Author Archive

ISOC Roundup

Sunday, February 25th, 2007

I got back late in the week from a trip to the ISOC-IL annual conference where I gave a full-day tutorial on Ajax and Dojo (with a little bit of Comet mixed in for fun). The conference organizers were tremendously kind and thoughtful and the whole trip was a lot of fun. What was best, though, were the great questions that folks had during the tutorial. It’s always a hit-and-miss on this kind of thing (big room, low lights, different country, potential language barrier, etc.) and it can go very badly indeed if people aren’t curious about the topic(s). The ISOC-IL conference drew great folks with wonderful and pointed questions that helped make everything go faster. It’s rare that conferences are that tightly run, well-attended, and have such good food and caffeine. Conference size can’t beat quality and the ISOC-IL conference proved it.

The day after the conference, I was lucky enough to get to visit some of the Zend hackers in Tel Aviv who were also tremendously kind and had lots of great feedback on how we can improve Dojo. Work aside, this was my first trip to Israel and I can say with some confidence that I’ll be back. My trip left me thinking that there’s a lot more to Israel than news accounts in US papers would imply.

Posted in Conferences, News | 3 Comments

Going Data-Driven

Sunday, January 7th, 2007

Dylan’s last post on performance is only one in a series we’ll be running on the topic, and as promised this post is all about the tools of the trade for doing Ajax app performance tuning and how to use them. Here at SitePen, we often get called into a project when the heat is really on: after most of the code is written and just before the hoped-for (or worse, already slipped) ship date. Needless to say, we like this situation even less than our clients do. We always prefer to be involved early enough in the development process to be able to steer clients towards architecture decisions that will scale and perform better and still fit the budget, but sometimes the damage is done. What then?

Let the data guide you.

It sounds simple and naive, but most developers who have been through their share of performance tuning crunches will have horror stories of hours or days lost to phantom performance “problems” that turned out to be nothing more than the hunch of one developer. It’s no use optimizing your database configuration or adding more expensive storage systems if the bottleneck is at the JavaScript or HTTP levels. Likewise, tuning your HTTP server to the hilt may have no effect if the bottleneck is storage contention or TCP fragmentation. Getting to a root cause requires defining the goal of a tuning project, testing each change to isolate causality, and keeping a log book handy and up-to-date.

It may be necessary to write custom tools to help you diagnose problems in some environments, but there’s a stable of tools that we always seem to fall back on here at SitePen and I’m going to do a quick run-through of what we do at each step when we’re analyzing webapp performance and scalability problems (note: they’re not the same thing!). Here’s the short list, and why we can’t live without them:

  • Firebug 1.0 Beta
    • To users, perceived performance is the only thing that matters, and that means that investigation should examine the system from the user’s perspective and work backward from there. There was a time when the Firefox TamperData extension ruled the roost for this, but no more. Now that page loading requests can be graphed inside of Firebug, things are getting a lot easier. Not only can the graph view show 404 requests and slow responses, it often lays bare the synchronous nature of script execution and requests and the 2 HTTP connection limit. Generating “before” and “after” evaluations for clients has never been so easy.
  • Venkman and Firebug 1.0 Beta
    • Now that Firebug includes some profiling and debugging support, Venkman may finally be on the way out, but whichever tool you use it’s highly valuable to be able to profile in-browser JavaScript performance at a function level. HTTP and server-side problems are often a source of perceived latency, but simple testing with full caches can easily point to client-side performance issues. Any logging or profiling system will impact overall page performance, but you should be using these tools to get relative timing data. There’s a special mode for the Dojo package loader that can be used to get accurate function names and line numbers. While the timing information may not translate 100% across FF, IE, Opera, and Safari, the relative timings tend to be in line.
  • dojo.profile
    • The dojo.profile module lets you do tic/toc timings of JavaScript code and provide a table showing averages and total timings. We use this to verify relative timings across browsers once Venkman/Firebug point out bottlenecks and to validate fixes in a cross-browser way.
  • Tsung and Apache Bench
    • As I noted earlier, HTTP-level performance problems can seriously impact application latency. Neither tool can pinpoint fundamental problems like outbound bandwidth saturation (making the system more scalable doesn’t matter if you can’t send more data across your link), but when the problem is one of scale and not instantaneous performance, these tools let you begin to validate assumptions. Apache Bench is great for testing balls-to-the-wall concurrency of a single script, but very often you’re more interested in full-app performance under more realistic workloads. While there are commercial tools available that can do this kind of load testing in a “real world” way, Tsung provides a highly-capable “replay” proxy mode that will generate workloads that can be used to monitor system performance from a variety of angles. Since we’re most often interested in “how many users can it handle?” rather than “how many times a second can I request foo.php?”, Tsung is an invaluable ally. As a downside, Tsung often requires a proxy and an Erlang build.
  • bonnie++
    • Databases and web servers alike need good I/O performance, and bonnie++ lets us determine if we’re getting anything like the theoretical disk performance out of a system. Knowing the “shape” of your workload is essential, but I find that when remediating disk I/O issues bonnie++ usually finds its way into my analysis.
    • Please, please, please make sure that your file systems are running with noatime set.
  • “EXPLAIN” statements and slow-query logs
    • SQL is the ubiquitous abstraction that most of the web runs on, and every database system today provides information on how well it’s returning what you request. A thousand other things can niggle your SQL server performance to death, but nothing should get done without logs and EXPLAIN output to guide you.

System development and tuning need to go hand-in-hand, and expert help can clearly make a huge difference. The tools above are some of the most visible artifacts of the process, but it’s discipline in the process itself that’s of the most paramount importance. Let the data guide you and everything else is likely to work out…assuming you know where the goal line is.

Performance tuning can easily drive you crazy should you not have a goal in mind. Without a goal, there will always be another tweak, another 3% to be eeked out of the system. Combined with the marathon sessions that seem to lead nowhere, it’s important that developers doing performance work remember to keep their eye on the ball and to take a walk or a nap or just stop for the day when there isn’t forward progress for an hour or so. That, of course, means having a ball to keep an eye on. So before you start your tuning adventure (or call us in to help), you need to know what your budget is, what your responsiveness goals are, and what your scalability targets are.

For more thorough treatments of how to build things that both perform well and can be made to scale, I strongly recommend Cal Henderson’s “Building Scalable Web Sites”, Theo Schlossnagle’s “Scalable Internet Architectures”, and Jeremy Zawodny’s “High Performance MySQL”.

Next time: why the Dojo build system matters, why the x-domain package loader is awesome, and other stupid HTTP tricks.

Posted in Dojo, News, Performance | 5 Comments

When Vendors Attack! Film at 11

Sunday, January 7th, 2007

I’m sorry to interrupt the performance post series, but this seems to warrant a timely response.

Before I go any further, I should note that once-upon-a-time I was deeply involved in the webapp security community. As an engineer at a small MSSP in ‘02 and ‘03, I contributed to OWASP, lead one of their main projects, and participated in the associated discussions. I’ve audited web software for security flaws and worked to secure new and existing systems. These days, my involvement in the security world is reduced to reading interesting papers from the various conferences and my occasional trawl of CiteSeer. I have tremendous respect for the security community and many of the smart and talented people I had a chance to work with in those days.

But all is not right with the world of web app security. Paola and Fedon’s paper is an amalgam of other people’s research (response splitting) and a sprinkling of idiomatic JavaScript. When it can get to the front page of slashdot with “the web2.0 is falling!” billing, it only feeds the FUD flames. Pablum as revolution is disturbing. When it’s widely read, it’s urban legend in the making.

Here’s what Paola and Fedon tried to side-step:

  1. Response Splitting attacks aren’t that common (no, really)
    • The scariest bits of the presented paper require a complicit, b0rken proxy.
    • Mitigating the threat therefore means fixing the proxies, not the clients. This is comparatively good news as it implies fewer nodes to upgrade to remove the immediate-term threat. This matters to everyone interested in mitigating and managing risk (not eliminating it).
  2. The fundamental root-of-trust issue here is still an XSS attack. If you are subject to an XSS, the same domain policy already ensures that you’re f’d. An XSS attack is the “root” or “ring 0″ attack of the web. This is the fundamental weakness of the web’s security model today, and one that is difficult to solve (e.g., requires upgrading all clients). That there are problems associated with being rooted should surprise no one.
  3. Characterizing the replacement of existing functions as a “design flaw” in JavaScript is comical. The assumption is malicious code in the same execution scope as the code being attacked (see #2), and that’s not tractable by disallowing redefinition. Even if JavaScript didn’t allow it, any environment that would allow runtime event handlers to be registered would suffice, and since there is no way (in current JS) to determine if code is “valid”, the gig would still be up. Just register a malicious onreadystatechange handler. The only change would be that you might have to target applications more narrowly.

What really makes me sad though is that the work of folks like H.D. Moore, Thor Larhom, and Jeremiah Grossman gets lost in the noise when chaff like this is published. By not providing an honest evaluation of the real-world potential of a threat vector, the authors of a paper like this create a sort of seismograph that can’t tell magnitudes, only number of things shaking. Without magnitude information, an instant market is created for people to stand on the tops of roofs and yell down how bad it is (or in this case, how bad it could have been had they not been valiantly standing there).

Threat information is only valuable as when there is enough data about it to manage and mitigate risk. Yes, security problems are real, and web app security problems aren’t going away any time soon, but without level-headed analysis of the threat vectors, the real-world risk profiles, and the root-of-trust that is being attacked there is very little reason for clients to view the security community as anything but a freakish collection of opportunists, wolves, and disillusioned techno-utopianists. Accurate data builds trust, and trust builds a relationships that allows you to effectively mitigate risk. It’s high time that the security industry developed a code of ethics that prevents FUD-slinging. OWASP could even lead the way although I suspect there’s not a chance in hell of it happening.

The view from the roof is pretty good, after all.

Posted in Dojo, News, ajax | 8 Comments

Mobile Ajax: Hype, Reality, and SitePen

Saturday, September 30th, 2006

It’s been a little quiet around here lately, but as Dylan’s last post points out, it’s because we’ve been so busy on working on the technologies we need to push the web forward. While Comet, cross-domain services, and native vector graphics are nearly “here”, “Mobile Ajax” is clearly a term in search of a definition.

I’m going to spend a little time recapping my recent excursions into the world of mobile web app development to share a little of what we’ve learned and where SitePen will be focusing its resources with respect to mobile web apps.

Recently, we’ve been hearing more and more about “Mobile Ajax”, mostly in vague terms. I suspect this stems mostly from no one knowing really what it means. Those who are clued into the size of the mobile phone market are, like me, scratching their heads as to why mobile web apps still suck. Mobile phone browsers have traditionally been under-powered to the extent that they can’t really support applications, but Moore’s Law solves that problem eventually. Coupled with significantly improved bandwidth to phones, you’d think that we’d be in a golden area of invention around mobile web apps. It hasn’t happened yet. Significant impedance mismatches between web app developers and the constraints of mobile phones still remain, and despite the high-end of the phone market being “there”, the platform as a whole isn’t. Here’s why:

  • Latency
  • Developer (mis)training
  • Browser issues
  • Carrier slow-wittedness and delusions of competence

All of these factors have contributed to a situation in which web apps on phones, nevermind ajax apps, generally suck. And it’s not for lack of trying. Using google or yahoo on a mobile device today is generally about as good as it gets, and they’re not bad. Unfortunately the text bias that’s built into the fabric of the “desktop web” hurts even these sites which have entire teams dedicated to figuring out how to reduce steps to action.

All of this matters to us at SitePen because it’s our goal to help push the web forward (and this case, outward). Through talks like the one I gave at EuroOSCON (and will give again at AjaxWorld) we’re starting to share the raw data that’s been available but not yet widely distributed. At the end of the day, a couple of things have become pretty obvious out of our research:

  • Ajax on mobile devices isn’t worth doing yet
  • Mobile browsers need to evolve before apps can really take off
  • Developers need to stop expecting to get text from clients
  • Developers need to start thinking about “stacking” interfaces instead of scrolling
  • Most big web properties are already “on it”, leaving smaller firms at a disadvantage in both experience and motivation

All of this generally means that the term “Mobile Ajax” is likely to be a code word for “snake oil” for the foreseeable future. Ajax isn’t the right answer for mobile devices. Other techniques will evolve to improve the utility web apps for mobile devices, and here at SitePen we’re already working to test out some of our hunches about how we can solve the existing UI problems.

If you’d like to learn more about what we’re working on in this area and how our expertise and perspective might improve your mobile apps, drop us a line.

Posted in Conferences, ajax, mobile | No Comments

SitePen At LinuxWorld

Monday, August 14th, 2006

I’ll be at LinuxWorld this week, and I’ll even be giving a talk on Thursday. If you’re going to be at the conference and want to catch up, just send mail to alex at sitepen dot com.

Posted in Conferences, News, Open Source | No Comments

Lets. Push. Things. Forward.

Tuesday, August 1st, 2006

SitePen is an interesting hybrid of Open Source idealism and intense pragmatism. Lots of companies work on a bunch of things and then try to Open Source bits of that they think won’t compete with some product they hope to sell or will commoditize a competitor’s offering. In a lot of cases folks use restrictive Open Source licenses (e.g. GPL) to create some sort of “carve out” that allows them to be the only people who make money directly from a codebase. We think that’s a fine tactic as far as tactics go, but how is that really different from closed-source companies locking up markets via network effects?

We’ve grown because we work with and help grow the Open Source communities we’re a part of and do it in a non-exclusive way. We didn’t start working this way because we’re prescient or have some super-secret plan, but because we believe that well-done Open Source projects create markets that benefit users. Being plugged into those projects just gives us better access to those market opportunities while at the same time scratching our collective itch to do the right thing. We’re not afraid of competing on a fair playing field and if Open Source can help us ensure that the pitch remains flat, so much the better. You can almost think of it as “sustainable software”.

It’s accepted wisdom these days that great Open Source represents the last step on the road to software commoditization, but I don’t think the story ends there. Software is complex. Like the cost of physical production before it, managing complexity is now the limiting factor in reducing the cost of producing software products. On a recent trip I was re-acquainted with the idea of the “Magic Number Seven” thanks to an article in Scientific American. The basic premise is that we humans can only keep so much on “stack” at any given time. One of the obvious applications in software is that abstractions help make you more productive. For proof of this, just sit down and watch a Ruby programmer who knows a couple of DSLs. The ability to pack more meaning into fewer “words” is a tremendous advantage to someone who knows where they’re trying to go. Unfortunantly, abstractions are leaky and so knowing just the abstraction stacks the deck against less experienced developers and their employers.

The upshot is that seasoned veterans will always be able to help you navigate the fjords and currents of application development faster than someone who’s never seen the tools of the trade before (let alone the particular problem you’re facing right now). Having a good idea of what you want to do is necessaray, but not sufficient. SitePen’s clients don’t hire us because we grok Open Source, they engage us to help them build things or better understand the tools we know in depth because they’ve seen what we can do with them.

And isn’t meritocracy what Open Source is all about?

Posted in News, Open Source | No Comments

Newer Entries