Steve Jobs: Thoughts On Flash

Apple today published a letter from Steve Jobs aptly title “Thoughts on Flash“. What’s interesting isn’t so much what he said, but what he alluded to. This letter is about Flash, but it’s also about the future if the iPhone platform strategy. It also alludes to the future importance of WebKit and the open web. Lets walk through this. From his points:

First, there’s “Open”.

Steve is right. Flash isn’t really “open”. The iPhone isn’t either by any means. In fact it’s the most restricted computing platform in the world as far as I know. What he did note is that the iPhone uses WebKit and by proxy the web is the most open platform on the planet. That’s very noteworthy.

Second, there’s the “full web”.

Flash video itself isn’t that great by todays standards. That’s why sites like YouTube are serving HD video in H.264 rather than VP6. H.264, VP8 and Theora are the future. If all 3 or just one will survive remains to be seen. Regardless any of them can be played outside of Flash. The dependency on Flash to build a player is going away more and more each day.

Regarding games, this is a silly point. Almost all Flash games need a keyboard or mouse to work. They would never work with a touch screen. Nor would they scale to fit the screen. They would need to be significantly reworked/rewritten.

This is yet more alluding to WebKit and HTML5 where there are solutions already in place.

Third, there’s reliability, security and performance.

It’s pretty hard to dispute the reliability of Flash. It’s by far the driving force behind things like out of process plugins (OOPP) in Firefox among other browsers. It’s also been subject to lots of security vulnerabilities.

Fourth, there’s battery life.

The WSJ quotes Adobe’s Shantanu Narayen as saying the claims of Flash being battery draining are “patently false” but if you look at a CPU monitor while browsing a page with Flash, you can see the load increase quite a bit. Blocking flash on your browser does speed things up and keep your system cooler. I’m very suspect that Adobe has solved this in cell phones when they don’t even seem to have it under control in Windows.

Fifth, there’s Touch.

I already mentioned that mouse/keyboard interfaces just don’t work on the iPhone. No need to rehash that.

Sixth, the most important reason.

That’s actually a vague header. The reason is that they don’t want a third-party sitting between the iPhone API’s and developers. If that happens, developers are limited to what that third-party decides to implement. At the very most developers on the Flash platform get whatever is supported on all Flash platform (greatest common denominator).

That leaves Apple in a stupid position. They could implement killer features in the iPhone and create amazing API’s to take advantage of the features. But if Adobe doesn’t see a way to support things across platforms, or just doesn’t see the cost/benefit of implementing that feature, developers can’t use it. That marginalizes the product for Apple as well as developers.

Conclusion

I found this very interesting that he closed it like this:

New open standards created in the mobile era, such as HTML5, will win on mobile devices (and PCs too). Perhaps Adobe should focus more on creating great HTML5 tools for the future, and less on criticizing Apple for leaving the past behind.

In February of 2007 Steve Jobs wrote another letter on DRM. It’s noteworthy because in January 2009 Apple launched the ability to buy non-DRM protected music. The letter was really a hint at where things were going. He’s repeating the PR strategy that he used then, make no mistake of it.

I have a feeling the day will come where the App Store is deprecated in favor of promoting HTML5 based Applications either directly off the web or packed similar to how Dashboard Widgets are done now on Mac OS X. The App Store will be around for quite some time, but it will eventually morph.

That is why WebKit is so important to Apple. They want to abstract their OS to the point where they can provide very high level hooks into features they want developers to be able to use. The current iPhone App SDK was a solution created by Apple as a way to let developers put applications on the iPhone as an afterthought. The moderation is so that they can keep their security record intact and could shut down a malicious app before trouble becomes rampant. That puts them in the position where they can either approve all content and be viewed as sleazy by more conservative folks, or they can let everything go and accept that reputation. They obviously made their decision. Developers and some geeks hate it, but 99% of the rest of the world doesn’t even know about the process. Nobody wants to know how sausage is made.

The App Store will likely morph to feature Dashboard Widget like applications (not to different from Palm’s WebOS). Apple will still be able to cash in via that distribution point since they can use DRM giving them the only way to actually sell a protected application. You can view them online via you’re browser.

That’s my prediction. The day will come when the iPhone SDK that we know today will be deprecated. WebKit and HTML5 aren’t there today, but the day will come when they will be the tier 1 development platform for the iPhone. Steve Jobs is just laying the groundwork today.

For desktops, other platforms and browsers it’s worth noting that there’s a lot to gain here.

What Facebook Apps Know About You

The ACLU put together a clever quiz on Facebook that lets you see what a Facebook application knows about you.

I doubt most people realize how much they are giving an application, and how unnecessary the information is to the application. There is no legitimate need for something as simple as a quiz to require that much information. And yes, if your friend takes a quiz, your information is shared too.

I mentioned the other day that that Facebook changed the data retention policy. So this gives a little more context regarding what is actually at stake here.

I’ve been unable to confirm if Facebook gives applications the same data for minors (those under 18) as they do for adults. I know they restrict information shared via the website, but not sure if that extends to the API level. If anyone has a minor child and can shed some light on that, I’d be interested to see how they treat privacy of children in Facebook applications. I’m also not sure if they adjust what data is shared for users, in particular children in other countries where laws may be different. If you know, please share. If you can share a few screenshots of what’s revealed contact me (I won’t share unless you explicitly say so).

Yes, I know this is my third Facebook related blog post in a week. I promise to go back to ignoring them soon enough, but the privacy implications of their applications is pretty interesting to say the least. This is especially true if online privacy and security have long interests of yours.

Israel Lifts iPad Ban

Israel announced that they have lifted the iPad ban.

“The scrutiny conducted by the Ministry technical team vis-à-vis Apple’s team, International laboratory and European counterparts confirmed that the device which could be operated in various standards will be operated in Israel in accordance to the local standards.”

Lets be honest. This had nothing to do with Israeli limitations on wireless communications. This had to do with importing a device that could be resold for significant profit without paying any sort of tax. Israel has more high-tech start-ups per capita than anywhere on earth. Needless to say the number of folks willing to pay a large premium to get their hands on one makes this a profitable market. It also makes the startups extra vulnerable to being extorted.

The truth is the iPad uses a pretty vanilla Broadcom BCM4329 (BCM4329XKUBG to be exact) chip. This is yet another chip in a very popular series of Broadcom chips for wireless communications. It handles Bluetooth and WiFi on one package making it very efficient and battery friendly. The iPhone 3GS uses the BCM4325. Millions of cell phones and laptops have very similar chips in them for the past several years. The radio is nothing new.

Almost every traveler bringing a laptop or smart phone into Israel has a wireless card of equal strength. If they had any real reason to believe that foreign wireless chipsets could be a danger to their infrastructure all laptops would need to be whitelisted before being brought to Israel. Clearly that’s not the case. Yes you can tweak via software to limit the power of a wireless card, but does anyone adjust their laptop when entering another country? Has anyone been checked when entering the country for wireless strength? I’m guessing not.

Now that a few weeks have passed, and the hype is starting to die down, there is no longer a need for the ban. Units will start shipping overseas soon anyway.

This isn’t a bad thing I might add. People who smuggle these devices in and resell them are just opportunistic and taking advantage of the situation.

Of Mice And Keyboards

It’s not a secret that I’m a keyboard snob. I’m picky with mice, but I’m clearly a keyboard snob. To give some background I once swapped the keyboard of a brand new laptop (1 week old) for the exact same keyboard manufactured by a different supplier for IBM/Lenovo because of the spring quality. Only then was the Thinkpad T43 keyboard acceptable to me. I actually found it better than the Thinkpad A31 after the swap.

I hate most keyboards that I’ve ever used. Given how much time I spend using them, I think my snobbery is justified.

Current Setup

I’ve flirted with the idea of replacing my Logitech Cordless Navigator Duo since 2006 and have yet to execute. I like this keyboard as far as the feel goes. Good spacing, great action, I can get pretty good speed/accuracy on this thing. It’s also quite comfortable despite being a little thick. However the wireless is occasionally flaky especially using a KVM. The software for “features” is crap to say the least and unusable. Now the wrist rest is cracking and creaky. To solve the battery eating problem I’ve been using rechargeable batteries, which have made it much more practical to use since the mouse is insane. The whole setup is approaching replacement time. I’ve had the same keyboard and mouse since 2003. Before anyone asks, the labels on all keys are visible, and slight wear on the space bar. The paint on the mouse is flaking a little.

I have an Apple Extended Keyboard II (M2980) stored away since I’ve always felt that was a great keyboard (second to an IBM Model M) and want to keep the option to go back to it in the future.

I’ve considered a Model M via Unicomp who now owns the design, but it wouldn’t be a daily keyboard since the noise isn’t always desirable. It’s more like the impractical garaged car you’d take out on nice weekends for a drive. I haven’t ruled this out.

I’ve also considered a Matias Tactile Pro 3 but I just wasn’t sold on it.

The Next Generation

Apple Keyboard With Numeric Keypad

I’m leaning towards the lesser known Apple Keyboard with Numeric Keypad. It’s actually offered as an option when ordering the iMac or Mac Pro and available separately. I like the newer MacBook Pro keyboard design, despite its odd appearance. The thing I never quite liked about laptop keyboards in general is the spacing, which this fixes. I really don’t mind the low key-travel design as I find it increases typing speed. Another thing I really like about this design is that it’s mostly closed, so it’s much cleaner and less prone to dust. One thing I don’t like is that it’s not very serviceable should it need cleaning (welds vs screws). The keyboard is wired, so the wireless crap is no longer an issue and KVM compatibility is much easier.

It’s a slight gamble since it’s a very different keyboard design, but it’s not that expensive and I’m pretty sure it will work out.

The big question becomes what to do about the mouse. The best I’ve seen so far in the corded mouse market is the Logitech M500, which I’m still not ecstatic about. I’d like something heavier, and ideally more than 1000 dpi. I’ve also read that the glide pads are prone to coming off. The G500 and G9x gaming mice offer the weight and higher resolution, but I’m not into the design of the mouse itself. The Performance Mouse MX seems nice and reminiscent of the discontinued MX Revolution, which was a nice weight… but it’s wireless, which means it’s not in the running.

Before anyone mentions the Apple Magic Mouse let me note it’s Bluetooth and must be paired with the computer, and is not usable with a KVM switch, which I’m not willing to give up.

Microsoft has lots of mice in their lineup, but not one that actually seems nice to me. I’ve never liked the design of their keyboards/mice. They always had this cheap plastic feel to them.

Photo copyright Apple Inc.

On Facebook Permitting Longer Storage Of User Data

Previously the rules only permitted storage of some data for 24 hours. Notice I said “rules”. The truth is that there is no technical means of enforcement that I can find. This is done on the honor system. Facebook in theory could look at usage and wonder “how are they doing this without refetching data?”, but monitoring all the apps in that way seems highly impractical. You’d need good knowledge of how the every app actually functions to make that decision. That still doesn’t cover the case of not deleting data when a user removes the application or changes privacy settings.

I’m sure there are some shady application vendors who have forever ignored this requirement. I’m sure some have also captured data they weren’t supposed to store. It seems naïve to think otherwise. That’s not to say everyone does it, or even a sizable number. I suspect most companies are honest and follow the rules. The change to remove the limit is actually more honest and straight forward. It is a step closer to reflecting reality.

Facebook should really have some sort of audit policy for apps over X number of users, or make it clear that there’s no real technical means limiting what an application can store once you share data with it. They don’t know for certain that just because a user deleted an application that the application has purged the data. There’s no technical means behind it, and that’s not something that’s easy to fix.

This is an important thing to clarify. Just because they had a policy of a time limit, that doesn’t equate to a technical solution. This is akin to passing a law that says “no identity theft”. It’s a novel thing to do, but it doesn’t prevent theft. It simply clarifies the official position on the activity. If this method worked, we wouldn’t need law enforcement or a legal system, just a few clever people with pens to write laws.

Facebook can obviously shut down anyone who it feels violated their policies, and can likely take legal action against such parties. I’m pretty sure they shut down applications, I’m not sure about legal action.

Bottom line: only share data if you’re willing to accept this risk. Their clarification of warning dialogs before you authorize an application is a good step in this direction.

More On Cell Phones And Toilets

Last month I briefly touched upon the correlation between cell phones and toilets. My influence was coincidentally reading a story on third-world water sanitation a day or so before stumbling upon the cell phone statistics.

Now the UN is reporting in India more people have access to cell phones than toilets.

To briefly recap:

  1. I called it.
  2. I still find it disturbing.

When The Laptop Watches You

Virtually everyone in the United States has now heard of the case in Lower Merion School District where administrators allegedly took thousands of pictures of students at home. They did this by using a school issued laptop that was equipped with a camera and software that could remotely access them. Kids often leave them in their bedrooms, and the rest is pretty self-explanatory.

The software LANrev (now renamed Absolute® Manage) intends for the feature to be used by administrators for the purposes of theft recovery. That obviously leaves an avenue for abuse.

If you or someone you know has a laptop with a camera that is managed by a third party, always assume they could have control of that device. A simple piece of opaque tape (I’d suggest electrical tape) over the camera will prevent any abuse of the camera. You can put a small piece of paper between the camera glass and tape to help avoid damage and clean it when you remove the tape before returning it. Harmless fix. Someone could in theory still listen using the microphone and view what’s on the screen at any given moment, but that’s a much smaller invasion of privacy than someone watching you get undressed in your own home. Use the computer only for school work if possible, and the rest isn’t much of an issue.

Someone did some digging into the software and it’s implementation at this particular school district, and quite frankly it’s a bit disturbing.

In a September 2009 post that may come to haunt this investigation, Perbix posted a scripting method for remote enable/disable of the iSight camera in the laptops. This post makes a lot more sense when Perbix puts it in context on an admin newsgroup, in a post which makes it clear that his script allows for the camera to appear shut down to user applications such as Photo Booth but still function via remote administration:

“what this does is prevent internal use of the iSight, but some utilities might still work (for instance an external application using it for Theft tracking”

This type of stuff should have set off some alarms. Good security doesn’t rely on obscurity or deceit.

The laptops have a light next to the camera that illuminates when the camera is activated, however the IT folks are alleged to have claimed the light appearing was a glitch according to the above link.

That said, school districts shouldn’t use laptops with cameras and microphones. Manufacturers should give those bulk purchasers the ability to have no camera installed. Alternatively they should be physically removed from the chassis by IT staff before being distributed to students. Disabling via software or policy isn’t going to stop this problem as long as the same people who control the laptops are the ones most likely to abuse it.

This is an interesting mix of hardware, software and policy security implications. The hardware worked correctly (it warned the user) but shouldn’t have existed. The software was abused and the policy was flawed. Lots of things can be learned here.

Another Brick In The Facebook Wall

I ran across the problem recently trying to write to a users wall using the Facebook API. The Facebook documentation is hardly sane as it’s a mix of languages, not entirely up to date, and lacks good examples. The error messages are hardly ideal either. “A session key is required” at least leads me in the right direction. “Invalid parameter” is just unacceptable and makes me stabby.

So here’s some cleaned up pseudocode I pulled together that will hopefully be of use to others who bang their heads against the wall. This “works for me” in my limited testing over several days:

require_once(‘./facebook-platform/php/facebook.php’);
 
$facebook = new Facebook($apiKey, $appSecret);
 
// This gets us the uid
$canvasUser = $facebook->get_canvas_user();
 
// And the session key
$sessionKey = $facebook->api_client->session_key;
 
// You need both of these permission bits
$user = $facebook->require_login($required_permissions = ‘publish_stream,offline_access’);
 
// You’ll likely have an application sitting here and at
// some point in your application be doing the following
 
// Here’s where we actually set the status
$facebook->api_client->call_method("facebook.status.set", array(
    ‘uid’ => $canvasUser,
    ‘status’ => "All in all it’s just another brick in the wall.",
    ‘session_key’ => $sessionKey
));

Getting the right permissions is key.

The thing that ends up being the most confusing is the session_key. After reading the docs, I was inclined to do:

$token = $facebook->api_client->auth_createToken();
$sessionKey = $facebook->api_client->auth_getSession($token);

What you really want is:

$sessionKey = $facebook->api_client->session_key;

You can also use adapt this to use stream.publish if you’d like.