One of the items being announced today by Microsoft at MIX is the SilverLight Analytics Framework. The Silverlight Analytics Framework will let designers and developers visually build analytics into their Silverlight applications using Microsoft’s Expression Blend.

Now, most readers of my blog already know that Developers can already inject Runtime Intelligence analytics into Silverlight (and any other managed code) using Dotfuscator inside Visual Studio. I am excited about this new framework because it offers an entirely new way to configure runtime intelligence (using Expression Blend) and that means a whole new community of users also have access to analytics for the very first time. This is also being echoed by Michael Scherotter, principal architect evangelist at Microsoft Corp. and architect of the analytics framework. He writes that we have “successfully used the Silverlight Analytics Framework to open its application instrumentation to a new audience of designers.”

Runtime Intelligence offers the following advantages over traditional Web analytics services:

· The analytics endpoint (and the resulting data) can be self-hosted and managed by the application provider (you don’t have to send your data to a third party – but that option is also available too).

· While the resulting Web analytics maps to the Silverlight Analytics Framework data model, the underlying SOAP schema is shared with Dotfuscator’s instrumentation.

The common schema allows Dotfuscator to provide a complimentary instrumentation mechanism for any .NET Framework component. THIS means that

· Middle and back-office application tiers can be instrumented providing a deeper view across distributed application workflows.

· Older or alternative applications using WPF or some other non-Silverlight form factors can be benchmarked against the newer Silverlight applications to track both user behaviors and application usage.

The world of application analytics is about to take a big step forward. In fact I believe that one day in the not too distant future application analytics will be as common as web analytics is today and the distinction will eventually disappear.

What decisions could you make to better serve your customers, to reduce your costs, and improve your products if you had ready access to usage data streamed to you from the wild?

Tell me what you would do - I would love to hear from you.

Online viewers of the Vancouver Olympics on NBCOlympics.com are using Silverlight based video and photo viewers delivering full HD quality content for viewers and helping content owners monetize their content. I am pleased to say that Dotfuscator had a hand in all of this innovation providing both protection and optimization for the high performing video player at the heart the NBC online Olympic experience.

For an overall description of the Silverlight solution, see: http://team.silverlight.net/events/let-the-games-begin/

For Microsoft’s own description of the role of partners (including us of course), see: http://team.silverlight.net/customer-evidence/vancouver-olympics-ndash-how-rsquo-d-we-do-that/

The development teams especially appreciated the fact that Dotfuscator can accept and output XAP files (instead of low level DLLs that force developers to manually edit XAP files).  This shortens and simplifies the release process – and was critical for an event like the Olympics.

On an unrelated Silverlight note, I was pleased to see David Kelly’s recent blog entry . This Silverlight MVP has identified Dotfuscator’s Silverlight analytics as “a critical tool in your tool Silverlight toolbox.” Good Stuff.

We’re familiar with big software vendors including Customer Experience Improvement Program (CEIP) features in their applications allowing them to gather anonymous usage data showing which features people are actually using. Analyzing that data allows them to focus their development efforts on what their users are actually doing, as well as obtaining hard measurements of how features are actually adopted in the wild. As someone whose paycheck depends on meeting the users’ requirements I really like to know how much of my time is being spent developing stuff that people actually want and use. Unfortunately, I don’t have the huge number of person-years and dollars to spend on something that is not directly related to my core application functionality to get a CEIP into my products.

Instrumenting an application to send its usage data back to the free Runtime Intelligence portal hosted by PreEmptive is covered in some previous blog posts (here and here ), but today I am covering a slightly different scenario. While there are great analytics capabilities in the hosted portal, my current needs are only basic usage tracking and that I must store the data at my own facility. As is normally the case in proof-of-concept situations, I have no budget, no time, and am highly visible to non-technical decision makers.

The first problem, no budget, is easily solved by using freely available tools. First, I am going to use Dotfuscator Community Edition 5.0, included in my copy of Visual Studio 2010, to perform injection of the application analytics functionality into my binaries. Since I need to store the usage data at my location I can’t use the hosted free endpoint and reporting portal, but I can use the new open source (Ms-RL license) Runtime Intelligence Endpoint Starter Kit (RI Starter Kit) to build my own application usage listener service, data repository, and basic reports.

The fact that I have no time to implement this is also solved by my selection of tools. Since this is a proof-of-concept, I don’t need to create any extra code to obtain the users opt-in consent for tracking application usage. This means I can leverage Dotfuscator’s post compilation code injection model, similar to IL Weaving in Aspect Orientated Programming, to inject usage tracking directly into my test application binary without changing any source code or recompiling. In a matter of minutes I navigate through my applications structure and define the injection points from within the Dotfuscator user interface. To create a database using either SQL Express 2005 or higher or MySQL 5 or higher only takes a few minutes. Finally, setting up the WCF service project only requires updating the connection string in the web.config. Using the outstanding documentation included in the RI Starter Kit as my guide in less than an 30 minutes I have a proof of concept for tracking how often my application is run and which features the users are actually using.

Finally, I have to show something useful to the non-technical users. I know that application analytics data is being sent to my endpoint and stored in the database. I can easily run a few queries to get a feel for how the application is being used but not everyone is as comfortable with SQL as I am. As I review the source code included in the RI Starter Kit I see that there is also a SQL Server Reporting Services solution that contains two prewritten reports that show application and feature usage over time. A quick update of the data source, a deploy to the SSRS server, and now the business users have an easy way of seeing what our users like best about our products. To add application analytics data to executive dashboards, there’s also a SharePoint Web Part included so you can easily put an application usage graph directly into any SharePoint site (WSS 3.0 / MOSS 2007 or higher).

All in all, I have spent around an hour and no money adding basic application usage tracking and analysis to an existing product and exposed that data to both technical and non-technical users. With only a small amount of code, I easily add an opt-in dialog to my product so my users can choose to send their usage data for analysis.  Now I have the start of my very own Customer Experience Improvement Program.

PreEmptive is always looking for feedback on our products, please take this new solution for a spin and leave us comments, feature requests and ideas on the project’s Codeplex page.

There are a number of updates to fix small issues in packaging support, improve handling of mixed mode assemblies and address some issues with Visual Studio integration.

For a summary of the changes in Dotfuscator 4.6.1200 check out the change log here or subscribe to the change log in your RSS reader here .

This update is available to all customers who are current with their maintenance.  Download it here , give it a try, and let us know what you think.

That the audience would see an “easy way to use Visual Studio to allow your application to tell you how it being used in the field” – or a breakthrough that takes feedback driven development to an entirely new level.

And that a year from now these techniques will be familiar and some of them would be accustom to using this information to drive application development decisions.

I talked about how Dotfuscator continues to evolve and now includes Runtime Intelligence, the ability to instrument applications to gather real world runtime data.
And I showed them runtime intelligence information within the Visual Studio 2010 code editor and demonstrated it being used to make better decisions faster.

You can watch the entire presentation on our YouTube channel.

With Packaging, Dotfuscator is significantly more flexible and it’s much easier to have a fully integrated obfuscation/instrumentation process for Silverlight, ClickOnce, or a project with a fluctuating list of component assemblies.

This means we can gladly retire a few of our KnowledgeBase articles! Now, you can take the XAP file or ClickOnce deploy manifest that Visual Studio emits, include it as an input to Dotfuscator, and Dotfuscator will parse it and allow you to work with the all the contained assemblies in the user interface just as you would any other assembly.  When you build, Dotfuscator outputs a new XAP or full ClickOnce application (including updated and signed manifests). You have now just roundtripped a XAP or ClickOnce application through Dotfuscator with no additional outside steps required to rebuild your deployment artifacts.

In the above screenshot you can see a demonstration of the new Packaging support.  I have added a Silverlight XAP (SilverlightEuCountries.xap) and Dotfuscator shows the application library that will be processed as well as the System.Xml.Linq assembly, embedded manifest and the XML data file that will be included in the XAP file that Dotfuscator will output.  I have also added a ClickOnce application by selecting the deploy manifest (ClickOnceDemo.application) and we see that Dotfuscator will process the application assembly and include the icon file that was originally deployed with the application in the new deployment that Dotfuscator will output.  Finally I have added a directory wildcard (C:\temp\MedicalImage\MedicalImage\SourceCode\CSharp\bin\x86\Debug\*.*) as a third input.  The directory package will process the MedicalImage.exe application as well as it’s ContosoFunctions.dll library.  The the files listed in the Package Artifacts will be copied to the output directory so that the application config file and Microsoft Access database file are now included in the output from the build process.  I now do not have to invoke any post build file copy process in order to have a fully functional application and supporting files as the output from a Dotfuscator build. You can view short instructional videos on the See It Work page for Dotfuscator.

If that were all that was included in this release, it would be big news. But we’ve also added a new feature to our Runtime Intelligence instrumentation as well.  You have always been able to create extra data at runtime and send it back as a name/value dictionary embedded in your usage messages with the Extended Keys feature.  Now we have added a new property (“ExtendedKeyMethodArguments”) to all attributes that support extended keys. This tells Dotfuscator to inject code that gathers the names and values of the instrumented method’s arguments and send them as additional Extended Key data.  This means that if you are interested in exactly which values are being passed to your methods at runtime you no longer have to write additional code to gather and present the data as Extended Keys; you can specify that you want the names and values of all parameters or a subset of the parameters to be collected each time the method is invoked and included in any other Extended Key data that you may be sending back.  We also changed how some of our instrumentation works to provide a better experience for instrumenting add-ins for Office, Visual Studio, or any situation where your assembly may be hosted in a different process.

Since we stay on the bleeding edge our releases always include support for the very latest from Microsoft.  Dotfuscator 4.6.1000 is no exception.  We provide full integration with Visual Studio 2010 Beta 2 and support for .NET 4.0 applications, both obfuscation and instrumentation.

Since Visual Studio 2010 Beta 2 has a Go Live license we also provide a similar Go Live license for the Community Edition of Dotfuscator Software Services included in Visual Studio 2010.  This allows you to use the Runtime Intelligence instrumentation features included in Dotfuscator and to send usage data from your application to the free Runtime Intelligence portal which allows you to analyze your applications’ runtime environments and usage patterns.

Also included in this release are bug fixes and UI enhancements.  The best way to stay informed of any updates to Dotfuscator is to watch or subscribe to the changelog .  You can also follow us on Twitter for updates on what we are doing.

We have been working hard on this release and have much more in store for the future.  Please feel free to contact us at support@preemptive.com with any feedback or stop by and see us at TechEd EMEA , PDC 2009 or CodeMash 2010 .  Keep up with where we are going and interesting articles on our News & Events page.

With that I would like to congratulate the entire development team at PreEmptive for the extraordinary amount of work they have been doing and give a warning to Codemash that the entire development team from PreEmptive is going to be there in force this year.

So “what’s love got to do with it?” (Private Dancer, Tina Turner) Hint: if people live for love, then businesses live for money

On July 14th, Microsoft announced Azure pricing and a “grace period” through PDC 2009. A primary rationale here is to enable development organizations to optimize deployment and monetization models to maximize Azure commercial opportunities.

So, whether you are a romantic (like Ms Browning above) or perhaps more hardened like Tina Turner’s Private Dancer (or Stanley Kubrick a la Full Metal Jacket), one thing is for sure - Microsoft wants Azure to “love you long time.” How deep, wide, high or long is the question.

Check out a this article in SD Times - PreEmptive’s Dotfuscator instruments Azure applications By David Worthington – where Dave Worthington makes many of the very same points.

Of course, we announced Runtime Intelligence Service (RIS) Azure support to help developers answer these very questions. While perhaps not as soaring as a sonnet – Runtime Intelligence allows for any .NET component deployed into Azure to be injected (post-build) with session, feature and method level monitoring. The runtime intelligence is streamed out of Azure for analysis. Other than writing a custom solution, this is perhaps the only means to measure adoption, usage patterns and performance inside Azure in near real-time.

Now, my posts are all intended to help you (blog followers) find more ways to make more money (we want to spread the love). So, you will note that I very specifically said the RIS helps to answer these questions. What the Azure development community really needs is an ROI calculator that will combine real usage data (from both legacy and piloted Azure applications) with Microsoft pricing and the offset IT expenses to come up with an Azure ROI calculator. I know there are lots of calculators being written – but how many of them can incorporate actual usage data before and after deployment to the cloud? That’s not our business – but could it be yours?

If yes, let me know and I will make sure you have what you need to call our RI Service via our RESTful API – making your calculator uniquely able to reliably predict cloud ROI.

As always, i have a more philosophical take on this issue on my personal blog at http://apps-are-people-too.blogspot.com/2009/08/how-do-i-love-thee-let-me-count-ways.html

My job was rather easy as I just had to hire someone to get the servers secure - not actually do the work. I happily found a crackshot security guy that had done large installations at maximum security. And he didn’t disappoint. I know my way around UNIX systems pretty well but he worked magic I’ve surely never seen.

One of the last things he did was to install an intrusion detection system. That is, a system that monitors all interesting system activity and sends out (a lot) of email about everything it noticed. Change a UNIX config file? Get an email. Add a user? Get an email. Issue a command as root? Get an email. Needless to say I started getting a lot of email.

At one point during a discussion we had about the system I asked him why we had the system at all. I mean, if this guy was so good (and to this day, I still believe he is) - an intrusion detection system is sort of like a prenuptial agreement. You get one in the event of something bad happening - but at the same time you can’t really get one without sort of admitting you *expect* something bad to happen.

Wasn’t his system secure? Did he really personally think he left a hole somewhere that would allow a hacker to get into the system?

He responded that he was 100% confident that after his work, the system was as secure as possible. He left no holes and patched all known vulnerabilities. He followed his declaration that of course - regardless of all that - of course the system can still be broken into. His response was utterly matter of fact. Of *course* break in was still possible - even likely.

I suppose this wasn’t a huge surprise. Despite locking the doors to our houses and cars - we still have alarm intrusion detection systems that detect entry. No one is foolish enough to think a car or house door lock keeps out a real thief. A reasonable defense after that is to get immediate notification when an intrusion occurs. Another reasonable defense that many people follow is to hide valuables. You typically don’t leave your stash of cash on your dresser - you hide it somewhere. In your sock drawer or under your mattress - but typically, even though you have a front door lock, and maybe an alarm system, its clearly prudent to add time and difficulty to a prospective thief’s job.

After some more discussion my security guy invited me to attend Defcon. A yearly security/hacker conference held in Las Vegas. I was intrigued and agreed. When I went to pre-register online - I found out that there wasn’t any such thing. No pre-registration, on-site registration only. And - no credit cards - cash only $120.

I arrived early at the convention and gave a nice lady my $120. In return she gave me an anonymous badge. She didn’t want my name or my address or my email. Everyone at the convention was to remain as anonymous as they wanted to be. The convention itself was jam packed. Wall to wall humans mostly in black t-shirts wth typically funny hacker slogans on them.

In one room they had situated 5 teams with networked computers in a competition where they simultaneously defended their servers and attacked the other teams’ servers. Another room had a large projected screen showing passwords of people at the convention that sent them unencrypted over the wireless (I shut-off my laptop and phone for the rest of the weekend). They showed the IPhone hack that could own a remote iphone with a single sent SMS message. I saw talks on hacking websites with request forwarding and one by an MIT student that beat stock spammers at their own game.

Needless to say - the folks at this conference weren’t messing around. To this day I get into discussions with developers as to the appropriateness of code obfuscation. Obfuscation technology has come a very long way past simple identifier renaming. These days it’s more about things like control-flow obfuscation and opaque predicates. Their argument usually circles around to some variation of “If an expert really wants your code - they’re going to get it”.

I couldn’t agree more. In fact, after attending Defcon I believe it even more. The only place I start to disagree is when they contradict themselves with solutions that they think will actually work. If your code is reachable, in any form, by users - its vulnerable. Software-as-a-service is often cited as safety. If that was true, then I wouldn’t have needed to hire a security expert. And he wouldn’t have told me point blank that no matter what you do - an expert can hack your server.

Protecting your software is not about 100% sure solutions - because there are none. It’s about throwing as many obstacles in the way of attackers as you can. Like I said - your front door lock hasn’t a prayer at stopping a thief - but for some reason you still always lock your door. Alarm systems don’t stop thieves; they just let them know that they’ve only got a few minutes to get their job done. Hidden valuables will be found - but the act of hiding them just makes the job harder.

The name of the game is risk and reward. Simple security measures by you that cause major headaches for attackers are what you’re looking for. Obfuscation makes deciphering your IP harder. Software tampering detection lets you know someone is tinkering with your application. By nature, attack surfaces start out pretty large. The best you can do is reduce that area as much as possible.

In this article, I will offer you a unique look at the rise of agile practices. You will see how core agile values of instant feedback and communication manifest themselves in different forms throughout history. You will see how Runtime Intelligence embodies the essence of agile software development, and how it helps software succeed.

The Age of Antiquity

Athens and Jerusalem! The rivalry between them resulted in major battles throughout history and spilled over to our times.

The book of Talmud, a magnificent compilation of biblical commentary and legal analysis, was put to writing in the ancient Babylonian academies of Sura and Pumbedita. Similar to Extreme Programmers of today, scholars worked in pairs, pouring over and discussing the meaning of incredibly difficult texts. To the Sages, the Text was the embodiment of the Master of the Universe Himself. It communicated to them in a very real and tangible way. Greek logic was an extremely useful tool, but not a solution to all of the world’s problems. In the dusty halls of ancient academies, the Sages perfected the art of close reading, reasoning by analogy, and pattern recognition.

The Greeks, on the other hand, perfected the art of logic, philosophy, and mathematics. The Universe could be a living organism to them, but it did not interfere with the lives of mere mortals. In the Greek mindset, the Universe did not actively communicate with us. The notions of theory, formalism, and proof - all made their way into our worldview through the Greeks.

The Age of Reason

Similar to the Greeks before them, the great men of the Enlightenment saw the world as a big mechanical device. The Universe functioned like a big clock, and human beings were like specks of dust in this gigantic mechanism. The world abided by a strict set of mathematical rules, and the future could be predicted if only all the variables were known.

The Age of Reason exerted its influence on software engineering as well. The field of program verification was consistent with its worldview. Programs were seen as mathematical structures whose correctness could be proven by analytical means without ever executing them. Program verification made great contributions to computer science, but it never replaced the empirical and intuitive approaches to software engineering.

The Age of Modernity

Our age witnessed the birth of quantum, chaos, and the Big Bang theories. The Universe is no longer a mechanical clock it used to be. All of a sudden, a human being becomes an active participant once again.

In modern software development, we see a shift from formal and theoretical approaches to people-oriented ones. Active participation and communication start running like golden threads through agile practices of today.

In the art of unit testing, for example, unit tests collaborate with you on several different levels. They communicate the intentions of your programs and allow you to concentrate on the implementation details later. Unit tests let you break the dependencies in your code and make your programs decoupled and cohesive. They provide you with an instant feedback about the overall health of your system. You can execute thousands of them and get a result within seconds or minutes. Unit tests give you the confidence you need when you try to adapt to changing requirements of the outside world.

In the age of modernity, your applications become active participants and communicators too. Enter Runtime Intelligence.

Runtime Intelligence and Agility

In the world of Runtime Intelligence, there are no theories to predict which features your customers will like. There are no formal proofs about your software usage. There are no surveys to figure out how your applications are used.

Similar to unit tests of the art of unit testing, your applications themselves communicate with you. Based on their instant feedback, you can quickly make important business decisions. You can see which features provide the most value for the money you spend, which features your customers rely on the most, and which features need further development. You can adapt much faster to the rapidly changing world around you. This is the essence of being agile.

Great ideas do not exist in an intellectual vacuum. They are often a reflection of their times. If we want our software to succeed, we must pay close attention to the lessons of history. As we embark on a journey back to the future, one thing is certain. Our past is behind us. Our future is still in our hands.