Brian Slesinsky

Russ Cox explained a while ago how interface types work in the original implementation of the Go language. But reading about an implementation when your grasp of the language is shaky is sometimes more confusing than helpful.

For example, I happened to see the beginning of a dispute on the mailing list [edit: which turned out to be just a misunderstanding] about whether interface values are copied by value or by reference. I had forgotten and couldn't find an answer in the Go spec, so I wrote a test program. See if you can guess what this program does without running it:

Saturday, 12 Jun 2010

Saturday, 22 Aug 2009

In an attempt to improve my musical skills, I've been practicing with Interval Ear Trainer a little bit every day. It's a web app that plays two notes, either sequentially or at the same time, and then you have to decide how far apart they are in pitch. (This is a common exercise for musicians.)

If you can recognize a melody then you can hear these intervals, though you probably can't name them. So it might seem like this is just a matter of learning some new names, but it's more like exercising a muscle you didn't know you had. Sometimes when practicing, I would start to think I was getting it, but then lose concentration and make silly mistakes. Low notes seem a bit easier for me than high notes, maybe as a result of my less-than-perfect hearing. Also, just like when listening to a song, the same interval can sound very different depending on what came before it. (Perhaps part of learning to recognize intervals is being able to ignore this effect?)

I've become reasonably good at recognizing intervals when the notes are played sequentially, so now I'm working on doing it when the notes are played at the same time, which is almost like starting over. It was a little frustrating until I hit on the scheme of practicing with only two intervals at a time, starting out with intervals that are spaced fairly far apart. (For example, I turned off everything except perfect fifth and octave.) After hearing the tone, I try to imagine the notes played separately, and that connects back to what I already know. Sometimes it takes a second or two for imagination to kick in: "It's not an octave so I know this must be a perfect fifth, but I'm not hearing it - oh, there it is." It's like I can almost feel the neurons connecting.

It's a fun exercise, in short stretches anyway. If you want to try this, a trick to help you get started is to associate each interval with a song you know. (You could use separate songs for ascending and descending intervals, but I just learned to mentally reverse the notes.) It's best to use songs you know well, but to get you started, here's what I use:

Incidentally, thinking of songs that you know with a particular interval and finding them on YouTube is a fine way to waste an hour or two! It would be fun to find out which songs other people use. My blog doesn't have comments, but if you use Twitter, I suggest posting the link to Twitter with #interval in your Tweet so that it will show up here.

(As an extra bonus tip, here's how to create a link that starts in the middle of any YouTube video: if the link looks like http://www.youtube.com/watch?v=hjzlPtsS0R8 and you want it to start 2 minutes and 18 seconds in, then you add #t=2m18s to the end of the link.)

Update: I decided to write my own ear trainer applet. It lets you do interval training with random musical phrases. You can try it out here.

Sunday, 01 Mar 2009

Seems like browsers are doing a lot of things already to manage vendor relationships, where "vendors" are websites:

However, the major browser projects tend to have a tough balancing act between users' and vendors' interests, because they need to be compatible with as many vendors as possible. Features like ad blocking are "controversial" for this reason, which is why they're often an extension.

Client-side programs (Javascript embedded in web pages) are a rather odd thing. A Javascript application is written by the vendor, but once downloaded, the vendor cannot trust it anymore because it's in the user's control and the user could modify it. So vendors only trust these programs they wrote themselves to represent the intentions of the user identified by the auth cookie. On the other hand, as a user you cannot fully trust one of these programs either, except to display information from one vendor and to relay your intentions back to that vendor's server when you're using a particular website. In particular, you don't want programs from different vendors to talk to each other about you, unless you specifically allow it, and you don't want a program from one vendor to gain control over a program from another vendor.

These programs are like agents that all live within different jail cells in your browser. The agents aren't fully trusted by either side, and yet each agent is the primary way that you communicate with one vendor. The major client-side security bugs come from letting these agents escape their cells or spy on each other. And there are millions of these agents out there, one for each website, of widely varying quality.

Perhaps Greasemonkey scripts are the closest thing we have to turning these agents into true fourth-party software. However, they're a hack. They have to be rewritten for each agent, they have to be updated each time the vendor changes the website, and vendors sometimes write terms that forbid you from using them.

Can someone do better? I suspect an in-browser evolutionary approach is most likely to succeed. Users need better control over these agents and standard, automatic ways of communicating with multiple agents at once. I'm imagining browser extensions whose purpose is to start up a bunch of web sites (agents) and send them bids, and gather information from these agents and store it in a standard way outside of any agent's control. The standard API's for websites to communicate with browser extensions needs to become richer.

On the other hand, there needs to be a way to get your favorite browser extensions back when using a different browser. This suggests that the "extension" is just another agent that lives in its own cell and is downloadable by vising a website. So maybe they all talk to each other using Google Gears, and it's just that you've designated certain more-trusted agents to administer the other less-trusted agents?

Perhaps there could be a cells-within-cells model, where visiting one website creates an agent in a cell, who creates more cells and downloads agents from other websites into them. We'd need a standard for creating "headless" agents that have no UI but are just used by another website. As the user you'd want to be able to see when this happens and decide whether to allow it. Probably the closest thing we have now are hidden frames, but communication between them is a hack and the user doesn't get any visibility.

Update 2: and of course Facebook Apps and OpenSocial containers allow similar things, with the difference that the "more trusted" agent lives on someone else's server and therefore can do things on your behalf when you're not logged in. Also, it's questionable how much they deserve our trust. Open source client-side software (such as browsers and extensions) can theoretically be reviewed and given more trust than someone else's server, assuming you're using them on a secure client.

Then again, this is only a matter of degree in the usual case where you download client-side software from a website without reviewing it yourself.

Saturday, 21 Feb 2009

"Ownership means that I have something to lose. If you're a banker, it means that you've got collateral. It also means that I'm credible, so you can give me credit. When you think about it, whether it's ownership, whether it's credit, whether it's capital, whether it's identification, none of the things that make a modern economy are possible without property." [emphasis added]

- Hernando De Soto

Online property might be considered as owning accounts in various online systems. "Having something to lose" means having control over an account that's valuable to you and other people you know (that is, not a throwaway account). Could an identity system be based on this? Someone with control over an account should be able to prove that they are the same person who owns other accounts as well. Once we have that, there are likely to be some systems that tie online identity to offline identity, which can be used to associate other online accounts to an offline identity when that's what you want.

The fundamental transaction of proving that two accounts are owned by the same person could be done with OAuth. Note that this isn't a permanent relationship; if one of your accounts is hacked, you should be able to log into all your other accounts and attest that you no longer wish to be associated with the hacked account. When an identity splits in two like this, your friends might not know which identity to trust, but they would know something is up and to be careful.

This is distinct from single sign-on; in fact, an identity created this way is more robust if you use an independent method of authentication for each account. In practice, some groups of accounts will probably share an authentication system for ease of use, but using a single auth system for everything is probably a bad idea even if it were possible. Even if you managed to tie most of your accounts to a single OpenID provider, keeping a few accounts separate (like your bank) would be a very good idea.

Friday, 02 May 2008

With the launch of Google App Engine, I decided to give it a spin by rewriting PixelToy, a Java Applet (and backend server) that I wrote more than a decade ago to learn Java. This time, the technologies I'm trying out are jQuery, Ajax, and Python.

PixelToy is a simple paint program where everyone who visits paints on the same canvas. The new Pixeltoy also lets you take a snapshot of your painting and see a gallery of pictures others have made; the gallery also has a feed.

How it works: the PixelToy web page sends each brush stroke to the server when you release the mouse button and polls the server for updates. The polling gets slower for inactive users.

(Warning: since anyone can paint anything they like and painting is anonymous, you never know what you'll find when you visit. I ask that visitors keep things generally "safe for work," but can't monitor it all the time.)

Sunday, 06 Apr 2008

When not following the election, I've found the latest financial crisis to be pretty interesting; how can so many smart people be collectively so stupid as to put the entire system at risk? I don't pretend to fully understand this stuff, but here are a few thoughts, from a spectator.

Sunday, 30 Mar 2008

Maybe it's just that I haven't found the right web site yet, but discovering good web comics online seems a little harder than it ought to be. I went looking for new comics the other day, and found that lots of people make lists of their favorite comics but provide too little information: who wants to follow a blind link from a long list created by someone they don't know? On the other hand, there are a few websites that publish fairly serious critical articles about comics, but that's too much information when you're just looking for a new comic to read. And then there are the websites that review online and offline comics together, so you have to wade through stuff you can't read right now to get to the good stuff.

How is it possible that in the year 2008, a really good web comic review site hasn't spontaneously appeared out of the sea of obsession that is the Internet? It's a clear-cut case of market failure (or maybe just laziness on my part) that I could remain unaware of Girl Genius for several years after it started.

Until someone does start that website, I'll post a few reviews here and leave it to Google to get them to people who might find them useful:

Sunday, 17 Feb 2008

Guice is easy to use when you want to build a web of objects based on a static configuration. However, it gets awkward when you want to create multiple, similar webs of objects, where only a few nodes vary.

This is because Guice has no direct support for callbacks that take parameters. The only callback that's built into Guice is Provider.get().

I would like to see full support for callbacks with parameters in the next version of Guice. In this article, I'll sketch out how we could do it.

Saturday, 26 Jan 2008

"There is the dangerous cliché in the financial world [that] everything depends on confidence. One could better argue the importance of unremitting suspicion."

- John Kenneth Galbraith

Saturday, 07 Aug 2010