify a fat repository just ask: Is everything in here vital my deliverables? If there are items that are not vital – you have a fat repository.

Client/Server and the fat repository

In the client/server world of source control, like SVN or TFS, this isn’t actually an issue and it is very common to find fat repositories. In fact I would say if you are using a client/server source control – having a fat repository is an advantage since there is a single place to go to get everything you need.

The reason this isn’t an issue in the client/server world, like we will find out in the DVCS world, is because of two key differences:

1. In client/server you have only a working set, not the entire repo. So you initially need to pull a smaller set down to your machine, compared to pulling down the working set & all the history in DVCS.
2. in client/server because you are working with a server, you can checkout a single sub-folder or even a single file without needing the rest of the files in the repository.

DVCS and the fat repository

The DVCS world of Mercurial & Git works completely differently to the client/server world. Firstly the repository is comparatively cheap to create – just type git init and viola, a repo. In client/server you need a server admin to create one, this relative cheapness encourages you to create loads of repositories – some may last & get a remote version on a server and some may live short lives just on your machine – that is perfectly fine.

Secondly, when you grab a repository for a team you not only get the one folder you want in a working set version – you get EVERYTHING. Every folder, every file & ALL the history for it.

This is where it becomes painful to deal with a Multi-tasked repository or a mutli-focused repository because you are forced to pull down content that you do not care about.

Issues a fat repository causes

Initial check out times that are ridiculously long. Most of the time this is a once off pain but it is still a pain. I say most of the time, because I went to help a team that had each deliverable in a separate multi-focused repository and while the working sets were small and the team members had no issue with the one long initial check outs – the senior developers that floated between the teams to help out found that pulling the repositories down was ruining their productivity, especially if they were just trying to help with a single bug. This teams repositories were so huge that most people couldn’t keep more than two around, even though the working sets were less than a gig.

Disk space usage. You developers want a SSD and while it will make them more productive it also means that space is a premium or you will be forking out a lot for those massive SSDs. With DVCS, they get everything in the repository including all the history. Check in a 1Gb database backup, then delete it… in the client/server world the working set wouldn’t be impacted, but in the DVCS world everyone will pull that 1Gb file down initially and that means a lot more disk space usage.

Solution: The Lightweight repository

So when using a DVCS, the solution is simple:

1. Keep the repository as lightweight as possible – only check in the things you NEED. This means taking care about what is checked in & using functionality like .gitignore & using staging to ensure you only check in what you should.
2. Since DVCS repositories are cheap, have loads of them – have one for documentation, have one for code, have one for artwork etc… That way those who need something can cherry pick the repositories they need.
3. Avoid the Law of the instrument – just because you can put things in repo’s doesn’t mean you should. Do you need the history on every DB backup, not likely – a file share or DropBox maybe enough for those! Or why not use a tool that is better suited to Word documents, with the ability to index their contents so that they can be searched, for example SharePoint. TFS does this with the full version – where every repository gets an SharePoint site to put the documents in.

In short a happy repository is a lightweight repository!

When I develop a Windows Store app, one of the core things you need to do worry about is all the logo’s, splash screens, file icons & lock screen badges. It can be a pain to create these every time – so I have created a logo pack which provides you with ALL thirty three (33) of the images you need.

These images all (but 3 – for badges) have a bright pink background making it easy to see which of your logo’s are using these original place holders compared  to those you have updated. They also contain the details (type, dimensions & scale) on them, so you can easily see when one is being used. The three that are for badges are monochromatic as that is a requirement for the badge logos.

The idea is you will use them as place holders for your real logo’s and also as a set you can provide to your designer or graphic artist who now has a base to work with and doesn’t need to figure it out themselves.

The usage of the logo’s is totally free and there is no rights on there usage, so GO WILD! You can download the logo pack below the video, which gives you a quick tutorial on how to use these.

Two years ago I used Netflorist to buy some flowers, but first I needed to login. I had forgotten my password, so I used the "Forgot Password" option.

In the email I got was my actual password - which shows a MASSIVE problem in the design of the system that Netflorist uses. The password is either:

1. Stored in plain text
2. Encrypted

Why am I talking about it now? Because after two years, Netflorist has not fixed it! They have had the time to fix it, so let’s talk about it & if this info helps some horrible person hack them (& am not suggesting people do that) then tough for them.

What is plain text?

This is plain text - it is just the text. Why is this a problem for passwords? The reason is that if someone gets access to the database (physically, remotely, via hack, restoring a backup etc...) they can see ALL the passwords.

This has low risk for Netflorist since credit card details are not stored but this has a MASSIVE risk for Netflorist customers.

The sad truth is that most people are lazy & reuse the same password across multiple websites, which means the details on Netflorist can be used to commit fraud & theft elsewhere.

Scenario

Netflorist, being a good company, keeps 5 year’s worth of backups off site. Someone at the offsite company accesses those files, restores the DB and gets all the email addresses & passwords for everyone. They then go to TakeALot and log in with those details. Since TakeALot's credit card provider stores credit card numbers the criminal then purchases tons of stuff!

Just imagine the damage that could be done if someone uses the same password for their email & their second factor bank authentication goes to email – all your money is stolen… thanks to Netflorist not doing it right. If that happens and since the bank wasn’t at fault you wouldn’t be able to get the money back from the bank!

Encryption is enough! Right?

So we going to get a little technical now, there is actually many types of encryption (2 way, public/private key) but the core here is that in all cases there is encrypted data & a salt (or key or password - they are all synonyms) is used to decrypt the data.

So if we store the password encrypted in the database, we also need to put the key somewhere so it can be decrypted when the mail is sent out. The issue here is if someone can get access to the database, there is a high chance to get access to the salt too. Once someone has the data & salt - it is plain text.

Yes, this is tougher to do than plain text - but tougher is not the same as impossible.

So how should Netflorist this be fixed?

This is not simple, because we are working with security & doing it correctly isn’t easy. Thankfully OWASP has created some guide to help with this:

• Password Storing
• Forgot password features

In short they should do three things. Note this is the SUPER simplified version. If you are doing this, read the above documents for all the details.

• We do not store the password in plain text or even encrypted. We hash it. Hashing can be think of a way one encryption – so we can take the password + salt and a result (the hash), but we can never go from the hash to the original password.
• The hash relies on a salt too, so we should use a salt that is unique per user. This solves the possibility of rainbow attacks.
• Lastly is “The Forgot Password” system, since we can never get the password back from the hash, it cannot send it to the user requesting the password. The solution is to have a password reset option, where a user puts in some unique info and using a secure channel can put in a new password when they forget their password.

What can you do?

First, communicate with Netflorist (Twitter, email) about this risk and hopefully they fix it. Second, you can lower your personal risk by never share passwords across websites. This can easily be done by tools like LastPass (which manages the passwords for you & ensures strong & unique passwords are used) or find a trick that enables you to easily remember a unique password for each website. For example use a pass phrase like:

• Netflorist could be: This is netflorist222
• TakeALot could be: This is takealot222

It is easy to remember the unique password plus it is a pretty strong password. This is just an example, so come up with your own & be sneaky!

It has been an entire year since my last presentation dump, so following that tradition – here are some of the talks I gave in the last year that were not immediately available:

Protection of Personal Information Bill (POPI)

Description

A short presentation that focuses on the proposed POPI law, how it impacts businesses, technology, IT depts & the cloud. It was based on a draft so some aspects may have changed.

Thoughts

This was a tough talk for me, because the law isn’t something I spend much time focusing on. I spent a lot of time reading the bill & analysis for it and really was impressed how approachable all of it is. This is definitely a law we need to be aware of, but for most companies (who do things correctly now) it will mean either no changes or a slight update to some documents.

Open Source Licensing

Description

This talk focuses on what open source licensing is, how it should be applied inside & outside companies. It also looks at how Open Source != Free.

Thoughts

This talk looks at how open source licensing works & more importantly how it applies to company projects. Once again a bit of legal focus but very valuable info in it!

JavaScript Toolkit

Description

This presentation provides a quick glance at a number of tools that make development with JavaScript easy, quick & bug free. Loads of tools & ideas in it :)

Thoughts

The JavaScript toolkit talk looks at a LOT of tools and libraries for JavaScript & as I do a lot of this day by day – it was easy to get ready & a lot of fun to present.

How to give a great presentation

Description

This slide deck was used to give students an overview on how to give a great presentation, especially a technical presentation. It covers aspects like purposeful movement, technology, slide creation etc....

Thoughts

This is a talk I gave to some students about how to do a great talk & it pulls a lot of my own learning’s & learning’s from experts like Hanselman into it.

.NET 4.5 Async

Description

A look at some of the complexities of .NET 4.5 Async

Thoughts

The newest talk here which covers the Async keyword. The core focus here was not on the simple scenarios but rather to dive into the more complex scenarios and areas of pain that can occur with this new keyword.

For the Rangers Treasure Map, we had an amazing development focused sprint where we all just dug in and got stuff done. The sprint after that became minor feature work but mostly just work on bug fixes & UX improvements. This meant that for each item we needed to identify the fix and apply it – the problem is that some of those fixes couldn’t easily be applied with our existing “tools”.

Tools in this case, refers not to Visual Studio or TFS – in this case it refers to our design pattern (MVVM) & the Microsoft guidelines. Let’s look at three examples of where we came up against those:

Keyboard support

The first issue was the keyboard support was bad for our app – you would not be able to navigate easily through MANY of the levels because of it. Windows is normally thought of mouse & touch – but there is a lot of keyboard support & keyboard guidance, so for us, it was vital to give an amazing experience with this too.

The core problem was our way of using SelectedItem on our lists for navigation, which works great for mouse/touch but doesn’t work for keyboard. So, with the VERY limited time left, what do we do? We had three options:

1. Leave in bad keyboard support.
2. Develop a ton of additional code to allow the view to work with this model or change the view some how – basically allowing us to keep PURE MVVM.
3. Break the MVVM pattern to solve this.

Option one, wasn’t even an option for us – so that left options two & three. Since we had limited time & other issues, if we did two, we would’ve had to drop other parts or leave other issues unfixed. The choice really was to break the pattern & have the code behind for the View handle the calling the View Model for the navigation.

This isn’t really my a smart idea, it comes from people like Sam Guckenheimer wrote in his book, this is the standard tetrahedon for software development:  time, money, features & quality. Since time & money for us are not movable – we have to chose quality or features.

At the end of the day, focusing on what is important, making sure what we ship is awesome for the user, even if the code base has a few ugly spots in it – meant we broke MVVM. You know what is awesome here though? Windows development allows it, because not every scenario is a perfect fit for a pattern every time.

Aside: I do hope in our v3 release we will get a whole sprint, or two, to do refactoring's, which will include moving this to the point two solution & making it better to unit test!

Right click – show appbar

Another example is that if you right clicked a list item, the appbar would not show (because item grabbed the event & the page never got it). Here the solution is once again, to go to the code behind. However, I do not personally feel this breaks MVVM. I acknowledge we could’ve found a MVVM way to do it, but this sort of experience is PURELY View related & so the code behind for the view is the right place to do this.

I know a lot of MVVM people believe all code behind is evil, but really, there is no evil here – these are just tools to make our lives easier & ship better software. We should use them, but not believe in them.

Alt+Left

The final example is a bug with pressing Alt+Left, which the Windows guidelines state, should take you back a page. However it breaks if you and Alt+Tab to get to the app (the Alt key is seen as stuck then, and just pressing left will make it go back). For us, the solution here is to not implement this guideline.

The experience of our users MUST triumph all guidelines, even those from Microsoft.

References

• ALM Readiness Treasure Map (Table of Content) TOC Post
• ALM Readiness Treasure Map Windows Store App

Today I got to present to the ever amazing audience at JSinSA (it is one of my favourite conferences, so I may be biased). The talk I gave was very simple: Visual Studio, it is THE BEST tool for web developers, regardless of what technology you use. So if you use ASP.NET, PHP, Ruby, CoffeeScript etc... it does not matter – Visual Studio is right for you!

If you attended and are looking for the slides, demo bits, or a script of the demo – have a look below! For those who couldn’t be there, I have since done a recording of it to YouTube, which is also below!

YouTube

Slides

In the short video below I cover how you can configure Nuget package sources to either local copy, which is great for backups when doing a presentation which relies on Nuget, or the the cache, which can provide an emergency store for recent packages if you have no Internet access.