I've been reading a lot of REST vs SOAP falderall lately and it's getting tiresome. Well, some of it is interesting, like looking at whether Bloglines is REST. Anyway, I thought I'd point out the cowman and the farmer can be friends, at least when we both are discussing the smell of the fertilizer. So, four dumb things about XML as a wire format for distributed systems:
  • XML is text. You have to base-10 encode numbers in XML. This is terribly slow and inefficient.
  • XML can't handle binary data. There is no reasonable way to embed a 400k image into your XML. Your choices are to base 64 encode it (whee!) or use some wrapper around the XML like MIME.
  • XML is awfully wordy. I don't begrudge the meaningful beginning tag names and the pointy brackets, but the meaningful closing tag names are superfluous if all your XML is machine generated.
  • XML is complicated. We love XML because it's S-expressions, but it's a lot more too. Entities! PIs (whatever those are). Attributes vs. elements! Three different ways to describe the data model! Awful programming models! It's awfully complicated when what you're trying to do is pass a couple of numbers and a string.
The roots of XML are SGML, a hand-edited markup language for writing documents. I think it's clever that it's been repurposed for distributed systems, particularly since a human can easily read the packets without translation. And I really like the idea of document-oriented web services (whether SOAP or REST). But it'd sure be nice if the document were more friendly to computer data.
  2004-09-30 15:20 Z
This new JPEG vulnerability in Windows has me scared. I'm generally pretty virus-immune: I don't read email on Windows, I've got Norton AntiVirus on my Windows box, and I don't generally run unknown programs. But I do look at a lot of JPEGs. And now there's at least one JPEG virus in the wild.

Windows Update is one of the great unheralded Microsoft technologies. It really works. Well, mostly. I downloaded the various JPEG fixes from them and thought I was safe until I ran GDI Scan, a deep scan tool that tries to find vulnerable versions of the DLL. And it found a vulnerable version, C:\WINDOWS\system32\gdiplus.dll.

Now what do I do? I don't know where to get an update. Do I have to install Service Pack 2? Does that even fix the problem? I'm a software professional and I'm confused. What does the other 99% of the world do?

At least Norton Antivirus blocks it. I downloaded a virus sample and Norton AntiVirus dedicted it as Roxe and wouldn't let me copy it to my Windows box.

Update 2004-10-01. The Washington Post has a story on this. And thanks to Jon Udell I learned about this forum post with instructions on how to run GDI Scan and how to manually patch the broken DLL.
  2004-09-29 16:06 Z
Ken and I had a truly amazing dinner at Campton Place, the hotel / restaurant near Union Square in SF. The new chef, Daniel Humm, is very impressive. We don't have Michelin here in the US, but it compares well to the 4 or 5 fork / 1 star places I've been in Europe. It's definitely among the best meals I could have in San Francisco. If you're looking for an excellent dinner or maybe a romantic overnight you will do very well at Campton Place.

We had the 10 course tasting meal along with the wine pairing. Every dish was quite rich with bold flavours and fantastic texture. The menu was also inventive, a variety of unique combinations. And what a variety! 10 courses is an underestimate. My menu has 13 items on it, and that's not counting a couple of pre-menu goodies. And on top of that the tasting menu was split, with Ken and I getting different items a few times. 20 separate items for a table is quite a feat for a chef to pull off.

And for all that dinner was quite reasonably priced, $85 for the menu and another $60 for the excellent wine pairing. Not bad for one of the best meals you'll find in San Francisco. This chef is working hard: go and enjoy it!

Here's our menu.

More inside ...

  2004-09-25 17:34 Z
Tiny USB hard drives are good hardware. They've revolutionized data storage and interface. Even the New York Times has caught on to USB hard drives for carrying files around. But there's a lot more the USB hard drive interface can do.

The key thing is you can plug a tiny device into your computer and copy files off of it with no special software. So my MP3 players just mount and let me drag my MP3s on. And both my real camera and my keychain camera let me download photos just by plugging it in. So simple, and I don't have to use some horrible software with a proprietary protocol.

Some of these devices are even bootable; you could take your whole Linux environment with you. In the guts of these devices somewhere must be a $3 part, a USB controller that speaks the hard drive protocol. A good thing.

  2004-09-25 17:05 Z
Kerry issued a major new speech yesterday morning criticizing the war in Iraq in plain-spoken terms. The Bush campaign immediately answered, and by the time you get to today's NYT article the story is half about what Kerry said, half about how Bush answered. I counted: 15 inches about Kerry, 14 inches about Bush, 6 inches of context.
Mr. Bush's advisers watched the 10 a.m. speech on television at the White House and set to work with him aboard Air Force One at noon to insert a hard-hitting response into the president's remarks at a campaign event in Derry, N.H.
Just like with the war record flap, the Bush campaign is controlling the debate around Iraq. And it's working.
  2004-09-21 15:06 Z
Working with time in Python is confusing. There are three different standard types for representing time: seconds since epoch, tuples, and the datetime module. And there's common add-ons like mxDateTime and database times.

I was having a heck of a time parsing RFC 822 strings like you see in HTTP headers and email. The problem is timezones are not supported by strptime() or the tuple format. But the Web is my programmer:

def parseRFC822Time(t):
    return calendar.timegm(
      time.strptime(t, "%a, %d %b %Y %H:%M:%S %Z"))
The magic here is the calendar module which has the timegm() function missing from the time module.

Thanks to a couple of readers for pointing out there's also a rfc822.parsedate() function.
  2004-09-19 17:03 Z
I may have found password software that does what I want: Roboform. It's a toolbar for IE and Mozilla/Firefox that, among other things, stores passwords in a 3DES store and lets you back them up to HTML. It seems to work well, with intense AI for figuring out what forms to fill. $30.

But boy is the usability inhumane. You can get a flavour for the design æsthetic by looking at the website, or revel in the screenshots of 15 different screens. Design is a good idea, but Roboform used up all its good ideas on features.

  2004-09-19 15:46 Z
My partner Ken is a small plane pilot. One thing that makes flying un-fun is carrying around and maintaining the stacks and stacks of Jeppesen charts you need for instrument flying. Instead of carrying a full set of paper charts Ken's going digital, with a laptop and a printer and a Toshiba e800 PocketPC. All of this is for PocketPlates, software that prints charts and views them on a PDA screen.

The only problem is the PocketPC OS is apparently locked in 240x320 resolution. This fancy Toshiba has a 480x640 screen, but the OS refuses to run at that resolution. Fortunately there's MyVGA, an open source hack that puts the PDA in 480x640 mode. Add in Undead Hack and some cosmetic fixes, and it's like your PDA really is high-res.

Most apps work just fine in the full VGA mode, including PocketPlates. Now the charts look pretty good (if tiny). I wonder why this wasn't easier? Does the Windows on Pocket PC only officially support 240x320 resolution?

  2004-09-18 00:39 Z
Photo by Richard Perry for The New York Times.
  2004-09-17 14:33 Z
The New York Times has a Diebold love piece about voting machines. It's well written enough, explaining various concerns with the technology in clear language. But every concern is answered as if it's not a problem, and in the end even I was wondering why Computer Geek Lunatics were harassing Poor Diebold. My favourite bit, the last sentence:
Critics say they can only hope that the problems will not be severe enough to require recounts, since paper ballots will not exist.
Why the #$($*#*$ won't paper ballots exist? The article doesn't get into that. Nor does it discuss the Diebold backdoor that lets you change the votes, nor the ACM's emerging position against electronic voting. And it only briefly touches on the long sorry operational history. Still, it was nice to learn Diebold's gonna add some crypto to the communication links. Duh!

I generally like Guernsey's articles, but I think she relied too much on Diebold for this article.

  2004-09-16 15:38 Z
I've gotten lots of suggestions for password keepers so far, thank you so much! Alas, none quite meet my needs.
Firefox 1.0PR
The latest Firefox has a new master password to encrypt passwords (screenshot). It works pretty well, but two flaws. First, there's still no way to get all your passwords. (You can view them in a window but can't copy and paste them!) Second, the password store is only accessible if their "this page has a password" heuristics work. If you're on a site like MyWay where Firefox doesn't realize there's a password, there's no way to store / retrieve one. Still, it's pretty good.
Password generator bookmarklet
Clever idea: have a master password that statelessly generates passwords for different sites. Then roll the whole thing up in a bookmarklet. Alas, it doesn't work in MSIE.
Password Scrambler
Same master password idea as the bookmarklet but in a Windows binary with MSIE toolbar button. I'm not wild about the password generation idea. You have no way to get a list of all your passwords, and you have no way to change your password on one site without changing the master.
Password Safe
Standalone app that maintains a password database. This was originally by Bruce Schneier's people as a Blowfish demo, now a SourceForge project. I like the app pretty well but it has a bug with the text export of its database. And the integration with MSIE is lacking.
If only there were Password Safe's transparency integrated nicely like Mozilla or Password Scrambler.
  2004-09-16 15:08 Z
I have way too many passwords for online accounts now. For dorky sites I use low security passwords that I can remember, but for important stuff I have random strings I can't remember. I probably have 30 of those now. I keep them in an encrypted text file and cut/paste as needed.

I need something better. Can anyone recommend a good account name / password keeper? The UI is key, it has to integrate with a web browser well. Given a URL, I want it to tell me my account name and password. Filling out the login form is better, but not essential. The tool needs to be transparent. I need to trust the crypto it uses to protect my passwords. And I need some simple way to get a plain text dump of all passwords for backups.

MSIE's built-in password thing isn't secure. The standalone tools I've seen all have lousy UIs. I like how Quicken's "PIN Vault" works, except it's not for browsers and it fails the transparency test. Know something good for MSIE or Firefox? Email me at nelson@monkey.org

Please see the followup post

  2004-09-14 15:48 Z
One thing people who hate SOAP say is that the XML for SOAP is ugly. That used to be a problem because of rpc/encoded style. But thanks mostly to WS-I the SOAP community has moved on to the simpler document/literal.

The nice thing about doc/lit is that it's really just any ol' XML message with two SOAP tags wrapped around it. SOAP says very little about what's inside your message, just that it should have a namespace and it should be describable via XML Schema. Here's an example:

<?xml version='1.0' encoding='UTF-8'?>
      <product>Soul Harvest</product>
The stuff in black is the app's data. The rest is what you need to turn some random XML into a SOAP message.

Even those two SOAP tags might seem like too much, but they give you a couple things. The headers give you a transport-neutral way to add header metadata to a message, and SOAP Faults (not shown) give you a structured way to indicate detailed errors.

If you're comfortable parsing XML, you're comfortable parsing doc/lit SOAP. But SOAP also offers the possibility of automatic data bindings (no parsing required) and WSDL (service description). Alas, those technologies still don't work so well in Perl, Python, or PHP where doc/lit support is weak. It does work pretty well in Java and .NET.

  2004-09-12 16:48 Z
You know how bad websites have those horrible popover ads that land on top of the text you're trying to read? The SFChron has those in their print edition, too. Can you spot the funnies?
  2004-09-12 16:34 Z
I saw Quentin Tarantino presents Jet Li in Yimou Zhang's "Hero" (aka Ying xiong) (trailer). The director is one of the fantastic folks coming out of Beijing, and you couldn't ask for a better cast. Alas, the film didn't work for me nearly as well as the other recent art-fu hit, Crouching Tiger, Hidden Dragon. I prefer Zhang's other excellent films (Raise the Red Lantern, Ju Dou, To Live).
The best thing about Hero is the formal use of colour and setting. It's sort of like The Cook, The Thief, His Wife, and Her Lover with martial arts. But this same formalism drains the film of any passion or joy, it's just one set piece after another. Even the fight choreography is dull.

The story is tiresome too; the Rashomon thing is only clever when the different views of the story reveal something about the character telling them. And the conclusion, with the Noble Hero sacrificing himself for the good of The State, is too creepy for me.

Still, it's a good movie, worth your time to see.

  2004-09-08 15:14 Z
I've finally put a license on my blog content: Attribution-NonCommercial 2.0. I did this reluctantly; I prefer a bit of ambiguity and with no license I end up with simple copyright protection which gives me a lot of power. But people are starting to steal my content without attribution: whether it's Real posting it on their site or robot aggregator sites that republish my posts with their ads on them. So now it's clear what's OK. And I'll be in CC's cool search engine, too.
  2004-09-04 15:18 Z
Sir Bruce updated his amazing MMOG stats page sometime in the last month. It now contains a lot of text explaining the data and where it comes from, along with some commentary. Two things pop out at me:
  • The 150k+ chart shows that Lineage and Lineage II are enormous, 4.5M users between them, 10x the size of Everquest. These are South Korean games, totally different userbase.
  • The 100k-500k chart gives you more detail on the non-Lineage games. I'm surprised how little drop-off these games have. Everquest has had 400k subscribers for 3 years! (That's about $150M in revenue).
I'm reading Richard Bartle's Designing Virtual Worlds after seeing it on Castranova's syllabus. It suggests that 100k in a year is the benchmark for MMOG success.
  2004-09-01 15:20 Z