Danny's Weblog

2007 May 22 [ Tue ]

Google problem for people in Cambodia seems partially fixed

A few days ago I described a problem with trying to access Google from a cambodian IP: www.panix.com [http://www.panix.com/~dannyw/weblog/Computers/Internet/google-kh01.html]

Weirdly, the next day I noticed that the problem had been fixed. I had noticed that somebody from Google's IP range had been snooping round the site, repeatedly hitting it first from Google and then an IP in Singapore or somewhere; maybe he checked it out when he happened to notice I had a Google gripe.

The other possibility is that Google was *always* working in Windows, because it's *still* not working in Linux Firefox. I can't believe that though, because I had been noticing the problem for weeks, and I still use Windows occasionally. ...I just checked and the problem is gone from one of the machines I use most, in Windows Firefox.

Hmm. Why is it still *not* working for me in Linux Firefox? ...Hmmm... I tried turning Javascript on but it diodn't help.

2007 May 17 [ Thu ]

Irritating problem with Google in Cambodia

For a year or so Google has had a Cambodian version. Apparently, as soon as it was available, the main Google page at www.google.com would notice if you accessed it from a Cambodian IP and would add the option of clicking a button for the Cambodian version.

However, something was not very well thought out: they tried to display the link in Khmer script, but on 99% of the machines I've seen it displayed as boxes. I never tracked down what the real problem was – the code for Google's main page is much more complex than its appearance suggests – but I'm guessing they tried to use Unicode, which very few browsers here are set up to support. I'm sure that if they had just tried to use Limon they would not have had the problem, but it probably doesn't fit into their setup, and it's not politically-correct. (Even if the browser happens to be set up to display the fonts correctly, the Cambodian users don't know how to enter text even if the Khmer Unicode keboard handler is installed.)

Presumably Google people noticed that almost nobody was using their link, so they decided to go the fascist route: now all attempts to reach www.google.com are redirected to www.google.com.kh. Considerately, they left a link to "Google.com in English", which is the only thing you can read on the page (for 99% of befuddled users).

Regrettably however when you click on the link (to www.google.com/ncr) it *doesn't work*; you are redirected *again* to www.google.com.kh.

I assumed this would be a temporary thing, and started accessing www.google.com by IP number. However, after a couple of weeks that IP number stopped working. Presumably somebody noticed a bunch of accesses by IP number and said "we'll fix him! we'll deny accesses by IP!". I found a different IP number which is working right now, but I fear Google may implement a system-wide fix for my "problem".

Google has an excellent reputation (although I have always maintained that they lucked into search as one of the few applications of computers where results may still be useful although provably wrong, and better yet difficult for the hoi polloi to prove wrong) but this problem makes them seem not only utterly clueless but offensively intrusive.

2006 May 13 [ Sat ]

Weird problem with Putty pscp

"Putty" is the Windows program I use to connect to my servers using the secure ssh protocol. It's freely downloadable. It includes the "pscp" program for doing file transfers via the encrypted ssh link.

A few days ago I needed to do a file transfer but pscp failed with a strange "out of memory" error. Feeling superior, I booted my little CD with "Damn Small Linux" and ran scp, the equivalent version of pscp but otherwise completely unrelated, only to get the same error msg!

As I discovered on that same day that the internet cafe had put a virus on my USB key that was designed to capture passwords, I was a little concerned. Indeed I have not been back there since (when I told them that at least two of their machines had the virus, and they needed to install an up-to-date virus checker on their machines the guy said "Oh yeah? Uh-hmmm?") although I probably will, after a decent interval has elapsed. (Incidentally I usually add a shortcut or two to the browser on machines I use, so I can detect when they reload them: apparently not for months, which I suppose is some sort of tribute to WIndows XP/2000.)

To cut a long story short it eventually occurred to me to Google for the error message, and here's the answer: the.earth.li [http://the.earth.li/~sgtatham/putty/0.55/htmldoc/Chapter10.html#S10.6]

What had actually happened was that I had added a string to my Unix prompt, and bozoically added it to my .shrc instead of my .login, so that the string was generated not only on login but by every process which spawned a shell. Unknown to me, this was actually what my pscp/scp were trying to do at startup, but they interpreted the string as a call to reserve a huge amount of memory at the client end, causing the client to throw up its hands with a stupid misleading error msg. Aargh.

2006 Feb 15 [ Wed ]

Firefox memory problem a "feature"?

According to this Slashdot thread: developers.slashdot.org [http://developers.slashdot.org/article.pl?sid=06/02/14/2154224] Firefox takes more and more memory because it keeps old pages in RAM (so that they can be reloaded faster) even after you close their tabs.

I had been getting problems using Damn Small Linux because the Firefox was using more and more memory – not good when you can't page to disk.

I'm running IE now (aargh) so I can't check it, but apparently you can fix this by putting about:config in the URL box, then scrolling to this value:

browser.sessionhistory.max_total_viewers 

and set the value to 0.

...hmmm. Later posts in the Slashdot thread deny it. Oh well, I'll try the above fix anyway and see what happens.

2006 Feb 14 [ Tue ]

The "Honeynet" project has various anti-hacking tools

Their main page is notr very exciting. Try this one instead: www.honeynet.org [http://www.honeynet.org/tools/index.html]

A "honeynet" is a system of servers which are set up to act as "honeypots" – ie, machines which will appear to be hackable so that hackers will find them and attempt to hack into them. But they have special software running which allows a great deal of information to be gathered *from the hacker*. For instance, as soon as a hacker gets into a machine, he will download his own tools package somehow. Often this process will allow the honeynet machine to capture the machine name, user name and password of the accounts that he is using, which provides both a lead to his identity and a way to gather more information (eg by logging into his IRC group).

honeynet.org provides a CD which can be used to easily set up a honeynet server. They also provide the tools individually, as in the link at the top.

It strikes me that the dividing line between hacker tools and anti-hacker tools is rather small. For instance, if a hacker manages to subvert DNS (or ARP), client workstations can be fooled into thinking the hacker's machine is their normal server. The hacker merely has to use the honeynet software on his machine: when they attempt to log in, their usernames and passwords can be captured.

One of the individual tools is "sebek": www.honeynet.org [http://www.honeynet.org/tools/sebek/]

It has two components. The first is a client that runs on the honeypots, its purpose is to capture all of the attackers activities (keystrokes, file uploads, passwords) then covertly send the data to the server. The second component is the server which collects the data from the honeypots.

If this software can be used to gather all this info from relatively wily hackers, it can certainly be used against normal users. Like your girlfriend. Hmmm.

2006 Jan 31 [ Tue ]

Microsoft is apparently still allowing sites to share your cookies

I have posted about this before: www.panix.com [http://www.panix.com/~dannyw/weblog/Computers/Internet/cookieexploit02.html]

A description on c/net: news.com.com [http://news.com.com/2100-1023-245680.html]

A recent posting on Slashdot says that this is still happening: it.slashdot.org [http://it.slashdot.org/comments.pl?sid=175615&cid=14603033]

The existence of this security issue makes a mockery of Microsoft's public pledges to concentrate on security – as do many other similar issues.

2005 Dec 26 [ Mon ]

Actually, Joomla *can* work with Moodle

In a previous article I confessed that I had mistakenly assumed that Moodle was module-compatible with Joomla: www.panix.com [http://www.panix.com/~dannyw/weblog/Computers/Internet/Joomla]

Actually Moodle *does* have a degree of compatibility with Joomla, in that Moodle can be installed so that it runs "inside" Joomla, at least as far as the user sees it. Right now that capability seems to be poorly documented and liable to break things, but apparently some people have made it work. For instance, they can share the user/password database. (phpbb can do the same thing, although regrettably phpbb has fewer restrictions on usernames so you usually can't import existing phpbb users into the Joomla system.)

Actually, I think it's probably better *not* to share the user database for my purposes, but it's good to know it's not impossible.

See eg discussion here: moodle.org [http://moodle.org/mod/forum/discuss.php?d=20080]

Apparently features like this are called "integrations" in Moodlespeak: download.moodle.org [http://download.moodle.org/modules/integrations.php]

I had been vaguely looking for this stuff under "modules". Silly me!

The "filters" category is a little thin, but you should check it out. For instance, you can install a filter that turns TeX code into GIF images: hmmm...

2005 Dec 14 [ Wed ]

I made a silly mistake with Joomla

No, not with the patch (as far as I know just yet).

For some reason I got it into my head that Joomla was compatible not just with Mambo but *also* Moodle. I'm not good with names so I guess I just remembered them as "silly sounding name N". As far as I can see, while Joomla and Mambo are still compatible (at least for now), Moodle is a *completely separate product*.

This is a pity because actually *Moodle* has the education features I need.

Fortunately Moodle was easy to install and has been flawless so far (not very far) and I think I may maintain *both* systems for a while. It might be good to have a *total* separation between the public features and the features for paying customers.

Patching Joomla 1.03 to 1.04

I was puzzled about how to *apply* this patch, even though pretty clearly it was the file I wanted (the filename was after all Joomla_1.0.3_to_1.0.4-Stable-Patch_Package.tar.gz). It just said something about "put this in your Joomla directory".

Having dealt with tar files before, I suspiciously checked the directory structure inside the tar file. It corresponded to the directory structure inside the Joomla directory. So (in fear and trembling) I went ahead and ran tar -xvzf | less.

After maing the disappointing discovery that on my new server "less" appears to be symlinked to "more" instead of the other way round, I could see no error messages.

Then when I tried to run it from the browser, everything seems to work fine and it does say version 1.04.

I don't know quite how this really worked. For instance, I noticed a new htaccess file in there, but I assume it has to be manually copied to .htaccess.

Likewise, the files are marked owner/group "pasamio" inside the tar file but of ocurse were created with my default owner/group when I untarred them. I think I'm just lucky that happens to be OK for this webserver.

2005 Dec 10 [ Sat ]

Setting up Joomla

I recently set up another site. One reason I chose my hosting vendor was that they had Joomla via web-based install: I figured I didn't really need web-based (in fact I hate web interfaces for admin) but it probably meant that they had several users already running it.

It basically worked ok. Some observations so far:

1. Joomla actually has surprisingly little documentation. For instance, I couldn't find anything that explained which visible items were part of the base install and which were part of the template.

2. The site logo, at least with one template I checked, isn't even defined by HTML, but in css. It took me a long while to find it (it didn't help that I kept thinking there must be an easier way to track it down as I pored through HTML, PHP and CSS).

3. Even when features *are* accessible via the administrator's web interface, it's not obvious *where* they are in the interface. I found myself wishing for some sort of feature where you could hover the mouse pointer over an element and it would pop up a little window that told you how to edit it. Or documentation.

4. So far it's been stable. I'm fairly impressed.

5. The update process is a little scary. Why do they give you a windowing interface and handholding to do trivial stuff you could do faster at the command line, but to do a security update you have to manually overwrite every changed file on the site? Oh and by the way, there's no readme file to explain exactly how to overwrite it. What happens if you *edited* some of those files?

6. I'm surprised – considering all the hype about Joomla – how few features there are. I was assuming there would be software to create class packages; payment modules; test result analysis... but about all there is seems to be timed release of content and user registration.

7. Huh – I noticed something in the sourcecode about creating PDFs, and now I found that if a user goes below a certain level in the hierarchy, a content item gets a clickable PDF icon – and it seems to work (although for some reason Firefox crashes if Adobe Reader is *already open* – go figure).

2005 Aug 08 [ Mon ]

Interesting to check your cookies sometime

I've found it's impossible to figure out cookies unless you first delete all cookies. Then it's much easier to eyeball each new one as it arrives.

Today I was checking out the blogs of my new blogging buddies from last night. I had gone only to blogspot.com, Google and elizabethriel.com, but I found cookies from AOL.com and yahoo.com. Hmmm.

I would be more self-righteous about this if I hadn't myself proposed at the meeting last night that we put a tracking image on all our sites so that each of us could watch the behavior of users who crawled across them. "Don't be evil." Sigh.

2005 Jul 08 [ Fri ]

Microsoft to buy trojan company; MS antitrojan sw already ignores it

As discussed on Slashdot: it.slashdot.org [http://it.slashdot.org/article.pl?sid=05/07/07/1517254]

MS is negotiating to buy Claria, which used to be known as Gator, but changed its name because too many people had heard of it. The Claria software purports to install a few little utilities, but actually takes over your computer and spies on you.

Apparently as a result, MS's antispyware product, which they bought a few months ago, has now been set to *not* identify Claria as spyware.

The following posting makes it clear that the foxes are running the farm, not just the henhouse:

D. Reed Freeman, the "Chief Privacy Officer" of Claria Networks (formerly Gator), the creators of the pervasive spyware package GAIN, has been appointed to the Department of Homeland Security's 'Data Privacy and Integrity Advisory Committee'.

Damn Small Linux and usb memory, continued

I just tried starting up DSL on another system and just doing

mount /dev/sda1

and I was then able, as non-root, to do

ls /mnt/sda1

and see the directories on my usb stick.

However, dmesg reports a bunch of errors on this machine as well, as soon as you plug the usb key in. I don't understand how it can work. Perhaps there is some sort of hidden partition on the usb key – as well as the normal vfat partition – and Linux tries to mount the hidden partition as well and reports errors there, and just keeps quiet about the normal partition. I don't actually know what "dev 03:01" is.

2005 Jul 06 [ Wed ]

Reading a USB memory device in Damn Small Linux (DSL)

In some Linux distributions this all works automagically but it did not seem to work for me until I did some prodding.

This is a forbiddingly long explanation for Linux in general: www.ibiblio.org [http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Flash-Memory-HOWTO.html]

Then I tried this, which is specifically for DSL: www.ke1ha.com [http://www.ke1ha.com/dsl-linux/downloads/dsl-usbkey-mini-how-too.pdf]

(it *does* have two o's in "too") and was able to do the following

1. Plug in the usb key.

2. Open a shell and enter "dmesg" (not "dmsg"). This will show you the most recent messages from the kernel. In my case, it appeared to be trying to mount the usb key, but failing because it did not see a FAT filesystem. (If your Linux distribution does *not* show something like this, you may have to install driver support, which may be explained in the top link. But personally, I would give up.)

3. Run "mount" to check if anything was half-mounted:

/proc/bus/usb on /proc/bus/usb type usbdevfs (rw,devmode=0666)
none on /proc/bus/usb type usbfs (rw)

4. Actually, to *add* a mount point you need to be root. Do this by:

sudo su

5. Now you can create a fresh directory to mount on:

mkdir -m 777 /mnt/memstick

6. And do a manual mount:

mount -t vfat /dev/sda1 /mnt/memstick

(I don't understand why this didn't work before automagically.)

7. As you created all this stuff as root you still need to be root to view it with ls or whatever. Changing the permissions on this is left as an exercise to the reader.

8. Alternatively, at least after doing the above, there is a much easier trick. First (as root) unmount memstick: #umount /mnt/memstick

9. Then cat /etc/fstab. I haven't tried rebooting DSL to check if this comes up as soon as you plug in the usb key, but this is what it had:

# Added by KNOPPIX
/dev/sda1 /mnt/sda1 vfat noauto,users,exec,umask=000,uid=1001,gid=500 0 0

10. So then (as root) I could do

mount /dev/sda1

and mount picked up the defaults from /etc/fstab and worked – and this time /mnt/sda1 was world-readable.

11. Remember to

umount /mnt/sda1

before you shut down DSL.

12. I still am not sure why this didn't work at first. Here's the current output of dmesg:

hub.c: new USB device 00:07.2-2, assigned address 2
scsi2 : SCSI emulation for USB Mass Storage devices
  Vendor: JetFlash Model: TS256MJF2B        Rev: 2.00
  Type:   Direct-Access                      ANSI SCSI revision: 02
Attached scsi removable disk sda at scsi2, channel 0, id 0, lun 0
SCSI device sda: 511744 512-byte hdwr sectors (262 MB)
sda: Write Protect is off
 sda: sda1
WARNING: USB Mass Storage data integrity not assured
USB Mass Storage device found at 2
FAT: Did not find valid FSINFO signature.
Found signature1 0x66024a1e signature2 0xc88b6602 sector=4.
VFS: Can't find a valid FAT filesystem on dev 03:01.
FAT: Did not find valid FSINFO signature.
[
Now tried manual procedure]
Found signature1 0x66024a1e signature2 0xc88b6602 sector=4.
VFS: Can't find a valid FAT filesystem on dev 03:01.
[
Did umount]
usb.c: USB disconnect on device 00:07.2-2 address 2
[
Reconnected]
hub.c: new USB device 00:07.2-2, assigned address 3
WARNING: USB Mass Storage data integrity not assured
USB Mass Storage device found at 3

Then doing "mount /mnt/sda1" worked.

Strange.

Using Damn Small Linux "DSL" at an internet cafe

I have always been very wary of doing credit-card transactions via an internet cafe because of the danger of trojans, or indeed anybody with local access to the computer, installing software keyloggers. I had to do such a transaction this week and after a while I thought of rebooting the machine with a Linux Live CD of some kind.

I had tried out Damn Small Linux several months ago, but I didn't use it very much and when I needed to use it this time I made some dopey mistakes. So I'm giving a list of steps here that I need to carry out each time I use DSL at an internet cafe. (Incidentally, it was astronomically stupid of them to give their package a name whose acronym is the same as an entirely different computer thing: it makes it much harder to search for.)

This sounds embarrassing, but you will need to know your account password. I had *forgotten* it because I normally use an authentication agent, and I only remembered the passkey to the agent!

1. When you arrive at the internet cafe, specify that you need a machine that has a working CD drive. I would guess that only one machine in four does, so you probably need to show up at a non-busy time to be sure of getting one. Also, I use a mini-CD; most drives should work with it *if* they're horizontal, not vertical!

2. *Before* you try to reboot, check the existing machine's network configuration. In Windows 2000/XP, the easy way to do this is Start – Run – cmd.exe – ipconfig /all. If you see that the setup just uses DHCP, DSL should just work by default, but the cafe I am sitting at right now has a mildly strange setup that DSL cannot autosense at all.

If you have never used the machine before, you might want to check it under Windows first – mouse, keyboard, usb etc – in case you need to ask the staff for help.

I have not had to worry about it but the cafe may be blocking HTTP accesses which do not pass through its proxy. So you may need to check proxy setup in Internet Explorer too.

3. *Now* try rebooting with the DSL CD. Non-antique machines – even seven-year-old models like the one I'm using now – should have the "boot from CD" option in the BIOS, although access to the BIOS – if the option is not enabled – may have been password-protected; in that case you have to plead with the staff, who will say "password?" like you were asking for their bra size.

4, I don't usually have to intervene in the boot; I have been lucky and it always selects a functioning card driver on the four or five machines I've tried. I don't know what to do if the machine has an oddball card. (If for some reason you need to use a laptop with DSL – eg to avoid the threat of a *hardware* keylogger, you borrow a friend's laptop and take it to the cafe – you need to bring up DSL's boot options menu to set the laptop's actual screen resolution on boot.)

5. Once DSL has brought up the desktop, you can try the network by bringing up a shell (r-click on the desktop; XShells; Rxvt light) and doing some sort of ping. If that does not work, you need to set up the network card config manually. Do r-click on desktop; System; Net Setup; netcardconfig. Otherwise, skip to step 9.

6. It will first ask "Use DHCP broadcast?" and the default is always "yes". (Do not make the dumb mistake I just did when I brought up netcardconfig again to check these prompts: as soon as you click "yes" it reconfigures the card and you drop all existing connections!) Press "tab" to move the setting to No and press Enter.

7. Then you get a succession of entries most of which you can copy from the Windows setup:

Please enter IP address for eth0: 192.168.1.113

Network mask: 255.255.255.0

Broadcast addr: 192.168.1.255

Default gateway: 192.168.1.1

The "broadcast addr" is not specified by Windows and I think for some reason netcardconfig takes a bad guess at it. You do need to know a *little* about IP to set it correctly...

8. netcardconfig then mutters to itself for a few seconds. So far, for me, it has then just worked; I don't know what to do if you need to debug something.

9. Now I was able to use ssh, something like this: ssh -l dannyw panix8.panix.com

ssh will warn you that it does not have a record of panix8's key. You should write down the key for future references. (If you log in again and see that it's different that's a time to worry. Remember however that if you use ssh set to a different encryption mode the key will also be different, and the *default* mode for ssh is different for different versions of ssh.)

It will then ask you for your password. It's possible and desirable to set up ssh to use an "authentication agent" so that you only need to enter the passkey to the agent *once* per session, but I haven't tried that in DSL.

10. Firefox just worked for me. You might want to do "edit preferences" to check security setup, eg for using a proxy. It takes a long time to start up and there is no "wristwatch" indication that anything is happening, but the activity light on the drive will be busy.

2005 Apr 17 [ Sun ]

Kill Flash cookies in Firefox

Most people have installed the Flash extension in their browsers in order to view animated content. However, a feature of Flash allows any Flash file programmer to set a persistent object within the Flash subsystem – effectively the same as a cookie. If you take the trouble to stomp on cookies, you need to do the same to Flash cookies.

If you run Firefox, you now can with the following free download: www.yardley.ca [http://www.yardley.ca/objection/]

Right now, it only works under Windows.

2005 Apr 03 [ Sun ]

Macromedia Flash files can contain "web bug"

A "web bug" is the name for a trick which can be used to reveal your IP to a remote site when you open a file. For instance, when a spammer sends you HTML email, it probably includes a call to a .jpg, perhaps invisibly small, which tells the spammer as soon as you open the file that the email address corresponding to "03a4ea3f553a.jpg" is real so he should send a hundred more spam emails to it.

In the following posting on Slashdot: yro.slashdot.org [http://yro.slashdot.org/comments.pl?sid=144752&cid=12122474] somebody makes the point that you can include a call to a remote .jpg file in a Flash file. So someone can release a file "bushfucksapig.swf", it spreads all over the internet to ten thousand sites, and he can track the ip of everyone who loads it. Hmmm. I set ZoneAlarm to prevent accesses by random programs to the internet, but probably Flash sneakily goes through IE. Hmmmmm...

The Slashdot discussion was about a new trick for .pdf files which allows a web bug to be inserted in pdfs: yro.slashdot.org [http://yro.slashdot.org/yro/05/04/02/1928211.shtml]

Apparently this is not a new feature: yro.slashdot.org [http://yro.slashdot.org/comments.pl?sid=144752&cid=12122724]

yro.slashdot.org [http://yro.slashdot.org/comments.pl?sid=144752&cid=12123537

] 2005 Mar 31 [ Thu ]

Another mention of Microsoft's cookie exploit

I can't understand why everybody hasn't already concluded Microsoft is *evil*: not just incompetent, *absolutely evil*. People were complaining that third-party cookies were a security problem, so Microsoft added a feature to reject them – but quietly added a feature to its websites which allows *anybody* to grab the msn cookie for any visitor to his site, *completely negating* the foreign-cookie feature.

I described this already: www.panix.com [http://www.panix.com/~dannyw/weblog/Computers/Internet/cookieexploit01.html]

A Slashdot poster added the following:

news.com.com [http://news.com.com/2100-1023-245680.html?legacy=cnet]

www.securityfocus.com [http://www.securityfocus.com/news/83]

www.internetadsales.com [http://www.internetadsales.com/modules/news/article.php?storyid=4996]

That last site "internetadsales.com" may be interesting general reading: find out what people who hate you and want to destroy your security and privacy think. (No, I don't mean Homeland Security.)

2005 Mar 28 [ Mon ]

Free html editor available

Linspire, who make a slightly lame version of Linux aimed at Windows users, have sponsored a free html editor based on the "Composer" in Mozilla. It has some nice features: for instance, it understands at least a little CSS. Downloadable for Linux, Windows, Mac: www.nvu.com [http://www.nvu.com/features.html]

I wish you could use it with ssh not just ftp. When I tried ssh in Dreamweaver, first it gave an incomprehensible message, then when I Googled for that I had a very tedious procedure, then it *still* didn't work right. ??

It just occurred to me I should have tried using ssh to establish a *tunnel* to the server, and run ftp *through the tunnel*. Hmmm.

2005 Mar 27 [ Sun ]

Alternatives to Windows Terminal Server

Windows Terminal Server is provided free with recent versions of Windows, but of course you need client access licences and all that. Also, it is missing a lot of the features in Citrix.

Slashdot discussion: ask.slashdot.org [http://ask.slashdot.org/askslashdot/05/03/21/1710246.shtm]

My synopsis:

1. Don't forget X11.

2. VNC works but is clumsy for multiple users (or one user trying to access from multiple locations)

3. There is a Linux thing called dmcp – or xdmcp – which I have not tried before: you run it on the server and then any X client can log in to a desktop installed on the server.

4. I think your users may grumble if they can't get sound on their machines. Freenx does handle sound apparently, but is difficult to install unless you get a non-free installer package:

www.nomachine.com [http://www.nomachine.com/]

Apparently freenx is functional with a lot less bandwidth than X.

...I checked the download size of the freenx server, and it's 5.6 MB for Mandrake Linux 10.1: www.nomachine.com [http://www.nomachine.com/download_fil2.php?Prod_Id=180]

The download page says "The license key that you receive via email will only work with the specific evaluation software that you have selected. Evaluation software is not entitled to support from NoMachine."

2005 Mar 25 [ Fri ]

templatemonster.com -- Design a website without needing design skills

Lately I have been glumly thinking that people who use pre-rolled websites like blogger.com have nicer-looking pages than me. I like the concept of templatemonster.com, but I'm a little fuzzy about how exactly you *install* one of their templates. They do have versions for PHP-Nuke, Macromedia Dreamweaver, Macromedia Flash, etc. I should probably try downloading one of their samples.

2005 Mar 17 [ Thu ]

Not hot news, but very interesting: Microsoft cookie exploit

I probably should have heard about this before, but anyway here it is: www.pc-help.org [http://www.pc-help.org/privacy/ms_guid.htm]

By using multiple redirects, any website can both provide information to another server about your access to its pages, *and* receive back the other server's "globally unique' ID for you.

I tried the trick mentioned in the article using this URL: msid.msn.com [http://msid.msn.com/mps_id_sharing/redirect.asp?www.panix.com/~dannyw/weblog/2004/01/?ID=redirect] It seems to work as the article suggests: I was redirected from the msn.com site to my own site. The displayed URL was then: www.panix.com [http://www.panix.com/~dannyw/weblog/2004/01/?ID=redirect&newguid=B218DBA3DCA04931B580FABD6F4E6FD4]

Unfortunately, I had recently deleted all cookies, so I can't be sure if that cookie has the same value as the local machine's msn cookie. Maybe I'll try that later.

...Hmmm, when I tried browsing to MSN and then looking at Temporary Internet Files to check the value stored in the msn cookie, I got: "Your current security settings do not allow you to perform system commands on this item." Wtf?

Incidentally, I was very confused for a while because I tried to R-click on the T. I. F. window while the error prompt window was obscured. It produced a peculiar list of options unlike the normal R-click options.

w3.org has browser test suite

The w3.org created a bunch of pages and accompanying documentation to allow you to test whether your rowser is functioning in accordance with the 4.01 spec: www.w3.org [http://www.w3.org/MarkUp/Test/]

It occurs to me it might be worth plodding through the available docs just as an overview of all the features available in the HTML standard. I know I'm occasionally surprised when a website has a page that does something I didn't think was possible.

For instance, here is a pretty clear and presumably authoritative explanation of language specification: www.w3.org [http://www.w3.org/TR/html401/struct/dirlang.html] Usefully to me, it defines the *order of precedence* when a single page defines the laguage in multiple ways.

Cheap, adequate system to provide limited access to *coffee drinkers*

This posting addresses the needs of coffee-shop owners who provide Internet access via wifi as a sideline, as opposed to internet cafe operators, who probably have more users and more tech background. In other words, the coffee-shop operator doesn't want to have to handle a full internet-cafe administration system with metering, logging and whatnot: he just wants to apply some limit so that people don't come in, buy one coffee, and download videos the rest of the day.

Slashdot discussion: ask.slashdot.org [http://ask.slashdot.org/askslashdot/05/03/15/158214.shtml]

Two links seemed particularly useful. There is a free software package, nocatauth (it's probably beyond most coffee-shop operators to set one up, but you might be able to sell the install as a service to them): nocat.net [http://nocat.net/]

Zyxel makes a very nice little package of a DSL router/access point and a little printer. You don't need an attached PC to run. You can make any setup changes via a web interface.

I would like to provide a direct link but for some reason the Zyxel site insists on creating enormous URLs which screw up my pages. Here is their home page; search for the model "ZyAIR B-4000": http://www.zyxel.com

2005 Mar 10 [ Thu ]

p2p programs considered harmful

When I start to use a PC in an internet cafe, I often find that someone has installed some sort of downloading utility. I formed the opinion years ago (in relation to Kazaa) that the people who offer these utilities should be shot, but it's hard for me to make that point so succinctly to internet cafe operators.

The following link contains many details of how various p2p "products" mislead and cheat the user, and may serve to make my point: www.benedelman.org [http://www.benedelman.org/spyware/p2p/]

Even for one's own computer, many people are careless about checking what these programs actually do (hint: everything about the EULA is designed to confuse and mislead). So people using an internet cafe machine have virtually no incentive to behave responsibly with it. I believe that internet cafe operators should make efforts to prevent their users from installing such (or any) sw without permission, and should take pains to remove it if they find it.

2005 Feb 27 [ Sun ]

The problem with the wikipedia and the problem with blogging

Slashdot has a thread on criticisms that an Encyclopedia Brittannica guy made of the Wikipedia (an online encyclopedia which allows amyone to edit the definitions): slashdot.org [http://slashdot.org/articles/05/02/26/1613233.shtml]

The main criticism seems to be that if you allow anyone to edit the definitions they fill up with garbage (like Usenet), but there is no clear way to form an acceptable consensus on all but the most incontrovertible entries (eg the atomic number of chromium – compared with the number of Jews killed by the Nazis).

There was a different thread a few days ago with somewhat analogous criticisms of the blogging phenomenon.

I have two responses:

1. Slashdot itself has the "modding and metamodding" feature which seems to work quite well for most people. (Other users are encouraged to comment on each article, leading to ratings for each article, each user as a poster *and* each user as a rater – which every user can use to selectively view postings.)

I think overall the issue with the Wikipedia is that the creator just *assumed* that something worthwhile would emerge from a morass of competing opinions. I think that it is *possible* to set up a system which does so, but the Wikipedia has so far succeeded only in attracting a mass of opinions: not really in administering them efficiently, or rating them.

Incidentally, I remember an sf book, I think "More than Human" by Theodore Sturgeon, in which one of the new-human genius types has a little project: he simply provides an anthill with all the resources it needs, so the ants don't *have* to slave 24 hours a day. Within a few years, the ants are making steel. In the story, the genius seemed to be just making an idle experiment; I think the creators of the Wikipedia would just assume that *of course* the ants would figure it all out automagically.

The issue with blogging is somewhat the same: anyone can put anything in his blog. I think the reason people now put up with this is simple: people have come to realize that the "official" information sources are full of lies and spin, and are willing to make considerable efforts to wade through the morass of unofficial opinions.

2. I have already described a system analogous to DNS which would allow organizations to present *their own* definitions of certain terms: www.panix.com [http://www.panix.com/~dannyw/weblog/Miscellaneous/naming01.html]

Perhaps there would be some automated way for individuals to attach their personal opinions to such definitions: perhaps some sort of RSS-like standard similar to trackbacks. Then someone searching for a definition of say "Zionism" might (with the patience of Job) be able to track each competing definition back to the worldview which formed it.

2005 Feb 26 [ Sat ]

Use of "certificates" to change security settings in Internet Explorer

I have never trusted the whole "signing" procedure with browsers. It's very clear that Verisign etc are criminal organizations with no interest whatsoever in end-user security, so why trust them to tell you that you can execute code from some third-party site?

However, some people *do* use the certificate system (presumably innocent, trusting types) and they then *add* this to the browsers in internet cafes ("always trust certificates from NO LIABILITY ACCEPTED?" "Sure, why not?" – this is the *actual name* of a "trusted root certification authority" on the computer I am using now). It had not occurred to me till now that these certificate lists are themselves a form of spyware which needs to be periodically inspected and cleaned out. (I have never seen a message from a spyware removal tool saying it had found a suspicious certification authority.)

Incidentally my own habit is to accept whatever signing system a site that I need to use is using, and then rely on the browser system to tell me if the certificate for that site *changes*. But it now occurs to me that I am not at all clear whether the browser can reliably be expected to do so: if the fake man-in-the-middle website offers a certificate signed by a fake certification authority that some chump permitted to be installed in the browser, does the browser really warn you? Hard to say.

So my plan is to somehow make a printout of trusted authorities on a brand-new install and then (laboriously) clean out all others before trusting an internet cafe machine. Groan... back to Knoppix...

2005 Feb 14 [ Mon ]

The "embedded fonts" system now appears to be unsupported

A few months ago I described how to set up a webpage, for example to use Cambodian fonts, which could give links to "embedded" font files in the special ".eot" format, and IE would automagically download them and install them without needing any work by the user (although it's possible to turn off this feature inside Internet Options).

Regrettably, the following Slashdot poster says this system was not accepted by the IETF and is no longer being supported by Microsoft:

Embedded fonts... OSS alternative? (Score:2) by Civil_Disobedient (261825) on Saturday February 12, @08:14PM #11655639 it.slashdot.org [http://it.slashdot.org/comments.pl?sid=139241&cid=11655639]

I agree with the OP that it's a shame Microsoft stopped pushing its embedded fonts technology (though it does still work <www.spoono.com [http://www.spoono.com/html/tutorials/tutorial.php?id=19>] [spoono.com]). I also think it's a shame that the W3 didn't approve the standard <www.w3.org [http://www.w3.org/Printing/pennock.html>] [w3.org].

But what is stopping Opera or Mozilla from implementing its own truetype embedded font technology? I just don't understand it at all. Fonts already have a protection bit for copyright enforcement. It's not like it will install a virus on your computer – it's more akin to a cookie.

I looked at the two links he gives and they're highly informative about how the system works and anyone who failed to understand my previous articles should certainly check these out.

The link to WEFT download requires you to be a member of the WEFT "user community" on MSN. I tried joining up for the "MS Volt" community before; nothing seemed to happen for several days and then I got a "click here" email. I forget the details but I think the error msg I got said something like "you silly boy! Change your security settings to "completely insecure" this minute!". I declined the invitation.

The following link looks like it will work with fewer shenanigans: www.microsoft.com [http://www.microsoft.com/typography/web/embedding/weft3/weft01.htm] (9.26 MB) I haven't tried it yet as I am in an internet cafe right now...

2005 Feb 08 [ Tue ]

"Referer" spam

As soon as I enabled comments on the site, some twerp added some spam links to his dopey fake-pharmaceuticals site. This is known as "referer spam": Google takes note of links pointing to the spammer's site and treats them as adding "siterank" to that site, so he gets more hits.

The joke was on him because he forgot to check *my* site's siterank, so links on my site were going to do him no good anyway! Oh well; in order to discourage such links (from *stupid* spammers) showing up all over the site, I changed the code to strip out html brackets. Even stupid spammers know that if the link they added *doesn't work* Google isn't going to reward them with pagerank.

Slashdot discussion on referer spam: it.slashdot.org [http://it.slashdot.org/it/05/02/01/1519211.shtml]

It includes a handy piece of sample code for handling variables (very poorly documented, like .htaccess in general):

Here's how for Apache (Score:5, Informative) by Anonymous Coward on Friday February 04, @10:56AM (#11572618) it.slashdot.org [http://it.slashdot.org/comments.pl?sid=137979&cid=11572618]

I'll assume you're using Apache and have access to the .conf, or someone that does.

First, you need to setup the log you'll use for statistics to exclude requests marked with a "nolog" environment variable.

CustomLog logs/access_log-www.example.com combined env=!badreferer

The following requires Apache's SetEnvIf module. You can put these lines in .conf, or even in .htaccess so you can change them without a restart. If you don't have/want SetEnvIf, you can also use mod_rewrite (E=badreferer:1 at the end of your RewriteRule) to do the same thing.

#Blacklist (adjust as you need)
SetEnvIfNoCase Referer ".*(credit|hold-em|holdem|mortgage|money|cash|
\gb.com|4free|teen|pussy|discount|inkjet|fuck|hasfun|casino|gambling|
\poker|porn|sex|paris|nude|xxx|hilton|adminshop|devaddict|iaea|peng|
\just-deals|pisx|tecrep-inc|learnhow|phentermine|terashells|psxtreme|
\freakycheats).*" badreferer
#Whitelist (optional)
SetEnvIfNoCase Referer ".*(google|yahoo|alltheweb|search|excite|aol.com|
\lycos|msn|altavista|XXXX).*" !badreferer

Additionally, you can use the same blocks to deny them access to your site:

<Limit GET HEAD POST>
Order Allow,Deny
Allow from All
Deny from badreferer
</Limit>
<LimitExcept GET HEAD POST>
Order Deny,Allow
Deny from All
</LimitExcept>

2005 Feb 04 [ Fri ]

An excellent idea for a new top-level domain

Most proposals for new top-level domains are pointless or worse: the .biz domain just wants mcdonalds.com to have to buy mcdonalds.biz as well.

Here's an excellent idea which really needs a new TLD:

A related thought for Domain Names (Score:2) by Roger_Wilco (138600) on Thursday February 03, @12:43PM (#11563942) (www.cns.bu.edu [http://www.cns.bu.edu/~cjmorlan/)] slashdot.org [http://slashdot.org/comments.pl?sid=138219&cid=11563942]

Since there are a relatively small number of memorable domain names, most of which are only applicable to a small physical area, I'd like to see a local-forwarding service. This system would know your physical location, or have a decent guess from your IP, and forward domain name requests (or more likely just do a HTTP redirect) to the registered "local" version.

For example, Moe's tavern in Springfield could register moestavern.springfield.usa.global, which is annoying to remember or write down. It would advertise as being at "moestavern.local", or some such. Going to "moestavern.local" would cause a database lookup for the closest appropriate site, and redirection by CNAME or HTTP redirect.

So if I was in Boston, the local dive called "Moe's" could also advertise "moestavern.local", but when browsing there I would be redirected to moestavern.boston.ma.usa.global.

Some search facility would be required, for cases when one was searching for a site in a different city.

Thoughts?

I snipped out his trolling tagline begging for a free Mac Mini...

Also, it seems to me his basic idea is *redirection*, based on something or other. Conceivably you could have a large local database of preferences – for instance you might be typing in Thailand, but want to browse stores in Sweden – or perhaps you only want to browse sites which support Firefox, or whatever. So you could type in "www.macdonalds.pref" and it would take you to the macdonalds in Norway (because Sweden's doesn't support Firefox, or whatever).

2005 Jan 17 [ Mon ]

pmwiki.org -- collaborative site system all in php

pmwiki.org [http://pmwiki.org/]

This seems to have an easy install (ie, does not need a database server).

I was struck by his comment about the install process:

4b. On some systems you can let PmWiki create wiki.d/ by temporarily changing th e permissions on the directory containing the pmwiki.php file to 2777. In Unix t his is commonly done by changing to the directory containing pmwiki.php and exec uting the command "chmod 2777 ." (note the dot at the end). The chmod command al so works in many FTP programs. Creating wiki.d/ in this manner will (1) make the directory writable so the web server can create the data directory it needs for the wiki files, (2) preserve group ownership of the directory so the installer account can manipulate the files created in this directory, and (3) make it more difficult for other accounts on the same server to access the files in wiki.d/.

I've often wondered about that issue.

I'm too concerned about spammers misusing the upload feature to allow public access, but maybe there are adequate security features. Anyway, it might be quite handy on an internal system.

2004 Dec 10 [ Fri ]

Setting up your website to accept credit card payments

I have never actually had to set up a system for credit card payments, but I have gotten close to it a couple of times, and have looked at a lot of services.

The problems I see are these:

1. Many hosting vendors have proprietary credit-card solutions, so if you ever want to switch to another hosting vendor you will find that you need to reprogram all your payment code, and need to waste a lot of time and effort setting up the new (commercial) relationship.

Conversely, such vendors may not provide very enthusiastic support for you using an independent payment processor.

2. You *have* to make sure that you hold *all* the data which your customers are supplying. If something goes wrong – or if your "customer" tries to pull a fast one – you will need to try to reconcile what he is saying with the reports from the credit-card processor. *This will not be easy.*

On the other hand, you should download processed credit-card data from the webserver at frequent intervals, because any site which handles credit cards is a major target for hackers: you want to minimize the number of users affected if the data is stolen.

Incidentally, many of these worries would be significantly mitigated if the credit-card companies themselves would implement a secure transaction system – eg, with one-time credit-card numbers and two-way anonymity. They have actually done that, but for some reason they don't push the system. Hmmmm....

3. The technical info the processing vendors provide is quite inadequate. In one case, it provided relatively usable info, with sample files you were supposed to paste into your html, and it looked *appallingly* insecure (if I remember rightly, "verified" was a parameter in the url you were supposed to pass!). I was concerned about all kinds of attacks – eg, suppose some Russian hacker says he will post ten thousand false transactions from your site with your payment processor unless you pay him 500 euros.

But mostly, the info provided is so vague you can't really figure out if you even have the expertise to actually set it up (cleanly, with logging and whatnot).

4. When I tried to find discussions of these issues I did not find anything useful – eg obvious trolls.

Oh well. Here's a Slashdot discussion on credit-card payments today: ask.slashdot.org [http://ask.slashdot.org/askslashdot/04/12/06/1834210.shtml]

It deals with setting up multiple redundant processing systems, which is an interesting concept.

One poster agrees with me about vendors' docs:

... (the quality of most providers documentation is, with rare exceptions like worldpay and protx, shit)...

2004 Nov 23 [ Tue ]

What is the problem in *society* which has caused spyware to be so successful?

Of course, I suspect that Microsoft has deliberately chosen to provide insecure default options for all its products.

However, in the course of a discussion on a recent review of anti-spyware products: it.slashdot.org [http://it.slashdot.org/it/04/11/23/0331228.shtml] a Slashdot user made the following very cogent comment:

Well, here's IMHO what's wrong with them (Score:5, Insightful) by Moraelin (679338) on Tuesday November 23, @06:53AM (#10896873) (Last Journal: Monday June 21, @04:25PM) it.slashdot.org [http://it.slashdot.org/comments.pl?sid=130557&cid=10896873]

I've said this before, but here goes again: what's "wrong" with non-nerds is that they're used to the Real-World "security model". The real world doesn't work like computers do.

In the real world, you don't have to have an absolutely-unbreakable titanium-plated vault door to your house, nor bullet proof windows. If anyone wanted to hack your front door down, it's worth a maximum 5 minutes with an axe.

Real world locks also aren't supposed to be unbreakable. Au contraire. By computer security standards, they're a catastrophe. Most allow 1-pin-at-a-time attacks, which in computer security is the worst anti-pattern. Locks with master keys allow easy escalation of privileges too.

It's all documented vulnerabilities (or exploits) and they've been known for ages, and never fixed.

But they work IRL anyway. Yes, any kid could lockpick your front door, or hack it down, or just throw a brick through the window to get in. But people still use locks, doors and windows.

Why? Because the IRL (In Real Life) you don't live in a lawless no-man's-land where any kiddie with a lockpick is l33t and free to pick your lock. IRL your real defense isn't the lock, but the law.

The lock or the door just markers. They just say "you're not supposed to be past this point uninvited, and if we find you inside, we'll throw your sorry ass in state jail."

(If you're a die-hard gun fanatic, feel free to replace by "if I find you in, you'll get a gut full of buckshot." Same idea: there'll be repercursions. The door just marks the point beyond which the thief is not supposed to go, not _the_ deterrent itself.)

And people instinctively expect the same kind of rights and protection to apply to the online world too. "This is my computer, you're not supposed to be on it. Your playzone ends at the ISP, and this side is my private property."

Unrealistic expectation? Maybe. But it exists nevertheless.

Unreasonable expectation? Not at all.

You should think about what he says about locks and doors, too.

2004 Nov 11 [ Thu ]

Slashdot discussion on how to choose your domain registrar

Many companies which provide internet domain registration are amazingly unethical. Many have claimed that Network Solutions has been one of them, so you can't go with the big name. But about the *worst* thing you can do is allow your web hosting vendor to handle the registration for you: they will almost always hold your domain name hostage if you try to transfer to another hosting vendor.

Slashdot discussion on that and many other issues: yro.slashdot.org [http://yro.slashdot.org/article.pl?sid=04/11/10/0425218]

2004 Oct 09 [ Sat ]

Google pages reveal interesting trick for preventing printing

Google has a new service which displays only a few pages from commercially-available books, with the intention of allowing you to verify that the book is relevant for what you need, while still giving you a reason to pay for the full copy.

Slashdot had a discussion about how Google managed to defend the image of even the individual pages from being copied or printed (since otherwise people might download multiple pages until the entire book can be assembled).

In conclusion:

1. The page is downloaded as a lowish-resolution .gif, so it probably is difficult to OCR.

2. The page is set to timeout rapidly (instantaneously?) in your browser cache.

3. In a trick that does not require that the user is running Javascript on his browser, they send .css which includes a special "format" for "print media" which obliterates the text (image):

Re:That explains those mysterious hirings (Score:5, Interesting) by Karma Farmer (595141) on Friday October 08, @04:58PM (#10474297) slashdot.org [http://slashdot.org/comments.pl?sid=124900&cid=10474297]

The haven't even added the half dozen extra spoilers. The complete DRM can be boiled down to eight lines of very, very simple HTML, including the CSS you've hinted at above:

<style type="text/css" media="print"> .hidden { display:none; }
</style>
<div class="hidden">
        <div style='background-image:url("xttp://print.google.com/pageimage.gif")'>
                <img src="clear.gif" width=575 height=752>
        </div>
</div>

It's a cool technique. But I can't imagine how hundreds of people on slashdot can look at this without more than half a dozen knowing how it's done.

I've changed http to xttp above to avoid having the code display as a link.

Incidentally, if I understood the discussion the term "background-image" above is misleading. The element with this name is actually the desired .gif showing the page of book text.

If you are running Unix, you can use the "lynx" browser and a little shell programming to grab the wanted .gif (claims the poster):

Re:Security issue? (Score:2) by dspeyer (531333) on Friday October 08, @04:56PM (#10474283) ( Last Journal: Monday July 07, @06:29PM ) slashdot.org [http://slashdot.org/comments.pl?sid=124900&cid=10474283]

Except that you don't actually lose control. They just make things a little inconvenient. The images are shown in the background, and browsers aren't used to dealing with them.

If you want to download the images, copy the URL from the address bar and enter these commands:

URL='url from addressbar'
IMGURL=`lynx  – source "$URL" | tr '<>' '\n'| \
 grep background-image:url | sed 's/.*url..//g' | \
 sed 's/..;background-repeat.*//g' | tail -n 1`
lynx  – source "$IMGURL" > `echo $i | tr -c '[A-Za-z]' '_'` 

You may wish to rename it to something reasonable. This also doesn't help you download entire books, because the naming of pages is not obvious at all, but if you have an OCR system, you might be able to use it as part of a spider.

Google didn't call it DRM, and there is no encryption at all, so I think this post is legal in the US. IANAL; read at your own risk.

2004 Oct 07 [ Thu ]

New feature at Google: Google Sets

labs.google.com [http://labs.google.com/sets]

This is an experimental feature at Google: you get a screen which allows you to enter 4 separate items, and then Google tries to figure out the other members of the same set.

I tried it with 3 titles of SF books by Philip K. Dick, and it worked stunningly well, bringing up an excellent list of some of his other titles. I tried it with some other lists and it failed totally: eg "Glock, AK47, Tokarev". Anyway, interesting concept.

2004 Oct 01 [ Fri ]

Slashdot page wioth many links to .css info

books.slashdot.org [http://books.slashdot.org/comments.pl?sid=123868]

2004 Sep 29 [ Wed ]

What *does* "Ducky" mean in jpgs?

Previous article: www.panix.com [http://www.panix.com/~dannyw/weblog/Computers/Internet/embedjpginfo01.html]

I tried again to find out what Ducky means. I got a little farther, but it seems the answer is "nobody knows".

To recap, all jpg files can include some metadata in a header area before the actual compressed image bytes. Using a hex editor, I saw the text string "Ducky" and wondered what it meant.

Here is a page from someone who tried to check out what the various "segments" of the jpg header do: www.ozhiker.com [http://www.ozhiker.com/electronics/pjmt/jpeg_info/app_segments.html]

He lists "Ducky" but for "format defined in" he has "Unknown".

I found very few relevant hits for Ducky and reasonable search terms. The main definition for JFIF is here: www.w3.org [http://www.w3.org/Graphics/JPEG/jfif3.pdf] but it merely describes how arbitrary segments can be added to the header and has nothing specific about "Ducky" (and indeed one gets the impression that the "ozhiker.com" website would have found the info here if it had been).

I looked quickly through the man pages for various utilities:

> rdjpgcom -v test1.jpg

APP12 contains:

Ducky\000\001\000\004\000\000\000\036\000\002\000B\000\000\000\037\000M\000I\000N\000O\000L\000T\000A\000 \000D\000I\000G\000I\000T\000A\000L\000 \000C\000A\000M\000E\000R\000A\000 \000 \000 \000 \000 \000 \000 \000 \000 \000\000

> jpegtran -copy none test1.jpg > test2.jpg

> rdjpgcom -vv test2.jpg

[no contents]

So apparently the jpegtran program does indeed snip out the comments: Ducky is completely gone. (I used the -vv switch in the second run of rdjpgcom to see if there was any extra info: all it did was print out a help message, showing no comments at all.)

The "Ducky" segment, in this case, appears to just contain a string identifying the brand of my camera. The hex 036 may be just a byte count.

I am a little surprised that no EXIF info was found. Perhaps it had been zeroed out when I photoshopped it. Worse, using the Unix "strings" utility was enough to show the string "Adobe", which was absent from the output of rdjpgcom for test1.jpg. However, "strings" did not show "Adobe" for test2.jpg, so apparently jpegtran worked. Hmmm.

Incidentally, it occurred to me that Google could easily parse a jpg file to search for these header strings, so you could find all pictures of George Bush with EXIF Orientation=1 and EXIF Resolution > 480x640, for instance. But I just checked Google's Advanced Search info pages and there's nothing about that.

I was vaguely afraid of this sort of issue as soon as I heard about EXIF data. That, allied with laziness, is why I never tagged my own pictures with useful comments like "South Thailand, Meeting discuss Al Qaeda money transfers, Osama".

Readable webpage about the issue of hidden data in Microsoft Word files (f33r me!): www.computer.org [http://www.computer.org/security/v2n2/byers.htm]

2004 Sep 28 [ Tue ]

Dealing with embedded comments in JPG files

There has been a great deal of commotion about the recent release of an exploit which allows a hacker to create a .jpg file which allows him to take over any Windows computer: www.easynews.com [http://www.easynews.com/virus.html]

It reminded me that the .jpg format is actually quite complex and can include various metadata, such as the EXIF text data fields which contain data on the original exposure supplied by a digital camera.

This actually bothers me a little. When I looked at a .jpg in a binary editor I thought "who is this "Ducky" guy and what is he doing in my .jpg?".

Here are some links I found in Google for utilities to display this data:

Exifcom: johnst.org [http://johnst.org/sw/exiftags/exifcom.1.html]

PhotoStudio (a GUI utility with many metadata features): www.stuffware.co.uk [http://www.stuffware.co.uk/photostudio/photostudio-docs.html]

Andrews Gregory's Digicam page (led me to jpegtran): www.scss.com.au [http://www.scss.com.au/family/andrew/camera/]

Sourceforge comment thread. It refers to various options for processing image headers, including jhead, Image::Info and Image::IPTCInfo: sourceforge.net [http://sourceforge.net/mailarchive/forum.php?forum_id=5790&max_rows=25&style=nested&viewmonth=200306]

Here's a page with info about jpegtran. It appears to be a utility from the JPEG group itself and normally provided with Unix/Linux installations: ou800doc.caldera.com [http://ou800doc.caldera.com/en/jpeg/usage.txt]

I was particularly interested in the following lines:

jpegtran also recognizes these switches that control what to do with "extra"
markers, such as comment blocks:
	-copy none	Copy no extra markers from source file.  This setting
			suppresses all comments and other excess baggage
			present in the source file.

Both djpeg and jpegtran are installed at Panix.

Here's the "TKAlbum" album webpage creator utility. The docs have some readable little comments about what other utilities like jpegtran are good for: nebel.gmxhome.de [http://nebel.gmxhome.de/tkalbum/README.html]

2004 Sep 26 [ Sun ]

dyndns.org and getting DNS service on a small website

It has been bothering me lately that my weblog URL is so hard to remember, so I may set up some sort of DNS for a nice short URL (or at least short: the nice *and* short URLs are probably all taken. I will probably get something like "r4506.com".)

This Slashdot discussion had various ideas: ask.slashdot.org [http://ask.slashdot.org/article.pl?sid=04/09/26/0019202]

Apparently dnyndns.org has a feature which allows me to redirect to my ".../~dannyw/weblog/" type target: "webhop": www.dyndns.org [http://www.dyndns.org/services/webhop/]

I also liked this neat oneliner:

ZoneEdit has free dynamic DNS (for up to 5 domains).

Great thing is, it doesn't need a client. A simple wget works:

wget -O - – http-user=username – http-passwd=password 'dynamic.zoneedit.com [http://dynamic.zoneedit.com/auth/dynamic.html?hos] t=www.mydomain.com'

2004 Sep 24 [ Fri ]

Browsing using the Unix "links" text-window browser

I have used the "lynx" text-window browser for many years. It works on a surprising range of webpages, but is a little clumsy to use on large pages with many links: it's hard to navigate to the one you want (unless you enjoy pressing the tab key exactly 112 times).

Today I was unable to access Slashdot using a regular browser from my webcafe for some reason – Slashdot did not return an informative error page, or anything else. So I started using lynx to check whether Slashdot was accessible. (I used Putty to access my command-line interface at panix.)

As it happened, one poster mentioned using the "links" program. I tried it and it was very satisfactory for browsing Slashdot.

1. It understands mouseclicks so you can easily click on links. This worked immediately for me: I didn't need to change anything in my Putty setup.

2. My default text screen size is too small for Slashdot. I needed to change it to 60 lines at 9 points (on a 1024 x 768 display).

3. There is a top level menu bar which you can bring up by pressing Esc (hmmm...) and has a comforting Windows-esque selection of functions. Arrow keys are supported (except right-arrow seems to go to the next top-level menu item on the right, instead of going deeper into a top-level menu).

4. I have a habit of right-clicking multiple Slashdot pages at the outset and minimizing them, so that they all load in the background. I did not find a similar feature in "links", but it did not seem very necessary: just clicking on a link brought up the text of the first text page fairly fast. Doing a "back" (you have to use the "z" key, not the backspace key, and watch out in case the cursor happens to be in a text input window) seems quite fast: presumably it's caching somewhere.

2004 Sep 14 [ Tue ]

Why network switches don't defend the network from sniffing attacks

I was already aware of this issue, but Slashdot gave me a link to a very nice explanation of the weaknesses in network switches:

www.sans.org [http://www.sans.org/resources/idfaq/switched_network.php]

2004 Jul 30 [ Fri ]

How to make an IE-free Windows 2000

I've suggested ways to set up an internet cafe before, but a recent Slashdot posting made me think about a new way.

Users are certainly going to grumble if you don't give them certain applications available only for Windows: IM, YM, Excel, etc. But IE is a huge security risk, and it's hard to prevent access to it. And of course it gets installed with everything else, and Microsoft's install process gives you no option to avoid it.

I would have said it wasn't possible, but there is a site with instructions for creating a W2000 install CD which will create a version of Windows where IE *has never been* installed. Apparently it still works with Windows Update etc. home.earthlink.net [http://home.earthlink.net/~vorck/]

Subsequently, of course, you can install Mozilla, or Firefox, or whatever.

His page includes a lot of links for similar purposes: for instance, code to remove IE from existing installs.

2004 Jul 24 [ Sat ]

Microsoft broke TCP/IP standards: faster for Microsoft, slower for others

This is old news, but I wanted to have a link to it, so now I've found a good link I'm putting it here.

You might think this belongs in the Opsystems/Microsoft folder, but the main effect is actually when a non-Microsoft browser or server is involved; also it's a TCP/IP thing, which is pretty fundamental.

Basically, Microsoft's TCP/IP stack omits some of the normal handshaking, and its webserver is set up to handle it, and actually get an increase in speed. But if a non-Microsoft client tries to access a MS server, or vice versa, there is a slowdown: MS designed their trick so it would work (so you don't realize their implementation is at fault), but only after a timeout. Pretty sneaky, huh?

Details: grotto11.com [http://grotto11.com/blog/slash.html?+1039831658]

I found this page, as usual, via Slashdot, and apparently the link from Slashdot overloaded his site, so he put in a special redirect. If he takes down the redirect, you may need