Archive for April, 2008

4/26/2008: 12:01 am: Robert: Software

Adobe recently rolled out a patch to Flash Player 9 to mitigate some bad security vulnerabilities (my favorite Flash vulnerability was hilariously described at Matasano Chargen). One of our Flash apps at work suffered collateral damage from the update.

If you get the message “Security error accessing url” after applying the April 8 Flash Player update, then it’s likely the app is doing something covered in this article covering potential compatibility issues with the update. Our app was affected because it accesses a web service running on another server.

When the Flash Player accesses data from another domain on behalf of a Flash app, it first looks for a crossdomain.xml file in the root directory of the domain that is being accessed. For example, on my site it would try to retrieve http://wombatnation.com/crossdomain.xml. This file contains access policies that the Flash Player will apply. If you want to allow any Flash app to access a web service on your site, you can go with the Come and Get It policy file:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>

If you need to allow access to only a small set of domains, you should replace the * wildcard with something more specific. You can still use a * to pick up all sub-domains, though. For example, *.wombatnation.com would allow access to my local botnet herd.

One of the vulnerabilities Adobe is attempting to mitigate in this patch is the ability of a Flash app to send malicious HTTP headers to a remote service. The updated Flash Player lets an app send only the standard HTTP headers. If you want to send additional headers, the remote server must include additional policies. Unless, of course, your header of choice is already on the blacklist for fighting in bars, spitting on sidewalks or p0wning servers.

Since the SOAPAction header that is used with SOAP-based web services is not a standard HTTP header, your Flash app will display the “Security error accessing url” message unless the remote server’s crossdomain.xml is updated. The quickest fix is to add the following line:

  <allow-http-request-headers-from domain="*" headers="SOAPAction"/>

to the cross-domain-policy section. If you specified a more limited set of domains in the allow-access-from policy, you should probably use the same set of domains in this policy. This Adobe TechNote explains the details.
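To check a crossdomain.xml against the advice above (avoid the * wildcard where you can, and give the header policy the same domains as the access policy), here is a small audit script. It is an added example, not code from the original post; the function name audit_policy and the sample policies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's wildcard policy plus its SOAPAction line.
WILDCARD_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-http-request-headers-from domain="*" headers="SOAPAction"/>
</cross-domain-policy>"""

# Constructed sample: access limited to sub-domains, headers left wide open.
MISMATCHED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.wombatnation.com" />
  <allow-http-request-headers-from domain="*" headers="SOAPAction"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of findings for a crossdomain.xml document."""
    # ElementTree is fine for files you own; prefer defusedxml for untrusted input.
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    access = {e.get("domain", "") for e in root.iter("allow-access-from")}
    findings = []
    for dom in sorted(access):
        if dom == "*":
            findings.append("allow-access-from: any domain may read responses")
        elif dom.startswith("*."):
            findings.append(
                f"allow-access-from: every sub-domain of {dom[2:]} is trusted")
    for e in root.iter("allow-http-request-headers-from"):
        dom = e.get("domain", "")
        headers = [h.strip() for h in e.get("headers", "").split(",") if h.strip()]
        if dom not in access:
            # The header policy names a domain the access policy does not.
            findings.append(f"headers: {dom} is not in the allow-access-from set")
        elif dom == "*":
            findings.append(f"headers: any domain may send {', '.join(headers)}")
    return findings


if __name__ == "__main__":
    for name, policy in (("wildcard", WILDCARD_POLICY), ("mismatched", MISMATCHED_POLICY)):
        print(name, audit_policy(policy))
```

A policy that names one explicit domain in both elements produces no findings.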

I tried to figure out what was going on with Firebug, but Flash apps are pretty much black boxes to me unless you’re debugging them with Flex Builder or whatever tool was used to build them. Flash is a pretty useful technology for quickly building apps, but there are so many drawbacks that I seriously doubt I would ever choose it as my preferred tool for building web apps.

4/24/2008: 9:01 pm: Robert: Arts and Education, Bicycling

When I think bike safety or car safety video, I mostly think about boring instructions on how to ride a bike or drive a car in the most conservative fashion. But what if the kids in the safety video had monkey faces and curly tails? That would make even the most Ritalin deprived kid pay attention, right?

This seven minute sampled video I found on Monoscope is pretty great. The first two minutes are a bit of an artsy “My Lunch with 10 Year-Old Andre”, but then a pack of kids with monkey faces and curly tails and funky hats join our young friend on their bikes. It’s weirder and better than it sounds. If my parents had shown me this when I was a kid I think I would have ridden into a lot fewer open manholes.

Monoscope, by the way, is a great site for design enthusiasts.

4/14/2008: 11:04 pm: Robert: MySQL, Software

I’ll be at the 2008 MySQL Conference the next three days. If any of the three or so of you that read these posts will be there, let me know and I would love to meet up down in Santa Clara. Even better, I’d love to carpool with someone from Oakland to Santa Clara.

Besides whichever keynotes I can manage to arrive in time for, I’m planning to attend the following sessions on Tuesday:

: 10:31 pm: Robert: Soccer

The San Jose Earthquakes played their first regular season home MLS match (though at the Oakland Coliseum) last Saturday since the team got moved to Houston by the lowlifes at AEG. Sadly, they lost 1-0 to the Chicago Fire, though the Earthquakes far outplayed the Fire. Chicago is a pretty good team, but they looked pretty bad on Saturday.

Blanco was especially awful. He played really well last year and earlier this year for Chicago, but he was about the worst player on the field. He tried two nifty backheels. Too bad they went directly to Earthquakes players. He also did his famous bunnyhop in the corner at San Jose’s end of the field where he grabs the ball with the inside of both feet, jumps forward flipping the ball clear of the defenders and takes off with the ball. Only this time, both Earthquakes players who were defending him easily beat him to the ball and took off while Blanco was left standing there to watch. He’s still a great player and I’m sure he’ll get better as the season goes on, though he definitely has to work on his fitness. He was never a threat in the open field.

The Earthquakes played very well and nearly scored several goals, with shots going off the crossbar and the post. They also defended well, giving up the only goal against the run of play when an unfortunate deflection caught the midfield out on the attack. Salinas had a great look at goal but somehow managed to lift the ball over the goal from only a few feet out. The keeper was on the ground and he tried a little too hard to lift it over him.

4/9/2008: 9:15 am: Robert: Speech

When I posted a couple days ago about Spinvox taking in a very large funding round, I missed an announcement that same day about Nuance’s new voicemail to text service, which they have decided to cryptically call Voicemail to Text. Nuance is providing this service only through telecom carriers.

The thing I found most interesting is that the Voicemail to Text product page states that Nuance’s transcription software is supported by over 3,000 human transcriptionists. Well, they don’t specifically say human, but I think that’s a safe bet. I would have thought that if any company could completely automate the transcription process, it would be Nuance. Then again, I often can’t understand all of the words in the voicemail messages I receive, and last time I checked, I was human.

Recently, for a position at Voxify, I interviewed an engineer who worked on such a service at a company that develops unified messaging software. They were trying to fully automate the voicemail transcription process, though they seemed to be targeting a much less complete transcription. That would still be useful if you receive a lot of voicemail messages, as it might allow you to better prioritize the order in which you go through the backlog. I get upwards of three voicemails a week from my retinue of admirers, so this isn’t such a problem for me, though it would let me quickly skip through the majority of those messages that are wrong numbers.

: 8:41 am: Robert: Speech, VoiceXML

An article in Speech Technology magazine reports that in the most recent update to Gartner’s Magic Quadrant for IVRs, Microsoft Speech Server and Nuance Voice Portal got dropped. The disappearance of NVP is no surprise, since Nuance announced at their Conversations conference over two years ago that they would no longer enhance it.

Microsoft moved Speech Server into Office Communications Server last year, and really doesn’t seem to be promoting it as a standalone product, even though it can still be installed separately. Although I see virtually no push by Microsoft, or even their partners, to sell Speech Server into large contact centers, I’m still a little surprised Gartner dropped them.

We’ve been doing some testing on Speech Server at Voxify, and overall it works quite well. Getting it to work with our Asterisk-based PBX was a nightmare, but otherwise the install went pretty smoothly. Recognition performance using Microsoft’s ASR is generally similar to Nuance OSR, though recognition is very slow when doing nbest recognition for even medium sized values of n. Microsoft’s fairly faithful compliance with the VoiceXML standard (we find issues with every VXML browser vendor we have worked with) was another very pleasant surprise. The best surprise was the licensing costs. It is amazingly inexpensive considering the quantity and quality of features it includes.

One of my biggest concerns about Speech Server is that activity in discussion forums and blogs regarding the product has dwindled dramatically (at least in the places I have looked) over the last year. Without Microsoft pushing Speech Server, I think there will need to be pretty strong community support for it to gain a foothold. It would be really too bad if it ends up getting buried in the unified communication product line at Microsoft.

The rest of the report contained no surprises. Genesys is listed as the clear leader, and that is definitely what I have seen in the market. Acquiring VoiceGenie was a brilliant move on their part, and they have very good offerings for both enterprises and large VXML hosting providers. Nonetheless, there continue to be interesting developments at Nortel, Avaya and Voxeo, among others.

4/5/2008: 11:16 pm: Robert: Bicycling, Software

Just over an hour into my bike ride today while I was slogging up a steep hill, my Polar CS200 heart rate monitor rebooted. The screen went blank, a few cryptic symbols appeared on the display, and then the display filled with a union of all possible characters and symbols that it ever displays. And it stayed like that until I turned it off and on again. It forgot the ride data up to that point for the day and all the general settings, like the current time, but kept all my personal settings. I’ve gotten used to the sensor strips on the chest strap sometimes not immediately picking up a signal, but I’ve never had the software crash like that before.

4/3/2008: 3:44 pm: Robert: Speech

Nancy Jamison posted a nice write up on her blog about a recent Voxify webcast where Voxify presented with Continental on a new outbound voice app we just rolled out for Continental that calls customers up to 24 hours before their flight and offers to check them into their flight. It’s an especially great app for Continental’s frequent fliers, since the sooner they check in, the better their chance of getting an upgrade. Nancy provides a good description of the main features of the app near the end of her post. I’m especially excited about this deployment, because I developed the integration to the remote dialer that is actually placing the phone calls.

As Nancy points out, this is the kind of outbound call that customers actually do want to receive. We’re working on a lot of stuff like this, so hopefully more of the outbound calls people receive in the future will be helpful calls, instead of just telemarketing, collections and surveys with no compensation for your time.

The outbound calling apps we build also go way beyond “read-only” notification calls. These are interactive calls that let you do things like ask to have a message repeated or reschedule the call for a more convenient time. Rescheduling a call using DTMF (i.e., pressing digits on a keypad) is terrible compared to doing it with speech. For this application, speech recognition is also used to prompt for how you want to receive your check in confirmation, check in for multiple flights, collect information about infants or passengers under the age of thirteen, ask about upgrades, and a lot more.

4/2/2008: 9:58 am: Robert: Speech

SpinVox certainly has come a long way in the last few years since I checked out their service for converting voicemails to text. They launched at nearly the perfect time. Large vocabulary speech recognizers have been around for a long time, but in the last few years they have become particularly plentiful and cheap.

Also, SMS has taken off in the US to the point that there is now a huge number of potential customers who would be interested in getting the gist of a voicemail texted to them. There is also a fast growing population of users with phones capable of email access who would want the full transcription emailed to them so they could review it and potentially respond. If the voicemail message contains things you might want to write down, like phone numbers, names, addresses, etc., the automatic transcription saves you even more time. Of course, that assumes the transcription is at least as correct as what you would have written down.

Of course, SMS has been popular for much longer in other countries, but language is obviously an issue. Sure there are a lot of potential customers in Finland, but that means you need a recognizer with a very good Finnish language model. But that’s going to help you out only in Finland. Obviously, tapping into a large country that uses the same language as several other large countries is pretty desirable when you are trying to really scale up a business.