I consider myself a competent programmer; I'm a bit of a 'jack of all trades' and as the adage goes, possibly a master of none. The advantage, I feel, of my approach, is that I can dip in and out of stuff really easily most of the time. So I'm not usually afraid to try new technologies, languages etc. My current fetish in this respect is the Facebook platform.
I recently started development of a Facebook application which is basically a reimplementation of the classic MUDs (Multi User Dungeons). These were text-only adventure games based, I suppose, on the classic Dungeons and Dragons books, with computer-simulated rolling dice to generate the characteristics of the players and their antagonists, and to affect their effectiveness in conflicts. These simple games, which by their nature were laden with a great deal of descriptive prose, eventually developed into what was clumsily acronymed (sic) MMORPG - or Massively Multiplayer Online Role Playing Games, and became 3D wonders like Asheron's Call, (the first MMORPG I played), and the now ubiquitous World of Warcraft. My game is a very poor cousin to those, but should turn out to be a multiplayer online roleplaying game, although I suspect not 'massively multiplayer', which I guess must mean 1000s or tens of 1000s of players online concurrently.
I very briefly blogged my frustration with my excursion into the Facebook platform a week or so ago. However, I'm over the hump now and I'm starting to see, if not the advantages, then at least the cleverness of what Facebook have done with their code.
Any web app you use which is highly interactive has to run a lot of code on your machine, rather than on the server, in order to respond quickly to user input. Unless you're using a plugin like Flash or Java, this is very likely to be executed in Javascript. Javascript is a great language in my opinion, and while I struggled with the different implementations in IE 3 and Mozilla all those years ago, I also came to love the language for the ways I could work round those differences.
I came to Facebook development, then, with an idea that my previous Javascript skills would be fundamental to my discovery of the FB development platform. Fundamentally, that assumption was true, but as usual the Devil is in the Details, and in this case, the detail was that Facebook were fucking with my code.
It's understandable; Javascript code can be dangerous; you can redirect users to pages that look like, say, their bank, or some other valuable site like PayPal, or you can show them important-looking popup boxes telling them to perform some action or other on their computer which might render them vulnerable. Facebook are proud that they have made a platform where you can run code as a first-class citizen, and thereby have access to their own code libraries, (or of them to yours, I'm not quite sure yet) and not, as other sites might apparently have you do, run your code in a "sandbox" environment, where it cannot interact with the code in the main body of the web page, and therefore not trick users.
Now to come to the clever bit. Let's assume that the alert() function is dangerous. All it does is display a message to the user, but let's assume that a gullible user will act as a result of this dialog box, perhaps telephoning a criminal masquerading as their bank, or something similar. It appears that facebook consider alert() dangerous, as they don't let you use it. The way they do this is the interesting bit.
Consider a bit of code:
var i = "1234";
alert(i);
setTimeout("doSomething(i)", 1000);
With facebook you get an application key, which is a string of letters and numbers. Let's say for now that key is "a007". The code above will be translated, before interpretation, into the following:
var a007_i = "1234";
a007_alert(a007_i);
a007_setTimeout("doSomething(a007_i)", 1000);
If you read that closely, you'll see that if Facebook, who modify this code before it hits their Javascript engine, decide to implement a007_setTimeout() as an alias to the setTimeout() function you'll be able to use the setTimeout() function, but if they don't implement a007_alert(), you, as a user submitting Javascript to Facebook for execution, will not be able to use the alert() function.
And that, from my analysis, appears to be exactly what Facebook do. For functions that they want to allow you to run, they implement aliases from, say, aFunction() to a007_aFunction(). For functions they don't want you to run, they don't implement those aliases. Of course, they first translate your code so that all variables and function calls are prefixed by "a007_".
Damned clever.
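To make the scheme concrete, here is a toy rewriter plus allowlist, added as an illustration; it is not Facebook's code and not part of the original post. The names rewrite, runSandboxed, host and demo are made up for this sketch, the tokenizer is a regex rather than a real parser, and setTimeout is replaced by a recording stub so the result can be checked.

```javascript
// Added illustration of the prefix-rewriting idea; not Facebook's code.
const KEYWORDS = new Set(["var", "function", "return", "if", "else", "for",
  "while", "new", "typeof", "true", "false", "null", "this"]);

// Tokens: (1) string or number literal, (2) property after a dot, (3) identifier.
const TOKEN = /("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|\d[\w.]*)|(\.\s*[A-Za-z_$][\w$]*)|([A-Za-z_$][\w$]*)/g;

// Prefix every free identifier with the app key; literals, property names
// and keywords are copied through unchanged.
function rewrite(source, appKey) {
  return source.replace(TOKEN, (match, literal, prop, ident) =>
    literal || prop || KEYWORDS.has(ident) ? match : appKey + "_" + ident);
}

// Run rewritten code with only the allowlisted aliases in scope.
// `host` maps an original name to the implementation the platform exposes.
function runSandboxed(source, appKey, host) {
  const aliases = Object.keys(host).map((name) => appKey + "_" + name);
  const code = '"use strict";\n' + rewrite(source, appKey);
  try {
    new Function(...aliases, code)(...Object.values(host));
    return { ok: true, code };
  } catch (err) {
    return { ok: false, code, error: err.name + ": " + err.message };
  }
}

// Constructed sample: setTimeout is aliased (to a recording stub), alert is not.
function demo() {
  const timers = [];
  const host = { setTimeout: (fn, ms) => timers.push(ms) };
  const allowed = runSandboxed(
    'var i = "1234"; setTimeout(function () { return i; }, 1000);', "a007", host);
  const blocked = runSandboxed('var i = "1234"; alert(i);', "a007", host);
  return { allowed, blocked, timers };
}

console.log(demo());
```

The blocked call fails with a ReferenceError on a007_alert because no alias of that name was ever defined. A regex pass like this only shows the naming trick; a production rewriter needs a real parser and also has to deal with `this`, computed property access and strings that get evaluated as code.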
Friday, 25 July 2008
Monday, 14 July 2008
My accountant tracked me down on facebook
My accountant is my company secretary, a not unusual arrangement. This means he gets calls from the Inland Revenue and Companies House when I don't do what I'm supposed to do with my company books.
So if I neglect to submit accounts to the Rev and CH, and coincidentally change my phone number and email address, my accountant, while being technically liable for my misdeeds has no way to get hold of me.
So bravo for him for being inventive enough to search for me on facebook.
And boo because now I have to find my bank statements and enter the bloody data into the accounts software. No more hiding! Dammit.
Building an interactive facebook app - what a nightmare
I'm in the process of building a facebook app which is highly interactive. It's a game which needs a lot of AJAX updates to keep the frontend up to date.
I'm sure I'm only repeating the frustrations of every developer who's tried to create a complex facebook app, but their javascript filtering is driving me up the wall.
On the one hand I'm impressed by the competence of their engineers; it's a difficult task to pull off, allowing me to write javascript which will be executed in the context of their web pages, while stripping any malicious code out. On the other hand, writing code for the facebook platform is extremely painful due to the number of things they didn't implement. Is it my imagination or can I not create an Array object?
I'm sure I'll get there in the end. In the meantime, I'm really enjoying listening to "The Next Big Thing" by Benjamin Bates and "The Sex Has Made Me Stupid" by Robots in Disguise.
Tuesday, 8 July 2008
"Anarchist Gifts" on Facebook.
Do you think that using an app called "Anarchist Gifts" on a website which has a fairly substantial CIA shareholding is a little bit like painting a target on your arse, to be aimed at in the future?
A subsidiary company of the CIA has a share of facebook. I think more than 1%, less than 10% but I can't remember how much. Your network of friends, or "social graph" is a really good way of identifying you and what you might do. That sounds fanciful but it's a reasonable bet that quite a lot of your behaviour is influenced by and targeted towards your peers.
"Anarchist Gifts" seems like it could be a honeypot trap, a lure, a ruse to divine the anarchist social graph. It may not be, but in any case any shareholder with a technical interest in Facebook may be able to access a network of self-proclaimed anarchists.
If I'm in your network and you're playing with "Anarchist Gifts" or similar, I'm obviously an anarchist sympathiser, or that's how it might seem. It wasn't very long ago that "anarchist" was a louder-proclaimed public foe than "terrorist", and it may not be very long before those days arrive again.
Facebook is a cool app, even for, perhaps especially for, anarchists. It's going to be a lynchpin of the next couple of years' internet usage. Use it. But don't paint a target on your own arse.