November 20, 2009

Beat back the hacks

Seems like Techmeme is now listing that Business Week article "Can Adobe Beat Back the Hackers?", which I mentioned on Twitter yesterday.

Here's the hot line: "Vulnerabilities in such widely used software can cause myriad problems. More than a dozen sites, including those of The New York Times, USA Today, and Nature, have been infected with fake ads that exploit Adobe software."

The latter phrase should read "exploit older, un-updated Adobe software." Attackers will use the newest vulnerabilities in hopes of increasing their catch -- no surprise. This article contains the worry, but not the general advice readers need: keep your Internet software current.

The more-interesting part of this exploit is mentioned only in passing... trusted websites cannot always assure the third-party content they serve. The Web, as we know it today, is infected... more last week and last June... even trustworthy sites are not sure what they're serving you.

(There's also a line later on: "Historically, Adobe hasn't had to contend with attacks, so it hasn't been focused on potential weaknesses." The Internet Archive has pages from the Macromedia Security Zone dating back to 2002.)

Summary: Yes, criminals are trying to exploit you. But to reduce the risk, keep your Internet software current. And consider using browser software (such as an ad-blocker) to monitor third-party content which may be attached to a trusted site.

November 18, 2009

What drove Flash?

Michael Calore, at WIRED Webmonkey, has some current estimates of possible adoption dates for different features within "HTML5". A useful read.

I'm more interested in a minor quote in there: "What's driving the most successful [browser] plug-in, which is [Adobe Flash Player], is video support."

I suspect that might be the other way 'round... Macromedia Flash Player had been solidly above 90% consumer support for many years before video was introduced in 2002. Early adopters started using video via Flash in 2003, but it wasn't until 2004 that we started seeing businesses built atop it, and by 2006 there was widespread awareness.

Why? Video took off only after the production costs were lowered: once producers did not have to multiply-encode video for different audiences, and once support costs for consumer installations were removed. Adobe Flash Player added video in early 2002, then became a practical choice towards late 2004, after consumer support levels rose above 90%.

The same kind of dynamic occurred with "Ajax" a few years back... consumer support was already high for Microsoft browsers, and as soon as browsers from Mozilla and Apple added support for live XML requests, developers could build websites which large audiences could immediately view. When Jesse James Garrett coined the name on Feb 18 2005, those startling new "Ajax" projects would magically "just work" for their audiences.

Both Ajax and Flash video were considered "overnight sensations", even though the groundwork had actually taken many years. The hype started only after the capability was already there.

Anyway, linear video playback on a notebook is certainly a lucrative area right now... lots of firms are making lots of money from massive audiences via their video content -- popular video is certainly "a shiny object" these days -- so I can understand the mental shortcut of thinking that video drove Flash.

But history shows that it was Flash's total ecology of creators and audiences -- all the exceptionally diverse people who found value in using Flash -- which successfully drove the later practicality of in-browser video. In a sense, sites like JibJab and NewGrounds made sites like YouTube possible.

Adobe today? The company still establishes publishing technologies, then profits within these new, wider ecologies. That pattern is embedded deep within its corporate culture. Yesterday's view of video will not be tomorrow's view of video, and Adobe is trying to solve newer, harder problems.

November 12, 2009

Green card lawyers, my naked wife, and the too-open web

Remember Usenet? I was very excited by it... people were talking directly together, without barriers or intermediaries... incredibly democratizing, open to all. But, suddenly, that same uncritical openness was used to sell citizenship lotteries and atomic plans.

We were all quite shocked. But Usenet's architecture naively trusted all inputs. Bound to happen.

Email surprised us with the same problem. It was very useful, particularly after Usenet started to get noisy. But then Email clients tried to compete with the colored fonts of HTML, and let anybody send a file to you, then executed JavaScript when an email was opened, and there were plenty of marketers urging them along on this road to perdition. The first big Flash security problem was My Naked Wife, a file-deleting .EXE which called itself a SWF... not all that much different than the latest issue, in wanting to trust any odd file which came along.

Email's architecture also believed anything any stranger said, and so had an initial boom, before becoming parasitized. Like Usenet.

The World Wide Web is also very lauded, very useful. But we've got that same Usenet dynamic of wanting to listen to any speech or visit any site, while following the email-client dynamic of adding all types of extraneous features in hopes of becoming the universal client. The result is that more people are now asking "Can we trust the Web?", not even knowing whose content they're serving up.

"Green Card Lawyers" and "My Naked Wife" arose because they could, once Usenet or Email became attractive enough. Both Usenet and email were successful among early adopters, but neither system could really adapt to their eventual parasites. The Web has become popular too, and also has issues with accepting candy from strangers.

Fortunately, The Internet -- the network of all networks -- is bigger than The World Wide Web and its hyperlinks. Our connectivity is expanding from the desktop to the pocket and the wall. It's time to change again.

Usenet may be moribund, and 90% of email may be spam, and the web's search engines may be full of plagiarized or infected sites, but our networking strength has only increased. I suspect the next architectural design should offer more control over how strangers might gain our attention.

October 13, 2009

Blog downtime

On vacation... I'll be travelling in China this month, and will not be able to approve comments on this blog. Back online first week of November.

Internet access in China is still uncertain... sites with user-generated content (Twitter, Facebook etc) have been blocked leading up to the 60th anniversary week for the PRC, and then for a media conference in Beijing (yes, that sounds ironic to me too ;-). I'm hoping things will open up this week... if so, I'll be on Twitter, Typepad, and perhaps I'll even be able to revive my moribund Flickr account.

(If you're into walking or urban orienteering, take a look at Chongqing, near Sichuan, and zoom around a bit... with its mountains, rivers, stairs and curved streets, it's said to be one of the easiest cities in the world in which to get lost, before finding yourself again. Fun challenge! :)

October 8, 2009

Oversensitive porcupine, good for the gander?

Not sure I quite believe this... Techmeme is discussing how a file-download service is apparently complaining to Mozilla about a Firefox extension which removes their advertising.

Meanwhile Google Websearch shows that this site is distributing files claiming to be software that Adobe develops.

I hope I'm misunderstanding it. They can't really be complaining that someone else is infringing on their infringements of others...!?

(btw, thanks to Bing Websearch, which does not list these sites which promise to install Adobe CS4 onto your computer....)

Levels of Runtime Predictability

Yesterday Peter-Paul Koch followed up on his testing of browser technologies with a piece examining implementations of one particular browser library, and concludes "There is no WebKit on Mobile -- there's iPhone WebKit, Android WebKit, S60 WebKit (at least two versions each), Bolt, Iris, Ozone, and Palm Pre, and I don't doubt that I've overlooked a few minor WebKits along the way."

I'd urge you to read Peter-Paul's original paper, as well as follow-up essays by Savio Rodrigues, Stefan Constantinescu, and others.

WebKit is an interesting situation. In HTML itself the file format is openly published, and implementers are encouraged to build their own versions. The WebKit project, under Apple governance, openly publishes HTML runtime source code, which is then modified and distributed by device manufacturers.

In HTML, a file format is "open", and implementations vary. In WebKit, a reference implementation is "open", and device-specific implementations still vary.

Flash complements these two. The SWF file format is openly published, same as the HTML file format (although governance of file format improvements is within the Adobe ecology, rather than the W3C/WhatWG ecology). With Open Screen Project we're more in the WebKit range, where Adobe establishes the reference implementation, and partners customize this to their device. Flash Player 10.1 will differ across devices based upon device capabilities (screen size, input methods, accelerometer, etc), but I don't expect it to vary in basic runtime capability the way WebKit does.

Is one better than the other? Is WebKit better than HTML, or Flash better than WebKit? I don't think so... each serves different purposes. Apple's donation of WebKit source code helps resolve some of the implementation differences of the HTML/JS/CSS/DOM/etc specifications. Adobe donates a standard Flash implementation to the world's screens. These options are better when they work together, when one doesn't try to be the other. They're different... both good.

September 30, 2009

"... free as in 'Freedom'...."

A consequence of diversity, as described by Matt Asay today:

The problem I have with free-software advocates like Richard Stallman is that they think freedom is the primary reason to use open-source software. It's not. Utility is.

After all, we're not talking about essential human rights here. We're talking about getting work done with software.

Over the past 10 years I and the companies with which I've worked have sold hundreds of millions of dollars in open-source software/services. Not once have I been asked about "freedom." For that matter, I've also never heard a customer gush about reduced vendor lock-in.

To the contrary, I've met with CIOs and CTOs who have explicitly told me that this isn't a top consideration for them. Just last week, in fact, I moderated a panel at LinuxCon in which I asked senior IT executives from leading media companies if vendor lock-in is a primary motivation for using open source. Nope.

They have work to do. They want software that helps them get their work done and gets out of the way. That's what open source does.

(Go to the original article to get the links Matt uses to document this section.)

The above will be spun by some as "Business is Anti-Freedom", but I think a more apt description is "Different strokes for different folks". People are seeking solutions to their own problems... their judgments may be very different than your own.

It's finding ways to accommodate all those differences -- developing multiple options to satisfy diverse needs -- that's a trickier problem than assuming everyone shares the same values.