On this page the attacker has written silent AJAX code which makes backend calls to his bank without John's consent, fetches critical information from the pages and sends this information to the attacker's Web site. This leads to a security breach and leakage of confidential information.
As far as I know this can't be done with Ajax, since XHR can't make cross-domain requests. However there are other techniques for this, including hidden forms, iframes, images, etc. This is commonly known as Cross-site request forgery (XSRF) and is a major problem but not getting much publicity. I guess someone needs to write a MySpace worm that utilizes this technique before people start realizing it's a problem.
Adobe recently announced a similar program but for software developers:
http://www.jamesward.com/blog/2009/04/03/free-flex-builder-for-unemployed-developers/
-James (Adobe)
[I also posted a portion of this on the original site but thought it might also be useful here.]
Being a Technical Evangelist for Adobe I frequently get questioned about our published statistics. My response is that you should always test YOUR user base before you make a decision about building on any technology. And in most cases when companies do their own testing the results are within one percent of our published numbers. This is true for enterprises, SMBs, media companies, etc. But occasionally I hear about some demographic where the numbers are totally off. For instance, if your user base is still working on green screens then you will find lower Flash Player penetration numbers there.
I think Slashdot should publish their stats about their users. It would be interesting to see what the Flash Player penetration is like with this demographic - especially considering I sometimes see Flash banner ads on Slashdot.
-James (Adobe)
Complaining about this on Slashdot does little to change it. Instead, please send your complaints to: info@demconvention.com
You can find details on how to sign up for the beta program on my blog:
http://www.jamesward.org/wordpress/2008/02/20/adobe-air-on-linux-pre-beta-testers-needed/
-James
Don't we usually call this Astroturfing?
RemoteObject is also available with the Open Source Granite Data Services project. So for free you get:
- HTTPService (connect to any backend using any serialization you want)
- WebService (connect to SOAP)
- RemoteObject (Java remoting)
I've posted a possible solution to this kind of thing on my blog:
http://www.jamesward.org/wordpress/2007/02/05/mutual-authentication/
I'd love to hear the ./ folks thoughts on my solution.
You can read the original version here:
http://www.artima.com/weblogs/viewpost.jsp?thread=193593
Ironic... I just blogged about my credit card company doing this sort of thing. But it ultimately doesn't solve the phishing problem. But by making the password a combination of a user selected token and a picture question password, I think mutual authentication can be improved. It's still not as strong as two-factor, but getting close.
I recently tried to recreate the Compiz Wobbly Windows with Flash 9 and the free Flex SDK. Check out my blog for the demo and more information.
It doesn't appear that any of them support Linux. Possibly movieflix.com but I don't want to subscribe just to test it. Has anyone successfully used any of these on Linux?
Here is the official Adobe Announcement:
http://www.adobe.com/aboutadobe/pressroom/pressreleases/200611/110706Mozilla.html
And here is a great blog post from Tinic, one of the Flash Player engineers:
http://www.kaourantin.net/2006/11/spidermonkeys-relative-tamarin-joins.html
And the Tamarin FAQ:
http://www.mozilla.org/projects/tamarin/faq.html
Please read these before you post FUD. Oh wait... This is /. FUD away. ;)
AFAIK, those workarounds actually don't use XHR, but rather iframes. There is absolutely no way currently to make a cross domain XmlHTTPRequest. The browsers just don't let it happen.
That's actually not true for XSRF. It's true for XSS.
I've tried both exploits on Linux (acroread & Gnome Document Viewer). Neither works. The first asks if I want to connect to the web site and I have to explicitly click "Allow" (in acroread). The second of course doesn't work because I don't have any ODBC junk on my Linux box. But that doesn't mean that it can't talk to other unsecured ports on my computer. That would be interesting to find out.
In the article the second "back door demo (PDF)" link just points to the same PDF as the first link. The correct link is:
http://michaeldaw.org/projects/backdoored2.pdf
Just curious... Do you disable JavaScript as well? These days I see just as many, if not more abuses of DHTML, JavaScript, and XHR than I do of Flash.
You are right about Flex already doing this. Want proof? Go to http://maps.yahoo.com/beta
Enter an address and hit enter, repeat n times, now use your browser back & forward buttons at will. :)
Flex has been doing this for a few years and many components support integration with the history manager out-of-the-box. More info here:
http://livedocs.macromedia.com/labs/1/flex20beta3/00000996.html
BTW: Flex 2 SDK is now free as in beer: http://labs.adobe.com/wiki/index.php/Flex:SDK_Announcement
Disclaimer: I work for Adobe.
- The Flex SDK is free as in beer.
- The Flex SDK ships with the framework source code.
- The Flex SDK compiles applications to SWF format.
- SWF files compiled with the Flex SDK can be hosted on any web server without restriction.
- Applications built with the Flex SDK can connect to any HTTP Service (RESTful or other), SOAP Web Service, or any binary socket.
- Official pricing for Flex Builder hasn't been announced.
- Official pricing for Flex Data Services hasn't been announced; except that single CPU, non-clustered deployments will be free.
- Flex Data Services includes functionality which I don't think exists in Laszlo, including Java Remote Objects, Pub/Sub messaging which optionally connects to JMS or other backend messaging systems, and a Data Synchronization Service which is like Hibernate for RIAs.
I think you are confusing vendor lock-in with how most web application programming languages work. Besides Laszlo, are there any other web application programming languages that run under multiple virtual machines? Seems like the beef you have with Flex about not running in multiple VMs could also apply to Java, Perl, PHP, etc. Do you also have the same problem with those technologies?
I really don't know what will happen to SVG. But in my opinion it has little value without being ubiquitous, and it is nearly impossible these days for new technologies to get that kind of adoption (like more than 90%), largely due to the chicken & egg problem. Flash is here to stay and is a great platform for building web-based applications.
I can't speak to Adobe's overall SVG strategy because I really don't know. But I do know that a subset of SVG is supported in Flex. As for Flex 2 pricing, the SDK is free, and single CPU deployments of Flex Data Services are free. Exact pricing on Flex Builder and clustered FDS hasn't been announced.
For more info on the Free Flex 2 SDK, see: http://labs.adobe.com/technologies/flexframework2/
Also for more info on Flex's SVG support see:
http://livedocs.macromedia.com/labs/1/flex20beta2/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_Parts&file=00001271.html
http://livedocs.macromedia.com/labs/1/flex20beta3/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_Parts&file=00000992.html
But of course Flex locks you into Flash!
This is silly. This is like complaining about how Ajax frameworks lock you into XmlHTTPRequest (which BTW is not a standard and only exists because Microsoft added it to the browser).
And how did you make the conceptual leap from "more affordable pricing" to "*FREE*"?
Ummm, maybe because the Flex SDK that does everything Laszlo can do and more IS FREE.