<?xml version="1.0" encoding="utf-8"?>
<feed version="0.3" xmlns="http://purl.org/atom/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xml:lang="en">
<title>JD on EP</title>
<link rel="alternate" type="text/html" href="http://blogs.adobe.com/jd1/" />
<modified>2009-07-19T17:40:16Z</modified>
<tagline>This is a historical site. New entries are at blogs.adobe.com/jd. Comments are closed on these old entries.</tagline>
<id>tag:blogs.adobe.com,2009:/jd1//347</id>
<generator url="http://www.movabletype.org/" version="4.261">Movable Type</generator>
<copyright>Copyright (c) 2008, JohnDowdell</copyright>

<entry>
<title>On clickjacking</title>
<link rel="alternate" type="text/html" href="http://blogs.adobe.com/jd1/archives/2008/10/on-clickjacking-1.html" />
<modified>2009-07-19T17:40:16Z</modified>
<issued>2008-10-08T23:00:44Z</issued>
<id>tag:blogs.adobe.com,2008:/jd1//347.41302</id>
<created>2008-10-08T23:00:44Z</created>
<summary type="text/plain">I&apos;m on the final leg of a three-week vacation/study in Taiwan. (Which, by the way, is a wonderful and underappreciated place, and which I believe would well repay your attention. But that&apos;s another post. ;-) Anyway, I&apos;ve been out of the loop, and have not been in direct contact with...</summary>
<author>
<name>JohnDowdell</name>
<url>http://weblogs.macromedia.com/jd/</url>
<email>jdowdell@adobe.com</email>
</author>
<dc:subject>Privacy/Security</dc:subject>
<content type="text/html" mode="escaped" xml:lang="en" xml:base="http://blogs.adobe.com/jd1/">
<![CDATA[<p>I'm on the final leg of a three-week vacation/study in Taiwan. (Which, by the way, is a wonderful and underappreciated place, and which I believe would well repay your attention. But that's another post. ;-)</p>

<p>Anyway, I've been out of the loop, and have not been in direct contact with Adobe's security team, but see in the <a href="http://blogs.adobe.com/psirt/">security blog</a> that there is a new <a href="http://www.adobe.com/support/security/advisories/apsa08-08.html">security advisory</a>... it details how to turn off your webcam through a dialog, instead of just turning it away when not in use. But I also see there's a <a href="http://news.google.com/news?q=clickjacking+flash+webcam">whole bunch of news commentary</a> bashing Flash on a "clickjacking" exploit. Flash is taking the piss on this. </p>

<p>What <em>is</em> "clickjacking"? Details are starting to emerge, from people who have reverse-engineered the prior (and rather thankfully vague) reports. It seems to be just using IFRAME and other old DHTML techniques to slide something atop an innocuous clickable link in an HTML page. There are variants using JavaScript or other techniques. </p>

<p>The Flash connection? Someone was able to slip something atop Flash's webcam permission dialog, so you could grant access to your cam without knowing. </p>

<p>Flash seems incidental to the exploit, but is taking the brunt of the PR damage. This is becoming a common pattern. I am annoyed. </p>

<p><br />
Now remember this is me talking, not Adobe corporate, but there seem to be two takeaways here, and neither involves Flash at all:</p>

<blockquote><strong>1. Today's browsers cannot guarantee click integrity. They are all broken and insecure.</strong></blockquote>

<p>From everything I can read in the public record, Flash is doing just exactly what it says it will do, and it's the surrounding WWW Browser rendering engine which is setting up the clickjack exploit. Flash just happens to be more powerful than browsers, and works across all of them too, so it's naturally a dramatic storyline.</p>

<p>But <em>web browsers cannot assure that you're clicking what you think you click</em>. All the noise about HTML5 and "Open Web" posturing and such becomes more ludicrous when you can't get even the basics right. </p>

<p><em>Today's browsers cannot guarantee click integrity.</em></p>

<p><br />
This wouldn't be quite so bad, if it weren't for takeaway two:</p>

<blockquote><strong>2. "Web 2.0" mashups and third-party content are not properly vetting the instructions they are asking your website to republish.</strong></blockquote>

<p>Think about which types of webpages would host this exploit. Warez sites open you to infection, of course, so untrustworthy websites are now risky. Your bank's site is probably safe, unless their server was hacked and is serving malware unknowingly. But generally, this IFRAME clickjack occurs when nice sites promiscuously accept instructions from bad webservices.</p>

<p>Take a look at a TechCrunch page sometime, or any other big Web20-y kind of site, using a utility like AdBlock Plus or a website speed analyzer or even monitoring your IP address's HTTP requests. There are hundreds of assets retrieved for each page, notifying many, many domains that your IP address has visited that page. These "web beacons" enable cross-site tracking of your surfing history, and most tech pundits aren't copping to the fact that Google AdSense is potentially enabling Al Gore's old visions of Clipper Chip and Echelon surveillance.</p>

<p>It's the MySpace-like, Facebook-like mashup which seems to enable this class of deception and vulnerability. <em>Web 2.0 is broken, if it accepts unknown, untrustworthy instructions from strangers.</em> It's like picking up and eating a sandwich that you find on the sidewalk... might be a viable tactic the first few times, but sooner or later the odds will catch up with you. <em>The mashup culture is not adequately validating its inputs.</em></p>

<p><br />
Okay, that's my rant. I'm angry that headlines are copying each other with "ooh flash vulnerability!" and don't seem to be addressing the real core issues. Browsers are currently clearly broken, and mashups are currently clearly broken, and we've got to buckle down and deal with it. </p>

<p>Browsers can get fixed by limiting their scope of functionality so that you can safely visit any strange page, and by putting advanced functionality into a separate abstraction layer (like Flash) which is distinct from the browsers' layer of scope. HTML5 is moving in precisely the wrong direction.</p>

<p>Web 2.0 can get fixed by everyone viscerally realizing that you cannot just blithely accept instructions from strangers, whether it's an IFRAME into your webpage, or an anonymous comment on a weblog, or a Digg recommendation or whatever... there needs to be accountability, people need to bet their reputation on the info to which they're asking you to attend. </p>

<p><br />
Sliding evil content atop dialog boxes to catch clicks and reuse them otherwise... a basic flaw in DHTML, a basic flaw in trusting untrustworthy third-party content.</p>

<p>And if the newspaper headlines can't get this right, it's a basic flaw in online commentary, too.</p>

<p><br />
(NB: Comments on this old weblog are not enabled, but it's the only password I've got stored on my nifty Nokia Internet Tablet. I'll be developing these ideas further on my current blogs.adobe.com/jd once I return from vacation.)</p>]]>

</content>
</entry>

<entry>
<title>Live-blogging Super-Typhoon Jangmi</title>
<link rel="alternate" type="text/html" href="http://blogs.adobe.com/jd1/archives/2008/09/live-blogging-s.html" />
<modified>2009-07-19T17:40:16Z</modified>
<issued>2008-09-28T02:39:50Z</issued>
<id>tag:blogs.adobe.com,2008:/jd1//347.41301</id>
<created>2008-09-28T02:39:50Z</created>
<summary type="text/plain">I&apos;m in Taipei Taiwan now, on holiday, and am caught in the middle of Super Typhoon Jangmi, running smack dab across the center of the island today. I&apos;m safe -- other people bear the brunt of the danger -- but I&apos;ll be stuck in a hotel room looking out across...</summary>
<author>
<name>JohnDowdell</name>
<url>http://weblogs.macromedia.com/jd/</url>
<email>jdowdell@adobe.com</email>
</author>

<content type="text/html" mode="escaped" xml:lang="en" xml:base="http://blogs.adobe.com/jd1/">
<![CDATA[<p>I'm in Taipei Taiwan now, on holiday, and am caught in the middle of Super Typhoon Jangmi, running smack dab across the center of the island today. I'm safe -- other people bear the brunt of the danger -- but I'll be stuck in a hotel room looking out across the city until tomorrow. </p>

<p>I'll be updating this post throughout the day... not that I have anything particularly interesting to say, but I know there are a lot of extreme-weather freaks out there, and writing from a hotel room is what most bigshot reporters do in world troublespots anyway. Finding news on the web has been hard, so I'll pull together what I can find here.</p>

<p>(And please accept my apologies for doing a non-technical webpost on this old work-related weblog, but my personal blog at jdowdell.typepad.com/global_jd switched to an Ajax-based Rich Text Editor recently, and it now consistently crashes the browser on my pocket computer. This is part of why I think HTML5 is short-sighted, a significant risk to HTML in general, but that's a topic for another post.)</p>

<p>Updates follow, in reverse-chronological order:</p>

<p><strong>Followup, Mon 7am:</strong> Weather remains relatively calm where I am in the city, tree branches below my hotel window barely swaying in the breeze. Clouds above are still massive dark cumulus, now moving south to north as we get on the far side of the anticlockwise spin. TV shows new scenes of massive damage, particularly in the mountains where the force of running water is concentrated.</p>

<p>Many regions received over a thousand millimeters of rain. One station measured 1400 millimeters. That's about four-and-a-half feet. Have that funnel down a mountainside, and it's bad.</p>

<p>Japanese coast guard is searching for a yacht with four people. I've heard reports of coastal waves three to four stories tall.</p>

<p>Confucius' Birthday has been moved back a week. I'm sure he understands.</p>

<p>Google News and other web reports are really dysfunctional. They certainly have the technology to detect duplicate text and properly place it in context, instead of merely listing certain sites by publishing date, and indexing incidental boilerplate or anonymous comments instead of just the true bodytext. We have a crying need for a service to <em>actually</em> "organize the world's information", instead of really "organizing consumer information for advertisers". I want to learn what's new, I don't want to play hide'n'seek in a garbage pile. Search today feels like it did with Yahoo ten years ago, and we now need something like the breath of fresh air Google was when it first appeared. </p>

<p><a href="http://en.epochtimes.com/n2/world/taiwan-typhoon-jangmi-4908.html">Epoch Times</a> has one of the best wrapups I've seen this morning. Many of the other reports are just rewrappings of snippets of older articles, designed to garner advertising revenue without adding anything new. Google both abets spam and profits from spam, and at some point a new force will emerge which will eat their lunch.</p>

<p>Anyway, I plan to stay an extra day in Taipei, and take the railway to Taichung tomorrow. But other people have paid a heavy price for this storm.</p>

<p><br />
<strong>Sunday, 9:30pm:</strong> All right, I guess I just don't get this "Super Typhoon" business at all....</p>

<p>A few hours ago it was looking apocalyptic, both from the news forecasts and from what I could see outside the hotel window. So I packed together and decamped for the lobby.</p>

<p>It was pretty quiet, somber. I spent an hour reading a dictionary. Every now and then I heard the wind roar, some glass breaking outside.</p>

<p>A Japanese tour group started gathering in the lobby. People seemed sort of nonchalant, almost jolly... "Anoo, kyo no tenki de wa, chotto warui so da nee?" "Ah, soo desu *nee*...!" and such. Then they tossed on some yellow plastic parkas and marched outside. Maybe they hadn't heard the news, seen the video of food-stocking in supermarkets, seen the crushed automobiles on the highways, people rolling down the sidewalk blown by the wind. Or maybe Japanese grannies on vacation have just seen it all already and take things in stride better than I do. I chalked it up.</p>

<p>Then a family strolled in, three young children seeming rather bored. They gathered at the elevator and went up to their room. Maybe they were just driven to the hotel and the parents were trying to keep the kids calm.</p>

<p>Then in trooped the volleyball players, sweaty but not soaked, as if they had been playing indoors all day. No obvious clues from them, but they didn't look all wild-eyed from the weather.</p>

<p>So I walked through the little wooden portal at the front door, and it was calm outside. A little warm, no rain. Could it be the eye of the typhoon? I didn't think the timing was right, not from the graphs and charts I had seen.</p>

<p>Had some dinner at the hotel restaurant, looked outside again. Some light rain, but not enough to prevent a snack run to the 7-11 next door. Went back to the hotel room, and Google News was just re-running copies of old stories as fresh news, and the weather sites with their bloated HTML pages had no pertinent info either, just massive animated GIFs of radar pictures I had already seen infinitely repeated on TV.</p>

<p>Much of the local news stations had moved onto dramas or gameshows like match-the-cleavage or an oyster-eating contest, although I did see that the scaffolding near Snake Alley which I had passed under a few days ago had collapsed and smashed some vehicles, did see screaming children withdrawn from an overturned bus. </p>

<p>Bottom line? I have no freakin' clue what's going on. I do know that schools and many businesses are closed tomorrow, and it seems like the railroads and buses are still down, and there's much carnage on local TV. But from what I can discover for myself right now, it looks like just another normal rainy night. I'm going to sleep, I'm beat, and I'm not yet sure whether I'll be in Taipei or Taichung this time tomorrow. Keeping my bags near the door, ready to roll just in case. G'night.</p>

<p><br />
<strong>Sunday, 5pm:</strong> [This may be the final entry for awhile... it's getting a little hairy up here on the 14th floor. Less time spent editing, so notes may be out-of-order.]</p>

<p>Watching waves roll over a little plaza in Damshui where I stopped and looked across the water a few nights ago... I recognize a statue that they're using in the TV shots. </p>

<p>TV shows some permanent external signage, once attached vertically across stories of buildings, now lying in the street. I think I saw a large metal ship container being transported by truck blown over onto its side, blocking a freeway offramp.</p>

<p>The official meteorological press briefing at 2:45 seems to be showing that the typhoon is adjusting its course, and is now estimated to be passing right over Taipei. </p>

<p>TV news shows a house whose roof has already been wind-damaged, rain dripping down into the living room. CNN is showing a tennis match; local English radio is still playing old commercial pop music.</p>

<p>3pm Landfall now expected towards early evening, 80km off shore, slowing to 12km/hr. 13 bridges closed, flights are 'way iffy. MRT running on shortened schedule. School suspensions expected to be announced towards 6pm.</p>

<p>3:30, and the rain has been heavy for quite awhile now. My window is leeward, so I can see out. It's blowing horizontally from north to south... I guess that's counterclockwise then. I was going to go next door to the 7-11 for munchies and beer, but it looks too gusty.</p>

<p>A weather fan in Hualien has good notes and some amazing photos: http://theweatheroutlook.com/twocommunity/forums/p/20929/587926.aspx#587926 His weather-fan friends almost seem a little deferential to his experience, which alarms me a little. </p>

<p>I learned that "Jangmi" is a Korean name, for rose... might be a Chinese loanword meaning "fragrant beauty". That might be comforting, in other circumstances.</p>

<p>4pm radio news: Thousands of homes without power. Jangmi has already made landfall, north of Hualien. Waves forty feet high. Many swept away to sea, including a motorcyclist when the road gave way. Transportation buses flipped over, passengers injured. All railways stopped, but metro still running on reduced schedule.</p>

<p>The hotel TV went out an hour ago. I waited about fifteen minutes, then took a stroll downstairs. Walked outside, holding onto the handrail outside the hotel. No way I could walk across the little lane to the 7-11, not now. Parked scooters made like dominoes already.</p>

<p>A four-foot square of metal, possibly a rooftop heating vent, slammed atop a van ten feet from me, bounced to the ground. I stayed holding onto the railing. I saw metal signs across the street stripped from their moorings, rattling down the street like paper. Held on. Then I started thinking of all those abandoned umbrellas, zigzagging in the gusts like giant crazed blowdarts, and I went inside. "Tai da le, tai da le."</p>

<p>When I got back upstairs the hotel TV was back on, but some of the stations are having transmission difficulties. The English-language radio still has nominal updates on the hour, then resumes vapid music. Local TV crews are really working hard.</p>

<p>I packed my stuff away into drawers and suitcases, made sure everything was stowed away in case the windows up here on the 14th floor blow out. Got all the vital documents and gear on my person, and have a daybag with survival stuff and a change of socks. It's almost dark out. I'm smoking a final pipe while I'm still in the room, and drinking one of the two cans of Taipei Beer in the fridge. I'll finish this entry out then go downstairs, in case the power fails and the elevator stalls.</p>

<p>Don't know when I'll be able to update this again... WiFi is on a different system downstairs. I'm not frightened, but I do want to be prudent... don't want to do a Dorothy in Oz type of routine out the window, 'cause the shoes I'm wearing are brown.... ;-)</p>

<p><strong>Sunday, 2pm:</strong> Landfall is estimated in five hours or so, on the eastern coast. Typhoon progress has slowed, from 18 km per hour last night, to 13 km/hr now. That's usually not a very good sign, because the storm will spend more time dumping energy onto an area while it's above.</p>

<p>Jangmi is about 110 km offshore at 1pm, via radio reports. The storm radius is estimated by Taiwan News at 280km, about 175 miles. Entire island is now in radius of storm. A meter of rain expected in Taipei. Expected to leave island at 8am. Air flights? Ferget it... I think even Hong Kong is cancelling flights, and they're south of the expected course of the typhoon.</p>

<p>Current maximum sustained winds at 227 km/hr, about 140 miles per hour. But it's still not too bad in Taipei, from what I myself can see... just a stormy, gusty day.</p>

<p>East of the old city is the Damshui River, with low marshy land surrounding it. There's a thick concrete floodwall about thirty feet tall protecting the city from flooding, and they're now rolling in the iron gates to close the passageways to the coast. If your car was parked outside the floodwall it's probably at the city lot, because they've been towing away any still parked there... can't risk them becoming waterborne projectiles.</p>

<p><br />
TV news is now extensive, with teams on-location in eight to twelve locations. CNN, when I check it, shows Nancy Pelosi appearing concerned about Bush or such. Local English news on radio currently updates on the hour, with the remainder being Beyonce and other musical products.</p>

<p>Taipei High Speed Railway will halt at 3pm today, and other railways already on hold.</p>

<p>Traffic on the elevated highways, seen from my hotel room, seems to be quite light, but I've little experience to compare a typical Sunday.</p>

<p>TV shots show some low-level bridges already blocked off. Although the blocks may have been blown down, I think people still get the idea. I've seen some video of waves crashing over seawalls already... scary.</p>

<p>Landslides are already occurring in the mountainous interior. Ground may be saturated from the smaller typhoon last week, which caused many fatalities. Some have already been reported being swept away by rapid water runoff today. Hills are being covered by sandbagged tarps.</p>

<p>Traffic lights and power lines are already down in Taipei... not lots, but enough to make the TV news.</p>

<p>Some people are still using umbrellas, but there are many blowouts. Thin, full-length parkas seem to work quite a bit better.</p>

<p><br />
Weather-wise, yesterday was overcast and drizzly, but was one of the most pleasant days so far... I could walk around in the middle of the day without overheating, more like high 70s than low 90s. Right now it's balmy warm winds outside.</p>

<p>The Santos Hotel may sound Spanish, but the "san" is the character for "three", and my pocket dictionary doesn't have the "do" character. I appreciate that the staff is staying here working, taking care of visitors, when they're probably worried about their own homes and families.</p>

<p>The hotel is on the east side of the north/south Chengde Road. This means the winds approach from behind the building. This morning the maintenance crews stripped streetsigns from their poles, and strapped flagpoles and ashtrays to the building's railings. The hotel's front is in the lee of the wind, and with both the left and right sides of the hotel having traffic passages, there's a potential low-pressure venturi effect to the glass front doors. They've already blocked the front doors with wood paneling, to prevent a pressure shockwave from blowing the glass into the street. </p>

<p>There's a few Taiwanese travellers here, but I think the bulk of their guests are Japanese tour groups. The hotel is also hosting the 14th Annual Junior Womens Volleyball Tournament teams, and flags are flying for Korea, Sri Lanka and more. The New Zealand team speaks English, and their Maori members have tattoos. The Kazakhstan players seem even more rugged. I saw a couple who appeared to have European ancestry, but I may be the only American/European here.</p>

<p>I'm keeping my camera and computer batteries topped off, and have flashlight, radio, and water. I'm not particularly worried, but just want to increase my odds. Some of the reports say that this is expected to be one of Taiwan's most powerful typhoons... certainly for this year, possibly for many years. Ten or twelve hours from now we'll be in the center of it.</p>

<p><br />
<strong>Sunday, 11am:</strong> Today is Confucius' Birthday, celebrated Sept 28, and my hotel is a twenty-minute walk from the temple. I chose this location in part to avoid the commute crowds for the celebration -- the temple re-opened after restoration only yesterday, so it's a big deal.</p>

<p>I woke up just before 6am, looked out the window and saw only a light drizzle, and thought I could take a quick jaunt before the main front of the typhoon hit. Wrong-a-rola... by the time I put on my socks there were sheets of rain barreling across the street. And by the time I finished getting dressed for breakfast it was calm once again. No way I'm taking the chance of getting caught outside in that.</p>

<p>That's the big surprise for me so far -- the inconsistency of the gusts, the rain. Outside the hotel I can see giant tour buses swaying in the heavy wind, and then five minutes later a bicyclist with an umbrella is good to go again. I'm not quite sure of the location of the eye of the hurricane, but the big meteorological surprise for me so far is the on-and-off nature of the storm.</p>

<p>I've already seen bursts where I could just make out buildings on the opposite side of the street, the rain blowing nearly horizontally or even up again vertically as it crosses a building corner. Ten minutes later I've got a clear view across the river, miles away. I didn't expect such variance.</p>

<p>What's a "Super Typhoon"? I'm still not quite sure, and will keep researching it throughout the day. I had heard that there was a typhoon coming, but at this time of year they usually pass to the southwest of the island, so here in the northwest I wasn't too concerned. But last night I heard Jangmi got upgraded to "Super" status, which seems to be equivalent to a Class 4 or Class 5 hurricane, with sustained winds above either 135mph or 150mph (there are different definitions of what "sustained" means). And the latest predictions show Jangmi veering north once it hits the central western side of the island, so it may pass pretty close to Taipei. </p>

<p>I'm on the 14th floor of the 15-story Santos Hotel, near the Minquan W. Road metro station, on Changde Road. It's the tallest building in the area, and from the hotel room window I've got a clear view across the south and west of the city. When the gusts calm I can see the mountains surrounding the city, and can look down upon the elevated highways on Minchuan Road and Huanhe Road, paralleling the storm walls that protect against flooding from the Damshui River. To the northwest I can see parts of Guanyinshan Mountain in the distance, at the mouth of the Damshui.</p>

<p>Connectivity is sort of wonky. I'm taking photos, but neither my Canon Powershot nor this Nokia Internet Tablet can host USB connections, only serve as a USB client, so they don't talk to each other. I've got the hotel's internet set up to an Apple Express, and there's occasional downtime, but it generally works. The biggest disconnect seems to be on the Web itself, where there's a consistent bias to news important to Silicon Valley, and where the search engines have increasing difficulty separating news from spam, encyclopedic information from Wikipedia trivia. It has been hard for me to search for actual info on this storm. </p>

<p>Even the CNN-Asia on the hotel TV is running stock feature footage for a Sunday morning, and the sole English-language radio station is playing Top 20 hits of the week and mentioning the typhoon only in passing. I can pick up a little from the Mandarin and Japanese telecasts, but they tend to keep repeating the same animated clip of the typhoon's progress with an inset of the studio talking-head, buttressed by on-location shots from outside Taipei, and I can't always pick out the location. </p>

<p>Let me publish this up to get started, then update it with more info....</p>]]>

</content>
</entry>

<entry>
<title>Pre-Pinta printing, and PostScript</title>
<link rel="alternate" type="text/html" href="http://blogs.adobe.com/jd1/archives/2008/09/pre-pinta-print.html" />
<modified>2009-07-19T17:40:16Z</modified>
<issued>2008-09-23T12:04:52Z</issued>
<id>tag:blogs.adobe.com,2008:/jd1//347.41300</id>
<created>2008-09-23T12:04:52Z</created>
<summary type="text/plain">Today I stood six inches from a book, which was printed just before Columbus was born. I couldn&apos;t tear myself away. They used a woodblock to print it -- carve the words into a block of wood once, then roll ink and press paper onto it many times. One publishing...</summary>
<author>
<name>JohnDowdell</name>
<url>http://weblogs.macromedia.com/jd/</url>
<email>jdowdell@adobe.com</email>
</author>
<dc:subject>Adobe</dc:subject>
<content type="text/html" mode="escaped" xml:lang="en" xml:base="http://blogs.adobe.com/jd1/">
<![CDATA[<p>Today I stood six inches from a book, which was printed just before Columbus was born. I couldn't tear myself away.</p>

<p>They used a woodblock to print it -- carve the words into a block of wood once, then roll ink and press paper onto it many times. One publishing operation, many many books.</p>

<p>For some reason this moved me deeply, more than the hand-copied book nearby which was twice its age, or the carved stone tablet which was twice the age of that. </p>

<p>This was at the National Museum in Taiwan, home of the greatest collection of China's antiquities -- thousands of valuables of tribute to emperors from vassal states, aggregated dynasty through dynasty, first catalogued when China became a Republic in 1911, then massively transported to safety during the invasion of World War II, safe from the Cultural Revolution on the mainland in the 1960s.</p>

<p>A book which was printed before Columbus was born. I came back, and back to the display to look at it again. Why did it move me so?</p>

<p>It took me awhile to figure out, that it's much like the work we're doing today. Today it's faster, and there's not as much ink or wood chips to clean up, but that early woodblock work is in the same vein as Aldus PageMaker or NCSA Mosaic. We're helping ideas to live.</p>

<p>Representational art and painting predated writing, and conveyed a feeling which others could appreciate. The written word carried ideas, though. I don't know what we humans are intended to do on this planet, but I have the strong intuition that it has to do with ideas. Plants were alive, and fostered animals, which became more complex until primates started dealing with ideas stretching beyond themselves. The spread of ideas -- memetic diversity -- seems to be the path we're on at this stage.</p>

<p>The writing-in-stone from the time before Christ... a dramatic evolutionary step, but one which took massive effort to create. The production of such artifacts was limited to the few and mighty, and as for its audience, well, few other people had much to practice reading with. </p>

<p>The writing of books by hand lowered production costs, and also increased portability during consumption. But it still took one skilled artisan a very long time to copy a book out with ink on paper. And who could afford to learn to read?</p>

<p>But, using carved wood to print many copies -- now that was a true advance. Each page's woodblock was still expensive to carve, but once you had a page of text, the marginal cost of extra copies dropped sharply. We finally started to enter the period when many people could find it worthwhile to learn to read, when it started to become practical for ideas to spread among more brains than just the privileged few. </p>

<p>I believe in the work that Adobe is doing, and I've devoted a good part of my life to advancing this mission. PostScript and desktop publishing slashed the cost to produce the written word, and the World Wide Web has similarly slashed the distribution costs for abstract ideas. What once required a potentate and host of artisans to record in stone is now achievable by anyone. Ideas can live.</p>

<p>And five hundred years ago, the idea to carve a book into wood and make many copies... that small step led directly to today.</p>

<p>I didn't expect to be so emotionally moved by standing next to a book, printed before Columbus was born. But I was. </p>

<p>... and the guy who sewed its pages together by hand, I bet he'd be moved by seeing how far a nice Ricoh collater has taken his work today.... ;-)</p>]]>

</content>
</entry>

<entry>
<title>Why you&apos;ve got to disclose</title>
<link rel="alternate" type="text/html" href="http://blogs.adobe.com/jd1/archives/2008/08/why-youve-got-t.html" />
<modified>2009-07-19T17:40:16Z</modified>
<issued>2008-08-02T15:22:30Z</issued>
<id>tag:blogs.adobe.com,2008:/jd1//347.41299</id>
<created>2008-08-02T15:22:30Z</created>
<summary type="text/plain">Newspapers have made much of corporate Twitter accounts such as Jetblue and ComcastCares. Today there&apos;s news that someone apparently squatted the ExxonMobilCorp name, and passed themselves off as a nameless corporate drone. That&apos;s novel: impersonation of a support/service representative. I picked the news off Techmeme and haven&apos;t confirmed the details,...</summary>
<author>
<name>JohnDowdell</name>
<url>http://weblogs.macromedia.com/jd/</url>
<email>jdowdell@adobe.com</email>
</author>
<dc:subject>Blogging</dc:subject>
<content type="text/html" mode="escaped" xml:lang="en" xml:base="http://blogs.adobe.com/jd1/">
<![CDATA[<p>Newspapers have made much of corporate Twitter accounts such as <a href="http://twitter.com/jetblue">Jetblue</a> and <a href="http://twitter.com/comcastcares">ComcastCares</a>. Today there's news that someone apparently squatted the <a href="http://twitter.com/exxonmobilcorp">ExxonMobilCorp</a> name, and passed themselves off as a nameless corporate drone. That's novel: impersonation of a support/service representative. I picked the news off <a href="http://www.techmeme.com/080802/p8#a080802p8">Techmeme</a> and haven't confirmed the details, but <a href="http://www.web-strategist.com/blog/2008/08/01/how-janet-fooled-the-twittersphere-shes-the-voice-of-exxon-mobil/">Jeremiah Owyang</a> has a summary.</p>

<p>Check out Jeremiah's "Key Takeaways" at the end: <em>"(a) Lack of identity confirmation continues to plague the web; (b) Companies must monitor their brand; (c) An opportunity for the real Exxon to step forward; (d) The community (myself included) need to first validate identities."</em> I'm not sure what Exxon or other companies "should" do... Adobe has a lot of customer/influencer conversation on Twitter, and a gas company probably doesn't... their choice. But I really like the focus on openness of identity and source evidence in his first and fourth lines.</p>

<p>Let me boil them down to two:<ol><li>Corporations are best protected from impersonation, astroturfing, sockpuppetry and other online identity problems by consistently having all employees clearly identify their name and corporate affiliation on each page, each snippet in which they speak on corporate matters. Make it verifiable.<li>Readers do need to Question Authority. Quit being such a goober, believing anything you're told. There are not just two little boxes of "I believe" and "I disbelieve", but a spectrum of how much you have to take on faith. Verify.</ol></p>

<p>If you're a <a href="http://www.wired.com/culture/lifestyle/news/2002/05/52380">"corporate blogger"</a> or other representative of a group, make sure your realworld name and corporate affiliation clearly appear whenever you discuss issues related to the group. It not only avoids <a href="http://web.archive.org/web/20020803024601/http://www.megnut.com/archive.asp?which=2002_05_01_archive.inc#20020509">questions</a> regarding your <a href="http://jdmx.blogspot.com/2002_05_05_archive.html#76351765">own</a> integrity, but the practice of consistent disclosure within the group protects against such outside impersonation.</p>

<p>(And bloggers, you've got to get rid of that "anonymous sources say" kind of revenue-generating linkbait. Provide links to source information, so that any reader can confirm what you say. Please do opensource your data, and ditch the "faith-based reporting".)</p>]]>

</content>
</entry>

<entry>
<title>Flash Lite talks with J2ME</title>
<link rel="alternate" type="text/html" href="http://blogs.adobe.com/jd1/archives/2008/04/flash-lite-talk.html" />
<modified>2009-07-19T17:40:16Z</modified>
<issued>2008-05-01T01:43:02Z</issued>
<id>tag:blogs.adobe.com,2008:/jd1//347.41298</id>
<created>2008-05-01T01:43:02Z</created>
<summary type="text/plain">Flash Lite talks with J2ME: There were articles earlier today about Sony&apos;s Project Capuchin, but now Sony has info on their website. It seems like Sony phones will have an API so that a local Java engine can communicate with the local Flash Lite engine. They cite three use cases:...</summary>
<author>
<name>JohnDowdell</name>
<url>http://weblogs.macromedia.com/jd/</url>
<email>jdowdell@adobe.com</email>
</author>
<dc:subject>Devices</dc:subject>
<content type="text/html" mode="escaped" xml:lang="en" xml:base="http://blogs.adobe.com/jd1/">
<![CDATA[<p><a href="http://developer.sonyericsson.com/site/global/newsandevents/latestnews/newsapr08/p_project_capuchin_announcement.jsp">Flash Lite talks with J2ME:</a> There were articles earlier today about Sony's <a href="http://search.yahoo.com/search?p=%22project+capuchin%22">Project Capuchin</a>, but now Sony has info on their website. It seems like Sony phones will have an API so that a local Java engine can communicate with the local Flash Lite engine. They cite three use cases: a Java application triggering a Flash application; using a SWF presentation layer atop a Java processing/services layer; and intermixing SWF components within a Java application. Inter-engine communication has taken place in web browsers for a while, but implementation differences and latency limited uses... may be different in this mobile implementation. I asked within Adobe this morning for context, and heard there will be more info after a conference next week. Sony's got some source info up now, though, to go beyond the morning's news articles.</p>]]>

</content>
</entry>

<entry>
<title>Noteworthy injection</title>
<link rel="alternate" type="text/html" href="http://blogs.adobe.com/jd1/archives/2008/04/noteworthy-inje.html" />
<modified>2009-07-19T17:40:16Z</modified>
<issued>2008-04-21T20:41:59Z</issued>
<id>tag:blogs.adobe.com,2008:/jd1//347.41297</id>
<created>2008-04-21T20:41:59Z</created>
<summary type="text/plain">Noteworthy injection: User-generated content is great, but you can&apos;t trust it, and must vet it before republishing it. This weekend the Barack Obama website accepted a comment from a visitor but did not strip out angle-brackets and quotemarks. The result was a page whose new user-generated JavaScript content redirected to...</summary>
<author>
<name>JohnDowdell</name>
<url>http://weblogs.macromedia.com/jd/</url>
<email>jdowdell@adobe.com</email>
</author>
<dc:subject>Privacy/Security</dc:subject>
<content type="text/html" mode="escaped" xml:lang="en" xml:base="http://blogs.adobe.com/jd1/">
<![CDATA[<p><a title="Hacker Redirects Barack Obama's site to hillaryclinton.com - Netcraft" href="http://news.netcraft.com/archives/2008/04/21/hacker_redirects_barack_obamas_site_to_hillaryclintoncom.html">Noteworthy injection:</a> User-generated content is great, but you can't trust it, and must vet it before republishing it. This weekend the Barack Obama website accepted a comment from a visitor but did not strip out angle-brackets and quotemarks. The result was a page whose new user-generated JavaScript content redirected to the Hillary Clinton website. See <a href="http://en.wikipedia.org/wiki/Cross-site_scripting#Avoiding_XSS_vulnerabilities">Wikipedia</a> for an intro to why you need to protect your formfields from commands injected by visitors, and <a href="http://www.xssed.com/news/65/Barack_Obamas_official_site_hacked/">XSSed</a> for additional details on the political redirect. Me, I'm hoping the next debate has a question about how each candidate feels about cross-site scripting exploits, and whether libraries like Scriptaculous should always insist upon formfield validation.... ;-)</p>]]>

</content>
</entry>

<entry>
<title>AMP, geo-restrictions</title>
<link rel="alternate" type="text/html" href="http://blogs.adobe.com/jd1/archives/2008/04/amp-geo-restric.html" />
<modified>2009-07-19T17:40:16Z</modified>
<issued>2008-04-21T19:58:34Z</issued>
<id>tag:blogs.adobe.com,2008:/jd1//347.41296</id>
<created>2008-04-21T19:58:34Z</created>
<summary type="text/plain">AMP, geo-restrictions: Link goes to a machine-translation of a German PC-Welt article, about how some television shows (such as the CBS &quot;CSI&quot; property) can no longer be viewed in all regions via Adobe Media Player. The viewing policy is set by the content provider (such as CBS) rather than by...</summary>
<author>
<name>JohnDowdell</name>
<url>http://weblogs.macromedia.com/jd/</url>
<email>jdowdell@adobe.com</email>
</author>
<dc:subject>Television</dc:subject>
<content type="text/html" mode="escaped" xml:lang="en" xml:base="http://blogs.adobe.com/jd1/">
<![CDATA[<p><a title="Translated version" href="http://209.85.135.104/translate_c?hl=en&u=http://www.pcwelt.de/start/software_os/online/news/156394/keine_us_serien_mehr_fuer_deutsche_anwender/">AMP, geo-restrictions:</a> Link goes to a machine-translation of a German PC-Welt article, about how some television shows (such as the CBS "CSI" property) can no longer be viewed in all regions via Adobe Media Player. The viewing policy is set by the content provider (such as CBS) rather than by the technology provider (Adobe), and recently CBS did enact viewing policies to <a href="http://weblogs.macromedia.com/jd/archives/2008/04/global_video_ri.cfm">respect their local agreements</a>. I've been searching around and haven't found as many complaints as I might have expected, but it's a difficult thing to search for... if you see repercussions or have other questions then please drop a note in comments here and I'll work on it, thanks.</p>]]>

</content>
</entry>

<entry>
<title>Label debates</title>
<link rel="alternate" type="text/html" href="http://blogs.adobe.com/jd1/archives/2008/04/label-debates.html" />
<modified>2009-07-19T17:40:16Z</modified>
<issued>2008-04-21T14:15:59Z</issued>
<id>tag:blogs.adobe.com,2008:/jd1//347.41295</id>
<created>2008-04-21T14:15:59Z</created>
<summary type="text/plain">Label debates: I don&apos;t usually link to Sys-Con, or to Scott Barnes, but this collection of paragraphs asserting that &quot;&apos;RIA&apos; is slowly fading in terms of its definition&quot; is a piece of almost offensively obtuse obscurantism. Rich Internet Applications combine serverside-processing (think Allaire) and clientside-processing (think Macromedia) for something richer...</summary>
<author>
<name>JohnDowdell</name>
<url>http://weblogs.macromedia.com/jd/</url>
<email>jdowdell@adobe.com</email>
</author>
<dc:subject>Web sociology</dc:subject>
<content type="text/html" mode="escaped" xml:lang="en" xml:base="http://blogs.adobe.com/jd1/">
<![CDATA[<p><a href="http://ajax.sys-con.com/read/547326.htm">Label debates:</a> I don't usually link to Sys-Con, or to Scott Barnes, but this collection of paragraphs asserting that <em>"'RIA' is slowly fading in terms of its definition"</em> is a piece of almost offensively obtuse obscurantism. <a href="http://weblogs.macromedia.com/jd/archives/2005/03/ria_definition.cfm">Rich Internet Applications</a> combine serverside-processing (think Allaire) and clientside-processing (think Macromedia) for something richer than just text and images. Microsoft was slow to arrive on the scene, but they've understood a part of it recently... they even hired Scott with a literal "RIA" in his job title, for their as-yet-unshipped embrace/extend rerun. But now: <em>"The team with the biggest horde will own the definition."</em> As when Microsoft woke up a few years ago and tried to diffuse the idea as "Rich Interactive Applications", muddling things now with "Rich Client Platform" attempts to confuse their core customer base, preventing their growth outside of the Redmond stack. It won't affect the underlying dynamics in the long term, but will remain a time-wasting nuisance in the short term.</p>]]>
<![CDATA[<p>(Trolls: Please sign in with a verifiable identity before calling me childish and mean for my borg-defiance, thanks.)</p>]]>
</content>
</entry>

<entry>
<title>Creative accessibility</title>
<link rel="alternate" type="text/html" href="http://blogs.adobe.com/jd1/archives/2008/04/creative-access.html" />
<modified>2009-07-19T17:40:16Z</modified>
<issued>2008-04-19T16:36:29Z</issued>
<id>tag:blogs.adobe.com,2008:/jd1//347.41294</id>
<created>2008-04-19T16:36:29Z</created>
<summary type="text/plain">Creative accessibility: &quot;Freedom of the press is guaranteed only to those who own one.&quot; [A.J.Liebling] Twenty years ago desktop publishing reduced the cost to tens of thousands of dollars. A decade later web publishing helped more people publish and distribute text and images, costing only a computer, its software, and...</summary>
<author>
<name>JohnDowdell</name>
<url>http://weblogs.macromedia.com/jd/</url>
<email>jdowdell@adobe.com</email>
</author>
<dc:subject>Adobe</dc:subject>
<content type="text/html" mode="escaped" xml:lang="en" xml:base="http://blogs.adobe.com/jd1/">
<![CDATA[<p><a href="http://www.pbs.org/mediashift/2008/04/diy_nationcheap_editing_tools.html">Creative accessibility:</a> "Freedom of the press is guaranteed only to those who own one." [<a href="http://www.bartleby.com/63/42/8242.html">A.J.Liebling</a>] Twenty years ago desktop publishing reduced the cost to tens of thousands of dollars. A decade later web publishing helped more people publish and distribute text and images, costing only a computer, its software, and a connection. Now, rich-media RIAs let anyone edit images, video, audio and presentations, without any investment in software at all. Third world or first, urban or rural, egghead or not, it doesn't matter anymore -- if you've got a computer and a connection, you can create and publish your story to the world. At PBS, Jennifer Woodard Maderazo surveys the range of accessible creative tools today, and compares it to the costs of the recent past. The professional toolsets are blazing even newer territory (time-based imaging is about to get real scary, eg), but the increasing accessibility of the tools of creation means that Liebling's guarantee is becoming less and less a restriction every day....</p>]]>
<![CDATA[<p><strong>Action items:</strong><br />
<ul><li> We've got to get this functionality to cheaper mobile devices, because most people will never own a computer. The Flash Lite runtime is getting there, across the more affluent sections, and the AIR runtime will eventually provide a solid baseline of functionality. Right now, though, digital creation still requires a computer, a connection, and usually some level of English skills.<br />
<li> We've got to figure out ways to beat <a href="http://www.physics.emory.edu/~weeks/misc/slaw.html">Sturgeon's Law</a> and filter out the bad talk from the good. If you're trying to learn something, how can you pull that information from the efforts of people to sell you something, or the casual rants of the popular? We've got to reduce the reading costs, make it easier to find the desired info, while still surprising with the unknown-yet-useful. Filtering will probably be a harder problem than creation. <br />
</ul></p>]]>
</content>
</entry>

<entry>
<title>Adobe to acquire Macromedia</title>
<link rel="alternate" type="text/html" href="http://blogs.adobe.com/jd1/archives/2008/04/adobe-to-acquir.html" />
<modified>2009-07-19T17:40:15Z</modified>
<issued>2008-04-18T21:12:08Z</issued>
<id>tag:blogs.adobe.com,2008:/jd1//347.41293</id>
<created>2008-04-18T21:12:08Z</created>
<summary type="text/plain">Adobe to acquire Macromedia: Announcement went out three years ago today. Seems longer. Why, back then we didn&apos;t even have YouTube... things have changed a lot since then....</summary>
<author>
<name>JohnDowdell</name>
<url>http://weblogs.macromedia.com/jd/</url>
<email>jdowdell@adobe.com</email>
</author>
<dc:subject>Adobe</dc:subject>
<content type="text/html" mode="escaped" xml:lang="en" xml:base="http://blogs.adobe.com/jd1/">
<![CDATA[<p><a title="Macromedia - Press Room : Adobe to Acquire Macromedia" href="http://www.adobe.com/macromedia/proom/pr/2005/adobe_macromedia.html">Adobe to acquire Macromedia:</a> Announcement went out three years ago today. Seems longer. Why, back then we didn't even have <a href="http://en.wikipedia.org/wiki/History_of_YouTube">YouTube</a>... things have changed a lot since then.</p>]]>

</content>
</entry>

<entry>
<title>Bad Reporter, No AdSense</title>
<link rel="alternate" type="text/html" href="http://blogs.adobe.com/jd1/archives/2008/04/bad-reporter-no.html" />
<modified>2009-07-19T17:40:15Z</modified>
<issued>2008-04-17T20:23:26Z</issued>
<id>tag:blogs.adobe.com,2008:/jd1//347.41292</id>
<created>2008-04-17T20:23:26Z</created>
<summary type="text/plain">Bad Reporter, No AdSense: The link goes to a Google search on pages indexed within the past 24 hours on &quot;&apos;mark dowd&apos; adobe&quot;... currently gives 40 pages about yesterday&apos;s issue where blogs/newspapers highlighted an old Player vulnerability. Now try the same term and add &quot;9.0.124&quot;, to see how many of...</summary>
<author>
<name>JohnDowdell</name>
<url>http://weblogs.macromedia.com/jd/</url>
<email>jdowdell@adobe.com</email>
</author>
<dc:subject>Privacy/Security</dc:subject>
<content type="text/html" mode="escaped" xml:lang="en" xml:base="http://blogs.adobe.com/jd1/">
<![CDATA[<p><a title="&quot;mark dowd&quot; adobe - Google Search" href="http://www.google.com/search?q=%22mark dowd%22 adobe &as_qdr=d">Bad Reporter, No AdSense:</a> The link goes to a Google search on pages indexed within the past 24 hours on "'mark dowd' adobe"... currently gives 40 pages about <a href="http://weblogs.macromedia.com/jd/archives/2008/04/flash_vulnerabi.cfm">yesterday's issue</a> where blogs/newspapers highlighted an old Player vulnerability. Now try the same term and <a href="http://www.google.com/search?q=%22mark+dowd%22+adobe+9.0.124&as_qdr=d">add "9.0.124"</a>, to see how many of these articles noted that the vulnerability is already addressed, and readers should update. Result? Zip. These commercial writers are selling fear, and not serving their readers. They are the security problem, themselves.</p>]]>

</content>
</entry>

<entry>
<title>SEO reality</title>
<link rel="alternate" type="text/html" href="http://blogs.adobe.com/jd1/archives/2008/04/seo-reality-1.html" />
<modified>2009-07-19T17:40:15Z</modified>
<issued>2008-04-17T20:07:27Z</issued>
<id>tag:blogs.adobe.com,2008:/jd1//347.41291</id>
<created>2008-04-17T20:07:27Z</created>
<summary type="text/plain">SEO reality: Neat points raised by Google&apos;s VP of search quality, Udi Manber: &quot;I wish people would put more effort into thinking about how other people will find them and putting the right keywords onto their pages... The content provider should think about how users will look for their content,...</summary>
<author>
<name>JohnDowdell</name>
<url>http://weblogs.macromedia.com/jd/</url>
<email>jdowdell@adobe.com</email>
</author>
<dc:subject>Search tech</dc:subject>
<content type="text/html" mode="escaped" xml:lang="en" xml:base="http://blogs.adobe.com/jd1/">
<![CDATA[<p><a title="20 (Rare) Questions for Google Search Guru Udi Manber - Popular Mechanics" href="http://www.popularmechanics.com/blogs/technology_news/4259137.html">SEO reality:</a> Neat points raised by Google's VP of search quality, Udi Manber: <em>"I wish people would put more effort into thinking about how other people will find them and putting the right keywords onto their pages... The content provider should think about how users will look for their content, and the user should think about what words people use to write about their content... You should think about what you expect to see in the actual page and search for that."</em> Full bodytext (much less database text) is only rarely needed to satisfy a search query... usually you anticipate which terms your audience will use when trying to find your service, and on which you can reasonably compete to get on that first page of results. If your URL, TITLE, metadata and bodytext all include these terms, and if you can get external links with these terms as inbound anchor text, then you've got a good chance of being found by your audience <em>as they will tend to search for you</em>. I've got prior examples for <a href="http://weblogs.macromedia.com/jd/archives/2008/01/google_swf_sdk.cfm">rutabagas</a> and <a href="http://www.mail-archive.com/cf-talk@houseoffusion.com/msg222576.html">flowers</a>, and hit that "visualize the page on which the info lives" tip back in <a href="http://www.adobe.com/devnet/jd_forum/jd022.html">2003</a>. SEO experts may be <a href="http://weblogs.macromedia.com/jd/archives/2008/04/all_seo_snakeoi.cfm">suspect</a>, but I'm happy to see that the people inside Google agree that the basics are much simpler: figure out how people will try to find you, and optimize for that.</p>]]>

</content>
</entry>

<entry>
<title>Silverlight tripling</title>
<link rel="alternate" type="text/html" href="http://blogs.adobe.com/jd1/archives/2008/04/silverlight-tri.html" />
<modified>2009-07-19T17:40:15Z</modified>
<issued>2008-04-16T21:52:36Z</issued>
<id>tag:blogs.adobe.com,2008:/jd1//347.41290</id>
<created>2008-04-16T21:52:36Z</created>
<summary type="text/plain">Silverlight tripling: I hate giving Microsoft public-relations people extra exposure, but I spent enough time researching it that I figure others may want to know the meat behind the story too. The headlines go &quot;Silverlight to triple marketshare&quot; and such, but Katherine Noyes of E-Commerce Times has some of the...</summary>
<author>
<name>JohnDowdell</name>
<url>http://weblogs.macromedia.com/jd/</url>
<email>jdowdell@adobe.com</email>
</author>
<dc:subject>Business</dc:subject>
<content type="text/html" mode="escaped" xml:lang="en" xml:base="http://blogs.adobe.com/jd1/">
<![CDATA[<p><a title="E-Commerce News: Enterprise IT: Microsoft's Silverlight Gaining Ground - and DRM" href="http://www.ecommercetimes.com/story/enterprise/62582.html?welcome=1208375798">Silverlight tripling:</a> I hate giving Microsoft public-relations people extra exposure, but I spent enough time researching it that I figure others may want to know the meat behind the story too. The headlines go "Silverlight to triple marketshare" and such, but Katherine Noyes of E-Commerce Times has some of the details on that non-public Evans Data report: <em>"In a poll of [400] developers who work with Web 2.0 technologies, Evans Data asked both what the developers currently use for rich Internet applications as well as what they plan to use in the next year to year and a half."</em> From what's reported of the results, forty of them were investigating Silverlight today, and 120 of them plan to do so by 2010. No word on how many actual public-facing projects were under development. The fact that only a third seem to have responded to the prior massive publicity seems small to me, but you know my perspective. ;-)  Anyway, it's a positive headline for Microsoft, even though it risks <a href="http://tirania.org/blog/archive/2007/Jun-21.html">overestimating</a> eventual realities. If I get a more direct link to the Evans Data study and wording I'll update this post.</p>]]>

</content>
</entry>

<entry>
<title>&quot;Flash vulnerability&quot; story</title>
<link rel="alternate" type="text/html" href="http://blogs.adobe.com/jd1/archives/2008/04/flash-vulnerabi.html" />
<modified>2009-07-19T17:40:15Z</modified>
<issued>2008-04-16T21:25:03Z</issued>
<id>tag:blogs.adobe.com,2008:/jd1//347.41289</id>
<created>2008-04-16T21:25:03Z</created>
<summary type="text/plain">&quot;Flash vulnerability&quot; story: I&apos;m bumping this up to my weblog, because OS News requires membership for comments, and their source, Thomas Ptacek, has not yet published the comment I submitted. The Mark Dowd paper describes an issue which was addressed in the current Player, v9.0.124. None of the numerous paragraphs...</summary>
<author>
<name>JohnDowdell</name>
<url>http://weblogs.macromedia.com/jd/</url>
<email>jdowdell@adobe.com</email>
</author>
<dc:subject>Privacy/Security</dc:subject>
<content type="text/html" mode="escaped" xml:lang="en" xml:base="http://blogs.adobe.com/jd1/">
<![CDATA[<p><a href="http://www.osnews.com/story/19639/This_New_Vulnerability:_Dowds_Inhuman_Flash_Exploit">"Flash vulnerability" story:</a> I'm bumping this up to my weblog, because OS News requires membership for comments, and their source, <a href="http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/">Thomas Ptacek</a>, has not yet published the comment I submitted. The Mark Dowd paper describes <a href="http://www.adobe.com/support/security/bulletins/apsb08-11.html">an issue which was addressed</a> in the current Player, v9.0.124. None of the numerous paragraphs describing the horrors seems to mention this, and because these blogs don't support open comments, they may not hear unless they get publicly called out on it. It'd be better if they had open conversations on their weblogs, though... would serve their readers better.</p>]]>
<![CDATA[<p><strong>Update 9pm PDT:</strong> The <a href="http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/">Ptacek/Matasano</a> link got picked up by Microsoft's <a href="http://blogs.msdn.com/larryosterman/archive/2008/04/16/this-is-the-way-the-world-wide-web-ends.aspx">Larry Osterman</a>, via <a href="http://blogs.technet.com/robert_hensing/archive/2008/04/15/flash-null-pointer-offset-code-execution.aspx#comments">Robert Hensing</a>. Neither has advised their readers that this vulnerability is addressed in the current Player. I do not see the full story in comments at <a href="http://blogs.technet.com/robert_hensing/archive/2008/04/15/flash-null-pointer-offset-code-execution.aspx#comments">OSNews</a>, although <a href="http://brainstorm.esria.com/2008/04/16/flash-exploit-got-901240-yet/">Ben  Lucyk</a> got it in a trackback there. (Thanks, Ben!)</p>

<p>Check out the comments at Matasano and OSNews... lots of "proprietary garbage" type of prejudice. The reality is that these people are not harvesting information effectively, not analyzing their harvested information effectively, and not responding to feedback effectively.  </p>

<p><strong>Update Thu Apr17 8am PDT:</strong> <a href="http://blogs.zdnet.com/security/?p=1030">ZDNet Security Blog</a> ran with the story last night. The guy spent paragraphs writing about basketball games and his mother, but never even checked Adobe sources to see the problem was already addressed. <em>He</em> is part of the problem which must be fixed... our world is taken up too much by those who speak too much, yet do not listen, do not question.</p>

<p>(Thanks to "Skila", a member of OSNews, who added in comments <em>"This was fixed in the latest version of Flash Player - released 8 April 2008 so this is olds not news."</em>)</p>

<p>Followup: I got an internal email last night that the ZDNet reporter did mention "new version" down towards the bottom of his text. </p>

<p><strong>Update Sat Apr 19, noon PDT:</strong> It seems that most of the conversation now is focusing on the vulnerability in coding practices, rather than the Flash aspects... <a href="http://www.computerworld.com.au/index.php/id;342968942 ">Computerworld</a> had the "Adobe already fixed it" datum as the first sentence in the fourth paragraph, and with this highlighting, subsequent reporters have followed suit. Even the <a href="http://www.computerworld.com.au/index.php/id;342968942 ">Slashdot</a> discussion is more about the coding than about the Player. </p>

<p>I want to emphasize that the original discoverer, Mark Dowd, did act in good faith -- he <a href="http://www.adobe.com/support/security/alertus.html">notified Adobe security</a>, and published his whitepaper only after the Player changes were public. He helped everyone by handling this the way he did. (I also understand how the early bloggers were excited by the coding acrobatics, but I wish they had clearly advised concerned readers to keep their software current. The increasing moderation of useful blog comments is a separate issue. No blame, just room for increased openness.)</p>

<p><strong>Update Mon Apr 21 8am PDT:</strong> Most of the followup reports do a little bit of research, but today's <a href="http://news.bbc.co.uk/1/hi/technology/7358792.stm">BBC account</a> is another lengthy personal reaction to the Matasano paper and the new type of coding exploit, and despite its length and extraneous details, does not advise readers that they should just update to the software already available. (Meanwhile, in comments below, the original popularizer wants me to retract that I submitted a comment there which was not published, even though he hasn't published it yet, nor amended the article to include the vital non-inflammatory news that the vulnerability was addressed before the publicity.)</p>]]>
</content>
</entry>

<entry>
<title>AIR testimonial</title>
<link rel="alternate" type="text/html" href="http://blogs.adobe.com/jd1/archives/2008/04/air-testimonial.html" />
<modified>2009-07-19T17:40:15Z</modified>
<issued>2008-04-16T05:28:58Z</issued>
<id>tag:blogs.adobe.com,2008:/jd1//347.41288</id>
<created>2008-04-16T05:28:58Z</created>
<summary type="text/plain">AIR testimonial: I know lots of people like it, but I like how it solved a problem here. Galen Gruman of InfoWorld had some Ajax applications, and needed to make a desktop widget, and: &quot;The weekend before I was due to deliver my working prototypes of the Windows Sentinel Web...</summary>
<author>
<name>JohnDowdell</name>
<url>http://weblogs.macromedia.com/jd/</url>
<email>jdowdell@adobe.com</email>
</author>
<dc:subject>Universal Client</dc:subject>
<content type="text/html" mode="escaped" xml:lang="en" xml:base="http://blogs.adobe.com/jd1/">
<![CDATA[<p><a href="http://www.infoworld.com/article/08/04/15/16NF-windows-sentinel_1.html">AIR testimonial:</a> I know lots of people like it, but I like how it solved a problem here. Galen Gruman of InfoWorld had some Ajax applications, and needed to make a desktop widget, and: <em>"The weekend before I was due to deliver my working prototypes of the Windows Sentinel Web and mobile front ends, I saw that the Adobe AIR SDK and the companion plug-ins for Dreamweaver and Flash had just been released for download. I figured, 'Let's see what AIR can do.' Less than two hours later, I was able to essentially export my mobile Web pages into desktop widgets. Better, Adobe AIR produces a single executable that runs on Windows XP, Windows Vista, and Mac OS X Leopard -- and, soon, Linux."</em> Even better is his conclusion: <em>"I think most organizations will discover that Dreamweaver and Flash have magically become an easy lightweight development platform that a wider range of employees can put to good effect than could ever use a full-blown IDE."</em> Lots more people can do lots more stuff. That's good. :)</p>]]>

</content>
</entry>

</feed>
