1. Launch PowerPoint (these instructions work for Office 2010).
2. Open the presentation to be fixed.
3. Go to the File menu, and select “Options”.
4. Select “Customize Ribbon”.
5. On the right-hand side of the complex dialog find the “Main Tabs” section. Check the checkbox next to the “Developer” tab.
6. Click “OK” and return. You should now have a “Developer” menu above the ribbon.
7. Select the “Developer” menu to display the developer ribbon.
8. On the ribbon, click the button labeled “Visual Basic”
9. In the upper-left-hand side of the screen there is something labeled “VBAProject” with sub-folders labeled “Modules” some of which have entries with names like “Module1″. You may have to expand the tree-view widget to see some of these.
10. For each module, double-clicking will open it. Those that are completely blank (all of them in my company’s template) are useless and can clearly be deleted.
11. Delete a module by closing it (if you had opened it), then right-clicking on the module and selecting “Remove Module1…”. It will offer to save, but you won’t need to do that.
12. After doing this for all unwanted modules, go to the “File” menu and select “Close and Return to Microsoft PowerPoint”.
13. Save your newly-changed document.

By the way, in case anyone couldn’t tell, after experience with it I really hate Microsoft’s “ribbon”. The old approach “Menus” required people to look around through lots of menus to find the commands they needed (although if they used a command frequently, they could read the menu to see what keyboard command would execute that). Power users could modify the menus if they wanted to (but hardly anyone did). In the new “Ribbon” interface, the commands that people use a lot are just one click away — as long as you know what arcane icon represents the action that you want to perform. If you need to find a new command you no longer have to look through the menus to find it… instead you simply perform a web search to find someone else who ran that command and follow the arcane set of clicks that they wrote in order to locate the mysterious and well-hidden button that performs the action. Power-users are people who know how to perform an action without looking it up on the web.

By very cheap things, I am particularly thinking about electronic goods. People buy information (views of articles and things like that) or applications from an AppStore for prices in the range of $2.00 all the way down to cents (and sometimes less). I was inspired to write this by an article by Rob Walling in which he advised someone not to charge $1/month for a service–almost without regard for what the service was.

That’s an interesting position. After all, things vary in value. There are some things for which $46 is a sensible price and some for which $47 is a sensible price. It stands to reason that there would be some things for which $1/month is a sensible price. But I think Rob is right: I think $1/month is nearly always the wrong price, almost regardless of what is being sold.

It is an interesting fact that thousands of times as many people (or more) will sign up for something I offer for “Free” than for something I offer for one cent. They will do so even if the bandwidth it takes to download it and the electricity it costs to view it or run it cost more than 1 cent. There is, you see, a psychological hurdle, a “cost” to making a purchase at all. There is mental transaction cost: you must stop and think to evaluate whether you think the product is worth whatever they are charging for it. The customer must overcome this hurdle PLUS the amount of money you are charging before they’re willing to buy. One of the reasons for the outstanding success of the Apple and Android app stores has been that they reduced (but did not eliminate) this “cost” by avoiding the need to enter payment details for each transaction.

I will make the economist’s assumption that this mental effort can be considered to be equivalent to some amount of money (because economists believe that anything is equivalent to some amount of money). I wish I had actual measurements of this amount, but since I don’t, I’ll just make up some numbers based on my observations of my own behavior. I will speculate that, for most customers at most income levels in western countries (US, Europe, etc), the psychological “hurdle” for agreeing to a recurring monthly payment is probably about the same as an extra $8-20 up front or an extra $1-2 per month.

Put in those terms, raising the price from $1/month to $2/month doubles your gross, while adding just 1/3 to 1/2 to the customer’s “perceived” cost. That’s usually a good tradeoff, so there are almost no goods that are reasonable to sell for $1/month. (Try charging $12/year instead… that is much more palatable, for psychological reasons.) This is also the same reason that newspapers can’t seem to sell their reporting online at 1 cent per page: the cost of deciding whether to make the purchase costs customers a whole lot more than that. (Financial reporting is an exception.)

1. First, launch Outlook 2010 and look in the lower-left-hand corner. There will be options for “Mail”, “Calendar”, “Contacts”, and so forth. Some may be visible with medium-sized icons and a word, others may be collapsed as tiny options along the bottom. Select the one labeled “Contacts”.
2. In the menu bar at the top, find and select “Home”.This will make the ribbon visible, but in a certain “Contacts” mode.
3. On the far right-hand side of the ribbon, find and click the button for “Address List”. This will bring up a view of the address book. There are other ways to bring up the Address Book view, but this way brings it up with a menu bar.
4. Select “Tools” then “Options” from the menu bar.
5. This brings up the settings panel that allows you to control these settings. For myself, I chose a “Custom” order, I removed “Global Address List” completely and added my own corporate unit right below “Contacts”.

I hope someone else finds this documentation productive. I’m sure I will the next time I need to accomplish this task.

As I see it, the big advantage of estimating in hours is that if you THINK in hours, you tend to get a more accurate estimate. There are lots of development tasks which will seem like they should take “no more than 2 days”, but if you think about all the individual steps (I have write create the page and the new service. And the stored procedure. And I’ll have to get a security review and a code review. And I have to remember to do the unit tests. Oh yes, and save time for bug fixes), the total comes out a big bigger.

As I see it, the big advantage of estimating in days is that it’s quicker and simpler. If you team is sitting there arguing whether a task is 3 hours or 4 hours, then you’re wasting time — after all, development estimates are never THAT accurate anyway: we always need to allow for the unexpected.

Considering these, I could be persuaded to do it either way. What is NOT useful is to think how many days it will take, multiply by the number of hours per day, then spend time arguing about whether it is one more or one less than this number.

costs.jsp

<% Cost[] costs = CostHelper.calculateCosts(loanData, currentDecision); %>
<h3>Current Costs:</h3>
<table border="0">
  <tr>
    <th>Cost</th>
    <th>Amount</th>
  </tr>
  <% for(int i=0; i<costs.length; i++) { %>
    <tr>
      <td><b><%costs[i].getName()%></b></td>
      <td>$ <%costs[i].getValue()%></td>
    </tr>
  <% } %>
</table>
<p style="text-align: center; font-style: italic">
  <a href="costHelp.html" 
      onclick="
        window.open(this.href, 'Help');
        return false;
      "
  >Explain these</a>
</p>

And it was confusing. But after a time we became enlightened and we realized that we should separate out the business logic from the rest of the presentation. We used tag libraries or velocity macros or any of a host of other technologies, and the code looked something like this:

CostController.java

Cost[] costs = CostHelper.calculateCosts(loanData, currentDecision);
modelAndView.addObject("costs", costs);

costs.vm

<h3>Current Costs:</h3>
<table border="0">
  <tr>
    <th>Cost</th>
    <th>Amount</th>
  </tr>
  #foreach( $cost in $costs )
    <tr>
      <td><b>$cost.name</b></td>
      <td>$ $cost.value</td>
    </tr>
  #end
</table>
<p style="text-align: center; font-style: italic">
  <a href="costHelp.html" 
      onclick="
        window.open(this.href, 'Help');
        return false;
      "
  >Explain these</a>
</p>

And it was confusing. But after a time we became enlightened and we realized that we should separate out the styling from the rest of the presentation. We used CSS markup in separate files, and the code looked something like this:

CostController.java

Cost[] costs = CostHelper.calculateCosts(loanData, currentDecision);
modelAndView.addObject("costs", costs);

costs.css

.costName {
  font-weight: bold;
}
.helpLink {
  text-align: center;
  font-style: italic;
}

costs.vm

<h3>Current Costs:</h3>
<table border="0">
  <tr>
    <th>Cost</th>
    <th>Amount</th>
  </tr>
  #foreach( $cost in $costs )
    <tr>
      <td class="costName">$cost.name</td>
      <td>$ $cost.value</td>
    </tr>
  #end
</table>
<p class="helpLink">
  <a href="costHelp.html" 
      onclick="
        window.open(this.href, 'Help');
        return false;
      "
  >Explain these</a>
</p>

And it was confusing. But after a time we became enlightened and we realized that we should separate out the dynamic JavaScript from the rest of the presentation. We called this unobtrusive JavaScript, and the code looked something like this:

CostController.java

Cost[] costs = CostHelper.calculateCosts(loanData, currentDecision);
modelAndView.addObject("costs", costs);

costs.css

.costName {
  font-weight: bold;
}
.helpLink {
  text-align: center;
  font-style: italic;
}

costs.js

$(function() {
  $('.popup').click(function() {
    window.open( $(this).attr('href'), 'Help');
    return false;
  });
})

costs.vm

<h3>Current Costs:</h3>
<table border="0">
  <tr>
    <th>Cost</th>
    <th>Amount</th>
  </tr>
  #foreach( $cost in $costs )
    <tr>
      <td class="costName">$cost.name</td>
      <td>$ $cost.value</td>
    </tr>
  #end
</table>
<p class="helpLink">
  <a href="costHelp.html" class="popup">Explain these</a>
</p>

And it was better. Things get a little bit confusing because each screen is rendered from several different files instead of from a single one, but separating out the concerns of business logic, styling, and dynamic behavior made each piece easier to understand and work with.

Recently, though, I became enlightened, and realized that we still have too many things going on in the same file. The HTML file still contains two independent concerns: the definition of the structure and the actual text. These facets are not really related, and they tend to be edited by different people. (HTML designers don’t necessarily produce the marketing copy and other text.) So this is a perfect candidate for another separation of concerns. That’s why my current project is organized like this instead:

CostController.java

Cost[] costs = CostHelper.calculateCosts(loanData, currentDecision);
modelAndView.addObject("costs", costs);

costs.css

.costName {
  font-weight: bold;
}
.helpLink {
  text-align: center;
  font-style: italic;
}

costs.js

$(function() {
  $('.popup').click(function() {
    window.open( $(this).attr('href'), 'Help');
    return false;
  });
})

cmstext.properties

cost-title: Current Costs:
cost-col1-label: Cost
cost-col2-label: Amount
cost-help: Explain these

costs.vm

<h3>#cms("cost-title")</h3>
<table border="0">
  <tr>
    <th>#cms("cost-col1-label")</th>
    <th>#cms("cost-col2-label")</th>
  </tr>
  #foreach( $cost in $costs )
    <tr>
      <td class="costName">$cost.name</td>
      <td>$ $cost.value</td>
    </tr>
  #end
</table>
<p class="helpLink">
  <a href="costHelp.html" class="popup">#cms("cost-help")</a>
</p>

The code that processes this allows no markup in the cmstext.properties file — any metacharacters will be properly escaped. So in principle it would be easy to give this file directly to the business to edit without IT help — or even to allow them to edit it on the live website without needing a QA cycle. The down-side is that we have yet another file to deal with: time will tell whether the benefits outweigh that cost.

SQL Injection

The most venerable is the SQL-injection attack (and related attacks for things other than databases). This is the danger that data entered by users will be treated as meta-characters not just as text, and will allow a visitor to your site to execute arbitrary code in your database (or some other system). Nothing illustrates this kind of attack better than this XKCD cartoon:

XSS

There are XSS attacks – which stands for “Cross Site Scripting” (the acronym “CSS” was already taken). XSS is the danger that your site might serve up some content which was entered by a user (or perhaps loaded from a 3rd party site). Normally, this makes sense: whole empires have been built on the concept of allowing users to customize their own pages on your site. But browsers assume that any code served up by your site is trusted, and will allow it to do things like accessing you site’s cookies. Particularly if users can get others to view their content, this can be quite dangerous. The first line of defense is to carefully sanitize and properly escape all content from users that it intended as plain text. As for content from users that is intended to contain markup, some sites just prohibit this, while others can use a solution like Google caja, which provides a secure sandbox for untrusted code to run in.

CSRF

XSS attacks exploited the fact that the user (or the user’s browser) trusted content coming from your website (even if that content wasn’t written by the site owner). The converse is a CSRF attack which exploits the fact that the site trusts content coming from it’s user’s browser. One of your users visits a malicious site which contains some sort of link to your site — preferably a link which causes some action to be taken. The request comes from the user’s browser, it has the user’s cookies and everything, so your site thinks the user intended to send the request. The idea is for a site containing pictures of cute cats to trick your banking site into transferring money to someone’s account. There are several defenses such as always using POST (helps, but doesn’t fix the problem), a per-session unique ID, and double-submit cookies.

Clickjacking

The latest hot issue in the web security community is “clickjacking“. This is a variant of CSRF in that it occurs when your site’s user navigates through a malicious website. But instead of the foreign site trying to generate a “click” on your website by embedding an image or executing some JavaScript, the foreign site embeds your site, perhaps within an IFrame. They then cover it up so you can’t SEE it, but when you click you perform an action on the attacked site. You can see an innocuous example at http://noscript.net/getit, where the “install now” button installs from Firefox’s site, not from noscript’s site. The most evil versions will continually move the attacked site so it stays under the cursor… no matter where you click, the button you don’t see will be under your cursor. Some of the details of this exploit have not been released yet, so it is too early to make clear statements about how a website (or a user) can protect themselves.

Plenty of others

I am sure that there are other fundamental forms of attack against web applications. Go ahead and add your own items in the comments below!

I am sending email copies of the technical postings to this blog to an email list of people at my work (I suppose I’d accept others also) who expressed interest. It started as a bonus goal project. Here is the process I came up with for sending the email from Outlook:

1. First, publish the blog entry to the web normally.
2. Launch Outlook
3. Go to “Tools > Options > Mail Format” and set the email format to HTML while disabling the use of Microsoft Word for editing emails.
4. Go to �View > Toolbars > Web� to enable the web toolbar.
5. Navitage to the website (http://mcherm.com/) and follow the link to the story to be emailed. Manually add “?stylesheet=outlook” to the end of the URL and hit return to view it.
6. Go to �Actions > Send Web Page by E-mail�. This will launch Outlook�s terrible, almost unusable HTML editor. The page will look entirely wrong – for instance, it will ignore the stylesheet. Fortunately, only one thing really has to be fixed (everything else will look OK when viewed. That one thing is to delete the first three characters at the beginning of the page. (Sometimes is messes up quotes too… you can check the body of the story.)
7. Now copy the mailing list and add it to the BCC field. Be sure it’s the BCC field, not the CC or TO field, to protect the privacy of the message recipients.
8. Fix the email subject. It should read “Technical Essay Series: <title-of-article>”.
9. Hit send.

You probably have antivirus software protecting your computer from malicious computer viruses — in fact, you’d be a bit nervous about connecting to the internet if you didn’t have it. After all, viruses can make everything run more slowly, take over your computer and use it to send spam, or worst of all they can even delete files and destroy data. There are even a few viruses that take your data hostage — encrypting it, deleting the original, then offering to decrypt it if an anonymous payment is made to a certain account.

It is less common these days (hard drives have gotten much better), but occasionally you’ll have a catastrophic failure — your hard drive will crash with no way to recover it. This can be a real disaster: the cost of a new hard drive is nothing compared to the loss of all your precious data.

Or it’s even POSSIBLE (unlikely, to be sure), that while you were cooking dinner your five-year-old got onto the computer you had left on (despite KNOWING he wasn’t supposed to) and sort of accidentally dragged into the trash a folder containing some files — files you had been working on for quite a long time. And, unlikely though it sounds, it’s possible that you didn’t notice this until AFTER you had already emptied the trash can and deleted the files forever.

Of course there is one solution to ALL of these problems — backups. Everyone knows that they ought to back up their files. But not everyone gets around to doing it; in fact nearly everyone doesn’t – until right after they have an accident and lose data. In fact, I am guessing that you, yes YOU have data someplace (probably at home) that isn’t backed up properly.

There is an obvious “right” way to do backups; just follow a few simple rules. First, the backups have to be frequent — a 9-month old backup isn’t going to be very useful; every few days is about right for most people. Second, you MUST test your backup. A backup process, even one designed with the best of intentions, can’t be considered safe unless you have tried doing a restore from it. And succeeded. It doesn’t matter whether the backup is to CDs, tape, a spare hard drive, or over the internet, but you should store the backups someplace separate from the computer (otherwise they won’t be much help in case of a housefire).

And doing all this is a pain… particularly the part about doing it regularly. Murphy’s law says that you won’t lose data until sometime after you finally become lax and start skipping your backups. It is FAR better if the backups can be done automatically… so if you are lazy like the rest of us it will still get backed up. But for most of us, setting up some automated system is even harder than doing backups.

So what you really need is some product which will automatically back up your files for you every few days. It should be trivially easy to use, should take almost no time to install, and should work even if your computer isn’t on or net-connected 24/7. It should make restoring files a breeze (and not something you do only in case of catastrophe) and should automatically warn you if backups are NOT working for some reason. It should not require purchasing any special tape drives or other hardware. Oh yeah, and it should be free, or at least cheap.

Fortunately, such a product exists! Actually, several such products exist, but I’m just going to talk about my favorite which is called “Mozy” (it’s for Windows and Mac… you Linux users will need to find a different alternative). Mozy‘s software installs quite easily. Once installed, it asks you to create an account: home use is FREE if you need to back up less than 2GB, and costs $5/month for unlimited amounts. (They have small business backup solutions also.) It will ask you to specify which directories need to be backed up and will send the data over the internet to Mozy’s servers. The documentation says that it is encrypted, so Mozy themselves cannot access your data without the password. (In case you were wondering, that’s a good thing.)

After the initial setup, Mozy runs without any supervision. It waits for a time when your internet connection is up and running but you are not currently working on your computer, and then it sends the changes (only the changes) from the backed-up directories over to Mozy’s servers. If it does not manage to do a backup within 7 days, then it begins to warn you that the backups are not current. And any time that you want to get files back, you can review the files stored on the server and restore any amount from a single file to the entire backup set.

There are a couple of features that I would want in an ideal backup system which Mozy lacks. I would want the entire disk backed up, including the OS so that I could completely swap in a new disk if needed. And I would want all versions of a backed-up file to be saved, not just the latest, so I could return to previous states of things rather like a version control system. But Mozy provides the most important features: it backs up my data, and it is very easy to use (good, because I’m too lazy to use it otherwise).

So now we come to the wager. At this point, as I predicted, you are thinking to yourself “Gee, this Mozy sounds like a good idea. I should really install it on my own computer.” But it’s one thing to THINK about it, and quite another to actually go DO it. There is a certain mental inertia to overcome. So I’m placing a small bet – shall we say $5? – that you won’t actually step up and do it. If I lose… if because of reading this article, you actually DO go install Mozy or another automated backup tool, then post a reply using the reply box below, and I’ll pay up on my bet. (For the record: Yes, Mozy does have an affiliate program but No, I am not participating. I get no kickbacks with this deal – just the warm fuzzy feeling of having saved someone else from losing their data. (Offer good only for the first 12 days after this is posted. Offer may be rescinded if this gets posted to the front page of Slashdot, Digg, reddit, or the like.))� You could have your data safe AND win $5 at the same time… what are you waiting for? Or are you too lazy?

Following a hint I learned from the web, here is the procedure I came up with.

1. Launch Outlook.
2. Go to “Tools > Options > Mail Format” and set the email format to HTML while disabling the use of Microsoft Word for editing emails.
3. Go to “View > Toolbars > Web” to enable the web toolbar.
4. In the web toolbar, navigate to the page containing the HTML you want to send. If the page you are sending is not an existing blog post, you can write it by hand in the HTML editor of your choice then navigate there.
5. Go to “Actions > Send Web Page by E-mail”.
6. This will launch Outlook’s terrible, almost unusable HTML editor. Fortunately, it will prefill it with the content of your web page, so if the web page was correct then you should be able to fill in the headers (subject and To) and just hit “send”. I found some character set problems (e.g.: EM dashes replaced with patches of line noise) so you may want to watch out for these.

I still recommend creating a sample and sending it to an email address beforehand. Test every link and image to make sure that they’re working before you send out the mass mailing.