Penguins are sneaking into my house and leaving the doors unlocked.

In the past 3 weeks I have purchased, installed and used 2 Linux systems in my house....accidentally. First, I purchased a Roku High Definition Photo Viewer and MP3 video player for my TV. This is a nice little device that acts as a screen saver for your TV/Plasma Screen to avoid burn in....say of the DVD logo that you see from your DVD player when there is no disc inserted. The device sits between the TV and the rest of your home theatre video inputs - daisy chain style. It monitors the video traffic for no signal or no motion and after a time duration kicks in with your family photos. The photos can be retrieved over the network jack to a series of shares on your home network, or via a plugged in USB wireless adapter. It also has Compact Flash, SD/MMC, SmartMedia and memory stick slots. Not to mention of course I find out it's running Linux. There was a bit of novelty involved in telnetting into my TV and using VI. That soon wore off when I discovered that the root password was blank, and that the change password binary was missing from the install of Linux so I couldn't even change the password. Combine this with the fact that the setup wizard walks you through finding the network shares in your house and storing your userid/password credentials - this becomes a rather obvious security hole that could have been fixed by the manufacturers fairly easily.
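A blank root password of the kind described above is something a firmware build can check for before it ships. The following is an added example, not code from the device or from the original post: it parses passwd- and shadow-format text and flags accounts that can authenticate with an empty password. The function names, severity labels and sample entries are all constructed for illustration.

```python
"""Flag accounts with an empty password field in passwd/shadow-format text."""

# Shells that refuse an interactive session (assumed list, extend as needed).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_colon_file(text):
    """Split passwd/shadow-style text into lists of colon-separated fields."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split(":"))
    return rows


def audit_accounts(passwd_text, shadow_text=""):
    """Return [(user, severity)] for every account whose password is blank."""
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text) if len(f) >= 2}
    findings = []
    for fields in parse_colon_file(passwd_text):
        if len(fields) < 7:
            continue  # malformed entry, not a usable account record
        user, pw, uid = fields[0], fields[1], fields[2]
        shell = fields[6] or "/bin/sh"  # empty shell field defaults to /bin/sh
        if pw == "x":
            # "x" means the real field lives in shadow; no entry = locked.
            pw = shadow.get(user, "*")
        if pw != "":
            continue  # a hash, or a locked marker such as "*" or "!"
        if shell in NOLOGIN_SHELLS:
            severity = "low"       # blank, but no interactive shell
        elif uid == "0":
            severity = "critical"  # blank password on a root-equivalent login
        else:
            severity = "high"
        findings.append((user, severity))
    return findings


# Constructed sample modelled on a small embedded image (not real device data).
SAMPLE_PASSWD = """\
root::0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
media:x:500:500:media user:/home/media:/bin/sh
ftp:x:501:501::/home/ftp:/bin/false
admin:x:502:502::/home/admin:/bin/sh
"""
SAMPLE_SHADOW = """\
media::12600:0:99999:7:::
ftp::12600:0:99999:7:::
admin:$1$constructed$notARealHash:12600:0:99999:7:::
"""

if __name__ == "__main__":
    for user, severity in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{severity:8} {user}: empty password field")
```

Run against the files extracted from a firmware image, any "critical" or "high" finding means a network login service such as telnet will accept that account with no password.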

Is this security attitude prevalent in the Linux world? I hope not, because yesterday I discovered another Linux box in my house.

I also recently acquired a NetGear Media Router. It's a regular router with the addition of a USB host port. This allows you to plug in a memory stick or a USB external drive to share as NAS storage. I was a bit surprised to see it show up in my Network Neighbourhood as a UPnP device named “Linux Internet Gateway“. There is also a GPL license in the box so I think that all points to it running Linux.

The device also has a nice feature that when you turn it on and it detects a network connection, it automatically decides to download and install updates to the flash bios. God forbid I turn the device off while it is doing this unbeknownst to me. Bam, too late. I guess the power light goes from green to yellow when it's doing this. The 1 page card manual included with the device doesn't mention this nice “feature”. I found out the hard way. When you go to the web page to administer the device in this mode you get to see that file system in its raw form.

Downloading the manual tells me to reset the factory bios I have to hold down the reset switch with a pin for 90 seconds. Nice. I was able to do that but can't seem to get an IP out of the device any more.

I'm still evaluating the security risks of this device. It is slightly more secure with my data (via USB storage) by including a password on the administration of the machine - which is “password”. There is no password on the share it exposes and I can't see an option to put a password on the share so everybody on my network (say when my geek friends come over and plug in) will have access to my financial records and family photos. Nice.

So I have accidentally installed 2 Linux boxes in my house with major security holes. I'm savvy enough to discover this on my own, but I doubt the typical residential consumers of these products would realize the security hole they are introducing into their personal data stores.

With the proliferation of these types of Linux devices into the average home, I'm sure this will draw the attention of script kiddies. Wouldn't it be cool to take over somebody's television set?  Maybe they'd throw some porn up during daytime TV, or steal my personal data - or delete it. Scary.

Building Mobile Applications, Metro Toronto .NET Users Group

Tomorrow night I'm presenting at the downtown Toronto .NET users group - topic Pocket PC development with the CE framework. I'll have a new HP 4700 device with a VGA resolution screen for folks to take a look at - courtesy of your friendly neighborhood HP rep. I'll also have my trusty 5650 with the old form factor for you to play around with. Hope to see you there.


My Long Weekend Vacation, Pocket Excel and the Time Value of Money

I just came back from a lovely weekend at Blue Mountain Village near Collingwood in Ontario. I hadn't been to the area since I was a kid. It's changed a lot.

The good:

  • every room has high speed internet for a reasonable cost.
  • a lovely private beach onto Georgian bay for guests that included lounge chairs, towel service, toys for the kids, and kayaks to borrow. You can walk out close to a kilometer before it gets past your knees so it's great for the little ones, and you don't really care that the water is only a couple of degrees higher than freezing. Of course in the hot sun, the shallow water warms up nicely.
  • our room looked out into a lovely village square. Panoramic Photo here (2.3mb).
  • can you say beer festival? We came back Saturday afternoon from the beach to find there was a Blues, Brews & BBQ festival outside our room. Waterloo, Brick, Big Rock, Creemore, Sleeman's, Rickard's, Steam Whistle and a slightly out of place Coors Lite booth. All appreciated though. Pig roast too - strangely right across the aisle from some place giving out samples of vegetarian hot dogs.
  • the square had some kind of computerized fountains with a small waterfall and man made river - not only artistically pleasing, but the designers knew kids would want to play in this fountain - so they embraced that idea and made a nice entry into it and put lots of chairs around so grown ups could watch their kids (right side of photo)
  • a big fire pit in the middle for pseudo-camp fires which the kids loved.
  • Friday night they had an outdoor movie in the square with popcorn.
  • a surprising amount of things to do right in the village square. Many shops and watering holes. Lots for the kids: scooter rentals, remote control cars & boats for the pond nearby, pedal boats, catch & release fishing, a small water park with water slides & splash pad for the kids. Rock Climbing, face painting. If you've never tried a beaver tail, you must.
  • there is some good golf & tennis available, and in the winter, best skiing in Ontario (not saying much). On the "mountain" there is some good downhill mountain biking to be had during the summer. There are also lots of hiking trails and scenic caves.
  • handy underground parking for the hotel.
  • only 2 hours from Toronto!

The Bad:

  • it's not really a mountain - just an edge of the Niagara escarpment. May not be great vertical, but the largest horizontal around.
  • the open air gondola which was supposed to be open July 1st wasn't.

The Ugly:

The same old timeshare crap sales pitch reminded me of my first day in business school. My Econ101 prof said: "If you learn one thing from university, remember this: At some point in the future, some salesperson is going to try and tell you that money today is worth the same as money in the future." Boy did I run into that here this weekend. I don't mind hearing a good sales pitch, and I had pleasantly enjoyed my vacation to date, so when somebody in the activity centre asked if I wanted to go see a presentation and they would give us a $100 gift certificate for anywhere in the village, I willingly obliged. I also knew it was going to rain that afternoon.

I was a bit surprised that the presentation was not high pressured at all. Intrawest has probably one of the better point systems for Timeshares. You can go anywhere, any time of the year, and for any length of stay. You basically buy points into the system to spend throughout the year. You pay a premium if you book through their travel agent to an external real estate but you basically aren't screwed if you don't like their resorts. Since we don't ski or golf all that much, and not on family vacations to date, I'd be in the “paying extra“ category pretty much every year.

It all boils down to you pay a large chunk of money up front as an equity “investment“, in this case $26K, which gives you 150 points per year, which works out to about 7-10 days depending on what time of the year, what location and what kind of accommodations you want. You also pay an annual maintenance fee of $850. I quickly bumped that up to $1200 to account for the premiums I'd have to pay to book outside the system. The salesperson was quite friendly, but at some point said that "your annual vacation - hotel room part anyway, is basically only costing you $1200 per year". That would probably give me on average 10 days of hotels. So $120/night for a 1 bedroom suite on average was quite good.


What about the $26K? That would probably earn between $800-2000 as investment income if invested somewhere else. The timeshare equity doesn't really appreciate under the point system. It can, but you have a very limited market to where you can sell it, so it generally doesn't. Intrawest will buy back your investment at par in 8 years should you want out of the system.

The salesperson offered all kinds of perks if we accepted - right there on the spot, but if I returned tomorrow I wouldn't get those perks. She said the last 20 people who bought in, all did so on the spot. Of course they did - all the other folks who went home and entered a few numbers into a spreadsheet figured out they could invest their $26K in a t-bill and do much better and have more flexibility. She told me that "just last week" they had a customer come in with a laptop and crunch the numbers and ended up jumping on the deal. I happened to have my pocket PC and before I could enter in a single formula into Pocket Excel, she said, "you know what, this probably isn't going to be for you". I'm guessing she knew the answer to the spreadsheet and didn't want all the other people in the showroom listening to me figure out that my vacations were going to cost about 50% more than we pay now.

To make matters worse, I was being sold Intrawest points at a price of $170/point CDN. You can find these points for sale from existing people not satisfied with the program for less than $120/point CDN.....working out to roughly a 40% markup over current market rates. No wonder they don't want you to go away and “think about it“.

While stupidity and income aren't mutually exclusive, it strikes me that the average joe that meets Intrawest's financial requirements and has $20-$40K to invest in their vacations doesn't always factor in the time value of money. So here is a good refresher on the Time Value of Money that takes an IT perspective and shows you the formulas in Excel. OK, we should all generally know this, but it's so easy to forget when you've just seen a great video of how your vacations are going to look for the next 10 years. Or you've just test driven a vehicle that's just a little nicer than you would have otherwise purchased, but has an “interesting financing option“.

So we didn't exactly waste 90 minutes. We saw some nice vacation resorts and a nice sales presentation. There was a torrential rain storm while we were in the meeting and our kids were getting treated to some fun arts & crafts activities in the next room. We ended up going out to a nice dinner on the house that evening. It's a little ugly when somebody tries to sell you something that they know is not a financially sound decision. It would have been a lot more honest had somebody just tried to sell us real estate on its own merits without the confusion & mis-direction.

DevCan 2004

I'm co-chairing two tracks of DevCan coming up in Sept/Oct in Vancouver/Toronto (exact dates to follow) - see for more.

I'm doing the architect track and web track. If you have ideas for content you'd like to see, or have a topic you'd like to present in either of those categories, send them to me. You don't have to be Canadian, but it helps :)

Next Generation Developer Training

I've been (in some manner) involved in the software developer training business for over 10 years now. Over the past 3 years however, I've really been questioning the value and purpose of classroom training for software developers. So has Don Box. The internet has had a lot to do with that I think and the # of developers taking a week off work to sit in on a class has dropped in recent years. There was a buzz about elearning for awhile - but it hasn't really gone mainstream - and you hear about blended learning now too.
Vendor-based classroom training typically amounts to not much more than reference manuals. A component is introduced, a few demos or scenarios on how you can use it - and a lab to follow. About 80% of what I see in these classes I could find on google. And the best part about google is that I can find it when I need it....just in time, on the job. After I learn something on google, I get to use it in a real life scenario so absorption is pretty high that way.
Classroom training has the advantage of taking you outside of your typical day (usually for a week) and forces you to sit and spend some quality time with some new technology on a grand scale. The problem with googling for small bits of information is that you miss the bigger picture and a full architectural understanding of how best to accomplish something. The instructor is an important part and can make the difference between a good class and a great class. But the problem remains with traditional training in that they are really just showing you how to swing their hammer. There is only a small percentage of leeway when an instructor can add extra value above and beyond the curriculum. The good ones do, but there is never enough time.
Several months ago we took a hard look at what people really needed and what kind of value we could bring to bear above and beyond what people could learn from reading the online help or googling. That extra value is of course the experiences of the instructor and the resulting set of best practices....stuff that you rarely find in any book.
The problem of course with relying on an instructor to make the difference is that sometimes they don't. And sometimes their experiences are different than others. You end up with a very inconsistent delivery.
So we decided to create new courses based primarily around the best practices captured from the experiences of several developers. We still cover some fundamental tools & techniques but quickly move beyond that into the best practices of how to apply that. The idea is to have students spend less time on things they can learn on their own time. How often do you get to spend a week with an expert who has been using a new technology for a few years? The idea is to maximize the time for that week.
We haven't relied on just our own experiences either. We've decided to lean heavily on the community in this regard, in particular, the content coming out of the MS Patterns and Practices Group. The culmination of all this work was the first delivery of our new courseware based on "Best Practices" a couple of weeks ago. It was also John Lam's first course with ObjectSharp. I had the opportunity to talk to a few students, including a couple of our own instructors who sat in on the course, and I even managed to drop in for about 30 minutes on the last day.
The comments are great on the evals too. Our evals are always good, but these evals were awesome. "The most professionally run course I have ever taken." "The best course I've ever taken". Our salesperson told me that she even had a student ask in the middle of the week if we were going to be handing out evals because he wanted to make sure he had an opportunity to comment on how great the course was. I'm really proud of what we accomplished but I'm even happier that we've touched a nerve with our customers and found a way to maximize the value to them for taking a full week out of their lives. I can't wait until I get to teach one of these new courses.

Smart Client Deep Dive

Adam Gallant and I delivered an MSDN Deep Dive last week about developing Smart Client applications. I covered the overview & secure data access sections. The samples and IssueVision (1.0 C# & VB) along with the slides are available over here. Thanks to those who came out.

Update: If you want to take advantage of getting this stuff (and more) on the DevDays CD, you can fill in the form here.

VS Live Party

We threw a party on Thursday night after VS Live Toronto to help blow off some steam. VS Live in Toronto was a good time. A few people agree.

  • Jay Roxe was one of the speakers and joined us for a night on the town.
  • Datagrid Girl Marcie Robillard too. Turns out we share some PowerBuilder history from back at her days with Anderson Consulting. Marcie was also one of the speakers. I watched her presentation to see if I could pick up any public speaking tips, but I left learning some technical things. A) You can do a DataSet.ReadXml and pass it an url, not just a filename. B) The file/url you point it at can be any reasonably formed xml document - not just a previously saved dataset. She loaded the RSS feed from the Code Project. Cool. In practice, an untyped DS does lots of inferring which can be problematic so stay tuned for a fully fleshed out tip on doing some typed DS loading of XML docs.
  • Mike Flasko has posted some pictures from VS Live. Mike is on the Imagine Cup Canadian winning team. Be sure to check out the sub folder from our party. Elisa Johnson and Jason Kemp also from the team were there. A very nice group of people I was glad to meet.
  • Thanks to Billy Hollis, Keith Pleas, Paul Yucknovic??, Rob Windsor, David Totzke, Chris Kinsman and of course the rest of the ObjectSharp clan for coming out on the town.


Upcoming UG Meetings

Kate Gregory is starting a new UG in the east end in Oshawa. They are meeting Apr 20. The topic is an overview presentation of .NET. to register.

The regular meeting of the Canadian Technology Triangle meets next Tuesday Apr 20th as well. This special meeting is part of the MSDN User Group tour and the topic is The .NET Compact Framework. A special note that this event is not in its usual location, but rather at the Peter Benninger Theatre. to register.

ASP.NET Whidbey at CTTDNUG Tonight.

I'm presenting an overview on ASP.NET 2.0 tonight at CTTDNUG.

There isn't a great abstract on the site - and in fact, I will physically be unable to do the objectspaces stuff since the new version of VSNET CTP doesn't even have it in it anymore. Don't read into that - objectspaces will still be coming out - at some point. I should be able to give some nice objectspaces PPTs if the crowd is interested - but I'm guessing that demos are going to be more enjoyable.

So I am going to do my best Scott Guthrie impersonation and give a good solid demo lap around ASP.NET. IDE Improvements, Master Pages, the new datasource stuff, Site Navigation, Security, Personalization, SqlCaching.

Downtown Metro Toronto .NET UG Inaugural Meeting!

Finally a downtown user group.  First week of every month - and the first one is April 1st - no 200 Bloor St. East (Manulife) at Jarvis. This is also the first date on the MSDN Canada .NET User Group Tour across Canada. There is also a raffle for an XBox.

The sad news is that this meeting is going to get cut off at the first 200 people - so register soon by sending an email to

speaker: Adam Gallant
location: Manulife Financial Building 1st Floor 200 Bloor Street East Toronto

Better Web Development

In this session, we will focus on some fundamentals in web development, including a special drill-down on security and caching. We will cover an overview of the .NET security, and specifically important aspects in ASP.NET security and best practices. We will also cover, at a high-level, the caching mechanisms used by ASP.NET.