In general, not using the platform your users use is a path to trouble. For example, because so many designers in the valley use Macs, we continually have to fight an OS X bias in our design process; when designing something, you tend to calibrate it against what you're used to, but when OS X is only 5% of the market, OS X-based designers of client software end up with a massive blind spot when it comes to understanding what comes naturally to the rest of the world.
One example is font and font size choices - because the system fonts and font rendering styles differ between platforms, it becomes very hard to tell what looks broken or 'not quite right' on the platform you're not used to. It's not uncommon to see sites launch with font choices that look rubbish on ClearType, but if you're not used to ClearType, it's hard to tell whether the rubbish is your fault or not.
Apple's excellent execution and Windows' (no-longer-deserved) poor reputation also mean you frequently hear excuses for this behavior like "Windows users won't care because they don't care about design" or "The Apple way is better, so we should do it that way on Windows too". Both of these are infuriating and lead to terribly designed products.
5% of 'the market' does not translate to 5% of users on your site.
Depending on the site's demographic, as a developer, I see approx 15% Mac users making up traffic. Not to mention an ADDITIONAL 25% iPhone users. That's an average of 40% of Apple traffic on the sites I work on. Some of which are getting 30k - 60k hits a month. Obviously this isn't the same stats across the board on all websites... but it is by no means FIVE percent.
Indeed. According to Google, something like 39% of viewers on my blog are running Windows and 9% are running IE. There are more Mac and Linux users together than there are Windows users....
Somehow I don't think this translates to the general market.
A good example of this can be found on SoundCloud. They load a placeholder image that represents the common sharing widgets and then let the real widgets load over them. The problem is that the font rendering makes it look weird on any platform except the dev platform: http://i.imgur.com/lejjI.png
Oh yeah, that's an annoying one and we have that problem too. We have sharing controls that reload as you cycle through images - but the delay / iframes reloading for the share widgets looks terrible. To get around it we use fake versions like SoundCloud.
Really depends on how you divide up the market. Mac users will pay a lot for perceived quality, and they will buy upgrades. I'd point you at Wil Shipley's arguments. It might be a lot easier to get $50 from a Mac user, or it might be easier to get $5 from 10 Windows users. They're just very different. Doing a half-assed job on either side isn't going to win you any fans.
But, yeah, if half your money comes from Windows, you should really focus on Windows. The growth potential there is just staggering.
Agreed. I don't know if it's just me, but Helvetica looks rather bad on Windows. I've found that Segoe UI almost always looks more pleasing, and yet Helvetica is omnipresent on the web (partially because of Twitter Bootstrap).
I can't verify this, but unless you installed Helvetica manually, Windows installations won't have it and will fall back to whatever is specified next in the family (usually Arial or the default Sans Serif).
Why would you need to run a dev environment on Windows? Keep running your dev environment on Linux and SSH to it using PuTTY/Chrome Secure Shell. Works like a charm :)
I have an Android 3. Never updated it, never customized anything.
This phone is so terribly broken and nonfunctional at times you wouldn't believe me.
I decided against focusing on Android mobile dev (although I'm a GNU/Linux guy) because the experience is so friggin terrible, and Google is just letting the carriers molest the users at this point.
>If MS was serious about this only being for security they could issue the certificates for free and prove me wrong.
Make it too easy, and the scamware software will just get a free cert and sign apps.
It takes some amount of effort, possibly by a human, to approve you to receive a cert.
Even the "free" certs I've applied for have taken time and human interaction on the side of the registrar, and I'm certain those certs are offered as loss-leaders for their other products.
I'm unfamiliar with many of these certificates, but is there any reason such 'scamware' wouldn't be able to get one even though it costs money? Because, if they still can, then the whole certification business definitely seems like a big scam to me.
The certificate authority should revoke their signing certificate if their binary is found to contain malware, returning them to the big warning state.
Okay, "free" was poor phrasing. I should have said "no extra charge". Compare this to the situation described in the original article, where the developer had to buy a separate $59 certificate from a third party, on top of what Microsoft charges you for Visual Studio (which looks to be $499 for the cheapest non-evaluation version).
Express isn't an evaluation version. Also, it's trivially easy to get set up with BizSpark if you're a small startup and get free copies of Visual Studio.
No mobile apps, no conventional desktop apps, no command line apps... looks pretty "evaluaty" to me. Also: "private developers will have to pay $49 a year, corporations $99 a year."
So, on the one hand we have (from Apple):
Xcode (free or $5.00, depending on what kind of mood Apple is in that week)
Developer program with store access: $99/year
Code-signing certificate: included.
From Microsoft we have:
Non-crippled Visual Studio: $499
Developer program with store access: $49-$99/year
Code-signing certificates: must be purchased separately from a third party.
Sorry, but Microsoft backpedaled after the bad press. You can download Windows 8 development tools for free now. [1]
Your info about "no command line apps" is also outdated. It USED to be true, but I have VS2010 Express, and it came with the command line tools:
c:\Devel\Msdev.2010\Common7\Tools>vsvars32
vsvars32
Setting environment for using Microsoft Visual Studio 2010 x86 tools.
c:\Devel\Msdev.2010\Common7\Tools>cl
cl
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
usage: cl [ option... ] filename... [ /link linkoption... ]
c:\Devel\Msdev.2010\Common7\Tools>
I also use Xcode, and it's ... not nearly as good as Visual Studio, though I am liking the new Eclipse-like "compile your code as you're typing it" real time error markup. A friend tells me that Xcode can be configured to be sane, but I haven't given it a try yet.
Some combination of distributed notaries, warning for unusual certificate conditions (e.g. certs changing when they have lots of time until expiration -- Dear Google, please stop doing that), and other ideas.
When given the option to choose who to trust, the vast majority of users will stay with the defaults, which are chosen by Google, Microsoft, and Mozilla. That's not fundamentally different from what's currently in place.
Tack is much more interesting. I'm too sleepy to fully understand the proposal, but what I've gathered so far looks promising.
It could be structured based on kittens and be at least as secure. I could steal a guy's wallet, copy his ID, slip it back or just throw it out, buy a certificate, slip virus-laden software and it would get a huge seal of approval.
That's not much of an argument. It's not very easy to mug someone from Nigeria. Eliminating a remote attack is a big deal.
Of course, the sheer number of certs given out guarantees that some bad guys will be able to get one using fake id. But the point is to make malware rare and easier to investigate, not to eliminate it completely.
Most people care less about assurance and more about encryption. I.e., unless you're subject to a MITM DNS attack, you're a lot less likely to be directed at the wrong paypal.com than you are to say, have your password sniffed off the wire, or by a keylogger on the local machine.
And that identity assurance is where most of the scam comes in. Encrypting communication securely is dead simple (from an implementation standpoint - pick a cipher and go), making sure server X actually represents who they say they do, that's a whole different can of worms.
Many users have figured out that if they click the OK button (or maybe the Cancel button), the dialog goes away. In this case, they know that they get what they want (downloaded file) if they hit the right buttons; they've probably hit exactly this before, on innocuous programs, and don't trust the warning messages.
Or we might just have a bunch of reasonably-savvy users that have realized that lack of a signature is not the same as untrustworthy software.
Racketeering indeed! I am sure that was the goal of the SmartScreen filter in IE. Cert vendors and MS must have colluded to add this feature so that developers of all binaries are forced to buy certs. Right?
I'm sure a large part of the reason Microsoft wouldn't offer it for free is that, at the time, any effort on Microsoft's part to enter a new market off the back of an existing market would be scrutinized pretty heavily by the DOJ. They couldn't even add virus scanning functionality to Windows because of anti-trust concerns.
He said "at the time", which I guess refers to the difference between Smartscreen's release which was apparently 2006 with IE7; and MSE's 2009 release.
If you are creating a Windows binary and expect a user to download it, you should be signing the binary. Period. It's not just IE that considers unsigned downloads suspect, many antivirus programs do as well. If you are proud of your work, sign it.
This is one of those times I miss the upvote counter on HN. I think it's important for the makers of StartSSL to see just how many people agree with you that their interface completely sucks. Without the counter, it just seems like one person's opinion while I bet many people agree.
HN and all other web sites are there for whatever purposes their users wish to use it for, within the constraints of whatever actions are implemented on a site.
This is one of the things that infuriates me about StackOverflow and its army of article closing moderators. A real community will change its practices and perceptions over time according to the needs of the community. If you have a subset of people who decide what a site is for, forever and ever without change, then it's not a community, it's a cast. Or it's a system of castes.
It could be a bit cheaper, but I'd hope SSL certificate vendors would be putting some work into identity verification. You know, making sure the person with an @gmail.com e-mail is the right person to send the gmail.com SSL certificate to. That could mean manually checking scanned copies of legal documents, making some phone calls, maybe even faxing or sending some things by post. Look at all these requirements Mozilla have to include your CA certificate! http://www.mozilla.org/projects/security/certs/policy/Inclus...
$60 sounds a little high to me, but if you think you could do it for substantially less, why not set yourself up in competition with them?
Because I was commenting on the price for a dev certificate. There are already free SSL certificates for https that don't cost anything, or only 10 USD/year.
In that case, it is harder to provide. As far as I know, most SSL certificates just validate the domain name, while code signing certificates validate the developer/company identity.
I've been buying Comodo authenticode certs for years through KSoftware - http://codesigning.ksoftware.net/. The prices are much lower than buying directly through Comodo and the service is excellent.
If you're on Windows, one thing to keep in mind is to use IE or Firefox when buying the cert. After the purchase is approved, you need to navigate to the site in the same browser that you purchased it, and only IE and FF are supported.
I totally agree that maybe people shouldn't HAVE to buy certificates for their binaries. In that case you should be making moves towards eliminating that process; ignoring the fact that it's necessary in the current market and then being upset when you're missing 50% of your profits is a whole other story entirely.
My family taught me to always do the right thing, which, most of the time, is neither the most convenient nor the most profitable.
It should be trivial to provide a free binary signing service that required some steps to prove the person (or website) is the person asking the binary to be signed (much like Google asks me to upload a file or set up a DNS record) and match the file signature to the URL of the download. Let's not forget everyone who would rely on it already paid for a license of Windows.
Of course, this would probably kill download sites, but the internet would be better off without them anyway.
It's possible that the reason Authenticode doesn't work like this is legal rather than technical: it was deployed at a time when Microsoft was already subject to considerable regulatory scrutiny for a wide variety of alleged anticompetitive practices, so, independent of motivation and technical merits, scary warnings about third-party code not "certified" by Microsoft may have been legally ill-advised.
That's exactly my point. This is clearly an issue of business and not "pride", so the whole "pride" argument to shame someone into a business decision is really questionable.
I read that as a response to the parent - "If you are proud of your work, sign it" - pointing out that "pride" could reasonably cut either way, so it's a spurious argument in the first place.
I've been a vocal supporter of the "don't worry about Internet Explorer" crowd. However, in this case if you have a Windows app that you want people to use, your target market is indeed Internet Explorer users.
I'd love to hear how this isn't grounds for a product disparagement lawsuit. Are any attorneys familiar with SmartScreen Filter?
A couple of relevant points that may be overlooked:
1) Signing your code, even with an expensive class-3 Authenticode certificate from Verisign that allows you to sign kernel drivers, is no guarantee that IE will not accuse you of distributing potential malware.
2) Contrary to various postings by Microsoft, there appears to be no avenue for appealing IE's poor judgement calls. This happened to me a few months ago -- again, with a signed .exe -- and all of the links on microsoft.com that I followed to submit my download to a whitelist went nowhere useful.
3) Mentioned in the article but worth emphasizing: the ridiculous "This application is not commonly downloaded" criterion almost seems designed to penalize smaller vendors who release frequent updates.
This SmartScreen bullshit is one of those cases where if you're not outraged, you're either not paying attention, or you're profiting from the scam somehow.
Do you have a better idea? Signature-based malware scanning is a joke and a half. I know CAs can be gamed but unless you're proposing a better solution then don't complain.
Yes; they can do what they're doing now, but drop the scary language. Scaring users with non-specific threatening language does not enlighten them.
Since it's almost unheard-of for malware to be signed with a legitimate, unrevoked certificate, they could also afford to give signed executables much greater leeway when deciding what to report to the user. People seem to be assuming that signing the .exe is enough to keep the dire warnings from appearing. That is not the case, or at least it wasn't the case a few months ago.
Finally, they can provide a standardized method for whitelisting URLs (and not individual executables) instead of what they're doing now, which is apparently nothing.
They are giving signed EXEs much greater leeway, since the publisher is verified by a CA, providing a secure base on which the publisher's reputation is determined.
So what's better? The App Store model, where you pay 30% + $99/year to sell your apps? Or paying for a certificate to prove your software's originator identity? Even OSX will likely soon make buying outside the Mac App Store cumbersome. About the only "free" market is Android or the Web.
I suppose if you're selling to the Windows market, the App Store will be required in a few years as Metro becomes the dominant Windows UI (and Metro apps have to be sold in the Microsoft App Store).
Certification costs money, and certification is a thing in many industries. I notice nobody is banging pots about ASE certification for automotive techs?
I mean, it's true, there is a difference here- the active "This software isn't certified" notification- but is that a critical distinction?
Put it this way. What is the first thing that springs to mind when someone is scaring off your customers demanding, sorry, politely implying a payment to stop?
Yes, yes, yes, I know. Security, user safety, lots of lovely logical arguments for it, I'm sure there are plenty. But strip it back to basics and, well, there it is. I presume since MS is a big huge "evil" business which probably funds some political rodent it's all cosy and legal.
Or maybe cost of doing business? I mean, I can self sign SSL certs, so why does the browser give me warnings on https URLs? Mozilla must be arm in arm with Verisign. I'm shocked an open source company could be this evil. I will never browse the internet with Firefox again. I hope they get burnt for this.
In Windows 8 the SmartScreen filter is part of the OS and not just IE. Even if you download unsigned code with another browser, trying to run it will result in the same nasty warnings.
Although ~half of your revenue came from the IE users, the numbers may not significantly improve after resolving this issue, as the IE users that completed downloads are also the IE users invested enough in the application to download it despite the IE warning.
That's an interesting question, so I gave it a try just now.
On Windows 7 with IE 9, there were no warnings presented when downloading the zip file containing the unsigned installer executable. When the installer was extracted from the archive and run after the download completed, I got the standard Windows security warning about "The publisher could not be verified", which was far less scary than the SmartScreen warning.
So yes, it looks like that could be a viable work-around.
On the subject of conversion rates, the Download and Buy links are separate, with no mention of an unregistered trial or watermarked demo mode. That uncertainty might be affecting your tryout rate. If the "Download" button said "Try it!", then the certainty that there is some usable trial would be higher. Side note: I notice that the (watermarked) saved images lack EXIF info - is that preserved in the registered version? This is very important for many photographers...
I've done some A/B testing with various download button labels, but I should probably go back and do it again now that I've switched from a 30-day trial model to a watermarked-demo model. As for preserving EXIF data, I think that should be an easy change, so I'm going to add that one to the feature list.
Gatekeeper is not nearly as bad for small developers, though. Unless Microsoft has started offering, as part of a $99 MSDN subscription, the ability to generate a signed certificate that doesn't expire for five years automatically from inside Visual Studio as soon as you've signed in with your Microsoft ID.
The problem with Microsoft's strategy has always been the reliance on companies like VeriSign for whom recurring revenue from certificate renewal is a primary revenue source. And when I've had to deal with VeriSign for code-signing certificates in the past, it's easily cost more than $99 in time ("I'm sorry for the delay, but could you please fax that to us again, only this time, on official company letterhead?").
Verisign is a massive scam. Their SSL certs, for example are several hundred dollars. They get away with it because the big corporate-types have "heard" of verisign and "heard" they need security.
Last I checked, you didn't even need the $99 Mac Developer program to get a signing certificate. You just needed an Apple Developer Id. The $99 program allows you to submit apps to the app store and gives you access to pre-release binaries, etc.
Even better — I was already a member of the paid program when Mountain Lion was announced, and this point wasn't clear from the original announcement.
Even more significant: as a registered developer, it took me less than ten minutes on developer.apple.com to obtain a Developer ID, to use it to successfully sign an executable and an installer package, and to verify the resulting signatures.
In contrast, as an MSDN Universal member, Microsoft directs me to a list of root certificates installed in current versions of Windows [1], leaving me to puzzle out which are willing and able to sign third-party code-signing certificates (as, presumably, organizations like the French Secrétariat Général de la Défense Nationale are not).
As an aside, the official copy of this list is posted on TechNet as an unlocked wiki page I'm permitted to edit!?!
I keep hearing that all I need is a developer ID to get a signing certificate, but nowhere on the developer website for Apple do I see where I can get this certificate without first forking over $99 for the Mac Developer Program...
I was under that impression as well--perhaps something has changed since the initial announcement--but certificates are not free. I just went through this process with my free, non-App-Store Mac app, and there was no way to do it without paying $99.
That sounds like a completely different product. He would need to maintain infrastructure and an entire software stack under his deblurring program, design an API and/or security-hardened web interface to upload and retrieve photos, and consider bandwidth costs for every photo uploaded and downloaded.
Pretty much spot on. Deblurring is extremely CPU intensive, so it would take a lot of hardware on the server side. Or, I could do something like a CUDA port, but then that would mean owning and grooming my own servers, since decent GPUs are still rare beasts on leased dedicated servers.
The more likely route for Mac support is to release a native OS X version, since the GUI is written in Python and the underlying deconvolution stuff is written in portable C++.
Back in May, Jeff wrote on his blog: https://www.blurity.com/blog/2012/05/01/blurity-is-back/ "What happened to the web version? In short, the market happened: nobody wanted web-based photo blur removal. A minor pivot, but a pivot nonetheless!"
This seems to be that effort: http://fixblurryphotos.com/ Blurity is mentioned after the deblur is performed.
Yeah, fixblurryphotos.com was an experiment to see if people would be satisfied with very simple photo improvements rather than the full deblurring power of Blurity.
When I was experimenting with the SaaS version of Blurity, I found that many of the people who did eventually make purchases were, firstly, interested in only a single photo; and secondly, satisfied with the most trivial of improvements. I lamented that those people would be just as satisfied with auto-levels and unsharp mask as they were with Blurity, so my friend Tyler threw exactly that simple service together in about 10 hours.
The results? Turns out that people aren't willing to pay for something simple like that after all.
Tell you what, if I was stuck without _my_ laptop, but had access to a random web-connected computer, I'd pay for a day's worth of emergency access in a pinch, to crop/deblur/resolution-enhance/color-balance some photos for a deadline...
Thanks for sharing the numbers. Great to see the process by which you worked out how much it was costing you. Good wakeup call really. Shame it took you so long to cotton on.
That's probably because the news.ycombinator.com certificate is rooted in an Entrust certificate thumbprinted "50 30 06 ...", trusted by Windows [1] but not Windows Phone [2].
Yet another reason Apple's "one and only one way to do it" approach to code signing certificates may not be such a bad idea after all.
Interesting. I had some initial problems with installing the certificate for blurity.com when I got the intermediate cert chaining backwards, but this is the first I've heard about problems since I fixed that a few months ago.
Could you drop me an email at the address in my profile? Thanks!
A quick Google search turned up this [1], this [2], and this [3], all of which seem to indicate that StartCom certificates were unsupported on Windows Phone, at least as of 7.0 RTM. So the problem may indeed be as simple (and frustrating!) as an untrusted root.
If you care about your product you have to draw a line somewhere. The more developers that take a stance and don't support the criminal negligence of IE's support of broadly accepted standards the sooner we can all eliminate needless time costs of making sites agnostic to the point of stupidity.
Huh? The issue was with an .exe not being digitally signed and IE's scary warning that it might be malware. Very similar to what Apple are going to do in 10.8 (Gatekeeper).
You have created the perfect layman meter. I can't think of any of my friends or colleagues who would even consider searching for such a program since unblurring cannot be done.
Didn't use your program but this can be proved mathematically.
These people will never use Explorer and even if they would,
they are the kind of crowd who actually reads error messages.
On the other hand you have my grandma, aunt. Random old folks who fall into the red message = panic & insta call super urgent call to me.
So yea far more layman are using IE
Sent from Android.
As for the cert. When you know about it you simply explain this on the page.
If I'm understanding you correctly, you think only laypeople would search for such a thing because more knowledgeable people think that what the program is doing is mathematically impossible? Sounds like a classic example of thinking you know more than you do, and trying to look at the world as binary, black and white.
In actuality, images have a wide range of sharpness. In this case, Blurity can improve the image. (Using mathematics no less!) Will it be perfectly sharp? No, not always, but it will be better. And that's something people will pay for. Even experts.