Graphics Considered Harmful

OK now I’m getting pissed off. This security crap just won’t go away.

Gregg Tavares, Chrome developer,  discovered that Silverlight has the same security vulnerability as WebGL. Benoit Jacob, WebGL guru at Mozilla, even filed a bug with Microsoft about it. Cool… the cat is out of the bag. But I wouldn’t hold my breath waiting for Microsoft to change its position.

Turns out that Unity, Molehill, etc. also are likely to have similar security problems. News flash: graphics hurt. But no pain, no gain. And yet, the FUD continues to fly.

Jon Peddie said it succinctly: any graphics technology is going to have these issues, and the industry needs to manage the situation as developers inevitably adopt 3D on the web. (Yes: I said inevitably. Suck on that.) Regardless, he calls the question: should we kill this thing before it grows? I know he is being rhetorical but the scary thing is, the blogosphere is easily swayed and someone needs to fight the FUD. Bully, Jon! Keep ’em flying.

The truth is, all 3D applications come with elevated security risk because they tap into lower-level hardware. “But this is on the web,” you say, the implication being that it makes the situation inherently more dangerous. Well, these days, most 3D games run on a network so don’t go crying that this is different. It’s close enough to the same that it’s the same: bits on screen powered by random code susceptible to tampering by nefarious agents. We’ve been fighting this fight for years; we know how to do it. The real deal is, consumers either want rich experiences– and by rich, I mean real 3D not bullshit 3D– or they don’t. And if they do, the market will power through any obstacles in its path.

Web 3D is inevitable. (There, I said it again.)  The history of media is the history of a rise in production value. Production value has nowhere else to go… but 3D.

Kill WebGL? You might as well kill graphics. You’re welcome to try.

Shades of Chrome

A new blog posting by Microsoft Security Research and Defense, with the combative title “WebGL Considered Harmful,” has reignited the WebGL security debate. Recent moves by the Khronos Group and browser makers supporting WebGL (that is, pretty much everybody but Microsoft) had quelled the noise for about a month. Now, with Redmond weighing in on the negative side of the issue, we can expect the rhetoric around security to heat up again. That much seems clear. What seems less clear is the motivation: does Microsoft have genuine security concerns, or is this a tactical smokescreen to mask a nefarious strategy? Put another way: is Microsoft up to their old API tricks? Conspiring minds want to know.

A paranoid observer might wonder if Microsoft sees WebGL as a threat to its Silverlight product– I don’t see how they couldn’t– and is just using the security issue as an excuse to stonewall WebGL. And while it may just be paranoia, indulge me for a moment, because there is an aspect of history repeating here.

Web 3D old-timers may recall Microsoft’s failed attempt to derail VRML, originally known as ActiveVRML, subsequently renamed to Chrome (no relation to Google’s browser) and again renamed to Chromeffects, back in 1998. At the time, VRML was gaining serious traction and solid vendor support. Meanwhile, a cohort of Sun graphics transplants, with the help of the DirectX team and IE teams, lobbied the Web3D Consortium to consider ActiveVRML as an alternative standard. After much debate, the ActiveVRML initiative was resoundingly defeated within the Consortium, delivering MS a shocking (if not truly surprising) blow. The net result: Microsoft picked up their ball and went home. Chromeffects was released as its own competing thing within IE, and Microsoft’s built-in VRML support (supplied by yours truly btw) was mothballed.

Ultimately, Chromeffects was no more of a commercial hit than VRML, and within a few years of its introduction it withered. But it never died: Chromeffects was eventually resurrected as– you guessed it– Silverlight. The code may be unrecognizable from the original ActiveVRML but many of the key concepts remain, such as 2D/3D media integration, authoring with built-in XML tags, and hardly any actual 3D rendering. Silverlight is a conceptual, if not genetic, descendant of ActiveVRML. Sure, this whole line of thinking might be a stretch… but I’m just sayin’.

Of course, 1998 was a very different time: the OpenGL/DirectX war was in full swing simultaneous with the IE/Netscape war, and Microsoft was in the dominant position with application developers. So while they lost the ActiveVRML battle, they won the two big wars handily, largely because of their leverage with developers. Cut to 2011, however, and we see a very different picture. IE is no longer the market share leader browser (accordingly to many of today’s stat counters) and MS is fighting a battle for developer mindshare on several fronts. The strong-arm tactics they formerly employed with developers aren’t nearly as effective as they were back then. So this conspiracy theory might come up short, unless you consider another very effective tactic from the MS playbook: sow Fear, Uncertainty and Doubt. In the VRML days, performance was the boogeyman with which competitors generated FUD. Today, security might be the hobgoblin of choice.

For what it’s worth, this time around I think we can take MS at face value about this security thing. I really don’t believe they are being that crafty. The security issue is real and should be of concern within the industry. However, the tone and title of the MS blog post, plus alarmist reporting by CNet and ZDNet on the topic don’t help. Particularly disturbing is the poll-within-the-article on ZDNet: the article is titled “Microsoft is right to label WebGL ‘harmful'”, and within the article there is a poll asking, “Do you think WebGL is ‘harmful’?” And guess what: over 50% of the respondents do. Now there’s a shocker. Framing anyone?

Despite the scary going around, I am optimistic that cooler heads will prevail. The coolest head in this debate so far, ironically, rests on the shoulders of Microsoft employee Avi Bar-Zeev. Writing in his personal blog he advocates a balanced look at the situation and argues that Microsoft ultimately needs to support WebGL because web developers will come to demand it. Avi has hit the crux of the matter: Microsoft’s success or failure rests largely on, as it always has, its application developers. My prediction is that developers aren’t going to be scared away from WebGL based on FUD, intentional or unintentional. It’s just too cool, and it’s already supported in the other browsers. So, yeah, MS will come around… it’s just a matter of time.