Category: Web/Tech

Saturday, June 20, 2009

Let's Not Fuck Up a Good Thing

I love the title of this Ars Technica article: EU admits ICANN setup has worked well, wants change anyway.

On Thursday, the European Commission released a strategic document in which it called for some significant changes to the way that the Internet's name assignment system operates. Currently, the system is managed by the Internet Corporation for Assigned Names and Numbers, a private, nonprofit corporation. The EU doesn't seem to have a specific beef with how ICANN operates, but it's been consistently unhappy about the fact that ICANN answers only to the US government and is incorporated under California law. With ICANN's current charter coming to an end this September, the EU is starting a campaign to give it a more international flavor.

The document makes it clear that the EU is very much in favor of the general structure that was used to set up ICANN: a private-sector entity handling the general operations, with governmental oversight of its decisions. In fact, the document is notable for the absence of any specific criticisms of any actions taken by ICANN during the past decade. A section entitled "How has ICANN performed in its first ten years?" is largely complimentary, with the only real complaint being that it has no mechanism for binding oversight by the international community—in essence, the EU is admitting that the setup has worked well without its input.

I find it rather amazing that the US government has managed to stay "hands off" with respect to ICANN. There's a lot of power there to punish countries and organizations that the US considers hostile, but no evidence (I'm aware of) it has pushed to do so. Maybe I should keep my mouth shut before some congressman gets an idea.

So why in the world would we want to give even more countries a chance to screw with things? We -- the Internet community -- have lucked out that ICANN has remained benevolent. Everyone knows what happens when you throw more cooks into a kitchen, and this quote already has me worrying about what the EU envisions ICANN should do:

"The EU also believes that future internet governance arrangements should comply with key principles, in particular, the respect for human rights and freedom of expression as well as the need to preserve stability and security of the Internet."

I don't know about the EU, but for a cautionary tale we only have to look a little north. What the Canadian Human Rights Commission thinks is free speech is downright scary. Just remember that the US has a very broad view of what constitutes freedom of expression, that the Internet currently reflects this, and that many countries don't share our view.

I'm all for discussing alternatives to ICANN because we shouldn't assume it will always remain benign. But let's not change anything until problems occur.

Friday, June 19, 2009

Steve Jobs Liver Transplant

The WSJ is breaking this news item tonight. Not much to report:

Steve Jobs, who has been on medical leave from Apple Inc. since January to treat an undisclosed medical condition, received a liver transplant in Tennessee about two months ago. The chief executive has been recovering well and is expected to return to work on schedule later this month, though he may work part-time initially.

Not terribly surprising, considering his appearance in the last year. I'm glad it was just a failing liver, and not a return of cancer.

In other news, I first learned about this because it was tracking in Twitter. Usually I get my breaking news from Drudge, but times change!

Thursday, March 06, 2008

Not Dead Yet

I live to see another day. It apparently wasn't meningitis because I feel pretty good right now. Good enough to go to a full day's worth of work. Doh!

Anyway, the big news today was the iPhone SDK. Take a look at the feature list. Things that stand out to me include OpenAL and Embedded OpenGL. Apple even convinced EA and Sony to demo games today, full versions of Spore and Super Monkey Ball. The companies ported the games in under two weeks.

The games were very impressive, especially for a phone. Which makes me wonder if the iPhone won't fulfill the promise of the Nokia N-Gage. With a standards-based platform, rich API, and wireless networking, the iPhone suddenly becomes very attractive to developers. I'm pleasantly surprised that they managed to get Instruments (built on Sun's DPROBE) working with the platform. I've never developed for a console or phone, but I bet the SDK competes very nicely with other developer kits out there.

Apple hit a home run today between the Enterprise (aka Exchange) and SDK announcements. I'm looking forward to buying the next version of the iPhone. June 2008? I hope so.

Friday, February 01, 2008

Mysteries of .NET

At work they had the idea of modifying the login screen for our Windows images. They wanted to put a small four digit number (MMDD) in the lower right hand corner. You can do this with Paint, but having a command line tool would automate the process even more. The watermarking tools they found all ran somewhere around $100, and didn't have many command line options. I considered the problem for all of 10 minutes and declared "I can do it in a dozen lines of code."

My Windows development lately has been C#/.NET. Now that Objective-C 2.0 has garbage collection, I can pretty much avoid coding projects in C/C++, or any other languages that require manual memory management. Glorious Day! And what do you know, .NET has all the classes I need in System.Drawing and System.Drawing.Imaging.

It's pretty simple, really. Here are the basic steps the program goes through, leaving out the particulars of the Windows drawing API (GDI+):

  1. Load the source image with the Image class.
  2. Create an empty Bitmap class as the destination, with the same width/height/resolution.
  3. Acquire the font and color resources.
  4. Calculate the width and height of the desired text.
  5. Draw it in the lower right hand corner.
  6. Call Bitmap.Save(string) with the destination file name.

So, can anyone tell me why I spent three hours debugging this today? It's straightforward, except when I ran it the login screen displayed a crummy message (Hit CTRL + ALT + DEL, on grey, in a raised border) instead of my beautifully composed image.

My first thought was that the Bitmap was 24 bits/pixel, while the source is an 8 bits/pixel, indexed format. Good luck trying to get .NET to dither the image down to 256 colors! After much Googling, I discovered you have to do a bunch of PInvoke calls to lower-level APIs. I managed to do it, however, by cheating. Since my font color was black, and the original palette had a black entry, I created a third bitmap that was 8 bits/pixel, locked the memory, and manipulated it manually. I just stuck all the original palette colors in a dictionary and looped over all the pixels of the image, placing the correct index in the new bitmap.

I got my 8 bits/pixel image, but the login screen still didn't work. After scratching my head for an hour, in a moment of desperation I decided to actually check what format the Bitmap.Save(string) was outputting. Of course, to do this I copied the file to OS X and ran the file utility.

The result? Originally, a 24 bits/pixel PNG file. With my hacky dithering code, it was an indexed 8 bits/pixel PNG file. I yanked out all my extra code and called Bitmap.Save(string,ImageFormat) instead.

What. The. Fuck. Who in their right mind decided that the proper default format for a Bitmap class was a PNG file?

Friday, January 11, 2008

require( 'sanity.php' )

Could someone please, please tell me why PHP programmers insist on putting all their spaghetti code in one file?

I'm tired of reading through a program that is one huge switch statement (usually: index.php?mode=[blah]). What advantage could this possibly confer? Where did this habit start?

I will vote for any presidential candidate that promises to make all programmers take a design paradigms course. Something where they learn some coding styles, patterns, and organization. It's time to end this national insanity.

Monday, January 07, 2008

150 Glorious Inches

Two HD posts in a row. I've certainly drunk this sweet, sweet Kool-Aid. But I couldn't pass up mentioning the new 150 inch Panasonic plasma TV. It's magnificent. I've read that not only is it around $100,000 but that it also uses 3,000 watts. At 220 volts it's pulling ~ 13 amps. The plug probably looks more like something that belongs on a stove or dryer.

Chances of me even owning one of these are pretty slim. But perhaps the price will now come down on Sharp's 108 inch monster.

In Memoriam, HD DVD?

This Christmas my sister and I got our parents an HD DVD player to go with their new HD TV. I selected HD DVD because at the time neither format had a clear advantage, and the HD DVD players were cheaper.

Naturally, after only two weeks, it looks like HD DVD is a dead format. Arg. You win some, you lose some. Who knew that support for HD DVD could collapse so quickly?

I want to know what sort of bribes the Sony executives had to offer... and why Toshiba couldn't match. As far as I can tell, the two formats are technically on par. Blu-ray hasn't been cracked yet, but that's only a matter of time. Sony as a company scares me, and I worry that licensing fees will cripple Blu-ray once Sony has dominated the market. I guess we won't have to wait long to find out.

On the bright side, now I know what we can get our parents next Christmas.

Thursday, December 06, 2007

The SAFE Act

Nate Anderson takes some of the FUD out of the SAFE Act over on Ars Technica. The diggtards were all riled up over this earlier. Here's what Nate had to say:

ISPs already have a duty to notify authorities if they stumble across anything that appears to be child pornography or molestation evidence. The new bill ups the penalties for not reporting this information; ISPs now face up to $150,000 for a first violation and up to $300,000 for subsequent violations. The bill also requires ISPs to retain copies of all information filed in these reports, and to do so for 180 days in case they are needed for use as evidence in court.

Now, what does the bill not do? It explicitly tells ISPs that they do not need to "monitor any user, subscriber, or customer," they do not need to "monitor the content of any indication," or even "affirmatively seek facts or circumstances." In other words, if you see it, you are legally obligated to report it, but ISPs do not need to become child porn detectives.

I wonder... if I posted the story of Chicken Little to Digg, how many diggs could I get? The attention to the SAFE Act is deserved, because it is potentially scary. But only when followed by well-informed, intelligent discussion. Often Digg brings out the worst in group think and emotional, reactionary commentary.

Tuesday, December 04, 2007

90 90 90 90 CD 19

Nate sent the above to me as a joke about Windows to decode. It's IA-32 op-codes. The hardest part was finding a damned interrupt vector table for real-mode DOS. Apparently, no one programs like this anymore!

Tuesday, November 20, 2007

PHP Idioms and Idiots

Today I need to generate a random string of characters in PHP. Give me a couple minutes and I can write a function, but I thought I'd use Google to see what the common PHP idiom is (also, I'm lazy). Here are the top four results:

  1. Jon Haworth - PHP: Generate random password
  2. Create a random password - Totally PHP
  3. PHPFAQ - How can I create random passwords?
  4. Free Random Alphanumeric String Generator Script in PHP

Of those four results, the only one I'd consider using is the first, from Jon Haworth. The rest are much less than ideal. The fourth is utter crap. Why? Here's a typical example:

function createRandomPassword() {
    $chars = "abcdefghijkmnopqrstuvwxyz023456789";
    srand( (double)microtime() * 1000000 );

    $i = 0;
    $pass = '' ;
    while ($i <= 7) {
        $num = rand() % 33;
        $tmp = substr( $chars, $num, 1 );
        $pass = $pass . $tmp;
        $i++;
    }

    return $pass;
}

No, no, no, no, no. You should only ever seed the random number generator once. That's it. Fini. The random function is only designed to return a uniform distribution with a given seed. So providing multiple seeds can/will ruin the distribution.

Example four actually calls srand() inside an inner loop, which is the worst of all possible situations. I wanted to call createRandomPassword() in a loop, which is only slightly better. What's the point of calling rand() anyway if the distribution won't be uniform?

I went to the PHP manual page for srand() to see what the comments said. Right at the top is this:

Richard's statement, that calling srand more than once per script will impair your chance to get a true random number, is not necessarily correct. In fact using srand more than once can even improve randomness if you understand how.

The rand function uses a certain algorithm to calculate a number out of the seed given to srand. This algorithm, of course, is always the same, so without knowing the seed (which is assumed to be random) you can calculate any value returned by rand other than the first one if you know the first one. The chances to do so get better the higher the range of your random number is (and are pretty good if the range of the random number exceeds the possible range of the seed).

What he says is superficially correct. Given a set of values from rand(), and their sequence, you can guess the seed and subsequent values. rand(), under many implementations, is just a complex function. It doesn't really provide random numbers.

It does guarantee that the numbers returned will be uniformly distributed; that is, each return value is just as likely as all the others... as long as the seed doesn't change. Which is ultimately what I care about.

The rest of the srand() comment suggests jumping through a lot of hoops to achieve "random" numbers. He lists code to seed the generator, get a value, fetch a page from Google (sufficiently random for him), reseed the generator... etc.

But this is (a) way too much work, and (b) doesn't guarantee a random value. Suppose I flood his machine with network traffic. I could slow down his queries to Google to the point where the execution time is predictable. I'll probably never get the value of microtime(), but he defeats himself. What if I know details about his generator? Perhaps it's biased towards certain values at the start of a sequence.

The best way, in my book, to keep people from guessing the sequence is to (a) seed it at an unpredictable time -- like when the server process first starts -- and (b) to not display many random values to the user in sequence.

All of this is beside the point anyway. 99% of the time you don't feed the random value to the user. It's an intermediary step in generating some value. I want to take it modulo 36 to get a "random" character. Some people want to feed it (with other data) into MD5. He advocates doing all this work to mask a value that the user will never see!

To top it all off, rand() is nowhere near a cryptographically secure random number generator. OpenSSL has one, but PHP didn't import the function call in its extension. Better yet, don't use PHP to do cryptographically secure things.

Argg... this is one of my pet peeves, if you couldn't tell.
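The quoted createRandomPassword() has a second problem beyond reseeding, shown in this added example (not code from the original post or the linked scripts): `(double)microtime()` keeps only the fractional-second part of the `"0.12345600 1195580000"` string that microtime() returns, so the seed is one of 1,000,000 integers and the password is a pure function of it, about 20 bits no matter how long the string is. The helper names `legacyPassword` and `securePassword` are hypothetical, and `random_int()` assumes PHP 7.0 or later.

```php
<?php
declare(strict_types=1);

// Added example; helper names are hypothetical, not from the original post.
const ALPHABET = 'abcdefghijkmnopqrstuvwxyz023456789'; // 34 symbols, as in the quoted script

// The quoted generator with its seed made explicit. In the original the seed
// is (double)microtime() * 1000000, i.e. an integer in 0..999999.
function legacyPassword(int $seed): string
{
    srand($seed);
    $pass = '';
    for ($i = 0; $i <= 7; $i++) {
        // "% 33" is kept from the original; index 33 (the final '9') is never chosen.
        $pass .= substr(ALPHABET, rand() % 33, 1);
    }
    return $pass;
}

// Replacement: each character is drawn from the operating system's CSPRNG.
// random_int() is uniform over the requested range, so there is no seed to
// manage and no modulo step to bias the result.
function securePassword(int $length = 8, string $alphabet = ALPHABET): string
{
    $max = strlen($alphabet) - 1;
    if ($length < 1 || $max < 1) {
        throw new InvalidArgumentException('need length >= 1 and at least 2 symbols');
    }
    $pass = '';
    for ($i = 0; $i < $length; $i++) {
        $pass .= $alphabet[random_int(0, $max)];
    }
    return $pass;
}

// Same seed, same password: the legacy output carries no more entropy than the seed.
$seed = 123456; // constructed sample value
var_dump(legacyPassword($seed) === legacyPassword($seed));

// Upper bounds on what each generator can emit, in bits.
printf("legacy: at most %.1f bits (1,000,000 possible seeds)\n", log(1000000, 2));
printf("secure: %.1f bits (34^8 equally likely strings)\n", 8 * log(34, 2));
echo securePassword(), "\n";
```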
