Monday, December 27, 2010

Amazon MP3 Downloader

I get the feeling that
(a) Amazon cares little about Linux, and
(b) the Amazon MP3 downloader was done by very inexperienced or very poor developers.

Linux is a very small sliver of the market, so (a) is unsurprising.

My reason for casting stones at their developer is that the downloader does not work with 64b CPUs and now when I try to install it on a 32b Ubuntu 10.10 I get the message Dependency is not satisfiable: libboost-filesystem1.34.1. After installing version 1.42.0 of the libboost filesystem, I still get the error message. This strongly suggests that someone coded the dependency checks for only one version of the library, or wrote the code not considering the possibility that newer versions would be backward compatible.

I like Amazon, though I am done dealing with Amazon Sellers. Tonight Amazon had me thinking I might have to go elsewhere for MP3 downloads. However, a little googling and then a moment in the Ubuntu Software Center led to clamz. It appears there are a few other tools to do this, but clamz is the only one I see as an officially-supported Ubuntu package. And it works (or at least on the one album I pointed it at tonight).

I prefer using clamz over the Amazon downloader, because it's less closed software on my machine. Clamz likely does it's job, and nothing more. The Amazon downloader, for those lucky enough to have a system it works on, has always been an unknown factor--it downloads MP3s, but does it do something else? Probably not, but one never knows.

As an aside, the MP3s that I downloaded tonight do not have the same identifying information as the ones I wrote about last week. It may be obfuscated, encrypted, or just not present.

Saturday, December 25, 2010

Personal Information in Amazon MP3 Files

A few days ago I wrote about Amazon placing personally-identifiable information within MP3 files. Here is an example, from near the beginning of an MP3 downloaded recently.

<?xml version="1.0" encoding="UTF-8"?>
<uits:UITS xmlns:uits="http://www.udirector.net/schemas/2009/uits/1.1" 
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <metadata>
    <nonce>Yvjd12Il</nonce>
    <Distributor>Amazon.com</Distributor>
    <Time>2010-10-24T04:41:17Z</Time>
    <ProductID 
       type="UPC" 
       completed="true">
      10731458698620
    </ProductID>
    <AssetID 
       type="ISRC">GBAAN0200016
    </AssetID>
    <TID version="1">
      plaIo2V1UdVjRvVYo2vBICme1kF4PYav
    </TID>
    <UID version="1"> MY USERID HERE </UID>
    <Media algorithm="SHA256">
      4fda5179408e867619d5321b804fd1d16cb1ffd4f3d3485b48c241f803444897
    </Media>
  </metadata>
  <signature 
     algorithm="DSA2048" 
     canonicalization="none" 
     keyID="9b3a698acfcfea37b486aba46bdfb50c92b8f7fe">MC4CFQCLUjy5GJIaXROMGuef/iTBI3ADngIVAI1ZVWo9+IA6FAVXQ5feBVbi3yH6
  </signature>
</uits:UITS>

I've done a little reformatting, replaced my user I.D. with a placeholder, and modified some hashes and keys, but you can easily get the basic idea. My advice is to be reluctant to share these files, or to strip the XML at the beginning.

This is a fairly recent change for Amazon. This information is not present in a song I downloaded from Amazon in August.

Friday, December 24, 2010

Migrating UMBC E-mail to Gmail

Some months ago UMBC began migrating e-mail to the Google cloud. This migration has been voluntary, but everyone will be moved over in January. I like Gmail, and considered moving some months ago, but decided not to because it was unclear whether there would be a solid wall (psychologically as well as logically) between my personal Gmail account and my UMBC Gmail account. This will not be an issue for a number of reasons:

(1) The accounts are separate, one reached via mail.google.com and the other via gmail.umbc.edu. I can reach both via the traditional mail.google.com URL, but with two different user names. I plan to explicitly go via (and link to) the gmail.umbc.edu address.

(2) I usually use Chrome for Gmail, but use Firefox for UMBC (myUMBC) services. Firefox add-ons allow me to selectively turn off undesired scripting within myUMBC and Chrome does not display PeopleSoft slop properly (I suspect it really does, however, and that PeopleSoft is simply not following web standards, but this is something for future investigation). So I will continue to use Chrome for personal Gmail, and will use Firefox for UMBC mail.

(3) I use different themes for the two Gmail services, and so my work and my personal screens look very different.

(4) The UMBC Gmail has "myUMBC" prominently displayed in the upper left.

(5) If all of that is not enough, I can simply return to an IMAP client for UMBC e-mail and continue to use the browser for personal Gmail.

The one drawback I have seen in my initial look is that Google says it may take several days for my old e-mail to migrate to Google. Since I have switched, I can no longer access UMBC Squirrel mail, and so none of my old e-mail folders are currently available via the web. Since grades are due in a couple weeks, this could become sufficient motivation to temporarily configure an IMAP client on my laptop. However, I do not foresee much inconvenience here except possibly delaying my grading of assignments submitted via e-mail.

I do suspect there is still a way into squirrel mail, but do not plan to spend any time finding the way.

Wednesday, December 22, 2010

Need to Write My Own

MP3 files purchased from Amazon have identifying information within them, likely to catch, if not to actually deter, file sharing. At the beginning of the file is some XML including time and date downloaded, the Amazon user ID, a nonce, the distributer (Amazon.com in this case), and a digital signature (presumably so modification will be detected). Easytag does not display any of this XML data.

My intention was to place an excerpt here, but formatting XML within Blogger is more trouble than it's worth. Just view an MP3 from Amazon within an editor, e.g., emacs.

The upshot is that, since easytag doesn't display these tags, I'll have to write my own filter to do such.

Alta Vista to Shut Down, but Apparently not Babel Fish

PC World has a brief article announcing the end of Alta Vista, the best search engine before Google, and in the author's opinion (and mine) the second best search engine to date. I would let this pass without comment, as one of the last vestiges of DEC going away, but I read a (likely false) report that Yahoo will also be shutting down Babel Fish, which is a fairly good, convenient, translation service. I guess would be partly to blame here: just as I stopped using Alta Vista when Google came along, I've been gravitating toward Google Language Tools rather than Babel Fish lately.

However, the second page a Google news search led me to as I tried to ascertain the fate of Babel Fish says it has been spared for now.

Tuesday, December 21, 2010

Google Web History: Beware

I deleted and paused my Google Web History some time back, thinking that meant Google would stop collecting "my" web history. This morning I was changing some Google account settings and clicked on Web History. They had started maintaining web history for me again. So I again had to delete everything and "pause" my web history. Apparently pause does mean pause, and Google pops the account off pause willy-nilly, or by some algorithm known to them, but not to their users.

The thing to do is to remove the web history. From Google Account Help:

Using Web History: Deleting
You can delete Web History from your Google Account at any time. Just follow these steps:

Click the My Account link from the Google homepage.
Click Edit next to 'My products.'
Click Delete Web History. Make sure you're signed in to your Google Account to see the My Account link.
Note: Deleting Web History from your Google Account will erase all items from your Web History and stop your Web History from being recorded in the future. You can also remove individual items without deleting all of your Web History.

Sunday, December 19, 2010

Xfce? No, I don't Think So

I just checked the xfce site to see if their documentation situation has improved. They seem to be preparing the 4.8 release, with 4.6 in use, but the documentation is 4.2,. No way I'm going back to that--it appears to be run by a bunch of coders with no interest in the user. Thus, xfce developers, IMHO, are developing for themselves, but not for the wider Linux community. There's nothing wrong with that, but I think things like Xubuntu should be discontinued until someone thinks xfce is worth documenting.

Quick Note on Address Bar Auto-Completion

Firefox and Opera, by default, have a search field (it's a text field but Firefox calls it the search bar) to the right of the address bar. I've removed mine--it's redundant and cumbersome (or so I thought, but see point 3 below), and an information leak.

I often have students in my office for advising and typically go over their online records. This means they look at my web browser. This also means they can read titles of tabs (fine, so be it) and contents of the search bar. I'd hate to have a student read too much into the fact that I've recently searched for Shaun Cassidy. So in my office I removed the search bar and just open a new tab (^t) and hit the g key. This takes me immediately to Google.

(1) Most of my searches are Google searches. I played with Bing when it first came out, but Bing's results don't seems as good, and Bing seems to use a fair amount of client-side scripting, which I'd rather avoid. Google does too, but they already know everything about me.

(2) I may sometimes prefer a Wikipedia search or some such, but very often the appropriate Wikipedia page is near the top of the search results, so Wikipedia search is redundant.

(3) Doing a quick lookup for this posting led me to http://www.mozilla.com/en-US/firefox/search.html, which points out that one can select text and drag it to the search bar, which seems to work well. So my search bar is, at least temporarily, back in my Firefox window on most of my machines--just not the one in my office.

Arvind Goes to Washington

Arvind Narayanan (no, not that Arvind) just served on a 'Do Not Track' panel in DC, and writes intelligently about his experiences, e.g., on how the system in DC is not as effective as one might hope. Rather than paraphrase or summarize, I'll just point to the original article.

Blackboard 9 Usability and Security

It turns out that Firefox users can improve their browsing experiences within Blackboard and keep their local data a bit safer through the use of the AdBlock Plus extension.

A problem I've had for awhile--predating Blackboard 9--is that when editing content within a Blackboard text area, Blackboard pops up a requester asking me to give some piece of Java code complete access to my PC. Of course I always say no. However, Firefox and Chrome seem unable to remember this, though Opera can be instructed to always block such a request from a particular site. Firefox is happy to allow one to always trust signed content from a provider, but not to always distrust. Strange.

Anyhow, these two AdBlock Plus rules block the annoying content from UMBC's Blackboard installation:

|http://blackboard.umbc.edu/webapps/blackboard/content/webeq3.editor.InputControl
|http://blackboard.umbc.edu/webapps/blackboard/execute/webeq3.editor.InputControl

It appears that Blackboard wants access to all the data and applications on my PC on the off chance that I might want to run an equation editor. I'll go out on a limb, having never tried webeq3, and say I have better equation editing tools on my machine.

Avoiding the Worst of myUMBC

I was in a meeting a couple weeks ago, and the person doing a presentation made an offhand comment about having to click through "the useless myUMBC crap." A man after my own heart. He was talking about the media-heavy, irrelevancy-filled page at my.umbc.edu.

I avoid that page most days. Firefox, Chrome, and Opera begin showing possibly-relevant pages as soon as the user begins typing in the address bar (a much more useful use of auto-completion than one can find in office applications). IE probably does this as well. If I need access to web-based functionality hidden behind the dysfunctionality of myUMBC, I just start typing the word 'faculty' into the address bar. Usually the 'f' is sufficient to get me to the myUMBC faculty center, bypassing most of the garbage. Speaking of garbage, though, PeopleSoft is directly accessible from the faculty center, but that's another issue.

Ubuntu 10.10 Day 0

Yesterday I installed Ubuntu 10.10 on my laptop, and have a couple quick encryption-related comments.

I installed from the alternate install image. The standard image does not include encrypted LVM. It does, however, allow one to encrypt user home directories. Is this good enough? No.

(1) In Ubuntu, encrypting a user's home directory fails to protect users who lose their passwords. This could happen a number of ways. It happened to me once via shoulder surfing. Many people use the same password for multiple services--a bad idea. The user password and encryption pass phrase should be distinct.

(2) Users tend to use weak passwords. Hopefully they choose better pass phrases.

(3) With just the home directory encrypted, swap is in the clear. This is a well-known leak and part of why secure software generally overwrites passwords and keys in memory as soon as they are no longer needed. Garbage collection is not good enough for keys. In general any data could show up in swap, and so swap should be encrypted.

Friday, December 17, 2010

The WikiLeaks Furor

There has been an uproar about WikiLeaks in the press lately, and until recently I've felt that Wikileaks has done more good than bad, pointing out cases where the US (and other) governments have lied to their populaces, condoned torture, etc. I won't go into the ethics of the current batch of releases because there is simply too much to review, but I would like to make a few comments.

1) http://news.netcraft.com/ has been doing a great job of covering the back-and-forth of WikiLeaks availability, changes in their hosting and DNS services, etc.

2) Tonight I decided to spend a few minutes looking at the site. Among other things, I was interested in whether it would be difficult to get to. Two things worked right away. (a) Googling WikiLeaks led directly to 213.251.145.96 (registered to wikileaks.org in a block owned by OVH ISP in Paris), so the DNS is not necessarily needed. (b) Verizon's DNS service redirected me to http://mirror.wikileaks.info/, but some of the links at that site, e.g., the one to obtain a secure connection, did not work.

3) Some of the calls for the US government to launch web attacks against WikiLeaks are largely over the top and naively stupid. I wouldn't be surprised to discover attempts to hack into their database or their servers, but the idea of launching DDoS attacks against ISPs and hosting services in the US, Europe, and elsewhere is just silly. The US launching cyber attacks against France and Russia? Not a good idea.

4) I read one leaked dispatch, http://213.251.145.96/cable/2009/08/09BRASILIA1017.html. This is tagged "UNCLASSIFIED//FOR OFFICIAL USE ONLY." One phrase I really like is advice to the USG (US Government, I suspect), "speak softly and carry no stick." The article talks about attempts to keep the Brazilian government from authorizing pharmaceuticals in Brazil to produce generic versions of AIDS drugs, in other words the bureaucratese seems to suggest that the US government is more interested in corporate profits than in dying Brazilians. Not a big surprise.

This is exactly the sort of thing US (and Brazilian) voters should be aware of, and also not the type of leak causing much of the uproar.