<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:copyright="http://blogs.law.harvard.edu/tech/rss" xmlns:image="http://purl.org/rss/1.0/modules/image/">
    <channel>
        <title>Professional</title>
        <link>http://blog.colinmackay.net/category/1.aspx</link>
        <description>If you only ever want posts related to software development, computing in general, notices of developer events or any of my articles or presentations subscribe to this feed.</description>
        <language>en-GB</language>
        <copyright>Colin Angus Mackay</copyright>
        <managingEditor>colin.mackay@gmail.com</managingEditor>
        <generator>Subtext Version 1.9.0.27</generator>
        <item>
            <title>My reading list #1</title>
            <link>http://blog.colinmackay.net/archive/2010/03/01/My-reading-list-1.aspx</link>
            <description>&lt;p&gt;I’ve decided that I need a quick and easy way to remind myself of the useful articles that I’ve read recently or that are on my stack to read. Since I use my blog as an aide memoire anyway, I thought why not just put up a blog post once in a while after reading something useful. So here’s the first one…&lt;/p&gt;  &lt;h2&gt;Web&lt;/h2&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a href="http://dotnetslackers.com/articles/aspnet/The-Kayak-Framework-An-easy-way-to-speak-HTTP-with-NET.aspx"&gt;&lt;strong&gt;The Kayak Framework: An easy way to speak HTTP with .NET&lt;/strong&gt;&lt;/a&gt;       &lt;br /&gt;Kayak is a lightweight HTTP server for the CLR, and the Kayak Framework is a utility for mapping HTTP requests to C# method invocations. With Kayak, you can skip the bulk, hassle, and overhead of IIS and ASP.NET. &lt;/li&gt;    &lt;li&gt;&lt;a href="http://roy.gbiv.com/untangled/2008/rest-apis-must-be-hypertext-driven"&gt;&lt;strong&gt;REST APIs must be hypertext-driven&lt;/strong&gt;&lt;/a&gt;       &lt;br /&gt;What needs to be done to make the REST architectural style clear on the notion that hypertext is a constraint? In other words, if the engine of application state (and hence the API) is not being driven by hypertext, then it cannot be RESTful and cannot be a REST API. Period. &lt;/li&gt;    &lt;li&gt;&lt;a href="http://exyus.com/articles/rest-the-short-version/"&gt;&lt;strong&gt;REST – The Short Version&lt;/strong&gt;&lt;/a&gt;       &lt;br /&gt;Getting a clear handle on the definition of the REST architectural style can be daunting. While there is no shortage of descriptions available, I did not find many of them helpful at first. Also, as I began talking about REST to colleagues, I often had a difficult time producing clear descriptions for the key points. Over time, however, I sharpened my summary into a version that seemed to make sense to most of my listeners. I offer here my rendition of the REST model. 
&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;&lt;a href="http://www.nordsc.com/blog/"&gt;Applying the Web to Enterprise IT&lt;/a&gt;&lt;/strong&gt;       &lt;br /&gt;This is a blog that contains a number of useful article on ReST. &lt;/li&gt;    &lt;li&gt;&lt;a href="http://www.engageinteractive.co.uk/blog/2008/06/19/tutorial-building-a-website-for-the-iphone/"&gt;&lt;strong&gt;Building a website for the iPhone&lt;/strong&gt;&lt;/a&gt;       &lt;br /&gt;This tutorial will cover the basic setup and creation of a web page for the iPhone that will detect and change the content based on the phones orientation. &lt;/li&gt; &lt;/ul&gt;  &lt;h2&gt;Professional Development&lt;/h2&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a href="http://successfulsoftware.net/2010/02/16/unskilled-and-unaware-of-it/"&gt;&lt;strong&gt;Unskilled and unaware of it&lt;/strong&gt;&lt;/a&gt;       &lt;br /&gt;People tend to hold overly favourable views of their abilities in many social and intellectual domains. The authors suggest that this overestimation occurs, in part, because people who are unskilled in these domains suffer a dual burden: Not only do these people reach erroneous conclusions and make unfortunate choices, but their incompetence robs them of the metacognitive ability to realize it. &lt;/li&gt;    &lt;li&gt;&lt;strong&gt;&lt;a href="http://www.skorks.com/2010/02/did-your-boss-thank-you-for-coding-yourself-to-death/"&gt;Did your boss thank you for coding yourself to death?&lt;/a&gt;&lt;/strong&gt;       &lt;br /&gt;Here is some perspective, you're not doing this for yourself, you're doing it for "the man". Admittedly he might be a nice man, but you don't owe him slavish commitment. Here is even more perspective, how often are you actually playing with interesting problems and cool tech and how many times are you churning out code desperately trying to get something delivered and meet some arbitrary deadline that someone has assigned to you?       
&lt;/li&gt; &lt;/ul&gt;</description>
            <dc:creator>Colin Angus Mackay</dc:creator>
            <guid>http://blog.colinmackay.net/archive/2010/03/01/My-reading-list-1.aspx</guid>
            <pubDate>Mon, 01 Mar 2010 07:58:28 GMT</pubDate>
            <wfw:comment>http://blog.colinmackay.net/comments/11624.aspx</wfw:comment>
            <comments>http://blog.colinmackay.net/archive/2010/03/01/My-reading-list-1.aspx#feedback</comments>
            <slash:comments>3</slash:comments>
            <wfw:commentRss>http://blog.colinmackay.net/comments/commentRss/11624.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Integrating Exceptioneer with OpenRasta</title>
            <link>http://blog.colinmackay.net/archive/2010/02/09/Integrating-Exceptioneer-with-OpenRasta.aspx</link>
            <description>&lt;p&gt;[NOTE: This post was created using OpenRasta 2.0 RC (rev 429)]&lt;/p&gt;  &lt;p&gt;One service I’ve found to be increasingly useful is &lt;a href="http://www.exceptioneer.com/" target="_blank"&gt;Exceptioneer&lt;/a&gt; by &lt;a href="http://www.pixelprogramming.com/" target="_blank"&gt;Pixel Programming&lt;/a&gt;. As I’m about to start a new project using &lt;a href="http://www.openrasta.com/" target="_blank"&gt;OpenRasta&lt;/a&gt; I wanted to be able to use Exceptioneer with it in order that I can log any exceptions effectively.&lt;/p&gt;  &lt;p&gt;For a basic 404 error it was very easy. Just following the instructions on the Exceptioneer site for the ASP.NET integration worked a treat.&lt;/p&gt;  &lt;p&gt;However, a little more work was required for when something like a Handler in OpenRasta threw an exception that didn’t get caught. In this case I had to set up an OperationInterceptor in order to catch the exception and send it to Exceptioneer.&lt;/p&gt;  &lt;p&gt;Here is the ExceptionInterceptor class:&lt;/p&gt;  &lt;pre&gt;class ExceptionInterceptor : OperationInterceptor 
{
    // Stored from the constructor; not used by this interceptor itself, but
    // available should it need to resolve other dependencies later.
    readonly IDependencyResolver resolver;

    public ExceptionInterceptor(IDependencyResolver resolver)
    {
        this.resolver = resolver;
    }

    // Wraps the operation so that any exception escaping the handler is
    // submitted to Exceptioneer and then rethrown for OpenRasta to process.
    public override Func&amp;lt;IEnumerable&amp;lt;OutputMember&amp;gt;&amp;gt; RewriteOperation
        (Func&amp;lt;IEnumerable&amp;lt;OutputMember&amp;gt;&amp;gt; operationBuilder) 
    {
        return () =&amp;gt;
        {
            IEnumerable&amp;lt;OutputMember&amp;gt; result = null;
            try
            {
                result = operationBuilder();
            }
            catch (Exception ex)
            {
                // Report the exception to Exceptioneer (needs
                // using Exceptioneer.WebClient;) and rethrow it unchanged
                // so the original stack trace is preserved.
                Client exceptioneerClient = new Client();
                exceptioneerClient.CurrentException = ex;
                exceptioneerClient.Submit();
                throw;
            }
            return result;
        };
    }
} &lt;/pre&gt;

&lt;p&gt;Note that you have to include &lt;code&gt;using Exceptioneer.WebClient;&lt;/code&gt; at the top of the file.&lt;/p&gt;

&lt;p&gt;What this gives us is the ability to catch any exception left uncaught by the handler, log it to Exceptioneer, then rethrow it so that OpenRasta continues on as it would have normally.&lt;/p&gt;

&lt;p&gt;All that remains is to wire this up. In the Configuration class (if you’ve used the Visual Studio 2008 project template, or whatever your IConfigurationSource class is called otherwise) the following is added to the Configure method:&lt;/p&gt;

&lt;pre&gt;ResourceSpace.Uses.CustomDependency&amp;lt;IOperationInterceptor,
    ExceptionInterceptor&amp;gt;(DependencyLifetime.Transient);&lt;/pre&gt;


&lt;p&gt;Now any time a handler has an uncaught exception, it will be logged and sent off to Exceptioneer.&lt;/p&gt;

&lt;p&gt;Further reading:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href="http://blog.robustsoftware.co.uk/2009/12/better-actionresult-open-rasta-edition_15.html"&gt;A better ActionResult: Open Rasta edition (part 2)&lt;/a&gt; by Garry Shutler &lt;/li&gt;

  &lt;li&gt;&lt;a href="http://blog.exceptioneer.com/blog/using-exceptioneer-to-log-handled-exceptions/" target="_blank"&gt;Using Exceptioneer to log handled exceptions&lt;/a&gt; on the Exceptioneer Blog &lt;/li&gt;
&lt;/ul&gt;</description>
            <dc:creator>Colin Angus Mackay</dc:creator>
            <guid>http://blog.colinmackay.net/archive/2010/02/09/Integrating-Exceptioneer-with-OpenRasta.aspx</guid>
            <pubDate>Tue, 09 Feb 2010 23:46:52 GMT</pubDate>
            <wfw:comment>http://blog.colinmackay.net/comments/11408.aspx</wfw:comment>
            <comments>http://blog.colinmackay.net/archive/2010/02/09/Integrating-Exceptioneer-with-OpenRasta.aspx#feedback</comments>
            <wfw:commentRss>http://blog.colinmackay.net/comments/commentRss/11408.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Tip of the Day #17: Duplicate input fields</title>
            <link>http://blog.colinmackay.net/archive/2010/02/06/Tip-of-the-Day-17-Duplicate-input-fields.aspx</link>
            <description>&lt;p&gt;Don’t allow duplicate input fields into your form.&lt;/p&gt;
&lt;p&gt;The other day I was trying to debug a bug in an application that I maintain. The code created a set of pagination buttons at the top of the page with previous and next buttons. At some point a request had come in that the buttons needed to be replicated at the bottom of the page. Since the HTML was being built up in a string and dumped in a literal control in the first place, the developer who was tasked with making the change just dumped the string into two literal controls: the original at the top of the page, and the new one at the bottom of the page. The previous and next buttons use hidden input fields to tell the application which actual page number the buttons correspond to. These were now duplicated, and as a result the previous and next buttons ceased to work.&lt;/p&gt;
&lt;p&gt;Here is an example of something similar:&lt;/p&gt;
&lt;pre&gt;&amp;lt;input id="first-hidden-field" value="123" type="hidden" name="some-name" /&amp;gt;
&amp;lt;input id="submit-button" value="Submit" type="submit" /&amp;gt;
&amp;lt;input id="second-hidden-field" value="456" type="hidden" name="some-name" /&amp;gt;&lt;/pre&gt;
&lt;p&gt;When the form fields are returned to the application and the field “some-name” is queried, the result is a combination of the two fields with the duplicate name. In this case:&lt;/p&gt;
&lt;pre&gt;string someName = Request.Form["some-name"];&lt;/pre&gt;
&lt;p&gt;will result in the value “123,456” being stored in the string. Basically, it is the comma-separated list of the values of all the input fields with the given name.&lt;/p&gt;</description>
            <dc:creator>Colin Angus Mackay</dc:creator>
            <guid>http://blog.colinmackay.net/archive/2010/02/06/Tip-of-the-Day-17-Duplicate-input-fields.aspx</guid>
            <pubDate>Sat, 06 Feb 2010 22:01:38 GMT</pubDate>
            <wfw:comment>http://blog.colinmackay.net/comments/11368.aspx</wfw:comment>
            <comments>http://blog.colinmackay.net/archive/2010/02/06/Tip-of-the-Day-17-Duplicate-input-fields.aspx#feedback</comments>
            <slash:comments>1</slash:comments>
            <wfw:commentRss>http://blog.colinmackay.net/comments/commentRss/11368.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Visual Studio / SQL Server install order on Windows 7</title>
            <link>http://blog.colinmackay.net/archive/2009/10/11/Visual-Studio--SQL-Server-install-order-on-Windows-7.aspx</link>
            <description>&lt;p&gt;Quite a while ago I blogged about the &lt;a href="http://blog.colinmackay.net/archive/2008/08/03/3206.aspx"&gt;Visual Studio / SQL Server install order on Windows Vista&lt;/a&gt;. I’m about to go through a similar exercise on Windows 7 and, given the issues I had then, I thought that it would be only right to document the procedure in case any problems arose.&lt;/p&gt;  &lt;p&gt;Last time, it would seem, the best solution was to install things in the order in which Microsoft released them, with the notable exception of the operating system. So this time, that is the strategy that I’m going to take. Windows 7 is already installed on my laptop. Then I’m going to install Visual Studio 2008, then SQL Server 2008, then any patches for either and we’ll see how we get on. &lt;/p&gt;  &lt;p&gt;I’m also going to ensure that I do NOT install SQL Server Express Edition with Visual Studio 2008 as I’ve had problems with that before. Essentially, the problem last time was that the SQL Server installer mistook Visual Studio’s SQL Server Express installation as having installed certain things. 
The SQL Server installation therefore didn’t want to repeat what it didn’t need to so it refused to install the client tools.&lt;/p&gt;  &lt;h2&gt;Install Order&lt;/h2&gt;  &lt;ul&gt;   &lt;li&gt;Visual Studio 2008, excluding SQL Server 2005 Express Edition &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;&lt;a title="vs2008-installer-no-sql-express by Colin  Angus Mackay, on Flickr" href="http://www.flickr.com/photos/colinangusmackay/3998065131/"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" border="0" alt="vs2008-installer-no-sql-express" src="http://farm3.static.flickr.com/2562/3998065131_db70ee5207_o.png" width="766" height="587" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;MSDN Library (This is optional – I installed it because I’m occasionally developing on the road with no or limited connectivity) &lt;/li&gt;    &lt;li&gt;Visual Studio 2008 Service Pack 1 (this is required in order to install SQL Server 2008 – the installation will fail otherwise) &lt;/li&gt;    &lt;li&gt;SQL Server 2008 Developer Edition &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt; &lt;a title="sql-server-2008-compatibility-issues by Colin  Angus Mackay, on Flickr" href="http://www.flickr.com/photos/colinangusmackay/3999036490/"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" border="0" alt="sql-server-2008-compatibility-issues" src="http://farm4.static.flickr.com/3496/3999036490_171190fea1_o.png" width="602" height="298" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Install SQL Server 2008 SP1&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;That’s it – Job done. And it only took me two attempts to get it right this time. 
My stumbling block here was the order in which I applied the service packs.&lt;/p&gt;</description>
            <dc:creator>Colin Angus Mackay</dc:creator>
            <guid>http://blog.colinmackay.net/archive/2009/10/11/Visual-Studio--SQL-Server-install-order-on-Windows-7.aspx</guid>
            <pubDate>Sun, 11 Oct 2009 10:50:22 GMT</pubDate>
            <wfw:comment>http://blog.colinmackay.net/comments/9407.aspx</wfw:comment>
            <comments>http://blog.colinmackay.net/archive/2009/10/11/Visual-Studio--SQL-Server-install-order-on-Windows-7.aspx#feedback</comments>
            <slash:comments>6</slash:comments>
            <wfw:commentRss>http://blog.colinmackay.net/comments/commentRss/9407.aspx</wfw:commentRss>
        </item>
        <item>
            <title>NMA - Top interactive agencies</title>
            <link>http://blog.colinmackay.net/archive/2009/10/10/NMA--Top-interactive-agencies.aspx</link>
            <description>&lt;p&gt;This year's New Media Age top interactive agencies list is out. I’m quite pleased to see that I work for a company that is doing very well in the list.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.flickr.com/photos/colinangusmackay/3997178205/" title="Equator-Scotland-Top5 by Colin  Angus Mackay, on Flickr"&gt;&lt;img width="516" height="282" border="0" src="http://farm3.static.flickr.com/2655/3997178205_81c689bdfe_o.jpg" alt="Equator-Scotland-Top5" style="border: 0px none ; display: block; float: none; margin-left: auto; margin-right: auto;" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;I work for &lt;a href="http://www.eqtr.com"&gt;Equator&lt;/a&gt; which is currently the top ranking agency in Scotland, and #41 in the UK.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.flickr.com/photos/colinangusmackay/3997178207/" title="equator-synopsis by Colin  Angus Mackay, on Flickr"&gt;&lt;img width="516" height="637" border="0" src="http://farm3.static.flickr.com/2654/3997178207_91382d02cf_o.jpg" alt="equator-synopsis" style="border: 0px none ; display: block; float: none; margin-left: auto; margin-right: auto;" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The bit I'd like to point out, just to blow my own trumpet, is the last paragraph:&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.flickr.com/photos/colinangusmackay/3997948574/" title="Colin-Mackay-Key-Hire by Colin  Angus Mackay, on Flickr"&gt;&lt;img width="516" height="163" border="0" src="http://farm3.static.flickr.com/2608/3997948574_4cb2c2a9fc_o.jpg" alt="Colin-Mackay-Key-Hire" style="border: 0px none ; display: block; float: none; margin-left: auto; margin-right: auto;" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;"Key hires include &lt;a href="http://www.scottishdevelopers.com"&gt;Scottish Developers&lt;/a&gt; chairman Colin McKay [sic] as senior developer and Robert Graham as director of application development." - NMA&lt;br /&gt;
&lt;/p&gt;</description>
            <dc:creator>Colin Angus Mackay</dc:creator>
            <guid>http://blog.colinmackay.net/archive/2009/10/10/NMA--Top-interactive-agencies.aspx</guid>
            <pubDate>Sat, 10 Oct 2009 12:49:11 GMT</pubDate>
            <wfw:comment>http://blog.colinmackay.net/comments/9386.aspx</wfw:comment>
            <comments>http://blog.colinmackay.net/archive/2009/10/10/NMA--Top-interactive-agencies.aspx#feedback</comments>
            <slash:comments>5</slash:comments>
            <wfw:commentRss>http://blog.colinmackay.net/comments/commentRss/9386.aspx</wfw:commentRss>
        </item>
        <item>
            <title>My First OpenRasta Project - Part 2 (Resource Templates)</title>
            <link>http://blog.colinmackay.net/archive/2009/09/30/My-First-OpenRasta-Project--Part-2-Resource-Templates.aspx</link>
            <description>&lt;p&gt;To get started see &lt;a title="Getting started with OpenRasta (part 1)" href="http://blog.colinmackay.net/archive/2009/09/28/My-First-OpenRasta-Project--Part-1.aspx"&gt;part 1&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;For this part the Invoice class has been expanded to include another property; you'll see why in a moment. It now looks like this:&lt;/p&gt;
&lt;pre&gt;public class Invoice
{
    public string Reference { get; set; }
    public DateTime Date { get; set; }
}&lt;/pre&gt;
&lt;p&gt;Up to this point we are just showing some simple XML based on one of the built-in codecs that ship as part of OpenRasta. There is a single URI and it always returns the same thing. So far there is nothing much going on.&lt;/p&gt;
&lt;p&gt;You can keep on adding resources to the ResourceSpace when you are configuring the site, but that is hardly a scalable solution when so many applications are based on dynamic data. You need a way to define a resource template.&lt;/p&gt;
&lt;p&gt;The way this is done is by adding placeholders into the URI. These placeholders are defined by a pair of curly braces with a parameter name inside. This is a bit like the string.Format method, except you can use meaningful names instead of the ordinal position of the parameter.&lt;/p&gt;
&lt;p&gt;The configuration of the ResourceSpace in the Configuration class is changed to:&lt;/p&gt;
&lt;pre&gt;ResourceSpace.Has.ResourcesOfType&amp;lt;Invoice&amp;gt;()
    .AtUri("/invoice/{reference}")
    .HandledBy&amp;lt;InvoiceHandler&amp;gt;()
    .AsXmlDataContract();&lt;/pre&gt;
&lt;p&gt;As you can see the only difference is that the parameter on the AtUri method is changed.&lt;/p&gt;
&lt;p&gt;OpenRasta will then look in the handler for a method that matches the HTTP verb and the parameters defined in the template.&lt;/p&gt;
&lt;p&gt;The InvoiceHandler now has a method that looks like this:&lt;/p&gt;
&lt;pre&gt;public Invoice Get(string reference)
{
    Invoice result = InvoiceRepository.GetInvoiceByReference(reference);
    return result;
}&lt;/pre&gt;
&lt;p&gt;Don't worry about the InvoiceRepository. It simply exists to get an Invoice object from somewhere. It could be from a database, in memory, a file or wherever.&lt;/p&gt;
&lt;p&gt;We can now go to the URI /invoice/123-ABC and get the output:&lt;/p&gt;
&lt;pre&gt;&amp;lt;?xml version="1.0" encoding="utf-8"?&amp;gt;
&amp;lt;Invoice xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://schemas.datacontract.org/2004/07/MyFirstOpenRastaProject.Resources"&amp;gt;
  &amp;lt;Date&amp;gt;2009-09-30T00:00:00+01:00&amp;lt;/Date&amp;gt;
  &amp;lt;Reference&amp;gt;123-ABC&amp;lt;/Reference&amp;gt;
&amp;lt;/Invoice&amp;gt;&lt;/pre&gt;
&lt;p&gt;However, that's not the whole story. You can do some pretty neat things with resource templates.&lt;/p&gt;
&lt;p&gt;For example, if the method parameter on the resource handler is a DateTime object you can build up the URI template using the property names in the DateTime object. The template parameters will then be mapped to the properties in the DateTime object.&lt;/p&gt;
&lt;p&gt;First the configuration has to be updated:&lt;/p&gt;
&lt;pre&gt;ResourceSpace.Has.ResourcesOfType&amp;lt;Invoice&amp;gt;()
    .AtUri("/invoice/{reference}")
    .And.AtUri("/invoice/{day}/{month}/{year}")
    .HandledBy&amp;lt;InvoiceHandler&amp;gt;()
    .AsXmlDataContract();&lt;/pre&gt;
&lt;p&gt;There is only one additional line here and that is to add a URI with a template containing the day, month and year. It is still the same type of resource and the code hasn't changed. All that is new is the URI template. If you were to attempt to create a brand new ResourceSpace for the Invoice resource you'd get an error that the resource type was already registered in the system.&lt;/p&gt;
&lt;p&gt;The InvoiceHandler class will need an additional method to handle the new template. The new method looks like this:&lt;/p&gt;
&lt;pre&gt;public Invoice Get(DateTime date)
{
    Invoice result = InvoiceRepository.GetInvoiceByDate(date);
    return result;
}&lt;/pre&gt;
&lt;p&gt;The result for the URI /invoice/29/09/2009 looks like this:&lt;/p&gt;
&lt;pre&gt;&amp;lt;?xml version="1.0" encoding="utf-8"?&amp;gt;
&amp;lt;Invoice xmlns:i="http://www.w3.org/2001/XMLSchema-instance" 
         xmlns="http://schemas.datacontract.org/2004/07/MyFirstOpenRastaProject.Resources"&amp;gt;
  &amp;lt;Date&amp;gt;2009-09-29T00:00:00&amp;lt;/Date&amp;gt;
  &amp;lt;Reference&amp;gt;3e5a4e9e-3b46-4b09-a8f8-45010411501b&amp;lt;/Reference&amp;gt;
&amp;lt;/Invoice&amp;gt;&lt;/pre&gt;
&lt;div style="PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: inline; FLOAT: none; PADDING-TOP: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:dd04ad62-b9d0-44dd-9a9f-eb591ae29464" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a rel="tag" href="http://technorati.com/tags/OpenRasta"&gt;OpenRasta&lt;/a&gt;,&lt;a rel="tag" href="http://technorati.com/tags/ResourceSpace"&gt;ResourceSpace&lt;/a&gt;,&lt;a rel="tag" href="http://technorati.com/tags/URI"&gt;URI&lt;/a&gt;,&lt;a rel="tag" href="http://technorati.com/tags/resource+template"&gt;resource template&lt;/a&gt;&lt;/div&gt;&lt;img src="http://blog.colinmackay.net/aggbug/9177.aspx" width="1" height="1" /&gt;</description>
            <dc:creator>Colin Angus Mackay</dc:creator>
            <guid>http://blog.colinmackay.net/archive/2009/09/30/My-First-OpenRasta-Project--Part-2-Resource-Templates.aspx</guid>
            <pubDate>Wed, 30 Sep 2009 20:08:46 GMT</pubDate>
            <wfw:comment>http://blog.colinmackay.net/comments/9177.aspx</wfw:comment>
            <comments>http://blog.colinmackay.net/archive/2009/09/30/My-First-OpenRasta-Project--Part-2-Resource-Templates.aspx#feedback</comments>
            <wfw:commentRss>http://blog.colinmackay.net/comments/commentRss/9177.aspx</wfw:commentRss>
        </item>
        <item>
            <title>My First OpenRasta Project - Part 1</title>
            <link>http://blog.colinmackay.net/archive/2009/09/28/My-First-OpenRasta-Project--Part-1.aspx</link>
            <description>&lt;p&gt;On the &lt;a href="http://trac.caffeine-it.com/openrasta/wiki"&gt;OpenRasta Wiki&lt;/a&gt; there are some &lt;a title="Setting up an OpenRasta project manually" href="http://trac.caffeine-it.com/openrasta/wiki/Doc/Tutorials/FirstSite"&gt;instructions&lt;/a&gt; on getting your project up and running the manual way, should you so wish. One of the new features introduced at the last beta was a Visual Studio 2008 project template, which installs as part of the binary distribution.&lt;/p&gt;
&lt;p&gt;Once installed you can create an OpenRasta project by going to the “Visual C#” Project Types and selecting OpenRasta ASP.NET Application (3.5) from the templates on the right of the dialog.&lt;/p&gt;
&lt;p&gt;&lt;a title="OpenRasta: New Project by Colin  Angus Mackay, on Flickr" href="http://www.flickr.com/photos/colinangusmackay/3963679622/"&gt;&lt;img style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" border="0" alt="OpenRasta: New Project" width="500" height="354" src="http://farm3.static.flickr.com/2635/3963679622_40c2bf0710.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Once the project is created you’ll see that it has set the project up, added the references to the assemblies that it needs and created an initial handler, resource and views.&lt;/p&gt;
&lt;p&gt;&lt;a title="OpenRasta: Solution Explorer by Colin  Angus Mackay, on Flickr" href="http://www.flickr.com/photos/colinangusmackay/3962904101/"&gt;&lt;img style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" border="0" alt="OpenRasta: Solution Explorer" width="282" height="651" src="http://farm4.static.flickr.com/3484/3962904101_baa2fc1b3f_o.png" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Before continuing further, a little explanation of what each of these things is would be in order.&lt;/p&gt;
&lt;p&gt;A &lt;em&gt;resource&lt;/em&gt; is a source of information. It is referenced via a URI. This blog post is a resource, an image is a resource, an invoice is a resource. However, a resource does not imply any particular kind of representation. In terms of OpenRasta a resource is simply an object.&lt;/p&gt;
&lt;p&gt;A &lt;em&gt;handler&lt;/em&gt; is an object that manages the interaction of the resources. In MVC parlance it would be the “C” or controller.&lt;/p&gt;
&lt;p&gt;A &lt;em&gt;view&lt;/em&gt; is a regular ASP.NET page that can be rendered via the WebFormsCodec. It is not compulsory to implement any views at all if you don’t need ASP.NET.&lt;/p&gt;
&lt;p&gt;A &lt;em&gt;codec&lt;/em&gt; is the class responsible for en&lt;strong&gt;cod&lt;/strong&gt;ing and &lt;strong&gt;dec&lt;/strong&gt;oding the representation of a resource. The built in codecs are WebForms, JSON and two types of XML.&lt;/p&gt;
&lt;h2&gt;First Code&lt;/h2&gt;
&lt;p&gt;When you get started you’ll need to configure OpenRasta. It needs to know the details of the resources you want to expose and the handlers that can deal with those resources. To do that OpenRasta looks for a class in your project that implements the IConfigurationSource interface.&lt;/p&gt;
&lt;p&gt;If you have two or more classes that implement this interface then the first one found will be used. As the project template already contains a Configuration class set up and ready to go, there is nothing additional to do other than set the configuration.&lt;/p&gt;
&lt;p&gt;In the example I’m going to show, we will be rendering an invoice. So the configuration needs to look like this:&lt;/p&gt;
&lt;pre&gt;public class Configuration : IConfigurationSource
{
    public void Configure()
    {
        using (OpenRastaConfiguration.Manual)
        {
            ResourceSpace.Has.ResourcesOfType&amp;lt;Invoice&amp;gt;()
                .AtUri("/invoice")
                .HandledBy&amp;lt;InvoiceHandler&amp;gt;()
                .AsXmlDataContract();
        }
    }
}&lt;/pre&gt;
&lt;p&gt;The configuration happens through a fluent interface. The ResourceSpace is the root object where you can define the resources in your application, what handles them and how they are represented. In this case this is going to be a fairly simple example. As it is a fluent interface it does seem to be fairly self-explanatory.&lt;/p&gt;
&lt;p&gt;The Invoice class is a simple POCO DTO that represents an invoice. POCO means Plain Old CLR Object and DTO is a Data Transfer Object. In this example the Invoice just looks like this:&lt;/p&gt;
&lt;pre&gt;public class Invoice
{
    public string Reference { get; set; }
}&lt;/pre&gt;
&lt;p&gt;The InvoiceHandler class is another POCO that happens to have methods on it that are picked up by the use of conventions. If you have a method named after an HTTP verb (like GET or POST) then OpenRasta will use it to handle that verb. &lt;/p&gt;
&lt;p&gt;In this example we are just going to return a simple Invoice object. I don’t want to complicate the example with other things at the present, so it will, in fact, always return an invoice with the same Reference property value.&lt;/p&gt;
&lt;pre&gt;public class InvoiceHandler
{
    public Invoice Get()
    {
        return new Invoice
        {
            Reference = "123-456/ABC"
        };
    }
}&lt;/pre&gt;
&lt;p&gt;As the configuration specified that the XML Data Contract codec was to be used, the invoice is rendered using that codec. The output looks like this:&lt;/p&gt;
&lt;pre&gt;&amp;lt;?xml version="1.0" encoding="utf-8"?&amp;gt;
&amp;lt;Invoice xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://schemas.datacontract.org/2004/07/MyFirstOpenRastaProject.Resources"&amp;gt;
  &amp;lt;Reference&amp;gt;123-456/ABC&amp;lt;/Reference&amp;gt;
&amp;lt;/Invoice&amp;gt;&lt;/pre&gt;
&lt;p&gt;Obviously at this stage it isn’t very useful. This is just a quick demonstration showing how quickly something can be set up. In coming parts I’ll be addressing other issues so that more useful things can be done.&lt;/p&gt;
&lt;p&gt;NOTE: This blog post is based on OpenRasta 2.0 Beta 2 (2.0.2069.364): [&lt;a title="Download OpenRasta" href="http://www.ohloh.net/p/openrasta/download"&gt;Download&lt;/a&gt;]&lt;/p&gt;
&lt;div style="PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: inline; FLOAT: none; PADDING-TOP: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:0b4f63bd-ec98-4dce-bf92-ba4069333b5a" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a rel="tag" href="http://technorati.com/tags/OpenRasta"&gt;OpenRasta&lt;/a&gt;&lt;/div&gt;&lt;img src="http://blog.colinmackay.net/aggbug/9155.aspx" width="1" height="1" /&gt;</description>
            <dc:creator>Colin Angus Mackay</dc:creator>
            <guid>http://blog.colinmackay.net/archive/2009/09/28/My-First-OpenRasta-Project--Part-1.aspx</guid>
            <pubDate>Mon, 28 Sep 2009 20:26:46 GMT</pubDate>
            <wfw:comment>http://blog.colinmackay.net/comments/9155.aspx</wfw:comment>
            <comments>http://blog.colinmackay.net/archive/2009/09/28/My-First-OpenRasta-Project--Part-1.aspx#feedback</comments>
            <slash:comments>1</slash:comments>
            <wfw:commentRss>http://blog.colinmackay.net/comments/commentRss/9155.aspx</wfw:commentRss>
        </item>
        <item>
            <title>SQL Injection Attacks and Tips on How to Prevent Them</title>
            <link>http://blog.colinmackay.net/archive/2009/09/24/SQL-Injection-Attacks-and-Tips-on-How-to-Prevent-Them.aspx</link>
            <description>&lt;p&gt;I’m giving a talk in Dundee on the topic of SQL Injection Attacks. If you are interested in the subject then the registration link is at the bottom of the page.&lt;/p&gt;  &lt;p align="center"&gt;&lt;strong&gt;Wednesday, 28th October 2009 at 19:00 – 21:00      &lt;br /&gt;Queen Margaret Building, Dundee University&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;The Talk&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;In light of some recent events, such as the man who was convicted of &lt;a href="http://news.bbc.co.uk/1/hi/world/americas/8206305.stm"&gt;stealing 130 million credit card details through a SQL Injection attack&lt;/a&gt;, it is imperative that developers understand what a SQL Injection Attack is, how they are carried out, and most importantly, how to defend your code against attack.&lt;/p&gt;  &lt;p&gt;In this talk I’ll demonstrate a SQL Injection Attack on an application in a controlled environment*. I’ll show you where the vulnerable code lies and what you can do to harden it.&lt;/p&gt;  &lt;p&gt;Although this talk uses C# as the application language and Microsoft SQL Server 2008 as the database engine many of the concepts and prevention mechanisms will apply to any application that accesses a database through SQL.&lt;/p&gt;  &lt;p&gt;* Demonstrating an attack on a real system without the owner’s consent is a breach of the 1990 Misuse of Computers Act, hence the controlled environment.&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;The Venue&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;We are meeting in the Queen Mother Building at Dundee University. 
After the meeting we normally retire to the bar at Laing's&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;The Agenda&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;18:45 Doors Open    &lt;br /&gt;19:00 Welcome     &lt;br /&gt;19:10 The Talk (Part 1)     &lt;br /&gt;19:55 Break     &lt;br /&gt;20:05 The Talk (Part 2)     &lt;br /&gt;20:45 Feedback &amp;amp; Prizes     &lt;br /&gt;21:00 Repair to the Pub&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Registration&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;Space is limited, so we would ask that you &lt;a title="SQL Injection Attacks and Tips on How To Prevent Them" href="http://www.eventbrite.com/event/443957890/colmac"&gt;sign up&lt;/a&gt;.&lt;/p&gt;  &lt;div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:1042c58b-5acf-45b9-9e40-ab1d6d46edfe" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/sql" rel="tag"&gt;sql&lt;/a&gt;,&lt;a href="http://technorati.com/tags/sql+injection+attack" rel="tag"&gt;sql injection attack&lt;/a&gt;,&lt;a href="http://technorati.com/tags/security" rel="tag"&gt;security&lt;/a&gt;&lt;/div&gt;</description>
            <dc:creator>Colin Angus Mackay</dc:creator>
            <guid>http://blog.colinmackay.net/archive/2009/09/24/SQL-Injection-Attacks-and-Tips-on-How-to-Prevent-Them.aspx</guid>
            <pubDate>Thu, 24 Sep 2009 03:29:25 GMT</pubDate>
            <wfw:comment>http://blog.colinmackay.net/comments/9103.aspx</wfw:comment>
            <comments>http://blog.colinmackay.net/archive/2009/09/24/SQL-Injection-Attacks-and-Tips-on-How-to-Prevent-Them.aspx#feedback</comments>
            <slash:comments>1</slash:comments>
            <wfw:commentRss>http://blog.colinmackay.net/comments/commentRss/9103.aspx</wfw:commentRss>
        </item>
        <item>
            <title>If you really must do dynamic SQL&amp;hellip;</title>
            <link>http://blog.colinmackay.net/archive/2009/09/21/If-you-really-must-do-dynamic-SQLhellip.aspx</link>
            <description>&lt;p&gt;I may have mentioned in previous posts and articles about SQL Injection Attacks that dynamic SQL (building SQL commands by concatenating strings together) is a source of failure in the security of a data driven application. It becomes easy to inject malicious text in there to cause the system to return incorrect responses. Generally the solution is to use parameterised queries&lt;/p&gt;  &lt;p&gt;However, there are times where you may have no choice. For example, if you want to dynamically reference tables or columns. You can’t do that as the table name or column name cannot be replaced with a parameter. You then have to use dynamic SQL and inject these into a SQL command.&lt;/p&gt;  &lt;h2&gt;The problem&lt;/h2&gt;  &lt;p&gt;It is possible for SQL Server to do that concatenation for you. For example:&lt;/p&gt;  &lt;pre&gt;CREATE PROCEDURE GetData 
	@Id INT,
	@TableName sysname,
	@ColumnName sysname
AS
BEGIN
	SET NOCOUNT ON;
	
	DECLARE @sql nvarchar(max) = 
		'SELECT ' + @ColumnName + 
		' FROM ' + @TableName + 
		' WHERE Id = '+cast(@Id as nvarchar(20));	
	EXEC(@sql)
END
GO&lt;/pre&gt;

&lt;p&gt;This is a simple stored procedure that gets some data dynamically. However, even though everything is neatly parameterised, it is no protection. All that has happened is that the location of the vulnerability (i.e. the place where the SQL is constructed) has moved from the application into the database. The application is now parameterising everything, which is good. But there is more to consider than just that.&lt;/p&gt;

&lt;h2&gt;Validating the input&lt;/h2&gt;

&lt;p&gt;The next line of defence should be verifying that the table and column names passed are actually valid. In SQL Server you can query the &lt;strong&gt;INFORMATION_SCHEMA&lt;/strong&gt; views to determine whether the column and tables exist.&lt;/p&gt;

&lt;p&gt;If, for example, there is a table called &lt;strong&gt;MainTable&lt;/strong&gt; in the database you can check it with a query like this:&lt;/p&gt;

&lt;pre&gt;SELECT * FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_NAME = 'MainTable'&lt;/pre&gt;

&lt;p&gt;And it will return:&lt;/p&gt;

&lt;p&gt;&lt;a title="INFORMATION_SCHEMA.TABLES by Colin  Angus Mackay, on Flickr" href="http://www.flickr.com/photos/colinangusmackay/3940740909/"&gt;&lt;img style="border-right-width: 0px; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" border="0" alt="INFORMATION_SCHEMA.TABLES" src="http://farm4.static.flickr.com/3510/3940740909_32d8c15927_o.png" width="417" height="64" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;There is a similar view for checking columns. For example:&lt;/p&gt;

&lt;p&gt;&lt;a title="INFORMATION_SCHEMA.COLUMNS by Colin  Angus Mackay, on Flickr" href="http://www.flickr.com/photos/colinangusmackay/3940756637/"&gt;&lt;img style="border-right-width: 0px; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" border="0" alt="INFORMATION_SCHEMA.COLUMNS" src="http://farm4.static.flickr.com/3504/3940756637_c35304d4f9_o.png" width="510" height="70" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As you can see, the &lt;strong&gt;INFORMATION_SCHEMA.COLUMNS&lt;/strong&gt; view also contains sufficient detail on the table so that when we implement it we only have to make one check:&lt;/p&gt;

&lt;pre&gt;ALTER PROCEDURE GetData 
	@Id INT,
	@TableName sysname,
	@ColumnName sysname
AS
BEGIN
    SET NOCOUNT ON;
	
    IF EXISTS (SELECT * FROM INFORMATION_SCHEMA.COLUMNS 
               WHERE TABLE_NAME = @TableName AND COLUMN_NAME = @ColumnName)
    BEGIN
        DECLARE @sql nvarchar(max) = 
            'SELECT ' + @ColumnName + 
            ' FROM ' + @TableName + 
            ' WHERE Id = '+cast(@Id as nvarchar(20));	
        EXEC(@sql)
    END
END
GO&lt;/pre&gt;

&lt;h2&gt;Formatting the input&lt;/h2&gt;

&lt;p&gt;The above is only part of the solution. It is perfectly possible for a table name to contain characters that mean it needs to be escaped (e.g. a space character, or the table may share a name with a SQL keyword). To escape a table or column name it is enclosed in square brackets, so a table name of &lt;strong&gt;My Table&lt;/strong&gt; becomes &lt;strong&gt;[My Table]&lt;/strong&gt; and a table called &lt;strong&gt;select&lt;/strong&gt; becomes &lt;strong&gt;[select]&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;You can also escape table and column names that wouldn’t ordinarily require escaping. It makes no difference to them.&lt;/p&gt;

&lt;p&gt;The code now becomes:&lt;/p&gt;

&lt;pre&gt;ALTER PROCEDURE GetData 
	@Id INT,
	@TableName sysname,
	@ColumnName sysname
AS
BEGIN
    SET NOCOUNT ON;
	
    IF EXISTS (SELECT * FROM INFORMATION_SCHEMA.COLUMNS 
               WHERE TABLE_NAME = @TableName AND COLUMN_NAME = @ColumnName)
    BEGIN
        DECLARE @sql nvarchar(max) = 
            'SELECT [' + @ColumnName + '] ' + 
            'FROM [' + @TableName + '] ' +
            'WHERE Id = '+cast(@Id as nvarchar(20));	
        EXEC(@sql)
    END
END
GO&lt;/pre&gt;

&lt;p&gt;But that's not quite the full story.&lt;/p&gt;

&lt;h2&gt;Really formatting the input&lt;/h2&gt;

&lt;p&gt;What if you have a table called &lt;strong&gt;Cra]zee Table&lt;/strong&gt;? Okay - Why on earth would you have a table with such a stupid name? It happens, and it is a perfectly legitimate table name in SQL Server. People do weird stuff and you have to deal with it.&lt;/p&gt;

&lt;p&gt;The current stored procedure will simply fall apart when presented with such input. The call to the stored procedure would look like this:&lt;/p&gt;

&lt;pre&gt;EXEC GetData 1, 'Cra]zee Table', 'MadStuff'&lt;/pre&gt;

&lt;p&gt;And it gets past the validation stage because it is a table in the system. The result is a message: &lt;/p&gt;

&lt;pre&gt;Msg 156, Level 15, State 1, Line 1
Incorrect syntax near the keyword 'Table'.&lt;/pre&gt;
&lt;p&gt;The SQL produced looks like this:&lt;/p&gt;

&lt;pre&gt;SELECT [MadStuff] FROM [Cra]zee Table] WHERE Id = 1&lt;/pre&gt;

&lt;p&gt;By this point it should be obvious why it failed. The SQL parser interpreted the first closing square bracket as the terminator for the escaped section.&lt;/p&gt;

&lt;p&gt;There are other special characters in SQL that require special consideration and you could write code to process them before adding it to the SQL string. In fact, I’ve seen many people do that. And more often than not they get it wrong.&lt;/p&gt;

&lt;p&gt;The better way to deal with that sort of thing is to use a built-in function in SQL Server called &lt;strong&gt;&lt;a title="QUOTENAME function (SQL Server Books On-Line)" href="http://msdn.microsoft.com/en-us/library/ms176114.aspx"&gt;QUOTENAME&lt;/a&gt;&lt;/strong&gt;. This will ensure the column or table name is properly escaped, including any closing square brackets within the name. The stored procedure we are building now looks like this:&lt;/p&gt;

&lt;pre&gt;ALTER PROCEDURE GetData 
	@Id INT,
	@TableName sysname,
	@ColumnName sysname
AS
BEGIN
    SET NOCOUNT ON;
	
    IF EXISTS (SELECT * FROM INFORMATION_SCHEMA.COLUMNS 
               WHERE TABLE_NAME = @TableName AND COLUMN_NAME = @ColumnName)
    BEGIN
        DECLARE @sql nvarchar(max) = 
            'SELECT ' + QUOTENAME(@ColumnName) +
            ' FROM ' + QUOTENAME(@TableName) + 
            ' WHERE Id = '+cast(@Id as nvarchar(20));	
        EXEC(@sql)
    END
END
GO&lt;/pre&gt;

&lt;h2&gt;Things that can be parameterised&lt;/h2&gt;

&lt;p&gt;There is still something that can be done to this. The Id value is being injected into the SQL string, yet it is something that can quite easily be parameterised.&lt;/p&gt;

&lt;p&gt;The issue at the moment is that the SQL String is being executed by using the &lt;a title="EXECUTE (T-SQL) (SQL Server Books On-Line)" href="http://msdn.microsoft.com/en-us/library/ms188332.aspx"&gt;&lt;strong&gt;EXECUTE&lt;/strong&gt;&lt;/a&gt; command. However, you cannot pass parameters into this sort of executed SQL. You need to use a stored procedure called &lt;strong&gt;&lt;a title="sp_executesql (Stored Procedure, Transact SQL) (SQL Server Books On-Line)" href="http://msdn.microsoft.com/en-us/library/ms188001.aspx"&gt;sp_executesql&lt;/a&gt;&lt;/strong&gt;. This allows parameters to be defined and passed into the dynamically created SQL.&lt;/p&gt;

&lt;p&gt;The stored procedure now looks like this:&lt;/p&gt;

&lt;pre&gt;ALTER PROCEDURE GetData 
	@Id INT,
	@TableName sysname,
	@ColumnName sysname
AS
BEGIN
    SET NOCOUNT ON;
	
    IF EXISTS (SELECT * FROM INFORMATION_SCHEMA.COLUMNS 
               WHERE TABLE_NAME = @TableName AND COLUMN_NAME = @ColumnName)
    BEGIN
        DECLARE @sql nvarchar(max) = 
            'SELECT ' + QUOTENAME(@ColumnName) +
            ' FROM ' + QUOTENAME(@TableName) + 
            ' WHERE Id = @Identifier';	
        EXEC sp_executesql @sql, N'@Identifier int',
                           @Identifier = @Id
    END
END
GO&lt;/pre&gt;

&lt;p&gt;This is not quite the end of the story. There are performance improvements that can be made when using sp_executesql. You can find out about these in SQL Server Books Online.&lt;/p&gt;

&lt;h2&gt;And finally...&lt;/h2&gt;

&lt;p&gt;If you must use dynamic SQL in stored procedures do take care to ensure that all the data is validated and cannot harm your database. This is an area in which I tread very carefully if I have no other choice. &lt;/p&gt;

&lt;p&gt;Try to consider every conceivable input, especially inputs outside of the bounds of your application. Remember also that defending your database is a multi-layered strategy. Even if you have the best firewalls and security procedures elsewhere in your system, a determined hacker may find a way through your other defences and be communicating with the database in a way in which you didn’t anticipate. Assume that an attacker has got through your other defences: how do you provide the data services to your application(s) yet protect the database?&lt;/p&gt;

&lt;div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:80b80b8f-e1ea-40c0-bbd9-6e4760f85a79" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/sql" rel="tag"&gt;sql&lt;/a&gt;,&lt;a href="http://technorati.com/tags/sql+server" rel="tag"&gt;sql server&lt;/a&gt;,&lt;a href="http://technorati.com/tags/sql+injection+attack" rel="tag"&gt;sql injection attack&lt;/a&gt;,&lt;a href="http://technorati.com/tags/dynamic+sql" rel="tag"&gt;dynamic sql&lt;/a&gt;&lt;/div&gt;&lt;img src="http://blog.colinmackay.net/aggbug/9076.aspx" width="1" height="1" /&gt;</description>
            <dc:creator>Colin Angus Mackay</dc:creator>
            <guid>http://blog.colinmackay.net/archive/2009/09/21/If-you-really-must-do-dynamic-SQLhellip.aspx</guid>
            <pubDate>Mon, 21 Sep 2009 18:15:01 GMT</pubDate>
            <wfw:comment>http://blog.colinmackay.net/comments/9076.aspx</wfw:comment>
            <comments>http://blog.colinmackay.net/archive/2009/09/21/If-you-really-must-do-dynamic-SQLhellip.aspx#feedback</comments>
            <slash:comments>6</slash:comments>
            <wfw:commentRss>http://blog.colinmackay.net/comments/commentRss/9076.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Technology trends through Google Analytics</title>
            <link>http://blog.colinmackay.net/archive/2009/09/20/Technology-trends-through-Google-Analytics.aspx</link>
            <description>&lt;p&gt;I’ve been looking at various Google Analytics stats to see some recent technology trends. This started out as me being simply curious about what technologies people were using to access my blog. But then I got to thinking that it would be interesting to see how the statistics on my (Microsoft/Technology focused) blog fair with regard to other websites.&lt;/p&gt;  &lt;p&gt;The most interesting thing I found is that my blog does not match other other, more mainstream, sites I looked at. I seem to have some early adopters that cause jumps in the trend. Other sites tend to have more stable trends.&lt;/p&gt;  &lt;p&gt;For example, here’s the graph for my blog showing operating system usage:&lt;/p&gt;  &lt;p&gt;&lt;a title="MyBlog-2yr-OS by Colin  Angus Mackay, on Flickr" href="http://www.flickr.com/photos/colinangusmackay/3936275739/"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" border="0" alt="MyBlog-2yr-OS" src="http://farm3.static.flickr.com/2495/3936275739_39ba8cb0c3_o.png" width="570" height="570" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;In mid-2008 there is a jump of Windows Vista users. I tried to figure out why the number of Windows Vista users should jump like this and the only thing that I can actually think of is that this is about the time of “&lt;a href="http://www.microsoft.com/windows/mojave-experiment/#"&gt;The Mojave Experiment&lt;/a&gt;”. Alternatively, perhaps it is something I did on my blog bringing more traffic to me from people running Windows Vista?&lt;/p&gt;  &lt;p&gt;In July 2008 20% of visitors were using Windows Vista, the following month that number had jumped to 32%. Incidentally on August 3rd I wrote a blog post that has consistently be in my top-5 blog posts each month ever since. 
That post was about &lt;a href="http://blog.colinmackay.net/archive/2008/08/03/3200.aspx"&gt;installing SQL Server 2005 on Vista&lt;/a&gt;. In fact, that single post currently represents 14% of the monthly traffic to my blog.&lt;/p&gt;  &lt;p&gt;When looking at browser usage the trend doesn’t have such a wild jump in it. Internet Explorer is steadily being replaced by Firefox with most other browsers sitting down below 10%. There is, however, a rise in Chrome usage and I expect it to be past the 10% mark by the end of the year.&lt;/p&gt;  &lt;p&gt;&lt;a title="MyBlog-2yr-Browser by Colin  Angus Mackay, on Flickr" href="http://www.flickr.com/photos/colinangusmackay/3937055484/"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" border="0" alt="MyBlog-2yr-Browser" src="http://farm3.static.flickr.com/2450/3937055484_4ffd934399_o.png" width="570" height="570" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;What is interesting is the jump when Chrome first came on the market: it jumped in at 3.5% and has been steadily rising since. It is up to 8.1% now, so it is now in 3rd place.&lt;/p&gt;  &lt;h2&gt;Operating Systems&lt;/h2&gt;  &lt;p&gt;Let’s compare that to some more mainstream sites. 
I’m just going to put the graphs up one after the other then comment on them.&lt;/p&gt;  &lt;p&gt;First the operating system:&lt;/p&gt;  &lt;p&gt;&lt;a title="College-2yr-OS by Colin  Angus Mackay, on Flickr" href="http://www.flickr.com/photos/colinangusmackay/3937055726/"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" border="0" alt="College-2yr-OS" src="http://farm3.static.flickr.com/2440/3937055726_ccb69a2eba_o.png" width="570" height="570" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;a title="Lingerie-2yr-OS by Colin  Angus Mackay, on Flickr" href="http://www.flickr.com/photos/colinangusmackay/3936276021/"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" border="0" alt="Lingerie-2yr-OS" src="http://farm4.static.flickr.com/3448/3936276021_a6632f66b2_o.png" width="570" height="570" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;a title="Travel-2yr-OS by Colin  Angus Mackay, on Flickr" href="http://www.flickr.com/photos/colinangusmackay/3936275993/"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" border="0" alt="Travel-2yr-OS" src="http://farm4.static.flickr.com/3457/3936275993_f9cc03b02d_o.png" width="570" height="570" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;There are some very interesting variations between these graphs and my blog. None of these have a big jump in any particular operating system, so that suggests that Project Mojave, an earlier speculation to account for a jump in Vista users, didn’t have a big effect.&lt;/p&gt;  &lt;p&gt;What is most interesting is that people looking at Lingerie websites have more Apple Macs (purple line) than people looking at other sites. 
Mac usage for the lingerie site runs from 10% to 15% over the course of the two years.&lt;/p&gt;  &lt;p&gt;Windows XP usage is coming down, more markedly for the Lingerie site. I’d speculate that since businesses seem to be the ones holding on to Windows XP the longest (still installing it on newly purchased equipment, unlike the home market which will most likely stick to what is on the box already) those viewing the Lingerie website are more likely to do so from home. Certainly, if I were so inclined to visit, I’d do that at home.&lt;/p&gt;  &lt;p&gt;On the early adopter front, most mainstream sites have not seen much of an increase in Windows 7 (turquoise line) usage yet. It isn’t released to the general public until 22nd of October. Early adopters will mostly be running the beta and release candidate. Those with an MSDN Subscription will be able to run the full release already. It would seem that many developers (or at least those inclined to visit a software development oriented blog) are already adopting Windows 7, as almost 7% of visitors used that operating system. 
The mainstream sites are sitting around 0.5% currently.&lt;/p&gt;  &lt;h2&gt;Browsers&lt;/h2&gt;  &lt;p&gt;&lt;a title="College-2yr-Browser by Colin  Angus Mackay, on Flickr" href="http://www.flickr.com/photos/colinangusmackay/3937055610/"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" border="0" alt="College-2yr-Browser" src="http://farm3.static.flickr.com/2604/3937055610_0d9542f8de_o.png" width="570" height="570" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;a title="Lingerie-2yr-Browser by Colin  Angus Mackay, on Flickr" href="http://www.flickr.com/photos/colinangusmackay/3936275843/"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" border="0" alt="Lingerie-2yr-Browser" src="http://farm3.static.flickr.com/2482/3936275843_13dd4ae801_o.png" width="570" height="570" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;a title="Travel-2yr-Browser by Colin  Angus Mackay, on Flickr" href="http://www.flickr.com/photos/colinangusmackay/3937055566/"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" border="0" alt="Travel-2yr-Browser" src="http://farm4.static.flickr.com/3515/3937055566_f8ec3b65dd_o.png" width="570" height="570" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;It looks like developers buck the trend again. 30%-40% use Firefox to access my blog whereas more mainstream sites get 10%-20% of visitors using Firefox. The lingerie site is also slightly bucking the trend by having around 25% of visitors using Firefox.&lt;/p&gt;  &lt;p&gt;Universally, IE is losing market share. 
Software developers just seem to be abandoning it more quickly, even on this Microsoft-oriented software development blog.&lt;/p&gt;  &lt;p&gt;It would seem that Firefox is the browser in line to take the crown, at least in software development circles, as it does seem to have a fair way to go elsewhere. However, Chrome has got off to a good start, gaining initial popularity even on more mainstream sites. Firefox may have some real competition. Safari is not doing so badly either, but that trend does seem to follow the Mac OS trend, so perhaps that’s just getting the kudos through being installed as the default browser on Macs.&lt;/p&gt;  &lt;div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:ecb3c21e-5b94-407a-8209-489abfce188d" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/google+analytics" rel="tag"&gt;google analytics&lt;/a&gt;,&lt;a href="http://technorati.com/tags/windows+7" rel="tag"&gt;windows 7&lt;/a&gt;,&lt;a href="http://technorati.com/tags/windows+vista" rel="tag"&gt;windows vista&lt;/a&gt;,&lt;a href="http://technorati.com/tags/vista" rel="tag"&gt;vista&lt;/a&gt;,&lt;a href="http://technorati.com/tags/windows+xp" rel="tag"&gt;windows xp&lt;/a&gt;,&lt;a href="http://technorati.com/tags/xp" rel="tag"&gt;xp&lt;/a&gt;,&lt;a href="http://technorati.com/tags/IE" rel="tag"&gt;IE&lt;/a&gt;,&lt;a href="http://technorati.com/tags/FireFox" rel="tag"&gt;FireFox&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Chrome" rel="tag"&gt;Chrome&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Safari" rel="tag"&gt;Safari&lt;/a&gt;&lt;/div&gt;</description>
            <dc:creator>Colin Angus Mackay</dc:creator>
            <guid>http://blog.colinmackay.net/archive/2009/09/20/Technology-trends-through-Google-Analytics.aspx</guid>
            <pubDate>Sun, 20 Sep 2009 16:10:17 GMT</pubDate>
            <wfw:comment>http://blog.colinmackay.net/comments/9063.aspx</wfw:comment>
            <comments>http://blog.colinmackay.net/archive/2009/09/20/Technology-trends-through-Google-Analytics.aspx#feedback</comments>
            <slash:comments>1</slash:comments>
            <wfw:commentRss>http://blog.colinmackay.net/comments/commentRss/9063.aspx</wfw:commentRss>
        </item>
    </channel>
</rss>