‘Open’ does not mean what you think it means

• Google gives early, priority access to select partners. ¹ This is hardly ‘open’ nature.
• Google buys partners. This not only is merely to get access to patents to use as defense in litigation, it also is hardly fair to other device manufacturers.
• Google takes an average of 100 days to open source Android code. ² The point of the ‘open’ principle is to allow everyone to contribute to the same set of code.
• Android is encumbered by patent lawsuits. More than half of Android OEMs have signed patent license agreements with Microsoft ³, and Samsung has well-publicized patent lawsuits from Apple. Google steals hard work and ideas from other companies, makes it ‘open’ (not free), and considers themselves justified. If you don’t like the patent rules, work to change the system, don’t abuse it. Play by the rules while working to change them.
• Slavish copying of the iPhone by Android manufacturers. See here ⁴ and here. ⁵
• Carriers block versions of Android if they choose ⁶. This is one of the flaws (features depending how you look at it) of the Android model. Every carrier can customize and distribute Android as they see fit. Unfortunately, this also means that they can choose to not distribute entire versions of their customers if they so choose.
• The idealisms of ‘open’ and ‘free’ are not enough to win. Linux zealots have been claiming for as long as I can remember that ‘this is the year of Linux’, that Open Source will triumph. Yet, the desktop market share of Linux has never gone much above 1% market share ⁷. Idealism is not enough. Just like communism, Open Source promises much in its ideology, but there are many practical matters in life that hinder reaching ideal. Only the billions of dollars thrown at Android by Google have given it any headway whatsoever.
• Developers live by the profit generated from their code. They will go where the money is. iOS generates 4 times as much return for developers as Android ⁸, so this leads to more investment in the platform, and better apps for the platform.

‘Open’ does not mean safer

• Android has seen a rise of malware (37% increase last quarter, 1000 detected infections, doubled over the past year). ⁹ Almost all new mobile malware targets Android. Just because software might be ‘open’, does not mean that exploits are patched and gone.
• CarrierIQ. Precisely because the Android distribution model allows carriers to install their own customizations/bloatware on devices before distributing, nefarious apps like CarrierIQ can be installed and customized to scrape all your data, including text messages and email. So the average customer gets a device that they believe is safer because it’s ‘open’, but the carrier may have already exploited that ‘open’ nature and implemented spyware.
• Viruses are prevalent on Android. Because apps are not vetted, it is free range for coders/hackers to distribute malicious apps. There was a 400% increase in malware Year Over Year in May 2011, and in 2H 2011, another 472% increase.¹⁰
• I’ve heard arguments that Android has permissions that can be set on a per-app basis, and that this makes the device secure. This model of security however, has been broken, using the very model designed to protect it.¹¹ It does not make your device secure.
• Another excuse I hear frequently is that the user should make sure that they are installing legitimate apps. No, just no. Respecting a user means taking all that background gunk out of the picture and giving them peace of mind. They should not have to worry about whether the app is safe or not… that is up to the distributor. Users in general are not inclined toward technology, and just want something that works. You don’t ask to see your bus driver’s license every time you get on the bus because you trust the transit commission. Why should a user have to worry about whether the app they’re installing is safe if coming from a primary distributor?
• I also hear the excuse that a user may need to sacrifice security for choice. Again, no. Microsoft and Apple have managed to bring the best of both worlds in a closed model, so this is merely an excuse for selling Android’s ‘open’ness with its security flaws.
• I also hear that if users want security, they should only stick with ‘trustworthy’ sources. This violates the entire principle of ‘open’! A user should not have to go to ‘trustworthy’ sources at the expense of ‘open’, if you are selling to them on the principle of ‘open’!
• A misconception I often hear is that viruses infect iOS and WP7, proven by the jailbreak toolkits. No. Exploits are not viruses, and viruses are not exploits. An exploit is a vulnerability, a virus is something malicious that takes advantage of the vulnerability. Android is the only major smartphone platform invaded by viruses, thanks to its ‘open’ model.
• Carriers distribute updates infrequently. Typically, after 6 months, carriers/OEMs of Android phones no longer distribute updates.¹² This means all those security vulnerabilities that have been discovered, are no longer patched. New security enhancements and features in new phones are not available on the old phones. This is because there is too much cost and no incentive to either the carrier or the OEM in the ‘open’ model to distribute updates to their users. Compare this to the iOS and WP7 platforms, where updates are mandatory on WP7, and updates are still being distributed for the latest OS to even 2.5 year old iPhone models.

‘Open’ does not mean better

• As we saw above, ‘open’ systems will always lag behind ‘closed’ systems in areas of design and UI/UX, thanks to the very nature of those developing ‘open’ systems.
• ‘Open’ systems will generally be significantly weaker in security, thanks to the principle of allowing anyone to distribute whatever they want. There is no real safeguard to prevent coders with malicious intent from distributing their wares to unsuspecting users.
• As MG Siegler points out¹³, comparing an iOS device to an Android device is a bit like comparing a Mercedes to a Honda. Those who appreciate design and experience will get much more out of the Mercedes, but have difficulty telling someone who only appreciates functionality why.
• Android has poor integration with enterprise services. No native IPsec VPN, and varying Exchange compatibility between OS versions. Thanks to the carriers who choose not to ensure updates to their devices, the support effort required to support Android on an enterprise deployment becomes astronomically larger in comparison to properly governed systems in a closed model.
• There is no official support desk for Android. This is a huge barrier for many enterprises. Sure, there are many forums with coders and hackers to come up with fixes, but how many of them have experience in an enterprise setting, and would be able to resolve issues involving infrastructure beyond the device itself?
• ‘First’ is irrelevant. Arguing that one OS or piece of UI was developed before a competitor is irrelevant when it comes to which is better. Stop sidetracking!
• In general, Android apps are not as polished as iOS or WP7 apps, thanks to reasons I outlined previously. Low-quality apps from more sources is not ‘better choice’ than high-quality apps from a single source.
• ‘More Choice’ does not necessarily attract a customer. Simple is often better, and when you look at the lineup of iOS phones (4 phones) vs the hundreds of phones from other vendors, a user will often pick from a simple, easy to understand lineup. A very interesting study on this here.¹⁴
• Feature phones do not equal smartphones. By stripping down Android as a base OS for cheap/free phones that provide basic phone service with a few extra features increases market share. However, this increased marketshare does not make Android a better smartphone OS, as it’s no longer a smartphone. It merely speaks to the flexibility that Android can function.
• Being able to install Flash because it’s ‘open’ does not make it better. Mobile Flash has proven to be a battery and performance killer on every platform. Installing a now-deprecated¹⁵ battery and performance killer does not make the platform better.
• ‘Open’ software does not mean able to change your battery. This is something that is at the discretion of the manufacturer. Some will choose to make it user-serviceable, others will not. The only thing that really matters in this scenario is the cost and downtime to fix it.
• ‘Open’ does not mean better quality of code. Firefox for example, is incredibly bloated on the Mac OS, and runs poorly. It also has hit the 32bit limitation for compiling.¹⁶ Open does not mean better code or coding practices.

extension-dll-exception

Cause

Figured out that the error is happening due to .Net Framework 4 being installed, and FIM attempting to use .Net 4 instead of .Net Framework 2. This is a new issue that occurred in the June 2011 CU for Sharepoint 2010, and unbeknownst to us, the June CU was re-released to fix it. We were still utilizing the original June CU.

Resolution

This issue can be fixed by either installing the latest version of June CU, or by following the steps below.

1. Open

   C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\Bin\miiserver.exe.config

   for editing.
2. Locate the below section:
   
   

   <startup useLegacyV2RuntimeActivationPolicy="true">
     <supportedRuntime version="v4.0.30319"></supportedRuntime>
     <supportedRuntime version="v2.0.50727"></supportedRuntime>
   </startup>

3. Delete or comment out the reference for the .NET v4 version. Like this:
   
   

   <startup useLegacyV2RuntimeActivationPolicy="true">
     <!-- <supportedRuntime version="v4.0.30319"></supportedRuntime> -–>
     <supportedRuntime version="v2.0.50727"></supportedRuntime>
   </startup>

   or
   
   

   <startup useLegacyV2RuntimeActivationPolicy="true">
       <supportedRuntime version="v2.0.50727"></supportedRuntime> 
   </startup>

4. Restart the two FIM services in the services console.
5. Run the sync again.

SMS_MP_Control_Manager errors:

Navigate to %windir%\\System32\\inetsrv\\config\\schema, take ownership of webdav_schema.xml,  remove the readonly attributes, and edit them to these:

attribute name=”allowAnonymousPropfind” type=”bool” defaultValue=”true”
attribute name=”allowInfinitePropfindDepth” type=”bool” defaultValue=”true”
attribute name=”allowCustomProperties” type=”bool” defaultValue=”false”

If issues, still exist, and your authoring rules are correct, try removing WebDAV, rebooting, re-installing WebDAV.

Clients not talking to server:

• Is the client push installing? If not, check WMI is enabled on the client firewalls
• Are site boundaries defined?
• Is the install flag cleared?
• Is a sitecode defined in your AD schema? If so, are the clients picking it up? Sometimes your clients may appear to have a site code assigned (from the SCCM console), double-check on your client machines to be sure they are actually picking it up. If this has occurred, please see the following note.
• Are you using a GPO with the Configuration Manager ADM template to control the site code? If so, be aware that it works by applying a registry key (also considered a preference, so it’s stickied unless you explicitly define a removal policy for it). This registry key defaults to an x86 portion of the registry. The actual key for an x64 machine is located elsewhere, and needs to be defined in the following key:

‘HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\SMS\\Mobile Client\\AssignedSiteCode’

I recommend pushing this registry key out by GPP in one of your GPOs, and then initiating a re-install of the SCCM client on the machines affected.

WSUS MP issues:

1. Remove WSUS, delete the existing database.
2. Remove WSUS component from SCCM.
3. Reboot server. Re-add the WSUS role. You may have to manually download WSUS with SP2 from Microsoft Download Center if you are encountering errors re-adding the role. Do NOT configure the WSUS role when re-adding.
4. Re-install WSUS component in SCCM.

Forefront Endpoint Protection 2010 installation on SCCM failing:

When installing FEP2010 on SCCM, you may be hit with an error just before installation completion that ‘Setup was unable to create unknown machines. 0×80070003‘, and/or that sms_def.mof couldn’t be updated. This occurs because the FEP2010 setup is looking for the x86 Program Files directory for one of the last steps, and not using the default Program Files directory on an x64 machine.   To resolve the first error, do the following:

1. Manually create this folder structure:  Program Files (x86)\\Microsoft Configuration Manager\\inboxes\\auth\\ddm.box  (give folder same ACL’s as is on existing installed directory)
2. Run R2 setup again. When install completes, copy the two DDR’s from the C:\\Program Files (x86)\\Microsoft Configuration Manager\\inboxes\\auth\\ddm.box and place them it into the “C:\\Program Files\\Microsoft Configuration Manager\\inboxes\\auth\\ddm.box” (where SCCM is actually installed):
3. Once the DDR’s processed the R2 installation should succeed.

To resolve the error about sms_def.mof not updating, do the following:

1. Manually create C:\\Program Files (x86)\\Microsoft Configuration Manager\\inboxes\\auth\\clifiles.src\\hinv
2. Copy C:\\Program Files\\Microsoft Configuration Manager\\inboxes\\auth\\clifiles.src\\hinv\\sms_def.mof to the folder you just created
3. Re-run FEP2010 setup and then copy C:\\Program Files (x86)\\Microsoft Configuration Manager\\inboxes\\auth\\clifiles.src\\hinv\\sms_def.mof back to the original Program Files path.

On the existing SCVMM share, I noticed that it had the local Users and Administrators groups added to the NTFS permissions. After adding both these to the ACL on the share I was trying to add, SCVMM was able to add the share. I’m assuming this is related to how the SCVMM agent operates.

So, if you’re having issues adding a network share to an SCVMM library, check the local NTFS ACL, and try adding the local Users and Administrators group to the folder.

I could be wrong, but it looks like they’re enabling home WiFi streaming via Home Sharing in iOS 4.3 and iTunes. This is something I’m definitely excited about.

Watching some of the Engadget videos I must say the new device looks fast as hell. I didn’t think they could make iPad 1 look slow, but watching those videos I get the feeling that my iPad lacks some of the power and speed of the new ones, particularly in regards to real-time media editing in the Photo Booth application.

Speaking of movie editing, it looks like they’re really targeting home media production with this new device. Those new movie/audio apps, the HDMI out, and AirPlay turn iPad into a powerhouse for media generation.

I appreciate and agree with Steve’s comment near the end. “Our competitors are looking at this like it’s the next PC market. That is not the right approach to this. These are post-PC devices that need to be easier to use than a PC, more intuitive.” An important distinction in mentality I think. The PC market was for reasonably tech-savvy people, or people with reasonably tech-savvy relatives. The tablet/post-PC market is a new generation, one where anyone can pick one up and being computing. There’s no fear of technology, just something that stimulates curiosity.

Those are my thoughts for now. I won’t buy one now as the only benefit I get is the new form factor and Facetime communication. The speed is not something I need at this point since I don’t produce home movies or audio. However, while it’s not a jaw-dropping new product, it is definitely a quality upgrade to the product line.

Next I checked the ISA 2006 event logs. I started seeing a lot information events about packets dropped because of invalid data. These packets were coming from the servers configured in the root hints. It seemed odd, as they were literally filling my event logs. I stumbled across this¹ gem. Windows Server 2008 comes with a new protocol called EDNS turned on by default. These EDNS UDP packets are often well over 512 bytes. ISA 2006 apparently has issues handling these packets. Quickest solution: turn off EDNS.

EDNS can be turned off by the following command from an elevated command prompt: “dnscmd /config /enableednsprobes 0″

Immediately after disabling EDNS, clients had normal DNS lookups again. No more failed page lookups resolved by a refresh. There was one catch though: web browsing was drastically slow. In some cases it appeared an “ipconfig /renew” would fix it briefly, but for the better part of the day web browsing was slow. What was particularly odd was that speed tests would report the performance that we expected from our lines. After some Googling, I found this² Microsoft KB which describes slow web browsing performance between ISA and SBS 2008. While I don’t have SBS in my environment, I thought it might be related. I ran the hotfix, and after it did its thing, it restarted the firewall. I’m not sure whether the hotfix or the firewall restart (or both) was the solution, but after that our browsing performance was speedy again!

In the registry, browse to HKLM\\SOFTWARE\\Microsoft\\Microsoft Data Protection Manager\\Notification\\

Delete the SMTPPassword and SMTPUserName keys

That’s it, anonymous SMTP authentication works now!

Earlier this year my music collection started to seem a little stale, and I started to wish for more variety, more music I have not listened to. This lead me to consider a VPN, which would essentially tunnel my Internet connection to a server in the US, allowing me to access Pandora and other sites such as Hulu ⁴. I considered paying for a subscription to a VPN, but was having difficulty finding one that was reasonably priced and would tunnel my connection properly (all my data needs to flow through the US IP, not just a HTTP proxy). The other requirement was that the VPN be accessible via my iPad and iPhone as well as my desktop computers (Windows and Mac), and the only type of VPN connection that seemed to adequately satisfy my needs was an L2TP/IPSec VPN.

Since I couldn’t find a VPN service that seemed to satisfy my needs, I decided to create my own, which means I need root access to a server. I also plan to tunnel a lot of data, considering I will primarily be using it for media streaming. I also didn’t want to pay Windows Server licensing fees, so decided to take the route of Ubuntu Server. OpenVPN does not do native L2TP/IPSec, so was out of the question considering my iPad/iPhone requirement. This left StrongSwan and FreeSwan as the potential VPN platforms.

I started looking at LowEndBox ⁵ for cheap Virtual Private Servers (VPS) that came with copious amounts of data. I don’t need much processing power… just a lot of bandwidth. Initially I thought I found a great service for $5/mo… an OpenVZ based VPS with unlimited data. I purchased a couple months worth, and began setting up an Ubuntu 10.10 server, using the guide at ByBacon.com ⁶.

It was then that I hit a major stumbling block. Every time that I attempted to initiate a connection with the VPS from any one of my clients, the server would fail to respond. Checking the server logs, I didn’t see any record of either PPP connections or IPSec initiations. Obviously there was an issue with the NIC interface.

On investigation, I found that OpenVZ creates virtual, emulated ethernet devices, using the name VENET, with no MAC address. IPSec VPN service I was attempting to use requires root-level access to the device itself, as well as an accessible MAC address. Now, this can be accomplished using a TUN/TAP device… but requires some not-so-simple changes by the OpenVZ administrator. I put in a ticket to have one created, but unfortunately the service I’d paid for happens to not support creating these devices for clients.

So… I needed to find a different service… either Xen-based or VMware-based. Eventually I found a service from ENScloud ⁷ that seems to work well, and provide me with copious amounts of bandwidth. It took about a week for them to provision my server and IP, but after the initial hiccup everything seems to function well (their support guy Brandon was more than helpful after I put in a ticket requesting update). I’ve been listening to Pandora a lot since the VPN was created.

I eventually plan to rent out access to my VPN to family and friends, as I want to recoup my costs, so I figure that if I can rent out access for $5/yr if I get 12-15 people interested. I’ve managed to get it working easily under Windows (certificate-based), Mac, iPad, and iPhone, so no matter what platform family and friends are using, it will be accessible to them. I would eventually like to get a WebDAV service running as part of the service, so those with iWork for iOS can use it for cloud document storage.

I’d like to start with one of the changes to application state management. Starting in OS X 10.7, developers will have API’s similar to iOS, and possibly requirements as well, to auto-save their application state. This means that when a user exits an application, and relaunch, it will re-open right where they left off. In addition, a few keen-eyed observers have noticed a lack of running application indicators in 10.7′s dock. This indicates to me that the dock will become similar to iOS’s dock, merely a launch area for frequently used applications, and not a means of managing open applications. This, combined with auto-state saving for applications, and an emphasis on full-screen application view, also indicates to me that the operating system will also handle memory and process management the way iOS does. Developers should no longer expect to leave their applications running at all times.

Obviously, if application state management changes to an iOS style system, then we should expect drastic performance increases on the Mac computing platform. If an iPad or iPhone can perform the way they do with the A4 processor and limited RAM, imagine what a desktop can do with copious amounts of RAM and processor power.

Another item I found very interesting was the introduction of the Mac App Store. While a logical next step for Apple, it caught me by surprise. I think this is a particularly noteworthy evolution of the Mac platform for both developers and end-users. To my eyes, the Mac App Store brings:

• Exposure for end users to indie software. Many new users to the Mac platform miss out on a lot of the capabilities of their Mac, simply because they are unaware of third-party hole-in-the-wall websites for software. Now they will see new and nifty applications highlighted for them, as well as Genius results for software they might also like.
• Exposure for developers. No longer a little site in a corner of the web, with their software going un-noticed. Now a proper repository, with great exposure, and millions of eyeballs viewing.
• Easy software maintenance for end users. Once a user has purchased software, updates will become something routine, a habit formed when they visit the App Store. Developers will have much less likelihood of having to troubleshoot out-of-date software. Not only easy maintenance of updates, but also easy maintenance of licenses. No longer a requirement to store different license files or keys in some central backup location or email.
• Easy software distribution for developers. Developers no longer have to worry about creating proprietary licensing or activation mechanisms. They no longer have to worry about creating a website to host their software. They no longer have to be concerned about creating proprietary updating mechanisms. All can be done through the App Store.
• Easy in-app upgrades. A new mechanism for developers to add extra content into their applications. Enough said.

The Mac App Store is a noteworthy addition to the Mac platform. I completely understand Apple’s decision to push it out within the next 90 days.

Another item of note is the coming of Push Notifications in the FaceTime beta. I suspect we’ll see this fully implemented in OS X 10.7. I suspect this will give rise to a new class of desktop applications and services.

These are the things I think particularly noteworthy in Apple’s next OS. Snow Leopard was a performance upgrade. OS X Lion looks like it will be an upgrade that brings huge advances in refinement to the desktop computing experience.