Monday, May 21, 2012

Bungie News

I've been at Bungie for a little over 6 months now, and they just slotted me into their "Breaking In" interviews on the Bungie blog.


Although, arguably much more interesting, is the recent Penny Arcade Report on Bungie which shows a bunch of cool pix from the their studio walkthrough.

Monday, April 16, 2012

Camouflaj Kickstarter Game

A good friend of mine, Jing (whom I worked with on Xbox) just started over at Camouflaj a newly minted game studio started a little over a year ago by Ryan Payton (who just came off of working on Halo 4). They are looking to create some AAA games for iOS devices, so if you are looking for some awesome gaming on your phone or pad, you should take a look at their kickstarter project which looks pretty sweet.

Saturday, January 28, 2012

Free Tool: Color Selector

Whenever I'm working on a color scheme, I often start with an image or photo to use as a basis. I will then go and suck out some of the colors I like. For the longest time I had been using a freeware tool to grab the color under the cursor, but the blasted tool had a bug which would cause it's window to blank out, and otherwise cease to function correctly.

Having finally reached my limit of patience this weekend, I went and wrote my own version of it:


Basically it shows whatever color is underneath the cursor. Pressing Alt-C will copy the RGB value onto the clipboard allowing you to paste it into your CSS file (or wherever you need the color value).

Color Grab Download (zip 160k), free to use, runs under Windows.

Tuesday, November 1, 2011

Benchmarking Preparation Checklist


In gathering performance metrics on a piece of software, you will want to spend some amount of effort in minimizing the noise in the system (reducing the standard deviation on the numbers collected). Here are some actions which may be beneficial in giving you tighter control of your environment.

System Preparation
  • Remove any extraneous peripherals. Additional peripherals may cause hardware based interrupts to fire which can interrupt the application you are attempting to profile.
  • Disconnect from the network. Incoming network requests from other systems can cause spurious events to occur. If you need network access, you may want to disconnect from a Domain which has the ability to run various tasks in the background (without your knowledge).
  • Disable or pause any unnecessary services. You can programmatically pause specific services using OpenService then calling ControlService with SERVICE_CONTROL_PAUSE.
  • Disable UI effects. Calling SystemParametersInfo will let you disable (and then restore) miscellaneous UI elements.
  • Turn off the screen saver: SPI_SETSCREENSAVEACTIVE
  • Minimize popup durations: SPI_SETMESSAGEDURATION
  • Turn off blinky animations: SPI_SETCLIENTAREAANIMATION
  • Remove drop shadows: SPI_SETDROPSHADOW
  • Enable flat menus: SPI_SETFLATMENU
  • Disable font smoothing: SPI_SETFONTSMOOTHING
  • Remove the mouse shadow: SPI_SETCURSORSHADOW

Process Preparations
  • Flush caches. You will want to ensure that the benchmarks start from a consistent system state. One approach is to start with all caches warmed, the other is from a cold state. For the latter, here are some APIs which can help clean things up for you, assuming you don't have the time to do a full cold reboot:
  • Close or minimize any other applications. Any process which is running may have the chance to interrupt you and aside from the time lost, it will destroy any cache coherency you've built up.
  • Move all remaining processes onto a single CPU core. By isolating all the remaining processes onto core 0 (for example), we can prevent as much disruption to your process as possible. You may want to run under the SYSTEM account, otherwise you won't have permission to move some processes via SetProcessAffinityMask.
  • Drop priority on any above-normal processes. We will want to run at real-time, so let us make sure that nobody else has a chance to compete for time slices (SetProcessPriorityBoost and SetPriorityClass).

Running
  • Set the processor affinity. Run your application on a core which it has all to itself.
  • Set priority to real-time. Max out the scheduler priority so it is less likely to be interrupted.
  • Capture the pipes to memory. If you are profiling a console application, piping the output to a file will probably defeat your performance metrics. Instead stick the data into a memory buffer (assuming you are launching the application under test via CreateProcess).

Afterwards

Thursday, October 27, 2011

Securing Chickens and Eggs


I saw a question get posted to an internal discussion group that went something like this:

I have a console application which uses CredUICmdLinePromptForCredentials. How can I add support to allow a user to pipe a password from a file into my tool? For example:

type password.txt | myTool.exe /user:user1

Answer: You don't.

The Long Answer:
The whole purpose for CredUICmdLinePromptForCredentials, its entire reason for existence, is to provide users a slightly more secure mechanism for supplying private authorization information.

  • If a password is stored in clear text on your hard-drive, then it is not secure.
  • If a password is sent in clear text via the command shell's pipe/redirection mechanisms, then it is not secure.
  • If a password is cached somewhere (clear or obfuscated) that can inherently be used by an un-authorized person (replay attack), then it is not secure.

If you aren't attempting to be secure with a user's password, then there is no reason to use CredUICmdLinePromptForCredentials, just read the file or input stream yourself and be done with it.

Public Service Announcement: If you use one of the CredUI*PromptFor*Credential APIs, be sure to either nuke the password (SecureZeroMemory) or encrypt it (CryptProtectMemory) as soon as possible (i.e. immediately after the call and/or after any verification that needs to happen).


Now, the better question revolves around how one should secure credentials such that they can still be used in an automated process. Unfortunately this quickly degenerates into a philosophical question as computers are inherently insecure, especially if you have physical access to it (debuggers, physical analysis of hardware, etc. can expose your secrets). The issue becomes even more philosophical considering that the objective of the tool hasn't been scoped or discussed (and wasn't in the original post).

For the purpose of this (now philosophical) exercise, we assume that we are not on a single computer - as we are dealing with automation and want to distribute the credentials in a file. If we were on a single computer we might utilize the Credential Manager to help store this information locally.

To secure some chunk of data, we need to encode it. In order to decode the information we need a key. Unfortunately we now need to store the private key in a secure manner. Do we encode the key to secure it? If we fast-forward a bit, you can easily see that this quickly turns into a "which came first, the chicken or the egg" type of problem.

Since computers are insecure, the best place to store private information is not in a computer. The typical place is in a human. Now we've come full circle. In order to secure the file that contains a password, we need someone to remember a password (and people wonder why security is tricky). Now you can see that our philosophical exercise is flawed, so really the question is not "how do we secure the file", but "how secure is good enough?"

Saturday, October 22, 2011

Team Cohesion


Every year Microsoft sends out a survey which the execs and managers use to help get the pulse of the worker bees. One of the areas where our group didn't do as well as we would have liked was around inclusion / team cohesion. My manager asked me what I thought we could do in this area, and here are my generalized thoughts.


Common Goal and Purpose
            To start with, there must be an underlying goal which is understood and believed. If the goal is not clear and concise, then there is no coordinated direction. This leads to wasted work (if it isn't truly important to the vision) and marginalizes peoples' contributions or places greater rewards on other team members. Dissatisfaction and discord can also set in if the team doesn't think the goal is reachable or doesn't agree with its direction. The vision is the foundation which your team needs to rally behind and gets everyone marching in the same direction. Changes are needed if people don't believe or understand why their work is important. Often this can be helped by improving communication or cutting unnecessary features and focusing the team on what is important.


Communication
            Good communication is fundamental in ensuring everybody feels included, this means that decisions which impact team members must be understood and believed. Ensure that decisions are not created a vacuum, at the wrong level, or by the wrong people. This is where strong leaders and program managers pay off, they will help drive the features and make sure all the necessary players are informed and brought in on decisions. Additionally, small changes such as office layouts and organization chart optimizations can help foster easier coordination between the individuals who are working on related technologies.


Rewards and Motivation
            Exclusion is a sure way to alienate someone from the team. Recognition, cool projects, gifts, benefits, etc. all need to be appropriately spread around. Militaries across the world have all used unit citations to help build a collective level of pride in a team. It doesn't matter how much an individual contributed (if at all) because, when recognized, everyone in the unit got them. Individual rewards have their time and place but they can weaken the overall team cohesion. Also, make sure that events, entertainment, food options, etc. are all open and inclusive. You definitely don't want a morale event to do more harm than good by alienating the very individuals you most desperately need to improve the morale on.


All of these things can make an impact to how tightly an individual will be integrated within an organization; all it takes is a good leader to help kick some of these into place. But keep in mind that one of the underlying concepts here is empowerment. Do you encourage the employee to make a meaningful difference, or are they just tools to get a job done?

Wednesday, September 28, 2011

HRESULTS: FACILITY_ONLINE_ID


This is page contains raw error codes. It is meant as a software developer reference, not a customer support site.

CodeHRESULTDescription#define
10x8A020001 Authentication target is invalid or not configured correctly. ONL_E_INVALID_AUTHENTICATION_TARGET
20x8A020002 Your application cannot get the Online Id properties due to the Terms of Use accepted by the user. ONL_E_ACCESS_DENIED_BY_TOU
30x8A020003 Application is incorrectly configured or not yet enabled. ONL_E_INVALID_APPLICATION