New Google Apps design

Still waiting for the updated Gmail look, but they really shit the bed with Reader. I miss the clear demarcation lines. Or really any sort of contrast.

Let me google that for you

Via Matt Yglesias:
What is this? I don't even

I don’t know what’s worse. That they don’t know, or that they can’t be bothered to google him.

Sony: It’s possible that millions of Credit Card numbers were stolen

How possible? I don’t know. Things over at PSN are obviously about as bad as they get. There are data breaches all the time. But I can’t remember the last time a company brought in the security consultants and those consultants actually managed to convince the people in charge that they needed to shut down their business and stop taking in money for going on a week now. Usually it’s all very hush-hush while you keep out the hackers with one hand and frantically patch all the security holes you can find with the other.

All that’s beside the point, though, because the fact that it’s a possibility at all is just sad. There is no reason, none whatsoever, to store credit card numbers. Once you’ve verified that the information is valid, you can discard it. If you want to keep cards on file so you can re-charge them without your customers having to re-enter information all the time, you don’t need the actual number and expiration date. All you need is a reference ID for when you verified the card information the first time it was entered.

Websites are hard

Security shitshow failparade over at discover.com and chase.com. Chase’s problem is pretty serious so I emailed them to see if they’ll fix it before disclosing it (I like my security research ethical… today). Discover’s problem is pretty much out there: autocomplete is not disabled on the form fields for social security numbers, which seem to be on every form they have :P All their customer service or contact us links give 500 errors, so I doubt that will ever be fixed.

Socket bug in PHP 5.2.11

I had to reverse a PHP upgrade today which I did just yesterday because of what I can only assume is some sort of regression error. I’ve been using the PEAR HTTP_Request library for webservice calls. Today I’ve noticed that in about 5% of requests, the request body would be incomplete for no good reason. A quick comparison with 5.2.10 showed no such problem, so I had to reverse to that version to investigate. HTTP_Request uses Net_Socket, which in turn uses the fsockopen function. I built a test case and confirmed that it was indeed a problem in that function. I checked the nightly build of PHP 5.2 and the problem is not in there, so I reckon no bug report should be necessary.

UPDATE: I checked the PHP repository and the offending commit was r288034 by Sriram Natarajan. What really pisses me off about this is that not only did he check it in despite breaking a test (ext/standard/tests/streams/stream_get_contents_002.phpt), but the change made it all the way into the next bugfix release despite breaking a test. The bug was fixed 5 days ago by Dmitry Stogov in r288604.

Dealing with Facebook text message delay

I recently switched to an unlimited text and data plan for my cell phone and thought I’d give Facebook and Twitter a chance to show me why it is so important to know instantly what each and every one of my internet-enabled friends is up to RIGHT NOW. Well, I didn’t go crazy, I turned on text message notifications for about 3 people. I came to notice pretty quickly that the meaning of “right now” varies wildly according to time of day. That’s expected to a degree, with all the people coming home to microblog how crappy a day they have had, but it’s annoying when I get a text message at 2am about something that happened at 8pm after telling Facebook that I don’t want to receive any messages after 11pm.

I can’t say for sure if this is a problem on Facebook’s side or a carrier issue. I’ve been reading a lot about congestion issues in regards to 3G, especially with AT&T. For the purposes of finding a solution though, it’s not that important. The ways to mitigate the problem are mostly the same, it’s just a question of who implements them. In a perfect world, both sides would work on it, but as recent insights into the profit structure of the text message business show, cell phone carriers are increasing profits while keeping infrastructure investments flat for the most part.

Now, for all the importance that text messages are carrying today they are comparatively unreliable. There is no SLA and as I mentioned, the infrastructure investments are lagging behind skyrocketing usage. At the same time, a high amount of messages associated with social networking and micro-blogging are both broadcasts and highly immediate. That means that there is no express expectation of delivery on the receiving end and that their perceived value drops sharply with delivery time. Therefore, paradoxically, the low expectation of reliability could be used to increase reliability overall by decreasing congestion volume.

This could be done relatively simply by attaching an expiration time to certain classes of messages like broadcasts. In the example above, a status update at 8pm triggers a text message to be sent to each subscriber. Now, I personally wouldn’t care about a status update that’s 2 hours late, but let’s just go with a default expiration time of 4 hours. If the message can’t be delivered by midnight, it gets discarded and purged from the sender queue. Odds are nobody would care about the information anyhow, and there’s a good chance the receiver already found out since the same information is accessible in other ways.
Now, in my own example, since the message was sent at 8pm and I don’t want to receive messages after 11pm, the expiration time could be set to 3 hours. If it can’t be delivered in 3 hours, it eases congestion and I don’t get annoyed by messages I don’t care about in the middle of the night.
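
The expiration rule described above, as an added example that is not part of the original post: each queued broadcast expires at the earlier of the 4-hour default and the recipient's "no messages after" time, and expired messages are purged instead of delivered. The function names, the queue shape and the representation of the cutoff as a UTC hour of day are assumptions made for illustration.

```javascript
const HOUR_MS = 60 * 60 * 1000;
const DEFAULT_TTL_MS = 4 * HOUR_MS; // default expiration used in the post

// First occurrence of the recipient's cutoff hour strictly after the send time.
// Assumption: the cutoff is stored as an hour of day in UTC (a real system
// would evaluate it in the recipient's own time zone).
function nextQuietStart(sentAt, quietStartHour) {
  const d = new Date(sentAt);
  d.setUTCHours(quietStartHour, 0, 0, 0);
  if (d.getTime() <= sentAt) d.setUTCDate(d.getUTCDate() + 1);
  return d.getTime();
}

// Expiration = min(default TTL, recipient's cutoff). Recipients without a
// cutoff (or unknown recipients) only get the default.
function expiresAt(msg, recipient) {
  const byDefault = msg.sentAt + DEFAULT_TTL_MS;
  const hour = recipient?.quietStartHour;
  if (hour === undefined) return byDefault;
  return Math.min(byDefault, nextQuietStart(msg.sentAt, hour));
}

// Run whenever the congested queue gets a delivery slot: expired messages
// are dropped from the queue rather than delivered late.
function drain(queue, recipients, now) {
  const deliver = [];
  const purged = [];
  for (const msg of queue) {
    const target = now < expiresAt(msg, recipients[msg.to]) ? deliver : purged;
    target.push(msg);
  }
  return { deliver, purged };
}

// Constructed sample data: a status update at 8pm, two subscribers.
const sentAt = Date.UTC(2009, 8, 1, 20, 0);
const recipients = { alice: { quietStartHour: 23 }, bob: {} };
const queue = [
  { to: "alice", sentAt, body: "status update" },
  { to: "bob", sentAt, body: "status update" },
];
const at2330 = drain(queue, recipients, Date.UTC(2009, 8, 1, 23, 30));
console.log(at2330.deliver.map((m) => m.to), at2330.purged.map((m) => m.to));
```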

This might be the best video game trailer ever

Halo 3: ODST

Upgraded to Snow Leopard

I followed the Lifehacker guide to unclutter Mac OS before the upgrade and everything went smoothly, except that Firefox would crash every time I started it. But a simple reinstall took care of that. Can’t really say anything about performance yet, because I’ve been using it for browsing and chatting mostly since the upgrade.

Optimizations in browser games

A long time ago, when the first widely popular browser games started – mostly sci-fi themed games centered around colonizing planets, gathering resources and building fleets to blow up other fleets – things were moving along at a very deliberate pace. Usually there were so-called “ticks” at regular intervals at which ongoing processes would be updated. That included calculating resources gathered, moving fleets around and playing out their engagements.

As games became more complicated and more engaging, moving to real-time processing was a natural step. But while running a couple of SQL updates every 15 minutes with a couple thousand users might have worked, that same approach quickly runs into trouble if you multiply the userbase and try to get even close to real-time updates, or even if the calculations become more complicated than what can be done in an SQL query.

One solution is to go lazy. As long as something can be calculated reasonably fast, especially if it can be done on the client side, there’s no reason to update the database until absolutely necessary. Example:

A player has 1000 units of Resources #1 and produces 1800 units per hour. If you take those two data points, plus the time the resource count was updated last, you can easily calculate the current amount for display purposes on the client side. Most games utilize this already in order to have running counters on the frontend. So with a little javascript magic, the user in this example will see their resource count increment by 1 every two seconds.

How lazy can you go in this example? The only times it’s necessary to update the database are when one of the two main datapoints changes, i.e. when there are changes to the base count or the production rate.

As a general rule, you can apply the quantum mechanical observer paradox, wherein something is indeterminate until you look at it. Think Schroedinger’s Cat.
From the viewpoint of the database, the current resource count and the results of other ongoing processes can be undetermined until somebody, a user or a process that needs hard data, comes looking for it.
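
The lazy scheme described above, as an added example that is not part of the original post: the stored row holds only the base count, the production rate and the time of the last write, and is rewritten only when the rate changes or resources are spent. Function and field names are assumptions; the same formula drives the display counter on the client, while the server re-derives the amount from its own clock whenever it needs hard data.

```javascript
const MS_PER_HOUR = 60 * 60 * 1000;

// Exact (fractional) amount at time `now`, derived from the stored row.
// Nothing is written; this is safe to run on every page view.
function amountAt(row, now) {
  const elapsedMs = Math.max(0, now - row.updatedAt); // ignore a clock that ran backwards
  return row.base + (elapsedMs * row.ratePerHour) / MS_PER_HOUR;
}

// What the running counter on the frontend shows.
function displayAmount(row, now) {
  return Math.floor(amountAt(row, now));
}

// The production rate changed: fold what was produced at the old rate into
// the base count, then start counting from `now` at the new rate.
function setRate(row, newRatePerHour, now) {
  return { base: amountAt(row, now), ratePerHour: newRatePerHour, updatedAt: now };
}

// The base count changes: a process needs hard data, so the amount is
// determined here. `now` must be the server's clock, never a timestamp or
// counter value sent by the client.
function spend(row, cost, now) {
  const available = amountAt(row, now);
  if (cost > available) return { ok: false, row };
  return {
    ok: true,
    row: { base: available - cost, ratePerHour: row.ratePerHour, updatedAt: now },
  };
}

// The post's numbers: 1000 units, producing 1800 per hour, last written at t = 0.
const start = { base: 1000, ratePerHour: 1800, updatedAt: 0 };
console.log(displayAmount(start, 2000));        // one unit after two seconds
console.log(displayAmount(start, MS_PER_HOUR)); // a full hour of production
console.log(spend(start, 5000, MS_PER_HOUR).ok); // more than has been produced
```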

Gmail SMS works again

Alternatively, you can get an invite for Google Voice, which has better SMS management. I haven’t used it for much besides that but the free business cards are nice.
