Bill Sempf

You’ve been asked to make sure that the Client Search screen will stand up under load, because it will be most used screen in the application.  You set up a test user, and then run the Web Performance Test wizard in visual Studio 2010 to record the test.  You make a new test project, save it in TFS and add a new Web Performance Test.  the browser launches, and you log in as your test user.  You do a few client searches representative of the use of the system and log off.

Next, you create a Load Test.  The wizard launches, and you prescribe a 50 user test over a half hour.  You save the test, launch it and go to lunch.

When you come back, there are 23,856 errors.

What happened?  Oh, that’s right, one user can’t log into this system more than once – it was an early requirement.  Oh!  How am I going to do this then?  Do I have to record 50 Web Performance Tests? No.  You can parameterize the login.

Making a data source

Start with a CSV file of usernames and passwords.  You can make it in NotePad or Excel.

Next, we will need a datasource that points here.  Open your webest and click on the Add Data Source icon up in the test’s button bar.

You can select CSV file as the source of the data.

Pick the excel file you created and you’ll see the sample data.

The new data source will show up as one of the data sources for this test.  Probably shoulda named it something better, huh?

Binding the fields

The next major step is to bind the data to the fiends in question.  This is insanely easy.  find the step where you enter the data.  In my case, it was the Login.aspx page.  Open the Form Post Parameters folder and find the parameters for the login and password.  In this app, they are pretty easy to find.

Then follow these steps to get to the next image:

Open the properties panel with F4

Click on the fiend in your application that has the user name.  Mine is txtUser_Name

Click on the Value parameter in the properties panel.

Click the dropdown arrow.

Open the data source in the treeview.

Open the testdata table (or whatever you named it)

Click on UserName and there you go.  Teat field is now bound to the value.

This will work for any form

Remember, this isn’t just for login.  Actually, I am making a mashup of performance testing and training, adding the training data to the system using the performance test for the New Item pages.  Load testing isn’t just for performance anymore!

Being in the design phase of a large-scale project for the State of Ohio, I have been giving a lot of thought to the problems of Modeling and Design.

You see, I am in an interesting position on most projects – I am an actual Solutions Architect.  In today’s IT environment the term ‘architect’ has grown to mean “good coder with big mouth” and I don’t really fit that mode.  I am not the best coder in the room most of the time – although the size of my mouth could be debated.

What I excel at is the designing of solutions, which leads me to use the term ‘software designer’ to describe myself.  This isn’t terribly good either, as it leads people to believe that I produce pretty graphic design and UX, which isn’t my specialty either.

What I am, in truth, is a Software Modeler.  I am the person that figures out what the domain model looks like based on the requirements of the system and the realities of the project.  The one who stands at the end of the room and scribbles boxes on the whiteboard?  Yeah, that’s me.

Thinking about this has really helped me to hone down the definition of SQL Modeling in my head.  People ask me “Why is Oslo hooked to SQL Server?  Is it just another data language?  Don’t we have enough of these?  I thought M was a language not a database thingie!  Oh woe is me!”  Well, the key is in the difference between design and modeling, and how tightly coupled the model and the database really are.

Software modeling begins and ends with data.  The user interface is, I hate to point out, now the purview of the business analyst.  When I get a functional specification for a project, it has the UI in it right there.  I don’t have to ‘design’ that any more.  All I have to figure out is how to do it.  This effort is modeling, and it is about data.

Today I needed to estimate an inventory system with a few quirks.  Without thinking, I got out my notepad, sketched an ER diagram, and worked from that.  How many POCOs?  How many adapters?  How big is the entity model?  Yes, eventually I had to estimate how long it would take me to build the screens, but the bulk of the work was in the domain model, where the work is done, as it should be.

Imagine if I could have instead described my model in text, without all of the brittleness that the ER diagram entails, and have that text description emit both the databases and the POCOs for me?  And then, if something changes, I could change my scratch model and my other code changes?  What if it didn’t break my changes or additions?  What if it didn’t create scores of stored procedures that are impossible to manage? 

Wouldn’t that be nice.

This, though, is the goal of SQL Modeling.  It is clear as day exactly where it fits in the product lifecycle – right there overtop of my fancy notebook scrawls.  Those boxes and chicken feet have a place somewhere, but it’s time for a modeling solution that actually is a solution.

I am working on the table of contents for my new book on designing software with SQL Server Modeling, or TheModelingSystemFormerlyKnownAsOslo.  There is a lot to be shared, but TOCs are kinda boring.  I thought I would use a post to fill out any random thoughts.

I think I am going to break the book into three parts.  First, some Microsoft-centric bits about modeling in general.  Second, a detailed look at M.  Finally, we are gonna build an app.  I want to make this thing functional.  If I can't build real, usable software with it and make my life easier, then I don't want it, and I don't want you to use it.  Proves how much I think of the SQL Modeling team if I am writing a book on it, huh?

Anyway.  The tl;dr on M is that is eats examples and poops your database AND your POCOs.  If they eventually get to the point where complex examples are handles gracefully, then we might have something here.

I am still not sold on Quadrant.  They need to stop showing SQL Server table level examples.  That's.  Not.  The.  Point.  If I can't gain visibility into my AD and my file structure and my partner's accounting system, I'll just use Crystal Reports or Query Analyzer.

Most people don't understand that we have been given unprecedented access into a technology that probably won't be ready for prime time for a couple of years.  M is rough.  Quadrant is rough.  There is a lot of SCOPE work to do, not to mention a little coding.  This concept is just starting to find itself.  There are technologies that SSM depends on that haven't been built yet.  Have a little patience, people.

Now, this  Linq to M idea is a very interesting look into the thinking of the SSM team. We describe something in M.  We upload to the repository.  We can 'query' the example in C# with Linq.  Great.  Are we ever going to use M to move REAL data, rather than example data?  No?  Then how is this different from Linq to SQL?  It isn't?  Oh, OK.

Generally, though, this is something I have been saying since my "Web Design With The End in Mind" article back in 1999.  The data is the application.  If you understand the behavior of the data - which you somehow must store and business rules (or metadata) then your application is done. Skin it and go get a beer.

Wow, Shawn Wildermuth's article on Textual DSLs is really good.  Why haven't I seen this?  I thought he was just a UI geek.  Color me impressed.

Sorry this is so stream-of-consciousness.  It is late and this cough is keeping me from sleeping.

I think that SQL Server Modeling has the potential to dramatically change how Microsoft architects design software for clients.  I think it has the potential to improve design too, by making good, principled design part of the fabric rather than a documented rule.  I really, really wish they hadn't pinned it to SQL Server, but I guess I get it.  The data is the application.  Tha'ts why I have called it the Data Driven Web for fifteen years.

I am sitting in as team lead for a large project at ICC.  This is a multimillion dollar effort with over 100,000 installed user base.  We are using WPF and WCF and all of the latest TLAs.  In short, it is a big deal.

We are using Scrum Alliance’s TFS template to manage the development effort.  This is new to me – I am usually a functional independent, and not constrained by sprints and scrums and whatnot.  I am used to just getting the job done and that’s that.  when you have forty people on a project, however, you need to have some system.  This one is as good as any, I suppose.

Anyway, we did estimation for our first sprint last week, and I was here with a few other people entering the estimates into TFS Friday afternoon.  because TFS and Excel work well together, I chose to have the team enter the estimates into Excel, so that I could munge the CSV file with a script, and then import directly into TFS using the Excel integration.  Pretty slick, I thought.

The task names needed to be <document>.<entity>.<tasktype>.<taskname>, and I had those in a hierarchy format, like a legal format outline.  I write a little console application in C# to take the CSV file and figure out what all of the values were to create the task format.

static void Main(string[] args)
{
    StreamWriter streamWriter = new StreamWriter(@"C:\Users\wsempf\Desktop\R1S1 Backlog  Estimates Import.csv");
    using (TextReader testReader = File.OpenText(@"C:\Users\wsempf\Desktop\R1S1 Backlog  Estimates For conversion.csv"))
    {
        string line;
        string tasktype = string.Empty;
        while ((line = testReader.ReadLine()) != null)
        {
            string[] fields = line.Split(',');
            if (fields[2].Length==0 && fields[3].Length==0)
            {
                //do nothing
            }
            else if (fields[2].Length > 0)
            {
                //This is a type header
                tasktype = fields[2].ToString();
            }
            else if (fields[2].Length==0 && fields[3].Length>0)
            {
                //This is the data, write the line
            streamWriter.WriteLine("{0}.{1}.{2}.{3},{4}",fields[0],fields[1],tasktype,fields[3],fields[4]);
            }
            else
            {
                //whoops, do nothing
            }
        }
    }
}

It worked good – just a quick, one off script.  took me about 5 minutes to write.  I even had to refactor once when the task name format changed.  Anyway, I was pretty proud of myself when Larry Beall, the other dev working on the project, says “Done!”  I thought ‘Hey wait!  I have a cool script!’  but you see, Larry had done the same thing, but he had actually used Excel to do the work.

="Air Tariff." & A371 &"." & B371 & "." & C371

He went through and manually filled down the columns, but other than that … pretty simple solution.  The moral of the story – not everything is a nail so don’t always get out the hammer.  Sometimes the simple solution is the best.

Defcon 17 is in the books, and Gabrielle and I had another fantastic time.  Props go out to all of the Defcon staff.  The Locksport International team and TOOOL put another fantastic lockpicking village together.  Coffee Wars pulled a record turnout of thirty-six brews, and we met some great people there.  (We lost badly.) And thanks to the hard working goons we met.

We arrived on Thursday, but with the new Defcon 101 tracks, we were practically late.  The lines weren’t much worse than usual but there was a badge shortage right away thanks to the fine people at Chinese Customs.  Gabrielle and I ended up with paper badges at first, but Gabrielle social engineered us into two actual badges soon thereafter.

The badge, as usual, is fantastic.  Kingpin did an over-the-top job of building a sleek, simple badge that still has lots of hacking potential and out-of-the-box functionality.  It uses the 32 pin MC56F8002 processor, with a microphone and an RGB LED to produce visual effects from aural input.  Wired Magazine actually published the open source firmware.  I am not a hardware hacker, but I have been working on getting it to produce different visual output based on pitch rather than volume.

I didn’t get his name, but one of the engineering team from Freescale (the company that made the microprocessor on the badge) came to the con.  He just set up shop in the Hardware Hacking Village and helped people program the board.  It was one of the coolest things I have seen at any con.  As some of you probably know, my hardware experience is circa 1979.  He effortlessly moved between helping me with the most basic soldering questions to the most advanced programming questions.  I was blown.  Get me his address, someone.  I want to send him a bottle of Scotch.

It seemed like the traffic flow was worse at first compared to Defcon 15, but it soon leveled out.  Part of the problem was the need to clean out the rooms fully and then count them coming back in due to the fire code.  The marshals were around, and very visible, throughout the con.

There is a lot of talk about the Riv being too small.  I happen to disagree – I think that DT just needs to find a logistics volunteer that will orchestrate the talks in such a way to control the crowds.  I have seen Gabrielle do it.  It is possible.  (You hear that Jeff?  She will work for Absolut.)  The people at the Riv work their collective asses off to make it a good con and you just can’t replace that.  Let’s change the logistics instead.

Oh wait, there was technical content too!  Who knew?

The most significant thing I learned is that for all of the protections for CAS in the .NET Framework, there is a mind blowing flaw.  The framework assemblies are just called by name.  If you replace an assembly, EVERY .NET program on that machine will use the altered DLL to run the program.  Does that mean if you replace the encryption protocol to email the keys to China, that all programs will send that key to China?

Yes.

Discuss.

Props to Erez Metula.

There was a great talk on using iMacro to do screen scraping for AJAX sites, and I plan on getting some new PoCs for that up in the future.  It wasn’t rocket science, but it was a really good implementation of a simple idea that I sure as hell didn’t come with.  I mean, if it was easy, everyone would be doing it, right?  Screen scraping is a massively underused art.  There is a LOT of information out there and the web browser just sucks for really making use of it.

So much net development was done on Metasploit in the last 12 months that they got an entire track dedicated to it.  The biggest piece is undoubtedly the Oracle module, which really puts all of the disparate Oracle attacks into one place for ease in testing.  I can’t recommend its use enough if you are a pen tester or in charge of db security

The civil liberties content was significant compared to 15.  Nearly one whole track for three days was filled with lawyers telling us how not to go to jail when we fly to Italy on vacation with some music of questionable origin on our laptop.  I just popped in and out of these, but every time I did I learned something.

 Did you know that if you are asked to give up your password in the states you can say “come back with a warrant” but if you are flying overseas, they can just take the machine without your permission, copy the whole hard drive, and say “Thanks for the warez, d00d.”  Lesson learned?  Carry an empty laptop overseas and download your data set from a secure channel once you get there.   When done, upload results and clear the machine again.  Microsoft doesn’t even LET you carry a machine overseas.

Speaking of privacy (weren’t we, really?) social networking was a huge topic this year.  Tom Eston and Kevin Johnson gave a great talk on some proof of concept work they did on social networks and trust.  For instance, set up a parody account of a ‘B’ celebrity, and gain trust of followers.  Then send out a link for a fun quiz with an XSS attack.  Gain twitter cookie, get password, rinse and repeat.  Social Butterfly is another of their tools, which manages the creation of apps in social networking sites like Facebook.  It collects user accounts to be used for research purposes.  Check it out.  It’s not just that picture of the Christmas party last year that will get you in trouble on Facebook.

Locksport village was very informative, very well attended, and very well stocked.  I picked up some new equipment and finally met both Schuler Towne and Doug Farre in the flesh.  Doug and I are going to make some moves toward getting the Locksport International organization a little more, well, organized, and get things up and running there. 

Gringo Warrior was a hoot.  I supplied the live guard with a cigar (which he really needed!) and watched.  Deviant had a whole boatload full of people, and I hadn’t practiced enough, so I didn’t do it this year.  Maybe next year.  The ah-ha moment for that was watching a very accomplished picker run the whole gamut in three minutes, and then spend ANOTHER three minutes trying to open the car door.  After that, Deviant stood by the auto locks and yelled “Everyone look!!”  Took out his auto jigglers.  “Easy lock,” pop.  “Medium lock’” pop.  “Hard lock,” pop.  “GET some jigglers people!  They aren’t that expensive!”  I got some jigglers.

My Defcon moment had to be standing in the elevator lobby waiting for a ride down from my floor, when thmping bass – LOUD thumping bass – became clearly audible.  I thought “that’s one hell of a boom box.”  Wait.  Aren’t those lights?

The door opens, and there is a full mobile DJ station in the elevator.  I kid you not.  There was a mini-rave going on right there in the elevator with a DJ and dancing babes and the obligatory big white guy who can’t dance just bobbing his head and looking cool.  It had to have been the coolest thing I have ever seen in an elevator, bar none.

Can’t wait for next year, folks.  This one was fantastic.  Till then, see you at PhreakNIC!

I have started and deleted this post three times because I am so fired up.  I ended up just making a comment on this guys blog, but I thought I would post it here since there is exactly 0% chance he will approve it.  The post is by an internet lawyer and points out how 'nasty' Defcon is and that it should be 'shut down' if it doesn't 'clean up it's act'.  I am tense.  Very, VERY tense.

OK, here is my comment:

Imagine you are in charge of infosec for a large bank, running Oracle. There are 3,000 developers - most of them contractors - working with various databases inside your firewall. It's you, with nothing, versus 3,000 people you don't know backed potentially by 22,000 Russian and Chinese criminals with the latest 0day exploits. What are you going to do?

Well, first, you are going to go to Defcon, where without telling them which bank you work for you will learn the latest on these exploits from hackers who would be glad to give the information away nearly for free (since Oracle rarely does anything about them). This way, you know what you are faced with from the people who aren't so open. We usually call those people the criminals. I am sure you have heard the term.

Second, you are going to use Metasploit to test said database. Why? Because it is a framework for penetration testing with all of those exploits already in place. You can make sure that your database can't be compromised by those nameless criminals (there's that word again), all due to the VERY hard work of just a few extremely smart ... wait for it ... hackers.

You, my "internet lawyer" friend, have completely failed to get the point. You mention "finding an alternative approach for sharing knowledge and information away from the public eye." All of this information is already out there for those who care to find it. Defcon makes it available to the overwhelmed many who are tasked with protecting what we have. And that's a bad thing exactly how?

Thoughts are welcome from the peanut gallery.  Remember to read his post first, and the comments.  I do give him credit for allowing a few comments through.  Gah, sorry, I am just astounded that there are people still like this in the industry.

EDIT:  Ok, I was wrong.  He actually did publish my comment and published his own rebuttal, and my respect for him increased somewhat.  Nonetheless, it's that old argument: if you make owning a gun criminal, only the criminals will own the guns.

As posted earlier by Brian Prince and Stephen Giffin, the MVC4WPF project will be launched to CodePlex on Thursday.  We will be having a spash at the Columbus Microsoft office in the morning - if you would like to attend, please RSVP here.  I'm actually quite proud to be involved in this effort,, even if jsut as a tester and tech writer.  The thought that went into this product is very impressive.  If you are doing large WPF projects you certainly owe it to yourself to check it out.

A little about MVC (from the Developer Guide): Model-View-Controller is a pattern for software development.  It doesn't provide development tools of its own, but is rather an agreed-upon way to go about developing software.  It builds upon the concept that divides the basic functions of a contemporary application into component parts:

• The model, which represents the underlying data;
• the view, which represents what the user sees; and,
• the controller, which manages the business logic and communication between the view and the model.

The three parts of the software communicate with the use of agreed upon contracts that define communication between the parts, and property bags that hold configuration values and data objects. 

MVC works well with WPF because Microsoft has done some of the heavy listing for us in the division-of-duties arena.  Like ASP.NET, the View code is physically segregated into a code file all its own with hte XAML file (ASP.NET of course uses the ASPX file).  This basic architectural decision makes things appropriate for MVC.

MVC4WPF has a ton of automation to make development much simpler than many other MVC environments.  It is appropriate for junior developers, and is very forgiving to work with.  It is rather open ended, and will cut you if you don't read the recommended usage.  The project will come with a boatload of documentation (some of which I wrote) that will help a lot.

Keep an eye on the codeplex site, and come on up Thursday if you get the chance to see what I am talking about.  Should be a good time.

I was honored to be asked late last year to write Windows Server Licensing 2008 for Dummies as a joint project with Wiley and Microsoft.  This is a custom book – an eighty-six page minibook specifically for Microsoft to give to customers working on licensing Windows Server 2008.  I finished it in March, and finally got a few copies.  If you want a copy, you have to ask you local Microsoftie!

Anyway. the book came out very well.  The people in the licensing office are so very knowledgeable and easy to work with; the project was a complete joy for me.  What’s more, I think it really is a win for the average IT manager – the book is readable, easy to understand and accurate.  Licensing is foreign to many people, but with a few basic points in mind, you really can keep legal and save yourself some money!

I think the custom book concept is a real win for Microsoft too – they get a great, well known format for not much more cost than it takes to develop and print all of those whitepapers that no one ever reads.  People actually real dummies books, you know what I mean? 

Anyway, they gave them out at TechEd, and I think there will be more at PDC when the time comes.  Drop by the Windows Server book and snag a copy in November.

I get a lot of crap for being a VB programmer.  People who think it is cool to be smarter than someone else like to point out that they code in C# (though it was Java last year and C++ the year before) and I keep writing programs that work in whatever language best suits.  Why?  I learned how to program, not how to program in X language.  I recommend it for everyone - I recommend it in the book, and Scott Hanselman says it better than I ever could.

When programming (that is, expressing your intent to the computer) you should select a language that matches up with the program you're trying to solve. Every language is, in a way, a Domain Specific Language.

Regardless of what your language of choice is, you might be someone who says all languages eventually become, or try to become Lisp, or you might think Visual Basic is the best or that PHP is God's Language, you should learn a new language every year. I code, and have coded, for many years in C#, and before that C++, but it's important for me in my personal development to remember why I learned Haskell and Lisp (I suck at Lisp) and Smalltalk, and why I return to them occasionally for a visit.

This year, I'm learning Ruby. Does that mean my team is moving to Ruby?  Probably not, but it does mean I'm learning Ruby this year because I believe in sharpening the saw. You might be too busy sawing to sharpen, but I'd encourage you - no matter what brand or type of saw you use - to remember that there are other folks out there cutting wood successfully with a different kind of saw. Maybe they know something that you don't.

The man is a genius.  Pay attention.  Learn a new language every year.  If VB is your language this year, may I suggest a good book.  For the record, I am learning Ruby too ...