News Blog

June 10, 2008 4:51 PM PDT

Google Gears now supports Firefox 3

by Stephen Shankland

Gears, Google's project to make Web browsers a better foundation for elaborate online applications, now supports Firefox 3, the company plans to announce soon.

"Gears for Firefox 3, as of today, is available for all users," said Aaron Boodman, a Google programmer working on the Gears project, in an interview Tuesday. "We hope to announce it either today or tomorrow."

Indeed, the Google Gears code site lists Firefox 3 support in its version 0.3 description. Firefox 3 itself is due this month; the open-source browser currently is in its second release candidate.

Google is working on Gears--formerly called Google Gears--as a way to advance Web programming. It's a key enabler to the cloud computing model exemplified with Web applications such as Google Docs and Gmail.

The company hopes features developed for Gears will eventually settle into HTML, the standard used to describe Web pages. There has been some success: the offline page access and internal database technology released in the first Gears incarnation has made its way to the HTML 5 specification under development.

At the Google I/O conference in May, the company described several Gears features under development, though not promised. The Gears history page is more specific about two of those features, listing the "blob" module and the geolocation module as "in the oven" for Gears 0.4.

The blob module lets a Web browser handle a large chunk of data in pieces, for example, uploading a large video bit by bit to better protect against unreliable network connections. The geolocation module gives browsers abilities to use data about where exactly a person using the Web is located, but Google hasn't worked out exactly how to handle the privacy implications of that work.

Also demonstrated in version 3 is the ability to make a Web site into a shortcut users can drop onto their computer desktops. That feature is built into Gears 0.3.

The primary initial feature of Gears was offline access to Web applications, which has obvious utility for somebody editing a spreadsheet on an airplane. Future Gears features, such as the geolocation technology, likely will have broader adoption on Web applications, Boodman predicted.

"We started with offline, a very hard feature because it involves synchronizing data with multiple computers," Boodman said. "I don't think every Web app needs offline. But as we add additional capabilities beyond just offline, it will be appealing to more Web sites."

Gears, an open-source project, already supports Firefox 2 and Internet Explorer. Google is working hard on a version for Apple's Safari browser, and Opera is extending support to its own desktop and mobile browsers.

"We do plan to make it work across all major browsers across all major platforms," said Sundar Pichai, the Google vice president in charge of Gears, iGoogle, Google Desktop, Gadgets, and various other products.

Gears has been downloaded hundreds of thousands of times, Google said, and the company expects it to spread. Also at Google I/O, MySpace announced it's using Gears to augment its online inbox.

Google isn't alone in the area: Yahoo is working on a conceptually similar project called BrowserPlus to improve Web browsers.

May 27, 2008 8:30 AM PDT

Google to update Web toolkit?

by Stephen Shankland

Google is expected to update its Google Web Toolkit (GWT) this week at its new developer conference, according to eWeek.

GWT is designed to help programmers write richer Internet applications using a beefed-up JavaScript programming technique called Ajax; the project was released as open-source software in 2006 with version 1.3, and the current version is 1.4. There are several GWT talks at the Google I/O conference.

Google has been working on improving GWT's performance, Java compatibility, and developer tools, eWeek said.

April 23, 2008 5:41 PM PDT

Web 2.0, meet Internet attack 2.0

by Stephen Shankland

SAN FRANCISCO--The glitzy, interactive abilities of Web 2.0 have led to a profusion of new applications, but the technology also is bringing a new era of security vulnerabilities, a security researcher warned Wednesday.

"Security was a challenge to begin with, but if anything it's getting harder in the Web 2.0 world," said Jacob West, manager of the security research group at Fortify, a company that helps companies make sure their software is secure. He made his comments during a talk at the Web 2.0 Expo here.

Jacob West, manager of the security research group at Fortify, says Ajax technology means more vulnerabilities.

(Credit: Stephen Shankland/CNET Networks)

A big culprit is JavaScript, a language that's widely used to control Web browsers and enable more sophisticated operations. JavaScript has been around for more than a decade, but new risks are emerging since it's a major component of Ajax, a Web 2.0 technology used to build richly interactive sites.

"The number of unique problems from Ajax will remain pretty small," West said in an interview after his speech. But Ajax means that JavaScript is being used much more widely and in much more complicated ways, so existing vulnerabilities are more widespread, and "attack techniques are improving quickly."

He did describe one particular Ajax-specific problem called JavaScript hijacking. With it, a Web browser that picks up malicious JavaScript code from a Web site can be instructed, in effect, to send confidential information to an attacker.

"JavaScript hijacking is Ajax-specific," West said. It relies on the transmission of personal information packaged as JavaScript code, and "transmitting information with JavaScript is unique to Ajax code."

Another problem triggered by Ajax is that JavaScript is more complex and therefore harder to test. And more sophistication brings more opportunities for problems with "input validation"--making sure that text typed into forms, for example, isn't actually naughty code that could sidestep ordinary scrutiny and run on somebody's computer.

West was pessimistic that fundamental progress would help reduce vulnerabilities. Companies with browsers and Web sites are reluctant to embrace change that would break compatibility with older technology, for example.

"We're talking about fixes that are going to come in the 10-year time frame," he said.

But some are working to at least close up the holes. For example, programmers working on Direct Web Remoting (DWR) and the Google Web Toolkit (GWT) updated their Ajax programming toolkits to head JavaScript hijacking attacks off at the pass.

Other toolkit makers were not so responsive, though, he said: "Microsoft and Yahoo wrote back and said, 'Nope, we're not going to fix that.'"


March 3, 2008 10:17 AM PST

Sun hires Python pros in dynamic languages push

by Martin LaMonica

Correction 10:45 a.m. PST: This blog initially misspelled the name of one of the Python programmers hired by Sun. His name is Frank Wierzbicki.

Sun Microsystems has hired high-profile Python programmers Ted Leung and Frank Wierzbicki, stepping up its bet on open source and scripting languages.

Sun has already hired other open-source luminaries such as Debian Linux founder Ian Murdock, in an effort to capitalize on open source and diversify beyond its roots in Java and Solaris.

Python is one of several dynamic, or scripting, languages that have grown in popularity over the past several years. Developers are using scripting languages, such as PHP or Python, in some cases over Java, which is considered more complicated and harder to learn.

Leung, well known for his work with XML and Python, will join Sun as "principal engineer, dynamic languages and tools," he said in his blog Monday, which means that he'll be working with other dynamic languages.

"Sun is (finally?) very serious about this. As part of Sun's new direction, Sun wants to give developers the ability to use whatever tool sets they want. Ruby, Python, PHP, Java. On or off OpenSolaris. On or off the JVM (Java virtual machine)," he wrote.

Wierzbicki is the lead implementer on the Jython project for making Python run on the Java virtual machine.

"Jython is going to remain completely open source....This move by Sun means that Jython is going to get some of the attention that it needs to move forward," he wrote in his blog.

January 9, 2008 1:02 PM PST

Remote printer spam made easy

by Robert Vamosi

Security researcher Aaron Weaver claims visiting a random Web site could send unwanted print requests to your nearest office printer.

In a paper published in November (PDF), and cited on Wednesday in a blog by Jeremiah Grossman of White Hat Security, Weaver demonstrates the code necessary for sending a formatted page to a remote network printer, and, in another example, to an intranet-addressable fax machine. Since most network printers are behind the corporate firewall and therefore don't have security enabled, Weaver says that a simple iframe added to an Internet Web site could cause an internal network printer to start printing remotely.

The attack is derived from techniques employed within a project called Hacking Network Printers by Adrian "Irongeek" Crenshaw. Weaver notes that most network printers listen on port 9100 and that you can telnet to port 9100, type text, and, once you disconnect, the text will print remotely. That's fine, but he ventures further that network printers also accept PostScript and Printer Control Language (PCL) code, which creates more interesting printouts.

Weaver writes "within the last year there have been new discoveries on attacking the intranet from the Internet. This involves setting an image tag or script tag to an internally addressable IP address and then the browser will request the 'image' resource. Several attacks can be accomplished; port scanning, fingerprinting devices, and changing internal router settings."

Add to that list, printer spam. "The attack could be initiated by creating a hidden iframe, and then creating a form and submitting the contents to the printer. Since the connection will not close, a setTimeout could be used to cancel the request so that the printer would print the request."

As a demonstration, Weaver shows how to send an ASCII-drawn advertisement for frogs, and later, using PCL, a message in 20-point Courier: "Your printer is mine!"

One positive use for this would be for the IT or HR department to send a persistent banner reminding employees about the company's printer use policies. A negative use would be to remotely spam all the printers on the local intranet.

At the end of the short paper, Weaver offers some remediation. "First always have an administrator password set on your printer. Secondly look at restricting access to the printer so that it only accepts print jobs from a centralized print server."

Originally posted at Defense in Depth

November 2, 2007 5:26 AM PDT

Microsoft may self-proclaim IE a 'standard'

by Matt Asay

"No man is an island, entire of itself," wrote poet John Donne. But Microsoft apparently doesn't like poetry.

The company is currently mulling over whether to get in line with JavaScript standards for Internet Explorer, or whether to go it alone and crown itself a standard.

This is particularly tricky since every browser implements the JavaScript standard in different ways. So, the problem isn't exclusive to Microsoft.

It's more nettlesome with Microsoft, however, given its dominant browser market share. In some ways, it already is a standard unto itself. But I'm not sure the industry is ready for Microsoft to veer from the quasi-beaten path. According to an article posted Thursday on The Register:

Microsoft's browser is renowned as being a basket case on standards compliance, being less compliant than other leading standards in recent years according to the group monitoring this issue--The Web Standards Project (WASP).

Originally posted at The Open Road

Matt Asay brings a decade of in-the-trenches open-source business and legal experience to The Open Road, with an emphasis on emerging open-source business strategies and opportunities. Matt is vice president of business development at Alfresco, a company that develops open-source software for content management. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure.

September 18, 2007 12:12 PM PDT

Eclipse opens doors to PHP crowd

by Martin LaMonica

The Eclipse Foundation on Tuesday released Eclipse PHP Development Tools 1.0, software that it hopes will open Eclipse up to the millions of PHP Web developers.

Eclipse has become a widely used integrated development environment for Java programmers. But scripting, or dynamic, languages like PHP have become increasingly popular, particularly for the front-end development. Now people trained in Eclipse can write PHP applications and get access to about 1,400 plug-ins.

The move is significant for Zend Technologies, a company that sells development tools for PHP. Much like Eclipse commoditized Borland's Java tools business, the Eclipse PHP Development Tools product could potentially threaten Zend's tools business, Mark de Visser, Zend's chief marketing officer, said in an interview last week.

But Zend has chosen to participate in the project and will build commercial tools on top of the Eclipse PHP Development Tools software. It plans to introduce the commercial tools in the first quarter of next year.

Why? It's better to disrupt your own business than have someone else do it, he says. The tools project also makes PHP--already used by 4.5 million people--potentially more appealing to programmers looking for a better tool or already familiar with Eclipse. About 50 percent of PHP developers already use Java, he said.

With the Eclipse tools, combined with the Zend Platform, which acts much like an application server, Zend and other vendors are making PHP more corporate-friendly, de Visser said.

"We look at (Microsoft's) .Net as a good example. We're very comfortable mimicking (that) and knowing that companies want an alternative because they don't want to buy the whole Microsoft stack."

July 24, 2007 6:55 AM PDT

Microsoft releases initial code for IronRuby

by Martin LaMonica

Continuing to warm up to Web developers, Microsoft released an early version of IronRuby that will let programmers write .Net applications with the Ruby language.

In tandem with the "first code drop" of IronRuby, Microsoft will be taking code contributions from outsiders, John Lam, program manager on the Common Language Runtime team at Microsoft, wrote in his blog on Monday.

Lam said that the company intends to fully release IronRuby on RubyForge and take a wider range of contributions by the end of August. The software is available under the open-source style Microsoft Permissive License.

IronRuby uses the Dynamic Languages Runtime, which the company introduced at its Mix 07 Web developer and design conference in May of this year. The runtime allows people to use dynamic, or scripting, languages to write .Net applications.

Other languages that Microsoft intends to support include Python, JavaScript (EcmaScript 3.0), and Visual Basic.

Once Microsoft releases Silverlight version 1.1, expected in the next few months, developers can use Ruby or other scripting languages to build Silverlight Web applications on Windows or the Safari Mac browser.

Eventually, developers could use supported dynamic languages to write applications for handheld devices and, in theory, Linux applications using the Mono Moonlight implementation of Silverlight on Linux.

Silverlight is Microsoft's alternative to Adobe's Flash for writing and running rich Internet applications.
