Does Chrome need to change it’s mic/camera permission UX?

I’m a little worried about webcam and mic access in browsers at least as currently implemented. (and native apps too I suppose but less so)

As it is, in Chrome, if you let a webpage access your camera (or mic) that page’s domain gets permanent permission to access the camera or mic whenever it wants forever, no questions asked again.

I recently visited one of the early HTML5 Webcam demos that I hadn’t visited in years. I expected to get asked for permission to access the camera. Instead the camera just came on. That does not seem like a good model for web sites that are covered in ads and scripts from all over the net.

I’m sure the Chromium team was thinking of supporting hangouts when designing webcam support and I might be convinced that if hangouts always had access to the camera that might be no worse than a native app. But, it’s the browser it’s not a native app, it’s untrusted code.

Even for communications sites though if I run them in an iframe they get camera permission. In other words, say yes just once and now that domain can follow you all over the net and use your camera and mic, at least as of Chrome 59. Did you ever use your mic on facebook.com to make a call? Well now any page that has facebook social embeds can now use your mic without asking.

I don’t know what the best permission UX is. Always asking might might be tedious for actual communication websites (messenger, hangouts, slack?, …) but not asking sucks for the open web. It even sucks on a communications website if the camera or mic is not something I use often. I don’t want any app to have permission to spy on me. Imagine slack.com, imagine you use it to do a video call just once, then not again for 6 months even though you’re text chatting constantly. During that entire time, at any time slack could have been accessing your mic or you camera. I personally want to opt-in to always ask. I think I’d prefer this even in native apps but especially for the web. The UX doesn’t have to suck. Clicking “call” and having the browser say “this app wants to access your mic, Y/N” doesn’t seem like a burden.

Here’s a demo of the issue.

At a minimum it seems like iframes should not get automatic permission even if that domain had permission before. Otherwise some ad company will make a compelling camera demo just to get you to say yes once to using the camera on their domain. Once they do all their ads all over the net can start spying on you or using the mic to track you.

Even then though there are plenty of sites that allow users to post JavaScript, give access to one user’s page and all users’ pages get access. So nice person makes camera demo, bad person takes advantage that that domain now has access to your mic or camera.

I filed a bug on this about 5 months ago but no word yet. If you think this is an important issue consider starring the bug. Until then, if this concerns you go to chrome://settings/content/camera in Chrome and remove all the sites you’ve enabled the camera for. Do the same for the microphone by going to chrome://settings/content/microphone.

If you use a site that needs access to the camera or the mic, once you’ve given it permission to use the camera or the mic a small icon will appear in the URL bar. When you’re done with the site you can click that icon to remove permission. That’s tedious and you’re likely to forget but it’s better than nothing for now.

Dear Apple, Please make your app stores more internationally friendly

I know we are in the minority but as a person living abroad (Japan) it’s extremely frustrating to use the iOS (and Mac) App stores.

Because my native language is English and I’m from the USA I want to use the USA store. But, sometimes I have to use the Japanese store, for example to download a banking for local banks who’s apps are only available on the Japanese store. Doing this is extremely tedious. The steps are:

1. Go to your home page, swipe to whatever page your settings are on and click the settings app.

2. Scroll down, find, and pick “iTunes and App Store”

3. Click your Apple ID (it’s not clear at all this is clickable)

4. Pick “View Apple ID” (It’s not clear at all this is where you’d change the store)

5. Enter you password. I have a long password with both numbers and symbols. It’s super annoying to type on the phone. No idea why this is Japanese right now.

6. Pick “Country/Region”.

7. Pick “Change Country or Region” (think of this as “yes, I really want to do this”).

Imagine the frustration of students etc who don’t have a local credit card with which to sign up. I’m guessing they beg their friends.

8. Select the region you want.

9. Enter your local address and postal code.

10. Enter your local phone number

11. Enter a local credit card, its expiration date and its code.

All of this takes several minutes.

Then, when I need to switch back I have to go through the same tedious process.

To give an example, Saturday I wanted to checkout Japanese podcasts. The easiest way to access the most popular ones seemed to be to use the builtin Apple iOS Podcast app. So I click it but of course since I’m on the USA store it shows the USA list. I sigh and decide I’ll do this later. A couple of days later I finally get around to switching stores. I check the podcasts just to see it’s showing me the Japanese lists. It is but don’t download any yet. Today I need some network info app for iOS. I find one called “Network Utility” on iOS and download it. It’s not showing the info I need. I check their website to see if there’s an example of it showing the info I need. It’s possible the info doesn’t exist on my phone. I see the same app exists on the Mac App Store. I check it out, I can’t tell but I know the info I want to display on iOS *is* available on my Mac. In other words if the Mac App displays the info I want then maybe the iOS one does too. There’s no free version but it’s only 99¢ so I click “buy” and am then told I can’t use the account to buy it. In other words because I switched my region to Japan and this mac app is on the USA store I can’t buy it without going through all the shit above to switch back to the USA region.

Now I get I’m in the minority, most people stay in whatever region they were born in so this issue probably affects few people (maybe tourists?). But at the same time why does it have to be this way? Why can’t I just register addresses and payment info for both stores and switch easily without having to re-enter it all every time? Or better why I can’t have it automatically use the correct info. Or even better than that why can’t there just be one store? Let me select a region for the charts and recommendations but otherwise put it all on the same store! Come on Apple! You’re the leaders in UI/UX. You can do this!

Don’t disable web security!!!

This basic question is all over stack overflow.

People ask how can they access files when developing HTML locally. They make a .HTML file, then open it in Chrome. They add a script that needs to access an image for canvas or WebGL or whatever and find they can’t. So they ask on Stack Overflow and the most common answer is some form of “Start Chrome with the option –disasble-web-security” (or one of 5 or 6 other similar flags)

I keep screaming DON’T DO THAT! but almost no one listens. In fact not only that the downvote my answers.

Well here’s two proof of concepts of why it’s ill-advised to disable web security.

The first one is an example that will get your stack overflow or github username if you are logged in and you started chrome with --disable-web-security. Of course you probably don’t care that someone is looking up your username on various sites but that’s not really the point. The point is some webpage not related to those sites was able to access data from those sites. The same webpage could access any other site. You bank, your google account, all because you disabled security.

You might say “I’d never run a script like that” but you likely run lots of 3rdparty scripts.

The second example will show files from your hard drive. It could upload them to a remote server. Which files some baddie would want I have no idea. The point is not to show uploading dangerous files. The point is only to show if you disable web security it’s possible for a script, your own or a 3rd party one to access your local files.

Many of you will be thinking “I’d never do either of those” but I think that’s being short sighted. I know I often forget which browser I’m in, the dev one or the non-dev one. If I mistakenly used the dev one with web security disabled then oops.

Of course you might also be thinking you’d never do any of the things above. You’re running your own hand coded webpages with scripts and not using any 3rd party libraries and you never use the wrong browser. But again, that’s not the point. The point is you turned off security. The point is not to enumerate all the ways you might get hacked or have data stolen or accounts manipulated. The point is if you disable web security you’ve made yourself more vulnerable period.

This is especially frustrating because the better solution is so simple. Just run a simple local server! It will take you all of 2 minutes at most. Here’s one I wrote for those people not comfortable with the command line. Here’s also 6 or 7 others.

Sony Playlink

So Sony announced Playlink at E3 this year 2017.

It’s a little frustrating. It’s basically HappyFunTimes.

The part that’s frustrating is in that video Shuhei Yoshida is happily playing a Playlink game and yet about a year ago I saw Shuhei Yoshida at a Bitsummit 2016 party and I showed him a video of happyfuntimes. He told me using phones as a controller was a stupid idea. Is objection was that phone controls are too mushy and laggy. He didn’t have the foresight to see that not all games need precise controls to be fun. And yet here he is a year later playing Playlink which is the same thing as happyfuntimes.

In 2014 I also showed Konou Tsutomu happyfuntimes at a party and even suggested a “Playstation Party” channel with games for more than 4 players using the system. My hope was maybe he’d get excited about it and bring it up at Sony but he seemed uninterested.

Some people don’t see the similarity but I’d like to point out that there are

  • There are happyfuntimes games where you draw on the phone
  • There are happyfuntimes games where you use a virtual dpad
  • There are happyfuntimes games where you tilt and orient the phone like a Wiimote
  • There are happyfuntimes games where you set the phone on the table and spin it
  • There are happyfuntimes games where you’re given various menus of choices
  • There are happyfuntimes games that take live video from the phone and display it in the game
  • There are happyfuntimes games that use the phone like Google Cardboard, multiple people looking in shared VR
  • There are happyfuntimes games that play sounds from the phone
  • There are happyfuntimes games with asymmetric controls where
    • One player is the driver (uses phone like Wii MarioKart Wiimote)
    • One player is the navigator (map only on his phone so has to direct driver)
    • Two players are chefs making pizzas, pretending phones are boxes of ingredients

And many others.

And of course there are also games you could not easily play on PS4 like this giant game where players control bunnies or this game using 6 screens.

And to Shuhei’s objection that the controls are not precise enough

You just have to design the right games. Happyfuntimes would not be any good for Street Fighter but that doesn’t mean there aren’t still an infinite variety of games it would be good for.

In any case I’m not upset about it. I doubt that Shuhei had much to do with Playlink directly I doubt Konou even brought it up at Sony. I think the basic idea is actually a pretty obvious idea. Mostly it just reinforces something I already knew. That pitching and negotiation skills are incredibly important. If I had really wanted happyfuntimes to become PS4 Playlink I should have pitched it much harder and more officially than showing it casually at a party to gauge interest. It’s only slightly annoying to have been shot down by the same guy that announced their own version of the same thing. 😜

In any case, if you want to experiment with games that support lots of players happyfuntimes is still a free and open source project available for Unity and/or HTML5/Electron. I’d love to see and play your games!

Wishing for more Sandboxes

I’m starting to wish that nearly all desktop apps ran in a very tight sandbox the same way they do on iOS.

Windows is trying to do this with the Windows store and Apple is trying to do it with the Mac App Store. The problem is two folder. One is they started with unsandboxed systems and so have decades of legacy software that expects to be unsandboxed. The other is they’ve conflated sandboxes and their app stores. Those 2 things should be separated.

Apps like Photoshop, Lightroom, Microsoft Word, gIMP, Blender, Maya, etc should not need system wide access.

To be clear I am **NOT** suggesting that there should be an app store or there should be an approval process for apps. Rather I’m suggesting that the OS should default to running each app in a sandbox with that app unable to get outside its sandbox without user permission. The permission system should be designed well (like I think it mostly is on iOS) so a native app should not be able to access your entire hard drive by default. It should not be able to read files from other apps by default. It should not be able to use your camera or mic or get GPS info by default. It should not be able to supply notifications by default or read your contacts. All of those things should be requested of the user at use time like iOS does (and I think Android is in the process of doing).

This might seem unrelated but it came up recently when a user on Stack Overflow asked how to make an Electron app from their HTML5 WebGL game. There are a few steps but over all it’s pretty easy. If you’re not familiar with Electron it’s basically a version of Chrome that you can bundle as an app with your own HTML/CSS/JavaScript but unlike a normal webpage your JavaScript can access native features like files, OS level menus, OS level networking, etc.

And there in is the issue. The issue is it’s common to use 3rd party scripts in your HTML5 apps. Maybe you’re including JQuery or Three.js from a CDN. Maybe like many mobile apps you’re downloading your HTML/CSS/JavaScript from your own servers like myautoupdatingapp.com. By doing that you’ve just made it possible for the people controlling the CDN or that hacks your server or the people that buy your domain to own every machine that’s running your app. This is something that’s not true with a browser doing the same thing because the browser does not allow JavaScript to access all those native things. It’s only Electron that does this.

This means I have to trust every developer using Electron to not do either of those things.

On the other hand, this is exactly what iOS was designed to handle. You don’t have to trust the app to the same level because the OS doesn’t let the app read and write files to the entire machine. The OS doesn’t let the app access the camera or the mic without first asking the user for permission.

This isn’t the first time this kind of thing has happened. I’m sure there’s plenty of other cases. One for me is XBMC/Kodi where there are plugins but no sandbox which means every plugin could be hacking your system. Many of those plugins are for websites that are arguably doing questionable things so why should I trust them not to do questionable things to my machine?

I’d even take it so far as I wish it it was easier to do this in the terminal/shell. If I’m trying out a new project there is often a build step or setup step or even the project itself. Those steps often allow code to run, code I don’t want to have to trust. Of course in those cases I could run them in a VM and maybe I should start doing that more. I’m just wishing that that was easier than it is today. Like it kind if wish it was an OS level thing. I’d type something like

mkdir test & cd test & start VM

or

mkdir test & cd test & start standbox

Then I could

git clone someproject .
./configure
make

or

git clone somejsproj .
npm install

And not have to trust the 1000+ contributors above that they weren’t doing something bad intentionally or unintentionally.

Unfortunately without a push by Apple and/or Microsoft it’s unlikely the big software companies like Adobe are going to switch to their apps to the sandboxed systems.

IMO both companies need to separate their sandboxes (good) from their stores (bad). They then need to make it harder to run un-sandboxed apps. Not impossible, some apps probably need system level access if they provide system level services. But, they need to start making it the normal that the apps themselves are sandboxed.

NES/Famicom, A Visual Compendium – Corrections

I very nice book came out with images from tons of NES games called “NES/Famicom, A Visual Compendium“. I saw several of my friends had backed the kickstarter and when they go their copies they mentioned one of my games was in it so I had to buy a copy.

It’s a gorgeous book. I’m not 100% sure I’m into the sharp emulator captures graphics as they look absolutely nothing at all like the original games. As art they’re very cool but as representations of what those games looked like they are far off the mark. You can see a comparison on this article and see how when blown up in an emulator they look all blocky but back when the came out they looked smooth. Still as graphic art it’s cool to see them in the book.

That said I looked up M.C. Kids and was a little disappointed to see things reported incorrectly. I not blaming anyone in particular. I assume it’s an issue of like the game “telephone” where as the message got passed from person to person it got re-interpreted and ended up in it’s present form

For M.C Kids it implies Rene did all the enemies but that was not the case. I’m not sure the percent of enemies created by Rene but IIRC Darren Bartlett and Ron Miller both did enemies as well.

I then notice there was an unreleased section and sure enough there was Robocop vs Terminator listed.

It’s also wrong. It’s says “Graeme Devine moved me from Caesars Palace Gameboy to Robocop Vs Terminator”. What actually happened though is Graeme Devine moved me from Caesars Palace to Terminator NES, not Robocop vs Terminator. I worked on an animation tool to be shared between Terminator NES and M.C. Kids NES. Later I was asked to work on M.C Kids and Terminator was given to David Parry to make Terminator for Sega Genesis. When I finished M.C. Kids and I was no longer at Virgin Games I got a contract from Interplay to code Robocop Vs Terminator for NES.

Trying to help noobs is SOOOO FRUSTRATING!

I often wonder if I’d like to teach. It’s certainly fun to teach when the students are easy to teach ? But where’s the challenge in that?

I wrote webglfundamentals.org (and webgl2fundamentals.org) and I answer tons of WebGL questions on stackoverflow but sometimes it’s sooooooooooooooo frustrating.

I’m trying to take those frustrations as an opportunity to learn better how to teach, how to present things, how to be patient, etc but still… (more…)

After 11 years of waiting The Last Guardian has some how lost the magic

It’s been 11 years since Shadow of the Colossus shipped for PS2. I was such a fan of Ico that even though I sat directly next to the Shadow of the Colossus team at Sony Japan and all I had to is stand up and look over my cubicle’s divider to see work in progress I made my best effort to not look because I didn’t want to spoil the experience of whatever they were making.

So, now, 11 years since then the team has finally shipped their next game, skipping an entire generation of console.

And …. (more…)

Isolating Devices on a Home Network

Call me paranoid but I’d really like to be able to easily isolate devices on a home network.

As it is most people have at a best a single router running a single local area network. On that network they have 1 or more computers, 1 or more tablets, 1 or more phones. Then they might have 1 or more smart TVs, 1 or more game consoles. And finally now people are starting to add Internet of Things (IoT) devices. IP Webcams, Network connected door locks, Lights that change color from apps, etc…

The problem is every device and every program run on every phone/tablet/tv/game consoles/computer can hack all your other devices on the same network. That includes when friends visit and connect to your network.

So for example here’s a demonstration of hacking into your network through the network connected lights. There’s ransomware where your computer gets infected with a virus which encrypts all your data and then demands a ransom to un-encrypt it. The same thing is happening to smart TVs where they infect your TV, encrypt it so you can’t use it and demand money to un-encrypt it. Printers can get infected.

All of this gets easier with every app you download. You download some new app for your phone, you have no idea if, when it’s on your home network, that it’s not scanning the network for devices with known exploits to infect. Maybe it’s just hacking your router for various reasons. It could hack your DNS so when you type “mybank.com” it actually takes you to a fake site where you type in your password and then later get robbed. Conversely you have no idea what bugs are in the app itself that might let it be exploited.

One way to possibly mitigate some of these issues seems like it would be for the router to put every device on its own network. I know of no router than can do this easily. Some routers can make virtual networks but it’s a pain in the ass. Worse, you often want to be able to talk to other devices on your home network. For example you’d like to tell your chromecast to cast some video from your phone except you can’t if they’re not on the same network. You’d like to access the webcam in your baby’s room but you can’t if they’re not on same network. You’d like to print but you can’t if they’re not on the same network etc…

So, I’ve been wondering, where’s the router that fixes this issue? Let me add a device with 1 button that makes a lan for that one device. Also, let me choose what other devices and over which protocols that new device is allowed to communicate. All devices probably also need to use some kind of encryption since with low-level network access an app could still probably manage to hack things.

I get this would only be a solution for geeks. Maybe it could be more automated in some way. But in general there’s clearly no way you can expect all app makers and all device makers to be perfect. So, the only solution seems like isolating the devices from each other.

Any other solutions?