PleaseTech blog

We aim to provide useful, pertinent and sometimes fun insights into the world of document collaboration and the workings of a technology company

Office and SharePoint 2016 appear to be moving in the correct direction - for us

Posted by David Cornwell on 16. October 2015 10:34

Founder/CEO of PleaseTech Ltd - collaborative document review and co-authoring for the enterprise.


So now we know what is happening with respect to co-authoring in Word 2016 when combined with SharePoint or OneDrive.

Microsoft has gone for 'real-time co-authoring'.

How does this work? Well, to quote from Word's Office Blog post: “when two or more users …. open the same Word document from OneDrive they can co-author with others in real-time, which allows them to see the cursor location and text edits made by the other users automatically appear as they happen”. The same is true for SharePoint 2016.

Microsoft has obviously taken their lead from Google as ITPro demonstrates by saying, “The move should bring a major advantage to Microsoft over Google’s Google Docs when Office 2016 is released ……”. Interestingly, its justification for this advantage is that it brings co-authoring to the desktop version of Word.

Some commentators are being brutally realistic. I particularly like Office Watch when they say:

“If you’re having a touch of ‘déjà vu’ right now … it's not your imagination. Microsoft has announced document collaboration so, so many times over the years. But each time the press falls for it and parrot the Microsoft hype. Sigh.

Document collaboration isn’t new in Office.  For some years, two or more people have been able to open the same document and edit it at the same time.

What’s changed is the level of detail in displaying changes to the other users online.  In Office 2013 if you edited a paragraph, that paragraph was locked out for other editors until you’d finished.  Then the paragraph changes were pushed out to the other editors.

In Office 2016, it’s more detailed with edits appearing to other users in what Microsoft calls ‘real time’.   Co-authors can see text edits and even the cursor position of other editors as they all work on a document.”

They go on to add:

“Nitpickers will know that ‘real time’ really means ‘as fast as possible’ which is fast enough.  The speed that updates show to other editors depends on the speed of the various Internet connections and the hosting server.  Our informal tests, with side-by-side computers, suggest that ‘real time’ really means about ’10-20 seconds’.  That’s more than adequate for document collaboration.”

Others are waxing lyrical over this.  John Brandon writes in a ComputerWorld article:

“There’s something really satisfying about working on a business document with another person or in a group. The thoughts often come together in unison. One person adds a paragraph, another person makes a quick correction. It’s about as close to having a video chat as you can get ….” He continues: “ …. brainstorming sessions with a few writers in one document working in tandem is an enjoyable and highly productive experience …...”.

So let’s get back to reality and work out whether this is going to revolutionize the world of document creation.

I doubt that there are many in the corporate sphere who believe that one person adding a paragraph and another making a quick correction in real time is either enjoyable or particularly productive. I fully accept John’s position that, if you are genuinely brainstorming and simply downloading ideas to the page then it may, and I stress may, be useful. But is it really more useful than existing Word co-authoring?

Remember, the only real limitation of the current Office 2010/2013 functionality is that it locks edited paragraphs until the editor ‘saves’ the changes. With Word 2016 many people can simultaneously edit the same paragraph. But, when you stop and think, you’d soon settle on the fact that several users not being able to simultaneously edit exactly the same paragraph is not a major limitation when they could be editing adjacent paragraphs.

Sure, there may be a few converts from Google Docs who are using the Google platform because simultaneously editing exactly the same paragraph is critical for their business process, but I’m finding it hard to think of examples.

What about control? What about the document owner? What about reporting? What about accountability?

This co-authoring functionality offered by Word 2016 (in conjunction with SharePoint 2016 or OneDrive) is what we call ‘uncontrolled co-authoring’. This means anyone can materially edit anywhere in the document. I can delete your stuff, you can delete my stuff and we can all gang up on poor Fred and delete his stuff. No traceability, no accountability, no responsibility.

Our position is quite simply that this type of uncontrolled real-time co-authoring works for specific business processes if you have a small team of trained, rational and courteous users.

So nothing changes our view that SharePoint is fine for casual, light usage. A bit of brainstorming here and there perhaps. However, for industrial strength document review and co-authoring, you are going to need more control and not a co-authoring space with no audit trail and where anything goes.

Thousands of documents, multiple reviewers, potentially hundreds of comments – that’s the reality of the world we and our clients live in. To manage this, control is the key. Control of the process but also control of ‘who can do what to where’ in the document.

So, our conclusion is threefold:

1.   Those happy with the current Word/SharePoint uncontrolled co-authoring will continue to be happy with it and will probably welcome this enhancement;

2.   Those struggling with the current Word/SharePoint uncontrolled co-authoring will continue to struggle in the naïve belief that it’s the Microsoft way or the highway – a position unfortunately adopted by many IT departments desperate to justify their investment in SharePoint;

3.   No-one is going to abandon PleaseReview and rush to the new functionality because the current advantages PleaseReview has over SharePoint for collaborative document review and co-authoring remain. 

Of course, anyone wishing to adopt this brave new land of, this time, real simultaneous co-authoring will have to wait a while anyway. Not only will they need Word 2016 but also SharePoint 2016 (or OneDrive) as Microsoft is quite clear that “Word 2016 co-authoring fails when the file is stored on SharePoint 2013” and the recommended solution is to turn it off with a registry fix!

So, as my title suggests, Office and SharePoint 2016 appear to be moving in the correct direction – for us!

 


The ‘realistic SharePoint’ era?

Posted by David Cornwell on 2. September 2014 12:54

Founder/CEO of PleaseTech Ltd - collaborative document review and co-authoring for the enterprise.


Apparently when you are a CEO of a growing company there comes a tipping point when you stop telling everyone what to do and start being told by your staff what to do! "David, we need a blog entry from you on SharePoint" - was the command from marketing. So, being a dutiful, obedient servant to the cause, here it is.  

It was actually moderately topical because whilst on holiday with friends, a couple of us were chewing the cud over a glass or two and he was complaining that you can’t get SharePoint developers for love or money in central London. I questioned why they were developing in SharePoint but he didn’t know (he is an accountant and was only interested in the money side of the equation). Anyway, we talked through the ‘trough of disillusionment’ and whether we are entering the ‘post SharePoint’ era as some seem to believe. 

Personally, I don’t think we are entering the post SharePoint era but I do hope we are entering the ‘realistic SharePoint’ era. This is the era when  people work out what SharePoint does well and what it doesn’t do well. 

I guess it is what Gartner calls the ‘slope of enlightenment’ in its Hype Cycle model. In the model, the slope of enlightenment follows the 'trough of disillusionment' which follows the ‘peak of inflated expectations’. Check out this link for an overview of the model.

And, let’s be honest, expectations have been inflated. PleaseTech, along with many others I'm sure, suffers from IT departments the world over saying "SharePoint can do that ..... it’s the collaboration platform/it’s the records management platform/and it’s the [insert term here] platform."

In my opinion, this is partly the fault of the Microsoft hype. I’ve personally sat in presentations given by Microsoft personnel where they explain to the audience that SharePoint does everything and there is no need for anything else.  

Unfortunately, some people seem to have been listening to the presentations and appear to have been swayed by Microsoft's marketing. In the trade this is known as drinking the Microsoft 'kool aid'. They emerge from these sessions repeating in rote ‘SharePoint can do that’. 

No it can’t – not everything. Stop people. Take time to understand the problem (aka the requirement) and research the best method of delivering it. BTW, here is a clue: The answer is not always SharePoint. 

When it comes to PleaseReview and what it offers, SharePoint CAN’T DO IT.  Not out of the box, not with lots of clever development of workflow, not at all. And, the unfortunate thing is, organizations waste millions of dollars trying to make SharePoint do what PleaseReview does when all they have to do is buy a license from us, buy our SharePoint integration license, deliver to the business, save a load of development dollars and bask in the reflected glory of a job well done.  

Too often the end user client wants our software but has to fight tooth and nail with IT as their response is ‘SharePoint can do that’.

I am personally aware of several projects where thousands, if not hundreds of thousands, of dollars have been spent trying to make SharePoint do what PleaseReview does. Recently we had a series of emergency presentations with a prospect because the committee was meeting to approve a project which was going to throw ‘good money after bad’ and spend even more money on a failed SharePoint project. The project was trying to emulate PleaseReview functionality. I’m pleased to say that it appears, even at the 11th hour, that common sense has prevailed and PleaseReview looks like it will be the preferred option.

It seems that the basic problem is that, when it comes to SharePoint, the ‘Law of the Instrument’ (otherwise known as Maslow’s hammer) applies. The law is typified by the saying ‘if all you have is a hammer, all problems look like a nail’ and, what it means is, people become over reliant on familiar tools. 

This is perhaps why in their 'Collaborative Credentials'  report, the Mando Group (a UK based web design and SharePoint consultancy) have found that the majority of Microsoft SharePoint users are 'disillusioned' with SharePoint implementations. When you start to believe that every requirement simply needs hitting with the SharePoint hammer you lose sight of the fact that not every requirement resembles a nail. Sometimes it's better to screw things together, sometimes to glue them together and sometimes to weld them together. Hammers are blunt instruments, after all. 

So, I do look forward to the dawning of a new age, the age of ‘realistic SharePoint’. This will be an age in which there is a new sense of enlightenment, where there will be less kool aid consumed, where appropriate tools for the job in hand will be used and, as a consequence, where PleaseTech’s revenue will go through the stratosphere! Let the sun shine in!

For more information on how PleaseReview works with SharePoint, please visit our website or contact us.

  

 

Trials and tribulations of online security

Posted by Tim Robinson on 8. May 2014 14:45

CTO at PleaseTech


For most people working in IT, security is never far from the top of the priority list, and for PleaseTech we seem to get hit all ways because we’re an ISV but also a SaaS provider, our software often integrates with other applications (whether in the enterprise or the cloud), and we’re a distributed company that relies on many cloud and internet systems to get our job done.

We got off lightly with the Heartbleed virus because it does not affect Microsoft IIS, and by definition PleaseReview only works on IIS.

Heartbleed was a very interesting bug because it was such a simple coding mistake that could be understood, if not by everyone, then at least by non-programmers, whereas most attack vectors we see in software vulnerabilities are extremely sophisticated. Essentially what happens in a Heartbleed attack is that the client asks the server to “echo” back some data to show it’s still connected but, by lying about how much data it has sent, it can force the server to copy more data into the response than it should, and that extra data (which is just whatever happened to be stored in server memory at the time) could theoretically contain useful secrets.

Like many security glitches, this one comes down to the fact that C, the language used to implement SSL, allows a program to access blocks of “raw” memory rather than checking the start and end point of each variable being used. Because the attacker can’t choose which piece of memory to retrieve, he would have to rely on persistence and a large amount of luck to get anything useful, but the mass panic came because there was a theoretical chance of retrieving extremely sensitive information and nobody knew (or indeed still knows) to what extent it might have been exploited in the real world.
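The length check described above, as an added C example (not code from this post or from any SSL library): a heartbeat handler that trusts the length written in the message, beside one that compares it with the bytes actually received. The function names, the `arena` buffer and the "secret" string are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HDR 3   /* type (1 byte) + payload_length (2 bytes) */
#define HB_PAD 16  /* minimum padding after the payload (RFC 6520) */
#define REQ_LEN (HB_HDR + 1 + HB_PAD)  /* constructed request: 1 payload byte */

typedef size_t (*echo_fn)(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap);

/* Length the client *says* its payload has (big-endian field in the message). */
static size_t claimed(const uint8_t *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* Vulnerable shape: copies `claimed` bytes and never looks at rec_len. */
size_t echo_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    size_t n = claimed(rec);
    (void)rec_len;                 /* the missing check */
    if (n > cap) n = cap;          /* keeps this demo inside its own arena */
    memcpy(out, rec + HB_HDR, n);
    return n;
}

/* Hardened shape: drop any record whose claimed payload does not fit in the
   bytes that were actually received. */
size_t echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    if (rec_len < HB_HDR + HB_PAD) return 0;
    size_t n = claimed(rec);
    if (HB_HDR + n + HB_PAD > rec_len || n > cap) return 0;
    memcpy(out, rec + HB_HDR, n);
    return n;
}

/* Constructed data standing in for "whatever happened to be in server memory". */
static const char NEIGHBOUR[] = "session=constructed-secret";

/* Sends a request holding one real payload byte but claiming `claim` bytes.
   Returns 1 if the reply contains the neighbouring data, else 0. */
int reply_leaks(echo_fn echo, size_t claim) {
    uint8_t arena[128] = {0}, out[64];
    size_t klen = sizeof NEIGHBOUR - 1;
    arena[0] = 1;                              /* heartbeat_request */
    arena[1] = (uint8_t)(claim >> 8);
    arena[2] = (uint8_t)claim;
    arena[3] = 'A';                            /* the only byte really sent */
    memcpy(arena + REQ_LEN, NEIGHBOUR, sizeof NEIGHBOUR);
    size_t n = echo(arena, REQ_LEN, out, sizeof out);
    for (size_t i = 0; i + klen <= n; i++)
        if (memcmp(out + i, NEIGHBOUR, klen) == 0) return 1;
    return 0;
}

int main(void) {
    printf("vulnerable, claim 60: leak=%d\n", reply_leaks(echo_vulnerable, 60));
    printf("checked,    claim 60: leak=%d\n", reply_leaks(echo_checked, 60));
    printf("checked,    claim 1:  leak=%d\n", reply_leaks(echo_checked, 1));
    return 0;
}
```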

You can see that in this case, if you are a customer of, say, Dropbox, and a hacker uses the Heartbleed attack and happens to retrieve your password or credit card details, there is absolutely nothing you could have done to stop them.

Outside of direct PleaseTech business, I was affected by another internet security problem which is also quite simple and (hopefully) interesting to understand, and it is related to Hotmail hijacks.

If you’ve got friends or family that use Hotmail (which has recently been renamed Outlook, but let’s not confuse matters) you’ve probably received emails which appear to originate from them but are actually spam. Whenever this has happened to me in the past I have replied to the person in question saying that their Hotmail account may have been hacked and recommending them to change their password, but I’ve never really understood why this seems to happen with Hotmail (and less frequently Yahoo) but rarely or never to other providers. However, recently I was fortunate/unfortunate enough to witness a Hotmail hijack first-hand. Here’s how it works:

DISCLAIMER: I have described the nature of the attack to the best of my knowledge. I consider myself to be a pretty clever computer guy but there’s a chance I’ve gotten completely the wrong end of the stick about this whole thing. If you know better, let me know and I will happily withdraw this.

My girlfriend (who is emphatically not a computer geek) received an email apparently from a friend’s Hotmail account with a short piece of text and a hyperlink. Due to the format, I suspected it was spam but the text was something like “video of my recent holiday” so she had clicked on it before I could dissuade her. Up popped a video about a weight loss pill or something, so she realised it was spam and closed the window. Soon afterwards she noticed a lot of undeliverable and out-of-office replies coming into the inbox, so we checked the sent items and there were hundreds of them, all containing a short paragraph of text plus a hyperlink, and all sent during the few seconds she had the weight loss video on the screen.

This is called a "cross-site request forgery" (CSRF or XSRF). Basically because you are already logged in to Hotmail in one window, another window can also send requests to Hotmail which will automatically be executed under your Hotmail session. This was interesting to me because we have done work in PleaseReview to guard against exactly this type of attack.

There are well documented ways to guard against this kind of attack and recent versions of Microsoft’s own ASP.NET web development framework even have them built in. Why Hotmail doesn't use any of them is a mystery to me but it certainly explains why naïve users can have their Hotmail account hacked even when they have a secure password, whereas Gmail users don't suffer from the problem at all.
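One of those documented guards, the per-session anti-forgery token, sketched as an added example (not PleaseReview's, Hotmail's or ASP.NET's code): a request that carries only the session cookie is accepted by the first check and refused by the second. All struct, field and function names are hypothetical, and the token is read from `/dev/urandom`, which is assumed to be available.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_HEX 32  /* 16 random bytes, hex-encoded */

/* The browser attaches the cookie to every request to the site, whichever
   page triggered it; only a page served by the site can embed the form token. */
struct session { char id[TOKEN_HEX + 1]; char csrf[TOKEN_HEX + 1]; };
struct request { const char *cookie_sid; const char *form_token; };

/* Fills out with a fresh random hex token; returns 0 on success. */
int new_token(char out[TOKEN_HEX + 1]) {
    unsigned char raw[TOKEN_HEX / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw) return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* Comparison whose running time does not depend on where the strings differ. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Before: a valid session cookie alone authorises the send. */
int send_allowed_cookie_only(const struct session *s, const struct request *r) {
    return r->cookie_sid && strcmp(s->id, r->cookie_sid) == 0;
}

/* After: the request must also carry this session's anti-forgery token. */
int send_allowed_with_token(const struct session *s, const struct request *r) {
    if (!send_allowed_cookie_only(s, r)) return 0;
    if (!r->form_token || strlen(r->form_token) != TOKEN_HEX) return 0;
    return ct_equal(s->csrf, r->form_token, TOKEN_HEX);
}

typedef int (*check_fn)(const struct session *, const struct request *);

/* Runs one request against a fresh session. with_token: 1 = form posted from
   the site's own page, 0 = request triggered by another site (cookie only). */
int accepted(check_fn check, int with_token) {
    struct session s;
    if (new_token(s.id) || new_token(s.csrf)) return -1;
    struct request r = { s.id, with_token ? s.csrf : NULL };
    return check(&s, &r);
}

int main(void) {
    printf("cross-site, cookie only: %d\n", accepted(send_allowed_cookie_only, 0));
    printf("cross-site, token check: %d\n", accepted(send_allowed_with_token, 0));
    printf("own page,   token check: %d\n", accepted(send_allowed_with_token, 1));
    return 0;
}
```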

Hotmail detected the large amount of sent items, deduced there had been an attack and then made my girlfriend change her password and reset her security details. This might make the user feel like they have done something to counteract the spammers but as you can see, it doesn't make the slightest bit of difference to security because the attack doesn't depend on the spammer knowing your Hotmail password or any personal details, just on you clicking the link.

So how can you guard yourself against this kind of attack? This bug has been around for at least five years so don’t hold your breath waiting for Microsoft to fix it! Treat email hyperlinks that look like spam (i.e. where the text in the message doesn’t seem like the kind of thing your friend would normally write) with extreme suspicion and if you decide you want to click anyway just to find out, copy the URL and open it in another browser or in “private” browsing mode.

Following on from this, just last week there was an Internet Explorer vulnerability which could allow a hacker to access a user’s PC and run his own code. This was considered so serious by Microsoft that they even broke their rule of “XP support ends on April 8th” to release an immediate fix for XP. This isn’t quite so straightforward to explain but it basically comes down again to the fact that the software was written in C and so has no memory protection.

Similar to the Hotmail attack, this one means the attacker has to lure the user to a malicious web page but as we’ve seen, for many users that’s not difficult to do.

For all of us, both as suppliers and users of IT, it’s clear that online security is going to be an ever increasing part of our world. Even though bugs like these can be resolved, it would be extremely naïve to think we’ll ever solve them all when software is being produced at an ever increasing rate.

Plus of course, there are plenty of attacks that don’t rely on faulty software at all. In my own case I had to cancel my cell-phone account with EE because someone else was repeatedly calling up their support line claiming to be me but to have forgotten their password, then they would change their home address and order a new phone to be charged to my account. Even though this happened around 10 times in the course of a single month, EE seemed unable to put in place even the most basic measures to stop it (like calling me on my mobile phone which would have quickly enabled them to ascertain that the “me” trying to change the account details didn’t even have access to the phone connected to the account).

So the only lessons here for suppliers as well as customers are to be continually vigilant, understand what security threats exist and do your best to mitigate them, but don’t rely on any “silver bullet” to resolve your security issues.

 
