Category Archives: Web

image

Microsoft unveils Office 365, wins vs Google in California. What are the implications for its future?

Today Microsoft announced Office 365, though it is not really a new product. Rather, it pulls together a bunch of existing ones: Business Productivity Online Suite (BPOS), Office Live Small Business, and Live@edu, the cloud  . It also impacts the desktop Office business, in that with at least some varieties of Office 365 subscriptions, users get the right to download and install Office 2010 Pro Plus edition.

This rebranding is a smart move. I have long been mystified by the myriad brands Microsoft users for its online offerings. I hope this will all integrate nicely with the new Small Business Server “Aurora”, a forthcoming version of SBS designed to bridge the cloud and the local network. If it does, this will be attractive for small businesses – who will pay $6.00 per user per month, we were told today – as well as for larger organisations.

Enterprises will pay between $2.00 and $27.00 per user depending on which services they buy, and can get extra features such as unlimited space for email archiving.

I also find it interesting that Microsoft has won what sounds like a bitter battle with Google for the migration of the State of California to online services.

Why would anyone choose Microsoft rather than Google for cloud services? Google was born in the web era, has no desktop legacy weighing it down, has helped to drive browser standards forward with HTML 5 and lightning-fast JavaScript, promotes open standards, and has a great free offering as well as subscriptions? Further, with Android Google has a fast-growing mobile platform which it can integrate with its services.

No doubt Microsoft can make a case for its cloud offerings, but I suspect a lot of it is the power of the familiar. If you already run on Office documents and Exchange email, moving to online versions of the same applications will seem a smoother transition. There is also the document format issue: you can import Office documents into Google Apps, but not with with 100% fidelity, and the online editors are basic compared with Microsoft Office.

When Microsoft seemingly had no idea what the cloud was about, it was easier for Google to win customers. Now Microsoft is slowly but surely getting the idea, and the value of its long-standing hold over business computing is being felt.

Google is also winning customers, of course, and even if you accept that Office 365 is the future for many existing Microsoft-platform businesses – and, Microsoft will hope, some new ones – there are still a host of interesting questions about the company’s future.

One is how the numbers stack up. Can Microsoft as cloud provider be as profitable as Microsoft has been with the old locally installed model?

Second, what are the implications for its partners? In today’s press announcement we were told that customers migrating to BPOS report a 10%-50% cost saving. The implication is that these companies are spending less money on IT than before – so who is losing out? It could be Microsoft, it could be hardware suppliers, it could be integration partners. Microsoft does include potential for partners to profit from Office 365 migrations, presuming it follows the BPOS model, but partners could still be worse off.

For example, if support requests diminish,because cloud services are more reliable, and if Microsoft does some support directly, there is less opportunity for partners support services.

Finally, what are the implications for developers? The main one is this. Organisations that migrate to online services will have little enthusiasm for locally installed custom applications, and will also want to reduce their dependence on local servers. In other words, custom applications will also need to live in the cloud.

Data analysis hot at Future of Web Applications Day One

I’ve been attending the Future of Web Applications conference in London. I spoke to several attendees in the evening and the general perception was that the event had been weaker than usual so far. Complaints concerned uninspiring sessions, lack of deep technical content, and information on HTML 5 that was really nothing new.

That said, several said how much they enjoyed a session from Hilary Mason at bit.ly on data analysis. Bit.ly does url shortening, with 70% of so of its traffic coming from Twitter clients, and Mason is a statistical expert who has worked on analysing and visualising the resulting data. She told us, for example, that news links are more popular than sports links, and sports links more popular than food links. She was also able to discover the best time to post a link for any particular Twitter account, if you want maximum clicks. There is no quick way to discover this, so this type of analysis is valuable for companies using Twitter as a PR tool. Another snippet of information was the half-life of a typical bit.ly link – in other words, the time interval by which it has recorded 50% of its likely total clicks – which in the example she showed us was between 20 and 25 minutes.

The consequence was that I went into the next session, on social gaming, with data analysis on my mind. The  session was presented by Kristian Segerstrale at Playfish, part of Electronic Arts focused on casual games for Facebook and the like. Gaming by the way is a huge part of Facebook, accounting for 30% to 40% of overall engagement, according to Segerstrale. As an insight into the future of gaming, it was a good session, but perhaps did not connect well with typical FOWA attendees.

Nevertheless, Segerstrale made a compelling point about how his company’s games evolve, which is also applicable to other kinds of web applications. He said that there is intense analysis of what works and what does not work, based on the flow of data that is available with web applications. You can see who is playing, when they are playing, which features are used, and get a level of insight into the strengths and weaknesses of your application which is typically unavailable for desktop applications. I imagine this works particularly well within Facebook, because of the rich user profile information there. If you take advantage of that data, you can get a lead over the competition; if you fail to make use of it, you will likely fall behind. There is now a data analytics skills gap, Segerstrale told us.

It was thought-provoking to see how data analytics was a common thread between such different sessions.

Google’s web app vision: use our store

I’m at the Future of Web Applications conference in London, a crazy mixture of tips for web start-ups and general discussion about application development in a web context. The first session was from Google’s Michael Mahemoff who enthused about HTML5 and open web standards, while refusing to be pinned down on what HTML5 is, which standards are in and which may in the end be out.

Microsoft is here showing off IE9; but one of my reflections is that while the HTML5 support in IE9 is impressive in itself, there are going to be important parts of what, say, Google considers to be part of HTML5 that will not be in IE9, and given the pace of Microsoft’s browser development, probably will not turn up for some time. In other words, the pressure to switch to Chrome, Firefox or some other browser will likely continue.

I digress. Mahemoff identified four key features of web apps – by which he means something different than just an application on the web. These are:

  • Local storage – encompassing local storage API and also local SQL, though the latter is not yet well advanced
  • Application cache – Cache Manifest in HTML 5 that lets your app run offline
  • Local installation – interesting as this is something which is not yet widely used, but clearly part of Google’s vision for Chrome, and also in IE9 to some extent.
  • Payments

The last of these is interesting, and I sensed Mahemoff showing some discomfort as he steered his way between open web standards on the one hand, and Google-specific features on the other. He presented the forthcoming Chrome Web Store as the solution for taking payments for your web app, whether one-time or subscription.

I asked how this would work with regard to the payment provider – could you freely use PayPal, direct debits or other systems? He said that you could do if you wanted, but he anticipated that most users would use the system built into Chrome Web Store which I presume is Google Checkout. After all, he said, users will already be logged in, and this will offer the smoothest payment experience for them.

The side effect is that if Chrome Web Store takes off, Google gets to make a ton of money from being the web’s banker.

Outside in the exhibition area Vodafone is promoting its 360 app store, with payments going through the mobile operator, ie in this case Vodafone. Vodafone’s apps are for mobile not for web, but it is relevant because it is trying to draw users away from Google’s Android Marketplace and onto its own store. PayPal is here too, showing its developer API.

The app store and payment provider wars will be interesting to watch.

Crisis for ASP.Net – how serious is the Padding Oracle attack?

Security vulnerabilities are reported constantly, but some have more impact than others. The one that came into prominence last weekend (though it had actually been revealed several months ago) strikes me as potentially high impact. Colourfully named the Padding Oracle attack, it was explained and demonstrated at the ekoparty security conference. In particular, the researchers showed how it can be used to compromise ASP.NET applications:

The most significant new discovery is an universal Padding Oracle affecting every ASP.NET web application. In short, you can decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the framework’s API! … The impact of the attack depends on the applications installed on the server, from information disclosure to total system compromise.

This is alarming simply because of the huge number of ASP.NET applications out there. It is not only a popular framework for custom applications, but is also used by Microsoft for its own applications. If you have a SharePoint site, for example, or use Outlook Web Access, then you are running an ASP.NET application.

The report was taken seriously by Microsoft, keeping VP Scott Guthrie and his team up all night, eventually coming up with a security advisory and a workaround posted to his blog. It does not make comfortable reading, confirming that pretty much every ASP.NET installation is vulnerable. A further post confirms that SharePoint sites are affected.

It does not help that the precise way the attack works is hard to understand. It is a cryptographic attack that lets the attacker decrypt data encrypted by the server. One of the consequences, thanks to what looks like another weakness in ASP.NET, is that the attacker can then download any file on the web server, including web.config, a file which may contain security-critical data such as database connection strings with passwords, or even the credentials of a user in Active Directory. The researchers demonstrate in a YouTube video how to crack a site running the DotNetNuke content management application, gaining full administrative rights to the application and eventually a login to the server itself.

Guthrie acknowledges that the problem can only be fixed by patching ASP.NET itself. Microsoft is working on this; in the meantime his suggested workaround is to configure ASP.NET to return the same error page regardless of what the underlying error really is. The reason for this is that the vulnerability involves inspecting the error returned by ASP.NET when you submit a corrupt cookie or viewstate data.

The most conscientious ASP.NET administrators will have followed Guthrie’s recommendations, and will be hoping that they are sufficient; it is not completely clear to me whether it is. One of the things that makes me think “hmmm” is that a more sophisticated workaround, involving random time delays before an error is returned, is proposed for later versions of ASP.NET that support it. What does that suggest about the efficacy of the simpler workaround, which is a static error page?

The speed with which the ASP.NET team came up with the workaround is impressive; but it is a workaround and not a fix. It leaves me wondering what proportion of ASP.NET sites exposed to the public internet will have implemented the workaround or do so before attacks are widespread?

A characteristic of the attack is that the web server receives thousands of requests which trigger cryptographic errors. Rather than attempting to fix up ASP.NET and every instance of web.config on a server, a more robust approach might be to monitor the requests and block IP numbers that are triggering repeated errors of this kind.

More generally, what should you do if you run a security-critical web application and a flaw of this magnitude is reported? Applying recommended workarounds is one possibility, but frankly I wonder if they should simply be taken offline until more is known about how to protect against it.

One thing about which I have no idea is the extent to which hackers are already trying this attack against likely targets such as ecommerce and banking sites. Of course in principle virtually any site is an attractive target, because of the value of compromised web servers for serving spam and malware.

If you run Windows servers and have not yet investigated, I recommend that you follow the links, read the discussions on Scott Guthrie’s blog, and at least implement the suggested actions.

If Microsoft is serious about Silverlight, it needs to do Linux

Today was a significant event for the UK broadcasting industry: the announcement of YouView, formerly called Project Canvas, which is backed by partners including the BBC, ITV, Channel 4, Channel 5, and BT. It will provide broadcasts over IP, received by a set top box, include a catch-up service, and be capable of interactive features that hook into internet services.

Interesting stuff, though it may end up battling with Google TV. But what are the implications for media streaming services and media players? One is that they will have to run on Linux, which is the official operating system for Project Canvas. Google TV, for that matter, will run Android.

If you look at the YouView specifications, you’ll find that although the operating system is specified, the application player area is more open:

Application Player executables and libraries will be provided by 3rd party software vendors.

What is an application player?

Runtime environment for the execution of applications. Examples are Flash player, MHEG engine, W3C browser

I’d suggest that Adobe will do well out of YouView. Microsoft, on the other hand, will not be able to play in this space unless it delivers Silverlight for Linux, Android, and other open platforms.

Microsoft has a curious history of cross-platform Silverlight announcements. Early on it announced that Moonlight was the official Linux player, though in practice support for Moonlight has been half-hearted. Then when Intel announced the Atom Developer Program  (now AppUp) in September 2009, Microsoft stated that it would provide its own build of Silverlight for Linux, or rather, than Intel would build it with Microsoft’s code. Microsoft’s Brian Goldfarb told me that Microsoft and Intel would work together on bringing Silverlight to devices, while Moonlight would be the choice for desktop Linux.

Since then, the silence has been deafening. I’ve enquired about progress with both Intel and Microsoft, but vague rumours aside, no news. Silverlight is still listed as a future runtime for AppUp:

Microsoft® Silverlight™(future)

Silverlight is a cross-browser, cross-platform and cross-device browser plug-in that helps companies design, develop and deliver applications and experiences on the Web.

In the meantime, Adobe has gone ahead with its AIR runtime, and even if Silverlight eventually appears, has established an early presence on Intel’s netbook platform.

There have been recent rumours about internal battles between the Windows and Developer divisions at Microsoft, and I cannot help wondering if this is another symptom, with the Windows folk fighting against cross-platform Silverlight on the grounds that it could damage the Windows lock-in, while the Developer team tries to make Silverlight the ubiquitous runtime that it needs to be in order to succeed.

From my perspective, the answer is simple. Suppressing Silverlight will do nothing to safeguard Windows, whereas making it truly cross-platform could drive adoption of Microsoft’s server and cloud platform. When Silverlight was launched, just doing Windows and Mac was almost enough, but today the world looks different. If Microsoft is serious about WPF Everywhere, Linux and Android (which is Linux based) support is a necessity.

Adobe extends SVG, HTML 5 support in Illustrator

Adobe has released a preview of the Illustrator CSS5 HTML5 Pack. There is already an HTML 5 Pack for Dreamweaver.

Illustrator CS5 could already export in SVG (Scalable Vector Graphics) format, but the pack adds some interesting features.

One is the ability to specify strokes and fills as variables, so that you can modify them in JavaScript.

image

Exporting an image that uses this feature creates a JavaScript file as well as the SVG itself.

You can also mark an Illustrator object as Canvas. This will convert the object to a bitmap that is drawn to a Canvas element within SVG.

There is also increased support for CSS (Cascading Style Sheets). You can use CSS to define fills, strokes, opacity, gradient, position, and named character styles.

Other features in the Pack include the ability to detect the HTML window size and vary the SVG that is delivered accordingly – to support mobile browsers.

When Apple’s Steve Jobs posted his thoughts on Flash – still online despite the company’s change of heart on cross-platform development tools for iPhone and iPad – he remarked:

Perhaps Adobe should focus more on creating great HTML5 tools for the future, and less on criticizing Apple for leaving the past behind.

Of course Adobe was doing this anyway, but it is interesting to see HTML 5 support now being extended. Export more HTML 5 goodness at the forthcoming MAX conference next month.

If you try the new HTML5 Pack read the installation instructions carefully. You have to back up certain files, otherwise it may affect whether you can apply future official updates.

Anti-virus software continues to fail

I received an email from Trusteer noting that anti-virus detection rates for the latest Zeus variant are very low. This analysis shows that at the time of writing only Panda, among the major anti-virus products, picks it up. Does this mean we should all switch to Panda? No, because next time it will be one of the others that works, or none of them will work. You can only sympathise with users who imagine they are protected from malware because they have security software installed which tells them so.

The solution? Well, white-listing, visiting only trusted web sites, not opening attachments, keeping your OS fully patched, and so on. None of them perfect.

Alternatively, a new model of computing. One of the attractions of locked-in platforms like Apple’s iPhone and iPad is that they are harder to infect. Google’s forthcoming Chrome OS is even better designed from a security perspective. I am surprised that this aspect of cloud+device computing does not get more attention.

Open season for patent litigation makes case for reform

It seems to be open season for software patent litigation. Oracle is suing Google over its use of Java in Android. Paul Allen’s Interval Licensing is suing AOL, Apple, eBay, Facebook, Google, Netflix, Yahoo and others – the Wall Street Journal has an illustrated discussion of the patents involved here. Let’s not forget that Apple is suing HTC and that Nokia is suing Apple (and being counter-sued).

What’s next? I was reminded of this post by former Sun CEO Jonathan Schwartz. He confirms the supposition that large tech companies refrain from litigation – or at least, litigate less than they might, refrain is too strong a word right now – because they recognize that while they may have valid claims against others, they also most likely infringe on patents held by others.

The gist of Schwartz’s post is that Microsoft approached Sun with the claim that OpenOffice, owned by Sun, infringes on patents held by Microsoft thanks to its work on MIcrosoft Office:

Bill skipped the small talk, and went straight to the point, “Microsoft owns the office productivity market, and our patents read all over OpenOffice.”

Sun’s retort was in relation to Java and .NET:

“We’ve looked at .NET, and you’re trampling all over a huge number of Java patents. So what will you pay us for every copy of Windows?”

following which everything went quiet. The value of .NET to Microsoft is greater than the value of OpenOffice to Sun or Oracle.

Oracle, however, seems more willing to litigate than Sun; and I doubt it cares much about OpenOffice. Might we see this issue reappear?

That said, Microsoft also has a large bank of patents; and who knows, some of them might be brought to bear against Java in the event of legislative war.

The risk though is that if everyone litigates, the industry descends into a kind of nuclear winter which paralyses everyone. Companies like Interval Licensing, which seemingly exist solely to profit from patents, have no incentive to hold back.

Can any good come of this? Well, increasing software patent chaos might bring some benefit, if it forces countries like the USA to legislate in order to fix the broken patent system.

Protecting intellectual property is good; but against that you have to weigh the potential damage to competition and innovation from these energy-sapping lawsuits.

We need patent reform now.

SOA, REST and Flash/Flex – why Flash does not PUT

Adobe’s Duane Nickull has an illuminating post on how the Flash player handles REST. Nickull is responding to a post by Malcolm Box in which he complains how hard it is to use Flash with a REST web service. Box observes that Flash cannot send POST, PUT and DELETE requests when running in the browser, and does not send cookies.

Nickull defends the Flash behaviour:

Flash’s HTTP libraries currently support GET and POST. My architectural view of this is that the HTTP libraries only should really support these and not worry about the others.

He also notes that cookies are a poor way to manage state:

Cookies are for the browser and belong in the browser. Having Flash Player able to access cookies would be a mistake in my own opinion. Any logic that is facilitated by a browser should probably be dealt with at the browser layer before Flash Player is used.

Now, I think the comments on REST are important to read if you are engaged in designing a web service, as many of us in these days of cloud+device. There is a kind-of “word on the street” approach to web services which says that REST is good, SOA/SOAP is bad; but in reality it is not so simple, and these distinctions are muddled. REST is arguably a form of SOA, you can do SOAP with REST, and so on.

One factor is that reading data in a web client is far more common than writing data. It is easy to be an advocate of the simplicity of REST if all you are doing is GET.

The question Nickull asks is whether the transport protocol has any business dictating how the data it transports should be processed, for example whether it is an operation to retrieve or to write data:

In an SOA world, the transport functionality (usually implemented using SOAP) should focus on just delivering the message and it’s associated payload(s) to the destination(s), optionally enforcing rules of reliability and security rather than declaring to the application layer processing instructions to the service endpoint.

Read the post for more of the rationale behind this. Maybe, even if you are doing REST, restricting your web service to GET and POST is not such a bad idea after all.

That said, whatever you think about the architectural principles, you may find yourself having to write a browser-hosted Flash client for a service that requires an HTTP verb other than GET or POST. There are ways round it: see this discussion of Amazon S3 (which uses PUT) and Flash for an example.

Setting up RemoteApp and secure FTP on Windows

I spent some time setting up RemoteApp and secure FTP for a small business which wanted better remote access without VPN. VPN is problematic for various reasons: it is sometimes blocked by public or hotel wifi providers, it is not suitable for poor connections, performance can be poor, and it means constantly having to think about whether your VPN tunnel is open or not. When I switched from connecting Outlook over VPN to connecting over HTTP, I found the experience better in every way; it is seamless. At least, it would be if it weren’t for the connection settings bug that changes the authentication type by itself on occasion; but I digress.

Enough to say that VPN is not always the best approach to remote access. There’s also SharePoint of course; but there are snags with that as well – it is powerful, but complex to manage, and has annoyances like poor performance when there are a large number of documents in a single folder. In addition, Explorer integration in Windows XP does not always work properly; it seems better in Vista and Windows 7.

FTP on the other hand can simply publish an existing file share to remote users. FTP can be horribly insecure; it is a common reason for usernames and passwords to passed in plain text over the internet. Fortunately Microsoft now offers an FTP service for IIS 7.0 that can be configured to require SSL for both password exchange and data transmission. I would not consider it otherwise. Note that this is different from the FTP service that ships with the original Server 2008; if you don’t have 2008 R2 you need a separate download.

So how was the setup? Pretty frustrating at the time; though now that it is all working it does not seem so bad. The problem is the number of moving parts, including your network configuration and firewall, Active Directory, IIS, digital certificates, and Windows security.

FTP is problematic anyway, thanks to its use of multiple ports. Another point of confusion is that FTP over SSL (FTPS) is not the same thing as Secure FTP (SFTP); Microsoft offers an FTPS implementation. A third issue is that neither of Microsoft’s FTP clients, Internet Explorer or the FTP command-line client, support FTP over SSL, so you have to use a third-party client like FileZilla. I also discovered that you cannot (easily) run a FTPS client behind an ISA Server firewall, which explained why my early tests failed.

Documentation for the FTP server is reasonable, though you cannot find all the information you need in one place. I also found the configuration perplexing in places. Take this dialog for example:

image

The Data Channel Port Range is disabled with no indication why – the reason is that you set it for the entire IIS server, not for a specific site. But what is the “External IP Address of Firewall”? The wording suggests the public IP address; but the example suggests an internal, private address. I used the private address and it worked.

As for RemoteApp, it is a piece of magic that lets you remote the UI of a Windows application, so it runs on the server but appears to be running locally. It is essentially the same thing as remote desktop, but with the desktop part hidden so that you only see the window of the running app. One of the attractions is that it looks more secure, since you can give a semi-trusted remote user access to specified applications only, but this security is largely illusory because under the covers it is still a remote log-in and there are ways to escalate the access to a full desktop. Open a RemoteApp link on a Mac, for example, and you get the full desktop by default, though you can tweak it to show only the application, but with a blank desktop background:

image

Setup is laborious; there’s a step by step guide that covers it well, though note that Terminal Services is now called Remote Desktop Services. I set up TS Gateway, which tunnels the Terminal Server protocol through HTTPS, so you don’t have to open any additional ports in your firewall. I also set up TS Web Access, which lets users navigate to a web page and start apps from a list, rather than having to get hold of a .RDP configuration file or setup application.

If you must run a Windows application remotely, RemoteApp is a brilliant solution, though note that you need additional Client Access Licenses for these services. Nevertheless, it is a shame that despite the high level of complexity in the configuration of TS Gateway, involving a Connection Authorization Policy and a Resource Authorization Policy, there is no setting for “only allow users to run these applications, nothing else”. You have to do this separately through Software Restriction Policies – the document Terminal Services from A to Z from Cláudio Rodrigues at WTS.Labs has a good explanation.

I noticed that Rodrigues is not impressed with the complexity of setting up RemoteApp with TS Gateway and so on on Windows Server 2008 R2:

So years ago (2003/2004) we had all that sorted out: RDP over HTTPS, Published Applications, Resource Based Load Balancing and so on and no kidding, it would not take you more than 30 minutes to get all going. Simple and elegant design. More than that, I would say, smart design.

Today after going through all the stuff required to get RDS Web Access, RDS Gateway and RDS Session Broker up and running I am simply baffled. Stunned. This is for sure the epitome of bad design. I am still banging my head in the wall just thinking about how the setup of all this makes no sense and more than that, what a steep learning curve this will be for anyone that is now on Windows Server 2003 TS.

What amazes me the most is Microsoft had YEARS to watch what others did and learn with their mistakes and then come up with something clean. Smart. Unfortunately that was not the case … Again, I am not debating if the solution at the end works. It does. I am discussing how easy it is to setup, how smart the design is and so on. And in that respect, they simply failed to deliver. I am telling you that based on 15+ years of experience doing nothing else other than TS/RDS/Citrix deployments and starting companies focused on TS/RDS development. I may look stupid indeed but I know some shit about these things.

Simplicity and clean design are key elements on any good piece of software, what someone in Redmond seems to disagree.

My own experience was not that bad, though admittedly I did not look into load balancing for this small setup. I agree though: you have to do a lot of clicking to get this stuff up and running. I am reminded of the question I asked a few months back: Should IT administration be less annoying? I think it should, if only because complexity increases the risk of mistakes, or of taking shortcuts that undermine security.