Fast on the heels of the Chinese government, the Orwellian Department of Homeland Security has officially announced that it is claiming new police powers this week: to seize travelers’ laptops, cell phones, cameras, PDAs, iPods, video tapes, books and even magazines … without any suspicion or probable cause and keep them as long as they like without any specified process for returning them whatsoever.

DHS claims that business data will be protected, and that all data will be destroyed when the review is completed if no probable cause exists to keep the information — but bear in mind that there was no probable cause to start with, so there’s actually no incentive for them to ever declare the review complete and destroy the data.

It’s important to note that these policies apply to anyone entering the country — including citizens and foreigners, tourists and visiting businessmen. If you leave the country, you suspend your rights to privacy and property at the border upon your return along with everyone else. I wonder how we would have reacted if France started seizing laptops, cameras, cell phones and books from every American who entered their country? What about if this had happened in 1984? or 1999, for that matter?

P.S. If you’re an American:

Remember: no matter how much the authoritarian “security” forces would like you to think you live in a different world now than we did 10 years ago — the Constitution and your Civil Rights have not been suspended yet — if you don’t think the government should have the right to take your things, and root through your photos, phone calls and emails whenever they like for no reason whatsoever… you should write your representatives in Washington and let them know that you hold them personally responsible for this ridiculous power-grab by our so-called homeland security department.

My Personal Response

Here’s the letter I sent to my representatives, maybe you’d like to do the same: (more…)

Someone earlier today was gushing about how neat Evernote is … it’s a OneNote-like application which features add-ins for browsers and email clients to let you clip text and images, or record voice, take notes in handwriting, etc … and it’s cross-platform and has a version for Windows Mobile and iPhone! I thought it sounded interesting, although the key feature of sharing all your notes automatically across all your clients made me a bit suspicious, so I went online to check it out.

By now, those of you who have previously read my rants about software licenses know to avoid Evernote. But let me tell my story anyway. I downloaded the installer and ran through it, noting that the click-through license displayed in the installer is for the software only, and references possible additional terms for a “service” ... So far, so good, the most annoying thing I noticed while scanning was:

9. Monitoring and Removal of information. ... Evernote Corporation and its designees shall have the right to refuse or remove any information that violates this Agreement or is otherwise objectionable, in Evernote Corporation sole judgment…

I didn’t particularly like that in a software license, but it wasn’t enough to get me to stop installing the software. However, I have to say, the license is ridiculously huge:

  • Roughly 3500 words
  • On 330 lines of text
  • (which you’re expected to read in a 10-line window)
  • Making 33 pages of license (about 8 pages printed on letter size paper)

Nobody should be expected to put up with this. Let me say this for the record:

Put your license on the download page.

This will allow people like me to read the license before we download the software and possibly save us the trouble. Pretending you think people will read something like that in the tiny little window is a cruel joke.

The worst joke, however, was yet to come.

(more…)

So I’ve been asked to add a feature to one of the apps that I nominally took over when my former manager left … they want a management pane where certain authorized super users (to be decided later) can add data to the main lookup tables, and must be able to do clean up by deleting data which has been entered erroneously … including cleaning up any references to the now missing data.

I’m currently trying to figure out what database tables I need to be concerned with, and I just have to vent, because this system is the worst mess I’ve ever seen. [disgust]

  • There’s one database supporting five or more applications…
  • There are 87 tables (with names like tblAQ_DcSs, tblAQ_SwNw, tblSFM, tblSW_PWSOS, and tblTestCaseTestLayout)
  • There are three duplicate user tables: tblPeopleLookup, tblUser, and tblUser3 — tblUser2 is a view onto an external user database which is what is supposedly being used … and apparently, tblPeopleLookup is some sort of mapping from tblUser2 to tblUser3 … and tblUser1 is the original user table. I don’t know why these are all still here — I can only hope none of these others are still being used.
  • There are 144 stored procedures (with names like sp_Fix, sp_Fix2, sp_Fix3, spLeftToTestMulti, spLeftToTestMulti2, spLeftToTestMulti3, sp_Whatever, and the awesome spTestCaseTestLayoutTestsUpdate, spTestCaseTestLayoutTestsSelect, etc.)
  • There are no Foreign Keys. Yeah. None. [crazy]

Technically, there are lots of foreign keys — it’s just that none of them are declared as such, so there’s no referential integrity (did I mention that there’s an Access database floating around out there with linked tables and a hard-coded login which the end-users pass around to each other so they can insert data into some of the tables by hand because the original developers didn’t get around to writing this management app that I’ve been asked to write now?)

You can tell that some of the columns should be Foreign Keys, because obviously a column in a “tblReq_Tag” table named “Feature_ID” must be an external lookup of some sort … but there are 86 other tables … and at least two of them have Primary Keys called “Feature_ID” ...

So, I’m spending a lot of time searching the source code and the 144 stored procedures … An astonishing number of these stored procedures involve cursors and multiple nested case statements. I just picked one at random which I thought sounded simple: spEnterGroupResults ... it’s about 150 lines of SQL, and it uses a single cursor variable “crsUnit” which it redefines three separate times onto three different queries which it iterates over. Each of these queries involves joins onto nested subqueries, and I count myself lucky because the tricky part is actually enclosed in a transaction, and at least this one isn’t doing all of that just to dynamically generate a further SQL query to execute.

So yeah, I’m literally looking through source code to try to understand the database design. The problem is that there are more than five different applications, each using slightly different technologies.

  • One of them has never been migrated from classic ASP ... with the business logic written entirely in JavaScript, and the data handling performed entirely by sending huge XML files back and forth to a “do all” webservice.
  • One of them was written in VB.NET in VS 2003, and has never been upgraded.
  • The rest are in C# — with most in VS 2005, and at least one in VS 2008 and C# 3.0 — some are Asp.Net, some are rich client …

The tables I’m most concerned with right now (for this app) have some ahem ... impressive design decisions of their own. Of the 8 tables that I’m looking at directly (I think these are the only ones I need to modify as part of this app), five of them have multi-column primary keys that involve more than half the columns in the table, including columns which are, in fact, unconstrained foreign keys. And there are so far 5 foreign key looking columns which I haven’t been able to find the primary key column for … [pullhair]

Edit: Oh yeah, and half of these tables have columns like [Enabled] [char](1) NULL … That’s a boolean value folks, stored in the database as a y or a n … and it’s nullable even though a null (or any value other than y or n, really) will most likely blow up some code somewhere. And no, there’s no script constraint or trigger to ensure that this doesn’t happen (I checked). For extra fun, the other half of the tables use ‘bit’ columns for things like this — because they were written after I started working with this team (on a different project) and happened across one of these char columns during our one and only code review ever and wondered aloud why we needed to pretend it was still 1992. Why they just switched, without changing the others, I’ll never know…

Here’s a snippet from the latest update to my resumé ... you’ll notice I struck out the “create” portion of the descriptions — as long as we just talk about maintenance and support tasks, everything you see here is what I did in just the last two weeks since one of my teammates transferred to a different division and our temp/contract was stolen away to a full-time position with a different company.


Software Engineer, Test Tools Development.


Lead developer for in-house software solutions for a 100-strong quality assurance team at a Fortune 500 company … responsible for creating and maintaining all custom software solutions and database systems.

  1. Create and maintain a randomized software test-case generation tool capable of managing hundreds of test projects with dozens of variables and using pseudo-random weighted generation to create thousands of test cases for each of our hardware and software tests.
  2. Maintain a custom HR tracking and reporting tool for billing internal customers based on hourly rates for work done testing hardware and software products for dozens of internal and external customers.
  3. Create and maintain a custom requirement and test-case tracking system for internal tracking of spec-based testing and reporting.
  4. Create and maintain a custom defect tracking system which interfaces with and provides metrics for over half a dozen different defect tracking systems (DDTS, ClearQuest, MS TFS, SourceForge, etc) used by the development teams we support.
  5. Create and maintain internal test-results reporting system capable of capturing test-case pass/fail/waive information and tying it to internal requirements and test case tracking systems as well as external defect and work-request tracking systems.
  6. Create and maintain various reporting systems providing charts and reports of counts and rates to support capacity planning, software quality metrics, test effectiveness and efficiency measures, software quality predictions etc, as well as tracking post-release defect discovery and analysis to improve the effectiveness of pre-release testing.

Work with a multitude of languages and technologies to provide the most effective solutions for each request in a timely manner on multiple platforms … from client apps and scripting solutions to cross-platform web apps.

  • Using Asp.Net with HTML/CSS/Javascript and VB.Net and C#.net to provide “AJAX” web-based applications.
  • Using PHP and Perl to provide web-based defect query and search services.
  • Using C#, Windows Forms and WPF to provide rich-client tools for test planning and test-case generation.
  • Using PowerShell, VBScript, TestBasic, and AutoHotkey to automate testing, as well as maintenance and data-entry tasks.
  • Using and maintaining SQL Server, SQL Reporting Services, and SQL Analysis Services to provide reporting and business intelligence and to support tool development.
  • Tracking work and changes in various source control and defect tracking systems such as VSS, ClearCase, ClearQuest, Bugzilla, SVN and TFS.

[crazy] 10 languages, 5 software platforms, 7 separate applications … and the apps I wrote myself (and am therefore most familiar with) seem to be the only ones that I’m not fielding support calls for multiple times a day. I need a vacation (or rather, a couple new coworkers). [surrender]

Fingers don’t fail me now! [whip]

Of course, in my spare time, I’m working on my capstone project for my Masters degree in Computer Science …

Can’t someone put a stop to this stuff? Where are our representatives when you need them? I started to sign up to try digsby this evening, but when I read the terms of service, I had to quickly back away and abort. Let me just say this for the record: these are not acceptable terms of service.

We may change this contract at any time. You must review this contract on a regular basis. You can find the most recent version of the contract at http://www.digsby.com/tos.php. The changed contract is in effect right away.

I do not agree to “review this contract on a regular basis” — that’s preposterous. I have several hundred software applications installed — imagine if they all required me to review their contracts every day before I used them, just in case they had modified them. Imagine if I had to read 16 points spread out over 1200 lines of legalese for each application I use, just in case you decided that the terms of service should require me to mew like a cat every 15 minutes while using it or pay a $1500 monthly user fee…

I most certainly do not agree to any changes that go into effect right away before I’ve even been notified of them or had a chance to read them. What if you change them to involve a daily fee …. while I’m on vacation?

All upgrades, updates or enhancements of the Software shall be deemed to be part of the Software and will be subject to this Agreement…. By installing the Software, you hereby agree to automatically request and receive Updates from dotSyntax’s servers.

I most certainly do not agree that you should be allowed to change your software at any time automatically without my permission. And especially not when you also say …

DOTSYNTAX IS NOT RESPONSIBLE OR LIABLE FOR (1) ANY VIRUSES OR OTHER DISABLING FEATURES THAT AFFECT YOUR ACCESS TO OR USE OF THE SOFTWARE, (2) ANY INCOMPATIBILITY BETWEEN THE SOFTWARE AND OTHER WEB SITES, SERVICES, SOFTWARE AND HARDWARE...

Unbelievable!

Oh, yeah, and don’t forget … you would also have to check their privacy policy:

The Privacy Policy available at http://www.digsby.com/privacy.php explains dotSyntax’s information practices that apply to … information about you and your use of Digsby.

Normally I post responses as edits at the bottom of a post, but apparently Don Jones was offended by this post, so I figure, as a gesture of peace, I’ll post this as a fresh story, with just a link to the original post and the comments posted by Don and Karl. Apparently Don Jones heard about my blog (someone had to tell him, so apparently he hasn’t heard of the PowerShell Pipe), and he’s taken offense at my criticism …

The frustrating thing is that he’s upset at my post, and yet he lambastes me without even having the decency to mention me by name (or even by nickname :-P). Although Don says in his blog that I didn’t make “much in the way of actionable, constructive comments” he actually fixed several of my largest concerns, and in his post he specifically addresses most of my remaining issues: specifically detailing the level of relationship between the common members of the community and its paying members, and adding a statement about the 501.3c incorporation. They’ve also fixed my biggest problems with the script repository, (although, the search is still broken — it turns out that it does work, if you click the “Go” button instead of hitting enter). There is a privacy statement at the top of their sign up page now, which I may have simply not noticed when I signed up — I’m used to seeing a link for the Terms of Service and Privacy Policy, rather than having a simple statement on the page. I commend Don for keeping that simple.

The clarification of ownership and the privacy statements are vital, ‘cause now I can encourage you to sign up. Actually, signing up is basically a prerequisite for getting anything out of the community, since unlike on this blog where there is an open comment form that anyone can fill out, the contents of which are emailed directly to me (yes, Don, I got your note this morning, thanks) — it really is impossible to provide any sort of feedback on the PowerShell Community site without first signing up. As a personal side note, considering I had already signed up on the community site (despite the lack of a privacy policy), and that he posted a comment on my blog, I’m rather surprised Don said I was so hard to get in touch with. :’(

Now, all of that said, I will repeat three of the things that I said before, which are still true.

I expect this to succeed

In fact, go, sign up now! ShellTools have jumped on board 100% since I last posted, actually shuttering many of their forums in such a way that half my Google searches last night returned hits on pages that no longer exist on PowerShellLive.com (kind of frustrating, by the way). Karl’s started a blog there (no content yet) and is moving everything he can to the new community.

It is a commercial junta

For those of you who don’t speak Spanish, the word junta comes from a Spanish word meaning ‘council’ and its use in English refers to governing councils which rule after taking power by force. Don said this:

The community is not a “commercial junta.” The members of the business league do not control community content, only broad direction through an advisory board.

I never said they would control content. In fact, it’s quite clear that those of us being asked to “help” (translation: give them our scripts and answer questions on the forums to build traffic for their website) are the ones expected to provide all of the content, in the form of blogs, taking the time to add links on the community site to any content outside the community, and writing scripts. Never mind the fact that we were already providing this content on our blogs and various forums already … please come join the central one. We weren’t asked who should be in charge. The “business league” sprang upon the scene without so much as a “do you think it’s a good idea” to the community at large (the only people clued in were the MVPs and financial sponsors which were felt to be crucial to its success) ... I think it’s quite fair to call it what it is. You tell me: am I wrong? (Oh, in case I’m not being clear, tell me means fill out the comment form at the bottom of this page).

To be clear (especially for those of you who aren’t familiar with Latin American politics and the implication of the word), a Junta isn’t necessarily a greedy dictatorship that interferes with personal liberties — usually you have a Junta as a transitional government with the idea that you will eventually have elections and democratic rule. Sadly, it doesn’t always work out that way — sometimes a Junta gives way to a military dictatorship instead … which eventually leads to another coup d’état and another temporary military junta … who said politics are dull?

They launched it too early, and with too little content

Personally, I’ve been sort-of waiting for the site to mature before diving in. That’s the answer to the question Don asked: Will you help… or just sit back? When it comes to participatory websites, I prefer to wait until they have some of these glitches worked out and at least have the various sections working before I jump in. I think PowerShell Community (the website, and the amorphous collection of users and developers) could have benefited a lot from a short invitation-only stealth period during which they could have built up some content (scripts, links, imported blog posts … etc) and a structure with “civilian” moderators for the forums, etc. as well as ironed out some of the bugs. It seems to me that they sprang the site out barely formed in order to forestall any other efforts to create a central PowerShell site.

With that as background, I will add that the attitude of entitlement doesn’t help. There seems to be some expectation that since Microsoft and its other commercial partners have declared this to be the community site, not only will other sites shut down and join the community for the greater good (farewell PowerShellLive, so long Scripting Answers) but apparently we the users ought to be contributing as well, and ought not to put our opinions on our blogs without first submitting it to their forums. All I’m saying is: eventually this expectation of participation may be realistic, but you’re not there yet.

My point is: just because you pay a prominent MVP to run the site, and convince all of your partners to join a business league doesn’t automatically mean the site deserves effort from the rest of the community — particularly when it’s easier to continue doing what we have been doing. Honestly, I figure that posting my opinions on my blog is at least as helpful as posting in the community forums, since my review post will actually boost their PageRank™ ;-) My original post was a gut reaction on the first day the place opened, and honestly, I thought that they’d appreciate the link, even with negative feedback. I guess I was wrong.

More ideas

I’ve posted a comment on Don’s blog, but it’s the last time I’ll do that until they remove the captcha that asks me to prove I’m human every time I post a comment — even though I’m also required to log in as a member of the community first. That’s just adding annoyance on top of roadblocks, and makes me assume they don’t really want to get feedback on their blogs anyway.

Now that the script vault on the community site is improved, I’ll probably be submitting some of my scripts on their site too, just to help people out — although I take a bit of a dim view of the fact that scripts I post there have to wait for a moderator before they show up. So many roadblocks …

I’m unlikely to submit links to their links section just because quite honestly, I’m lazy, and I feel that putting links in my delicious and diigo sites (not to mention Furl, Blinklist, Simpy, etc) or linking them from my blog is more than enough effort to help people find things (after all, how many people browse community link lists instead of using Google when they’re really looking for something). I would be willing (if asked) to help develop a tool to automatically include links from delicious (which has a ton of links, but isn’t moderated) or from the Diigo PowerShell group which I already moderate (and would be more than willing to let Don or others also moderate) ... That seems like the best way to manage link collections to me — since Diigo has tools for moderation and for link submission that are built into the browser as extensions.

So I was asked to try to figure out what we would have to do to get a Code Signing certificate for our in-house software development team. Just to be clear, that team is about 4 or 5 developers, writing software, databases and web sites that are primarily used by our workgroup — consisting of about 400 people — within a larger company of … well, let’s just say over 10,000 employees.

The problem, of course, is that generally speaking, such a certificate is issued to a legal entity: a person or a corporation. I figured there was no harm in asking, however, whether it was possible to simply have the certificate issued to our team. I was wrong. Here is a transcript of two conversations I had over “live chat” on a couple of web pages.

Just to be clear about expectations: both of these are large companies chosen by Microsoft to be one of the Trusted Root Certificate Authorities that are included by default in XP and Vista, and had links on their web pages with a photo of a very Caucasian female with text like “Chat with a sales support rep now” and “Click for live assistance” ... so I tried Verisign:

Welcome to VeriSign you are now speaking with Tumelo Manale. How may I help you?
Tumelo Manale: Hello, from which location are you chatting from today?
Customer: Rochester, NY
Customer: I have a question about your code-signing certificates … I work for a small internal software development team at a large corporation, and we need to be able to sign code at our team level
Customer: Is there any way we can get a certificate issued to the team, as opposed to, say, an individual, or the whole corporation — which would presumably involve so many levels of red tape that I wouldn’t finish until 2020 ;-)
Tumelo Manale: I can get a agent to provide you with clarity regarding this issue?
Customer: Uhm, that would be great.
Tumelo Manale: May I please have your Name, contact number and e-mail address?
Customer: Joel Bennett, I gave him my work phone and email
Tumelo Manale: Thank you.
Tumelo Manale: An agent will contact you soon.

Well, not much luck there — and I still haven’t gotten a phone call, either. The only positive spin I can put on that experience is that (compared to the next attempt) at least Tumelo Manale’s name made it clear from the start that he was probably not a native English speaker … Next I tried Comodo (the cheapest of the four code-signing capable root certificate authorities available in Vista). (more…)

So this goes in the “WORSE THAN FAILURE” bucket …

I got an email from my dad this week wondering if I knew “What in the world is this message that keeps coming up every time we start Mom’s computer? It began appearing right after I inserted the removable hard drive to do the most recent backup.” He attached the following screen shot from Windows XP which pretty much speaks for itself (as much as such a thing can):

Windows - No Disk. Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9 75b6bf9c

To be honest, I’ve never heard of it. No Disk? Exception Processing Message? What on earth … I did a web search or two and came up with several fairly recent threads on every tech support site out there … none of which had anything resembling an authoritative answer.

My best guess from the DaniWeb and TechGuy threads is that there is some media app running on startup, but I’ve already had them disable everything in their MSConfig startup tab without getting rid of this annoying message which takes multiple clicks to actually go away.

I had them bring up Task Manager and determined that the message window seems to be owned by the csrss.exe process … apparently it’s only started happening recently after a reboot when my dad switched out the removable hard disks they have been using for backups for years … seems like maybe it’s a recent Windows update but at this point I have no idea, so I guess I’ll try poking around when I get over to their house next time. Anyone have any ideas?

So I recently got some new AOL buddies in a folder called “AIM Bots” ... which as far as I know of, I never asked for, and don’t know where they came from. A couple of them looked interesting … but this one in particular I couldn’t figure out what it was, so I figured, what the heck, it must be a bot, let’s just try asking it …

I’m taking my AIM nick out of this page, because annoying teenage girls keep IMing me because they actually want to chat with a bot and they can’t tell which one of these is me. (Maybe they just don’t bother reading the article). So where you see “Me” below, imagine you see my nickname.

Me > What are you, and how did you get on my buddy list?
spleak > Hi, I’m Spleak, your guide to everything celebrity, from Lindsay Lohan to My Chemical Romance. What’s your name?
Me > ew
spleak > Very creative name, but I’m afraid it’s too long for me to type over and over again. Can you please try again with a shorter name?
Me > Shorter than two letters?
spleak > Okay, I will call you Shorter than two letters?. :) So… I’m a 21-year-old girl. How old are you?
Me > 205
spleak > 205? Ha ha… are you sure? Please enter your age again… your REAL age, that is … ;)
Me > 2
spleak > 2? Ha ha… are you sure? Please enter your age again… your REAL age, that is … ;)
Me > 8
spleak > Sorry, you are not eligible to talk to Spleak at this time.
Me > Hurray!
spleak > Sorry, you are not eligible to talk to Spleak at this time.

So, yeah … apparently this is some new form of advertising.

So, Privacy International has made official and extremely public what I’ve been muttering about for years: Google doesn’t care about your privacy. A recent study they published rated Google as the worst internet service. In fact, in light of the results, they actually called the study A Race to the Bottom – Privacy Ranking of Internet Service Companies.

We are aware that the decision to place Google at the bottom of the ranking is likely to be controversial, but throughout our research we have found numerous deficiencies and hostilities in Google’s approach to privacy that go well beyond those of other organizations. While a number of companies share some of these negative elements, none comes close to achieving status as an endemic threat to privacy. This is in part due to the diversity and specificity of Google’s product range and the ability of the company to share extracted data between these tools, and in part it is due to Google’s market dominance and the sheer size of its user base. Google’s status in the ranking is also due to its aggressive use of invasive or potentially invasive technologies and techniques.

I can’t really add much information that the news and reviewing magazines, radio, and blogs have written … The bottom line is that Google’s gathering unbelievable amounts of data, and not providing users with any way to have most of that data deleted. According to Privacy International this is because they don’t believe that they are collecting sensitive information ... even though they track your use of blogs, email, maps, and searches, as well as what links you click on, etc. On top of that, their corporate culture leads them to mix together the login, cookie, and tracking data from all their different services without explicitly telling you they will do so, and they retain the data for years. Ultimately they have a “track history of ignoring privacy concerns” and their response to this report doesn’t make one think they’re taking it seriously.

Oh, and just as a postscript, this reaction from Kevin Bankston (an attorney at EFF) to Google’s new street view photos (streams of 360° photos taken from vans driving through dozens of major cities across the US):

There are a lot of people on the Web who are, I think, freaked out by this they find it kind of icky and uncomfortable, I don’t think Google has done anything illegal here, but I do think they’ve done something that’s exceptionally rude.