Archive for October, 2008

Alerting customers of customers

How could Adobe have handled WordPress better? I’m still thinking about that “Uploading Gone in Flash 10” piece last week, from Allen Stern.

Background: Adobe Flash Player 10 had to move to a stricter security model in a number of ways, including explicit user permission for file uploads. There’s been much ongoing guidance, and people who make SWF themselves seem to have made this jump successfully. But there has been higher-than-normal pain among JavaScript developers, bloggers, and video sites: they may not actually create SWF themselves, but they rely on SWFs made by Adobe’s customers. These folks didn’t get the word.

How can things be improved? I don’t know. Do you have ideas?

CNN video FAQ

Eagle-eyed news hounds may have noticed that CNN is now starting to offer a friendlier video experience, taking advantage of existing cross-OS cross-browser capabilities. That’s their story to break, though, and I’d rather not say more about it here. But I do want to point out the address to the CNN video FAQ, which is the source document on the changes. There’s also a peer-to-peer component named “Octoshape”, which has its own FAQ linked at that address. I’ll add more links to this post as they arrive. But if you happen to see anyone confused about the changes, could you drop a note in comments here, so we can make sure they’re taken care of? Thanks, and have fun. ;-)

Keeping third-party SWFfers happy

Flash Player 10 had to tighten some security policies, and most developers are already up on the news… guidance started in 2007, and DevNet and Labs updated their info with each release version, and staffers like Lee Brimelow have held extended conversations on the subject. People who create SWF seem to have already adapted to today’s darker security environment.

But recently I’ve been seeing an impact on people who use SWF, but don’t write it themselves… a few weeks ago Ajaxian reported on Ajax sites which rely on SWF for multi-file upload and who were surprised by the explicit user permission now required… this morning Allen Stern showed the effect at WordPress, Vimeo, and Flickr.

People who create SWF are in-the-loop, but today I realized there’s a larger group of people who employ SWF who aren’t necessarily up on its use. We need to keep them happy. But I’m not sure how to reach them.

What I’m seeking from you (if you’ve got the time and info ;-) is any of a couple of things: (a) Do you know of other non-developers who are getting similar unwanted surprises? (b) Have you seen other consumer sticking-points besides programmatic file uploads? (c) Got ideas on how I might better track or reach such audiences? I realize these are vague questions, but after seeing Allen’s post this morning I realized we have to get the word out to a larger group of people. Thanks in advance if you’ve got advice for me, no worries if you don’t, ciao.

Player 10 links

Want to find info fast? Check this overview of resources, from Emmy Huang on the Player team. Lists release notes, bugbase, technotes, debug players, lots more. Good to bookmark, ’cause you’ll be in a hurry when you want it.

(I ran this on Twitter yesterday, as fast news, but didn’t see it mentioned much in weblogs today… it’s a very useful page, and is worthy of your attention.)

The De Facto Web

Opera Software makes a web browser. They’ve accumulated a giant database of web URLs for testing purposes. Recently they analyzed the contents of those pages. The results are very surprising:

  • 33.5% of sites use Flash
  • 78% use JavaScript, but only 4% use Ajax
  • 8% of sites have little “W3C Validated” badges, but only 4% actually pass the W3C’s validators

There’s been a lot of lecturing done, over the past decade, about “web standards” and “the open web” and “the proprietary unweb” and so on. What’s interesting is how much that rhetoric diverges from reality: Eight times as much Flash as Ajax, or even “valid” HTML. Lots of JavaScript, but little of it advanced. A false sense of how many sites actually follow the W3C’s lengthy specifications.

What we’ve been told to think, is different than how things are.

Web standards folks seek to dole blame. In over-long, inaccessible, and even polarizing English.

HTML5 promises to make things more complex and unimplementable, instead of focusing on the basics like clicking. The discussion is lengthy and not very readable, even for fast-reading native English speakers, and is presided over by an uncredited Google staffer with an arbitrary manner.

The “open web” just acting… strange.

Early web software acted upon Postel’s Law: “Be conservative in what you send; be liberal in what you receive.” Web discussions the past few years have had a streak of intolerance, of not accepting what is seen as “impure”. But the Opera study doesn’t show such authoritarianism in The Real Web.

What we’ve been told to think, is different than how things are. There’s a difference between the volume of speech, and what the volume of people actually believe. That’s what the Opera survey seems to indicate.

Flash is a real part of the World Wide Web today. A major part. Bigger than “web standards”, bigger than Ajax. It doesn’t replace the web. It’s part of the real web, as real people use it.

But here’s the interesting thing. The conservative standardista/openWeb/inGroup position may be anti-Flash, but Adobe is more than Flash, and not anti-standardista.

Adobe’s about publishing — the ability for creative people to communicate. We love publishing. HTML and the W3C, as flawed as they are, are Adobe’s allies. We’re continuing to work on JavaScript. Improving the world to the standardista’s goal, is also Adobe’s goal.

Adobe makes Dreamweaver, not just Flash. InDesign and AfterEffects too. We enable publishing. The more that people can communicate, the better Adobe tends to do.

And we’re not embedding an advertising/surveillance network in your content. No intermediation between you and your audience. It’s free, unencumbered, open publishing… that’s the goal here.

Getting a predictable renderer atop the world’s desktops takes the heat off HTML. It lets HTML be HTML. But if HTML tries to be SWF, it won’t do as well.

My recommendation? Just keep things in a sensible proportion. We need to improve HTML. We also need to improve SWF. But both are real publishing options today. We need to acknowledge both, and not give in to prejudice. Stay open.

That’s my main takeaway from the Opera report. What we’ve been told to think, is different than how things are.

(Sidenote on the Dreamweaver stats: Very few pages produced with Dreamweaver are actually identifiable as such. The Opera study says “MAMA looked at the META ‘Generator’ value to find popular CMS and editor”. But I can’t recall Dreamweaver ever identifying itself in the META-Generator field. Even if they checked for JavaScript routines like mm_swapImage, not all Dreamweaver pages use it, and not all pages which use it came from Dreamweaver. Adobe just provides neutral publishing technology, and it’s up to each creator how they choose to use it. The survey’s material on editors there, I’m not sure what it might really mean.)

More discussion on the still-unfolding Opera study is at Ars Technica and Slashdot today. Jens Brynildsen has a Flash-oriented perspective.

[ Afterword: A few hours later I re-read this, and realized I should provide some authoring context. That's not "Adobe" talking, that's me talking. I wrote it pretty much at a gulp this afternoon at the office. I sit near Scott Fegette, on the Dreamweaver team, and asked him to give it a quick read for any reasons to kill it, but that's the limit of "the corporate voice" on the stuff above. (I didn't ask Scott if he agreed. ;-) I had caught the news via the Ars Technica article last night, made a quick Twitter to stake my claim on the punchline, but then sat down and really read the initial Opera material, and was impressed. Took the day to digest it. Other people, both within Adobe and within the larger ecology, definitely shape my opinions. But many of them might disagree with parts of what I wrote. The words in the essay above are mine, and not Adobe's.]

Clickjacking, reporters

I’ve written on this before, so will just post a reminder here about how reporters may not always be accurate… PCWorld puts it this way today:

Adobe Systems has released a new version of its Flash Player software, fixing a critical security bug that could make the Internet a dangerous place for Web surfers.

The new Flash Player 10 software, released Wednesday, fixes security flaws in Adobe’s multimedia software including bugs that could allow hackers to pull off what’s known as a clickjacking attack, wrote Adobe spokesman David Lenoe in a blog posting.

Actually, David wrote nothing of the sort, as you can confirm by following the link which PCWorld (thankfully!) supplied. This is not a security flaw in Flash; there is not a “Flash bug” to fix.

The changes in Player 10 just prevent the browser’s existing and unpatched clickjacking flaws from affecting the Flash cam/mic dialog. David doesn’t go into details, but it’s something like Player calling out beyond the browser to the operating system to make sure Flash’s pixels are actually displayed, and the browser isn’t letting something else slide in on top to hide the dialog.

Clickjacking is a browser flaw. It is not addressed. (NoScript addresses some implementations but seems a stopgap.) Adobe took the lead in recognizing the issue, and bringing it to the attention of the browser vendors. Adobe has also mitigated the damage the browsers’ clickjacking problems can cause for Flash. But that’s it — the core problem still exists.

I’m glad that Adobe folks recognized the issue early, worked collaboratively on it, and have the first minimizations of the exploit path. But I’m not glad that reporters are saying it’s a Flash issue, just because other reporters said it was a Flash issue.

In Player 10, the permissions dialog for the webcam can’t be hidden by some other browser element, so you can’t be fooled into clicking on it. This will soon be rolled into Player 9, too, for those who need it. That’s all we did. Until the browsers can assure that what you click is what you think you click, and until websites assure that they’re not hosting untrustworthy third-party content, clickjacking in general will still be an issue. Flash is incidental to this whole clickjack story, not its focus.

(That PCWorld article is requesting material from a number of other domains. The ad networks among them receive files from strangers. Third-party requests like these are not only possible infection vectors for a clickjacking attack, but also enable cross-site surveillance through IP logging. Both browser makers and website owners have work to do to disable clickjacking.)
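
An added example, not part of the original post and not Adobe's code: one way a site owner could inventory which third-party hosts a page pulls content from, separating content that can run or draw over the page from plain images. The page URL, host names and HTML are constructed, and grouping hosts by their last two labels in `site_of` is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, kind). "active" content can run code or draw over the page.
URL_ATTR = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "frame": ("src", "active"), "embed": ("src", "active"),
    "object": ("data", "active"), "link": ("href", "active"),
    "img": ("src", "passive"),
}

def site_of(host):
    """Group hosts by their last two labels (assumption: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class EmbedAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = site_of(urlsplit(page_url).hostname or "")
        self.third_party = {}  # host -> {(tag, kind), ...}

    def handle_starttag(self, tag, attrs):
        if tag not in URL_ATTR:
            return
        attrs = dict(attrs)
        # Only stylesheet links are fetched and applied; skip canonical, alternate, etc.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        attr, kind = URL_ATTR[tag]
        value = attrs.get(attr)
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page address.
        host = urlsplit(urljoin(self.page_url, value.strip())).hostname
        if host and site_of(host) != self.first_party:
            self.third_party.setdefault(host, set()).add((tag, kind))

def audit(page_url, html):
    """Return {third-party host: set of (tag, kind)} for one page."""
    parser = EmbedAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.third_party

def active_hosts(report):
    # Hosts that supply script, frame, plugin or stylesheet content.
    return sorted(h for h, uses in report.items() if any(k == "active" for _, k in uses))

# Constructed sample page; every host name is a placeholder.
PAGE_URL = "http://www.news.example/story.html"
SAMPLE_HTML = """<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://other.example/story">
<script src="//ads.adnetwork.example/show.js"></script>
<img src="http://cdn.news.example/photo.jpg">
<img src="http://metrics.tracker.example/pixel.gif?id=1">
<iframe src="http://ads.adnetwork.example/frame.html"></iframe>"""
```

`active_hosts(audit(PAGE_URL, SAMPLE_HTML))` names the hosts worth reviewing first, since their content executes or renders inside the page rather than only being logged as a request.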

The thing about Player 10

Techmeme is covering the press release. I see Adobe Flash Player a little more simply.

It’s the world’s runtime. It runs across more environments than anything else. When you send it instructions, you know how it will act.

It makes display easy.

Anyone can take advantage of this predictable, ubiquitous runtime engine. It’s out there, you can just use it. Opens you up to an immense audience, costs less to test against. Your data stays your own.

The last generation was supported by over 80% of consumers in less than half a year. If Player 10 gets anywhere near that rate, then by next summer the world’s computers will have been effectively upgraded: new capabilities, that anyone can tap into.

It has been formed by a decade of strong community involvement. Its file formats are published, just like HTML. Its canonical implementation is also opening more to the world. There’s a long tradition of doing so.

Starting tonight, the world’s computers are getting upgraded. And it’s all volitional, all by free choice, decentralized. Lots of people contributed to this generation, and lots more people will benefit. It’s the world’s runtime.

Relying upon the existing

Two items hit the newswires today, from Joost and the BBC. These items seem to reinforce each other.

Joost, a video delivery service, changed its delivery from an installed desktop client to browser delivery via Flash. The requirement to install a plugin download manager also went away.

Result? Joost is now easier to view, and for more people too.

That’s what Adobe does… it provides neutral publishing technology, that anyone is free to use. Adobe’s business model is based on selling optional efficiencies into these new publishing platforms. Has been for years.

People resist downloading and installing things. It’s a hassle, it might not work, it might turn out to be a risk. How do you enable a wide audience for what you publish? Remove the barriers to viewing it. It’s easiest to rely upon what everyone has already installed. Flash makes sense.

(Aside: There’s peer-to-peer support in Adobe Flash Player 10 (“Astro”), but not for constant disk activity like video.)

Joost took advantage of lower viewing costs for their audience. That was probably a bigger driver than their own reduced development costs.

And also today, Erik Huggers broke the news that the BBC is using AIR:

Today, we are announcing that in partnership with Adobe we are building a platform-neutral download client.

Using Adobe Integrated Runtime (AIR), we intend to make BBC iPlayer download functionality available on Mac, Linux and Windows for the first time later this year. Whatever platform you use, you’ll now be able to download TV programmes from the BBC to watch later – on the train, in the garden, or wherever you like.

I don’t know details yet… the BBC’s Internet Blog aggregator has had a lot of good articles in the past, and is the best place to watch for future news. Achieving platform-neutral distribution is a tough task, but that’s what Adobe already specializes in. People have anticipated services like the BBC going beyond the browser, and here it is. Makes sense.

A predictable publishing platform for the world’s interactive display surfaces… tooling and runtimes already de facto standards. That publishing platform already exists. Makes sense to use it, true?

CS4 painpoints

Macromedia joined Adobe in December 2005. Creative Suite 3 picked low-hanging fruit: the most important stuff which could be developed, tested, and released by Spring 2007.

Now Creative Suite 4 tackles some of the harder problems — significant workflow efficiency gets a major investment, Photoshop innovates like crazy, Dreamweaver’s “Related Files” and “Code Navigator” and “Live View” change everything. And then, there’s Flash. And wait, Alan will get angry at me if I don’t mention Fireworks. And…. ;-)

CS4 is the first full development cycle available from the Adobe/Macromedia merging. It’s a great release. Economical. And fun too. I think it’ll make a big splash.

But some things are going to hurt. Here’s where I suspect the biggest painpoints will be:

  1. Global pricing. Why is it cheaper to fly to buy it? I don’t know, but I’ve pressed a lot on this too. My best guess is that pricing decisions are decentralized to different legal regions, so it’s hard for anyone to take ownership for an answer. This was already an issue after announcement, and will continue to be an issue after delivery. I’m sorry, I don’t have a good answer here.
  2. Installers. They’re big. They’re objectionable. And then there’s the Updater. I know that there’s been a large amount of improvement done here, but more is needed. We saw “global pricing” as a big issue after launch, but I think installer complaints will get bigger after delivery. I hope the whole installation/update experience will go well for you personally, but I have to apologize in advance if it doesn’t. We need to do better at taking the pain out of keeping current.
  3. Trial availability. The big shipping versions get released first. Then the full set of languages and trial versions and other derivatives enter the production pipeline. The FAQ says that CS4 trials are expected online in mid-November. I know it’s maddening to see new software available, and not be able to try it — I expect the pain to be intense. Adobe provides the varied creative tools for everyone in the world, and it takes us a few weeks to crank everything through the pipeline. It’ll hurt, I’m sorry, but the trials will be up in about 30 days, and then this problem will go away.

    (And please don’t be tempted by blackmarket software, ’cause you don’t know where it’s been. Malware scammers will definitely find this gap attractive.)

Anyway, CS4 is great. The people who put it together are amazing, and this time they had the extra months to do some really fun things, some really deep things. I think CS4 will be remembered as a landmark release.

But the above are some areas where we risk not meeting customer expectations. It’s not through unawareness, and internally we’re already trying to do better. We just didn’t get far enough soon enough to ease the above painpoints this time. I can only hope my apology helps take the sting out a bit.

Hope you love the rest of the stuff, though. ;-)

Where’s Adobe blocked?

At PBS Mediashift, Jessica Dheere wrote on “Google Blocks Chrome Browser Use in Syria, Iran”. This made me curious about Adobe, so I searched on “ ‘north korea’”. This turned up the Adobe website’s Terms of Use, which describes it this way:

The export and re-export of Adobe Software are controlled by the United States Export Administration Regulations, and such Software may not be exported or re-exported to Cuba, Iran, Libya, North Korea, Sudan, Syria, or any country to which the United States embargoes goods. In addition, the Software may not be distributed to persons on the Table of Denial Orders, the Entity List, or the List of Specially Designated Nationals.

By downloading Software, you are certifying that you are not a national of Cuba, Iran, Libya, North Korea, Sudan, Syria or any country to which the United States embargoes goods, and that you are not a person on the Table of Denial Orders, the Entity List, or the List of Specially Designated Nationals.

From this, I’m assuming both companies are legally bound by the US regulations on cryptographic export, which were logical enough after cryptography won World War II, but which are in a different environment today. Browsers use cryptography for secure communications with servers. No digital lock is uncrackable, but they do add to the cost of unwanted eavesdropping.

Anyway, if you were wondering too, then that’s the link…. ;-)