All posts by onlyconnect

More Future of Web Apps hits and misses

The Carson Future of Web Apps London conference is over; here are my quick reflections on day two.

Adobe covers old ground

Adobe’s Mark Anders (formerly at Microsoft and much involved in ASP.NET) spoke about Flex and Apollo, explaining how FlexBuilder and MXML form a developer-friendly way to compile Flash binaries; this is familiar ground for me and I was disappointed that he didn’t go into more depth, especially considering that we had a similar talk from Andrew Shorten at this event last year. Still, there were some interesting performance comparisons showing off the JIT compiler in Flash 9.0 – it is much faster for ActionScript, as I’ve confirmed with my own tests.

Chris Wilson on IE

Microsoft’s Chris Wilson (co-author of the first NCSA Mosaic for Windows) spoke on IE7; his talk was billed as “The Future of the Browser” but it was not about that, it was more of an apologia concerning why IE was frozen for 5 years between IE 6.0 and IE 7.0 (I think it is worse than that, since IE 6.0 was not really a major advance on 5.0). He gave three main reasons: in 2001 few people were building browser-based rich web apps so there seemed little point investing in the technology; in 2002 Microsoft’s security push drained resources; and complacency from lack of competition. Wilson assured us of Microsoft’s commitment to standards, reminded us of compatibility issues (“don’t break the web”), and said that we can expect better standard support, improved user experience, and further security features in future versions of IE. A good bridge-building talk.

I caught Chris Wilson afterwards and explained my disappointment with Outlook’s use of the IE7 RSS platform, which is a botch (see here for why). I’ve asked several others at Microsoft this same question and received mumbled answers and promises to follow up that have not materialized. Wilson by contrast says he is aware of the problem and that many of Microsoft’s employees are complaining about it as well; he’s turned off RSS sync in Outlook 2007 himself, for exactly this reason. He says it will be fixed somehow but gave no clues as to when; at worst it could be the next version of Office.

I also asked when we can expect IE8. Wilson says it will be no later than two years from the release of IE7, but probably close to that. IE is no longer tied to major releases of Windows itself.

Design challenges at the New York Times

Khoi Vinh is Design Director at NYTimes.com and gave us some great insights into the problem of maintaining strong design when content is changing rapidly. In essence, he said that tools cannot keep pace with real-time publishing, forcing compromise. He also spoke about how changing media means many-to-many interaction (not one-to-many), and how user interface design should risk offending experts, by going for ease of use with perhaps some compromises on advanced features, rather than offending novices with UIs they cannot make sense of. Excellent talk.

The promise of OpenID

Simon Willison gave an animated talk on the future of OpenID, enthusing about the benefits of single sign-on. This was mostly a great presentation, pitched at the right level with examples, and honest about the risks and pitfalls as well as the advantages. He mentioned how Microsoft’s CardSpace helps solve the phishing problem, by moving the authentication UI into the browser, but mistakenly said this is a feature of Vista – it is not, it is a feature of .NET Framework 3.0 and available for Windows XP. (I spoke later to Chris Wilson about this, who hinted that progress in implementing CardSpace for other browsers such as Firefox and Safari is well advanced). I particularly liked the way Willison brought out some potential future benefits from a well-supported Internet identity standard, such as networks of trust enabling whitelists to combat problems like comment spam.

Google, Vodafone disappointments

After three strong presentations in a row I was feeling upbeat about this conference, but sadly it took a dive. Carson had decided to experiment with user-generated content, giving attendees the chance to put forward their own presentations; attendees voted on which ones they would like to see, and the top three got 15 minutes each. Good idea, but it didn’t work well in this instance, for several reasons: lack of presentation skills, not enough participation, and perhaps none of the submissions was really strong enough.

Jonathan Rochelle from Google spoke on “How web built Google Docs & Spreadsheets”. I had been looking forward to this session, but it was a big disappointment, very high-level with no real insight into how the application was put together. Rochelle is too much a company man and gave little away. Then Daniel Applequist from Vodafone spoke on the mobile internet, observing that there are 1000 million XHTML-capable mobile phones versus a mere 150 million wi-fi equipped laptops. Unfortunately Applequist didn’t succeed in enthusing the conference, perhaps the mid-afternoon timing was to blame.

Great PHP talk and closing words

It was worth hanging on for Rasmus Lerdorf’s presentation on PHP. This was outstanding and I am going to post separately about it. In part this may be because I had not heard him speak before; but I really enjoyed this talk.

This post is already too long, and I’ve already posted about NetVibes, so I will close by just mentioning the entertaining Moo session from Richard Moross and Stefan Maddalinski. They love the UK’s Royal Mail.

Thanks to Carson for a thought-provoking couple of days – but please make the wi-fi work properly next time!

Netvibes Universal Widget API and OpenID

Widgets are a great concept – the user interface components of Web 2.0, perhaps? Problem: which widgets? Google Desktop? Microsoft Live? Dashboard on the Mac? Konfabulator? Or Netvibes?

Netvibes CEO Tariq Krim reckons he has the answer, announcing at the Future of Web Apps conference in London his Universal Widget API. Not sure exactly how this will work, but the idea is that you write your widget once and it runs everywhere. Dashboard and Google were specifically mentioned, along with “a bunch of others.”

After the announcement he left the stage, then dashed back, grabbed the microphone, and added a promise to support OpenID. More momentum.


Notes on the Future of Web Apps

This is the beginning of the second day at Carson’s Future of Web Apps conference in London. I was drawn by the excellent speaker line-up, including Kevin Rose from Digg, Werner Vogels who is the CTO at Amazon.com responsible for services including S3 and EC2 (web storage and on-demand virtual servers), Mike Arrington from TechCrunch, and PHP inventor Rasmus Lerdorf. There are also speakers from Adobe, Microsoft, Yahoo, Google, NetVibes and various other organizations flying under the Web 2.0 banner.

The first day was worthwhile but mixed. I am a little jaded I guess, having been to a number of these sorts of conferences. There is too much Web 2.0 tub-thumping, too many sales pitches, and not enough investigation of hard questions. In particular, I would like to hear more about business models. Cool free apps are great, but sustainability is important too.

I was disappointed by Werner Vogels’ talk yesterday. A shame, since I remain impressed by what Amazon is doing. He gave pretty much a repeat of what we already know about S3, EC2 and Mechanical Turk. Having heard Jeff Barr present the same stuff on two other occasions (including this same conference last year), I was hoping for more. How is S3 coping when stressed, is performance holding up, what have been the pressure points? Is the pricing sustainable (I think it is too cheap)? Why is there still no SLA? What are the main feature requests from users, and how will they be addressed?

I don’t mean to pick on Vogels; some of the same criticisms apply to other speakers.

Fortunately there is good stuff here as well. The second part of Rose’s talk on Digg was interesting and I plan to cover this separately. Bradley Horowitz from Yahoo gave a thought-provoking talk on automatic content filtering, detecting “interesting” Flickr images, and distinguishing between homonyms like Jaguar (car) and Jaguar (animal) in user-generated content. I enjoyed the brief talk from ThinkFree on its online Office suite, though TJ Kang mystified me by being seemingly unconcerned about the business aspect. ThinkFree has an online Microsoft Office viewer which looks useful – upload your .doc or .xls, have users view it in HTML.

There is a small exhibition here with stands from Google, Yahoo, Microsoft, Adobe and others. Adobe has a neat Apollo app on show, a desktop application which uses the EBay web service API to give you full access to EBay without having to visit the site. I’ve asked for a screenshot as this type of application will be increasingly common in future. Of course it could just as easily be written in Microsoft’s WPF, but without the cross-platform compatibility.

A couple of notes on Microsoft, a newcomer to this conference and showing off the Expression range of design tools. First, I noticed that several ex-Macromedia folk are now working for Microsoft, including Andrew Shorten who presented Flex here last year. Shake-out from the Adobe merger, but good for Microsoft in my view. Second, the first release of WPF/E will be soon, but without C# and CLR support; this will follow in the second release. Interesting, especially since Flash 9 already has a JIT compiler for ActionScript, its ECMAScript-based language. However the plan is that there won’t be a long wait for the updated WPF/E – less than a year, I was told.

Microsoft is giving away free copies of Expression Web Designer. It is actually a decent product, but what do you do when everyone (at a conference like this) is using Dreamweaver?

Oh yes, and Java? Hardly mentioned here (though ThinkFree uses it, as does Flex on the server side, of course).

Digg will support OpenID

I’m at the Carson Future of Web Apps conference in London, where Kevin Rose is talking about Digg. My favourite comment:

You have to take it for what it is, it’s not a perfect system

Rose threw out a few comments about how he sees Digg evolving. One which interested me: it will support OpenID, which describes itself as:

an open, decentralized, free framework for user-centric digital identity.

I’m not sure that OpenID is going to solve many problems in itself – it is not necessarily a stronger form of authentication – but here at least is some progress in improving identity management.

AOL is also supporting OpenID, making all its accounts automatically OpenID accounts. I pointed out to Edwin Aoki, an AOL Chief Architect who is also here, that using a single identity for multiple sites could make the problem worse, since when it gets compromised multiple sites are then at risk. He said that happens anyway, because users already use the same email address and password on multiple sites. A fair point.

I’m actually hoping to see Microsoft’s CardSpace getting wide adoption in tandem with OpenID, as it appears to be more resistant to phishing attacks.

Still, the story here is that OpenID is gaining momentum.

A WordPress flaw: no paged comments

A snag with the most wonderful WordPress is that comments to a post are not broken down into pages. With over eighty comments and climbing fast, this post on slow Outlook 2007 is getting slow to load. Fitting, I guess, but I’d rather it performed better. I looked in vain for a WordPress option to split the comments into pages. I did find this plugin, but although it works it looks bad with the theme I’m using. I suppose a few hours hacking would fix it. I reckon a paging option should be built into WordPress as it will always be a problem on heavily commented posts.



Where’s the business model in Web 2.0? Don’t ask MyWebAlert.

Today IT Week has my piece on the lack of any business model in Yahoo Pipes, a thought underlined by an unusual press release which popped into my inbox. It is from John Earley of MyWebAlert, a company set up to monitor web site availability. Press releases are not usually so dejected:

Following a series of reports (copies available) that proved website availability is miserable in both the public and private sectors, we had thought folks would pay a paltry sum for monitoring and management services. This has proved not to be the case. Having sunk the investment in the software and architecture, we have abandoned hope of a business plan and are now making the service available free-of-charge.

Intrigued, I took a look at the site. The About page confirms this gravity-defying business endeavour, but looks forward to a bright tomorrow “somehow”:

There is no fancy business model, the Company can exist without revenues. It is managed in the belief that somehow, the momentum that it creates, will bring about a means for expanding the range of services that it offers.

It appears that the strategy is working, at least in terms of expanding the business. That’s presuming that site overload is the reason for what happened when I tried to sign up:

One presumes the outage will be short-lived, bearing in mind the company’s raison d’etre.

Incidentally Web site monitoring is also available from Netcraft and no doubt others. For a fee.


Tony Visconti on the CD loudness wars

Noted producer Tony Visconti made an interesting, sad comment on the CD Loudness wars over on Steve Hoffman’s forum. Visconti has worked with Thin Lizzy, Morrisey, David Bowie and many other well-known artists.

I asked him for his take on this issue, bearing in mind that two of the three most afflicted Bowie releases were produced by him, according to this fan. Visconti replied:

Without mentioning names, many mastering engineers perpetuate the loudness wars. One once turned to me after I made a request for more dynamics and said, “I have a reputation to uphold, I can’t make it that quiet.” Really, I was just asking for the carefully mixed quiet intro to stay quiet until the rest of the band crashed in.

How depressing.


Microsoft Soapbox uses Flash

Took a quick look at Microsoft Soapbox which seems to be a me-too version of YouTube.

The first thing I noticed was the absence of any content I wanted to view, whereas YouTube is really dangerous if you want to avoid distraction. That will change if the service is popular; but I’m not clear why someone would use Microsoft’s service instead of YouTube which gets the traffic.

The second thing I noticed is that Microsoft is using Flash for these videos, as does YouTube. I gave it a cross-platform test, and was able to use the site on the Mac with Safari and on Linux with Firefox, so kudos to Microsoft for that. I’m puzzled though, because the system requirements state Windows Media Player 9 as well as Flash 8, and Windows Media Player 9 isn’t available for Linux. Nevertheless, it works.

That said, I’m surprised that Microsoft isn’t using SoapBox to show off WPF/E. I appreciate that this is still in beta, but then so is Soapbox. Does Microsoft not intend to use its cross-platform, video-capable solution for its own site? Or will it transition in future?



How secure is Windows Vista?

Tech journalists have a tough job. They are meant to take the vast complexity of things like computers and operating systems and translate them into terms that ordinary people can understand.

Of course there is never a one-to-one mapping between the complex and the simple. The simplified explanation is a compromise.

So let’s look at the question: how secure is Windows Vista? Unfortunately the question is not amenable to a simple answer. Perhaps the best you can do is to try and explain the issues, the ways in which it is more secure than earlier versions of Windows, the ways in which it remains insecure.

Now read this piece on weaknesses in Vista’s UAC (User Account Control). Looks bad, right? About some insightful researcher who “found out — from Microsoft officials — that the default no-admin setting isn’t even a security mechanism anymore.”

This is a misunderstanding of a typically balanced and well-reasoned piece by Microsoft’s Mark Russinovich on UAC in Vista. At least the link is there in the ZDNet article, so you can read it for yourself.

Apparently, “In an e-mail interview, the Polish malware researcher said she was “pissed off” by what she perceived as Russinovich’s flippant attitude to the potential risk.”

Frankly, I defy anyone to read and understand Russinovich’s article and call it “flippant”. He explains how the mechanism works, he explains why it works as it does, acknowledges areas of compromise, and shows how to achieve higher security if you want it:

Without the convenience of elevations most of us would continue to run the way we have on previous versions of Windows: with administrative rights all the time. Protected Mode IE and PsExec’s -l option simply take advantage of ILs to create a sandbox around malware that gets past other security defenses. The elevation and Protected Mode IE sandboxes might have potential avenues of attack, but they’re better than no sandbox at all. If you value security over any convenience you can, of course, leverage the security boundary of separate user accounts by running as standard user all the time and switching to dedicated accounts for unsafe browsing and administrative activities.

He’s right. And personally I think ZDNet is giving too much weight to the strident researcher who calls Vista security “a big joke“, while doing too little to examine the real issues which Russinovich explains.

Of course that doesn’t prevent Slashdot and others picking up the story and presuming, because that’s what they want to believe, that Vista security is shot to bits.

It’s not. It is a real advance on XP, not least because of the point Russinovich highlights:

Why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption.

Update

This story gets more curious the more you investigate. The gist of this researcher’s original complaint was that Vista forced her to run setup and installer applications with local admin rights:

That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing e.g. to load kernel drivers!

It’s a fair point, though problematic on examination. Installing applications is an administrative task. Still, it’s correct that many installers do not need full admin rights, so the system could be more granular. Fortunately Vista covers this. You can disable the automatic elevation of setup applications in local security policy (the setting is “User Account Control: Detect application installations and prompt for elevation”). In fact, enterprise rollouts have this disabled by default. The researcher is actually aware of this, but says:

Even though it’s possible to disable heuristics-based installer detection via local policy settings, that doesn’t seem to work for those installer executables which have embedded manifest saying that they should be run as administrator. I see the above limitation as a very severe hole in the design of UAC.

Now she’s lost me. The complaint has shifted – there is no problem running setup applications with less than full admin rights, but if the developer specifies with a manifest that full admin rights are required, then Vista automatically prompts for elevation. This of course is working as designed. If you downloaded a “freeware Tetris game” and discovered a manifest insisting on full admin rights, you would likely be wary in any case.

So where is the “very severe hole in the design of UAC”? There is a “severe hole” here, but it is not in the design of UAC. The core problem is that users may try to install malware. They are browsing the web, and perhaps come across a flashing advertisement that says their PC has spyware, but this utility will fix it. They download it. They pass a dialog warning that the file is from the internet and might not be safe. They pass a dialog requesting elevation. At this point, only anti-virus software or something like Windows Defender might save them. How do you fix this, without taking away the user’s right to do what they want with the computer they own?

That said, there is a weakness in UAC in the potential of non-elevated processes to interfere with elevated processes. Mark Russinovich covers this well in his post referenced above. Bottom line is that it’s still best not to run with full admin rights, even with UAC enabled. The long-term purpose of UAC is to get Windows across the hump of legacy applications to a point where local admin rights for day-to-day use are unnecessary.
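To make the distinction in the update concrete, here is an added illustration (my own model, not Microsoft’s code and not anything from the researcher’s post) of the two elevation inputs discussed above: the requestedExecutionLevel in an executable’s embedded manifest, and the installer-detection heuristic that the local security policy can switch off. The “executables” are constructed byte strings, not real PE files, and the decision logic is simplified to what the post covers; the manifest scan itself also works on real .exe bytes, because the manifest is embedded as plain XML in the resource section. Windows additionally checks version-resource strings for the heuristic and skips it for 64-bit binaries, which this model ignores.

```python
"""Simplified model of when Vista-era UAC prompts for elevation.

Added illustration, not Microsoft's code. Two inputs are modelled:
  1. requestedExecutionLevel from the embedded application manifest
  2. installer-detection heuristic (keywords in the file name), which the
     policy "User Account Control: Detect application installations and
     prompt for elevation" (registry value EnableInstallerDetection under
     HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System)
     turns on or off.
The point of the model: turning the heuristic off changes nothing for an
executable whose manifest asks for requireAdministrator.
"""
import re

# Keywords Windows looks for in the file name of an unmanifested exe.
INSTALLER_KEYWORDS = ("install", "setup", "update")

# The manifest is stored as UTF-8/ASCII XML, so a byte regex finds it
# without parsing the PE resource directory.
MANIFEST_RE = re.compile(
    rb'requestedExecutionLevel\s+level\s*=\s*["\'](\w+)["\']', re.IGNORECASE
)

# Constructed sample "executables" (not real PE files): an MZ header stub
# followed by whatever manifest fragment the sample is meant to carry.
_STUB = b"MZ\x90\x00" + b"\x00" * 60
SETUP_UNMANIFESTED = _STUB + b"no manifest here"
SETUP_REQUIRE_ADMIN = _STUB + (
    b'<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>'
)
SETUP_HIGHEST = _STUB + b'<requestedExecutionLevel level="highestAvailable"/>'
SETUP_AS_INVOKER = _STUB + b"<requestedExecutionLevel level='asInvoker'/>"


def manifest_level(exe_bytes: bytes):
    """Return the manifest's requestedExecutionLevel, or None if unmanifested."""
    m = MANIFEST_RE.search(exe_bytes)
    return m.group(1).decode("ascii") if m else None


def looks_like_installer(file_name: str) -> bool:
    """File-name part of the installer-detection heuristic."""
    name = file_name.lower()
    return any(k in name for k in INSTALLER_KEYWORDS)


def uac_decision(file_name, exe_bytes, *, installer_detection=True, user_is_admin=True):
    """Return (decision, reason) for launching an interactive exe under UAC.

    decision is "prompt" (consent prompt for an admin in Admin Approval Mode,
    credential prompt for a standard user) or "run" (no elevation prompt).
    """
    level = manifest_level(exe_bytes)
    if level is not None:
        # A manifest is authoritative; the installer policy never applies here.
        lvl = level.lower()
        if lvl == "requireadministrator":
            return ("prompt", "manifest requests requireAdministrator")
        if lvl == "highestavailable":
            # Admins get a consent prompt; a standard user's "highest" is
            # already their current token, so no prompt.
            return ("prompt" if user_is_admin else "run", "manifest requests highestAvailable")
        return ("run", "manifest requests asInvoker")
    # Unmanifested: only now does the heuristic (and its policy switch) matter.
    if installer_detection and looks_like_installer(file_name):
        return ("prompt", "installer-detection heuristic matched")
    return ("run", "unmanifested, no heuristic match")


if __name__ == "__main__":
    cases = [
        ("tetris-setup.exe", SETUP_UNMANIFESTED, True),
        ("tetris-setup.exe", SETUP_UNMANIFESTED, False),   # policy disabled
        ("tetris-setup.exe", SETUP_REQUIRE_ADMIN, False),  # policy irrelevant
        ("tetris.exe", SETUP_AS_INVOKER, True),
    ]
    for name, data, detect in cases:
        print(name, "detection=%s" % detect, "->", uac_decision(name, data, installer_detection=detect))
```

Run it and the second and third cases show the researcher’s observation: with the policy disabled, `tetris-setup.exe` runs unprompted only while it carries no manifest; the same file name with a requireAdministrator manifest still prompts, because the manifest is a declaration by the developer and the policy only governs the guess Windows makes in its absence.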


Read this blog in French

My first go with Yahoo Pipes.

Fascinating stuff, but I’m finding it frustrating. I tried to do an illustrated blog using For Each Annotate and the Flickr module. I can’t get it to work. I managed to get some images retrieved, but couldn’t get them to display, and their relevance was marginal, even using the Content Analysis module which is meant to retrieve key words. Noticed that the official example which does the same thing doesn’t seem to work either (at the time of writing), which makes me feel better.

Another problem is that the output always truncates each feed item. Any French readers trying the above link will be disappointed when they click through, as the page reverts to English. Not easy to fix, since Yahoo does not publish a Babel Fish API. I could put a Translate link on the blog page, but that wouldn’t be Yahoo Pipes.

