Archive for February, 2010

No Flash in the Pad

Posted in 2010 on February 22nd, 2010 by Robert X. Cringely – 145 Comments

Apple has been criticizing Adobe Systems lately for what Cupertino perceives as poor performance and design deficiencies in Adobe’s Flash web media technology, which it darned well wants to keep off the iPhone and iPad. Adobe, in turn, has been defending Flash, however gently, citing it as a great enabling technology that has got the web in large part to where it is today. Both companies are correct, and that’s the point that seems to be missed by most of the pundits standing around pointing at the fight. Flash has been vital to the success of the web, but Flash is old.

Apple’s preferred media architecture, HTML5, is the future of the web.

Web browsers have swallowed up most every app you used to have to install on your PC. Something like TurboTax needs forms to input data, display tables of numbers, and store your returns on their server. But if you want to have forms smart enough to know what’s a date and what’s a dollar; to draw piecharts; or store your W-2 on your laptop, then you need a new browser.

Flash always picked up where the browser left off, but it can’t talk to your webcam, store local files, or draw pixels directly to your screen. Now, for the first time, a cluster of technologies known as HTML5 allows a standards-based pathway to busting those barriers with canvas graphics, drawing video onscreen, smarter forms, and local storage for private data. So who needs Flash?

John Gruber is right: Flash is responsible for most of the crashes of my Mac. I can hardly blame Adobe for defending its very successful Flash franchise, though it feels strange coming from that nerdiest of nerdy companies. And I admit there are still a few things that Flash can do but HTML5 can’t, but the evolutionary path here is clear.

Where Flash a decade ago enabled browsers to do more, I can see a time coming soon when Flash will force browsers to do less than they might.

It’s time for a change.

Google’s Walk in the PARC

Posted in 2010 on February 15th, 2010 by Robert X. Cringely – 51 Comments

No, Google doesn’t intend to become a national Internet Service Provider, despite its new plan to build a number of optical networks to serve homes and businesses at up to one gigabit-per-second.  The real plan is half Xerox PARC and half Tom Sawyer.

When the Computer Science Lab at Xerox Palo Alto Research Center was organized by Bob Taylor in the early 1970s to revolutionize computer, network, and printing technology, there was a conscious decision to live 10 years in the future. The CSL would build devices that could be expected to make economic sense in 1980, not 1970.  This was a huge leap, because it meant the amount of memory in each device would be 64 times as much as made economic sense in 1970 when 1K was a lot.  Yet think of it, a 64K PC was the norm when IBM introduced that product in 1981 (base was 16K!) so the numbers were about right.  Only by embracing future limits, no matter the cost, was PARC able to achieve so much (Ethernet, Graphical User Interfaces, laser printing) in its first three years of operation.

Part of Google’s inspiration, then, for building-out a few residential and business optical networks is to do the same thing.  Because not all smart people work at Google and even more so because the smart people who do work at Google don’t generally think or operate like the rest of us, it will be very useful to see what normal folks actually do with that much bandwidth.

There will be a few surprises, I’m sure, but not many.  For the most part Google is hoping to inspire current ISPs — mainly cable companies — to follow its lead, like Tom Sawyer did when getting his friends to whitewash that fence.  Google wants to set an example for how to do local networks right and get the Obama Administration to codify that methodology through the Federal Communication Commission.  Then they want someone else to do the actual heavy lifting.

And it will probably work, not so much because Google is brilliant but because the cable TV companies are ambitious.  We’re entering an era where cable operators will have a real cost advantage over telcos in expanding residential bandwidth, thanks to DOCSIS 3.0 modems.

I’m the third DOCSIS 3.0 customer in Charleston, South Carolina and the first residential customer following two law firms.  I did it I suppose to write this column but even more so because I have some heavy video activity coming-up and thought I might need the extra bandwidth, which is substantial.  The important thing to understand about DOCSIS 3.0 technology is that it’s not a big deal, really.  It’s just channel bonding.

Where earlier cable modems had users on each subnet sharing a single analog video channel (generally channel 80), DOCSIS 3.0 devices can grab several channels and aggregate bandwidth.  Think about it, under this scenario if a cable system operator were to abandon its analog signal entirely in favor of a total IP solution that would mean a 100X increase in shareable bandwidth on each subnet — subnets that are already for the most part interconnected by fiber.  That’s 30 gigabits-per-second or more to be shared in your neighborhood alone for a cost that amounts to about $300 compared to the average $1350 per customer Verizon is spending to install FiOS fiber.

Some cable companies will use DOCSIS 3.0 to take down the local phone company, which will be hard-put to compete.  And they’ll have support from the TV manufacturers as well as cable box makers.  My new 58-inch Panasonic Plasma TV has an Ethernet port on the back and all Panasonic’s competitors would like us to buy new TV’s too.  And don’t forget who is America’s largest maker of cable boxes — Cisco.  You think they don’t want IP TV? Heck, they trademarked the term.

While what Google intends to install is fiber (or so they are saying right now) the ultimate beneficiaries of this project may be more traditional cable plants running mainly thick old coax.

Google wants to nudge this along because their ultimate goal isn’t to be an ISP but to live in the data center of the ISP providing us data with ads to go with it.  They want to drop one of those shipping container server farms into the parking lot of every cable head-end in America, ultimately providing gigabits of data without having to pay anything for bandwidth.

The Cringely 2010 (Not in Silicon Valley) Startup Tour

Posted in 2010 on February 8th, 2010 by Robert X. Cringely – 78 Comments

Small companies create jobs in America.

According to a recent study by the Ewing Marion Kauffman Foundation, companies less than five years old generated nearly two-thirds of the new jobs created in the U.S. in 2007. But what’s even more important is that without these startups more jobs would be lost than created, the U.S. economy would permanently shrink and America would eventually lose its superpower status, simple as that.

This is because big companies grow by increasing scale and productivity, which is to say by reducing the number of jobs per unit of sales, while startups grow by inventing cool stuff. See the difference?

The startups that most reliably become giant American corporations and creators of wealth are technology startups. Without startups to compete with or acquire, big technology companies would do almost nothing new. In the United States large companies depend on startups to explore new technologies and new markets. Startups play a particularly important role in growing jobs out of a recession. New companies produced all of the net new jobs in the U.S. from 2001-2007, and also from 1980-1983, the last big American downturn.

Why then, has U.S. economic policy been aimed almost entirely at saving large and dying industries (banks and car companies)? Because sometimes even Presidents don’t get it.

U.S. technology startups are born and die at astounding rates. Ninety-five percent of technology startups fail — ninety-five percent. With odds at 19-to-1 against success, why do entrepreneurs even bother to build these companies? Because the potential rewards are huge (Microsoft and Apple, Cisco and Intel were all startups, remember) and for real entrepreneurs there are some things even worse than failure, like boredom or being like everyone else.

American technology startups change the world all the time and are this country’s primary global advantage, though hardly anyone understands that. Encouraging technology startups is the key to keeping America competitive and prosperous, though hardly anyone does that. Technology startups succeed despite these adversities because Americans are full of ideas, startups are so darned fun to do, and they don’t have to cost that much, either — sometimes nothing at all.

Technology export sales drive the U.S. economy and technology startups drive U.S. industry, yet in this era of too-big-to-die companies hardly anyone knows about or understands this phenomenon. The experts are supposed to be the venture capitalists of Silicon Valley and Boston, but they don’t really know what they are doing. VC returns are way down for a variety of reasons mainly coming back to the same greed and stupidity we’ve been seeing at work in other financial markets.

Something needs to be done, then, to encourage America to restart itself, and I’m just the guy to try it.

Announcing the Cringely 2010 (Not in Silicon Valley) Startup Tour.

Starting next month I will be accepting from readers nominations for interesting startup companies in six general categories — biotech, energy, entertainment, information technology, materials, and transportation.  Over the course of about six weeks we will examine and discuss as a community these nominated companies of which I am hoping there will be hundreds, primarily not from Silicon Valley or any other tech hotbeds.  I’ll have some assistance in this process from the Kauffman Foundation.

Together we’ll whittle the number down to 24 then come June I will set off with my family in our RV to visit all 24.  We’ll camp in the parking lot or in the driveway of the CEO and spend a couple days at each startup, learning about the company, the people, their technology and their market.  I’ll take with me a small camera crew and we’ll produce what will begin with a summer of blogging and end with a 13-part TV reality series.

That’s my plan for restarting America and I hope you’ll be along for the ride.  Look for details soon, but no nominations yet, please.

Authentication is Secondary

Posted in 2010 on February 4th, 2010 by Robert X. Cringely – 43 Comments

As we’ve all read, Google recently experienced a massive attack on its network, probably from China, and has threatened to leave the Chinese market as a result. I’ve written about that aspect before (Google taking its ball and going home) but this column is about the attack itself and Google’s internal plans for how to deal with future such problems, because of course this will happen again. I’m frankly trying to understand what Google is up to in its response to the Chinese threat — a response that doesn’t make much sense to me given the details of the attack as published.

First reports of the attack blamed a security flaw in an attached PDF file. Later reports blamed a vulnerability in Microsoft’s Internet Explorer browser. Adobe denies the PDF vulnerability, though the company not long ago issued a security patch for that product. Microsoft confirmed the IE vulnerability. But what’s interesting to me is that I understand from inside Google that the company plans to respond to this Chinese threat by changing its log-in process for web apps to one using a secure secondary server. That’s great, but it wouldn’t have stopped the most recent attack.

Is there something here we aren’t being told?

The most popular secure secondary server access system is called SiteKey and is used by Bank of America and many other financial institutions. The way SiteKey works is you log on to your bank’s computer, for example, by first typing an account identifier, which causes one server to generate a picture and another server to generate a pass phrase. Together these don’t identify you to the bank but rather identify the bank to you. Trapped as it is in a hash table, nobody at the bank can even tell you what picture you chose, but you know it (the pass phrase too), so you can be pretty sure the server you are logging into is the one you want and not some phishing site. If the picture and phrase are satisfactory you can then type in your real password and you are there.

I’m told that Google will soon roll-out a similar system for Google Apps.

But I can’t see how using secure secondary authentication would have had any impact at all on the recent Chinese malware incident.

So I went to a friend who manages data security for a huge defense contractor and he agreed. “Authentication helps,” he said, “but that was the second part of the attack, the original piece was a carefully crafted PDF file that was executed by the user. No amount of authentication helps against an authorized user. Don’t get me wrong, I am a believer in strong X.509 based authentication, just it would not have helped against a malicious attachment.”

Adobe says it wasn’t a PDF problem at all. Yet my friend, who is privy to a flow of information the rest of us are not, says Adobe may be technically incorrect in this assertion.  I don’t know for sure, nor do I think it really matters in this case.

“The IE use was a secondary effect (to download the malware using an allowed program),” he explained. “I’m not sure what they are calling a vulnerability (it might be a feature). The initial vector was the PDF. Typically such an attack is limited in just how large a program can be in the initial attack (hidden inside the attachment).  It has to be just enough to pull the real root kit. Early ones used their own network app but most systems are now protected by personal firewalls that would disallow or alarm. Use of IE would probably avoid this (and explains why large corporations are going to gateway white lists). Bottom line: the attack requires an executable program to be running on the workstation. Once that is in place, anything can be done.”

The best defense against this sort of attack would have been two-fold. First, strip all e-mail attachments from messages and replace them with a URL. Send one copy of the attachment to a dedicated server that can be set to paranoid. Take as much time as needed to vet the attachment including emulation to see if it is malware or not. Once complete, the URL embedded with the forwarded e-mail becomes active and the attachment can be downloaded.
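The quarantine flow described above, sketched in Python as an added example (it is not code from Google, Postini or the original column). The `Quarantine` class, the `strip_attachments` function and the `quarantine.example.invalid` URL are hypothetical names, and the vetting itself is assumed to run elsewhere and report a verdict.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

QUARANTINE_URL = "https://quarantine.example.invalid/a/"  # assumed placeholder host

class Quarantine:
    """Holds stripped attachments until the vetting server reaches a verdict."""
    def __init__(self):
        self.items = {}  # sha256 hex digest -> {"data": bytes, "state": str}

    def hold(self, data):
        digest = hashlib.sha256(data).hexdigest()
        self.items.setdefault(digest, {"data": data, "state": "pending"})
        return digest

    def set_verdict(self, digest, clean):
        self.items[digest]["state"] = "released" if clean else "blocked"

    def fetch(self, digest):
        item = self.items.get(digest)
        # The link stays dead until vetting has finished with a clean verdict.
        return item["data"] if item and item["state"] == "released" else None

def strip_attachments(raw, quarantine):
    """Attachments go to quarantine, links go to the user (plain-text body only)."""
    msg = message_from_bytes(raw, policy=policy.default)
    held, notes = [], []
    for part in msg.iter_attachments():
        digest = quarantine.hold(part.get_payload(decode=True) or b"")
        held.append(digest)
        name = part.get_filename() or "unnamed"
        notes.append(f"[{name!r} held for scanning: {QUARANTINE_URL}{digest}]")
    body = msg.get_body(preferencelist=("plain",))
    out = EmailMessage()
    for header in ("From", "To", "Subject"):
        if msg[header]:
            out[header] = str(msg[header])
    out.set_content((body.get_content() if body else "") + "\n".join(notes) + "\n")
    return out, held

def sample_message():
    """Constructed sample: one text body plus one fake PDF attachment."""
    m = EmailMessage()
    m["From"], m["Subject"] = "alice@example.invalid", "Q4 report"
    m.set_content("See attached.")
    m.add_attachment(b"%PDF-1.4 constructed sample bytes",
                     maintype="application", subtype="pdf", filename="report.pdf")
    return m.as_bytes()
```

The recipient's copy carries no executable content at all; the only way to the original bytes is `fetch`, which returns nothing while the verdict is pending or blocked.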

Google owns Postini, which could implement just such a technique, so we should probably expect that they will do so, making Google apps more secure and therefore more attractive in the process.  In Google’s move to make itself ever more essential to the net they may well offer such a quarantine service as a standalone product, too.

The second part of this solution unfortunately died with Windows Vista — the hated User Access Control (UAC). Temporary privilege escalation with logging, which is what Vista’s UAC provided along with some user grief, is the way to go.

Remember that all the authentication in the world will not protect against a privileged user doing the wrong thing. It’s just that logging may help to determine what happened after the fact.

We have known for years how to fix this, but nobody cared.