As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 9 years ago.
There have been a lot of buzz around IE6NoMore campaign.
What's the easiest way to recommend users to upgrade their browser?
Use conditional comments targeting IE. This way other browsers/bots (even when masquerading as IE) won't see it.
Make sure the message is polite and unobtrusive. Focus on benefits of change ("our website is faster and easier to use in up-to-date browsers") rather than negative aspects of IE (otherwise users could interpret this as ridicule of them or anti-Microsoft fanboyism).
Be as non-technical as possible. Average user doesn't know the difference between Internet, browser and search engine (← this video is painful to watch).
You can recommend things to people until you're blue in the face, but the reason people who don't instinctively upgrade their browser actually get around to doing it will always be the same. They do it because there's something they want to use, but can't unless they upgrade.
Want people to quit using an old browser ?
Quit supporting it.
It's that simple.
If no one supported them anymore then you wouldn't have to write code for them. For a certain percentage of people, they upgrade through necessity, not out of choice. If IE6 keeps working then they will keep using. Dont make the extra effort to support IE6.
From a psychological point of view, users will upgrade software due to one of the following reasons:
- Need (they have to have feature)
- Benefit (they'd like to have a feature)
- Fear (they perceive some sort of damage if they don't have a feature)
Based on how well you know your users, you can use one of these approaches to motivate them to upgrade. I.e., Provide extra functionality in your software that works only in new browsers (suggestion: use Ajax for better page update, without the need to call another page or refresh the current). Make those users aware that new, better, safer functionality is available, if they just upgrade their browser.
But remember the following caveats:
Not everyone can upgrade on his own. OS and browser versions are often dictated by IT policies in medium-large organizations.
Not everyone is tech-savvy enough to upgrade - you may need to explain the process.
If the user can dictate behavior, he may require you to provide the shiny new functionality in the old browser - be careful how you present those benefits!
The type of people who haven't yet upgraded their browser will almost certainly be people who don't have the technical knowledge to do so; those users who do know what a browser is, does and how to upgrade (and the benefits of upgrading) will most probably have done so. From this you can see how important it is to explain clearly and concisely both the benefits of upgrading and precisely how to do so for those who aren't technically minded.
Related
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
Benchmark
Hacker News Discussion
Hacker News Discussion 2
It's not like Node.js is even really dominant today (except in the Hacker News community of course), it hasn't even had a 1.0 release yet. Funny to be speculating on what might replace it already :)
Performance is nice (though micro-benchmarks are not the right way to judge that) but if that was the only thing that mattered we would all be writing custom web servers in C for every app. One of the other important things is the community support, which Node.js definitely has going for it at the moment. It has a very healthy open source (this being the key) community that has created a large library of tools.
I think Vert.x is interesting and has a different way of looking at things than Node.js which is great. If they are able to continue to make progress, get more people interested in it, and show that it is easier and faster to write web apps then who knows? Maybe in a few years we can have a discussion on what is going to threaten Vert.x's future.
There are some interesting things brought up by this micro-benchmark that may be worth addressing in Node, but it's very important to remember that nobody doing 100's of millions of hits per day (which these benchmarks show) does so on one machine. They do it on many machines.
There are certain levels where faster languages make a difference (see for example Twitter migrating their backend from Ruby to Java), but it's VERY rare to get to that position.
Most people need a language that is clean and easy to program in, and a good ecosystem.
Vert.x has no ecosystem to speak of. If you want a JVM based system you can get plenty of options there. If you want a Javascript based system the best option right now is Node.js. It's that simple.
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
What are the best practices for securing a coldfusion webpage from malicious users? (including, but not limited to, sql injection attacks)
Is cfqueryparam enough?
I use a modified portcullis, and filter all incoming var scopes (URL,FORM,COOKIE) onRequestStart.
http://portcullis.riaforge.org/
Pete Freitag has an awesome blog, especially this post on Hardening ColdFusion
Never trust the client.
The most ColdFusion specific "set and forget" is following server administrator hardening guidelines noted above, keeping the server up-to-date, and following ColdFusion on twitter to learn about any new issues immediately.
For app security, which is common across all languages, you should validate every piece of information that touches your server from the client. Forms are are obvious areas of tight control, but don't forget about URL parameters that you might use for application state management or control. Something like &startRow=10&tag=security which isn't "supposed" to be touched by the user is user input. Even if your application could never break with invalid data, you might not know how that data will be used in the future. Validation could be as simple as ensuring that someone isn't entering a 100 character long first name and doesn't contain programming characters or ensuring that &startRow is always a number. These are the little things that application developers sometimes skip because everything works OK as long as you are using the software as expected.
I believe you can look at the Sony Playstation hacking as an example. Unfortunately, they didn't expect someone to hack the client (playstation console) and manipulate the PlayStation console software to hack the server. The server trusted the client.
Never trust the client.
I would say best practices for ColdFusion are similar to those for programming web applications in any language.
I recently read Essential PHP Security Chris Shiflett and the majority of issues discussed affect ColdFusion as well, though the syntax for dealing with them may be slightly different. I expect there are other (possibly better) language agnostic books which contain principles which can easily be altered for use in ColdFusion.
Although using a prebuilt solution will work, I recommend knowing all the possible issues that must be protected. Check out Hack Proofing ColdFusion at Amazon.
Another great place to learn about security (and all kinds of other topics) is to check out Charlie Arehart's massive list of recorded user group presentations: http://www.carehart.org/ugtv/
Here is information on a good tool that can be used to prevent XSS.
https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
http://www.petefreitag.com/item/760.cfm
Fairly easy to implement and Java based.
I recommend you the excellent talk by Justin McLean "ColdFusion Security and
Risk Management". It includes a case study.
PDF presentation http://cdn.classsoftware.com/talks/CFMeetupSecurity.pdf
Video streaming: http://experts.adobeconnect.com/p22718297
CfQueryParam is very important, but not nearly enough.
There is a boxed solution we use at my work: http://foundeo.com/security/. It covers most of the bases. And even if you don't want to buy it, you can take a look at it's feature set and get an idea of the things you should be considering.
You may like to check -
http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSe61e35da8d3185183e145c0d1353e31f559-8000.html
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
I have noticed some developers picking up new skills and moving from one platform to the other? How do they do it? How do they justify for the lack of experience in the said platform they get the job?
Is it based on relevance to their previous experience? do they get certified in the target platform and work at a junior level accepting a pay cut? is it simpler if you are into contracting/consulting? Or is it simply a matter of projecting the resume correctly?
Actually, a lot of seemingly different platforms are really very similar, if you understand what goes on "under the hood," as it were. Though I've barely touched a Microsoft platform for well over a decade, for example, I have little difficulty developing things there because deep knowledge of computer systems in general is quite transferable.
For me, moving from LAMP to .Net was a work necessity. The consulting company I work for needed a PHP guy right away which is how I got in, but that project completed abruptly and they did not have an PHP work on the horizon.
In the closing weeks of the PHP project, I took an online O'Reilly course in C# and worked closely with a more experienced developer on a Windows application for the same client. Once the PHP gig completed I was able to start right away on a .Net project and I've had .Net clients ever since.
The key for me was flexibility. I let my employer know immediately that I was interested in different technologies and platforms and have taken the initiative by requesting access to courses and taking advantage of our yearly book allowance to explore different areas. When opportunities arise for investigating new directions like Mobility (PDAs, specialty devices and tablets) I jumped at the chance.
If your employer doesn't have policies which promote this type of self-directed expansion, then try to build a type of application you are familiar with in a new platform. Once you have you have a decent grasp of the tech, get involved with open source projects in your target platform and look for paid outside opportunities (i.e. Craigslist, elance, etc.) while you are still learning.
Most likely it is a result of circumstances. In these touch economic times being able to move outside your comfort zones is crucial
I really haven't seen a lot of reluctance on anybody's part to put developers on platforms that are new to them. Changes in computer language tend to be far more worrisome to managers than platform changes.
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
Our group is currently reviewing our toolset and looking for new defect/issue tracking software in additional to source control, and project management software.
For issue tracking, we've looked at bugzilla, fogbugz, bugtracker.net, sourcegear fortres, and bugnet.
I'm not satisfied with the list we've come up with, so I'm curios to know what others are using.
We're looking for Active directory integration for security, although we'd settle for a windows app, a web interface may be preferential, visual studio integration is also a bonus. We need to prioritize defects, mark the version the defect was found in, mark the version the defect was fixed in, and hopefully be able to maintain a discussion around each issue/defect. We'd also like to categorize items as defect, enhancement request, etc. and document workarounds for defects.
Very similar question:
https://stackoverflow.com/questions/101774/what-is-your-bug-task-tracking-tool
Try Unfuddle. If you use their version control hosting (SVN and Git options) with their issue tracker, you get some good integration stuff going on. For example, you can enter a note in your commit message such as "fixes #384: Too much foo in the bar"*, and you not only get that turned into a hyperlink to the issue, but it also marks the ticket as fixed with a link back to the changeset. All good stuff. This is a web-based solution that is hosted by Unfuddle themselves, in a SaaS-type fashion.
Other than that, +1 for Trac which I've used in the past and like very much. It's quite an immature project feature-wise, although it's got a very healthy community around it that has developed plug-ins to do a lot of extra stuff (like the AD authentication you wanted). It also has similar integration with a number of source control systems, but it's much less feature-rich than the Unfuddle stuff. That is to say, you get to use an extended wiki syntax in your commit messages which is parsed by Trac when it's display to create links. It doesn't do any of the two-way stuff that Unfuddle does. Trac is available to host in-house; alternatively, if you want it hosted, there's a list of places that will do so on Trac's wiki.
*I can't remember the exact format off the top of my head.
On our current project, we've amazingly used 6 different tracking tools (2 versions of PVCS), mostly commercial. Here's my opinion on the ones that we've used. I've listed them in order of my most favored to least.
Serena Teamtrack - We use a web client. The interface is intuitive. Performance will vary across installations, but comparing with our same data in each tool, this works the fastest. It also works in Firefox.
HP Quality Center - This is also web based, but it is IE only. On the upside, it's well organized, easy to use, and full-featured. It has reasonable performance for us as well.
It has an odd feature where there isn't a save button. It saves automatically for you. To force a save, you have to navigate to another ticket. Also when you first use it, it has to install so many DLLs that it is practically a thick client. That being the case, IE sometimes gets locked up (usually when trying to reinitialize a session after session expiration). Once locked up, you occasionally have to kill IE to regain control.
Bugzilla - I didn't use this as thoroughly as the other tools, so this isn't a fair comparison. We used it briefly for some internal tickets. I suppose the big upside is the (lack of) cost. IMO, I just didn't find the interface as nice and easy to use as the other tools. Its been awhile so I apologize for lack of specifics for why I'm relegating it below the others.
Siebel - There wasn't much to like about their defect tracking tool apart from that it is better than PVCS. The interface seems hokey. It's as if the Siebel interface has a set of user interface controls and it tries to force all square pegs into its round holes. Another downside is that it uses lengthy generated IDs so its hard to reference them or search by them. Along with that, the ticket IDs aren't sequenced.
Merant PVCS - We had separate databases and used both the web client and thick client. Its been awhile now, so the details are fading. I recall there were bugs in the tool and they weren't getting fixed, for instance reports couldn't display certain fields. Performance was bad. It took a long time to load. It was slow to navigate through tickets.
Issue tracking for support is a different problem from tracking issues during development.
Trac http://trac.edgewall.org/ is a very capable tool which supports a number of large open source projects. You can find Trac hosting at places like http://www.wush.net
If you need more workflow and custom security, you'll want to look at JIRA which is from Atlassian http://www.atlassian.com. Atlassian has a number of products which you might also find useful.
For Issue tracking in a support setting, try RT http://bestpractical.com/rt. RT is deceptively simple, but I've seen it used in the largest environments and it does a good job making sure you are accountable to every you make a support commitment to.
An off-site (www) hosted solution with all the features you mentioned is NetResults Tracker
We use bugzilla, it suits us perfectly. We haven't investigated too many others because honestly it does everything we need and then some.
We don't use Visual Studio so I can't speak for integration compatibility.
Try out HappyFox ( http://www.happyfox.com), an issue and bug tracking software. The clean interface and automation features help you track and resolve bugs smoothly. HappyFox is free for a 2 member and priced economically for larger teams.
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
Like probably a lot of software developers, I almost never see real users using my software.
It is, of course, quite difficult to get good user feedback in this situation. Even if some users agree to give me some piece of information about the way they use the software, there's a huge difference between how they really use it and how they think they use it.
By chance, my software is client/server, which means I can quite easily technically collect some information on the server.
Of course, nothing equals looking at a real user using the software in real life, but I think it's better than nothing, or at least it's worth trying :)
While I log all the exceptions raised on the client in my database, I've not been beside this point yet.
Has anyone does that before?
What information would you log?
Are there some legal issues? How should I deal with those?
I face the same problem with the software I'm developing, though I have no users for it yet.
I generally think that monitoring should always be opt-in, and that you should have the ability to review before materials are being sent. I think most people would agree to that.
However, from a legal standpoint there are greater issues at stake. Some companies restrict users in installing software that has any components that "call home" for security reasons. Depending on the usage context, any monitoring data can potentially reveal secrets.
For example, my software annotates things in the IDE. If I transmitted "home" details about files that are open (rather than hashes), even without the content of these files, I would still possibly be sending confidential details. If your tool can be used to open images or documents, there may be similar issues.
I would suggest hashing or finding way of obfuscating results on the client side, and ensuring via sufficient tests that there cannot be a situation where your software sends information home without consent and obfuscation. If I'm not mistaken, if your software does so, even by mistake, you may be violating US federal laws.
Also, make sure to encrypt the details as you send them over the wire.
Finally, if some of your users are in the EU, where privacy laws are stronger, your database of exceptions may be legally considered a "database" in itself (e.g., if you store SQL statements as they were executed and failed and these contain production values). So you may have to follow a lot of the rules about personally identifiable information.
When I did UI development, I used to collect every user command (button push, menu selection) and log them to file with my own internal debug information, but auto-delete the log files after a few days. This information is invaluable when trying to debug your own software (user can rarely recall precisely the steps they took when a problem occurs). I also kept a record of every application startup, in case we had a compatibility problem with third party software.
The point is that the information wasn't used unless a problem did occur, it was kept locally with no remote access, and it automatically got deleted if there was no problem. Only if the customer called us in for a problem did we access the log data.
Actively tracking user operations and sending them back to base is a separate issue entirely, and I've always shied away from that.
This isn't exactly what you asked for, but you do have a few options that are not programming-related solutions:
1) Do some hallway usability testing (scroll down to #12).
2) Try a product like Morae to set up a more formal, but remote, viewing session.
3) Ask a client to watch over their shoulder, using something like GoToMeeting, CoPilot or WinVNC. Or go to their site for a day and hang out watching over their actual shoulder.
Any of these will give you a really good idea of what works and what doesn't.
You could do something like this, which captures mouse movements and replays them for you to see using javascript and ajax.