Archive for February, 2009

Casual prejudice

Two writers try to debate with each other “Are all browser plug-ins a security risk?” (The question actually covers both cross-browser plugins as well as single-browser extensions… longtime semantic imprecision.)

Objectionable line: “Moreover, you’re putting Adobe Flash (which is a commodity plug-in full of documented security holes) with NoScript, which is the very security tool providing that ‘per-site granularity’ in disabling plug-ins like Flash that you’re advocating…”

If you read through the security alerts and can work through the rather politic language of the addressed issues, you’ll see that most of the Player security improvements over the last few years have been to prevent browsers from fulfilling requests they really don’t want to fulfill. The biggest recent exploit was clipboard pollution from untrustworthy ads hosted in your HTML pages. The biggest black eye for Player last year was the clickjacking issue, in which Player was a victim of browsers’ inability to guarantee their own clicks, yet for which Player took the fall. Nothing is perfect, but Flash is actually pretty good.

“Full of documented security holes” means… what?

Check out with what fervor he defends his own baby, and with what casual ease he slurs other babies.

(Disclaimers: I’ve been a Mosaic/Netscape/Mozilla/Firefox user straight through. I like how Giorgio has implemented whitelisting for JavaScript, to help protect against the promiscuous use of unknown third-party instructions in many websites, even though I currently use AdBlock Plus to develop blacklists. I like the person and the goals; I just don’t like the errant mental shortcuts, the unwarranted divisiveness, the raw prejudice.)

[Update, after two hours: Added source link in first paragraph!]
[Update, after three hours: My characterizations of “errant mental shortcuts” etc were too strong, apologies… a cumulative reaction to a series of similar bashings from varied writers.]

IBM fixes Flash?

Some scary headlines today… IBM AppScan Takes Aim at Securing Flash, IBM Targets Adobe Flash Vulnerabilities with New Tool, IBM software scans for security holes in Flash, Ajax, IBM’s AppScan tool adds Adobe Flash, SOA scanning.

The headlines seem to overstate the case, but it looks like not all of the information has been published yet.

The AppScan minisite links to a PDF, but their press room doesn’t yet seem to have a press release or FAQ which Adobe participated in. My best guess is that there was a press pre-briefing and embargo which wasn’t backed up by the full release of info. Hard to tell, from my position right now.

Bottom line, IBM’s Rational AppScan is a tool for enterprises to check the content they generate. The recent release adds a lot of “best practices” checking for HTML and SWF, such as averting SQL injection on HTML form fields, overly-broad cross-domain access or JavaScript-ability for Flash, etc. It helps reduce the amount of new web content with known authoring vulnerabilities, and has nothing to do with “vulnerabilities” in Flash Player per se.
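To make concrete what an authoring-side check like that looks like, here is an added example of my own (not AppScan’s logic, not Adobe code). It assumes that “overly-broad cross-domain access” refers to the crossdomain.xml policy file Flash Player fetches before reading another origin’s data, and that “JavaScript-ability” refers to the allowScriptAccess parameter on the HTML embed. The two sample policies and the HTML snippet are constructed for the example.

```python
"""Flag overly broad Flash content-authoring settings.

Added example, not AppScan's or Adobe's code. Two checks:
  * check_policy   - weak settings in a crossdomain.xml policy file
  * check_embed_html - allowScriptAccess=always in <embed>/<param> tags
"""
import re
import xml.etree.ElementTree as ET


def check_policy(xml_text: str) -> list:
    """Return a list of findings for one crossdomain.xml document (empty = clean)."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]

    # 'all' lets any path on the host serve its own policy file, so a
    # user-upload directory could grant access to the whole origin.
    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies", "") == "all":
            findings.append("site-control permits policy files from any path ('all')")

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            findings.append("allow-access-from domain='*' lets any site read this origin's responses")
        elif domain.startswith("*."):
            findings.append("allow-access-from wildcard '%s' trusts every subdomain" % domain)
        # secure='false' on an HTTPS-served policy lets plain-HTTP SWFs in.
        if secure == "false":
            findings.append("allow-access-from domain='%s' secure='false' lets HTTP SWFs reach HTTPS content" % domain)

    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain", "") == "*" and hdr.get("headers", "") == "*":
            findings.append("allow-http-request-headers-from domain='*' headers='*' lets any site send arbitrary headers")
    return findings


# <embed allowScriptAccess="always"> and <param name="allowScriptAccess" value="always">
_ASA_ATTR = re.compile(r'allowscriptaccess\s*=\s*["\']?(\w+)', re.I)
_ASA_PARAM = re.compile(r'name\s*=\s*["\']?allowscriptaccess["\']?\s+value\s*=\s*["\']?(\w+)', re.I)


def check_embed_html(html: str) -> list:
    """Flag embed settings that let a SWF from any domain script the hosting page."""
    findings = []
    for rx in (_ASA_ATTR, _ASA_PARAM):
        for m in rx.finditer(html):
            if m.group(1).lower() == "always":
                findings.append("allowScriptAccess=always lets a SWF from any domain run JavaScript in this page")
    return findings


# Constructed samples (hypothetical hosts), not taken from any real site.
WEAK_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
</cross-domain-policy>
"""

WEAK_HTML = """<object type="application/x-shockwave-flash" data="ad.swf">
  <param name="movie" value="ad.swf"/>
  <param name="allowScriptAccess" value="always"/>
  <embed src="ad.swf" allowScriptAccess="always"/>
</object>"""

SAFE_HTML = WEAK_HTML.replace("always", "sameDomain")

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, "policy:", check_policy(policy) or "no findings")
    print("weak html:", check_embed_html(WEAK_HTML))
    print("safe html:", check_embed_html(SAFE_HTML) or "no findings")
```

The policy checker treats the four settings as independent findings so a reviewer sees every one that fired; a wildcard subdomain is reported separately from a bare `*` because it is a judgment call rather than an outright error.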

There are some more informational materials in the pipeline that haven’t made it out yet. I believe the Adobe PSIRT folks will also have info on this whole area of enterprise content-checking. If you get questions about this morning’s press, the best answer may be “Wait just a little for full information to become available, on that useful best-practices validation tool.”

Now, if only we had some way to protect people from vulnerabilities in new headline generation…. ;-)

This round of Flash/iPhone stories

Last Friday Bloomberg.com asked Adobe’s CEO about Apple’s iPhone, and reported:

“‘It’s a hard technical challenge, and that’s part of the reason Apple and Adobe are collaborating,’ Narayen said today in a Bloomberg Television interview from the World Economic Forum in Davos, Switzerland. ‘The ball is in our court. The onus is on us to deliver.'”

I saw it Friday afternoon in SF, and by Saturday evening it was all over Techmeme, then picked up on Sunday with the newspapers. Many, many pageviews, just from those three little sentences in a newspaper.

I checked with Adobe PR folks today, and the sense I get is that it’s just as innocuous as it sounds… no new info, no news. That “iPhone Question” is usually asked whenever an Adobe exec is interviewed… you’ve probably heard it asked at tradeshows too. Sometimes it “pops” in subsequent commentary. There was no news announced or hinted here, though.

If you’re reading for iPhone news, stop there. If you’re reading for Flash news, keep reading. ;-)

There is one thing you can count on in all this. Adobe is committed to making it easier to publish. Establish a new capability, build atop it with others, cannibalizing yourself if necessary, all the while surfing the new platform curves. It’s Adobe’s corporate DNA to innovate standards, transforming the company along the way… it’s the core part of the corporate culture here.

It should become as easy to publish a screen, as it already is to publish a book or a video. Not just to your computer, not just to your phone, but to any digital screen in your environment. Interactive publishing must become easier, more accessible, more economical for more people.

And Adobe’s betting on Flash to do it.

I think it’s an achievable goal. Last March there were half-a-billion devices with Adobe Flash runtimes, and analysts predicted a doubling by 2010. But it looks like we’ve already hit one billion shipping devices with Adobe Flash Lite capability, eighteen months early. Demand has been massive, higher than expected. And when Open Screen Project devices start shipping, things will pop wide open.

(Just how big is “one billion Flash mobiles shipped”? I hope Apple PR won’t mind me reminding that there have been 17 million iPhones sold, a 60:1 disparity… for every iFart or Sound Grenade, there are two entire Flash-savvy devices out there. A billion devices is still a drop in the bucket, compared to getting everybody wired, but we’re on our way to doing so. Future’s coming very fast.)

If you want to understand Adobe’s goals, think of universal publishing platforms… new types of capability with widespread support. Options, not mandates. There are no conflicting priorities about selling a device, selling an OS, selling a data service. “Innovate a platform and build atop it”, that’s the driver. Adobe’s betting on establishing new publishing capability across the range of screens you see.

It’d be great to get such screens atop Apple’s devices too. But work on the platform continues regardless. You can bet on that.


[Comments will be on heavy moderation… seeking discussion of publishing capability, not more rumors or fanboyism, thanks. (And the above was written on my own, in an hour or two, without collaboration… please don’t read too deeply into it!)]

Doubt overcoming belief; belief overcoming doubt

This week there was a story about Mozilla allocating $100,000 to codec development, and another about the majority of consumer computers supporting Player 10’s functionality within eight weeks of its release. I’ve kept reading the comments, following the conversations.

I saw two types of Flash-negative articles. One type bothered me, but the other doesn’t.

One style of essay went “Is Adobe hyping AIR? Are people really using it? How can we get more numbers? What are the most popular applications? Isn’t it just hitching a ride on Reader?”

Another type of article went “Web browsers are better than they were five years ago. But they still need common extensions for video. Adobe has proprietary lock-in, dangerous, evil! Endusers must not be at the mercy of corporations! Don’t hurt the web, use open standards!”

Both types of articles are reflexively negative about what everyone is accomplishing with Flash video. Not the most inspiring type of theme to invest time in reading…. ;-)

But I’m far more comfortable with that first set of articles than the second. I like question marks, I like demands for proof, I like skepticism about what we’re told… even though the questioning goes in a negative direction, at least it’s questioning. There’s a possibility to converse, to learn something new together, to reach agreement.

The second type of article… well, you can see it right there, more exclamation points than question marks. Little skepticism, much dogmatism. The first paragraph may start by asserting things as “open web standards” and “proprietary lock-in”, and then build upon that structure, and heaven help you if you’re not on the bus by that point. It instructs you what to think, using social pressure rather than reason.

If you wonder why a doe-eyed graphic urging “Please don’t hurt the Web, use open standards!” is saved as license-laden JPEG rather than the more appropriate PNG, you will not receive a reply.

And if you do manage to gain their attention, you will be instructed to not notice or remark upon the reality of the emperor’s attire.

The most consistent thing about “open web” commentary is how it yearns to close things down.

If someone asks a tough question about the technology Adobe develops, then it may be difficult for me to find a good answer (a la iPhone), but I appreciate the interest, and the chance to work together.

I’m not particularly keen on being preached at, though, where any question is regarded as an affront. There’s enough of that in the world already, and it usually ends up increasing misery rather than reducing it. No thanks.

I prefer a more open style. More question marks. Fewer exclamation points. Sound good to you too…?