Archive for the 'programming' Category

Monday, February 4th, 2008

Roomware Devhouse

Yesterday a Roomware Devhouse was held at the Ex Machina office in Amsterdam. Here are some pictures:

Roomware DevHouse


To summarize briefly: Roomware is a piece of middleware to facilitate the running of software in a physical space. This most directly involves Bluetooth- and RFID-like applications, which by their nature are limited to a specific area.

You set up a Roomware server and it handles the communication to and from the devices. My small project for the afternoon (we had some ideas for projects which would have been hard to finish) was making a badge clubs can put on their website to show who is in the club at a given moment. With the messaging functionality that was developed the same afternoon, it would even be possible to send your friends at a club messages.

Technically simple, the concept demonstrates how close physical computing has become. The Roomware server does a great job of removing the heavy lifting in interfacing with libraries for Bluetooth and RFID.

A great next step would be to add an XMPP layer on top of the Roomware server. This way you could theoretically connect your Adium to some clubs of your choice, and see people entering and leaving in your buddy list and even message them.

The only problem is what to use as a unique identifier as your Bluetooth name. I’m a proponent of using a URL but a lot of people do something like their Hyves username or their Twitter name. Fortunately this distinction is mostly blurred using Google’s new Social Graph service.


I like the vibe of devhouses and building something in a strict time limit, but working solo puts limits on your reach. Next time it would be great to work in a team and build something as a group.

Monday, August 13th, 2007

ZAPMac: Save time by speed reading automatically

A week ago I noticed zapreader.com, a site that makes it relatively easy to teach yourself speedreading. At least 1000 people also bookmarked it and from personal experience I can say: It really works quite well. In a nutshell, it takes a bunch of text and splits it into words. It then displays each word (or a block of two, which works a bit better in my opinion) in a huge font in the middle of your screen, for a fraction of a second, before moving on to the next word.

However, the ZAP reader itself has some annoyances so I decided to fix them.

Thus, I present: the (Mac only!) desktop app version of ZAP Reader. Download here: http://files.fourstarters.com/ZAPMac/ZAPMac.dmg.

ZAPMac Screenshot

It works very simply: select text in any application, then hit CMD+SHIFT+V and ZAPMac automatically starts and zapreads the selected text for you. Once the text is done, it quits automatically. Use Z and X to rewind/fast forward 16 words at a time, and use A and Q to speed up or slow down. Space starts and stops, and there are preferences to change a number of things, though the defaults worked the best for me. It intentionally goes fullscreen - to make sure there is no distraction for your eyes.

Apparently it works so well because of two things:

  • It saves you from having to ‘track’ - you no longer expend effort to keep your eyes in the right place. Your eyes no longer need to move at all, just keep staring at the same place.
  • It makes use of ‘brain replay’. Ever said ‘What did you say?’ to someone, only to realize that you DID hear them after all? Your brain has a limited ‘pipeline’ of sorts, but you usually incorrectly think you misheard or misread, forcing you to take action. When reading, this means you often reread sentences that you don’t need to reread. With ZAP Reader you force yourself into going forward.

This is my first foray into Mac OS X Cocoa development, incidentally. I spent maybe 12 hours on getting this thing together, including learning a new programming language from scratch (well, enough to write this, anyhow), and including learning how to distribute it, set it up with a nice preference pane that stores its settings in the right places, and all that jazz. Basically Cocoa development is really nice and very simple, which may explain why Mac software looks so good.

If you’re interested in the source, here you go: http://files.fourstarters.com/ZAPMac/ZAPMacSource.zip.

Wednesday, July 25th, 2007

Regexps are a security leak?

This is a -very- technical post, so if you aren’t a programmer you may not be able to follow along.

Regular expressions are used in virtually all webservices. mod_rewrite, a very popular Apache plugin, uses them. Django, a popular Python web framework, uses regexps to map URLs onto the code that can handle the requests. Perl is virtually built on regular expressions. Virtually all languages popular for web development support regexp parsing.

Unfortunately, certain regular expressions have what I call ‘runaway nature’. A regexp with ‘runaway nature’ has the following property:

There exists at least 1 input string which will cause the act of matching this input string against the regexp to take a very long time.

Simple example: Given the regexp (x+x+)+y and the input string xxxxxxxxxxxxxxxxxxxx, most regexp parsers just hang. Smart ones realize this can’t work, as all matching strings must end in a y but the input string does not; unfortunately, most aren’t that intelligent. It turns out that on e.g. the C# regexp parser, an averagely powerful machine needs 25 SECONDS to realize that the input does not match the pattern. See this codinghorror article for the details of this particular case. Clearly the regexp (x+x+)+y has runaway nature, at least on the C# regexp parser.

There are many regexps which have ‘runaway nature’ on only certain platforms. However, no implementation of a regexp parser that I know of is completely immune to ‘runaway nature’ - some regexp strings just implicitly have it, regardless of implementation.

This is a security leak; causing one of the CPU cores of a webserver to hang for 25 seconds makes it totally trivial to crash the server; this is known as a Denial of Service attack. No data is compromised, but the server just stops working.

There are 2 ways this issue can be fixed, that I can see.

  1. Determine if it is possible for a machine to determine in constant time if a certain regexp pattern has ‘runaway nature’, and generate a warning if this is true. This allows web programmers to be warned in advance that they have a security risk.
  2. When running a string against a pattern, allow the programmer to specify a ‘limit’. Once the regexp parser backtracks that many times, it just quits and throws an error instead of getting bogged down. By choosing a careful limit, a web programmer can trade off ‘correctness’ against server security. I get the feeling that any input string that causes runaway performance troubles is very likely to be an invalid use case anyway.

Unfortunately, neither fix is available as a standard solution in any mainstream programming language that I know of.

I’m not sure how large this problem really is, but I can imagine there are lots and lots of webservices out there which can be brought to a grinding halt by feeding them the right (wrong) input.
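Fix 2 above, sketched as an added example that is not part of the original post: a toy backtracking matcher (not a real regexp library) that counts its steps on the post's (x+x+)+y pattern and gives up once a caller-supplied limit is exceeded. The tuple pattern format and all names are assumptions made for this illustration, and it matches the whole input rather than searching within it.

```python
# Added illustration: toy backtracking matcher with a step budget.
# Assumed pattern format: ("lit", c) | ("cat", [nodes]) | ("plus", node)

class BacktrackLimitExceeded(Exception):
    """Raised when matching needs more steps than the caller allows."""

def full_match(pattern, text, limit):
    """Match all of text against pattern; return (matched, steps_used)."""
    steps = 0

    def m(node, i, k):
        # k is the continuation: what must still match from position j on.
        nonlocal steps
        steps += 1
        if steps > limit:
            raise BacktrackLimitExceeded(f"gave up after {limit} steps")
        kind, arg = node
        if kind == "lit":
            return i < len(text) and text[i] == arg and k(i + 1)
        if kind == "cat":
            def run(idx, j):
                if idx == len(arg):
                    return k(j)
                return m(arg[idx], j, lambda j2: run(idx + 1, j2))
            return run(0, i)
        if kind == "plus":
            # Greedy: after one iteration, try another first, then fall back.
            return m(arg, i, lambda j: (j > i and m(node, j, k)) or k(j))
        raise ValueError(f"unknown node {kind!r}")

    matched = bool(m(pattern, 0, lambda j: j == len(text)))
    return matched, steps

X_PLUS = ("plus", ("lit", "x"))
# (x+x+)+y from the post
RUNAWAY = ("cat", [("plus", ("cat", [X_PLUS, X_PLUS])), ("lit", "y")])

def check_input(text, limit=5000):
    """Policy from fix 2: treat an exhausted budget as invalid input."""
    try:
        return full_match(RUNAWAY, text, limit)[0]
    except BacktrackLimitExceeded:
        return False

if __name__ == "__main__":
    # Constructed inputs: n x's with no trailing y, so every path must fail.
    for n in (10, 12, 14, 16):
        print(n, full_match(RUNAWAY, "x" * n, 10**9)[1])
    print(check_input("x" * 20 + "y"), check_input("x" * 20))
```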


NB: This issue crossed my mind when I crafted the following regexp to check if an input string appears to be a URL. I’m not sure if this regexp has ‘runaway nature’. If you’re a real regexp guru and can figure this out, or if you spot any errors, help me out and let me know in the comments! Thanks a lot!

  • ^([hH][tT][tT][pP][sS]?://)?
  • ((?:[a-zA-Z0-9][a-zA-Z0-9-]*?[a-zA-Z0-9]?)(?:\.[a-zA-Z0-9][a-zA-Z0-9-]*?[a-zA-Z0-9]?)+)
  • (:\d+)?
  • (/[\w/\.;\?:\&=+\$,#]*)?$

(1, 2, 3, 4 stand for: protocol, server, port, path string.)

Wednesday, July 11th, 2007

OpenCI preparing to open up social network

Monday a week ago I visited Mediamatic on invitation from Willem Velthoven to talk about how they could fit in Portable Social Networks in their anyMeta system. This meeting was inspired by our meeting in Copenhagen and the talks we had about opening up social networks.

Picture by Matt Biddulph

anyMeta and OpenCI

Mediamatic.lab implements and maintains a series of social networking sites for the creative industries (CI) in Amsterdam. These are sites built on the anyMeta system that resemble structured wikis with a strong social dimension. They are positive towards open source, but the anyMeta system is not open source for reasons of manageability of the projects.

Seeing as these sites have a lot of overlap both in functionality and in the people that have an account on them, they wanted to abstract and syndicate the social stuff as much as possible. Currently people can have accounts on each of the different sites, all with the same information on them.

Seeing as Mediamatic builds anyMeta themselves and they have total control, it is very feasible for them to devise and mandate the exchange of information between their own sites. To enable the exchange between their own sites, they will use their own protocol and data format to provide for a high fidelity exchange of information. Leaving implementation details for what they are, it should become possible to use one account on any of the sites in the network.

To verify your identity on the various sites of the network they are going to enable OpenID consumer and provider functionality in the next version. This way they will have a way of distributed authentication both within their network of sites and throughout the rest of the internet.

anyMeta and the rest of the web

Microformats logo

Having solved the problem of information exchange between anyMeta sites, they would also like to play along with the rest of the internet as far as that is possible. Being able to share public information with the rest of the internet in a logical way is also on the agenda but not so straightforward.

Making public profile information available using hCard and related microformats looks easy enough. Problems arise however because the templates are made by different people and that is the location of the microformatted markup. This means the template authors have to be educated on the subject of microformats.

Whenever I advocate the use of microformats, I always have to fight against the blank looks and criticism about the applicability of the technology. It’s a solid Catch-22 that has to be taken on with real-life use cases and benefits to extol the virtues of a dirty semantic web. For hCard there are various uses cropping up over the internet, but for the others it is a lot more limited. Having microformatted data on sites and being able to parse that using browser plugins is a first step and essential groundwork for the real use cases and richer interaction that we all want to have.

Another plan they have at Mediamatic is to first enable the sharing of information between their sites and make plugins for some of the bigger CMS’es out there (Drupal, Joomla) so they can also exchange information with those systems.

In these use cases and in the case with the internet the issue of fidelity comes up again and again. How much information can you exchange reliably and what do you do when stuff is missing? This is an important and valid question with no ready answer; though mine would be ‘get what you can, and ignore the holes where possible’.

Other stuff

Facebook logo

I am currently not implementing anything relating to OpenID and Social Networks but I think I would like to. One idea was to make a Facebook front-end site which uses the information in Facebook to offer you a microformatted profile. There already is an hCard application but extending this with XFN, hReview and hResume would be a real winner.

Yesterday at the O’Reilly event I heard about Yme Bosma, whose job it now is to drag Hyves kicking and screaming into the world of Open Social Networks. I wish him a lot of luck as that would be a good thing to have. I have started my own work on scraping the Hyves site but that hasn’t been as simple as I would have liked.

Wednesday, June 13th, 2007

Ratatouille and software development: Make it live!

I was looking at the excellent Ratatouille (Pixar’s upcoming movie) video podcasts recently and a thought struck me:

Pixar always makes their product live looong before the product is finished. The amount of video material that doesn’t even make it into the DVD extras, let alone the movie itself, is astounding. For example, on one of the podcasts, Pixar’s own cook explains how he cooked up a bunch of dishes to allow the artists to draw tasty-looking food. Then somewhere in that segment, a fragment of a little video flashes by, with the main character (Remy the Rat) commenting on how yummy each animated item looks, with no background and a couple of rendering artifacts.

ratatouille sniffing some food

That scene was written, voice-acted, animated, and partly rendered JUST to get a feel for the characters, the tone of the movie, and to make sure everyone in the entire company has a real relationship to the work they are doing.

For those of you in IT - there’s a lesson to be learned here: Make your software do SOMETHING as fast as possible. It doesn’t matter if half the material is patchwork mockup. Once it’s a real application you can actually start or go to and see in action, even if most of the results are just simple scripting - in other words, once it starts to ‘live’, you have a marketing message, motivation, a sudden sense of priorities, and most of all an unqualifiable feeling about the thing you’re making.

NB: All Transactions are based on Trust will continue tomorrow.

Monday, May 21st, 2007

OpenAvatar - Combining OpenID and hCard

Cristiano and myself wanted to add avatar support to Four Starters so that people could put a face to the writer of a post or comment. There already exist some solutions for this, but something more open might be nice.


Tuesday, May 15th, 2007

Web 2.0: Programmers Needed

These are glory days for those interested in computers, particularly: programmers.

The big five (Google, Yahoo, Microsoft, eBay, Amazon) are buying more than one company a week - Google alone is picking up startups left and right. These are actual sales; unlike the dot com bubble of the late 90s, you become an actual millionaire, not just on paper. If you want to splurge, it’s up to you. There won’t be a VC with veto power over large financial transactions to rain on your parade and ride your startup into the ground.

However: there’s a lack of programmers in this land of opportunity. It’s so bad that I openly oppose ‘stealth mode’ (not going public with your startup idea until you are ready to launch it) - there are so many ideas and so few implementors out there, you have absolutely nothing to worry about. Only if you have some specific marketing goal that justifies stealth mode should you go for it; don’t do it just because you’re afraid someone’s going to rip off your idea. It doesn’t happen, not right now.

Uncle Sam

It’s even worse, in fact - You don’t even need an idea! You can just take a successful idea, and localize it to your own country. You can rip off just about everything, and while you may not exactly be hailed as a visionary paragon, apparently you don’t get sued, you do get popular, and you do get bought. You don’t even need design skills though I’m sure they help.

You just need to know how to program, on your own. That’s about it.

This get-rich-quick-scheme actually works, and if you’re a (good) programmer, you’ve got most of the skills you need to toss your name into the hat already. What are you waiting for?

Saturday, May 5th, 2007

Programming by voice… no.

A long long time ago, I managed to find an IBM ViaVoice edition at a flea market, for one guilder. (It’s voice recognition software).

I was working on an assembler project back then, which has a very simple and small instruction set. I had a wacky plan to use the ViaVoice software to allow me to program by speaking, instead of typing. I honestly thought it would let me program faster; it wasn’t some sort of noble goal to help programmers around the world suffering from RSI.

I guess my younger self wasn’t all that smart.

The project failed miserably, as customizing the dictionary wasn’t really possible, and you type something like MOV, or 0xFF a lot faster than you can say it.

Vista ships with a notorious and temperamental voice recognition module. Hmmmmm…. perhaps almost a decade of software improvement has brought programming-by-voice closer to reality?

Let’s check it out! (YouTube video)

program by voice

“Funny” doesn’t cover the half of it. I practically fell off my chair.

NB: the sheer level of frustration reminds me of the Custom Super Mario level from Hell (swearing abounds, careful if you’re at work).

All kidding aside for a moment, the performance really isn’t that bad, and Perl isn’t exactly the most natural language; it’s closer to cartoon swearing. If the software knows about the grammar and syntax of the programming language, this almost looks like it might work. The one time I ever got serious RSI indicators was when I tried to teach myself Dvorak, but, certainly, the number of programmers suffering from RSI out there should be large enough that there just might be an interesting market for creating voice recognition software for programmers. I know, I know - there are far more ideas out there compared to entrepreneurs, but this particular idea should be just perfect for a Master’s thesis at my old alma mater, Media and Knowledge Engineering at the Delft University of Technology.