Using ISO CD Images with Windows – Burn.Now problems

When CD-R drives first turned up you needed special software to write anything – originally produced by Adaptec but they were soon overtaken by Nero, with NTI and Ulead having lower cost options. Now, when you get a PC it will usually come with one of the above bundled, and Microsoft has added the functionality to Windows since XP (for CD, if not DVD). This is not good news for the independent producers, but Microsoft’s offering doesn’t quite cut the mustard, so most people will want something better.

My new Lenovo PC came bundled with Corel Burn.Now. Corel recently bought the struggling Ulead, and this is fundamentally the same product as Ulead burn.now. Unfortunately Burn.Now is also pretty feeble – it just can’t do the basics.

To duplicate a CD you need to copy all the data on it. Pretty obvious really. If you’re not copying drive-to-drive it makes sense to copy the data to a .ISO image on your hard disk. You can then transfer it to another machine, back it up or whatever; and write it to a new blank disk later. Burn.Now will create a CD from an ISO image, but if you ask it to copy a disk it uses its own weird and whacky .ixb format. Some versions of Burn.Now gave you the choice, but not the new Corel. It’s .ixb or nothing. This matters, because whilst everyone can write .ISO files, only Burn.Now can write from .IXB format.

Burn.Now is crippled. What about Microsoft’s current built-in options? You can actually write an ISO image using Windows 7 – just right-click on the file and select “Burn disc image”. Unfortunately there is no way to create such a file with Windows. To do this you need to add Alex Feinman’s excellent ISO Recorder, which basically does the opposite: Right-click on the CD drive and select Create Image from CD/DVD.

Unfortunately ISO Recorder doesn’t read all disks – it won’t handle Red Book for a start. This is a bit of a limitation – was its author, Mr Feinman, concerned about music piracy? Given Windows Media Player can clone everything on an Audio CD without difficulty, his conscientious efforts won’t make a lot of difference.

So – Windows is its usual painful self. If you just want to simply create an image of a CD or DVD with no bells and whistles, go to UNIX where it’s been “built in” since the 1980’s (when CD-ROMs first appeared). Just use the original “dd” command:


# dd if=/dev/acd0 of=my-file-name.iso bs=2048

An ISO file is simply a straight copy of the data on the disk, so this will create one for you. You can write it back using:

# burncd -f /dev/acd0 data my-file-name.iso fixate
Or
# cdrecord dev=1,2,3 my-file-name.iso

Burncd is built in to FreeBSD (and Linux, IIRC), but only works with ATAPI drives. In the example it assumes the CD recorder is on /dev/acd0 (actually the default).

Cdrecord works with non-ATAPI drives too, but has to be built from ports on FreeBSD and for other platforms it’s available here – along with lots of other good stuff. The example assumes the device is 1,2,3 – which is unlikely! Run cdrecord -scanbus to locate the parameters for your drive.
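A way to check that the image really is a straight copy of the disc, added here as an example that is not part of the original post. It assumes a FreeBSD-style /dev/acd0 device path, and its demo uses a constructed file in place of a drive so that it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original post: image a disc with dd exactly as
# above, then verify the image against the drive. Verification reads back only
# as many 2048-byte sectors as the image holds, because reading past the end of
# a CD's data area often fails. The device path is an assumption: /dev/acd0 is
# FreeBSD's ATAPI CD device; on Linux it is usually /dev/sr0.
SECTOR=2048

# image_disc DEVICE IMAGE: a straight copy, one CD sector per block.
image_disc() {
    dd if="$1" of="$2" bs=$SECTOR 2>/dev/null
}

# image_sectors IMAGE: prints the sector count; fails if the file size is not a
# whole number of sectors (a truncated copy, or not a disc image at all).
image_sectors() {
    size=$(wc -c < "$1")
    if [ $((size % SECTOR)) -ne 0 ]; then
        echo "$1: size is not a multiple of $SECTOR bytes" >&2
        return 1
    fi
    echo $((size / SECTOR))
}

# is_iso9660 IMAGE: true if sector 16 carries the ISO 9660 volume descriptor
# identifier "CD001" at byte 1. Audio (Red Book) discs have no such structure.
is_iso9660() {
    [ "$(dd if="$1" bs=1 skip=$((16 * SECTOR + 1)) count=5 2>/dev/null)" = CD001 ]
}

# verify_image DEVICE IMAGE: 0 if the first N sectors of DEVICE match IMAGE.
# cksum is used because it is POSIX; use sha256/sha256sum for a strong hash.
verify_image() {
    n=$(image_sectors "$2") || return 1
    want=$(cksum < "$2" | awk '{ print $1, $2 }')
    got=$(dd if="$1" bs=$SECTOR count="$n" 2>/dev/null | cksum | awk '{ print $1, $2 }')
    [ "$want" = "$got" ]
}

# Stand-alone demo on a constructed "disc": a 20-sector random file with a fake
# volume descriptor stands in for /dev/acd0. With real hardware the calls are:
#   image_disc /dev/acd0 my-file-name.iso && verify_image /dev/acd0 my-file-name.iso
demo() {
    disc=$(mktemp); img=$(mktemp)
    dd if=/dev/urandom of="$disc" bs=$SECTOR count=20 2>/dev/null
    printf '\001CD001' | dd of="$disc" bs=1 seek=$((16 * SECTOR)) conv=notrunc 2>/dev/null
    image_disc "$disc" "$img"
    if verify_image "$disc" "$img" && is_iso9660 "$img"; then
        echo "image matches disc: $(image_sectors "$img") sectors, ISO 9660 volume"
    else
        echo "image does not match disc" >&2
    fi
    rm -f "$disc" "$img"
}
demo
```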

Once you have your ISO file, of course, you could use Windows to write it. The choice depends on whether you have strongly held views on whether Windows is a worthy desktop operating system. Corel Burn.Now is, however, a long way from being a worthy CD/DVD writing utility.

Samsung’s (Pyrrhic) Victory in Galaxy vs Apple iPad Case

British judge Colin Birss has struck a blow for the rest of the world against Apple’s litigious tendencies towards anyone and everything their lawyers decide has enough money to sue. Apparently, the 9th July ruling (Samsung Electronics (UK) Limited & Anr v. Apple Inc., High Court of Justice, Chancery Division, HC11C03050) requires Apple to put a notice on its UK website and take out advertisements in a large selection of newspapers and magazines stating that Samsung’s Galaxy tablets are not a copy of Apple’s iPad, contrary to what Apple has been claiming in court. Apple is, apparently, appealing.

Samsung Galaxy Beam
Samsung Galaxy handset – not like an iPad

As part of the ruling, the judge said that Samsung’s offering was “not as cool” as an iPad. Although I’m at a loss as to what the legal definition of “cool” might be, it’s clearly relevant in a non-legal sense. iPads are “cool” as far as the fanbois are concerned, and unreliable yuppy status-symbols for the rest of us. If we want a tablet for any reason we’ll base the decision on price and support, not brand image.

iPad - too cool to be a Galaxy
The Apple iPad is much cooler than the Samsung Galaxy. Apparently.

So – the judge is telling Apple it must tell the world that the Galaxy isn’t a clone of the iPad. Surely Apple’s problem is potential customers lusting after an iPad but then opting for a cheaper Samsung alternative. That the Galaxy is not the same as a cut-price iPad should be something Apple shouts from the rooftops anyway. All their current rhetoric, that the Galaxy is an iPad clone, is playing into Samsung’s hands.

Lunar Lander (LEM) – original BASIC/FOCAL version

One of the most popular games of the late 1970’s was Lunar Lander (also known as Rocket, LEM, Apollo and what-have-you). The general idea was always to land a Lunar Excursion Module (LEM) on the surface of the moon (or other planet) by adjusting the burn rate of retro-rockets in order to control deceleration and effect a nice soft touchdown.

The version presented here uses a set of calculations based on a program called LUNAR written by Jim Storer for the PDP-8 while a student at Lexington High School in the USA in 1969. It was converted from the original FOCAL into BASIC by Dave Ahl (then publisher of Creative Computing magazine) in late 1973.

As far as I can tell, I have disentangled the calculations well enough to preserve the original’s look-and-feel, though it required a complete re-write for Java (which does not support the GOTO statement for program logic flow control). I couldn’t say that the calculations are accurate to life, but a good attempt at realism was made in the original. If anyone from NASA would care to comment please drop me a note.


You will need to click on the window in order to use the keyboard.

Heath User Group Camel Game (Creative Computing)

This is the Camel game written in the late 1970’s by the Heath User Group and published in Creative Computing. The original is in BASIC – this is a re-write in Java keeping as close to the original as possible.


You will need to click on the window in order to use the keyboard.

Dodgy “bulk email” operators

I’m forever receiving emails from “bulk email” companies that claim to be “opt-in” but are using addresses that are culled from elsewhere. The elsewhere basically means they’re not real email addresses and could not possibly have been the subject of an opt-in.

After replying to these with an unsubscribe request (on the assumption that they might be legitimate, but have accidentally purchased a dodgy list) I thought I’d list them here if the emails don’t stop.

If your name is on this list and you think you’re innocent and can prove it, it will, of course, be removed. If the mail header shows it’s coming from your server and you’ve ignored unsubscribe requests you can explain why. Your protestations will be published along with the other evidence, and Internet users can decide your innocence or guilt.

05th June 2012 Tech Users Centre, Inc. 60 Cannon St. London
05th June 2012 mynewsdesk.com
05th June 2012 Simply Media Network, LTD., 48 Charlotte St, London (aka Comunicado Limited 6/43 Bedford St)
03rd June 2012 panopticsi.com
02nd June 2012 Marketing Empire UK (websitedesigncity.co.uk)
01st June 2012 quickmailing.co.uk (Smilepod, 23 Rose Street, Covent Garden)
01st June 2012 Comunicado Limited 6/43 Bedford St
01st June 2012 domainmail (on behalf of Insured Health)
31st May 2012 National Training Resources Limited
31st May 2012 backbonemarketing.co.uk, backboneconnect.co.uk PO Box 4380 Tamworth.
31st May 2012 Comunicado Limited 6/43 Bedford
29th May 2012 Nuance Communications
25th May 2012 Comunicado Ltd, 6/43 Bedford Street
24th May 2012 Oxeta
24th May 2012 www.datadeals.co.uk
24th May 2012 Comunicado Limited
22nd May 2012 Accountingoffice.co.uk, 199 New Road, Skewen
16th May 2012 Consulmax (emaila-company.co.uk)
16th May 2012 domainmail (webdoctor.org)
11th April 2012 Easymailit.com

Panicky public gets scammer’s charter for cookie law

Are you worried about websites you visit using cookies? If so, you’re completely wrong; probably swept up in a tide of hysteria whipped up by concerned but technically ignorant campaigners. The Internet is full of such people, and the EU politicians have been pandering to them because politicians are a technically illiterate bunch too.

A cookie is a note that is stored by your web browser to recall some information you’ve entered into a web site. For example, it might contain (effectively) a list of things you’ve added to your shopping cart while browsing, or the login name you entered. Web sites need them to interact, otherwise they can’t track who you are from one page to another. (Well, there are alternatives, but they’re cumbersome.)

So what’s the big deal? Why is there a law coming in to force requiring you to give informed consent before using a web site that needs cookies? Complete pig-ignorance and hysteria from the politicians, that’s why.

There is actually a privacy issue with cookies – some advertisers that embed parts of their website in another can update their cookies on your machine to follow you from one web site to another. This is a bit sneaky, but the practice doesn’t require cookies specifically, although they do make it a lot easier. These are known as tracking cookies. However, this practice is not what the new law is about.

So, pretty much every small business with a web site created more than 12 months ago (when this was announced) or written by a “web developer” that probably didn’t even realise how their CMS used cookies, is illegal as from today. Probably including this one (which uses WordPress). Nonetheless, head of the ICO’s project on cookies, Dave Evans, is still “planning to use formal undertakings or enforcement notices to make sites take action”.

What’s actually going to happen is that scamming “web developers” will be contacting everyone offering to fix their illegal web sites for an exorbitant fee.

The ICO has realised the stupidity of its initial position and now allows “implied consent” – in other words if you continue to use a web site that uses cookies you will be considered to have consented to it. Again, this is a nonsense as the only possible problem cookies are tracking cookies, and these come from sources other than the web site you’re apparently looking at – e.g. from embedded adverts.

So – if you want to continue reading articles on this blog you must be educated enough to know what a cookie is and not mind about them. As an extra level of informed consent you must presumably agree that Dave Evans of the ICO and his whole department is an outrageous waste of tax-payers’ money. (In fairness to Dave Evans, he’s defending a daft EU law because that’s his job – it’s the system and not him, but he’s also paid to take the flak).

Claire Perry’s porn prohibition set to make politicians look foolish

The government is going to protect us from pornography on the Internet. Our children will at last be safe from depravity and corruption. Hurray! Claire Perry MP (Conservative) has accused Internet service providers of being complicit in exposing children to pornography and wants something done about it. Specifically she wants ISPs to filter the filth, unless a subscriber specifically wants to receive it. David Cameron has now jumped on her bandwagon, clearly without first checking to see which way it’s heading or whether the wheels are properly attached.

This isn’t going to be popular with the consumers and producers of Internet-delivered pornography, but that’s their problem. What worries me are the technical issues, and the consequences of trying to implement any form of censorship.

Let me make this clear: IT WON’T WORK. There is no technical solution available that can prevent porn from being transmitted over the Internet, and there never will be. It’s simply not possible for a computerised filter to tell the difference between porn and everything else, and it will become much harder if you give people a reason to avoid detection. About the best you can do is block known porn websites, and if the site promoters cooperate (i.e. keep them on fixed addresses) then you’re going to get a reasonable level of protection. And porn publishers, at present, are likely to cooperate. They’ve no interest in minors viewing their wares, because minors don’t have the credit cards to pay for it. And besides, it’s a multi-million pound industry which includes many serious people with children of their own and similar concerns to the rest of us.

However, as soon as you start blocking these sites at ISP level, porn publishers will have to change tactics, as they’ll want to evade such draconian filtering. Legitimate producers will suffer; the vacuum will be filled by others underground, joining the leagues of the cyber-criminals, operating from agile addresses on servers operating outside jurisdictions that care. Claire Perry’s bright idea won’t work. It’s not better than nothing; it’s worse.

The porn operators would disguise their sites to avoid the filter, and in order that customers might find them, spam everyone using every means possible as they did in the late 1990’s. Right now you need to go looking to find it – a simple Google search away. If Perry gets her way it’ll be delivered to everyone’s Inbox, Facebook page, Skype and every other instant messaging technology you can think of. It’ll be encrypted and impossible to filter. It’ll be indiscriminate; kids will receive it too. If such a law was enforced, all encrypted content would have to be blocked as there is no way of telling what it is. This means farewell to Skype, secure connections to your bank, private email, working from home on a VPN… Okay, it’s not realistic as well as being unenforceable.

The Internet dealt with issues similar to this twenty years ago, before the politicians were involved, but if the technicalities aren’t for you (as they aren’t for Perry and Cameron), there are plenty of other parallels. Society’s attempts to ban bad things that some people still want always seem to make things worse. I need hardly mention prostitution, drugs and alcohol, but I will. Making drugs illegal when so many people want to use them has simply improved the margins for the suppliers. Where there’s money to be made, people will find ways to smuggle drugs; and if the whole business is illegal then it’s certainly going to be completely unregulated. And it’s not a lack of resources and commitment. If we can’t stop people supplying drugs to inmates of high-security prisons we stand no chance of banning drugs anywhere else.

Similarly, it’s folly to attempt to ban pornography transmission on the Internet. There is no way to do this technically, and any attempt that simply makes it more difficult will give the criminals a huge advantage over the legitimate publishers, making regulation impossible.

The government is allowing crazy headlines out about this consultation and what they’re going to do. No doubt they’ll be consulting with child psychologists, women’s rights campaigns, children’s charities and a few suits from big business ISPs. Why don’t they consult the right people first – computer scientists? Ask the most important question: “Is it possible?” Committees can spend as much time as they like navel-gazing on the moral and policy issues, but that’s not going to change anything if it can’t be implemented. It’s just going to make them look stupid.


What is all this Zune comment spam about?

People running popular blogs are often targeted by comment spammers – this blog gets hit with at least 10,000 a year (and very useful for botnet research) – most of it is semi-literate drivel containing a link to some site being “promoted”. Idiots pay other idiots to do this because they believe it will increase their Google ranking. It doesn’t, but a fool and his money are soon parted and the comment spammers, although wasting everyone’s time, are at least receiving payment from the idiots of the second part.

But there’s a weird class of comment spam that’s been going for years which contains lucid, but repeated, “reviews” about something called a “Zune”. It turns out that this is a Microsoft MP3 player available in the USA. The spams contain a load of links, and I assume that the spammers are using proper English (well, American English) in an attempt to get around automated spam filters that can spot the broken language of the third-world spam gangs easily enough. But they do seem to concentrate on the Zune media player rather than other topics. Blocking them is easy: just block any comment with the word “Zune” in, as it doesn’t appear in normal English. Unless, of course, your blog is about media players available in the USA.

This really does beg the question: why are these spammers sticking to one subject with a readily identified filter signature? I’ve often wondered if they’re being paid by a Microsoft rival to ensure that the word “Zune” appears in every spam filter on the planet, thus ensuring that no “social media” exposure exists for the product. Or is this just a paranoid conspiracy theory?

An analysis of the sources shows that nearly all of this stuff is coming from dubious server hosting companies. A dubious hosting company is one that doesn’t know/care what its customers are doing, as evidenced by continued abuse and lack of response to complaints. There’s one in Melbourne (Telstra!) responsible for quite a bit of it, and very many in South Korea plus a smattering in Europe, all of which are “one-time” so presumably they’re taking complaints seriously even if they’re not vetting beforehand. It’s hard to be sure about the Koreans – there are a lot but there’s evidence they might be skipping from one hosting company to the other. Unusually for this kind of abuse there are very few in China and Eastern Europe, and only the odd DSL source. These people don’t seem to be making much use of botnets.

So, one wonders, what’s their game? Could it be they’re buying hosting space and appearing to behave themselves by posting reasonable-looking but irrelevant comments? Well any competent server operators could detect comment posting easily enough, but in the “cheap” end of the market they won’t have the time or even the minimal knowledge to do this.

I did wonder if they were using VPN endpoints for this, but as there’s no reverse-lookup in the vast majority of cases it’s unlikely to be any legitimate server.

Can’t get PuTTY and FreeBSD with OpenSSH to do a Certificate Login – Myths

Following yesterday’s post about issues getting “Server Refused Our Key” errors when trying to use PuTTY to log in to FreeBSD with a certificate, I thought I’d just lay to rest a few myths I’ve seen on various web sites where people have tried to explain how to do this. It’s easy to see how these myths develop – I’ve laboured for years under the misapprehension that I needed to do something or other when it was just a coincidence it had started working the first time the idea came to me. So here goes with a few of the myths. If you’re not getting this to work, it’s not for one of these reasons:

Myth: You need to specify 0600 permissions for the authorized_keys file (or the .ssh directory)

Simply not true. It may be a good idea to stop others from reading your keys, although they are “public” keys and won’t let anyone else in anyway (unless they have a suitable cracking tool and a lot of processing power – and I mean a lot). Only your private key needs to be a secret. The only stipulation is that they must only be writeable by the user – 0644 is okay, 0664 or 0666 isn’t.

But as I mentioned yesterday, you MUST ensure that your home directory is also not world-writable! You mustn’t have 0777 permissions! 0755 is okay, as is 0711. I’ve not seen this documented anywhere, but it’s true for FreeBSD 7.0 to 9.0.

Myth: OpenSSH requires the authorized_keys file to be owned by the user trying to log in

Again no – it simply doesn’t. It has to be readable to that user (not just root) – this may be because it’s world readable or group readable for the user in question. It might as well be owned by root:wheel as long as its Other read bit is set.

Myth: If you’re using SSH2, you need a file called authorized_keys2

This might be true on some installations, but not current ones! I’ve no reason to believe that this file would even be considered, never mind required. The file used is defined in the /etc/ssh/sshd_config, and on current versions of FreeBSD (7.0-9.0) it’s definitely authorized_keys.

Myth: You must generate the keys using the OpenSSH keygen utility on FreeBSD – puttygen doesn’t work

Well, there’s a bit of truth in this, but not much. Put simply, the format is different, but this only extends as far as the header and comment.

OpenSSH keys look like this:

ssh-rsa AAAAB3NzaC1y… very long line … sXi+fF noone@example.com

PuTTYGen Keys look like this:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "no one@example.com"
AAAAB3NzaC1y … long line, possibly with breaks … sXi+fF
---- END SSH2 PUBLIC KEY ----

You can convert one to the other using any text editor of your choice, as long as it handles long lines properly (like vi).

I can see there could be all sorts of fun and games if you simply cut/pasted these and ended up with extra line breaks, spaces or truncation – but the key data and its encoding is exactly the same, and that’s the bit that makes it work or not.

If you generate your key using OpenSSH tools you will need to load it into PuTTY Gen and write a Private .ppk key on your Windoze box. Or not. It’s just a text file and you could put the appropriate wrapper on it, but you might as well just use PuTTY Gen.
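To show that only the wrapper differs, here is an added converter between the two public key layouts above (example code, not from the original post). The key blob in it is a constructed placeholder whose header decodes to ssh-rsa, not a real key, and base64(1), awk(1) and fold(1) are assumed to be present.

```shell
#!/bin/sh
# Added example, not part of the original post: converts between the OpenSSH
# one-line layout and the RFC 4716 layout that PuTTYGen writes. The base64 blob
# is identical in both; only the wrapper and the comment placement differ.

# key_type_from_blob BLOB: the key type is the first length-prefixed string in
# the decoded blob (e.g. "ssh-rsa"), so it can be recovered from the data itself.
key_type_from_blob() {
    printf '%s' "$1" | base64 -d 2>/dev/null | head -c 64 \
        | tr -c 'a-z0-9@.-' '\n' | grep -m1 -e '^ssh-' -e '^ecdsa-' -e '^sk-'
}

# rfc4716_to_openssh: reads an RFC 4716 (PuTTYGen) public key on stdin and
# prints the single OpenSSH line "type blob comment". Wrapped blob lines are
# joined, the quoted Comment: header becomes the trailing comment, and other
# headers (Subject:, x-...) are dropped.
rfc4716_to_openssh() {
    awk '
        /^---- BEGIN SSH2 PUBLIC KEY ----/ { inkey = 1; next }
        /^---- END SSH2 PUBLIC KEY ----/   { inkey = 0; next }
        !inkey { next }
        /^Comment:/ { c = $0; sub(/^Comment:[ \t]*/, "", c); gsub(/"/, "", c); comment = c; next }
        /^[A-Za-z0-9-]+:/ { next }                 # any other header line
        { gsub(/[ \t\r]/, ""); blob = blob $0 }    # body: strip whitespace, join
        END { print blob " " comment }
    ' | {
        read -r blob comment
        type=$(key_type_from_blob "$blob")
        [ -n "$type" ] || { echo "unrecognised key blob" >&2; return 1; }
        printf '%s %s%s\n' "$type" "$blob" "${comment:+ $comment}"
    }
}

# openssh_to_rfc4716: the reverse. RFC 4716 limits lines to 72 characters, so
# the blob is folded at 64.
openssh_to_rfc4716() {
    read -r type blob comment
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----'
    if [ -n "$comment" ]; then printf 'Comment: "%s"\n' "$comment"; fi
    printf '%s\n' "$blob" | fold -w 64
    printf '%s\n' '---- END SSH2 PUBLIC KEY ----'
}

# Constructed sample (not a real key): the blob decodes to "ssh-rsa" followed
# by dummy exponent/modulus fields, split over two lines like a PuTTYGen file.
SAMPLE_PUTTY_KEY='---- BEGIN SSH2 PUBLIC KEY ----
Comment: "no one@example.com"
AAAAB3NzaC1yc2EA
AAADAQABAAAAAgEC
---- END SSH2 PUBLIC KEY ----'

printf '%s\n' "$SAMPLE_PUTTY_KEY" | rfc4716_to_openssh
# ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAgEC no one@example.com
```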

Myth: You need to edit /etc/ssh/sshd_conf to enable certificate login

No you don’t. The default values as shipped work just fine. Because the file consists of commented-out lines of parameters with their default values, I suspect some people have been confused about whether the ‘#’ needed to be removed before the parameter came into effect. It doesn’t – you only need to remove the comment if you want to change the default value. If you do remove the comment, but don’t edit the value, it’ll make no difference to anything.

What’s Real

In my experience, problems are almost always down to either directory permissions (see above) or errors transcribing public keys from one machine to another – and chaos and confusion caused by the abovementioned myths!


PuTTY, FreeBSD and SSH certificate logins

I’ve just gone crazy trying to figure out why PuTTY kept getting a “Server Refused Our Key” error when I tried to log in to a host using a certificate for the first time. Looking around the web, there are a lot of interesting theories about how to generate the certificates, and out of desperation I tried them all – nothing worked. So, for what it’s worth, here’s what does.

Generate your certificate on FreeBSD using the OpenSSH utility:

ssh-keygen -t rsa

With the default options this will create a couple of files in the .ssh directory within your home directory, and by default they’ll be called “id_rsa” and “id_rsa.pub”. In other words, if your user ID is fred the files will be in /usr/home/fred/.ssh/ with the above names. One’s private, the other is public.

You need to add the public key to the list of authorised keys in the .ssh directory:

cat id_rsa.pub >> ~/.ssh/authorized_keys

(The name authorized_keys with the American spelling is set in /etc/ssh/sshd_config)

Next you need to get the private key back to the machine running PuTTY. It’s just text – you can cut/paste it into a text editor and save it. For PuTTY to use it, however, it needs to be converted into PuTTY’s own format, which you do using the PuTTY Key Generator, puttygen.exe. Run this, click on the Load button and read in your text file, then use the Save Private button to write the .ppk file somewhere safe. You may wish to set a passphrase on it if there’s any chance someone else can get hold of it!

You may now get rid of the id_rsa.* files on the FreeBSD host, although you might want to add the public key to more than one user on more than one host – it’s a “public” key so there’s no harm in using it all over the place.

It is possible to use PuttyGen to make the keys and copy them to the FreeBSD host instead. A lot of people seem to have had trouble with this in the past (myself included), and it’s probably easier not to, especially if you’re going to use the keys in OpenSSH format for other purposes on the FreeBSD host anyway.

You’ll see a lot about setting the files in .ssh in some very restricted ways – basically all you need to do is ensure that they’re only writable by you. You can make your .ssh directory only readable by you if you wish but it won’t stop it from working. Also, the default /etc/ssh/sshd_config file is fine, and you don’t need to uncomment anything (in spite of what you might read). The default settings are all good, and all commented out, as it says on the top of the file. (Not quite true now – see 2024 update below)

Now, here’s the trick! What will cause a problem, as I eventually figured out, is if your home directory is writable by others. Don’t ask me how or why this should be true, but I tried this after I’d tried eliminating everything else on comparing working and non-working boxes. I know this for sure with FreeBSD 8.1 – ensure your home directory is drwxr-xr-x (or possibly less).
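The home-directory rule above and the ownership and 0600 myths in the previous post both come from the same place: sshd's default StrictModes check, which refuses a key file if the home directory, .ssh or authorized_keys is group- or world-writable or owned by someone other than the user or root. The script below, added here and not part of either post, reproduces that check; the throw-away directory and the sample key line in its demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original posts: a check that mirrors what sshd does
# with its default "StrictModes yes" before it will trust authorized_keys. The
# home directory, .ssh and .ssh/authorized_keys must each be owned by the user
# (or root) and must not be group- or world-writable; read bits and 0600 on the
# key file are not required. Parses ls -ld so it runs unchanged on FreeBSD and Linux.

# not_writable_by_others PATH: 0 if PATH is neither group- nor world-writable.
not_writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)        # e.g. drwxr-xr-x
    case "$mode" in
        ?????w????|????????w?) return 1 ;;  # group write bit or other write bit set
    esac
    return 0
}

# owned_by_user_or_root PATH: 0 if PATH belongs to the invoking user or to root.
owned_by_user_or_root() {
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    [ "$owner" = "$(id -un)" ] || [ "$owner" = root ]
}

# check_home HOME_DIR: walks home -> .ssh -> authorized_keys and reports the
# first thing sshd would reject. Returns 0 when all three pass.
check_home() {
    home=$1
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; return 1
        fi
        if ! owned_by_user_or_root "$p"; then
            echo "wrong owner (must be you or root): $p"; return 1
        fi
        if ! not_writable_by_others "$p"; then
            echo "group/world writable, sshd will refuse the key: $p"; return 1
        fi
    done
    echo "ok: $home"
}

# Stand-alone demo on a constructed throw-away home directory. On a real host
# just run: check_home "$HOME"
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/.ssh"
    echo 'ssh-rsa AAAAB3NzaC1y...constructed... noone@example.com' > "$tmp/.ssh/authorized_keys"
    chmod 755 "$tmp"; chmod 700 "$tmp/.ssh"; chmod 644 "$tmp/.ssh/authorized_keys"
    check_home "$tmp"                            # ok
    chmod 777 "$tmp"
    check_home "$tmp" || echo "  (the 0777 home directory is the problem)"
    chmod 755 "$tmp"; chmod 664 "$tmp/.ssh/authorized_keys"
    check_home "$tmp" || echo "  (0644 is fine, 0664 is not)"
    rm -rf "$tmp"
}
demo
```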

The final stage is to set up a session profile in PuTTY. This isn’t a tutorial for PuTTY, so I’ll be brief. In the options category open to Connection/Data and set the auto-login username you wish to use (if you haven’t already). Then under Connection/SSH/Auth select the private (.ppk) file you want to use. Remember, you can use this file with as many hosts and user accounts as you’ve added the public key to the .ssh/authorized_keys file. Save the session, and that’s it done. If it doesn’t do it for you, take a look in /var/log/auth.log.

Update 2024:
And finally, twelve years later, there’s a problem. Newer versions of SSH will barf at RSA keys. You’ll get a “The server refused our key” message and something like this in auth.log…

sshd[1539]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

Don’t worry – there’s a quick fix. In /etc/ssh/sshd_config add the following line somewhere that makes sense.

PubkeyAcceptedAlgorithms +ssh-rsa

You might want to use something other than RSA keys going forward, but this is an update to a 2012 article – watch out for a new one.
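Added example, not from the original post: how sshd resolves a keyword from sshd_config, which explains both the ‘#’ myth in the earlier post and what the "+ssh-rsa" line does. The default algorithm list and the config file in it are constructed placeholders, not sshd's real defaults.

```shell
#!/bin/sh
# Added example, not from the original post: how sshd reads a keyword from
# sshd_config, which is why uncommenting a default line without changing it
# does nothing, and how "PubkeyAcceptedAlgorithms +ssh-rsa" is applied. sshd
# uses the FIRST uncommented occurrence of a keyword; for algorithm lists a
# leading "+" appends to the default, "-" removes from it and "^" puts the
# names first. The default list below is a constructed placeholder.

# effective_value KEYWORD FILE: prints the first uncommented value, or nothing
# if the keyword is absent (the built-in default then applies). Stops at the
# first Match block, whose settings are conditional.
effective_value() {
    awk -v kw="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comment or blank line
        tolower($1) == "match"   { exit }
        tolower($1) == tolower(kw) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit  # value after the keyword
        }
    ' "$2"
}

# resolve_algo_list DEFAULT VALUE: applies the +/-/^ rules to a comma-separated
# list. Only exact names are handled for "-"; sshd also accepts wildcards there.
resolve_algo_list() {
    default=$1; value=$2
    case "$value" in
        "")  printf '%s\n' "$default" ;;                     # keyword absent
        +*)  printf '%s,%s\n' "$default" "${value#+}" ;;
        ^*)  printf '%s,%s\n' "${value#^}" "$default" ;;
        -*)  out=""
             for a in $(printf '%s' "$default" | tr ',' ' '); do
                 case ",${value#-}," in
                     *",$a,"*) ;;                             # dropped
                     *) out="${out:+$out,}$a" ;;
                 esac
             done
             printf '%s\n' "$out" ;;
        *)   printf '%s\n' "$value" ;;                        # explicit list replaces default
    esac
}

# pubkey_algos FILE DEFAULT: the list sshd would end up with.
pubkey_algos() {
    resolve_algo_list "$2" "$(effective_value PubkeyAcceptedAlgorithms "$1")"
}

# write_sample_config FILE: a constructed sshd_config in the shipped style.
write_sample_config() {
    cat > "$1" <<'EOF'
# Defaults are shown as comments; uncommenting the next line unchanged does nothing.
#PubkeyAuthentication yes
#PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512
PubkeyAcceptedAlgorithms +ssh-rsa
# Ignored: sshd takes the first occurrence of a keyword.
PubkeyAcceptedAlgorithms ssh-ed25519
EOF
}

f=$(mktemp); write_sample_config "$f"
echo "PubkeyAuthentication: '$(effective_value PubkeyAuthentication "$f")' (empty: default applies)"
echo "PubkeyAcceptedAlgorithms: $(pubkey_algos "$f" ssh-ed25519,rsa-sha2-512)"
rm -f "$f"
```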