Sunday, July 12, 2009

Progress update

When I started writing s3mp, I wrote it because I wanted to be able to access my music whenever I was in front of a computer and a browser. Once it reached the point where it basically did that with all the features I want (searching by tag is more important to me than playlists), development slowed.

But that's no excuse. Here's the current todo list:

  • Fix the bug where an mp3 starts downloading, but not playing. Why this happens is a bit of a mystery. The library that comes with Flex has is supposed to send notifications when a sound's downloading or it's ready for playing. S3mp gets the download progress notification, but never one indicating it's ready to play.
  • Add seek functionality. The Flex library doesn't support getting the total length on an mp3. In order to get it, I need to manually read the first few KB of the file and figure out its size and bitrate, and then calculate...unless it's variable bitrate. In that case, I need to search for either a LAME or XING header that holds the length of the song.
  • UI cleanup and features.

Friday, October 24, 2008

SSL Man in the Middle Attack: What's it look like?

Security experts tell us tell us that sending credit card numbers across the internet is safe; it's more likely that an employee on the other end could take it or your wallet is stolen than the NSA breaking the encryption that protects your personal information.

So your information is safe from eavesdropping, but what about a man in the middle attack, an attack where someone pretends to be, say,

Your browser lets you know. Instead of seeing a page you're accustomed to, you'll see a big warning about an SSL certificate being bad.

Developing s3mp, I use a tool called Paros that lets me look at encrypted web traffic by doing just that attack. Whenever I debug, I get a warning, making sure I know that someone between me and Amazon is looking at what I'm doing.

Here's what Firefox 3, Chrome, and Internet Explorer 7 display so that if you encounter the message you know what's going on.

Firefox stops you in your tacks with a popup (UI designers call this a "modal window"). On one hand, it gets your attention, but on the other, it stops you from even closing another webpage as your boss is about to look over. The icon isn't particularly informative and the text is loaded with technobabble.

Chrome lets you know the connection isn't secure with huge type and a red border (though for people with color blindness (protanopia or deuteranopia), the red border is more of a brown). To the designers' credit, it says "an attacker may be trying to intercept your communications" and "you should not proceed."

Internet Explorer shows a page that looks much like the normal error page, but with a red security shield. Like Chrome, it has a human-readable description of what happened, stating that this "might be an attempt to fool you or intercept any data you send to the server." It recommends not proceeding, and unlike Chrome, I always find myself hitting the button that doesn't load the page.

Overall, I like Chrome's warning the most, IE's second, and hate Firefox's. Firefox just doesn't explain what happened very well, the modal dialog is obnoxious, there isn't a "run away" button, and ignoring it is a pain. IE came in a close second, but I really like Chrome's red border.

Support for large buckets (1000+ files) added

s3mp now supports buckets with a large number of files, although support is still in beta. It required a re-write of "List" code, so the tag cache has also been rolled back to beta. The color scheme changed, but this was just an experiment, so it's not permanent (but don't expect it to be changed before parts of the UI are redesigned).

After a little more testing and configuring error handling, the next thing on the todo list is getting seek to work.

Sunday, September 28, 2008

Tag caching and progress slider

First, what's the tag cache?  s3mp is, at least for now, almost entirely client-side, so to get the meta data (artist, song title) of an mp3, it downloads a small initial chunk and a smaller final chunk from the file, looks for tags, and if it finds them, stores them.  The process of looking takes a while, but if all the tags are already stored in a handful of files, the process is a lot faster.

I changed how tag caching is handled.  Instead of letting the user choose a bucket to store tags in, s3mp now (once this beta is released) automatically stores a tag cache (with intentionally obvious names like .s3mp_tag_cache.0.xml.z) for the all mp3s in a given bucket in that same bucket.  I had an ugly dilemma to sort through on this one.  A tag cache for each bucket is easy for both me and the user, and loading a single bucket, or making it public to share, works as expected.  The problem is in how it's handled when the user doesn't have permission to write in that bucket.  All of the solutions put a strange burden on the user to pick, with foresight, where to put the tags.

For now, if you want to use the tag cache, make sure you have write access on the bucket.

The Progress Slider is making a lot of, um, progress.  The UI basically works, it just needs keyboard support, and the progress portion already indicates progress downloading a song.

Wednesday, September 10, 2008

Google Chrome, s3mp, and security

Seeing that Chrome was just released, I decided to make sure it works with s3mp, and I'm pleased to say that it does (see screenshot). That said, when playing with s3mp in Incognito mode, I found a disturbing security hole that allows "cookies" to not only be retained between Incognito sessions, but leak from a regular session to Incognito.

I said cookies, but I meant Flash SharedObjects. They're basically a way for Flash applets to store information locally (s3mp uses them to store "Local Settings"). Unlike cookies, Chrome doesn't flush these from Incognito mode or sandbox them.

Aside: Adobe has a knowledge base entry on how to manage and disable shared objects.

I made a proof-of-concept that logs what web pages the user visits using a Flash SharedObject to escape the Incognito sandbox.
Using it's easy; go to the main page, then some random combination of Chrom'd pages (page 1, page 2, etc.), then back to the main page, and the main page will display the history. The "Clear" button removes the cookie from your computer.

To break out of Incognito mode, go to the Chrom'd main page in an Incognito session. Browse a few pages, then close the session (or all of Chrome). Browse to the Chrom'd main page, again, and the Incognito browsing (only Chrom'd pages) history will be shown. Even better: since SharedObjects are shared across browsers, fire up up IE or explore your way to Firefox and load the page.

Putting on my black hat, what could be done with this hole? Nothing that isn't already a problem on other browsers. One of the more clever applications would be to couple SharedObjects with cookies as a means of detecting whether a user is frequently browses a web page Incognito, then display security related ads to paranoid users.

Chrome might offer some security features, but history, cache, and cookies are only part of security. As plugins become required for the web experience, without plugin-aware security, Chrome will be one step behind web developers, and further behind black hats.

Now... Where did they hide the "disable flash" button?

Sunday, August 17, 2008

Small website changes

I made a few changes to the UI, today. They were mainly aimed at cleaning up the About page, but through the magic of CSS, the app page changed, too. I narrowed the whole layout and put the page content in a white box. Hopefully it makes the About page barable on a widescreen monitor.

More interestingly, I designed the song scroller. Flex doesn't have a scroller+progressbar built-in, so I worked on one that matches the feel of Flex's default toolkit.I think I'm so pleased with how it turned out that I'm going to have to redesign the volume control, too. It's amazing how many places I drew inspiration (stole) from for the UI. The larger play button was from Windows Media Player, and the scoll bar is a combination of the Flex toolkit style (border, suble gradient, button), Gawker's videoModule and Vimeo's loading style, and YouTube's bubble button.

Sunday, August 10, 2008

I'm back

Sorry for not posting or developing for a while, but I found myself busy with other things (mostly related to wireless networks). I gave the blog a logo, and I have a few ideas for website reshuffling, but for now, I'm going to focus all new development on a few features that I think are sorely needed:
  • Support for buckets with lots (1000+) files
  • Display information about the song in the "ticker"
  • Allow seeking though songs
  • Playlists
  • Directory support (only a problem in File Mode)
And one of these days, ad a few advertisements.

I don't have a schedule, but it would be nice if each of those only took a week, but I know I should multiply that number by two if I want to finish on time.