Archive for December, 2012

Test Driving a Chromebook and ChromeOS

When you’ve been using computers as long as I have, change doesn’t always come easy. But, at Mozilla we have a saying that “The Web IS the Platform”. I’ve spent a LOT of time over the past year researching how much one can actually do using only “Web Technology”.

In case you’ve been under a rock for the last couple of years, there is an ongoing debate (meaning argument) about HTML5 versus “Native”. The more I experiment with HTML and the associated technologies, the fewer use-cases I find that truly require native platform technologies.

In May of 2011 a co-worker came back from Google I/O with a “Chromebook”. He described it as a net-book that only ran the Chrome browser. As a Microsoft employee I was a good corporate citizen and ran Internet Explorer as my primary browser. (Though I used Firefox for development work.) IE doesn’t really have an extensibility model (and no, I don’t consider ActiveX a viable extensibility model) so I hadn’t really come to think of the browser as a container for application type functionality.

Spending the last 14 months embracing Firefox (and by association, Google Chrome) I’ve learned to be comfortable doing things in the browser that I historically felt the need to do with a native Windows app. So, thinking from the perspective of Mozilla’s “The Web IS the Platform” and seeing the amazing progress we’ve made with FirefoxOS (an HTML5 Operating System for Phones) it makes sense that my “second look” at Chromebooks might leave me a bit more open minded about the potential.

Then it happened a couple of weeks ago. I stopped in to my local Best Buy store to upgrade my phone and they had an end-cap display of Chromebooks. They had two models featured.

The Samsung ($249) had more elegant, Airbook-esque lines but they had the same size screens and RAM and they both booted in the same 20 seconds. However, the Samsung ($249) had only a 16 gigabyte SSD whereas the Acer ($199) had a 320 GB hard drive. Since they both booted at the same pace I opted for the cheaper Acer with 20 times the storage.

Acer Chromebook

The plan was to see how much real work I could do without having to revert to a “full” laptop. I have to say that the experience has been FAR better than I expected it to be. To begin with, I’m getting almost 5 hours of battery life which is 20% more than the manufacturer’s estimates.

The file manager takes a bit of getting used to but once I did I was able to organize my files and easily move them between local storage on the hard drive and my Google Drive. One of the cool things about this is that I’ve been able to copy ripped movies to the Chromebook hard drive for in-flight viewing. They play just fine.

I plugged in a Microsoft wireless desktop (Mouse and Keyboard) and they “just worked”.

I found a plethora of apps to meet most of my daily needs.

Between Google Apps, Zoho, and Evernote I have most of my basic needs fulfilled. I also found a collection of other useful apps.  A couple of ToDo list managers, source code editors with built in FTP support, a web based irc client, basic image editors, etc.

I wrote the blog post, cropped the image, and posted all on the Chromebook.

So, what can I NOT do?

Well, I can’t run Zend Studio or other IDE / Editors of choice. I can’t do rich Video, Audio or Image editing (though I can do simple stuff), and I haven’t found a batch FTP program yet. The list is pretty small.

There are also little annoyances like the inability to rearrange the order of the icons in the application launcher (which seems to be on the bill for the next ChromeOS update).

VGA and HDMI support. Wired or Wireless network access. 3 USB ports with drive and device support. 320 Gig hard drive. All for $199.

It may not ever be my ONLY computer, but I probably could have gotten through high school and college with it and its almost instant-on makes it a great personal data assistant!

Saying good-bye to 2012

The last week of the year is always a quiet one. Most people take holiday but most years I prefer to use the relative quiet time to catch up, reflect on the last year and think about what I want to accomplish in the year to come.

2012 has been a great, stressful, fun, frustrating educational year. Having started at Mozilla in late 2011 after spending 10 years at Microsoft, Mozilla has been an adjustment. Mozilla has nearly doubled its employee complement since I started. The ethos of the organization has morphed from a primary focus on the browser to building FirefoxOS, an HTML5 phone operating system and the accompanying apps platform and marketplace.

I did a lot of coaching, business, strategy stuff this year and not as much technical work as I normally have done in my developer community work.

Though I don’t make “New Year’s Resolutions” I do have a to-do list of work items that I want to focus on this year.

  • Start doing How-Do-I videos again. (HTML5 & PHP) 
  • Blog at least once a week.
  • Start sharing all my code on GitHub.
  • Conference Talks (I only did a few this year).
  • Contribute to at least one Open Source Project
  • Embrace the Cloud (starting with moving my blog to a cloud host).
  • Renew my interest in iOS and write my first native iOS app.
  • Organize my social media presence (separate my work and my personal identities)

Technically over the last year I focused almost exclusively on the client which is funny because I’ve always been a “server side” guy. In 2013 I plan to divide my focus between client technologies and the server interaction patterns that make for great app experiences.

First up – a two day camp on migrating apps to FirefoxOS.

What do you plan to focus on differently in 2013?


Is Intellectual Property Security a Myth ?

Is intellectual property protection a myth?

In a word, yes, sort of, at least in a technically accurate sense.

Last week I had a conversation with a developer who told me that his company would never develop an HTML5 app because his intellectual property was far too valuable to share with anyone who wanted it.

Of course, upon further discussion, like most of the developers that have said this to me over the years, what he was really concerned with is software piracy, but let’s talk about the former first.

Developers, like the one I was talking to above, insist that their distributed applications be compiled so that their source code is “secured”.

Ok, 1999 called to say it misses you ! :)

I was working at Microsoft when we released the beta versions of .NET. Included in the SDK was a decompiler. Developers around the world went nuts because all their source code would be stolen !

The truth of the matter is that source code is retrievable from compiled applications on all popular computing platforms. Just a bit of crafty googling will find you de-compilers for C#, Java, Visual Basic, C/C++ and a plethora of other languages.

These will turn your executable binaries into source code. Which tool you use would depend on the type of file you are decompiling which can be determined by headers in the files themselves.

The common response is that the code is not the same as the original source code, and that is true, it may be harder to read (or it may be easier) but either way the “intellectual property” would be exposed.

And there are other ways to get source code for an app too.

You will also find disassemblers that turn an executable binary file into assembly code. They basically convert the executable machine instructions into platform specific Assembly code instructions. If assembly code is not your thing you could then run a source translator to convert the Assembly into another language like “C”.

Of course this still doesn’t deliver the exact source code written by the developer. The resulting source code may not even be recompilable without modification, but again, the “Intellectual Property” has been retrieved.

There are very clever tools like the Holodeck Debugger that allow a skilled hacker type to view in real time what instructions are being executed by the operating system. (Holodeck is an AMAZING tool for good guy developers too !)

It’s possible to implement an encrypted operating system (file system, memory, runtime, etc.) that could decrypt programs in isolation for execution, but characteristics of such an operating system would make it unsuitable for general consumer use.

So, when we talk about intellectual property protection in our applications it’s important to understand that what we are really talking about is just increasing the difficulty level involved in stealing our code or using it in meaningful ways that oppose our desires.

.NET and Java developers who felt the need solved this problem by using pre-compilation obfuscators. The obfuscation process converted the source code to a product that, while syntactically valid, made no sense to the human viewer.

When decompiled, the hacker has access to only the OBFUSCATED source code. The intellectual property was still in there, but for all intents and purposes, still secret. The process of reverse engineering code delivered after this obfuscation / compilation was too time consuming to be of interest. This makes the intellectual property secret in a practical sense, if not a purely technical one. Some obfuscators even produce source code that would fail recompilation attempts.

Likewise, people have been securing the logic and the content of the web for a long time. Obfuscators exist for HTML, CSS, and JavaScript. If you’re a web developer you have certainly cracked open a page or downloaded a JavaScript file and seen huge strings of hex digits. Those were probably a method of obfuscation.

For example, the following simple JavaScript program:


var a="Hello World!";
function MsgBox(msg)
{
    alert(msg+"\n"+a);
}
MsgBox("OK");

When obfuscated, it becomes this:


var _0xf979=["\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21","\x0A",
"\x4F\x4B"];var a=_0xf979[0];function MsgBox(_0xa221x3)
{alert(_0xa221x3+_0xf979[1]+a);} ;
MsgBox(_0xf979[2]);

Using the application will expose what it does but viewing the source code does not expose HOW it does it.
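How thin this particular layer is can be checked directly. The following is an added example, not part of the original post: it undoes the string-array encoding of the obfuscated listing above without executing it. The function names are hypothetical and the obfuscated text is copied from the post.

```javascript
// Added example (not from the original post). Reverses the hex-escape
// string-array layer of the obfuscated listing without running the code.

// The obfuscated program from the post, embedded as raw text.
const OBFUSCATED = String.raw`var _0xf979=["\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21","\x0A",
"\x4F\x4B"];var a=_0xf979[0];function MsgBox(_0xa221x3)
{alert(_0xa221x3+_0xf979[1]+a);} ;
MsgBox(_0xf979[2]);`;

// Decode the \xNN escapes inside the body of one string literal.
function decodeHexEscapes(body) {
  return body.replace(/\\x([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Find `var _0x...=[ "...", ... ];` and return its name, text and decoded strings.
function extractStringTable(source) {
  const m = /var\s+(_0x[0-9a-f]+)\s*=\s*\[([\s\S]*?)\];/.exec(source);
  if (!m) return null;
  const literals = m[2].match(/"(?:[^"\\]|\\.)*"/g) || [];
  const strings = literals.map((lit) => decodeHexEscapes(lit.slice(1, -1)));
  return { name: m[1], decl: m[0], strings };
}

// Replace every NAME[i] lookup with the literal it refers to and drop the table.
function inlineStringTable(source) {
  const table = extractStringTable(source);
  if (!table) return source; // not this obfuscation style: leave untouched
  const lookup = new RegExp(table.name + "\\[(\\d+)\\]", "g");
  return source
    .replace(table.decl, "")
    .replace(lookup, (whole, i) =>
      Number(i) < table.strings.length
        ? JSON.stringify(table.strings[Number(i)])
        : whole)
    .trim();
}

console.log(inlineStringTable(OBFUSCATED));
```

The string literals come back exactly; the renamed parameter `_0xa221x3` does not, because the original identifier is simply gone from the shipped file.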

There are really two things that people are interested in defending against. One is people using their software for free, the other is people stealing their source code which is to say the algorithms that are specific to their applications.

If you’re building an app using web standards (HTML5/JavaScript/CSS) you need to decide how much “protection” is enough to satisfy your concerns.

Of course the most secure method is to keep the parts of your logic that need to be secret on the server. You can modify your application’s architecture so that some functionality is only available when an internet connection is present.

You can use obfuscated client side assets to keep prying eyes from easily hacking the APIs. Of course, if an even higher level of security is necessary, you can further restrict access to the APIs by using SSL and a per request token based authentication mechanism.
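One way a per request token could work, as an added example that is not from the original post: the client signs each call with a per-session secret and the server rejects stale, altered or replayed requests. The scheme, the function names, the message layout and the 60 second window are all assumptions; it runs on Node.js and expects the secret to have been delivered over SSL/TLS after login.

```javascript
// Added example (not from the original post): one possible per-request token
// scheme. Names, message layout and the 60 s window are assumptions.
const nodeCrypto = require("node:crypto");

const MAX_SKEW_MS = 60 * 1000; // assumed freshness window
const seenNonces = new Map();  // nonce -> expiry time (in-memory replay cache)

// Client side: bind method, path, timestamp and a random nonce to the
// per-session secret the server handed out after login.
function signRequest(secret, method, path, now = Date.now()) {
  const nonce = nodeCrypto.randomBytes(16).toString("hex");
  const mac = nodeCrypto.createHmac("sha256", secret)
    .update([method, path, now, nonce].join("\n")).digest("hex");
  return { ts: now, nonce, mac };
}

// Server side: returns "ok" or the reason the request is refused.
function verifyRequest(secret, method, path, token, now = Date.now()) {
  if (!token || typeof token.mac !== "string" ||
      typeof token.nonce !== "string" || !Number.isFinite(token.ts)) {
    return "malformed";
  }
  if (Math.abs(now - token.ts) > MAX_SKEW_MS) return "stale";
  const expected = nodeCrypto.createHmac("sha256", secret)
    .update([method, path, token.ts, token.nonce].join("\n")).digest();
  const given = Buffer.from(token.mac, "hex");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) {
    return "bad-mac";
  }
  // Drop expired nonces, then refuse any nonce already used in the window.
  for (const [n, expiry] of seenNonces) {
    if (expiry < now) seenNonces.delete(n);
  }
  if (seenNonces.has(token.nonce)) return "replayed";
  seenNonces.set(token.nonce, token.ts + MAX_SKEW_MS);
  return "ok";
}
```

The nonce is recorded only after the MAC checks out, so unauthenticated traffic cannot fill the replay cache; a multi-process server would need a shared store in place of the in-memory `Map`.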

Similarly, once you have done the above you can use similar methods to assure that the user of your app is authorized to use it by periodically requiring an authentication handshake. (Mozilla apps will provide an API to help the developer do exactly this using Persona and the MozApps receipt system.)

Many organizations have discovered that these concerns are never realized when their apps become public but above are a few ideas that you can use to make stealing your code more difficult. Remember, there is no such thing as an app that can’t be reverse engineered. But you can make them work for it!