Teknik Industri ITB 2002

A blog aggregator..

Archive for the ‘Life of An MVP’ Category

Upgrade Woes

Dear readers, I would like to extend my sincere apologies for the lost images on this blog. Last weekend the hosters tirelessly upgraded our system to the latest and greatest (and of course, most expensive) infrastructure. I am currently working closely with them to restore the images, or if they can't find them, I'll have to upload the stuff again.

Well, they never say anything about upgrade/migration woes in marketing materials, right? :D

Cheers!

P.S.: Visual Studio 2008 SP1 is coming today! Subscribers will be able to download tomorrow... This update is required for SQL Server 2008.

  • Filed under: Life of An MVP
  • Lo and Behold, Zune 8 Black!

    Yay, my newest gadget addition is here. Thanks to Chewy who is kind enough to bring the device from far away land called America.

    The box:

    P1080649

    The contents of the box:

    P1080650

    But before I can do anything with it, it must be recharged... argh!

    P1080651

    Finally, up!

    P1080654

  • Filed under: Life of An MVP, ZuneMuffins
  • Zune Pass Woes

    Well, Microsoft finally hit Zune Pass with a lot of track restrictions (you can't download, you have to buy). We don't even own the tracks, so why the need for restrictions?

    I've put up a forum post complaining about this issue here. Vote if you think that Zune Pass should lift track restrictions.

  • Filed under: Life of An MVP, ZuneMuffins
  • Microsoft SLPS Part 2

    Yesterday evening, I delivered a talk on protecting your code. Frequent readers will recognize that the first half of the talk was covered in depth in the first SLPS post. It wasn't perfect, but I had fun, and it was definitely the best I've done in English so far.

    So for those of you who didn't quite catch what I was talking about (I know, I mumbled here and there trying to buy some time :D), I'll explain in depth in this post.

    First of all, I'm going to reemphasize my point of view: open source does not work for business. It might be good for education, community, or charity, but not for business. You're trying to sell something you share; that just doesn't make sense. This is why there's an inherent requirement to protect your code.

    When we're thinking about protection, we'll think: "It's compiled! They won't/don't/can't have the source code." Wrong.

    If you're still in this mindset, then you should visit (or revisit) the first part of this post. There I demonstrate how easy it is to convert any compiled .NET assembly back to its original source code. This made up the first of three parts of the talk: compiling a small application and decompiling it using Microsoft and third-party tools.

    The next part is about basic protection. Microsoft has bundled Visual Studio with Dotfuscator Community Edition. It doesn't do much (the UI shows many other features, but they are disabled), only some simple renaming. I demonstrated how to use Dotfuscator.

    This is the original code, which is 100% reproducible:

    image

    After obfuscation with Dotfuscator Community Edition, the code is still 100% reproducible, but it's harder to understand:

    image

    Several important points on obfuscation:

    • The external interface to obfuscated code will never be modified. This is to ensure that any code that depends on the interface will not break. Of course, this is basic logic.
    • Dotfuscator strips all namespaces and renames everything to single letters (sometimes numbers if it runs out of z's).
    • The obfuscation process happens after your code is done, which means it doesn't affect development at all.
    • Obfuscation, given enough time and effort, eventually will be broken. It's still reverse engineering, but with added hurdles to slow down progress.

    You've seen Dotfuscator in action, now you'll want more. Unfortunately, more means money! You can easily search for obfuscation products using Google Live Search, so finding one is not in the scope of this post. I don't have any product ready, so I just tried to open up a product from one of the users of an obfuscator.

    The company is Intersoft, the product is a UI control library. I "volunteered" to crack open their authorization code. Since a good product requires good adversaries, I embarked upon the journey of the dark.

    Here's one piece of the code which I have successfully decompiled:

    image

    This is only one part of the code, the constructor. As you can see, the obfuscator renamed parts of the code with unidentified characters. It's not easy to distinguish one from another, and in some parts of the code, Reflector crashes when trying to decompile it.

    Long story short, I was able to crack half of it (only the runtime component) in 8 hours. After that I lost interest, since buying it would be cheaper than hacking it.

    Several important points on (expensive) obfuscation:

    • The external interface is not changed. Again, this is basic logic.
    • Obfuscation, given enough time and effort, eventually will be broken. But since the hurdles are higher, the economics become: which one is cheaper; to hack or to buy?
    • You get what you pay for. Expensive obfuscation will make your code less interesting to hack (except for hardcore hackers out there).

    The third part of the talk is actually about Microsoft's product, Software Licensing and Protection Services, or in short SLPS. They have a product web site at root level (which means it's quite important) at www.microsoft.com/slps and if you have MSDN Subscription, you can get a free basic subscription to play with.

    The difference between the Microsoft and partner offerings is in the way the code protection works. While partners sell obfuscators, Microsoft sells encryptors. So your code is 100% not modified, but encrypted. This encrypted code will then run in a Secure Virtual Machine, or in short SVM. SVM itself runs on top of the CLR (so it's still managed code). Moreover, Microsoft also offers activation services for your protected code. So when you pay for protection from Microsoft, they give you the ability to sell your software. Money out, money in.

    Details will be in part three.

  • Filed under: .NET Framework, Life of An MVP, Singapore
  • Microsoft SLPS (Part 1)

    Decompiling means converting a program back to the original source code. Previously, decompilation was difficult because you needed to understand assembly (which is the least human readable language). Assembly code is translated into machine language (readable by CPU) by the operating system. In .NET, this is not the case. Decompiling is easy.

    .NET Compilation

    Before we jump into how to decompile, we need to understand compilation first. In .NET, compilation means converting from a .NET language (Visual Basic or C#) to MSIL (Microsoft Intermediate Language).

    image

    The DLL and EXE files you distribute will contain MSIL. When run, the .NET runtime will do another round of compilation before execution (that's why it's called Just-In-Time Compilation) to the platform's assembly language. The assembly language is then sent to the platform's operating system.

    This means one set of DLL and EXE files can be run on multiple platforms without changes, since translation to the platform's instructions is done after distribution, just before execution. The .NET runtime is also called a virtual machine, since it acts as an intermediate machine.

    The bad thing is, since the compilation does not generate assembly language but instead a standardized intermediate language, someone can easily take this and translate it back to the original source code with little difficulty.

    .NET Decompiler

    In fact, the .NET Software Development Kit includes a tool to help you open up the DLL and EXE file to retrieve the MSIL code. This tool is called ildasm.exe (IL De-Assembler). For example, we will decompile a simple Hello World application.

    1. Run the ildasm tool. This tool is included with all Windows SDK distributions. You can run it from the Start Menu > Programs > Microsoft Windows SDK [version] > Tools > IL Disassembler.
    2. Once the window is opened, drag and drop the file you want to disassemble. You can use the attached HelloWorld.exe file or any .NET assembly.
    3. To see the IL code, just double click on any method. For this demo, you can double click on Main to see how the console application retrieves the current user name.

      .method private hidebysig static void  Main(string[] args) cil managed
      {
        .entrypoint
        // Code size       29 (0x1d)
        .maxstack  8
        IL_0000:  nop
        IL_0001:  ldstr      "Hello {0}!"
        IL_0006:  call       string [mscorlib]System.Environment::get_UserName()
        IL_000b:  call       string [mscorlib]System.String::Format(string,
                                                                    object)
        IL_0010:  call       void [mscorlib]System.Console::WriteLine(string)
        IL_0015:  nop
        IL_0016:  call       string [mscorlib]System.Console::ReadLine()
        IL_001b:  pop
        IL_001c:  ret
      } // end of method Program::Main

    4. I won't dig in to the details of the IL, but suffice to say, you can see that the application calls System.Environment.get_UserName() method to retrieve the current user name. Easy enough.
    5. If you need more developer-friendly code, you can download Reflector (at http://www.aisto.com/roeder/dotnet/). This tool will convert the IL code back to the language of your choice.
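
    To make the point of the steps above concrete, here is an added example (not part of the original post) that reads the ildasm listing from step 3 and lists what the IL gives away without any source code: string literals and call targets. The function names are hypothetical; the sample input is the listing shown above. It also relates to the renaming points in the Part 2 post, since targets in another assembly and string literals are not touched by renaming.

```python
import re

# The ildasm listing from step 3 above, embedded so the script runs offline.
SAMPLE_IL = r'''
.method private hidebysig static void  Main(string[] args) cil managed
{
  .entrypoint
  // Code size       29 (0x1d)
  .maxstack  8
  IL_0000:  nop
  IL_0001:  ldstr      "Hello {0}!"
  IL_0006:  call       string [mscorlib]System.Environment::get_UserName()
  IL_000b:  call       string [mscorlib]System.String::Format(string,
                                                              object)
  IL_0010:  call       void [mscorlib]System.Console::WriteLine(string)
  IL_0015:  nop
  IL_0016:  call       string [mscorlib]System.Console::ReadLine()
  IL_001b:  pop
  IL_001c:  ret
} // end of method Program::Main
'''

INSTRUCTION = re.compile(r'^\s*IL_([0-9a-fA-F]{4}):\s+(\S+)\s*(.*)$')
# "<return type> [<assembly>]<Type>::<method>(<params>)"; the [assembly]
# prefix is only present when the target lives in another assembly.
CALL_TARGET = re.compile(
    r'^.+?\s+(?:\[(?P<asm>[^\]]+)\])?(?P<type>[\w.]+)::(?P<method>[\w.]+)\(.*\)$')
CALL_OPCODES = {'call', 'callvirt', 'newobj'}


def parse_instructions(il_text):
    """Return (offset, opcode, operand) tuples, rejoining operands that
    ildasm wrapped onto a continuation line."""
    instructions = []
    for line in il_text.splitlines():
        match = INSTRUCTION.match(line)
        if match:
            offset, opcode, operand = match.groups()
            instructions.append([int(offset, 16), opcode, operand.strip()])
        elif instructions and line.strip() and \
                not line.lstrip().startswith(('.', '//', '{', '}')):
            instructions[-1][2] += line.strip()   # wrapped operand
    return [tuple(i) for i in instructions]


def exposed_surface(il_text):
    """List what a reader of the IL learns without any source code:
    string literals, and calls split into external and internal targets."""
    surface = {'strings': [], 'external_calls': [], 'internal_calls': []}
    for _offset, opcode, operand in parse_instructions(il_text):
        if opcode == 'ldstr':
            surface['strings'].append(operand[1:-1])   # drop the quotes
        elif opcode in CALL_OPCODES:
            target = CALL_TARGET.match(operand)
            if not target:
                continue
            name = f"{target['type']}::{target['method']}"
            if target['asm']:
                surface['external_calls'].append((target['asm'], name))
            else:
                surface['internal_calls'].append(name)
    return surface


if __name__ == '__main__':
    report = exposed_surface(SAMPLE_IL)
    for literal in report['strings']:
        print('string literal :', repr(literal))
    for assembly, name in report['external_calls']:
        print('external call  :', f'[{assembly}]{name}')
    print('internal calls :', report['internal_calls'])
```

    Running the same script over the ildasm output of your own release build is a quick way to see which literals and framework calls a reader of the binary gets for free.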

    Why Do I Need to Worry?

    So people can easily get back my source code. So what? Well, there are several reasons why source code is important.

    1. With source code, you can modify the code and recompile it. This is easier than changing a compiled binary file. To overcome this, .NET has a feature called Code Access Security. With CAS, you can sign a compiled DLL or EXE with a private key. During execution, you can enforce that the DLL you created has the specific signature. Any tampered DLL will have a different signature.
    2. With source code, your intellectual property, such as an algorithm, a process, or even a secret, can be exposed. Imagine you have a product key generation algorithm. Anyone with access to your source code will be able to reverse engineer it and generate a valid key for your product, without even paying. This is the part where Microsoft SLPS comes in.
       

    What is Microsoft SLPS Then?

    In short, Microsoft SLPS enables you to encrypt parts of your source code. The encrypted parts cannot be decompiled. Second, Microsoft SLPS also enables product feature management. You may want to create three versions of your product with different features (and prices). You can easily do this with Microsoft SLPS.

    I've saved the discussion about how to use Microsoft SLPS for the next topic. Those eager to know more may visit the Microsoft SLPS web site at http://www.microsoft.com/slps. MSDN Subscribers can request a limited account to try the service.

  • Filed under: .NET Framework, Life of An MVP
  • More and More Quality Readings!

    I went to a computer book store today, and found lots of interesting books that we can only download back in Indonesia.

    13042008

    They are pictured sitting on top of my trusty laptop.

    • The Wisdom of Crowds, James Surowiecki
    • The Mythical Man-Month, Fred Brooks
    • Code Complete, Steve McConnell

    I already went 2/3rd of Wisdom of Crowds, after that I'll re-re-read MMM (I went through it twice during my undergrad years - read on computer screen, bad for eyes).

    I spent around $200 for all three. This should keep me reading for the next 2 or 3 months... :D

    I also found more good books (which I can't buy yet, out of budget):

    • Design Patterns, GoF (this is definitely the next buy!)
    • Refactoring Databases, Scott Ambler

    Another book is also coming from the U.S. together with my new mouse. It's about the history of the personal computer... Fire in The Valley by Paul Freiberger. This book has been turned into a movie titled Pirates of Silicon Valley. Can't wait to read this one.

  • Filed under: Life of An MVP, Singapore
  • I am Hiring

    Yes, I am hiring...

    I am looking for several freelancers for the following positions:

    1. Web Designer
    2. Application Developer
    3. Technical Writer

    General requirements for all positions:

    1. Reads, speaks, and writes English fluently. Do submit proof of English fluency (be it a TOEFL cert, IELTS cert, sample writings, or anything that shows off your English). I am very sensitive to bad English, if you can't read MSDN properly, you are not encouraged to apply.
    2. Have good access to Internet, preferably during meeting sessions (usually Saturday mornings). Anywhere, anytime access is even better. Work is exclusively online, from anywhere, anytime you like.
    3. Citizen of Indonesia. I want the work produced by an all-Indonesian team. Reason: http://wss-id.org/blogs/narenda/archive/2008/04/03/berbuat-sesuatu-demi-bangsa.aspx.

    Specific requirements for Web Designer:

    1. I will use Microsoft Visual Studio 2008 and Microsoft Expression Design exclusively. Your Photoshop/Flash/Dreamweaver skills do not count.
    2. Have the ability to create XHTML 1.0-compliant page. If you don’t know XHTML, you are not encouraged to apply.
    3. Have the ability to use CSS 2.1 effectively. If you don’t know CSS, you are not encouraged to apply.
    4. Be able to create a Web 2.0-style design. Do submit proof of your past designs / design concepts.

    Specific requirements for Application Developer:

    1. I will use Microsoft Visual Studio 2008 and C# exclusively. Express editions do not count (since we are going to use the Team Explorer add-in).
    2. Have the ability to write unit tests. If you don’t know what a unit test is, you are not encouraged to apply.
    3. Have the ability to write code that conforms to written coding guidelines. If you don’t know what coding guidelines are, you are not encouraged to apply.
    4. Be able to write working code to satisfy application requirements. Do submit proof of your past code.

    Specific requirements for Technical Writer:

    1. I will use Microsoft Visual Studio 2008 and Microsoft Word 2007 exclusively.
    2. Have the ability to understand code and write documentation for it. If you can’t do either or both, you are not encouraged to apply.
    3. Be able to write technical documents for public consumption (both techie guys and business users). Do submit proof of your past writings.

    I will personally test all applicants who pass the written requirements (unlike some lazy HR guy who just skips applicants who do not have a famous university degree, for example). Accepted applicants are expected to do a 5-hour work week, with payment billable by hours worked. Do submit your expected hourly rate.

    Accepted applicants will work on an open source product.

    Send your application to me, e-mail address below.

    --

    Adrian Godong
    adrian.godong@gmail.com
    Microsoft MVP
    https://mvp.support.microsoft.com/profile/adrian

  • Filed under: Life of An MVP, Web 3.0
  • Windows 7 Private Alpha

    I just got the latest bits of the next Windows this morning. I've been playing with it on a Virtual PC on my trusty 10-core laptop.

    Here's a little bit of review of what I have found:

    You now have access to truly everywhere computing. Microsoft has finally created a product that's true to my vision of future computing. No longer are you tied to a specific computer to do your entire computing task. With Windows 7, all computing is in the clouds (a.k.a. Internet)! Amazon have jump started this trend with Amazon S3 (storage in the clouds) and Amazon EC2 (computing in the clouds). Now Microsoft pushes these two together to build a truly virtual private desktop to users.

    How do they achieve this? Well, the OS is built on top of proprietary communication protocol (I don't think this is part of WCF released earlier with .NET Framework 3.5). All processing and storage is done via the network to Microsoft centralized server farm. Local resources are shared via Hyper-V technology to the farm, so everyone gets maximum available performance, limited only by the network bandwidth.

    Installation is a breeze, or should I say, installation is instant. Basically it will install every time you boot your computer. The boot up time itself is very fast, since the OS only needs to initialize audio, video, and network devices. Once all three drivers are up, you will see the now-familiar Windows Vista startup animation. They’re still using it to save resources. If you see this animation, you’ll know that audio and video drivers are loaded and running properly.

    Next up is network log in. All the functionality is delivered via network. Processing, storage, even logging in is handled via network. You might think Windows 7 will work like Internet browser and Google applications. Well, Microsoft took one step further. By implementing their proprietary communication protocol, you don’t need a browser anymore. Your OS is your “browser”. In this preview version, the Vista taskbar is still there. But if you click the Start orb, what you will get is the list of application available on the cloud. Any computer you use will always have the same application/settings/layout, since all of them are stored in the Internet.

    How about USB accessories? If you recall, Windows Server 2008 and Windows Vista SP1 with the latest Remote Desktop version have the ability to forward a USB device to terminal server. In other words, you can do Remote Desktop from your laptop at work to your home server, plug your Zune, and sync the Zune as if it is plugged to your home server. Windows 7 took this approach, so you can plug your USB device from any computer in the world, and it just works! No driver installation is required (after the first one, of course), since the USB port is forwarded. No one can beat this, even Macs!

    For applications, the Windows 7 preview has very simple applications available: Notepad, Calculator, and FreeCell, to show off the system’s capabilities to date.

    Notepad is just your standard notepad. And since it is based on the existing code, the “bush hid the facts” Unicode trick is still there. The improvements are a web-based dictionary, spell check, and grammar check. These features used to be available in Word, but since the Web 2.0 era, several web sites provide the service for free. So why not leverage them and put them in Notepad? The dictionary is from Wiktionary, spell check is from SpellCheck.net, and grammar is from a proprietary Microsoft service (based on Word).

    Calculator is also your standard calculator. Although now it does provide a Web 2.0 finish, there’s a new option of “post to community”, just like the one in Visual Studio. It’s not working yet right now, but I’m envisioning something like community-based home-work discussion portal that revolves around Calculator.exe. Cool.

    FreeCell is now multiplayer-only. Since you will need to go online to access it, why not implement a transparent multiplayer lobby? You will have the same problem set, and compete with others to solve it. You now have three empty cells, and four empty shared cells between other three players.

    OK, my laptop configuration is a 10-core processor with 10 GB of RAM. If everything runs on the network, then what would my top-of-the-line hardware be used for? Well, Microsoft knows this, and they are surely tapping it. While all the operations are being done on the server, what you don’t know is that they force you to donate your computing power for public use. So when you’re playing Starcraft 2, one of your units could’ve been rendered on your rival’s processor! This grid computation is derived from Hyper-V technology, again from Windows Server 2008. Microsoft promises to tweak this technology to improve load balancing with peer to peer communication. Since this is a preview version with very few users, my CPU never hit 10% on idle. Memory usage is even lower than Vista, clocking only 50Mb on idle.

    I will also hear IT Administrators complain. If everything is stored on Microsoft servers, then how do they manage data security, policy, etc.? Well fear not, Microsoft will launch the server part of Windows 7 to corporate enterprises. This server will enable you to act like the Microsoft servers. In fact, during log in, you will be able to choose which server you want to connect to. You can optionally sync these servers to achieve the same look and feel between accounts on different servers.

    Unfortunately under NDA, no pictures/video/screen shot will be available for public consumption. Can’t wait for the public beta!

  • Filed under: Life of An MVP
  • IE8B1

    Post testing from Internet Explorer 8 Beta 1. Acid 2 Test successful. Download from Microsoft here.
  • Filed under: Life of An MVP
  • What’s a Facade, Anyway?

    Some years ago, Norman wished that we conduct a tech talk with a real architect to get the real feel of what an architect does. Well, we never did that, but there's something (actually, a lot) you can learn from Singaporean architecture related to software engineering.

    Right now I'm talking about a facade. I'm sure you all have heard of or used this pattern. I've heard of this once, and then again recently. Both are bad designs, IMO. In both designs, a business facade is merely a middleman between the web service and the O/RM. The facade was doing nothing other than being another layer of indirection (which is bad, if overdone). Imagine something like this:

    Bad BF

    Bad BF 2 

    Object has a collection of ObjectB which needs to be populated on load (eager-loading). Every time an Object is retrieved from the web service, the client will need to call the second web service (that retrieves the collection of ObjectB). All calls made by the web service could've gone directly to O/RM, but in this case, we add another layer between them. We don't need it.

    So what's a facade, anyway?

    An example of a very distinctive facade is an old cinema redeveloped just downtown Singapore.

    The Cathay

    This is The Cathay. You can find the history of the building on Wikipedia, this is not a history blog.

    Back to the topic, you can see the brown, art-deco style part in the center; this is called the facade of the building. It's the front face of the building, covering the massive construction behind it. The idea of a facade is an indirection so that you don't need to deal with the complexity of the logic. A security check at the facade doors, for example, will screen almost all visitors to the building.

    Taking the analogy to software engineering, a facade should hide the complexity of the logic, too. Fixing the diagram above, it should look like this:

    Good BF

    Now, the client will only need to call one web service to retrieve Object and all related ObjectB. The facade becomes a composition orchestrator. The facade has the knowledge of what objects are required when retrieving another object, and it has the knowledge of how to retrieve them, too. A facade can call more than one O/RM function and can include logic, but should not call another facade function.
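
    The two designs side by side, as an added example that is not from the original post: a pass-through facade that forces the client into a second web service call, and a composing facade that fills the ObjectB collection itself. Orm, WebService, the facade class names and the in-memory rows are hypothetical stand-ins.

```python
from dataclasses import dataclass, field


@dataclass
class ObjectB:
    id: int
    parent_id: int


@dataclass
class Object:
    id: int
    children: list = field(default_factory=list)


class Orm:
    """Stand-in for the O/RM layer, backed by constructed in-memory rows."""
    OBJECT_IDS = {1, 2}
    OBJECT_B_ROWS = [(10, 1), (11, 1), (20, 2)]   # (id, parent_id)

    def get_object(self, object_id):
        return Object(object_id) if object_id in self.OBJECT_IDS else None

    def get_object_bs(self, parent_id):
        return [ObjectB(i, p) for i, p in self.OBJECT_B_ROWS if p == parent_id]


class PassThroughFacade:
    """The middleman design: one facade method per O/RM method, nothing added."""
    def __init__(self, orm):
        self.orm = orm

    def get_object(self, object_id):
        return self.orm.get_object(object_id)

    def get_object_bs(self, parent_id):
        return self.orm.get_object_bs(parent_id)


class ComposingFacade:
    """The orchestrating design: knows that an Object needs its ObjectB
    collection and makes both O/RM calls itself."""
    def __init__(self, orm):
        self.orm = orm

    def get_object(self, object_id):
        obj = self.orm.get_object(object_id)
        if obj is not None:
            obj.children = self.orm.get_object_bs(obj.id)
        return obj


class WebService:
    """Service boundary; each method call counts as one client round trip."""
    def __init__(self, facade):
        self.facade = facade
        self.round_trips = 0

    def get_object(self, object_id):
        self.round_trips += 1
        return self.facade.get_object(object_id)

    def get_object_bs(self, parent_id):
        self.round_trips += 1
        return self.facade.get_object_bs(parent_id)


def client_load_pass_through(object_id):
    service = WebService(PassThroughFacade(Orm()))
    obj = service.get_object(object_id)
    if obj is not None:                       # client must know about ObjectB
        obj.children = service.get_object_bs(object_id)
    return obj, service.round_trips


def client_load_composed(object_id):
    service = WebService(ComposingFacade(Orm()))
    return service.get_object(object_id), service.round_trips
```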

    Now that you have learnt what a good facade is from the example of a physical building's architecture, I invite you to start using this analogy when creating a facade. Please save us developers from the need to write useless middleman code. Thank you.

  • Filed under: .NET Framework, Life of An MVP, Singapore