An SLA for Amazon S3

Amazon has announced an SLA (Service Level Agreement) for its Simple Storage Service (S3).

S3 is great, and I noticed how it kept getting mentioned at the Future of Web Apps conference last week. The fact that people are using it, and liking both the performance and the price, says far more about it than any amount of PR.

The lack of an SLA was a snag for enterprise users who need assurance of reliability. So now there is one – but how much is it worth? Not much. The SLA guarantees 99.9% uptime, but you only get between 10% and 25% discount on your usage fees if it slips below that. There’s no coverage for consequential loss:

…your sole and exclusive remedy for any unavailability or non-performance of Amazon S3 or other failure by us to provide Amazon S3 is the receipt of a Service Credit

Given the keen pricing of S3 that’s not surprising. Still, the SLA does have some value, if only for setting expectations about what level of service S3 is likely to deliver.

Update: WordPress is now using S3 as its primary store, but Matt Mullenweg says the SLA means little to him. 

Technorati tags: , , , ,

RM’s Linux miniBook

Palm may have abandoned its Foleo; but others are willing to take a crack at the sub-notebook market. Educational suppler RM has partnered with Asus to offer a Linux miniBook starting at £169.00 (around $300). That’s substantially cheaper than a Nokia N800 internet tablet. Here are the specs:

  • Mobile Intel Celeron-M ULV 900MHz processor
  • 7″ TFT screen
  • 256MB or 512MB Memory, 2GB or 4GB Solid-State Hard Drive, SD card reader
  • Integrated Modem and LAN, Internal wireless 802.11g
  • Integrated webcam, microphone and speakers
  • 3 USB ports, VGA out port

According to the press release:

Students will be able to use the RM Asus miniBook to send and receive email, create and edit documents, view photographs, play videos and MP3 files, browse the Internet, listen to online radio and participate in instant messaging.

It caught my interest because I am constantly frustrated at having to carry a relatively bulky laptop in order to get my work done. So I could be in the market for one of these, though it is aimed at students. Bluetooth is not mentioned, which is a shame as this helps with mobile phone integration. According to this post, based on a preview, Windows may be available as an optional extra – I presume this would be Windows Mobilethis article says Windows XP.

If the category succeeds, of course there will be others like it. Why will this be different than other failures or semi-failures, such as the Windows CE Handheld form factor, Tablet PC, or UMPC? Price, mainly. The mass market is reluctant to buy a sub-notebook when there are much more powerful laptops available for the same or less money. That’s now changing, and at this level it just might catch on.

Technorati tags: , , , , , ,

Paying on the web? Look for the small padlock, not the big one

A friend drew my attention to a security issue on, a UK website for purchasing train tickets.

She planned her journey and then entered her credit card details, noting that the browser confirmed that she was on a secure page:

In this case, Internet Explorer shows the url in green, which means it uses an Extended Validation (EV) SSL certificate, giving extra confidence that all is well. Indeed, in normal circumstances it would have been.

Unfortunately she made a small error with the card details. The site then bounced her to an insecure page, inviting her to re-submit her details but this time over HTTP. The image below shows part of the web page, including the credit card details (albeit with whatever errors caused the validation to fail) and the IE property dialog confirming that the page is not encrypted:

Now the comforting green url is gone, replaced by plain black on white:

However, the big padlock graphic is still in place, along with logos for Verified by Vista and MasterCard SecureCode.

It looks to me as if the card details are sent in plain text twice, first when bounced back to the user for correction, and second when re-submitted.

The site was advised of the problem 24 hours ago, but I was able to replicate the issue just now. Moral: look for the small padlock in the address bar, not the big reassuring graphic on the page itself.

Is this a big security risk? As far as I’m aware, the chance of a criminal intercepting internet traffic to look for useful information is slim. That’s just as well, given the number of sites that do bad things like emailing password reminders in plain text. The risk is not just theoretical though; the traffic could be logged or intercepted.

Let me emphasise: is a respectable web merchant and I am sure this is no more than a bit of careless coding. After all, there is no advantage to the web site if you send your card details unencrypted. They get them anyway.

Technorati tags: , ,

The curious silence of the IE team – Microsoft needs to rediscover blogging

There are huge numbers of Microsoft bloggers; yet in some important areas Microsoft seems happy to let its opponents make all the noise.

Internet Explorer is an obvious example. There is an official IE Blog, but you won’t find anything there about IE8, just occasional news of minor IE7 tweaks. The comments on the other hand are full of questions, many of them good ones that deserve an answer, or at least an acknowledgement that someone is listening.

I spoke to Microsoft’s Chris Wilson at the Future of Web Apps conference back in February, noting that he gave a “good bridge-building talk”. There have been other similar talks, but little of substance since then. Anyone searching the web for news of browser development and innovation will find little from Microsoft, lots from Mozilla and others.

This is not about Microsoft bashing. Rather, it is about web developers and designers who need to make stuff work. Having some idea about where Microsoft is going with its browser helps with that.

Microsoft needs to rediscover the value of high quality blogging that engages with the community. It is not just IE. Soon after the release of Office 2007 I was among those who reported on performance problems with Outlook. This blog still receives thousands of visits from users who search for why Outlook 2007 is slow. Where were the bloggers from the Outlook team? Months later there was a tech note and patch which helps a little, but Outlook 2007 is still slow and there is no real evidence that the company cares.

What about Open Office XML, viciously attacked by IBM and other sponsors of the rival Open Document Format? Brian Jones has a good marketing blog; yet I’ve seen relatively little technical blogging from the OOXML folk at Microsoft, in response to questions raised.

See also Dave Massy’s blog.

Technorati tags: , , , ,

Who’s got the best search engine?

Please try the test here and vote because this is fascinating. It’s simple: perform a search and pick which is the best result, as in, which result best corresponds with what you are looking for. The script gives you the top result from Google, Yahoo and Microsoft (not in that order), but – crucially – does not show which is which. Currently, after 1400 votes, 34% have voted for the first, 53% for the second, and 29% for the third.

Of course this is an inexact science. Two different people could perform the same search and prefer different results. Further, it is not quite fair, in that the search engines could have personalization algorithms that will not operate when you go via a third-party script. I also hope nobody is cheating here, since unfortunately the test is insecure, in that you can work out which search engine is which and vote accordingly.

It is still interesting because it removes branding from the search results. This counts against Google, which has the best brand for search. After all, the brand has become a verb, “to Google”. Some people probably think Google invented web search.

Although number two is significantly ahead, the figures are already closer than actual market share would suggest. That implies that factors other than pure results are of critical performance in the search wars – though I suppose you could argue that if one search engine gives you the best result 53% of the time, you will end up using it 100% of the time.

Has anyone done a more secure test, maybe showing the first page of results rather than just the top hit?

Technorati tags: , ,

Facebook, Comet, FireEagle at Future of Web Apps

This will be my last post direct from the Future of Web Apps as day two draws to a close.

Dave Morin, Senior Platform Manager at Facebook, talked this morning about the site’s remarkable growth and its value as a developer platform. He says its user count is growing at 3% per week, which equates to doubling each 6 months or so. Even more impressive are its activity stats – 50 page views per user per day, according to Morin, with 50% of users logging in at least daily.

So what is the Facebook platform? Morin calls it “A standards-based advanced web service which enables you to access the social graph”, where “social graph” means the connections between people. If you build an application on this platform, you can hook into these connections. An attraction for developers is that applications can achieve rapid adoption through the viral networking that Facebook encourages.

For me, his talk was more notable for what it did not say, than for what it did. Morin referred to the oft-repeated Facebook problem, that developers fear their best ideas will simply get built into Facebook itself, but did not offer any comfort beyond bland reassurance. I’m also interested in the implications of Facebook becoming increasingly important as an identity provider. How does it compare to others such as Google, Microsoft, Yahoo, when measured against the laws of identity developed by Microsoft’s identity architect Kim Cameron, for example?

Joe Walker spoke on Comet, an API for two-way communication with the web browser. Fascinating session, if only for his description of the hacks required to make it work – web browsers are not designed for this. Interesting comment on IE and how it handles data in iFrames – “it’s not wrong, but all the other browsers do it better.”

Tom Coates from Yahoo spoke on FireEagle, the code name for a project which exposes an API for applications that provide location-based services. If you sign up, it uses a variety of techniques to detect your location. An application could then do things like advising the speed limit in your area, or giving you a weather forecast, or informing you of friends nearby, or any number of other possibilities. Intriguing stuff, but with security and privacy implications that have not been fully worked out. It will be interesting to track what happens once people begin to sign up, which will be possible shortly in the form of an early test release.

Great for debugging: Microsoft to release .NET Framework source

Scott Guthrie has the details. As my title implies, this is great for debugging. There will be benefits for the Framework as well, presuming Microsoft listens when a developer says, “Why does your code do this and not that?”

Is this a big radical step for Microsoft? I don’t think so. Nor does it merit this kind of predictable backlash – Steven J Vaughan-Nichols saying that Microsoft is tempting open source developers to use its code and become vulnerable to lawsuits.

I recall an early .NET briefing in which an IT exec from the Nationwide Building Society (an early adopter) said how grateful he was to Microsoft for sharing the source to the .NET Framework. How come? Well, ever come across Reflector for .NET? If compiled .NET libraries are not obfuscated, you can easily decompile the code. Admittedly you will not see comments, but it is still pretty effective. As far as I know, the .NET Framework has never been obfuscated, so in some ways we already had the code.

I do understand the risks for projects like Mono, which seek to be clean-room implementations, but I doubt they are significantly greater than before. Further, I suspect that if Microsoft wanted to bring legal guns to bear on Mono, it is likely that it already could. Although Mono builds on ECMA standards, it implements plenty of stuff that is not covered by those standards. I have no idea whether it breaches any Microsoft patents; but I would not find it surprising. What stops Microsoft pursuing Mono? Mainly, I imagine, because it is good for .NET and therefore a benefit to the company.

Technorati tags: , , , ,

Microsoft Seadragon: smooth scaling for web images, coming to Silverlight

I mentioned Microsoft’s short presentation yesterday here at the Future of Web Apps conference. The highlight was a single page showing the complete works of Charles Dickens, with every page on view. We then zoomed in to read a page; the performance was great and the type perfectly clear. However I am taking it on trust that it really was all of Dickens works…

The technology behind this is Seadragon, acquired by Microsoft in February this year. I’m told that it will be integrated into Silverlight 1.1, so I guess we will be able to use this cross-platform next year. It is also used in Photosynth.

Is it any different from what you can already do with say Google Maps and related, or Virtual Earth? The answer I guess is that amazing zoom capability is nothing new, but Seadragon looks like an advance in smoothness and probably ease of programming. The goal:

visual information can be smoothly browsed regardless of the amount of data involved or the bandwidth of the network.

Notes on the Future of Web Apps: mobile web, scalability, Zoho, Microsoft

A few notes on the first day at the Future of Web Apps conference in London. These are supplementary to my posts yesterday.

Heidi Pollock of Bluepulse spoke on mobile web apps. This was a depressing session, through no fault of Pollock. She explained how to keep to the compatible set of HTML and CSS markup that works on most mobiles, but acknowledged that even this will not work well for all users. Apparently CSS support is disabled by default on Blackberry devices, for example. She also noted that most mobile web users were either in urgent need of information, or bored. A reminder that the mobile web still falls a long way short of its potential.

Microsoft’s Mark Quirk gave a demo of 10 things developers can do for free on Microsoft’s platform. This is a tough crowd for the company. We were shown the complete works of Charles Dickens on a single page, then zooming in to read the text. Great demo, but no applause. Why? Because it’s Microsoft, and the average attendee here carries a Mac and develops on an open source stack.

Zoho gave a sparsely-attended demo of its online application suite. It seems very capable; yet I get the impression that Zoho is losing the battle for attention. Possibly its products do too much, at the expense of usability. I am reminded of Om Malik’s comment yesterday, on web apps that “don’t address the principle of fixing someone’s pain point… a lot just do too much and it’s not clear who they are for”.

Steve Souders from Yahoo spoke on performance. He says to fix the front-end; in most cases the bottleneck is not in the database or server-side algorithms. He has a great collection of tips for speeding the performance of web pages. The crowd was impressed and I’m told that copies of his book were being snapped up on the bookstall afterwards.

Matt Mullenweg talked about the architecture of He does a good job of de-mystifying scalability. Apparently his site is now somewhere around the 20th most visited in the USA, but runs on relatively modest hardware. His three “magic tools”: Pound (load balancer), Wackamole (manages IP addresses for a cluster) and Spread (messaging). He also uses MySQL in master/slave configuration. Another point of interest – everything is in Subversion, even kernels. Favourite quote: “Spam is the Achilles heel of Web 2.0.” Slides are here.

I interviewed Mullenweg and will post a link in due course.

Best of show so far? John Resig on the future of FireFox. He’s now posted his slides; see also my comments.

John Resig makes the case for standards-based Rich Internet Applications

John Resig is a brilliant developer who is the creator of JQuery, a fast and lightweight JavaScript library. He is also JavaScript evangelist at the Mozilla Corporation. He spoke here at The Future of Web Apps on the future of FireFox and JavaScript.

It was a fascinating presentation which demonstrated that it is not just Adobe (Flash, AIR), Microsoft (Silverlight) and Sun (JavaFX) who are in the Rich Internet Application game. Resig began with a tour of new features in JavaScript 2.0, most of which was familiar to me as it seems to be essentially ECMAScript 4.0 a.k.a ActionScript 3.0. In short, JavaScript is becoming more like Java, complete with full object orientation, optional strict typing, and a Just-in-time (JIT) compiler. Adobe has donated much of its code for the ActionScript runtime, in the form of the Tamarin project, which will eventually be part of FireFox 4.0.

My interest perked up when Resig started talking about three monkeys. These are:

  • Action Monkey – Tamarin in FireFox 4.0
  • Screaming Monkey – Tamarin in IE, via the Flash runtime, enabling developers to use it cross-browser
  • Iron Monkey – Python and Ruby for Tamarin

This was new to me. Resig continued by showing some of the work Mozilla is doing to support advanced graphics and multimedia. The Canvas element in HTML 5 interacts with OpenGL to support 3D effects. There is even the possibility of embedding C code in the browser for raw performance, though the security implications mean this is unlikely to be used for general Web pages. Resig also showed generic audio and video support built into the browser. This will integrate with SVG, and we saw how live video can be played back in SVG elements even while they are being dragged around a canvas. Just like Microsoft demonstrates for Silverlight, as it happens.

After showing us how Mozilla might make Flash and Silverlight unnecessary, Resig went on to tackle offline applications. He told us that Mozilla is working to “converge” the three popular offline APIs – Mozilla’s own, Google Gears, and WHATWG. “A final amalgam will be in FireFox 3”, he said.

Resig also described plans for offline applications. This includes Webrunner, a desktop host for XUL applications, and Prism, which lets you install a web application as a desktop application. XUL is Mozilla’s XML user interface language – analogous to Microsoft’s XAML and Adobe’s MXML.

None of this is coming out soon. By the time it does, won’t Adobe and perhaps Microsoft have wrapped up the market for rich multimedia in web applications? And isn’t Mozilla on collision course with Adobe, despite the Tamarin collaboration, since much of what Resig demonstrated competes with Flash, Flex and AIR? After all, Adobe ceased supporting SVG after its acquisition of Macromedia and thereby Flash.

I asked a question about this, and Resig answered tactfully:

Adobe and Mozilla are two separate beasts. They sometimes have very similar goals, like getting the Tamarin virtual machine out. Sometimes the goals differ a bit. We have a pretty good vision of the open web as a viable platform for anyone to develop on. HTML, CSS, JavaScript. This is the core that people should be developing with.

It would be great to see Mozilla disrupting the progress of these two proprietary internet plug-ins, Flash and Silverlight, by providing an open alternative, but it does look as if it will all come too late.

Update: Resig has posted his slides here. He has also clarified the timing:

Of the features mentioned in the presentation, the ones that are coming in Firefox 3 are: SVG Foreign Object, Offline Web Apps, Webrunner/Prism, and JavaScript 1.6-1.8.