“We clearly missed the mobile phone”

Slashdot: Satya Nadella: “We clearly missed the mobile phone.” What is so frustrating to those of us whose fortunes were tied to Microsoft’s (I was an intern in 2001 and an employee from 2002 to 2004) is that it wasn’t for lack of trying.

There was constantly something going on in mobile, often with senior leadership taking the reins. But too often the effort amounted to pushing a version of the Windows user experience into a handheld format.

The lesson? Don’t let your product portfolio strategy overrule user experience, or users will overrule you.

Ten-year lookback: the Trustworthy Computing memo

On the Veracode blog (where I now post from time to time), we had a retrospective on the Microsoft Trustworthy Computing memo, which marked its tenth anniversary on the 15th. The retrospective spanned two posts and I’m quoted in the second:

On January 15, 2002, I was in business school and had just accepted a job offer from Microsoft. At the time it was a very different company–hip-deep in the fallout from the antitrust suit and the consent decree; having just launched Windows XP; figuring out where it was going on the web (remember Passport?). And the deep breath that the Trustworthy Computing memo signaled was the biggest sign that things were different at Microsoft.

And yet not. It’s important to remember that a big part of the context of TWC was the launch of .NET and the services around it (remember Passport?). Microsoft was positioning Passport (fka Hailstorm) as the solution for the Privacy component of their Availability, Security, Privacy triad, so TWC was at least partly a positioning memo for that new technology. And it’s pretty clear that they hadn’t thought through all the implications of the stance they were taking: witness BillG’s declaration that “Visual Studio .NET is the first multi-language tool that is optimized for the creation of secure code”. While .NET may have eliminated or mitigated the security issues related to memory management that Microsoft was drowning in at the time, it didn’t do anything fundamentally different with respect to web vulnerabilities like cross-site scripting or SQL injection.

But there was one thing about the TWC memo that was different and new and that did signal a significant shift at Microsoft: Gates’ assertion that “when we face a choice between adding features and resolving security issues, we need to choose security.” As an emerging product manager, I found that an important principle to absorb–security needs to be considered as a requirement alongside user-facing features and needs to be prioritized accordingly. It’s a lesson that the rest of the industry is still learning.

To which I’ll add: it’s interesting to look back at what I blogged about this at the time and what I didn’t. As an independent developer I was very suspicious of Hailstorm (later Passport.NET) but hadn’t thought that much about its security implications.

Comprehensive security guide for Windows Communication Foundation

The developer’s challenge in writing secure code is two-pronged: first, understanding the threat landscape; second, coding defensively and following best practices to avoid introducing security vulnerabilities. The WCF Security Guide, now available for download from Microsoft, is a pretty impressive document (600+ pages) that combines threat landscape definition with specific coding practices, leveraging Microsoft’s Windows Communication Foundation (part of the .NET Framework from version 3.0 on).

WCF is an impressive framework that allows the creation of applications that do everything from turnkey SOAP web services to custom communications channels, with tons of flexible configuration options. The downside of that flexibility is that many of the choices the framework offers have serious security implications, and the tradeoffs aren’t necessarily clear at development time. For instance, WCF lets you define the security mechanism used to protect a communication stream–transport level, message level, or none; encryption, message signing, or both–and some of the options make deploying services more complex (requiring the service to run as a domain user, for instance). The guide walks you through a lot of these decisions, as well as basic secure coding practices ranging from input and output sanitization to designing to survive a DoS attack.
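To make the flavor of these choices concrete, here is a minimal sketch (mine, not the guide’s; the contract and address are invented for illustration) of standing up an endpoint with message-level security in code:

```csharp
using System;
using System.ServiceModel;

// Hypothetical one-operation contract, just to give the endpoint something to host.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string Ping();
}

public class OrderService : IOrderService
{
    public string Ping() { return "pong"; }
}

class Program
{
    static void Main()
    {
        // Message-level security: each message is signed and encrypted,
        // independent of the transport it travels over.
        var binding = new WSHttpBinding(SecurityMode.Message);

        // Windows credentials mean callers must authenticate against the
        // domain -- one of the deployment constraints mentioned above.
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        using (var host = new ServiceHost(typeof(OrderService),
            new Uri("http://localhost:8000/orders")))
        {
            host.AddServiceEndpoint(typeof(IOrderService), binding, "");
            host.Open();
            Console.WriteLine("Listening; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

Flip that one SecurityMode value to Transport or None and the wire format, the certificate and account requirements, and the failure modes all change–which is exactly why the guide spends so many pages on these decisions.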

BrowseRank and the challenge of improving search

I posted a quick link to an article about Microsoft’s new BrowseRank search technology a few days ago. Here’s why the paper is informative, why I think BrowseRank is an interesting technology for improving search, and why I think it’s doomed as a general-purpose basis for building relevance data for the web.

Informative: This paper should be required reading for anyone who wants to know the fundamentals of how web search ranking currently works, what PageRank actually does for Google, and how to objectively test the quality of a search engine. It also offers an interesting two-pronged critique of PageRank:

  • PageRank can be manipulated. PageRank assumes that a link from a page with authority to another page confers some higher rank on the second page. The paper points out the well-known issue that, since the “authority” of the first page is also derived from inbound links, it’s possible to use Google bombing, link farms and other mechanisms to artificially inflate the importance of individual pages for fun and profit. It’s pretty well known that Google periodically adjusts its implementation of PageRank to correct for this problem.
  • PageRank neglects user behavior. The paper argues this somewhat tendentiously, saying that PageRank doesn’t incorporate information about the amount of time the user spends on the page–of course, the paper’s whole hypothesis is that time on page matters, so this doesn’t reveal any deep insight into PageRank. But it’s an interesting point that PageRank does assume that only web authors contribute to the ranking algorithm. Or does it? I’ll come back to this in a bit.

Interesting: The proposed BrowseRank algorithm uses user data–pages visited, browse activity, and time on page–to create a user browsing graph that relies on the user’s activity in the browser to confer value on pages. The authors suggest that the user data could be provided by web server administrators, in the form of logs, or directly by users via browser add-ins. A footnote helpfully suggests that “search engines such as Google, Yahoo, and Live Search provide client software called toolbars, which can serve the purpose.”

The claim of the paper is that user behavior such as time on page confers an “implicit vote” on the content in a way that’s harder to spam than PageRank. I’ll come back to this point too.
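To make the mechanics concrete, here’s a toy sketch of the kind of computation involved. This is my simplified, discrete reading of the idea, with invented data; the actual paper uses a continuous-time Markov process, which this doesn’t reproduce:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

class BrowseRankSketch
{
    static void Main()
    {
        // Toy browsing data: observed transition counts between pages, and
        // total dwell time (seconds) users spent on each page.
        var pages = new[] { "A", "B", "C" };
        var transitions = new Dictionary<string, Dictionary<string, double>>
        {
            ["A"] = new Dictionary<string, double> { ["B"] = 10, ["C"] = 2 },
            ["B"] = new Dictionary<string, double> { ["A"] = 3, ["C"] = 5 },
            ["C"] = new Dictionary<string, double> { ["A"] = 4 },
        };
        var dwell = new Dictionary<string, double> { ["A"] = 120, ["B"] = 400, ["C"] = 30 };
        double totalDwell = dwell.Values.Sum();

        // Time on page is the "implicit vote": it feeds the reset/teleport
        // component instead of the uniform jump that PageRank uses.
        var score = pages.ToDictionary(p => p, p => dwell[p] / totalDwell);

        const double alpha = 0.85; // probability of following a click vs. jumping
        for (int iter = 0; iter < 50; iter++)
        {
            var next = pages.ToDictionary(p => p, p => (1 - alpha) * dwell[p] / totalDwell);
            foreach (var from in pages)
            {
                double outWeight = transitions[from].Values.Sum();
                foreach (var edge in transitions[from])
                    next[edge.Key] += alpha * score[from] * edge.Value / outWeight;
            }
            score = next;
        }

        foreach (var p in pages.OrderByDescending(p => score[p]))
            Console.WriteLine($"{p}: {score[p]:F3}");
    }
}
```

The structural difference from PageRank in this sketch is small–swap the dwell-time vector for a uniform one and you’re back to something PageRank-shaped–but that vector is exactly where the user’s behavior, rather than the author’s links, enters the ranking.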

Doomed: BrowseRank relies on the following:

  1. A way to obtain a statistically valid sample of user browsing information
  2. A reliable way to determine intent from user browsing information, such as session construction
  3. Evidence that time on page is a statistically valid indicator of page quality

Each of these requirements presents non-trivial problems.

User browsing information. The paper proposes that user browsing data can be obtained by the use of a client-side browser plugin or by parsing server logs, and says that this practice would eliminate linkspam. Well, yeah, but it opens up two concerns: first, how are you going to recruit those users and site administrators so that you get a representative sample? And second, how do you ensure that the users are not themselves spamming the quality information? In the first case, we have plenty of evidence (Alexa, comScore) that user-driven panel results can yield misleading information about things like site traffic. In the second case, we know that it’s trivial to trick the browser into doing things even without having a toolbar installed (botnet, anyone?), and it’s been proven that Alexa rankings can be manipulated.

In short, the user browse data model has two problems: it’s hard enough to recruit a representative panel of honest users willing to install a plugin that monitors their online activities, and screening spam activity out of the resulting data is harder still.

Session construction: Knowledge about the user’s session is one of those interesting things that turn out to be quite difficult to construct in practice, especially when you care about meaningful time-on-page data. The method described in the Microsoft paper is pretty typical, and neglects usage patterns like the following (see the sketch after this list):

  1. Spending large amounts of time in a web app UI opening tabs to read later (web based blog aggregator)
  2. Going quickly back and forth between multiple windows or multiple tabs (continuous partial attention)
  3. Walking away mid-session, so the last page gets assigned too much time on page under the arbitrary 30-minute session limit (the “bathroom break” problem)
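Here’s the kind of gap-based sessionizer the paper describes, as a hedged sketch–the log format and the 30-minute cutoff are my assumptions for illustration. The comment marks where pattern 3 bites: the closing page of every session gets a guessed time on page.

```csharp
using System;
using System.Collections.Generic;

class SessionSketch
{
    // A single page view from a hypothetical browsing log.
    record PageView(string Url, DateTime Timestamp);

    const double SessionGapMinutes = 30;

    static void Main()
    {
        var log = new List<PageView>
        {
            new("example.com/a", DateTime.Parse("2008-07-28 09:00")),
            new("example.com/b", DateTime.Parse("2008-07-28 09:03")),
            new("example.com/c", DateTime.Parse("2008-07-28 10:15")), // 72-minute gap: new session
        };
        Console.WriteLine("Sessions: " + Sessionize(log).Count); // prints 2
    }

    // Split one user's click stream into sessions, estimating time on page
    // as the gap until the next click.
    static List<List<(string Url, TimeSpan TimeOnPage)>> Sessionize(List<PageView> views)
    {
        var sessions = new List<List<(string Url, TimeSpan TimeOnPage)>>();
        var current = new List<(string Url, TimeSpan TimeOnPage)>();
        for (int i = 0; i < views.Count; i++)
        {
            bool isLast = i == views.Count - 1;
            TimeSpan gap = isLast ? TimeSpan.Zero
                                  : views[i + 1].Timestamp - views[i].Timestamp;
            if (isLast || gap.TotalMinutes > SessionGapMinutes)
            {
                // No later click closes this page view, so its time on page is a
                // pure guess; capping it at the session limit is typical, and a
                // bathroom break looks identical to rapt attention in the log.
                current.Add((views[i].Url, TimeSpan.FromMinutes(SessionGapMinutes)));
                sessions.Add(current);
                current = new List<(string Url, TimeSpan TimeOnPage)>();
            }
            else
            {
                current.Add((views[i].Url, gap));
            }
        }
        return sessions;
    }
}
```

Patterns 1 and 2 are the mirror image: tab-parkers and window-switchers generate gaps that look like reading time when they aren’t.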

Time on page as an indicator of search quality: This is where my main gripe with the article comes from. The authors conclude that their user browsing graph yields better results than PageRank and TrustRank. The problem is, better results at what? The tests posed were to construct a top 20 list of web sites; differentiate between spam and non-spam sites; and identify relevant results for a sample query. The authors claim BrowseRank’s superiority in all three areas. I would argue that the first test is irrelevant; the second was not done on an even playing field; and the third is incomplete. To wit: First, if you aren’t using the relationship between web pages in your algorithm, you shouldn’t need to know what the absolute top 20 sites are because the information is completely irrelevant to the results for a specific query. Second, conducting a test on spam sorting with user input that operates on a spammy corpus without spammy users is not a real world test.

Third, the paper’s authors themselves note that “The use of user behavior data can lead to reliable importance calculation for the head web pages, but not for the tail web pages, which have low frequency or even zero frequency in the user behavior data.” In other words, BrowseRank is great, if you only care about what everyone else cares about. The reality is that most user queries are in the long tail, so optimizing how you’re doing on the head web pages is a little like rearranging deck chairs on the Titanic. And because we don’t know what the sample queries were for this part of the study, it’s impossible to tell for which type of searches BrowseRank performs better.

Finally, there’s a real philosophical difference between BrowseRank and PageRank. BrowseRank assumes that the only interaction a user can have with a web page is to read it. (This is the model of user as consumer.) PageRank makes a more powerful assumption: that users are free to make contributions to the web by adding to it, specifically by writing new content. The paper talks a lot about Web 2.0 in the context of sites like MySpace and Facebook, but arguably PageRank, which implicitly empowers the user by assuming their equal participation in authoring the Web, is the more Web 2.0-like metric.

Outlook 2007 annoyances: keyboard shortcuts

Things you can’t do with Outlook 2007: assign custom keyboard shortcuts to Ribbon items.

This is annoying if you have certain keyboard shortcuts hardwired. For instance, in Outlook 2003 (and Word) one could access the “Paste Special” command (which gives a number of optional formats in which content can be pasted into a document, including unstyled text) with the keyboard shortcut alt+E, then S. Alt+E is an old Windows keyboard shortcut that allows accessing menus using their accelerator key, and for several Outlook releases, “Paste Special” has had S as its accelerator key.

Fast forward to Outlook 2007. The editing window uses the Ribbon, rather than menus, and so alt+E doesn’t do anything. However, alt+S does. So if you happen to hold down the alt key and type E S, thinking you’re going to paste something in the message, Outlook will merrily send it, minus whatever you were going to paste, instead.

Is there a solution? The only way around the issue that I’ve found requires writing a macro to invoke the functionality, assigning the macro to a custom toolbar button, and then mapping that button to a keyboard shortcut (say, alt+E). Convenient? No. Quick? No. In fact, there doesn’t seem to be a way to make it work consistently in Outlook at all.

Sigh. Hope we can get this fixed at some point.

Bill Gates’ Movie Maker experience, as seen from the inside

Yesterday I posted a quick link (last entry) to one of the epic Billg emails that somehow became evidence in the Microsoft antitrust trial. The mail was sent in January 2003, when I was working in the marketing group that was responsible for Microsoft.com, which was one of the groups implicated in the email about Bill’s being unable to find, download and install the updated version of Windows Movie Maker.

As someone who spent most of his next 18 months at Microsoft working on some of those challenges, here’s how Bill’s experience matched up to problems with the Microsoft customer experience at that time. (Microsoft.com has completely changed by now, almost five years later, so I feel safe in describing the way it was then):

“The first 5 times I used the site it timed out while trying to bring up the download page. Then after an 8 second delay I got it to come up. This site is so slow it is unusable.” I don’t remember the specific issues here, except to note that capacity management was an ongoing challenge for a part of the site that typically saw between 60 and 80 million unique users a month.

“It wasn’t in the top 5 so I expanded the other 45. These 45 names are totally confusing. These names make stuff like: C:\Documents and Settings\billg\My Documents\My Pictures seem clear. They are not filtered by the system … and so many of the things are strange.” The Download Center was something of a battleground and the user experience showed it. The thought process was that search would be the primary way to allow people to get targeted downloads and the default experience would just be ordered by download frequency; the only filter was the country from which you accessed the site. The top 5/top 50 list that Bill refers to accordingly mixed downloads aimed at consumers, IT pros, developers, and business users without regard for audience or for operating system.

When the web marketing groups that I worked with did research to figure out how to fix this issue and present more targeted downloads, we found that there was no easy way to “fix it.” You couldn’t do it by OS–if an IT pro were logged in from his XP box and searching for server downloads he wouldn’t find them. You couldn’t even do it by cookie, because business users were consumers when they got home.

And the best part? Some execs who read this part thought that the answer was editorial promotion of “featured downloads.” Never mind that 99% of the users who came to Microsoft.com weren’t looking for Movie Maker; if Billg wants to see it in the top 5, let’s jam it into the top 5!!!!

“I tried scoping to Media stuff. Still no moviemaker.” The product groups owned the keywords used to describe their products, and though we had acres of search data to inform them, very few of them mined the search strings to figure out how to categorize their products. Usually the categories were driven by product group, and so “media” would have meant Windows Media–at that time a separate product group and totally disconnected from the Movie Maker team.

“I typed in movie. Nothing. I typed in movie maker. Nothing.” Ah, Search. I spent so long on problems with Microsoft.com Search that it’s not even funny. At this point in time the search engine behind the 4 million pages of content on Microsoft.com was based on the one that came with Commerce Server. Did Commerce Server scale to cover that much content? Did it do well with dynamically generated content like those download pages? Let’s just say there’s a new engine there now.

“So I gave up and sent mail to Amir saying – where is this Moviemaker download? Does it exist? So they told me that using the download page to download something was not something they anticipated.” Heh. This is my favorite point. Sadly it’s not as insane as it sounds. The product groups had control over their own content areas on Microsoft.com and so they thought that customers just knew to come to the Windows site to start looking for Windows downloads. This is one of the reasons that the Downloads site was such a ghetto; a lot of marketing groups didn’t understand that it was a destination for a lot of users and thus spent no time on it.

“They told me to go to the main page search button and type movie maker (not moviemaker!). I tried that. The site was pathetically slow but after 6 seconds of waiting up it came.” Search again. There was no internal search engine optimization effort, no one (in the program groups) looking at actual search keyword strings, and the search engine wasn’t smart enough to match moviemaker to movie maker. Since the keyword moviemaker didn’t appear on the page, the search didn’t return the content.

“I thought for sure now I would see a button to just go do the download. In fact it is more like a puzzle that you get to solve. It told me to go to Windows Update and do a bunch of incantations.” The product group had chosen to deploy MovieMaker as an optional download through Windows Update, rather than as a regular software download. Why? Well, the Windows product group had more control over WU than the downloads area. Plus, apparently they thought no one would ever want to download it. How many times do you look for optional downloads through Microsoft Update? Yeah, me either. And from this point the story becomes the familiar one of the nightmare of WU.

It’s really no wonder everyone hated Microsoft at this point. The web experience really showed no understanding of how users actually used the site and what they were trying to do.

So what would the right answer have been? Some steps were taken right away: a dedicated focus on improving Microsoft.com search through more scalable indexing and tuning and much better search algorithms. (Unfortunately, the guy who headed up the “better algorithms” part was famously sniped away by Google.) There was a better editorial focus across the entire site starting around this time, based on user behavior data, to improve the user experience. And there was significant improvement of the internal BI tooling to help us better understand what people were trying to do on the site (I worked on this part).

I wish I could say that the product groups started working together more closely to figure out an integrated user experience. I don’t know that I can give a fair perspective on what this part of Microsoft’s culture is like now, since I left in July 2004. But at the time this was the big drawback of Microsoft’s legendary empowerment of their product teams: all the incentives were there for individual product marketers to do everything they could for their particular product or product segment without considering how it played with the rest of what Microsoft did. While the Microsoft.com team that I worked on had this as its charter, we didn’t have the power to change things or override the product groups. In fact, Billg’s email and others like it were critical to Microsoft’s success because there were so few other mechanisms that considered the customer experience as a whole–and had the power to change it.

Getting Things Done with Outlook 2007, revisited

A while ago I posted a few things that I found about implementing the GTD methodology with Outlook. Since I recently changed jobs, I’ve had an opportunity to carry some of the best practices forward as well as start from ground zero (a true Inbox Zero!) in some other areas. Here’s a quick roundup of what I did on my brand new inbox to facilitate maximum productivity.

The very first thing I did was to download and install Taglocity, which has saved my bacon so many times. I don’t know why people who design software to manage large volumes of information don’t get this, so I’ll just say why I find it so superior to the built-in Categories feature: it is much, much faster to type in multiple tags for an inbound email than it is to make multiple mouse movements to pick multiple categories from a list. It’s fundamentally the same principle that makes Keyword Assistant absolutely necessary with iPhoto (at least, pre-2008). Email may be full text searchable, but from an actionability standpoint it’s just as opaque as photos until you give it context through tags. And the more tags, frankly, the better. All the UIs that assume that you’ll only be assigning one or two categories or tags are fundamentally broken because they don’t help solve the problem of how to find something later.

The second thing I did was to create exactly one sub-folder in my Inbox, called _archive. The underscore is a habit; it’s left over from when I had a billion subfolders and wanted to be sure my Archive folder bubbled to the top of the list.

The third piece was adopting the discipline that I’ve learned from practicing a little (a very little) GTD:

  1. Scan each mail for actionability.
  2. If it’s calendar related, triage it (right now that means “accept it” but a more complex triage process is required as my calendar actually gets full).
  3. If it’s a task, do it quickly (< 2 min) or tag it and add it to the task list.
  4. If it’s useful reference, tag it and add it into the archive.
  5. If it’s none of those things, delete it.

Lastly, I set up a few smart folders: Tag folders (smart folders that look at categorized items across all my mailboxes, created through Taglocity) for all my projects; a smart mailbox for Unread Mail and for Unread or For Follow Up items. Today, I added one other smart mailbox—items in my inbox that weren’t flagged, meaning that they hadn’t been processed or moved to the task list. I also set up a custom Shortcut bar and added task age to my To Do list view. The last three items were based on the helpful advice from David Ornstein in this blog post.

Some stuff I might try to do in the future: custom button bars based on the posts by Simon Guest (and again) and Omar Shahine, and maybe tweak some of my task creation settings based on the advice by Melissa Macbeth.

And what has fallen by the wayside? The Hipster PDA was cool for about five minutes. I’ve graduated, on those occasions where I don’t have my laptop, to a little Moleskine notebook. But increasingly everything goes directly into Outlook. Likewise, I’m not bothering with the customized Project form hack mentioned in the same old post; it never worked well enough under Outlook XP for me to try bringing it forward into Office 2007.

And I’m on the edge about Google Desktop; while I was hooked on it before, I’m starting to think critically about the tradeoff between security and functionality that it provides, and I’m not sure I like the conclusions I’m drawing. More later.

Getting to Inbox Zero with Outlook and Taglocity

A follow up to my earlier note about tags and Microsoft Outlook: I am happy to say that Taglocity has changed my life. I used to have folders in folders in folders and dealing with any received mail was torture. Now I’ve implemented tags and my workflow has totally changed.

I used to deal only with my unread mail, which was nice but it meant crud built up in my inbox. I used to flag mail messages as To Dos, but half the time I never got to reviewing the To Do list. Now I tag each mail message as it comes in (unless Taglocity can tag it for me), take whatever action is necessary on it, and move it to one archive folder. If I need to see a collection of messages about a particular subject, I use Taglocity’s filters or have it create a search folder for me.

My morning routine is a lot simpler too. I come in in the morning and the only things in my inbox are the ones that have come in since the night before. I delete most of the bacn, tag anything that I responded to the prior evening through Outlook Web Access (which doesn’t support tags), archive all tagged messages, and start processing all the new stuff.

The best part: that empty inbox. Now I work from my action list like I should have been doing all along. Inbox Zero is a good thing.

Some specific notes on Taglocity: using the Tag Cloud and other parts of the UI to assign tags and filters is a little challenging, since I tend to have a lot of tags. As in my tag collection in iPhoto, I find typing the tag name to be much, much easier. But having a Tag Cloud for my email is kind of cool anyway.

Outlook tags

I am an email junkie. There, I said it. So the question is, what to do about it?

I have two problems with my work email (home is a story for a different day). First, I tend to save every message that isn’t outright spam or one-word answers—and it’s only recently that I started deleting the latter. Second, I have a file folder for everything, a habit that I started back when I first used Eudora in the mid-90s. It’s the second habit that is especially bad; it doesn’t scale worth a tinker’s when you are receiving over a hundred messages a day that are non-spam. (Yeah, I know. I threw up a little in my mouth when I wrote that.)

So what to do? First thing for me that really has helped is installing Google Desktop on my Windows machine. Much faster than the native Windows search engine, and with the double-control-key quick lookup, much easier to get into and use. But the next thing is to eliminate folders, and that is proving much harder. Because often the title line or even the content of an email doesn’t tell me which customer or software release it is in reference to, Google Desktop can’t find everything.

So I’m going to start exploring tagging. After all, it works well for me for Flickr/iPhoto. Here are some quick links about tagging hacks in Outlook:

Somewhere there is another tool that I really liked at Microsoft—it collapsed all the messages in a thread into a single mail message, deleted all the redundant text, and trashed the original messages. Now that’s efficient.

Great mysteries of life: WPF edition

The Windows Presentation Foundation component of Microsoft’s .NET Framework 3.0 gives you a lot of bang for the buck—for instance, it includes a free spell checker. Unfortunately, you sometimes get what you pay for. There is no ability to add a custom dictionary in the current version of the spellchecker. There also appears to be no documentation on which dictionary the information is being drawn from, where it is stored on disk—even where the ignore list for an individual user is stored.
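For context, here is about the entire programmable surface in this version, as a minimal sketch: turn it on and pick a language. Everything past that–dictionary source, storage, ignore lists–is opaque.

```csharp
using System;
using System.Windows;
using System.Windows.Controls;
using System.Windows.Markup;

class SpellCheckDemo
{
    [STAThread]
    static void Main()
    {
        var box = new TextBox { AcceptsReturn = true };

        // Turn on the built-in checker: red squiggles plus right-click
        // suggestions, for free.
        box.SpellCheck.IsEnabled = true;

        // The dictionary is selected by the element's language tag; there is
        // no hook here for supplying a word list of your own.
        box.Language = XmlLanguage.GetLanguage("en-US");

        new Application().Run(new Window { Content = box, Title = "Spell check demo" });
    }
}
```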

So I tried some experiments: I created a Windows Search index over my AppData folder, opened a WPF application, and told it to ignore a misspelled word. I then searched for the misspelled word in my AppData folder and didn’t find it—meaning that the file containing the ignore list was not stored there. I even searched the registry and didn’t find the word. So where is it stored? It’s not in the base framework folders either…

Scripting data from SQL Server tables as DML

(Warning: technical post ahead.) Ever since leaving the PowerBuilder/Sybase/ERWin world behind, something I’ve missed is the ability to easily generate portable SQL scripts for populating a table with test data. There are plenty of solutions in SQL Server for migrating data—DTS/Integration Services, BCP, and others. But DTS and Integration Services have to be maintained in the increasingly clumsy SQL utilities and cannot be easily inspected to see if things have changed, and BCP is opaque—you can’t really examine a BCP result file in any easy way to see what the data looks like within. No, give me DML—even if it’s bulky, a long list of INSERT/UPDATE statements has the advantage of being easily readable and even modifiable.

Unfortunately, there isn’t an easy way using the Microsoft tools to produce DML from existing data in a table; all the scripting support in the old SQL Enterprise Manager and the new SQL Server Management Studio is aimed at producing DDL scripts that create or modify the tables. Management Studio in SQL Server 2005 will create template insert or update scripts, but won’t actually put data into them—a curious omission.
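In a pinch you can roll your own. Here’s a minimal sketch of the idea–the table name and connection string are placeholders, and it punts on binary columns, identity inserts, and date formatting niceties:

```csharp
using System;
using System.Data.SqlClient;
using System.Globalization;

class ScriptTableData
{
    static void Main()
    {
        // Placeholder connection string and table name.
        using (var conn = new SqlConnection("Server=.;Database=Demo;Integrated Security=true"))
        {
            conn.Open();
            var cmd = new SqlCommand("SELECT * FROM dbo.Customers", conn);
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    var cols = new string[reader.FieldCount];
                    var vals = new string[reader.FieldCount];
                    for (int i = 0; i < reader.FieldCount; i++)
                    {
                        cols[i] = "[" + reader.GetName(i) + "]";
                        object v = reader.GetValue(i);
                        if (v is DBNull)
                            vals[i] = "NULL";
                        else if (v is string || v is DateTime)
                            // Quote text and dates; double embedded apostrophes.
                            vals[i] = "'" + Convert.ToString(v, CultureInfo.InvariantCulture)
                                                   .Replace("'", "''") + "'";
                        else
                            vals[i] = Convert.ToString(v, CultureInfo.InvariantCulture);
                    }
                    Console.WriteLine("INSERT INTO dbo.Customers ({0}) VALUES ({1});",
                        string.Join(", ", cols), string.Join(", ", vals));
                }
            }
        }
    }
}
```

That gets you readable, diffable test data, but you end up maintaining it for every edge case, which is why a dedicated tool is welcome.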

SQL Scripter to the rescue. This nifty app offers the ability to script the data from any or all tables in a database as insert, update, or insert-when-new/update-when-existing statements. There are even features for exporting the data to CSV, Excel, and PDF. Pretty cool for a free utility. I’m now changing my process for creating a new demo database to use SQL Scripter to move my demo data from one environment to another.

Vista update: CSCService kills puppies

Following up on my earlier post about built-in system services sucking CPU: when we last left the story I had disabled the Offline Files service, better known as CSCService, as a likely candidate for my regular out-of-resources situation. Four days later, it looks clear that CSCService was the culprit. I have had no resource errors, no forced reboots, nor anything like the pain I was experiencing.

This isn’t to say that life is roses now. Vista is still slow and seems to get slower (to the point of being almost unresponsive) under relatively light loads. But it recovers now, where before it never did.

So the next questions are: what caused this process’s CPU and memory consumption to render the system unavailable, and why did it go haywire in the first place? I don’t know the answer to the second question, but I can only suspect that there’s something in my list of offline files that caused the service to start killing my system. I’ll try purging the list and reactivating the feature to see what happens.

But the other question: I’m pretty sure that the unresponsiveness has to do with the fact that CSCService was running in the same process space with half a dozen other services, including the window manager. Bad, bad, bad, bad, bad, as Juliette Lewis said in Natural Born Killers. I think I read something about changing which svchost group a service runs in via the registry, to isolate it from the others; that might be the other thing worth trying to get the feature working again.

For now, I’m just happy that the perp has been fingered.

A possible solution to Vista issues

My previous exploration of Vista service packs and hotfixes led nowhere close to fixing my Vista issues. I was a little dejected for a while. But now I may have something to go on.

Excel 2007 just locked up on me today, as did Outlook. Recognizing the symptoms of an incipient total freeze-up of the system, I went in to take a look at the Task Manager. This once, I caught the conditions early enough that I was able to launch it and do some exploration. I quickly found a svchost process that was consuming a fair percentage of CPU (around 33%) and, more troubling, was also consuming memory—as I watched and investigated, it climbed from around 33 MB to over 60 MB.

I ran tasklist to see what that svchost process was running (a single svchost can host multiple services), but couldn’t figure out which service was the problem. I found that if I right-clicked on the process on the Process tab and chose Services, it would take me to the first service in the list that was running in that process. I then sorted the list of services by PID, opened a command prompt, and systematically started net stopping the services owned by that PID.
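For what it’s worth, the PID-to-service mapping can also be pulled programmatically. A hedged sketch using WMI–the PID is a placeholder, and you need a reference to System.Management.dll:

```csharp
using System;
using System.Management; // add a reference to System.Management.dll

class ServicesInProcess
{
    static void Main(string[] args)
    {
        // PID of the suspect svchost instance; 1234 is a placeholder.
        string pid = args.Length > 0 ? args[0] : "1234";

        // Win32_Service exposes the hosting process ID for every service.
        var searcher = new ManagementObjectSearcher(
            "SELECT Name, State FROM Win32_Service WHERE ProcessId = " + pid);
        foreach (ManagementObject svc in searcher.Get())
            Console.WriteLine("{0} ({1})", svc["Name"], svc["State"]);
    }
}
```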

I found a few surprises; for instance, if you stop the uxsms service, which is responsible for the window manager, your screen goes totally black—but still accepts keyboard input. I was able to type in net start uxsms and bring the window manager back up. But none of the services I stopped fixed the climbing memory consumption, until I hit pcasvc, the Program Compatibility Assistant, which exists to support applications written for older versions of Windows. When I stopped the service, the memory usage stopped climbing and fell back, and I was able to do a clean reboot—though my Excel session never recovered.

A search indicates that other users have trouble with the same svchost process, though they indicate other culprits (ReadyBoost is one that gets mentioned). So there may be something going on here.

Update: Further testing indicates another possible culprit, which I disabled at the same time: CSCService, which supports Offline Files. It now appears pcasvc is OK. We’ll see if disabling CSCService does the trick.