jd/adobe

Mozilla staffer Chris Double has one of the best blogposts I've yet seen on using the currently-proposed VIDEO tag in a realworld environment. It's more realistic than other markup I've seen in that it goes beyond a single-browser audience. I would have commented there, but he requires either Google notification, or OpenID (which has been funky for me), so I'll make a larger blogpost about it instead.

One of the most interesting aspects is that he's addressing the age-old nesting of OBJECT and EMBED tags by [drumroll] wrapping a VIDEO tag around them both... VIDEO tag on the outside, then an OBJECT tag, then on the inside an EMBED tag. It makes sense, considering how HTML4 blessed Microsoft's later OBJECT while dysfunctionally deprecating Netscape's original EMBED, but to see three nested tags just for one media element, I got a kick out of that, and you might too.

The real reason I wanted to comment was on Chris's line about transport controls: "These fallback options don't allow creating your own controls with JavaScript and using the nice HTML5 media API." There's hope... Flash, of course, has been providing the world's computers with customizable UI elements for a very long time, no browser variance to worry about.

But you can still do it in JavaScript, if you prefer... the varied protocols for plugin/browser intercommunication have all been quickly supported by Flash, and it's quite possible to have JavaScript control a Flash video. For practical work you'd also need to include the Microsoft protocols for browser/ActiveX intercommunication, to reach the majority of people on the web, but it's doable.

(I know that other people have driven video from JavaScript before, but I'm not sure how to search it up... if you happen to know of existing libraries they might use, could you drop a note in comments here please?)

The unspoken question in all this, of course, is "Why?" Making two formats of a video is something that very few people would find worthwhile to do. But as an intellectual exercise it's certainly novel... VIDEO enclosing OBJECT enclosing EMBED, the tagging inspires a certain perverse fascination. Check it out!

Posted by John Dowdell at 4:53 PM | Permalink | Comments (2)

There was a lot of press Friday on a new "malformed PDF can crash Reader, potentially leading to foreign execution code". Unfortunately, there was far more press text than source text. The Adobe Security team has better source info in this blogpost.

If you regularly open PDF files from untrustworthy sources, it can help to disable JavaScript, but this does not address the root issue, for which Adobe will be issuing new versions of Reader and Acrobat.

Better than disabling JavaScript is to make sure that your security software is updated. The Adobe Security blog has a list of third-party vendors who have already updated their scanners to deal with such malformed PDF.

I do not know whether non-Adobe PDF renderers are vulnerable. I do know that folks within Adobe have agonized about the wait for public information disclosure, and that organizationally we'll be able to move faster in the future, but (as the "disable JS" rumor showed) it's vital to go past the surface issue to the root issue, and it's vital to consult with industry partners to meaningfully improve the security situation.

Anyway, please accept my apologies for the delay, but solid info is now at hand. New software due in 14 days.

Posted by John Dowdell at 7:18 AM | Permalink | Comments (0)

Thought experiment: What might the world be like today, if Netscape Navigator 2.0 hadn't exposed a plugin API back in 1995?

The decision back then was based on sound history, of course... tools like Adobe Photoshop had already made third-party plugins popular... before that, the XCMD/XFCN extension mechanisms in Apple's HyperCard proved useful and innovative, and Macromedia Director followed with cross-OS XObjects and then Xtras (one of which, XCMDGlue, let you bring in prior HyperCard extensions)... in the wider world before that there were COM, CORBA, and you could even see the hints in the UNIX "pipe" process. "Small pieces, loosely joined" was a proven model for the benefits of extensibility.

But suppose Netscape Navigator entered a parallel dimension, and stayed just one big isolated hunk of code, trying to do everything itself... how might history have turned out?

Microsoft Internet Explorer would likely have continued with ActiveX extension of their browser... their business drivers for third-party extensions were wider than just playing catch-up to Netscape at that point. At least one browser would still support open extensibility, but there wouldn't be the cross-OS Netscape Plugins API.

In such a world you could extend the Microsoft browser, but not the other browsers. Microsoft's relative openness would have been a significant advantage over other browsers.

But early on it probably wouldn't have made much difference. There was an intense period of plugin exploration during the mid-90s, hundreds of browser extensions attempted, but few gained enough consumer support to make a difference. VRML authors would have just worked on the desktop, in networked applications, if they couldn't extend the browsers. Shockwave is still one of the most popular plugins, with majority presence on consumer desktops, but there were few Shockwave apps which changed how people used the Web. Adobe Reader worked both in-the-browser and as a separate client application, so we'd probably still have Internet access to documents. Java has a number of roles beyond in-the-browser work, and it would have survived in different form. The inability to add third-party renderers would not have made much difference in the mid-90s.

Oddly, one of the most significant plugins in this alternate history of "a world without plugins" might have been Progressive Networks and its Real Audio. They did the first work in making audio available in browsers, only being eclipsed later by Shockwave's inclusion of Fraunhoffer "MPEG 2 Layer-3" audio, and the later popularization of this as generic MP3 files. Real Video was constrained in its early years by bandwidth and decompression costs, but the whole MP3 revolution, which toppled empires, would not have been possible if third-party developers could not experiment around the edges of the browser core.

Think of the beauty of what Real offered... one codebase for Windows, one for Mac, and you could then use any browser you wished, so long as it supported the common Netscape Plugin API. Every browser had an equal chance to host hot new features... browser-makers were enfranchised, automatically, if your app could be extended.

But without a common extension mechanism, each browser would have to reinvent the wheel, and content developers would have to test against varying browser choices. New browser makers would have a higher hurdle before being able to compete.

The story takes a twist when we get to the late 1990s. Netscape 4 was as reviled by web designers then as Internet Explorer 6 is despised by web developers today.

Netscape dropped from the heights down to single-digit popularity in those dark days.

If Microsoft had added audio and video into its browser directly, rather than through a common extension mechanism, Netscape would have been even less able to compete. Being able to share in the innovation, through plugins for Apple's QuickTime, Real Media, and even Windows Media, kept Netscape in the mainstream of capability.

And if the new Mozilla had been forced to license the codecs Microsoft supported before Firefox could attempt to play the world's music or movies, well... they likely wouldn't have made it.

In our world today you can surf The World Wide Web in Opera, Camino, Konqueror and so on... YouTube, Flash games, election charts, whatever. Those smaller companies didn't have to engineer support for the world's existing video and RIAs on their own. The stability, accessibility, and universality of common third-party plugin capability makes it easier for specialty browsers to participate in the full web.

Plugins enfranchise browsers.

And it goes beyond browsers. The Hypertext Markup Language is useful for desktop applications and embedded devices, not just web browsers. A hypertext markup spec which imposes specific video or drawing, synch or processing requirements on implementers would stunt experimentation and innovation.

If there were no plugins, you'd likely now be going to Internet Explorer to get your real work done. And considering what happened after Microsoft won the browser wars in our world, it's a safe bet that in that "world without plugins" they'd still be at IE6, if that.

A world without shared plug-in capability... well, think about it, a little more, yourself. It's bleak.

Here's my main point. "Small pieces loosely joined" creates a supporting ecosystem of technology... living, breathing, decentralized decisions. But creating a few giant monoliths of feature-creep code is just plain not as lively. I think the Apple/Google drive behind the current over-ambitious HTML5 spec would lead first to confusion, then to anti-competitive barriers, and then to sterility.

I want the HTML planners to focus on making things easier and more predictable for web content publishers. I want a smart kid in a rural third-world village to have a chance to learn how to publish to the world. I want hypertext markup accessible to more creators.

I want the HTML planners to make the basics work right. Make it easy to create a browser. Make it easy for anyone to compete against today's reigning browser brand.

I want webpages which can integrate third-party content with safety. Warn us about web beacons. Beat clickjacking, and give us back "What You See Is What You Click".

I want browsers to improve their handling of plugins... clean up your OBJECT/EMBED hassles now, it's 2009... improve JavaScript/Flash communication and make it consistent... take advantage of today's video. Stop treating plugins as a second-class citizen or, worse, a refugee class.

I want "The Open Web" to work well with others.

I want "The Open Web" to open up, to be "small pieces loosely joined".

I do not want a future where only a few mega corporations can afford to create a browser.

I want HTML to succeed. I do not want to see it fail through ambition and inefficiency, like Netscape did. I want HTML to get smarter by getting simpler. I want HTML to get sustainable, to succeed.

Imagine a world where plugins never existed. Can you picture it? Can you see how history would likely evolve, were cross-browser capability only up to the browser vendors?

Cross-browser plugins have made our web what it is today. They should be celebrated.

And what I want is for browser vendors to acknowledge plugins as first-class citizens.

Posted by John Dowdell at 8:23 PM | Permalink | Comments (0)

... because it is sinful.
... because those are fattening.
... because they are witches.
... because he's a stupid jock.
... because it is indecent.
... because they are sheep.
... because we are the chosen ones.
... because it is God's will.
... because it is healthy.
... because it is perverted.

Because the territory "IS" the map.

Lots of bad things have happened on this planet, because labels were slapped onto realworld things, leading us poor humans to characterize the world in a binary "sinful/non-sinful" way.

"It's our right, because it's a dog-eat-dog world."

"It is safe to drive, because the light is green."

"That is not good, because it is proprietary."

That's what struck me in a conversation today. I've been reading up on Mozilla's Bespin project, trying to understand it, and someone in comments (anonymous, unfortunately) raised the question I had been asking myself

On one hand, we have folks, at Mozilla and elsewhere, telling people that open standards like HTML5, CSS, SVG, the DOM etc. are the way to go for building advanced interfaces on the client side, instead of using proprietary solutions like Flash or Silverlight.

On the other hand, we have other folks, also at Mozilla, saying that none of that stuff was good enough for them, so they had to go straight to 2d drawing primitives and rebuild everything from scratch. At which point, there is no technical reason not to do it with Flash instead, and get the additional benefit of running on all browsers now, with no compatibility concerns.

Two replies followed: "Actually, canvas is an HTML 5 standard, not a proprietary solution. It’s a peer to any other feature of HTML."

Also: "There are huge differences between canvas and Flash: canvas IS an open standard (see HTML5) and there are multiple interoperable implementations, even multiple excellent open-source implementations."

I reacted pretty strongly, mostly about the "is a standard" distortion offered as justification.

But the more I thought about it on the walk home, the more concerned I grew with the structure of the communication, beyond its particular factual details.

"This is this, and that is that, and it's all very clear and distinct" is a useful mental tool in some situations. It makes things easier to learn, for one.

But such binary labeling can become a trap as well. In online debate, many use the phrase "because it's proprietary" as a cheap way to stop thinking. I've been trying in good faith for years and years to pierce past that sophisticated-sounding "proprietary" label, to little result.

Still, the map is not the territory. The menu's not the meal. Slapping a label on something doesn't substitute for thinking it through.

I think it's better to evaluate specific risks and specific benefits of various offerings, and not just reject "because it is dirty". Your labels are your traps. Free yourself.

If you think that "because it's proprietary" is sufficient argument, then please do continue be careful in intersections. "Because the light was green" may not prove quite enough to protect you from reality.

Posted by John Dowdell at 9:13 PM | Permalink | Comments (5)

Big news yesterday... even further industry support of Open Screen Project, redistributable Player for Nokia and Microsoft smartphones, new Acrobat Reader for mobile with reflow layout, a $10M fund for mobile projects, more. Here are the press releases.

I spent most of yesterday reading commentary. Here are some quotes which caught my own interest -- not an overview, more like reading notes -- background info up towards top, third-party reactions down toward the bottom.

The one-sentence summary? Computerworld phrased it well: "Google, Microsoft, Palm and Nokia are all expected to release systems or phones next year that will be able to display the same videos and applications as the most recent Flash 10 player for desktop computers." That's the new cross-device runtime, beyond the old and very successful Flash Lite runtime. Big momentum now.

On stats, you may have heard that "one billion Flash Lite devices shipped" phrase when it broke into news a few weeks ago... Adobe delayed a press release until this World Mobile Congress event, in case you were wondering about deja vu. There was also a stat of "Flash Lite shipped on 40% of all new handsets in 2008" which was new to me, and which I haven't seen sourced... I'll be trying to lock that down, get a link.

[Update, 02/24/09: The stats both came from Strategy Analytics, in this PDF: "We estimate that over the next 2 years alone, around 1.5 billion Flash Lite enabled phones will be shipped globally, taking the cumulative total to over 2.4 billion handsets by the end of 2010. Flash Lite is being installed in a greater number of handset models from more OEMs than ever before and penetration is expected to grow from 40% at the end of 2008 to over 61% by the end of 2010."]

The Reader Mobile news didn't get as much play as the Flash announcements, but it's significant... the concept of "PDF reflow", where existing PDF can change its layout to display efficiently on small screens, is huge... adds one of the benefits of HTML to the predictable-layout capabilities of PDF. There's also support for the EPUB standard (digital books) and Adobe Content Server (protected documents). The press release lays out the significance, and Bill McCoy is a good source for news.

I don't know the support structure for the Redistributable Player -- who handles an update if something goes wrong, etc. It's apparently limited to machines with an operating system which supports live updating, and is geo-restricted.

"Consumers using supported Windows Mobile and S60 phones in India, Italy, Spain, UK, and the U.S. can easily download applications." [Adobe Labs]

Mark Doherty [an Adobe employee] added "OTA is available in US, UK, India, Spain and Italy with more following quickly, anyone can download the player from Adobe Labs if OTA is not available."

In Silicon Valley press, many wove in lines about Apple iPhone. (I didn't find any statements from any Apple employee anywhere about the event.) Adobe's Anup Murarka had the best quote on the simple realities:

"'We would love to see [Flash] on the iPhone, too,' said Anup Murarka, director of Technology Strategy and Partner Development for Adobe. 'But it's Apple's decision on when and how they support any new technology. So we will continue to work on it.'" [CNET]

And for RIM BlackBerry: "...Adobe is at an even earlier stage with RIM. 'We've had some initial conversations and are evaluating different approaches to be taken,' [Adobe's Anup Murarka] said. 'There is a lot of interest from BlackBerry enterprise customers to be able to build Flash apps. But there is no working solution yet.'" [Computerworld]

Adobe's goal is simple -- we want to make it easy to publish to any screen. Any screen.

One of the oddest phenomena of the past year has been how Flash Lite paying licenses have blown past expectations -- even after Adobe announced that the older mobile engine would be replaced by the desktop version and would not require license fees! I credit Apple's iPhone for raising the bar, and proving to manufacturers and operators that consumers enjoy better experiences. (I guess we can now bury last year's meme that Flash Lite licensing fees were holding it back. ;-) A representative quote in The Standard:

"Adobe's Flash Lite multimedia player is spreading like wildfire on mobile phones, according to third-party statistics released by the company on Monday. According to market researcher Strategy Analytics Inc., Flash Lite will have been shipped on 1 billion phones by the end of March this year, one year ahead of Adobe's earlier target... 'The take up of Flash Lite has been staggering to be honest,' Strategy Analytics's Stewart Robinson said in an e-mail... 'I think it also comes down to the fact that competition is almost non-existent,' Robinson said, adding that he expects another 1.5 billion smartphones with Flash Lite to ship in the next two years."

Windows Mobile 6.5 was announced, and the "deathmatch" rhetoric of the blogosphere got trumped by the realities of everyday life:

"The latest version of Windows Mobile is shipping with Flash Lite, but there’s no word on when or if Microsoft will debut its Silverlight on mobile." (Other quotes confirm that Silverlight 1.0 for Mobile will be on Windows Mobile eventually... there may have been dates offered in the past, but no date was offered this week.) [Wireless Week]

"Perhaps the most interesting part of Microsoft’s new OS is an updated version of Internet Explorer for Windows Mobile. The company said the new Internet browser features the same 'engine' as Microsoft’s browser for desktop computers, and can render Adobe Systems’ Flash technology... Strangely, Windows Mobile 6.5 does not support Silverlight, which stands as Microsoft’s answer to Adobe’s Flash on the Internet. Microsoft executives hinted that Windows Mobile would support Silverlight at a later date." [RCR Wireless]

Some of the expert quotes contained jarring notes... I have no idea what the speaker might have intended with this "look how long it took Macs to get Flash" line:
"The other reason, at least with Apple, is business. 'Apple wants to push its own technology, in this case, QuickTime,' Gold said. 'It has its own interests at heart. Look at how long it took to get Flash onto Macs. I honestly don't think you will see Flash on the iPhone anytime soon.'" [Computerworld]

Some made simpler, more direct, and more observable points:
"Say what you will about Flash, it’s unquestionably a significant component of today’s 'real Web,' and I’ve spent enough time being frustrated by its absence that I’m anxious to see how it translates onto a tiny screen." [Harry McCracken]

At The Boy Genius Report, the comments were not deep, but were excited... it was the emotional tone which struck me here. People were involved and committed to a consumer device... doesn't always happen.

Now, for the bobos.... ;-)

Erick Schonfeld's TechCrunch article is snarky, but he gets outdone by the head-in-buttiness of the comments... sample:
"The fact that they left Flex 3 out of CS3 premium suites left me SO BITTER, that I think JavaFX will have to take it’s place."

The most negative (and unrealistic) assertions were from Apple fanboys -- while reading through the comment section at A VC from NYC I wanted a little webcam to see how these anonymous spouters of balderdash lived their days:
"Last time I checked, flash is not an open standard. HTML 5 is open and handles 95% of what flash is used for."
"Mobile flash is nerfed (I believe Steve called this out), and I'm about 99% positive that the version of flash on Nokia and Palm will not support Flex/AIR apps."
"Because Flash is a proprietary technology, while HTML 5 is an open standard. When it comes to the Web, open standards will prevail. Flash is the past, HTML 5 is the future."
"As a number of commenters have pointed out, Flash is a hog."

Just goes to prove that internet text is bloated, I guess. ;-)

I'll keep reading today, and will update this post if I find anything significant. If you caught a novel perspective or useful news, or have questions about any of the announcements, please drop a note here, thanks!

Posted by John Dowdell at 9:03 AM | Permalink | Comments (2)

Inspiring story at WIRED today, of someone making 320,000 sales of a $3 game distributed by Apple iPhone App Store. He quit his dayjob, saying "I'm not going to be a millionaire in the next month, but I'd be shocked if it didn't happen at the end of the year."

Varied takeaways here:

• Sales didn't really start until a free version was available... it's easier for a customer to say "I'd like more of this" than "I think I may like that".

• Large potential audiences are not always as necessary as being able to reach enough of the right people... 17 million iPhones yielding 2.4 million leads and 320 thousand purchases was enough.

• It's great that Apple has provided a way for individual developers to receive a check. (I hope that the consortium involved in the Open Screen Project can help bring about similar models for wider audiences in the future.)
  

The title? The State of California has its own television show, to encourage gambling in its game. It's fun for both winners and the hopeful to discuss how they'll spend the money, even though the odds preclude as many winners as hopers. If he quit his job before getting the first check, then....

Still, this person now has new possibilities open, thanks to an indy development project. Inspiring.

Posted by John Dowdell at 3:26 PM | Permalink | Comments (2)

How did the recent "Don't Click" clickjacking attack on Twitter come about? Pretty innocuously, according to this report... a funny hack went viral, and refused to be defused. (I haven't confirmed the author's account, but it seems plausible, and is interesting in its own right.)

"Clickjacking" is when third-party content tricks a webpage visitor into making an undesired click. Complete remedies are difficult, because DHTML added JavaScript page-rewrites, and Web2.0 added unvetted third-party content. Browser makers are now struggling to find ways to guarantee that What You See Is What You Click.

A novel aspect of the Twitter-jacking is that the third-party content was introduced via URL-shortening services. Fixes have been attempted, and rebuffed. Check out the explosive growth in this chart.

This "Don't Click" isn't a serious exploit in itself, but it's a serious step along an existing vulnerability. Stay tuned.

Posted by John Dowdell at 1:14 PM | Permalink | Comments (0)

Sort of off-topic, sort of not. Tech photographer James Duncan Davidson got mugged outside the TED conference. Fortunately he came through okay, with nothing more than bruises and new things to think about.

No judgment here on how James handled it... none of us can know how we'd do in a situation until after we actually go through it. But some of the comments there alarmed me greatly -- "yeah yeah fight fight!" is a loser's game. Geeks are good people, valuable to the rest of the world, and it would be a shame to lose any more.

After sleeping on it, I think there are three important points: acknowledge that you're a likely target; stay aware of what's going on around you; and defuse rather than escalate any confrontation.

You are a target, and a fat, easy, rewarding target at that. Geeks have more income than street predators, and are usually carrying popular, easy-to-fence goods. Geeks have more cubicle-sense than street-sense, and most of their experience with physical violence has been at the movies. Convention areas are filled with tired, distracted travellers. Stop thinking "it can't happen here", and accept the predator's logic that you'd make a good meal. (Bob Mah shows some additional reasons you may be a target.)

Pay attention. Know who's around you and what they're doing. Over the last six months in San Francisco there has been a dramatic increase in the number of people wandering around the sidewalks, staring at the device in their hands. Newspapers have told of cellphone vehicle accidents, and iPods snatched on buses -- if you're out in traffic you need to stay aware of your surroundings, can't afford "device blindness". Put yourself in a mugger's shoes, and you'll see who the easiest targets are on the street each day. Don't be sorry, just Be Here Now.

You'll lose at violence. If someone has been tracking you and already has you at a physical disadvantage, then this is not the best time to exercise your strong sense of moral outrage. He wouldn't have taken you on unless he knew he had the edge. He wants a conference badge, your wallet, whatever, give it to him. Even if you beat the odds you're subject to a Bonfire of the Vanities afterlife. If you weren't alert enough to avoid a bad situation, and are trapped, your main goal is to get out safely.

Next time you're in a geek-rich area -- a workspace, a restaurant, a convention, even a sidewalk -- look around at how other people are managing their attention. Some may be looking at their hand, others swerve without checking first -- lots of accidents waiting to happen. When a wolf circles a flock, it's the ones on the edges most at risk. Just by watching other geeks, and avoiding the more self-absorbed behavior you see, you can do a lot to increase your own odds.

Keep an eye on the street -- staying aware and alert makes it easier to avoid problems. And if you can't avoid a situation, then work to defuse it, reducing the risk rather than escalating it. Physical training can help beyond that, but your first steps are always awareness, avoidance, and defusing.

Not paying attention to your current surroundings is a good way to get targeted. And an empty sense of moral outrage is then a good way to get hurt.

We need every good geek we've got. Please stay safe out there!

Posted by John Dowdell at 1:31 PM | Permalink | Comments (0)

Excellent security resource here: "2009 CWE/SANS Top 25 Most Dangerous Programming Errors". Lots of apps get burned by improper input validation, SQL injection, cross-site scripting. But it's hard enough to make stuff, much less defend against all the ways to break stuff.

Here's an efficient way to protect yourself. Read through each of the 25 "discussion" paragraphs first, to see the most frequent ways sites are attacked... get the big picture, fast. You can then drill into any particular topic if you want. Very efficiently organized.

Thanks to Brian Prince at eWeek for the tip, in "Keeping an Eye on Adobe Flash Security Means Catching Common Programming Errors". Related recent story: IBM Rational AppScan.

Posted by John Dowdell at 6:39 PM | Permalink | Comments (0)

Great interview at EffectiveUI from Doug Schmidt (of Dryerfox fame ;-) as Adobe's Anup Murarka discusses the goals and progress of the Open Screen Project.

It's a long interview -- printed out for me at 13 pages -- and seems to have flown beneath-the-radar since published two weeks ago. I'm remixing some of the highlights topically below, but I'd urge you to read the original conversation too... OSP is an ambitious yet convincing proposal to gain the ability to write to any display, and I think this interview will help you predict the shape of the next few years.

What are the goals of the Open Screen Project? To make it both practical and economical to deploy to any digital screen.

We've centered on two key goals. First is the development and distribution of a consistent runtime that’s available across all sorts of screens, not just the desktop, but also mobile, television, set-top, and other consumer electronic products.

Second, is the notion that it needs to be easier to publish and distribute content to those screens, not just from a technology perspective, but also from the business relationship perspective. Too often, Adobe hears horror stories from developers about how hard it is to get their content to a mobile phone or to a television. Companies in the Open Screen Project would like to see that become easier.

... The Open Screen Project is really more about allowing developers a much greater level of flexibility to design and move assets from one screen to another without having to rebuild applications every time.

We've got to improve, not just the technical capabilities, but also the business realities. That's why such a diverse partner list is needed:

When the Project was originally announced, we had companies from all segments of technology ecosystems participating. We have companies at the silicon layer actively participating — organizations like Intel and ARM. We also have OEMs, including all of the top five mobile OEMs: Nokia, Samsung, Motorola, LG, Sony Ericsson, and also companies from other industry segments that build other a wide range of consumer products — like Cisco and Toshiba.

We have service providers NTT DoCoMo, Verizon Wireless, and Comcast who most recently joined the effort, as well as major studios, content producers, and media brands including NBC Universal, MTV Networks, a division of Viacom, and others. We see the Open Screen Project as a very broad industry collaborative effort rather than just something that is applicable only to software companies... Since the original public announcement, we reached a very significant milestone in seeing some additional companies join the effort.

Why is such a diverse consortium of stakeholders so necessary? Examples here from service providers and hardware manufacturers:

One of the key Open Screen Project goals is to allow for over-the-air and over-the-wire updating of the core run time, just as we allow for that on the desktop now with Flash Player. If we can make that a seamless process and as easy to use as it is on the desktop, we think developers will get really excited and they’ll be able to do even more wonderfully creative things.

That’s why it was essential to have service providers participate in the project from the start — to help guide how we would do this successfully. The idea of tens of millions of wireless subscribers suddenly doing simultaneous downloads over a network is frightening. Consumers can undoubtedly overwhelm the network. So it’s something that has to be done carefully, and again, that’s why we wanted to make sure that we had partners in the project that could educate us on what the risks and struggles will be.

... One of the most complex problems we’re seeing right now is getting ActionScript 3 running in low-end, mass-market devices. It’s not easy. We’d love developer participation there. It’s going to require a lot of energy. We’ve had a number of the Open Screen Project partners participating in that — companies like ARM, Intel, and Qualcomm — working on getting a well-performing, just-in-time compiler working on current and future processors. There’s a lot of juicy work to be done in that regard...

One example is the announcement we made with ARM stating that Adobe is working with ARM directly to optimize Flash Player 10 for playback on processors. So much of the early engineering work is happening at the very low hardware levels in order to take advantage of hardware acceleration. ARM has made key contributions to the Tamarin project by getting the just-in-time compiler working with ARM processors instead of just desktop X86 processors. These optimizations are for core Flash Player 10 and Adobe AIR.

Adobe's motivations and business goals?

As we shipped millions of units of Flash Player onto various mobile phones, we didn’t see real global success in terms of broad amounts of content being available everywhere. We saw many little ecosystems, smaller silos that made it challenging for Flash developers to see their content become globally available. If you look at the way Flash content has grown on the desktop and the Web, comparing that to growth outside of the desktop, it has been slow to develop.

We’d like to accelerate that. We’ve certainly played a role to some extent for mobile, particularly in Japan, in parts of the U.S., and parts of Europe. But we’d like to see mobile become a more consistent environment that developers can take greater advantage of.

... We don’t want designers to worry if Flash Player 10 on devices shipping now will work on devices that ship three years from now. I think this is a key aspect of what we’ve heard from Flash Lite developers over the last several years.

... We see consumers demanding greater access to the content they enjoy and the services they want. Rather than forcing developers to learn a completely new set of APIs, a completely new set of capabilities, we think if they have a common tool set, and a common language to deliver those applications and services, they’re much more likely to make them consistent and make them available on a wide range of screens so that experiences can move with users and not be dependent on a desktop in any one location.

Again, our goal is to make Flash more open and more appealing to developers around the world. That represents a significant step to allow for new innovation and for faster development to happen.

What about commitments and progress?

We've made some significant commitments to the Open Screen Project, as well as financial commitments by agreeing to waive the royalty fees, for example, for device-based implementations of Flash Player technology.

... We published the first round of specifications and details for development, as well as a schedule for releases that would be 'Open Screen Project compatible.' These future releases of Flash and Adobe AIR will really move the the Project's goals forward.

... We’ve also published Flash information, including Flash technology specifications. We’ve made available various protocols over the course of the last year, such as the FlashCast client server protocol. The goal for that portion of the effort was to ensure that companies didn’t feel locked into some other piece of Adobe technology just because they wanted access to this runtime. Our other products and solutions, tools, and server services will compete on their own merits and not just because there’s any sort of proprietary lock-in to the Flash Player runtime.

... One of the exciting elements of dealing with ActionScript 3 is the fact that the Tamarin Project and Tamarin-tracing have been created as open source projects of the Mozilla Foundation. The Tamarin project is incredibly essential to making this effort one that’s going to truly be multi-screen.

Specifications, roadmaps, timelines?

For the desktop, nothing really changes. For smart phones, we think the specs are somewhere in the 300 to 400 MHz processor range — the really high end of the smartphone category for now. That means devices like the G1 or the iPhone, or some of the higher end series 60 devices are the best — basically the PDA class of devices.

The lower-end smartphones and mass-market phones won’t get all of the same desktop compatibility that we’re offering. They’ll miss some of the class libraries or actual APIs, but the core runtime will be identical. It will be better than what you have with Flash Lite today, but still not 100 percent equal to the desktop.

We think the profile is going to be somewhere in the 300 MHz range for the device processor on, let’s say, a quarter VGA, half VGA screen. We’re also targeting a similar footprint for set top boxes and mass-market TVs, although with some hardware acceleration.

... Schmidt: Did you say that you foresee the first Open Screen Project devices coming to the market in Q4 of 2009?

Murarka: That’s our hope, and things look like they’re on track for that. But ultimately it’s in the OEM and service providers’ control. So I think that’s certainly the target that we’re all trying to work towards, but I would expect the volume of the products to be available in 2010.

What's the general strategy for developing atop common runtimes spanning diverse device types?

Today, Flash Lite developers have to consider the specific device and the specific operator, and what version of Flash Lite is in use. Our hope is that all these Open Screen Project devices will be able to support a consistent ActionScript environment and a consistent Flash environment. Yes, the physical differences of the device will still be there. Is there going to be a keyboard, is there going to be a mouse, is the screen resolution going to be HD resolution or is it going to be a quarter VGA on a small phone? Designers have to worry about those things even today on the desktop, although not quite as extensively.

We want to simplify the language constructs, we want to simplify the class libraries, we want to make sure that the same authoring tool is in play — and ideally even the same Flex framework and SDK in the future.

But today, many of the richer tool sets that are available to desktop developers are not available to Flash Lite developers. We think that’s a big obstacle to overcome — one that will help simplify the development process for all different screens.

... One of the biggest challenges that developers have described to us is trying to keep track of all the many different devices, and all the different implementations of software on them... The idea of testing everywhere is cumbersome, it’s expensive, and Device Central is a great way to help mitigate some of that cost in time and money. We expect that to continue; Device Central is going to be just as useful as it was before to help designers get a feel for what’s available across devices, but the big steps are really to try to close the gap.

The core focus is on the "big three" screens (laptop, mobile, television), but the principles and capabilities should also extend to any upcoming types of Internet-enabled digital display:

Adobe Flash technology has been used in such a wide range of devices — from digital signage to ATM machines, to toys to informational gadgets, and developer platforms like the Chumby. There is broad adoption of Flash across devices, but it has not reached the penetration and mass-market consumer awareness that televisions, phones, and desktop computers have.

We talk about those three categories most because they are the three largest consumer products categories, but the technology evolution we’re undertaking should benefit other industries and other segments over time. So you can imagine car navigation systems utilizing some of the same benefits that we’re working on for these other three categories of desktops, mobile, and television.

Just as PostScript made it easy to publish to any printer, Flash must make it easy to publish to any screen. I've been waiting for this convergence a long time, and the strength and diversity of its ecosystem makes the Open Screen Project look capable of realizing this goal. Nothing's shipping yet, but if you want to better predict where we're going, then Doug's interview of Anup offers a very good return on investment.

Posted by John Dowdell at 1:40 PM | Permalink | Comments (0)

Two writers try to debate with each other "Are all browser plug-ins a security risk?" (The question actually covers both cross-browser plugins as well as single-browser extensions... longtime semantic imprecision.)

Objectionable line: "Moreover, you're putting Adobe Flash (which is a commodity plug-in full of documented security holes) with NoScript, which is the very security tool providing that 'per-site granularity' in disabling plug-ins like Flash that you're advocating..."

If you read through the security alerts and can work through the rather politic language of the addressed issues, you'll see that most of the recent Player security improvements the last few years have been to prevent browsers from fulfilling requests they really don't want to fulfill. The biggest recent exploit was clipboard pollution from untrustworthy ads hosted in your HTML pages. The biggest black eye for Player last year was the clickjacking issue, in which Player was a victim of browsers' inability to guarantee their own clicks, yet for which Player took the fall. Nothing is perfect, but Flash is actually pretty good.

"Full of documented security holes" means... what?

Check out with what fervor he defends his own baby, and with what casual ease he slurs other babies.

(Disclaimers: I've been a Mosaic/Netscape/Mozilla/Firefox user straight through. I like how Giorgio has implemented whitelisting for JavaScript, to help protect against the promiscuous use of unknown third-party instructions in many websites, even though I currently use AdBlock Plus to develop blacklists. I like the person and the goals; I just don't like the errant mental shortcuts, the unwarranted divisiveness, the raw prejudice.)

[Update, after two hours: Added source link in first paragraph!]
[Update, after three hours: My characterizations of "errant mental shortcuts" etc were too strong, apologies... a cumulative reaction to a series of similar bashings from varied writers.]

Posted by John Dowdell at 7:27 AM | Permalink | Comments (0)

Some scary headlines today... IBM AppScan Takes Aim at Securing Flash, IBM Targets Adobe Flash Vulnerabilities with New Tool, IBM software scans for security holes in Flash, Ajax, IBM's AppScan tool adds Adobe Flash, SOA scanning.

The headlines seem to overstate the case, but it looks like not all of the information is publicly published yet.

The AppScan minisite links to a PDF, but their press room doesn't yet seem to have a press release or FAQ which Adobe participated in. My best guess is that there was a press pre-briefing and embargo which wasn't backed up by the full release of info. Hard to tell, from my position right now.

Bottom line, IBM's Rational AppScan is a tool for enterprise to check the content they generate. The recent release adds a lot of "best practices" checking for HTML and SWF, such as averting SQL Injection on HTML formfields, overly-broad cross-domain access or JavaScript-ability for Flash, etc. It helps to reduce the amount of new web content with known authoring vulnerabilities, and has nothing to do with "vulnerabilities" in Flash Player per se.

There are some more informational materials in the pipeline that haven't made it out yet. I believe the Adobe PSIRT folks will also have info on this whole area of enterprise content-checking. If you get questions about this morning's press, the best answer may be "Wait just a little for full information to become available, on that useful best-practices validation tool."

Now, if only we had some way to protect people from vulnerabilities in new headline generation.... ;-)

Posted by John Dowdell at 1:18 PM | Permalink | Comments (2)

Last Friday Bloomberg.com asked Adobe's CEO about Apple's iPhone, and reported:

"'It’s a hard technical challenge, and that’s part of the reason Apple and Adobe are collaborating,' Narayen said today in a Bloomberg Television interview from the World Economic Forum in Davos, Switzerland. 'The ball is in our court. The onus is on us to deliver.'"

I saw it Friday afternoon in SF, and by Saturday evening it was all over Techmeme, then picked up on Sunday with the newspapers. Many, many pageviews, just from those three little sentences in a newspaper.

I checked with Adobe PR folks today, and the sense I get is that it's just as innocuous as it sounds... no new info, no news. That "iPhone Question" is usually asked whenever an Adobe exec is interviewed... you've probably heard it asked at tradeshows too. Sometimes it "pops" in subsequent commentary. There was no news announced or hinted here, though.

If you're reading for iPhone news, stop there. If you're reading for Flash news, keep reading. ;-)

There is one thing you can count on in all this. Adobe is committed to making it easier to publish. Establish a new capability, build atop it with others, cannibalizing yourself if necessary, all the while surfing the new platform curves. It's Adobe's corporate DNA to innovate standards, transforming the company along the way... it's the core part of the corporate culture here.

It should become as easy to publish a screen, as it already is to publish a book or a video. Not just to your computer, not just to your phone, but to any digital screen in your environment. Interactive publishing must become easier, more accessible, more economical for more people.

And Adobe's betting on Flash to do it.

I think it's an achievable goal. Last March there were half-a-billion devices with Adobe Flash runtimes, and analysts predicted a doubling by 2010. But it looks like we've already hit one billion shipping devices with Adobe Flash Lite capability, eighteen months early. Demand has been massive, higher than expected. And when Open Screen Project devices start shipping, things will pop wide open.

(Just how big is "one billion Flash mobiles shipped"? I hope Apple PR won't mind me reminding that there have been 17 million iPhones sold, a 60:1 disparity... for every iFart or Sound Grenade, there are two entire Flash-savvy devices out there. A billion devices is still a drop in the bucket, compared to getting everybody wired, but we're on our way to doing so. Future's coming very fast.)

If you want to understand Adobe's goals, think of universal publishing platforms... new types of capability with widespread support. Options, not mandates. There are no conflicting priorities about selling a device, selling an OS, selling a data service. "Innovate a platform and build atop it", that's the driver. Adobe's betting on establishing new publishing capability across the range of screens you see.

It'd be great to get such screens atop Apple's devices too. But work on the platform continues regardless. You can bet on that.

.

[Comments will be on heavy moderation... seeking discussion of publishing capability, not more rumors or fanboyism, thanks. (And the above was written on my own, in an hour or two, without collaboration... please don't read too deeply into it!)]

Posted by John Dowdell at 8:04 PM | Permalink | Comments (2)

This week there was a story about Mozilla allocating $100,000 to codec development, and another about the majority of consumer computers supporting Player 10's functionality within eight weeks of its release. I've kept reading the comments, following the conversations.

I saw two types of Flash-negative articles. One type bothered me, but the other doesn't.

One style of essay went "Is Adobe hyping AIR? Are people really using it? How can we get more numbers? What are the most popular applications? Isn't it just hitching a ride on Reader?"

Another type of article went "Web browsers are better than they were five years ago. But they still need common extensions for video. Adobe has proprietary lock-in, dangerous, evil! Endusers must not be at the mercy of corporations! Don't hurt the web, use open standards!"

Both types of articles are reflexively negative about what everyone is accomplishing with Flash video. Not the most inspiring type of theme to invest time in reading.... ;-)

But I'm far more comfortable with that first set of articles than the second. I like question marks, I like demands for proof, I like skepticism about what we're told... even though the questioning goes in a negative direction, at least it's questioning. There's a possibility to converse, to learn something new together, to reach agreement.

The second type of article... well, you can see it right there, more exclamation points than question marks. Little skepticism, much dogmatism. The first paragraph may start by asserting things as "open web standards" and "proprietary lock-in", and then build upon that structure, and heaven help you if you're not on the bus by that point. It instructs you what to think, using social pressure rather than reason.

If you wonder why a doe-eyed graphic urging "Please don't hurt the Web, use open standards!" is saved as license-laden JPEG rather than the more appropriate PNG, you will not receive a reply.

And if you do manage to gain their attention, you will be instructed to not notice or remark upon the reality of the emperor's attire.

The most consistent thing about "open web" commentary is how it yearns to close things down.

If someone asks a tough question about the technology Adobe develops, then it may be difficult for me to find a good answer (a la iPhone), but I appreciate the interest, and the chance to work together.

I'm not particularly keen to being preached at though, where any question is regarded as an affront. There's enough of that in the world already, and it usually ends up increasing misery rather than reducing it. No thanks.

I prefer a more open style. More question marks. Fewer exclamation points. Sound good to you too...?

Posted by John Dowdell at 4:16 PM | Permalink | Comments (2)