Category Archives: internet

internet, security, sony

Sony PlayStation network hacked, some disclosure, questions remain

2 Comments

Sony has posted information about the “illegal intrusion on our systems” that has caused the PlayStation Network (PSN) to be closed temporarily. PSN is necessary for playing online games and downloading music and videos.

Sony has disclosed that:

Between April 17 and April 19 2011 an attacker gained access to “user account information”

The information includes:

name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.

The information might include:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained

The remainder of the information is mainly generic advice on fraud prevention. Many comments to the blog post make the reasonable point: why were they not informed earlier?

How many users are on PSN? The number 75 million is widely reported. In January Sony claimed over 69 million PSN members.

It is easy to say that Sony should have operated a more secure system. Making a judgment on that is hard because there is a lot we do not know. Was this information encrypted? Sony says passwords were stolen, which may mean they were unencrypted though that is hard to believe; or that they were encrypted but likely to be easily decrypted, which is perhaps more likely. On the other hand the fact that encryption is not mentioned in the post tends to suggest that none of this information was encrypted.

The scale of the incident makes it remarkable but the fact of network intrusions and personal data being stolen is not surprising, and likely much more of this happens than is reported.

The state of internet security overall remains poor and what we see constantly is that security best practices are ignored. Convenience and the desire of marketers to grab as much personal data as possible constantly trumps security.

Here is Kim Cameron, Microsoft’s identity architect, writing in 2005:

We should build systems that employ identifying information on the basis that a breach is always possible. Such a breach represents a risk. To mitigate risk, it is best to acquire information only on a “need to know” basis, and to retain it only on a “need to retain” basis. By following these practices, we can ensure the least possible damage in the event of a breach.

The concept of “least identifying information” should be taken as meaning not only the fewest number of claims, but the information least likely to identify a given individual across multiple contexts. For example, if a scenario requires proof of being a certain age, then it is better to acquire and store the age category rather than the birth date. Date of birth is more likely, in association with other claims, to uniquely identify a subject, and so represents “more identifying information” which should be avoided if it is not needed.

Cameron’s thoughtful and excellent “laws of identity” lack take-up within Microsoft as well as elsewhere; the CardSpace system that was built to support it was scrapped.

An example of the low priority of security around the web is the prevalence of “password security answers” as Sony describes them. This is additional information that allow you to recover an account if the password is forgotten, especially if the email address associated with the account is no longer in use. Contrary to the impression given by the forms that require the information, these questions and answers reduce your security in order to ease the burden on support. They break Cameron’s laws of identity by providing the third party with information that it does not need, such as mother’s maiden name, though of course you can provide fictional answers and in fact I recommend this.

Personally I am also one of those people who never tick the “save credit card details” box. I am happy to enter them every time, rather than hand them over to a system of unknown security. Some sites do not let you make purchases without saving credit card details; as I recall, Amazon is one of them, and Apple another. This means the consequences of security breaches at these companies are greater, though I imagine they also make more sales since the friction of the purchasing process is reduced.

I am not optimistic that internet security will improve in the near future, though I guess that major breaches like this one are a force for reform.

Update: In a new post Sony says that credit card data was encrypted but personal data was not. I am surprised if this included passwords; but the IT world is full of surprises.

internet, microsoft, mobile, professional, silverlight, software development, web authoring, windows 7

Microsoft releases IE10 preview, talks up native HTML5

3 Comments

Microsoft has released an early preview of Internet Explorer 10, which you can download now. It shows the company’s commitment – for the moment – to an energetic release cycle for its web browser.

image

Why use IE? Microsoft is pushing the notion that only IE is truly native on Windows:

IE10 continues on IE9’s path, directly using what Windows provides and avoiding abstractions, layers, and libraries that slow down your site and your experience.

In practice, this means using the Windows graphic stack directly and integrating with the Windows shell through features like jump list support on Windows 7.

IE10 supports more CSS3 standards including multi-column layout, Grid layout and Flexible Box Layout,  and Gradients. There is also support for EcmaScript 5 Strict Mode, which enforces tighter standards so reducing the likelihood of errors. Strict Mode is optional; if a web browser tried to apply it to the entire web lots of pages would break.

Microsoft is promising to support additional CSS3 standards including transitions and 3D transforms, though these are not in the preview. New preview releases will appear every 8-12 weeks.

According to Corporate VP Dean Hachamovitch, the company is steering a tight path between falling behind, and implementing immature standards:

When browsers prematurely implement technology, the result is activity more than progress. Unstable technology results in developers wasting their time rewriting the same site.

he writes in a blog post.

IE10 was announced today at the Mix conference in Las Vegas. Mix seems to be featuring equal measures of HTML5 and Silverlight, which makes for an interesting tension. News on Windows Phone is also promised, though I am not sure whether this is the moment when Microsoft will tell us about the next generation of Windows Phone and how it ties in with Windows 8 and with tablet devices. All will be revealed (or not) tomorrow.

.net, internet, microsoft, professional, silverlight, software development, visual studio

Microsoft promises Silverlight 5 beta soon, more love for HTML 5 in uncertain blog post

3 Comments

Microsoft has promised to deliver a Silverlight 5 beta at the Mix conference next week. The team posting is by Walid Abu-Hadba (Corporate VP of Developer and Platform Evangelism), Soma Somasegar (Senior VP or Developer Division) and Scott Guthrie (Corporate VP of .NET Developer Platform) and seems intended to clarify the company’s much-debated strategy concerning Silverlight vs HTML 5:

we have received questions from the community about the future of plug-ins, and how Silverlight is viewed as part of an overall solution set. We’ll provide clarity, background and context below

Despite the high-powered authorship though, the post tells us little. I mean, can you get vaguer than this?

HTML5 is a solution for many scenarios, and developers should make the appropriate choice based on application needs, knowing that we have a heritage and a future vision of supporting a wide variety of technologies to meet those needs.

This sentence is considered so perfectly nuanced that it is repeated at the end of the post.

If you enjoy reading between lines, there is a phrase to ponder here:

Over the coming months we’ll be particularly demonstrative of our emphasis on HTML 5, in Internet Explorer and in tools.

I’m hearing noises about Visual Studio 2012 now, and I imagine we will see some HTML 5 tooling there. I would expect it to include support for rich ASP.NET clients talking to WCF RIA Services or maybe  WCF Web APIs as well as things like the ASP.NET Membership Framework; and I would expect JQuery and ASP.NET Ajax to figure strongly.

I do not think Silverlight is dead though; apart from its role in Windows Phone, we are hearing rumours about the AppX application model in Windows 8 which looks a lot like Silverlight; and I have already noted the extensive use of Silverlight in Microsoft’s own products. I would rather hear the developer division VPs discuss this aspect of Silverlight, rather than reiterate corporate angst over how it relates to HTML 5. I would also like to see a post signed by the Windows team as well as by developer division.

.net, apple, cloud computing, google, internet, iphone, microsoft, mobile, professional, silverlight, software development, visual studio, web authoring

Appcelerator CEO on Titanium, Aptana and the future of mobile development

I met with Aptana CEO and co-founder Jeff Haynie at the Mobile World Congress in Barcelona last month.

Appcelerator’s main product is Titanium, an SDK which takes HTML and JavaScript source files and compiles them to native apps for several platforms, including Windows Mac and Linux on the desktop, and Google Android or Apple iOS for mobile. RIM Blackberry support is in preview. Appcelerator has recently acquired the Aptana IDE for HTML, JavaScript, CSS, Ruby on Rails, Python and Adobe AIR. The company has also partnered with Engine Yard for cloud-hosted Ruby on Rails applications to deliver web services to clients built with Titanium.

Haynie says that mobile is currently a three-horse race between Apple iOS, Google Android, and RIM Blackberry; but he expects further diversification. Microsoft Windows Phone is under consideration, and he says that cross-compiling to Silverlight would be possible for Titanium:

It’s a .NET SDK, we would have to build a translation into Silverlight. That’s how we do it for iOS, we translate code into Objective C. We don’t think it’s technically insurmountable.

I asked about the Appcelerator Freemium business model. Titanium is open source and you can download and use the SDK commercially for free. Haynie says it works well because companies can do a full evaluation and get to understand the value of the software fully before deciding whether to purchase. However he emphasised that larger companies, other than non-profits, are expected to take out a paid subscription.

This point could do with clarification. Indeed, the Appcelerator Plans and Pricing page shows Titanium Indie which is free but for companies of less then 25 employees, and other editions which are paid-for. But as far as I can tell there are no restrictions on the SDK. See the FAQ which says:

Can I use Titanium for a commercial application?

Yes. You can use Titanium in both a personal and commercial application regardless of what your license or price is.

What is your License?

The Titanium SDK is licensed under the Apache Public License (version 2).

I also took the opportunity to ask about Adobe AIR support in Aptana. It strikes me that this is under threat following the acquisition, since AIR competes with Titanium. Haynie was just a little evasive, but at the same time impressed me with his attitude:

Obviously we have a competitive platform from Adobe AIR. But we want developers to have the best choice, the best tools possible. So competitively we need to build the best product. If AIR is a better product and people want to use Aptana to build AIR apps, then fine. That means we need to continue to work to make a better runtime for the desktop.

Nevertheless, Haynie implied that AIR support will only continue if Adobe supports it; I am not sure what support means in this context but I think it includes a financial contribution:

We’re with Adobe on trying to figure out where we go from here … we have to spend a lot of money to support that, so we’re making sure that we’ve got Adobe’s support behind that.

I am not sure what Adobe gains from Aptana support, given that it has its own Eclipse-based IDE called Flash Builder, so I would not bet on there being significant updates to the current AIR 1.5 plug-in.

Finally, Haynie emphasised what to me are familiar themes in talking about the direction for Titanium and Aptana. Cross-platform visual design tools; designer and developer workflow; and integration in a single IDE of rich client and cloud back-end. This integration has long struck me as one of the best things about Microsoft’s Visual Studio, so it is interesting to see the theme reappear in a cross-platform context.

What I enjoyed about the interview is the way Haynie communicates the huge change and volatility that has arrived within the software development world, thanks to the impact of cloud and mobile. Times of change mean new opportunities and new products. Titanium has plenty of competition, but if Appcelerator is able to deliver a robust, cloud to device, cross-platform toolkit, then it will have a bright future.

I have posted a transcript of most of the interview.

google, internet, microsoft, open source, professional, search

Browser wars heat up as Firefox 4 arrives

1 Comment

Just one week after the final release of Microsoft’s Internet Explorer 9, and here comes another major browser, Mozilla Firefox 4.

What’s new in Firefox? Performance, for one thing. There is a new JavaScript engine called JägerMonkey which is more effective than the old TraceMonkey – though TraceMonkey is still there – and there is hardware-accelerated graphics on Windows Vista and Windows 7 using Direct2D, and on Windows and Mac Direct3D or OpenGL are used to speed page composition.

On the appearance side, Mozilla has streamlined the user interface with tabs above the address bar, sorry Awesome Bar, and reduced the number of buttons. By default there are no menus visible, and you are meant to use the Firefox button at top left:

image

I was disconcerted not to find the Tools menu here and one of the first things I did was to show the menu bar, though it does spoil the new UI design.

Firefox is also coming to Android and Maemo devices, and a great feature called Sync will synchronize bookmarks, tabs, passwords and history across all the devices you use.

There is also a new privacy feature called Do not track. This is a way of telling websites that you do not wish to be tracked. Tracking is used by web advertisers to send ads based on your browsing history as seen by that advertiser. Since many websites have scripts served by the same ad agency, this can be considerable. The feature does not block tracking, but only requests not to be tracked. It is off by default and buried in Advanced options, so will probably not be very effective.

image

Firefox is an excellent browser, with many more features than I have mentioned above. A few observations though.

The new features in Firefox 4 echo many of the few features in Internet Explorer 9, which in turn echoes some of the themes in Chrome. However on my system IE9 seems to be a little faster than Firefox 4, the user interface is more polished in my opinion, and the tracking protection in IE9 is more effective since it does actually block tracking.

Then again, there are Firefox add-ons that also block tracking; and in general Firefox seems to have the best range of available add-ons, which could well be the deciding factor for many users.

Firefox 4 still has a separate search box, and in principle I like this. I find it annoying that IE9 and Chrome intermingle searches and URLs in one box. I suspect though that I am in a minority of users. If you switch between browsers, you can find yourself typing searches in the Awesome Bar anyway, though habit, so I am guessing Mozilla will cave in and combine them eventually.

Mozilla is a non-profit organisation with a strong open source and community ethos and that also may be enough reason to use Firefox.

It does face intense competition now though, and it must be a concern that its income comes largely from:

search functionality included in our Firefox product through all major search partners including Google, Yahoo, Yandex, Amazon, Ebay and others.

which in practice is mostly from Google, which has a competing browser.

Personally I think Mozilla will struggle to maintain market share for Firefox; though version 4 is having a good launch complete with a delightful Twitter party

image

and a pretty download stats counter which is currently on 2.75 million and climbing fast.

image

cloud computing, google, internet

Google opens up discussions on docs

6 Comments

I attended a briefing today on Google Apps. Google is celebrating over 1 million business customers in EMEA (Europe, Middle East and Africa) since the launch of Google Apps just over 4 years ago, and over 3 million worldwide. An unknown proportion of those customers are small businesses using the free edition; but there are some well-known names which have signed up, including Rentokil Initial, Virgin America, Motorola, The Guardian, The Telegraph, and Jaguar Landrover.

The big announcement today is called Discussions in Google Docs, and I have had a quick try with a short document that I opened for discussion. One thing I learned is that if you want to allow public discussion on a document, you have to make it world-editable (like a wiki). It should be possible to have the document locked but still enable comments, but I cannot see how to do that; it seems that leaving a comment requires the same rights as editing the document.

Another oddity is that there are two comment panels, a narrow column on the right

image

and a big blue panel that appears if you select Show Discussions from the top menu.

image

If you are logged in, you can request notifications by email and even add comments by replying to email notifications.

image

There is also a per-comment feature mysteriously called Resolve. A resolved comment is semi-deleted; it is removed from the comment stream (narrow panel) but still appears in the full discussion (big blue panel).

My snap judgment is that these comments/discussions will be useful for document collaboration, which is already among the strongest features of Google Apps.

.net, development, internet, microsoft, professional, visual studio

What’s the story with IE9 and embedded Internet Explorer?

1 Comment

There is a certain amount of fuss over the fact that Apple’s latest mobile Safari does not give full performance when either embedded in another application, or pinned to the home screen.

It would help if Apple were more forthcoming on the issue; but in general you cannot assume that embedded browser components will behave the same way as the full browser, even when they share common libraries.

I did some quick experimentation with the released Internet Explorer 9 and the .NET Webbrowser control. First, I tried the SunSpider JavaScript benchmark. I had to use version 0.9 since the latest one gives an error in the Webbrowser control. No great surprise: the embedded version was substantially slower. I ran the tests separately, and for the .NET application I ran in release mode outside Visual Studio. IE9 completed in 314.6ms, the Webbrowser control in 578.2ms.

image

While that may seem a bad result for embedded IE, it could be much worse. Unfortunately I did not think to run this test before installing IE9, so I dual-booted into a Windows install that still has IE8 and ran the exact same application. At 6175ms it was more than ten times slower. It was slightly quicker in standalone IE8, but not by much.

image

Next I tried the Fish Tank demo, which tests hardware graphic acceleration.

image

There were two notable facts about my result here. First, the Webbrowser control reports itself as Internet Explorer 7. Second, the frame rate for the two instances was nearly identical. In practice it varied slightly and some of the time the standalone IE9 was fractionally faster, but still close. By way of reference, Apple’s Safari was around 10 times slower.

Update: embedded IE is slower on the Fish Tank than I first realised. 60fps is a kind of maximum for the demo. Embedded IE9 slows to 45fps with 50 fish, whereas full IE9 does not drop below 60fps until 500 fish on my system. It does makes the fans whir though!

My guess is that Microsoft is more concerned about compatibility than performance, when it comes to embedded IE. However, clearly there is significant benefit from IE9 even when embedded.

How can you get embedded IE not to report itself as IE7 and to use full standards mode by default? If it is like IE8, this can only be done on a per-application basis via setting a registry key. That is awkward for developers, who would prefer an API call to set this. I am not sure if there is any change for IE9.

.net, development, internet, microsoft, professional, Web

Microsoft remakes WCF for REST and the web

3 Comments

WCF is Windows Communication Foundation, the part of Microsoft’s .NET framework that handles service-oriented architecture. When WCF was first designed Microsoft was betting on SOAP web services. SOAP is still widely used but since then the trend has been towards more web-friendly services based on REST (Representational State Transfer) and JSON (JavaScript Object Notation). Microsoft has always argued that WCF is flexible enough to support such alternatives.

That said, a project which I have become aware of here at QCon London is the WCF Web APIs, presented here by Microsoft’s Glenn Block. WCF Web APIs focus on support for REST, JQuery clients, and programming model simplicity for a variety of other clients such as Silverlight and Windows Phone. The bit that surprised me is that WCF Web APIs are not just another wrapper for WCF; it is a completely new library that does not build on the old WCF Service Model. The fact that it is called WCF at all is confusing, though of course it belongs in that space within the overall .NET Framework.

I have not had time to look in detail at the WCF Web APIs, but from what I have seen and heard they are well worth exploring, even if you have found the old WCF somewhat impenetrable.

google, internet, javascript, professional

Google on innovation – or should that be copying?

7 Comments

Patrick Copeland, Google Director of Engineering, gave the keynote at QCon London this morning. His theme was innovation: how it works at Google and elsewhere.

I was expecting some background on Google’s famous 20% time, where employees spent up to one day a week on something not in their job description, but I don’t think Copeland even mentioned it. In fact, he almost argued against it. There is no shortage of bright ideas, he said, and Google has over 100,000 of them in a database; but what matters is not idea, but innovators who have the ability to take a good idea and make it into a product.

He added that whatever “it” may be, building the right “it” is more important than building “it” right. If what you build is the wrong thing, it will not succeed, whereas the right idea will sometimes succeed despite poor implementation. Twitter and its well-known fail whale comes to mind.

Google’s record on innovation is mixed. You can make a long list of Google projects that have failed, from Lively – a kind of Second Life clone – to Google Wave. “You want to fast fail when things aren’t working” said Copeland, making the best of it.

On the other hand, Copeland mentioned GMail as a positive example. I would quibble a bit with this: was GMail innovation, or simply Hotmail done right?

Copeland also mentioned two other examples. The Chrome browser, he said, had two goals: to streamline the user interface so less screen space was wasted, and to have a fast JavaScript engine to show off Google apps. He also observed that rival browsers have copied both ideas; and it is true that Microsoft’s Internet Explorer 9, which will be released on March 14, happens to have both these features.

What about Android? Copeland said that the Android strategy vs Apple is similar to that of the clone PCs vs IBM in the eighties. He tried to make a point of innovation here, observing that IBM could not compete with innovation from many independent vendors, but this seems to me a stretch. The point about the clone PCs was that they were kind-of the same as the IBM PC but cheaper and faster. It was more about copying than about innovating. I think you can see this playing out with Apple vs Android to some extent, in that there are customers who will end up with an Android smartphone or tablet because it is kind-of the same as an iPhone or iPad but cheaper or with better specifications.

On the other hand, Apple is doing a better job at differentiation than IBM achieved with its PC; and technically iPhone apps do not run on Android so the parallel is far from exact. Many of the same apps are available for both iPhone and Android, so from user’s perspective there is some similarity.

The quick summary then: most innovations fail, and you need innovators rather than simply bright idea. The implication is that successful innovation happens when you have a company with lots of money to spend on projects that will likely fail, and that has a culture which attracts innovators. Google ticks both boxes.

Incidentally, when I asked how Google identifies its innovators Copeland said that you do not need to. They make a nuisance of themselves, so if you have them, you know.

internet, professional, Web

nginx market share growing faster than any other web server

According to the latest netcraft web survey nginx market share is growing faster than that of any other web server, even though it is still small relative to Apache or Microsoft IIS. In December 2010 nginx share grew by 0.88% to 7.5% – which can also be expressed as a 13.3% increase.

Apache 59.13%
Microsoft 21.00%
nginx 7.50%
Google 5.53%
lighttpd 0.68%

I did not take much notice of nginx until hearing Ryan Dahl evangelise it at Cloudstock, a Dreamforce event, last month. Now I plan to install it at itwriting.com when I find the time.