Saturday, April 25, 2009

Bonus Security Credit for Google Chrome’s Strange Install

Last fall, many folks including myself commented about Google Chrome’s unusual install behavior. Our best guess at the time was that it represented an attempt to accelerate adoption, by allowing non-administrative users to install Chrome.

It also allowed lower-privileged domain users in corporate environments to install and use Chrome unless their IT specifically blocked it.

With this recent Chrome vulnerability and rapid patch cycle, though, I’ve come to see the install in a new light.

Firefox requires an admin to initialize an update. This can be done through programmatic remote admin or right on the console, but still requires intervention. IE can be updated via Windows auto-update, but if auto-update isn’t set to run or if a specific patch needs to be applied, it requires intervention. Chrome, on the other hand, will update itself on the fly for each user’s install (it does require a restart, but only of the Chrome app) unless the installer is cracked to remove the GoogleUpdater component.

Given the cost of having an out-of-date browser version versus the risk of having Chrome updated without admin knowledge … I have to say I like this approach.

Notebarn Update

Notebarn, my Windows Mobile / Exchange sync notes app, definitely looks like an archaeological relic these days. Dating from early ‘07, before the iPhone era, and being a simple text utility, it is almost comic how it doesn’t resemble modern mobile apps.

That said, I still use it, and it turns out a lot of other people have been using it too. So when a user helped me reproduce a tricky timing bug that could cause data loss under certain circumstances on app initialization, I hopped back into the old (and quite small) codebase to fix it.

There is a little more info on the notebarn project page. Or if you just want to install the app you can install it over-the-air from here. If you already have the app it will automatically install in-place over your existing version. And since the “notes” are actually stored in an Outlook/Exchange Task, the install won’t affect existing data.

A word about backups: notebarn doesn’t have its own data backup mechanism. There are two main approaches to backing up and recovering data if you should lose it for any reason (e.g. problem with notebarn, problem with ActiveSync, accidentally deleting a note you needed, etc.)

One is to lean on whatever backup solution protects all of your Outlook/Exchange data, since notebarn data is really Outlook data. If you can go back to a backup snapshot of this data, even temporarily, you can simply grab the notes data from there. If that’s not practical, you can either manually or via a script back up the “My Notes” item from Outlook tasks, into another place in Outlook, the filesystem, etc.

Monday, April 20, 2009

Google “Similar Images” Roadmap

Ok, it’s not their roadmap, it’s my roadmap.

I was psyched to see the Similar Images announcement today, but I was underwhelmed by the results. That’s ok, it’s helpful, it’s free, and here is the post where I explained how to build the rest of it.

Oracle and Sun: Cui Bono?

Well, here’s a hint: it’s not Oracle, “Sun,” Java, or MySQL in the long run.

I’m thinking the Ruby, Python, and PostgreSQL worlds just got a shot in the arm, as this is a minor calamity (at least) for Java, and a major one for MySQL. Ironic, since Java is maturing like a fine wine and recovering from early-decade blunders; MySQL was already in trouble thanks to Sun.

As for benefits, it’s also not Google, who relies heavily on Java but could eventually find itself in an adversarial relationship with Oracle as enterprise computing moves to the cloud. Google does have enough sheer wo/manpower to exploit the OSS licensing on Java to take it in its own direction if necessary … but is that really a desirable way to go? or one the investors can live with?

I don’t think Microsoft minds this one bit either … since there was nothing that Java, Oracle, and their communities (and users) couldn’t do before that they can now, while a number of scenarios (Java and open source databases/appservers in the enterprise) suddenly become just a bit murkier.

Wednesday, April 15, 2009

Atalasoft: Another Example of Gnarly DRM == Lost Sale

I’m working on a project that involves semi-automated document imaging. Scan, deskew, crop, re-arrange …

It’s on Windows, where every modern scanner hooks into both TWAIN and WIA out of the box, often without even needing a vendor driver, so I just needed a library/toolkit to do the lifting on the app logic side.

Enter Atalasoft DotImage imaging libraries. Does everything you need, works fairly well. Established presence in the market. We start heading in that direction. The Atalasoft bits we needed turn out to be pricey as components go, and we would need a runtime license as well as the development license – but this is a commercial project the success of which would not be diminished by the software costs. So we didn’t blink at the price.

We downloaded the dev SDK, implemented a few features … and we needed to show them to customers. In other cities on other machines. Well, the dev SDK is crippled and doesn’t allow that.

Atalasoft’s sales department generated a 30-day license for me, and sent me the instructions to install and deploy it. And … it half worked. Some machines could run the deployed app. Other machines, the app would crash when the relevant DLLs tried to load, despite deployment of the magic binaries, license files, and other DRM voodoo.

For a brief moment, I thought maybe my app is just broken … but, upon attaching a debugger, I saw that all of these crashes threw the same error. And, since it was .Net, the error was in plain English: Atalasoft’s licensing module was barfing and taking the whole app down.

At that point I could have spent more critical hours trying to navigate around these problems (I’m guessing their pre-sales tech support would have tried) … but … wouldn’t you know it, here is another company offering a similar library, much more agreeable terms, 30-day trial and a seemingly foolproof license key mechanism.

Download, type type build deploy. Success. Haven’t looked back.

Now it’s also convenient that this other product seems to work a little better, has more agreeable legal terms and costs less. But those were not dealbreaker criteria at this stage.

I would never have even gone down the list to this other vendor if Atalasoft’s DRM hadn’t broken my tight-deadline customer demos.

Tuesday, April 14, 2009

Facebook “Private” RSS Feeds Probably Don’t Leach Data…

Last year I experimented with private group microblogging systems via authenticated feeds. Didn’t go anywhere, because many of the biggest newsreaders don’t properly support authenticated feeds. And “obscure but public” feeds get indexed by aggregators like Bloglines, by design, making sensitive content much less obscure.

Enter feed access control, a several- (3-?) year-old RSS/ATOM extension that tells Bloglines, and anyone else who is listening, that this feed should be treated as private, even though it’s public.

Facebook’s feeds are intended to support this protocol:

[Image: fb]

Which seems reasonable enough.

There are a couple of issues though. First, this approach is based on a third-party’s positive action to prevent or “opt-out” of publishing and indexing, in a system that normally defaults to syndication, indexing, etc. So it’s easier for a glitch to expose data.

Second, the whole “fac” extension is a gentlemen’s agreement among parties that couldn’t even agree on making authenticated feeds work well. Perhaps they all make a best effort to isolate the marked content. But tomorrow, a startup with a rocking aggregator could simply ignore “fac” and expose all of the feeds it has.

In some sense, the same vulnerability exists with other systems – if you signed up with some random webmail provider, who’s to say they don’t expose your mail. But because RSS is public by nature, almost all feeds live utterly unprotected, and this extension is one vendor’s hack, it’s not quite the same.
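The opt-out behavior described above, from the aggregator's side, as an added example that is not part of the original post. The namespace URI, the `access:restriction` element and the rule that an item-level marker overrides the feed-level one are recalled from the Bloglines Feed Access Control spec and are assumptions here; the feed is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Namespace and element name as recalled from the Bloglines Feed Access
# Control spec; neither appears on this page, so treat both as assumptions.
FAC_NS = "http://www.bloglines.com/about/specs/fac-1.0"
RESTRICTION = "{%s}restriction" % FAC_NS
ATOM = "{http://www.w3.org/2005/Atom}"

CHANNEL_MARKER = '<access:restriction relationship="deny"/>'

# Constructed sample: a "private" feed that relies on the marker alone.
PRIVATE_FEED = """<rss version="2.0" xmlns:access="%s">
  <channel>
    <title>Friends' status updates (constructed sample)</title>
    %s
    <item><title>status one</title></item>
    <item>
      <title>status two</title>
      <access:restriction relationship="allow"/>
    </item>
  </channel>
</rss>""" % (FAC_NS, CHANNEL_MARKER)

# The same feed after a publisher-side glitch drops the channel marker.
GLITCHED_FEED = PRIVATE_FEED.replace(CHANNEL_MARKER, "")


def _relationship(elem):
    """Return 'allow', 'deny', or None if elem has no direct marker."""
    node = elem.find(RESTRICTION)
    if node is None:
        return None
    rel = (node.get("relationship") or "").strip().lower()
    # A marker that is present but malformed is treated as 'deny'.
    return rel if rel in ("allow", "deny") else "deny"


def indexable_titles(feed_xml, honor_fac=True):
    """Titles an aggregator would publish or index from this feed.

    xml.etree keeps the demo self-contained; an aggregator parsing
    untrusted feeds should use a hardened parser such as defusedxml.
    """
    root = ET.fromstring(feed_xml.strip())
    if root.tag == "rss":
        container, item_tag, title_tag = root.find("channel"), "item", "title"
    elif root.tag == ATOM + "feed":
        container, item_tag, title_tag = root, ATOM + "entry", ATOM + "title"
    else:
        raise ValueError("not an RSS 2.0 or Atom feed")
    if container is None:
        raise ValueError("RSS feed without a channel element")

    # No marker at all means "public": the protocol fails open.
    feed_rel = _relationship(container) or "allow"
    titles = []
    for item in container.findall(item_tag):
        # Assumption: an item-level marker overrides the feed-level one.
        rel = _relationship(item) or feed_rel
        if honor_fac and rel == "deny":
            continue
        titles.append(item.findtext(title_tag, default="").strip())
    return titles


if __name__ == "__main__":
    print("compliant reader, marked feed:  ", indexable_titles(PRIVATE_FEED))
    print("compliant reader, marker lost:  ", indexable_titles(GLITCHED_FEED))
    print("reader that ignores the marker: ",
          indexable_titles(PRIVATE_FEED, honor_fac=False))
```

The only thing separating the first result from the other two is one advisory element that the publisher must emit every time and every reader must choose to honor.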

All in all, probably not a big reason for concern. But when people tell me how private things can be on facebook (where you can sneeze and end up revealing your data because the IxD is tilted so heavily toward sharing everything) it always seems worth noting how your data (via your friends’ feed subscriptions) can slowly leach out into the open ocean of the indexed net.

Monday, April 13, 2009

Random Bit: Sysprep Re-Writes Boot.ini … Not Always Correctly

I discovered the hard way that Microsoft’s sysprep tool (for configuring machine images) re-writes (at least some of the time) the boot.ini file, the file which tells the Windows initial bootloader which OSes are installed on which devices and partitions.

The new boot.ini contains the same OSes as the old one, but it specifies a different default, and a zero timeout for the user to choose what to boot.

I can imagine some reasons why sysprep might want to do this, based on speculating how I might deploy enterprise images.

Only the thing is, if I were going to re-write boot.ini, I would at least check to see which OS was currently running and maybe make that the default. As it is, sysprep made a different OS the default – it picked the “first” OS in the device tree even though that is not the OS I was trying to sysprep. This behavior seems more like a bug than a feature.

In any case, if this happens to you, there was no long-term damage done -- you can just reconfigure the boot.ini file by hand and restart.
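A check for the rewrite described above, as an added example that is not part of the original post: it compares a saved copy of boot.ini with the post-sysprep file and flags a changed default, a default that is not the OS being prepared, and a zero timeout. Both boot.ini samples are constructed, and the ARC path of the running OS is assumed to be supplied by whoever runs the check.

```python
# Constructed sample: boot.ini saved before running sysprep.
BEFORE = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP (old install)" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP (image being prepared)" /fastdetect
"""

# Constructed sample: the same file after sysprep rewrote it.
AFTER = r"""[boot loader]
timeout=0
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP (old install)" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP (image being prepared)" /fastdetect
"""

# Assumption: the operator knows the ARC path of the OS being sysprepped.
RUNNING_OS = r"multi(0)disk(0)rdisk(0)partition(2)\WINDOWS"


def parse_boot_ini(text):
    """Parse boot.ini into its timeout, default and OS entries."""
    parsed = {"timeout": None, "default": None, "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            if key.lower() == "timeout":
                parsed["timeout"] = int(value)
            elif key.lower() == "default":
                parsed["default"] = value
        elif section == "operating systems":
            # key is the ARC path, value is the description plus switches
            parsed["entries"].append((key, value))
    return parsed


def audit_rewrite(before, after, running_os):
    """Return (code, detail) findings for a rewritten boot.ini."""
    old, new = parse_boot_ini(before), parse_boot_ini(after)
    old_paths = {path.lower() for path, _ in old["entries"]}
    new_paths = {path.lower() for path, _ in new["entries"]}
    old_default = (old["default"] or "").lower()
    new_default = (new["default"] or "").lower()

    findings = []
    if old_paths != new_paths:
        findings.append(("entries-changed", "the set of OS entries differs"))
    if new_default != old_default:
        findings.append(("default-changed",
                         f"{old['default']} -> {new['default']}"))
    if new_default != running_os.lower():
        findings.append(("default-not-running-os",
                         f"default is {new['default']}, expected {running_os}"))
    if new_default not in new_paths:
        findings.append(("default-missing-entry",
                         "default does not match any listed OS"))
    if new["timeout"] == 0:
        findings.append(("zero-timeout", "boot menu will not be shown"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_rewrite(BEFORE, AFTER, RUNNING_OS):
        print(f"{code}: {detail}")
```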

Monday, April 06, 2009

Enable “Modern” (Themed) Common Controls in Hybrid WPF/WinForms Apps

Here is a quick hint to save someone from a bunch of Googling:

If you are building a WPF app, you may find that you need or want to also use some Windows Forms windows. In my case, I was adding a form just to host a WinForms control, so there was no point in creating a WPF form just to host the WinForms Host container in order to add the control. A more common scenario is you want to invoke a built-in Windows dialog box, which is not natively a WPF object.

If you do this, it will work, but you will notice that some controls are rendering their old-fashioned look and behavior – you’ll be zapped back to the era of Win 2000 or the earliest .Net apps that lacked the benefit of comctl32.dll version 6. Square edges, no mouse-hover behaviors, etc.

The short answer for how to fix this is that you need to add a call to System.Windows.Forms.Application.EnableVisualStyles().

Add it once, somewhere early on. It’s ideal (though not always necessary) to do this before you start instantiating the WinForms objects.

Apparently the template code for WinForms projects contains this line, and depending on your POV, that’s either “low level boilerplate that an app developer shouldn’t have to care about” or “the kind of thing that kids nowadays just take fer granted with their magical IDEs and WYSI-whatnot, virtual memory and lazy programming habits.”

I was also particularly motivated to write this post because the most accurate (and earliest) Google hit I found on this topic was to one of those scam programmer support boards, where they wanted me to sign up for a trial with a credit card just to see the discussion thread on this issue.

Which is half insane if they could persuade me that they had the right answer inside, but 100% insane since there was no way for me to know that their “answers” weren’t way off topic from a clueless n00b who thinks a HWND is what you pull to keep the rain out of your office.

Friday, April 03, 2009

Visual and Context-Cued Semiotic Search Opportunity

Want a hardcore problem to work on? to fund? to stay-up-nights-only-to-see-Google-do-it? or maybe get-bought-by-Google?

We need a search engine that searches based on visual and contextual clues about the appearance of objects -- especially of signs and symbols -- rather than just based on words that (perhaps) describe them.

For example, if I see a bumper sticker around town, with a green star on a blue field, I might want to see if this represents some well known organization or cause. I could search for “green star” and “bumper sticker” or something similar. But I probably won’t find anything.

Moreover, when the elements of the design don’t have names (“star”, “stripe,” “field”), properly describing a complex design in a single search gets difficult. Imagine you saw the new Pepsi logo:

 

You don’t know what it is; for the sake of the argument, imagine you don’t have any cultural Pepsi associations to work from either. What do you type in to the search box? Circle? red? stripe?

Good luck.

How do we solve this problem?

I envision a search that consists of several stages. At the first stage, you can add descriptive words, or you can import a similar image, or even draw/sketch some cues right on the page. That may sound unlikely for less design-oriented folks, but many unknown visual designs consist of largely straight lines, simple geometry, etc. So it’s not unreasonable that I could sketch in a simple design, or even take a swing at the Pepsi logo above, with just a circle and 3 straight lines using an AJAX or Flash inline drawing tool.

From these inputs, the search engine draws a set of possible results – but it also generates a set of context-narrowing options that I can use.

It presents options to choose where I saw this design: web, billboard, tv, clothing, museum, public building (e.g., a capitol or courthouse), manhole cover, etc.

Perhaps knowing material is useful: was this printed? embroidered? leather? denim? engraved metal?

This is a challenging but eminently creatable piece of software.

I’ve actually had a lot of instances where I would have liked to use something like this – but, if it’s never happened to you, consider: when computer vision progresses beyond working with the local environment, objects and known patterns (people), the machine will need to take the next step. It will want to dereference symbols to find data and meanings in order to solve problems. And, in order to do this, it will need to benefit from this kind of visual-semiotic search heuristic, which starts with a visual-context search like the one we are discussing.

Tuesday, March 31, 2009

Good Results So Far For Google RAM

A week ago I had 4GB of RAM die (well, part of a matched pair anyway) in my main desktop PC.

I’m currently awaiting replacement under warranty from Corsair, but meantime it’s hard to run dev tools and big virtual machines with the measly amount of memory I have left. So I thought it was time to give the new Google network-attached RAM a try.

I had to flash the motherboard BIOS of course and upgrade the chipset driver and the on-board network controller firmware. Google RAM, just like wake-on-LAN, has to interact with the network card at a hardware/BIOS level. In this case, the purpose is to ensure that any OS I boot sees the new space just like local memory.

Then I rebooted and … nothing.

Where is my free 4GB of storage?

Then I remembered that Google’s revenue model for this product requires you to run a Windows service that in turn interacts with a Google-provided kernel patch for PAE.

In addition to providing checks in real time – as my machine accesses RAM – for any security threats, this service displays Google ads as 5 new icons on my desktop.

Apparently they are context-based, and determined by Google’s analysis of what I have in RAM at the time.

And they are surprisingly accurate. I had a picture of a Corvette open in Photoshop, and the G-RAM icons turned into links to car dealerships, new-car financing, and a discount oil change.

Google’s FAQ insists that it does not look at my clicks or the image file metadata – instead, its server analyzed the image in real time (since the network RAM is in their datacenter) and determined I was looking at a new Corvette.

The only downside was that my cable modem signal dropped out for a couple of minutes, and the local service warned me not to touch any processes using G-RAM until it could sync back up, or those apps would immediately crash.

No matter, overall it’s great technology, and I think my RAM replacement will arrive from Corsair tomorrow.

Sunday, March 29, 2009

Quick Hit and a Deep Hit on Social Nets and Identity

This article from the WSJ is neither deep nor particularly novel, but I like it because it focuses a laser on propagation of identities and the history of identities in popular social networks. This is the most important metatopic for social networks.

If you have a few more minutes, this article by MIT Media Lab prof Judith Donath gets a lot clearer on the signals that make up identities online, and how the mechanics of those signals can function.

Friday, March 27, 2009

Harm Reduction in Windows 7

Guest mode … kid mode … whatever you want to call it, is brilliant.

But more than that, it’s an interesting admission that (1) you can’t fight the power of the darknet and (2) you might as well empower people to behave in a way that minimizes the damage, whether or not you approve of what they’re doing.

If I had a dollar for every individual who ever swore they never go near warez or pr0n or questionable media downloads, and ended up with a mucked up machine … or worse, a machine that transmits their passwords and SSN to a bad guy …

Even with an older OS, like XP, one can achieve a fair degree of isolation and protection by using a patched up Firefox or Chrome on top of a plain user (not admin) account. There are still holes by design; e.g., a user could fill up the hard drive or install software that persists in certain places. And I’m sure there are serious security flaws that allow code downloaded as user to escalate itself to admin … perhaps even coming from a “drive-by” Javascript source via Firefox/Chrome … but such threats seem to be pretty darned rare if everything is patched up and prophylactic protections are applied (e.g. Spyware S&D’s “immunization”).

Guest mode (and IE 8 “In Private” browsing) appears to close many of the remaining holes.

What we need now is an education campaign to convince people to segregate their online activities. But besides not knowing how to create these low-privilege accounts, a lot of people I know refuse to admit they ever visit the darknet. Or the visits are rare and they “hope for the best.”

Let’s pre-configure – by default -- a second account for every power user (or admin) on a machine. At login time, offer the guest (more protected) account along with some description of when it might be a good idea to use it.

I’m not sure the best way to label the buttons, because it’s a bit hard to explain how the more secure, more protected mode is paradoxically for the more anonymous, more dangerous behavior; while the “less protected” mode is for normal operation which might involve vital personal data. I’ll let the UX wizards sort this part out.

Monday, March 23, 2009

(Semi) Portable Comet Framework

I meant to reblog this at the time of the announcement: Sun has released a first alpha of their atmosphere project. The project was about extracting useful comet-y bits from Grizzly and making a standalone pluggable kit for comet.

It is its own small framework, and autodetects where you drop it.

Here’s a nice article. It looks to be Jean-Francois Arcand’s project – follow his blog and the project’s twitter.

How Much Would You Pay to “Learn to Pitch Big [Failing] Newspapers”

If you’re in SF next week, and you don’t mind paying $15-20 for the privilege, you can come hear some people from the SF Chronicle and NY Times talk about how to pitch your (probably tech) company to them.

So they’ll write a glowing and informed article about you.

Wait, wait, wait … this is all wrong.

First, these are “reputable” newspapers, meaning they won’t necessarily write anything good about you. At most, they’ll theoretically assemble a balanced story, interviewing your competitors, talking to customers, maybe even your employees … or ex-employees.

Oh, wait, I’ve got this wrong again.

They aren’t going to do anything like that … unless, maybe, you were already a big news-section story. Else they will write something that’s like a watered-down blog post, without any specific expertise or authority, but with a couple of quotes. Newspapers like to quote because they can’t link. They’ll also mention twitter in the story, they can’t help themselves.

These papers do have a big circulation though, maybe that’s the appeal.

But it’s hard to tell their attention reach, or the “effective circulation” of your story buried in the tech or lifestyle section. How many people really read that? Are they influencers? Customers? Relevant at all to you?

It’s hard to tell. I can tell you that the people who are really interested might find the story … when it comes to them through the backdoor via some RSS feed or Google alert. But if they care enough to do the RSS thing and find you, then they’ll also have all the other, better, material about you that comes from all of the experts in your field who blog about you and also turn up in RSS and Google alerts. Ironic.

Next, these two newspapers are in dire financial straits. At this point, $20 probably keeps the Chron publishing for another couple of days. And why are they in trouble? Not just because people can read their content online for free – rather, it’s because in most areas of reporting, the big organs have no specific interest, capability, or credibility, and so no one cares what they write. The one thing they can do is send a foreign correspondent to Iraq or the White House, and maybe the correspondent has some credibility…

Wait, there I go again, the Times sold out on Iraq years ago, by their own admission, and so did most of the rest of the traditional press.

Ok, I give up.

I’m going to sponsor a meetup where newspapers can send people, who will each pay me $15-20, buying my attention long enough to tell me why I should care.

Friday, March 20, 2009

Silverlight Sound And Fury (You Know the Rest)

So as not to bore regular readers, I’ll skip the jeremiad.

Bottom line: despite the hoopla at MIX over Silverlight 3 – which is an incredible platform – there were still no meaningful penetration numbers presented.

And while it’s great to see the platform revving and maturing, the various versions make a development decision that much harder. If you have a new idea for a Silverlight app, and you imagine your target audience will have the plugin or is able to install it, do you aim for v3? v2? v1?

I also haven’t heard a word about any explicit program to drive Silverlight client installs.

According to RIAStats.com – perhaps not the best source of detected install info, but … wait, I guess if it’s the only source of information, that automatically makes it the best – Silverlight is on 22.3% of their observed clients.

Monday, March 16, 2009

Microsoft SDS Change Eerily Reminiscent of WinFS Fate

Last week Microsoft announced that they would be abandoning the ACE and dynamic entity (“property bag”) model for the SQL Server Data Services cloud data storage system. They would also switch from their REST data API (used in ADO.Net Data Services) to the old-school “Tabular Data Stream” wire protocol.

While Microsoft’s promise of more relational support was always a distinguishing feature of their cloud DB service, and while they tried to spin the news in that direction, it feels a lot more like when they abandoned WinFS and announced that, really, everything you could do with WinFS would work fine using NTFS and a whole heck of a lot of indexing. Maybe sorta true … but feels like a big step back.

Of course, big customers – large enterprises with SQL Server databases and lots of SQL code – would not want to see a change in their data layer and would prefer this move. But accommodating them is assuming that they are ready to become first-version customers of the data cloud at all. And I doubt this for two reasons.

First, any move to the cloud involves a trade-off of control which some companies are loath to make even if they are confident the system will work. Which is problematic because:

Second, anyone who has dealt with big databases knows that there is no magic. Despite the quest for automagic autoscaling self-tuning databases, no one, so far as I know, has made one that does all of this for really large enterprise applications. There are just too many application specific variables, not to mention poorly written app code that can cause trouble in proportion to the amount of resources you give it access to.

I do believe Microsoft has the engineering brainpower to try the problem, and is as likely as anyone to succeed. It’s just that I haven’t seen any evidence of a specific strategy or technology. Maybe if I were a bigger customer … but seriously, if Redmond had this problem solved (and it’s one of the biggest out there), they would either patent it or publish lots of white papers. Either way, it would be publicized and reviewed. A trade secret? maybe, but which Fortune 500 CIO is going to jump on that bandwagon and the cloud and the outsourced data stuff all at the same time?

To the extent that these large database apps could be made to behave without human intervention, there is likely to be a tradeoff in resources, and when you’re paying per GB or per compute-cycle, that equals a side order of more cost to go along with the entree of new greater risk.

The point is that the ACE/dynamic entity/REST model is well understood, performs, utilizes resources in a known manner. Not appropriate for every app. Not relational in the formal sense if at all. Not easy to migrate to. But it goes like the devil. So you’re getting something concrete in exchange for your risk and your dollars. Unlike a magical SQL Server instance in the sky.

Maybe there is magic in there, and I’ll be proven wrong. Or maybe 99% of the customers’ database needs are so small that it’s a non-issue, and Microsoft is really just competing with the thousands of hosting providers that will host actual individual SQL Server instances for you on a large server. But this change still seems to raise more questions than it answers.

Thursday, March 12, 2009

Way to Compete, Guys…

Microsoft’s app store … sure, why not? But that’s not the bit they need to take on Apple.

Microsoft and the smartphone is really a funny/ironic/sad story depending on who you are.

They had a true next-generation mobile OS starting back in ‘01 … It was really easy to code for – like GUI-builder, point-and-click web services, run-your-regular-.Net-code easy. And they were outselling pretty much everyone in total device count a couple of years later. By ‘06 they even had consumer friendly devices, in the Moto Q series and then the Samsung Blackjack. They were poised to challenge RIM for the big shiny belt.

And then Apple came along and wiped the smirk off everyone’s faces. What’s surprising is that no ‘softie seems to have circulated an “Internet Tidal Wave” memo about mobile. Or, if they did, no one paid any attention.

In the last two years, we’ve seen a continuing proliferation of Windows Mobile devices, but no fundamental change – or even speed-up – on platform evolution. If anything, we’ve seen a slowdown, as Mobile 7 devices seem to be at least a year away, and the “app store” is going to launch on Mobile 6.5.

In case anyone didn’t already notice, v 6.5 is a great OS if it’s 2005, but a non-entity in the iPhone era. An app store? well, maybe … but a store by itself has never been the magic sauce in mobile (remember Verizon’s “vending machine”).

And with a “logo validation” scheme for each app? Developers violating the logo cert guidelines is not the problem. The problem is that there are too many different form factors for Win Mo devices. Used to be, practically anything could run the OS. Around the 5.0 era, they reduced the number of supported screen configurations, and a few other things.

But there appears to be little escape from the compromise Microsoft made to be successful on the enterprise side: it’s really easy to code a simple utility/productivity/line-of-business app that will run great on almost any Windows Mobile device. And it’s equally hard to write anything really cutting edge, because there is simply too much variation in device capability and performance, and that genie's not going back in the bottle.

Perhaps Microsoft’s best chance lies in forking a “consumer” mobile OS, with stricter controls over the handsets. On the other hand, Apple is clawing into the enterprise, so an artificial separation of consumer vs. enterprise offerings may be hopeless at this point.

Friday, February 27, 2009

Adobe Time-Warps Half a Decade Back, Will Still Probably Defeat MSFT

Earlier this week, I went to see a couple of folks from Adobe present their latest progress on Flash Catalyst, Flex "Gumbo," and the "Spark" UI component framework.

As someone who does a bunch of Flex work, I liked everything I saw.

Especially since it was the second time around.

No, I didn't see this stuff at MAX, I saw it at Microsoft PDC in 2003 and 2005.

It was shocking how pleased Adobe seems with itself now that it's almost ready to release a design tool that generates XML and RIA code... since everything they showed -- and more -- was part of the earliest Microsoft Expression Blend alphas that I saw years ago.

The Microsoft product was code-named "Sparkle." But we won't get this confused with Adobe's "Spark" because (1) "Spark" refers to a different bit, Adobe's re-invention of lookless, templated controls, which Microsoft implemented in WPF and shared with the world at the time (around '04 or '05), and (2) because Expression Blend is already out in a 2.0 version, so unlike the Adobe products, it doesn't need a codename anymore.

Adobe even has yet another XML dialect to facilitate moving design assets through the workflow -- it's called "FXG." And it appears to supplement MXML quite well in specific areas, so that if you take MXML and add FXG, you get XAML. Not that XAML was de novo or anything -- the XUL and Java folks (desperate to stop writing Swing code) had been creating similar XML formats for a while. The Java community was especially fond of XML with tons of imperative programming constructs mixed in alongside data objects and calling it "simple and declarative." What XAML did was provide all the necessary power, while keeping it declarative.

Anyway ... Adobe should get credit for recognizing the right way to do this when they saw it. Namely, they realized which workflow tools were needed, embraced the idea of export from Photoshop and Illustrator to a vector markup with a visual editor with timelines, and thence to an RIA build tool with a code-oriented IDE.

Now that they're finally getting this on track, Adobe is even more likely to trounce Microsoft in the RIA world. They have penetration numbers that MSFT can only dream of, and for a company that doesn't build real developer tools they're giving it the college try.

Which is kind of sad, since I believe Silverlight is a better technology with better language and tool support ... and not any less, rather more, open than Flash.

Tuesday, February 17, 2009

Want Help With Your Startup? Let It All Hang Out on Craigslist

It's awfully easy to go looking for folks doing stuff the wrong way ... and to find it. So it's nice to be surprised by someone doing something amazingly, shockingly, frighteningly ... right!

I was greeted by a craigslist ad in my RSS reader today, one of many startups looking for folks to, essentially, work for free. I've written about why this is a bad idea before, and it's still a bad idea.

But there's a little more to this ... the poster (the company's founder presumably) posts a link to a wiki. Maybe it's genius, maybe a trainwreck -- either way I had to look.

On the other side of this link is a company wiki. An explanation of what the company is building; where they are in the process; their calendar; UI mockups with notes and the comment stream by the creators; and other items.

This is absolute genius, and it's so rare. Plus it shows the guts that most entrepreneurs fancy themselves to have, but lack when tested. I'm not commenting on their specific business/tech idea, I haven't thought much about that to be honest.

But it is so refreshing to see someone out there on the beach letting it all hang out as it were.

I work with a lot of entrepreneurs and most of them think that they're the first ones to think up some genius idea, and the best way to be successful is to either keep it stealthy and secret, or to sign reams of NDAs and non-competes with you before disclosing (cue music) their subtle and delicate brilliance.

Just writing that last paragraph, it's a struggle to keep a professional tone. These folks are usually (97%, there are a couple of specific exceptions) complete fools. And truly, they are fooling themselves, unconsciously trying to avoid exposing their idea to someone who might not think it's so good, or who might point them to the dozen other people doing the same thing. Generally speaking, the secrecy ends up being a contributing factor to their failure. Which, since startups are highly failure-prone anyway, they will deny.

That's why I was so thrilled to see this post. The founder is saying, "If you want to try and 'steal' my idea, you go ahead. But if you really believe there's a bunch of money in it, wouldn't you want to work with other people who believe the same thing and who have the will to execute? And if you go off with it and succeed anyway ... you're still helping me because you're establishing the category, while I plan to work nights and sweat blood to execute better and faster than you."

The ad is reproduced below. I was going to link it, but interestingly it has been 'flagged' for removal from craigslist. It's hard to imagine why -- the whole scenario seems rather more legitimate than the typical ad in the category. Perhaps the allusion to potential full-time work disqualifies it from the free "gig" listing ... but I think a startup seeking essentially non-paid volunteers in whatever capacity they can afford qualifies as a part-time or temporary arrangement.

Technical Wizard / Web Developer Wanted | Internet Startup (sunnyvale)

An internet startup is seeking a highly talented web developer

If you have experience with either: PHP/MySQL, Python, or Ruby, we would love to talk with you. This is a very exciting startup opportunity with massive potential. At this stage, we are looking to bring aboard those who are seeking equity share in the company. We simply do not have the capital to fund salaries.

For more information, please have a look at: http://wiki.kunsoom.com

All of the pertinent information will be included in the wiki page. Thanks for your interest in the project! We look forward to hearing from you.

Monday, February 16, 2009

Adobe and Microsoft Get Into It Like Children on the Playground

A week or so back, Adobe exec Mark Garrett got a bunch of attention for insisting that Microsoft's Silverlight effort has "fizzled."

Microsoft promptly screamed back that it wasn't so, pointing to the inauguration video stream, and a few other factoids.

What makes this truly schoolyard funny though is what happened today when Adobe "announced" it was bringing Flash 10 to phones. This seems just as dubious as Microsoft's oft-repeated plan (since as far back as '05, when it was WPF/e) to get Silverlight onto mobile phones ... by last year ... which obviously didn't happen.

Meanwhile, for years, Adobe has been pushing a weak technology called FlashLite for mobile ... and for a variety of reasons it has never been a usable option for content providers to deploy Flash content or apps.

For both Microsoft and Adobe, for both PC and phone applications, the critical metric is current "content-ready" penetration: how many devices are ready to run new Flash/Silverlight content off of the web today?

In this 2x2, the only square that's solidly covered is Adobe's Flash on the PC. "Ready" penetration of Flash 9+ is near 100%.

On PCs, existing install base is critical because of locked-down corporate networks that won't allow end-user installs. Microsoft needs to stop talking about download numbers, or numbers of people who "can access a PC with Silverlight," and start doing anything it can to get these ready penetration numbers up.

On mobile, the barrier is user confusion over configuration. Vendors could push the updates to phones, but in nearly 10 years of smartphones, only Apple has done much of this. Windows Mobile 6 has an updater ... and in over a year I don't recall it ever updating a darned thing.

Flash Lite trumpets a large "installed base," but these are strange installs, where the runtime (but not browser integration) is baked into the phone, and there's no reasonable way to get new Flash content onto the phone, either via web pages or download.

Both of these players are big on bluster and have been for a long time. Meanwhile, developers are left with few options for all of the smartphones in the world that don't have an apple on the back.