Archive for the 'In the News' Category

Last week’s “Reader/XSS Scare” kerfuffle

Monday, January 8th, 2007

Last week, loud noises began emanating from a variety of online security experts regarding a vulnerability in Adobe’s Reader browser plugin that can allow malicious code to execute on a user’s system via cross-site-scripting (XSS).

The headlines were choice: “Adobe bug may be worst flaw of 2007”, and “Adobe Flaw Means Trusted PDFs May Be Treacherous” are just two examples.

I’m not a security expert, but I know a thing or two about Adobe Acrobat and Reader, and thanks to an earlier career in politics, I know something about the media as well.

My general recommendation for anyone who consumes newspapers, websites or blogs for subjects of any complexity is this: Check in on stories weekly. That way, you’ll get a far more sensible read on the so-called “news” than you will garner from the rankings-adrenaline junkies who dominate the 24 hour news cycle. For me, The Economist is the world’s single finest source of news; in no small part because it is published weekly.

This newest PDF scare is a case in point - the result of parallel mentalities in the computer security and news-gathering worlds: jumping the gun.

Today, we learn that some people were actually bothering themselves to test the original claims over the weekend. The latest headline? “iDefence backtracks on PDF scare”.

Here’s Adobe’s statement on the subject. They are planning a fix for older versions of Reader. Since the “dangerous” combination of Reader and browser is so inherently unusual anyhow (how many installations of Firefox aren’t automatically updating themselves?), in my view, this “flaw” is close to a nothing-burger, the result of a headline-hungry and woefully incautious computer-security hype-machine.

One other point worth noting. In describing this security problem, Symantec’s Hon Lau makes the following claim:

“What this means, in a nutshell, is that anybody hosting a .pdf file, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime.”

This is, frankly, nothing more than a cheap grab for headlines, and of course, it worked. Yes, Reader’s XSS flaw requires a link to a real PDF file that exists on the web. It could be any file - which one doesn’t matter. Just because a bad guy may use any PDF on any website as his link-target does not in ANY way implicate the owner of that PDF as an “unwilling partner in crime”! We are discussing fraud, no more, no less - certainly no different than any other fraud committed online. Suggestions to the contrary are unwarranted, inflammatory and unworthy of a respected computer security organization.

Acrobat 8: The MacAddict Interview

Thursday, December 28th, 2006

I’ve been working on “live” files using Acrobat 8 Professional for some time now, so my initial reactions to the latest version of Acrobat are a little more seasoned.

I had this in mind during a recent interview for MacAddict magazine.

Since I went on at greater length than they could possibly print, I thought I would inflict the balance of my words on you, the helpless RSS robots (and occasional human) monitoring this Blog.

> What is your overall opinion of Acrobat 8?

The vast majority of desktop PDF users still think of Acrobat and PDF for basic create/view/print applications - if, that is, they don’t think of them collectively as just “Adobe”. With XPS looming and competition stiffening, Acrobat 8 represents a serious effort on Adobe’s part to awaken end-users to PDF’s higher uses. The redesign is new-user friendly, yet includes some neat tricks for power users that help to smooth out certain grumbles. There’s not a lot that’s strictly speaking “new” in Acrobat 8, but there are a lot of very powerful refinements, and some key additions.

> What are the most important new features for the average user? (Whomever that is.)

Oddly enough, it’s very hard to say - testimony to the very breadth and depth of the toolkit. The very first Acrobat users thought it was a prepress tool. For others, it was (and is!) a document assembly and distribution tool, or a scanning tool, or a platform for developing interactive PDF forms, or archiving documents, or commenting. There are many other equally dissimilar tasks in which some aspect of Acrobat is considered vital. “Swiss army knife” remains about the fairest overall description.

Perhaps the most important single change is the effort Adobe has put into helping newer users get more out of Acrobat than just the very basics. In Acrobat 8 most (but not all) of the tools got either a little or a lot better, depending mainly on what you need and how cleverly you use them.

That said, from my “knowledge worker” perspective, the single biggest new feature is the ability to “bless” PDFs using Acrobat Professional so the free Reader can save a user-filled form before printing or submitting it to a server.

> What are the most important new features for the vertical markets (e.g., government, manufacturing, legal, etc.) Does anything stand out in this regard?

Allowing Reader to save a form stands out in any context. Every industry uses forms, and extending this capability to Reader is BIG, without a doubt.

The legal community seems excited about redaction and bates-numbering (which surprised me, since excellent PDF redaction AND bates-numbering software from Appligent has been around for years), but government, publishers and others who want to make their PDF files more accessible (or PDF/A-1A compliant) won’t find substantially improved tagging tools in Acrobat 8.0.

Unlike Adobe, I don’t really believe traditional verticals are especially meaningful when it comes to PDF and Acrobat. There are many seemingly subtle enhancements in Acrobat 8 that offer immense opportunity for streamlining regular and ad-hoc work processes in many verticals. That’s because these are really document processes, not vertical processes.

Take the upgraded Combine Documents tool for example. Notice that this slick, easy tool now allows users to select and convert individual pages from different sources, preview the results and save that overall configuration for reuse. Workgroups large and small can continue to update documents individually, simply pushing the “easy button” in Acrobat 8 to combine all efforts together at the end of the day. Very cool. What vertical needs that? Any of them could really use it, and it’s only one such feature.

> Are there any often-requested features that aren’t in Acrobat 8? (i.e., What are the key missing pieces?)

While Extended Rights via Acrobat are great, the way they are implemented (and limited) in the EULA (End User License Agreement) makes little sense. Adobe has set a legal, financial and/or logistical cliff at the 500 user or 500 forms mark, depending. If LiveCycle is to meet the potential, Adobe needs to put (a lot) more attention into smoothing the transition from desktop to server-orientation in this area.

I was also quite disappointed to see very little improvement to the tagging tools. Ensuring that content semantics may be extracted from the document is a key aspect of making documents usable by those who must use assistive technologies to read. From accessibility to PDF/A to content reuse, automation and search-engine optimization, meaningful semantic tagging isn’t going away as an issue and there are a lot of corollary benefits to getting it right. Adobe needs to get going here.

I have to also say that it is well PAST high time that Adobe upgraded the JavaScript editor and made the power of JavaScript in PDF more accessible for the newer user, and less frustrating for the leathery Acrobat javascript gurus who can really make PDFs fly.

> Is Acrobat 8 a good value for new purchasers and upgraders?

Acrobat 8 Professional is an especially good value for new purchasers. While the application as a whole is very wide and deep, it is now laid out in a way that is fundamentally more approachable for new users. The new Combine Documents feature alone, if carefully studied and implemented, could deliver dramatic document-assembly benefits to distributed teams in almost every desk-bound organization.

Upgraders will find many improvements, even if the tonka-toy icons, unnecessary and lurid alerts and uber-prominent navigational panel cause distress. Adobe has yet to decide whether (or how) to trust Acrobat javascripters, putting a drag on the uptake of PDF in advanced forms and kiosk applications.

Adobe Document Center: Security you can really use

Monday, December 11th, 2006

Those who read my (too) frequent tirades know that Adobe has to do a lot to impress me. In that spirit, I am VERY happy to report that Adobe has (finally) done something really smart in marketing a LiveCycle product; they’ve put a Policy Server online for anyone and everyone to try out at no charge - through the end of 2006, at least.

Simply put, Adobe’s new Document Center allows you to secure PDF (and now .doc and .xls!) files in meaningful and really useful ways. No dinky, readily cracked passwords here! With a couple of simple clicks at the Document Center, you can:

  • Ensure only specific recipients can view a file (based on verified email address)
  • Restrict printing or copying file contents, even with “authorized” recipients
  • Set specific time-periods where access is or isn’t permitted
  • Allow documents to work offline for a specific time-period before “calling home” to log offline access
  • Cause PDF files to “embargo” themselves until a specific date and time
  • Cause every copy of a document to “expire”, and (optionally) prompt the user to retrieve an updated file.

You’ll need Adobe Acrobat Standard or Professional 7.05 or higher to access the Adobe Document Center, but users with Adobe Reader 7.0x or higher will be able to view your encrypted PDFs - if you’ve specifically allowed them to do so. You’ll also need a (free) Adobe ID, which is reasonably painless. NOTE: Your files are NOT uploaded to Adobe in the encryption process, so you need not worry that Adobe will suddenly know your secrets.

So, get over to dc.adobe.com at some point in the very near future. I guarantee you’ll be impressed as well. You may even be thinking “Wow, this is kind of crude, but now that I’ve seen it, I wonder if I could live without it?” I suspect that’s the idea.

The Adobe Document Center is FREE right now, for a limited time only, at dc.adobe.com.

A PDF Perspective on Google Book Search

Friday, September 29th, 2006

A lot of people sat up and took notice when Google announced their book-scanning initiative. And not for nothing; when a company as powerful and innovative as Google says they are going to do something, it’s usually worth watching.

Per my earlier promise, I’ve been sniffing around this new Google site.  From the PDF Perspective, then, a brief review of Google Book Search.

Background

The end-product of a massive scanning project, Google Book Search is intended to eventually span millions of books.  For many works in the public-domain, Google makes complete cover-to-cover scans of the book available to users as images in an online viewer and also… you guessed it, as a PDF.

The Imaging Work

Overall, the scanning quality is average, perhaps very slightly above average. The black and white pages from each book are captured with JBIG2 compression, and are overlaid by a clever grayscale “screen” to produce the “patina” of an old document. Nice touch - it keeps the file-size very low indeed while preserving at least some of the “atmospherics” of an old book. Google managed to suppress edge-artifacts for the most part, but I’ve certainly noticed errors which should have been caught during imaging… about 1 in 300 pages or so has a boo-boo of some sort. Not too bad, but not too good either. For the price they are doubtless paying (and charging) for the service, I’m sure Google thinks it’s just fine the way it is.

Google’s Book Viewer

This gadget displays an image of each page in your browser window, complete with buttons to move forward or backwards through pages, or to go to a specific page. If you’re looking at the page as the result of a text-search, your search-term is highlighted, although this works less well than it should - the highlight is usually “off”.

The book’s own Table of Contents is provided via adjacent links, as is information about the publisher and current editions available in print.

The downloadable PDF files

The first thing to say about the files I’ve downloaded from Google Book Search is that they are very “lightweight” - from 8 to 20 kb per page in size for “black and white” pages. Very nice… but in their zeal to produce the SMALLEST possible PDF files, the Googlistas left something important (actually two somethings) OUT.

  1. There’s no searchable text!  Users who want to locate a word or phrase are out of luck. OK, they want you to do your searching online, not offline… fair enough.  But if you were thinking about doing something offline that involves text search or extraction, you better reconsider.
  2. The OCR engine used to generate the text needed to support the full-text search feature online is so-so at best.  I suspect it was selected for speed and robustness rather than quality.  In fact, I’ll go further, and guess that Google wrote their own OCR engine.  Either way, they could have done better.
  3. There aren’t any bookmarks!  Users who might prefer to actually NAVIGATE a 300 page book rather than simply turn pages are also… you guessed it… out of luck.
  4. Since they don’t include text, the files aren’t (can’t be) tagged, and are completely inaccessible to disabled users.
  5. File properties are left at Acrobat defaults.  Clearly the presentation of the PDF (ie, the end-user experience) doesn’t overly concern the Googlistas.

Overall, the service is, of course, free, so whining about it most likely won’t change anything.  It’s a good thing too… I recently found a fascinating “Glossary of Words Pertaining to the Dialect of Mid-Yorkshire” from the 1870s.

If I could ask them to change ONE thing, it would be this: It’s clear that Google is capturing the necessary metadata (how else do they create links for a table of contents on their site) when they scan the book, so it’s really mysterious why they don’t go ahead and slap that data into each PDF in the form of Bookmarks. Who knows?  If Google Google’s this blog post, maybe they’ll fix it!

Reader can Save: A New Day Dawns for PDF

Monday, September 18th, 2006

With Acrobat 8, everything changes

Reader Save!
A PDF form enabled for Reader Save in Acrobat 8 Professional may now be completed and SAVED using the free Adobe Reader!

From the introduction of forms technology to PDF nine years ago until today, users with the free Adobe Reader could certainly fill out and print a PDF form (if, in fact, it included form-fields), or submit the form to a server, but that was the limit. Could they save their work along the way? No. Could they fill out part of a form, and pass it to a coworker to check over and complete? Nope.

PDF forms offer an easy yet sophisticated way to move existing business-processes from paper to the computer without losing the connection with paper workflows. This capacity was intentionally hobbled in the free Adobe Reader, sending most users to the printer once they’d filled-out a form. Quite apart from end-user frustration, the limitation effectively precluded implementation of PDF forms in many distributed applications where end-users could not be expected to own Adobe’s $300 Acrobat Standard software.

PDF forms exploded nonetheless. From the IRS to the smallest non-profit, organizations everywhere found a myriad ways to use PDF forms, Reader Save or no. The ability to add typed text to a form that would faithfully reproduce itself when printed was an obvious winner.

Naturally, almost as soon as the forms capability was introduced to PDF in Acrobat, users and third-party developers alike began asking for (nay, demanding!) the ability to save completed forms to the user’s own computer using the free Reader. The absence of the feature was (rightly) regarded as the single biggest barrier to wholesale implementation of PDF forms. Adobe Systems understood this, but also understood that Reader Save had major revenue potential, and thus were in no hurry to give it away for free.

After an abortive attempt at a low-cost “Reader + Save” product called Acrobat Approval, (junked to howls of protest from 3rd party PDF developers), Adobe Systems faced the demand for “Reader Save” capability with the development of the Adobe LiveCycle Reader Extensions Server (ARES), the basic purpose of which is to “bless” PDF files with various “extended rights” - including the ability to be saved with Adobe Reader.

Acrobat 8

ARES remains very, very expensive, and the typical customer is a large corporation or government agency with a major forms headache and a server software budget in the high five figures. The lack of an affordable Reader Save solution helped foster the so-called “Acrobat Alternatives”, including ARTS Nitro PDF, Nuance’s PDF Converter and Global Graphics’ JAWS PDF Editor. Besides replicating many of the most popular functions in Adobe Acrobat Standard and Professional, these lower-priced products allow users to fill and SAVE a form right there on their own computer.

And then, late last year came word of Microsoft’s foray into PDF creation. Ouch. So what does Adobe do? It was time for the heavy artillery.

Adobe’s Response

The Acrobat Alternatives and Microsoft’s PDF software exist only because Adobe Systems elected to publish the PDF Reference. This move made it possible for any sufficiently competent software developer to create and edit PDF files without any Adobe software. This was, in a sense, a calculated risk. The move could spawn competitors to Acrobat, but on the other hand, a world awash in PDF (from whatever source) could only be a good thing.

Distribute Form in Acrobat Professional 8.0

What Adobe did NOT give away, of course, is the code for the free Adobe Reader. This ubiquitous software, installed on hundreds of millions of computers worldwide, is Adobe’s “special sauce”, for only they can build features into Reader that PDF files can unlock.

Even with all of the advanced capabilities in Acrobat 7, most people still buy the software because it can make PDFs, period. The “higher” capabilities of the PDF format barely register for most developers and decision-makers, and are rarely utilized.

Adobe had to change that, or risk increasing peril to the Acrobat franchise. With the announcement of Acrobat 8, Adobe can (and I believe, will) move beyond the perception that “Acrobat is for making PDFs, Reader is for Viewing PDFs”. The ability to add Reader Save capabilities to PDF files creates a compelling reason to purchase Adobe’s own desktop software for creating and managing PDF files - Adobe Acrobat and Acrobat Professional - before any others. Awareness, interest in and adoption of PDF as an electronic document in its own right, not merely as a conveyance for a consistent printout, is about to take off.

Google offers out-of-print books in PDF

Thursday, August 31st, 2006

Google Book Search, the extension of things Google into the world of the printed word, has taken a new step, one much applauded by denizens of the PDF community.

As many readers will know, Google has been busy scanning out of print books, and it’s not a low-volume operation.  Google has now decided to make them freely available, cover to cover, as downloadable PDF files, no charge.

In a forthcoming Post, I’ll take a look at the service, and report on the quality of Google’s offering.  Of course, it’s hard to argue with free… but I’ll try!