January 16, 2007
@ 08:23 PM

By now it's common news that Google has been hit by what seems like half a dozen or more cross site scripting security flaws in the past month. If you missed the news, you can read blog posts like More Google security failures and Wow, more Google XSS problems which contain links to some of the stories of recent exploits. The bugs in those blog posts aren't an exhaustive list; I've seen some blog posts about exploits that don't seem to have hit the mainstream tech blogs, such as the one mentioned in the blog post Pending Members - Google Groups XSS Bug [Part 2].

Anyway, the fact that Google is having problems with XSS issues isn't terribly interesting and should be an expected part of the growing pains as they go from a service that doesn't store any user data to one that aims to be the repository of all their users' data. That requires an entirely different approach to security. What I did find interesting was a blog post on the Google Blogoscoped blog entitled On Google Security which stated

Today, it almost seems as if every single product team in the Googleplex has the “power” to accidentally introduce a Google Account risk with an HTML injection hole, or another kind of cross-site scripting issue. An exotic Blogger bug was able to reveal your Google Docs, even if you’re not blogging with Blogger – an improbable Google Base bug was able to reveal your personalized homepage, even when you’ve never worked with Google Base**. I would argue: these things happen, individual developers and developer teams make errors. It’s impossible not to. There are ways to automatically test against HTML injections, but such tools too need to be handled by humans.

The real problem, and solution, might be on the higher level of the system architecture – the way Google integrates its services and handles cookie data. Right now, the Google Office product partly resembles a mighty convenient & long chain... a chain which is only as strong as its weakest link. Is this a trade-off we’ll just have to make with future web apps, or are there ways to improve on the situation... either by users, or those building browsers, or those developing web apps?

Those who ignore history are doomed to repeat it. None of the problems listed are unique to Google. Any portal that provides multiple services that require the user to login is vulnerable to these problems. This includes competing portals like Yahoo!, MSN and AOL. All of these services have had to encounter and protect users against the very same problems Google is having difficulty dealing with today.

It is likely that with time, Google will stumble upon the same set of best practices that are common knowledge amongst its portal competitors who have been in the game a lot longer. Thinking that this is a problem that affects "the future of Web apps" ignores the history of the Web.

In the meantime, if you are a Web developer at Google, I'd suggest reading Chapter 12 of Writing Secure Code by Michael Howard. After that, take a look at You know about XSS. How about XSRF/CSRF? which happens to use a Google service as an example of a Cross Site Request Forgery (XSRF) attack.

That which doesn't kill us only makes us stronger. ;)


 

January 16, 2007
@ 05:57 PM

Danny Sullivan over at Search Engine Land has a post entitled comScore: Google Wins Again & IE7 Doesn't Stop Microsoft's Slide where he writes

It's that time again -- search popular stats for last month are coming out. Actually, Hitwise sent me their figures earlier this month but I'm diving in with the comScore figures that just came out. The main real news is despite the Internet Explorer 7 launch, Microsoft's Live continues to show a drop in usage.

What is puzzling to me is that people thought that the release of IE 7 would cause an increase in search share for Microsoft's search engine and a decline in competitors. The fact is that built-in search boxes within the browser encourage people to treat search as a feature of the browser instead of a site they visit. That means that the defaults built into the browser/operating system are important. But what exactly is the default search engine on most PCs running IE 7? I don't have any hard numbers, but here's some data from my post about this entitled Competing with Google is Like the War in Iraq which stated

The combination of the proliferation of search toolbars and a new generation of Web browsers with built-in search boxes (e.g. IE 7 and Firefox) have reduced the need for users to actually go to websites to perform a search. This means that it is now very important to be the search engine that is used when a user enters a search directly from their browser. Guess which search engine is the one used by your browser if you
  1. Are you a user of the Firefox browser?
  2. Are you a user of the Opera browser?
  3. Are you a user of IE 7 and have installed Adobe Acrobat?
  4. Are you a user of IE 7 and have installed the Java runtime?
  5. Are you a user of IE 7 and have installed the WinZip archive utility?
  6. Are you using a newly purchased Dell computer?
  7. Are you a user of the Google Toolbar?
Yes, the answer is Google in every case. So even if you are an Internet n00b who hasn't made up their mind about which search engine to choose, there is a large chance that the default search engine you end up using thanks to recent innovations in IE 7 and Firefox will be Google.

If anything, browsers like Firefox and IE 7 make it harder for users to switch from Google, not easier, because they get users away from the notion of visiting websites to perform searches; instead they just accept whatever default the browser provides.


 

There's an article in the NY Times entitled Want an iPhone? Beware the iHandcuffs which contains the following excerpt

Even if you are ready to pledge a lifetime commitment to the iPod as your only brand of portable music player or to the iPhone as your only cellphone once it is released, you may find that FairPlay copy protection will, sooner or later, cause you grief. You are always going to have to buy Apple stuff. Forever and ever. Because your iTunes will not play on anyone else’s hardware.

Unlike Apple, Microsoft has been willing to license its copy-protection software to third-party hardware vendors. But copy protection is copy protection: a headache only for the law-abiding.

Microsoft used to promote its PlaysForSure copy-protection standard, but there must have been some difficulty with the “for sure” because the company has dropped it in favor of an entirely new copy-protection standard for its new Zune player, which, incidentally, is incompatible with the old one.

Pity the overly trusting customers who invested earlier in music collections before the Zune arrived. Their music cannot be played on the new Zune because it is locked up by software enforcing the earlier copy-protection standard: PlaysFor(Pretty)Sure — ButNotTheNewStuff.

The name for the umbrella category for copy-protection software is itself an indefensible euphemism: Digital Rights Management. As consumers, the “rights” enjoyed are few. As some wags have said, the initials D.R.M. should really stand for “Digital Restrictions Management.”

It's weird to see the kind of anti-DRM screed that one typically associates with people like Cory Doctorow getting face time in the New York Times. DRM is bad for society and bad for consumers. It's unfortunate that Microsoft is the company that has made one of the bogey men of anti-DRM activists a reality. As Mini-Microsoft wrote in his blog post The Good Manager, etc, etc, ...

In the meantime, I think a positive-because-it's-so-negative result of Zune is that it added fire to the DRM debate

No longer is it a theoretical problem that buying a lot of DRMed music from a vendor leaves you vulnerable if the DRM becomes unsupported or falls out of favor. Thanks to Zune and its lack of support for PlaysForSure. Now even the New York Times has joined in the rally against DRM.

I have to agree with Mini-Microsoft; this is one of those things that is so bad that it actually turns a 180 and will be good for all of us in the long run.


 

Categories: Technology

My sister is paying me a surprise visit this weekend and I decided to look on the Web for ideas for what we could do together. My initial thoughts were that we'd go to the movies and perhaps check out Bodies: The Exhibition. I wanted to see if I could get a better suggestion on the Web.

My first instinct was to try Seattle - City Search but I had to give up when I realized the only events listed for today were either announcements of what DJs would be at local clubs tonight or announcements of sales at local stores. Another thing that bugged me is how few ratings there were for events or locations on City Search. This reminds me of a blog post on Search Engine Land entitled Local And The Paradox of Participation which came to a set of incorrect conclusions about a poll that claimed that people are equally likely to post a positive or negative review of an event or location. The incorrect conclusion was that it is a myth that few people are likely to post reviews. Given that locations and events attended by thousands of people tend to have only dozens of reviews on almost every review site I've ever seen, this looks like a fact, not a myth. The poll only seems to imply that people are willing to share their opinion if prompted, which is totally different from someone attending a nightclub or concert and then feeling compelled to visit one of umpteen review sites to share their opinion. What is surprising to me is that there doesn't seem to be even a small community of die hard reviewers on City Search, which is unlike most review sites I've seen. Just compare Amazon or IMDB, which both seem to have a number of reviewers who are on top of certain categories of products.

Anyway, what does this have to do with Google? Well, I went to Rich Skrenta's much vaunted starting point of the Internet and tried some queries such as "local events", "seattle events" and "events in seattle" with pathetic results. The only useful links in the search results page led me to a couple of event search engines (e.g. NWsource, Upcoming) that were pathetically underpopulated with event information. None of them even had a listing for Bodies: The Exhibition. Lame.

I tried Google Local, which turned out to be a redirect to their mapping site. Shouldn't a local search engine be able to find events in my local area? Double lame.

Before you bother pointing it out, I realize that other search engines don't do a much better job either. This seems to point to an opportunity to add a lot of value in what must be a very lucrative search market. I'm surprised that Yahoo! hasn't figured out how to do more with their purchase of Upcoming.org. Then again, Yahoo! hasn't figured out what to do with any of the Web 2.0 startups they've purchased, so maybe that is expecting too much. Maybe Google will purchase Eventful.com and fix this fairly big hole in their search offerings. Somehow I doubt it.


 

I checked out the official Apple iPhone site, especially the screencasts of the phone user interface and iPod capabilities. As an iPod owner, $500 is worth it just to get my hands on this next generation iPod which makes my Video iPod look old and busted. On the other hand, although the text messaging UI is pretty sweet, a cellphone without tactile feedback when pushing its buttons is a pain in the ass, especially when the layout of the buttons continually changes. I wouldn't wish that on my worst enemy. Maybe I'm just unusual in the fact that I don't want to be required to look at the cellphone's screen when using it. I pull my phone out of my pocket, unlock it and call the last number dialed, often without looking at the screen before putting it to my ear. It's hard to imagine that my muscle memory would ever get used to doing that without tactile feedback from the phone when navigating its interface. It also hasn't been announced whether the phone will be able to sync with Microsoft Exchange or not. As someone who used his phone to keep on top of the goings on at work while at CES, this is another non-starter.

That said, I have to agree with a lot of the stuff said in the article Macworld: Ten Myths of the Apple iPhone. A lot of the complaints about the iPhone just seem like sour grapes. Me, I'm going to wait until I can get an unlocked iPhone so I don't have to replace my Cingular 3125 or until Apple ships a 6th generation iPod (aka iPhone sans phone features).


 

Categories: Technology

From the Reuters article R&B sales slide alarms music biz we learn

With the exception of new age, the smallest genre tracked by Nielsen SoundScan, R&B and rap suffered the biggest declines in 2006 of all styles of music. R&B, with album scans of 117 million units, was down 18.4% from 2005, while the rap subgenre's 59.5 million scans were down 20.7%. Total U.S. album sales fell 4.9% to 588.2 million units. Since 2000, total album sales have slid 25%, but R&B is down 41.4% and rap down 44.4%. In 2000, R&B accounted for 25.4% of total album sales, and rap 13.6%. In 2006, their respective shares fell to nearly 20% and 10%.
...
Merchants point to large second-week declines in new albums. For example, Jay-Z's 2006 "Kingdom Come" album debuted with 680,000 units in its first week and then dropped nearly 80%, to almost 140,000 units.
...
"Downloading and Internet file sharing is a problem and the labels are really late in fixing it," Czar Entertainment CEO and manager of the Game Jimmy Rosemond says. "With an artist like Game, his album leaked before it came out, and I had 4 million people downloading it."
...
In 2006, the best-selling rap album was T.I.'s "King," which sold 1.6 million copies, while the best-selling R&B album was Beyonce's "B'Day," which moved 1.8 million units. But those are exceptions.
...
A senior executive at one major label says ringtone revenue now exceeds track download revenue. And since Nielsen RingScan started tracking master ringtones in September, rap and R&B have comprised 87% of scans generated by the top 10 sellers.

Interscope's Marshall points out that Jibbs, for example, "has sold an incredible 1.4 million ringtones" -- a figure that might well offset lost album revenue. The rapper has moved 196,000 units of his "Jibbs Feat. Jibbs" album since its October 24 release. But figuring the ringtones he's sold at $2 apiece translates into $2.8 million in revenue, the equivalent of another 233,000 albums at a wholesale cost of $12 per unit.

And, Marshall adds, Chamillionaire has moved more than 3 million ringtones on top of scanning nearly 900,000 units of his "Sound of Revenge" album.

Some look at the above data and see it as an argument that the long tail spells the end of the hit. Others look at it and see it as more evidence that piracy is destroying the music industry. Or it may just be a sign that hip hop is finally played out. Me, I look at the ringtone industry and wonder whether it doesn't stand out as an example of where walled gardens and closed platforms have worked out quite well for the platform vendors and their partners yet [almost] detrimentally for consumers.


 

Categories: Current Affairs

Recently an RSS Bandit user made a feature request on our forums about a Good Google Reader Feature and wrote

On RSS Bandit, while reading all the news from a feed at the same time in the reading pane (feed selected) and scrolling down to read all the news, you scroll the whole page and nothing is marked as read. This only happens when you select the message in Feed Details. On Google Reader every news item you scroll past becomes marked as read automatically. It's a very simple and natural scheme. Works really well, just check out http://reader.google.com.

I checked out Google Reader and I had to agree that the feature is pretty hot, so yesterday I brushed up on my knowledge of the HTML DOM and added the feature to RSS Bandit. Below is a video showing the new feature in action

What's funny is that Andy Edmonds asked me for this feature a couple of years ago and I never attempted to add it because at the time I was intimidated by Javascript and DHTML. It turned out to be a lot easier than I thought.

RSS Bandit users can expect to see this feature in the next beta of the Jubilee release which should be available in the next week and a half. It would be sooner but unfortunately I'm on my way to Las Vegas to attend CES for most of next week and Torsten is on vacation. By the way, users of Windows Vista should be glad to know that the next beta will finally run fine on that operating system.

NOTE: The slowness in the video is due to the fact that my CPU is pegged at 100% while capturing the screencast with Windows Media Encoder. This feature doesn't noticeably affect the performance of the application while running regularly.


 

Categories: RSS Bandit

Joel Spolsky has a seminal article entitled Don't Let Architecture Astronauts Scare You where he wrote

A recent example illustrates this. Your typical architecture astronaut will take a fact like "Napster is a peer-to-peer service for downloading music" and ignore everything but the architecture, thinking it's interesting because it's peer to peer, completely missing the point that it's interesting because you can type the name of a song and listen to it right away.

All they'll talk about is peer-to-peer this, that, and the other thing. Suddenly you have peer-to-peer conferences, peer-to-peer venture capital funds, and even peer-to-peer backlash with the imbecile business journalists dripping with glee as they copy each other's stories: "Peer To Peer: Dead!"

The Architecture Astronauts will say things like: "Can you imagine a program like Napster where you can download anything, not just songs?" Then they'll build applications like Groove that they think are more general than Napster, but which seem to have neglected that wee little feature that lets you type the name of a song and then listen to it -- the feature we wanted in the first place. Talk about missing the point. If Napster wasn't peer-to-peer but it did let you type the name of a song and then listen to it, it would have been just as popular.

This article is relevant because I recently wrote a series of posts explaining why Web developers have begun to favor JSON over XML in Web Services. My motivation for writing those posts was the conversations I'd had with former co-workers who seemed intent on "abstracting" the discussion and comparing whether JSON was a better data format than XML in all the cases that XML is used today, instead of understanding the context in which JSON has become popular.

In the past two weeks, I've seen three different posts from various XML heavy hitters committing this very sin:

  1. JSON and XML by Tim Bray - This kicked it off and starts off by firing some easily refutable allegations about the extensibility and Unicode capabilities of JSON as a general data transfer format.
  2. Tim Bray on JSON and XML by Don Box - Refutes the allegations by Tim Bray above but still misses the point.
  3. All markup ends up looking like XML by David Megginson - argues that XML is just like JSON except with the former we use angle brackets and in the latter we use curly braces + square brackets. Thus they are "Turing" equivalent. Academically interesting but not terribly useful information if you are a Web developer trying to get things done.

This is my plea to you, if you are an XML guru and you aren't sure why JSON seems to have come out of nowhere to threaten your precious XML, go read JSON vs. XML: Browser Security Model and JSON vs. XML: Browser Programming Models then let's have the discussion.

If you're too busy to read them, here's the executive summary. JSON is a better fit for Web services that power Web mashups and AJAX widgets because it gets around the cross domain limitations put in place by browsers that hamper XMLHttpRequest, and because it is essentially serialized Javascript objects, which makes it a better fit for client side scripting, which is primarily done in Javascript. That's it. XML will never fit the bill as well for these scenarios without changes to the existing browser ecosystem, which I doubt are forthcoming anytime soon.
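As an added illustration (not code from this post or from the linked posts), here is the flip side of "JSON is serialized Javascript objects" in runnable JavaScript: a client that evaluates the response as script runs whatever the remote service sends, while a strict parser accepts only data. The `feedResponse` and `hostilePayload` strings are constructed for the example, and `consumeAsScript` mirrors the parenthesized-eval idiom of early JSON clients rather than any particular library.

```javascript
// Added example: why treating a JSON response as Javascript cuts both ways.
// Pulling cross-domain JSON in through a <script> tag (the route that sidesteps
// XMLHttpRequest's same-origin restriction) hands the response to the
// Javascript engine as code. The two consumers below show what that means.

// Constructed sample: the kind of JSON a mashup-friendly Web service returns.
const feedResponse =
  '{"title": "Latest headlines", "items": [{"id": 1, "title": "Hello"}]}';

// Constructed sample: same shape, but one "value" is an expression. As data it
// is not valid JSON; as script it runs before any object is handed back.
const hostilePayload =
  '{"title": "Latest headlines", "items": (globalThis.hijacked = true, [])}';

// Legacy consumer: evaluate the text as a Javascript expression. The wrapping
// parentheses make the braces parse as an object literal rather than a block.
function consumeAsScript(text) {
  return eval('(' + text + ')');
}

// Strict consumer: JSON.parse implements the JSON grammar only. Anything that
// is code rather than data is a SyntaxError, and nothing executes.
function consumeAsData(text) {
  return JSON.parse(text);
}

// Run one consumer over one response and record whether it produced a
// document and whether evaluating it touched global state.
function tryConsume(consumer, text) {
  delete globalThis.hijacked;
  try {
    const doc = consumer(text);
    return {
      ok: true,
      title: doc.title,
      count: doc.items.length,
      sideEffect: globalThis.hijacked === true,
    };
  } catch (err) {
    return { ok: false, error: err.name, sideEffect: globalThis.hijacked === true };
  }
}

// All four combinations: the script consumer "succeeds" on the hostile payload
// (it even returns a plausible document) after the embedded expression ran;
// the data consumer rejects it with no side effect.
function demo() {
  return {
    scriptBenign: tryConsume(consumeAsScript, feedResponse),
    scriptHostile: tryConsume(consumeAsScript, hostilePayload),
    dataBenign: tryConsume(consumeAsData, feedResponse),
    dataHostile: tryConsume(consumeAsData, hostilePayload),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Browsers in 2007 had no native JSON parser, so the eval path was the common one; the point applies to any consumer that evaluates a response as script, including the script-tag trick itself, which grants the serving origin the same execution rights.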

Update: See comments by David Megginson and Steve Marx below.


 

Categories: XML

It's a new year and time for another brand new Windows Live service to show up in beta. This time it's the Windows Live for TV Beta which is described as follows

What it is
Windows Live™ for TV Beta is a rich, graphically-driven interface designed for people who use Windows Live Spaces and Messenger and Live Call on large-screen monitors and TVs. We're still in the early stages of this beta, so many of the features might not work properly yet. That's why we really need your feedback! This beta is in limited release, so you must request access to the trial group. After you’re in the beta, come back to this page and let us know what you think.

You can also find out more about the product on the team's blog at http://wlfortv.spaces.live.com which includes the following screenshot

Hey, I think I can see me in that screen shot. :)


 

Categories: Windows Live

A perennial topic for debate on certain mailing lists at work is rich client (i.e. desktop) software versus Web-based software. For every person that sings the praises of a Web-based program such as Windows Live Mail, there's someone to wag their finger who points out that "it doesn't work offline" and "not everyone has a broadband connection". A lot of these discussions have become permathreads on some of the mailing lists I'm on, and I can recite detailed arguments for both sides in my sleep.

However, I think both sides miss the point and agree more than they disagree. The fact is that in highly connected societies such as North America and Western Europe, computer usage overlaps almost completely with internet usage (see Nielsen statistics for U.S. homes and Top 25 most connected countries). This trend will only increase as internet penetration spreads across emerging markets.

What is important to understand is that for a lot of computer users, their computer is an overpriced paperweight if it doesn't have an Internet connection. They can't read the news, can't talk to their friends via IM, can't download music to their iPods or Zunes, can't people watch on Facebook or MySpace, can't share the pictures they just took with their digital cameras, can't catch up on the goings on at work via email, can't look up driving directions, can't check the weather report, can't do research for any reports they have to write, and the list goes on. Keeping in mind that connectivity is key is far more important than whether the user experience is provided via a desktop app written using Win32 or a "Web 2.0" website powered by AJAX. Additionally, the value of approachability and ease of use over "features" and "richness" cannot be emphasized enough.

Taken from that perspective, a lot of things people currently consider "features" of desktop applications are actually bugs in today's Internet-connected world. For example, I have different files in the "My Documents" folders on the 3 or 4 PCs I use regularly. Copying files between PCs and keeping track of what version of what file is where is an annoyance. FolderShare to the rescue.

When I'm listening to my music on my computer I sometimes want to be able to find out what music my friends are listening to, recommend my music to friends or just find music similar to what I'm currently playing. Last.fm and iLike to the rescue.

The last time I was on vacation in Nigeria, I wanted to check up on what was going on at work but never had access to a computer with Outlook installed nor could I have actually set it up to talk to my corporate account even if I could. Outlook Web Access to the rescue.

Are these arguments for Web-based or desktop software? No. Instead they are meant to point out that improving the lives of computer users should mean finding better ways of harnessing their internet connections and their social connections to others. Sometimes this means desktop software, sometimes it will mean Web-based software, and sometimes it will be both.


 

Categories: Technology