Dare Obasanjo's weblog

OAuth 2.0: The good, the bad and the ugly

Eran Hammer-Lahav, the former editor of the OAuth 2.0 specification, announced the fact that he would no longer be the editor of the standard in a harshly critical blog post entitled OAuth 2.0 and the Road to Hell where he made a number of key criticisms of the specification the meat of which is excerpted below

Last month I reached the painful conclusion that I can no longer be associated with the OAuth 2.0 standard. I resigned my role as lead author and editor, withdraw my name from the specification, and left the working group. Removing my name from a document I have painstakingly labored over for three years and over two dozen drafts was not easy. Deciding to move on from an effort I have led for over five years was agonizing.

There wasn’t a single problem or incident I can point to in order to explain such an extreme move. This is a case of death by a thousand cuts, and as the work was winding down, I’ve found myself reflecting more and more on what we actually accomplished. At the end, I reached the conclusion that OAuth 2.0 is a bad protocol. WS-* bad. It is bad enough that I no longer want to be associated with it. It is the biggest professional disappointment of my career.

All the hard fought compromises on the mailing list, in meetings, in special design committees, and in back channels resulted in a specification that fails to deliver its two main goals – security and interoperability. In fact, one of the compromises was to rename it from a protocol to a framework, and another to add a disclaimer that warns that the specification is unlike to produce interoperable implementations.

When compared with OAuth 1.0, the 2.0 specification is more complex, less interoperable, less useful, more incomplete, and most importantly, less secure.

To be clear, OAuth 2.0 at the hand of a developer with deep understanding of web security will likely result is a secure implementation. However, at the hands of most developers – as has been the experience from the past two years – 2.0 is likely to produce insecure implementations.

Given that I’ve been professionally associated with OAuth 2.0 over the past few years from using OAuth 2.0 as the auth method for SkyDrive APIs to acting as an advisor for the native support of OAuth 2.0 style protocols in the Web Authentication Broker in Windows 8, I thought it would be useful to provide some perspective on what Eran has written as an implementer and user of the protocol.

The Good: Easier to work with than OAuth 1.0

I’ve been a big fan of web technologies for a fairly long time. The great thing about the web is that it is the ultimate distributed system and you cannot make assumptions about any of the clients accessing your service as people have tended to do in the ~~enterprisey world~~ past. This encourages technologies to be as simple as possible to reduce the causes of friction as much as possible. This has led to the rise of drop dead simple protocols like HTTP and data formats like JSON.

One of the big challenges with OAuth 1.0 is that it pushed a fairly complex and fragile set of logic on app developers who were working with the protocol. This blog post from the Twitter platform team on the most complicated feature in their API bears this out

Ask a developer what the most complicated part of working with the Twitter API is, and there's a very good chance that they'll say OAuth. Anyone who has ever written code to calculate a request signature understands that there are several precise steps, each of which must be executed perfectly, in order to come up with the correct value.

One of the points of our acting on your feedback post was that we were looking for ways to improve the OAuth experience.

Given that there were over 750,000 registered Twitter developers last year, this is a lot of pain to spread out across their ecosystem. OAuth 2.0 greatly simplifies the interaction model between clients and servers by eliminating the requirement to use signed request signatures as part of the authentication and authorization process.

The Bad: It’s a framework not a protocol

The latest draft of the OAuth 2.0 specification has the following disclaimer about interoperability

OAuth 2.0 provides a rich authorization framework with well-defined security properties. However, as a rich and highly extensible framework with any optional components, on its own, this specification is likely to produce a wide range of non-interoperable implementations.

In addition, this specification leaves a few required components partially or fully undefined (e.g. client registration, authorization server capabilities, endpoint discovery). Without these components, clients must be manually and specifically configured against a specific authorization server and resource server in order to interoperate.

What this means in practice for developers is that learning how one OAuth 2.0 implementation works is unlikely to help you figure out how another compliant one behaves given the degree of latitude that implementers have. Thus the likelihood of being able to take the authentication/authorization code you wrote with a standard library like DotNetOpenAuth against one OAuth 2.0 implementation and then pointing it at a different one by only changing a few URLs then expecting things to work is extremely low.

In practice I expect this to not be as problematic as it sounds on paper simply because at the end of the day authentication and authorization is a small part of any API story. In general, most people will still get the Facebook SDK, Live SDK, Google Drive SDK, etc of their target platform to build their apps and it is never going to be true that those will be portable between services. For services that don’t provide multiple SDKs it is still true that the rest of the APIs will be so different that the fact that the developer’s auth code has to change will not be as big of a deal to the developer.

That said, it is unfortunate that once cannot count on a degree of predictability across OAuth 2.0 implementations.

The Ugly: Making the right choices is left as an exercise for the reader

The biggest whammy in the OAuth 2.0 specification which Eran implies is the reason he decided to quit is hinted at in the end of the aforementioned disclaimer

This framework was designed with the clear expectation that future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability.

This implies that there are a bunch of best practices in utilizing a subset of the protocol (i.e. prescriptive profiles) that are yet to be defined. As Eran said in his post, here is a list of places where there are no guidelines in the spec

No required token type
No agreement on the goals of an HMAC-enabled token type
No requirement to implement token expiration
No guidance on token string size, or any value for that matter
No strict requirement for registration
Loose client type definition
Lack of clear client security properties
No required grant types
No guidance on the suitability or applicability of grant types
No useful support for native applications (but lots of lip service)
No required client authentication method
No limits on extensions

There are a number of places where it would be a bad idea if an implementer decided not to implement a feature without considering the security implications such as token expiration. In my day job, I’ve also been bitten by the lack of guidance on token string sizes with some of our partners making assumptions about token size that later turned out to be inaccurate which led to scrambling on both sides.

My advice for people considering implementing OAuth 2.0 on their service would be to ensure there is a security review of whatever subset of the features you are implementing before deploying the service at large. If you can’t afford or don’t have security people on staff then at the minimum I’d recommend picking one of the big guys (e.g. Google, Facebook or Microsoft) and implementing the same features that they have since they have people on staff whose job is to figure out the secure combination of OAuth 2.0 features to implement as opposed to picking and choosing without a frame of reference.

Note Now Playing: Notorious B.I.G. - You're Nobody Till Somebody Kills You Note

Categories: Web Development

February 12, 2012

@ 02:34 PM

Some Thoughts on Address Book Privacy and Hashing as an Alternative to Gathering Raw Email Addresses

If you hang around technology blogs and news sites, you may have seen the recent dust up after it was discovered that many iOS apps upload user address books to their servers to perform friend finding operations. There has been some outrage about this because this has happened silently in the majority of cases. The reasons for doing this typically are not nefarious. Users sign up to the service and provide their email address as a username or contact field. This is used to uniquely identify the user. Then when one of the user’s friends joins the service, the app asks the friend for their contact list then finds all of the existing users they whose email addresses are in the new users list of contacts. Such people you may know features are the bread and butter of growing the size of a social graph and connectedness in social applications.

There are a number of valid problems with this practice and the outrage has focused on one of them; apps were doing this without explicitly telling users what they were doing and then permanently storing these contact lists. However there are other problems as well that get into tricky territory around data ownership and data portability. The trickiest being whether it is OK for me to share your email address and other contact details with another entity without your permission given it identifies you. If you are a private individual with an unlisted phone number and private email address only given to a handful of people, it seems tough to concede that it is OK for me to share this information with any random app that asks me especially if you have this information as private for a reason (e.g. celebrity, high ranking government official, victim of a crime, etc).

As part of my day job leading the program management team behind the Live Connect developer program which among other things provides access to the Hotmail and Messenger contact lists, these sorts of tricky issues where one has to balance data portability and user privacy are top of mind. I was rather pleased this morning to read a blog post titled Hashing for privacy in social apps by Matt Gemmell which advocates the approach we took with Live Connect. Matt writes

Herein lies the (false) dilemma: you’re getting a handy social feature (automatic connection with your friends), but you’re losing your privacy (by allowing your friends’ email addresses to be uploaded to Path’s servers). As a matter of fact, your friends are also losing their privacy too.

What an awful choice to have to make! If only there was a third option!

For fun, let’s have a think about what that third option would be.

Mathematics, not magic

Hypothetically, what we want is something that sounds impossible:

Some way (let’s call it a Magic Spell) to change some personal info (like an email address) into something else, so it no longer looks like an email address and can’t be used as one. Let’s call this new thing Gibberish.

It must be impossible (or at least very time-consuming) to change the Gibberish back into the original email address (i.e. to undo the Magic Spell).

We still need a way to compare two pieces of Gibberish to see if they’re the same.

Clearly, that’s an impossible set of demands.

Except that it’s not impossible at all.

We’ve just described hashing, which is a perfectly real and readily-available thing. Unlike almost all forms of magic, it does actually exist - and like all actually-existing forms of magic, it’s based entirely on mathematics. Science to the rescue!

This is the practice we’ve advocated with Live Connect as well. Instead of returning email addresses of a user’s contacts from our APIs, we provide email hashes instead. That way applications don’t need to store or match against actual email addresses of our users but can still get all the value of providing a user with the a way to find their Hotmail or Messenger contacts who also use that service.

We also provide code samples that show how to work with these hashes and I remember being in discussions with folks on the team as to whether developers would ever want to do this since storing and comparing email addresses is less code than working with hashes. Our conclusion was that it would be just a matter of time before this would be an industry best practice and it was best if we were ahead of the curve. It will be interesting to see if our industry learns from this experience or whether it will take external pressure.

Note Now Playing: Notorious B.I.G. - Want That Old Thing Back (featuring Ja Rule and Ralph Tresvant) Note

Categories: Web Development

January 3, 2012

@ 03:13 PM

What I Learned After 3 Weeks of Writing Mobile Apps

Towards the end of last year, I realized I was about to bump up against the ”use it or lose it” vacation policy at work which basically means I either had to take about two weeks of paid vacation or forfeit the vacation. Since I hadn’t planned the time off I immediately became worried about what to do with all that idle time especially since if left to my own devices I’d play 80 straight hours of Modern Warfare 3 without pause.

To make sure the time was productively used I decided to write a mobile app as a learning exercise about the world of mobile development since I’ve read so much about it and part of my day job is building APIs for developers of mobile apps. I ended up enjoying the experience so much I added an extra week of vacation and wrote two apps for Windows Phone. I’d originally planned to write one app for Windows Phone then port it to iOS or Android but gave up on that due to time constraints after some investigation of both.

I learned a bunch about mobile development from this exercise and a few friends have asked me to share of my thoughts on mobile development in general and building for Windows Phone using Microsoft platforms in particular. If you are already a mobile developer then some of this is old hat to you but I did find a bunch of what I learned to be counterintuitive and fairly eye opening so you might too.

Thoughts on Building Mobile Apps on Any Platform

This section is filled with items I believe are generally applicable if building iOS, Android or Windows Phone apps. These are mostly things I discovered as part of my original plan to write one app for all three platforms.

A consistent hardware ecosystem is a force multiplier

After realizing the only options for doing iPhone development on Windows was the Dragon Fire SDK which only supports games, I focused on learning as much as I could about Android development options. The Xamarin guys have MonoTouch which sounded very appealing to me as a way to leverage C# skills across Android and Windows Phone until I saw the $400 price tag. :)

One of the things I noticed upon downloading the Android SDK as compared to installing the Windows Phone SDK is that the Android one came with a bunch of emulators and SDKs for various specific devices. As I started development on my apps, there were many times I was thankful for the consistent set of hardware specifications for Windows Phone. Knowing that the resolution was always going to be WVGA and so if something looked good in the emulator then it would look good on my device and those of my beta testers not only gave piece of mind but made UX development a breeze.

Comparing this to an ecosystem like Android where the diversity of hardware devices with varying screen resolutions have made developers effectively throw up their hands as in this article quoted by Jeffrey Zeldman

If … you have built your mobile site using fixed widths (believing that you’ve designed to suit the most ‘popular’ screen size), or are planning to serve specific sites to specific devices based on detection of screen size, Android’s settings should serve to reconfirm how counterproductive a practice this can be. Designing to fixed screen sizes is in fact never a good idea…there is just too much variation, even amongst ‘popular’ devices. Alternatively, attempting to track, calculate, and adjust layout dimensions dynamically to suit user-configured settings or serendipitous conditions is just asking for trouble.

Basically, you’re just screwed if you think you can build a UI that will work on all Android devices. This is clearly not the case if you target Windows Phone or iOS development. This information combined with my experiences building for Windows Phone convinced me that it is more likely I’ll buy a Mac and start iOS development than it is that I’d ever do Android development.
No-name Web Hosting vs. name brands like Amazon Web Services and Windows Azure

One of my apps had a web service requirement and I initially spent some time investigating both Windows Azure and Amazon Web Services. Since this was a vacation side project I didn’t want expenses to get out of hand so I was fairly price sensitive. Once I discovered AWS charged less for Linux servers I spent a day or two getting my Linux chops up to speed given I hadn’t used it much since my the early 2000s. This is where I found out about yum and discovered the interesting paradox that discovering and installing software on modern Linux distros is simultaneously much easier and much harder than doing so on Windows 7. Anyway, that’s a discussion for another day.

I soon realized I had been penny wise and pound foolish when focusing on the cost of Linux hosting when it turns out what breaks the bank is database hosting. Amazon charges about $0.11 an hour ($80 a month) for RDS hosting at the low end. Windows Azure seemed to charge around the same ballpark when I looked two months ago but it seems they’ve revamped their pricing site since I did my investigation.

Once I realized database hosting would be the big deciding factor in cost. It made it easier for me to stick with the familiar and go with instead of as a LAMP server stack. If I had stuck with LAMP , I could have gone with a provider like Blue Host to get the entire web platform + database stack for less than $10 with perks like free credits for Google ads thrown in. With the WISC stack, hosters like Discount ASP and Webhost 4 Life charge in the ballpark of $15 which is about $10 if you swap out SQL Server for MySQL.

These prices were more my speed. I was quite surprised that even though all the blogs talk about AWS and Azure, it made the most sense for my bootstrapped apps to start with a vanilla web host and pay up to ten times less for service than using one of the name brand cloud computing services. Paying almost ~$100 a month for services with elastic scaling properties may make sense if my apps stick around and become super successful but not at the start.

Another nice side effect of going with a web hosting provider is the reduced complexity from going with a cloud services provider. Anyone who's gone through the AWS getting started guides after coming from vanilla web hosting knows what I mean.
Facebook advertising beats search ads for multiple app categories

As mentioned above, one of the perks of some of the vanilla hosting providers is that they throw in free credits for ads on Google AdSense/Adwords and Facebook ads as part of the bundle. I got to experiment with buying ads on both platforms and I came away very impressed with what Facebook has built as an advertising platform.

I remember reading a few years ago that MySpace had taught us social networks are bad for advertisers. Things are very different in today’s world. With search ads, I can choose to show ads alongside results when people search for a term that is relevant to my app. With Facebook ads, I get to narrowly target demographics based on detailed profile attributes such as Georgia Tech alumni living in New York who have expressed an interest in DC or Marvel comics. The latter seems absurd at first until you think about an app like Instagram.

No one is searching for "best photo sharing app for the iphone" on Google and even if you are one of the few people who has, there aren’t a lot of you. On the other hand, at launch the creators of Instagram could go to Facebook and say we'd like to show ads to people who have liked or use an and who also have shown an affiliation for photo sharing apps or sites like Flickr, Camera+, etc then craft specific pitches for those demographics. I don’t know about you but I know which sounds like it would be more effective and relevant.

This also reminded me that I'd actually clicked on more ads on Facebook than I've ever clicked on search ads.
Lot's of unfilled niches still exist

I remember being in college back in the day, flipping through my copy of Yahoo! Internet Life and thinking that we were oversaturated with websites and all the good ideas were already taken. This was before YouTube, Flickr, SkyDrive, Facebook or Twitter. Silly me.

The same can be said about mobile apps today. I hear a lot about there being 500,000 apps in the Apple app store and the same number being in Android Market. To some this may seem overwhelming but there are clearly still niches that are massively underserved on those platforms and especially on Windows Phone which just hit 50,000 apps.

There are a lot of big and small problems in people's lives that can be addressed by bringing the power of the web to the devices in their pockets in a tailored way. The one thing I was most surprised by is how many apps haven't been written that you'd expect to exist just from extrapolating what we have on the Web and the offline world today. I don't just mean geeky things like a non-propeller head way to share bookmarks from my desktop to my phone and vice versa without emailing myself but instead applications that would enrich the lives of millions of regular people out there that they'd be gladly willing to pay $1 for (less than the price of most brands of bubble gum these days).

If you are a developer, don't be intimidated by the size of the market nor be attracted to the stories of the folks who've won the lottery by gambling on being in the right place at the right time with the right gimmick (fart apps, sex position guides and yet another photo sharing app). There are a lot of problems that can be solved or pleasant ways to pass the time on a mobile device that haven’t yet been built. Look around at your own life and talk to your non-technical friends about their days. There is lots of inspiration out there if you just look for it.
Look for Platforms that Favor User Experience over Developer Experience

One of the topics I’ve wanted to write about in this blog is how my generation of software developers who came of age with the writings of Richard Stallman and Eric Raymond’s The Cathedral and the Bazaar with its focus on building software with a focus on making the developers who use the software happy collides with the philosophy of software developers who have come of age in the era of Steve Jobs and what Dave Winer has called The Un-Internet where focusing on providing a controlled experience which is smoother for end users leads to developers being treated as second fiddle.

As a developer, having to submit my app to some app store to get it certified when I could publish on the web as soon as I was done checking in the code to my local github repository is something I chafe against. When working on my Windows Phone apps, I submitted one to be certified and found prominent typos a few hours later. However there was nothing I could do but wait for five business days for my app to be approved after which I could submit the updated version to be certified which would take another week in calendar days. Or so I thought.

My initial app submission was rejected for failing a test case around proper handling of lack of network connectivity. I had cut some corners in my testing when it came to testing network availability support once I discovered NetworkInterface.GetIsNetworkAvailable() always returns true in the emulator which meant I had to actually test that process on my phone. I never got around to it by telling myself no one actually expects a network connected app to work if they don’t have connectivity.

The Windows Phone marketplace rejected my app because it turns out it crashes if you lose network connectivity. I was actually pretty impressed that someone at Microsoft is tasked with making sure any app a user installs from the store doesn't crash for common edge cases. Then I thought about the fact that my wife, my 3 year old son, and my non-technical friends all use mobile apps and it is great that this level of base set of quality expectations are being built into the platform. Now when I think back to Joe Hewitt famously quitting the Apple App store and compare it to the scam of the week culture that plagues the Android marketplace, I know which model I prefer as a user and a developer. It’s the respect for the end user experience I see coming out of Cupertino and Redmond.

This respect for end users ends up working for developers which is why there really is no surprise that iOS devs make 6 time smore than their Android counterparts because users are more likely to spend money on apps on iOS.

Thoughts on Microsoft-Specific Development

In addition to the general thoughts there were some things specific to either Windows Phone or WISC development I thought were worth sharing as well. Most of these were things I found on the extremely excellent Stack Overflow, a site which cannot be praised enough.

Free developer tools ecosystem around Microsoft technology is mature and surprisingly awesome

As a .NET developer I’ve been socialized into thinking that Microsoft tools are the realm of paying an arm and a leg for tools while people building on Open Source tools get great tools for free. When I was thinking about building my apps on Linux I actually got started using Python for a web crawler that was intended to be part of my app as well as for my web services. When I was looking at Python I played around with web.py and wrote the first version of my crawler using Beautiful Soup.

As I moved on the .NET I worried I’d be stuck for such excellent free tooling but that was not the case. I found similar and in some cases better functionality for what I was looking for in Json.NET and the HTML Agility Pack. Besides a surprising amount of high quality, free libraries for .NET development, it was the free tools for working with SQL Server that sent me over the top. Once I grabbed SQL Complete, an autocomplete/Intellisense tool for SQL Server, I felt my development life was complete. Then I found ELMAH. Fatality…I’m dead and in developer heaven.
Building RESTful web services that emit JSON wasn't an expected scenario from Microsoft dev tools teams?

As part of my day job, I'm responsible for Live Connect which among other things provides a set of RESTful JSON-based APIs for accessing data in SkyDrive, Hotmail and Windows Live Messenger. So it isn't surprising that when I wanted to build a web service for one of my side projects I'd want to do the same. This is where things broke down.

The last time I looked at web services development on the WISC the way to build web services was to use Windows Communication Foundation (WCF). So I decided to take a look at that and found out that the product doesn’t really support JSON-based web services out of the box but I could grab something called the WCF Web API off of CodePlex. Given the project seemed less mature than the others I’d gotten off of CodePlex I decided to look at ASP.NET and see what I could get there since it needs to enable JSON-based REST APIs as part of its much touted JQuery support. When I got to the ASP.NET getting started page, I was greeted with the statement that ASP.NET enables building 3 patterns of websites and I should choose my install based on what I wanted. Given that I didn't want to build an actual website not a web service I didn't pick any of them

Since I was short on time (after all, this was my vacation) I went back to what I was familiar with and used ASP.NET web services with HTTP GET & POST enabled. I’m not sure what the takeaway is here since I clearly built my solution using a hacky mechanism and not a recommended approach yet it is surprising to me that what seems like such a mainline scenario isn’t supported in a clear out-of-the-box manner by Microsoft’s dev tools.
Embrace the Back Button on Windows Phone

One of the things I struggled with the most as part of Windows Phone development was dealing with the application lifecycle. The problem is that at any point the user can jump out of your app and the operating system will put your app in either a dormant state where data is still stored in memory or tombstone your app in which case it is killed and state your app cares about is preserved.

One of the ways I eventually learned to thing about this the right way was to aggressively use the back button while testing my app. This led to finding all sorts of interesting problems and solutions such as how to deal with a login screen when the user clicks back and that a lot of logic I thought should be in the constructor of a page really should be in the OnNavigatedTo method (and don’t forget to de-register some of those event handlers in your OnNavigatedFrom event handler).

I could probably write more on this but this post has gotten longer than I planned and I need to take my son to daycare & get ready for work. I’ll try to be a more diligent blogger this year depending on whether the above doesn’t make too many people unhappy.

Happy New Year.

Note Now Playing: Kanye West - Devil In A New Dress (featuring Rick Ross) Note

Categories: Programming | Web Development

June 3, 2011

@ 02:44 PM

BUILD: I’ll be there and if you’re a web developer you should be too

Earlier this week, Microsoft took the initial wraps off of the next version of Windows (aka "Windows 8"). As someone who loves personal computing and loves the Web, there’s a lot I find exciting about what we just announced. The official announcement Previewing ‘Windows 8 states the following

The demo showed some of the ways we’ve reimagined the interface for a new generation of touch-centric hardware. Fast, fluid and dynamic, the experience has been transformed while keeping the power, flexibility and connectivity of Windows intact.

Here are a few aspects of the new interface we showed today:

• Fast launching of apps from a tile-based Start screen, which replaces the Windows Start menu with a customizable, scalable full-screen view of apps.

• Live tiles with notifications, showing always up-to-date information from your apps.

• Fluid, natural switching between running apps.

• Convenient ability to snap and resize an app to the side of the screen, so you can really multitask using the capabilities of Windows.

• Web-connected and Web-powered apps built using HTML5 and JavaScript that have access to the full power of the PC.

• Fully touch-optimized browsing, with all the power of hardware-accelerated Internet Explorer 10.
…
Today, we also talked a bit about how developers will build apps for the new system. Windows 8 apps use the power of HTML5, tapping into the native capabilities of Windows using standard JavaScript and HTML to deliver new kinds of experiences. These new Windows 8 apps are full-screen and touch-optimized, and they easily integrate with the capabilities of the new Windows user interface. There’s much more to the platform, capabilities and tools than we showed today.
…
The video below introduces a few of the basic elements of the new user interface. Although we have much more to reveal at our developer event, BUILD (Sept. 13 - 16 in Anaheim, Calif.), we’re excited to share our progress with you.

If you’re a web developer this represents an amazing opportunity and one that should fill you with excitement. Of course, you shouldn’t take the words of a Microsoft employee but should also listen to what even people with cynical opinions of Microsoft are saying such as Mike Mace in his article Windows 8: The Beginning of the End of Windows where he writes

So it's far too early to make any judgments on Windows 8, which Microsoft just previewed (link). There are an incredible number of ways it could go wrong.

But. I've got to say, this is the first time in years that I've been deeply intrigued by something Microsoft announced. Not just because it looks cool (it does), but because I think it shows clever business strategy on Microsoft's part. And I can't even remember the last time I used the phrase "clever business strategy" and Microsoft in the same sentence.
…
What it means to the rest of us
The history of platform transitions is that they are huge opportunities for developers. They reset the playing field for apps and devices. Look at the history: The leaders in DOS applications (Lotus, Word Perfect, etc) were second rate in GUI software. The leaders in GUI apps (Adobe, Microsoft, etc) were not dominant in the web. It's actually very rare for a software company that was successful in the old paradigm to transfer that success to the new one. Similar turnover has happened in hardware transitions (for example, Compaq rode the Intel 386 chip to prominence over IBM in PCs). And yes, there is a hardware transition as part of Windows 8, since it will now support ARM chips, and you'll want a touchscreen to really take advantage of it.

So if you're running an existing PC hardware or software company, ask yourself how a new competitor could use the platform transition to challenge your current products. Here's a sobering thought to keep you awake tonight: the odds are that the challengers will win. The company most at risk from this change is the largest vendor of Windows apps, Microsoft itself. Microsoft Office must be completely rethought for the new paradigm. You have about 18 months, guys. Good luck.

By the way, web companies are also at risk. Your web apps are designed for a browser-centric, mouse-driven user experience. What happens to your app when the browser melts into the OS, and the UI is driven by touch? If you think this change doesn't affect you, I have an old copy of WordStar that you can play with. Google and Facebook, I am talking to you.

You should read the rest of Mike’s post because it has an interesting perspective. I strongly believe in the core premise of the article that Windows 8 is disruptive. Not only is it disruptive to the software industry as a whole but it will be disruptive even for the way Microsoft does business today. When Steve Ballmer said Windows 8 will be Microsoft's riskiest product bet he wasn’t kidding.

Out of disruption comes opportunity and if you’re a web developer you have a front row seat in taking advantage of this opportunity. Don’t waste it. You should register for the BUILD conference. I’ll be there and with any luck I may even get to give a talk or two. See you there.

Note Now Playing: Jay-Z - On To The Next One (featuring Swizz Beats) Note

Categories: Life in the B0rg Cube | Web Development

January 30, 2011

@ 05:44 PM

Comments [17]

Learning from our Mistakes: The Failure of OpenID, AtomPub and XML on the Web

I’ve now been working and blogging about web technology long enough to see technologies that we once thought were the best thing since sliced bread turn out to be rather poor solutions to the problem or even worse that they create more problems than they solve. Since I’ve written favorably about all of the technologies mentioned below this is also a mea culpa where I try to see what I can learn about judging the suitability of technologies to solving problems on the web without being blinded by the hype from the “cool kids” on the web.

The Failure of OpenID

According to Wikipedia, “OpenID is an open standard that describes how users can be authenticated in a decentralized manner, obviating the need for services to provide their own ad hoc systems and allowing users to consolidate their digital identities”. So the problem that OpenID solves is having to create multiple accounts on different websites but instead being able to re-use from the identity provider (i.e. website) of your choice. OpenID was originally invented in 2005 by Brad Fitzpatrick to solve the problem of having bloggers having to create an account on a person’s weblog or blogging service before being able to leave a comment.

OpenID soon grew beyond it’s blog-centric origins and has had a number of the big name web companies either implement it in some way or be active in it's community. Large companies and small companies alike have been lobbied to implement OpenID and accused of not being “open” when they haven’t immediately jumped on the band wagon. However now that we’ve had five years of OpenID, there are a number of valid problems that have begun to indicate the emperor may either have no close or at least is just in his underwear.

The most recent set of hand wringing about the state of OpenID has been inspired by 37 Signals announcing they'll be retiring OpenID support but the arguments against OpenID have been gathering steam for months if not years.

First of all, there have been the arguments that OpenID is too complex and yet doesn't have enough features from people who’ve been supporting the technology for years like David Recordon. Here is an excerpt from David Recordon’s writings on the need for an OpenID Connect

In 2005 I don't think that Brad Fitzpatrick or I could have imagined how successful OpenID would become. Today there are over 50,000 websites supporting it and that number grows into the millions if you include Google FriendConnect. There are over a billion OpenID enabled URLs and production implementations from the largest companies on the Internet.
…
We've heard loud and clear that sites looking to adopt OpenID want more than just a unique URL; social sites need basic things like your name, photo, and email address. When Joseph Smarr and I built the OpenID/OAuth hybrid we were looking for a way to provide that functionality, but it proved complex to implement. So now there's a simple JSON User Info API similar to those already offered by major social providers.

We have also heard that people want OpenID to be simple. I've heard story after story from developers implementing OpenID 2.0 who don't understand why it is so complex and inevitably forgot to do something. With OpenID Connect, discovery no longer takes over 3,000 lines of PHP to implement correctly. Because it's built on top of OAuth 2.0, the whole spec is fairly short and technology easy to understand. Building on OAuth provides amazing side benefits such as potentially being the first version of OpenID to work natively with desktop applications and even on mobile phones.

50,000 websites sounds like a lot until you think about the fact that Facebook Connect which solves a similar problem had been adopted by 250,000 websites during the same time frame and had been around less than half as long as OpenID. It’s also telling to ask yourself how often you as an end user actually have used OpenID or even seen that it is available on a site.

The reason for why you can count the instances you’ve had this occur on one or two hands is eloquently articulated in Yishan Wong’s answer to the question What's wrong with OpenID on Quora which is excerpted below

The short answer is that OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have. That's what's "wrong" with it.

To answer the most immediate question of "isn't having to register and log into many sites a big problem that everyone has?," I will say this: No, it's not. Regular normal people have a number of solutions to this problem. Here are some of them:

use the same username/password for multiple sites

use their browser's ability to remember their password (enabled by default)

don't register for the new site

don't ever log in to the site

log in once, click "remember me"

click the back button on their browser and never come back to the site

maintain a list of user IDs and passwords in an offline document

These are all perfectly valid solutions that a regular user finds acceptable. A nerd will wrinkle up his nose at these solutions and grumble about the "security vulnerabilities" (and they'll be right, technically) but the truth is that these solutions get people into the site and doing what they want and no one really cares about security anyways. On the security angle, no one is going to adopt a product to solve a problem they don't care about (or in many cases, even understand).
…
The fact that anyone even expects that OpenID could possibly see any amount of adoption is mind-boggling to me. Proponents are literally expecting people to sign up for yet another third-party service, in some cases log in by typing in a URL, and at best flip away to another branded service's page to log in and, in many cases, answer an obscurely-worded prompt about allowing third-party credentials, all in order to log in to a site. This is the height of irony - in order to ease my too-many-registrations woes, you are asking me to register yet again somewhere else?? Or in order to ease my inconvenience of having to type in my username and password, you are having me log in to another site instead??

Not only that, but in the cases where OpenID has been implemented without the third-party proxy login, the technical complexity behind what is going on in terms of credential exchange and delegation is so opaque that even extremely sophisticated users cannot easily understand it (I have literally had some of Silicon Valley's best engineers tell me this). At best, a re-directed third-party proxy login is used, which is the worst possible branding experience known on the web - discombobulating even for savvy internet users and utterly confusing for regular users. Even Facebook Connect suffers from this problem - people think "Wait, I want to log into X, not Facebook..." and needs to overcome it by making the brand and purpose of what that "Connect with Facebook" button ubiquitous in order to overcome the confusion.

I completely agree with Yishan’s analysis here. Not only does OpenID complicate the sign-in/sign-up experience for sites that adopt it but also it is hard to confidently make the argument that end users actually consider the problem OpenID is trying to solve be worth the extra complication.

The Failure of XML on the Web

At the turn of the last decade, XML could do no wrong. There was no problem that couldn’t be solved by applying XML to it and every technology was going to be replaced by it. XML was going to kill HTML. XML was going to kill CORBA, EJB and DCOM as we moved to web services. XML was a floor wax and a dessert topping. Unfortunately, after over a decade it is clear that XML has not and is unlikely to ever be the dominant way we create markup for consumption by browsers or how applications on the Web communicate.

James Clark has XML vs the Web where he talks about this grim realization

Twitter and Foursquare recently removed XML support from their Web APIs, and now support only JSON. This prompted Norman Walsh to write an interesting post, in which he summarised his reaction as "Meh". I won't try to summarise his post; it's short and well-worth reading.

From one perspective, it's hard to disagree. If you're an XML wizard with a decade or two of experience with XML and SGML before that, if you're an expert user of the entire XML stack (eg XQuery, XSLT2, schemas), if most of your data involves mixed content, then JSON isn't going to be supplanting XML any time soon in your toolbox.
…
There's a bigger point that I want to make here, and it's about the relationship between XML and the Web. When we started out doing XML, a big part of the vision was about bridging the gap from the SGML world (complex, sophisticated, partly academic, partly big enterprise) to the Web, about making the value that we saw in SGML accessible to a broader audience by cutting out all the cruft. In the beginning XML did succeed in this respect. But this vision seems to have been lost sight of over time to the point where there's a gulf between the XML community and the broader Web developer community; all the stuff that's been piled on top of XML, together with the huge advances in the Web world in HTML5, JSON and JavaScript, have combined to make XML be perceived as an overly complex, enterprisey technology, which doesn't bring any value to the average Web developer.

This is not a good thing for either community (and it's why part of my reaction to JSON is "Sigh"). XML misses out by not having the innovation, enthusiasm and traction that the Web developer community brings with it, and the Web developer community misses out by not being able to take advantage of the powerful and convenient technologies that have been built on top of XML over the last decade.

So what's the way forward? I think the Web community has spoken, and it's clear that what it wants is HTML5, JavaScript and JSON. XML isn't going away but I see it being less and less a Web technology; it won't be something that you send over the wire on the public Web, but just one of many technologies that are used on the server to manage and generate what you do send over the wire.

The fact that XML based technologies are no longer required tools in the repertoire of the Web developer isn’t news to anyone who follows web development trends. However it is interesting to look back and consider that there was once a time when the W3C and the broader web development community assumed this was going to be the case. The reasons for its failure on the Web are self evident in retrospect.

There have been many articles published about the failure of XML as a markup language over the past few years. My favorites being Sending XHTML as text/html Considered Harmful and HTML5, XHTML2, and the Future of the Web which do a good job of capturing all of the problems with using XML with its rules about draconian error handling on the web where ill-formed, hand authored markup and non-XML savvy tools rule the roost.

As for XML as the protocol for intercommunication between Web apps, the simplicity of JSON over the triumvirate of SOAP, WSDL and XML Schema is so obvious it is almost ridiculous to have to point it out.

The Specific Failure of the Atom Publishing Protocol

Besides the general case of the failure of XML as a data interchange format for web applications, I think it is still worthwhile to call out the failure of the Atom Publishing Protocol (AtomPub) which was eventually declared a failure by the editor of the spec, Joe Gregorio. AtomPub arose from the efforts of a number of geeks to build a better API for creating blog posts. The eventual purpose of AtomPub was to create a generic application programming interface for manipulating content on the Web. In his post titled AtomPub is a Failure, Joe Gregorio discussed why the technology failed to take off as follows

So AtomPub isn't a failure, but it hasn't seen the level of adoption I had hoped to see at this point in its life. There are still plenty of new protocols being developed on a seemingly daily basis, many of which could have used AtomPub, but don't. Also, there is a large amount of AtomPub being adopted in other areas, but that doesn't seem to be getting that much press, ala, I don't see any Atom-Powered Logo on my phones like Tim Bray suggested.

So why hasn't AtomPub stormed the world to become the one true protocol? Well, there are three answers:

Browsers

Browsers

Browsers

…
Thick clients, RIAs, were supposed to be a much larger component of your online life. The cliche at the time was, "you can't run Word in a browser". Well, we know how well that's held up. I expect a similar lifetime for today's equivalent cliche, "you can't do photo editing in a browser". The reality is that more and more functionality is moving into the browser and that takes away one of the driving forces for an editing protocol.
Another motivation was the "Editing on the airplane" scenario. The idea was that you wouldn't always be online and when you were offline you couldn't use your browser. The part of this cliche that wasn't put down by Virgin Atlantic and Edge cards was finished off by Gears and DVCS's.
…
The last motivation was for a common interchange format. The idea was that with a common format you could build up libraries and make it easy to move information around. The 'problem' in this case is that a better format came along in the interim: JSON. JSON, born of Javascript, born of the browser, is the perfect 'data' interchange format, and here I am distinguishing between 'data' interchange and 'document' interchange. If all you want to do is get data from point A to B then JSON is a much easier format to generate and consume as it maps directly into data structures, as opposed to a document oriented format like Atom, which has to be mapped manually into data structures and that mapping will be different from library to library.

As someone who has tried to both use and design APIs based on the Atom format, I have to agree that it is painful to have to map your data model to what is effectively a data format for blog entries instead of keeping your existing object model intact and using a better suited format like JSON.

The Common Pattern in these Failures

When I look at all three of these failures I see a common pattern which I’ll now be on the look out for when analyzing the suitability of technologies for my purposes. In each of these cases, the technology was designed for a specific niche with the assumption that the conditions that applied within that niche were general enough that the same technology could be used to solve a number of similar looking but very different problems.

The argument for OpenID is a lot stronger when limiting the audience to bloggers who all have a personal URL for their blog AND where it actually be a burden to sign up for an account on the millions of self hosted blogs out there. However it isn’t true that same set of conditions applies universally when trying to log-in or sign-up for the handful of websites I use regularly enough to decide I want to create an account.
XML arose from the world of SGML where experts created custom vocabularies for domain-specific purposes such as DocBook and EDGAR. The world of novices creating markup documents in a massively decoupled environment such as the Web needed a different set of underlying principles.
AtomPub assumed that the practice of people creating blog posts via custom blog editing tools (like the one I’m using the write this post) would be a practice that would spread to other sorts of web content and that these forms of web content wouldn’t be much distinguishable from blog posts. It turns out that most of our content editing still takes place in the browser and in the places where we do actually utilize custom tools (e.g. Facebook & Twitter clients), an object-centric domain specific data format is better than an XML-centric blog based data format.

So next time you’re evaluating a technology that is being much hyped by the web development blogosphere, take a look to see whether the fundamental assumptions that led to the creation of the technology actually generalize to your use case. An example that comes to mind that developers should consider doing with this sort of evaluation given the blogosphere hype is NoSQL.

Note Now Playing: Keri Hilson - Knock You Down (featuring Kanye West & Ne-Yo) Note

Categories: Web Development

April 24, 2010

@ 04:22 PM

Comments [12]

Facebook’s Open Graph Protocol from a Web Developer’s Perspective

David Recordon of Facebook has an interesting post titled Why f8 was good for the open web where he talks about how some of Facebook’s announcements at their recent F8 conference increase the openness of the Web. He calls out the following four items as the key benefits to the web as a whole from the F8 announcements

No 24-hour caching limit
An API that is realtime and isn’t just about content
The Open Graph protocol
OAuth 2.0

Of these, the third seems to me to be the most beneficial to the Web as a whole. The first, second and fourth items are really about benefits to Facebook developers. Although I guess you could argue that such a significant service adopting OAuth 2.0 is great for increasing adoption across the Web. However this pales in comparison to the fundamental shifts in thinking introduced by the Open Graph Protocol.

Evolving the Social Graph

The first question is what problem does the Open Graph Protocol solve for Facebook and why are they releasing it?

Figure 1: The Facebook Social Graph in 2006

The original Facebook social graph had a one type of node and edge. The nodes were users and the edges were friend relationships. The operations you could perform on the nodes are also straightforward. How many friends does Jane have? Is Kim a friend of Mary? And so on. As more features were added to the site, new nodes and edges were added to the social graph

Figure 2: The Facebook Social Graph in 2009

Each of these nodes supports similar operations. By counting the number of incoming connections you can tell how many fan's Justin Bieber has, how many people want to show the world their love for the Ramblin’ Wreck or how many people have added Mary as a friend. However as Facebook tries to model more of our offline world, it is clear that these aren’t the only types of relationships that users can have nor are these nodes the only entities users can have a relationship with. Which brings us to…

Figure 3: The Facebook Social Graph in 2011

The Open Graph Protocol is the first step in allowing Facebook users express relationships with arbitrary social objects. If you aren’t familiar with the concept of social objects, Hugh McLeod wrote a great introductory post on this concept entitled social objects for beginners which is excerpted below

The Social Object, in a nutshell, is the reason two people are talking to each other, as opposed to talking to somebody else. Human beings are social animals. We like to socialize. But if think about it, there needs to be a reason for it to happen in the first place. That reason, that “node” in the social network, is what we call the Social Object.

Example A. You and your friend, Joe like to go bowling every Tuesday. The bowling is the Social Object.

Example B. You and your friend, Lee are huge Star Wars fans. Even though you never plan to do so, you two tend to geek out about Darth Vader and X-Wing fighters every time you meet. Star Wars is the Social Object.

Example C. You’ve popped into your local bar for a drink after work. At the bar there’s some random dude, sending a text on this neat-looking cellphone you’ve never seen before. So you go up to him and ask him about the phone. The random dude just LOVES his new phone, so has no trouble with telling a stranger about his new phone for hours on end. Next thing you know, you two are hitting it off and you offer to buy him a beer. You spend the rest of the next hour geeking out about the new phone, till it’s time for you to leave and go dine with your wife. The cellphone was the social object.

Example D. You’re a horny young guy at a party, in search of a mate. You see a hot young woman across the room. You go up and introduce yourself. You do not start the conversation by saying, “Here’s a list of all the girls I’ve gone to bed with, and some recent bank statements showing you how much money I make. Would you like to go to bed with me?” No, something more subtle happens. Basically, like all single men with an agenda, you ramble on like a yutz for ten minutes, making small talk. Until she mentions the name of her favorite author, Saul Bellow. Halleluiah! As it turns out, Saul Bellow happens to be YOUR FAVORITE AUTHOR as well [No, seriously. He really is. You’re not making it up just to look good.]. Next thing you know, you two are totally enveloped in this deep and meaningful conversation about Saul Bellow. “Seize The Day”, “Herzog”, “Him With His Foot In His Mouth” and “Humbolt’s Gift”, eat your heart out. And as you two share a late-night cab back to her place, you’re thinking about how Saul Bellow is the Social Object here.

There are more examples in Hugh’s post but you get the idea. Social objects had been represented by “fan pages” in the Facebook world but with the Open Graph Protocol, it is now possible for any random website to become a part of Facebook’s social graph. This is a very powerful and liberating concept both from the perspective of what it enables Facebook’s platform to do but also because it gets rid of some ugly forms of lock-in. For example, Robert Scoble would no longer need to maintain a brand presence on Facebook at http://www.facebook.com/scobleizer that is different from his website at http://www.scobleizer.com to stay connected with fans of his blog who are Facebook users.

Turning Web Pages into Social Objects

The process of turning a web page into a social object that Facebook can add to their social graph is very straightforward. From the Open Graph Protocol documentation we learn

To turn your web pages into graph objects, you need to add basic metadata to your page. We've based the initial version of the protocol on RDFa which means that you'll place additional <meta> tags in the <head> of your web page. The four required properties for every page are:

og:title - The title of your object as it should appear within the graph, e.g., "The Rock".

og:type - The type of your object, e.g., "movie". Depending on the type you specify, other properties may also be required.

og:image - An image URL which should represent your object within the graph.

og:url - The canonical URL of your object that will be used as its permanent ID in the graph, e.g., "http://www.imdb.com/title/tt0117500/".

As an example, the following is the Open Graph protocol markup for The Rock on IMDB:
<html xmlns:og="http://opengraphprotocol.org/schema/">
<head>
<title>The Rock (1996)</title>
<meta property="og:title" content="The Rock" />
<meta property="og:type" content="movie" />
<meta property="og:url" content="http://www.imdb.com/title/tt0117500/" />
<meta property="og:image" content="http://ia.media-imdb.com/images/rock.jpg" />
...
</head>
...
</html>
The following properties are optional for any object and are generally recommended:

og:description - A one to two sentence description of your object.

og:site_name - If your object is part of a larger web site, the name which should be displayed for the overall site. e.g., "IMDb".

For now Facebook supports a limited set of object types from the following categories; activities, businesses, groups, organizations, people, places, products & entertainment & websites. Once your page is marked up and categorized, the next step is to provide a way for users to add it to their social graph on Facebook. This is done by using adding the Facebook Like button to the page. From then onward, when a user clicks the Like button they become a fan of that page.

Not only is your page added to their profile but you can also send news feed updates to all the people who have liked your page (just like “Fan Pages” can) if you associate the Like button with your Facebook ID. Doing that provides you with an admin page where you can post news feed entries from.

The Return of the Semantic Web

One of the things I find most exciting about this development is that sites now have significant motivation to be marked up with extremely structured data which can then be consumed by other applications. Having such rich descriptive metadata will be a boon to search engines especially those from startups since some of the big guys consider their ability to extract semantics out of HTML tag soup a competitive advantage and have thus fought the semantic web for years.

In the social media space, a few people have focused on the fact that this data is put in place to enable sites to be added to Facebook’s social graph. However there is little reason why other social networking services couldn’t also read the same markup as a way to add those web sites to their social graph. For example, Yelp is one of the sites that now supports the Open Graph Protocol so when I click like the Pro Sports Club it is added to the list of “pages” I’m a fan of on Facebook. However I could just as easily see that being a [Twitter – Like] button which would add the Twitter account for the gym to my following list along with tweeting to my followers that I liked the gym. It would only take adding a markup element to what Yelp is outputting to indicate the Twitter account of the page being liked. With my Windows Live hat on, I can imagine going to Amazon or IMDB and clicking a [Windows Live – Like] button which would add the movie to my list of favorite things. There are a ton of possibilities this opens up in a totally decentralized way without forcing services or users to be locked into a particular social network.

This has been the dream Tim Berners-Lee has been pushing for years and I’m quite surprised to see Facebook being the service to take RDFa mainstream. One of the things I’m happiest about is that Facebook chose RDFa for their implementation instead of the much hyped yet weaker solution, microformats. As Evan Prodromou wrote a few years ago in his post RDFa vs. Microformats, RDFa encourages interoperable implementations between organizations and avoids naming collisions via namespacing as opposed to the microformats approach which requires a centralized committee process to add/remove elements from data formats. From my example above, adding support for indicating the Twitter account of a page that implemented the Open Graph Protocol would be as simple as adding an element namespaced to some Twitter URI. That is distributed extensibility in action.

Final Thoughts

This is a very exciting time for the Web. I suspect that this will be another Facebook platform hit that exceeds expectations. The same way no one could have predicted Zynga and Farmville when the Facebook platform first launched is the way I feel we’ll all be surprised at the sorts of things that will be powered by the Open Graph Protocol in the next year or two.

Note Now Playing: Timbaland - Say Something (featuring Drake) Note

Categories: Social Software | Web Development

April 19, 2010

@ 03:38 PM

Some Thoughts on XAuth

There's an interesting post on ReadWriteWeb about a burgeoning technology effort supported by a number of web companies titled XAuth: The Open Web Fires a Shot Against Facebook Connect which states

A consortium of companies including Google, Yahoo, MySpace, Meebo and more announced tonight that it will launch a new system on Monday that will let website owners discover which social networks a site visitor uses and prompt them automatically to log-in and share with friends on those network. The system is called XAuth and serves to facilitate cross-site authentication (logging in) for sharing and potentially many other uses.

Facebook and Twitter, the dominant ways people share links with friends outside of email, are not participating
...

What XAuth Delivers

It's like Facebook Connect, but for every other social network.

The gist here is that XAuth will make it easier for sites around the web to find out what social networks you are using, let you log in to those easily, access your permitted information from those networks in order to better personalize your experience on their site and easily share their content back into your social network. It's like Facebook Connect, but for every other social network. Any website can register as an identity provider with XAuth, too.

What About OAuth?
If you're familiar with OAuth, you might be wondering what the difference is between that system of secure authentication and XAuth. Here's one way to explain it: XAuth tells a webpage "this is where the site visitor does social networking." Then, OAuth is the way the user logs in there, granting the site permission to access their info without seeing their password. In other words, XAuth tells you where to ask for OAuth from.
Google's Joseph Smarr, recently hired because of his high-profile work on distributed identity systems across the web, says that XAuth is a provisional solution to the limitations of the cookie system. If you visit ReadWriteWeb, for example, our servers aren't allowed to check the cookies left on your browser by the social networks you use because they are tied to URL domains other than ours.

The first thing that is worth pointing out is that XAuth is not like Facebook Connect. Facebook Connect enables a website to associate a user’s Facebook identity, social graph and activity stream with the site. XAuth enables a website to discover which services an end user is a member of that support associating a user’s identity, social graph and/or activity stream with third party websites.

A practical example of this is the various sharing options at the bottom of this blog post (if you’re viewing it in the browser on your desktop PC)

This is a fixed list of options that where I had to write special Javascript code to handle each service. There are a few issues with this approach. The first is that people end up seeing exhortations to share on services they don’t use which is just visual noise in that case. Another is that, each of those widgets involves a Javascript call to the domain of the service which impacts page load times. In fact, I used to have a Reddit widget but took it out because their server was too slow and noticeably impacted rendering of my blog. Finally, I tend to keep the list small because I don’t want my blog posts to suffer from the NASCAR problem so some services that may be popular with my audience audience are left out (e.g. I have no widgets for sharing on Google Buzz, Slashdot or Digg).

How the XAuth specification attempts to solve this problem is fairly straightforward. Services that want to participate include some Javascript from http://xauth.org which writes some data to the local storage (not cookie) for that domain when the user visits the social network. At that point there is now an indication on the user’s machine that they are a member of the aforementioned social network. Then when the user visits a site such as my blog, I also include the same Javascript from but this time I ask it if the user is a member of the social networks I’m interested in. Once the list of sites is returned, I then only have to render sharing widgets from the sites I support which the user is a member of.

In general, I think XAuth is a legitimate attempt to solve a valid problem. However it should be made clear what problems XAuth doesn’t solve. For one, people like me who have an account on Facebook, Twitter, Digg, Google, Windows Live, Reddit, Delicious, etc will actually have a more cluttered experience than we do today. I know I’m always a little confused when I visit a site that uses Clickpass since I can never remember if I’ve associated that site with my Facebook, Windows Live, Yahoo! or Google account. Similarly XAuth will potentially exacerbate the problem for the subset of people who are members of lots of social media sites. Another thing to be made clear is that this isn’t a replacement for delegated authentication and authorization technologies like Facebook Connect, Twitter’s @Anywhere or OAuth WRAP. Sites will still need to support all of these technologies if they want to reach the widest audience. This is just about hiding options from users that do not matter to them.

The one thing I’d keep an eye on is that XAuth provides a token that uniquely identifies the user as part of the results returned to the requesting site instead of a simply stating the user is a member of a specified social media site. This enables the requesting site (e.g. my blog) to potentially make some API calls to the social network site for information specific to the user without asking for permission first. For example, pre-populating the user’s name and display picture in a comment box. Since Facebook has already announced such functionality I guess people don’t think it is overstepping the bounds of the user relationship to enable this feature on any website the user visits without the user explicitly granting the sites permission to their profile information. It will be interesting to see if implementations of this feature steer clear of some of the creepiness factor of Facebook’s Beacon program which led to massive outcry in its day.

Note Now Playing: Jamie Foxx - Winner (featuring Justin Timberlake & T.I.) Note

Categories: Social Software | Web Development

March 29, 2010

@ 02:09 AM

The NoSQL Debate: Automatic vs. Manual Transmission

The debate on the pros and cons of non-relational databases which are typically described as “NoSQL databases” has recently been heating up. The anti-NoSQL backlash is in full swing from the rebuttal to one of my recent posts of mine I saw mentioned in Dennis Forbes’s write-up The Impact of SSDs on Database Performance and the Performance Paradox of Data Explodification (aka Fighting the NoSQL mindset) and similar thoughts expressed in typical rant-y style by Ted Dziuba in his post I Can't Wait for NoSQL to Die.

This will probably be my last post on the topic for a while given that the discussion has now veered into religious debate territory similar to vi vs. emacs OR functional vs. object oriented programming. With that said…

It would be easy to write rebuttals of what Dziuba and Forbes have written but from what I can tell people are now talking past each other and are now defending entrenched positions. So instead I’ll leave this topic with an analogy. SQL databases are like automatic transmission and NoSQL databases are like manual transmission. Once you switch to NoSQL, you become responsible for a lot of work that the system takes care of automatically in a relational database system. Similar to what happens when you pick manual over automatic transmission. Secondly, NoSQL allows you to eke more performance out of the system by eliminating a lot of integrity checks done by relational databases from the database tier. Again, this is similar to how you can get more performance out of your car by driving a manual transmission versus an automatic transmission vehicle.

However the most notable similarity is that just like most of us can’t really take advantage of the benefits of a manual transmission vehicle because the majority of our driving is sitting in traffic on the way to and from work, there is a similar harsh reality in that most sites aren’t at Google or Facebook’s scale and thus have no need for a Bigtable or Cassandra. As I mentioned in my previous post, I believe a lot of problems people have with relational databases at web scale can be addressed by taking a hard look at adding in-memory caching solutions like memcached to their infrastructure before deciding the throw out their relational database systems.

Note Now Playing: Lady Gaga - Bad Romance Note

Categories: Web Development

March 10, 2010

@ 03:06 PM

Building Scalable Databases: Are Relational Databases Compatible with Large Scale Websites?

A few weeks ago Todd Hoff over on the High Scalability blog penned a blog post titled MySQL and Memcached: End of an Era? where he wrote

If you look at the early days of this blog, when web scalability was still in its heady bloom of youth, many of the articles had to do with leveraging MySQL and memcached. Exciting times. Shard MySQL to handle high write loads, cache objects in memcached to handle high read loads, and then write a lot of glue code to make it all work together. That was state of the art, that was how it was done. The architecture of many major sites still follow this pattern today, largely because with enough elbow grease, it works.
…
With a little perspective, it's clear the MySQL+memcached era is passing.
…
LinkedIn has moved on with their Project Voldemort. Amazon went there a while ago.

Digg declared their entrance into a new era in a post on their blog titled Looking to the future with Cassandra,
…
Twitter has also declared their move in the article Cassandra @ Twitter: An Interview with Ryan King.

Todd’s blog has been a useful source of information on the topic of scaling large scale websites since he catalogues as many presentations as he can find from industry leaders on how they’ve designed their systems to deal with millions to hundreds of millions of users pounding their services a day. What he’s written above is really an observation about industry trends and isn’t really meant to attack any technology. I did find it interesting that many took it as an attack on memcached and/or relational databases and came out swinging.

One post which I thought tried to take a balanced approach to rebuttal was Dennis Forbes’ Getting Real about NoSQL and the SQL-Isn't-Scalable Lie where he writes

I work in the financial industry. RDBMS’ and the Structured Query Language (SQL) can be found at the nucleus of most of our solutions. The same was true when I worked in the insurance, telecommunication, and power generation industries. So it piqued my interest when a peer recently forwarded an article titled “The end of SQL and relational databases”, adding the subject line “We’re living in the past”. [Though as Michael Stonebraker points out, SQL the query language actually has remarkably little to actually to do with the debate. It would be more clearly called NoACID]
…
From a vertical scaling perspective — it’s the easiest and often the most computationally effective way to scale (albeit being very inefficient from a cost perspective) — you have the capacity to deploy your solution on powerful systems with armies of powerful cores, hundreds of GBs of memory, operating against SAN arrays with ranks and ranks of SSDs.

The computational and I/O capacity possible on a single “machine” are positively enormous. The storage system, which is the biggest limiting factor on most database platforms, is ridiculously scalable, especially in the bold new world of SSDs (or flash cards like the FusionIO).
…
From a horizontal scaling perspective you can partition the data across many machines, ideally configuring each machine in a failover cluster so you have complete redundancy and availability. With Oracle RAC and Sybase ASE you can even add the classic clustering approach. Such a solution — even on a stodgy old RDBMS — is scalable far beyond any real world need because you’ve built a system for a large corporation, deployed in your own datacenter, with few constraints beyond the limits of technology and the platform.

Your solution will cost hundreds of thousands of dollars (if not millions) to deploy, but that isn’t a critical blocking point for most enterprises.This sort of scaling that is at the heart of virtually every bank, trading system, energy platform, retailing system, and so on.

To claim that SQL systems don’t scale, in defiance of such obvious and overwhelming evidence, defies all reason.

There’s lots of good for food for thought in both blog posts. Todd is right that a few large scale websites are moving beyond the horizontal scaling approach that Dennis brought up in his rebuttal based on their experiences. What tends to happen once you’ve built a partitioned/sharded SQL database architecture is that you tend to notice that you’ve given up most of the features of an ACID relational database. You give up the advantages of the relationships by eschewing foreign keys, triggers and joins since these are prohibitively expensive to run across multiple databases. Denormalizing the data means that you give up on Atomicity, Consistency and Isolation when updating or retrieving results. And the end all you have left is that your data is Durable (i.e. it is persistently stored) which isn’t much better than you get from a dumb file system. Well, actually you also get to use SQL as your programming model which is nicer than performing direct file I/O operations.

It is unsurprising that after being at this point for years, some people in our industry have wondered whether it doesn’t make more sense to use data stores that are optimized for the usage patterns of large scale websites instead of gloriously misusing relational databases. A good example of the tradeoffs is the blog post from the Digg team on why they switched to Cassandra. The database was already sharded which made performing joins to calculate results of queries such as “which of my friends Dugg this item?” to be infeasible. So instead they had to perform two reads from SQL (all Diggs on an item and all of the user’s friends) then perform the intersection operation on the PHP front end code. If the item was not already cached, this leads to disk I/O which could take seconds. To make the situation worse, you actually want to perform this operation multiple times on a single page view since it is reasonable to expect multiple Digg buttons on a page if it has multiple stories on it.

An alternate approach is to denormalize the data and for each user store a list of stories that have been Dugg by at least one of their friends. So whenever I Digg an item, an entry is placed in each of my friends’ lists to indicate that story is now one that has been Dugg by a friend. That way when the a friend of mine shows up, it is a simple lookup to say “is this story ID on the list of stories Dugg by one of their friends?” The challenge here is that it means Digging an item can result in literally thousands of logical write operations. It has been traditionally prohibitively expensive to incur such massive amounts of write I/O in relational databases with all of their transactionality and enforcing of ACID constraints. NoSQL databases like Cassandra which assume your data is denormalized are actually optimized for write I/O heavy operations given the necessity of having to perform enormous amounts of writes to keep data consistent.

Digg’s usage of Cassandra actually serves as a rebuttal to Dennis Forbes’ article since they couldn’t feasibly get what they want with either horizontal or vertical scaling of their relational database-based solution. I would argue that introducing memcached into the mix would have addressed disk I/O concerns because all records of who has Dugg an item could be stored in-memory so comparisons of which of my friends have Dugg an item never have to go to disk to answer any parts of the query. The only caveat with that approach is that RAM is more expensive than disk so you’ll need a lot more servers to store 3 terabytes of data in memory than you would on disk.

However, the programming model is not the only factor one most consider when deciding whether to stay with a sharded/partitioned relational database versus going with a NoSQL solution. The other factor to consider is the actual management of the database servers. The sorts of questions one has to ask when choosing a database solution are listed in the interview with Ryan King of Twitter where he lists the following checklist that they evaluated before deciding to go with Cassandra over MySQL

We first evaluated them on their architectures by asking many questions along the lines of:

How will we add new machines?

Are their any single points of failure?

Do the writes scale as well?

How much administration will the system require?

If its open source, is there a healthy community?

How much time and effort would we have to expend to deploy and integrate it?

Does it use technology which we know we can work with?

The problem with database sharding is that it isn’t really a supported out of the box configuration for your traditional relational database product especially the open source ones. How your system deals with new machines being added to the cluster or handles machine failure often requires special case code being written by application developers along with special hand holding by operations teams. Dealing with issues related to database replication (whether it is multi-master or single master) also often takes up unexpected amounts of manpower once sharding is involved.

For these reasons I expect we’ll see more large scale websites decide that instead of treating a SQL database as a denormalized key-value pair store that they would rather use a NoSQL database. However I also suspect that a lot of services who already have a sharded relational database + in-memory cache solution can get a lot of mileage from more judicious usage of in-memory caches before switching. This is especially true given that you still caches in front of your NoSQL databases anyway. There’s also the question of whether traditional relational database vendors will add features to address the shortcomings highlighted by the NoSQL movement? Given that the sort of companies adopting NoSQL are doing so because they want to save costs on software, hardware and operations I somehow doubt that there is a lucrative market here for database vendors versus adding more features that the banks, insurance companies and telcos of the world find interesting.

Note Now Playing: Birdman - Money To Blow (featuring Drake & Lil Wayne Note

Categories: Web Development

January 18, 2010

@ 02:32 PM

Does the world need OpenID Connect?

About two weeks ago Chris Messina wrote a post titled OpenID Connect where he argued for the existence of a Facebook Connect style technology build on OpenID. He describes the technology as follows

So, to summarize:

for the non-tech, uninitiated audiences: OpenID Connect is a technology that lets you use an account that you already have to sign up, sign in, and bring your profile, contacts, data, and activities with you to any compatible site on the web.

for techies: OpenID Connect is OpenID rewritten on top of OAuth WRAP using service discovery to advertise Portable Contacts, Activity Streams, and any other well known API endpoints, and a means to automatically bootstrap consumer registration and token issuance.

This is something I brought up over a year ago in my post Some Thoughts on OpenID vs. Facebook Connect. The fact is that OpenID by itself is simply not as useful as Facebook Connect. The former allows me to sign-in to participating sites with my existing credentials while the latter lets me sign-in, share content with my social network, personalize and find my friends on participating sites using my Facebook identity.

As I mentioned in my previous post there are many pieces of different “Open brand” technologies that can be pieced together to create something similar to Facebook Connect such as OpenID + OpenID Attribute Exchange + Portable Contacts + OAuth WRAP + Activity Streams. However no one has put together a coherent package that ties all of these together as a complete end-to-end solution. This isn’t helped by the fact that these specs are at varying levels of maturity and completion.

One of the reasons this hasn’t happened is for a reason I failed to anticipate. Back in late 2008, I assumed we would see lots of competitors to Facebook Connect. This hasn’t truly materialized. Google Friend Connect has turned out to be an interesting combination of OpenID sign-in and the ability to add “social” widgets to your site but not about integrating with Google’s social networking services in a deep way (probably because Google doesn’t have any?). MySpaceID has failed to gain traction and lacks key features of Facebook Connect such as being able to publish rich activities from a 3rd party site to MySpace. And that’s it. Those two technologies are the closest to Facebook Connect from a major online player and they fall far short.

So do we need an OpenID Connect? We would if there were lots of Facebook Connect style offerings that significantly differed in implementation. However there aren’t. One could argue that perhaps the reason we don’t have many is that there are no standards that guide websites on what to implement. However this sounds like using “standards” for inventing technologies instead of standardizing best practice. I’ve always considered this questionable from my days working with XML technologies XML Schema, SOAP and WSDL.

If you got together to create an OpenID Connect now, the best you could do is come up with a knock off of Facebook Connect using “Open brand” technologies since that’s the only example we have to work off of. That’s great until Facebook Connect adds more features or websites finally wrap their heads around this problem space and actually start competing with Facebook Connect. Premature standardization hinders instead of helps.

Although we might need OpenID Connect someday, that day isn’t today.

Note Now Playing: Ke$ha - TiK ToK Note

Categories: Social Software | Web Development

December 21, 2009

@ 03:09 PM

Some Thoughts on the Twitter API as a "standard API" for microblogging

There are a couple of posts written this past weekend about services beginning to expose their services using the Twitter API and how this marks the rise of Twitter as a de facto standard for use in microblogging (or whatever we're calling it these days).

The first post I was on this topic was from Fred Wilson in his post Open APIs and Open Standards where he writes

As Dave Winer has been pointing out in recent weeks, there is something quite interesting happening in the blogging/microblogging world.

First WordPress allowed posting and reading wordpress blogs via the Twitter API.

Then yesterday our portfolio company Tumblr did the same.

John Borthwick has been advising companies for a while now to build APIs that mimic the Twitter API. His reasoning is that if your API look and feels similar to the Twitter API then third party developers will have an easier time adopting it and building to it. Makes sense to me.

But what Wordpress and Tumblr have done is a step farther than mimicing the API. They have effectively usurped it for their own blogging platforms. In the case of Tumblr, they are even replicating key pieces of their functionality in it

Anil Dash quickly followed up by declaring The Twitter API is Finished. Now What? and stating

Twitter's API has spawned over 50,000 applications that connect to it, taking the promise of fertile APIs we first saw with Flickr half a decade ago and bringing it to new heights. Now, the first meaningful efforts to support Twitter's API on other services mark the maturation of the API as a de facto industry standard and herald the end of its period of rapid fundamental iteration.

From here, we're going to see a flourishing of support for the Twitter API across the web, meaning that the Twitter API is finished. Not kaput, complete. If two companies with a significant number of users that share no investors or board members both support a common API, we can say that the API has reached Version 1.0 and is safe to base your work on. So now what?

This is a pattern that repeats itself regularly in the software industry; companies roll their own proprietary APIs or data formats in a burgeoning space until one or two leaders emerge and then the rest of the industry quickly wants to crown a winning data format or API to prevent Betamax vs. VHS style incompatibility woes for customers and developers.

Given that this is a common pattern, what can we expect in this instance? There are typically two expected outcomes when such clamoring for a company's proprietary platform or data format to become the property reaches a fever pitch. The first outcome is similar to what Anil Dash and Fred Wilson have described. Some competitors or related companies adopt the format or API as is to take advantage of the ecosystem that has sprung up around the winning platform. This basically puts the company (Twitter in this case) in a spot where they either have to freeze the API or bear the barbs from the community if they ever try to improve the API in a backwards incompatible way.

The problem with freezing the API is that once it becomes a de facto standard all sorts of folks will show up demanding that it do more than it was originally expected to do since they can't ship their own proprietary solutions now that there is a "standard". This is basically what happened during the RSS vs. Atom days where Dave Winer declared that RSS is Frozen. What ended up happening was that there were a lot of people who felt that RSS and it's sister specifications such as the MetaWeblog API were not the final word in syndicating and managing content on the Web. Dave Winer stuck to his guns and people were left with no choice but to create a conflicting de jure standard to compete with the de facto standard that was RSS. So Atom vs. RSS became the XML syndication world's Betamax vs. VHS or Blu-Ray vs. HD-DVD. As a simple thought experiment, what happens if Twitter goes along with the idea that their API is some sort of de facto standard API for microcontent delivered in real-time streams. What happens when a company like Facebook decides to adopt this API but needs to API to be expanded because it doesn't support their features? And that they need the API to be constantly updated since they add new features on Facebook at a fairly rapid clip? Amusingly enough there are already people preemptively flaming Facebook for not abandoning their API and adopting Twitter's even though it is quite clear to any observer that Facebook's API predates Twitter's, has more functionality and is supported by more applications & websites.

Things get even more interesting if Facebook actually did decide to create their own fork or "profile" of the Twitter API due to community pressure to support their scenarios. Given how this has gone down in the past such as the conflict between Dave Winer and the RSS Advisory board or more recently Eran Hammer-Lahav's strong negative reaction to the creation of OAuth WRAP which he viewed as a competitor to OAuth, it is quite likely that a world where Facebook or someone else with more features than Twitter decided to adopt Twitter's API wouldn't necessarily lead to everyone singing Kumbaya.

Let's say Twitter decides to take the alternate road and ignores this hubbub since the last thing a fast moving startup needs is to have their hands tied by a bunch of competitors telling them they can't innovate in their API or platform any longer. What happens the first time they decide to break their API or even worse deprecate it because it no longer meets their needs? That isn't far fetched. Google deprecated the Blogger API in favor of GData (based on the Atom Publishing Protocol) even though Dave Winer and a bunch of others had created a de facto standard around a flavor of the API called the MetaWeblog API. About two weeks ago Facebook confirmed that they were deprecating a number of APIs used for interacting with the news feed. What happens to all the applications that considered these APIs to be set in stone? It is a big risk to bet on a company's platform plans even when they plan to support developers let alone doing so as a consequence of a bunch of the company's competitors deciding that they want to tap into its developer ecosystem instead of growing their own.

The bottom line is that it isn't as simple as saying "Twitter is popular and it's API is supported by lots of apps so everyone needs to implement their API on their web site as well". There are lots of ways to create standards. Crowning a company's proprietary platform as king without their participation or discussion in an open forum is probably the worst possible way to do so.

Note Now Playing: Eminem - Hell Breaks Loose Note

Categories: Syndication Technology | Web Development

November 23, 2009

@ 02:46 PM

Building Scalable Databases: Perspectives on the War on Soft Deletes

In the past few months I've noticed an increased number of posts questioning practices around deleting and "virtually" deleting data from databases. Since some of the concerns around this practice have to do with the impact of soft deletes on scalability of a database-based application, I thought it would be a good topic for my ongoing series on building scalable databases.

Soft Deletes 101: What is a soft delete and how does it differ from a hard delete?

Soft deleting an item from a database means that the row or entity is marked as deleted but not physically removed from the database. Instead it is hidden from normal users of the system but may be accessible by database or system administrators.

For example, let's consider this sample database of XBox 360 games I own

Name	Category	ESRB	GamespotScore	Company
Call of Duty: Modern Warfare 2	First Person Shooter	Mature	9.0	Infinity Ward
Batman: Arkham Asylum	Fantasy Action Adventure	Teen	9.0	Rocksteady Studios
Gears of War 2	Sci-Fi Shooter	Mature	9.0	Epic Games
Call of Duty 4: Modern Warfare	First Person Shooter	Mature	9.0	Infinity Ward
Soul Calibur IV	3D Fighting	Teen	8.5	Namco

Now consider what happens if I decide that I'm done with Call of Duty 4: Modern Warfare now that I own Call of Duty: Modern Warfare 2. The expected thing to do would then be to remove the entry from my database using a query such as

DELETE FROM games WHERE name='Call of Duty 4: Modern Warfare';

This is what is considered a "hard" delete.

But then what happens if my friends decide to use my list of games to decide which games to get me for Christmas? A friend might not realize I'd previously owned the game and might get it for me again. Thus it might be preferable if instead of deleting items from the database they were removed from consideration as games I currently own but still could be retrieved in special situations. To address this scenario I'd add an IsDeleted column as shown below

Name	Category	ESRB	GamespotScore	Company	IsDeleted
Call of Duty: Modern Warfare 2	First Person Shooter	Mature	9.0	Infinity Ward	False
Batman: Arkham Asylum	Fantasy Action Adventure	Teen	9.0	Rocksteady Studios	False
Gears of War 2	Sci-Fi Shooter	Mature	9.0	Epic Games	False
Call of Duty 4: Modern Warfare	First Person Shooter	Mature	9.0	Infinity Ward	True
Soul Calibur IV	3D Fighting	Teen	8.5	Namco	False

Then for typical uses an application would interact with the following view of the underlying table

CREATE VIEW current_games AS SELECT Name, Category, ESRB, GameSpotScore, Company FROM games WHERE IsDeleted=False;

but when my friends ask me for a list of all of the games I have, I can provide the full list of all the games I've ever owned from the original games table if needed. Now that we understand how one would use soft deletes we can discuss the arguments against this practice.

Rationale for War: The argument against soft deletes

Ayende Rahien makes a cogent argument against soft deletes in his post Avoid Soft Deletes where he writes

One of the annoyances that we have to deal when building enterprise applications is the requirement that no data shall be lost. The usual response to that is to introduce a WasDeleted or an IsActive column in the database and implement deletes as an update that would set that flag.

Simple, easy to understand, quick to implement and explain.

It is also, quite often, wrong.

The problem is that deletion of a row or an entity is rarely a simple event. It effect not only the data in the model, but also the shape of the model. That is why we have foreign keys, to ensure that we don’t end up with Order Lines that don’t have a parent Order. And that is just the simplest of issues.
...
Let us say that we want to delete an order. What should we do? That is a business decision, actually. But it is one that is enforced by the DB itself, keeping the data integrity.

When we are dealing with soft deletes, it is easy to get into situations where we have, for all intents and purposes, corrupt data, because Customer’s LastOrder (which is just a tiny optimization that no one thought about) now points to a soft deleted order.

Ayende is right that adding an IsDeleted flag mean that you can no longer take advantage of database triggers for use when cleaning up database state when a deletion occurs. This sort of cleanup now has to moved up into the application layer.

There is another set of arguments against soft deletes in Richard Dingwall's post entitled The Trouble with Soft Delete where he points out the following problems

Complexity

To prevent mixing active and inactive data in results, all queries must be made aware of the soft delete columns so they can explicitly exclude them. It’s like a tax; a mandatory WHERE clause to ensure you don’t return any deleted rows.

This extra WHERE clause is similar to checking return codes in programming languages that don’t throw exceptions (like C). It’s very simple to do, but if you forget to do it in even one place, bugs can creep in very fast. And it is background noise that detracts away from the real intention of the query.

Performance

At first glance you might think evaluating soft delete columns in every query would have a noticeable impact on performance. However, I’ve found that most RDBMSs are actually pretty good at recognizing soft delete columns (probably because they are so commonly used) and does a good job at optimizing queries that use them. In practice, filtering inactive rows doesn’t cost too much in itself.

Instead, the performance hit comes simply from the volume of data that builds up when you don’t bother clearing old rows. For example, we have a table in a system at work that records an organisations day-to-day tasks: pending, planned, and completed. It has around five million rows in total, but of that, only a very small percentage (2%) are still active and interesting to the application. The rest are all historical; rarely used and kept only to maintain foreign key integrity and for reporting purposes.

Interestingly, the biggest problem we have with this table is not slow read performance but writes. Due to its high use, we index the table heavily to improve query performance. But with the number of rows in the table, it takes so long to update these indexes that the application frequently times out waiting for DML commands to finish.

These arguments seem less valid than Ayende's especially when the alternatives proposed are evaluated. Let's look at the aforementioned problems and the proposed alternatives in turn.

Trading the devil you know for the devil you don't: Thoughts on the alternatives to soft deletes

Richard Dingwall argues that soft deletes add unnecessary complexity to the system since all queries have to be aware of the IsDeleted column(s) in the database. As I mentioned in my initial description of soft deletes this definitely does not have to be the case. The database administrator can create views which the core application logic interacts with (i.e. the current_games table in my example) so that only a small subset of system procedures need to actually know that the soft deleted columns even still exist in the database.

A database becoming so large that data manipulation becomes slow due to having to update indexes is a valid problem. However Richard Dingwall's suggested alternative excerpted below seems to trade one problem for a worse one

The memento pattern

Soft delete only supports undoing deletes, but the memento pattern provides a standard means of handling all undo scenarios your application might require.

It works by taking a snapshot of an item just before a change is made, and putting it aside in a separate store, in case a user wants to restore or rollback later. For example, in a job board application, you might have two tables: one transactional for live jobs, and an undo log that stores snapshots of jobs at previous points in time:

The problem I have with this solution is that if your database is already grinding to a halt simply because you track which items are active/inactive in your database, how much worse would the situation be if you now store every state transition in the database as well? Sounds like you're trading one performance problem for a much worse one.

The real problem seems to be that the database has gotten too big to be operated on in an efficient manner on a single machine. The best way to address this is to partition or shard the database. In fact, you could even choose to store all inactive records on one database server and all active records on another. Those interested in database sharding can take a look at a more detailed discussion on database sharding I wrote earlier this year.

Another alternative proposed by both Ayende Rahien and Richard Dingwall is to delete the data but use database triggers to write to an audit log in the cases where auditing is the primary use case for keeping soft deleted entries in the database. This works in the cases where the only reason for soft deleting entries is for auditing purposes. However there are many real world situations where this is not the case.

One use case for soft deleting is to provide an "undo" feature in an end user application. For example, consider a user synchronizes the contact list on their phone with one in the cloud (e.g. an iPhone or Windows Mobile/Windows Phone connecting to Exchange or an Android phone connecting to Gmail). Imagine that the user now deletes a contact from their phone because they do not have a phone number for the person only to find out that person has also been deleted from their address book in the cloud. At that point, an undo feature is desirable.

Other use cases could be the need to reactivate items that have been removed from the database but with their state intact. For example, when people return to Microsoft who used to work there in the past their seniority for certain perks takes into account their previous stints at the company. Similarly, you can imagine a company restocking an item that they had pulled from their shelves because they have become popular due to some new fad (e.g. Beatles memorabilia is back in style thanks to The Beatles™: Rock Band™).

The bottom line is that an audit log may be a useful replacement for soft deletes in some scenarios but it isn't the answer to every situation where soft deletes are typically used.

Not so fast: The argument against hard deletes

So far we haven't discussed how hard deletes should fit in a world of soft deletes. In some cases, soft deletes eventually lead to hard deletes. In the example of video games I've owned I might decide that if a soft deleted item is several years old or is a game from an outdated console then it might be OK to delete. So I'd create a janitor process that would scan the database periodically to seek out soft deleted entries to permanently delete. In other cases, some content may always be hard deleted since there are no situations where one might consider keeping them around for posterity. An example of the latter is comment or trackback spam on a blog post.

Udi Dahan wrote a rebuttal to Ayende Rahien's post where he question my assertion above that there are situations where one wants to hard delete data from the database in his post Don’t Delete – Just Don’t where he writes

Model the task, not the data

Looking back at the story our friend from marketing told us, his intent is to discontinue the product – not to delete it in any technical sense of the word. As such, we probably should provide a more explicit representation of this task in the user interface than just selecting a row in some grid and clicking the ‘delete’ button (and “Are you sure?” isn’t it).

As we broaden our perspective to more parts of the system, we see this same pattern repeating:

Orders aren’t deleted – they’re cancelled. There may also be fees incurred if the order is canceled too late.

Employees aren’t deleted – they’re fired (or possibly retired). A compensation package often needs to be handled.

Jobs aren’t deleted – they’re filled (or their requisition is revoked).

In all cases, the thing we should focus on is the task the user wishes to perform, rather than on the technical action to be performed on one entity or another. In almost all cases, more than one entity needs to be considered.

Statuses

In all the examples above, what we see is a replacement of the technical action ‘delete’ with a relevant business action. At the entity level, instead of having a (hidden) technical WasDeleted status, we see an explicit business status that users need to be aware of.

I tend to agree with Udi Dahan's recommendation. Instead of a technical flag like IsDeleted, we should model the business process. So my database table of games I owned should really be called games_I_have_owned with the IsDeleted column replaced with something more appropriate such as CurrentlyOwn. This is a much better model of the real-life situation than my initial table and the soft deleted entries are now clearly part of the business process as opposed to being part of some internal system book keeping system.

Advocating that items be never deleted is a tad extreme but I'd actually lean closer to that extreme than most. Unless the data is clearly worthless (e.g. comment spam) or the cost is truly prohibitive (e.g. you're storing large amounts of binary data) then I'd recommend keeping the information around instead of assuming the existence of a DELETE clause in your database is a requirement that you use it.

Note Now Playing: 50 Cent - Baby By Me (feat. Ne-Yo) Note

Categories: Web Development

November 14, 2009

@ 03:03 PM

Joe Hewitt on Irony

Joe Hewitt, the developer of the Facebook iPhone application, has an insightful blog post on the current trend of developers favoring native applications over Web applications on mobile platforms with centrally controlled app stores in his post On Middle Men. He writes

The Internet has been incredibly empowering to creators, and just as destructive to middle men. In the 20th century, every musician needed a record label to get his or her music heard. Every author needed a publishing house to be read. Every journalist needed a newspaper. Anyone who wanted to send a message needed the post office. In the Internet age, the tail no longer wags the dog, and those middle men have become a luxury, not a necessity.

Meanwhile, the software industry is moving in the opposite direction. With the web and desktop operating systems, the only thing in between software developers and users is a mesh of cables and protocols. In the new world of mobile apps, a layer of bureacrats stand in the middle, forcing each developer to queue up for a series of patdowns and metal detectors and strip searches before they can reach their customers.
...
We're at a critical juncture in the evolution of software. The web is still here and it is still strong. Anyone can still put any information or applications on a web server without asking for permission, and anyone in the world can still access it just by typing a URL. I don't think I appreciated how important that is until recently. Nobody designs new systems like that anymore, or at least few of them succeed. What an incredible stroke of luck the web was, and what a shame it would be to let that freedom slip away.

Am I the only one who thinks the above excerpt would be similarly apt if you replaced the phrase "mobile apps" with "Facebook apps" or "OpenSocial apps"?

Note Now Playing: Lady GaGa - Bad Romance Note

Categories: Web Development

November 7, 2009

@ 04:41 PM

Does OAuth Have a Dark Side?

There was an article in the The Register earlier this week titled Twitter fanatic glimpses dark side of OAuth which contains the following excerpt

A mobile enthusiast and professional internet strategist got a glimpse of OAuth's dark side recently when he received an urgent advisory from Twitter. The dispatch, generated when Terence Eden tried to log in, said his Twitter account may have been compromised and advised he change his password. After making sure the alert was legitimate, he complied.

That should have been the end of it, but it wasn't. It turns out Eden used OAuth to seamlessly pass content between third-party websites and Twitter, and even after he had changed his Twitter password, OAuth continued to allow those websites access to his account.
…
Eden alternately describes this as a "gaping security hole" and a "usability issue which has strong security implications." Whatever the case, the responsibility seems to lie with Twitter.

If the service is concerned enough to advise a user to change his password, you'd think it would take the added trouble of suggesting he also reset his OAuth credentials, as Google, which on Wednesday said it was opening its own services to work with OAuth, notes here.

I don't think the situation is as cut and dried as the article makes it seem. Someone trying to hack your account by guessing your password and thus triggering a warning that your account is being hacked is completely different from an application you've given permission to access your data doing the wrong thing with it.

Think about it. Below is a list of the applications I've allowed to access my Twitter stream. Is it really the desired user experience that when I change my password on Twitter that all of them break and require that I re-authorize each application?

list of applications that can access my Twitter stream

I suspect Terence Eden is being influenced by the fact that Twitter hasn't always had a delegated authorization model and the way to give applications access to your Twitter stream was to handout your user name & password. That's why just a few months ago it was commonplace to see blog posts like Why you should change your Twitter password NOW! which advocate changing your Twitter password as a way to prevent your password from being stolen from Twitter apps with weak security. There have also been a spate of phishing style Twitter applications such as TwitViewer and TwitterCut which masquerade as legitimate applications but are really password stealers in disguise. Again, the recommendation has been to change your password if you fell victim to such scams.

In a world where you use delegated authorization techniques like OAuth, changing your password isn't necessary to keep out apps like TwitViewer & TwitterCut since you can simply revoke their permission to access your account. Similarly if someone steals my password and I choose a new one, it doesn't mean that I now need to lose Twitter access from Brizzly or the new MSN home page until I reauthorize these apps. Those issues are ~~orthogonal~~ unrelated given the OAuth authorized apps didn't have my password in the first place.

Thus I question the recommendation at the end of the article that it is a good idea to even ask users about de-authorizing applications as part of password reset since it is misleading (i.e. it gives the impression the hack attempt was from one of your authorized apps instead of someone trying to guess your password) and just causes a hassle for the user who now has to reauthorize all the applications at a later date anyway.

Note Now Playing: Rascal Flatts - What Hurts The Most Note

Categories: Web Development

September 10, 2009

@ 05:18 PM

Building Scalable Databases: Denormalization, the NoSQL Movement and Digg

Database normalization is a technique for designing relational database schemas that ensures that the data is optimal for ad-hoc querying and that modifications such as deletion or insertion of data does not lead to data inconsistency. Database denormalization is the process of optimizing your database for reads by creating redundant data. A consequence of denormalization is that insertions or deletions could cause data inconsistency if not uniformly applied to all redundant copies of the data within the database.

Why Denormalize Your Database?

Today, lots of Web applications have "social" features. A consequence of this is that whenever I look at content or a user in that service, there is always additional content from other users that also needs to be pulled in to page. When you visit the typical profile on a social network like Facebook or MySpace, data for all the people that are friends with that user needs to be pulled in. Or when you visit a shared bookmark on del.icio.us you need data for all the users who have tagged and bookmarked that URL as well. Performing a query across the entire user base for "all the users who are friends with Robert Scoble" or "all the users who have bookmarked this blog link" is expensive even with caching. It is orders of magnitude faster to return the data if it is precalculated and all written to the same place.

This is optimizes your reads at the cost of incurring more writes to the system. It also means that you'll end up with redundant data because there will be multiple copies of some amount of user data as we try to ensure the locality of data.

A good example of a Web application deciding to make this trade off is the recent post on the Digg Blog entitled Looking to the Future with Cassandra which contains the following excerpt

The Problem

In both models, we’re computing the intersection of two sets:

Users who dugg an item.

Users that have befriended the digger.

The Relational Model

The schema for this information in MySQL is:
CREATE TABLE `Diggs` (
  `id`      INT(11),
  `itemid`  INT(11),
  `userid`  INT(11),
  `digdate` DATETIME,
  PRIMARY KEY (`id`),
  KEY `user`  (`userid`),
  KEY `item`  (`itemid`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;   CREATE TABLE `Friends` (
  `id`           INT(10) AUTO_INCREMENT,
  `userid`       INT(10),
  `username`     VARCHAR(15),
  `friendid`     INT(10),
  `friendname`   VARCHAR(15),
  `mutual`       TINYINT(1),
  `date_created` DATETIME,
  PRIMARY KEY                (`id`),
  UNIQUE KEY `Friend_unique` (`userid`,`friendid`),
  KEY        `Friend_friend` (`friendid`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
The Friends table contains many million rows, while Diggs holds hundreds of millions. Computing the intersection with a JOIN is much too slow in MySQL, so we have to do it in PHP. The steps are:
Query Friends for all my friends. With a cold cache, this takes around 1.5 seconds to complete.
Query Diggs for any diggs of a specific item by a user in the set of friend user IDs. This query is enormous, and looks something like:
SELECT `digdate`, `id` FROM `Diggs`
 WHERE `userid` IN (59, 9006, 15989, 16045, 29183,
                    30220, 62511, 75212, 79006)
   AND itemid = 13084479 ORDER BY `digdate` DESC, `id` DESC LIMIT 4;
The real query is actually much worse than this, since the IN clause contains every friend of the user, and this can balloon to hundreds of user IDs. A full query can actually clock in at 1.5kb, which is many times larger than the actual data we want. With a cold cache, this query can take 14 seconds to execute.
Of course, both queries are cached, but due to the user-specific nature of this data, it doesn’t help much.

The solution the Digg development team went with was to denormalize the data. They also went an additional step and decided that since the data was no longer being kept in a relational manner there was no point in using a traditional relational database (i.e. MySQL) and instead they migrated to a non-RDBMS technology to solve this problem.

How Denormalization Changes Your Application

There are a number of things to keep in mind once you choose to denormalize your data including

Denormalization means data redundancy which translates to significantly increased storage costs. The fully denormalized data set from the Digg exampled ended up being 3 terabytes of information. It is typical for developers to underestimate the data bloat that occurs once data is denormalized.
Fixing data inconsistency is now the job of the application. Let's say each user has a list of the user names of all of their friends. What happens when one of these users changes their user name? In a normalized database that is a simple UPDATE query to change a single piece of data and then it will be current everywhere it is shown on the site. In a denormalized database, there now has to be a mechanism for fixing up this name in all of the dozens, hundreds or thousands of places it appears. Most services that create denormalized databases have "fixup" jobs that are constantly running on the database to fix such inconsistencies.

The No-SQL Movement vs. Abusing Relational Databases for Fun & Profit

If you’re a web developer interested in building large scale applications, it doesn’t take long in reading the various best practices on getting Web applications to scale such as practicing database sharding or eschewing transactions before it begins to sound like all the advice you are getting is about ignoring or abusing the key features that define a modern relational database system. Taken to its logical extreme all you really need is a key<->value or tuple store that supports some level of query functionality and has decent persistence semantics. Thus the NoSQL movement was borne.

The No-SQL movement is a used to describe the increasing usage of non-relational databases among Web developers. This approach has initially pioneered by large scale Web companies like Facebook (Cassandra), Amazon (Dynamo) & Google (BigTable) but now is finding its way down to smaller sites like Digg. Unlike relational databases, there is a yet to be a solid technical definition of what it means for a product to be a "NoSQL" database aside from the fact that it isn't a relational database. Commonalities include lack of fixed schemas and limited support for rich querying. Below is a list of some of the more popular NoSQL databases that you can try today along with a brief description of their key qualities

CouchDB: A document-oriented database where documents can be thought of as JSON/JavaScript objects. Creation, retrieval, update and deletion (CRUD) operations are performed via a RESTful API and support ACID properties. Rich querying is handled by creating Javascript functions called "Views" which can operate on the documents in the database via Map/Reduce style queries. Usage: Although popular among the geek set most users seem to be dabblers as opposed to large scale web companies.
Cassandra: A key-value store where each key-value pair comes with a timestamp and can be grouped together into a column family (i.e. a table). There is also a notion of super columns which are columns that contain whose values are a list of other key-value pairs. Cassandra is optimized to be always writable and uses eventual consistency to deal with the conflicts that inevitably occur when a distributed system aims to be always writable yet node failure is a fact of life. Querying is available via the Cassandra Thrift API and supports fairly basic data retrieval operations based on key values and column names. Usage: Originally developed and still used at Facebook today. Digg and Rackspace are the most recent big name adopters.
Voldemort: Very similar to Cassandra which is unsurprising since they are both inspired by Amazon's Dynamo. Voldemort is a key-value store where each key value pair comes with a timestamp and eventual consistency is used to address write anomalies. Values can contain a list of further key value pairs. Data access involves creation, retrieval and deletion of serialized objects whose format can be one of JSON, strings, binary BLOBs, serialized Java objects and Google Protocol Buffers. Rich querying is non-existent, simple get and put operations are all that exist. Usage: Originally developed and still used at LinkedIn.

There are a number of other interesting NoSQL databases such as HBase, MongoDB and Dynomite but the three above seem to be the most mature from my initial analysis. In general, most of them seem to be a clone of BigTable, Dynamo or some amalgam of ideas from both papers. The most original so far has been CouchDB.

An alternative to betting on a speculative database technologies at varying levels of maturity is to misuse an existing mature relational database product. As mentioned earlier, many large scale sites use relational databases but eschew relational features such as transactions and joins to achieve scalability. Some developers have even taken that practice to an extreme and built schema-less data models on top of traditional relational database. A great example of this How FriendFeed uses MySQL to store schema-less data which is a blog post excerpted below

Lots of projects exist designed to tackle the problem storing data with flexible schemas and building new indexes on the fly (e.g., CouchDB). However, none of them seemed widely-used enough by large sites to inspire confidence. In the tests we read about and ran ourselves, none of the projects were stable or battle-tested enough for our needs (see this somewhat outdated article on CouchDB, for example). MySQL works. It doesn't corrupt data. Replication works. We understand its limitations already. We like MySQL for storage, just not RDBMS usage patterns.

After some deliberation, we decided to implement a "schema-less" storage system on top of MySQL rather than use a completely new storage system.
…
Our datastore stores schema-less bags of properties (e.g., JSON objects or Python dictionaries). The only required property of stored entities is id, a 16-byte UUID. The rest of the entity is opaque as far as the datastore is concerned. We can change the "schema" simply by storing new properties.
…
In MySQL, our entities are stored in a table that looks like this:
CREATE TABLE entities (
    added_id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
    id BINARY(16) NOT NULL,
    updated TIMESTAMP NOT NULL,
    body MEDIUMBLOB,
    UNIQUE KEY (id),
    KEY (updated)
) ENGINE=InnoDB;
The added_id column is present because InnoDB stores data rows physically in primary key order. The AUTO_INCREMENT primary key ensures new entities are written sequentially on disk after old entities, which helps for both read and write locality (new entities tend to be read more frequently than old entities since FriendFeed pages are ordered reverse-chronologically). Entity bodies are stored as zlib-compressed, pickled Python dictionaries.

Now that the FriendFeed team works at Facebook I suspect they'll end up deciding that a NoSQL database that has solved a good story around replication and fault tolerance is more amenable to solving the problem of building a schema-less database than storing key<->value pairs in a SQL database where the value is a serialized Python object.

As a Web developer it's always a good idea to know what the current practices are in the industry even if they seem a bit too crazy to adopt…yet.

FURTHER READING

JSON vs. XML: Browser Programming Models – Dare Obasanjo on why JSON is more attractive than XML for Web-based mashups due to presenting a friendlier programming model for the browser.
JSON vs. XML: Browser Security Model - Dare Obasanjo on why JSON is more attractive than XML for Web-based mashups due to circumventing some of the browser security constraints placed on XML.

Note Now Playing: Lady Gaga - Poker Face Note

Categories: Web Development | XML Web Services

April 11, 2009

@ 02:47 PM

Some thoughts on memory based architectures (aka why memcached isn't good enough)

Todd Hoff over on the high scalability blog has an interesting post along the vein of my favorite mantra of Disk is the new tape titled Are Cloud Based Memory Architectures the Next Big Thing? where he writes

Why might cloud based memory architectures be the next big thing? For now we'll just address the memory based architecture part of the question, the cloud component is covered a little later.

Behold the power of keeping data in memory:

Google query results are now served in under an astonishingly fast 200ms, down from 1000ms in the olden days. The vast majority of this great performance improvement is due to holding indexes completely in memory. Thousands of machines process each query in order to make search results appear nearly instantaneously.

This text was adapted from notes on Google Fellow Jeff Dean keynote speech at WSDM 2009.

Google isn't the only one getting a performance bang from moving data into memory. Both LinkedIn and Digg keep the graph of their network social network in memory. Facebook has northwards of 800 memcached servers creating a reservoir of 28 terabytes of memory enabling a 99% cache hit rate. Even little guys can handle 100s of millions of events per day by using memory instead of disk.

The entire post is sort of confusing since it seems to mix ideas that should be two or three different blog posts into a single entry. Of the many ideas thrown around in the post, the one I find most interesting is highlighting the trend of treating in-memory storage as a core part of how a system functions not just as an optimization that keeps you from having to go to disk.

The LinkedIn architecture is a great example of this trend. They have servers which they call The Cloud whose job is to cache the site's entire social graph in memory and then have created multiple instances of this cached social graph. Going to disk to satisfy social graph related queries which can require touching data for hundreds to thousands of users is simply never an option. This is different from how you would traditionally treat a caching layer such as ASP.NET caching or typical usage of memcached.

To build such a memory based architecture there are a number of features you need to consider that don't come out of the box in caching product like memcached. The first is data redundancy which is unsupported in memcached. There are forty instances of LinkedIn's in-memory social graph which have to be kept mostly in sync without putting to much pressure on underlying databases. Another feature common to such memory based architectures that you won't find in memcached is transparent support for failover. When your data is spread out across multiple servers, losing a server should not mean that an entire server's worth of data is no longer being served out of the cache. This is especially of concern when you have a decent sized server cloud because it should be expected that servers come and go out of rotation all the time given hardware failures. Memcached users can solve this problem by using libraries that support consistent hashing (my preference) or by keeping a server available as a hot spare with the same IP address as the downed server. The key problem with lack of native failover support is that there is no way to automatically rebalance the workload on the pool of servers are added and removed from the cloud.

For large scale Web applications, if you're going to disk to serve data in your primary scenarios then you're probably doing something wrong. The path most scaling stories take is that people start with a database, partition it and then move to a heavily cached based approach when they start hitting the limits of a disk based system. This is now common knowledge in the pantheon of Web development. What doesn't yet seem to be part of the communal knowledge is the leap from being a cache-based with the option to fall back to a DB to simply being memory-based. The shift is slight but fundamental.

FURTHER READING

Improving Running Components at Twitter: Evan Weaver's presentation on how Twitter improved their performance by two orders of magnitude by increasing their usage of caches and improving their caching policies among other changes. Favorite quote, "Everything runs from memory in Web 2.0".
Defining a data grid: A description of some of the features that an in-memory architecture needs beyond simply having data cached in memory.

Note Now Playing: Ludacris - Last Of A Dying Breed [Ft. Lil Wayne] Note

Categories: Web Development

April 11, 2009

@ 02:47 PM

rev="canonical": DiggBar outrage causes bad ideas to come out of the wood work

Last week, Digg announced the launch of the DiggBar which manages to combine two trends that Web geeks can't stand. It is both a URL shortener (whose problems are captured in the excellent post by Joshua Schachter on URL shorteners) and brings back the trend of one website putting another's content in a frame (which has detailed criticism in the wikipedia article on framing on the World Wide Web).

The increasing popularity of URL shortening services has been fueled by the growth of Twitter. Twitter has a 140 character limit on posts on the site which means users sharing links on the site often have to find some way of shortening URLs to make their content fit within the limit. From my perspective, this is really a problem that Twitter should fix given the amount of collateral damage the growth of these services may end up placing on the Web.

Some Web developers believe this problem can be solved by the judicious use of microformats. One such developer is Chris Shiflett who has written a post entitled Save the Internet with rev="canonical" which states the following

There's a new proposal ("URL shortening that doesn't hurt the Internet") floating around for using rev="canonical" to help put a stop to the URL-shortening madness. It sounds like a pretty good idea, and based on some discussions on IRC this morning, I think a more thorough explanation would be helpful. I'm going to try.
…
This is easiest to explain with an example. I have an article about CSRF located at the following URL:

http://shiflett.org/articles/cross-site-request-forgeries

I happen to think this URL is beautiful. Unfortunately, it is sure to get mangled into some garbage URL if you try to talk about it on Twitter, because it's not very short. I really hate when that happens. What can I do?

If rev="canonical" gains momentum and support, I can offer my own short URL for people who need one. Perhaps I decide the following is an acceptable alternative:

http://shiflett.org/csrf

Here are some clear advantages this URL has over any TinyURL.com replacement:

The URL is mine. If it goes away, it's my fault. (Ma.gnolia reminds us of the potential for data loss when relying on third parties.)

The URL has meaning. Both the domain (shiflett.org) and the path (csrf) are meaningful.

Because the URL has meaning, visitors who click the link know where they're going.

I can search for links to my content; they're not hidden behind an indefinite number of short URLs.

There are other advantages, but these are the few I can think of quickly.

Let's try to walk through how this is expected to work. I type in a long URL like http://www.25hoursaday.com/weblog/2009/03/22/VideoStandardsForAggregatingActivityFeedsAndSocialAggregationServicesAtMIX09Conference.aspx into Twitter. Twitter allows me to post the URL and then crawls the site to see if it has a link tag with a rev="canonical" attribute. It finds one and then replaces the short URL with something like http://www.25hoursaday.com/weblog/MIX09talk which is the alternate short URL I've created for my talk. What could go wrong? Smile

So for this to solve the problem, every site that could potentially be linked to from Twitter (i.e. every website in the world) needs to run their own URL shortening service. Then Twitter needs to make sure to crawl the website behind every URL in every tweet that flows through the system. Oh yeah, and the fact is that the URLs still aren't as efficient as those created by sites like http://tr.im unless everyone buys a short domain name as well.

Sounds like a lot of stars have to align to make this useful to the general populace and not just a hack that is implemented by a couple dozen web geeks.

Note Now Playing: Nas - Hate Me Now (feat. Puff Daddy) Note

Categories: Web Development

March 31, 2009

@ 01:19 PM

Seeking the perfect website: Design vs. Experimentation

Last week, Douglas Bowman posted a screed against making web design based strictly on usage data. In a post entitled Goodbye Google, he wrote

With every new design decision, critics cry foul. Without conviction, doubt creeps in. Instincts fail. “Is this the right move?” When a company is filled with engineers, it turns to engineering to solve problems. Reduce each decision to a simple logic problem. Remove all subjectivity and just look at the data. Data in your favor? Ok, launch it. Data shows negative effects? Back to the drawing board. And that data eventually becomes a crutch for every decision, paralyzing the company and preventing it from making any daring design decisions.

Yes, it’s true that a team at Google couldn’t decide between two blues, so they’re testing 41 shades between each blue to see which one performs better. I had a recent debate over whether a border should be 3, 4 or 5 pixels wide, and was asked to prove my case. I can’t operate in an environment like that. I’ve grown tired of debating such minuscule design decisions. There are more exciting design problems in this world to tackle.

I can’t fault Google for this reliance on data. And I can’t exactly point to financial failure or a shrinking number of users to prove it has done anything wrong. Billions of shareholder dollars are at stake. The company has millions of users around the world to please. That’s no easy task. Google has momentum, and its leadership found a path that works very well.

One thing I love about building web-based software is that there is the unique ability to try out different designs and test them in front of thousands to millions of users without incurring a massive cost. Experimentation practices such as A/B testing and Multivariate testing enable web designers to measure the impact of their designs on the usability of a site on actual users instead of having to resort to theoretical arguments about the quality of the design or waiting until after they've shipped to find out the new design is a mistake.

Experimentation is most useful when you have a clear goal or workflow the design is trying to achieve and you are worried that a design change may impact that goal. A great example of this is how shopping cart recommendations were shipped at Amazon which is recalled in a great story told by Greg Linden in his post Early Amazon: Shopping cart recommendations excerpted below

The idea of recommending items at checkout is nothing new. Grocery stories put candy and other impulse buys in the checkout lanes. Hardware stores put small tools and gadgets near the register. But here we had an opportunity to personalize impulse buys. It is as if the rack near the checkout lane peered into your grocery cart and magically rearranged the candy based on what you are buying.Health food in your cart? Let's bubble that organic dark chocolate bar to the top of the impulse buys. Steaks and soda? Get those snack-sized potato chip bags up there right away.

I hacked up a prototype. On a test site, I modified the Amazon.com shopping cart page to recommend other items you might enjoy adding to your cart. Looked pretty good to me. I started showing it around.While the reaction was positive, there was some concern. In particular, a marketing senior vice-president was dead set against it. His main objection was that it might distract people away from checking out -- it is true that it is much easier and more common to see customers abandon their cart at the register in online retail -- and he rallied others to his cause.

At this point, I was told I was forbidden to work on this any further. I was told Amazon was not ready to launch this feature. It should have stopped there. Instead, I prepared the feature for an online test. I believed in shopping cart recommendations. I wanted to measure the sales impact. I heard the SVP was angry when he discovered I was pushing out a test. But, even for top executives, it was hard to block a test. Measurement is good. The only good argument against testing would be that the negative impact might be so severe that Amazon couldn't afford it, a difficult claim to make. The test rolled out.

The results were clear. Not only did it win, but the feature won by such a wide margin that not having it live was costing Amazon a noticeable chunk of change. With new urgency, shopping cart recommendations launched.

This is a great example of using data to validate a design change instead of relying on gut feel. However one thing that is often overlooked is that the changes still have to be well-designed. Shopping cart recommendations feature on Amazon is designed in such a way that it doesn't break you out of the checkout flow. See below for a screenshot of the current shopping cart recommendation flow on Amazon

On the above page, it is always very clear how to complete the checkout AND the process of adding an item to the cart is a one click process that keeps you on the same page. Sadly, a lot of sites have tried to implement similar features but often end up causing users to abandon shopping carts because the design encourages users to break their flow as part of the checkout process.

One of the places experimentation falls down is when it is used to measure the impact of aesthetic changes to the site when these changes aren't part of a particular workflow (e.g. changing the company logo). Another problem with experimentation is that it may encourage focusing on metrics that are easily measurable to the detriment of other aspects of the user experience. For example, Google's famous holiday logos were a way to show of the fun, light-hearted aspect of their brand. Doing A/B testing on whether people do more searches with or without the holiday logos on the page would miss the point. Similarly, sometimes even if A/B testing does show that a design impacts particular workflows it sometimes is worth it if the message behind the design benefits the brand. For example, take this story from Valleywag "I'm feeling lucky" button costs Google $110 million per year

Google cofounder Sergey Brin told public radio's Marketplace that around one percent of all Google searches go through the "I'm Feeling Lucky" button. Because the button takes users directly to the top search result, Google doesn't get to show search ads on one percent of all its searches. That costs the company around $110 million in annual revenue, according to Rapt's Tom Chavez. So why does Google keep such a costly button around?

"It's possible to become too dry, too corporate, too much about making money. I think what's delightful about 'I'm Feeling Lucky' is that it reminds you there are real people here," Google exec Marissa Mayer explained

~~~

Last night, I stumbled on a design change in Twitter that I suspect wouldn't have been rolled out if it had gone through experimentation first. On the Twitter blog, Biz Stone writes Replies Are Now Mentions

We're updating the Replies feature and referring to it instead as Mentions. In your Twitter sidebar you'll now see your own @username tab. When you click that tab, you'll see a list of all tweets referencing your account with the @username convention anywhere in the tweet—instead of only at the beginning which is how it used to work. So for me it would be all mentions of @biz. For developers, this update will also be included in the APIs.

Compare the above sidebar with the previous one below and which do you think will be more intuitive for new users to understand?

This would be a great candidate to test because the metric is straightforward; compare clicks on the replies tab by new users using the old version as the control and the new version as the test. Then again, maybe they did A/B test it which is why the "@username" text is used instead of "Mentions" which is even more unintuitive. :)

Note Now Playing: Jamie Foxx - Blame It (remix) (feat. T-Pain & Rosco) Note

Categories: Web Development

March 5, 2009

@ 02:22 PM

Yahoo! Updates + Yahoo! Social Directory API (aka Yahoo! Connect)

Yahoo! has thrown their hat in the ring and joined the hottest new trend on the Web, shipping your very own "Connect" technology. What is a "Connect" technology? David Recordon does a good job of summarizing the common characteristics of this new category of technology offerings in his post Anatomy of "Connect" where he wrote

a straw man definition of a "Connect" application:

Profile: Everything having to do with identity, account management and profile information ranging from sign in to sign out on the site I'm connecting with.

Relationships: Think social graph. Answers the question of who do I know on the site I've connected with and how I can invite others.

Content: Stuff. All of my posts, photos, bookmarks, video, links, etc that I've created on the site I've connected with.

Activity: Poked, bought, shared, posted, watched, loved, etc. All of the actions that things like the Activity Streams project are starting to take on.

In my mind, the Goals of all of these "Connect" applications are focused on helping people discover new content, people they already know as well as new people with similar interests.

Facebook launched this trend with their announcement of Facebook Connect which offered an alternative to OpenID by offering a smoother user experience and the opportunity for sites to also leverage their news feed as a viral distribution mechanism. According to the Yahoo! Developer blog there is now a similar offering from Yahoo! announced in their post Extend Your Publishing Reach with JS-Kit + Yahoo! Updates which states

Here's how it works: Integration with the Social Directory API allows JS-Kit to display a user’s Yahoo! nickname and avatar picture on the site. Integration with the Updates API allows JS-Kit to publish an item to the Yahoo! Updates feed when a user adds a comment to a web site powered by JS-Kit. At all times, your users remain in control of their data by leveraging OAuth to broker data access between Yahoo! and JS-Kit.

Yahoo! Updates allow publishers (and publishing partners like JS-Kit), to syndicate user-generated actions (ratings, reviews, comments, favorites, and uploads) to Yahoo!'s massive global distribution network. In the coming months, as Updates are implemented across Yahoo!, publishers will enjoy referral traffic back to their sites from across the Yahoo! Network (more than 500M+ monthly unique visitors).

The more of these "Connect" offerings that are announced the more they seem like introducing a new problem instead of creating a solution. Back in the day, it was easy to argue that having a button on your site is more palatable than the OpenID login box prompting users to enter some obscure URL. However when I go to places like Sun's website and see a comment box with the following

I wonder if this is progress. There are even more perverse cases like StackOverflow whose current login page looks like

Of course, this is just StackOverflow's attempt to make the OpenID sign-in process easier for users instead of having them remember some obscure URL. Still I wonder about the paradox of choice style experience that is being thrown in front of users. Whenever I go to Hacker News I actually forget which of my various Facebook/Windows Live/Google/Yahoo IDs I've previously associated with the site via ClickPass. It actually would have been easier and less confusing for me to just create a regular account on the site like did with Reddit which would also enable cookies to work so I wouldn't have to sign-in every single time.

I also wonder about the unnecessary duplicative efforts it will take sites to integrate all of these different "Connect" offerings as well especially when you consider how radically different APIs like Facebook's friends.get are from Yahoo's Contacts API. I'm typically against premature standardization but when you have almost half a dozen offerings that effectively do the same thing but with radically different APIs it may be time for standards to start showing up.

Note Now Playing: Domino - Sweet Potatoe Pie Note

Categories: Web Development

February 26, 2009

@ 03:30 PM

If your users can't find the feature it might as well not exist

Earlier this morning I was reading a number of comments in response to a submission on reddit.com where I found out that despite being a regular visitor to the site there were multiple useful features I was completely unaware of. Here's a list of features I discovered the site has that I hadn't noticed even though I visit it multiple times a day

Private user-to-user messaging feature including an inbox containing all responses to your comments.
A social networking component which enables you to customize the site so you only see content from your friends.
An option for bookmarking my favorite stories so I could come back to them later

These are all clearly useful features. In fact, some of them are features I'd have lobbied for if ever asked what features I'd like to see added to reddit even though they already existed. Considering that I'm a fairly savvy Web user and visit the site multiple times a day, it is problematic that I'm unaware of valuable features of the site which were the result of valuable effort from the developers at reddit.

This is a very commonplace occurrence in software development. As applications add features without wanting to clutter the interface, they begin to "hide" these features until it gets to the point where their users end up clamoring or pining for features that actually already exist in the application. A famous example of this comes from Jensen Harris' series of posts on the UI changes in Office 2007. There is rather informative post entitled New Rectangles to the Rescue? (Why the UI, Part 4) which contains the following excerpt

Contrary to the conventional wisdom of the naysayers, we weren't (and aren't) "out of ideas" for Office. Customers weren't telling us that they didn't need new features--to the contrary, the list of requests is a mile long. Every version we were putting our heart and soul into developing these new features, undergoing a rigorous process to determine which of the many areas we would invest in during a release, and then working hard to design, test, and ship those features. The only problem was that people weren't finding the very features they asked us to add.

To address the issue above, the Office team effectively dedicated a release to making their existing features discoverable¹. This isn't the only example of a popular application dedicating a release to making features more discoverable instead of adding new features. The Facebook redesign of last year is another famous example of this which has lead to increased usage of the site.

A recent TechCrunch article, Facebook Photos Pulls Away From The Pack shows the effect of the redesign on the usage of the site

...
What accounts for Facebook’s advantage in the photo department? The biggest factor is simply that it is the default photo feature of the largest social network in the world. And of all the viral loops that Facebook benefits from, its Photos app might have the largest viral loop of all built into it. Whenever one of your friends tags a photo with your name, you get an email. This single feature turns a solitary chore—tagging and organizing photos—into a powerful form of communication that connects people through activities they’ve done in the past in an immediate, visual way. I would not be surprised if people click back through to Facebook from those photo notifications at a higher rate than from any other notification, including private messages.

But the tagging feature has been part of Facebook Photos for a long time. What happened in September to accelerate growth? That is when a Facebook redesign went into effect which added a Photos tab on everyone’s personal homepage.

The lesson here is that having a feature isn't enough, making sure your users can easily find and use the feature is just as important. In addition, sometimes the best thing to do for your product isn't to add new features but to make sure the existing features are giving users the best experience.

When you do find out that usage of a feature is low given it's usefulness and relevance to your user base, this is a good time to invest in an experimentation platform where you can perform A/B testing (aka split testing) and multivariate testing. There are a number of off-the-shelf tools for performing such experiments which enable you to test and validate potential redesigns today without unleashing potentially negatively impacting changes to your entire user base.

¹I believe the Office team shipped lots of new features as well in Office 2007, however the biggest change from an end user's perspective was the redesign not new features.

Note Now Playing: Metallica - Harvester of Sorrow Note

Categories: Web Development

February 9, 2009

@ 02:53 PM

Google App Engine on the road to becoming useful for building real web applications

There used to be a time when all you needed when building a Web site was a relational database, a web server and some sort of application server or web framework (terminology depending on whether you are enterprisey or Web 2.0) that acted as a thin layer to translate requests into database queries. As we've grown as an industry we've realized there are a lot more tools needed to build a successful large scale modern web site from messages queues for performing time consuming tasks asynchronously to high availability cloud management tools that ensure your site can keep running in the face of failure.

Leonard Lin has a [must bookmark] blog post entitled Infrastructure for Modern Web Sites where he discusses the underlying platform components you'll commonly see powering a large scale web site in today. The list is included below

I’ve split this into two sections. The first I call “below the line,” which are more system level (some things straddle the line):

API Metering

Backups & Snapshots

Counters

Cloud/Cluster Management Tools

Instrumentation/Monitoring (Ganglia, Nagios)

Failover

Node addition/removal and hashing

Autoscaling for cloud resources

CSRF/XSS Protection

Data Retention/Archival

Deployment Tools

Multiple Devs, Staging, Prod

Data model upgrades

Rolling deployments

Multiple versions (selective beta)

Bucket Testing

Rollbacks

CDN Management

Distributed File Storage

Distributed Log storage, analysis

Graphing

HTTP Caching

Input/Output Filtering

Memory Caching

Non-relational Key Stores

Rate Limiting

Relational Storage

Queues

Rate Limiting

Real-time messaging (XMPP)

Search

Ranging

Geo

Sharding

Smart Caching

dirty-table management

Leonard Lin's list comes from his experience working at Yahoo! but it is consistent with what I've seen at Windows Live and from comparing notes from publications on the platforms behind other large scale web services like Facebook, eBay and Google. This isn't to say you need everything on the above list to build a successful web site but there are limits to how much a service can scale or the functionality it can provide without implementing almost every item on that list.

This brings me to Google App Engine (GAE) which is billed as a way for developers to build web applications that are easy to build, maintain and scale. The problem I had with GAE when I took an initial look at its service is that although it handles some of the tough items from the above list such as the need for high availability cloud management tools, deployment tools and database sharding, it was also missing some core functionality like message queues. These oversights made it impossible to build large classes of Web applications such as search engines or email services. It also made it impossible to build asynchronous workflows in ways that improve responsiveness of the site from an end user's perspective by reducing request latency.

So it was with some interest I read Joe Gregorio's post on the Google App Engine blog entitled A roadmap update! where he updates the product's roadmap with the following announcement

The App Engine team has been plugging away and we're excited about some pretty big announcements in the near future. In the meantime, we decided to refresh our App Engine roadmap for the next six months with some of the great new APIs in our pipeline:

Support for running scheduled tasks

Task queues for performing background processing

Ability to receive and process incoming email

Support for sending and receiving XMPP (Jabber) messages

As always, keep in mind that development schedules are notoriously difficult to predict, and release dates may change as work progresses. We'll do our best to update this roadmap as our engineers continue development and keep you abreast of any changes!

The ability to send email and the ability to perform background processing tasks are key features you'd need in any modern site. I've been wanting to try out GAE as a way to keep my Python skills fresh but have balked at the lack of background tasks and message queues which artificially limits my creativity. Once these announced features are done, I may have to take back my comments about GAE being only useful to toy applications.

Maybe next time C|Net asks Is Google App Engine successful? the answer will be "Yes". Or at least the possibility that the answer will be "Yes" will go up a few orders of magnitude since it definitely doesn't seem to be successful today.

Note Now Playing: Playa Fly - Feel Me Note

Categories: Web Development

January 16, 2009

@ 02:23 PM

Building Scalable Databases: Pros and Cons of Various Database Sharding Schemes

Database sharding is the process of splitting up a database across multiple machines to improve the scalability of an application. The justification for database sharding is that after a certain scale point it is cheaper and more feasible to scale a site horizontally by adding more machines than to grow it vertically by adding beefier servers.

Why Shard or Partition your Database?

Let's take Facebook.com as an example. In early 2004, the site was mostly used by Harvard students as a glorified online yearbook. You can imagine that the entire storage requirements and query load on the database could be handled by a single beefy server. Fast forward to 2008 where just the Facebook application related page views are about 14 billion a month (which translates to over 5,000 page views per second, each of which will require multiple backend queries to satisfy). Besides query load with its attendant IOPs, CPU and memory cost there's also storage capacity to consider. Today Facebook stores 40 billion physical files to represent about 10 billion photos which is over a petabyte of storage. Even though the actual photo files are likely not in a relational database, their metadata such as identifiers and locations still would require a few terabytes of storage to represent these photos in the database. Do you think the original database used by Facebook had terabytes of storage available just to store photo metadata?

At some point during the development of Facebook, they reached the physical capacity of their database server. The question then was whether to scale vertically by buying a more expensive, beefier server with more RAM, CPU horsepower, disk I/O and storage capacity or to spread their data out across multiple relatively cheap database servers. In general if your service has lots of rapidly changing data (i.e. lots of writes) or is sporadically queried by lots of users in a way which causes your working set not to fit in memory (i.e. lots of reads leading to lots of page faults and disk seeks) then your primary bottleneck will likely be I/O. This is typically the case with social media sites like Facebook, LinkedIn, Blogger, MySpace and even Flickr. In such cases, it is either prohibitively expensive or physically impossible to purchase a single server to handle the load on the site. In such situations sharding the database provides excellent bang for the buck with regards to cost savings relative to the increased complexity of the system.

Now that we have an understanding of when and why one would shard a database, the next step is to consider how one would actually partition the data into individual shards. There are a number of options and their individual tradeoffs presented below – Pseudocode / Joins

How Sharding Changes your Application

In a well designed application, the primary change sharding adds to the core application code is that instead of code such as

//string connectionString = @"Driver={MySQL};SERVER=dbserver;DATABASE=CustomerDB;"; <-- should be in web.config
string connectionString = ConfigurationSettings.AppSettings["ConnectionInfo"];          
OdbcConnection conn = new OdbcConnection(connectionString);
conn.Open();
          
OdbcCommand cmd = new OdbcCommand("SELECT Name, Address FROM Customers WHERE CustomerID= ?", conn);
OdbcParameter param = cmd.Parameters.Add("@CustomerID", OdbcType.Int);
param.Value = customerId; 
OdbcDataReader reader = cmd.ExecuteReader();

the actual connection information about the database to connect to depends on the data we are trying to store or access. So you'd have the following instead

string connectionString = GetDatabaseFor(customerId);          
OdbcConnection conn = new OdbcConnection(connectionString);
conn.Open();
         
OdbcCommand cmd = new OdbcCommand("SELECT Name, Address FROM Customers WHERE CustomerID= ?", conn);
OdbcParameter param = cmd.Parameters.Add("@CustomerID", OdbcType.Int);
param.Value = customerId; 
OdbcDataReader reader = cmd.ExecuteReader();

the assumption here being that the GetDatabaseFor() method knows how to map a customer ID to a physical database location. For the most part everything else should remain the same unless the application uses sharding as a way to parallelize queries.

A Look at a Some Common Sharding Schemes

There are a number of different schemes one could use to decide how to break up an application database into multiple smaller DBs. Below are four of the most popular schemes used by various large scale Web applications today.

Vertical Partitioning: A simple way to segment your application database is to move tables related to specific features to their own server. For example, placing user profile information on one database server, friend lists on another and a third for user generated content like photos and blogs. The key benefit of this approach is that is straightforward to implement and has low impact to the application as a whole. The main problem with this approach is that if the site experiences additional growth then it may be necessary to further shard a feature specific database across multiple servers (e.g. handling metadata queries for 10 billion photos by 140 million users may be more than a single server can handle).
Range Based Partitioning: In situations where the entire data set for a single feature or table still needs to be further subdivided across multiple servers, it is important to ensure that the data is split up in a predictable manner. One approach to ensuring this predictability is to split the data based on values ranges that occur within each entity. For example, splitting up sales transactions by what year they were created or assigning users to servers based on the first digit of their zip code. The main problem with this approach is that if the value whose range is used for partitioning isn't chosen carefully then the sharding scheme leads to unbalanced servers. In the previous example, splitting up transactions by date means that the server with the current year gets a disproportionate amount of read and write traffic. Similarly partitioning users based on their zip code assumes that your user base will be evenly distributed across the different zip codes which fails to account for situations where your application is popular in a particular region and the fact that human populations vary across different zip codes.
Key or Hash Based Partitioning: This is often a synonym for user based partitioning for Web 2.0 sites. With this approach, each entity has a value that can be used as input into a hash function whose output is used to determine which database server to use. A simplistic example is to consider if you have ten database servers and your user IDs were a numeric value that was incremented by 1 each time a new user is added. In this example, the hash function could be perform a modulo operation on the user ID with the number ten and then pick a database server based on the remainder value. This approach should ensure a uniform allocation of data to each server. The key problem with this approach is that it effectively fixes your number of database servers since adding new servers means changing the hash function which without downtime is like being asked to change the tires on a moving car.
Directory Based Partitioning: A loosely couples approach to this problem is to create a lookup service which knows your current partitioning scheme and abstracts it away from the database access code. This means the GetDatabaseFor() method actually hits a web service or a database which actually stores/returns the mapping between each entity key and the database server it resides on. This loosely coupled approach means you can perform tasks like adding servers to the database pool or change your partitioning scheme without having to impact your application. Consider the previous example where there are ten servers and the hash function is a modulo operation. Let's say we want to add five database servers to the pool without incurring downtime. We can keep the existing hash function, add these servers to the pool and then run a script that copies data from the ten existing servers to the five new servers based on a new hash function implemented by performing the modulo operation on user IDs using the new server count of fifteen. Once the data is copied over (although this is tricky since users are always updating their data) the lookup service can change to using the new hash function without any of the calling applications being any wiser that their database pool just grew 50% and the database they went to for accessing John Doe's pictures five minutes ago is different from the one they are accessing now.

Problems Common to all Sharding Schemes

Once a database has been sharded, new constraints are placed on the operations that can be performed on the database. These constraints primarily center around the fact that operations across multiple tables or multiple rows in the same table no longer will run on the same server. Below are some of the constraints and additional complexities introduced by sharding

Joins and Denormalization – Prior to sharding a database, any queries that require joins on multiple tables execute on a single server. Once a database has been sharded across multiple servers, it is often not feasible to perform joins that span database shards due to performance constraints since data has to be compiled from multiple servers and the additional complexity of performing such cross-server.

A common workaround is to denormalize the database so that queries that previously required joins can be performed from a single table. For example, consider a photo site which has a database which contains a user_info table and a photos table. Comments a user has left on photos are stored in the photos table and reference the user's ID as a foreign key. So when you go to the user's profile it takes a join of the user_info and photos tables to show the user's recent comments. After sharding the database, it now takes querying two database servers to perform an operation that used to require hitting only one server. This performance hit can be avoided by denormalizing the database. In this case, a user's comments on photos could be stored in the same table or server as their user_info AND the photos table also has a copy of the comment. That way rendering a photo page and showing its comments only has to hit the server with the photos table while rendering a user profile page with their recent comments only has to hit the server with the user_info table.

Of course, the service now has to deal with all the perils of denormalization such as data inconsistency (e.g. user deletes a comment and the operation is successful against the user_info DB server but fails against the photos DB server because it was just rebooted after a critical security patch).
Referential integrity – As you can imagine if there's a bad story around performing cross-shard queries it is even worse trying to enforce data integrity constraints such as foreign keys in a sharded database. Most relational database management systems do not support foreign keys across databases on different database servers. This means that applications that require referential integrity often have to enforce it in application code and run regular SQL jobs to clean up dangling references once they move to using database shards.

Dealing with data inconsistency issues due to denormalization and lack of referential integrity can become a significant development cost to the service.
Rebalancing (Updated 1/21/2009) – In some cases, the sharding scheme chosen for a database has to be changed. This could happen because the sharding scheme was improperly chosen (e.g. partitioning users by zip code) or the application outgrows the database even after being sharded (e.g. too many requests being handled by the DB shard dedicated to photos so more database servers are needed for handling photos). In such cases, the database shards will have to be rebalanced which means the partitioning scheme changed AND all existing data moved to new locations. Doing this without incurring down time is extremely difficult and not supported by any off-the-shelf today. Using a scheme like directory based partitioning does make rebalancing a more palatable experience at the cost of increasing the complexity of the system and creating a new single point of failure (i.e. the lookup service/database).

What is it?

Although the main website is somewhat light on details, I eventually gleaned enough information from the Live Framework SDK documentation on MSDN to conclude that LiveFX consists of the following pieces

A Resource Model: A set of RESTful APIs for interacting with Live Mesh and Windows Live data.
Libraries: A set of libraries for the .NET Framework, Silverlight and Javascript for accessing the REST APIs.
The Live Operating Environment: A local web server that implements #1 above so it can be programmed against using #2 above.

The Scary Architecture Diagram

This diagram tries to capture all the ideas in LiveFX in a single image. I found it somewhat overwhelming and after learning more about LiveFX I consider it to be a rather poor way of conveying across its key concepts. It doesn't help that this diagram is somewhat aspirational given that some key pieces of the diagram are missing from the current technology preview.

The Resource Model

Live Mesh and Windows Live data is exposed by LiveFX as a set of resources identified by URIs which can be interacted with via the Atom Publishing Protocol (RFC 5023). Relationships between resources are exposed as hyperlinks between resources. The hierarchical data model currently exposed in the CTP is shown in the diagram below taken from the MSDN documentation.

It should be noted that although AtomPub is the primary protocol for interacting with resources in LiveFX, multiple serialization formats can be used to retrieve data from the service including Atom, RSS, Plain Old XML (POX), JSON or even binary XML.

Since LiveFX is a fully compliant implementation of the Atom Publishing Protocol, one can browse to the service document of a user's Mesh or other top level resource and traverse links to various Atom collections and feeds in the hierarchy. Below is a screenshot of the LiveFX resource browser showing the service document for a user's Mesh with the links to various child collections exposed as hyperlinks.

Besides supporting multiple serialization formats, there are a number of other features of LiveFX that separate it from a vanilla implementation of the Atom Publishing Protocol.

Synchronization via FeedSync: Mesh resources in LiveFX can be synchronized using FeedSync (formerly Simple Sharing Extensions). FeedSync is a family of extensions to RSS and Atom that enables bidirectional synchronization of XML feeds and the resources they reference. However synchronization in LiveFX is based on a client/server model instead of a peer-to-peer model which means that instead of the server subscribing to changes from the client and vice versa, clients subscribe to changes from the server and then inform the server when they make a change. More information about how LiveFX implements FeedSync can be found here.
Query Model and Linq to REST: LiveFX supports the same URI query parameters for paging, sorting, filtering and inline expansion of linked resources as other Microsoft cloud-based data APIs including ADO.NET Data Services (formerly Astoria), SQL Server Data Services and Windows Azure Storage services. One of the benefits of this consistency is that the ADO.NET client libraries can be used to perform Linq queries over the LiveFX data types using a technology that has been colloquially described as Linq to REST. For example, the following C# Linq query actually executes HTTP GET requests using the $filter parameter under the covers.
```
MeshObject GetMeshObjectByTitle(string title)
       {
           MeshObject meshObject = (from mo in mesh.CreateQuery<MeshObject>()
                                    where mo.Resource.Title == title
                                    select mo).FirstOrDefault<MeshObject>();

           return meshObject;
       }
```
The HTTP request this makes over the wire is

GET https://user-ctp.windows.net/V0.1/Mesh/MeshObjects/{meshObjectID}/DataFeeds/?$filter=(Title eq ‘WhateverWasPassedIn’)
Batch Requests via Resource Scripts: LiveFX supports batching using a construct known as resource scripts. Using resource scripts a developer can submit a single request which contains multiple create, retrieve, update and delete operations at once. A resource script consists of a control flow statement which can contain one or more control flow statements, web operation statements, synchronization statements, data flow constructs and data flow statements. You can find out more about resource scripts by reading the document About Live Framework Resource Scripts on the LiveFX developer site.
Resource Introspection via OPTIONS: One problem that commonly occurs in REST APIs is determining which operations a resource supports. Some protocols like OpenSocial specify a mechanism where HTTP responses should indicate which parameters are not supported. The problem with this approach is that the client has to first make an HTTP request then have it fail before determining if the feature is supported. LiveFX supports the HTTP OPTIONS verb on every resource. By performing the following HTTP request
OPTIONS https:// user-ctp.windows.net/V0.1/{UserID}/Mesh/MeshObjects/{meshObjectID}
a client can retrieve an introspection metadata document which describes what query parameters and serialization formats the resource supports. The $metadata query parameter can also be used to retrieve the introspection metadata document. This enables clients using libraries that don't support making HTTP OPTIONS requests to also be able to retrieve introspection metadata.
Support for Portable Contacts: By specifying the parameter $type=portable when requesting contact data, the results will be returned in the Portable Contacts schema format as either JSON or Plain Old XML.

The Libraries

Like most major Web vendors who have exposed REST APIs, Microsoft has provided client libraries to make interacting with the LiveFX service more natural for developers who aren't comfortable programming directly against HTTP. The following client libraries are provided

A generic AtomPub client library for the .NET Framework. Learn more about programming with it here.
A .NET Framework library which provides a high-level object model for interacting with the LiveFX service. More details here.
A Javascript library which provides a high-level object model for interacting with the LiveFX service. Programming samples can be found here.

The Live Operating Environment

The Live Operating Environment refers to two things. The first is the Web platform upon which the LiveFX REST APIs are implemented. The second is a local cache which runs on your PC or other device which exposes the same REST interface as the LiveFX Web service. This is somewhat similar to Google Gears except that the database is accessed RESTfully instead of via a SQL API.

The intent of the local version of the Live Operating Environment is to enable developers to be able to build apps that target the desktop or the Web without having to change their programming model. All that needs to be altered is changing the base URI from https://user-ctp.windows.net to http://localhost:2048 when accessing LiveFX resources. Everything else works exactly the same.

The Bottom Line

As the title of this blog post states there is a lot of similarity in concept between LiveFX and Google's Data APIs (GData). Like GData, LiveFX provides a consistent set of AtomPub based APIs for accessing resources from a particular vendor's online services along with a set of client libraries that wrap these RESTful APIs. And just like GData, there are Microsoft-specific extensions to the Atom syndication format and custom query parameters for sorting, filtering and paging. LiveFX also supports batching like GData, however from my perspective adding batching to a Web service seems like an attempt to reinvent distributed transactions. This is a bad idea given the flaws of distributed transactions that are well discussed in Pat Helland's excellent paper Life beyond Distributed Transactions: An Apostate's Opinion.

A number of LiveFX's additional features such as synchronization and resource introspection which have no analog in GData are fairly interesting and I wouldn't be surprised to see these ideas get further traction in the industry. On the flip side, the client-side Live Operating Environment is a technology whose benefits elude me. I admit it is kind of cool but I can't see its utility.

Note Now Playing: John Legend - Green Light (feat. Andre 3000) Note

Categories: Web Development | Windows Live

November 9, 2008

@ 12:46 PM

In-Memory Caching: Why We Can't Just Trust the Database to get it Right

I remember taking an operating systems class in college and marveling at the fact that operating system design seemed less about elegant engineering and more about [what I viewed at the time as] performance hacks. I saw a similar sentiment recently captured by Eric Florenzano in his post It's Caches All the Way Down where he starts describing how a computer works to a friend and ends up talking about the various layers of caching from CPU registers to L2 caches to RAM and so on.

At the end of his post Eric Florenzano asks the following question I've often heard at work and in developer forums like programming.reddit

That's what struck me. When you come down to it, computers are just a waterfall of different caches, with systems that determine what piece of data goes where and when. For the most part, in user space, we don't care about much of that either. When writing a web application or even a desktop application, we don't much care whether a bit is in the register, the L1 or L2 cache, RAM, or if it's being swapped to disk. We just care that whatever system is managing that data, it's doing the best it can to make our application fast.

But then another thing struck me. Most web developers DO have to worry about the cache. We do it every day. Whether you're using memcached or velocity or some other caching system, everyone's manually moving data from the database to a cache layer, and back again. Sometimes we do clever things to make sure this cached data is correct, but sometimes we do some braindead things. We certainly manage the cache keys ourselves and we come up with systems again and again to do the same thing.

Does this strike anyone else as inconsistent? For practically every cache layer down the chain, a system (whose algorithms are usually the result of years and years of work and testing) automatically determines how to best utilize that cache, yet we do not yet have a good system for doing that with databases. Why do you think that is? Is it truly one of the two hard problems of computer science? Is it impossible to do this automatically? I honestly don't have the answers, but I'm interested if you do.

Eric is simultaneously correct and incorrect in his statements around caching and database layers. Every modern database system has caching mechanisms that are transparent to the developer. For LAMP developers there is the MySQL Query Cache which transparently caches the text of SELECT query and the results so that the next time the query is performed it is fetched from memory. For WISC developers there are the SQL Server's Data and Procedure caches which store query plans and their results to prevent having to repeatedly perform expensive computations or go to disk to fetch recently retrieved data. As with everything in programming, developers can eke more value out of these caches by knowing how they work. For example, using parameterized queries or stored procedures significantly reduces the size of the procedure cache in SQL Server. Tony Rogerson wrote an excellent post where he showed how switching from SQL queries based on string concatenation to parameterized queries can reduce the size of a procedure cache from over 1 Gigabyte to less than 1 Megabyte. This is similar to understanding how garbage collection or memory allocation works teaches developers to favor recycling objects instead of creating new ones and favoring arrays over linked lists to reduce memory fragmentation.

Even though there are caching mechanisms built into relational databases that are transparent to the developer, they typically aren't sufficient for high performance applications with significant amounts of read load. The biggest problem is hardware limitations. A database server will typically have twenty to fifty times more hard drive storage capacity than it has memory. Optimistically this means a database server can cache about 5% to 10% of its entire data in memory before having to go to disk. In comparison, lets look at some statistics from a popular social networking site (i.e. Facebook)

48% of active users log-in daily
49.9 average pages a day viewed per unique user

How much churn do you think the database cache goes through if half of the entire user base is making data requests every day? This explains why Facebook has over 400 memcached hosts storing over 5 Terabytes of data in-memory instead of simply relying on the query caching features in MySQL. This same consideration applies for the majority of social media and social networking sites on the Web today.

So the problem isn't a lack of transparent caching functionality in relational databases today. The problem is the significant differences in the storage and I/O capacity of memory versus disk in situations where a large percentage of the data set needs to be retrieved regularly. In such cases, you want to serve as much data from memory as possible which means going beyond the physical memory capacity of your database server and investing in caching servers.

Note Now Playing: Kanye West - Two Words (feat. Mos Def, Freeway & The Harlem Boys Choir) Note

Categories: Web Development

November 7, 2008

@ 03:43 PM

Why Google Forked OpenID and Other Stories

The more I learn about OpenID, the more it reminds me of XML in that it is a suboptimal solution to the primary problem people are using it to solve. Recently I've seen OpenID geeks berating large vendors like Microsoft, Yahoo and Google for the way they've incorrectly implemented OpenID. Looking at these situations it has become clear that the problem OpenID solves is actually different from the problem these companies are trying to solve.

What OpenID Gives Us

So what is the problem that OpenID solves? For this I'll go back to one of the original emails on OpenID from it's founder Brad Fitzpatrick way back in 2005. In that email Brad wrote

So LiveJournal for user "bob" would positively assert the follow root URLs as being owned by bob:

http://www.livejournal.com/users/bob/
http://www.livejournal.com/~bob/
http://bob.livejournal.com/

And for those geeks out there with their own domain names (yes, I'm one, and you're one, but we're not the common case), you either run your own identity server, or you use somebody else's that's paranoid. For example, LiveJournal's would only assert off-site URLs which come to us with a rel="me" type of deal (not using XFN) as we currently do,with ljuser_sha1=9233b6f5388d6867a2a7be14d8b4ba53c86cfde2

OpenID is all about confirming that a user "owns" a URI. The expectation is that users have a URI that they have memorized and enter it into sites that support OpenID (i.e. Relying Parties) so that they can be authenticated. This breaks down in a number of situations.

Users of email services don't have a URI that they own, they have an email address.
Some users of social networking sites may have a URI but they don't have it memorized. for example I don't know anyone who has memorized the URL to their Facebook profile. Mine is http://www.facebook.com/p/Dare_Obasanjo/500050028 for anyone interested.

As different Web vendors have begun implementing OpenID, they've began to run into situations where OpenID's design breaks down for their users. Unsurprisingly a number of OpenID proponents have described these issues as usability issues as opposed to design problems.

Google's OpenID Woes

The most notorious example of a mainstream vendor colliding with the design mismatch between OpenID and their target domain is Google's implementation of OpenID. In a post entitled Google Abandons Standards, Forks OpenID we have the following excerpt

whatever it is that Google has released support for, it sure as hell isn’t OpenID, as they even so kindly point out in their OpenID developer documentation (that media outlets certainly won’t be reading):

The web application asks the end user to log in by offering a set of log-in options, including Google.

The user selects the "Sign in with Google" option.

The web application sends a "discovery" request to Google to get information on the Google authentication endpoint. This is a departure from the process outlined in OpenID 1.0. [Emphasis added]

Google returns an XRDS document, which contains endpoint address.

The web application sends a login authentication request to the Google endpoint address.

This action redirects the user to a Google Federated Login page.

As Google points out, this isn’t OpenID. This is something that Google cooked up that resembles OpenID masquerading as OpenID since that’s what people want to see – and that’s what Microsoft announced just the day before.

It’s not just a “departure” from OpenID, it’s a whole new standard.

With OpenID, the user memorizes a web URI, and provides it to the sites he or she would like to sign in to. The site then POSTs an OpenID request to that URI where the OpenID backend server proceeds to perform the requested authentication.

In Google’s version of the OpenID “standard,” users would enter their @gmail.com email addresses in the OpenID login box on OpenID-enabled sites, who would then detect that a Google email was entered. The server then requests permission from Google to use the OpenID standard in the first place by POSTing an XML document to Google’s “OpenID” servers. If Google decides it’ll accept the request from the server, it’ll return an XML document back to the site in question that contains a link to the actual OpenID URI for the email account in question.

The key problem Google had with their OpenID implementation is that they want their users to log-in with information they know (i.e. their gmail address) instead of some made up URL that is their Google OpenID identifier. Since only the Über geeks in their user base would know their Google OpenID URL if they went with that approach. With Google's approach meant that only sites that had been hardcoded to support Google's flavor of OpenID would be supported.

Thankfully, the outcry from the OpenID community was heard by the folks at Google and they've reversed their decision. Instead they will support OpenID discovery on gmail.com and so users just have to know that domain name and then the OpenID authentication process kicks off from there. The intent is for Google's OpenID implementation to eventually mirror the functionality of Yahoo's OpenID implementation.

It Isn't Over Yet

It should be noted that as Google aspires to have an OpenID implementation that is as compliant as Yahoo's, OpenID experts have also criticized Yahoo's implementation. Specifically Sam Ruby in his post OpenId Minus Id Equals Wide Open writes

Martin Atkins: Yahoo!'s OP and now it seems Microsoft’s OP both ignore the value of openid.identity provided to them, and just return an assertion for whatever user’s logged in.

I may ultimately need to black-list such ids.

Looking at live.com instructions:

At any Web site that supports OpenID 2.0, type openid.live-INT.com in the OpenID login box to sign in to that site by means of your Windows Live ID OpenID alias.

If everybody uses the same URI, I can’t tell them apart. That doesn’t concern me much, but do find it a bit distressing that that’s the recommended usage.

The problem goes back to the original role of OpenID as being a way for a user to claim that they own a URI. As Sam points out, some of the techniques being used to "improve usability" now run counter to the spirit of the original specification.

Only time will tell if by the time all is said and done, it won't seem like we've been trying to shove a square peg in a round hole all these years.

Note Now Playing: Kanye West - Heartless Note

Categories: Web Development

October 24, 2008

@ 08:58 AM

REST API Design: Invent Media Types, Not Protocols and Understand the Importance of Hyperlinks

Early this week, Roy Fieldings wrote a post entitled REST APIs must be hypertext-driven where he criticized the SocialSite REST API (a derivative of the OpenSocial REST API) for violating some constraints of the Representational State Transfer architectural style (aka REST). Roy's key criticisms were

API designers, please note the following rules before calling your creation a REST API:

…

…

A REST API should spend almost all of its descriptive effort in defining the media type(s) used for representing resources and driving application state, or in defining extended relation names and/or hypertext-enabled mark-up for existing standard media types. Any effort spent describing what methods to use on what URIs of interest should be entirely defined within the scope of the processing rules for a media type (and, in most cases, already defined by existing media types). [Failure here implies that out-of-band information is driving interaction instead of hypertext.]

A REST API must not define fixed resource names or hierarchies (an obvious coupling of client and server). Servers must have the freedom to control their own namespace. Instead, allow servers to instruct clients on how to construct appropriate URIs, such as is done in HTML forms and URI templates, by defining those instructions within media types and link relations. [Failure here implies that clients are assuming a resource structure due to out-of band information, such as a domain-specific standard, which is the data-oriented equivalent to RPC's functional coupling].

..

A REST API should be entered with no prior knowledge beyond the initial URI (bookmark) and set of standardized media types that are appropriate for the intended audience (i.e., expected to be understood by any client that might use the API). From that point on, all application state transitions must be driven by client selection of server-provided choices that are present in the received representations or implied by the user’s manipulation of those representations. The transitions may be determined (or limited by) the client’s knowledge of media types and resource communication mechanisms, both of which may be improved on-the-fly (e.g., code-on-demand). [Failure here implies that out-of-band information is driving interaction instead of hypertext.]

In reading some of the responses to Roy's post on programming.reddit it seems there are of number of folks who found it hard to glean practical advice from Roy's post. I thought it be useful to go over his post in more depth and with some examples.

The key thing to remember is that REST is about building software that scales to usage on the World Wide Web by being a good participant of the Web ecosystem. Ideally a RESTful API should be designed to be implementable by thousands of websites and consumed by hundreds of applications running on dozens of platforms with zero coupling between the client applications and the Web services. A great example of this is RSS/Atom feeds which happen to be one of the world's most successful RESTful API stories.

This notion of building software that scales to Web-wide usage is critical to understanding Roy's points above. The first point above is that a RESTful API should primarily be concerned about data payloads and not defining how URI end points should handle various HTTP methods. For one, sticking to defining data payloads which are then made standard MIME types gives maximum reusability of the technology. The specifications for RSS 2.0 (application/xml+rss) and the Atom syndication format (application/xml+atom) primarily focus on defining the data format and how applications should process feeds independent of how they were retrieved. In addition, both formats are aimed at being standard formats that can be utilized by any Web site as opposed to being tied to a particular vendor or Web site which has aided their adoption. Unfortunately, few have learned from these lessons and we have people building RESTful APIs with proprietary data formats that aren't meant to be shared. My current favorite example of this is social graph/contacts APIs which seem to be getting reinvented every six months. Google has the Contacts Data API, Yahoo! has their Address Book API, Microsoft has the Windows Live Contacts API, Facebook has their friends REST APIs and so on. Each of these APIs claims to be RESTful in its own way yet they are helping to fragment the Web instead of helping to grow it. There have been some moves to address this with the OpenSocial influenced Portable Contacts API but it too shies away from standard MIME types and instead creates dependencies on URL structures to dictate how the data payloads should be retrieved/processed.

One bad practice Roy calls out, which is embraced by the Portable Contacts and SocialSite APIs, is requiring a specific URL structure for services that implement the API. Section 6.2 of the current Portable Contacts API spec states the following

A request using the Base URL alone MUST yield a result, assuming that adequate authorization credentials are provided. In addition, Consumers MAY append additional path information to the Base URL to request more specific information. Service Providers MUST recognize the following additional path information when appended to the Base URL, and MUST return the corresponding data:

/@me/@all -- Return all contact info (equivalent to providing no additional path info)

/@me/@all/{id} -- Only return contact info for the contact whose id value is equal to the provided {id}, if such a contact exists. In this case, the response format is the same as when requesting all contacts, but any contacts not matching the requested ID MUST be filtered out of the result list by the Service Provider

/@me/@self -- Return contact info for the owner of this information, i.e. the user on whose behalf this request is being made. In this case, the response format is the same as when requesting all contacts, but any contacts not matching the requested ID MUST be filtered out of the result list by the Service Provider.

The problem with this approach is that it assumes that every implementer will have complete control of their URI space and that clients should have URL structures baked into them. The reason this practice is a bad idea is well documented in Joe Gregorio's post No Fishing - or - Why 'robots.txt and 'favicon.ico' are bad ideas and shouldn't be emulated where he lists several reasons why hard coded URLs are a bad idea. The reasons against include lack of extensibility and poor support for people in hosted environments who may not fully control their URI space. The interesting thing to note is that both the robots.txt and favicon.ico scenarios eventually developed mechanisms to support using hyperlinks on the source page (i.e. noindex and rel="shortcut icon") instead of hard coded URIs since that practice doesn't scale to Web-wide usage.

The latest drafts of the OpenSocial specification have a great example of how a service can use existing technologies such as URI templates to make even complicated URL structures to be flexible and discoverable without having to force every client and service to hardcode a specific URL structure. Below is an excerpt from the discovery section of the current OpenSocial REST API spec

A container declares what collection and features it supports, and provides templates for discovering them, via a simple discovery document. A client starts the discovery process at the container's identifier URI (e.g., example.org). The full flow is available athttp://xrds-simple.net/core/1.0/; in a nutshell:

Client GETs {container-url} with Accept: application/xrds+xml
Container responds with either an X-XRDS-Location: header pointing to the discovery document, or the document itself.
If the client received an X-XRDS-Location: header, follow it to get the discovery document.

The discovery document is an XML file in the same format used for OpenID and OAuth discovery, defined at http://xrds-simple.net/core/1.0/:

<XRDS xmlns="xri://$xrds">
    <XRD xmlns:simple="http://xrds-simple.net/core/1.0" xmlns="xri://$XRD*($v*2.0)" xmlns:os="http://ns.opensocial.org/2008/opensocial" version="2.0">
        <Type>xri://$xrds*simple</Type>
        <Service>
          <Type>http://ns.opensocial.org/2008/opensocial/people</Type>
          <os:URI-Template>http://api.example.org/people/{guid}/{selector}{-prefix|/|pid}</os:URI-Template>
        </Service>
        <Service>
          <Type>http://ns.opensocial.org/2008/opensocial/groups</Type>
          <os:URI-Template>http://api.example.org/groups/{guid}</os:URI-Template>
        </Service>
        <Service
          <Type>http://ns.opensocial.org/2008/opensocial/activities</Type>
          <os:URI-Template>http://api.example.org/activities/{guid}/{appid}/{selector}</os:URI-Template>
        </Service>
        <Service>
          <Type>http://ns.opensocial.org//2008/opensocial/appdata</Type>
          <os:URI-Template>http://api.example.org/appdata/{guid}/{appid}/{selector}</os:URI-Template>
        </Service>
        <Service>
          <Type>http://ns.opensocial.org//2008/opensocial/messages</Type>
          <os:URI-Template>http://api.example.org/messages/{guid}/{selector}</os:URI-Template>
        </Service>
    </XRD>
</XRDS>

This approach makes it possible for a service to expose the OpenSocial end points however way it sees fit without clients having to expect a specific URL structure.

Similarly links should be used for describing relationships between resources in the various payloads instead of expecting hard coded URL structures. Again, I'm drawn to the example of RSS & Atom feeds where link relations are used for defining the permalink to a feed item, the link to related media files (i.e. podcasts), links to comments, etc instead of applications expecting that every Web site that supports enclosures should have /@rss/{id}/@podcasts URL instead of just examining the <enclosure> element.

Thus it is plain to see that hyperlinks are important both for discovery of service end points and for describing relationships between resources in a loosely coupled way.

Note Now Playing: Prince - When Doves Cry Note

Categories: Web Development | XML Web Services

October 19, 2008

@ 08:47 AM

Cloud Computing and Vendor Lock-In

Tim Bray has a thought provoking post on embracing cloud computing entitled Get In the Cloud where he brings up the problem of vendor lock-in. He writes

Tech Issue · But there are two problems. The small problem is that we haven’t quite figured out the architectural sweet spot for cloud platforms. Is it Amazon’s EC2/S3 “Naked virtual whitebox” model? Is it a Platform-as-a-service flavor like Google App Engine? We just don’t know yet; stay tuned.

Big Issue · I mean a really big issue: if cloud computing is going to take off, it absolutely, totally, must be lockin-free. What that means if that I’m deploying my app on Vendor X’s platform, there have to be other vendors Y and Z such that I can pull my app and its data off X and it’ll all run with minimal tweaks on either Y or Z.

At the moment, I don’t think either the Amazon or Google offerings qualify.

Are we so deranged here in the twenty-first century that we’re going to re-enact, wide-eyed, the twin tragedies of the great desktop-suite lock-in and the great proprietary-SQL lock-in? You know, the ones where you give a platform vendor control over your IT budget? Gimme a break.

I’m simply not interested in any cloud offering at any level unless it offers zero barrier-to-exit.

Tim's post is about cloud platforms but I think it is useful to talk about avoiding lock-in when taking a bet on cloud based applications as well as when embracing cloud based platforms. This is especially true when you consider that moving from one application to another is a similar yet smaller scoped problem compared to moving from one Web development platform to another.

So let's say your organization wants to move from a cloud based office suite like Google Apps for Business to Zoho. The first question you have to ask yourself is whether it is possible to extract all of your organization's data from one service and import it without data loss into another. For business documents this should be straightforward thanks to standards like ODF and OOXML. However there are points to consider such as whether there is an automated way to perform such bulk imports and exports or whether individuals have to manually export and/or import their online documents to these standard formats. Thus the second question is how expensive it is for your organization to move the data. The cost includes everything from the potential organizational downtime to account for switching services to the actual IT department cost of moving all the data. At this point, you then have to weigh the impact of all the links and references to your organization's data that will be broken by your switch. I don't just mean links to documents returning 404 because you have switched from being hosted at google.com to zoho.com but more insidious problems like the broken experience of anyone who is using the calendar or document sharing feature of the service to give specific people access to their data. Also you have to ensure that email that is sent to your organization after the switch goes to the right place. Making this aspect of the transition smooth will likely be the most difficult part of the migration since it requires more control over application resources than application service providers typically give their customers. Finally, you will have to evaluate which features you will lose by switching applications and ensure that none of them is mission critical to your business.

Despite all of these concerns, switching hosted application providers is mostly a tractable problem. Standard data formats make data migration feasible although it might be unwieldy to extract the data from the service. In addition, Internet technologies like SMTP and HTTP all have built in ways to handle forwarding/redirecting references so that they aren't broken. However although the technology makes it possible, the majority of hosted application providers fall far short of making it easy to fully migrate to or away from their service without significant effort.

When it comes to cloud computing platforms, you have all of the same problems described above and a few extra ones. The key wrinkle with cloud computing platforms is that there is no standardization of the APIs and platform technologies that underlie these services. The APIs provided by Amazon's cloud computing platform (EC2/S3/EBS/etc) are radically different from those provided by Google App Engine (Datastore API/Python runtime/Images API/etc). For zero lock-in to occur in this space, there need to be multiple providers of the same underlying APIs. Otherwise, migrating between cloud computing platforms will be more like switching your application from Ruby on Rails and MySQL to Django and PostgreSQL (i.e. a complete rewrite).

In response to Tim Bray's post, Dewitt Clinton of Google left a comment which is excerpted below

That's why I asked -- you can already do that in both the case of Amazon's services and App Engine. Sure, in the case of EC2 and S3 you'll need to find a new place to host the image and a new backend for the data, but Amazon isn't trying to stop you from doing that. (Actually not sure about the AMI format licensing, but I assumed it was supposed to be open.)

In App Engine's case people can run the open source userland stack (which exposes the API you code to) on other providers any time the want, and there are plenty of open source bigtable implementations to chose from. Granted, bulk export of data is still a bit of a manual process, but it is doable even today and we're working to make it even easier.

Ae you saying that lock-in is avoided only once the alternative hosts exist?

But how does Amazon or Google facilitate that, beyond getting licensing correct and open sourcing as much code as they can? Obviously we can't be the ones setting up the alternative instances. (Though we can cheer for them, like we did when we saw the App Engine API implemented on top of EC2 and S3.)

To Doug Cutting's very good point, the way Amazon and Google (and everyone else in this space) seem to be trying to compete is by offering the best value, in terms of reliability (uptime, replication) and performance (data locality, latency, etc) and monitoring and management tools. Which is as it should be.

Although Dewitt is correct that Google and Amazon are not explicitly trying to lock-in customers to their platform, the fact is that today if a customer has heavily invested in either platform then there isn't a straightforward way for customers to extricate themselves from the platform and switch to another vendor. In addition there is not a competitive marketplace of vendors providing standard/interoperable platforms as there are with email hosting or Web hosting providers.

As long as these conditions remain the same, it may be that lock-in is too strong a word describe the situation but it is clear that the options facing adopters of cloud computing platforms aren't great when it comes to vendor choice.

Note Now Playing: Britney Spears - Womanizer Note

Categories: Platforms | Web Development

October 15, 2008

@ 01:28 AM

Yahoo! Shares OpenID Usability Study

Allen Tom has an interesting post on the Yahoo! Developer blog entitled Yahoo! Releases OpenID Research where he shares the results of some usability studies the folks at Yahoo! have been doing around OpenID. The concluding paragraphs of his post are particularly interesting and are excerpted below

I'm happy to announce that Yahoo! is releasing the results of a usability study that we did for OpenID. Our test subjects were several experienced Yahoo! users (representative of our mainstream audience) who were observed as they tried to sign into a product review site using the Yahoo OpenID service.
...
On the Yahoo! side of things, we streamlined our OP (OpenID Provider) last week, and removed as much as we could. We removed the CAPTCHA and slimmed down the OP to just a single screen, and focused the UI to get the user back to the RP. We expect that RPs will enjoy a much higher success rate for users signing in with their Yahoo OpenID.

On the RP (Relying Party) side of things, our recommendation is that they emphasize to users that they can sign in with an existing account, specifically their YahooID. We believe that the YahooID, as well has IDs from other providers, have a higher brand awareness than OpenID. We also believe that first time users signing in with an OpenID should be able to go directly to their intended destination after signing in, instead of having to complete additional registration. Hopefully, as SimpleReg/AttributeExchange are more widely supported (Yahoo does not currently support them), relying parties will no longer feel the need to force the user through an additional registration form after signing in with an OpenID.

It's nice to see how much of this dovetails with my post on Things to Keep in Mind when Implementing OpenID on Your Website. In that post, I pointed out that the key risk of using OpenID on your Web site (i.e. being a Relying Party) is that there is a high risk of losing users if the OpenID sign-in flow is more complicated than simply having the user sign-up for your site. The Yahoo! usability study points to the fact that this seems to be the common case in typical OpenID deployments.

Actually there are two problems. The first being that most people don't know what OpenID is so simply stating that people can use OpenIDs to log-in to your site or using the logo may work for geeks but doesn't work for the typical Web user. The risk here is that the work of deploying ID on your site ends up being wasted. The second problem is the risk of losing the user after they decide to use OpenID to sign-in either due to an unintuitive user experience on your site (e.g. having to enter an OpenID URL) or on the site of the OpenID provider (e.g. lots of jargon with no clear call to action).

I did find it interesting that Yahoo! is recommending that services should prefer to using the brand of the target services whose credentials you plan to accept [especially if you white list OpenID providers you support] instead of using the OpenID brand since it isn't recognizable to the typical Web user. I tend to agree with this, OpenID is a means to an end and not an end in itself so it is weird to be putting it front and center in an end user facing user experience. Talking explicitly about OpenID should probably be at the developer to developer level. I feel the same way about RSS and other Web technologies for connecting services together.

The other interesting point is that a lot of services still require users to go through a sign-up flow after logging in with an OpenID thus the only thing they've saved is having the user pick a username (which would probably have been their email address) and password. That saving doesn't seem worth the extra complexity in the user experience of going through an OpenID provider. I agree with Tom that if more OpenID providers supported OpenID Attribute Exchange then the need for a post-login account creation would likely disappear since the Relying Party would get the basic information they need from the OpenID provider.

In conclusion, the typical way OpenID is being implemented on the Web today leads to more costs than benefits. Hopefully, services will take to heart the lessons from Yahoo's usability study and we'll start seeing smarter usage of OpenID that benefits both users and the services that are adopting the technology.

Note Now Playing: Leona Lewis - Better In Time Note

Categories: Web Development

October 5, 2008

@ 04:02 PM

The Portable Contacts API: Killing the Password Anti-Pattern Once and For All

A common practice among social networking sites is to ask users to import their contacts from one of the big email service providers (e.g. Yahoo! Mail, Hotmail or Gmail) as part of the sign up process. This is often seen as a way to bootstrap the user's social network on the site by telling the user who in their email address book is also a user of the site they have just joined. However, there is one problem with this practice which Jeremy Keith described as the password anti-pattern and I quote

The problems start when web apps start replicating bad design patterns as if they were viruses. I want to call attention to the most egregious of these anti-patterns.

Allowing users to import contact lists from other services is a useful feature. But the means have to justify the ends. Empowering the user to import data through an authentication layer like OAuth is the correct way to export data. On the other hand, asking users to input their email address and password from a third-party site like GMail or Yahoo Mail is completely unacceptable. Here’s why:

It teaches people how to be phished.

The reason these social networks request login credentials for new users is because they log-in to the user's email account and then screen scrape the contents of their address books. For a long time, the argument for doing this has been that the big email services have not given them an alternative and are thus holding user data hostage.

This may have been true once but it isn't anymore. Google has the Contacts Data API, Yahoo! has their Address Book API and Microsoft has the Windows Live Contacts API. Each of these is provides a user-centric authorization model where instead of a user giving their email address and password to random sites, they log-in at their email provider's site and then delegate authority to access their address book to the social network site.

The only problem that remains is that each site that provides an address book or social graph API is reinventing the wheel both with regards to the delegated auth model they implement and the actual API for retrieving a user's contacts. This means that social networking sites that want to implement a contact import feature have to support a different API and delegated authorization model for each service they want to talk to even though each API and delegated auth model effectively does the same thing.

Just as OAuth has slowly been increasing in buzz as the standard that will sweep away the various proprietary delegated auth models that we have on the Web today, there has been a similar effort underway by a similar set of dedicated individuals intent on standardizing contacts and social graph APIs on the Web. The primary output from this effort is the Portable Contacts API.

I've read been reading latest draft specification of the Portable Contacts API and below are some of the highlights as well as some thoughts on them

A service's Portable Contacts API endpoint needs to be auto-discoverable using XRDS-Simple (formerly YADIS).
The API supports either direct authorization where a caller provides a username and password as well as delegated authorization where the caller passes a delegation token obtained by the application out-of-band. The former MUST support HTTP Basic Authentication while the latter MUST support OAuth. My initial thinking is that there must be some kind of mistake and the spec meant to say HTTP Digest Authentication not HTTP Basic Authentication (which is described as insecure in the very RFC that defines at it).
The API defines a specific URL structure that sites must expose. Specifically /@me/@all which returns all of a user's contacts, /@me/@all/{id} which returns the contact with the given ID, and /@me/@self which returns contact info for the user must all be supported when appended to the base URI that is the Portable Contacts API end point. In general being prescriptive about how services should structure their URI space is to be discouraged as explained in Joe Gregorio's post No Fishing - or - Why 'robots.txt and 'favicon.ico' are bad ideas and shouldn't be emulated but since the service gets to control the base URI via XRDS-Simple this isn't as bad as the situation we have today with robots.txt and favicon.ico
The API defines a set of query parameters for filtering (filterBy, filterOp & filterValue) and sorting (sortBy & sortOrder) of results. The API wisely acknowledges that it may be infeasible or expensive for services to support these operations and so supporting them is optional. However services MUST indicate which parameters were ignored/not supported when returning responses to requests containing the aforementioned parameters. I definitely like the approach of having services indicate which parameter was ignored in a request because it wasn't supported. However it would be nice to get an explicit mechanism for determining which features are supported by the provider in a without having to resort to seeing which parameters to various API calls were ignored.
The API also defines query parameters for pagination (startIndex & count). These are pretty straightforward and are also optional to support.
There are query parameters to indicate which fields to return (fields parameter whose value is a comma delimited list) and what data format to return (format parameter can be either JSON or XML). The definition of the XML format is full of errors but seems to be a simplistic mapping of JSON to XML. It also isn't terribly clear how type information is conveyed in the XML format. It clearly seems like the having the API support XML is currently a half baked afterthought within the spec.
Each result set begins with a series of numeric values; startIndex, itemsPerPage and totalResults which are taken from OpenSearch followed by a series of entries corresponding to each contact in the users address book.
The API defines the schema as a contact as the union of fields from the vCard data format and those from OpenSocial. This means a contact can have the basic fields like name, gender and birthday as well as more exotic fields like happiestWhen, profileSong and scaredOf. Interesting data models they are building over there in OpenSocial land. :)

Except for the subpar work with regards to defining an XML serialization for the contacts schema this seems like a decent spec.

If anything, I'm concerned by the growing number of interdependent specs that seem poised to have a significant impact on the Web and yet are being defined outside of formal standards bodies in closed processes funded by big companies. For example, about half of the references in the Portable Contacts API specs are to IETF RFCs while the other half are to specs primarily authored by Google and Yahoo! employees outside of any standards body (OpenSocial, OAuth, OpenSearch, XRDS-Simple, etc). I've previously questioned the rise of semi-closed, vendor driven consortiums in the area of Web specifications given that we have perfectly good and open standards bodies like IETF for defining the Open Web but this led to personal attacks on TechCrunch with no real reasons given for why Web standards need to go in this direction. I find that worrying.

Note Now Playing: Madonna - Don't Cry For Me Argentina Note

Categories: Web Development | XML Web Services

October 1, 2008

@ 04:22 PM

Windows Server on Amazon EC2?

Werner Vogels, CTO of Amazon, writes in his blog post Expanding the Cloud: Microsoft Windows Server on Amazon EC2 that

With today's announcement that Microsoft Windows Server is available on Amazon EC2 we can now run the majority of popular software systems in the cloud. Windows Server ranked very high on the list of requests by customers so we are happy that we will be able to provide this.

One particular area that customers have been asking for Amazon EC2 with Windows Server was for Windows Media transcoding and streaming. There is a range of excellent codecs available for Windows Media and there is a large amount of legacy content in those formats. In past weeks I met with a number of folks from the entertainment industry and often their first question was: when can we run on windows?

There are many different reasons why customers have requested Windows Server; for example many customers want to run ASP.NET websites using Internet Information Server and use Microsoft SQL Server as their database. Amazon EC2 running Windows Server enables this scenario for building scalable websites. In addition, several customers would like to maintain a global single Windows-based desktop environment using Microsoft Remote Desktop, and Amazon EC2 is a scalable and dependable platform on which to do so.

This is great news. I'm starting a month long vacation as a precursor to my paternity leave since the baby is due next week and was looking to do some long overdue hacking in-between burping the baby and changing diapers. My choices were

Facebook platform app
Google App Engine app
EC2/S3/EBS app

The problem with Amazon was the need to use Linux which I haven't seriously messed with since my college days running SuSe. If I could use Windows Server and ASP.NET while still learning the nuances of EC2/S3/EBS that would be quite sweet.

I wonder how who I need to holler at to get in the Windows Server on EC2 beta? Maybe Derek can hook me up. Hmmmmm.

Note Now Playing: Lil Wayne - Best Rapper Alive [Explicit] Note

Categories: Platforms | Web Development

September 28, 2008

@ 09:50 PM

jQuery to Ship as Part of Visual Studio

jQuery is an Open Source Javascript framework that is very popular among Web developers. John Resig, lead developer of the project has a blog post with some interesting news with regards to Microsoft and jQuery where he writes

Microsoft is looking to make jQuery part of their official development platform. Their JavaScript offering today includes the ASP.NET Ajax Framework and they’re looking to expand it with the use of jQuery. This means that jQuery will be distributed with Visual Studio (which will include jQuery intellisense, snippets, examples, and documentation).

Additionally Microsoft will be developing additional controls, or widgets, to run on top of jQuery that will be easily deployable within your .NET applications. jQuery helpers will also be included in the server-side portion of .NET development (in addition to the existing helpers) providing complementary functions to existing ASP.NET AJAX capabilities.

John's announcement has been followed up by a blog post from Scott Guthrie, corporate vice president of the .NET developer division at Microsoft, entitled jQuery and Microsoft where he writes

I'm excited today to announce that Microsoft will be shipping jQuery with Visual Studio going forward. We will distribute the jQuery JavaScript library as-is, and will not be forking or changing the source from the main jQuery branch. The files will continue to use and ship under the existing jQuery MIT license.

We will also distribute intellisense-annotated versions that provide great Visual Studio intellisense and help-integration at design-time. For example:

and with a chained command:

The jQuery intellisense annotation support will be available as a free web-download in a few weeks (and will work great with VS 2008 SP1 and the free Visual Web Developer 2008 Express SP1). The new ASP.NET MVC download will also distribute it, and add the jQuery library by default to all new projects.

We will also extend Microsoft product support to jQuery beginning later this year, which will enable developers and enterprises to call and open jQuery support cases 24x7 with Microsoft PSS.

This is great news for Web developers everywhere. Kudos to everyone involved in making this happen.

Note Now Playing: T.I. - Swagga Like Us (Ft. Kanye West, Jay Z & Lil Wayne) Note

Categories: Mindless Link Propagation | Web Development

September 19, 2008

@ 02:29 PM

Things to Keep in Mind when Implementing OpenID on Your Website

I have this dream that one day we will see true interoperability between social networking sites potentially powered by OpenID. As part of trying to make this dream a reality I've been reading a lot about the pros and cons of implementing OpenID since a shared identity system is the cornerstone of any hope of getting interoperability to work across social networking sites. Here are some of the things I've learned.

The Problems OpenID Solves for Web Developers

There are two ways to approach using OpenID on your Web site. The first way is to treat OpenID as a way to delegate user authentication on your site to another service. This means that you rely on someone else to authenticate (i.e. sign-in/log-in) the user and take their word for it that the user is who he/she claims to be. Some sites use this as the sole means of authenticating users (e.g. StackOverflow) while others give users the choice of either creating an account on the site or using an OpenID provider (e.g. SourceForge). The assumption behind this view of OpenID is that asking users to create yet another username/password combo for your site is a barrier to adoption and using OpenID removes this barrier. However this assumption is only correct if the OpenID sign-in process is easier for users than registering a new account on your site.

The second approach is to use OpenID as a way to give users of other Web sites access to features of your site that are traditionally only available to your users. For example, Google's Blogger has an option to enable anyone with an OpenID to comment on your blog. However Blogger does not allow you to login with OpenID instead you must have a valid Google account to create a blog on their service. In this scenario, the assumption is that asking users to create yet another username/password combo just to leave a comment on a blog or use some other feature of the site is too high of a barrier to entry but that same barrier to entry is acceptable for people who want to become full users of the site.

It should be noted that the second approach is actually why OpenID was originally invented but scope creep has made it become a popular choice as a single sign-in solution.

The Ideal OpenID User Experience

As a Web developer, the main problem OpenID is supposed to solve for you is that it reduces the barrier to using your service. This means that if redirecting a user to an OpenID provider to be authenticated and then having them redirect the user back to your site is more complicated than a new user account creation flow you could build on your site then using OpenID will cost you users. The ideal OpenID user experience should be

Your log-in page gives the user a choice of OpenID providers to use to sign in
The user selects their OpenID provider from a list or enters their OpenID provider information
The user is redirected to a log-in page on the provider's site
User enters their credentials
The user is redirected back to your site and is now logged in

Even in this ideal flow, there is a chance you will lose users since you have distracted them from their task of using your site by directing them to another site. The assumption here is that the redirect->sign-in->redirect flow is less cumbersome than asking new users to pick a unique username and password as well as asking them to solve a Human Interactive Proof or CAPTCHA. This sounds like a fair tradeoff although I'm not aware of any published research results that back up this assumption.

However if the OpenID sign-in flow is any more complicated than the above steps then the risk of losing users increases significantly. Here is an example of how OpenID can cost you users taken from a post by Ned Batchelder entitled OpenID is too hard

Earlier this week I visited yet another site that encouraged me to get an OpenID, and I decided I would finally cross OpenID off my list of technologies I should at least understand and probably use.

The simplest way to use OpenID is to pick a provider like Yahoo, go to their OpenID page, and enable your Yahoo account to be an OpenID. This in itself was a little complicated, because when I was done, I got to a page that showed me my "OpenID identifiers", which had one item in it:

https://me.yahoo.com/a/.DuSz_IEq5Vw5NZLAHUFHWEKLSfQnRFuebro-

What!? What is that, what do I do with it? Am I supposed to paste that into OpenID fields on other sites? Are you kidding me? Also, in the text on that page is a stern warning:

This step is completely optional. After you choose an identifier, you cannot edit or delete it.

(Emphasis theirs). So now I have a mystifying string of junk, with a big warning all over it that I can't go back. "This step" claims it's optional, but I seem to have already done it! Now I'm afraid, and I'm a technical person — you expect my wife to do this?

How many users do you think start this process and complete it successfully? Now how many of these users would have been lost if the site in question had replaced their OpenID usage with a lightweight account creation process similar to that used by reddit.com which only requires username/password and solving a CAPTCHA?

This is food for thought when comparing the costs and benefits of adopting OpenID.

The Risks of Using OpenID

There are lots of commonly voiced criticisms about OpenID, a number of which are captured in the blog post entitled The problem(s) with OpenID by Stefan brands. A few of the complaints are only interesting if you are a hardcore identity geek while others are of general interest to any Web developer considering adopting OpenID. Some of the key criticisms include

Susceptibility to Phishing: The argument here is that the growing popularity of OpenID will train users into thinking that it is OK to enter their credentials on a "trusted site" after following a link from another Web site. However given that this is how phishing works it is also training users to be more susceptible to phishing since any random site can now claim to be powered by OpenID when in truth it redirects people to http://www.example.com/phishingattempt/yahoo.com/login or some similarly malicious URL.

Given that we live in a world where worse practice of Please Give Us Your Email Password is now commonplace and the best solution people have come up with for dealing with it (OAuth) also utilizes browser-based redirection, I'm not sure this is a fair criticism against OpenID.
Identity Providers May Be Lax about Validating Users: When you outsource user authentication to an identity provider via OpenID you are trusting that they are performing some minimum level of user validation to keep spammers and bots out of their service. However there is no requirement that they do that at all nor is there any minimum standard that they have to meet. A year ago, Tim Bray posted an interesting thought experiment where he pointed out that one could create an identity provider that "successfully authenticated" any user URL you provided it with. You can imagine what kind of fun spammers would have with such an identity provider on a site like StackOverflow.
Identity Providers May Recycle Identities: A number of large email service providers like Yahoo! and AOL have decided to become OpenID identity providers. Email service providers typically recycle abandoned email accounts after a set period of time. For example, if I don't sign-in to my dare@example.com email address after three months then all my data is wiped and that account joins the pool of available email accounts. What happens to my accounts on other sites where I use that email address as my OpenID? Does this mean that the next person to use that email address can log-in to StackOverflow as me? Maybe…it depends on quality of the identity provider.
Privacy Concerns: Delegating user authentication to another service means you are letting this other service know every time a user logs in to your site and often times what the user was trying to do since you pass along a return URL. Depending on the sensitivity of your site, this may be information that you would rather not leak about your users. Then again, most Web developers don't care about this given how much information about their users they let Web analytics firms and advertising providers track.

White Lists are Key

The bottom line is that accepting an Tom, Dick and Harry as an identity provider on your site is probably a bad idea. User authentication is an important aspect of an online service and delegating it to others without vetting them is not a wise given how widely the user experiences and the policies of various identity providers can vary. Developers should evaluate OpenID providers, then select a subset those whose policies and sign-in experience is compatible with their goals to avoid the risk of losing or alienating users.

Now Playing: The Game Ft. Ice Cube - State Of Emergency

Categories: Web Development

September 19, 2008

@ 01:45 AM

The Problem with Every Implementation of a "Forgot Your Password?" Feature I've Seen Online

I recently read that Sarah Palin's Yahoo! email accounts had been hacked. What is interesting about the hack is that instead of guessing her password or finding a security flaw in Yahoo's email service, the hacker used the forgot your ID or password feature and a search engine. The Threat Level blog on Wired has posted an email from the hacker in a post entitled Palin E-Mail Hacker Says It Was Easy which is excerpted below

rubico 09/17/08(Wed)12:57:22 No.85782652

Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story.

In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.

after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

The fundamental flaw of pretty much every password recovery feature I've found online is that what they consider "secret" information actually isn't thanks to social networking, blogs and even Wikipedia. Yahoo! Mail password recovery relies on asking you your date of birth, zip code and country of residence as a proof of identity. Considering that this is the kind of information that is on the average Facebook profile or MySpace page, it seems ludicrous that this is all that stops someone from stealing your identity online.

Even the sites that try to be secure by asking more personal questions such as "the name of your childhood pet" or "where you met your spouse" fail because people often write about their childhood pets and tell stories about how they met on weddings sites all over the Web.

Web developers need start considering whether it isn't time to put password recovery features based on asking personal questions to pasture. I wonder how many more high profile account hijackings it will take before this becomes as abhorred a practice as emailing users their forgotten passwords (you know why this is wrong right?)

Now Playing: DJ Khaled - She's Fine (Feat. Sean Paul, Missy Elliot & Busta Rhymes)

Categories: Web Development

September 8, 2008

@ 04:37 AM

Comments [17]

The New Browser Wars: The Best Features of the new Generation of Browsers

With the releases of betas of Google Chrome and Internet Explorer 8 as well as the recent release of Firefox 3, the pundits are all in a tizzy about the the new browser wars. I don't know if it is a war or not but I do like the fact that in the past few months we've seen clear proof that the end user experience when browsing the Web is going to get an upgrade for the majority of Web users.

Whenever there is such active competition between vendors, customers are typically the ones that benefit and the "new browser wars" are no different. Below are some of the features and trends in the new generation of browsers that has me excited about the future of the Web browsing user experience

One Process Per Tab

As seen in: IE 8 beta, Chrome

With this feature browsers are more resilient to crashes since each tab has its own process so a bug which would cause the entire browser to crash in an old school browser only causes the user to lose the tab in next generation browser. This feature is called Loosely Coupled IE (LCIE) in Internet Explorer 8 and described in the documentation of the Chrome Process Manager in the Google Chrome Comic Book.

This feature will be especially welcome for users of add-ons and browser toolbars since the IE team has found that up to 70% of browser crashes are caused by extensions and now these crashes will no longer take down the entire browser.

Smarter Address Bars

As seen in: IE 8 beta, Chrome, Firefox 3

Autocomplete in browser address bars has been improved. Instead of trying to match a user entered string as the start of a URL (e.g. "cn" autocompletes to http://cnn.com) newer browsers match any occurrence of the string in previously seen URLs and page titles (e.g. "cn" matches http://cnn.com, http://google.cn and a blog post on Wordpress with the title "I've stopped watching CNN"). Like Mark Pilgrim, I was originally suspicious of this feature but now cannot live without it.

This feature is called AwesomeBar in Firefox 3, OmniBox in Google Chrome and Smart Address Bar in IE 8.

Restoring Previous Browsing Sessions

As seen in: Firefox 3, Chrome, IE 8 beta

I love being able to close my browser and restart my operating system safe in the knowledge that whenever I launch the browser it is restored to exactly where I left off. Both Firefox and Chrome provide an option to make this behavior the default but the closest I've seen to getting a similar experience in the betas of IE 8 requires a click from the "about:Tabs" page. However given "about:Tabs" is my start page it gives maximum flexibility since I don't have to be slowed down by the opening up the four or five previously open browser tabs every time I launch my browser.

Search Suggestions

As seen in: IE 8 beta, Chrome, Firefox 3

In the old days, the only way to get search suggestions when typing a search query in your browser's search box was if you had a vendor specific search toolbar installed (e.g. Google Suggest for Firefox). It is becoming more commonplace for this to be native functionality of the Web browser. Google Chrome supports this if the default search provider is Google. IE 8 beta goes one better by making this feature a platform that any search engine can plug into and currently provides search suggestions for the following search providers; Wikipedia, Amazon, Google, Live Search and Yahoo! as at this writing.

Updated: Firefox has also supported search suggestions using a provider model since Firefox 2 via OpenSearch and ships with suggestions enabled for Google and Yahoo! by default.

Offline Support

As seen in: Chrome, IE 8 beta, Firefox 3

The WHAT WG created specifications which describes secure mechanisms for Web applications to store large amounts of user data on a local system using APIs provided by modern Web browsers. Applications can store megabytes of data on the user's local machine and have it accessible via the DOM. This feature was originally described in the Web Applications 1.0 specification and is typically called DOM Storage. You can read more about it in the Mozilla documentation for DOM Storage and the IE 8 beta documentation for DOM Storage. The related APIs are currently being defined as part of HTML 5.

Chrome supports this functionality by bundling Google Gears which is a Google defined set of APIs for providing offline storage.

The most interesting thing about this list is that if you follow the pronouncements from various pundits on sites like Techmeme, you'd think all of these features were originated by Google and appeared for the first time in Chrome.

Update: An amusing take on the pundit hype about Google Chrome from Ted Dziuba in The Register article Chrome-fed Googasm bares tech pundit futility

Now Playing: Metallica - Cyanide

Categories: Technology | Web Development

August 28, 2008

@ 07:16 PM

Fixing the HTTP Polling Problem: Some Thoughts on FriendFeed's Simple Update Protocol (SUP)

Paul Buchheit of FriendFeed has written up a proposal for a new protocol that Web sites can implement to reduce the load on their services from social network aggregators like FriendFeed and SocialThing. He unveils his proposal in his post Simple Update Protocol: Fetch updates from feeds faster which is excerpted below

When you add a web site like Flickr or Google Reader to FriendFeed, FriendFeed's servers constantly download your feed from the service to get your updates as quickly as possible. FriendFeed's user base has grown quite a bit since launch, and our servers now download millions of feeds from over 43 services every hour.

One of the limitations of this approach is that it is difficult to get updates from services quickly without FriendFeed's crawler overloading other sites' servers with update checks. Gary Burd and I have thought quite a bit about ways we could augment existing feed formats like Atom and RSS to make fetching updates faster and more efficient. Our proposal, which we have named Simple Update Protocol, or SUP, is below.
...
Sites wishing to produce a SUP feed must do two things:

Add a special <link> tag to their SUP enabled Atom or RSS feeds. This <link> tag includes the feed's SUP-ID and the URL of the appropriate SUP feed.

Generate a SUP feed which lists the SUP-IDs of all recently updated feeds.

Feed consumers can add SUP support by:

Storing the SUP-IDs of the Atom/RSS feeds they consume.

Watching for those SUP-IDs in their associated SUP feeds.

By using SUP-IDs instead of feed urls, we avoid having to expose the feed url, avoid URL canonicalization issues, and produce a more compact update feed (because SUP-IDs can be a database id or some other short token assigned by the service). Because it is still possible to miss updates due to server errors or other malfunctions, SUP does not completely eliminate the need for polling.

Although there's a healthy conversation about SUP going on in FriendFeed in response to one of my tweets, I thought it would be worth sharing some thoughts on this with a broader audience.

The problem statement that FriendFeed's SUP addresses is the following issue raised in my previous post When REST Doesn't Scale, XMPP to the Rescue?

On July 21st, FriendFeed had 45,000 users who had associated their Flickr profiles with their FriendFeed account. FriendFeed polls Flickr about once every 20 – 30 minutes to see if the user has uploaded new pictures. However only about 6,000 of those users logged into Flickr that day, let alone uploaded pictures. Thus there were literally millions of HTTP requests made by FriendFeed that were totally unnecessary.

FriendFeed's proposal is similar to the Six Apart Update Stream and the Twitter XMPP Firehose in that it is a data stream containing information about all of the updates users are making on a particular service. It differs in a key way in that it doesn't actually contain the data from the user updates but instead identifiers which can be used to determine the users that changed so their feeds can be polled.

This approach aims at protecting feeds that use security through obscurity such as the Google Reader's Shared Items feed and Netflix's Personalized Feeds. The user shares their "secret" feed URL with FriendFeed who then obtains the SUP ID of the user's feed when the feed is first polled. Then whenever that SUP ID is seen in the SUP feed by FriendFeed, they know to go re-poll the user's "secret" feed URL.

For services that are getting a ton of traffic from social network aggregators or Web-based feed readers it does make sense to provide some sort of update stream or fire hose to reduce the amount of polling that gets done. In addition, it also makes sense that if more and more services are going to provide such update streams then it should be standardized so that social network aggregators and similar services do not end up having to target multiple update protocols.

I believe that at the end we will see a continuum of options in this space. The vast majority of services will be OK with the load generated by social networking aggregators and Web-based feed readers when polling their feeds. These services won't see the point of building additional features to handle this load. Some services will run the numbers like Twitter & Six Apart have done and will provide update streams in an attempt to reduce the impact of polling. For these services, SUP seems like a somewhat elegant solution and it would be good to standardize on something, anything at all is better than each site having its own custom solution. For a smaller set of services, this still won't be enough since they don't provide feeds (e.g. Blockbuster's use of Facebook Beacon) and you'll need an explicit server to server publish-subscribe mechanism. XMPP or perhaps something an HTTP based publish-subscribe mechanism like what Joshua Schachter proposed a few weeks ago will be the best fit for those scenarios.

Now Playing: Jodeci - I'm Still Waiting

Categories: Web Development

August 24, 2008

@ 11:33 AM

RESTful JSON: Bringing REST and RPC Closer Together

My recent post, Explaining REST To Damien Katz, led to some insightful comments from Dave Winer and Tim Bray about what proponents of building RESTful Web services can learn from remote procedure call (RPC) technologies like SOAP and XML-RPC.

In his post, Dare left something out (and it's important) Dave Winer wrote

Really ought to include it in your thinking, Dare and everyone else. You're missing out on something that works really well. You should at least learn the lessons and add to REST what it needs to catch up with XML-RPC. Seriously.

What's missing in REST, btw, is a standard method of serializing structs, lists and scalar types. The languages we use have a lot more in common than you might think. We're all writing code, again and again, every time we support a new interface that could be written once and then baked into the kernels of our languages, and then our operating systems. Apple actually did this with Mac OS, XML-RPC support is baked in. So did Python. So if you think it's just me saying this, you should take another look.

Dave has a valid point, a lot of the time communication between distributed systems is simply passing around serialized objects and/or collections of objects. In such cases, having a lightweight standard representation for serialized objects which is supported on multiple platforms would be beneficial. Where Dave goes astray is in his assertion that no such technology exists for developers building RESTful Web services. Actually one does, and it is widely deployed on the Web today. JavaScript Object Notation (JSON) which is described in RFC 4627 is a widely deployed and well-defined media type (application/json) for representing serialized structs, lists and scalar values on the Web.

There are libraries for processing JSON on practically every popular platform from "corporate" platforms like Java and the .NET Framework to Web scripting languages like Python and Ruby. In addition, JSON is attractive because it is natively available in modern Web browsers that support JavaScript which means you can use it to build services that can be consumed by Web browsers, other Web services or desktop applications with a single end point.

Tim Bray cautioned REST proponents against blindly rejecting the features typically associated with RPC systems and SOAP/WS-* in his post REST Questions where he wrote

Has REST Been Fortunate in its Enemies? · I have been among the most vocal of those sneering at WS-*, and I’m comfortable with what I’ve said. But that doesn’t prove that the core WS-* ideas are wrong. Here are some of the handicaps WS-* struggled under:

Lousy foundational technologies (XSD and WSDL).

A Microsoft/IBM-driven process that was cripplingly product-linked and political.

Designers undereducated in the realities of the Web as it is.

Unnecessary detours into Architecture Astronautics.

As a result, we should be really careful about drawing lessons from the failure of WS-*. Specifically:

Just because the XSD type system is malformed, you can’t conclude that the notion of schema-driven mapping between program data types and representation payloads is harmful.

Just because WSDL is a crock, you can’t conclude that exposing a machine-readable contract for a service is a necessarily bad idea.

Just because UDDI never took off, you can’t conclude that service registries are dumb.

Just because SOAP has a damaging MustUnderstand facility and grew a lot of ancillary specification hair, you can’t conclude that some sort of re-usable payload wrapper is necessarily a dead-end path.

Just because the WS-* security specifications are overengineered and based on a shaky canonicalization spec, you can’t conclude that message-level security and signing aren’t sometimes real important.

And so on. I personally tend to think that schema-driven mapping is hopeless, contracts are interesting, registries are a fantasy, and payload wrappers are very promising. But I don’t think that the history of WS-* is a very good argument for any of those positions.

In a lot of situations where applications consume XML, the first thing the application does is convert the XML into an object graph representative of the business logic of the application. The SOAP/WS-* way of doing this was to define an XSD schema for the XML payload and then use some object<->XML mapping layer to convert the XML to objects. The problem with this approach was that there is a fundamental impedance mismatch between XSD types and OO types which led to horrible interoperability problems since no two platforms could agree on how to map the various esoteric type system features of XSD into the structs, lists and scalar types that are the building block of all OO type systems. However these problems go away if you use a data format that was explicitly designed for describing serialized data objects like JSON.

Providing a machine readable description of a service's end points is useful, especially on the Web where multiple services may expose the same interface. For example, when you visit my weblog at http://www.25hoursaday.com/weblog/ using Firefox 2 or higher and Internet Explorer 7 or higher the browser immediately lights up with a feed icon which allows you to subscribe to my Atom feed from your Web browser. This happens because I've provided a machine readable description of my feed end points on my blog. The Atom Publishing Protocol, which is one of the most well-designed RESTful protocols out there, has a notion of service documents which enable client applications to discover the capabilities and locations of the various end points of the service.

If you put together the notion of service documents with using JSON as the payload format for a service endpoint, you're close to getting the touted programmer friendliness of RPC technologies like XML-RPC & SOAP/WSDL while still building a RESTful service which works with the Web instead of against it.

The only problem is how to deal with statically typed languages like C# and Java. These languages need the types of the objects that application will consume from a Web service defined up front. So if we could just figure out how to come up with service documents for JSON services that included the notion of a class definition, we could pretty much have our cake and eat it to with regards to getting the ease of use of an RPC system while building a RESTful service.

If this sounds interesting to you, then you should go over and read Joe Gregorio's original post on RESTful JSON and then join the restful-json mailing list. Joe's proposal is on the right path although I think he is letting his background as an editor of the Atom Publishing Protocol specification skew his thinking with regards to what developers would find most useful from a Json Publishing Protocol (JsonPub).

Now Playing: G-Unit - Beg For Mercy

Categories: Web Development | XML Web Services

August 21, 2008

@ 02:02 PM

Some Thoughts on Amazon's Elastic Block Store

According to Werner Vogels's blog post entitled Amazon EBS - Elastic Block Store has launched, it seems that my friends at Amazon have plugged a gaping hole in their cloud computing platform story. Werner writes

Back in the days when we made the architectural decision to virtualize the internal Amazon infrastructure one of the first steps we took was a deep analysis of the way that storage was used by the internal Amazon services. We had to make sure that the infrastructure storage solutions we were going to develop would be highly effective for developers by addressing the most common patterns first. That analysis led us to three top patterns:

Key-Value storage. The majority of the Amazon storage patterns were based on primary key access leading to single value or object. This pattern led to the development of Amazon S3.
Simple Structured Data storage. A second large category of storage patterns were satisfied by access to simple query interface into structured datasets. Fast indexing allows high-speed lookups over large dataset. This pattern led to the development of Amazon SimpleDB. A common pattern we see is that secondary keys to objects stored in Amazon S3 are stored in SimpleDB, where lookups result in sets of S3 (primary) keys.
Block storage. The remaining bucket holds a variety of storage patterns ranging special file systems such as ZFS to applications managing their own block storage (e.g. cache servers) to relational databases. This category is served by Amazon EBS which provides the fundamental building block for implementing a variety of storage patterns.

What I like about Werner's post is that it shows that Amazon had a clear vision and strategy around providing hosted cloud services and has been steadily executing on it.

S3 handled what I've typically heard described as "blob storage". A typical Web application typically has media files and other resources (images, CSS stylesheets, scripts, video files, etc) that is simply accessed by name/path. However a lot of these resources also have metadata (e.g. a video file on YouTube has metadata about it's rating, who uploaded it, number of views, etc) which need to be stored as well. This need for queryable, schematized storage is where SimpleDB comes in. EC2 provides a virtual server that can be used for computation complete with a local file system instance which isn't persistent if the virtual server goes down for any reason. With SimpleDB and S3 you have the building blocks to build a large class of "Web 2.0" style applications when you throw in the computational capabilities provided by EC2.

However neither S3 nor SimpleDB provides a solution for a developer who simply wants the typical LAMP or WISC developer experience of building a database driven Web application or for applications that may have custom storage needs that don't fit neatly into the buckets of blob storage or schematized storage. Without access to a persistent filesystem, developers on Amazon's cloud computing platform have had to come up with sophisticated solutions involving backing data up manually from EC2 to S3 to get the desired experience.

EBS is the final piece in the puzzle that had prevented Amazon's cloud computing platform from being comparable to traditional hosting solutions. With EBS Amazon is now superior to most traditional hosting solutions from a developer usability perspective as well as cost. Google App Engine now looks like a plaything in comparison. In fact, you could build GAE on top of Amazon's cloud computing platform now that the EBS has solved persistent custom storage problem. It will be interesting to see if higher level cloud computing platforms such as App Engine start getting built on top of Amazon's cloud computing platform. Simply porting GAE wholesale would be an interesting academic exercise and a fun hacking project.

Now Playing: T.I. - Whatever You Like

Categories: Competitors/Web Companies | Web Development

August 21, 2008

@ 02:02 PM

How Facebook Keeps Memcached Consistent Across Geo-Distributed Data Centers

Last year I wrote a blog post entitled When Databases Lie: Consistency vs. Availability in Distributed Systems where I talked about the kinds of problems Web applications face when trying to keep data consistent across multiple databases spread out across the world.

Jason Sobel, a developer at Facebook has some details on how they've customized MySQL to solve a variation of the problem I posed in a blog post entitled Scaling Out where he writes

A bit of background on our caching model: when a user modifies a data object our infrastructure will write the new value in to a database and delete the old value from memcache (if it was present). The next time a user requests that data object we pull the result from the database and write it to memcache. Subsequent requests will pull the data from memcache until it expires out of the cache or is deleted by another update.

...

Consider the following example:

I update my first name from "Jason" to "Monkey"
We write "Monkey" in to the master database in California and delete my first name from memcache in California and Virginia
Someone goes to my profile in Virginia
We don't find my first name in memcache so we read from the Virginia slave database and get "Jason" because of replication lag
We update Virginia memcache with my first name as "Jason"
Replication catches up and we update the slave database with my first name as "Monkey"
Someone else goes to my profile in Virginia
We find my first name in memcache and return "Jason"

Until I update my first name again or it falls out of cache and we go back to the database, we will show my first name as "Jason" in Virginia and "Monkey" in California. Confusing? You bet. Welcome to the world of distributed systems, where consistency is a really hard problem.
Fortunately, the solution is a lot easier to explain than the problem. We made a small change to MySQL that allows us to tack on extra information in the replication stream that is updating the slave database. We used this feature to append all the data objects that are changing for a given query and then the slave database "sees" these objects and is responsible for deleting the value from cache after it performs the update to the database.

...

The new workflow becomes (changed items in bold):

I update my first name from "Jason" to "Monkey"
We write "Monkey" in to the master database in California and delete my first name from memcache in California but not Virginia
Someone goes to my profile in Virginia
We find my first name in memcache and return "Jason"
Replication catches up and we update the slave database with my first name as "Monkey." We also delete my first name from Virginia memcache because that cache object showed up in the replication stream
Someone else goes to my profile in Virginia
We don't find my first name in memcache so we read from the slave and get "Monkey"

Facebook's solution is clever and at first I couldn't shake the feeling that it is an example of extremely tight coupling for database replication to also be responsible for evicting expired items from your in-memory cache. After some thought, I realized that this is no different from the SqlCacheDependency class in ASP.NET which allows you to create a dependency between objects in your ASP.NET cache and those in your SQL database. When the underlying tables change, the Cache is updated to reflect this change in database state.

In fact, the combination of replication and the SqlCacheDependency class should mean that you get this sort of behavior for free if you are using ASP.NET caching and SQL Server. Unfortunately, it looks like Microsoft's upcoming in-memory distributed object caching product, Velocity, won't support SqlCacheDependency in its initial release according to a comment by one its developers.

Of course, there is a significant performance difference between actively monitoring the database for changes like SqlCacheDependency does and updating the cache when updates made to the database are received as part of the replication stream. I wonder if this pattern will turn out to be generally useful to Web developers (at least those of us who work on geo-distributed services) or whether this will just go down as a clever hack from those kids at Facebook that was cool to share.

Now Playing: Rihanna - Disturbia

Categories: Web Development

August 17, 2008

@ 12:33 PM

Explaining REST to Damien Katz

Damien Katz recently caused a stir on a bunch of the blogs I read with his post entitled REST, I just don't get it where he wrote

As the guy who created CouchDB, I should be a big cheerleader for RESTful architectures. But the truth is, I just don't get it.

For CouchDB, REST makes absolutely insanely perfect sense. Read a document, edit, put the document back. Beautiful. But for most applications, enterprise or not, I don't see what the big win is.

I know what is wrong with SOAP, and it has everything to do with unnecessary complexity and solving the same problems twice. But what is the big advantage of making all your calls into GET PUT and DELETE? If POST can handle everything you need, then what's the problem?

I guess what I mean to say is just because SOAP is a disaster, doesn't somehow make REST the answer. Simpler is better, and REST is generally simpler than SOAP. But there is nothing wrong with a plain old POST as an RPC call. If its easy to make all your calls conform to the RESTful verb architecture, then that's good, I guess.

His post made the rounds on the expected social news sites like programming.reddit and Hacker News, where I was amused to note that my blog is now being used as an example of silly REST dogma by REST skeptics in such discussions. From reading the Damien's post and the various comments in response, it seems clear that there are several misconceptions as to what constitutes REST and what its benefits are from a practical perspective.

Background: The Origins of REST vs. SOAP

The Representational State Transfer (REST) architectural style was first described in Chapter 5 of Roy Fielding's Ph.D dissertation published in 2000. It describes the architecture of the Web from the perspective of one of the authors of the HTTP 1.1 specification which was published the year before in 1999. Around the same time Don Box, Dave Winer and a bunch of folks at Microsoft came up with the Simple Object Access Protocol (SOAP) which they intended to be the standard protocol for building distributed applications on the Web.

Over the following years SOAP was embraced by pretty much every major enterprise software vendor and was being pushed hard by the W3C as the way to build distributed applications on the Web. However a lot of these vendors weren't really interested in building software for the Web but instead were more interested in porting all of their technologies and scenarios from enterprise integration technologies like CORBA to using buzzword compliant XML. This led to a bunch of additional specifications like XSD (type system), WSDL (IDL) and UDDI (naming/trading service). Developers initially embraced these technologies enthusiastically which led to the enterprise software vendors pumping out dozens of WS-* specifications. During this period not many thought or talked much about REST since no one talks about boring Ph.D dissertations.

In 2002, a canary in the coal mine emerged in the form of Mark Baker. On mailing lists frequented by Web services types such as xml-dev and xml-dist-app, Mark began to persistently point out that SOAP was built on a bad foundation because it fundamentally ignored the architecture of the Web as defined by Roy Fielding's thesis. At first a lot of people labeled mark as a kook or malcontent for questioning the trend of the moment.

By 2005, the industry had enough experience with SOAP to start seeing real problems using at as a way to build distributed applications on the Web. By that year many developers had started hearing stories like Nelson Minar's presentation on the problems Google had seen with SOAP based Web services and sought a simpler alternative. This is when the seeds of Mark Baker's evangelism of Roy's dissertation eventually bore fruit with the Web developer community.

However a Ph.D dissertation is hard to digest. So the message of REST started getting repackaged into simpler, bite-sized chunks but the meat of the message started getting lost along the way. Which led to several misconceptions about what REST actually is being propagated across the Web developer community.

Misconceptions About the REST Architectural Style

With that out of the way I can address the straw man argument presented in Damien's post. Damien states that building a RESTful Web Service is about using the HTTP PUT and DELETE methods instead of using HTTP POST when designing a Web API. In fact, he goes further to describe it as "the RESTful verb architecture" implying that choice of HTTP verbs that your service supports is the essence of REST.

This is incorrect.

Q: What is the Essence of REST? A: The Uniform Interface

REST explains how the Web works by defining the set of constraints on the various components in the current Web architecture. These constraints include

interaction is based on the client-server architectural style. User agents like Web browsers, RSS readers, Twitter clients, etc are examples of Web clients which talk to various Web servers without having a tight coupling to the internal implementation of the server.
communication between the client and server is stateless. The benefits of HTTP being a primarily stateless protocol is that statelessness increases scalability and reliability of services at the cost of introducing some complexity on the part of the client.
the Web architecture supports caching by requiring that requests that are cacheable or non-cacheable are labeled as such (i.e. via HTTP method and various caching related headers).
there is a uniform interface between components which allows them to communicate in a standard way but may not be optimized for specific application scenarios. There are four interface constraints: identification of resources; manipulation of resources through representations; self-descriptive messages; and, hypermedia as the engine of application state.
there can be multiple layers between client and server which act as intermediaries (e.g. proxies, gateways, load balancers, etc) without this being obvious to the requesting client or accepting server.

When you read the above list, the first thing you will note is that it describes the architecture of the World Wide Web. It doesn't describe the architecture of "a typical enterprise" or the internals of a cloud computing application.

Building a RESTful Web Service simply means paying attention to these characteristics of the Web. As you read them, some practical guidelines start becoming obvious. For example, if you want to take advantage of all the caching infrastructure that is built into the Web infrastructure, then you should use HTTP GET for services that retrieve data. This is just one of the many things Web Services built on SOAP got wrong.

The uniform interface constraints describe how a service built for the Web can be a good participant in the Web architecture. These constraints are described briefly as follows

Identification of resources: A resource is any information item that can be named and represented (e.g. a document, a stock price at a given point in time, the current weather in Las Vegas, etc). Resources in your service should be identified using URIs.
Manipulation of resources via representations: A representation is the physical representation of a resource and should correspond to a valid media type. Using standard media types as the data formats behind your service increases the reach of your service by making it accessible to a wide range of potential clients. Interaction with the resource should be based on retrieval and manipulation of the representation of the resource identified by its URI.
Self-descriptive messages: Following the principles of statelessness in your service's interactions, using standard media types and correctly indicating the cacheability of messages via HTTP method usage and control headers ensures that messages are self descriptive. Self descriptive messages make it possible for messages to be processed by intermediaries between the client and server without impacting either.
Hypermedia as the engine of application state: Application state should be expressed using URIs and hyperlinks to transition between states. This is probably the most controversial and least understood of the architectural constraints set forth in Roy Fielding's dissertation. In fact, Fielding's dissertation contains an explicit arguments against using HTTP cookies for representing application state to hammer this point home yet it is often ignored.

Benefits of Conforming to REST and the Uniform Interface to Web Developers

At this point, the benefits of building RESTful services for the Web should be self evident. The Web has a particular architecture and it makes sense that if you are deploying a service or API on the Web then it should take advantage of this architecture instead of fighting against it. There are millions of deployed clients, servers and intermediaries that support REST and it makes sense to be compatible with their expectations.

This doesn't mean you have to use DELETE and PUT when POST might suffice. It does mean understanding the difference between using POST versus using PUT to other participants in the Web architecture. Specifically, that PUT is idempotent while POST is not so a client of your service can assume that performing the same PUT two or three times in a row has the same effect as doing it once but cannot assume that for POST. Of course, it is up to you as a Web service developer to decide if you want your service to provide a more explicit contract with clients or not. What is important to note is that there is a practical reason for making the distinction between which HTTP verbs you should support.

There are other practical things to be mindful of as well to ensure that your service is being a good participant in the Web ecosystem. These include using GET instead of POST when retrieving a resource and properly utilizing the caching related headers as needed (If-Modified-Since/Last-Modified, If-None-Match/ETag, Cache-Control), learning to utilize HTTP status codes correctly (i.e. errors shouldn't return HTTP 200 OK), keeping your design stateless to enable it to scale more cheaply and so on. The increased costs, scalability concerns and complexity that developers face when they ignore these principles is captured in blog posts and articles all over the Web such as Session State is Evil and Cache SOAP services on the client side. You don't have to look hard to find them. What most developers don't realize is that the problems they are facing are because they aren't keeping RESTful principles in mind.

Don't fight the Web, embrace it.

FURTHER READING

Roots of the REST/SOAP Debate – Paul Prescod provides a history of the REST/SOAP debate from his perspective in the trenches in various mailing lists in early part of this decade.
Guidelines for Building RESTful Web Services – Dare Obasanjo offers advice on how to learn about building and designing RESTful Web Services

Now Playing: Public Enemy - Don't Believe the Hype

Categories: Web Development | XML Web Services

August 11, 2008

@ 08:24 AM

Managing Large Web Server Farms: Puppet

Puppet provides a mechanism for managing a heterogeneous cluster of Unix-like machines using a central configuration system and a declarative scripting language for describing machine configuration. The declarative scripting language abstracts away the many differences in various Unix-like operating systems.

Puppet is used for server management by a number of startups including PowerSet, Joost and Slide.

Typical Puppet Architecture

In a system managed using Puppet, Pupper Master is the central system-wide authority for configuration and coordination. Manifests are propagated to the Puppet Master from a source external to the system. Each server in the system periodically polls the Puppet Master to determine if their configuration is up to date. If this is not the case, then the new configuration is retrieved and the changes described by the new manifest are applied. The Puppet instance running on each client can be considered to be made up of the following layers

Each manifest is described in the Puppet Configuration Language which is a high level language for describing resources on a server and what actions to take on them. Retrieving the newest manifests and applying the changes they describe (if any) is provided by the Transactional Layer of Puppet. The Puppet Configuration Language is actually an abstraction that hides the differences in various Unix-like operating systems. This abstraction layer maps the various higher level resources in a manifest to the actual commands and file locations on the target operating systems of the server.

What Does Puppet Do?

The Puppet Master is the set of one or more servers that run the puppetmasterd daemon. This daemon listens for polling requests from the servers being managed by Puppet and returns the current configuration for the server to the machine. Each server to be managed by Puppet, must have the Puppet client installed and must run the puppetd daemon which polls the Puppet Master for configuration information.

Each manifest can be thought of as a declarative script which contains one or more commands (called resources in Puppet parlance) and their parameters, dependencies along with the prerequisites to running each command. Collections of resources can be grouped together as classes (complete with inheritance) which can be further grouped together as modules. See below for examples

Language Construct	Example	Description
Resource	service { "apache": require => Package["httpd"] }	The apache resource requires that the httpd package is installed
Class	class apache { service { "apache": require => Package["httpd"] } file { "/nfs/configs/apache/server1.conf": group => "www-data } }	Groups together the rule that the apache service requires the httpd package to be installed and that the server1.conf apache configuration file should be owned by the www-data group.
Derived Class	class apache-ssl inherits apache { Service[apache] { require +> File["apache.pem"] } }	The apache-ssl class defines all of the above and that additionally, the apache service also requires the existence of the apache.pem configuration file.
Module	class webserver::apache-ssl inherits apache { Service[apache] { require +> File["apache.pem"] } }	The apache-ssl class is part of the webserver module.
Node	node "webserver.example.com" { include webserver }	Declares that the manifest for the machine named webserver.example.com is the webserver module.

A node describes the configuration for a particular machine given its name. Node names and their accompanying configuration can be defined directly in manifests as shown above. Another option is to either use external node classifiers which provide a dynamic mechanism for determine a machine's type based on it's name or use an LDAP directory for storing information about nodes in the cluster.

FURTHER READING

Puppet Type Reference – List of built in resource types abstracted by the Puppet configuration language.
Puppet Language Tutorial - Introduction to the various language constructs in the puppet language including classes, modules, conditionals, variables, arrays and functions.

Now Playing: Linkin Park - Cure For The Itch

Categories: Web Development

August 11, 2008

@ 08:23 AM

Managing Large Web Server Farms: Microsoft's AutoPilot

Whenever you read stories about how Web companies like Facebook have 10,000 servers including 1800 database servers or that Google has one million servers, do you ever wonder how the system administrators that manage these services deal with deployment, patching, failure detection and system repair without going crazy? This post is the first in a series of posts that examines some of the technologies that successful Web companies use to manage large Web server farms.

Last year, Michael Isard of Microsoft Research wrote a paper entitled Autopilot: Automatic Data Center Management which describes the technology that Windows Live and Live Search services have used to manage their server farms. The abstract of his paper is as follows

Microsoft is rapidly increasing the number of large-scale web services that it operates. Services such as Windows Live Search and Windows Live Mail operate from data centers that contain tens or hundreds of thousands of computers, and it is essential that these data centers function reliably with minimal human intervention. This paper describes the first version of Autopilot, the automatic data center management infrastructure developed within Microsoft over the last few years. Autopilot is responsible for automating software provisioning and deployment; system monitoring; and carrying out repair actions to deal with faulty software and hardware. A key assumption underlying Autopilot is that the services built on it must be designed to be manageable. We also therefore outline the best practices adopted by applications that run on Autopilot.

The paper provides a high level overview of the system, it's design principles and the requirements for applications/services that can be managed by the system. It gives a lot of insight into what it takes to manage a large server farm while keeping management and personnel costs low.

The purpose of AutoPilot is to automate and simplify the basic tasks that system administrators typically perform in a data center. This includes installation and deployment of software (including operating systems and patches), monitoring the health of the system, taking basic repair actions and marking systems as needing physical repair or replacement.

However applications that will be managed by AutoPilot also have their responsibilities. The primary responsibility of these applications include being extremely fault tolerant (i.e. applications must be able to handle processes being killed without warning) and being capable of running in the case of large outages in the cloud (i.e. up to 50% of the servers being out of service). In addition, these applications need to be easy to install and configure which means that they need to be xcopy deployable. Finally, the application developers are responsible for describing which application specific error detection heuristics AutoPilot should use when monitoring their service.

Typical AutoPilot Architecture

The above drawing is taken from the research paper. According to the paper the tasks of the various components is as follows

The Device Manager is the central system-wide authority for configuration and coordination. The Provisioning Service and Deployment Service ensure that each computer is running the correct operating system image and set of application processes. The Watchdog Service and Repair Service cooperate with the application and the Device Manager to detect and recover from software and hardware failures. The Collection Service and Cockpit passively gather information about the running components and make it available in real-time for monitoring the health of the service, as well as recording statistics for off-line analysis. (These monitoring components are ―Autopiloted like any other application, and therefore communicate with the Device Manager and Watchdog Service which provide fault recovery, deployment assistance, etc., but this communication is not shown in the figure for simplicity.)

The typical functioning of the system is described in the following section.

What Does AutoPilot Do?

The set of machine types used by the application (e.g. Web crawler, front end Web server, etc) needs to be defined in a database stored by on the Device Manager. A server's machine type dictates what configuration files and application binaries need to be installed on the server. This list is manually defined by the system administrators for the application. The Device Manager also keeps track of the current state of the cluster including what various machine types are online and their health status.

The Provisioning Service continually scans the network looking for new servers that have come online. When a new member of the server cluster is detected, the Provisioning Service asks the Device Manager what operating system image it should be running and then images the machine with a new operating system before performing burn-in tests. If the tests are successful, the Provisioning Service informs the Device Manager that the server is healthy. In addition to operating system components, some AutoPilot specific services are also installed on the new server. There is a dedicated filesync service that ensures that the correct files are present on the computer and an application manager that ensures that the expected application binaries are running.

Both services determine what the right state of the machine should be by querying the Device Manager. If it is determined that the required application binaries and files are not present on the machine then they are retrieved from the Deployment Service. The Deployment Service is a host to the various application manifests which map to the various application folders, binaries and data files. These manifests are populated from the application's build system which is outside the AutoPilot system.

The Deployment Service also comes into play when a new version of the application is ready to be deployed. During this process a new manifest is loaded into the Deployment Service and the Device Manager informs the various machine types of the availability of the new application bits. Each machine type has a notion of an active manifest which allows application bits for a new version of the application to be deployed as an inactive manifest while the old version of the application is considered to be "active". The new version of the application is rolled out in chunks called "scale units". A scale unit is a group of multiple machine types which can number up to 500 machines. Partitioning the cluster into scale units allows code roll outs to be staged. For example, if you have a cluster of 10,000 machines with scale units of 500 machines, then AutoPilot could be configured keep roll outs to under 5 scale units at a time so that never more than 25% of the cloud is being upgraded at a time.

Besides operating system installation and deployment of application components, AutoPilot is also capable of monitoring the health of the service and taking certain repair actions. The Watchdog Service is responsible for detecting failures in the system. It does so by probing each of the servers in the cluster and testing various properties of the machines and the application(s) running on them based on various predetermined criteria. Each watchdog can report one of three results for a test; OK, Warning or Error. A Warning does not initiate any repair action and simply indicates a non-fatal error has occurred. When a watchdog reports an error back to the Device Manager, the machine is placed in the Failure state and one of the following repair actions is taken; DoNothing, Reboot, ReImage or Replace. The choice of repair action depends on the failure history of the machine. If this is the first error that has been reported on the machine in multiple days or weeks then it is assumed to be a transient error and the appropriate action is DoNothing. If not, the machine is rebooted and if after numerous reboots the system is still detected to be in error by the watchdogs it is re-imaged (a process which includes reformatting the hard drive and reinstalling the operating system as well redeploying application bits). If none of these solve the problem then the machine is marked for replacement and it is picked up by a data center technician during weekly or biweekly sweeps to remove dead servers.

System administrators can also directly monitor the system using data aggregated by the Collection Service which collects information from various performance counters is written to a large-scale distributed file store for offline data mining and to a SQL database where the data can be visualized as graphs and reports in a visualization tool known as the Cockpit.

Now Playing: Nirvana - Jesus Doesn't Want Me For A Sunbeam

Categories: Life in the B0rg Cube | Web Development

July 27, 2008

@ 01:38 PM

When REST Doesn't Scale, XMPP to the Rescue?

There was an interesting presentation at OSCON 2008 by Evan Henshaw-Plath and Kellan Elliott-McCrea entitled Beyond REST? Building Data Services with XMPP PubSub. The presentation is embedded below.

The core argument behind the presentation can be summarized by this tweet from Tim O'Reilly

On monday friendfeed polled flickr nearly 3 million times for 45000 users, only 6K of whom were logged in. Architectural mismatch. #oscon08

On July 21st, FriendFeed had 45,000 users who had associated their Flickr profiles with their FriendFeed account. FriendFeed polls Flickr about once every 20 – 30 minutes to see if the user has uploaded new pictures. However only about 6,000 of those users logged into Flickr that day, let alone uploaded pictures. Thus there were literally millions of HTTP requests made by FriendFeed that were totally unnecessary.

Evan and Kellan's talk suggests that instead of Flickr getting almost 3 million requests from FriendFeed, it would be a more efficient model for FriendFeed to tell Flickr which users they are interested in and then listen for updates from Flickr when they upload photos.

They are right. The interaction between Flickr and FriendFeed should actually be a publish-subscribe relationship instead of a polling relationship. Polling is a good idea for RSS/Atom for a few reasons

there are a thousands to hundreds of thousands clients that might be interested in a resource so the server keeping track of subscriptions is prohibitively expensive
a lot of these end points aren't persistently connected (i.e. your desktop RSS reader isn't always running)
RSS/Atom publishing is as simple as plopping a file in the right directory and letting IIS or Apache work its magic

The situation between FriendFeed and Flickr is almost the exact opposite. Instead of thousands of clients interested in document, we have one subscriber interested in thousands of documents. Both end points are always on or are at least expected to be. The cost of developing a publish-subscribe model is one that both sides can afford.

Thus this isn't a case of REST not scaling as implied by Evan and Kellan's talk. This is a case of using the wrong tool to solve your problem because it happens to work well in a different scenario. The above talk suggests using XMPP which is an instant messaging protocol as the publish-subscribe mechanism. In response to the talk, Joshua Schachter (founder of del.icio.us) suggested a less heavyweight publish-subscribe mechanism using a custom API in his post entitled beyond REST. My suggestion for people who believe they have this problem would be to look at using some subset of XMPP and experimenting with off-the-shelf tools before rolling your own solution. Of course, this is an approach that totally depends on network effects. Today everyone has RSS/Atom feeds while very few services use XMPP. There isn't much point in investing in publishing as XMPP if your key subscribers can't consume it and vice versa. It will be interesting to see if the popular "Web 2.0" companies can lead the way in using XMPP for publish-subscribe of activity streams from social networks in the same way they kicked off our love affair with RESTful Web APIs.

It should be noted that there are already some "Web 2.0" companies using XMPP as a way to provide a stream of updates to subscribing services to prevent the overload that comes from polling. For example, Twitter has confirmed that it provides an XMPP stream to FriendFeed, Summize, Zappos, Twittervision and Gnip. However they simply dump out every update that occurs on Twitter to these services instead of having these services subscribe to updates for specific users. This approach is quite inefficient and brings it's own set of scaling issues.

The interesting question is why people are just bringing this up? Shouldn't people have already been complaining about Web-based feed readers like Google Reader and Bloglines for causing the same kinds of problems? I can only imagine how many millions of times a day Google Reader must fetch content from TypePad and Wordpress.com but I haven't seen explicit complaints about this issue from folks like Anil Dash or Matt Mullenweg.

Now Playing: The Pussycat Dolls - When I Grow Up

Categories: Syndication Technology | Web Development

July 21, 2008

@ 01:57 PM

Some Thoughts on Amazon S3's Recent Outage

Yesterday Amazon's S3 service had an outage that lasted about six hours. Unsurprisingly this has led to a bunch of wailing and gnashing of teeth from the very same pundits that were hyping the service a year ago. The first person to proclaim the sky is falling is Richard MacManus in his More Amazon S3 Downtime: How Much is Too Much? who writes

Today's big news is that Amazon's S3 online storage service has experienced significant downtime. Allen Stern, who hosts his blog's images on S3, reported that the downtime lasted ~~3.5~~ over 6 hours. Startups that use S3 for their storage, such as SmugMug, have also reported problems. Back in February this same thing happened. At the time RWW feature writer Alex Iskold defended Amazon, in a must-read analysis entitled Reaching for the Sky Through The Compute Clouds. But it does make us ask questions such as: why can't we get 99% uptime? Or: isn't this what an SLA is for?

Om Malik joins in on the fun with his post S3 Outage Highlights Fragility of Web Services which contains the following

Amazon’s S3 cloud storage service went offline this morning for an extended period of time — the second big outage at the service this year. In February, Amazon suffered a major outage that knocked many of its customers offline.

It was no different this time around. I first learned about today’s outage when avatars and photos (stored on S3) used by Twinkle, a Twitter-client for iPhone, vanished.
…
That said, the outage shows that cloud computing still has a long road ahead when it comes to reliability. NASDAQ, Activision, Business Objects and Hasbro are some of the large companies using Amazon’s S3 Web Services. But even as cloud computing starts to gain traction with companies like these and most of our business and communication activities are shifting online, web services are still fragile, in part because we are still using technologies built for a much less strenuous web.

Even though the pundits are trying to raise a stink, the people who should be most concerned about this are Amazon S3's customers. Counter to Richard MacManus's claim, not only is there a Service Level Agreement (SLA) for Amazon S3, it promises 99.9% uptime or you get a partial refund. 6 hours of downtime sounds like a lot until you realize that 99% uptime is 8 hours of downtime a month and over three and a half days of downtime a year. Amazon S3 is definitely doing a lot better than that.

The only question that matters is whether Amazon's customers can get better service elsewhere at the prices Amazon charges. If they can't, then this is an acceptable loss which is already covered by their SLA. 99.9% uptime still means over eight hours of downtime a year. And if they can, it will put competitive pressure on Amazon to do a better job of managing their network or lower their prices.

This is one place where market forces will rectify things or we will reach a healthy equilibrium. Network computing is inherently and no amount of outraged posts by pundits will ever change that. Amazon is doing a better job than most of its customers can do on their own for cheaper than they could ever do on their own. Let's not forget that in the rush to gloat about Amazon's down time.

Now Playing: 2Pac - Life Goes On

Categories: Web Development

July 14, 2008

@ 12:40 PM

Scalability: I Don't Think That Word Means What You Think It Does

Via Mark Pilgrim I stumbled on an article by Scott Loganbill entitled Google’s Open Source Protocol Buffers Offer Scalability, Speed which contains the following excerpt

The best way to explore Protocol Buffers is to compare it to its alternative. What do Protocol Buffers have that XML doesn’t? As the Google Protocol Buffer blog post mentions, XML isn’t scalable:

"As nice as XML is, it isn’t going to be efficient enough for [Google’s] scale. When all of your machines and network links are running at capacity, XML is an extremely expensive proposition. Not to mention, writing code to work with the DOM tree can sometimes become unwieldy."

We’ve never had to deal with XML in a scale where programming for it would become unwieldy, but we’ll take Google’s word for it.

Perhaps the biggest value-add of Protocol Buffers to the development community is as a method of dealing with scalability before it is necessary. The biggest developing drain of any start-up is success. How do you prepare for the onslaught of visitors companies such as Google or Twitter have experienced? Scaling for numbers takes critical development time, usually at a juncture where you should be introducing much-needed features to stay ahead of competition rather than paralyzing feature development to keep your servers running.

Over time, Google has tackled the problem of communication between platforms with Protocol Buffers and data storage with Big Table. Protocol Buffers is the first open release of the technology making Google tick, although you can utilize Big Table with App Engine.

It is unfortunate that it is now commonplace for people to throw around terms like "scaling" and "scalability" in technical discussions without actually explaining what they mean. Having a Web application that scales means that your application can handle becoming popular or being more popular than it is today in a cost effective manner. Depending on your class of Web application, there are different technologies that have been proven to help Web sites handle significantly higher traffic than they normally would. However there is no silver bullet.

The fact that Google uses MapReduce and BigTable to solve problems in a particular problem space does not mean those technologies work well in others. MapReduce isn't terribly useful if you are building an instant messaging service. Similarly, if you are building an email service you want an infrastructure based on message queuing not BigTable. A binary wire format like Protocol Buffers is a smart idea if your applications bottleneck is network bandwidth or CPU used when serializing/deserializing XML. As part of building their search engine Google has to cache a significant chunk of the World Wide Web and then perform data intensive operations on that data. In Google's scenarios, the network bandwidth utilized when transferring the massive amounts of data they process can actually be the bottleneck. Hence inventing a technology like Protocol Buffers became a necessity. However, that isn't Twitter's problem so a technology like Protocol Buffers isn't going to "help them scale". Twitter's problems have been clearly spelled out by the development team and nowhere is network bandwidth called out as a culprit.

Almost every technology that has been loudly proclaimed as unscalable by some pundit on the Web is being used by a massively popular service in some context. Relational databases don't scale? Well, eBay seems to be doing OK. PHP doesn't scale? I believe it scales well enough for Facebook. Microsoft technologies aren't scalable? MySpace begs to differ. And so on…

If someone tells you "technology X doesn't scale" without qualifying that statement, it often means the person either doesn't know what he is talking about or is trying to sell you something. Technologies don't scale, services do. Thinking you can just sprinkle a technology on your service and make it scale is the kind of thinking that led Blaine Cook (former architect at Twitter) to publish a presentation on Scaling Twitter which claimed their scaling problems where solved with their adoption of memcached. That was in 2007. In 2008, let's just say the Fail Whale begs to differ.

If a service doesn't scale it is more likely due to bad design than to technology choice. Remember that.

Now Playing: Zapp & Roger - Computer Love

Categories: Web Development | XML

July 10, 2008

@ 03:23 PM

Network Attached Memory: Terracota as an Alternative to Memcached

When it comes to scaling Web applications, every experienced Web architect eventually realizes that Disk is the New Tape. Getting data from off of the hard drive disk is slow compared to getting it from memory or from over the network. So an obvious way to improve the performance of your system is to reduce the amount of disk I/O your systems have to do which leads to the adoption of in-memory caching. In addition, there is often more cacheable data on disk than there is space in memory since memory to disk ratios are often worse than 1:100 (Rackspace's default server config has 1GB of RAM and 250 GB of hard disk ). Which has led to the growing popularity of distributed, in-memory, object caching systems like memcached and Microsoft's soon to be released Velocity.

memcached can be thought of as a distributed hash table and its programming model is fairly straightforward from the application developer's perspective. Specifically, There is a special hash table class used by your application which is in actuality a distributed hashtable whose contents are actually being stored on a cluster of machines instead of just in the memory of your local machine.

With that background I can now introduce Terracotta, a product that is billed as "Network Attached Memory" for Java applications. Like distributed hash tables such as memcached, Terracotta springs from the observation that accessing data from a cluster of in-memory cache servers is often more optimal than getting it directly from your database or file store.

Where Terracotta differs from memcached and other distributed hash tables is that it is completely transparent to the application developer. Whereas memcached and systems like it require developers to instantiate some sort of "cache" class and then use that as the hash table of objects that should be stored, Terracotta attempts to be transparent to the application developer by hooking directly into the memory allocation operations of the JVM.

The following is an excerpt from the Terracotta documentation on How Terracotta Works

Terracotta uses ASM to manipulate application classes as those classes load into the JVM. Developers can pick Sun Hotspot or IBM's runtime, and any of several supported application servers
…
The Terracotta configuration file dictates which classes become clustered and which do not. Terracotta then examines classes for fields it needs to cluster, and threading semantics that need to be shared. For example, if to share customer objects throughout an application cluster, the developer need only tell Terracotta to cluster customers and to synchronize customers cluster-wide.

Terracotta looks for bytecode instructions like the following (not an exhaustive list):

GETFIELD

PUTFIELD

AASTORE

AALOAD

MONITORENTRY

MONITOREXIT

On each of those, Terracotta does the work of Network Attached Memory. Specifically:

BYTECODE Injected Behavior

GETFIELD Read from the Network for certain objects. Terracotta also has a heap-level cache that contains pure Java objects. So GETFIELD reads from RAM if-present and faults in from NAM if a cache miss occurs.

PUTFIELD Write to the Network for certain objects. When writing field data through the assignment operator "=" or through similar mechanisms, Terracotta writes the changed bytes to NAM as well as allowing those to flow to the JVM's heap.

AASTORE Same as PUTFIELD but for arrays

AALOAD Sames as GETFIELD but for arrays

MONITORENTRY Get a lock inside the JVM on the specified object AND get a lock in NAM in case a thread on another JVM is trying to edit this object at the same time

MONITOREXIT Flush changes to the JVM's heap cache back to NAM in case another JVM is using the same objects as this JVM

The instrumented-classes section of the Terracotta config file is where application developers specify which objects types should be stored in the distributed cache and it is even possible to say that all memory allocations in your application should go through the distributed cache.

In general, the approach taken by Terracotta seems more complicated, more intrusive and more error prone than using a distributed hash table like Velocity or memcached. I always worry about systems that attempt to hide or abstract away the fact that network operations are occurring. This often leads to developers writing badly performing or unsafe code because it wasn't obvious that network operations are involved (e.g. a simple lock statement in your Terracotta-powered application may actually be acquiring distributed locks without it being explicit in the code that this is occuring).

Now Playing: Dream - I Luv Your Girl (Remix) (feat. Young Jeezy)

Categories: Web Development

July 2, 2008

@ 01:52 PM

Some Thoughts on Google Adopting OAuth for GData APIs

Late last week, the folks on the Google Data APIs blog announced that Google will now be supporting OAuth as the delegated authentication mechanism for all Google Data APIs. This move is meant to encourage the various online services that provide APIs that access a user’s data in the “cloud” to stop reinventing the wheel when it comes to delegated authentication and standardize on a single approach.

Every well-designed Web API that provides access to a customer’s data in the cloud utilizes a delegated authentication mechanism which allows users to grant 3rd party applications access to their data without having to give the application their username and password. There is a good analogy for this practice in the OAuth: Introduction page which is excerpted below

What is it For?

Many luxury cars today come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using your regular key to unlock everything.

Everyday new website offer services which tie together functionality from other sites. A photo lab printing your online photos, a social network using your address book to look for friends, and APIs to build your own desktop application version of a popular site. These are all great services – what is not so great about some of the implementations available today is their request for your username and password to the other site. When you agree to share your secret credentials, not only you expose your password to someone else (yes, that same password you also use for online banking), you also give them full access to do as they wish. They can do anything they wanted – even change your password and lock you out.

This is what OAuth does, it allows the you the User to grant access to your private resources on one site (which is called the Service Provider), to another site (called Consumer, not to be confused with you, the User). While OpenID is all about using a single identity to sign into many sites, OAuth is about giving access to your stuff without sharing your identity at all (or its secret parts).

So every service provider invented their own protocol to do this, all of which are different but have the same basic components. Today we have Google AuthSub, Yahoo! BBAuth, Windows Live DelAuth, AOL OpenAuth, the Flickr Authentication API, the Facebook Authentication API and others. All different, proprietary solutions to the same problem.

This ends up being problematic for developers because if you want to build an application that talks to multiple services you not only have to deal with the different APIs provided by these services but also the different authorization/authentication models they utilize as well. In a world where “social aggregation” is becoming more commonplace with services like Plaxo Pulse & FriendFeed and more applications are trying to bridge the desktop/cloud divide like OutSync and RSS Bandit, it sucks that these applications have to rewrite the same type of code over and over again to deal with the basic task of getting permission to access a user’s data. Standardizing on OAuth is meant to fix that. A number of startups like Digg & Twitter as well as major players like Yahoo and Google have promised to support it, so this should make the lives of developers easier.

Of course, we still have work to do as an industry when it comes to the constant wheel reinvention in the area of Web APIs. Chris Messina points to another place where every major service provider has invented a different proprietary protocol for doing the same task in his post Inventing contact schemas for fun and profit! (Ugh) where he writes

And then there were three
...
Today, Yahoo! announced the public availability of their own Address Book API.

However, I have to lament yet more needless reinvention of contact schema. Why is this a problem? Well, as I pointed out about Facebook’s approach to developing their own platform methods and formats, having to write and debug against yet another contact schema makes the “tax” of adding support for contact syncing and export increasingly onerous for sites and web services that want to better serve their customers by letting them host and maintain their address book elsewhere.

This isn’t just a problem that I have with Yahoo!. It’s something that I encountered last November with the SREG and proposed Attribute Exchange profile definition. And yet again when Google announced their Contacts API. And then again when Microsoft released theirs! Over and over again we’re seeing better ways of fighting the password anti-pattern flow of inviting friends to new social services, but having to implement support for countless contact schemas. What we need is one common contacts interchange format and I strongly suggest that it inherit from vcard with allowances or extension points for contemporary trends in social networking profile data.

I’ve gone ahead and whipped up a comparison matrix between the primary contact schemas to demonstrate the mess we’re in.

Kudos to the folks at Google for trying to force the issue when it comes to standardizing on a delegated authentication protocol for use on the Web. However there are still lots of places across the industry where we speak different protocols and thus incur a needless burden on developers when a single language might do. It would be nice to see some of this unnecessary redundancy eliminated in the future.

Now Playing: G-Unit - I Like The Way She Do It

Categories: Platforms | Web Development

June 24, 2008

@ 02:42 PM

Some Thoughts on OpenID and Being Selective About Who You Trust

Jason Kincaid over at TechCrunch has a blog post entitled Microsoft’s First Step In Accepting OpenID SignOns - HealthVault where he writes

Over 16 months after first declaring its support for the OpenID authentication platform, Microsoft has finally implemented it for the first time, allowing for OpenID logins on its Health Vault medical site. Unfortunately, Health Vault will only support authentication from two OpenID providers: Trustbearer and Verisign. Whatever happened to the Open in OpenID?

The rationale behind the limited introduction is that health is sensitive, so access should be limited to the few, most trusted OpenID providers. It certainly makes sense, but it also serves to underscore one of the problems inherent to OpenID: security
...
But it seems that the platform itself may be even more deserving of scrutiny. What good is a unified login when its default form will only be accepted on the least private and secure sites?

A while back I mentioned that the rush to slap "Open" in front of every new spec written by a posse of Web companies had created a world where "Open" had devolved into a PR marketing term with no real meaning since the term was being used too broadly to define different sorts of "openness". In the above case, the "open" in OpenID has never meant that every service that accepts OpenIDs needs to accept them from every OpenID provider.

Simon Willison, who's been a key evangelist of OpenID, has penned an insightful response to Jason Kincaid's article in his post The point of “Open” in OpenID which is excerpted below

TechCrunch report that Microsoft are accepting OpenID for their new HealthVault site, but with a catch: you can only use OpenIDs from two providers: Trustbearer (who offer two-factor authentication using a hardware token) and Verisign. "Whatever happened to the Open in OpenID?", asks TechCrunch’s Jason Kincaid.
Microsoft’s decision is a beautiful example of the Open in action, and I fully support it.

You have to remember that behind the excitement and marketing OpenID is a protocol, just like SMTP or HTTP. All OpenID actually provides is a mechanism for asserting ownership over a URL and then “proving” that assertion. We can build a pyramid of interesting things on top of this, but that assertion is really all OpenID gives us (well, that and a globally unique identifier). In internet theory terms, it’s a dumb network: the protocol just concentrates on passing assertions around; it’s up to the endpoints to set policies and invent interesting applications.
...
HealthVault have clearly made this decision due to security concerns—not over the OpenID protocol itself, but the providers that their users might choose to trust. By accepting OpenID on your site you are outsourcing the security of your users to an unknown third party, and you can’t guarantee that your users picked a good home for their OpenID. If you’re a bank or a healthcare provider that’s not a risk you want to take; whitelisting providers that you have audited for security means you don’t have to rule out OpenID entirely.

The expectation that services would have to create a white list of OpenID providers is not new thinking. Tim Bray blogged as much in his post on OpenID over year ago where he speculated that there would eventually be a market for rating OpenID providers so companies wouldn't have to individually audit each OpenID provider before deciding which ones to add to their white list.

As more companies decide to accept OpenID as a login mechanism on their services, I suspect that either the community or some company will jump in to fill the niche that Tim Bray speculated about in his post. I can't imagine that it is fun having to audit all of the OpenID providers as part of deciding how people will login to your site nor does it make sense that everyone who plans to support OpenID security audits the same list of services. That sounds like a ton of wasted man hours when it can just be done once then the results shared by all.

Now Playing: Big & Rich - Save a Horse (Ride a Cowboy)

Categories: Web Development

June 19, 2008

@ 12:06 PM

Dark Launches, Gradual Ramps and Isolation: Testing the Scalability of New Features on your Web Site

When adding new features that dramatically change how users interact with your site, it is a good practice to determine up front if your service can handle these new kinds of interactions so you don't end up constantly disabling features due to the high load they incur on your site.

A couple of weeks ago, the developers at Facebook posted an entry about the architecture of Facebook Chat (it's written in Erlang, OMFG!!!) and I was interested to see the discussion of how they tested the scalability of the feature to ensure they didn't create negative first impressions when they rolled it due to scale issues or impact the availability of their main site. The relevant part of the post is excerpted below

Ramping up:

The secret for going from zero to seventy million users overnight is to avoid doing it all in one fell swoop. We chose to simulate the impact of many real users hitting many machines by means of a "dark launch" period in which Facebook pages would make connections to the chat servers, query for presence information and simulate message sends without a single UI element drawn on the page. With the "dark launch" bugs fixed, we hope that you enjoy Facebook Chat now that the UI lights have been turned on.

The approach followed by Facebook encapsulates some of the industry best practices when it comes to rolling out potentially expensive new features on your site. The dark launch is a practice that we've used when launching features for Windows Live in the past. During a dark launch, the feature is enabled on the site but not actually shown in the user interface. The purpose of this is to monitor if the site can handle the load of the feature during day to day interactions without necessarily exposing the feature to end users in case it turns out the answer is no.

An example of a feature that could have been be rolled out using a dark launch is the replies tab on Twitter. A simple way to implement the @replies feature is to create a message queue (i.e. an inbox) for the user that contains all the replies they have been sent. To test if this approach was scalable, the team could have built this feature and had messages going into user's inboxes without showing the Replies tab in the UI. That way they could test the load on their message queue and fix bugs in it based on real user interactions without their users even knowing that they were load testing a new feature. If it turned out that they couldn't handle the load or they needed to beef up their message queuing infrastructure they could disable the feature, change the implementation and retest quickly without exposing their flaws to users.

The main problem with a dark launch is that it ignores the fact that users often use social features a lot differently than is expected by site developers. In the specific case of the Replies tab in Twitter, it is quite likely that the usage of "@username" replies would increase by a lot once the tab was introduced since the feature increased the chance that the recipient would see the response compared to a regular tweet. So the load from the dark launch would not be the actual load from having the feature enabled. So the next step is to introduce the feature to a subset of your users using a gradual ramp up approach.

During a gradual ramp up, you release the feature set to small groups of users preferably in a self contained group so you can see how users actually interact with the feature for real without bringing down your entire site if it turns out that their usage patterns greatly exceed your expectations. This is one of the reasons why Facebook Chat was gradually exposed to users from specific networks before being enabled across the entire site even though the feature had already been dark launched.

Another common practice for limiting the impact of certain features from impacting your core user experience is to isolate your features from each other as much possible. Although this should be a last resort, it is better if one or two features of your site do not work than if the entire site is down. The Twitter folks found this out the hard way when it turned out that traffic from their instant messaging interface was bringing down the site and finally resorted to disabling the ability to update Twitter via IM until further notice. Ideally your site's APIs and Web services should be isolated from your core features so that even if the APIs are going over capacity it doesn't mean your entire site is down. Instead, it would mean that at worst access to data via your site's APIs was unavailable. The same applies for ancillary features like the Replies tab in Twitter or Facebook Chat, if that service was overloaded it shouldn't mean the entire site should be unavailable. This is one area where following the principles of service oriented architecture can save your Web site a lot of pain.

Now Playing: Earth, Wind & Fire - Let's Groove

Categories: Web Development

June 6, 2008

@ 04:08 PM

Velocity: A Distributed In-Memory Cache from Microsoft

Early this week, Microsoft announced a project code named Velocity. Velocity is a distributed in-memory object caching system in the vein of memcached (aka a Distributed Hash Table). If you read any modern stories of the architectures of popular Web sites today such as the recently published overview of the LinkedIn social networking site's Web architecture, you will notice a heavy usage of in-memory caching to improve performance. Popular web sites built on the LAMP platform such as Slashdot, Facebook, Digg, Flickr and Wikipedia have all been using memcached to take advantage of in-memory storage to improve performance for years. It is good to see Microsoft step up with a similar technology for Web sites built on the WISC platform.

Like memcached, you can think of Velocity as a giant hash table that can run on multiple servers which automatically handles maintaining the balance of objects hashed to each server and transparently fetches/removes objects from over the network if they aren't on the same machine that is accessing an object in the hash table. In addition, you can add and remove servers from the cluster and the cache automatically rebalances itself.

The Velocity Logical Model

The following diagram taken from the Velocity documentation is helpful in discussing its logical model in detail

Velocity logical model

In the above diagram, each cache host is a server that participates in the cache cluster. Your application can have multiple named caches (e.g. "Inventory", "Product Catalog", etc) each of which can be configured separately. In addition, each named cache can have one or more named region. For example, the Sports region of your Product Catalog or the Arts region of your product catalog. Below is some sample code that shows putting and getting objects in and out of a named cache.

CacheFactory CacheCluster1 = new CacheFactory();
Cache inventoryCache = CacheCluster1.GetCache("Inventory");

Sneaker s = (Sneaker)inventoryCache.Get("NikeAirForce1");
s.price = s.price * 0.8; //20% discount
inventoryCache.Put("NikeAirForce1", s);

Velocity ships with the ability to search for objects by tag but it is limited to objects within a specific region. So you can fetch all objects tagged "Nike" or "sneakers" from the sports region of your product catalog. As shown in the above diagram, a limitation of regions is that all items in a region must be on the same physical server. Below is an example of what the code for interacting with regions looks like

CacheFactory CacheCluster1 = new CacheFactory();
Cache catalog= CacheCluster1.GetCache("Catalog");
List <KeyValuePair<string, object>>  sneakers = catalog.GetByTag("Sports", "sneakers");

foreach (var kvp in sneakers)
{
   Sneaker s = kvp.Value as Sneaker;
   /* do stuff with Sneaker object */ 
}

The above sample searches for all items tagged "sneakers" from the Sports region of the Catalog cache.

The notion of regions and tagging is one place Velocity diverges from the simpler model of technologies like memcached and provides more functionality.

Eviction Policy and Explicit Object Expiration

Since memory is limited on a server, there has to be an eviction policy that ensures that the cache doesn't end up growing to big thus forcing the operating system to get all Virtual Memory on your ass by writing pages to disk. Once that happens you're in latency hell since fetching objects from the cache will involve going to disk to fetch them. Velocity gives you a couple of knobs that can be dialed up or down as needed to control how eviction or expiration of objects from the cache works. There is a file called ClusterConfig.xml which is used for configuring the eviction and expiration policy of each named cache instance. Below is an excerpt of the configuration file showing the policies for some named cache instances

<!-- Named cache list -->
 <caches>
   <cache name="default" type="partitioned">
     <policy>
       <eviction type="lru" />
       <expiration isExpirable="false" />
     </policy>
   </cache>
   <cache name="Inventory" type="partitioned">
     <policy>
       <eviction type="lru" />
       <expiration isExpirable="true" defaultTTL="50" />
     </policy>
   </cache>
 </caches>

The above excerpt indicates that the default and Inventory caches utilize a Least Recently Used algorithm for determining which objects are evicted from the cache. In addition, it specifies the default interval after which an object can be considered to be stale in the Inventory cache.

The default expiration interval can actually be overridden when putting an object in the cache by specifying a TTL parameter when calling the Put() method.

Concurrency Models: None, Optimistic, or Pessimistic

One of the first things you learn about distributed computing in the real world is that locks are bad mojo. In the way locks traditionally work, an object can be locked by a caller meaning everyone else interested in the object has to wait their turn. Although this prevents errors in your system occurring due to multiple callers interacting with the object at once, it also means there are built-in bottle necks in your system. So lesson #1 of scaling your service is often to get rid of as many locks in your code as possible. Eventually this leads to systems like eBay which doesn't use database transactions and Amazon's Dynamo which doesn't guarantee data consistency.

So what does this have to do with Velocity? Systems designed to scale massively like memcached don't support concurrency. This leads to developers asking questions like this one taken from the memcached mailing list

Consider this situation:-

A list with numeric values: 1,2,3
Server1: Gets the list from memcache.
Server2: Also gets the list from memcache.
Server1: Removes '1' from the list.
Server2: Removes '3' from the list.
Server1: Puts back a list with 2,3 in list in memcache.
Server2: Puts back a list with 1,2 in list in memcache.
Note:Since, both servers have their instance of list objs.
This is not what we need to do. Becoz, both servers are putting an incorrect list in memcache.Ideally what shud have happened was that in the end a list with only '1' shud be put back in memcache. This problem occurs under load and happens in case of concurrent threads.
What I want is that memcache shud restrict Server2 and a consistent list shud be there in memcache. How do I handle such problem in memcache environment?? I know we can handle at application server end by doing all these operations through a centralized place(gets and puts), but how do I handle it in Memcache????
Any help wud be appreciated?

Unfortunately for the author of the question above, memcached doesn't provide APIs for concurrent access and enforcing data consistency (except for numeric counters). So far, the code samples I've shown for Velocity also do not support concurrency.

However there are APIs for fetching or putting objects that support optimistic and pessimistic concurrency models. In the optimistic concurrency model, instead of taking a lock, the objects are given a version number and the caller is expected to specify the version number of the object they have modified when putting it back in the cache. If the object has been modified since the time it was retrieved then there is a version mismatch error. At this point, the caller is expected to re-fetch the object and make their changes to the newly retrieved object before putting it back in the cache. Below is a code sample taken from the Velocity documentation that illustrates what this looks like in code

        /* At time T0, cacheClientA and cacheClientB fetch the same object from the cache */ 

         //-- cacheClientA pulls the FM radio inventory from cache
         CacheFactory clientACacheFactory = new CacheFactory();
         Cache cacheClientA = clientBCacheFactory.GetCache("catalog");
         CacheItem radioInventory = cacheClientA.GetCacheItem("electronics", "RadioInventory");


         //-- cacheClientB pulls the same FM radio inventory from cache
         CacheFactory clientBCacheFactory = new CacheFactory();
         Cache cacheClientB = clientBCacheFactory.GetCache("catalog");
         CacheItem radioInventory = cacheClientA.GetCacheItem("electronics", "RadioInventory");


         //-- At time T1, cacheClientA updates the FM radio inventory
         int newRadioInventory = 155;
         cacheClientA.Put("electronics", "RadioInventory", newRadioInventory,
                          radioInventory.Tags, radioInventory.Version);

         //-- Later, at time T2, cacheClientB tries to update the FM radio inventory
         // AN ERROR OCCURS HERE 
         int newRadioInventory = 130;
         cacheClientB.Put("electronics", "RadioInventory", newRadioInventory,
                          radioInventory.Tags, radioInventory.Version);

In the pessimistic concurrency model, the caller specifically takes a lock by calling GetAndLock() with a lock time out. The lock is then held until the time out or until the object is put back using PutAndUnlock(). To prevent this from being a performance nightmare, the system does not block requests if a lock is held on an object they want to manipulate. Instead the request is rejected (i.e. it fails).

Update: Some people have commented here and elsewhere that memcached actually does support the optimistic concurrency model using the gets and cas commands. Sorry about that, it wasn't exposed in the memcached libraries I've looked at.

Final Thoughts

From my perspective, this is a welcome addition to the WISC developer's toolkit. I also like that it pushes the expectations of developers on what they should expect from a distributed object cache which I expect will end up being good for the industry overall and not just developers on Microsoft's platforms.

If the above sounds interesting, there is already a technology preview available for download from MSDN here. I've downloaded it but haven't tried to run it yet since I don't have enough machines to test it in the ways I would find interesting. As you can expect there is a Velocity team blog. Subscribed.

Now Playing: 50 Cent - These N*ggas Ain't Hood (feat. Lloyd Banks & Marquis)

Categories: Web Development

May 30, 2008

@ 04:21 PM

Google Gears as the Next Flash

When Google Gears was first announced, it was praised as the final nail in the coffin for desktop applications as it now made it possible to take Web applications offline. However in the past year that Gears has existed, there hasn't been as much progress or enthusiasm in taking applications offline as was initially thought when Gears was announced. There are various reasons for this and since I've already given my thoughts on taking Web applications offline so I won't repeat myself in this post. What I do find interesting is that many proponents of Google Gears including technology evangelists at Google have been gradually switching to pushing Gears as a way to route around browsers and add features to the Web, as opposed to just being about an 'offline solution'. Below are some posts from the past couple of months showing this gradual switch in positioning.

Alex Russell of the Dojo Toolkit wrote a blog post entitled Progress Is N+1 in March of this year that contained the following excerpt

Every browser that we depend on either needs an open development process or it needs to have a public plan for N+1. The goal is to ensure that the market knows that there is momentum and a vehicle+timeline for progress. When that’s not possible or available, it becomes incumbent on us to support alternate schemes to rev the web faster. Google Gears is our best hope for this right now, and at the same time as we’re encouraging browser venders to do the right thing, we should also be championing the small, brave Open Source team that is bringing us a viable Plan B. Every webdev should be building Gear-specific features into their app today, not because Gears is the only way to get something in an app, but because in lieu of a real roadmap from Microsoft, Gears is our best chance at getting great things into the fabric of the web faster. If the IE team doesn’t produce a roadmap, we’ll be staring down a long flush-out cycle to replace it with other browsers. The genius of Gears is that it can augment existing browsers instead of replacing them wholesale. Gears targets the platform/product split and gives us a platform story even when we’re neglected by the browser vendors.
Gears has an open product development process, an auto-upgrade plan, and a plan for N+1.
At this point in the webs evolution, I’m glad to see browser vendors competing and I still feel like that’s our best long-term hope. But we’ve been left at the altar before, and the IE team isn’t giving us lots of reasons to trust them as platform vendors (not as product vendors). For once, we have an open, viable Plan B.
Gears is real, bankable progress.

This was followed up by a post by Dion Almaer who's a technical evangelist at Google who wrote the following in his post Gears as a bleeding-edge HTML 5 implementation

I do not see HTML 5 as competition for Gears at all. I am sitting a few feet away from Hixie’s desk as I write this, and he and the Gears team have a good communication loop.
There is a lot in common between Gears and HTML 5. Both are moving the Web forward, something that we really need to accelerate. Both have APIs to make the Web do new tricks. However HTML 5 is a specification, and Gears is an implementation.
...
Standards bodies are not a place to innovate, else you end up with EJB and the like.
...
Gears is a battle hardened Web update mechanism, that is open source and ready for anyone to join and take in interesting directions.

and what do Web developers actually think about using Google's technology as a way to "upgrade the Web" instead of relying on Web browsers and standards bodies for the next generation of features for the Web? Here's one answer from Matt Mullenweg, founder of WordPress, taken from his post Infrastructure as Competitive Advantage

When a website “pops” it probably has very little to do with their underlying server infrastructure and a lot to do with the perceived performance largely driven by how it’s coded at the HTML, CSS, and Javascript level. This, incidentally, is one of the reasons Google Gears is going to change the web as we know it today - LocalServer will obsolete CDNs as we know them. (Look for this in WordPress soonish.)

That's a rather bold claim (pun intended) by Matt. If you're wondering what features Matt is adding to WordPress that will depend on Gears, they were recently discussed in Dion Almaer's post Speed Up! with Wordpress and Gears which is excerpted below

However, Gears is so much more than offline, and it is really exciting to see “Speed Up!” as a link instead of “Go Offline?”
This is just the beginning. As the Gears community fills in the gaps in the Web development model and begins to bring you HTML5 functionality I expect to see less “Go Offline” and more “Speed Up!” and other such phrases. In fact, I will be most excited when I don’t see any such linkage, and the applications are just better.
With an embedded database, local server storage, worker pool execution, desktop APIs, and other exciting modules such as notifications, resumable HTTP being talked about in the community…. I think we can all get excited.

Remember all those rumors back in the day that Google was working on their own browser? Well they've gone one better and are working on the next Flash. Adobe likes pointing out that Flash has more market share than any single browser and we all know that has Flash has gone above and beyond the [X]HTML standards bodies to extend the Web thus powering popular, rich user experiences that weren't possible otherwise (e.g. YouTube). Google is on the road to doing the same thing with Gears. And just like social networks and content sharing sites were a big part in making Flash an integral part of the Web experience for a majority of Web users, Google is learning from history with Gears as can be seen by the the recent announcements from MySpace. I expect we'll soon see Google leverage the popularity of YouTube as another vector to spread Google Gears.

So far none of the Web sites promoting Google Gears have required it which will limit its uptake. Flash got ahead by being necessary for sites to even work. It will be interesting to see if or when sites move beyond using Gears for nice-to-have features and start requiring it to function. It sounds crazy but I never would have expected to see sites that would be completely broken if Flash wasn't installed five years ago but it isn't surprising today (e.g. YouTube).

PS: For those who are not familiar with the technical details of Google Gears, it currently provides three main bits of functionality; thread pools for asynchronous operations, access to a SQL database running on the user's computer, and access to the user's file system for storing documents, images and other media. There are also beta APIs which provide more access to the user's computer from the browser such as the Desktop API which allows applications to create shortcuts on the user's desktop.

Now Playing: Nas - It Ain't Hard To Tell

Categories: Platforms | Web Development

May 26, 2008

@ 03:43 PM

Some Thoughts on Single Instance Storage and Twitter

In response to my recent post about Twitter's architectural woes, Robert Scoble penned a missive entitled Should services charge “super users”? where he writes

First of all, Twitter doesn’t store my Tweets 25,000 times. It stores them once and then it remixes them. This is like saying that Exchange stores each email once for each user. That’s totally not true and shows a lack of understanding how these things work internally.
Second of all, why can FriendFeed keep up with the ever increasing load? I have 10,945 friends on FriendFeed (all added in the past three months, which is MUCH faster growth than Twitter had) and it’s staying up just fine.

My original post excerpted a post by Isreal L'Heureux where he pointed out that there are two naive design choices one could make while designing a system like Twitter. When Robert Scoble posts a tweet you could either

PUSH the message to the queue’s of each of his ~~6,864~~ 24,875 followers, or
Wait for the ~~6,864~~ 24,875 followers to log in, then PULL the message.

Isreal assumed it was #1 which has its set of pros and cons. The pro is that fetching a users inbox is fast and the inbox can easily be cached. The con is that the write I/O is ridiculous. Robert Scoble's post excerpted above argues that Twitter must be using #2 since that is what messaging systems like Microsoft Exchange do.

The feature of Exchange that Robert is talking about is called Single Instance Storage and is described in a Microsoft knowledge base article 175706 as follows

If a message is sent to one recipient, and if the message is copied to 20 other recipients who reside in the same mailbox store, Exchange Server maintains only one copy of the message in its database. Exchange Server then creates pointers.
...
For example, assume the following configuration:
Server 1 Mailbox Store 1: Users A, B, and C
Server 2 Mailbox Store 1: User D
When User A sends the same message to User B, User C, and User D, Exchange Server creates a single instance of the message on server 1 for all three users, because User A, User B, and User C are on the same server. Even the message that is in User A's Sent Items folder is a single instance of the messages that is in the Inboxes of User B and User C. Because User D is on a different server, Exchange Server sends a message to server 2 that will be stored on that server.

So now we know how Exchange's single instance storage works we can talk about how it helps or hinders the model where users pull messages from all the people they are following when they log-in. A pull model assumes that you have a single instance of each message sent by a Twitter user and then when Robert Scoble logs in you execute a query of the form

SELECT TOP 20 messages.author_id, messages.body, messages.publish_date
FROM  messages
WHERE messages.author_id  in (SELECT following.id from following where user_id=$scoble_id)
ORDER BY messages.publish_date DESC;

in this model there's only ever one instance of a message and it lives in the messages table. Where does this break down? Well, what happens when you have more than one database per server or more than one set of database servers or more than one data center? This is why Exchange still has multiple message instances per mailbox store even if they do have single instances shared by all recipients of the message in each mailbox store on a single server.

How much does having multiple databases or multiple DB servers affect the benefits of single instancing of messages? I'll let the Exchange team answer that with their blog post from earlier this year titled Single Instance Storage in Exchange 2007

Over the years, the importance of single instance storage (SIS) in Exchange environments has gradually declined. Ten years ago, Exchange supported about 1000 users per server, with all users on a single database. Today, a typical mailbox server might have 5000 users spread over 50 databases. With one-tenth as many users per database (100 users vs. 1000 users), the potential space savings from single-instancing is reduced by 10x. The move to multiple databases per server, along with the reduction in space savings due to items being deleted over time, means that the space savings from SIS are quite small for most customers. Because of this, we've long recommend that customers ignore SIS when planning their storage requirements for Exchange.
...
Looking forward
Given current trends, we expect the value of single instance storage to continue to decline over time. It's too early for us to say whether SIS will be around in future versions of Exchange. However, we want everyone to understand that it is being deemphasized and should not be a primary factor in today's deployment or migration plans.

At the end of the day, the cost of a naive implementation of single instancing in a situation like Twitter's is latency and ridiculous read I/O. You will have to query data from tens of thousands of users across multiple database every time Robert Scoble logs in.

Exchange gets around the latency problem with the optimization of always having an instance of the message in each database. So you end up with a mix of both a pull & push model. If Scoble blasts a message out to 25,000 recipients on an Exchange system such as the one described in the blog post by the Exchange team, it will end up being written 250 times across 5 servers (100 users per database, 5000 users per server) instead of 25,000 times as would happen in a naive implementation of the PUSH model. Then when each person logs-in to view their message it is assembled on demand from the single instance store local to their mail server instead of trying to read from 250 databases across 5 servers as would happen in a naive implementation of the PULL model.

Scaling a service infrastructure is all about optimizations and trade offs. My original post wasn't meant to imply that Twitter's scaling problems are unsolvable since similar problems have obviously been solved by other online services and Enterprise products in the messaging space. It was meant to inject some perspective in the silly claims that Ruby on Rails is to blame and give readers some perspective on the kind of architectural problems that have to be solved.

Now Playing: Lil Wayne - Got Money (feat. T-Pain)

Categories: Web Development

May 23, 2008

@ 03:23 AM

Some Thoughts on Twitter's Availability Problems

As a regular user of Twitter I've felt the waves of frustration wash over me these past couple of weeks as the service has been hit by one outage after another. This led me to start pondering the problem space [especially as it relates to what I'm currently working on at work] and deduce that the service must have some serious architectural flaws which have nothing to do with the reason usually thrown about by non-technical pundits (i.e. Ruby on Rails is to blame).

Some of my suspicions were confirmed by a recent post on the Twitter developer blog entitled Twittering about architecture which contains the following excerpt

Twitter is, fundamentally, a messaging system. Twitter was not architected as a messaging system, however. For expediency's sake, Twitter was built with technologies and practices that are more appropriate to a content management system. Over the last year and a half we've tried to make our system behave like a messaging system as much as possible, but that's introduced a great deal of complexity and unpredictability. When we're in crisis mode, adding more instrumentation to help us navigate the web of interdependencies in our current architecture is often our primary recourse. This is, clearly, not optimal.

Our direction going forward is to replace our existing system, component-by-component, with parts that are designed from the ground up to meet the requirements that have emerged as Twitter has grown.

Given that Twitter has some unique requirements that would put to test a number of off-the-shelf and even custom messaging applications, it is shocking that it isn't even architected as a messaging system. This makes sense when you consider the background of the founders was a blogging tool and they originally intended Twitter to be a "micro" blogging service.

If Twitter was simply a micro-content publishing tool with push notifications for SMS and IM then the team wouldn't be faulted for designing it as a Content Management System (CMS). In that case you'd just need three data structures

a persistent store for each users tweets
a cache of their tweets in memory to improve read performance
a persistent list of [IM and SMS] end points subscribed to each users tweets and an asynchronous job (i.e. a daemon) which publishes to each users subscribers after each post

Unfortunately, Twitter isn't just a blogging tool that allows people to subscribe to my posts via SMS & IM instead of just RSS. It also has the notion of followers. That's when things get hairy. Isreal over at AssetBar had a great post about this entitled Twitter-proxy: Any Interest? where he wrote

Consider the messaging problem:

Nothing is as easy as it looks. When Robert Scoble writes a simple “I’m hanging out with…” message, Twitter has about two choices of how they can dispatch that message:

PUSH the message to the queue’s of each of his ~~6,864~~ 24,875 followers, or

Wait for the ~~6,864~~ 24,875 followers to log in, then PULL the message.

The trouble with #2 is that people like Robert also follow ~~6,800~~ 21,146 people. And it’s unacceptable for him to login and then have to wait for the system to open records on ~~6,800~~ 21,146 people (across multiple db shards), then sort the records by date and finally render the data. Users would be hating on the HUGE latency.

So, the twitter model is almost certainly #1. Robert’s message is copied (or pre-fetched) to 6,864 users, so when those users open their page/client, Scoble’s message is right there, waiting for them. The users are loving the speed, but Twitter is hating on the writes. All of the writes.

How many writes?

A 6000X multiplication factor:

Do you see a scaling problem with this scenario?

Scoble writes something–boom–~~6,800~~ 21,146 writes are kicked off. 1 for each follower.

Michael Arrington replies–boom–another ~~6,600~~ 17,918 writes.

Jason Calacanis jumps in –boom–another ~~6,500~~ 25,972 writes.

Beyond the ~~19,900~~ 65,036 writes, there’s a lot of additional overhead too. You have to hit a DB to figure out who the ~~19,900~~ 65,036 followers are. Read, read, read. Then possibly hit another DB to find out which shard they live on. Read, read, read. Then you make a connection and write to that DB host, and on success, go back and mark the update as successful. Depending on the details of their messaging system, all the overhead of lookup and accounting could be an even bigger task than the ~~19,900~~ 65,036 reads + ~~19,900~~ 65,036 writes. Do you even want to think about the replication issues (multiply by 2 or 3)? Watch out for locking, too.

And here’s the kicker: that giant processing & delivery effort–possibly a combined ~~100K~~ 130K disk IOs– was caused by 3 users, each just sending one, tiny, 140 char message. How innocent it all seemed.

Not only does Isreal's post accurately describes the problem with the logical model for Twitter's "followers" feature, it looks like he may have also nailed the details of their implementation which would explain the significant issues they've had scaling the site. The problem is that if you naively implement a design that simply reflects the problem statement then you will be in disk I/O hell. It won't matter if you are using Ruby on Rails, Cobol on Cogs, C++ or hand coded assembly, the read & write load will kill you.

This leads me to my new mantra which I've stolen from Jim Gray via Pat Helland; DISK IS THE NEW TAPE.

In addition, the fact that the Twitter folks decided not to cap the number of followers or following may have saved them from the kind of flames that Robert Scoble sends at Facebook for having a 5000 friend limit but it also means that they not only have to deal with supporting users with thousands of followers but also users that follow thousands of users [both of which would be optimized in completely different ways]. Clearly a lot of feature decisions have been made on that product without thought to how they impact the scalability of the service.

PS: If this problem space sounds interesting to you, we're hiring. I'm specifically looking for good operations folks. Shoot me a resume at dareo@msft.com - replace msft.com with microsoft.com

Now Playing: Rick Ross - Maybach Music (featuring Jay-Z)

Categories: Web Development

May 17, 2008

@ 12:52 PM

Offline Web Apps, Dumb Idea or Really Dumb Idea?

Lots of "Web 2.0" pundits like to argue that it is just a matter of time before Web applications make desktop applications obsolete and irrelevant. To many of these pundits the final frontier is the ability to take Web applications offline. Once this happens you get the best of both worlds, the zero install hassle, collaborative nature of Web-based applications married to the ability to take your "apps on a plane". Much attention has been given to this problem which has led to the rise of a number of frameworks designed bring offline capabilities to Web applications the most popular of which is Google Gears. I think the anti-Microsoft sentiment that courses through the "Web 2.0" crowd has created an unwanted solution to a problem that most users don't really have.

Unlike David Heinemeier Hansson in his rant You're not on a fucking plane (and if you are, it doesn't matter)!, I actually think the "offline problem" is a valid problem that we have to solve. However I think that trying to tackle it from the perspective of taking an AJAX application offline is backwards. There are a few reasons I believe this

The user experience of a "rich" Web application pales in comparison to that of a desktop application. If given a choice of using a desktop app and a Web application with the same features, I'd use a desktop application in a heart beat.
The amount of work it takes to "offline enable" a Web application is roughly similar to the amount of work it takes to "online enable" a desktop application. The amount of work it took me to make RSS Bandit a desktop client for Google Reader is roughly equivalent to what it most likely took to add offline reading to Google Reader.
Once you decide to "go offline", your Web application is no longer "zero install" so it isn't much different from a desktop application.

I suspect this is the bitter truth that answers the questions asked in articles like The Frustratingly Unfulfilled Promise of Google Gears where the author laments the lack of proliferation of offline Web applications built on Google Gears.

When it first shipped I was looking forward to a platform like Google Gears but after I thought about the problem for a while, I realized that such a platform would be just as useful for "online enabling" desktop applications as it would be for "offline enabling" Web applications. Additionally, I came to the conclusion that the former is a lot more enabling to users than the latter. This is when I started becoming interested in Live Mesh as a Platform, this is one area where I think Microsoft's hearts and minds are in the right place. I want to see more applications like Outlook + RPC over HTTP not "offline enabled" versions of Outlook Web Access.

Now Playing: Jordin Sparks - No Air (feat. Chris Brown)

Categories: Web Development

March 4, 2008

@ 04:00 AM

IE 8 Will Do the Right Thing

Dean Hachamovitch who runs the Internet Explorer team has a blog post entitled Microsoft's Interoperability Principles and IE8 where he addresses some of the recent controversy about how rendering pages according to Web standards will work in IE 8. He wrote

The Technical Challenge

One issue we heard repeatedly during the IE7 beta concerned sites that looked fine in IE6 but looked bad in IE7. The reason was that the sites had worked around IE6 issues with content that – when viewed with IE7’s improved Standards mode – looked bad.

As we started work on IE8, we thought that the same thing would happen in the short term: when a site hands IE8 content and asks for Standards mode, that content would expect IE7’s Standards mode and not appear or function correctly.

In other words, the technical challenge here is how can IE determine whether a site’s content expects IE8’s Standards mode or IE7’s Standards mode? Given how many sites offer IE very different content today, which should IE8 default to?

Our initial thinking for IE8 involved showing pages requesting “Standards” mode in an IE7’s “Standards” mode, and requiring developers to ask for IE8’s actual “Standards” mode separately. We made this decision, informed by discussions with some leading web experts, with compatibility at the top of mind.

In light of the Interoperability Principles, as well as feedback from the community, we’re choosing differently. Now, IE8 will show pages requesting “Standards” mode in IE8’s Standards mode. Developers who want their pages shown using IE8’s “IE7 Standards mode” will need to request that explicitly (using the http header/meta tag approach described here).

Going Forward

Long term, we believe this is the right thing for the web.

I’m glad someone came to this realization. The original solution was simply unworkable in the long term regardless of how much short term pain it eased. Kudos to the Internet Explorer team for taking the long view and doing what is best for the Web. Is it me or is that the most positive the comments have ever been on the IE blog?

PS: It is interesting to note that this is the second time in the past week Microsoft has announced a technology direction related to Web standards and changed it based on feedback from the community.

Now playing: Usher - In This Club (feat. Young Jeezy)

Categories: Web Development

February 23, 2008

@ 04:00 AM

How "View Source" Broke the Web

About five years ago, I was pretty active on the XML-DEV mailing list. One of the discussions that cropped up every couple of weeks (aka permathreads) was whether markup languages could be successful if they were not simple enough that a relatively inexperienced developer could “View Source” and figure out how to author documents in that format. HTML (and to a lesser extent RSS) are examples of the success of the “View Source” principle. Danny Ayers had a classic post on the subject titled The Legend of View ‘Source’ which is excerpted below

Q: How do people learn markup?
A: 'View Source'.

This notion is one of the big guns that gets wheeled out in many permathreads - 'binary XML', 'RDF, bad' perhaps even 'XML Schema, too
complicated'. To a lot of people it's the show stopper, the argument that can never be defeated. Not being able to view source is the reason format X died; being able to view source is the reason for format Y's success.

But I'm beginning to wonder if this argument really holds water any more. Don't get me wrong, I'm sure it certainly used to be the case, that many people here got their initial momentum into XML by looking at that there text. I'm also sure that being able to view existing source can be a great aid in learning a markup language. What I'm questioning is whether the actual practice of 'View Source' really is so widespread these days, and more importantly whether it offers such benefits for it to be a major factor in language decisions. I'd be happy with the answer to : are people really using 'View Source' that much? I hear it a lot, yet see little evidence.
…
One last point, I think we should be clear about what is and what isn't 'View Source'. If I need an XSLT stylesheet the first thing I'll do is open an existing stylesheet and copy and paste half of it. Then I'll get Michael's reference off the shelf. I bet a fair few folks here have the
bare-bones HTML 3.2 document etched into their lower cortex. But I'd argue that nothing is actually gained from 'View Source' in this, all it is is templating, the fact that it's a text format isn't of immediate relevance.

The mistake Danny made in his post was taking the arguments in favor of “View Source” literally. In hindsight, I think the key point of the “View Source” clan was that it is clear that there is a lot of cargo cult programming that goes on in the world of Web development. Whether it is directly via using the View Source feature of popular Web browsers or simply cutting and pasting code they find at places like quirks mode, A List Apart and W3C Schools, the fact is that lots of people building Web pages and syndication feeds are using technology and techniques they barely understand on a daily basis.

Back in the days when this debate came up, the existence of these markup cargo cults was celebrated because it meant that the ability to author content on the Web was available to the masses which is still the case today (Yaaay, MySpace Wink ). However there has been a number of down sides to the wide adoption of [X]HTML, CSS and other Web authoring technologies by large numbers of semi-knowledgeable developers and technologically challenged content authors.

One of these negative side effects has been discussed to death in a number of places including the article Beyond DOCTYPE: Web Standards, Forward Compatibility, and IE8 by Aaron Gustafson which is excerpted below

The DOCTYPE switch is broken

Back in 1998, Todd Fahrner came up with a toggle that would allow a browser to offer two rendering modes: one for developers wishing to follow standards, and another for everyone else. The concept was brilliantly simple. When the user agent encountered a document with a well-formed DOCTYPE declaration of a current HTML standard (i.e. HTML 2.0 wouldn’t cut it), it would assume that the author knew what she was doing and render the page in “standards” mode (laying out elements using the W3C’s box model). But when no DOCTYPE or a malformed DOCTYPE was encountered, the document would be rendered in “quirks” mode, i.e., laying out elements using the non-standard box model of IE5.x/Windows.
…
Unfortunately, two key factors, working in concert, have made the DOCTYPE unsustainable as a switch for standards mode:

egged on by A List Apart and The Web Standards Project, well-intentioned developers of authoring tools began inserting valid, complete DOCTYPEs into the markup their tools generated; and
IE6’s rendering behavior was not updated for five years, leading many developers to assume its rendering was both accurate and unlikely to change.

Together, these two circumstances have undermined the DOCTYPE switch because it had one fatal flaw: it assumed that the use of a valid DOCTYPE meant that you knew what you were doing when it came to web standards, and that you wanted the most accurate rendering possible. How do we know that it failed? When IE 7 hit the streets, sites broke.

Sure, as Roger pointed out, some of those sites were using IE-6-specific CSS hacks (often begrudgingly, and with no choice). But most suffered because their developers only checked their pages in IE6 —or only needed to concern themselves with how the site looked in IE6, because they were deploying sites within a homogeneous browserscape (e.g. a company intranet). Now sure, you could just shrug it off and say that since IE6’s inaccuracies were well-documented, these developers should have known better, but you would be ignoring the fact that many developers never explicitly opted into “standards mode,” or even knew that such a mode existed.

This seems like an intractible problem to me. If you ship a version of your software that is more standards compliant than previous versions you run the risk of breaking applications or content that worked in previous versions. This reminds me of Windows Vista getting the blame because Facebook had a broken IPv6 record. The fact is that the application can claim it is more standards compliant but that is meaningless if users can no longer access their data or visit their favorite sites. In addition, putting the onus on Web developers and content authors to always write standards compliant code is impossible given the acknowledged low level of expertise of said Web content authors. It would seem that this actually causes a lot of pressure to always be backwards (or is that bugwards) compatible. I definitely wouldn’t want to be in the Internet Explorer team’s shoes these days.

It puts an interesting wrinkle on the exhortations to make markup languages friendly to “View Source” doesn’t it?

Now playing: Green Day - Welcome To Paradise

Categories: Web Development

February 7, 2008

@ 04:00 AM

How to Probe Browser History Using Javascript in IE and Firefox

Niall Kennedy has a blog post entitled Sniff browser history for improved user experience where he describes a common-sense technique to test URLs against a Web browser’s visited page history. He writes

I first blogged about this technique almost two years ago but I will now provide even more details and example implementations.
...
A web browser such as Firefox or Internet Explorer will load the current user's browser history into memory and compare each link (anchor) on the page against the user's previous history. Previously visited links receive a special CSS pseudo-class distinction of :visited and may receive special styling.
...
Any website can test a known set of links against the current visitor's browser history using standard JavaScript.

Place your set of links on the page at load or dynamically using the DOM access methods.

Attach a special color to each visited link in your test set using finely scoped CSS.

Walk the evaluated DOM for each link in your test set, comparing the link's color style against your previously defined value.

Record each link that matches the expected value.

Customize content based on this new information (optional).

Each link needs to be explicitly specified and evaluated. The standard rules of URL structure still apply, which means we are evaluating a distinct combination of scheme, host, and path. We do not have access to wildcard or regex definitions of a linked resource.

Niall goes on to describe the common ways one can improve the user experience on a site using this technique. I’ve been considering using this approach to reduce the excess blog flair on my weblog. It doesn’t make much sense to show people a “submit to reddit” button if they don’t use reddit. The approach suggested in Niall’s article makes it possible for me to detect what sites a user visits and then only display relevant flair on my blog posts. Unfortunately neither of Niall’s posts on the topic provide example code which is why I’m posting this follow up to Niall’s post. Below is an HTML page that uses Javascript function to return which social bookmarking sites a viewer of a Web page actually uses based on their browser history.


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">  
  <head>
    <title>What Social Bookmarking Sites Do You Use?</title>  
    <script type="text/javascript">
var bookmarking_sites = new Array("http://programming.reddit.com", "http://www.dzone.com", "http://www.digg.com", "http://del.icio.us", "http://www.stumbleupon.com", "http://ma.gnolia.com", "http://www.dotnetkicks.com/", "http://slashdot.org")


function DetectSites() {
  var testelem = document.getElementById("linktest");
  var visited_sites = document.getElementById("visited_sites");
  var linkColor; 
  var isVisited = false;

  for (var i = 0; i < bookmarking_sites.length; i++) {          
         var url2test = document.createElement("a");                
         url2test.href = bookmarking_sites[i];       
         url2test.innerHTML = "I'm invisible, you can't click me";        
         
	 testelem.appendChild(url2test); 

	 if(document.defaultView){ //Mozilla
           linkColor = document.defaultView.getComputedStyle(url2test,null).getPropertyValue("color");

	   if(linkColor == "rgb(100, 149, 237)"){
	     isVisited = true;
	   }
	 }else if(url2test.currentStyle){ //IE
	   if(url2test.currentStyle.color == "cornflowerblue"){
	     isVisited = true;
	   }
	 }

	 if (isVisited) {           
	 visited_sites.innerHTML = visited_sites.innerHTML + 
	  "<a href='" + url2test.href + "'>" + url2test.href + "</a><br>"
	 }         
	 testelem.removeChild(url2test);            
	 isVisited = false; 
  } 
}
      
    </script>
 <style type="text/css">
   p#linktest a:visited { color: CornflowerBlue }
 </style>
  </head>
  <body onload="DetectSites()">
    <b>Social Bookmarking Sites You've Visited</b>
    <p id="linktest" style="visibility:hidden" />
    <p id="visited_sites" />
  </body>
</html>

Of course, after writing the aforementioned code it occured to me run a Web search and I found that there are bits of code for doing this all over the Web in places like Jermiah Grossman’s blog (Firefox only) and GNUCITIZEN.

At least now I have it in a handy format; cut, paste and go.

Now all I need is some free time which in which to tweak my weblogt to start using the above function instead of showing people links to services they don’t use.

Now playing: Disturbed - Numb

Categories: Programming | Web Development

January 23, 2008

@ 04:00 AM

Google Map/Reduce vs. Relational Databases

The top story in my favorite RSS reader is the article MapReduce: A major step backwards by David J. DeWitt and Michael Stonebraker. This is one of those articles that is so bad you feel dumber after having read it. The primary thesis of the article is

MapReduce may be a good idea for writing certain types of general-purpose computations, but to the database community, it is:

A giant step backward in the programming paradigm for large-scale data intensive applications

A sub-optimal implementation, in that it uses brute force instead of indexing

Not novel at all -- it represents a specific implementation of well known techniques developed nearly 25 years ago

Missing most of the features that are routinely included in current DBMS

Incompatible with all of the tools DBMS users have come to depend on

One of the worst things about articles like this is that it gets usually reasonable and intelligent sounding people spouting of bogus responses as knee jerk reactions due to the articles stupidity. The average bogus reaction was the kind by Rich Skrenta in his post Database gods bitch about mapreduce which talks of "disruption" as if Google MapReduce is actually comparable to a relation database management system.

On the other hand, the good thing about articles like this is that you get often get great responses from smart folks that further your understanding of the subject matter even though the original article was crap. For example, take the post from Google employee Mark Chu-Carroll entitled Databases are Hammers; MapReduce is a ScrewDriver where he writes eloquently that

The beauty of MapReduce is that it's easy to write. M/R programs are really as easy as parallel programming ever gets. So, getting back to the article. They criticize MapReduce for, basically, not being based on the idea of a relational database.
…
That's exactly what's going on here. They've got their relational databases. RDBs are absolutely brilliant things. They're amazing tools, which can be used to build amazing software. I've done a lot of work using RDBs, and without them, I wouldn't have been able to do some of the work that I'm proudest of. I don't want to cut down RDBs at all: they're truly great. But not everything is a relational database, and not everything is naturally suited towards being treated as if it were relational. The criticisms of MapReduce all come down to: "But it's not the way relational databases would do it!" - without every realizing that that's the point. RDBs don't parallelize very well: how many RDBs do you know that can efficiently split a task among 1,000 cheap computers? RDBs don't handle non-tabular data well: RDBs are notorious for doing a poor job on recursive data structures. MapReduce isn't intended to replace relational databases: it's intended to provide a lightweight way of programming things so that they can run fast by running in parallel on a lot of machines. That's all it was intended to do.

Mark’s entire post is a great read.

Greg Jorgensen also has a good rebutal in his post Relational Database Experts Jump The MapReduce Shark which points out that if the original article had been a critique of a Web-based structured data storage systems such as Amazon’s SimpleDB or Google Base then the comparison may have been almost logical as opposed to being completely ridiculous. Wink

Now playing: Marvin Gaye - I Heard It Through the Grapevine

Categories: Web Development

November 12, 2007

@ 04:01 PM

Comments [14]

OpenID + OAuth is the Final Nail in the Coffin of the WS-* vs. REST Discussion

Although the choice of whether to pick between WS-* and REST when deciding to build services on the Web seems like a foregone conclusion, there seems to be one or two arguments on the WS-* that refuse to die. You can find a them in the notes on the talk by Sanjiva Weerawarana at QCon, WS-* vs. REST: Mashing up the Truth from Facts, Myths and Lies

history: why were WS created? people were doing XML over HTTP in 1998/1999
everyone invented their own way to do security, reliability, transactions, … (e.g. RosettaNet, ebXML)
Biggest criticism of SOAP in 2000: lack of security
REST-* is on its way - ARGH!

Today you can find other members of the Web Services community echoing some of Sanjiva’s points. You have Don Box in his blog post entitled Yes Steve, I've Tried saying

I wouldn't call myself an advocate for any specific technology (ducks), but I've spent a lot of time doing HTTP stuff, including a recent tour of duty to help out on our .NET 3.5 support for REST in WCF.

I have to say that the authentication story blows chunks.

Having to hand-roll yet another “negotiate session key/sign URL” library for J. Random Facebook/Flickr/GData clone doesn't scale.

and even Sam Ruby adds his voice in agreement with his post Out of the Frying Pan where he writes

I’d suggest that the root problem here has nothing to to with HTTP or SOAP, but rather that the owners and operators of properties such as Facebook, Flickr, and GData have vested interests that need to be considered.

For once I have to agree with Sanjiva and disagree with Sam and Don. The folks at Google, Yahoo! and a bunch of the other Silicon Valley startups realize that having umpteen different application interfaces, authentication and authorization stories is a pain for developers build mashups, widgets and full blown Web applications. The answer isn’t as Don argues that we all jump on WS-* or as Sam suggests that Web companies have a vested interest keeping the situation fragmented so we have to live with it.

In fact, we are already on the road to REST-* as a way to address this problem. What happens when you put together AtomPub/GData, OpenID, OAuth and OpenSocial? Sounds a lot like the same sort of vision Microsoft was pitching earlier in the decade, except this time it is built on a sturdier foundation [not crap like SOAP, WSDL and XSD] and is being worked on collaboratively by members of the Web community instead of a bunch of middleware vendors.

It’s unsurprising that Don and Sam don’t realize this is occuring given that their employers (Microsoft and IBM respectively) are out of the loop on most of this evolution which is primarily being by driven by Google and it’s coalition of the willing. Then again, it does remind me of how IBM and Microsoft pulled the same thing on the industry with WS-*. I guess turnabout is fair play. Wink

Now playing: D12 - American Psycho

Categories: Web Development | XML Web Services

November 4, 2007

@ 07:14 PM

OpenSocial Explained in Five Sentences

A couple of people mentioned that my previous post on Google OpenSocial was too long and needed a five sentence elevator pitch style summary. Below is the five sentence summary of my analysis of Google OpenSocial that cuts through the hype and is just the facts.

OpenSocial is billed as a standardized widget platform for the Web, it isn't. OpenSocial is a standard set of REST APIs which social networks can utilize to expose user profiles and relationship data. Everything else required by a widget platform from authentication and authorization to user interface integration and an application directory is unspecified. OpenSocial is to a standardized widget platform as an internal combustion engine is to an airplane. A step in the right direction but still very far from the end goal.

Hope that helps. I have to go rake some leaves and run some puppy related errands so I might be slow in responding to comments over the rest of the day.

Categories: Platforms | Social Software | Web Development

October 10, 2007

@ 04:00 AM

When Databases Lie: Consistency vs. Availability in Distributed Systems

I recently got an email from a developer about my post Thoughts on Amazon's Internal Storage System (Dynamo) which claimed that I seem to be romanticizing distributed systems that favor availability over consistency. He pointed out that although this sounds nice on paper, it places a significant burden on application developers. He is 100% right. This has been my experience in Windows Live and I’ve heard enough second hand to assume it is the experience at Amazon as well when it comes to Dynamo.

I thought an example of how this trade-off affects developers would be a useful excercise and may be of interest to my readers. The following example is hypothetical and should not be construed as describing the internal architectures of any production systems I am aware of.

Scenario: Torsten Rendelmann, a Facebook user in Germany, accepts a friend request from Dare Obasanjo who is a Facebook user in the United States.

The Distributed System: To improve the response times for users in Europe, imagine Facebook has a data center in London while American users a serviced from a Data Center in Palo Alto. To achieve this, the user database is broken up in a process commonly described as sharding. The question of if and how data is replicated across both data centers isn’t relevant to this example.

The application developer who owns the confirm_friend_request() method, will ideally want to write code that took the following form

public void confirm_friend_request(user1, user2){ begin_transaction(); update_friend_list(user1, user2, status.confirmed); //palo alto update_friend_list(user2, user1, status.confirmed); //london end_transaction(); }

Yay, distributed transactions. You have to love a feature that every vendor advises you not to use if you care about performance. So obviously this doesn’t work for a large scale distributed system where performance and availabilty are important.

Things get particularly ugly when you realize that either data center or the specific server a user’s data is stored on could be unreachable for a variety of reasons (e.g. DoS attack, high seasonal load, drunk sys admin tripped over a power cord, hard drive failure due to cheap components, etc).

There are a number of options one can consider when availability and high performance are considered to be more important than data consistency in the above example. Below are three potential implementations of the code above each with it’s own set of trade offs.

OPTION I: Application developer performs manual rollback on error

public void confirm_friend_request_A(user1, user2){ try{ update_friend_list(user1, user2, status.confirmed); //palo alto }catch(exception e){ report_error(e); return; } try{ update_friend_list(user2, user1, status.confirmed); //london }catch(exception e) { revert_friend_list(user1, user2); report_error(e); return; } }

The problem here is that we don’t handle the case where revert_friend_list() fails. This means that Dare (user1) may end up having Torsten (user2) on his friend list but Torsten won’t have Dare on his friend list. The database has lied.

OPTION II: Failed events are placed in a message queue to be retried until they succeed.

public void confirm_friend_request_B(user1, user2){

try{
   update_friend_list(user1, user2, status.confirmed); //palo alto
}catch(exception e){
report_error(e);
  add_to_retry_queue(operation.updatefriendlist, user1, user2, current_time());
}
try{
update_friend_list(user2, user1, status.confirmed); //london
}catch(exception e) {
report_error(e);
add_to_retry_queue(operation.updatefriendlist, user2, user1, current_time());
}

}

Depending on how long the error exists and how long it takes an item to sit in the message queue, there will be times when the Dare (user1) may end up having Torsten (user2) on his friend list but Torsten won’t have Dare on his friend list. The database has lied, again.

OPTION III: System always accepts updates but application developers may have to resolve data conflicts later. (The Dynamo approach)

/* update_friend_list always succeeds but may enqueue an item in message queue to try again later in the event of failure. This failure is not propagated to callers of the method. */ public void confirm_friend_request_C(user1, user2){ update_friend_list(user1, user2, status.confirmed); // palo alto update_friend_list(user2, user1, status.confirmed); //london } /* get_friends() method has to reconcile results returned by get_friends() because there may be data inconsistency due to a conflict because a change that was applied from the message queue is contradictory to a subsequent change by the user. In this case, status is a bitflag where all conflicts are merged and it is up to app developer to figure out what to do. */ public list get_friends(user1){ list actual_friends = new list(); list friends = get_friends(); foreach (friend in friends){ if(friend.status == friendstatus.confirmed){ //no conflict actual_friends.add(friend); }else if((friend.status &= friendstatus.confirmed) and !(friend.status &= friendstatus.deleted)){ // assume friend is confirmed as long as it wasn’t also deleted friend.status = friendstatus.confirmed; actual_friends.add(friend); update_friends_list(user1, friend, status.confirmed); }else{ //assume deleted if there is a conflict with a delete update_friends_list( user1, friend, status.deleted) } }//foreach return actual_friends; }

These are just a few of the many approaches that can be implemented in such a distributed system to get around the performance and availability implications of using distributed transactions. The main problem with them is that in every single case, the application developer has an extra burden placed on his shoulders due to inherent fragility of distributed systems. For a lot of developers, the shock of this realization is akin to the shock of programming in C++ after using C# or Ruby for a couple of years. Manual memory management? Actually having to perform bounds checking arrays? Being unable to use decades old technology like database transactions?

The challenge in building a distributed storage system like BigTable or Dynamo is in balancing the need for high availability and performance while not building a system that encourages all sorts of insidious bugs to exist in the system by design. Some might argue that Dynamo goes to far in the burden that it places on developers while there are others that would argue that it doesn’t go far enough.

In what camp do you fall?

Now playing: R. Kelly - Rock Star (feat. Ludacris & Kid Rock)

Categories: Platforms | Programming | Web Development

October 6, 2007

@ 04:00 AM

OAuth 1.0 is Here - Delegated Authority Comes to Mashups

According to blog posts like A Flood of Mashups Coming? OAuth 1.0 Released and John Musser’s OAuth Spec 1.0 = More Personal Mashups? , it looks like the OAuth specification has reached it’s final draft.

This is good news because the need for a standardized mechanism for users to give applications permission to access their data or act on their behalf has been obvious for a while. The most obvious manifestation of this are all the applications that ask for your username and password so they can retrieve your contact list from your email service provider.

So what exactly is wrong with applications like the one’s shown below?

meebo

spock

The problem with these applications [which OAuth solves] is that when I give them my username and password, I’m not only giving them access to my address book but also access to

my blog posts and all my photos (http://spaces.live.com)
my travel history (http://www.expedia.com)
my search history (http://www.google.com/psearch)
my personal email (http://www.hotmail.com)
my medical information (http://www.healthvault.com)
my business documents (http://www.officelive.com)
my personal documents (http://docs.google.com)
my purchase history (https://checkout.google.com)
and so on…

because all of those services use the same credentials. Sounds scary when put in those terms doesn’t it?

OAuth allows a service provider (like Google or Yahoo!) to expose an interface that allows their users to give applications permission to access their data while not exposing their login credentials to these applications. As I’ve mentioned in the past, this standardizes the kind of user-centric API model that is utilized by Web services such as the Windows Live Contacts API, Google AuthSub and the Flickr API to authenticate and authorize applications to access a user’s data.

The usage flow end users can expect from OAuth enabled applications is as follows.

1. The application or Web site informs the user that it is about to direct the user to the service provider’s Web site to grant it permission.

2. The user is then directed to the service providers Web site with a special URL that contains information about the requesting application. The user is prompted to login to the service provider’s Website to verify their identity.

3. The user grants the application permission.

4. The application gets access to the user’s data and the user never had to hand over their username and password to some random application which they might not trust.

I’ve read the final draft of the OAuth 1.0 spec and it seems to have done away with some of the worrisome complexity I’d seen in earlier draft (i.e. single use and multi-use tokens). Great work by all those involved.

I never had time to participate in this effort but it looks like I wouldn’t have had anything to add. I can’t wait to see this begin to get deployed across the Web.

Now playing: Black Eyed Peas - Where is the Love (feat. Justin Timberlake)

Categories: Web Development | XML Web Services

October 4, 2007

@ 04:00 AM

Joel Spolsky on Why the Facebook Platform is the Future of the Web

This is another post I was planning to write a few weeks ago which got interrupted by my wedding and honeymoon.

A few weeks ago, Joel Spolsky wrote a post entitled Strategy Letter VI which I initially dismissed as the ravings of a desktop developer who is trying to create an analogy when one doesn’t exist. The Web isn’t the desktop, or didn’t he read There is no Web Operating System (or WebOS)? By the second time I read it, I realized that if you ignore some of the desktop-centric thinking in Joel’s article, then not only is Joel’s article quite insightful but some of what he wrote is already coming to pass.

The relevant excerpt from Joel’s article is

Somebody is going to write a compelling SDK that you can use to make powerful Ajax applications with common user interface elements that work together. And whichever SDK wins the most developer mindshare will have the same kind of competitive stronghold as Microsoft had with their Windows API.

If you’re a web app developer, and you don’t want to support the SDK everybody else is supporting, you’ll increasingly find that people won’t use your web app, because it doesn’t, you know, cut and paste and support address book synchronization and whatever weird new interop features we’ll want in 2010.

Imagine, for example, that you’re Google with GMail, and you’re feeling rather smug. But then somebody you’ve never heard of, some bratty Y Combinator startup, maybe, is gaining ridiculous traction selling NewSDK,

…

And while you’re not paying attention, everybody starts writing NewSDK apps, and they’re really good, and suddenly businesses ONLY want NewSDK apps, and all those old-school Plain Ajax apps look pathetic and won’t cut and paste and mash and sync and play drums nicely with one another. And Gmail becomes a legacy. The WordPerfect of Email. And you’ll tell your children how excited you were to get 2GB to store email, and they’ll laugh at you. Their nail polish has more than 2GB.

Crazy story? Substitute “Google Gmail” with “Lotus 1-2-3”. The NewSDK will be the second coming of Microsoft Windows; this is exactly how Lotus lost control of the spreadsheet market. And it’s going to happen again on the web because all the same dynamics and forces are in place. The only thing we don’t know yet are the particulars, but it’ll happen

A lot of stuff Joel asserts seems pretty clueless on the face of it. Doesn’t he realize that there are umpteen billion AJAX toolkits (e.g. Dojo, Google Web Toolkit, Yahoo! User Interface Library, Script.aculo.us, etc) and rich internet application platforms (e.g. Flash, Silverlight, XUL, etc)? Doesn’t he realize that there isn’t a snowball’s chance in hell of the entire Web conforming to standard user interface guidelines let alone everyone agreeing on using the same programming language and SDK to build Web apps?

But wait…

What happens if you re-read the above excerpt and substitute NewSDK with Facebook platform?

I didn’t classify Facebook as a Social Operating System for no reason. GMail and other email services have become less interesting to me because I primarily communicate with friends and family on the Web via Facebook and it’s various platform applications. I’ve stopped playing casual games at Yahoo! Games and now use Scrabulous and Texas Hold ‘Em when I want to idle some time away on the weekend. All of these applications are part of a consistent user interface, are all accessible from my sidebar and each of them has access to my data within Facebook including my social graph. Kinda like how Windows or Mac OS X desktop applications on my machine have a consistent user interface, are all accessible from my applications menu and can all access the data on my hard drive.

Hmmm…

I suspect that Joel is right about NewSDK, he’s just wrong about which form it will take. “Social operating system” does have a nice ring to it, doesn’t it?

Now playing: Kanye West - Two Words (feat. Mos Def, Freeway & The Harlem Boys Choir)

Categories: Platforms | Web Development

September 18, 2007

@ 04:00 AM

Message Queues, Denormalization and Scalability

There have been a number of recent posts on message queues and publish/subscribe systems in a couple of the blogs I read. This has been rather fortuitous since I recently started taking a look at the message queuing and publish/subscribe infrastructure that underlies some of our services at Windows Live. It’s been interesting just comparing how different my perspective and those of the folks I’ve been working with are from the SOA/REST blogging set.

Here are three blog posts that caught my eye all around the same time with relevant bits excerpted.

Tim Bray in his post Atom and Pushing and Pulling and Buffering writes

Start with Mike Herrick’s Pub/Sub vs. Atom & AtomPub?, which has lots of useful links. I thought Bill de hÓra’s Rates of decay: XMPP Push, HTTP Pull was especially interesting on the “Push” side of the equation. ¶

But they’re both missing an important point, I think. There are two problems with Push that don’t arise in Pull: First, what happens when the other end gets overrun, and you don’t want to lose things? And second, what happens when all of a sudden you have a huge number of clients wanting to be pushed to? This is important, because Push is what you’d like in a lot of apps. So it doesn’t seem that important to me whether you push with XMPP or something else.

The obvious solution is a buffer, which would probably take the form of a message queue, for example AMQP.

The problems Tim points out are a restating of the same problems you encounter in the Push or HTTP-based polling model favored by RSS and Atom; First, what happens when the client goes down and doesn’t poll the server for a while but you don’t want to lose things? Secondly, what happens when a large number of clients are pilling and server can’t handle the rate of requests?

The same way there are answers to these questions in the Pull model, so also are there answers in the Push model. The answer to the Tim’s first question is for the server to use a message queue to persist messages that haven’t been delivered and also note the error rate of the subscriber so it can determine whether to quit or wait longer before retrying. The are no magic answers for the second problem. In a Push model, the server gets more of a chance of staying alive because it controls the rate at which it delivers messages. It may deliver them later than expected but it can still do so. In the Pull model, the server just gets overwhelmed.

In a response to Tim’s post, Bill de hÓra writes in his post entitled XMPP matters

I'd take XMPP as a messaging backbone over AMQP, which Tim mentions because he's thinking about buffering message backlog, something that AMQP calls out specifically. And as he said - "I’ve been expecting message-queuing to heat up since late 2003." AMQP is a complicated, single purpose protocol, and history suggests that simple general purpose protocols get bent to fit, and win out. Tim knows this trend. So here's my current thinking, which hasn't changed in a long while - long haul, over-Internet MQ will happen over XMPP or Atompub. That said, AMQP is probably better than the WS-* canon of RM specs; and you can probably bind it to XMPP or adopt its best ideas. Plus, I'm all for using bugtrackers :)

So I think XMPP matters insofar as these issues are touched on, either in the core design or in supporting XEPs, or reading protocol tea leaves. XMPP's potential is huge; I suspect it will crush everything in sight just like HTTP did.

What I’ve found interesting about these posts is the focus on the protocol used by the publish/subscribe or message queue system instead of the features and scenarios. Even though I’m somewhat of an XML protocol geek, when it comes to this space I focus on features. It’s like source control, people don’t argue about the relative merits of the CVS, Subversion or Git wire protocols. They argue about the actual features and usage models of these systems.

In this case, message buffering or message queuing is one of the most important features I want in a publish/subscribe system. Of course, I’m probably cheating a little here because sometimes I think message queues are pretty important even if you aren’t really publishing or subscribing. For example, the ultimate architecture is one where you have a few hyper denormalized objects in memory which are updated quickly and when updated you place the database write operations in a message queue [to preserve order, etc] to be performed asynchronously or during off peak hours to smooth out the spikes in activity graphs.

Stefan Tilkov has a rather dreadful post entitled Scaling Messaging contains the following excerpt

Patrick may well be right — I don’t know enough about either AMQP or XMPP to credibly defend my gut feeling. One of my motivations, though, was that XMPP is based on XML, while AMQP (AFAIK) is binary. This suggests to me that AMQP will probably outperform XMPP for any given scenario — at the cost of interoperability (e.g. with regard to i18n). So AMQP might be a better choice if you control both ends of the wire (in this case, both ends of the message queue), while XMPP might be better to support looser coupling.

This calls to mind the quote, it is better to remain silent..yadda, yadda, yadda. You’d have thought that the REST vs. SOAP debates would have put to rest the pointlessness that is dividing up protocols based on “enterprise” vs. “Web” or even worse binary vs. XML. I expect better from Stefan.

As for me, I’ve been learning more about SQL Service Broker (Microsoft’s message queuing infrastructure built into SQL Server 2005) from articles like Architecting Service Broker Applications which gives a good idea of the kind of concerns I’ve grown to find fascinating. For example

Queues

One of the fundamental features of Service Broker is a queue as a native database object. Most large database applications I have worked with use one or more tables as queues. An application puts something that it doesn't want to deal with right now into a table, and at some point either the original application or another application reads the queue and handles what's in it. A good example of this is a stock-trading application. The trades have to happen with subsecond response time, or money can be lost and SEC rules violated, but all the work to finish the trade—transferring shares, exchanging money, billing clients, paying commissions, and so on—can happen later. This "back office" work can be processed by putting the required information in a queue. The trading application is then free to handle the next trade, and the settlement will happen when the system has some spare cycles. It's critical that once the trade transaction is committed, the settlement information is not lost, because the trade isn't complete until settlement is complete. That's why the queue has to be in a database. If the settlement information were put into a memory queue or a file, a system crash could result in a lost trade. The queue also must be transactional, because the settlement must be either completed or rolled back and started over. A real settlement system would probably use several queues, so that each part of the settlement activity could proceed at its own pace and in parallel.

The chapter on denormalizing your database in “Scaling Your Website 101” should have a pointer to the chapter on message queuing so you can learn about one of the options when formulating a strategy for dealing with the update anomalies that come with denormalization.

Now playing: Neptunes - Light Your Ass On Fire (feat. Busta Rhymes)

Categories: Web Development

September 12, 2007

@ 04:00 AM

Some Thoughts on CouchDB and Relational Databases

Recently I took a look at CouchDB because I saw it favorably mentioned by Sam Ruby and when Sam says some technology is interesting, he’s always right. You get the gist of CouchDB by reading the CouchDB Quick Overview and the CouchDB technical overview.

CouchDB is a distributed document-oriented database which means it is designed to be a massively scalable way to store, query and manage documents. Two things that are interesting right off the bat are that the primary interface to CouchDB is a RESTful JSON API and that queries are performed by creating the equivalent of stored procedures in Javascript which are then applied on each document in parallel. One thing that not so interesting is that editing documents is lockless and utilizes optimistic concurrency which means more work for clients.

As someone who designed and implemented an XML Database query language back in the day, this all seems strangely familiar.

So far, I like what I’ve seen but there seems to already be a bunch of incorrect hype about the project which may damage it’s chances of success if it isn’t checked. Specifically I’m talking about Assaf Arkin’s post CouchDB: Thinking beyond the RDBMS which seems chock full of incorrect assertions and misleading information.

Assaf writes

This day, it happens to be CouchDB. And CouchDB on first look seems like the future of database without the weight that is SQL and write consistency.

CouchDB is a document oriented database which is nothing new [although focusing on JSON instead of XML makes it buzzword compliant] and is definitely not a replacement/evolution of relational databases. In fact, the CouchDB folks assert as much in their overview document.

Document oriented database work well for semi-structured data where each item is mostly independent and is often processed or retrieved in isolation. This describes a large category of Web applications which are primarily about documents which may link to each other but aren’t processed or requested often based on those links (e.g. blog posts, email inboxes, RSS feeds, etc). However there are also lots of Web applications that are about managing heavily structured, highly interrelated data (e.g. sites that heavily utilize tagging or social networking) where the document-centric model doesn’t quite fit.

Here’s where it gets interesting. There are no indexes. So your first option is knowing the name of the document you want to retrieve. The second is referencing it from another document. And remember, it’s JSON in/JSON out, with REST access all around, so relative URLs and you’re fine.

But that still doesn’t explain the lack of indexes. CouchDB has something better. It calls them views, but in fact those are computed tables. Computed using JavaScript. So you feed (reminder: JSON over REST) it a set of functions, and you get a set of queries for computed results coming out of these functions.

Again, this is a claim that is refuted by the actual CouchDB documentation. There are indexes, otherwise the system would be ridiculously slow since you would have to run the function and evaluate every single document in the database each time you ran one of these views (i.e. the equivalent of a full table scan). Assaf probably meant to say that there aren’t any relational database style indexes but…it isn’t a relational database so that isn’t a useful distinction to make.

I’m personally convinced that write consistency is the reason RDBMS are imploding under their own weight. Features like referential integrity, constraints and atomic updates are really important in the client-server world, but irrelevant in a world of services.

You can do all of that in the service. And you can do better if you replace write consistency with read consistency, making allowances for asynchronous updates, and using functional programming in your code instead of delegating to SQL.

I read these two paragraph five or six times and they still seem like gibberish to me. Specifically, it seems silly to say that maintaining data consistency is important in the client-server world but irrelevant in the world of services. Secondly, “Read consistency” and “write consistency” are not an either-or choice. They are both techniques used by database management systems, like Oracle, to present a deterministic and consistent experience when modifying, retrieving and manipulating large amounts of data.

In the world of online services, people are very aware of the CAP conjecture and often choose availability over data consistency but it is a conscious decision. For example, it is more important for Amazon that their system is always available to users than it is that they never get an order wrong every once in a while. See Pat Helland’s (ex-Amazon architect) example of a how a business-centric approach to data consistency may shape one’s views from his post Memories, Guesses, and Apologies where he writes

#1 - The application has only a single replica and makes a "decision" to ship the widget on Wednesday. This "decision" is sent to the user.

#2 - The forklift pummels the widget to smithereens.

#3 - The application has no recourse but to apologize, informing the customer they can have another widget in one month (after the incoming shipment arrives).

#4 - Consider an alternate example with two replicas working independently. Replica-1 "decides" to ship the widget and sends that "decision" to User-1.

#5 - Independently, Replica-2 makes a "decision" to ship the last remaining widget to User-2.

#6 - Replica-2 informs Replica-1 of its "decision" to ship the last remaining widget to User-2.

#7 - Replica-1 realizes that they are in trouble... Bummer.

#8 - Replica-1 tells User-1 that he guessed wrong.

#9 - Note that the behavior experienced by the user in the first example is indistinguishable from the experience of user-1 in the second example.

Eventual Consistency and Crappy Computers

Business realities force apologies. To cope with these difficult realities, we need code and, frequently, we need human beings to apologize. It is essential that businesses have both code and people to manage these apologies.

…

We try too hard as an industry. Frequently, we build big and expensive datacenters and deploy big and expensive computers.

In many cases, comparable behavior can be achieved with a lot of crappy machines which cost less than the big expensive one.

The problem described by Pat isn’t a failure of relational databases vs. document oriented ones as Assaf’s implication would have us believe. It is the business reality that availability is more important than data consistency for certain classes of applications. A lot of the culture and technologies of the relational database world are about preserving data consistency [which is a good thing because I don’t want money going missing from my bank account because someone thought the importance of write consistency is overstated] while the culture around Web applications is about reaching scale cheaply while maintaining high availability in situations where the occurence of data loss is unfortunate but not catastrophic (e.g. lost blog comments, mistagged photos, undelivered friend requests, etc).

Even then most large scale Web applications that don’t utilize the relational database features that are meant to enforce data consistency (triggers, foreign keys, transactions, etc) still end up rolling their own app-specific solutions to handle data consistency problems. However since these are tailored to their application they are more performant than generic features which may exist in a relational database.

For further reading, see an Overview of the Flickr Architecture.

Now playing: Raekwon - Guillotine (Swordz) (feat. Ghostface Killah, Inspectah Deck & GZA/Genius)

Categories: Platforms | Web Development

September 12, 2007

@ 04:00 AM

OAuth: Standardizing Authentication and Authorization for Web APIs

I attended the Data Sharing Summit last Friday and it was definitely the best value (with regards to time and money invested) that I've ever gotten out of a conference. You can get an overview of that day’s activities in Marc Canter’s post Live blogging from the DataSharingSummit. I won’t bother with a summary of my impressions of the day since Marc’s post does a good job of capturing the various topics and ideas that were discussed.

What I will discuss is a technology initiative called OAuth which is being cooked up by the Web platform folks at Yahoo!, Google, Six Apart, Pownce, Twitter and a couple of other startups.

It all started when Leah Culver was showing off the profile aggregation feature of Pownce on her Pownce profile. If you look at the bottom left of that page, you’ll notice that it links to her profiles on Digg, Facebook, Upcoming, Twitter as well as her weblog. Being the paranoid sort, I asked whether she wasn’t worried that her users could fall victim to imposters such as this fake profile of Robert Scoble? She replied that her users should be savvy enough to realize that just because there are links to profiles in a side bar doesn’t prove that the user is actually that person. She likened the feature to blog *bling* as opposed to something that should be taken seriously.

I pressed further and asked whether she didn’t think that it would be interesting if a user of Pownce could prove their identity on Twitter via OpenID (see my proposal for social network interoperability based on OpenID for details) and then she could use the Twitter API to post a user’s content from Pownce onto Twitter and show their Twitter “tweets” within Pownce. This would get rid of all the discussions about having to choose between Pownce and Twitter because of your friends or even worse using both because your social circle spans both services. It should be less about building walled gardens and more about increasing the size of the entire market for everyone via interoperability. Leah pointed out something I’d overlooked. OpenID gives you a way to answer the question “Is leahculver @ Pownce also leahculver @ Twitter?” but it doesn’t tell you how Pownce can then use this information to perform actions on Leah’s behalf on Twitter. Duh. I had implicitly assumed that whatever authentication ticket returned from the OpenID validation request could be used as an authorization ticket when calling the OpenID provider’s API, but there’s nothing that actually says this has to be the case in any of the specs.

Not only was none of this thinking new to Leah, she informed me that she had been working with folks from Yahoo!, Google, Six Apart, Twitter, and other companies on a technology specification called OAuth. The purpose of which was to solve the problem I had just highlighted. There is no spec draft on the official site at the current time but you can read version 0.9 of the specification. The introduction of the specification reads

The OAuth protocol enables interaction between a Web Service Provider(SP) and Consumer website or application. An example use case would be allowing Moo.com, the OAuth Consumer, to access private photos stored on Flickr.com, the OAuth Service Provider. This allows access to protected resources (Protected Resources) via an API without requiring the User to provide their Flickr.com (Service Provider) credentials to Moo.com (Consumer). More generically, OAuth creates a freely implementable and generic methodology for API authentication creating benefit to developers wishing to have their Consumer interact with various Service Providers.

While OAuth does not require a certain form of user interface or interaction with a User, recommendations and emerging best practices are described below. OAuth does not specify how the Service Provider should authenticate the User which makes the protocol ideal in cases where authentication credentials are not available to the Consumer, such as with OpenID.

This is an interesting example of collaboration between competitors in the software industry and a giant step towards actual interoperability between social networking sites and social graph applications as opposed to mere social network portability.

The goal of a OAuth is to move from a world where sites collect users credentials (i.e. username/passwords) for other Web sites so they can screen scrape the user’s information to one where users authorize Web sites and applications to act on their behalf on the target sites in a way that puts the user in control and doesn’t require giving up their usernames and passwords to potentially untrustworthy sites (Quechup flavored spam anyone?). The way it does so is by standardizing the following interaction/usage flow

Pre-Authentication

The Consumer Developer obtains a Consumer Key and a Consumer Secret from the Service Provider.

Authentication

The Consumer attempts to obtain a Multi-Use Token and Secret on behalf of the end user.

Web-based Consumers redirect the User to the Authorization Endpoint URL.

Desktop-based Consumers first obtain a Single-Use Token by making a request to the API Endpoint URL then direct the User to the Authorization Endpoint URL.

If a Service Provider is expecting Consumer that run on mobile devices or set top boxes, the Service Provider should ensure that the Authorization Endpoint URL and the Single Use Token are short and simple enough to remember for entry into a web browser.

The User authenticates with the Service Provider.

The User grants or declines permission for the Service Provider to give the Consumer a Multi-Use Token.

The Service Provider provides a Multi-Use Token and Multi-Use Token Secret or indicates that the User declined to authorize the Consumer’s request.

For Web-based Consumers, the Service Provider redirects to a pre-established Callback Endpoint URL with the Single Use Token and Single-Use Authentication Secret as arguments.

Mobile and Set Top box clients wait for the User to enter their Single-Use Token and Single-Use Secret.

Desktop-based Consumers wait for the User to assert that Authorization has completed.

The Consumer exchanges the Single-Use Token and Secret for a Multi-User Token and Secret.

The Consumer uses the Multi-Use Token, Multi-Use Secret, Consumer Key, and Consumer Secret to make authenticated requests to the Service Provider.

This standardizes the kind of user-centric API model that is utilized by Web services such as the Windows Live Contacts API, Google AuthSub and the Flickr API to authenticate and authorize applications to access a user’s data. I suspect that the reason OAuth does not mandate a particular authentication mechanism is as a way to grandfather in the various authentication mechanisms used by all of these APIs today. It’s one thing to ask vendors to add new parameters and return types to the information exchanged during user authentication between Web sites and another to request that they completely replace one authentication technology with another.

I’d love to see us get behind an effort like this at Windows Live*. I’m not really sure if there is an open way to participate. There seems to be a Google Group but it is private and all the members seem to be folks that know each other personally. I guess I’ll have to shoot some mail to the folks I met at the Data Sharing Summit or maybe one of them will see this post and will respond in the comments.

PS: More details about OAuth can be found in the blog post by Eran Hammer-Lahav entitled Explaining OAuth.

*Disclaimer: This does not represent the intentions, strategies, wishes or product direction of my employer. It is merely wishful thinking on my part.

Now playing: Sean Kingston - Beautiful Girls (remix) (feat. Fabolous & Lil Boosie)

Categories: Social Software | Web Development | XML Web Services

August 24, 2007

@ 06:44 PM

Microformats are not an API

Recently, my status message on Facebook was I'm now convinced microformats are a stupid idea. Shortly afterwards I got a private message from Scott Beaudreau asking me to clarify my statement. On reflection, I realize that what I find stupid is when people suggest using microformats and screen scraping techiques instead of utilizing an API when the situation calls for one. For example, the social network portability proposal on the microformats wiki states

The "How To" for social network profile sites that want to solve the above problems and achieve the above goals.

Publish microformats in your user profiles:

implement hCard on user profile pages. See hcard-supporting-profiles for sites that have already done this.

implement hCard+XFN on the list of friends on your user profile pages. See hcard-xfn-supporting-friends-lists for sites that already do this. (e.g. [Twitter (http://twitter.com/)]).

Subscribe to microformats for your user profiles:

when signing up a new user:

let a user fill out and "auto-sync" from one of their existing hcard-supporting-profiles, their name, their icon etc. Satisfaction Inc already supports this. (http://microformats.org/blog/2007/06/21/microformatsorg-turns-2/)

let a user fill out and "auto-sync" their list of friends from one of their existing hCard+XFN supporting friends lists. Dopplr.com already supports this.

It boggles my mind to see the suggestion that applications should poll HTML pages to do data synchronization instead of utilizing an API. Instead of calling friends.get, why don't we just grab the entire friends page then parse out the handful of useful data that we actually need.

There are a number of places microformats are a good fit, especially in situations where the client application has to parse the entire HTML document anyway. Examples include using hCard to enable features like Live Clipboard or using hReview and hCalendar to help microformat search engines. However using them as a replacement for an API or an RSS feed is like using boxing gloves instead of oven mitts when baking a pie.

If all you have is a hammer, everything looks like a nail.

Now playing: D12 - American Psycho II (feat. B-Real)

Categories: Web Development | XML Web Services

August 17, 2007

@ 12:36 AM

Version 1.0 of Windows Live ID(Web Authentication) SDK Shipped

If you go to http://dev.live.com/liveid you’ll see links to Windows Live ID for Web Authentication and Client Authentication which enable developers to build Web or desktop applications that can be used to authenticate users via Windows Live ID. The desktop SDK are still in alpha but the Web APIs have hit v1. You can get the details from the Windows Live ID team blog post entitled Windows Live ID Web Authentication SDK for Developers Is Released which states

Windows Live ID Web Authentication allows sites who want to integrate with the Windows Live services and platform. We are releasing a set of tools that make this integration easier than ever.

Web Authentication works by sending your users to the Windows Live ID sign-in page by means of a specially formatted link. The service then directs them back to your Web site along with a unique, site-specific identifier that you can use to manage personalized content, assign user rights, and perform other tasks for the authenticated user. Sign-in and account management is performed by Windows Live ID, so you don't have to worry about implementing these details.

Included with the Web Authentication software development kit (SDK) are QuickStart sample applications in the ASP.NET, Java, Perl, PHP, Python, and Ruby programming languages. You can get the sample applications for this SDK from the Web Authentication download page>on Microsoft.com.

As one of the folks who's been championing opening up our authentication platform to Web developers, this is good news. I'm not particularly sold on using Windows Live ID as a single sign-on instead of sites managing their own identities but I do think that now that we allow non-Microsoft applications (e.g. mashups, widgets, etc) to act on behalf of Windows Live users via this SDK, there'll be a burst of new APIs coming out of Windows Live that will allow developers build applications that manipulate a user's data stored within Windows Live services.

Opening up our platform will definitely be good for users and will be good for the Web as well. Kudos, to the Windows Live ID folks for getting this out.

Now playing: Nappy Roots - Po' Folks

Categories: Web Development | Windows Live

August 3, 2007

@ 11:33 PM

Comments [12]

When Not to Normalize your SQL Database

Database normalization is a formal process of designing your database to eliminate redundant data, utilize space efficiently and reduce update errors. Anyone who has ever taken a database class has it drummed into their heads that a normalized database is the only way to go. This is true for the most part . However there are certain scenarios where the benefits of database normalization are outweighed by its costs. Two of these scenarios are described below.

Immutable Data and Append-Only Scenarios

Pat Helland, an enterprise architect at Microsoft who just rejoined the company after a two year stint at Amazon, has a blog post entitled Normalization is for Sissies where he presents his slides from an internal Microsoft gathering on database topics. In his presentation, Pat argues that database normalization is unnecessary in situations where we are storing immutable data such as financial transactions or a particular day's price list.

When Multiple Joins are Needed to Produce a Commonly Accessed View

The biggest problem with normalization is that you end up with multiple tables representing what is conceptually a single item. For example, consider this normalized set of tables which represent a user profile on a typical social networking site.

user table
user_id	first_name	last_name	sex	hometown	relationship_status	interested_in	religious_views	political_views
12345	John	Doe	Male	Atlanta, GA	married	women	(null)	(null)

user_affiliations table
user_id (foreign_key)	affiliation_id (foreign key)
12345	42
12345	598

affiliations table
affiliation_id	description	member_count
42	Microsoft	18,656
598	Georgia Tech	23,488

user_phone_numbers table
user_id (foreign_key)	phone_number	phone_type
12345	425-555-1203	Home
12345	425-555-6161	Work
12345	206-555-0932	Cell

user_screen_names table
user_id (foreign_key)	screen_name	im_service
12345	geeknproud@example.com	AIM
12345	voip4life@example.org	Skype

user_work_history table
user_id (foreign_key)	company_affiliation_id (foreign key)	company_name	job_title
12345	42	Microsoft	Program Manager
12345	78	i2 Technologies	Quality Assurance Engineer

This is the kind of information you see on the average profile on Facebook. With the above design, it takes six SQL Join operations to access and display the information about a single user. This makes rendering the profile page a fairly database intensive operation which is compounded by the fact that profile pages are the most popular pages on social networking sites.

The simplest way to fix this problem is to denormalize the database. Instead of having tables for the user’s affiliations, phone numbers, IM addresses and so on, we can just place them in the user table as columns. The drawback with this approach is that there is now more wasted space (e.g. lots of college students people will have null for their work_phone) and perhaps some redundant information (e.g. if we copy over the description of each affiliation into an affiliation_name column for each user to prevent having to do a join with the affiliations table). However given the very low costs of storage versus the improved performance characteristics of querying a single table and not having to deal with SQL statements that operate across six tables for every operation. This is a small price to pay.

As Joe Gregorio mentions in his blog post about the emergence of megadata, a lot of the large Web companies such as Google, eBay and Amazon are heavily into denormalizing their databases as well as eschewing transactions when updating these databases to improve their scalability.

Maybe normalization is for sissies…

UPDATE: Someone pointed out in the comments that denormalizing the affiliations table into user's table would mean the member_count would have to updated in thousands of user's rows when a new member was added to the group. This is obviously not the intent of denormalization for performance reasons since it replaces a bad problem with a worse one. Since an affiliation is a distinct concept from a user, it makes sense for it to have it's own table. Replicating the names of the groups a user is affiliated with in the user table is a good performance optimization although it does mean that the name has to be fixed up in thousands of tables if it ever changes. Since this is likely to happen very rarely, this is probably acceptable especially if we schedule renames to be done by a cron job during offpeak ours On the other hand, replicating the member count is just asking for trouble.

UPDATE 2: Lots of great comments here and on reddit indicate that I should have put more context around this post. Database denormalization is the kind of performance optimization that should be carried out as a last resort after trying things like creating database indexes, using SQL views and implementing application specific in-memory caching. However if you hit massive scale and are dealing with millions of queries a day across hundreds of millions to billions of records or have decided to go with database partitioning/sharding then you will likely end up resorting to denormalization. A real-world example of this is the Flickr database back-end whose details are described in Tim O'Reilly's Database War Stories #3: Flickr which contains the following quotes

tags are an interesting one. lots of the 'web 2.0' feature set doesn't fit well with traditional normalised db schema design. denormalization (or heavy caching) is the only way to generate a tag cloud in milliseconds for hundereds of millions of tags. you can cache stuff that's slow to generate, but if it's so expensive to generate that you can't ever regenerate that view without pegging a whole database server then it's not going to work (or you need dedicated servers to generate those views - some of our data views are calculated offline by dedicated processing clusters which save the results into mysql).

federating data also means denormalization is necessary - if we cut up data by user, where do we store data which relates to two users (such as a comment by one user on another user's photo). if we want to fetch it in the context of both user's, then we need to store it in both shards, or scan every shard for one of the views (which doesn't scale). we store alot of data twice, but then theres the issue of it going out of sync. we can avoid this to some extent with two-step transactions (open transaction 1, write commands, open transaction 2, write commands, commit 1st transaction if all is well, commit 2nd transaction if 1st commited) but there still a chance for failure when a box goes down during the 1st commit.

we need new tools to check data consistency across multiple shards, move data around shards and so on - a lot of the flickr code infrastructure deals with ensuring data is consistent and well balanced and finding and repairing it when it's not."

The part highlighted in red is also important to consider. Denormalization means that you you are now likely to deal with data inconsistencies because you are storing redundant copies of data and may not be able to update all copies of a column value simultaneously when it is changed for a variety of reasons. Having tools in your infrastructure to support fixing up data of this sort then become very important.

Now playing: Bow Wow - Outta My System (feat. T-Pain)

Categories: Web Development

July 20, 2007

@ 01:44 AM

Comments [22]

Django or Rails, Ruby or Python?

I'm continuing along with my plan to build an application on the Facebook platform. So far I've made a couple of decisions about the technology I'll use. So far I’ve decided

The application will be built on Amazon's Simple Storage Service (S3) and Elastic Compute Cloud (EC2) services for two reasons. The first is that it seems to be the cheapest solution out there for application hosting which can deal with large swings of traffic (if necessary). The second is that I’d like to learn about Amazon’s hosting platform and there’s no better way to learn than actually writing code.
The application will be built on the LAMP stack because it seems there are a lot more high quality, cheap or free tools for building online services available for that platform than the WISC platform.
It will use a Web application development framework that enables rapid Web development which is designed for the Web as opposed to having some HTTP related features being bolted on.
I will also use this opportunity to meet my new year's resolution of learning a dynamic programming language which is significantly different from the languages I'm most familiar with (i.e. C#, Java, Javascript).

From looking around the Web, it seems there are two language/web framework combinations that can fit the bill; Django which uses the Python programming language and Rails which uses the Ruby programming language. I haven’t done much investigation yet but so far it seems I’m leaning towards Python/Django for a number of reason

There doesn’t seem to be a tutorial as comprehensive as Dive Into Python for Ruby.
It’ll be easier to transfer Python programming skills to development with the .NET Framework since IronPython is now quite mature while IronRuby doesn’t seem to have gotten out of the prototype phase.
I've read a lot of rants on the Web that indicate that Rails treats referential integrity within the database (i.e. foreign keys) as a second class citizen. See posts like I gave up on referential integrity, Are Foreign Keys Worth Your Time? and Rails' Ridiculous Restrictions, a Rant. On the other hand, Django seems to have built-in support for foreign keys.

I understand these aren’t the only criteria one should use when comparing Web application frameworks and there is a good rundown in Sam Newman's A comparison of Django with Rails. However these are the criteria that are important to me and it looks like it’s Python and Django for me. Unless someone out there has any other points I failed to consider?

Now playing: Shop Boyz - Party Like A Rockstar

Categories: Web Development

July 13, 2007

@ 04:18 AM

Google Base Data API vs. Astoria: Two Approaches to SQL-like Queries in a RESTful Protocol

I should probably start out by pointing out that the title of this post is a lie. By definition, RESTful protocols can not be truly SQL-like because they depend on Uniform Resource Identifiers (URIs aka URLs) for identifying resources. URIs on the Web are really just URLs and URLs are really just hierarchical paths to a particular resource similar to the paths on your local file system (e.g. /users/mark/bobapples, A:\Temp\car.jpeg). Fundamentally URIs identify a single resource or aset of resources. On the other hand, SQL is primarily about dealing with relational data which meansyou write queries that span multiple tables (i.e. resources). A syntax for addressing single resources (i.e. URLs/URIs) is fundamentally incompatible with a query language that operates over multiple resources. This was one ofthe primary reasons the W3C created XQuery even though we already had XPath.

That said, being able to perform sorting, filtering, and aggregate operations over a single set of resources via a URI is extremely useful and is a fundamental aspect of the Web today. As Sam Ruby points out in his blog post Etymology, a search results page is fundamentally RESTful even though its URI identifies a query as opposed to a specific resource or set of resources [although you could get meta and say it identifies the set of resources that meet your search criteria].

Both Google's Google Base data API and Microsoft's Project Astoria are RESTful protocols for performing sorting, filtering and aggregate operations similar to what you find in SQL over a hierarchical set of resources. What follows is an overview of the approaches taken by both protocols.

Filtering Results using Predicates (include supported operators and Google's full text option)

Although Astoria provides an abstraction over relational data, it does so in a way that supports the hierarchical nature of HTTP URIs. The primary resource also known as an entity set is placed at the root of the hierarchy (e.g. the set of allmy customers) and each relationship to another set of resources is treated as anotherlevel in the hierarchy (e.g. each customer's orders). Each step in the hierarchy can be filtered using a predicate. Below are some query URLs and the results they return

Query: http://astoria.sandbox.live.com/encarta/encarta.rse/Areas
Results: All content areas in the Encarta online encyclopedia
Query: http://astoria.sandbox.live.com/encarta/encarta.rse/Areas[name eq 'Geography']
Results: The content area whose name is 'Geography'
Query: http://astoria.sandbox.live.com/encarta/encarta.rse/Areas[name eq 'Geography']/Articles
Results: All articles for the content area whose name is 'Geography'
Query: http://astoria.sandbox.live.com/encarta/encarta.rse/Areas[name eq 'Geography']/Articles[Title eq 'Zimbabwe']
Results: The article with the title 'Zimbabwe' from the 'Geography' content area
Query: http://astoria.sandbox.live.com/encarta/encarta.rse/Areas[name eq 'Geography']/Articles[761569370]
Results: The article from the 'Geography' content area with the ID 761569370.

Query: http://astoria.sandbox.live.com/northwind/northwind.rse/Customers[City eq 'London']/Orders[Freight gteq 100]
Results: All orders shipped to customers from the city of London who paid $100 or more in freight charges

Google Base does not treat the data within it as a hierarchy. Instead filters/predicates can be applied to one of two Atom feeds; http://www.google.com/base/feeds/snippets and http://www.google.com/base/feeds/items which represent all the items within Google Base and all the items a specific user has stored within Google Base respectively. The latter URL requires the HTTP request to be authenticated.

The first way one can filter results from a Google Base feed is by placing one or more categories as part of the path component. For example

Query: http://www.google.com/base/feeds/snippets/-/hotels
Results: All items from the 'hotels' category within Google Base

Query: http://www.google.com/base/feeds/snippets/-/jobs|personals
Results: All items from the 'jobs' or the 'personals' category within Google Base

Query: http://www.google.com/base/feeds/snippets/-/-recipes
Results: All items in Google Base except those from the 'recipes' category

The second way is to filter results in a Google Base feed is by performing a full text query using the q query parameter. For example,

Query: http://www.google.com/base/feeds/snippets?q=atlanta
Results: All items within Google Base that contain the string 'atlanta' in one of their fields

Query: http://www.google.com/base/feeds/snippets/-/hotels?q=atlanta
Results: All items from the 'hotels' category within Google Base that contain the string 'atlanta' in any of their fields

Query: http://www.google.com/base/feeds/snippets/-/hotels|housing?q=seattle|atlanta
Results: All items from the 'hotels' or 'housing' categories within Google Base that contain the string 'seattle' or 'atlanta' in any of their fields

Query: http://www.google.com/base/feeds/snippets/-/hotels?q=washington+-dc
Results: All items from the 'hotels' category within Google Base that contain the string 'washington' but not the string 'dc'

The final way to filter results from Google Base feed is by applying a predicate on a field of the item using the bq query parameter. For example

Query: http://www.google.com/base/feeds/snippets/-/hotels?bq=[location:seattle]
Results: All items from the 'hotels' category that have 'seattle' in their location field

Query: http://www.google.com/base/feeds/snippets/-/hotels?bq=[location:seattle]&q=ramada
Results: All items from the 'hotels' category that have 'seattle' in their location field and 'ramada' in any of their other fields

Query: http://www.google.com/base/feeds/snippets/-/-hotels?bq=[location:@"1 Microsoft Way, Redmond, WA, USA" + 5mi]
Results: All items from the 'hotels' category whose location is within 5 miles of "1 Microsoft Way, Redmond, WA, USA"

Query: http://www.google.com/base/feeds/snippets/-/products?q=zune&bq=[price(float USD)>=250.0 USD]
Results: All items from the 'products' category whose price is greater than $250.00 and have 'zune' in one of their fields

Supported Datatypes, Operators and Functions

As can be seen from the previous examples, both the Google Base data API and Astoria support operations on fields searching for string matches. Astoria supports the major SQL datatypes, a list of which can be obtained from the table describing the System.Data.SqlTypes namespace in the .NET Frameworks. The operations that can be performed on the various fields of an entity are the following comparisons

Operator	Description
eq	Equal
ne	Not equal
gt	Greater than
gteq	Greater than or equal
lt	Less than
lteq	Less than or equal

The list of datatypes supported by Google Base is provided in the Google Base data API documentation topic on Attribute Types. In addition to the comparison operators supported by Astoria, the Google Base data API also supports

Operator	Description
@"..." + Xmi	Convert string in quotes to a geocoded location and match anything that is within a radius of X miles/kilometers/meters around it depending on the unit of distance specified
name(type):X..Y	Test whether the value of the named attribute [and optional type] falls between X and Y (e.g. [event date range:2007-05-20..2007-05-25] matches all events which fall between both dates)
date-range << date-range	Test if the date on the right hand side is a subset of the date range on the left hand side
if boolean-expression then expression else expression	Works like an if...else statement in every programming language you've ever used.

In addition to these operators, it turns out that the Google Base data API also support a full blown expression language for use within predicates. This includes a library of over 20 functions from math functions like sin and cos to aggregation functions like sum and count as well as more esoteric functions like dist, exists and join. Below are some queries which use these operators and functions in action

Query: http://www.google.com/base/feeds/snippets?q=sale&bq=[item type:vehicles][location(location)]
&orderby=[x=location(location):neg(min(dist(x,@'Seattle,WA')))]
Results: All vehicles whose listing contain the text 'sale' and orders results by those that are geographically closest to the city of Seattle, WA

Query: http://www.google.com/base/feeds/snippets/-/events?bq=[event date range:2007-05-20..2007-05-25]
Results: All events that fall between May 20th 2007 and May 25th 2007

Sorting

Sorting query results is often necessary when working with large amounts of data. Both Google Base data API and Astoria provide a way to indicate that the results should be sorted based on one or more fields. In Astoria, sorting is done using the $orderby query parameter. For example,

Query: http://astoria.sandbox.live.com/encarta/encarta.rse/Areas?$orderby=Name
Results: All areas in the Encarta encyclopedia sorted alphabetically by their Name

Query: http://astoria.sandbox.live.com/northwind/northwind.rse/Orders?$orderby=OrderDate desc
Results: All customer orders sorted in descending order by order date

Query: http://astoria.sandbox.live.com/northwind/northwind.rse/Orders?$orderby=RequiredDate,Freight
Results: All customer orders sorted by the required date and the cost of freight

The Google Base data API uses the orderby and sortorder query parameters to control sorting and sort order respectively. Examples are shown below

Query: http://www.google.com/base/feeds/snippets/-/jobs?q=program+manager&orderby=salary(int)
Results: All job listings containing the string 'program manager' sorted by the salary field

Query: http://www.google.com/base/feeds/snippets?q=sale&bq=[item type:vehicles][location(location)]
&orderby=[x=location(location):neg(min(dist(x,@'Cupertino,CA')))]
Results: All vehicles whose listing contain the text 'sale' and orders results by those that are geographically closest to the city of Seattle, WA

Query: http://www.google.com/base/feeds/snippets/-/housing?bq=[location:@"1 Microsoft Way, Redmond, WA, USA" + 5mi]&orderby=[x=bedrooms(int): if exists(x) then max(x) else 0]
Results: All items within the 'housing' category that are within 5 miles of Microsoft's headquarters sorted by number of bedrooms. For items that don't have a bedrooms element use the value 0 when sorting

Paging

When dealing with large numbers of items, it often isn't feasible to return all of them in a single XML document for a variety of reasons. Both the Google Base data API and Astoria provide mechanisms to retrieve results as multiple "pages".

In Astoria, this is done using a combination of the top and skip query parameters which indicate the number of items to return and what item to start the list from respectively. Examples below

Query: http://astoria.sandbox.live.com/encarta/encarta.rse/Areas?$orderby=Name&$top=3
Results: All areas in the Encarta encyclopedia sorted alphabetically by their Name, restricted to only showing 3 items per page

Query: http://astoria.sandbox.live.com/encarta/encarta.rse/Areas?$orderby=Name&$top=3&$skip=1
Results: All areas in the Encarta encyclopedia sorted alphabetically by their Name starting from the second item, restricted to only showing 3 items per page

The Google Base data API uses the max-results and start-index query parameters to indicate the number of items to return and what item to start the list from respectively. The default value of max-results is 25 while its maximum value is 250. The total number of results is emitted in the returned feed as the element openSearch:totalResults. Examples below

Query: http://www.google.com/base/feeds/snippets/-/hotels?bq=[location:seattle]&max-results=10
Results: All hotels within the seattle area, restricted to 10 results per page

Query: http://www.google.com/base/feeds/snippets/-/hotels?bq=[location:seattle]&max-results=50&start-index=100
Results: All hotels within the seattle area, restricted to 50 results per page starting from the hundredth result

Astoria Specific Features

Using links within items the describe relationships is a core aspect of a RESTful protocol and is utilized by Astoria to show the foreign key relationships between rows/entities in the data base. However it can be cumbersome to have to make multiple requests and follow every link to get all the content related to an item. For this reason, Astoria includes the $expand query parameter which automatically follows the links and retrieves the XML inline. Compare the following queries

Query: http://astoria.sandbox.live.com/encarta/encarta.rse/Areas[Name eq 'History']/Articles[Title eq 'Civil War, American']
Results: The encyclopedia article on the American Civil War which has links to its Area, ArticleBody, Notes and RelatedArticles

Query: http://astoria.sandbox.live.com/encarta/encarta.rse/Areas[Name eq 'History']/Articles[Title eq 'Civil War, American']?$expand=ArticleBody,Notes,RelatedArticles
Results: The encyclopedia article on the American Civil War with its Area, ArticleBody and Notes shown inline as XML elements

GData Specific Features

Google Base has a notion of adjusted query results. When this feature is enabled, Google Base will automatically use spelling correction, stemming and other tricks to try and match results. For example, if you perform a search for the value "female" in the gender field of an item, the query adjustment engine will know to also match the value "f" in the gender field of any corresponding items. The query adjustment engine applies its heuristics on queries for field names, field values and item categories. The documentation is contradictory as to whether this feature is enabled by default or has to be specifically enabled by the user of the API.

Another interesting feature, is that the Google Base data API allows one to filter out repetitive results using a feature called "crowding". With this feature, limits can be placed on how many results that match a certain criteria should be returned. See the following examples for details

Query: http://www.google.com/base/feeds/snippets/-/restaurants?crowdby=cuisine(text):2
Results: Return all restuarants stored within Google Base but show no more than 2 per cusine type

NOTE: I actually couldn't get this feature to work using either the example queries from the documentation or queries I constructed. It is quite possible that this feature doesn't work but is so esoteric that no one has noticed.

Conclusion

In comparing both approaches there is a lot to like and dislike. I like the "expand" feature in Astoria as well as the fact that I can retrieve XML results from multiple paths of the hierarchy. However there does seem to be a paucity of operators and functions for better filtering of results.

From the Google Base data API, I love the "crowd" feature and having a full library of functions for performing tests within predicates. Also some of the operators such as the ones for finding results near a certain location are quite impressive although unnecessary for the majority of RESTful protocols out there. That said, I do think they went overboard on some of the features such as having if...else blocks within the URIs. I suspect that some of that complexity wouldn't have been needed if they just had hierarchies instead of a flat namespace that requires complex filtering to get anything out of it.

Categories: Web Development | XML Web Services

July 5, 2007

@ 03:15 AM

ASP.NET Caching vs. memcached: Seeking Efficient Data Partitioning, Lookup, and Retrieval

In my previous post, I mentioned that I'm in the early stages of building an application on the Facebook platform. I haven't yet decided on an application but for now, let's assume that it is a Favorite Comic Books application which allows me to store my favorite comic books and shows me to most popular comic books among my friends.

After investigating using Amazon's EC2 + S3 to build my application I've decided that I'm better off using a traditional hosting solution running either a on the LAMP or WISC platform. One of the things I've been looking at is which platform has better support for providing an in-memory caching solution that works well in the context of a Web farm (i.e. multiple Web servers) out of the box. While working on the platforms behind several high traffic Windows Live services I've learned that you should be prepared for dealing with scalability issues and caching is one of the best ways to get bang for the buck when improving the scalability of your service.

I recently discovered memcached which is a distributed, object caching system originally developed by Brad Fitzpatrick of LiveJournal fame. You can think of memcached as a giant hash table that can run on multiple servers which automatically handles maintaining the balance of objects hashed to each server and transparently fetches/removes objects from over the network if they aren't on the same machine that is accessing an object in the hash table. Although this sounds fairly simple, there is a lot of grunt work in building a distributed object cache which handles data partitioning across multiple servers and hides the distributed nature of the application from the developer. memcached is a well integrated into the typical LAMP stack and is used by a surprising number of high traffic websites including Slashdot, Facebook, Digg, Flickr and Wikipedia. Below is what C# code that utilizes memcached would look like sans exception handling code

public ArrayList GetFriends(int user_id){

    ArrayList friends = (ArrayList) myCache.Get("friendslist:" + userid);

    if(friends == null){
        // Open the connection
        dbConnection.Open();

        SqlCommand cmd = new SqlCommand("select friend_id from friends_list where owner_id=" + "user_id", dbConnection);

        SqlDataReader reader = cmd.ExecuteReader();

      // Add each friend ID to the list
        while (reader.Read()){
            friends.Add(rdr[0]);
        }
	reader.Close();
        dbConnection.Close();                             
        myCache.Set("friendslist:" + userid, friends);
    }

    return friends;
}

public void AddFriend(int user_id, int new_friends_id){

    // Open the connection
    dbConnection.Open();
    SqlCommand cmd = new SqlCommand("insert into friends_list (owner_id, friend_id) values (" + user_id + "," + new_friend_id ")";
    cmd.ExecuteNonQuery();
    //remove key from cache since friends list has been updated
    myCache.Delete("friendslist:" + userid);

    dbConnection .Close();
}

The benefits of the using of the cache should be pretty obvious. I no longer need to hit the database after the first request to retrieve the user's friend list which means faster performance in servicing the request and less I/O. The memcached automatically handles purging items out of the cache when it hits the size limit and also deciding which cache servers should hold individual key<->value pairs.

I hang with a number of Web developers on the WISC platform and I don't think I've ever heard anyone mention memcached or anything like it.In fact I couldn't find a mention of it on Microsoft employee blogs, ASP.NET developer blogs or on MSDN. So I wondered what the average WISC developer uses as their in-memory caching solution.

After looking around a bit, I came to the conclusion that most WISC developers use the built-in ASP.NET caching features. ASP.NET provides a number of in-memory caching features including a Cache class which provides a similar API to memcached, page directives for caching portions of the page or the entire page and the ability to create dependencies between cached objects and the files or database tables/rows that they were populated from via the CacheDependency and SqlCacheDependency classes. Although some of these features are also available in various Open Source web development frameworks such as Ruby on Rails + memcached, none give as much functionality out of the box as ASP.NET or so it seems.

Below is what the code for the GetFriends and AddFriend methods would look like using the built-in ASP.NET caching features

public ArrayList GetFriends(int user_id){

    ArrayList friends = (ArrayList) Cache.Get("friendslist:" + userid);

    if(friends == null){
        // Open the connection
        dbConnection.Open();

        SqlCommand cmd = new SqlCommand("select friend_id from friends_list where owner_id=" + "user_id", dbConnection);

        SqlCacheDependency dependency = new SqlCacheDependency(cmd);
        SqlDataReader reader = cmd.ExecuteReader();

        // Add each friend ID to the list
        while (reader.Read()){
            friends.Add(rdr[0]);
        }

        reader.Close();
        dbConnection.Close();

        //insert friends list into cache with associated dependency
        Cache.Insert("friendslist:" + userid, friends, dependency);
    }
    return friends;
}

public void AddFriend(int user_id, int new_friends_id){
    // Open the connection
    dbConnection.Open();

    SqlCommand cmd = new SqlCommand("insert into friends_list (owner_id, friend_id) values (" + user_id + "," + new_friend_id ")";
    cmd.ExecuteNonQuery();

    /* no need to remove from cache because SqlCacheDependency takes care of that automatically */
    // Cache.Remove("friendslist:" + userid);

    dbConnection .Close();
}

Using the SqlCacheDependency class gets around a significant limitation of the ASP.NET Cache class. Specifically, the cache is not distributed. This means that if you have multiple Web front ends, you'd have to write your own code to handle partitioning data and invalidating caches across your various Web server instances. In fact, there are numerous articles showing how to implement such a solution including Synchronizing the ASP.NET Cache across AppDomains and Web Farms by Peter Bromberg and Use Data Caching Techniques to Boost Performance and Ensure Synchronization by David Burgett.

However, let's consider how how SqlCacheDependency is implemented. If you are using SQL Server 7 or SQL Server 2000, then your ASP.NET process polls the database at regular intervals to determine whether the target(s) of the original query have changed. For SQL Server 2005, the database can be configured to send change notifications to the Web servers if the target(s) of the original query change. Either way, the database is doing work to determine if the data has changed. Compared to the memcached this still doesn't seem as efficient as we can get if we want to eke out every last out of performance out of the system although it does lead to simpler code.

If you are a developer on the WISC platform and are concerned about getting the best performance out of your Web site, you should take a look at memcached for Win32. The most highly trafficked site on the WISC platform is probably MySpace and in articles about how they are platform works such as Inside MySpace.com they extol the virtues of moving work out of the database and relying on cache servers.

Categories: Platforms | Programming | Web Development

July 4, 2007

@ 08:30 PM

Comments [16]

Amazon EC2 + S3 Doesn't Cut it for Real Applications

In my efforts to learn more about Web development and what it is like for startups adopting Web platforms I've decided to build an application on the Facebook platform. I haven't yet decided on an application but for the sake of argument let's say it is a Favorite Comic Books application which allows me to store my favorite comic books and shows me to most popular comic books among my friends.

The platform requirements for the application seems pretty straightforward. I'll need a database and some RESTful Web services which provide access to the database from the widget which can be written in my language of choice. I'll also need to write the widget in FBML which will likely mean I'll have to host images and CSS files as well. So far nothing seems particularly esoteric.

Since I didn't want my little experiment eventually costing me a lot of money, I thought this was an excellent time to try out Amazon's Simple Storage Service (S3) and Elastic Compute Cloud (EC2) services since I'll only pay for as much resources as I use instead of paying a flat hosting fee..

However it seems supporting this fairly straightforward application is beyond the current capabilities of EC2 + S3. S3 is primarily geared towards file storage so although it makes a good choice for cheaply hosting images and CSS stylesheets, it's a not a good choice for storing relational or structured data. If it was just searching within a single user's data ( e.g. just searching within my favorite comics) I could store it all in single XML file then use XPath to find what I was looking for. However my application will need to perform aggregated queries across multiple user's data (i.e. looking at the favorite comics of all of my friends then fetching the most popular ones) so a file based solution isn't a good fit. I really want a relational database.

EC2 seemed really promising because I could create a virtual server running in Amazon's cloud and load it up with my choice of operating system, database and Web development tools. Unfortunately, there was a fly in the ointment. There is no persistent storage in EC2 so if your virtual server goes down for any reason such as taking it down to install security patches or a system crash, all your data is lost.

This is a well known problem within the EC2 community which has resulted in a bunch of clever hacks being proposed by a number of parties. In his post entitled Amazon EC2, MySQL, Amazon S3 Jeff Barr of Amazon writes

I was on a conference call yesterday and the topic of ways to store persistent data when using Amazon EC2 came up a couple of times. It would be really cool to have a persistent instance of a relational database like MySQL but there's nothing like that around at the moment. An instance can have a copy of MySQL installed and can store as much data as it would like (subject to the 160GB size limit for the virtual disk drive) but there's no way to ensure that the data is backed up in case the instance terminates without warning.

Or is there?

It is fairly easy to configure multiple instances of MySQL in a number of master-slave, master-master, and other topologies. The master instances produce a transaction log each time a change is made to a database record. The slaves or co-masters keep an open connection to the master, reading the changes as they are logged and mimicing the change on the local copy. There can be some replication delay for various reasons, but the slaves have all of the information needed to maintain exact copies of the database tables on the master.

Besides the added complexity this places on the application, it still isn't fool proof as is pointed out in the various comments in response to Jeff's post.

Demitrious Kelly who also realizes the problems with relying on replication to solve the persistence problem proposed an alternate solution in his post MySQL on Amazon EC2 (my thoughts) where he writes

Step #2: I’m half the instance I used to be! With each AMI you get 160GB of (mutable) disk space, and almost 2GB of ram, and the equivalent of a Xeon 1.75Ghz processor. Now divide that, roughly, in half. You’ve done that little math exercise because your one AMI is going to act as 2 AMI's. Thats right. I’m recommending running two separate instances of MySQL on the single server.

Before you start shouting at the heretic, hear me out!
+-----------+   +-----------+
| Server A  |   | Server B  |
+-----------+   +-----------+
| My  |  My |   | My  |  My |
| sQ  |  sQ |   | sQ  |  sQ |
| l   |  l  |   | l   |  l  |
|     |     |   |     |     |
| #2<=== #1 <===> #1 ===>#2 |
|     |     |   |     |     |
+ - - - - - +   + - - - - - +
On each of our servers, MySQL #1 and #2 both occupy a max of 70Gb of space. The MySQL #1 instances of all the servers are setup in a master-master topography. And the #2 instance is setup as a slave only of the #1 instance on the same server. so on server A MySQL #2 is a copy (one way) of #1 on server A.

With the above setup *if* server B were to get restarted for some reason you could: A) shut down the MySQL instance #2 on server A. Copy that MySQL #2 over to Both slots on server B. Bring up #1 on server B (there should be no need to reconfigure its replication relationship because #2 pointed at #1 on server A already). Bring up #2 on server B, and reconfigure replication to pull from #1 on ServerB. This whole time #1 on Server A never went down. Your services were never disrupted.

Also with the setup above it is possible (and advised) to regularly shut down #2 and copy it into S3. This gives you one more layer of fault tollerance (and, I might add, the ability to backup without going down.)

Both solutions are fairly complicated, error prone and still don't give you as much reliability as you would get if you simply had a hard disk that didn't lose all its data when ~~you rebooted~~ the server goes down. At this point it is clear that a traditional hosted service solution is the route to go. Any good suggestions for server-side LAMP or WISC hosting that won't cost an arm and a leg? Is Joyent any good?

PS: It is clear this is a significant problem for Amazon's grid computing play and one that has to be fixed if the company is serious about getting into the grid computing game and providing a viable alternative to startups looking for a platform to build the next "Web 2.0" hit. Building a large scale, distributed, relational database then making it available to developers as a platform is unprecedented so they have their work cut out for them. I'd incorrectly assumed that BigTable was the precedent for this but I've since learned that BigTable is more like a large scale, distributed, spreadsheet table as opposed to a relational database. This explains a lot of the characteristics of the query API of Google Base.

Categories: Web Development

June 23, 2007

@ 03:02 AM

Moonlight: Silverlight for Linux in 21 Days

In his post Implementing Silverlight in 21 Days Miguel De Icaza writes

The past 21 days have been some of the most intense hacking days that I have ever had and the same goes for my team that worked 12 to 16 hours per day every single day --including weekends-- to implement Silverlight for Linux in record time. We call this effort Moonlight.
Needless to say, we believe that Silverlight is a fantastic development platform, and its .NET-based version is incredibly interesting and as Linux/Unix users we wanted to both get access to content produced with it and to use Linux as our developer platform for Silverlight-powered web sites.

His post is a great read for anyone who geeks out over phenomenal feats of hackery. Going over the Moonlight Project Page it's interesting to note how useful blog posts from Microsoft employees were in getting Miguel's team to figure out the internal workings of Silverlight.

In addition, it seems Miguel also learned a lot from hanging out with Jason Zander and Scott Guthrie which influenced some of the design of Moonlight. It's good to see Open Source developers working on Linux having such an amicable relationship with Microsoft developers.

Congratulations to Mono team, it looks like we will have Silverlight on Linux after all. Sweet.

Categories: Platforms | Programming | Web Development

June 9, 2007

@ 03:13 AM

Why GData/APP Fails as a General Purpose Editing Protocol for the Web

Recently I wrote a blog post entitled Google GData: A Uniform Web API for All Google Services where I pointed out that Google has standardized on GData (i.e. Google's implementation of the Atom 1.0 syndication format and the Atom Publishing Protocol with some extensions) as the data access protocol for Google's services going forward. In a comment to that post Gregor Rothfuss wondered whether I couldn't influence people at Microsoft to also standardize on GData. The fact is that I've actually tried to do this with different teams on multiple occasions and each time the I've tried, certain limitations in the Atom Publishing Protocol become quite obvious when you get outside of blog editing scenarios for which the protocol was originally designed. For this reason, we will likely standardize on a different RESTful protocol which I'll discuss in a later post. However I thought it would be useful to describe the limitations we saw in the Atom Publishing Protocol which made it unsuitable as the data access protocol for a large class of online services.

Overview of the Atom's Data Model

The Atom data model consists of collections, entry resources and media resources. Entry resources and media resources are member resources of a collection. There is a handy drawings in section 4.2 of the latest APP draft specification that shows the hierarchy in this data model which is reproduced below.

                    
             Member Resources
                    |
             -----------------
            |                 |
      Entry Resources     Media Resources
            |
      Media Link Entry

A media resource can have representations in any media type. An entry resource corresponds to an atom:entry element which means it must have an id, a title, an updated date, one or more authors and textual content. Below is a minimal atom:entry element taken from the Atom 1.0 specification


<entry>
    <title>Atom-Powered Robots Run Amok</title>
    <link href="http://example.org/2003/12/13/atom03"/>
    <id>urn:uuid:1225c695-cfb8-4ebb-aaaa-80da344efa6a</id>
    <updated>2003-12-13T18:30:02Z</updated>
    <summary>Some text.</summary>
</entry>

The process of creating and editing resources is covered in section 9 of the current APP draft specification. To add members to a Collection, clients send POST requests to the URI of the Collection. To delete a Member Resource, clients send a DELETE request to its Member URI. While to edit a Member Resource, clients send PUT requests to its Member URI.

Since using PUT to edit a resource is obviously problematic, the specification notes two concerns that developers have to pay attention to when updating resources.

To avoid unintentional loss of data when editing Member Entries or Media Link Entries, Atom Protocol clients SHOULD preserve all metadata that has not been intentionally modified, including unknown foreign markup.
...
Implementers are advised to pay attention to cache controls, and to make use of the mechanisms available in HTTP when editing Resources, in particular entity-tags as outlined in [NOTE-detect-lost-update]. Clients are not assured to receive the most recent representations of Collection Members using GET if the server is authorizing intermediaries to cache them.

The [NOTE-detect-lost-update] points to Editing the Web: Detecting the Lost Update Problem Using Unreserved Checkout which not only talks about ETags but also talks about conflict resolution strategies when faced with multiple edits to a Web document. This information is quite relevant to anyone considering implementing the Atom Publishing Protocol or a similar data manipulation protocol.

With this foundation, we can now talk about the various problems one faces when trying to use the Atom Publishing Protocol with certain types of Web data stores.

Limitations Caused by the Constraints within the Atom Data Model

The following is a list of problems one faces when trying to utilize the Atom Publishing Protocol in areas outside of content publishing for which it was originally designed.

Mismatch with data models that aren't microcontent: The Atom data model fits very well for representing authored content or microcontent on the Web such as blog posts, lists of links, podcasts, online photo albums and calendar events. In each of these cases the requirement that each Atom entry has an an id, a title, an updated date, one or more authors and textual content can be met and actually makes a lot of sense. On the other hand, there are other kinds online data that don't really fit this model.

Below is an example of the results one could get from invoking the users.getInfo method in the Facebook REST API.
```
<user>
    <uid>8055</uid>
    <about_me>This field perpetuates the glorification of the ego.  Also, it has a character limit.</about_me>
    <activities>Here: facebook, etc. There: Glee Club, a capella, teaching.</activities>    
    <birthday>November 3</birthday>
    <books>The Brothers K, GEB, Ken Wilber, Zen and the Art, Fitzgerald, The Emporer's New Mind, The Wonderful Story of Henry Sugar</books>
    <current_location>
      <city>Palo Alto</city>
      <state>CA</state>
      <country>United States</country>
      <zip>94303</zip>
    </current_location>    
    <first_name>Dave</first_name>       
     <interests>coffee, computers, the funny, architecture, code breaking,snowboarding, philosophy, soccer, talking to strangers</interests>
     <last_name>Fetterman</last_name>   
     <movies>Tommy Boy, Billy Madison, Fight Club, Dirty Work, Meet the Parents, My Blue Heaven, Office Space </movies>
     <music>New Found Glory, Daft Punk, Weezer, The Crystal Method, Rage, the KLF, Green Day, Live, Coldplay, Panic at the Disco, Family Force 5</music>
     <name>Dave Fetterman</name>  
     <profile_update_time>1170414620</profile_update_time>
     <relationship_status>In a Relationship</relationship_status>
     <religion/>
     <sex>male</sex>
     <significant_other_id xsi:nil="true"/>
     <status>
       <message>Pirates of the Carribean was an awful movie!!!</message>
     </status>    
   </user>
```
How exactly would one map this to an Atom entry? Most of the elements that constitute an Atom entry don't make much sense when representing a Facebook user. Secondly, one would have to create a large number of proprietary extension elements to anotate the atom:entry element to hold all the Facebook specific fields for the user. It's like trying to fit a square peg in a round hole. If you force it hard enough, you can make it fit but it will look damned ugly.

Even after doing that, it is extremely unlikely that an unmodified Atom feed reader or editing client such as would be able to do anything useful with this Frankenstein atom:entry element. If you are going to roll your own libraries and clients to deal with this Frankenstein element, then it it begs the question of what benefit you are getting from ~~mis~~ using a standardized protocol in this manner?

I guess we could keep the existing XML format used by the Facebook REST API and treat the user documents as media resources. But in that case, we aren't really using the Atom Publishing Protocol, instead we've reinvented WebDAV. Poorly.
Lack of support for granular updates to fields of an item: As mentioned in the previous section editing an entry requires replacing the old entry with a new one. The expected client interaction with the server is described in section 5.4 of the current APP draft and is excerpted below.
Retrieving a Resource
```
Client                                     Server
  |                                           |
  |  1.) GET to Member URI                    |
  |------------------------------------------>|
  |                                           |
  |  2.) 200 Ok                               |
  |      Member Representation                |
  |<------------------------------------------|
  |                                           |
```
1. The client sends a GET request to the URI of a Member Resource to retrieve its representation.
2. The server responds with the representation of the Member Resource.
Editing a Resource
```
Client                                     Server
  |                                           |
  |  1.) PUT to Member URI                    |
  |      Member Representation                |
  |------------------------------------------>|
  |                                           |
  |  2.) 200 OK                               |
  |<------------------------------------------|
```
1. The client sends a PUT request to store a representation of a Member Resource.
2. If the request is successful, the server responds with a status code of 200.
Can anyone spot what's wrong with this interaction? The first problem is a minor one that may prove problematic in certain cases. The problem is pointed out in the note in the documentation on Updating posts on Google Blogger via GData which states

IMPORTANT! To ensure forward compatibility, be sure that when you POST an updated entry you preserve all the XML that was present when you retrieved the entry from Blogger. Otherwise, when we implement new stuff and include <new-awesome-feature> elements in the feed, your client won't return them and your users will miss out! The Google data API client libraries all handle this correctly, so if you're using one of the libraries you're all set.

Thus each client is responsible for ensuring that it doesn't lose any XML that was in the original atom:entry element it downloaded. The second problem is more serious and should be of concern to anyone who's read Editing the Web: Detecting the Lost Update Problem Using Unreserved Checkout. The problem is that there is data loss if the entry has changed between the time the client downloaded it and when it tries to PUT its changes.

Even if the client does a HEAD request and compares ETags just before PUTing its changes, there's always the possibility of a race condition where an update occurs after the HEAD request. After a certain point, it is probably reasonable to just go with "most recent update wins" which is the simplest conflict resolution algorithm in existence. Unfortunately, this approach fails because the Atom Publishing Protocol makes client applications responsible for all the content within the atom:entry even if they are only interested in one field.

Let's go back to the Facebook example above. Having an API now makes it quite likely that users will have multiple applications editing their data at once and sometimes these aplications will change their data without direct user intervention. For example, imagine Dave Fetterman has just moved to New York city and is updating his data across various services. So he updates his status message in his favorite IM client to "I've moved" then goes to Facebook to update his current location. However, he's installed a plugin that synchronizes his IM status message with his Facebook status message. So the IM plugin downloads the atom:entry that represents Dave Fetterman, Dave then updates his address on Facebook and right afterwards the IM plugin uploads his profile information with the old location and his new status message. The IM plugin is now responsible for data loss in a field it doesn't even operate on directly.
Poor support for hierarchy: The Atom data model is that it doesn't directly support nesting or hierarchies. You can have a collection of media resources or entry resources but the entry resources cannot themselves contain entry resources. This means if you want to represent an item that has children they must be referenced via a link instead of included inline. This makes sense when you consider the blog syndication and blog editing background of Atom since it isn't a good idea to include all comments to a post directly children of an item in the feed or when editing the post. On the other hand, when you have a direct parent<->child hierarchical relationship, where the child is an addressable resource in its own right, it is cumbersome for clients to always have to make two or more calls to get all the data they need.

UPDATE: Bill de hÓra responds to these issues in his post APP on the Web has failed: miserably, utterly, and completely and points out to two more problems that developers may encounter while implementing GData/APP.

Categories: Web Development | XML Web Services

June 6, 2007

@ 03:28 AM

Comments [16]

Google Gears: Replacing One Problem with Another

I've been thinking a little bit about Google Gears recently and after reading the documentation things I've realized that making a Web-based application that works well offline poses an interesting set of challenges. First of all, let's go over what constitutes the platform that is Google Gears. It consists of three components

LocalServer: Allows you to cache and serve application resources such as HTML pages, scripts, stylesheets and images from a local web server.

Database: A relational database where the application can store data locally. The database supports both full-text and SQL queries.
WorkerPool: Allows applications to perform I/O expensive tasks in the background and thus not lock up the browser. A necessary evil.

At first, this seemed like a lot to functionality being offered by Google Gears until I started trying to design how I'd take some of my favorite Web applications offline. Let's start with a straightforward case such as Google Reader. The first thing you have to do is decide what data needs to be stored locally when the user decides to go offline. Well, a desktop RSS reader has all my unread items even when I go offline so a user may expect that if they go offline in Google Reader this means all their unread items are offline. This could potentially be a lot of data to transfer in the split instant between when the user selects "go offline" in the Google Reader interface and she actually loses her 'net connection by closing her laptop. There are ways to work around this such as limiting how many feeds are available offline (e.g. Robert Scoble with a thousand feeds in his subscription list won't get to take all of them offline) or by progressively downloading all the unread content while the user is viewing the content in online mode. Let's ignore that problem for now because it isn't that interesting.

The next problem is to decide which state changes while the app is offline need to be reported back when the user gets back online. These seem to be quite straightforward,

Feed changed
Feed added
Feed deleted
Feed renamed
Feed moved
News item changed
Item marked read/unread
Item flagged/starred
Item tag updated

The application code can store these changes as a sequential list of modifications which are then executed whenever the user gets back online. Sounds easy enough. Or is it?

What happens if I'm on my laptop and I go offline in Google Reader and mark a bunch of stuff as read then unsubscribe from a few feeds I no longer find interesting. The next day when I get to work, I go online on my desktop, read some new items and subscribe to some new feeds. Later that day, I go online with my laptop. Now the state on my laptop is inconsistent from that on the Web server. How do we reconcile these differences?

The developers at Google have anticipated these questions and have answered them in Google Gears documentation topic titled Choosing an Offline Application Architecture which states

No matter which connection and modality strategy you use, the data in the local database will get out of sync with the server data. For example, local data and server data get out of sync when:

The user makes changes while offline
Data is shared and can be changed by external parties
Data comes from an external source, such as a feed

Resolving these differences so that the two stores are the same is called "synchronization". There are many approaches to synchronization and none are perfect for all situations. The solution you ultimately choose will likely be highly customized to your particular application.

Below are some general synchronization strategies.

Manual Sync

The simplest solution to synchronization is what we call "manual sync". It's manual because the user decides when to synchronize. It can be implemented simply by uploading all the old local data to the server, and then downloading a fresh copy from the server before going offline.
...
Background Sync

In a "background sync", the application continuously synchronizes the data between the local data store and the server. This can be implemented by pinging the server every once in a while or better yet, letting the server push or stream data to the client (this is called Comet in the Ajax lingo).

I don't consider myself some sort of expert on data synchronization protocols but it seems to me that there is a lot more to figuring out a data synchronization strategy than whether it should be done based on user action or automatically in the background without user intervention. It seems that there would be all sorts of decisions around consistency models and single vs. multi-master designs that developers would have to make as well. And that's just for a fairly straightforward application like Google Reader. Can you imagine what it would be like to use Google Gears to replicate the functionality of Outlook in the offline mode of Gmail or to make Google Docs & Spreadsheets behave properly when presented with conflicting versions of a document or spreadsheet because the user updated it from the Web and in offline mode?

It seems that without providing data synchronization out of the box, Google Gears leaves the most difficult and cumbersome aspect of building a disconnected Web app up to application developers. This may be OK for Google developers using Google Gears since the average Google coder is a Ph.D but the platform isn't terribly useful to Web application developers who want to use it for anything besides a super-sized HTTP cookie.

A number of other bloggers such as Roger Jennings and Tim Anderson have also pointed that the lack of data synchronization in Google Gears is a significant oversight. If Google intends for Google Gears to become a platform that will be generally useful to the average Web developer then the company will have to fix this oversight. Otherwise, they haven't done as much for the Web development world as the initial hype led us to believe.

Categories: Programming | Web Development

June 5, 2007

@ 05:53 PM

What Ruby on Rails Can Learn from ASP.NET

Ian McKellar has a blog post entitled Insecurity is Ruby on Rails Best Practice where he points out that by default the Ruby on Rails framework makes sites vulnerable to a certain class of exploits. Specifically, he discusses the vulnerabilities in two Ruby on Rails applications, 37 Signals Highrise and Magnolia, then proposes solutions. He writes

Cross Site Request Forgery
CSRF is the new bad guy in web application security. Everyone has worked out how to protect their SQL database from malicious input, and RoR saves you from ever having to worry about this. Cross site scripting attacks are dying and the web community even managed to nip most JSON data leaks in the bud.

Cross Site Request Forgery is very simple. A malicious site asks the user's browser to carry out an action on a site that the user has an active session on and the victim site carries out that action believing that the user intended that action to occur. In other words the problem arises when a web application relies purely on session cookies to authenticate requests.
...
Solutions
Easy Solutions
There aren't any good easy solutions to this. A first step is to do referrer checking on every request and block GET requests in form actions. Simply checking the domain on the referrer may not be enough security if there's a chance that HTML could be posted somewhere in the domain by an attacker the application would be vulnerable again.

Better Solutions
Ideally we want a shared secret between the HTML that contains the form and the rails code in the action. We don't want this to be accessible to third parties so serving as JavaScript isn't an option. The way other platforms like Drupal achieve this is by inserting a hidden form field into every form that's generated that contains a secret token, either unique to the current user's current session or (for the more paranoid) also unique to the action. The action then has to check that the hidden token is correct before allowing processing to continue.

Incidents of Cross Site Request Forgery have become more popular with the rise of AJAX and this is likely to become as endemic as SQL injection attacks until the majority of Web frameworks take this into account in their out of the box experience.

At Microsoft, the Web teams at MSN and Windows Live have given the folks in Developer Division the virtue of their experience building Web apps which has helped in making sure our Web frameworks like ASP.NET Ajax (formerly codenamed Atlas) avoid this issue in their default configuration. Scott Guthrie outlines the safeguards against this class of issues in his post JSON Hijacking and How ASP.NET AJAX 1.0 Avoids these Attacks where he writes

Recently some reports have been issued by security researchers describing ways hackers can use the JSON wire format used by most popular AJAX frameworks to try and exploit cross domain scripts within browsers. Specifically, these attacks use HTTP GET requests invoked via an HTML include element to circumvent the "same origin policy" enforced by browsers (which limits JavaScript objects like XmlHttpRequest to only calling URLs on the same domain that the page was loaded from), and then look for ways to exploit the JSON payload content.
ASP.NET AJAX 1.0 includes a number of default settings and built-in features that prevent it from being susceptible to these types of JSON hijacking attacks.
...
ASP.NET AJAX 1.0 by default only allows the HTTP POST verb to be used when invoking web methods using JSON, which means you can't inadvertently allow browsers to invoke methods via HTTP GET.
ASP.NET AJAX 1.0 requires a Content-Type header to be set to "application/json" for both GET and POST invocations to AJAX web services. JSON requests that do not contain this header will be rejected by an ASP.NET server. This means you cannot invoke an ASP.NET AJAX web method via a include because browsers do not allow append custom content-type headers when requesting a JavaScript file like this.

These mitigations would solve the issues that Ian McKellar pointed out in 37 Signals Highrise and Magnolia because HTML forms hosted on a malicious site cannot set the Content-Type header so that exploit is blocked. However neither this approach nor referrer checking to see if the requests come from your domain is enough if the malicious party finds a way to upload HTML or script onto your site.

To completely mitigate against this attack, the shared secret approach is most secure and is what is used by most large websites. In this approach each page that can submit a request has a canary value (i.e. hidden form key) which must be returned with the request. If the form key is not provided, is invalid or expired then the request fails. This functionality is provided out of the box in ASP.NET by setting the Page.ViewStateUserKey property. Unfortunately, this feature is not on by default. On the positive side, it is a simple one line code change to get this functionality which needs to be rolled by hand on a number of other Web platforms today.

Categories: Web Development

June 5, 2007

@ 05:52 PM

Improving Website Usability with A/B Testing

The good folks on the Microsoft Experimentation Platform team have published a paper which gives a great introduction to how and why one can go about using controlled experiments (i.e. A/B testing) to improve the usability of a website. The paper is titled Practical Guide to Controlled Experiments on the Web: Listen to Your Customers not to the HiPPO and will be published as part of the Thirteenth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. The paper begins

In the 1700s, a British ship’s captain observed the lack of scurvy among sailors serving on the naval ships of Mediterranean countries, where citrus fruit was part of their rations. He then gave half his crew limes (the Treatment group) while the other half (the Control group) continued with their regular diet. Despite much grumbling among the crew in the Treatment group, the experiment was a success, showing that consuming limes prevented scurvy. While the captain did not realize that scurvy is a consequence of vitamin C deficiency, and that limes are rich in vitamin C, the intervention worked. British sailors eventually were compelled to consume citrus fruit regularly, a practice that gave rise to the still-popular label limeys.
Some 300 years later, Greg Linden at Amazon created a prototype to show personalized recommendations based on items in the shopping cart (2). You add an item, recommendations show up; add another item, different recommendations show up. Linden notes that while the prototype looked promising, ―a marketing senior vice-president was dead set against it, claiming it will distract people from checking out. Greg was ―forbidden to work on this any further. Nonetheless, Greg ran a controlled experiment, and the ―feature won by such a wide margin that not having it live was costing Amazon a noticeable chunk of change. With new urgency, shopping cart recommendations launched. Since then, multiple sites have copied cart recommendations.
The authors of this paper were involved in many experiments at Amazon, Microsoft, Dupont, and NASA. The culture of experimentation at Amazon, where data trumps intuition (3), and a system that made running experiments easy, allowed Amazon to innovate quickly and effectively. At Microsoft, there are multiple systems for running controlled experiments. We describe several architectures in this paper with their advantages and disadvantages. A unifying theme is that controlled experiments have great return-on-investment (ROI) and that building the appropriate infrastructure can accelerate innovation.

I learned quite a bit from reading the paper although I did somewhat skip over some of the parts that involved math. It's pretty interesting when you realize how huge the impact of changing the layout of a page or moving links can be on the bottom line of a Web company. Were talking millions of dollars for the most popular sites. That's pretty crazy.

Anyway, Ronny Kohavi from the team mentioned that they will be giving a talk related to the paper at eBay research labs tomorrow at 11AM. The talk will be in Building 0 (Toys) in room 0158F. The address is 2145 Hamilton Avenue, San Jose, CA. If you are in the silicon valley area, this might be a nice bring your own lunch event to attend.

Categories: Mindless Link Propagation | Web Development

May 31, 2007

@ 01:33 AM

Google Gears: Offline Support for AJAX/Flash Apps

Robert Scoble breaks the news that Google brings developers offline with "Gears" where he writes

Right now in Sydney, Australia, the first of 10 Google Developer days are starting up and the audience there is hearing about several new initiatives. The most important of which is “Google Gears,” an open source project that will bring offline capabilities to Web Applications — aimed at developers
...
Regarding Gears. It works on Macs, Windows, Linux on IE, Firefox, Opera. Enables versioned offline storage. Extension to HTML/JavaScript.

They are showing me a demo of the new Google Reader using the new Gears plugin. After you load the Gears plugin you get a new icon at the top of your Reader window which enables offline capabilities of Google Reader. They showed how Google Reader then downloaded 2,000 feed items. They took the browser offline and it continued to work great.
...
Gears supports using Adobe’s Apollo and Flash and should support other technologies including Microsoft’s Silverlight.
Gears will be submitted to a standards organization eventually, they said, but want to make sure the technology is rock solid first.

Am I the only one wondering what took them so long? I remember chatting about this in mid-2005 with Joshua Allen, we were both pretty sure it we would see it happen within a year. I guess a year and a half isn't so bad. :)

The bit about standardizing the technology is a nice touch, not that it matters. What matters is that "it doesn't work offline" is no longer a valid criticism for Google's family of Microsoft office knock offs (i.e. Google Docs & Spreadsheets) or any other AJAX/Flash application that competes with a desktop application. Running it through a standards body wouldn't make a significant difference one way or the other to the adoption of the technology for use with Google apps. It may prevent other developers from adopting the technology but I doubt many developers would look this gift horse in the mouth, after all it is freaking offline support for Web apps.

Welcome to the future.

Categories: Competitors/Web Companies | Web Development

May 26, 2007

@ 12:18 AM

Google GData: A Uniform Web API for All Google Services

I've been reading the Google Data APIs blog for a few months and have been impressed at how Google has been quietly executing on the plan of having a single uniform RESTful Web service interface to their various services. If you are unfamiliar with GData, you can read the GData overview documentation. In a nutshell, GData is Google's implementation of the Atom 1.0 syndication format and the Atom Publishing Protocol with some extensions. It is a RESTful XML-based protocol for reading and writing information on the Web. Currently one can use GData to manipulate and access data from the following Google services

Google Apps Provisioning
Google Base
Blogger
Google Calendar
Google Code Search
Google Notebook
Google Spreadsheets
Picasa Web Albums

with more on the way. Contrast this with the API efforts on Yahoo! Developer Network or Windows Live Dev which are an inconsistent glop of incompatible RESTful protocols, SOAP APIs and XML-RPC methods all under the same roof. In the Google case, an app that can read and write data to Blogger can also do so to Google Calendar or Picasa Web Albums with minimal changes. This is not the case when using APIs provided by two Yahoo! services (e.g. Flickr and del.icio.us) or two Windows Live services (e.g. Live Search and Windows Live Spaces) which use completely different protocols, object models and authentication mechanisms even though provided by the same vendor.

One way to smooth this disparity is to provide client libraries that aim to provide a uniform interface to all of the vendors services. However even in that case, the law of leaky abstractions holds. Thus the fact that these services use different protocols, object models and authentication mechanisms ends up surfacing in the client library. Secondly, not only is it now possible to create a single library that knows how to talk to all of Google's existing and future Web services since they all use GData. It is also a lot easier to provide "tooling" for these services than it would be for Yahoo's family of Web services given that they use a simple and uniform interface. So far none of the big Web vendors have done a good job of providing deep integration with popular development environments like Eclipse or Visual Studio. However I suspect that when they do, Google will have an easier time than the others due to the simplicity and uniform interface that is GData.

Categories: Web Development | XML Web Services

May 25, 2007

@ 09:19 PM

No Microsoft PDC This Year

Via Robert Scoble's blog post entitled Microsoft postpones PDC we learn

Mary Jo Foley (she’s been covering Microsoft for a long time) has the news: Microsoft has postponed the PDC that it had planned for later this year.

The PDC stands for “Professional Developer’s Conference.” It happens only when Microsoft knows it’ll have a major new platform to announce. Usually a new version of Windows or a new Internet strategy.

So, this means a couple of things: no new Windows and no major new Internet strategy this year.
...
Now that Google, Amazon, Apple, are shipping platforms that are more and more interesting to Microsoft’s developer community Microsoft has to play a different game. One where they can’t keep showing off stuff that never ships. The stakes are going up in the Internet game and Microsoft doesn’t seem to have a good answer to what’s coming next.

Interesting analysis from Robert, I agree with him that Microsoft no longer has the luxury of demoing platforms it can't or won't ship given how competent a number of competitors have shown themselves on the platform front. The official Microsoft cancellation notice states

As the PDC is the definitive developer event focused on the future of the Microsoft platform, we try to align it to be in front of major platform milestones. By this fall, however, upcoming platform technologies including Windows Server 2008, SQL Server codenamed "Katmai", Visual Studio codenamed "Orcas" and Silverlight will already be in developers’ hands and approaching launch

This makes sense, all the interesting near term future stuff has already been announced at other recent events. In fact, when you think about it, it is kinda weird for Microsoft to have a conference for showing next generation Web platform stuff (i.e. MIX) and another for showing general next generation platform stuff (i.e. PDC). Especially since the Web is the only platform that matters these days.

My assumption is that Microsoft conference planners will figure this out and won't make the mistake of scheduling MIX and PDC a few months from each other next time.

Categories: Life in the B0rg Cube | Web Development

May 22, 2007

@ 02:44 AM

Understanding Adobe's Apollo

Pete Lacey has a blog post entitled Rethinking Apollo where he writes

So I dug around in Apollo a little bit, and I did a little bit more thinking about my reflexive dismissal of the technology. And I admit to misunderstanding and miscategorizing Apollo. Here’s what I learned.

Apollo is not a browser plugin, nor does it leverage or extend your browser in any way. It runs completely outside the browser. It is a run-time environment for building cross-platform desktop applications.
...
Lets say you want to build a RSS/Atom reader...But lets add a requirement: my news reader must be cross-platform. That eliminates .NET as a development platform, but still leaves C++. However, with C++ I have to carefully separate my common functionality from my OS-specific functionality and become more of an expert on OS and windowing quirks then I would like, so that’s out. Fortunately, there’s quite a few other ways to go:
Browser based
Java based
Dynamic language based: Perl, Python, Ruby, Tcl
Native cross-platform development environment, e.g Qt
Apollo
Others, e.g. Eclipse RCP

All of these have pros and cons. Browsers are limited in functionality, and quirky. Java is a pain to develop towards-especially GUI apps, has spotty HTML rendering ability, and a non-native look and feel. The dynamic languages are far from guaranteed to be installed on any particular machine—especially Windows machines, and (likely) also have their own look and feel issues. Qt still leaves me in C++ land; that is it’s hard to develop towards. Apollo also has its own look and feel, and will require a download of the runtime environment if it’s not already there (I’m ignoring its alpha release state). I don’t care about any others cross-platform techniques right now.

I think I've found interesting is how a lot of blogosphere pundits have been using Microsoft's Silverlight and Adobe's Apollo in the same sentence as if they are similar products. I guess it's more proof that the popular technology blog pundits don't do much research and in many cases aren't technical enough to do the research anyway.

Although Pete does a good job of explaining the goals of Adobe Apollo with a great example, I think there is a simpler and more cynical way of spelling out the difference between Silverlight and Apollo. I'd describe the projects as

Apollo is Adobe's Flash based ~~knock off~~ competitor to the .NET Framework while Silverlight is Microsoft's .NET Framework based ~~knock off~~ competitor to the Flash platform.

A lot shorter and more to the point. :)

PS: Shame on Pete for equating dynamic languages with the runtimes for certain popular Open Source dynamic programming languages. The programming language is not the platform and vice versa. After all, both Jython and IronPython are instances of a dynamic programming language that don't have any of the problems he listed as reasons to eliminate a dynamic programming language as a choice for building a cross-platform desktop application. :).

Categories: Programming | Web Development

May 18, 2007

@ 10:20 PM

Microsoft's PopFly - Mashup Builder Extraordinaire

A couple of months ago, John Montgomery gave me an invite to test drive a new Microsoft project that was billed as a mashup builder. It's been on my list of "cool things at Microsoft I've been asked to check out but never investigated deeply enough" for about three months [until recently this list also included Microsoft Scout]. Thus I was quite surprised when I found out that the project was already ready for release and had been renamed Popfly.

The most succinct description of the project I've seen is Mike Arrington's writeup in his post Microsoft Launches Popfly: Mashup App Creator Built On Silverlight which stated

Microsoft will announce the private beta launch of Popfly this morning, a new Silverlight application that allows users to create mashups, widgets and other applications using a very cool and easy to use web-based graphical interface.
...
Popfly is a big leap forward from the competitors above because it lets you do so much more, and it is one of the nicest web application interfaces I have ever seen. With Popfly, you can create applications, mashups, web pages and widgets (gadgets) and it is all tied together in a social network (as part of the Live Spaces platform) where you can connect with other users and publishers of applications. Mashups are created by dragging in and connecting ‘blocks’ which produce an output. Blocks are modules that connect to various web services API’s, and even today there are dozens of different blocks that work with a whole variety of different web services.
See additional screen shots and a link to a screencast on the Popfly overview page here.

The application is an impressive mashup builder. It's at least on par with Yahoo! Pipes or maybe even better since it lets you mash up not just RSS feeds but also APIs from dozens of different sources including Flickr, Digg, Twitter, XBox Live and Windows Live spaces among others. Did I mention that it is also a great demo of the capabilities of Silverlight? Damn, the Microsoft developer division folks are outdoing themselves in 2007 and it isn't even June yet.

John Montgomery has a roundup of all the recent posts about Popfly in his blog post Some of the Popfly News So Far. ~~I've been told I have three invites to the service to give out. The first three non-Microsoft people to ping me at my work email address can have them.~~ The invitations are gone.

Kudos to the Popfly team on such a kick ass release.

Categories: Web Development

May 16, 2007

@ 07:17 PM

What is "The Web"?

I've been reading Patrick Logan's blog for a while now and he's recently shown a lot of positive interest in Adobe's Apollo and a lot of discord towards Microsoft's Silverlight. The most interesting thing about his blog posts is that he argues that Apollo is Web-like in contrast to folks like Mike Shaver of Mozilla. His most recent post Unfounded Panic Ensues is a good snapshot into his current thinking and is excerpted below

The panic continues from really smart people (more than one), for some unknown reason...
how is that different than the bad old days when a site was developed for one particular browser?
I really have trouble understanding the concern. When I read about Flex and Apollo the first and most important aspects that caught my attention was the *emphasis* on being web compliant.
The point *is* to write web compliant services and run them through many kinds of web clients. Apollo is just one and should not be leading to locked in service providers.
That would be dumb and missing the point of the web.

Now contrast this with the post by Mike Shaver entitled the high cost of some free tools where he writes

If someone tells you that their platform is the web, only better, there is a very easy test that you can use:
...
When the tool spits out some bundle of shining Deployment-Ready Code Artifact, do you get something that can be mashed up, styled, scripted, indexed by search engines, read aloud by screen readers, read by humans, customized with greasemonkey, reformatted for mobile devices, machine-translated, excerpted, transcluded, edited live with tools like Firebug? Or do you get a chunk of dead code with some scripted frills about the edges, frozen in time and space, until you need to update it later and have to figure out how to get the same tool setup you had before, and hope that the platform is still getting security and feature updates? (I’m talking to you, pre-VB.NET Visual Basic developers.)

It seems the reason lots of folks disagree with Patrick Logan is that his definition of "The Web" is different from theirs. From his perspective, the Web is about RESTful usage of HTTP and any client platform that can interact with HTTP in a RESTful manner is Web-like. Others like Mike Shaver consider the whole enchilada of HTTP, HTML, CSS and JavaScript to be what constitutes the Web experience.

In Patrick Logan's world, the Web browser (e.g. Firefox) is just one of many kinds of Web clients. In Mike Shaver's world, the Web browser is the Web client so the power and limitations of the browser define the Web experience.

I don't think one opinion is right and the other is wrong. I do think that understanding the different perspectives will be useful for Web developers as we navigate the RIA future.

Categories: Web Development

May 14, 2007

@ 10:16 PM

Questioning Silverlight, JavaFX and Other RIA Platforms

I was chatting with Mike Vernal at lunch today about the various reactions to Microsoft's Silverlight project and he mentioned that he hadn't seen much insightful analysis or critiques beyond general kudos and praise from the blogosphere. Since I'd seen quite a few posts that went beyond the kind of gushing you see in posts like Robert Scoble's Microsoft "rebooted the Web" yesterday or TechCrunch's Silverlight: The Web Just Got Richer, I thought Mike and my readers would appreciate some pointers to responses that contained a little more technical meat from seasoned Web developers.

In his post Frustration with RIA platforms Julien Couvreur writes

There has been a recent flurry of announcements around rich internet applications (RIA) recently, from Adobe (Apollo, open-sourcing the Flex SDK and Tamarin), Microsoft (Silverlight v1.1) and Sun (JavaFX). They seem to battle plain AJAX on three main fronts: richer rendering capabilities, improved performance, and a comprehensive set of designer and developer tools.
...
But they do little to address the native problems of the web.
Here are some examples:

integrating web sites and services,
cross-domain mashups with private data,
access control, identity and charging for web services,
user-driven website customization and extension, safe client-side composition.

In other words, the recent wave of RIA platforms make things look nicer and run faster, but we are still left off with the non-semantic markup, the page model, and the same-domain policy.

Grant Skinner writes an interesting analysis from the perspective of a Flash developer entitled A Flash of Silverlight? My Analysis which is excerpted below

By now, everyone has heard of Silverlight (previously WPF/E), Microsoft's answer to the Flash player...From my perspective, the discussion can be broken into four categories: opportunity, runtime, tools, and intent.
Opportunity
...
Flash may not have the gold rush opportunities of Silverlight, but it is a very entrenched technology (98% installed base, 85%+ for Flash Player 9) that will continue to expand its reach, and offer stable growth in web interactive (and beyond) over a long period. There's money to be made in Silverlight development right now, but its future is less certain once MS stops throwing money at it. However, it is worth considering that the skills you acquire using Silverlight will be fully applicable to other Microsoft platforms.
Runtime
...
Silverlight has a lot of potential in this area if Microsoft can innovate. Unfortunately, I have yet to see evidence that they can, and Adobe has a massive lead, both in terms of capabilities and adoption.
Tools
...
Microsoft can and will build a better developer toolset, and provide a better story for tool integration. However their unwillingness to support Macs, and their inability to truly understand creativity or designers will be their Achilles heel. Adobe has a deep cultural understanding of the creative process, and experience with cross-platform support that Microsoft can't match
Intent
...
Cross-platform support for Silverlight is not in Microsoft's best interests if they kill Flash. Neither is continued innovation. As a long time Mac user, I really don't trust Microsoft's intentions, but I do welcome the pressure Silverlight places on Adobe to continue innovating

And from Mike Shaver of Mozilla there is the high cost of some free tools which contains the following gem

If you choose a platform that needs tools, if you give up the viral soft collaboration of View Source and copy-and-paste mashups and being able to jam jQuery in the hole that used to have Prototype in it, you lose what gave the web its distributed evolution and incrementalism. You lose what made the web great, and what made the web win. If someone tells you that their platform is the web, only better, there is a very easy test that you can use:

When the tool spits out some bundle of shining Deployment-Ready Code Artifact, do you get something that can be mashed up, styled, scripted, indexed by search engines, read aloud by screen readers, read by humans, customized with greasemonkey, reformatted for mobile devices, machine-translated, excerpted, transcluded, edited live with tools like Firebug? Or do you get a chunk of dead code with some scripted frills about the edges, frozen in time and space, until you need to update it later and have to figure out how to get the same tool setup you had before, and hope that the platform is still getting security and feature updates? (I’m talking to you, pre-VB.NET Visual Basic developers.)
...
The web can eat toolchain bait like this for breakfast. And, if Mozilla has anything to say about it, it will do just that. You won’t have to give up the web to work offline any more, or programmable 2D graphics, etc. Soon you’ll have the power of 3D and great desktop/application integration as well, via projects like canvas3d and registration of content handlers, and you’ll have it in a way that’s built on open specifications and a tool ecosystem that isn’t a monoculture. Why wouldn’t you choose the web, given its record and power and openness?

All three posts contains some ideas I agree with and many I disagree with. I agree with Julien Couvreur that at the end of the day we still don't have a good solutions to many of the problems facing the Web as a platform. RIA platforms concentrating on how to make things shinier and prettier while writing less code are distracting us from many of the problems that still need to be solved to lead the Web to its true potential. Grant Skinner's post reads to me as if he's in denial. Everywhere he grudgingly gives Microsoft Silverlight a compliment he follows up with an insult that questions the company's competence and assumes that the platform will not fulfill its initial promise. Mike Shaver has a lot of good points in his post especially with regards to RIA platforms ensuring that they play nicely with everything that makes the Web so great in the first place. However I can't help but smile at the final comments in his post that end up sounding like he is pitching Mozilla's proprietary approaches to building Rich Internet Applications as alternatives to the proprietary approaches coming from Adobe, Microsoft and Sun. :)

Categories: Web Development

May 9, 2007

@ 05:17 PM

What is Java FX Answered by Don Park

If like me your head is spinning from all the announcements of proprietary "AJAX killers" out there then you probably were still too busy trying to digest Silverlight to even have heard that Sun's announced it's own "AJAX killer" and Flash competitor named Java FX.

Don Park has a good post which serves as a good starting point to grok the meat of this announcement titled Inside JavaFX where he writes

So what is JavaFX? This is what it looks like:
import javafx.ui.*;

Frame {
  title: "Hello World JavaFX"
  width: 20
  height: 50
  content: Label {
    text: "Hello World"
  }
  visible: true
}
As you can see, JavaFX script (*.fx) is basically JSON-like version of XAML which can be either compiled into Java bytecode or run as is using a java-based JavaFX player. Since JavaFX is just java, it can run as applets in browsers, midlets on mobiles, and applications on WebStart.

Sam Ruby has a good follow up to Don's post titled JavaFX Script where he describes some of the innovations and shortcomings of the platform he has noticed in his initial observations.

It looks like Web developers are getting spoiled for choice this summer; Sun vs. Microsoft vs. Adobe vs. Web Standards.

Categories: Competitors/Web Companies | Web Development

May 8, 2007

@ 08:29 PM

REST, Web Platforms and Versioning

In recent months it has become clear to me that the largest Web companies have become quite serious about providing "web platforms"that Web developers can integrate with or build upon. Amazon (http://aws.amazon.com), Google (http://code.google.com), Yahoo (http://developer.yahoo.com) and Microsoft (http://dev.live.com) all provide online destinations where Web developers can learn how to use their Web services or integrate with their AJAX widget platforms. The problem with building a platform is that providing Web services and writing APIs is the easy part. The hard part is hard work of supporting developers who have built on your platform with proper documentation, prompt tech support, and ensuring backwards compatibility when new revisions of the platform are delivered. Today I feel like riffing on that last point; versioning and backwards compatibility.

Maintaining backwards compatibility and being mindful of forwards compatibility is one of the biggest design problems that faces platform vendors. So far, there have been numerous examples of Web companies that provide APIs failing to realize how important stability and backwards compatibility when providing a platform. I've seen numerous examples of breaking changes in APIs providing by Web companies including the Google Adwords API (shutting down old endpoints with new version), TypePad Atom feeds (switching the feed format to a new incompatible version thus breaking feed readers), del.icio.us API (changing the Web service URL and the security protocol) and Amazon Web Services (changing what is added to a shopping cart when an item is added via its Amazon specific ID) among many others. Some of these changes were necessary due to security concerns while others could have been prevented with better up front design and decision making by the platform vendor. However in all of these cases, developers that had taken a bet on the platform had to scramble to check that their applications still worked and patch/redistribute them if they didn't. That is bad. One of the primary goals of a platform vendor is to ensure that the lives of developers on their platform is as easy and smooth as possible. This means releasing a new version of the platform should not cause developers who have taken a bet on the platform to have to rewrite their code.

In the past I've written lengthy, and fairly complex articles about versioning and XML data formats. These days, I've boiled down my guidance on Web service versioning to one phrase; Cool URIs Don't Change. This simple philosophy is actually all you need to consider when designing your RESTful Web service. You apply it in the following way

The Web service end point (i.e. URL) should not change. Changing the actual service end point is bad (e.g. http://del.icio.us/api/posts/get to https://api.del.icio.us/v1/posts/get) instead you should design your URI space with the knowledge that there will be multiple versions of the protocol.
The types of messages returned by the end point should not change. Thus changing the data format of the service (e.g. changing from RSS to Atom or Atom 0.3 to Atom 1.0) is a bad idea. Thus you should have a strategy for supporting multiple formats and partition your URI space accordingly.
The behavior of the end point should not change. This is the trickiest one to follow but the one that your developers will appreciate the most. New versions of the API should not change the behavior of operations previously defined at that end point. One way to reach this ideal is to partition your URI space in a versioned manner (e.g. http://www.example.com/api/v1/get-stuff in version 1 and http://www.example.com/api/v2/get-stuff in version 2) and then never change the behavior of the old bits or at the very least keep that behavior around as long as possible.

That's it. That's all you really need to know about versioning and REST Web services. The rest is mainly finicky details that are primarily dependent on the specifics of the platform and the ease with which the developers on the platform can respond to breaking changes. The harder it is for them to change, the higher the bar should be for breaking changes. For example, for Windows Live Messenger we have a high bar for breaking changes in the protocol that the server uses to talk to the desktop client because we know for a fact that not only does it take a surprisingly long time for the majority of users to switch to a new version of the client, there are users who actually cannot upgrade for a variety of reasons (e.g. new versions of desktop client doesn't work on their OS, corporate users or students who can't install software on the PC without permission, etc). On the other hand, when it comes to the internal SOAP APIs that are used to communicate between the Contacts platform and Windows Live properties such as Windows Live Spaces, Windows Live Hotmail and so on the bar for breaking changes is slightly lower because (i) they are Web applications and the (ii) set of consumers of the API is limited.

Ensuring that a Web platform has a strategy for handling backwards compatibility issues is just as important in the Web 2.0 world as it is on the desktop. Platform vendors who think otherwise are in for a rude awakening if they want adoption of their Web platform by serious developers.

Categories: Web Development | XML Web Services

May 3, 2007

@ 03:56 PM

What is Silverlight? (The Poster)

Have you been trying to distill the recent Microsoft Silverlight announcement into actual concrete bits and pieces? Look no further than this poster which not only lists the various supported browsers and operating systems but also highlights which class libraries from the .NET Framework will make up Silverlight

PS: Found this via Mark Pilgrim's Silly Season post. As usual, excellent and insightful writing by Mark.

Categories: Programming | Web Development

May 1, 2007

@ 10:32 PM

Comments [15]

Silverlight: AJAX is now an Endangered Species

I've been reading a ton of blog posts containing developer reactions to Microsoft's Silverlight announcement at MIX '07. One thing that I've noticed is that people are coming to some of the same conclusions I came to in my post What Comes After AJAX?. Specifically, it is now clear that ~~WPF/E~~ Silverlight is a contender for the throne of king development platform for building rich internet applications (RIAs). Additionally, it is also clear that the days of Asynchronous Javascript and XMLHttpRequest (AJAX) being first choice when building rich internet applications are numbered. Below are excerpts of some of the posts I found interesting.

In his blog post entitled The Day the Web Changed: NET in the Browser! Jeff Prosise writes

MIX 07 opened yesterday and I believe we'll look back on that day as the day that the Web changed. Microsoft made several announcements, not the least of which is that Silverlight, formerly known as "WPF/E," will include a cross-platform version of the CLR that runs in the browser.
What does it mean? It means goodbye JavaScript, hello C#. It means managed code in the browser. It means an escape from HTML and browser DOMs and a better way to build browser-based UIs using XAML. It means incredibly rich browser experiences and a whole new generation of RIAs.

In his blog post entitled May ASP.NET AJAX Futures CTP... wtf? Drew Marsh writes

Soooo, ok, they released a new May CTP of ASP.NET AJAX futures. It's got some new support in there for Silverlight related stuff now. Great, awesome, love to see it and totally understand they need to pimp the new platform. What has really happened beyond that though?
...
Anyway, it seems like Silverlight is ursurping the development of the core AJAX futures and, while I'm all for Silverlight, I think it's a bad move to put these features on the backburner. They should be fleshed out and delivered. They are extremely valuable to those of us trying to build rich web browser (only) based applications.
I'd love to heard from someone inside MS on what exactly their intentions are at this point. If it's dead, fine... just let us know. If it's not, tell us what to expect and when to expect it so we can make decisions on how to proceed. I've said it before and I'll say it again, the stuff that was cut from ASP.NET AJAX 1.0 and ended up in the futures was much more important to developing rich internet applications and 1.0. It's true that 1.0 layed the groundwork, but having to cobble together all the UI in JavaScript still with $get and $addHandler, while possible, isn't what I'd call a good platform.

Drew Marsh also writes in his post Where's the MSHTML/IE news?

I find it strange that there has been absolutely no mention of what the MSHTML/IE teams are working on right now yet at Mix. I remember they stood on stage last year and talked about much shorter product cycles. Shouldn't we be expecting some kind of new enhancements by at least the early second half 2007? I really don't care about the IE shell, I care most about MSHTML coming up to speed with more/better support for CSS (gimme my selectors damn it!), enhancements to the DOM, etc.

Update: It seems I didn't provide enough context in this post because I assumed people reading this would also read my What Comes After AJAX? post. My point in this post isn't to state that Silverlight will kill AJAX. In my previous post I already mentioned that based on the data we have, Adobe's rich internet application (RIA) platform seems more likely to take the top spot than Microsoft's. Instead I was pointing out that we are further along the road towards replacing Asynchronous Javascript and XMLHttpRequest (AJAX) with a richer and more productive set of platforms. Additionally, if you read between the lines of the MIX '07 announcements, it seems AJAX is no longer the new hotness, given the lack of news on improvements to the Microsoft AJAX stack coming from the conference.

Popular consumer websites like Yahoo! Maps, Flickr, YouTube and MySpace have made rich interactivity mainstream and even expected when it comes to building a modern "Web 2.0" consumer website by using a post-AJAX platform (Flash). My thesis is that we will see more sites embracing post-AJAX platforms until we reach a tipping point where brand new Web 2.0 sites choose something like Silverlight, Flash or OpenLaszlo instead of AJAX when considering a platform for building a rich internet application.

Categories: Web Development

May 1, 2007

@ 12:06 AM

New Windows Live APIs Announces at MIX '07

The blog post entitled Released: Contacts API, Windows Live Data Protocols on the Windows Live Dev blog states

Today we have a few more things for you, starting with this . . .

To date, access to Windows Live Contacts has been exclusively through our Contacts Control, but now we also offer an API for Contacts as well. The Windows Live Contacts API is a RESTful API that works on Address Book objects. The Contacts API offers a more granular control over the user experience than the control, and allows users to grant and revoke permission to their data on a site-by-site basis. Windows Live Data provides the protocols to manage the permissioning process.

Try them out and let us know what you think in our forum.

The Windows Live Data service provides a framework for applications to request and receive access to a user's data stored in Windows Live. An overview of the process is available in the documentation on Requesting Permission to Access Users' Windows Live Data.

The Windows Live Contacts API is a RESTful Web service created by my team for accessing a user's Hotmail contacts. How we use HTTP verbs is described in the documentation Getting Started with Windows Live Contacts API. You'll probably catch me talking about my contributions to future versions of the API in coming months.

Categories: Web Development | Windows Live

April 30, 2007

@ 09:44 PM

Silverlight: Web Development + Hosted Services Platform

I'm not attending MIX '07 but it looks like we're announcing some good stuff this week. because the stuff I've been working on isn't ready to be announced yet but my coworkers have dropped some cool announcements. Today we announced Silverlight Streaming by Windows Live. To understand this announcement you first have to understand what Silverlight actually is.

From http://www.silverlight.net we learn

Microsoft® Silverlight™ is a cross-browser, cross-platform plug-in for delivering the next generation of .NET based media experiences and rich interactive applications for the Web. Silverlight offers a flexible programming model that supports AJAX, VB, C#, Python, and Ruby, and integrates with existing Web applications. Silverlight supports fast, cost-effective delivery of high-quality video to all major browsers running on the Mac OS or Windows.

If that is still too complex for you; you can consider Silverlight as being akin to the Flash platform but built with the .NET platform with all the attendant benefits (i.e. development with Visual Studio and access to a ton of languages). Now we know what Silverlight is, what exactly is Silverlight Streaming by Windows Live? Glad you asked.

From the blog post entitled New! Silverlight Streaming Service on the Windows Live Dev blog we learn about http://dev.live.com/silverlight which states

Microsoft® Silverlight™ Streaming by Windows Live™ is a companion service for Silverlight that makes it easier for developers and designers to deliver and scale rich media as part of their Silverlight applications. The service offers web designers and developers a free and convenient solution for hosting and streaming cross-platform, cross-browser media experiences and rich interactive applications that run on Windows™ and Mac..
...
Microsoft® Silverlight™ Streaming by Windows Live™ can be used either directly from the administration web site or via a REST API. The API allows you to upload, update, delete, and invoke Silverlight applications using the Silverlight Streaming service. Click here to view the complete API reference.
...
While the product is in pre-release, storage and delivery is free up to 4 GB, with outbound streaming up to DVD quality (700 Kbps). As we move out of Beta, developers/designers will have continued use of the service with up to 1 million minutes of free video streaming at 700 Kpbs per site per month. Unlimited streaming will also be available for free with advertising, or with payment of a nominal fee for the service for use without advertising.

Not only is Microsoft giving developers a platform for building Rich Internet Applications (RIA) but it is also giving developers free streaming media hosting if they plan to use the platform to build a media sharing service. This is an interesting new wrinkle in the competition between Web application platforms. The response from Microsoft's competitors will definitely be interesting. I wonder if we'll see a partnership between Adobe/Macromedia and Amazon to bundle free usage of Amazon's S3 service if you are building applications with Flex or Apollo?

Categories: Web Development | Windows Live

March 30, 2007

@ 11:04 PM

Bandwidth Theft and Hotlinking vs. Mashups

Mike Arrington has a blog post on TechCrunch entitled Amazon’s War on Statsaholic where he writes

Statsaholic (formerly Alexaholic) launched a year ago and provided much easier access to Alexa traffic data than the Alexa site itself. Statsaholic also had other features Alexa didn’t offer, like embeddable graphs and data smoothing. Others agreed, and soon started linking to Statsaholic instead of Alexa when doing traffic comparisons. At one point, Alexa was the no. 3 search result on Google for “Alexa.”
Statsaholic was not using the Alexa web service to get the data, because Alexa doesn’t offer the graph data via their web service. Amazon, which owns Alexa, could have complained or simply shut them down when it launched, but they didn’t. They actually complimented the service in a post on the Alexa blog last April.
...
What bothers me about the situation is that Amazon sat on it for a year, complimenting the service along the way (and copying it). Then, just when the service started getting really popular, they took drastic measures to shut it down.

I'm totally perplexed by Arrington's position here. Statsaholic is screenscraping Alexa and building a business on top of that. It seems like a pretty open and shut issue to me. The fact that Amazon didn't bother prosecuting them until they got a lot of traffic just points out that there is little point harassing folks who are abusing your service unless they are consuming a lot of your resources or are taking money out of your pocket. It seems Statsaholic was doing both.

You'd think a smart startup founder would know better than to build a business model on hotlinking and bandwidth theft. You'd also expect a Web savvy dude like Mike Arrington to know better than blame the victim in such situations. Next thing you know, he'll be flaming websites that block hotlinking to their images via htaccess. Weird.

PS: Someone in the comments wondered how Mike Arrington would feel if someone created a mashup that showed all of the TechCrunch content minus the obnoxious ads (e.g. http://techcrunchminusads.com). I wonder if Mike would sue if the site started stealing a bunch of his traffic since it wouldn't load so many ads thus being faster and perhaps included more useful info (e.g. crosslinking TechCrunch posts with PodTech interviews)?

Categories: Competitors/Web Companies | Web Development

March 29, 2007

@ 04:30 PM

Comments [10]

Some Thoughts on the Yahoo! Mail Web Service

The Yahoo! Developer blog has an entry entitled Introducing the Yahoo! Mail Web Service which states

While we are certainly proud of the success of Yahoo! Mail, today we are announcing how we are going beyond the boundaries of the Yahoo! network and enabling developers to build new tools or applications around Yahoo! Mail. We are thrilled to announce the open availability of the Yahoo! Mail Web Service, web service for Yahoo! Mail (accessible via SOAP or JSON-RPC) that we previewed to Yahoo! Hack Day attendees. With the Yahoo! Mail Web Service, you can connect to the core mail platform to perform typical mailbox tasks for premium users such as list messages and folders, and compose and send messages (you can also build mail preview tools for free users with limited Web Service functionality). In other words, developers outside of Yahoo! can now build mail tools or applications on the same infrastructure we use to build the highly-scaled Yahoo! Mail service that serves nearly 250 million Yahoo! Mail users today -- users who might want to help you make some cash with your application.
...
The Yahoo! Mail Web Service is a big release for Yahoo! and the Internet, and it's only the beginning of what you'll be seeing from Yahoo!. Jump into our code samples for Java, .NET, PHP, Perl and Python, and build your dream mail app today, then be sure to give us feedback on your experience so we can continue to make the API even better. Be sure to leverage the online Yahoo! Mail Web Service support group where you can get help from the Yahoo! Mail Web Service team and your fellow developers. We can't wait to see what applications you will build when you add your imagination to the platform. Maybe you want to build an application that backs up Yahoo! mail targeted at a large number of Yahoo! users, or maybe you just want to add a niche feature that makes Yahoo! Mail better for your mom. For inspiration, we've gathered a few applications:

Yahoo! Mail Search (Mail Plus)
Flickr Postcard
Yahoo! Mail with Flickr Image Association

First things first, this is an unprecedented and very welcome move on the part of Yahoo! This is another example of why I think of the three major Web portals, Yahoo! has done the best job of turning their services into a developer platform. I like the fact that the Web service is exposed over multiple protocols and the code samples are in multiple programming languages that run the gamut from enterprise developer fare (Java/.NET) to Web geek fare (Perl/Python/PHP). Mad props to the developer platform folks at Yahoo!, good work.

With that out of the way, there is some stuff that has me scratching my head after taking a look at the Yahoo! Mail Web Service User Guide and API Reference. The first thing that is weird is that although Yahoo! provides SOAP and RESTful JSON web services for accessing one's mail, I still can't get POP access to my Yahoo! mail without shelling out $20/year. After all, GMail has POP access for free and users of the free versions of Windows Live Hotmail can get POP-like access if they use Windows Live Mail desktop although they are restricted to using one mail client.

So I decided to see if the Yahoo! Mail Web Services provides a way around this restriction but found out from the section on "Determining the Users Account Capabilities" that

The Yahoo! Mail Web Service limits the functionality available to free accounts. Premium accounts have no such limits. First call the GetUserData method to get the user’s account type from the web service.

Account Types

●

Premium Users

Premium users may access any part of the web service. There are no restrictions.

●

Non-Premium Users

Non-Premium users are restricted to the following APIs:

ListFolders

ListMessages

DeleteMessages

GetUserData

BatchExecute

CreateFolder

FetchExternalMail

RemoveFolder

RenameFolder

MoveMessages

EmptyFolder

Calls to other APIs will return an error.

So it looks like I actually can't build an application that can be used to read the actual mail messages from my Yahoo! Mail account with the API unless I'm a premium user. Otherwise, all I can do is list the messages but not actually get their content. That makes the APIs a lot less cool than I initially thought.

Like Sam Ruby and Paul Downey I initially wondered about the choice of exposing a SOAP API but then realized that it may be that they already use SOAP internally so this wasn't that much work for them in that case. I also wondered about the lack of a RESTful non-SOAP XML interface as well but after looking at the complex object models I can see why they went with data formats that are pretty much serialized object models (i.e. Javascript OBJECT Notation & Simple OBJECT Access Protocol) instead of expecting developers to write a bunch of gnarly XML parsing code for processing over a dozen different response formats from the 23 methods in the Yahoo! Mail Web Service.

I suspect that Yahoo! won't get as much traction as they expect with the API until they remove some of the restrictions on non-premium accounts. Even then it does look like there is enough to build Windows and Windows Live gadgets for Yahoo! Mail that show your messages. Except that there is no way to read the mail contents and not even a way to link to the message in way that sends the user to Yahoo! Mail to read its contents. I bet if Yahoo! fixed the latter and perhaps had a rev-share with people who drove clicks back to the Web-based mail client, things would get very interesting. I wonder if Jeremy is listening?

Categories: Competitors/Web Companies | Web Development

March 19, 2007

@ 04:26 PM

Living Without Database Transactions

Via Joe Gregorio I found a post entitled Transactionless by Martin Fowler. Martin Fowler writes

A couple of years ago I was talking to a couple of friends of mine who were doing some work at eBay. It's always interesting to hear about the techniques people use on high volume sites, but perhaps one of the most interesting tidbits was that eBay does not use database transactions.
...
The rationale for not using transactions was that they harm performance at the sort of scale that eBay deals with. This effect is exacerbated by the fact that eBay heavily partitions its data into many, many physical databases. As a result using transactions would mean using distributed transactions, which is a common thing to be wary of.
This heavy partitioning, and the database's central role in performance issues, means that eBay doesn't use many other database facilities. Referential integrity and sorting are done in application code. There's hardly any triggers or stored procedures.

My immediate follow-up to the news of transactionless was to ask what the consequences were for the application programmer, in particular the overall feeling about transactionlessness. The reply was that it was odd at first, but ended up not being a big deal - much less of a problem than you might think. You have to pay attention to the order of your commits, getting the more important ones in first. At each commit you have to check that it succeeded and decide what to do if it fails.

I suspect that this is one of those topics like replacing the operations team with the application developers which the CxOs and architects think is a great idea but is completely hated by the actual developers. We follow similar practices in some aspects of the Windows Live platform and I've heard developers complain about the fact that the error recovery you get for free with transactions is left in the hands of application developers. The biggest gripes are always around rolling back complex batch operations. I'm definitely interested in learning more about how eBay makes transactionless development as easy as they claim, I wonder if Dan Pritchett's talk is somewhere online?

The QCon conference wasn't even on my radar but if Dan Pritchett's talk is indicative of the kind of content that was presented, then it looks like I missed out. Looking at the list of speakers it looks like a conference I wouldn't have minded attending and submitting a paper for. I wonder if there'll be a U.S. version of the conference in the future?

Categories: Web Development

March 15, 2007

@ 03:39 PM

Amazon S3 & EC2: What's the Endgame?

A number of blogs I read have been talking about Amazon's S3 service a lot recently. I've seen posts from Jeff Atwood, Shelley Powers and most recently Dave Winer. I find it interesting that S3 is turning into a classic long tail service that works for both startups who are spending hundreds of thousands to millions of dollars a year to service millions of users (like Smugmug) to bloggers who need some additional hosting for their cat pictures. One reason I find this interesting is that it is unclear to me S3 is a business that will be profitable in the long term by itself.

My initial assumption was that S3 was a way for Amazon to turn a lemons into lemonade with regards to bandwidth costs. Big companies like Amazon are usually billed for bandwidth using 95th percentile billing, which is explained below

With 95th percentile billing, buyers are billed each month at a fixed price multiplied by the peak traffic level, regardless of how much is used the rest of the time. Thus with the same nominal price, the effective price is higher for buyers with burstier traffic patterns.

So my assumption was that S3 allows Amazon to make money from bandwidth they were already being charged for and not using. As for storage, my guess is that they are either making a miniscule amount of profit or at cost. Where this gets tricky is that, if S3 gets popular enough then all of a sudden it no longer is a way to make money from bandwidth they are being billed for but aren't using but instead impacts their actual bandwidth costs which then changes the profit equation for the service. Without any data on Amazon's cost structure it is unclear whether this would make the service unprofitable or whether this is already factored into their pricing.

On the other hand, Amazon's Elastic Compute Cloud (EC2) isn't something I've seen a lot of bloggers rave about. However it seems to be the service that shows that Amazon is making a big play to be the world's operating system in the sky as opposed to dabbling in providing some of its internal services to external folks as a cost savings measure. With EC2 you can create a bunch of virtual servers in their system and load it up with an Amazon Machine Image (AMI). An AMI is basically a server operating system and the platform components you need on it. Typical AMIs are an instance of a LAMP system (Linux/Apache/MySQL/PHP/Perl/Python) although I did see one AMI that was an instance of Windows 2003 server. You can create as many or as few server instances as you need and are billed just for what you need.

I suspect that the combination of EC2 and S3 is intended to be very attractive to startups. Instead of spending hundreds of thousands of dollars building out clusters of servers, you just pay as you go when you get your monthly bill. There are only two problems with this strategy that I can see. The first is that, if I was building the next Digg, Flickr or del.icio.us I'm not sure I'd want to place myself completely at the mercy of Amazon especially since there doesn't seem to be any SLA published on the site. According to the CEO of Smugmug in his post Amazon S3: Outages, slowdowns, and problems they've had four major problems with S3 in the past year which has made them rely less on the service for critical needs. The second issue is that VC money is really, really, really easy to come by these days judging from the kind of companies that get profiled on TechCrunch and Mashable. If the latter should change, it isn’t hard to imagine dozens of enterprising folks with a couple of thousand dollars in their pockets deciding to go with S3 + EC2 instead of seeking VC funding. But for now, I doubt that this will be the case.

What I suspect is that without some catalyst (e.g. the next YouTube is built on S3 + EC2)these services will not reach their full potential. This would be unfortunate because I think in much the same way we moved from everyone rolling their own software to shrinkwrapped software, we will need to move to shrinkwrapped Web platforms in the future instead of everyone running their own ad-hoc cluster of Windows or LAMP servers and solving the same problems that others have solved thousands of times already.

I wonder if Amazon has considered tapping the long tail by going up against GoDaddy's hosting services with S3 + EC2. They have the major pieces already although it seems that their prices would need to go down to compete with what GoDaddy charges for bandwidth although I suspect that Amazon's quality of service would be better.

Categories: Competitors/Web Companies | Web Development

March 14, 2007

@ 05:00 PM

Brendan Eich on Mozilla and the Future of AJAX

Brendan Eich has a post on the Mozilla roadmap blog entitled The Open Web and Its Adversaries which references one of my posts on whether AJAX will remain as the technology of choice for building Rich Internet Applications. He writes

open standards and open source both empower user-driven innovation. This is old news to the Mozilla user community, who have been building and feeding back innovations for the life of the project, increasing over time to include Firefox add-ons and GreaseMonkey user scripts. (BTW, I am pushing to make add-on installation not require a restart in Firefox 3, and I intend to help improve and promote GreaseMonkey security in the Firefox 3 timeframe too.) Without forking, even to make private-label Firefoxes or FlashPlayers, users can innovate ahead of the vendor's ability to understand, codify, and ship the needed innovations.
Consider just the open standards that make up the major web content languages: HTML, CSS, DOM, JS. These mix in powerful ways that do not have correspondences in something like a Flash SWF. There is no DOM built inside the FlashPlayer for a SWF; there's just a display list. There's no eval in ActionScript, and ActionScript features a strict mode that implements a static type checker (with a few big loopholes for explicit dynamic typing). You can't override default methods or mutate state as freely as you can in the browser content model. Making a SWF is more like making an ASIC -- it's "hardware", as Steve Yegge argues.
This is not necessarily a bad thing; it's certainly different from the Open Web.
...
Dare Obasanjo argues that developers crave single-vendor control because it yields interoperation and compatibility, even forced single-version support. Yet this is obviously not the case for anyone who has wasted time getting a moderately complex .ppt or .doc file working on both Mac and Windows. It's true for some Adobe and Microsoft products, but not all, so something else is going on. And HTML, CSS, DOM and JS interoperation is better over time, not worse. TCP/IP, NFS, and SMB interoperation is great by now. The assertion fails, and the question becomes: why are some single-vendor solutions more attractive to some developers? The answers are particular, not general and implied simply by the single-vendor condition.

I'm surprised to see Brendan Eich conflating "openness" with the features of a particular technology. I'll start with Brendan's assertion that open standards and open source enable user-driven innovation. Open source allows people to modify the software they've been distributed however they like. Open standards like HTTP, FTP and NNTP allow people to build applications that utilize these technologies without being beholden to any corporate or government entity. It's hard for me to see how open standards enable user-driven innovation in the same way that open source does. I guess the argument could be made that open source applications built on proprietary technologies aren't as "free" as open source applications that implement open standards. I can buy that. I guess.

The examples of Firefox add-ons and GreaseMonkey user scripts don't seem to be an example of open source and open standards enabling user-driven innovation. They seem to be examples of why building an application as a platform with a well-designed plugin model works. After all, we have plugins for Internet Explorer, Gadgets for Google Personalized Homepage and Add-ins for Visual Studio which are all examples of user-driven innovation as plugins for an application which are built on a proprietary platform often using proprietary technologies. My point is

open_source + open_standards != user_driven_innovations;

Being open helps, but it doesn't necessary lead to user driven innovations or vice versa. The rest of Brendan's post is even weirder because he presents the features of Flash's ActionScript versus AJAX (i.e. [X]HTML/CSS/Javascript/DOM/XML/XmlHttpRequest) as the conflict between properietary versus open technologies. Separating content from presentation, dynamic programming languages and rich object models are not exclusively the purvey of "open" technologies and it is disingenious for Brendan to suggest that.

After all, what happens when Adobe and Microsoft make their RIA platforms more "Web-like"? Will the debate devolve into the kind of semantic hairsplitting we've seen with the OpenXML vs. ODF debate where Microsoft detractors are now attacking Microsoft for opening up and standardizing its XML file formats when their original arguments against the file formats where that they weren't open?

Personally, I'd like to see technical discussions on the best way to move the Web forward instead of the red herring of "openness" being thrown into the discussion. For instance, what are the considerations Web developers should make when they come to the crossroads where Adobe is offering Flash/Flex, Microsoft is offering WPF/E and the Mozilla & co are offering their extensions to the AJAX model (i.e. HTML 5) as the one true way? I've already stated what I think in my post What Comes After AJAX? and so far Adobe looks like they have the most compelling offering for developers but it is still early in the game and neither Microsoft nor Mozilla have fully shown their hands.

Categories: Web Development

March 13, 2007

@ 06:18 PM

What is OpenID Good For?

Tim Bray has an excellent post entitled OpenID which attempts to separate hype from fact when it comes to the technorati's newest darling, OpenID. He writes

The buzz around OpenID is becoming impossible to ignore. If you don't know why, check out How To Use OpenID, a screencast by Simon Willison. As it's used now (unless I'm missing something) OpenID seems pretty useless, but with only a little work (unless I'm missing something) it could be very useful indeed.
Problem: TLS · The first problem is that OpenID doesn't require the use of TLS (what's behind URIs that begin with https:).
...
Problem: What's It Mean? · Another problem with OpenID is that, well, having one doesn't mean very much; just that you can verify that some server somewhere says it believes that the person operating the browser owns that ID.
...
Problem: Phishing · This is going to be a problem, but I don't think it's fair to hang it on OpenID, because it's going to be equally a problem with any browser-based authentication. Since browser-based authentication is What The People Want, we're just going to have to fight through this with a combination of browser engineering and (more important) educating the general public
...
The Real Problem · Of course, out there in the enterprise space where most of Sun's customers live, they think about identity problems at an entirely different level. Single-sign-on seems like a little and not terribly interesting piece of the problem. They lose sleep at night over "Attribute Exchange";once you have an identity, who is allowed to hold what pieces of information about you, and what are the right protocols by which they may be requested, authorized, and delivered? The technology is tough, but the policy issues are mind-boggling.
So at the moment I suspect that OpenID isn't that interesting to those people.

I've been thinking about OpenID from the context of authorization and sharing across multiple social networks. Until recently I worked on the authorization platform for a lot of ~~MSN~~ Windows Live properites (i.e. the platform that enables setting permissions on who can view your Windows Live Space, MSN Calendar, or Friends list from Windows Live Messenger). One of the problems I see us facing in the future is lack of interoperability across multiple social networks. This is a problem when your users have created their friend lists (i.e. virtual address books) on sites like Facebook, Flickr or MySpace. One of the things you notice about these services is that they all allow you to set permissions on who can view your profile or content.More importantly, if your profile/content is non-public then they all require that the people who can view your profile must have an account with their service. We do the same thing across Windows Live so it isn't a knock on them.

What I find interesting is this; what if on Flickr I could add http://mike.spaces.live.com as a contact then give Mike Torres permission to view my photos without him having to get a Yahoo! account? Sounds interesting doesn't it? Now let's go back to the issues with OpenID raised by Tim Bray.

The first thing to do is to make sure we all have the same general understanding of how OpenID works. It's basically the same model as ~~Microsoft Passport~~ Windows Live ID, Google Account Authentication for Web-Based Applications and Yahoo! Browser Based Authentication. A website redirects you to your identity provider, you authenticate yourself (i.e. login) on your identity providers site and then are redirected back to the referring site along with your authentication ticket. The ticket contains some information about you that can be used to uniquely identify you as well as some user data that may be of interest to the referring site (e.g. username). Now we have a high level understanding of how it all works, we can talk about Tim Bray's criticisms.

TLS/SSL
On the surface it makes sense that identity providers should use SSL when you login to your account after being redirected there by a service that supports OpenID. However as papers like TrustBar: Protecting (even Naïve) Web Users from Spoofing and Phishing Attacks, SSL/TLS does little to prevent the real security problems on the Web today, namely Web page spoofing (i.e. Phishing) and the large amount of malware on user PCs which could be running key loggers. This isn't to say that using SSL/TLS isn't important, just that it's like putting bars on your windows and leaving the front door open. Thus I can understand why it isn't currently required that identity providers support SSL/TLS. However a little security is better than no security at all.

What Does It Mean?
I agree with Tim Bray that since OpenID is completely decentralized, websites that support it will likely end up creating whitelists of sites they want to talk to otherwise they risk their systems being polluted by malicious or inconsiderate OpenID providers. See Tim Bray's example of creating http://www.tbray.org/silly-id/ which when queried about any OpenID beginning with that URI instantly provides a positive response without authenticating the user. This allows multiple people to claim http://www.tbray.org/silly-id/BillGates for example. Although this may be valid if one was creating the OpenID version of BugMeNot, it is mostly a nuisance to service providers that want to accept OpenID.

Phishing
Using susceptibility to phishing as an argument not to use OpenID seems like shutting the barn door when the horse has already bolted. The problem is that security conscious folks don't want users getting used to the idea of providing their username and password for one service whenever prompted by another service. After all, the main lesson we've been trying to teach users about preventing phishing is to only enter their username and password to their primary sites when they type them in themselves not when they follow links. OpenID runs counter to this teaching. However the problem with that teaching is that users are already used to doing this several times a day. Here are three situations from this morning where I've been asked to enter my username and password from one site on another

Connected Desktop Apps: Google Toolbar prompts me for my Gmail username and password when I try to view my bookmarks. The goal of the Google Account Authentication is to create a world where random apps asking me for my Gmail username and password by redirecting me to the Google login page is commonplace. The same goes for the the various Flickr uploader tools and Yahoo! Browser Based Authentication
Importing Contacts: On Facebook, there is an option to import contacts from Yahoo! Mail, Hotmail, AOL and Gmail which requires me to enter my username and password from these services into their site. Every time I login to Yahoo! Mail there is a notice that asks me to import my contacts from other email services which requires me to give them my credentials from these services as well.
Single Sign-On: Whenever I go to the Expedia sign-in page I'm given the option of signing in with my .NET Passport which happens to be the same username and password I use for all Windows Live and MSN services as well as company health site that has information about any medical conditions I may have.

Given the proliferation of this technique in various contexts on the Web today, it seems partisan to single out OpenID as having problems with phishing. If anything, THE WEB has a problem with phishing which needs to be solved by the browser vendors and the W3C who got us in this mess in the first place.

Attribute Exchange
This usually goes hand in hand with any sort of decentralized/federated identity play. So let's say I can now use my Windows Live ID to login to Flickr. What information should Flickr be able to find out about me from talking to Windows Live besides my username? Should I be able to control that or should it be something that Flickr and Windows Live agree on as part of their policies? How is the user educated that the information they entered in one context (i.e. in Windows Live) may be used in a totally different context on another site. As Tim Bray mentioned in his post, this is less of a technology issue and more a policy thing that will likely differ for enterprises versus "Web 2.0" sites. That said, I'm glad to see that Dick Hardt of Sxip Identity has submitted a proposal for OpenID Attribute Exchange 1.0 which should handle the technology aspect of the problem.

Disclaimer: This is not an endorsement of OpenID by Microsoft or an indication of the future direction of authentication and authorization in Windows Live. This is me brainstorming some ideas in my blog and seeing whether the smart folks in my reader base think these ideas make sense or not.

Categories: Web Development

March 6, 2007

@ 03:33 PM

When JSON isn't JSON

The hottest story on Planet Intertwingly today is Rob Yates' blog post entitled Safe JSON which goes over a number of security issues one can face when exposing services using JSON. He goes ahead to describe the following approaches

Approach 1 - Plain JSON: Simply return JSON

Approach 2 - var assignment: Assign the JSON object to some variable that can then be accessed by the embedding application (not an approach used by Yahoo).

Approach 3 - function callback: When calling the JSON Web Service pass as a parameter a callback function. The resulting JSON response passes the JSON object as a parameter to this callback function.

There are a number of good responses in the comments. The only thing I wanted to point out is that only Approach 1 can really be called using JSON. The other two are "accepting arbitrary code from a third party and executing it" which is such a ridiculously bad idea that we really need to stop talking about it in civilized company. It seems silly to point out specific security or privacy issues with using that approach when the entire concept of building Web services in that manner is fundamentally insecure and downright dangerous.

PS: It looks like Rob Sayre beat me to saying this. :)

Categories: Web Development

March 6, 2007

@ 03:11 PM

Comments [16]

What Comes After AJAX?

I've been thinking about AJAX a lot recently. Between reviewing a book on the subject, reading some of the comments coming out of the Adobe Engage event and chatting with some coworkers at dinner about WPF/E I've had a lot of food for thought.

I'll start with an excerpt from Ted Leung's post entitled Adobe wants to be the Microsoft of the Web

The problem as I see it
I think that a lot (but not all) apps will become RIA’s, and the base platform technology for RIA’s is very important. Too important to be controlled, or designed by any single party. The current vogue toolchain, AJAX, has this property. It also has the property of being a cross platform development nightmare. On the desktop, you commit yourself to a single cross platform library/technology, and then you spend the rest of your time wrestling with it. In AJAX, you have multiple browsers on each platform that you want to support. Not only that, you have multiple versions of each browser.
...
Flash/Flex
Enter Flash/Flex. Flash has a great cross platform story. One runtime, any platform. Penetration of the Flash Player is basically the same as penetration of browsers capable of supporting big AJAX apps. There are nice development tools. This is highly appealing.
What is not appealing is going back to a technology which is single sourced and controlled by a single vendor. If web applications liberated us from the domination of a single company on the desktop, why would we be eager to be dominated by a different company on the web?

Most people who've done significant AJAX development will admit that the development story is a mess. I personally don't mind the the Javascript language but I'm appalled that the most state of the art development process I've found is to use Emacs to edit my code, Firebug to debug in Firefox and attaching Visual Studio to the Internet Explorer processes to debug in IE. This seems like a joke when compared to developing Java apps in Eclipse or .NET applications in Visual Studio. Given how hypercompetitive the "Web 2.0" world is, I doubt that this state of affairs will last much longer. There is too much pressure on Web companies to improve their productivity and stand out in a world full of derivative YouTube/MySpace/Flickr knock offs. If one company finds a way to be more productive and/or build richer Web applications the rest of the industry will follow. This is pretty much what happened with Google and AJAX as well as with YouTube and Flash Video. Once those companies showed how much value they were getting from technologies which were once passe, everyone jumped on the bandwagon. This means that it is inevitable that Rich Internet Applications will eventually be built on a platform that provides a better development experience than AJAX does today. The only questions are how quickly will this happen and which technology will replace AJAX?

Ted Leung mentions two contenders for the throne; Flash/Flex and OpenLaszlo. I'll add a third entry to that list, Windows Presention Foundation/Everywhere (WPF/E). Before discussing what it will take for one of these contenders to displace AJAX, I should point out that being "open" has nothing to do with it. Openness is not a recipe for success when it comes to development platforms. According to TIOBE Java is the most popular programming language today and it was a proprietary language tightly controlled by Sun Microsystems. Before that, it was commonly stated that Visual Basic was the most popular programming language and it was a proprietary language controlled by Microsoft. I believe these count as existence proofs that a popular development platform can rise to the top while being controlled by a single vendor.

So what will it take for an RIA platform to displace the popularity of AJAX besides being able to build richer user interfaces?

Ubiquity: Over 95% of the Web users are using an AJAX capable browser. Any replacement for AJAX must have similar penetration or it's dead in the water. No one wants to turn away customers especialy when it's competitors aren't doing anything that stupid.
Debug Once, Run Anywhere: The biggest problem with AJAX is that it isn't a single development platform. Being able to write an application and debug it once instead of having a different debugging and runtime experience for Internet Explorer, Firefox and Safari is the killer productivity enhancer. Of course, there will always be differences between environments but if we can move to a world where RIA development is more like cross-platform Java development as opposed to cross-platform C++ development (yes, I know that's an oxymoron) then we all win.
Continuoum of Development Tools: I don't need expensive development tools to become an AJAX developer, however if I feel that I need heavy duty tooling I can buy Visual Studio 2005 then download ASP.NET AJAX to get a fancy integrated development environment. Any platform that expects to replace AJAX needs to have a continuoum with high quality, free & Open Source tools on one end and expensive, proprietary and "rich" tools at the other. The Java world with it's culture of Open Source tools like Eclipse, JBoss and Hibernate coexisting with overpriced tools from big vendors like IBM WebSphere and BEA WebLogic is the best example of this to date. That way the hackers are happy and the suits are happy as well.

So far Adobe seems closer than anyone in getting the trifecta. In a year or two, things might look different.

Categories: Web Development

February 12, 2007

@ 08:13 PM

Usage Specific robots.txt Directives

A couple of weeks ago I read a blog post by Matt Cutts entitled What did I miss last week? where he wrote

- Hitwise offered a market share comparison between Bloglines, Google Reader, Rojo, and other feed readers that claimed Bloglines was about 10x more popular than Google Reader. My hunch is that both AJAX and frames may be muddying the water here; I’ve mentioned that AJAX can heavily skew pageview metrics before. If the Google Reader team gets a chance to add subscriber numbers to the Feedfetcher user-agent (which may not be a trivial undertaking, since they probably share code with other groups at Google that fetch using the same bot mechanism), that would allow an apples-to-apples comparison.

As I was thinking about the fact that Google Reader can't make changes to the FeedFetcher user agent without tightly coupling a general platform component that likely services Google Reader, Google Homepage, Google Blog Search and other services with their own. I realized that by using one user agent for all of this servides, it pretty much makes it impossible for Web masters to exclude themselves from some of Google's crawlers.

Exactly how one would go about creating a robots.txt file that limits your feed from showing up in Google Blog Search results but doesn't end up exlcuding you from Google Reader and Google Homepage as well? I can't think of a way to do this but maybe it's because my kung fu is weak. Any suggestions?

PS: This isn't work related.

Categories: Web Development

February 8, 2007

@ 11:11 PM

Netvibes: A Lesson in How to Build an Insecure Widgets Platform

Niall Kennedy has a blog post entitled Netvibes module developer collects web credentials, personal content where he writes

A developer created a Netvibes module and submitted it for inclusion in the Netvibes Ecosystem module directory. A Netvibes employee examined and approved the submitted module for inclusion in the directory. The remotely-hosted module was then altered by the developer to retrieve stored preferences from other configured modules and store information from other modules loaded in the page such as the contents of a webnote, the user's latest Gmail messages, upcoming appointments and contacts, etc. The developer stored this data in a remote database and later examined his collected findings.

Each Netvibes module is rendered inline, meshing the markup generated by the module with the rest of the page's content. A module developer is encouraged to access only their own module's content using a special Netvibes variable, but any developer can request other content on the page through standard JavaScript or the Prototype JavaScript framework.

I talked to Niall about this on IM and upon reading the blog post from the Netvibes team as well as Niall's summary of the situations it seems they are doing at least three things wrong from a security perspective.

3rd party gadgets hosted inline within the page instead of within iframes which means the gadget can walk the DOM and interact with other gadgets on the page.
3rd party gadgets are fetched from 3rd party domains instead of a snapshot of the code being run from their domains which means malicious developers can alter their gadgets after they have been submitted
3rd party gadgets not hosted on a separate top level domain which means gadgets may may be able to set and read cookies from the *.netvibes.com domain

All of these are safeguards that we take in Windows Live Gallery, Windows Live Spaces and Live.com to prevent malicious gadgets. I'm stunned that the response of the Netvibes developers is to change the text of their warning message and allow user rating of gadgets. Neither of are significant mitigations to the threats to their service and I'd recommend that they reconsider and actually secure their service instead of pushing this onto their users.

Categories: Web Development

February 6, 2007

@ 05:48 PM

Microsoft Working on OpenID Support

It looks like we just announced that we'll be supporting OpenID at the RSA conference. Official details are in the press release Microsoft Outlines Vision to Enable Secure and Easy Anywhere Access for People and Organizations which states

To further enable the vision of secure and easy anywhere access, Microsoft today announced the following product milestones and industry alliances:
...
On the heels of the Windows® CardSpace™ general availability launch in Windows Vista™, Microsoft demonstrated momentum with industry partners that are working to apply this technology to help consumers realize a more confident online experience. This includes the announcement of collaboration on use of Windows CardSpace with the OpenID 2.0 specification. Through the support of the WS-Trust-based Windows CardSpace experience, consumers can take advantage of increased security against phishing attacks without adding complexity to their identity management experience. Also at the conference, Wachovia Corp., Arcot Systems Inc. and Corillian Corp. showcased a proof of concept demonstration using Windows CardSpace to deliver a simpler and safer online banking experience for customers.

I'm glad to see the Web platform teams at Microsoft getting better at watching what's going in the Web developer community and adapting their plans to accomodate them. AJAX, RSS, and RESTful Web Services are all trends that started outside the B0rg cube that the platform teams have embraced after some initial resistance. With OpenID it didn't take as long for us to go through the NIH<->FUD<->Acceptance<->Approval<->Adoption cycle that I've come to expect from my fellow B0rg. It seems we have adapted.

You can get some more details about the announcement from Kim Cameron's blog post CardSpace / OpenID Collaboration Announcement which has more details on which companies are collaborating with Microsoft in this effort.

Categories: Web Development | XML Web Services

January 16, 2007

@ 08:23 PM

Google's Month of Security Flaws

By now it's common news that Google has been hit by what seems like half a dozen or more cross site scripting security flaws in the past month. If you missed the news, you can read blog posts like More Google security failures and Wow, more Google XSS problems which contain links to some of the stories of recent exploits. The bugs in those blog posts aren't exhaustive, I've seen some blog posts about exploits that don't seem to have hit the mainstream tech blogs such as the one mentioned in the blog post Pending Members - Google Groups XSS Bug [Part 2].

Anyway, the fact that Google is having problems with XSS issues isn't terribly interesting and should be an expected part of the growing pains as they go from a service that doesn't store any user data to one that aims to be the repository of all their user's data. That requires an entirely different approach to security. What I did find interesting was a blog post on the Google Blogoscoped blog entitled On Google Security which stated

Today, it almost seems as if every single product team in the Googleplex has the “power” to accidentally introduce a Google Account risk with an HTML injection hole, or another kind of cross-site scripting issue. An exotic Blogger bug was able to reveal your Google Docs, even if you’re not blogging with Blogger – an improbable Google Base bug was able to reveal your personalized homepage, even when you’ve never worked with Google Base**. I would argue: these things happen, individual developers and developer teams make errors. It’s impossible not to. There are ways to automatically test against HTML injections, but such tools too need to be handled by humans.

The real problem, and solution, might be on the higher level of the system architecture – the way Google integrates its services and handles cookie data. Right now, the Google Office product partly resembles a mighty convenient & long chain... a chain which is only as strong as its weakest link. Is this a trade-off we’ll just have to make with future web apps, or are there ways to improve on the situation... either by users, or those building browsers, or those developing web apps?

Those who ignore history are doomed to repeat it. None of the problems listed are unique to Google. Any portal that provides multiple services that require the user to login is vulnerable to these problems. This includes competing portals like Yahoo!, MSN and AOL. All of these services have had to encounter and protect users against the very same problems Google is having difficulty dealing with today.

It is likely that with time, Google will stumble upon the same set of best practices that are common knowledge amongst its portal competitors who have been in the game a lot longer. Thinking that this is a problem that affects "the future of Web apps" ignores the history of the Web.

In the meantime, if you are a Web developer at Google, I'd suggest reading Chapter 12 of Writing Secure Code by Michael Howard. After that, take a look at You know about XSS. How about XSRF/CSRF? which happens to use a Google service as an example of Cross Site Request Forgery attack (XSRF).

That which doesn't kill us only makes us stronger. ;)

Categories: Competitors/Web Companies | Web Development

January 2, 2007

@ 07:55 PM

JSON vs. XML: Browser Programming Models

Over the holidays I had a chance to talk to some of my old compadres from the XML team at Microsoft and we got to talking about the JSON as an alternative to XML. I concluded that there are a small number of key reasons that JSON is now more attractive than XML for kinds of data interchange that powers Web-based mashups and Web gadgets widgets. This is the second in a series of posts on what these key reasons are.

In my previous post, I mentioned that getting around limitations in cross domain requests imposed by modern browsers has been a key reason for the increased adoption of JSON. However this is only part of the story.

Early on in the adoption of AJAX techniques across various Windows Live services I noticed that even for building pages with no cross domain requirements, our Web developers favored JSON to XML. One response that kept coming up is the easier programming model when processing JSON responses on the client than with XML. I'll illustrate this difference in ease of use via a JScript code that shows how to process a sample document in both XML and JSON formats taken from the JSON website. Below is the code sample

var json_menu = '{"menu": {' + '\n' +
'"id": "file",' + '\n' +
'"value": "File",' + '\n' +
'"popup": {' + '\n' +
'"menuitem": [' + '\n' +
'{"value": "New", "onclick": "CreateNewDoc()"},' + '\n' +
'{"value": "Open", "onclick": "OpenDoc()"},' + '\n' +
'{"value": "Close", "onclick": "CloseDoc()"}' + '\n' +
']' + '\n' +
'}' + '\n' +
'}}';

var xml_menu = '<menu id="file" value="File">' + '\n' +
'<popup>' + '\n' +
'<menuitem value="New" onclick="CreateNewDoc()" />' + '\n' +
'<menuitem value="Open" onclick="OpenDoc()" />' + '\n' +
'<menuitem value="Close" onclick="CloseDoc()" />' + '\n' +
'</popup>' + '\n' +
'</menu>';

WhatHappensWhenYouClick_Xml(xml_menu);
WhatHappensWhenYouClick_Json(json_menu);

function WhatHappensWhenYouClick_Json(data){

var j = eval("(" + data + ")");

WScript.Echo("When you click the " + j.menu.value + " menu, you get the following options");

for(var i = 0; i < j.menu.popup.menuitem.length; i++){
   WScript.Echo((i + 1) + "." + j.menu.popup.menuitem[i].value
    + " aka " + j.menu.popup.menuitem[i].onclick);
}

}

function WhatHappensWhenYouClick_Xml(data){

var x = new ActiveXObject( "Microsoft.XMLDOM" );
x.loadXML(data);

WScript.Echo("When you click the " + x.documentElement.getAttribute("value")
                + " menu, you get the following options");

var nodes = x.documentElement.selectNodes("//menuitem");

for(var i = 0; i < nodes.length; i++){
   WScript.Echo((i + 1) + "." + nodes[i].getAttribute("value") + " aka " + nodes[i].getAttribute("onclick"));
}
}

When comparing both sample functions, it seems clear that the XML version takes more code and requires a layer of mental indirection as the developer has to be knowledgeable about XML APIs and their idiosyncracies. We should dig a little deeper into this.

A couple of people have already replied to my previous post to point out that any good Web application should process JSON responses to ensure they are not malicious. This means my usage of eval() in the code sample, should be replaced with JSON parser that only accepts 'safe' JSON responses. Given that that there are JSON parsers available that come in under 2KB that particular security issue is not a deal breaker.

On the XML front, there is no off-the-shelf manner to get a programming model as straightforward and as flexible as that obtained from parsing JSON directly into objects using eval(). One light on the horizon is that E4X becomes widely implemented in Web browsers . With E4X, the code for processing the XML version of the menu document above would be

function WhatHappensWhenYouClick_E4x(data){

var e = new XML(data);

WScript.Echo("When you click the " + j.menu.value + " menu, you get the following options");

foreach(var m in e.menu.popup.menuitem){
WScript.Echo( m.@value + " aka " + m.@onclick);
}

}

However as cool as the language seems to be it is unclear whether E4X will ever see mainstream adoption. There is an initial implementation of E4X in the engine that powers the Firefox browser which seems to be incomplete. On the other hand, there is no indication that either Opera or Internet Explorer will support E4X in the future.

Another option for getting the simpler object-centric programming models out of XML data could be to adopt a simple XML serialization format such as XML-RPC and providing off-the-shelf Javascript parsers for this data format. A trivial implementation could be for the parser to convert XML-RPC to JSON using XSLT then eval() the results. However it is unlikely that people would go through that trouble when they can just use JSON.

This may be another nail in the coffin of XML on the Web.

Categories: Web Development | XML | XML Web Services

January 2, 2007

@ 05:46 PM

JSON vs. XML: Browser Security Model

Over the holidays I had a chance to talk to some of my old compadres from the XML team at Microsoft and we got to talking about the JSON as an alternative to XML. I concluded that there are a small number of key reasons that JSON is now more attractive than XML for kinds of data interchange that powers Web-based mashups and Web gadgets widgets. This is the first in a series of posts on what these key reasons are.

The first "problem" that chosing JSON over XML as the output format for a Web service solves is that it works around security features built into modern browsers that prevent web pages from initiating certain classes of communication with web servers on domains other than the one hosting the page. This "problem" is accurately described in the XML.com article Fixing AJAX: XMLHttpRequest Considered Harmful which is excerpted below

But the kind of AJAX examples that you don't see very often (are there any?) are ones that access third-party web services, such as those from Amazon, Yahoo, Google, and eBay. That's because all the newest web browsers impose a significant security restriction on the use of XMLHttpRequest. That restriction is that you aren't allowed to make XMLHttpRequests to any server except the server where your web page came from. So, if your AJAX application is in the page http://www.yourserver.com/junk.html, then any XMLHttpRequest that comes from that page can only make a request to a web service using the domain www.yourserver.com. Too bad -- your application is on www.yourserver.com, but their web service is on webservices.amazon.com (for Amazon). The XMLHttpRequest will either fail or pop up warnings, depending on the browser you're using.

On Microsoft's IE 5 and 6, such requests are possible provided your browser security settings are low enough (though most users will still see a security warning that they have to accept before the request will proceed). On Firefox, Netscape, Safari, and the latest versions of Opera, the requests are denied. On Firefox, Netscape, and other Mozilla browsers, you can get your XMLHttpRequest to work by digitally signing your script, but the digital signature isn't compatible with IE, Safari, or other web browsers.

This restriction is a significant annoyance for Web developers because it eliminates a number of compelling end user applications due to the limitations it imposes on developers. However, there are a number of common workarounds which are also listed in the article

Solutions Worthy of Paranoia

There is hope, or rather, there are gruesome hacks, that can bring the splendor of seamless cross-browser XMLHttpRequests to your developer palette. The three methods currently in vogue are:

Application proxies. Write an application in your favorite programming language that sits on your server, responds to XMLHttpRequests from users, makes the web service call, and sends the data back to users.
Apache proxy. Adjust your Apache web server configuration so that XMLHttpRequests can be invisibly re-routed from your server to the target web service domain.
Script tag hack with application proxy (doesn't use XMLHttpRequest at all). Use the HTML script tag to make a request to an application proxy (see #1 above) that returns your data wrapped in JavaScript. This approach is also known as On-Demand JavaScript.

Although the first two approaches work, there are a number of problems with them. The first is that it adds a requirement that the owner of the page also have Web master level access to a Web server and either tweak its configuration settings or be a savvy enough programmer to write an application to proxy requests between a user's browser and the third part web service. A second problem is that it significantly increases the cost and scalability impact of the page because the Web page author now has to create a connection to the third party Web service for each user viewing their page instead of the user's browser making the connection. This can lead to a bottleneck especially if the page becomes popular. A final problem is that if the third party service requires authentication [via cookies] then there is no way to pass this information through the Web page author's proxy due to browser security models.

The third approach avoids all of these problems without a significant cost to either the Web page author or the provider of the Web service. An example of how this approach is utilized in practice is described in Simon Willison's post JSON and Yahoo!’s JavaScript APIs where he writes

As of today, JSON is supported as an alternative output format for nearly all of Yahoo!’s Web Service APIs. This is a Really Big Deal, because it makes Yahoo!’s APIs available to JavaScript running anywhere on the web without any of the normal problems caused by XMLHttpRequest’s cross domain security policy.

Like JSON itself, the workaround is simple. You can append two arguments to a Yahoo! REST Web Service call:
&output=json&callback=myFunction
The page returned by the service will look like this:
myFunction({ JSON data here });
You just need to define myFunction in your code and it will be called when the script is loaded. To make cross-domain requests, just dynamically create your script tags using the DOM:

var script = document.createElement('script');
script.type = 'text/javascript';
script.src = '...' + '&output=json&callback=myFunction';
document.getElementsByTagName('head')[0].appendChild(script);

People who are security minded will likely be shocked that this technique involves Web pages executing arbitrary code they retrieve from a third party site since this seems like a security flaw waiting to happen especially if the 3rd party site becomes compromised. One might also wonder what's the point of browsers restricting cross-domain HTTP requests if pages can load and run arbitrary Javascript code [not just XML data] from any domain.

However despite these concerns, it gets the job done with minimal cost to all parties involved and more often than not that is all that matters.

Postscript: When reading articles like Tim Bray's JSON and XML which primarily compares both data formats based on their physical qualities, it is good to keep the above information in mind since it explains a key reason JSON is popular on the Web today which turns out to be independent of any physical qualities of the data format.

Categories: Web Development | XML | XML Web Services

January 2, 2007

@ 04:37 PM

The GMail Security Flaw and Canary Values

Over the holidays I had a chance to talk to some of my old compadres from the XML team at Microsoft and we got to talking about the JSON as an alternative to XML. I concluded that there are a small number of key reasons that JSON is now more attractive than XML for kinds of data interchange that powers Web-based mashups and Web ~~gadgets~~ widgets. Expect a series of posts on this later today.

I wasn't sure I was going to write about this until I saw Mike Arrington's blog post about a GMail vulnerability which implied that this is another data point in the XML vs. JSON debate. On reading about the vulnerability on Slashdot I disagree. This seems like a novice cross site scripting vulnerability that is independent of JSON or XML, and is succintly described in the Slashdot comment by TubeSteak which states

Here's the super simple explanation

1. Gmail sets a cookie saying you're logged in
2. A [3rd party] javascript tells you to call Google's script
3. Google checks for the Gmail cookie
4. The cookie is valid
5. Google hands over the requested data to you

If [3rd party] wanted to keep your contact list, the javascript would pass it to a form and your computer would happily upload the list to [3rd party]'s server.

Mitigations to this problem are also well known and are also summarized in another Slashdot comment by buro9 who writes

When you surface data via Xml web services, you can only call the web service on the domain that the JavaScript calling it originates from. So if you write your web services with AJAX in mind exclusively, then you have made the assumption that JavaScript is securing your data.

The problem is created at two points:
1) When you rely on cookies to perform the implicit authentication that reveals the data.
2) When you allow rendering of the data in JSON which bypasses JavaScript cross-domain security.

This can be solved by doing two things:
1) Make one of the parameters to a web service a security token that authenticates the request.
2) Make the security token time-sensitive (a canary) so that a compromised token does not work if sniffed and used later..

The surprising thing is that I'd assumed that the knowledge of using canary values was commonplace but it took a lot longer than I expected to find a good bite size description of them. And when I did, it came from co-worker Yaron Goland in a comment to Mark Nottingham's post on DOM vs. Web where Yaron wrote

There are a couple of ways to deal with this situation:

Canaries - These are values that are generated on the fly and sent down with pages that contain forms. In the previous scenario evil.com wouldn't know what canary site X was using at that instant for that user and so its form post wouldn't contain the right value and would therefore be rejected. The upside about canaries is that they work with any arbitrary form post. The downside is that they require some server side work to generate and monitor the canary values. Hotmail, I believe, uses canaries.

Cookies - A variant on canaries is to use cookies where the page copies a value from a cookie into the form before sending it up. Since the browser security model only allows pages from the same domain to see that domain's cookie you know the page had to be from your domain. But this only works if the cookie header value isn't easily guessable so in practice it's really just canaries.

XMLHTTP - Using XMLHTTP it's possible to add HTTP headers so just throw in a header of any sort. Since forms can't add headers you know the request came from XMLHTTP and because of XMLHTTP's very strict domain security model you know the page that sent the request had to come from your site.

I guess just because something is common knowledge among folks building Web apps and toolkits at Microsoft doesn't mean it is common knowledge on the Web. This is another one of those things that everyone building Web applications should know about to secure their applications but very few actually learn.

Categories: Web Development

December 21, 2006

@ 04:03 AM

Widgets Become More Important than APIs for Data Exchange on the Web

There were two stories announced today with a couple of fairly obvious reactions.

Story: Google Replaces SOAP API with AJAX widget
Obvious Misinterpretation: Google Search API? - mistakes a Web service endpoint the widget talks to for a sanctioned API
Obvious Reaction: The end of SOAP
Story: del.icio.us announces AJAX widget
Obvious Misinterpretation: del.icio.us API for URL top tags, bookmark count - mistakes the web service endpoint the widget talks to for a sanctioned API
Obvious Reaction: God bless the re-inventers - complains that the "new API" uses JSON instead of XML-RPC

The obvious reaction was to make the Google and del.icio.us announcements into a REST vs. SOAP or XML vs. JSON story since geeks like to turn every business decision into a technology decision. However if you scratch the surface, the one thing that is slowly becoming clear is that providers of data services would rather provide you their data in ways they can explicitly monetize (e.g. driving traffic to their social bookmarking site or showing their search ads) instead of letting you drain their resources for free no matter how much geek cred it gets them in the blogosphere.

This is a good thing because it means that as an industry we are slowly figuring out why and how to provide Web APIs and Web services and when not to.

PS: If you are a site that thrives on user generated content this doesn't mean that you should replace APIs that make it easier to add content to your site (e.g. the MetaWeblog API, Flickr API or the del.icio.us API) with a widget. That would make you an idiot.

Categories: Web Development | XML Web Services

December 6, 2006

@ 02:50 AM

Widgets and Protecting Your Brand

Niall Kennedy has been on a roll in the past couple of weeks. He has a blog post entitled Brands will be widgetized, but who is the author? which tackles the interesting problem of widgets, branding and customer confusion. He writes

Sites with personal user data placed behind a username and password may be subject to new types of phishing attacks from the widget web. A user will likely locate your service's widget through the widget provider's directory, searching for terms such as "Gmail" and "eBay" to access their latest mail messages or watched auction items. These widgets will prompt the user for their login information before delivering personalized information from each service, leaving the trust of a brand in the hands of a third-party developer who may or may not act in the best interest of the data provider.

If Google Mail and eBay worked directly with the large widget producers to establish certified or trusted widget status they could reduce opportunities available for third party widgets offering enticing functionality to send messages to a remote server with collected user data. The trusted, certified, or verified seals provided by each widget platform is one way to ensure users receive the official product and not a knock-off.

This issue has been rattling around in my head ever since I wrote a Flickr gadget and a Blufr gadget for Windows Live Spaces. After all, I don't work for either company yet here I am writing gadgets that are being used by hundreds of users in their name. Who ends up getting the taint if my gadget is buggy or causes some problems for the user? Me or Flickr? What happens if legitimate looking gadgets like mine are actually fronts for phishing attacks? How can Flickr protect their users and their brand from malicious or just plain sloppy developers? I like the idea of the major widget galleries like Windows Live Gallery, Yahoo! Widget Gallery and Spring Widgets coming up with a notion of trusted or certified gadgets but it seems like an unfortunate hoop that web sites now need to jump through to police their brands on the various widgets sites on the Web. Reminds me of trademark holders having to rush to register their brand name as a domain whenever new TLDs are opened up.

PS: This is one of the reasons you don't see a bunch of Windows Live gadgets out there today. The brand dilution and phishing problem is a real one that worries lots of folks over here.

Categories: Competitors/Web Companies | Web Development

November 14, 2006

@ 05:24 PM

Tag Clouds 101

Tag clouds are already a pet peeve of mine because they are a poor navigational interface but it seems some people [who shall remain nameless] have found a way to make them even more annoying. If you look at the Wikipedia entry for Tag Cloud it clearly states

There are two main types of tag cloud, distinguished by their meaning rather than appearance.

In the first, size represents the number of times that tag has been applied to a single item. This is useful as a means of displaying metadata democratically 'voted' on and where precise results are not desired. A good example of this is Last.fm, which uses this method as a means of displaying the genre with which an artist or track has been tagged. about an item that has been
In the second, size represents the number of items that have been given that tag. This is used as a presentation of the popularity of the tags and can be indicative of the content they cover, although in most contexts such information is of little use. Interestingly, the more prominent the tag the less information it contains. An example of this is Flickr.

It seems some people have decided to invent a third kind of tag cloud; one where the size of the font is chosen at random and has no relation to the popularity or number of items with that tag. Seriously, WTF people?

Categories: Web Development

November 14, 2006

@ 04:48 PM

Javascript Programming is TEH SUCK (part 2)

So I got a comment from someone complaining that my embedded video gadget doesn't work when embedding MSN SoapBox video from Internet Explorer 7. So I tried embedding his video on my Windows Live Space [not there now because it starts with a video of Adolf Hitler] and it worked using the same version of IE.

I was stumped for a second until I remembered a recent blog posting by Alex Russell entitled The Virtual Life: IE At Arms Length where he wrote

IE isn’t built like Mozilla or any other browser. It really is down into the core of the OS because many of its behaviors are determined by the available versions of other components. Take, for example, the networking and javascript stacks. These are the cause of some very critical deployment-time bugs, but their behavior is determined by the versions of winsock and the Windows Scripting Host that are installed in the host OS, not the “IE version”. This means that if you’re not running the same version and patch-level of Windows, you’re not running the same browser that your users are, and if you’re not running the same browser, you can’t debug the problem or come up with a workaround. To accurately debug issues, you need to be able to step through OS revs, not just rendering engine+browser chrome updates. And as if that’s not enough, major Microsoft partners maintain their own IE builds. Getting reports of a problem that only shows up on Dells? There’s a reason for that. In cases like this, there’s really not much to be done short of buying a POS dell, but we can at least cover most of the rest of the strangeness we see in the wild with virtualization.

So it looks like I have to figure out what operating system and patches the user has installed.

Great!

If this keeps up I'm going to start missing doing C++ development.

Categories: Web Development

November 12, 2006

@ 03:32 PM

Javascript Programming is TEH SUCK

So a few weeks ago I wrote a moderately popular embedded video gadget for Windows Live Spaces which allows you to embed videos from popular video sharing sites on your Live.com or Spaces page. Somewhere along the line it seems that this gadget stopped working correctly in Firefox. Specifically click events on the [Preview] and [Save] buttons were not working. After doing some research I came across an article entitled addEventListener attachEvent - Pass parameters to event-function which made me realize that I had to change my code from

btn2.attachEvent("onclick", OnSave);

if(window.addEventListener){ btn2.addEventListener("click", OnSave, true); //Firefox }else{ btn2.attachEvent("onclick", OnSave); //MSIE }

I'm pretty sure that the code used to work at one point in time and from this post on Adam Kinney's blog it does seem that the Atlas framework which is what is used by the Windows Live gadgets platform did write a cross-browser version of attachEvent. I wonder if they took that change out due to negative feedback from developers? I guess this is just another example of why I think trying to standardize ~~gadget~~ widget packaging and then expecting it'll lead to interop between ~~gadget~~ widget platforms is an amusingly naive idea. See the discussion in the comments to my post entitled W3C Working on Widgets 1.0 Spec for more context. :)

UPDATE: Kevin Daly just posted a comment in response to this post which links to a blog post entitled DOM events in the Microsoft AJAX Library. The post confirms that negative developer feedback led to a change in Atlas which breaks event handling in Firefox for any app written against previous versions of the Atlas framework as I speculated above. I've just spent 15 minutes updating and resubmitting all my old gadgets to Windows Live Gallery. If you are a gadget developer you may want to check out your code as well.

PS: Visit http://carnage4life.spaces.live.com to see what it looks like to embed an MSN SoapBox video in your blog.

Categories: Web Development

November 10, 2006

@ 07:32 PM

Slower Website == Slower Profits

Greg Linden has a blog post entitled Marissa Mayer at Web 2.0 where he writes

Marissa started with a story about a user test they did. They asked a group of Google searchers how many search results they wanted to see. Users asked for more, more than the ten results Google normally shows. More is more, they said.

So, Marissa ran an experiment where Google increased the number of search results to thirty. Traffic and revenue from Google searchers in the experimental group dropped by 20%.

Ouch. Why? Why, when users had asked for this, did they seem to hate it?

After a bit of looking, Marissa explained that they found an uncontrolled variable. The page with 10 results took .4 seconds to generate. The page with 30 results took .9 seconds.

Half a second delay caused a 20% drop in traffic. Half a second delay killed user satisfaction.

This conclusion may be surprising -- people notice a half second delay? -- but we had a similar experience at Amazon.com. In A/B tests, we tried delaying the page in increments of 100 milliseconds and found that even very small delays would result in substantial and costly drops in revenue.

If you are a developing a consumer web site whose revenue depends on the number of page views you get, you need to print out that post and nail it to every bulletin board in your offices. One big problem with the AJAX craze that has hit the Web is how much slower websites have become now that using Flash and DHTML to add "richness" to Web applications is becoming more commonplace. My mind now boggles at the fact that I now see loading pages that last several seconds when visiting Web sites more and more these days.

Below is the graphic that shows up when you try to login to your Yahoo Mail beta inbox.

break dancing dude that shows up when you try to login to Yahoo Mail

My girlfriend watched me waiting for my inbox to show up while the above animated graphic was displaying and joked that they should change the graphic to a tortoise crawling across the screen so you have a heads up about how long it's going to take. :)

Of course, Windows Live services have also been guilty of this as are most of the 'Web 2.0' websites out there. At the end of the day, it's better for me to get to my data as quickly as possible than it is for the experience to be 'rich'. Remember that.

Categories: Web Development

November 10, 2006

@ 07:09 PM

W3C Working on Widgets 1.0 Spec

I noticed today that the W3C has a draft spec named Widgets 1.0 that has the following abstract

This document describes widgets. It covers the packaging format, the manifest file config.xml, and scripting interfaces for working with widgets.
The type of widgets that are addressed by this document are usually small client-side applications for displaying and updating remote data, packaged in a way to allow a single download and installation on a client machine. The widget may execute outside of the typical web browser interface. Examples include clocks, stock tickers, news casters, games and weather forecasters. Some existing industry solutions go by the names "widgets", "gadgets" or "modules".

I read the spec and it's unclear to me after reading what problem it is actually trying to solve. Is this supposed to make the lives of widget developers easier? Doesn't seem like it. Is it targetted at vendors that are building proprietary widget platforms like Yahoo!, Microsoft and Fox Interactive Media (MySpace's parent company)? Not really from what I read. At best, it seems this is trying to change the fact that the primary way of sharing widgets across sites is copying & pasting HTML code you find on places such as MySpace scripts and Video Code Zone by building a more complicated system which hopefully can then be integrated into Web browsers as native functionality to 'eventually' make things easier.

Yeah, right. Good luck with that.

Categories: Web Development

October 30, 2006

@ 04:01 PM

W3C Reverses Course on HTML's Evolution

In a blog post entitled Reinventing HTML Tim Berners-Lee writes

The perceived accountability of the HTML group has been an issue. Sometimes this was a departure from the W3C process, sometimes a sticking to it in principle, but not actually providing assurances to commenters. An issue was the formation of the breakaway WHAT WG, which attracted reviewers though it did not have a process or specific accountability measures itself.
There has been discussion in blogs where Daniel Glazman, Björn Hörmann, Molly Holzschlag, Eric Meyer, and Jeffrey Zeldman and others have shared concerns about W3C works particularly in the HTML area. The validator and other subjects cropped up too, but let's focus on HTML now. We had a W3C retreat in which we discussed what to do about these things.
Some things are very clear. It is really important to have real developers on the ground involved with the development of HTML. It is also really important to have browser makers intimately involved and committed. And also all the other stakeholders, including users and user companies and makers of related products.
Some things are clearer with hindsight of several years. It is necessary to evolve HTML incrementally. The attempt to get the world to switch to XML, including quotes around attribute values and slashes in empty tags and namespaces all at once didn't work. The large HTML-generating public did not move, largely because the browsers didn't complain. Some large communities did shift and are enjoying the fruits of well-formed systems, but not all. It is important to maintain HTML incrementally, as well as continuing a transition to well-formed world, and developing more power in that world.
The plan is to charter a completely new HTML group. Unlike the previous one, this one will be chartered to do incremental improvements to HTML, as also in parallel xHTML. It will have a different chair and staff contact. It will work on HTML and xHTML together. We have strong support for this group, from many people we have talked to, including browser makers.

Wow. It's good to see the W3C reacting to all the negative criticism it has received on its stewardship of HTML in recent times. A few months ago I linked to a number of the complaints from the markup geek crowd that Tim Berners-Lee references in my post entitled W3C Process is Broken? Film at 11. Although it was clear the writing was on the wall, I didn't expect the W3C to change its course anytime soon. The inertia within that organization is just that massive. With browser makers and Web developers being disenchanted with the W3C, this is the only thing they could do if they planned to remain relevant in the world of Web standards. Kudos to TimBL and the rest of the W3C crew for making this course correction.

PS: I really need a personalized meme tracker. The linked post didn't make it onto TechMeme but it did make it onto the meme tracker on Planet Interwingly. I suspect it would have made it onto my list of 'interesting posts' if I had a personalized meme tracker running over my feed list as well.

Categories: Web Development

October 11, 2006

@ 01:33 AM

Widgets Live conference

Niall Kennedy has a blog post entitled Widgets Live! conference in San Francisco on November 6 where he writes

The first ever conference dedicated to widgets, gadgets, and modules will take place on Monday, November 6, in San Francisco. The one-day conference will capture and summarize the emerging widget economy and allow developers, business leaders, and content producers to collaborate and better understand how they might participate in syndication at the edge of the network.

A small web loosely joined.

I am organizing a conference named Widgets Live! next month in partnership with Om Malik to capture the emerging webspace of widgets. There's so much happening in the fast-moving widget space right now it's a bit difficult to keep track of it all....There is so much activity in the customizable web powered by widgets we felt it was time to bring together the major players for a one-day industry overview and tutorial. We hope you can join us.
Tickets are only $100 and available now.

I've been talking to folks at work about this conference since Om Malik responded to my blog post about having a get together to talk about ~~gadgets~~ widgets. So far it looks like Microsoft folks from Live.com, Windows Live Spaces, Windows Live Gallery and the Windows Vista sidebar should in the house. The conference will be during the same week and in the same city as the O'Reilly Web 2.0 which has worked out perfectly for fitting people's schedules over here. Well, except for the folks who will be going to TechEd Europe.

Be there or be square . :)

Categories: Web Development

October 2, 2006

@ 02:28 PM

What's Wrong with Identity Silos?

Dick Hardt has a blog post critical of Yahoo's recently announced BBAuth entitled Yahoo’s Identity Silo where he writes

Yahoo has joined Google’s silo building by releasing BBAuth, a mechanism for other sites to access services and data within the world of Yahoo.
Unlike Google’s Account Authentication, Yahoo is allowing their service to be used for SSO and registration.

BBAuth is clearly targeted at Web 2.0 site developers, encouraging them to build apps on the Yahoo platform so that they get access to all those Yahoo users.. While I understand how this helps Yahoo strengthen their relationship with their users, it would seem Yahoo did not learn what Microsoft learned with Passport, as Yahoo is deepening their identity silo, rather then participating in the emerging identity infrastructure.

Given that I've been crusading for Microsoft to build solutions similar to BBAuth and Google's Account Authentication for Windows Live I'm interested in whatever criticisms of these approaches exist. The first thing I should note is that I don't like the term "identity silo". On the one hand it could be considered accurate but on the other it automatically potrays the party being described in a negative light. It's like using the term "baby killer" to describe people who consider themselves pro-choice. Any website which authenticates its users (i.e. has a username/password requirement to utilize aspects of the site) is an "identity silo" because the identity I've created on that site is only usable on that site and cannot be utilized elsewhere.

Lots of really smart people from big companies (e.g. Kim Cameron of Microsoft) and startups (e.g. Dick Hardt of SXIP Identity) with products to sell have now told us that "identity silos are bad m...kay". Since I drink the company Kool Aid, I agree with this premise. From reading Kim Cameron's The Laws of Identity and Microsoft's Vision for an Identity Metasystem it seems the solution to the problem of identity silos is federated identity where I can use credentials from one site to sign-in to another site as long as the sites trust each other. This sounds cool, it's like the promise of Single Sign On without one company trying to be your Passport to using the Internet. :)

So let's say I'm a website that wants to allow users to access their data from other sources besides my wbesite thus liberating their data and enabling new applications, visualizations and mashups. I need some way to figure out whose data to give out to these mashups when they come calling...I know, I'll use the unique username to figure out whose data I'm to give out and I can verify that its really the user asking because I'll require their password. Except, according to Dick Hardt and Eric Norlin this is bad because I'm deepening my "identity silo". Since I'm a practical guy I have only two questions

Are there shipping technologies today that allow me to do what I want in an "Identity 2.0" way?
Are they as easy to implement as telling mashup developers to include a link to my website in their UI and then process the data they get back when the user is redirected back to their site after signing in?

From my reading, the answer to question #1 is No (but we're really close) and the answer to question #2 is Hell No. If you were Yahoo! or Google, would you wait a few years for a technology that is more difficult for the developers you are targeting to adopt than what you can roll on your own today to meet your needs? If the answer is no, does that make you a "baby killer"?

Let me know what you think.

Categories: Web Development | XML Web Services

September 30, 2006

@ 05:45 AM

Yahoo Launches Browser Based Authentication (BBAuth)

Via Jeremy Zawodny I noticed that Yahoo! has finally launched their Browser Based Authentication (BBAuth) system which they announced at ETech earlier this year. What does BBAuth do?

To use BBAuth, you'll need to do the following:

Register your application
First you need to register your application with Yahoo!. The process requires that you describe what your application does, provide contact information, set your application's endpoint URL, and select the Yahoo! services to which your application needs access. Some services may divide their API calls into subsets, or scopes. For example, a service might group its read-only methods into a single scope.

When you complete registration, Yahoo! provides you with an application ID and shared secret for making authenticated service calls.

Log in your users
Your application cannot access a user's personal data until the user grants your application limited access to their data. To do this you must direct your users to a specialized Yahoo! login page. Once the user enters their Yahoo! user ID and password, Yahoo! displays a Terms of Service page and lists the data which your application may access. If the user grants your application access, Yahoo! redirects the user to your site. The redirect URL contains a token that you use to retrieve the user's credentials.

Use the user's credentials to make web service calls
Now that you have the user's token, you can use it to retrieve an auth cookie and a WSSID, which together represent the user's credentials. The user's credentials last for one hour, and you must supply them for each authenticated web service call.

This is very similar to Google Account Authentication Proxy for Web-Based Applications. However Yahoo! doesn't seem to have a good story for desktop applications that want to use their APIs on behalf of a user (e.g. a desktop photo management application that wants to upload photos to a users Yahoo! Photos account). On the other hand, Google's authentication system for developers actually does cover the desktop case with Account Authentication for Installed Applications which even goes as far as incorporating CAPTCHAs which the desktop app needs to show to the user as they log them in. The only problem is that unlike the Web case, the desktop application actually collects the username and password which I've already mentioned is a big no-no. However the alternatives have trade offs which I can't blame the Google folks for rejecting. I still can't come up with a solution to this problem that I am 100% comfortable with.

Props to the folks at Google and Yahoo! for opening up their systems in this way. One thing I definitely don't like is that both Google via Google Account Authentication and Yahoo! va BBAuth have shipping code that allows developers to authenticate users that use their services while at Microsoft we're still just talking about it. We need to up our game.

Categories: Competitors/Web Companies | Web Development

September 22, 2006

@ 04:50 PM

AJAX Tip: Passing Messages Between iframes

Julien Couvreur has a blog post entitled Cross-document messaging hack where he writes

The Dojo and Windows Live Platform teams have both recently released DHTML hacks that allow two iframes in different domains to communicate, bypassing the notorious same-domain policy implemented in browsers. I'm surprised by the relative lack of response in the AJAX blogosphere, as this opens lots of possibilities for mashups.

The basics:
The hack relies on dynamically created iframes, using the fragment identifier to leak/communicate information to the other domain and timers to check for iframe changes.
For example, if you have page A containing an iframe B in a different domain, then B can create a new iframe and load it with a url in the same domain as A. The url that is loaded doesn't generate a request to the server if it is properly cached and only the fragment identifier is used to pass changing information. Page A can now get the DOM handle on the new iframe and successfully retrieve the information transmitted in the url by B.

Although the hack goes around the same domain policy, you should realize that it does not constitute a significant security threat, as it requires both frames to cooperate. Additionally, this mechanism allows for control of which domains can work together.
...
The applications:
...
Windows Live goes into a more specific proof of concept, with the Windows Live Contacts Gadget, an embeddable contact picker. It explores the problem of cross-domain interactions deeper than the Dojo work, specifically around authentication, access control and privacy.

Like Julien, I'm surprised that there hasn't been more discussion about this technique in the AJAX blogs. I first learned about this technique from Yaron Goland while he was working with Danny Thorpe and others on the Windows Live Contacts Gadget. With this technique I can embed a ~~widget~~ gadget hosted on my domain on a page from another domain and then later on exchange data or otherwise communicate between the ~~widget~~ gadget and the hosting page.

This is how the Windows Live Contacts Gadget allows you to embed a control that opens a portal to a user's Hotmail address book and then communicates the contacts the user has picked back to the hosting page. It's a really sweet hack.

Categories: Web Development

September 21, 2006

@ 01:02 PM

WidgetCon

A couple of days ago, I mentioned that I'd like to talk to folks at startups working on ~~gadgets~~ widgets. Since then a couple of folks have expressed interest in the idea.

In his post WidgetCon Om Malik writes

Dare wants to talk to widget creators. I think it is a great idea. I am happy to host Dare in SF, and perhaps we can put together an informal event to talk widgets. You know I love that stuff. Niall, say what? Anyway else wants to jump in and play along, please do. Meebo & Rock U team…. what do you think?

The folks from Meebo and RockYou both expressed interest in a comments to Om's post.

Marc Canter also jumps in with a post entitled Widgetcon where he writes

Om likes the fact that Dare wants to talk to startups about widgets. He even thinks there should be a conference.
...
We’re watching these three kinds of constituents all use the same technology - and try and shoehorn their technology and business models into them. Whether they’re called Konfabulators, widgets, gadgets, modules, blog objects - it really doesn’t matter.
It’s happening, it’s all good and we’d love to attend any sort of event around this.

I know my friends at AOL would love to attend too - and if I were a betting man, I’d say Yahoo would be on-board, as well as NetVibes and Pageflakes.
Now the question is “can we get Google to show up at such an affair?”

THis would be a PUBLIC event - right dudes? None of this clique shit - right?

Maybe we can even get Microsoft to pay for some Alaskan King Crab legs - like the old days?

I've pinged some folks at work about this and I'm sure there'll be a couple of heads from Microsoft who'd be down with attending. I'm not from the area so I'd suck at organizing something like this from Seattle so I'll just follow Marc and Om's lead on this. I'll also ping some of our developer marketing folks to see if we can spring for food if enough people are down with attending.

To make this "Web 2.0", maybe someone should create an attendee list wiki. ;)

Categories: Web Development

September 1, 2006

@ 06:02 PM

Mike Torres on Firefox Extensions

Mike Torres has a blog post entitled Web 2.0 Revelation #3: I dig Firefox Extensions where he writes

But having returned to Firefox (on my Mac and casually on my PC), I'm seriously impressed by just how much Firefox Extensions have enabled me to do. And as much as I really love using IE7 on my PC, having things like the SessionSaver, Answers, LiveLines, and del.iciou.us extensions are going a long way towards swaying me over to Firefox again (note: I haven't used Firefox exclusively on my PC since it was called Firebird a few years ago!)

The list of extensions I'm exploring on the PC:

Browster to make searching and browsing just a little bit faster - slick! (works in IE too)
de.icio.us to make sure I update my linkblog regularly
Answers just because it's cool
Tab X because I need close buttons on tabs
Livelines to map the RSS feed icon to "Subscribe in Bloglines"
SessionSaver to keep me from losing my place
Luna (theme) to make it look like it belongs on Windows again - although I want a better looking theme

One of the things that's immediately clear to me after a little experimentation this week: IE7 just doesn't have enough to sway power users just yet.

I've been preaching the Firefox religion to Mike and others at work primarily by praising the virtues of inline search and SessionSaver. The more I use Firefox with SessionSaver the more it irritates me that every Windows application doesn't have this functionality. I've definitely been inspired to add similar functionality to RSS Bandit.

Anyway, it looks like Mike didn't just tiptoe into the water but instead jumped in deeper than I have. On his recommendation I have installed Tab X and Luna which have quickly made my browsing experience even better. I may try out the de.icio.us extension if I can ever remember my password for the service. I probably should give a shout out to the Yahoo! Toolbar for Firefox as well. Firefox extensions totally r0x0r.

Categories: Web Development

August 27, 2006

@ 09:45 PM

Memory Leaks and Windows Live gadgets

Recently I asked one of the Javascript devs on the Windows Live Spaces team to review the code for some of my gadgets to see if he could point out areas for improvement. One thing he mentioned was that there were a ton of memory leaks in my gadgets. This took me by surprise since the thought of a memory leak in some AJAX code running in a browser sounded like a throwback to the days of writing apps in C/C++. So I went back and took a look at the Windows Live gadget SDK, and sure as hell there was a section of the documentation entitled Avoiding Memory Leaks which states

Memory leaks are the number one contributor to poor performance for AJAX-style websites. Often code that appears to be written correctly will turn out to be the source of a massive memory leak, and these leaks can be very difficult to track down. Luckily, there are a few simple guidelines which can help you avoid most memory leaks. The Live.com developers follow these rules religiously, and recommend that you do the same when implementing Gadgets.
Make sure you null any references to DOM elements (and other bindings for good measure) in dispose().
Call the base dispose method at the end of your dispose method. (conversely, call the base initialize at the beginning of your initialize method)
Detach all events that you attach.
For any temp DOM element vars created while constructing the DOM, null the temp var before exiting the method.
Any function parameters that are DOM elements coming in should be nulled before returning from the method.
There are a number of websites and blog entries that document approaches for identifying and fixing memory leaks in AJAX applications. One such helpful site can be found here.

A great way to see whether your Gadget is leaking memory is to use the following URL to load your Gadget: http://gadgets.start.com/gadget.aspx?manifestUrl=gadgetManifestUrl. Open Task Manager in Windows and monitor the memory usage of the Internet Explorer window. Keep reloading the Gadget in Internet Explorer to see if the memory usage increases over time. If the memory usage increases, it is indicative that your Gadget is leaking memory.

This is the entirety of the documentation on avoiding memory leaks in Windows Live gadgets. Granted there is some useful information in the blog post referenced from the SDK. The post implies that memory leaks in AJAX code are an Internet Explorer problem as opposed to a general browser issue.

Most of the guidelines in the above excerpt were pretty straightforward except for the one about detaching all events you attach. I wasn't sure how event handling differed between Firefox and IE (the only browsers I test gadgets on) so I started down the path of doing some research. and this led me to a number of informative posts on Quirksmode. They include

The information in the above pages is worth its weight in gold if you're a Javascript developer. I can't believe I spent all this time without ever reading Quirksmode. The Windows Live gadgets team would be doing gadgets developers a lot of favors by including the above links to their documentation.

There is also an interesting observation about the end user perceptions about who's to blame for badly written gadgets. The comment about memory leaks in my gadgets answered the question of why Internet Explorer uses as much as 200MB of memory when running my Live.com start page. At first, I assumed the problem was with Live.com and then after switching browsers to Firefox I saw some improvement and then assumed the problem was with IE. It never crossed my mind that the problem was the poor coding in the gadgets on my page. This may just be because I was the author of many of the gadgets on my page but I suspect that when the average end user hits problems with poorly written gadgets causing issues with Live.com or Windows Live Spaces pages, Microsoft is the entity that gets the blame not the gadget developers.

Just like with Windows®, poorly written applications often reflect badly on the platform and not just the application. Interesting food for thought if you are interested in building Web platforms.

Categories: Web Development | Windows Live

August 22, 2006

@ 04:21 PM

AJAX Will Make it Mainstream, I Promise

Over the weekend I blogged that Kiko was an example of sprinkling AJAX on old ideas that had failed in the 1990s. I found an even better example from a blog post by Richard MacManus entitled Ex-Googler starts Webwag, new personalized start page where he writes

"According to Poisson, Webwag’s revenue streams will include affiliate marketing – something Netvibes is doing via Kelkoo - and B2B deals, an as yet unexplored area. Chris previously suggested that white labelling this technology is one key revenue opportunity for these firms to consider.

Poisson said: "As Web 2.0 develops over the next three three to five years, two things will remain. Firstly, everyone will have their own blog, and over 75% of people will have their own personalised start pages.

"My belief is the big search portals (My Yahoo etc) will get 50% of that market, and 50% will be taken by three to four independents.”"

Personally I think that 50% figure for independents is too ambitious. I also question his claim that 75% of people will have a start page in 3-5 years, unless you count the likes of Yahoo.com as a 'personalized start page' (actually I suspect the distinction will be moot in 5 years time).

If someone would have told me that AJAX versions of My Yahoo! (i.e. a portal homepage) except with none of the integration with a family of websites that a portal provides would be a hot startup idea I'd have laughed them out of my office. This market was saturated five years ago. The thought that adding drag & drop to a portal homepage and not having any rich integration with a family of sites is a viable business seems pretty absurd to me. The barrier to entry is pretty much zero, all you need to do is grab the Yahoo! Javascript UI library and write some code to parse RSS feeds to get started. That's besides the fact that the portal homepage is primarily a means to an end since they are there to encourage people to stick on the site and use other services (i.e. search) and not the core product in itself.

The quote that 75% of people will have a personalized start page is the best part though. As if the lack of AJAX and drag & drop is the reason that 75% of the population don't have My Yahoo!, My MSN or My AOL pages. Yeah, right.

This reminds me of a conversation I was having with Eric Fleischman about blogging and RSS becoming mainstream yesterday. We agreed that blogging is already mainstream because everyone has a MySpace from politicians and school teachers to movie stars and DJs. On the other hand, I didn't think subscribing to feeds in a conventional aggregator would ever become used by a widespread percentage of the population. Subscribing to feeds seems cool to geeks because it solves a geek problem; having too many sources of information to keep track of and optimizing how this is done. The average person doesn't think it's cool to be able to keep track of 10 - 20 websites a day using a some tool because they aren't interested in 10 - 20 websites on a daily basis in the first place. I'm sure a light sprinkling of AJAX can solve that problem as well.

*sprinkle* *sprinkle* *sprinkle*

Categories: Web Development

August 19, 2006

@ 06:18 PM

Jon Udell on Open Sourcing XAML and WPF/E

Jon Udell proves again why he's my favorite technology journalist with his piece Why Microsoft should open XAML where he writes

The WPF/E runtime won’t implement all of XAML (XML Application Markup Language), a .Net language tuned for declarative application layout. But “the portion of XAML we’ve picked,” Gates told me, “will be everywhere, absolutely everywhere, and it has to be.”

“Everywhere” means the kind of ubiquity that the Flash player enjoys on Windows and Mac desktops, and to a lesser extent on Unix and handheld devices. And it sets up an arms race between Adobe and Microsoft, each giving away razors (that is, players) in order to sell blades (development tools).

Here’s a crazy idea: Open-source the WPF/E, endorse a Mono-based version, and make XAML an open standard. Why? Because an Adobe/Microsoft arms race ignores the real competition: Web 2.0, and the service infrastructure that supports it.

The HTML/JavaScript browser has been shown to be capable of tricks once thought impossible. Meanwhile, though, we’re moving inexorably toward so-called RIAs (rich Internet applications) that are defined, at least in part, by such declarative XML languages as Adobe’s MXML, Microsoft’s XAML, Mozilla’s XUL (XML User Interface Language), and a flock of other variations on the theme.

Imagine a world in which browsers are ubiquitous, yet balkanized by incompatible versions of HTML. That’s just where RIA players and their XML languages are taking us. Is there an alternative? Sure. Open XAML. There’s a stake in the ground that future historians could not forget.

When building rich internet applications today, the primary choices are AJAX and Flash. The reason that these are the two primary choices versus other options like Java, ActiveX, XUL, etc is their ubiquity. And AJAX is typically preferred over Flash because it doesn't require expensive development tools and there is the perception that AJAX is less proprietary than Flash.

Any technology that aims to compete with Flash and AJAX, has to be cross platform (i.e. works in Firefox and Internet Explorer at the minimum) and ubiquitous. Ubiquity can be gained either by taking advantage of the existing technologies within the browsers or by ensuring that the process for getting the runtimes on user's machines is seamless for end users. I have no doubt that Microsoft can eventually get development platforms ubiquitous on Windows. Earlier this week, I was reading a number of blog posts from people who tried out Windows Live Writer and don't remember anyone complaining about needing to have the .NET Framework installed to run it. It took a few years but it seems the .NET Framework is now on a majority of PCs running Windows if those blog posts is any indication. However it's taken a couple of years for that to happen.

If WPF/E is meant to be used in the same situations that AJAX and Flash are used today then it needs to give developers better advantages than the incumbents. If it was ubiquitous and cross platform, that would still just get it in the door. Jon Udell's idea to make it an Open platform on the other hand may take it to the tipping point. At the end of the day, Microsoft should favor building the ecosystem of rich internet applications that are accessible from Windows PCs than competing with Adobe for dollars from selling development tools for rich internet applications. This seems to be a better strategy to me.

Disclaimer: The above post contains my own opinions and does not reflect the intentions, strategies, plans or thoughts of my employer

Categories: Programming | Web Development

August 19, 2006

@ 05:38 AM

Paul Graham was Surprised by Google Calendar?

I was just reading Paul Graham's post entitled The Kiko Affair which talks about the recent failure of Kiko, an AJAX web-calendaring application. I was quite surprised to see the following sentence in Paul Graham's post

The killer, unforseen by the Kikos and by us, was Google Calendar's integration with Gmail. The Kikos can't very well write their own Gmail to compete.

Integrating a calendaring application with an email application seems pretty obvious to me especially since the most popular usage of calendaring applications is using Outlook/Exchange to schedule meetings in corporate environments. What's surprising to me is how surprised people are that an idea that failed in 1990s will turn out any differently now because you sprinkle the AJAX magic pixie dust on it.

Kiko was a feature, not a full-fledged online destination let alone a viable business. There'll be a lot more entrants into the TechCrunch deadpool that are features masquerading as companies before the "Web 2.0" hype cycle runs its course.

Categories: Competitors/Web Companies | Web Development

August 16, 2006

@ 12:56 PM

W3C Process is Broken? Film at 11

In the post entitled Something went wrong at the W3C? Anne van Kesteren has a collection of links to rants about the W3C from Web-standards geeks that is sober reading. The post is excerpted below

Something went wrong at the W3C? Lets see:
To Hell with WCAG 2
Leaving W3C QA Dev.
An angry fix
SVG12: brief clarification on formal objections
SVG Tiny 1.2 in Candidate Wreckommendation stage
What's Wrong With The SVG Working Group
Angry Indeed

Reading some of these rants takes me back to days I used to work on the XML team at Microsoft and how I grew to loathe the W3C and standards bodies in general. All of the above links are recommended reading for anyone who is interested in Web standards. An observation that stood out for me was taken from Joe Clark's rant, To Hell with WCAG 2 where he wrote

And now a word about process, which you have have to appreciate in order to understand the result. The Web Content Accessibility Guidelines Working Group is the worst committee, group, company, or organization I’ve ever worked with. Several of my friends and I were variously ignored; threatened with ejection from the group or actually ejected; and actively harassed. The process is stacked in favour of multinationals with expense accounts who can afford to talk on the phone for two hours a week and jet to world capitals for meetings.

The WCAG development process is inaccessible to anyone who doesn’t speak English. More importantly, it’s inaccessible to some people with disabilities, notably anyone with a reading disability (who must wade through ill-written standards documents and e-mails—there’s already been a complaint) and anyone who’s deaf (who must listen to conference calls). Almost nobody with a learning disability or hearing impairment contributes to the process—because, in practical terms, they can’t.

This sounds like an apt description of the W3C working groups I used to track, namely the XML Schema working group and the XML Query working group. Both of which [in my opinion] have done more harm than good for the Web and XML by simply existing and retarding progress with the technologies they have ~~failed to~~ produced.

The question I sometimes ponder is what's the alternative? De-facto standards based on proprietary technologies seem to be one option as evidenced by the success of RSS and IXMLHttpRequest. There is also something to be said about the approach taken by Microformats community. Either approach seems preferable to the current mess we have with the W3C's approach to standards development.

Categories: Web Development

August 9, 2006

@ 06:08 PM

Amazon Developer on Replacing Operations with Developers

In my previous post, I talked about some of the issues I saw with the idea of doing away with operations teams and merging their responsibilities into the development team's tasks [as practised at companies like Amazon]. Justin Rudd, who is a developer at Amazon, posts his first-hand perspective of this practice in his blog post entitled Expanding on the Pain where he writes

Since I am a current employee of Amazon in the software development area, I probably shouldn’t be saying this, but…
...
First a few clarifications - there is no dedicated operations team for Amazon as a whole that is correct. But each team is allowed to staff as they see fit. There are teams within Amazon that have support teams that do handle quite a bit of the day to day load. And their systems tend to be more “smooth” because this is what that team does - keep the system up and running and automate keeping the system up and running so they can sleep at night.

There are also teams dedicated to networking, box failures, etc. So don’t think that developers have to figure out networking issues all the time (although there are sometimes where networking doesn’t see a problem but it is affecting a service).

Now for those teams that do not have a support team (and I am on one of them), at 3 in the morning you tend to do the quickest thing possible to get the problem rectified. Do you get creative? After being in bed for 3 hours (if you’re lucky) and having a VP yell at you on the phone that this issue is THE most important issue there is or having someone yell at you that they are going to send staff home, how creative do you think you can be? Let me tell you, not that creative. You’re going to solve the problem, make the VP happy (or get the factory staff back to work), and go back to bed with a little post it note to look for root cause of the problem in the AM.

Now 1 of 2 things happens. If you have a support team, you let them know about what happened, you explain the symptoms that you saw, how you fixed it, etc. They take your seed of an idea, plant it, nurture it, and grow it.

If you don’t have a support team and you are lucky, in the morning there won’t be another THE most important thing to work on and you can look at the problem with some sleep and some creativity. But the reality is - a lot of teams don’t have that luxury. So what happens? You end up cronning your solution which may be to bounce your applications every 6 hours or run a perl script that updates a field at just the right place in the database, etc.

We all have every intention of fixing it, but remember that VP that was screaming about how this issue had to be fixed? Well now that it isn’t an issue anymore and it’s off his radar screen, he has new features that he wants pushed into your code. And those new features are much more important than you fixing the issue from the night before because the VP really doesn’t care if you get sleep or not at night.

Justin's account jibes with other accounts I've heard [second hand] from other ex-Amazon developers about what it means to live without an operations team. Although it sounds good on paper to have the developers responsible for writing the code also responsible when there are issues with the code on the live site, it leads to burning the candle at both ends. Remember, division of labor exists for a reason.

Categories: Web Development

August 9, 2006

@ 05:04 AM

Replacing Operations with Developers

A few weeks ago, I bookmarked a post from Sam Ruby entitled Collapsing the Stack where he wrote

Werner Vogels: Yep, the best way to completely automate operations is to have to developers be responsible for running the software they develop. It is painful at times, but also means considerable creativity gets applied to a very important aspect of the software stack. It also brings developers into direct contact with customers and a very effective feedback loop starts. There is no separate operations department at Amazon: you build it; you run it.

Sounds like a very good idea.

I don't see how this sounds like a good idea. This reminds me of a conversation I once had with someone at Microsoft who thought it would be a good idea to get rid of their test team and replace them all with developers once they moved to Test Driven Development. I used to be a tester when I first joined Microsoft and this seemed to me to be the kind of statement made by someone who assumed that the only thing testers do is write unit tests. Good test teams don't just write unit tests. They develop and maintain test tools. They perform system integration testing. They manage the team's test beds and test labs. They are the first line of defence when attempting to reproduce customer bug reports face before pulling in developers who may be working on your next release. All of this can be done by the development team but it means that your developers spend less time developing and more time testing. This cost will show up either as an increment in the amount of time it takes to get to market or a reduction in quality if schedules are not adjusted to account for this randomization of the development team. Eventually you'll end up recreating your test team so there are specific people responsible for test-related activities [which is why software companies have test teams in the first place].

The same reasoning applies to the argument for folding the responsibilities of your operations team into the development team's tasks. A good operations team isn't just responsible deployment/setup of applications on your servers and monitoring the health of the Web servers or SQL databases inyour web farm. A good operations team is involved in designing your hardware SKUs and understanding your service's peak capacity so as to optimize purchase decisions. A good operations team makes the decisions around your data centers from picking locations with the best power prices and ensuring that you're making optimal use of all the physical space in your data center to making build . A good operations team is the first line of defence when your service is being hit by a Denial of Service attack. A good operations team insulates the team from worrying about operating system, web server or database patches being made to the live site. A good operations team is involved in the configuration, purchase, deployment and [sometimes] development of load balancing, database partitioning and database replication tools. Again, you can have your development team do this but eventually it would seem to make sense that these tasks be owned by specific individuals instead of splitting them across the developers building one's core product.

PS: I've talked to a bunch of folks who know ex-Amazon developers and they tend to agree with my analysis above. I'd be interested in getting the perspective of ex-Amazon developers like Greg Linden on replacing your operations team with your core development staff.

PPS: Obviously this doesn't apply if you are a small 2 to 5 person startup. Everyone ends up doing everything anyway. :)

Categories: Web Development

July 10, 2006

@ 09:34 PM

Operations Expertise is the Secret Sauce of Web Development

Tim O'Reilly has a blog post entitled Operations: The New Secret Sauce where he summarizes an interview he had with Debra Chrapaty, the VP of Operations for Windows Live. He writes

People talk about "cloud storage" but Debra points out that that means servers somewhere, hundreds of thousands of them, with good access to power, cooling, and bandwidth. She describes how her "strategic locations group" has a "heatmap" rating locations by their access to all these key limiting factors, and how they are locking up key locations and favorable power and bandwidth deals. And as in other areas of real estate, getting the good locations first can matter a lot. She points out, for example, that her cost of power at her Quincy, WA data center, soon to go online, is 1.9 cents per kwh, versus about 8 cents in CA. And she says, "I've learned that when you multiply a small number by a big number, the small number turns into a big number." Once Web 2.0 becomes the norm, the current demands are only a small foretaste of what's to come. For that matter, even server procurement is "not pretty" and there will be economies of scale that accrue to the big players. Her belief is that there's going to be a tipping point in Web 2.0 where the operational environment will be a key differentiator
...
Internet-scale applications are really the ones that push the envelope with regard not only to performance but also to deployment and management tools. And the Windows Live team works closely with the Windows Server group to take their bleeding edge learning back into the enterprise products. By contrast, one might ask, where is the similar feedback loop from sites like Google and Yahoo! back into Linux or FreeBSD?

This is one of those topics I've been wanting to blog about for a while. I think somewhere along the line at ~~MSN~~ Windows Live we realized there was more bang for the buck optimizing some of our operations characteristics such as power consumption per server, increasing the number of servers per data center, reducing cost per server, etc than whatever improvements we could make in code or via database optimizations. Additionally, it's also been quite eye opening how much stuff we had to roll on our own which isn't just standard parts of a "platform". I remember talking to a coworker about all the changes we were making so that MSN Spaces could be deployed in multiple data centers and he asked why we didn't get this for free from "the platform". I jokingly responded "It isn't like the .NET Framework has a RouteThisUserToTheRightDataCenterBasedOnTheirGeographicalLocation() API does it?".

I now also give mad props to some of our competitors for what used to seem like quirkiness that now is clearly a great deal of operational savviness. There is a reason why Google builds their own servers, when I read things like "One-third of the electricity running through a typical power supply leaks out as heat" I get quite upset and now see it as totally reasonable to build your own power supplies to get around such waste. Unfortunately, there doesn't seem to be a lot of knowledge out there about the building and managing a large scale, globally distributed server infrastructure. However we are feeding a lot of our learnings back to the folks building enterprise products at Microsoft (e.g. our team now collaborates a lot with the Windows Communication Foundation team) as Debra states which is great for developers building on Microsoft platforms.

Categories: Competitors/Web Companies | Web Development

April 27, 2006

@ 06:15 PM

Firefox, NTLM Authentication and Sharepoint

Somewhere along the line it seems like I downloaded one too many internal builds of Internet Explorer 7 and hosed my browser setup. Since I hate mucking around with re-installing, rebooting and registry tweaks I decided to use Firefox as my full time browser instead. Not only have I not missed IE 7, I've fallen in love with certain Firefox extensions like SessionSaver which recovers all open browser tabs and form content in case you have a browser crash. This has proved to be a godsend when I come in during the morning and our IT department has rebooted my machine due to some security patch. All I need to do is fire up Firefox and have all my open tabs from the previous day show up in the browser.

The only problem I've had has been with constantly being prompted to enter my username and password on every Sharepoint page I browse to in our corporate network. I had almost resigned to having to waste my morning trying to fix my hosed IE 7 install until it occured to me to search the Web for a solution. That's how I found out about the network.automatic-ntlm-auth.trusted-uris preference. Once I tweaked this preference, it was all good.
...
Except for the fact that Sharepoint seems to use a bunch of Javascript that only works in Internet Explorer so I'm still going to have to muck with my Internet Explorer install anyway.

*sigh*

At least I can browse different pages without that prompt showing up all the time. I hope this information is useful to some other poor soul who's trying to use Firefox on an intranet that requires NTLM authentication.

Categories: Web Development

April 20, 2006

@ 06:10 PM

Tim Bray on the Cost of AJAX

Tim Bray has a post entitled The Cost of AJAX where he writes

James Governor relays a question that sounds important but I think is actively dangerous: do AJAX apps present more of a server-side load? The question is dangerous because it’s meaningless and unanswerable. Your typical Web page will, in the process of loading, call back to the server for a bunch of stylesheets and graphics and scripts and so on: for example, this ongoing page calls out to three different graphics, one stylesheet, and one JavaScript file. It also has one “AJAXy” XMLHttpRequest call. From the server’s point of view, those are all just requests to dereference one URI or another. In the case of ongoing, the AJAX request is for a static file less than 200 bytes in size (i.e. cheap). On the other hand, it could have been for something that required a complex outer join on two ten-million-row tables (i.e. very expensive). And one of the virtues of the Web Architecture is that it hides those differences, the “U” in URI stands for “Uniform”, it’s a Uniform interface to a resource on the Web that could be, well, anything. So saying “AJAX is expensive” (or that it’s cheap) is like saying “A mountain bike is slower than a battle tank” (or that it’s faster). The truth depends on what you’re doing with it.

In general I agree with Tim that the answers to questions like "is technology X slower than technology Y" depends on context. The classic example is that it makes little sense arguing about the speed of the programming language if an application is data bound and has to read a lot of stuff off the disk. However when it comes to AJAX, I think that in general there is usually more load put on servers due to the user interface metaphors AJAX encourages. Specifically, AJAX enables developers to build user interfaces that allow the user to initiate multiple requests at once where only one requests could have been made in the traditional HTML model. For example, if you have a UI that makes an asynchronous request every time a user performs a click to drill down on some data (e.g. view comments on a blog post, tags on a link, etc) where it used to transition the user to another page then it is more likely that you will have an increased number of requests to the server in the AJAX version of your site. Some of the guys working on Windows Live have figured that out the hard way. :)

Categories: Web Development

April 17, 2006

@ 03:05 PM

The Two Webs

I'm still continuing my exploration of the philosophy behind building distributed applications following the principles behind the REpresentational State architectural style (REST) and Web-style software. Recent comments in my blog have introduced a perspective that I hadn't considered much before.

Robert Sayre wrote

Reading over your last few posts, I think it's important to keep in mind there are really two kinds of HTTP. One is HTTP-For-Browsers, and one is HTTP-For-APIs.

API end-points encounter a much wider variety of clients that actually have a user expecting something coherent--as opposed to bots. Many of those clients will have less-than robust HTTP stacks. So, it turns out your API end-points have to be much more compliant than whatever is serving your web pages.

Sam Ruby wrote

While the accept header is how you segued into this discussion, Ian's and Joe's posts were explicitly about the Content-Type header.

Relevant to both discussions, my weblog varies the Content-Type header it returns based on the Accept header it receives, as there is at least one popular browser that does not support application/xhtml+xml.

So... Content-Type AND charset are very relevant to IE7. But are completely ignored by RSSBandit. If you want to talk about “how the Web r-e-a-l-l-y works”, you need to first recognize that you are talking about two very different webs with different set of rules. When you talk about how you would invest Don's $100, which web are you talking about?

This is an interesting distinction and one that makes me re-evaluate my reasons for being interested in RESTful web services. I see two main arguments for using RESTful approaches to building distributed applications on the Web. The first is that it is simpler than other approaches to building distributed applications that the software industry has cooked up. The second is that it has been proven to scale on the Web.

The second reason is where it gets interesting. Once you start reading articles on building RESTful web services such as Joe Gregorio's How to Create a REST Protocol and Dispatching in a REST Protocol Application you realize that how REST advocates talk about how one should build RESTful applications is actually different from how the Web works. Few web applications support HTTP methods other than GET and POST, few web applications send out the correct MIME types when sending data to clients, many Web applications use cookies for storing application state instead of allowing hypermedia to be the engine of application state (i.e. keeping the state in the URL) and in a suprisingly large number of cases the markup in documents being transmitted is invalid or malformed in some ways. However the Web still works.

REST is an attempt to formalize the workings of the Web ex post facto. However it describes an ideal of how the Web works and in many cases the reality of the Web deviates significantly from what advocates of RESTful approaches preach. The question is whether this disconnect invalidates the teachings of REST. I think the answer is no.

In almost every case I've described above, the behavior of client applications and the user experience would be improved if HTTP [and XML] were used correctly. This isn't supposition, as the developer of an RSS reader my life and that of my users would be better if servers emitted the correct MIME types for their feeds, the feeds were always at least well-formed and feeds always pointed to related metadata/content such as comment feeds (i.e. hypermedia is the engine of application state).

Let's get back the notion of the Two Webs. Right now, there is the primarily HTML-powered Web which whose primary clients are Web browsers and search engine bots. For better or worse, over time Web browsers have had to deal with the fact that Web servers and Web masters ignore several rules of the Web from using incorrect MIME types for files to having malformed/invalid documents. This has cemented hacks and bad practices as the status quo on the HTML web. It is unlikely this is going to change anytime soon, if ever.

Where things get interesting is that we are now using the Web for more than serving Web documents for Web browsers. The primary clients for these documents aren't Web browsers written by Microsoft and ~~Netscape~~ ~~AOL~~ Mozilla and bots from a handful of search engines. For example, with RSS/Atom we have hundreds of clients with more to come as the technology becomes more mainstream. Also Web APIs becoming more popular, more and more Web sites are exposing services to the world on the Web using RESTTful approaches. In all of these examples, there is justification in being more rigorous in the way one uses HTTP than one would be when serving HTML documents for one's web site.

In conclusion, I completely agree with Robert Sayre's statement that there are really two kinds of HTTP. One is HTTP-For-Browsers, and one is HTTP-For-APIs.

When talking about REST and HTTP-For-APIs, we should be careful not to learn the wrong lessons from how HTTP-For-Browsers is used today.

Categories: Web Development | XML Web Services

April 13, 2006

@ 01:37 PM

Calendar APIs Will Be The New Hotness

Charlene Li of Forrester research has a blog post entitled Google Calendar creates a platform for "time" applications where she writes

Having trialed a half dozen of them (including Airset, CalendarHub, 30Boxes, Planzo, and SpongeCell), Google Calendar is truly a best of breed in terms of ease of use and functionality. Here’s a quick overview of what’s different about the new product:

-       Manage multiple calendars. ....

-       Easy to use. ....

-       Sharing. ....

-       Open platform. I think this is the most interesting aspect of Google's calendar. The iCal standard along with RSS means that I will be able to synch my work calendar with my Google calendar. Although tie-ins with programs like Outlook aren’t yet available, Carl Sjogreen, Google Calendar’s product manager, said that such functionality will be coming "soon". Google is also partnering with Trumba to enabled "one-click" addition of events to your calendar (Trumba already works with calendar products from Yahoo!, Outlook, MSN Hotmail, and Apple). Also promised are synching capabilities to mobile phones. Carl also said that an API was in the works, which would enable developers to create new products on top of Google Calendar.

I've always thought that Web-based calendaring and event-based products haven't hit the sweet spot with end users because they are too much work to use for little benefit. The reason I use calendaring software at work is mainly to manage meetings. If I didn't have to attend meetings I'd never use the calendaring functionality of Outlook. In my personal life, the only times calendaring software would have been useful is integrating invitation services like eVite into my calendars at work and/or at home (I use both Yahoo! Mail and Windows Live Mail). However either eVite doesn't provide this functionality or it's unintuitive since I've never discovered it. So web-based calendaring software has been pretty much a bust for me. AJAXifying it doesn't change this in any way.

On the other hand, I could probably build the integration I want between my work calendar and my eVite calendar if they had an API [and I was invited to enough parties to make this a worthy excercise]. It seems there is now an awareness of this in the industry at the big three (Google, Yahoo and Microsoft) which is going to turn online calendaring into an interesting space over the next few months. Google Calendar is a step in the right direction by providing RSS feeds and announcing a forthcoming API. Yahoo! is already thinking about the same thing and also announced an upcoming Calendar API last month. As for Windows Live, our CTO has been talking to folks at work about using RSS+SSE as a way to share events and I'm sure they are paying attention [or at least will now that both Yahoo! and Google have thrown down].

With the increased use of RSS by Web-based calendaring applications perhaps it is time for RSS readers to also become more calendar aware?

Categories: Web Development | XML Web Services

April 12, 2006

@ 09:58 PM

Broken as Designed: HTTP Content Negotiation (remix)

To follow up my post asking Is HTTP Content Negotiation Broken as Designed?, I found a post by Ian Hickson on a related topic. In his post entitled Content-Type is dead he writes

Browsers and other user agents largely ignore the HTTP Content-Type header, relying on undefined sniffing heuristics to determine what the content of a page really is.

RSS feeds are always sniffed, regardless of their MIME type, because, to quote a Safari engineer, "none of them have the right mime type".
The target of img elements is almost always assumed to be an image, regardless of the declared type.
IE in particular is well known for ignoring the Content-Type header, despite this having been the source of security bugs in the past.
Browsers have been forced to implement heuristics to handle text/plain files as binary because video files are widely served with the wrong MIME types.

Unfortunately, we're now at a stage where browsers are continuously having to reverse-engineer each other to determine why they are handling content differently. A browser can't afford to render any less content than a browser with more market share, because otherwise users won't switch, and the new browser will not be adopted.

I think it may be time to retire the Content-Type header, putting to sleep the myth that it is in any way authoritative, and instead have well-defined content-sniffing rules for Web content.

Ian is someone who's definitely been around the block when it comes to HTTP given that he's been involved in Web standards groups for several years and used to work on the Opera Web Browser. On the other side of the argument is Joe Gregorio who posts Content-Type is dead, for a short period of time, for new media-types, film at 11 which does an excellent job of the kind of dogmatic arguing based on theory that I criticized in my previous post. In this case, Joe uses the W3C Technical Architecture Groups (TAG) findings on Authoritative Metadata.

MIME types and HTTP content negotiation are good ideas in practice that have failed to take hold on the Web. Arguing that this fact contravenes stuff written in specs from last decade or from findings by some ivory tower group of folks from the W3C seems like religous dogmatism and not fodder for decent technical debate.

That said, I don't think MIME types should be retired. However I do think some Web/REST advocates need to look around and realize what's happening on the Web instead of arguing from an "ideal" or "theoretical" perspective.

Categories: Web Development

April 12, 2006

@ 04:12 PM

Updated: HTTP Cookies and the .NET Framework

Working on RSS Bandit is my hobby and sometimes I retreat to it when I need to unwind from the details of work or just need a distraction. This morning was one of such moments. I decided to look into the issue raised in the thread from our forums entitled MSN Spaces RSS Feeds Issues - More Info where some of our users complained about a cookie parsing error when subscribed to feeds from MSN Spaces.

Before I explain what the problem is, I'd like to show an example of what an HTTP cookie header looks like from the Wikipedia entry for HTTP cookie

Set-Cookie: RMID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.usatoday.com

Note the use of a semicolon as a delimiter for separating cookies. So it turned out that the error was in the following highlighted line of code


	if (cookieHeaders.Length > 0) {
		container.SetCookies(url, cookieHeaders.Replace(";", ","));
	}

You'll note that we replace the semicolon delimiters with commas. Why would we do such a strange thing when the example above shows that cookies can contain commas? It's because the CookieContainer.SetCookies method in the .NET Framework requires the delimiters to be commas. WTF ?

This seems so fundamentally broken I feel that I must be mistaken. I've tried searching for possible solutions to the problem online but I couldn't find anyone else who has had this problem. Am I using the API incorrectly? Am I supposed to parse the cookie by hand before feeding it to the method? If so, why would anyone design the API in such a brain damaged manner?

*sigh*

I was having more fun drafting my specs for work.

Update: Mike Dimmick has pointed out in a comment below that my understanding of cookie syntax is incorrect. The cookie shown in the Wikipedia example is one cookie not four as I thought. It looks like simply grabbing sample code from blogs may not have been a good idea.:) This means that I may have been getting malformed cookies when fetching the MSN Spaces RSS feeds after all. Now if only I can repro the problem...

Categories: RSS Bandit | Web Development

April 12, 2006

@ 02:57 PM

Is HTTP Content Negotiation Broken as Designed?

In a recent mail on the ietf-types mailing list Larry Masinter (one of the authors of the HTTP 1.1 specification) had the following to say about content negotiation in HTTP

> > GET /models/SomeModel.xml HTTP/1.1
> > Host: www.example.org
> > Accept: application/cellml-1.0+xml; q=0.5, application/cellml-1.1+xml; q=1

HTTP content negotiation was one of those "nice in theory" protocol additions that, in practice, didn't work out. The original theory of content negotiation was worked out when the idea of the web was that browsers would support a handful of media types (text, html, a couple of image types), and so it might be reasonable to send an 'accept:' header listing all of the types supported. But in practice as the web evolved, browsers would support hundreds of types of all varieties, and even automatically locate readers for content-types, so it wasn't practical to send an 'accept:' header for all of the types.

So content negotiation in practice doesn't use accept: headers except in limited circumstances; for the most part, the sites send some kind of 'active content' or content that autoselects for itself what else to download; e.g., a HTML page which contains Javascript code to detect the client's capabilities and figure out which other URLs to load. The most common kind of content negotiation uses the 'user agent' identification header, or some other 'x-...' extension headers to detect browser versions, among other things, to identify buggy implementations or proprietary extensions.

I think we should deprecate HTTP content negotiation, if only to make it clear to people reading the spec that it doesn't really work that way in practice. .

HTTP content negotiation has always seemed to me something that seems like a good idea in theory but didn't really seem to work out in practice. It's good to see one of the founding fathers of HTTP actually admit that it is an example of theory not matching reality. It's always good to remember that just because something is written in a specification from some standards body doesn't make it a holy writ. I've seen people debate online who throw out quotes from Roy Fieldings's dissertation and IETF RFCs as if they are evangelical preachers quoting chapter and verse from the Holy Bible.

Some of the things you find in specifications from the W3C and IETF are good ideas. However they are just that ideas. Sometimes technological advances make these ideas outdated and sometimes the spec authors simply failed to consider other perspectives for solving the problem at hand. Expecting a modern browser to send an itemized list of every file type that can be read by the applications on your operating system on every single GET request plus the priority in which these file types are preferred is simply not feasible or really useful in practice. It may have been a long time ago but not now.

Similar outdated and infeasible ideas litter practically every W3C and IETF specification out there. Remember that the next time you quote chapter and verse from some Ph.D dissertation or IETF/W3C specification to justify a technology decision. Supporting standards is important but more important is applying critical thinking to the problem at hand. .

Thanks to Mark Baker for the link to Larry Masinter's post.

Categories: Web Development

April 11, 2006

@ 11:55 PM

W3C Publishes XMLHttpRequest Object specification

I just noticed that last week the W3C published a working draft specification for The XMLHttpRequest Object. I found the end of the working draft somewhat interesting. Read through the list of references and authors of the specifcation below

References

This section is normative

DOM3
Document Object Model (DOM) Level 3 Core Specification, Arnaud Le Hors (IBM), Philippe Le Hégaret (W3C), Lauren Wood (SoftQuad, Inc.), Gavin Nicol (Inso EPS), Jonathan Robie (Texcel Research and Software AG), Mike Champion (Arbortext and Software AG), and Steve Byrne (JavaSoft).
RFC2119
Key words for use in RFCs to Indicate Requirement Levels, S. Bradner.
RFC2616
Hypertext Transfer Protocol -- HTTP/1.1, R. Fielding (UC Irvine), J. Gettys (Compaq/W3C), J. Mogul (Compaq), H. Frystyk (W3C/MIT), L. Masinter (Xerox), P. Leach (Microsoft), and T. Berners-Lee (W3C/MIT).

B. Authors

This section is informative

The authors of this document are the members of the W3C Web APIs Working Group.

Robin Berjon, Expway (Working Group Chair)
Ian Davis, Talis Information Limited
Gorm Haug Eriksen, Opera Software
Marc Hadley, Sun Microsystems
Scott Hayman, Research In Motion
Ian Hickson, Google
Björn Höhrmann, Invited Expert
Dean Jackson, W3C
Christophe Jolif, ILOG
Luca Mascaro, HTML Writers Guild
Charles McCathieNevile, Opera Software
T.V. Raman, Google
Arun Ranganathan, AOL
John Robinson, AOL
Doug Schepers, Vectoreal
Michael Shenfield, Research In Motion
Jonas Sicking, Mozilla Foundation
Stéphane Sire, IntuiLab
Maciej Stachowiak, Apple Computer
Anne van Kesteren, Opera Software

Thanks to all those who have helped to improve this specification by sending suggestions and corrections. (Please, keep bugging us with your issues!)

Interesting. A W3C specification that documents a proprietary Microsoft API which not only does not include a Microsoft employee as a spec author but doesn't even reference any of the IXMLHttpRequest documentation on MSDN.

I'm sure there's a lesson in there somewhere. ;)

Categories: Web Development | XML

April 11, 2006

@ 03:20 AM

It Takes a While to Sink in Sometimes

Jeff Schneider has a blog post entitled You're so Enterprise... which is meant to be a response to a post I wrote entitled My Website is Bigger Than Your Enterprise. Since he neither linked to my post nor did he mention my full name, it's actually a coincidence I ever found his post. Anyway, he writes

In regard to the comment that Dare had made, "If you are building distributed applications for your business, you really need to ask yourself what is so complex about the problems that you have to solve that makes it require more complex solutions than those that are working on a global scale on the World Wide Web today." I tried to have a conversation with several architects on this subject and we immediately ran into a problem. We were trying to compare and contrast a typical enterprise application with one like Microsoft Live. Not knowing the MS Live architecture we attempted to 'best guess' what it might look like:

An advanced presentation layer, probably with an advance portal mechanism

Some kind of mechanism to facilitate internationalization

A highly scalable 'logic layer'

A responsive data store (cached, but probably not transactional)

A traditional row of web servers / maybe Akamai thing thrown in

Some sort of user authentication / access control mechanism

A load balancing mechanism

Some kind of federated token mechanism to other MS properties

An outward facing API

Some information was syndicated via RSS

The bulk of the code was done is some OO language like Java or C#

Modularity and encapsulation was encouraged; loose coupling when appropriate

Some kind of systems management and monitoring

Assuming that we are capturing any sensitive information, an on the wire encryption mechanism

We guessed that many of the technologies that the team used were dictated to them: Let's just say they didn't use Java and BEA AquaLogic.

We also guessed that some of the typical stuff didn't make their requirements list (regulatory & compliance issues, interfacing with CICS, TPF, etc., interfacing with batch systems, interfacing with CORBA or DCE, hot swapping business rules, guaranteed SLA's, ability to monitor state of a business process, etc.)

At the end of the day - we were scratching our heads. We DON'T know the MS Live architecture - but we've got a pretty good guess on what it looks like - and ya know what? According to our mocked up version, it looked like all of our 'Enterprise Crap'.

So, in response to Dare's question of what is so much more complex about 'enterprise' over 'web', our response was "not much, the usual compliance and legacy stuff". However, we now pose a new question to Dare:
What is so much more simple about your architecture than ours?

Actually, a lot of the stuff he talks about with regards to SLAs, monitoring business processes and regulatory issues are all things we face as part of building Windows Live. However it seems Jeff missed my point. The point is that folks building systems in places like Yahoo, Amazon and Windows Live are building systems that have to solve problems that are at the minimum just as complex as those of your average medium sized to large scale business. From his post, Jeff seems to agree with this core assertion. Yet people at these companies are embracing approaches such as RESTful web services and using scripting languages which are both often dissed as not being enterprise by ~~complexity~~ enterprise architects.

Just because a problem seems complex doesn't mean it needs a complex technology to solve it. For example, at its core RSS solves the same problem as WS-Eventing. I can describe all sorts of scenarios where RSS falls down and WS-Eventing does not. However RSS is good enough for a large number of scenarios for a smidgeon of the complexity cost of WS-Eventing. Then there are other examples where you have complex technologies like WS-ReliableMessaging that add complexity to the mix but often don't solve the real problems facing large scale services today. See my post More on Pragmatism and Web Services for my issues with WS-ReliableMessaging.

My point remains the same. Complex problems do not necessarily translate to requiring complex solutions.

Question everything.

Categories: Web Development

April 4, 2006

@ 02:57 AM

Greg Linden on SQL Databases and Internet-Scale Applications

I mentioned recently that my new kick is storage platforms for Internet-scale services. Sometimes it's hard to describe the problems that large scale services have with modern relational databases. Thankfully, I now have the post I want a big, virtual database by Greg Linden to crib a simple 1 sentence description of the problem and solution. Greg writes

In my previous story about Amazon, I talked about a problem with an Oracle database.

You know, eight years later, I still don't see what I really want from a database. Hot standbys and replication remain the state of the art.

What I want is a robust, high performance virtual relational database that runs transparently over a cluster, nodes dropping in an out of service at will, read-write replication and data migration all done automatically.

I want to be able to install a database on a server cloud and use it like it was all running on one machine.

It's interesting how your database problems change when you're thinking about hundreds of transactions a second over terabytes of data belonging to hundreds of millions of users.You might also be interested in Greg's post on Google's BigTable.

PS: If building large scale services relied on by hundreds of millions of people to communicate with their friends and family sounds interesting to you, we're still hiring for test, developer and PM positions.

Categories: Web Development

April 4, 2006

@ 02:18 AM

Metadata Quality, Events Databases and Live Clipboard

In his post Exploring Live Clipboard Jon Udell posts a screencast he made about LiveClipboard. He writes

I've been experimenting with microformats since before they were called that, and I'm completely jazzed about Live Clipboard. In this screencast I'll walk you through examples of Live Clipboard in use, show how the hCalendar payload is wrapped, grab hCalendar data from Upcoming and Eventful, convert it to iCalendar format for insertion into a calendar program, inject it natively into Live Clipboard, and look at Upcoming and Eventful APIs side-by-side.
All this leads up to a question: How can I copy an event from one of these services and paste it into another? My conclusion is that adopting Live Clipboard and microformats will be necessary but not sufficient. We'll also need a way to agree that, for example, this venue is the same as that venue. At the end, I float an idea about how we might work toward such agreements.

The problem that Jon Udell describes is a classic problem when dealing with mapping data from different domains. I posted about this a few months ago in my post Metadata Quality and Mapping Between Domain Languages where I wrote

The problem Stefano has pointed out is that just being able to say that two items are semantically identical (i.e. an artist field in dataset A is the same as the 'band name' field in dataset B) doesn't mean you won't have to do some syntactic mapping as well (i.e. alter artist names of the form "ArtistName, The" to "The ArtistName") if you want an accurate mapping.

This is the big problem with data mapping. In Jon's example, the location is called Colonial Theater in Upcoming and Colonial Theater (New Hampshire) in Eventful. In Eventful it has a street address while in Upcoming only the street name is provided. Little differences like these are what makes data mapping a hard problem. Jon's solution is for the community to come up with global identifiers for venues as tags (e.g. Colonial_Theater_NH_03431) instead of waiting for technologists to come up with a solution. That's good advice because there really isn't a good technological solution for this problem. Even RDF/Semantic Web junkies like Danny Ayers in posts like Live clipboard and identifying things start with assumptions like every venue has a unique identifier which is it's URI. Of course this ignores the fact that coming up with a global, unique identification scheme for the Web is the problem in the first case. The problem with Jon's approach is the same one that is pointed out in almost every critique of folksonomies, people won't use the same tags for the same concept. Jon might useColonial_Theater_NH_03431 while I use Colonial_Theater_95_Maine_Street_NH_03431 which leaves us with the same problem of inconsistent identifiers being used for the same venue.

I assume that for the near future we continue seeing custom code being written to make data integration across domains work. Unfortunately, no developments on the horizon look promising in making this problem go away.

PS: Ray Ozzie has a post on some of the recent developments in the world of Live Clipboard in his post Wiring Progress, check it out.

Categories: Technology | Web Development

March 20, 2006

@ 06:00 PM

Comments [23]

My Website is Bigger Than Your Enterprise

I have found James McGovern's post More Thoughts on Ruby and Why it isn't enterprise ready! to be quite entertaining reading. The problem with blogging is that sometimes it is so easy to publish your thoughts that you don't stop to think about what you are writing. Instead of picking at James McGovern's arguments myself, I'll post a summary of his tirade made by David Heinemeier Hansson in his post Boy, is James McGovern enterprise or what!

Allow me to summarize a few choice bits from McGovern's incomprehensibly convoluted ranting. You may not have the patience to finish through his tirade:

Productivity doesn't matter any more (8), but even if it did, there's no way Ruby could deliver more of it because sales people have used the word productivity to lie to me in the past (11).
Whatever we're doing now is already the right thing (2) until the big consulting firms tell us that something else is the right thing (3). And they're not going to tell us about Ruby because they can't make money off it (7).
None of my fellow Enterprise Architects talk about Ruby (5) because they're too busy to think about their business to worry about new technology (4).
All magazines that write about Ruby are bad (4) and all books written about Ruby are bad (1). If other people say they're good, it's because they were paid to say that (12).

The funny thing about a lot of the people who claim to be 'Enterprise Architects' is that I've come to realize that they tend to seek complex solutions to relatively simple problems. How else do you explain the fact that web sites that serve millions of people a day and do billions of dollars in business a year like Amazon and Yahoo are using scripting languages like PHP and approaches based on REST to solve the problem of building distributed applications while you see these 'enterprise architect' telling us that you need complex WS-* technologies and expensive toolkits to build distributed applications for your business which has less issues to deal with than the Amazons and Yahoos of this world?

I was chatting with Dion Hinchcliffe at the Microsoft SPARK workshop this weekend and I asked him who the audience was for his blog on Web 2.0. He mentioned that he gets thousands of readers who are enterprise developers working for government agencies and businesses who see all the success that Web companies are having with simple technologies like RSS and RESTful web services while they have difficulty implementing SOAs in their enterprises for a smaller audience than these web sites. The lesson here is that all this complexity being pushed by so-called enterprise architects, software vendors and big 5 consulting companies is bullshit. If you are building distributed applications for your business, you really need to ask yourself what is so complex about the problems that you have to solve that makes it require more complex solutions than those that are working on a global scale on the World Wide Web today.

NOTE: This post isn't pro-Ruby or not since I have NOT used the language or any of its platforms.

Categories: Web Development

March 17, 2006

@ 08:23 PM

Storage is Key

I'll be flying out for the Microsoft SPARK workshop in Las Vegas tonight. I've been trying to wrap my mind around what I want to talk about. Last year I was really jazzed about the concept of The Web as a Platform including Web APIs and conversations around SOAP vs. REST. Since then a couple of things have changed in the B0rg cube, the Indigo folks (i.e. Windows Communications Foundation) now consider supporting REST to be important and a lot of the stuff I suggested in my ThinkWeek paper is going to be implemented by a new group formed to support the Windows Live platform. All this will be discussed and new stuff revealed next week at the MIX '06 conference which I won't be attending.

I've recently begun to get jazzed about storage platforms for Internet-scale services. I can't help but smile when I read posts like Patrick Logan's Storage Paradigms where he writes

Stephen Williams writes in the FoRK email list on an exchange about Amazon's new storage service...
I firmly believe that both full filesystem semantics and ACID integrity constraints are red herrings and have seen a number projects reach the same conclusion...
With database-based applications, even when you have ACID capabilities, there are a number of reasons to avoid updates, avoid "accumulators", and otherwise avoid many of the situations where you needed transactions to begin with.
...
I will be interested to learn if Amazon has now or will offer some higher-level services on their storage service. Search, matching, versioning, etc. I see they want to keep it simple, and I agree with that. Before long though people will want to do things with their storage. Some of those things will be better done very close to the data itself.
I wonder if/when we'll see the ability to put computations very near Amazon's storage (including indexes, calculations, searches, etc.) that are aware of the format of the stored data, that is secure, etc. Storage is just the most basic start of a shared grid of services.

I suspect I'll end up writing another ThinkWeek paper this year. More than likely the content will draw heavily from the ideas referenced in my previous blog post entitled SQL Databases and Internet-Scale Applications.

Categories: Web Development | XML Web Services

March 15, 2006

@ 02:51 AM

Amazon's Simple Storage Service and GDrive

From Mike Arrington's post Amazon: Grid Storage Web Service Launches on TechCruch we learn

Amazon Web Service is launching a new web service tonight called S3 - which stands for "Simple Storage Service". It is a storage service backend for developers that offers "a highly scalable, reliable, and low-latency data storage infrastructure at very low costs".
...
Here are the facts: This is a web service, and so Amazon is not releasing a customer facing service. They are offering standards-based REST and SOAP web services interfaces for developers. Entire classes of companies can be built on S3 that would not have been possible before due to infrastructure costs for the developer.
...
Virtually any file type is allowed, up to 5 GB. Files may be set as public, shared or private and will have a unique URL. Pricing is cheaper than anything else I’ve seen: $0.15 per GB of storage per month, and $0.20 for each GB of data transferred up or downstream. This translates to $15 per month for 100 GB of storage, net of any transfer fees (to move that much data on to S3 would be a one time cost of $20). These prices are going to be significantly below the development and ongoing costs for small or medium sized storage projects - meaning a lot of the front end services I’ve previously profiled will be much better off moving their entire back end to S3.
This is game changing.

A reader of my blog asked me to give my thoughts on Amazon's S3. The first question was what I thought about this in relation to Google's upcoming GDrive service. Both offerings aren't competing but they are related. GDrive will likely be an ad funded consumer service that offers functionality similar to that of sites like XDrive which enables users to store files in the "cloud" and interact with them via a website and/or a user interface integrated into the file explorer of their operating system. S3 is a service that can be used by applications to store files for a set cost. One could probably build a competitor to GDrive or XDrive using Amazon's S3.

Since my team owns Storage in the "cloud" for Windows Live, building something like Amazon's S3 is something I've thought quite a bit about but never actually pitched at work due to business ramifications. Giving programmatic access to cloud storage needs a revenue model but no one wants to charge for stuff like that since the assumption is that Google or Yahoo! will just give it away for free. What would work better is having something like GDrive which is ad-funded then giving users the ability to access their files using any application that supports the GDrive API. There is still the problem of how you prevent "abuse" (i.e. apps that only go through the GDrive API and thus the user never sees ads).

Being a curious developer type I read the online documentation for the Amazon S3 service to see how hard it would be to build something like GDrive on top of it. The tricky part seems to be that applications only get 100 buckets which are collections of data which can contain an unlimited amount of objects. So my GDrive app wouldn't be able to map each user to a bucket. Instead it would either have to map each user's data to an object (a tarball or ZIP file?) or instead come up with a custom way of partitioning buckets into subgroups each mapping to an individual user's data.

By the way did anyone else notice that bandwidth per GB costs more than storage per GB? The question for you viewers at home is whether this is surprising or expected. ;)

Categories: Web Development | XML Web Services

March 5, 2006

@ 10:27 PM

The Mashup Disconnect: Vendors vs. Developers

Sometimes reading blogs makes you feel like you are in high school. People sometimes chase popularity and wear their immaturity on their sleeve in ways you haven't seen since you were struggling with puberty. One such example is the hubbub around the MashupCamp vs. BarCamp started by Ryan King in his post MashupCamp jumped the shark. Basically some folks who got upset because they weren't invited to Tim O'Reilly's FooCamp came up with a knockoff conference called BarCamp then got upset when another conference called MashupCamp started getting press for the knocking off the same concept. Amazed? I can barely believe it either.

Although the debate [if one can call it that] has been pretty pointless, I did find one quote from Ryan King that I thought was worth highlighting. In his post Live by the Snark, die by the Snark Ryan writes

Wait, no it’s not just me.

David Berlind busted his ass to put together something not vendor-controlled that unavoidably involved vendors because vendor APIs were what was being mashed up.

I see no reason why vendors have to be involved because their services are being mash-up’ed. Aren’t the people writing the mash-ups actually more important here?

The above argument seems weird to me. If I was attending a conference about building Java applications, I'd expect to see Java vendors like Sun and IBM there. If I was attending a conference on building Windows applications, I'd want to see Microsoft developers there. So, if there is a conference about building applications based on data and services from various service providers, why is wouldn't you expect to see the data/service providers at this conference? I think sometimes people take the big companies are bad meme to ridiculous extremes. This is one of those examples.

Personally, I think one of the problems with the discussions around Mashups I've seen at conferences and in blogs is the lack of high level discussion between providers of services/data and developers who use these APIs and data. This is one of the things I miss from when I worked on XML APIs for the .NET Framework. Back then it was clear what developers were interested in our APIs and what they wanted us to do next. The uncertainties were around prioritizing various developer requests and when we could deliver solutions to their problems. On the other hand, now that I've been in discussions around various aspects of the Windows Live platform I've found it hard to figure out who our customers were and what APIs they'd like us to provide. What we need is more dialog between developers building mashups and vendors that provide APIs & data not an us vs. them mentality that builds unnecessary animosity.

Categories: Web Development

March 2, 2006

@ 05:59 PM

My Virtual Earth Mashup Article on XML.com

After procrastinating for what seems like half a year, I finished my article Seattle Movie Finder: An AJAX and REST-Powered Virtual Earth Mashup which has now been published on O'Reilly XML.com. The article is a walkthrough of how I built my Seattle Movie Finder application with a few tips on building mapping mashups.

I think the most useful tip from the article is letting people know about the geocoder.us API which provide REST, SOAP and XML-RPC services for converting addresses to latitudes and longitudes. That discovery helped a great deal. The Virtual Earth folks currently advise people who want geocoding to register for the MapPoint SOAP Web services which was too much of a hassle for me. On the other hand, the free and zero hassle geocoder.us got the job done.

I'm thinking of turning this into a series with the next article explaining how I built my MSN Spaces Photo Album Browser gadget for Live.com. Let me know what you think of the article.

Categories: Web Development | Windows Live

February 24, 2006

@ 07:27 PM

Yahoo! Design Patterns and User Interface Library

Yahoo! announced some cool stuff last week. In his blog post Yahoo! UI JavaScript treats Simon Willison writes

The Yahoo! Developer Network was updated yesterday with a veritable gold-mine of Exciting New Stuff, coinciding with the launch of the brand new Yahoo! User Interface Blog. #

Here are some of the highlights: #

Mature, extensively tested cross-browser JavaScript libraries for animation, event handling, DOM wrangling, XMLHttpRequest Drag and Drop. # and

CSS-skinnable UI controls built on those libraries: Calendar, Slider and TreeView. #

A library of documented design patterns for modern web applications. #

A description of Yahoo!'s Graded Browser Support policy, which should be of great interest to anyone who cares about Web Standards, semantic HTML, accessibility, progressive enhancement and unobtrusive JavaScript. #

The code is all under a BSD Open Source license, which means you can use it freely in your own projects, including for commercial development. #

This is a fantastic contribution to the Web developer community by Yahoo!. It's taken me a week to blog about it because I wanted to try it out first. Unfortunately I still haven't gotten around to trying out the code but I decided to give it a shout out anyway. This is basically what I expected Microsoft to provide developers with Atlas but not only has Yahoo! done it first, it has done so in a way that is completely free (as in speech and as in beer). Wow.

The folks at Yahoo! are definitely understand what it means to build a developer platform and a developer community on the Web. Kudos to everyone involved in getting this out.

Categories: Web Development

February 23, 2006

@ 04:38 PM

Google Launches GeoCities Clone, Film at 11

From Matt Cutt's blog post about the Google Page Creator we learn

Oh, and by the way, it looks like Google has released a tool to make mini-websites. The Google Page Creator at http://pages.google.com/ lets you throw up a quick set of pages without a ton of hassle. Looks like a bunch of different look ‘n’ feel choices:

I feel like I'm in a time warp. Did Google just ship their own version of GeoCities? Isn't this space dead? End users have graduated from personal home pages to blogs and social networking tools which is why sites like MySpace, MSN Spaces and Xanga have tens of millions of users. Business users are likely to want an entire package like Office Live instead of just a web page creation tool.

Who exactly is the target audience for this offering?

Update: I just noticed that username@gmail.com is equal to username.googlepages.com. How do you ship a product with such an obvious privacy bug? I guess if you are creating a 20% project you don't need to have privacy reviews. Doh!

Categories: Web Development

February 21, 2006

@ 11:11 PM

SQL Databases and Internet-Scale Applications

When you build web applications that have to scale up to millions of users, you sometimes end up questioning almost every aspect of your design as you hit scalability problems. One thing I hadn't expected was to notice that a number of people in our shoes had begun to point out the limitations of SQL databases when it comes to building modern Web applications. Below are a sampling of such comments primarily gathered together so I have easy access to them next time I want an example of what I mean by limitations of SQL databases when building large scale Web applications.

From Google's Adam Bosworth we have the post Where Have all the Good databases Gone

The products that the database vendors were building had less and less to do with what the customers wanted...Google itself (and I'd bet a lot Yahoo too) have similar needs to the ones Federal Express or Morgan Stanley or Ford or others described, quite eloquently to me. So, what is this growing disconnect?

It is this. Users of databases tend to ask for three very simple things:

1) Dynamic schema so that as the business model/description of goods or services changes and evolves, this evolution can be handled seamlessly in a system running 24 by 7, 365 days a year. This means that Amazon can track new things about new goods without changing the running system. It means that Federal Express can add Federal Express Ground seamlessly to their running tracking system and so on. In short, the database should handle unlimited change.

2) Dynamic partitioning of data across large dynamic numbers of machines. A lot people people track a lot of data these days. It is common to talk to customers tracking 100,000,000 items a day and having to maintain the information online for at least 180 days with 4K or more a pop and that adds (or multiplies) up to a 100 TB or so. Customers tell me that this is best served up to the 1MM users who may want it at any time by partioning the data because, in general, most of this data is highly partionable by customer or product or something. The only issue is that it needs to be dynamic so that as items are added or get "busy" the system dynamically load balances their data across the machines. In short, the database should handle unlimited scale with very low latency. It can do this because the vast majority of queries will be local to a product or a customer or something over which you can partion...

3) Modern indexing. Google has spoiled the world. Everyone has learned that just typing in a few words should show the relevant results in a couple of hundred milliseconds. Everyone (whether an Amazon user or a customer looking up a check they wrote a month ago or a customer service rep looking up the history for someone calling in to complain) expects this. This indexing, of course, often has to include indexing through the "blobs" stored in the items such as PDF's and Spreadsheets and Powerpoints. This is actually hard to do across all data, but much of the need is within a partioned data set (e.g. I want to and should only see my checks, not yours or my airbill status not yours) and then it should be trivial.
...
Users of databases don't believe that they are getting any of these three. Salesforce, for example, has a lot of clever technology just to hack around the dynamic schema problem so that 13,000 customers can have 13,000 different views of what a prospect is.

If the database vendors ARE solving these problems, then they aren't doing a good job of telling the rest of us.
Joshua Schachter of del.icio.us is quoted as saying the following in a recent talk

Scaling: avoid early optimization. SQL doesn't map well to these problems - think about how to split up data over multiple machines. Understand indexing strategies, profile every SQL statement. Nagios or similar for monitoring.

Tags don't map well to SQL. Sometimes you can prune based on usage - only index the first few pages for example. This keeps indexes small and fast.
Mark Fletcher of Bloglines wrote the following in his post Behind the Scenes of the Bloglines Datacenter Move (Part 2)

The Bloglines back-end consists of a number of logical databases. There's a database for user information, including what each user is subscribed to, what their password is, etc. There's also a database for feed information, containing things like the name of each feed, the description for each feed, etc. There are also several databases which track link and guid information. And finally, there's the system that stores all the blog articles and related data. We have almost a trillion blog articles in the system, dating back to when we first went on-line in June, 2003. Even compressed, the blog articles consist of the largest chunk of data in the Bloglines system, by a large margin. By our calculations, if we could transfer the blog article data ahead of time, the other databases could be copied over in a reasonable amount of time, limiting our downtime to just a few hours.

We don't use a traditional database to store blog articles. Instead we use a custom replication system based on flat files and smaller databases. It works well and scales using cheap hardware.

Interesting things happen when you question everything.

Categories: Web Development

February 13, 2006

@ 09:19 PM

Microsoft's SPARK workshop

Harry Pierson has a blog post entitled SPARK is Out of the Bag where he writes

As part of the new job, I'm involved in the planning a workshop called SPARK, which Dion Hinchcliffe blogged about this morning. (Dion also writes a blog here - bringing the total to three - so I created a combined feed just to keep track of all the places he writes). My new boss Mike also mentioned SPARK this morning. In the hopes of sparking futher interest (pun intended), here's the overview of SPARK:

SPARK is the first in a series of high-level forums hosted by Microsoft that use a workshop setting to examine “the issues that matter most” in the practice of strategic architecture and produce guidance for the industry as a whole.

Today, new social movements, advances in technology, and forces within business are overlapping to create a landscape glutted with challenges and opportunities. In many cases, these forces have driven the deployment of new technologies and the adoption of new behaviors, adding multiple layers to an already complex set of issues that must be navigated. Architects are searching for a solution that helps manage this complexity.

SOA, Software as a Service, Web 2.0, and Edge are all elements of the solution, but are they the complete picture? Are they a sufficient answer to the issues? Can they be used together in a productive and efficient fashion? What matters most?

SPARK is an invite-only event and it looks like I was invited. I'm not sure what to expect. On the one hand it looks like one giant game of buzzword bingo with Web 2.0 hypesters and SOA propaganda-ists trying to outdo each other throwing out spurious buzzwords and grand proclamations. On the other hand some of the invitees have me intrigued and it would be good to compare notes on building services for the World Wide Web in today's world with other folks facing the same kind of issues I do in my day job.

I'll definitely be attending this workshop but not the accompanying MIX '06 conference. However I still plan to flip the bozo bit on any idiot that tries to talk to me about Web 2.0 while at this workshop.

Categories: Web Development

February 4, 2006

@ 06:51 PM

The Difference Between Microsoft and O'Reilly Conferences

Next month, I'm currently scheduled to attend both the O'Reilly Emerging Technology Conference and MIX '06. Given my current work load it is unlikely that I can afford to be away from work for almost two weeks next month. It's likely that I'll just attend one conference next month, in which case it will be ETech not MIX. I was talking to some folks at work about this recently and we talked about the difference between O'Reilly conferences and Microsoft conferences which led me to this decision.

Microsoft's conferences are about technology and often are pitched as training events. The pitch is usually some variation come spend three to five days learning about exciting Microsoft technologies. The MIX '06 website currently has the following on the front page

Learn how to deliver revolutionary media-rich Web content with the new Windows Presentation Foundation,
Explore Windows Live!, Microsoft's new consumer services strategy
Find out how to extend your content, media and services into the living room with Windows Media Center and Xbox 360™
etc

O'Reilly conferences are often about getting interesting people together. The pitch is usually some variation of come spend three to five days listening to and meeting exciting people in the technology industry. The O'Reilly Emerging Technology Conference has the following speakers highlighted on the front page

Ray Ozzie
Jon Udell
Joel Spolsky
Tim Bray
Mark Pilgrim
Danah Boyd
Sam Ruby
Kevin Lynch
Linda Stone
Clay Shirky
etc

If you were a Web geek and only had enough time to attend one conference, which one would you attend?

Categories: Web Development

February 1, 2006

@ 05:53 PM

AJAX 2.0: What Can Web Browsers Do To Get Us There?

It seems like I'm not the only person underwhelmed by the recent Internet Explorer 7 beta release. Alex Russell, one of the guys behind the brilliant Dojo Toolkit, has a blog post entitled How IE7 Can Avoid Irrelevance which lists a number of places where Internet Explorer is deficient when it comes to DHTML/AJAX development. He writes

At a minimum, dynamic web apps need the following out of IE and JScript in the very near future:

Memory leaks need to simply disappear
Fix the cache+gzip bugs
Give us getters/setters in JScript or give back watch()
Fix the event object. Pass it in to DOM handlers by default. Also, offsetLeft and offsetTop are so ambiguious as to be useless. Give us currentTarget.
Bump the limit on the number of concurrent HTTP connections if those connections are initiated after onload (either via XMLHTTP or other methods)
Today, allocating more than 5K objects or so brings JScript to its knees. Object allocation cost needs to be O(1)
Either revive (and start to fix) VML or give it an SVG-Tiny+DOM facade
Give us a persistent, string-keyed, local cache in the MB range (5-10MB/domain seems a good start)
Fast DOM queries. CSS selectors or XPath, we don’t care. Just give us a way to say “get us all DOM node objects matching this”
A way to toggle the box model on a per-element basis without switching doctypes. The CSS 3 box model spec seems a good starting point

If Microsoft is to re-build any credibility around their browser, they need to show us the goods. CSS fixes won’t suffice this time around.

This is a pretty good list and it contains a lot of the features Jon Udell mentioned that he would like to see in future versions of Internet Explorer in his post Further adventures in lightweight service composition . The only thing I'd change about Alex's post would be to rename it How IE8 Can Avoid Irrelevance. I've worked at Microsoft long enough to know that by the time a product hits beta 2, the only kind of changes you are going to see are fixes to major [as in crashing] bugs, security fixes and low cost cosmetic changes. I can only hope that it doesn't take us another five years to see the next version of Internet Explorer

On the positive side, it looks like Dean Hachamovitch who runs the IE team not only has read Alex's blog post but posted a response . That's a good start. .

Categories: Web Development

January 31, 2006

@ 08:12 PM

Some Thoughts on the IE 7 Beta 2 Preview release

If you are a regular reader of the Internet Explorer team's blog then you should know that IE7 Beta 2 Preview is now available.

I've used it for about 10 minutes now and I'm still having difficulty getting used to the changes in the user interface. They seem like rather gratuitous changes to me, the browser now seems unfamiliar although I assume that I'll eventually get used to the new look and feel. My main interest was in checking out the RSS support in the browser and so far I've been unsatisfied by the experience. Below is a screenshot of what it looks like when subscribed to a feed.

The general RSS reading experience is rather unsatisfactory. There are so many features I take for granted from using RSS Bandit that I find the RSS experience in IE 7 to be disappointing. No search folders, no aggregated views of items within a category, no ability to flag items, no options to email an item or post it to my favorite social bookmarking site. I couldn't even figure out how to mark individual items as read or unread. I found it to be pretty unusable as a replacement for my current RSS reader.

PS: For some reason since upgrading to IE 7, all the HTML mail in Outlook now hurts my eyes to look at. Does IE 7 flip on ClearType by default or something?

Categories: Web Development

January 24, 2006

@ 07:06 PM

IE to Support Native XMLHttpRequest object

Sunava Dutta on the Internet Explorer team has written about their support for a Native XMLHTTPRequest object in IE 7. He writes

I’m excited to mention that IE7 will support a scriptable native version of XMLHTTP. This can be instantiated using the same syntax across different browsers and decouples AJAX functionality from an ActiveX enabled environment.

What is XMLHTTP?

XMLHTTP was first introduced to the world as an ActiveX control in Internet Explorer 5.0. Over time, this object has been implemented by other browsing platforms, and is the cornerstone of “AJAX” web applications. The object allows web pages to send and receive XML (or other data) via the HTTP protocol. XMLHTTP makes it possible to create responsive web applications that do not require redownloading the entire page to display new data. Popular examples of AJAX applications include the Beta version of Windows Live Local, Microsoft Outlook Web Access, and Google’s GMail.

Charting the changes: XMLHTTP in IE7 vs. IE6

In IE6 and below, XMLHTTP is implemented as an ActiveX object provided by MSXML.

In IE7, XMLHTTP is now also exposed as a native script object. Users and organizations that choose to disable ActiveX controls can still use XMLHTTP based web applications. (Note that an organization may use Group Policy or IE Options to disable the new native XMLHTTP object if desired.) As part of our continuing security improvements we now allow clients to configure and customize a security policy of their choice and simultaneously retain functionality across key AJAX scenarios.

IE7’s implementation of the XMLHTTP object is consistent with that of other browsers, simplifying the task of cross-browser compatibility. Using just a bit of script, it’s easy to build a function which works with any browser that supports XMLHTTP:

if (window.XMLHttpRequest){

          // If IE7, Mozilla, Safari, etc: Use native object
          var xmlHttp = new XMLHttpRequest()

}
else
{
if (window.ActiveXObject){

          // ...otherwise, use the ActiveX control for IE5.x and IE6
          var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
          }

}

Note that IE7 will still support the legacy ActiveX implementation of XMLHTTP alongside the new native object, so pages currently using the ActiveX control will not require rewrites.

I wonder if anyone else sees the irony in Internet Explorer copying features from Firefox which were originally copied from IE?

Categories: Web Development

January 24, 2006

@ 01:17 AM

Brad Fitzpatrick on Browser Bugs and Cross Site Scripting Attacks

Brad Fitzpatrick, founder of Livejournal, has a blog post entitled Firefox bugs where he talks about some of the issues that led to the recent account hijackings on the LiveJournal service.

What I found most interesting were Brad's comments on Bug# 324253 - Do Something about the XSS issues that -moz-binding introduces in the Firefox bugzilla database. Brad wrote

Hello, this is Brad Fitzpatrick from LiveJournal.
Just to clear up any confusion: we do have a very strict HTML sanitizer. But we made the decision (years ago) to allow users to host CSS files offsite because... why not? It's just style declarations, right?
But then came along behavior, expression, -moz-binding, etc, etc...
Now CSS is full of JavaScript. Bleh.
But Internet Explorer has two huge advantages over Mozilla:
-- HttpOnly cookies (Bug 178993), which LiveJournal sponsored for Mozilla, over a year ago. Still not in tree.
-- same-origin restrictions, so an offsite behavior/binding can't mess with the calling node's DOM/Cookies/etc.
Either one of these would've saved our ass.
Now, I understand the need to innovate and add things like -moz-bindings, but please keep in mind the authors of webapps which are fighting a constant battle to improve their HTML sanitizers against new features which are added to browser.
What we'd REALLY love is some document meta tag or HTTP response header that declares the local document safe from all external scripts. HttpOnly cookies are such a beautiful idea, we'd be happy with just that, but Comment 10 is also a great proposal... being able to declare the trust level, effectively, of external resources. Then our HTML cleaner would just insert/remove the untrusted/trusted, respectively.

Cross site scripting attacks are a big problem for websites that allow users to provide HTML input. LiveJournal isn't the only major blogging site to have been hit by them, last year the 'samy is my hero' worm hit MySpace and caused some downtime for the service.

What I find interesting from Brad's post is how on the one hand having richer features in browsers is desirable (e.g. embedded Javascript in CSS) and on the other becomes a burden for developers building web apps who now have to worry that even stylesheets can contain malicious code.

The major browser vendors really need to do a better job here. I totally agree with one of the follow up comments in the bug which stated If Moz & Microsoft can agree on SSL/anti-phishing policy and an RSS icon, is consensus on scripting security policy too hard to imagine?. Collaborating on simple stuff like what orange icon to use for subscribing to feeds is nice, but areas like Web security could do with more standardization across browsers. I wonder if the WHAT WG is working on standardizing anything in this area...

Categories: Web Development

January 21, 2006

@ 01:01 PM

Metadata Quality and Mapping Between Domain Languages

One part of the XML vision that has always resonated with me is that it encourages people to build custom XML formats specific to their needs but allows them to map between languages using technologies like XSLT. However XML technologies like XSLT focus on mapping one kind of syntax for another. There is another school of thought from proponents of Semantic Web technologies like RDF, OWL, and DAML+OIL, etc that higher level mapping between the semantics of languages is a better approach.

In previous posts such as RDF, The Semantic Web and Perpetual Motion Machines and More on RDF, The Semantic Web and Perpetual Motion Machines I've disagreed with the thinking of Semantic Web proponents because in the real world you have to mess with both syntactical mappings and semantic mappings. A great example of this is shown in the post entitled On the Quality of Metadata... by Stefano Mazzocchi where he writes

One thing we figured out a while ago is that merging two (or more) datasets with high quality metadata results in a new dataset with much lower quality metadata. The "measure" of this quality is just subjective and perceptual, but it's a constant thing: everytime we showed this to people that cared about the data more than the software we were writing, they could not understand why we were so excited about such a system, where clearly the data was so much poorer than what they were expecting.

We use the usual "this is just a prototype and the data mappings were done without much thinking" kind of excuse, just to calm them down, but now that I'm tasked to "do it better this time", I'm starting to feel a little weird because it might well be that we hit a general rule, one that is not a function on how much thinking you put in the data mappings or ontology crosswalks, and talking to Ben helped me understand why.

First, let's start noting that there is no practical and objective definition of metadata quality, yet there are patterns that do emerge. For example, at the most superficial level, coherence is considered a sign of good care and (here all the metadata lovers would agree) good care is what it takes for metadata to be good. Therefore, lack of coherence indicates lack of good care, which automatically resolves in bad metadata.

Note how the is nothing but a syllogism, yet, it's something that, rationally or not, comes up all the time.

This is very important. Why? Well, suppose you have two metadatasets, each of them very coherent and well polished about, say, music. The first encodes Artist names as "Beatles, The" or "Lennon, John", while the second encodes them as "The Beatles" and "John Lennon". Both datasets, independently, are very coherent: there is only one way to spell an artist/band name, but when the two are merged and the ontology crosswalk/map is done (either implicitly or explicitly), the result is that some songs will now be associated with "Beatles, The" and others with "The Beatles".

The result of merging two high quality datasets is, in general, another dataset with a higher "quantity" but a lower "quality" and, as you can see, the ontological crosswalks or mappings were done "right", where for "right" I mean that both sides of the ontological equation would have approved that "The Beatles" or "Beatles, The" are the band name that is associated with that song.

At this point, the fellow semantic web developers would say "pfff, of course you are running into trouble, you haven't used the same URI" and the fellow librarians would say "pff, of course, you haven't mapped them to a controlled vocabulary of artist names, what did you expect?".. deep inside, they are saying the same thing: you need to further link your metadata references "The Beatles" or "Beatles, The" to a common, hopefully globally unique identifier. The librarian shakes the semantic web advocate's hand, nodding vehemently and they are happy campers.

The problem Stefano has pointed out is that just being able to say that two items are semantically identical (i.e. an artist field in dataset A is the same as the 'band name' field in dataset B) doesn't mean you won't have to do some syntactic mapping as well (i.e. alter artist names of the form "ArtistName, The" to "The ArtistName") if you want an accurate mapping.

The example I tend to cull from in my personal experience is mapping between different XML syndication formats such as Atom 1.0 and RSS 2.0. Mapping between both formats isn't simply a case of saying <atom:published> owl:sameAs <pubDate> or that <atom:author> owl:sameAs <author> . In both cases, an application that understands how to process one format (e.g. an RSS 2.0 parser) would not be able to process the syntax of the equivalent elements in the other (e.g. processing RFC 3339 dates as opposed to RFC 822 dates).

Proponents of Semantic Web technologies tend to gloss over these harsh realities of mapping between vocabularies in the real world. I've seen some claims that simply using XML technologies for mapping between XML vocabularies means you will need N² transforms as opposed to needing 2N transforms if using SW technologies (Stefano mentions this in his post as has Ken Macleod in his post XML vs. RDF :: N × M vs. N + M). The explicit assumption here is that these vocabularies have similar data models and semantics which should be true otherwise a mapping wouldn't be possible. However the implicit assumption is that the syntax of each vocabulary is practically identical (e.g. same naming conventions, same date formats, etc) which this post provides a few examples where this is not the case.

What I'd be interested in seeing is whether there is a way to get some of the benefits of Semantic Web technologies while acknowledging the need for syntactical mappings as well. Perhaps some weird hybrid of OWL and XSLT? One can only dream...

Categories: Web Development | XML

January 1, 2006

@ 07:57 PM

Waiting for AJAX 2.0

Reading the blogs of Tim Berners-Lee and Jon Udell this morning, I was struck by how clear it is that the Javascript platform within the browser is somewhat immature and incomplete.

In his post Links on the Semantic Web Tim Berners-Lee writes

To play with semantic web links, I made a toy semantic web browser, Tabulator. Toy, because it is hacked up in Javascript
....
Here is the current snag, though. Firefox security does not allow a script from a given domain to access data from any other domain, unless the scripts are signed, or made into an extension. And looking for script signing tools (for OS X?) led me to dead ends. So if anyone knows how to do that, let me know. Untill I find a fix for that, the power of following links -- which is that they can potentially go anywhere -- is alas not evident!

In his post Predictions for 2006 Jon Udell writes

June 15: Browser local storage

An Alchemy application, though, always works with a genuine local data model that it stores as sets of XML fragments and navigates in a relational style. Bosworth's hunch is that a Web-style thin client, driven by a rich data model intelligently synchronized with the services cloud, could do most of what we really need -- both offline and online.
That's from a column entitled Thin client, rich data. The next turn of the AJAX crank has to involve an intelligent local data store. It's been on my wishlist forever, but Mozilla CTO Brendan Eich told me to expect results in 2006, so I do.

Almost everyone who has attempted building an AJAX application has hit the issues mentioned by Jon Udell and Tim Berners-Lee in their posts. Everytime I mess around with AJAX I can't help thinking how much more interesting the applications could be if I could offload the data aggregation/integration to the client browser instead of doing it on the server. I've thought the same about offline storage, why can't I store richer information than just cookie data on the local client in a cross-platform manner?

It's hard to get wrapped up in the AJAX hype when such fundamental holes exist in the functionality provided by modern web browsers. I hope Jon Udell is right and the Mozilla folks plan to fix some of the more fundamental problems with building AJAX applications on the Web today.

Categories: Web Development

December 21, 2005

@ 06:09 AM

AOL Instant Messenger and Google Talk to Interoperate

The Reuters article AOL, Google ad pact to include video, instant msgs states

America Online said Google had agreed to invest $1 billion to take a 5 percent stake in AOL, as part of an enhanced pact where Google will move beyond text-based advertising to allow AOL to sell graphical ads to Google's fast-growing ad network.

The stake effectively values AOL at $20 billion, a key benchmark should Time Warner elect to spinoff or sell a part of its Internet unit in response to dissident shareholder Carl Icahn's proxy campaign to break up the company.

Terms of the deal call for AOL to make more of its Web sites searchable via Google search, including a plans to feature AOL's premium video services within Google Video, a way of searching for Web-based video programming.

They also said they had agreed, under certain unspecified conditions, to allow users of Google's recently introduced instant messaging system Google Talk to communicate with users of AOL's market-leading AIM instant messaging service.

This is a very interesting development when combined with the recent release of the Libjingle library which allows developers to use the Google Talk API. Does this mean it'll soon be possible for any developer who grabs Libjingle off of SourceForge to be able to integrate the ability to instant message with any AOL Instant Messenger (AIM) into their applications free of charge? That is definitely game changing. I haven't looked at Libjingle [for obvious reasons] but I am interested in comments on whether my analysis is on the mark or not from people who've tried it.

I'll definitely be watching the Google Talk blog and Joe Beda's blog to keep on top of the developments in this space. Interesting stuff indeed. Perhaps I'll soon be able to integrate chatting with your AIM buddies into RSS Bandit ?

Categories: Web Development

December 21, 2005

@ 01:00 AM

Comments [10]

Yahoo! Open Shortcuts Announced

I just found out about Yahoo! Open Shortcuts. This is SICK!!!. Yahoo! has done it again. The excerpt below is taken from the FAQ

How do I use it?
Do you have some shortcuts that are ready to use?
How do I create my own?
How do I manage my Open Shortcuts?
Is there search meta word trigger?
Can I name my shortcut the same name as a default shortcut?
I've got feedback about Yahoo! Open Shortcuts. Who do I tell?

How do I use it?

Type an ! (exclamation point) followed by the name of the shortcut in the Yahoo! Search box.

!shortcut_name

Examples:

!my to navigate to "http://my.yahoo.com"
!wsf to search "weather san francisco" on Yahoo!

For shortcuts that search favorite sites or start an Internet application, you can also type optional term(s) after the shortcut name.

!shortcut_name term(s)

Examples:

!ebay lamps to search for "lamps" on Ebay
!mail bill@yahoo.com to send email to "bill@yahoo.com"

Do you have some shortcuts that are ready to use?

These popular shortcuts are available for immediate use:

Navigation

!clist http://www.craigslist.org/

!my http://my.yahoo.com/

!mysp http://www.myspace.com/

Search

!amazon http://www.amazon.com/exec/obidos/external-search?mode=blended&keyword=%s

!audio http://audio.search.yahoo.com/search/audio?p=%s

!ebay http://search.ebay.com/search/search.dll?satitle=%s

!flickr http://www.flickr.com/photos/tags/%s/

!image http://images.search.yahoo.com/search/images?p=%s

!mw http://myweb2.search.yahoo.com/myresults/ourresults?p=%s

!news http://news.search.yahoo.com/news/search?p=%s

!php http://www.php.net/%s

!shop http://search.shopping.yahoo.com/search?cop=mss&p=%s

!video http://video.search.yahoo.com/search/video?p=%s

!wiki http://en.wikipedia.org?search=%s

Application

!note http://notepad.yahoo.com/?v=161&DESC=%s

!mail http://compose.mail.yahoo.com/ym/Compose?login=1&To=%s

How do I create my personal shortcuts?

To create a navigational shortcut, use the keyword: !set with your shortcut name and destination URL.

!set shortcut_name URL

Example:

To create a shortcut named "ff" to go to Yahoo! Sports Fantasy Football,
Type: !set ff http://football.fantasysports.yahoo.com/f2
To create a common search shortcut, use the keyword: !set with your shortcut name and the query.
!set shortcut_name query

Example:

To create a shortcut named "watx" to search Yahoo! for "weather austin texas",
Type: !set watx weather austin texas

To create a shortcut that searches a favorite site or starts an Internet application, use the keyword: !set with your shortcut name and the destination URL. Within the URL, substitute the query term(s) with the "%s" placeholder.

!set shortcut_name URL_%s

Example:

To create a shortcut named "yf" to search stock quotes on Yahoo! Finance,
Type: !set yf http://finance.yahoo.com/q?s=%s

This is extremely useful. I've been wanting a short cut for searching Wikipedia on popular search engines for quite a while. Just for this feature alone I can see my usage other search engines dropping.

Categories: Web Development

December 15, 2005

@ 06:58 PM

The Value of Web Platforms: Bloglines vs. Newsgator Online

Alan Kleymeyer has a post entitled NewsGator Online where he writes

I've switched my online news aggregator from Bloglines to Newsgator. First, I wanted to try it out and compare it to Bloglines. I like the interface better, especially in how you mark things as read. I've swithched for good. I mainly switched so that I can continue using RSS Bandit and get the benefit of syncing between it and an online news aggregator (supported in latest RSS Bandit 1.3.0.38 release)

Alan's post describes exactly why creating APIs for your online service and treating it as a Web platform and not just a web site is important. What would you rather use, a web-based aggregator which provides limited integration with a few desktop aggregators (i.e.Bloglines) OR a web-based aggregator which provides full integration with a variety of free and payware aggregators including RSS Bandit, NetNewsWire and FeedDemon? Building out a Web platform is about giving users choice which is what the NewsGator guys have done by providing the NewsGator API.

The canonical example of the power of Web APIs and Web platforms is RSS. Providing an RSS feed liberates your readers from the limitations of using one application (the Web browser) and one user interface (your HTML website) to view your content. They can consume it on their own terms using the applications that best fit their needs. Blogging wouldn't be as popular as it is today if not for this most fundamental of web services.

The topic of my ThinkWeek paper was turning Web sites into Web platforms and I was hoping to get to give a presentation about it at next year's O'Reilly Emerging Technology Conference but it got rejected. I guess I'll just have to keep shopping it around. Perhaps I can get it into Gnomedex or Mix '06. :)

Categories: Syndication Technology | Web Development

December 7, 2005

@ 07:48 PM

Comments [12]

Scaling Up and Startups

The folks at 37 Signals have an insightful blog post entitled Don’t scale: 99.999% uptime is for Wal-Mart which states

Jeremy Wright purports a common misconception about new companies doing business online: That you need 99.999% uptime or you’re toast. Not so. Basecamp doesn’t have that. I think our uptime is more like 98% or 99%. Guess what, we’re still here!

Wright correctly states that those final last percent are incredibly expensive. To go from 98% to 99% can cost thousands of dollars. To go from 99% to 99.9% tens of thousands more. Now contrast that with the value. What kind of service are you providing? Does the world end if you’re down for 30 minutes?

If you’re Wal-Mart and your credit card processing pipeline stops for 30 minutes during prime time, yes, the world does end. Someone might very well be fired. The business loses millions of dollars. Wal-Mart gets in the news and loses millions more on the goodwill account.

Now what if Delicious, Feedster, or Technorati goes down for 30 minutes? How big is the inconvenience of not being able to get to your tagged bookmarks or do yet another ego-search with Feedster or Technorati for 30 minutes? Not that high. The world does not come to an end. Nobody gets fired.

Scalability issues are probably the most difficult to anticipate and mitigate when building a web application. When we first shipped MSN Spaces last year, I assumed that we'd be lucky if we became as big as LiveJournal, I never expected that we'd grow to be three times as big and three times as active within a year. We've had our growing pains and it's definitely been surprising at times finding out which parts of the service are getting the most use and thus needed the most optimizations.

The fact is that everyone has scalability issues, no one can deal with their service going from zero to a few million users without revisiting almost every aspect of their design and architecture. Even the much vaunted Google has had these problems, just look at the reviews of Google Reader that called it excruciatingly slow or the complaints that Google Analytics was so slow as to be unusable.

If you are a startup, don't waste your time and money worrying about what happens when you have millions of users. Premature optimization is the root of all evil and in certain cases will lead you to being more conservative than you should be when designing features. Remember, even the big guys deal with scalability issues.

Categories: Web Development

November 19, 2005

@ 06:57 PM

Building Gadgets for Live.com and a Javascript Debugging Tip

I wrote my first gadget for http://www.live.com yesterday; the MSN Spaces Photo Album Browser. Screenshot below

It didn't take that long but it was a frustrating experience trying to find documentation. I resorted to a combination of combing the Microsoft Gadgets forums, reading the source code of existing gadgets and reading the sparse documentation at http://www.start.com/developer. We definitely have a lot of work to do in making this stuff more accessible to developers.

While working on it, I did get a fantastic tip for debugging Javascript from Matt. I didn't realize that I could use Visual Studio to debug any Javascript currently running in Internet Explorer in three steps. This is also explained in the IE blog post Scripting Debugging in Internet Explorer

In Internet Explorer, select Tools->Internet Options…->Advanced->Disable Script Debugging
In Visual Studio, select Debug->Processes
In the Processes dialog, select the IE process you want to debug and then click the Attach button

That's it. Now you can set breakpoints and party like its 1999. Being able to debug script in this manner saved me hours of wasted time because it let me know that the object models exposed by http://www.live.com and http://www.start.com are different. Somebody definitely needs to hustle and get some documentation updated.

Categories: Web Development | Windows Live

November 16, 2005

@ 11:45 PM

GoogleBase is del.icio.us 2.0

I finally got to try out Google Base and it does seem to be an interesting experience. It reminds me a lot of del.icio.us. Of course, it's missing key functionality like web feeds and a proper API, but if I was told to build the next version of del.icio.us it would probably look a bit like Google Base. The three key improvements to del.icio.us being

Supporting more item types beyond "favorite link". This means supporting metadata fields beyond title, link and description.
Allowing users to define their own fields
Adding much better search capabilities

This definitely looks like an experiment by Google to see what people do with the service which might explain it's unpolished look. It's not clear how people will end up using it but I'm sure they will since its the latest new thing from Google.

Categories: Web Development

November 4, 2005

@ 06:09 PM

Addendum on Cloning Google APIs

I saw someone reference the Dave Luebbert's reasons to clone Google's API and wonder what my opinion was in response. In my post from yesterday entitled Clone the Google APIs: Kill That Noise, I gave some technical reasons why we wouldn't want to clone the Google APIs for Windows Live Search.

However, there is probably a clarification that I should have made. In certain cases, there is one thing that trumps all technical arguments against cloning an API. That is when the API has significant market share amongst developers. This is one of the reasons why even though I thought that the MetaWeblog API is a disaster, we made the call that MSN Spaces will support the MetaWeblog API. Since the MetaWeblog API is a derivative of the Blogger API, you could argue that in this case we are cloning a Google API.

To me, the difference here is the case of mindshare. The Blogger & MetaWeblog APIs are widely supported across the weblogging industry and have become de facto industry standards. I don't believe the same can be said for the Google's search API. If anything, I'd say the OpenSearch is the closest to a de facto industry standard for search APIs although [for now] it has been ignored by the big three major search players.

On a similar note, I'd probably agree that the Google Maps API is probably on its way to reaching de facto standard and Yahoo! & Microsoft should just go ahead and clone it. If I worked on the mapping API for either company, I'd probably give it six months and if adoption hadn't increased significantly would consider cloning their API.

Categories: Web Development

November 3, 2005

@ 03:16 PM

Comments [10]

Clone the Google APIs: Kill That Noise

Yesterday Dave Winer wrote in a post about cloning the Google API Dave Winer wrote

Let's make the Google API an open standard. Back in 2002, Google took a bold first step to enable open architecture search engines, by creating an API that allowed developers to build applications on top of their search engine. However, there were severe limits on the capacity of these applications. So we got a good demo of what might be, now three years later, it's time for the real thing.

and earlier that

If you didn't get a chance to hear yesterday's podcast, it recommends that Microsoft clone the Google API for search, without the keys, and without the limits. When a developer's application generates a lot of traffic, buy him a plane ticket and dinner, and ask how you both can make some money off their excellent booming application of search. This is something Google can't do, because search is their cash cow. That's why Microsoft should do it. And so should Yahoo. Also, there's no doubt Google will be competing with Apple soon, so they should be also thinking about ways to devalue Google's advantage.

This doesn't seem like a great idea to me for a wide variety of reasons but first, let's start with a history lesson before I tackle this specific issue

A Trip Down Memory Lane
This history lesson ~~used to be~~ is in a post entitled The Tragedy of the API by Evan Williams ~~but seems to be gone now~~. Anyway, back in the early days of blogging the folks at Pyra [which eventually got bought by Google] created the Blogger API for their service. Since Blogspot/Blogger was a popular service, a the number of applications that used the API quickly grew. At this point Dave Winer decided that since the Blogger API was so popular he should implement it in his weblogging tools but then he decided that he didn't like some aspects of it such as application keys (sound familiar?) and did without them in his version of the API. Dave Winer's version of the Blogger API became the MetaWeblog API. These APIs became de facto standards and a number of other weblogging applications implemented them.

After a while, the folks at Pyra decided that their API needed to evolve due to various flaws in its design. As Diego Doval put it in his post a review of blogging APIs, The Blogger API is a joke, and a bad one at that. This lead to the creation of the Blogger API 2.0. At this point a heated debate erupted online where Dave Winer berated the Blogger folks for deviating from an industry standard. The irony of flaming a company for coming up with a v2 of their own API seemed to be lost on many of the people who participated in the debate. Eventually the Blogger API 2.0 went nowhere.

Today the blogging API world is a few de facto standards based on a hacky API created by a startup a few years ago, a number of site specific APIs (LiveJournal API, MovableType API, etc) and a number of inconsistently implemented versions of the Atom API.

On Cloning the Google Search API
To me the most salient point in the hijacking of the Blogger API from Pyra is that it didn't change the popularity of their service or even make Radio Userland (Dave Winer's product) catch up to them in popularity. This is important to note since this is Dave Winer's key argument for Microsoft cloning the Google API.

Off the top of my head, here are my top three technical reasons for Microsoft to ignore the calls to clone the Google Search APIs

Difference in Feature Set: The features exposed by the API do not run the entire gamut of features that other search engines may want to expose. Thus even if you implement something that looks a lot like the Google API, you'd have to extend it to add the functionality that it doesn't provide. For example, compare the features provided by the Google API to the features provided by the Yahoo! search API. I can count about half a dozen features in the Yahoo! API that aren't in the Google API.
Difference in Technology Choice: The Google API uses SOAP. This to me is a phenomenally bad technical decision because it raises the bar to performing a basic operation (data retrieval) by using a complex technology. I much prefer Yahoo!'s approach of providing a RESTful API and ~~MSN~~ Windows Live Search's approach of providing RSS search feeds and a SOAP API for the folks who need such overkill.
Unreasonable Demands: A number of Dave Winer's demands seem contradictory. He asks companies to not require application keys but then advises them to contact application developers who've built high traffic applications about revenue sharing. Exactly how are these applications to be identified without some sort of application ID? As for removing the limits on the services? I guess Dave is ignoring the fact that providing services costs money, which I seem to remember is why he sold weblogs.com to Verisign for a few million dollars. I do agree that some of the limits on existing search APIs aren't terribly useful. The Google API limit of 1000 queries a day seems to guarantee that you won't be able to power a popular application with the service.
Lack of Innovation: Copying Google sucks.

Categories: MSN | Web Development

October 29, 2005

@ 05:58 PM

Fixing AJAX: Cross-Domain Access and IXMLHttpRequest

Scott Isaacs has written a series of posts pointing out one of the biggest limitations of applications that use Asynchronous Javascript and XML (AJAX). The posts are XMLHttpRequest - Do you trust me?, XMLHttpRequest - Eliminating the Middleman, and XMLHttpRequest - The Ultimate Outliner (Almost) . The limitation is discussed in the first post in the series where Scott wrote

Many web applications that "mash-up" or integrate data from around the web hit the following issue: How do you request data from third party sites in a scalable and cost-effective way? Today, due to the cross-domain restrictions of xmlhttprequest, you must proxy all requests through a server in your domain.
Unfortunately, this implementation is very expensive. If you have 20 unique feeds across 10000 users, you are proxying 200,000 unique requests! Refresh even a percentage of those feeds on a schedule and the overhead and costs really start adding up. While mega-services like MSN, Google, Yahoo, etc., may choose to absorb the costs, this level of scale could ruin many smaller developers. Unfortunately, this is the only solution that works transparently (where user's don't have to install or modify settings).

This problem arises because the xmlhttprequest object can only communicate back to the originating domain. This restriction greatly limits the potential for building "mash-up" or rich aggregated experiences. While I understand the wisdom behind this restriction, I have begun questioning its value and am sharing some of my thoughts on this

I encountered this limitation in the first AJAX application I wrote, the MSN Spaces Photo Album Browser, which is why it requires you to add my domain to your trusted websites list in Internet Explorer to work. I agree with Scott that this is a significant limitation that hinders the potential of various mashups on the Web today. I'd also like to see a solution to this problem proposed.

In his post, Scott counters a number of the reasons usually given for why this limitation exists such as phishing attacks, cross site scripting and leakage of private data. However Derek Denny-Brown describes the big reason for why this limitation exists in Internet Explorer in his post XMLHttpRequest Security where he wrote

I used to own Microsoft's XMLHttpRequest implementation, and I have been involved in multiple security reviews of that code. What he is asking for is possible, but would require changes to the was credentials (username/password) are stored in Windows' core Url resolution library: URLMON.DLL. Here is a copy of my comments that I posted on his blog entry:

The reason for blocking cross-site loading is primarily because of cached credentials. Today, username/password information is cached, to avoid forcing you to reenter it for every http reference, but that also means that script on yahoo.com would have full access to _everything_ in your gmail/hotmail/bank account, without a pop-up or any other indication that the yahoo page was doing so. You could fix this by associating saved credentials with a src url (plus some trickery when the src was from the same sight) but that would require changes to the guts of windows url support libraries (urlmon.dll)

Comparing XML to CSS or images is unfair. While you can link to an image on another sight, script can't really interact with that image; or example posting that image back to the script's host sight. CSS is a bit more complicated, since the DOM does give you an API for interacting with the CSS, but I have never heard of anyone storing anything private to the user in a CSS resource. At worst, you might be able to figure out the user's favorite color.

Ultimately, it gets back to the problem that there needs to be a way for the user to explicitly enable the script to access those resources. If done properly, it would actually be safer for the user than the state today, where the user has to give out their username and password to sights other than the actual host associated with that login.

I'd love to see Microsoft step up and provide a solution that addresses the security issues. I know I've run against this implementation many times.

That makes sense, the real problem is that a script on my page could go to http://www.example.com/yourbankaccount and it would access your account info because of your cookies & cached credentials. That is a big problem and one that the browser vendors should work towards fixing instead of allowing the status quo to remain.

In fact, a proposal already exists for what this solution would look like from an HTTP protocol and API perspective. Chris Holland has a post entitled ContextAgnosticXmlHttpRequest-An informal RFC where he posts on some of the pros and cons of allowing cross-site access with IXmlHttpRequest but having the option to not send cookies and/or cached credentials.

Categories: Web Development

October 26, 2005

@ 01:25 AM

Google Base == Amazon Simple Queue Service++ ?

From the post Google Base Was Sort of Live on Google Blogoscoped we learn

Several people report Google Base (as predicted yesterday) went live, or at least, its login-screen. I can’t reach it at the moment as it seems Google took it down again, but Dirson posted a screenshot to Flickr. So what is it? Quoting from Dirson’s screenshot of the login screen:

Post your items on Google.

Google Base is Google’s database into which you can add all types of content. We’ll host your content and make it searchable online for free.

Examples of items you can find in Google Base:

• Description of your party planning service
• Articles on current events from your website
• Listing of your used car for sale
• Database of protein structures

You can describe any item you post with attributes, which will help people find it when they search Google Base. In fact, based on the relevance of your items, they may also be included in the main Google search index and other Google products like Froogle and Google Local.

This reminds me of Amazon Simple Queue Service except they started with a web page instead of an API. I can't imagine that Google Base will be terribly useful without an API so I expect that one will show up with the release or shortly thereafter. I'm still unclear as to why this is an interesting idea although I'm sure some clever geek will find some way to build something cool with it. I also wonder if this will spur Amazon into doing more interesting things with their service as well.

Who would have thought that online lists would be a hot area? I guess it's time for some BigCo to snap up Ta-da Lists for a couple million dollars. ;)

Categories: Web Development

October 21, 2005

@ 03:35 PM

Web 2.0 Bozo Bit Reflipped

As I mentioned in my previous post on Understanding Web 2.0 the "web 2.0" meme isn't about technology or people, it's about money and hype primarily geared at VCs and big companies looking for small companies to buy so they look hip. The recently launched Flock web browser is one of example of a "Web 2.0" product which looks like it's creators just played a game of buzzword bingo when deciding what to do with their millions in VC funding. It is built on Firefox (bing), integrates with del.icio.us (bing) and Flickr (bing), plus it comes with blog posting (bing!) and RSS reading features (bingo!).

I have to agree with Joel Spolsky's claim that the Architecture Astronauts Are Back when he wrote

I'm starting to see a new round of pure architecture astronautics : meaningless stringing-together of new economy buzzwords in an attempt to sound erudite.

When I wrote my original complaint about architecture astronauts more than four years ago, it was P2P this and messaging that.

"That's one sure tip-off to the fact that you're being assaulted by an Architecture Astronaut: the incredible amount of bombast; the heroic, utopian grandiloquence; the boastfulness; the complete lack of reality. And people buy it! The business press goes wild!"

Now it's tagging and folksonomies and syndication, and we're all supposed to fall in line with the theory that cool new stuff like Google Maps, Wikipedia, and Del.icio.us are somehow bigger than the sum of their parts. The Long Tail! Attention Economy! Creative Commons! Peer production! Web 2.0!

The term Web 2.0 particularly bugs me. It's not a real concept. It has no meaning. It's a big, vague, nebulous cloud of pure architectural nothingness. When people use the term Web 2.0, I always feel a little bit stupider for the rest of the day.
...
Not only that, the very 2.0 in Web 2.0 seems carefully crafted as a way to denegrate the clueless "Web 1.0" idiots, poor children, in the same way the first round of teenagers starting dotcoms in 1999 dissed their elders with the decade's mantra, "They just don't get it!"

I'll do my part. I hereby pledge never again to use the term "Web 2.0" on this blog, or to link to any article that mentions it. You're welcome.

I feel the same way. I am interested in discussions on the Web as a platform and even folksonomies (not tagging) but the marketplace of ideas has been polluted by all this "Web 2.0" garbage. Once again, I've flipped the bozo bit on Web 2.0. Like Joel, you won't see any use of the term on my blog or in items I link to from now on.

Categories: Web Development

October 20, 2005

@ 09:07 PM

Knowing the Problem is Half the Battle

It seems some folks at TheServerSide.com have started bashing AJAX because they see it as a threat to Java. This has led to fairly ridiculous posts such as this one entitled But most of all samy is my hero which states

The story is, a myspace user named samy wanted to be popular. He wanted to make his page do things that others couldn’t and in the process devised a cross system scripting (XSS) attack that managed to add his profile to more then a million other users of the system. To do this he used a combination of AJAX and JavaScript.

It is not the intention to make samy even more famous but he has exposed a serious weakness in the AJAX security model. All samy did was figure out how to upload some JavaScript into his profile and this was despite myspace’s best efforts to limit this type of activity.

With respect to security, the web is already a hostile environment. Will a move to use AJAX and JavaScript further enlarge the security holes that already exist? Could myspace have done more to prevent this type of attack and still afford their users the flexibility to manage their pages as they do now?

Even though I haven't looked at the code of the exploit, I think it is fair to say that this issue has little to do with "the AJAX security model" as implied by the author of the post. Any system that accept user input has to worry about how they scrub the data due to malicious users. Not properly scrubbing input data leads to all sorts of security problems including buffer overflows and cross site scripting attacks.

I'd suggest that some of the folks on TheServerSide need to read up on some of the FAQs on cross site scripting attacks before blaming AJAX for problems that have nothing to do with it.

Categories: Web Development

October 16, 2005

@ 05:46 PM

Making Money from Mashups

Richard McManus has a blog post on his Read/Write Web blog entitled craigslists gets heavy with Oodle where he writes

Uber classifieds site craiglist has requested that Oodle , a classifieds 'meta' search engine, refrain from scraping its content. This has the potential to be the first high-profile case of a mash-up site being slapped for taking another site's content.

In a recent ZDNet post , I wrote that the business models for Web 2.0 mash-ups are beginning to ramp up. Some of the revenue possibilities for sites like Oodle are advertising, lead generation and/or affiliates, transactional, subscription.

Oodle wrote on their blog that they send craigslist "free traffic" and they "don't compete with them by taking listings." John Battelle said that craigslist's response to Oodle "feels counter to the vibe craigslist has always had".

This reminds me of the panel on business models for mash-ups at the recent Web 2.0 conference. One of the things that had me scratching my head about the panel is that it seemed to have skipped a step. Before you talk about making money from mash-ups, you have to talk about how people providing the data and services mash-ups are built on make money.

Providing data and services isn't free; servers cost money, system administrators and other operations folks cost money, and even the bandwidth costs money. Simply claiming to be sending a service "free traffic" may not justify the cost to them of supporting your service and others like it. Then there's the fact that the site may have strategic reasons for not wanting their data syndicated in other sites.

A good example that comes to mind is eBay. Although eBay has an extensive API for developers who want to consume its data and services yet they aggressively defend themselves against screen scraping services to the extent that they created a legal precedent for services based on screenscraping their site to be considered tresspassers. On the one hand this seems schizophrenic but the fact is that it makes sense from a business perspective for eBay to do this.

Personally, I think more companies need to be like eBay and decide where it makes business sense to open up their website or service as a web platform. As part of my ThinkWeek paper on MSN as a Web Platform I've tried to create a taxonomy that can be used as a starting point for web companies to decide where they should consider being open. This taxonomy will also be part of my talk at O'Reilly's Emerging Technology Conference if my proposal gets accepted.

Categories: Web Development

October 5, 2005

@ 03:11 AM

Ning

I took a look at Ning today and I find it interesting from a number of perspectives. On the one hand, it's simply a toolkit for building websites. The same kind of toolkit you see hawked on infomercials while channel surfing at midnight because you have insomnia. The main difference is that instead of a CD that contains software for building eCommerce websites it's an online website for building 'social software' websites. On the other hand, it shows an interesting direction for web platforms to move in.

Let's say you are Yahoo! or MSN and you now have an extensive array of web services at http://developer.yahoo.com or http://msdn.microsoft.com/msn. So now developers can build desktop applications or their own websites that interact with your APIs. These are akin to the low level APIs for interacting with your web platform. The next step is to build the equivalent of rich, high-level components for interacting with your services so people don't have to mess with the low level details. What I find interesting about Ning isn't "Here's another place where I can build yet another social network different from my IM buddy list/Orkut/Yahoo! 360/Friendster/etc clique" but instead "Here's a place where I can build new apps that harness my existing social network from my IM buddy list/Orkut/Yahoo! 360/Friendster/etc". That would be pretty revolutionary if the various parties involved would be interested in opening their social networks to such mashups.

I suspect I'll be trying to track down some folks from Ning while at the Web 2.0 conference this week.

Anyway, gotta go catch my flight.

Categories: Social Software | Web Development

October 2, 2005

@ 02:02 AM

The Web 2.0 Litmus Test

Tim O'Reilly has posted What Is Web 2.0? : Design Patterns and Business Models for the Next Generation of Software which further convinced me that the definition of Web 2.0 used by Tim O'Reilly and his ilk may be too wide to be useful. In the conclusion of his article he writes

Core Competencies of Web 2.0 Companies

In exploring the seven principles above, we've highlighted some of the principal features of Web 2.0. Each of the examples we've explored demonstrates one or more of those key principles, but may miss others. Let's close, therefore, by summarizing what we believe to be the core competencies of Web 2.0 companies:

Services, not packaged software, with cost-effective scalability

Control over unique, hard-to-recreate data sources that get richer as more people use them

Trusting users as co-developers

Harnessing collective intelligence

Leveraging the long tail through customer self-service

Software above the level of a single device

Lightweight user interfaces, development models, AND business models

The next time a company claims that it's "Web 2.0," test their features against the list above.

The list seems redundant in some places and could probably be reduced to 3 points. Half the bullet points all seem to say that the company should expose Web services [in this context I mean services over the Web whether they be SOAP, REST, POX/HTTP, RSS, etc]. So that's point number one. The second key idea seems to be that of harnessing collective intelligence such as with Amazon's recommendation engine, Wikipedia entries and folksonomies/tagging systems. The final key concept is that Web 2.0 companies leverage the long tail. One example of the difference between Web 1.0 and Web 2.0 when it comes to harnessing the long tail is the difference between http://www.msn.com which is a portal that has news and information of general interest that aims at appealing to broad audiences (one size fits all) and http://www.start.com which encourages people to build their own portal that fits their needs (every niche is king).

So let's review. Tim O'Reilly's essay can be reduced to the following litmus test for whether an offering is Web 2.0 or not

Exposes Web services that can be accessed on any device or platform by any developer or user. RSS feeds, RESTful APIs and SOAP APIs are all examples of Web services.
Harnesses the collective ~~intelligence~~ knowledge of its user base to benefit users
Leverages the long tail through customer self-service

So using either Tim O'Reilly's list or mine, I'd be curious to see how many people think http://www.myspace.com is a Web 2.0 offerings or not. If not, why not? If so, please tell me why you think all the folks who've called MySpace a Web 2.0 offering are wrong in my comments. For the record, I think it isn't but would like to compare my reasons with those of other people out there.

Categories: Web Development

September 29, 2005

@ 07:30 PM

The Web 2.0 Conference is Next Week

Kitty came by my office to remind me that the Web 2.0 conference is next week. As part of the lead up to the conference I can see the technology geek blogosphere is buzzing with the What is Web 2.0? discussion which was sparked off by Tim O'Reilly's posting of the Web 2.0 meme map created during FooCamp. The meme map is below for the few folks who haven't seen it

The meme map is visual indication that "Web 2.0" has joined "SOA" as a buzzword that is too ill-defined to have a serious technical discussion about. It is now associated with every hip trend on the Web. Social Networking? That's Web 2.0. Websites with APIs? That's Web 2.0. The Long Tail? That's Web 2.0. AJAX? That's Web 2.0. Tagging and Folksonomies? That's Web 2.0 too. Even blogging? Yep, Web 2.0.

I think the idea and trend towards the 'Web as a platform' is an important one and I find it unfortunate that the discussion is being muddied by hypesters who are trying to fill seats in conference rooms and sell books.

I'm in the process of updating my Billl Gates Thinkweek paper on MSN and Web platforms to account for the fact that some of my recommendations are now a reality (I helped launch http://msdn.microsoft.com/msn) and more importantly given recent developments it needs to change tone from a call to action to being more prescriptive. One of the things I'm considering is removing references to "Web 2.0" in the paper given that it may cause a bozo bit to be flipped. What do you think?

Categories: Web Development

September 29, 2005

@ 06:15 PM

Dates and Times in the MetaWeblog API and XML-RPC

We're almost ready to begin public beta testing of our implementation of the MetaWeblog API for MSN Spaces. As with most technology specifications, the devil has been in the details of figuring out how common practice differs from what is in the spec.

One place where we hit on some gotchas is how dates and times are defined in the XML-RPC specification which the MetaWeblog API uses. From the spec

Scalar <value>s
<value>s can be scalars, type is indicated by nesting the value inside one of the tags listed in this table:

Tag Type Example

<dateTime.iso8601> date/time 19980717T14:08:55

The reason the above definition of a date/time type is a gotcha is that the date in the example is in the format YYYYMMDDTHH:MM:SS. Although this is a valid ISO 8601 date, most Web applications that support ISO 8601 dates usually support the subset defined in the W3C Note on Dates and Time Formats which is of the form YYYY-MM-DDTHH:MM:SS. Subtle but important difference.

Another thing that had me scratching my head was related to timezones in XML-RPC. The spec states

What timezone should be assumed for the dateTime.iso8601 type? UTC? localtime?
Don't assume a timezone. It should be specified by the server in its documentation what assumptions it makes about timezones.

This just seems broken to me. What if you are a generic blog posting client like Blogjet or W.Bloggar which isn't tied to one particular server? It would seem that the only sane thing that can happen here is for the dates & times from the server to always be used and dates & times from clients be ignored since they are useless without timezones. If I get a blog post creation date of September 29th at 4:30 PM from a client, I can't use it since without a timezone I'll likely date the entry incorrectly by anything from a few hours to an entire day.

It probably would have been better to retrofit timezones into the spec than just punting on the problem as is the case now. I wonder what other interesting gotchas are lurking out there for our beta testers to find. :)

Categories: Web Development | XML Web Services

September 20, 2005

@ 12:35 PM

Sleeper Hit of the PDC: Windows Presentation Foundation/Everywhere

Below is an excerpt from a transcript of an interview with Bill Gates by Jon Udell during last week's Microsoft Professional Developer Conference (PDC).

JU: So a few people in the audience spontaneously commented when they saw the light version of the presentation framework, I heard the words "Flash competitor" in the audience. Do you think that's a fair observation? And do you think that that's potentially a vehicle for getting Avalon interfaces onto not just devices but non-Windows desktops? To extend the reach of Avalon that way?

BG: From a technology point of view, what the Windows Presentation Foundation/Everywhere thing does -- I think it was called Jolt internally. It overlaps what Flash does a lot. Now, I don't think anybody makes money selling lightweight presentation capability onto phones and devices and stuff like that. We're making this thing free, we're making it pervasive. I don't think anybody's business model is you get a bunch of royalties for a little presentation runtime. So there'll certainly be lots of devices in the world that are going to have Flash and they're going to have this WPF/E -- which they say they're going to rename, but that's the best they could do for now -- there'll be lots of devices that have both of those, but they don't conflict with each other. It's not like a device maker say -- oh my god, do I pick Flash, do I pick WPF/E? You can have both of those things and they co-exist easily. They're not even that big.

JU: And it's a portable runtime at this point, so is it something that conceivably takes XAML apps to a Mac desktop or a Linux desktop? Is that a scenario?

BG: The Mac is one of the targets that we explicitly talked about, so yes. Now it's not 100 percent of XAML, we need to be clear on that. But the portion of XAML we've picked here will be everywhere. Absolutely everywhere. And it has to be. You've got to have, for at least reading, and even some level of animation, you've got to have pervasiveness. And will there be multiple things that fit into that niche? Probably. Because it's not that hard to carry multiple...you as a user don't even know when you're seeing something that's WPF/E versus Flash versus whatever. It just works.

One of my concerns when it came to the adoption of the the Windows Presentation Foundation (formerly Avalon) has been the lack of cross platform/browser support. A couple of months ago, I wrote about this concern in my post The Lessons of AJAX: Will History Repeat Itself When it Comes to Adoption of XAML/Avalon?. Thus it is great to see that the Avalon folks have had similar thoughts and are working on a cross-platform story for the Windows Presentation Foundation.

I spoke to one of the guys behind WPF/E yesterday and it definitely looks like they have the right goals. This will definitely be a project to watch.

Categories: Technology | Web Development

September 18, 2005

@ 04:15 AM

Questioning RDF

I've been a long time skeptic when it comes to RDF and the Semantic Web. Every once in a while I wonder if perhaps what I have a problem with is the W3C's vision of the Semantic Web as opposed to RDF itself. However in previous attempts to explore RDF I've been surprised to find that its proponents seem to ignore some of the real world problems facing developers when trying to use RDF as a basis for information integration.

Recently I've come across blog posts by RDF proponents who've begun to question the technology. The first is the blog post entitled Crises by Ian Davis where he wrote

We were discussing the progress of the Dublin Core RDF task force and there were a number of agenda items under discussion. We didn’t get past the first item though - it was so hairy and ugly that no-one could agree on the right approach. The essence of the problem is best illustrated by the dc:creator term. The current definition says An entity primarily responsible for making the content of the resource. The associated comments states Typically, the name of a Creator should be used to indicate the entity and this is exactly the most common usage. Most people, most of the time use a person’s name as the value of this term. That’s the natural mode if you write it in an HTML meta tag and it’s the way tens or hundreds of thousands of records have been written over the past six years...Of course, us RDFers, with our penchant for precision and accuracy take issue with the notion of using a string to denote an “entity”. Is it an entity or the name of an entity. Most of us prefer to add some structure to dc:creator, perhaps using a foaf:Person as the value. It lets us make more assertions about the creator entity.

The problem, if it isn’t immediately obvious, is that in RDF and RDFS it’s impossible to specify that a property can have a literal value but not a resource or vice versa. When I ask “what is the email address of the creator of this resource?” what should the (non-OWL) query engine return when the value of creator is a literal? It isn’t a new issue, and is discussed in-depth on the FOAF wiki.

There are several proposals for dealing with this. The one that seemed to get the most support was to recommend the latter approach and make the first illegal. That means making hundreds of thousands of documents invalid. A second approach was to endorse current practice and change the semantics of the dc:creator term to explictly mean the name of the creator and invent a new term (e.g. creatingEntity) to represent the structured approach.
...
That’s when my crisis struck. I was sitting at the world’s foremost metadata conference in a room full of people who cared deeply about the quality of metadata and we were discussing scraping data from descriptions! Scraping metadata from Dublin Core! I had to go check the dictionary entry for oxymoron just in case that sentence was there! If professional cataloguers are having these kinds of problems with RDF then we are fucked.

It says to me that the looseness of the model is introducing far too much complexity as evidenced by the difficulties being experienced by the Dublin Core community and the W3C HTML working group. A simpler RDF could take a lot of this pain away and hit a sweet spot of simplicity versus expressivity.

Ian Davis isn't the only RDF head wondering whether there is too much complexity involved when trying to use RDF to get things done. Uche Ogbuji also has a post entitled Is RDF moving beyond the desperate hacker? And what of Microformats? where he writes

I've always taken a desperate hacker approach to RDF. I became a convert to the XML way of expressing documents right away, in 1997. As I started building systems that managed collections of XML documents I was missing a good, declarative means for binding such documents together. I came across RDF, and I was sold. I was never really a Semantic Web head. I used RDF more as a desperate hacker with problems in a fairly well-contained domain.
...
I've developed an overall impression of dismay at the latest RDF model semantics specs. I've always had a problem with Topic Maps because I think that they complicate things in search of an unnecessary level of ontological purity. Well, it seems to me that RDF has done the same thing. I get the feeling that in trying to achieve the ontological purity needed for the Semantic Web, it's starting to leave the desperate hacker behind. I used to be confident I could instruct people on almost all of RDF's core model in an hour. I'm no longer so confident, and the reality is that any technology that takes longer than that to encompass is doomed to failure on the Web. If they think that Web punters will be willing to make sense of the baroque thicket of lemmas (yes, "lemmas", mi amici docte) that now lie at the heart of RDF, or to get their heads around such bizarre concepts as assigning identity to literal values, they are sorely mistaken. Now I hear the argument that one does not need to know hedge automata to use RELAX NG, and all that, but I don't think it applies in the case of RDF. In RDF, the model semantics are the primary reason for coming to the party. I don't see it as an optional formalization. Maybe I'm wrong about that and it's the need to write a query language for RDF (hardly typical for the Web punter) that is causing me to gurgle in the muck. Assuming it were time for a desperate hacker such as me to move on (and I'm not necessarily saying that I am moving on), where would he go from here?

Uche is one of the few RDF heads whose opinions seem grounded in practicality (Joshua Allen is another) so it is definitely interesting to see him begin to question whether RDF is the right path.

I definitely think there is some merit to disconnecting RDF from the Semantic Web and seeing if it can hang on its own from that perspective. For example, XML as a Web document format is mostly dead-on-arrival but it has found a wide variety of uses as a general data interchange format instead. I've wondered if there is similar usefulness lurking within RDF once it loses its Semantic Web baggage.

Categories: Web Development | XML

September 16, 2005

@ 04:02 PM

A Webpage is Not An API or a Platform (The Populicio.us Remix)

A few months ago in my post GMail Domain Change Exposes Bad Design and Poor Code, I wrote Repeat after me, a web page is not an API or a platform. It seems some people are still learning this lesson the hard way. In the post The danger of running a remix service Richard MacManus writes

Populicio.us was a service that used data from social bookmarking site del.icio.us, to create a site with enhanced statistics and a better variety of 'popular' links. However the Populicio.us service has just been taken off air, because its developer can no longer get the required information from del.icio.us. The developer of Populicio.us wrote:

"Del.icio.us doesn't serve its homepage as it did and I'm not able to get all needed data to continue Populicio.us. Right now Del.icio.us doesn't show all the bookmarked links in the homepage so there is no way I can generate real statistics."

This plainly illustrates the danger for remix or mash-up service providers who rely on third party sites for their data. del.icio.us can not only giveth, it can taketh away.

It seems Richard Macmanus has missed the point. The issue isn't depending on a third party site for data. The problem is depending on screen scraping their HTML webpage. An API is a service contract which is unlikely to be broken without warning. A web page can change depending on the whims of the web master or graphic designer behind the site.

Versioning APIs is hard enough, let alone trying to figure out how to version an HTML website so screen scrapers are not broken. Web 2.0 isn't about screenscraping. Turning the Web into an online platform isn't about legitimizing bad practices from the early days of the Web. Screen scraping needs to die a horrible death. Web APIs and Web feeds are the way of the future.

Categories: Web Development

September 13, 2005

@ 11:32 PM

Start.com and Microsoft Gadgets

Start.com has always been an innovative service but today's announcements have kicked it up a notch. In his post Start.com: A Preview of Web 3.0, Scott Isaacs writes

Today's preview of the Start.com Developer illustrates fundamental shifts in web programming patterns:

DHTML-based Gadgets
Start.com consumes DHTML-based components called Gadgets. These Gadgets can be created by any developer, hosted on any site, and consumed into the Start.com experience. The model is completely distributed. You can develop components derived from other components on the web.
Adding Behavior to RSS
RSS (Really Simple Syndication) is an incredible platform for sharing content and information. Today all RSS feeds are treated equally by aggregators. Start.com integrates the world of RSS with Gadgets enabling any feed to optionally be associated with a rich, interactive experience. Some feeds present information that may be better presented in an alternative format. Other feeds leverage extensions or provide extra semantics beyond standard RSS (e.g., Open Search, Geo-based coordinates, etc). By enabling a feed to define a unique experience or consume an existing one, the richness of the aggregator experience can improve organically without requiring a new application. Of course, we also allow the user to control whether a custom experience is displayed for a feed.
Open-ended Application Model
Start.com is what I call an open-ended application. An open-ended application consumes Gadgets and provides core application services and experiences. This is and has been the Start.com model since its inception (how do you think they released new features every week?). By opening up Start.com, we have removed the boundaries around Start.com features and experiences. The community of developers and publishers can now define and control the richness of the Start.com experience.

These are the web-applications of the future - applications that can integrate not only content (e.g., RSS) but associated behaviors and services. Today, via Start.com, the developer community can preview MSN's client technology and infrastructure. At Start.com/Developer, you will find early samples and documentation. This site will be continually improved with more documentation and samples. Go and build Gadgets and custom experiences for your feeds. Most importantly, since we are far from finished, please give us feedback. The platform can only improve with your feedback. Also, we are always looking for interesting Gadgets and custom RSS experiences.

I'm not sure I'm feelin' the "Web 3.0" monicker but the extensibility of the site is definitely cool beans. I remember a conversation I had with Steve Rider I had during the early days of the site where I asked if it would be possible to customize how different RSS feeds were displayed. At the time, I had noticed that there were three primary widget types for weather reports, stock quotes and headlines. I suggested that it would be cool if people could add annotations to the RSS feed to tell it how to display on the Start.com. Being an XML geek I was was thinking of extensions such as a start:display-style element which could have values like "columns", "headlines" or "rows".

Steve thought my idea was cool and chatted with Scott Isaacs about it. Since Scott is the DHTML guru of DHTML gurus, he kicked the idea up a notch and actually designed an infrastructure where sophisticated rendering behavior could be associated with an RSS feed using JavaScript. The rest is history.

Damn, I love working here.

Categories: MSN | Web Development

September 13, 2005

@ 05:09 PM

ASP.NET "Atlas" Framework now available

Surprise, surprise. Check out http://atlas.asp.net to try out a preview of Microsoft's AJAX framework. From the website

ASP.NET "Atlas" is a package of new Web development technologies that integrates an extensive set of client script libraries with the rich, server-based development platform of ASP.NET 2.0. "Atlas" enables you to develop Web applications that can update data on a Web page by making direct calls to a Web server — without needing to round trip the page. With "Atlas", you can take advantage of the best of ASP.NET and server-side code while doing much of the work in the browser, enabling a richer user experience.

ASP.NET "Atlas" includes:

Client script libraries that provide a complete solution for creating client-based Web applications. The client script libraries support object-oriented development, cross-browser compatibility, asynchronous calls to Web services, and behaviors and components for creating a full-featured UI.
Web server controls that provide a declarative way to emit markup and client script for "Atlas" features.
Web services, such as ASP.NET profiles, that can add useful server-side features to an "Atlas" application.

It's great to see this getting out to developers so quickly. Kudos to Scott Isaacs, Walter Hsueh and the rest of the folks at MSN who worked with the ASP.NET team on this project.

Categories: Web Development

September 13, 2005

@ 03:35 PM

PDC Question: Indigo vs. Atlas

In planning for our future releases, I came up against a design question that I'd like to see solved in future versions of the .NET Framework. The basic scenario is a website that wants to expose a web service using a number of different protocols (SOAP, XML-RPC, JSON, Plain Old XML (POX), etc) without having to write a lot of duplicate code. For example, the Flickr web services expose 3 interfaces for each method (SOAP, XML-RPC and POX).

From my perspective, this is something that should be handled by a protocol agnostic web services stack which is what the Windows Communications Foundation (aka Indigo) is supposed to be. On the other hand, the ASP.NET team's recently announced Atlas project is targetted server-side AJAX development.

What I want to know is basically this, if I want to create web services that utilize both SOAP & JSON does that mean I have to adopt both Indigo and Atlas?

Can some helpful soul at PDC ask this at any sessions on Indigo or Atlas? I guess I can always wait until next week and get the info from the horses mouth but product teams tend to give better answers to external customers than us internal MSFT folks. :)

Categories: Web Development | XML Web Services

September 9, 2005

@ 02:54 PM

The Connection Between XML Web Services, Service Orientation and AJAX

Dion Hinchcliffe wrote a blog entry entitled State of Ajax: Progress, Challenges, and Implications for SOAs which did a good job of pointing out the [somewhat obvious yet not so obvious] link between web services and AJAX. For those who don't have time to wade through his entire post, the key bit is

Lightweight SOAP and REST services are in and WS-* services may be on the rocks. Since Ajax applications can and will frequently call backend XML web services as the user interacts with the front-end, having lightweight, easy-to-consume, high performance/availability SOAP and REST web services will only become more important. Of course, the implication is that since Ajax applications live in a fairly austere JavaScript sandbox, this means heavy-duty WS-*-style SOAP stacks probably won't play well with the lightweight XML/JSON service interactions that Ajax prefers. This doesn't mean WS-* is broken for Ajax, but at this time there are no Ajax frameworks yet that support more than basic SOAP service interaction.

There's some stuff I agree with here but a lot I don't. Personally I think even lightweight SOAP services are out in the AJAX world. As it stands, lots of AJAX developers are trying to eschew the overhead of XML for the simplicity of JSON let alone the overhead and complexity of SOAP. The fact is that most AJAX applications talk to lightweight REST services with either XML or JSON being the wire format.

This is yet another example of the dichotomy between providing services for the Web and building services for using within an enterprise's intranet.

Surprisingly, it seems some people fail to acknowledge this dichotomy. One of these people is Nick Malik who in his recent post On Atlas/Ajax and SOA stated

I ran across a blog entry that attempts to link Atlas/Ajax to SOA. What absolute nonsense!
...
So what's wrong with having a browser consume enterprise web services? The point of providing SOA services is to be able to combine them and use them in a manner that is consistent and abstracted from the source application(s). SOA operates at the integration level... between apps. To assume that services should be tied together at the browser assumes that well formed architecturally significant web services are so fine-grained that they would be useful for driving a user interface. That is nonsense.

For an Atlas/Ajax user interface to use the data made available by a good SOA, the U/I will need to have a series of fine-grained services that access cached or stored data that may be generated from, or will be fed to, an SOA. This is perfectly appropriate and expected. However, you cannot pretend that this layer doesn't exist... it is the application itself!

In a nutshell, the distinction is in the kinds of services provided. An SOA provides coarse-grained services that are self-describing and fully encapsulated. In this environment, the WS-* standards are absolutely essential. On the other hand, the kinds of data services that a web application would need in an Atlas/Ajax environment would be optimized to provide displayable information for specific user interactions. These uses are totally different.

This is probably one of the most bogus posts I've ever seen written by a Microsoft employee. As Nick points out, the point of providing services is to be able to combine them and use them in a manner that is consistent and abstracted from the source application.

For example, my Seattle Movie Finder web page is powered by a RESTful web service which gives it information about movies currently playing in the Seattle area. The URL http://www.25hoursaday.com/MovieFinder/MovieFinder.aspx?showall=1, gives me an XML list of all the movies currently playing in my neighborhood. The web page is an AJAX application that consumes this service. This information could also be consumed by a smart client on a desktop or another service which augments the data (e.g. merges in the movie critic ratings to the various movies before sending to an end user). Claiming that because this service doesn't use the various WS-* technologies and is being accessed from a web browser somehow makes it illegitimate is just plain ridiculous.

Furthermore, it is quite likely that the various services that are used to gather this information aren't RESTful. However what works within the intranet isn't necessarily what works on the Web.

An interesting challenge I've faced at work is convincing some of the developers on my team that just because we use SOAP for the services we use internally, this doesn't mean we may not use alternate appproaches for Web facing services. This issue first came up when we decided to go with the MetaWeblog API as the blog editing API for MSN Spaces and I'm sure it will keep coming up.

When you have a hammer, everything looks like a nail. SOAP/WS-* are not the answer to every problem and just because they can't be used in a particular problem space doesn't mean that problem space any less valid than others. The sooner people understand the dichotomy that is intranet vs. internet service development, the better.

Categories: Web Development | XML Web Services

September 1, 2005

@ 06:34 PM

Seattle Movie Finder LazyWeb Request

I have a LazyWeb request. I plan to write an article about my Seattle Movie Finder hack which is built on the MSN Virtual Earth APIs next week. Currently the application works in Internet Explorer but not in Firefox. This isn't due to any issues with VE but has to do with the fact that I don't know what the Firefox alternatives to innerHTML and some other properties of the DOM in IE actually are nor do I have time to brush up on writing Firefox-specific Javascript.

If any kind soul can do a view source on the Seattle Movie Finder and modify it to also work in Firefox, I'd appreciate it. Thanks in advance.

Update: Julien Couvreur just swung by my office and fixed the page so it works in Firefox & IE. The new version of the site should be up in a few hours.

Categories: Web Development

August 24, 2005

@ 12:04 AM

The Evolution of AJAX: Jason Kottke Beats Me To The Punch

Last week I had lunch with Joshua Allen and mentioned that I was planning to write a blog post about the game changing effect of some entity adding generally accessible offline support to the AJAX capabilities of traditional web browsers. It seems Jason Kottke has beaten me to writing this with his post GoogleOS? YahooOS? MozillaOS? WebOS? , he even has a roll call of the usual suspects who might build this and why.

He writes

So who's going to build these WebOS applications? Hopefully anyone with XHTML/JavaScript/CSS skills, but that depends on how open the platform is. And that depends on whose platform it is. Right now, there are five organizations who are or could be moving in this direction:

Google. If Google is not thinking in terms of the above, I will eat danah's furriest hat. They've already shifted the focus of Google Desktop with the addition of Sidebar and changing the name of the application (it used to be called Google Desktop Search...and the tagline changed from "Search your own computer" to the more general "Info when you want it, right on your desktop"). To do it properly, I think they need their own browser (with bundled Web server, of course) and they need to start writing their applications to work on OS X and Linux (Google is still a Windows company)[4]. Many of the moves they've made in the last two years have been to outflank Microsoft, and if they don't use Google Desktop's "insert local code into remote sites" trick to make whatever OS comes with people's computers increasingly irrelevant, they're stupid, stupid, stupid. Baby step: make Gmail readable offline.
Yahoo. I'm pretty sure Yahoo is thinking in these terms as well. That's why they bought Konfabulator: desktop presence. And Yahoo has tons of content and apps that that would like to offer on a WebOS-like platform: mail, IM, news, Yahoo360, etc. Challenge for Yahoo: widgets aren't enough...many of these applications are going to need to run in Web browsers. Advantages: Yahoo seems to be more aggressive in opening up APIs than Google...chances are if Yahoo develops a WebOS platform, we'll all get to play.
Microsoft. They're going to build a WebOS right into their operating system...it's likely that with Vista, you sometimes won't be able to tell when you're using desktop applications or when you're at msn.com. They'll never develop anything for OS X or for Linux (or for browsers other than IE), so its impact will be limited. (Well, limited to most of the personal computers in the world, but still.)
Apple. Apple has all the makings of a WebOS system right now. They've got the browser, a Web server that's installed on every machine with OS X, Dashboard, iTMS, .Mac, Spotlight, etc. All they're missing is the applications (aside from the Dashboard widgets). But like Microsoft, it's unlikely that they'll write anything for Windows or Linux, although if OS X is going to run on cheapo Intel boxes, their market share may be heading in a positive direction soon.
The Mozilla Foundation. This is the most unlikely option, but also the most interesting one. If Mozilla could leverage the rapidly increasing user base of Firefox and start bundling a small Web server with it, then you've got the beginnings of a WebOS that's open source and for which anyone, including Microsoft, Google, Yahoo, and anyone with JavaScript chops, could write applications. To market it, they could refer to the whole shebang as a new kind of Web browser, something that sets it apart from IE, a true "next generation" browser capable of running applications no matter where you are or what computer (or portable device) you're using.

So yeah, that's the idea of the WebOS (as I see it developing) in a gigantic nutshell.

I disagree with some of his post; I think desktop web servers are a bad idea and also that the claims of the end of Microsoft's operating system dominance are premature. He is also mistaken about MSN not building stuff for browsers other than IE. Of course, overestimating Microsoft's stupidity is a common trait among web developer types.

However the rest of his post does jibe with a lot of thinking I did while on vacation in Nigeria. I'd suggest that anyone interested in current and future trends in web application development should check it out.

Categories: Web Development

August 23, 2005

@ 12:56 PM

Omar Shahine on MSN's AJAX Framework

Omar Shahine has a post where he talks about FireAnt. FireAnt is communications part of the AJAX framework shared by Hotmail, Start.com, MyMSN and MSN Spaces which Steve Rider alluded to in his post Spaces, Hotmail and Start (oh my!).

Omar writes

Last summer we spent a lot of time at the white-board evaluating a number of ways to deliver a new architecture for Hotmail. We considered a number of things:

Modification of the current C/C++ ISAPI architecture to support a hybrid ASP model.

.NET rewrite for the DataLayer and BusinessLayer and XML/XSLT for the PresentationLayer

Same as #2 but the Presentation layer would be JavaScript, XMLHTTP, and DHTML/CSS. This now has the fancy name, AJAX.

After much deliberating, we chose #3, and started running. For 4 weeks basically 1 PM, a developer and an intern built a prototype, and then the real thing (in case you are in college I’d note how cool it is that we put an intern on the most important technology we we're building). As more people started to move over to the FireAnt project, we got more and more excited about what was happening. You see, writing AJAX code can be a pain, and we didn’t want to spend our days and nights writing a lot of JavaScript and debugging client side Script. Instead we built an infrastructure that dynamically take server side objects (classes and methods) and automatically generates client side JavaScript stubs. The end result is that the client side object model looked exactly like the server side object model. Information was transported across the wire using XMLHTTP and the whole thing happened Asynchronously.

We extended .NET Attributes to mark classes and methods as FireAnt classes/methods and at build time the script is generated. If you think of SOAP support in the .NET Framework, it’s basically similar. As a developer you do not worry about generating SOAP messages, or building a SOAP parser. All you do is mark your method as [WebMethod] and your classes as [Serializable] and the .NET framework takes care of proxying, class generation etc. That’s what we were shooting for.

This was a big deal for us as it allows us to be incredibly productive. Since last summer, we have built a ton of features using FireAnt and the JavaScript Frameworks from Scott Isaacs. Late last fall we went up to Redmond and showed FireAnt to a number of folks in MSN, one of those folks was Steve Rider. It was really exciting to see the looks on folks faces when Walter (our FireAnt “architect”) setup his “Hello World” demo. You could just see that people realized that doing AJAX style development any other way was crazy.

We’ve since showed our stuff to a number of teams inside Microsoft. As a result of our work, Walter and Scott have spent a considerable amount of time with the Whidbey/ASP.NET folks and it’s pretty exciting to see ATLAS come together. If you want to learn more, Walter will be giving a talk at the PDC on what we’ve built. It’s great so see collaboration between our team and the Developer Division as the end result will be a better more scalable version of the .NET Framework for you.

Trying to build a complex AJAX website with traditional Visual Studio.NET development tools is quite painful which is why the various teams at MSN have collaborated and built a unified framework. As Omar points out, one of the good things that has come out of this is that the various MSN folks went to the Microsoft developer division and pointed out they are missing ~~the boat~~ key infrastructure needed for AJAX development. This feedback was one of the factors that resulted in the recently announced Atlas project.

A key point Omar touches on is that development became much easier when they built a framework for handling serialization and deserialization of objects to transmitted using XMLHTTP. The trick here is that the framework handles both serialization and deserialization on both the server (ASP.NET code) and the client (Javascript code). Of course, this is AJAX development 101 and anyone who's used AJAX frameworks like AJAX.NET is familiar with these techniques. One of the interesting things that falls out of using a framework like this is that the serialization format becomes less interesting, one could as easily use JavaScript Object Notation (JSON) as opposed to some flavor of XML.

If you're going to be at the Microsoft Professional Developer's Conference (PDC) and are interested in professional AJAX development you should definitely make your way to the various presentations by the MSN folks. Also, we're always looking for developers so if building AJAX applications that will be utilized by millions of people on a daily basis sounds like your cup of tea give us your resume.

Categories: MSN | Web Development

August 16, 2005

@ 04:11 PM

Moving Beyond the Basics: Scott Isaacs on AJAX Design Patterns

I was recently re-reading Jesse James Garrett's article Ajax: A New Approach to Web Applications and it struck me that the article was very much an introductory text on building web applications which skirted a number of real world issues. The core idea behind the article is that using DHTML and server callbacks results in web sites that are more responsive [from the end user's perspective] than traditional web applications. This is very true.

However if you are building a large scale web application there is more to consider when using AJAX than how to create a function that hides the differences between the XMLHttpRequest object in IE and Firefox. Problems that have to be solved [or at the very least considered] include

How to abstract away browser detection from each page in the application
How to make the site accessible or at least work on non-Javascript enabled browsers
How to efficiently manage the number of connections to the server created by the client given the "chattiness" of AJAX applications compared to traditional web applications
How to reduce the amount of time spent downloading large script files
How to create permalinks to portions of the application
How to preserve or at least simulate the behavior of the browser's 'Back' button

At MSN we've had to come up with solutions to a number of these problems while working on Start.com, MSN Spaces, the next version of Hotmail, and the next version of MyMSN. We have built our own AJAX framework and come up with a number of best practices for building large scale applications using AJAX.

Much to my surprise Scott Isaacs (one of the inventors of DHTML and now an architect at MSN) has started a series on the problems that face web sites that plan to utilize AJAX and how we solved them at MSN. The first two articles in the series are Why Ajax is so 1999? Part 1 and Why Ajax is so 1999? Part 2. Scott will also be giving a talk at the Microsoft Professional Developer's Conference (PDC) about Start.com and some of the cool AJAX stuff we've done.

I actually expected this would be the kind of information we'd keep close to our chest since they give us a competitive advantage so it is quite a welcome surprise to see us sharing knowledge with the Web developer community this way. I've already started nagging Scott to write a book about this stuff or at least update his Inside Dynamic HTML for the new millenium.

Categories: MSN | Web Development

August 15, 2005

@ 06:20 PM

ETech 2006 Call for Participation

It seems there is an open call for participation for the 2006 edition of the O'Reilly Emerging Technology Conference (ETech). Although I'm not in right demographic to be an ETech speaker since I don't work at a sexy Silicon Valley startup, I'm not a VP at a major software company and don't consider myself a Friend of O'Reilly, I plan to toss my hat in the ring and send in two talk proposals anyway.

What's Next for RSS, Atom and Content Aggregation: Currently the primary usage of content syndication technology like RSS has been consuming news and blog postings in desktop or web-based RSS readers. However the opportunities created by syndication technologies go much further than enabling us to keep up with Slashdot and Boing Boing in our RSS reader of choice. Podcasting is one manifestation of the new opportunities that arise once the concept of content syndication and aggregation is applied to domains outside of news sites and blogs. This talk will focus problem areas and scenarios oustde of blogs, news sites and traditional RSS readers that can benefit from the application of syndication technologies like RSS and Atom.
Bringing MSN into Web 2.0: The essence of Web 2.0 is moving from a Web consisting of Web pages and Web sites (Web 1.0) to a Web consisting of Web applications based on open data that are built on Web platforms. MSN hosts a number of properties from social software applications like MSN Spaces, Hotmail, MSN Groups and MSN Messenger which are used by hundreds of millions of people to communicate to software that enables people to find information they need such as MSN Search and MSN Virtual Earth. All of these applications. A number of these web sites are making the transition to becoming web platforms; MSN Virtual Earth has a Javascript API, MSN Search exposes search results as RSS feeds and MSN Spaces will support the MetaWeblog API which uses XML-RPC. This talk will focus on the current and future API offerings coming from MSN and give a behind the scenes look as to how some of these APIs came about from conception and getting sign off from the bean counters to technical details on building web services.

These are my first drafts of both proposals, criticisms are welcome. If they don't get accepted, I'll survive. Now that I've actually written the abstracts I can just keep submitting them to various conferences I'm interested in until they get accepted somewhere. In my experience, it usually takes about 2 or 3 submissions to get a talk accepted anyway.

Categories: Web Development

August 8, 2005

@ 01:47 PM

Microformats vs. XML vs. RDF

In response to my post Using XML on the Web is Evil, Since When? Tantek updated his post Avoiding Plain XML and Presentational Markup. Since I'm the kind of person who can't avoid a good debate even when I'm on vacation I've decided to post a response to Tantek's response. Tantek wrote

The sad thing is that while namespaces theoretically addressed one of the problems I pointed out (calling different things by the same name), it actually WORSENED the other problem: calling the same thing by different names. XML Namespaces encouraged document/data silos, with little or no reuse, probably because every person/political body defining their elements wanted "control" over the definition of any particular thing in their documents. The <svg:a> tag is the perfect example of needless duplication.

And if something was theoretically supposed to have solved something but effectively hasn't 6-7 years later, then in our internet-time-frame, it has failed.

This is a valid problem in the real world. For example, for all intents an purposes an <atom:entry> element in an Atom feed is semantically equivalent to an <item> element in an RSS feed to every feed reader that supports both. However we have two names for what is effectively the same thing as far as an aggregator developer or end user is concerned.

The XML solution to this problem has been that it is OK to have myriad formats as long as we have technologies for performing syntactic translations between XML vocabularies such as XSLT. The RDF solution is for us to agree on the semantics of the data in the format (i.e. a canonical data model for that problem space) in which case alternative syntaxes are fine and we performs translations using RDF-based mapping technologies like DAML+OIL or OWL. The microformat solution which Tantek espouses is that we all agree on a canonical data model and a canonical syntax (typically some subset of [X]HTML).

So far the approach that has gotten the most traction in the real world is XML. From my perspective, the reason for this is obvious; it doesn't require that everyone has to agree on a single data model or a single format for that problem space.

Microformats don't solve the problem of different entities coming up with the different names for the same concept. Instead its proponents are ignoring the reasons why the problem exists in the first place and then offering microformats as a panacea when they are not.

I personally haven't seen a good explanation of why <strong> is better than <b>...

A statement like that begs some homework. The accessibility, media independence, alternative devices, and web design communities have all figured this out years ago. This is Semantic (X)HTML 101. Please read any modern web design book like those on my SXSW Required Reading List, and we'll continue the discussion afterwards.

I can see the reasons for a number of the semantic markup guidelines in the case of HTML. What I don't agree with is jumping to the conclusion that markup languages should never have presentational markup. This is basically arguing that every markup language that may be used as a presentation format should use CSS or invent a CSS equivalent. I think that is a stretch.

Finally, one has to seriously cast doubt on XML opinions on a page that is INVALID markup. I suppose following the XML-way, I should have simply stopped reading Dare's post as soon as I ran into the first well-formedness error. Only 1/2 ;)

The original permalink to Tantek's article was broken after he made teh edit. I guess since I couldn't find it, it doesn't exist. ;)

Categories: Web Development | XML

August 7, 2005

@ 12:11 AM

Is "Web 2.0" Bullshit? Not Entirely.

Tim Bray has a blog post entitled Not 2.0 where he writes

I just wanted to say how much I’ve come to dislike this “Web 2.0” faux-meme. It’s not only vacuous marketing hype, it can’t possibly be right. In terms of qualitative changes of everyone’s experience of the Web, the first happened when Google hit its stride and suddenly search was useful for, and used by, everyone every day. The second—syndication and blogging turning the Web from a library into an event stream—is in the middle of happening. So a lot of us are already on 3.0. Anyhow, I think Usenet might have been the real 1.0. But most times, the whole thing still feels like a shaky early beta to me.

I also dislike the Web 2.0 meme but not for the reasons Tim Bray states. Like the buzzword "SOA" that came before it "Web 2.0" is ill-defined and means different things to different people. Like art, folks can tell you "I know it when I see it" but ask them to define it and you get a bunch of inconsistent answers. For a while even Wikipedia had a poor definition of the term Web 2.0. The meat of the description there is still crap but the introduction is now one that doesn't make me roll my eyes. The wikipedia entry currently begins

Web 2.0 is a term often applied to a perceived ongoing transition of the World Wide Web from a collection of websites to a full-fledged computing platform serving web applications to end users. Ultimately Web 2.0 services are expected to replace desktop computing applications for many purposes.

This is a definition that resonates with me and one that has gotten me jazzed enough to have written my first Bill Gates Thinkweek paper as well as give Powerpoint pitches to lots of folks across MSN from VPs & GMs to fellow rank and file PMs & devs.

The problem with "Web 2.0" and other over hyped buzzwords like "SOA" is that 90% of the stuff you hear or read about it is crap. Or even worse are like Tim O'Reilly's Not 2.0? post which hype it as something that will change the world but don't give you a good idea why. Reading stuff like Tim O'Reilly's

There's a set of "Web 2.0 design patterns" -- architecting systems so that they get smarter the more people use them, monetizing the long tail via a combination of customer-self service and algorithmic management, lightweight business models made possible by cooperating internet services and data syndication, data as the "intel inside", and so on.

just leaves me scratching my head. On the other hand I completely grok the simple concept that folks like me at MSN are no longer just in the business of building web sites, we are building web platforms. Our users are no longer just people interacting with our web sites via Firefox or IE. They are folks reading our content from their favorite RSS reader which may be a desktop app, web-based or even integrated into their web browser. They are folks who want to create content on our sites without being limited to a web-based interface or at least not the one created by us. They are folks who want to integrate our services into their applications or use our services from their favorite applications or sites. To me, that is Web 2.0.

You folks should probably just ignore me though since I am quite the hypocrite. I may pan the writings of folks like Tim O'Reilly and call 90% of the stuff written about "Web 2.0" crap but I did give up being a speaker on two panels at PDC to sit in the audience at the Web 2.0 conference. Due to a variety of reasons I could only pick one and based on how much value I got out of ETech I decided to pick Web 2.0

Categories: Web Development

July 25, 2005

@ 10:22 AM

Hacking MSN Virtual Earth - Seattle Movie Finder

It looks like MSN Virtual Earth is live. In an attempt to beat everyone to the punch when it comes to building an application using the MSN Virtual Earth API, I present http://www.25hoursaday.com/moviefinder

It requires Javascript (duh) and only works in IE beecause I didn't have time to figure out the Firefox equivalent of innerHTML. Enjoy.

Pardon my brevity, I'm posting this from a kiosk at Heathrow Airport

Categories: MSN | Web Development

July 13, 2005

@ 01:36 PM

Hacking MSN Virtual Earth

I stumbled on Bus Monster last week and even though I don't take the bus I thought it was a pretty cool application. There's a mapping application that I've been wanting for a few years and I instantly realized that given the Google Maps API I could just write it myself.

Before starting I shot a mail off to Chandu and Steve on the MSN Virtual Earth team and asked if their API would be able to support building the application I wanted. They were like "Hell Yeah" and instead of working on my review I started hacking on Virtual Earth. In an afternoon hacking session, I discovered that I could build the app I wanted and learned new words like geocoding.

My hack should be running internally on my web server at Microsoft before the end of the week. Whenever Virtual Earth goes live I'll move the app to my personal web site. I definitely learned something new with this application and will consider Hacking MSN Virtual Earth as a possible topic for a future Extreme XML column on MSDN. Would anyone be interested in that?

Categories: MSN | Web Development | XML

July 10, 2005

@ 06:20 PM

Microsoft and Innovation: Always Ahead of It's Time or Bad Marketer?

A recent comment left in my blog by someone named Nigel states "Not only is Microsoft unable to create technological tidal waves, it constantly misses the waves produced by others. Aren't you guys learning from the past?"

After watching a number of recent trends in the software industry I've been struck by how many of them were originally started by Microsoft but later abandoned only to be picked up by the rest of the software industry a few years later.

EXHIBIT A - XML Syndication (CDF & ActiveDesktop)

Content syndication using RSS has emerged as the next big thing. We have Apple's iTunes supporting podcasting, VC funds dedicated to funding startups building on RSS and practically every news organization on the Web sporting RSS feeds.

However the basic approach and technology behind RSS and XML content syndication was originally proposed by Microsoft with its Channel Definition Format (CDF) and ActiveDesktop technology. As with most aspects of the push technology fad of the late 1990s, usage of the technology languished. However CDF did inspire Dave Winer and Netscape to become interested in content syndication using XML. In 2000, Dan Brickley sent a mail to the RSS-DEV mailing list entitled RSS-Classic, RSS 1.0 and a historical debt which points out that the syndication formats created by Dave Winer & Netscape owed a lot to CDF.

Of course, the original killer app for RSS has been blogging. Without the rise of blogging it is unlikely that RSS would be as popular as it has become today.

EXHIBIT B - AJAX (DHTML & XMLHTTP):

Another popular trend on the Web today is using DHTML and server callbacks to build Web applications This approach has been recently been named Asynchronous Javascript & XML or AJAX for short. This trend really became hot after Jesse James Garrett penned his article Ajax: A New Approach to Web Applications which highlighted the power of applications built using this approach.

As Adam Bosworth points out in his post AJAX Reconsidered and Scott Guthrie in his post Atlas Project, the basic building blocks of AJAX (DHTML & the XMLHTTP object) were invented by Microsoft. However as both Adam & Scott point out, the primary focus of building AJAX applications at Microsoft was on targetting business customers with applications like Outlook Web Access. Eventually interest in building rich internet applications at Microsoft swung towards XAML and Avalon and away from DHTML.

Until Google unleashed GMail, Google Maps and Google Suggest on the Web. Now AJAX is the new hotness.

EXHIBIT C - Web APIs & Web 2.0 (Hailstorm)

If you hang around web development pundits long enough, you'll eventually hear the phrase "Web 2.0". This is a monicker for the increasing trend of treating web sites as web platforms. Every cool website has APIs these days. At Google Web APIs page you can find APIs for Google Maps, Google Search and Google AdSense. At the Yahoo! Developer Network you can find APIs for Yahoo! Maps, Yahoo! Search, Flickr & Yahoo! MyWeb. On the Amazon Web Services page you can find APIs for creating and searching listings on Amazon. At the eBay Developer Program you can find the same for eBay. Smaller sites also have APIs as are evidenced by the del.icio.us API, Bloglines API or the 43 Things API. Then there are all the weblogging APIs and RSS feeds out there that allow users to create and consume content outside of the traditional window of the Web browser.

Turning web sites into web platforms that can be interacted with from any platform running on any device was a key part of the original vision behind Microsoft's Hailstorm initiative. However there were other parts of the initiative that didn't sit well with potential customers and it was quietly abandoned.

LESSONS LEARNED?

I'm not sure whether the aformentioned trends count as "technological tidal waves" but they are definitely significant to how developers and end users utilize the Web. In all three situations Microsoft started with a vision that was quite innovative, hit some roadblocks and scrapped initiatives instead of changing tactics. Eventually our competitors learned from our mistakes and make us look late to the party when we finally get over our initial failure enough to try again.

I suspect that in a few years, a fourth example that should be added to this list would be comparing Passport to efforts such as the Liberty Alliance. Then again, from reading Kim Cameron's blog it seems that we are trying to switch tactics in the digital identity space instead of giving up. That is a welcome change.

Categories: Life in the B0rg Cube | Web Development

June 28, 2005

@ 11:41 PM

Microsoft Announces AJAX Toolkit Codenamed "Atlas"

Just when you think we've missed the boat on software development trends on the Web, Microsoft surprises folks. First it was announcing that we will be baking RSS support into the next version of Windows. Now we've announced that we will be shipping a toolkit for building AJAX-style Web applications. In his post about the Atlas Project, Scott Guthrie writes

All of the pieces of AJAX – DHTML, JScript, and XMLHTTP – have been available in Internet Explorer for some time, and Outlook Web Access has used these techniques to deliver a great browser experience since 1998. In ASP.NET 2.0, we have also made it easier to write AJAX-style applications for any browser using asynchronous callbacks, and we use them in several of our built-in controls.

Recently, however, the technologies used by AJAX have become broadly available in all browsers, and use of this model for rich web applications has really taken flight. There are a number of high-profile new AJAX-style websites out there today, including a number by Google, as well as sites like A9 and Flickr. Microsoft will also have more sites that use this technology out there soon – check out Start.com and the MSN Virtual Earth project for examples.

The popularity of AJAX shows the growing demand for richer user experiences over the web. However, developing and debugging AJAX-style web applications is a very difficult task today. To write a rich web UI, you have to know a great deal of DHTML and JavaScript, and have a strong understanding of all the differences and design details of various browsers. There are very few tools to help your design or build these applications easily. Finally, debugging and testing these applications can be very tricky.

...

For this work, we’ve been working on a new project on our team, codenamed “Atlas”. Our goal is to produce a developer preview release on top of ASP.NET 2.0 for the PDC this September, and then have a website where we can keep updating the core bits, publishing samples, and building an active community around it.

Here are some of the pieces of Atlas that we are going to be delivering over time:

Atlas Client Script Framework

The Atlas Client Script Framework is an extensible, object-oriented 100% JavaScript client framework that allows you to easily build AJAX-style browser applications with rich UI and connectivity to web services. With Atlas, you can write web applications that use a lot of DHTML, Javascript, and XMLHTTP, without having to be an expert in any of these technologies.

The Atlas Client Script Framework will work on all modern browsers, and with any web server. It also won’t require any client installation at all – to use it, you can simply include references to the right script files in your page.

The Atlas Client Script Framework will include the following components:

An extensible core framework that adds features to JavaScript such as lifetime management, inheritance, multicast event handlers, and interfaces

A base class library for common features such as rich string manipulation, timers, and running tasks

A UI framework for attaching dynamic behaviors to HTML in a cross-browser way

A network stack to simplify server connectivity and access to web services

A set of controls for rich UI, such as auto-complete textboxes, popup panels, animation, and drag and drop

A browser compatibility layer to address scripting behavior differences between browsers.

This is excellent news which I know a lot of our UX developers at MSN will be glad to hear. Already Scott Isaacs who's been a key part of the AJAX development we've been doing at MSN has posted his opinions about Atlas in his blog entry entitled My personal thoughts on an AJAX (DHTML) framework..... His post highlights some of the history of AJAX as well as the issues a toolkit like Atlas could solve.

First RSS, now AJAX. All that's left is to see some announcement that we will be shipping a REST toolkit to make this a trifecta of utmost excellence. More nagging I must do...

Categories: Life in the B0rg Cube | Web Development

June 12, 2005

@ 06:41 PM