UrlBlogGrey: December 2005 Archives


December 30, 2005

Access Tivo Recordings Using a Web Browser

I recently learned how to access Tivo recordings via a web browser. This makes up for the lack of the Tivo Desktop software program for Mac OS X. The steps are pretty straightforward:

  1. Determine the IP address of the Tivo DVR, or the Zero Configuration (Bonjour) networking name of the DVR (mine was dvr-dc88.local).
  2. Open a web browser with the URL https://[IP address]/, or https://[bonjour name]/. The URL I used was https://dvr-dc88.local/
  3. When prompted for a username and password, use 'tivo' as the username and your Media Access Key (obtained from Tivo's account management website) as the password.
  4. Download any video content offered via the web interface.
  5. Use MplayerOSX to play any of the Tivo videos.

Here's what the browser-based interface looks like:

Tivo Now Playing

Squeezebox v3 gets added to my Wishlist

I recall seeing the Squeezebox v2 wireless network music player on Amazon about a year ago, and marveling at the sleek and refined appearance of the unit. Today, I came across a review of the third version of the Squeezebox. I must say that Slim Devices has done an excellent job of expanding the capabilities of the device without complicating the interface. I like how the server software that runs on one or more computers on your local network is Open Source and multi-platform. I'll be sure to add this to my Amazon Wishlist!

December 29, 2005

Secure Storage on USB Flash Drives

We own two Macs (12" Powerbook, Mac Mini) at home, and I've come to enjoy the convenience and security of storing account credentials (usernames, passwords) in the OS X "Keychain" application. I prefer to use the Keychain instead of a commercial third-party product mostly because it is integrated with the OS and is free. However, it's difficult to securely share a keychain file containing credentials across two or more computers. Putting this information on a network-accessible location is a bad idea. So, I've decided to follow the paradigm of the traditional keychain by purchasing a USB flash drive that I can attach to my real-life keychain. This will ensure that the digital keychain is bound to my physical keychain, which should always be on or near my person. But the question remains, how do I secure information on the keychain so that if someone gains physical access to it they won't be able to view my digital credentials?

I would prefer to encrypt the entire contents of the drive since I may choose to store other sensitive information on it besides my keychain. This is akin to carrying a "digital safe" attached to one's keychain. If the keychain is lost, the information on the drive stays safe unless the password is discovered. Since I use a Mac, I can take advantage of the encrypted disk image capability present in Mac OS X Panther and Tiger. The disk image is encrypted at the OS-level using Advanced Encryption Standard (AES) military-grade encryption with 128-bit keys. Mac OS X also offers the ability to encrypt all of the files in your home directory automatically with AES using the FileVault feature.

I asked Natalie about the difference between using 128-bit and 256-bit keys. Obviously, a 256-bit key is more difficult to break than a 128-bit key. But is it overkill? She said that many security experts think that information security requirements are dependent on whether the information is "at rest" or "not at rest". When at rest, such as on a hard disk or flash drive, it is less vulnerable to attack. If it is not at rest, such as being transmitted over a local network or the Internet, it is more vulnerable to attack or theft. Natalie said that the issue of "rest" is intensely debated in the security field since one could argue that information is never really at rest.

I looked at different USB flash drives on the market and noticed that Lexar offers a Secure Jumpdrive model featuring 256-bit AES encryption. Lexar's software drivers must be installed on the computer in order to access or manage a secure flash drive. I find this a big negative since I don't know Lexar's reputation as a software manufacturer, especially with regards to encryption. Also, it is not possible to install drivers on machines that are part of a managed environment (i.e. work, internet cafe, etc.). It turns out that Lexar has made some serious errors in the security implementation of their 1.0 release. This doesn't bode well for the Secure Jumpdrive. What good is a 256-bit key if the password can be accessed by an attacker within a matter of minutes?

Since the encryption is bound to be in software, I've resolved to use a software feature implemented at as low a level as possible, such as with Apple's encrypted disk image. I'm guaranteed to be able to securely access the image on any Mac without installing additional software. Plus, the odds are that if the drive got into the wrong hands, they wouldn't have access to a Mac and thus couldn't access the drive's contents to begin with. I've purchased a Sandisk Cruzer Micro flash drive which should discreetly fit on my keychain, and will use an encrypted disk image to secure my keychain and other personal data.

December 27, 2005

Tivo and Weak Security

We've been using a D-Link 802.11G wireless network adapter with our Series 2 Tivo for the last 6 months with little difficulty. However, Tivo doesn't seem to understand that Wired Equivalent Privacy (WEP) has a weak authentication mechanism and has long been replaced by the Wi-Fi Protected Access (WPA) standard. We'd like to use WPA, but are stuck using WEP until Tivo makes the move.

Yesterday, I became fed up with the wireless support in Tivo and purchased a USB Ethernet adapter to provide the Tivo with a wired connection to our broadband router. This will provide the Tivo with a secure wired connection, and allow us to upgrade the security on the wireless network to use WPA 2. The network adapter I ordered is the Netgear FA120. It has received good reviews on Amazon and was reasonably priced ($25).

The other solution I was considering was to buy another wireless router that could be configured to use a low grade of security (WEP), and use our existing wireless router to provide a high grade of security (WPA) while connected to a switch port on the low-security router. This was too complex and expensive to implement. It would have meant spending at least $40 on the access point. Also, an additional access point represents one more system to secure and configure. Purchasing a wired Ethernet adapter was a much simpler and secure solution.

December 23, 2005

Old Skool, Part 2

I added the web pages I posted on-line in 1995 referencing my TI-85 programs. They certainly gave my girlfriend and me a good laugh. The content is completely unmodified, and in many ways reflects the make-up of the Internet at the time. Here are links to the two sections I maintained:

The links from the images reference UUEncoded files containing my TI-85 programs. UUEncoding was a popular means of transmitting binary files in ASCII-only mediums like USENET newsgroups. I posted many of my programs on USENET, and learned a lot about programming from other programmers on USENET. Unfortunately, now it's the domain of spammers and porn sites.

Old Skool

I came upon a backup CD I made in 1998 containing a lot of my files from early net-dom. Included in the backup were most of my TI-85 programs, the TI-85 PC link program, and some of the web pages I made for my TI-85 programs. Some of the programs seem very pointless, but I really enjoyed making them at the time. It was my first programming environment, and can be fully credited with creating my interest in computer programming. For grins, I'll post a link to ASCII versions of the programs, and the web pages I created.

I also found the program I wrote as my final project for the CIS-1 class I took at Hartnell Community College during my Senior year of high school. It is an encryption program that is ridiculously easy to break - it just shifts the characters by a fixed amount. This way, an 'a' becomes an 'f', and a 'b' becomes a 'g'. Hey, I was 17. I also remember getting a computer virus on our home PC, and then accidentally transferring the virus to my friend Jason Liao's home PC via this program. He was pissed! What's even more funny is the README file I created to accompany the program. My god, I was arrogant. Here are the contents of the file:

Help for Encrypt 2.0!

**************To start the program, use 'new' for your password**********
	Thanx for downloading my little proggie here.  I know it's not
much but it's kinda fun to encrypt stuff even though it's not a really
complicated algorithm (go ahead, look at the source code!).  I have included
a cool icon I made, too.  

	This program was designed using Borland Turbo C++ for Windows, 4.5.
It's got a few cool features like:

- encrypts your password, so nobody will peek at it
- keeps reacords of the time/date of encryptions/decryptions
- allows you to change your password
- views text files
- lots of other cool stuff.....

Any suggestions are welcome, just so long as you don't trash on my 2 hour
hack......

Scott Kidder
Gumby123@aol.com

Scooter B Software motto: "World domination, here I come!"
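
Why a fixed shift is "ridiculously easy to break", as an added example (this is not the Encrypt 2.0 source, which the post does not show): with only 26 possible keys, one known letter pair or a scan of every key recovers the text. The shift of 5 matches the 'a' to 'f' mapping described above; the sample sentence, word list and function names are constructed for illustration.

```python
import re

# Short function words used to recognise English output (constructed list).
COMMON = {"the", "and", "for", "is", "in", "of", "to"}

# Constructed sample plaintext.
SAMPLE = "The password for the backup server is hidden in the readme file."


def shift_text(text, k):
    """Shift A-Z and a-z by k positions (mod 26); other characters pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def key_from_known_pair(plain_ch, cipher_ch):
    """One known plaintext/ciphertext letter pair reveals the whole key."""
    return (ord(cipher_ch.lower()) - ord(plain_ch.lower())) % 26


def english_score(text):
    """Count how many words of the candidate are common English words."""
    return sum(w in COMMON for w in re.findall(r"[a-z]+", text.lower()))


def brute_force(ciphertext):
    """Try all 26 keys and return (key, plaintext) for the best-scoring one."""
    score, key = max(
        (english_score(shift_text(ciphertext, -k)), k) for k in range(26)
    )
    return key, shift_text(ciphertext, -key)


if __name__ == "__main__":
    secret = shift_text(SAMPLE, 5)
    print(secret)
    print(brute_force(secret))
```
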

BMW Secondary Air Pump Replacement - Final

As a follow-up to my previous post, I completed the installation of the secondary air pump replacement yesterday. It was very straightforward. I installed the vibration-dampening rubber posts on the pump, and then affixed the pump to the pump mount via the posts. The hoses and electrical connectors were all returned to their appropriate places on the pump. Unfortunately, I wasn't able to verify the results until this morning since the pump is activated only when the engine temperature is sufficiently cold (I think). I noticed that the deep engine note present during the absence of the pump was gone and the pump sounded like it was running. Everything seems to be back to "normal", woohoo!

The 'check engine' light is still active, so I'll need to reset it soon. My options are to have a mechanic use a proper reset tool, or to briefly disconnect the battery from the electrical system. The latter will likely require the radio code to be re-entered. Fortunately, I have the code and can simply punch it in. I might try this over the weekend. The total cost of the repair is listed below:

Part                                             Vendor                Price
Secondary Air Pump Valve (11721744255)           Bavarian Auto Parts   $84.95
Secondary Air Pump (11721744490)                 Bavarian Auto Parts   $249.95
Secondary Air Pump Valve Gasket (1172505259)     Bavarian Auto Parts   $3.95
Natural Rubber Pump Mounts (9217K57)             McMaster              $4.41
Total Cost                                                             $343.26 (plus shipping)

December 21, 2005

BMW Secondary Air Pump Replacement - Progress Update 1

My work in replacing the secondary air pump in my 1998 BMW 323is has been positive. Last Sunday, I performed about 80-percent of the total work involved.

This included replacing the non-return valve and gasket attached to the exhaust manifold. The valve is actually the cause of the pump failure; water got past the valve and entered the pump, which contributed to deterioration of the pump motor. This was pretty easy. I used a 10mm socket wrench with extension to work on the two nuts affixing the valve to the manifold.

The more difficult and frustrating steps involved removal of the non-functioning pump. The pump rests on three vibration-dampening rubber posts which are attached to a hard plastic mount. The mount is attached to the car chassis using three 10mm screws. The mount was easy to remove. The rubber posts connecting the pump and the mount were a subject of concern from the outset. Most of the how-to's state that these posts are extremely fragile and must not be subjected to any torsion. I broke the first post in a matter of five seconds. The second post broke just as easily. The third and final post was broken by me in a fit of frustration.

To exacerbate the problem, the rubber posts are as expensive as they are fragile. The OEM replacement costs over $16 per post. Multiplied by three, that's a total cost of at least $48. Fortunately, one of the how-to's suggested purchasing general-purpose rubber posts (McMaster part 9376K57) matching the OEM specifications. These are only $1.48 per post. I should be receiving the posts today, and will complete the repair this weekend.

So, for the last three days I've been driving my car with the new non-return valve installed and no secondary air pump. The biggest difference is the sound of the engine during the first two minutes of driving. It's a lot louder. It sounds like the mixture is extremely rich. I'm really hoping that the installation of the new pump will resolve the noise and 'check engine' light issues.

Photo EXIF Data and "The Man"

I was looking at a few of my photos on Flickr this morning when I noticed the plethora of information revealed by the EXIF data associated with nearly all images taken using digital cameras. The most striking attributes were the camera serial number and image number. A unique serial number is associated with all of the images taken with a specific camera, and those images are voluntarily uploaded to a photo sharing site. Is it possible for a site like Flickr or Google Image Search to aggregate all of the photos taken with a specific camera during a particular time span? How about tracking down stolen photo equipment? What if your camera was stolen in January, but a photo taken with it in June was found on the Internet? Could you track down the thief using meta-data embedded in a digital image?

I recall hearing an interview on NPR with a digital imaging expert from Carnegie Mellon who said that it's possible to identify the specific model and, in some cases, the specific camera that produced a digital image without the assistance of EXIF data. This was done by analyzing the image for visual artifacts unique to specific digital cameras and image processors. I find this amazing and horrifying at the same time. I firmly believe in an individual's right to anonymously capture and share information. It seems like consumerism and technology conspiring to create a trackable population.
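
What the metadata segment carries and how to drop it before sharing a photo, as an added example (not from the original post): it reads the Make and Model tags from a JPEG's Exif block, then removes every Exif APP1 segment, which also discards any serial number stored inside it. The sample image, its serial string and the function names are constructed for illustration.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"


def ifd0_ascii_tags(tiff):
    """Return {tag_id: text} for the ASCII entries in IFD0 of an Exif TIFF blob."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        raise ValueError("not a TIFF header")
    magic, ifd_off = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack_from(order + "H", tiff, ifd_off)
    tags = {}
    for i in range(count):
        entry = ifd_off + 2 + 12 * i
        tag, typ, n, raw = struct.unpack_from(order + "HHI4s", tiff, entry)
        if typ != 2:                      # type 2 = ASCII string
            continue
        if n <= 4:                        # short values are stored inline
            data = raw[:n]
        else:                             # longer ones at an offset from the header
            (off,) = struct.unpack(order + "I", raw)
            data = tiff[off:off + n]
        tags[tag] = data.rstrip(b"\x00").decode("ascii", "replace")
    return tags


def strip_exif(jpeg):
    """Return (clean_jpeg, removed_exif_blobs) with every APP1/Exif segment dropped."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    out, removed, pos = bytearray(jpeg[:2]), [], 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:                # SOS: image data follows, copy the rest
            out += jpeg[pos:]
            return bytes(out), removed
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        end = pos + 2 + length            # length counts its own two bytes
        if length < 2 or end > len(jpeg):
            raise ValueError("truncated segment")
        payload = jpeg[pos + 4:end]
        if marker == 0xE1 and payload.startswith(EXIF_HEADER):
            removed.append(payload[len(EXIF_HEADER):])
        else:
            out += jpeg[pos:end]
        pos = end
    raise ValueError("no SOS marker found")


def build_sample():
    """Constructed image: SOI, JFIF APP0, Exif APP1, SOS with fake scan data, EOI."""
    make, model = b"ExampleCam\x00", b"Model X (constructed)\x00"
    serial = b"SERIAL-0000-CONSTRUCTED"   # stands in for maker-note data
    data_off = 8 + 2 + 12 * 2 + 4         # strings start right after IFD0
    ifd = struct.pack("<H", 2)
    ifd += struct.pack("<HHII", 0x010F, 2, len(make), data_off)               # Make
    ifd += struct.pack("<HHII", 0x0110, 2, len(model), data_off + len(make))  # Model
    ifd += struct.pack("<I", 0)           # no further IFD
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd + make + model + serial

    def seg(marker, payload):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

    app0 = seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    sos = seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56\xff\xd9"
    return b"\xff\xd8" + app0 + seg(0xE1, EXIF_HEADER + tiff) + sos


if __name__ == "__main__":
    clean, removed = strip_exif(build_sample())
    print(ifd0_ascii_tags(removed[0]), len(clean))
```

Stripping the segment does nothing about the sensor-artifact identification mentioned above, which works from the pixel data itself.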

December 20, 2005

Java 1.4.2 Plug-in on Fedora Core 4

Lately I've been using several Linux distributions to test a Java Applet used in Documentum's Unified Client Facilities (UCF). I've tested Red Hat Enterprise 3 and Fedora Core 4 using Firefox 1.0.7 and the Java plug-in (1.4.2_09 and 1.5_05). In my testing, the Applet failed to load on Fedora Core 4 using JRE 1.4.2; however, JRE 1.5 on Fedora Core 4 worked fine.

The Applet is embedded in an HTML page using the standard "code" tag. The browser HTML engine encounters the tag and informs the Java plug-in that it has some work to do. The Java plug-in then attempts to download and execute the code archive referenced in the tag. The 1.4.2 plug-in was reporting an inability to download the Applet archive from the web server. I verified that the URL of the Applet archive (JAR file) was accessible through the browser. It was, so there was no reason that the Java plug-in should report an error while trying to download the archive. I was puzzled.

I googled the problem a bit and learned that it stems from the IPv6 support in the Java 1.4.2 plug-in. The JRE tries to create an IPv6 socket to the system hosting the JAR file, but screws up somewhere along the line and reports that the connection failed. It looks like the Java 1.5 plug-in might need to be the minimum requirement for browser-based Linux clients.

Here are some of the links I found documenting the bug in JRE 1.4.2:
JRoller posting
Sun Bug Entry

December 17, 2005

Chaining Wireless Access Points for Improved Security

We've been using the Wired Equivalent Privacy (WEP) encryption standard to secure our home's wireless network since we discovered that Tivo doesn't support the more secure Wi-Fi Protected Access (WPA) encryption standard. Unfortunately, it's not possible to run some devices on a wireless network with WEP, and some with WPA; rather, it's all-or-nothing. So, we've downgraded the security of all our devices for the sake of Tivo. Our Powerbook and Mac Mini connect to the network using WEP, when they could be using WPA instead.

Recently, I heard on a podcast program called Security Now! that it's advisable to chain wireless access points (APs) in scenarios like mine. The layout would have the DSL/Cable modem connected to a low-security access point, and a high-security access point connected to the low-security AP on one of its ethernet ports. Here's a basic diagram:


                      [ethernet]                    [ethernet]
[Internet] ---> Modem -----------> Low-Security AP -----------> High-Security AP
                                         |                             |
                                         | low-security clients        | high-security clients
The primary difference in this architecture is the presence of an additional AP that allows the creation of secure and non-secure network segments. Both segments are completely isolated from each other. This might create problems if the high-security clients wanted to access resources on the low-security client segment, but allowing this would invalidate the whole purpose of creating these two separate network segments. The low-security segment effectively becomes a Demilitarized Zone (DMZ) that is distrusted as a policy. Yes, this is a good thing.

So, I'm thinking about buying another Linksys WRT54G, or WRT54GS, to handle the low-security clients. Having a low-security segment also makes it easier for friends or guests visiting your home to use the broadband connection without going through the hassle of configuring their client to use the high-security AP. Seems like a good idea!

Ladytron: Witching Hour

About two weeks ago, I picked up the latest album from the UK group Ladytron. The album is titled "Witching Hour", and is an excellent example of the resurgence of electronic synth-rock. The female vocals are both sexy and serious. The instrumentals are exhilarating, and I find it difficult to not embarrass myself by rocking-out in my car during my commute when certain songs are playing. My favorite tracks, in order of preference, are:


  • 2 - Destroy Everything You Touch
  • 8 - Fighting in Built Up Areas
  • 3 - International Dateline
  • 13 - All the Way

December 10, 2005

Changes

With the recent move up to the San Francisco Bay Area, I am amazed at all that has happened in the last year. I quit working for the 3D Marketing start-up, returned to DMDC, had two of my friends die in unrelated accidents in a two month period, proposed to Natalie, quit DMDC, found a new job in Pleasanton, and moved to Oakland.

It seems that a lot of changes in a small time-frame can cause me to forget important events that occurred not so long ago. A couple of them - the deaths of Fateh Kausar and Jason Liao - keep coming to my mind regularly.

Fateh was a brilliant, daring and compassionate friend. He would do anything for a thrill (hiking out on the edge of the waterfall at Yosemite...). And he would do anything for a friend. But sometimes the two would collide and produce unfortunate events. On one occasion, we were at work and decided to go out for coffee. Fateh drove his car up to the entrance of the building and everybody began to get into the car. He heard one of the rear doors slam shut, so he thought that everyone was inside. I was in the process of getting in and still had my door open. He started to accelerate with me only partially in the car! Everyone else started to yell at him to stop, which he did within a few seconds. No harm came of it, but his interest in thrilling himself and his passengers conflicted with his concern for the well-being of others. I think he spent 5-10 minutes apologizing to me, while I assured him that it wasn't a problem. Natalie and I were on vacation in Kauai when we heard that he had lost control of his car while driving back to work on Friday after attending Muslim prayer. I will always miss Fateh's sense of humor and adventure.


Also, Jason Liao has been entering my mind a lot. I can't believe that, tomorrow, it will have been a year since his passing. Jason and I had met a couple of times since he returned to the Monterey Bay area to work for CTB McGraw Hill. That night, I met him and a group of his coworkers at a restaurant called "Hula's" for dinner and drinks. Everyone was having quite a lot of drinks, and I assumed that Jason would be taken care of, both through his own good judgement and the concern of his coworkers. I left them at around 9:30 that night and headed home. I was disturbed to find out that Jason had died in a solo car accident later that night while driving in his Corvette in Marina. That event will always be with me.

I came upon an excerpt of the obituary posted in the Monterey Herald:

"Liao, Jason H., 25, passed away as a result of a car accident on December 11. Born on February 17, 1979 in Monterey, he attended North Monterey County High School and graduated from UC Berkeley with a BS degree in Electrical Engineering and Computer Science in 2000. He was a CAD engineer with PMC Sierra in Santa Clara. He recently moved back to the Monterey area and began his work for CTB McGraw Hill in custom contract. Jason will be remembered as a thoughtful, joyful, loving person and with a sense of humor. He will be missed by his mother Bih, father Shu, brother Kenneth of San Jose, grandmother Su-Fong Wu of Fremont and many loving relatives. Funeral services will be held at The Paul Mortuary, 390 Lighthouse Avenue, Pacific Grove, at 4:00 p.m. Saturday, December 18."

Jason Liao

So, I think that this time of year will always be a time for remembrance for me. I think that's a good thing.

December 7, 2005

Java Applets and Assumed Identity

As part of a new assignment at work, I've been experimenting with the use of user-configured MIME types to load external content from a Java Applet. Specifically, I want a Java Applet to trigger the loading of an arbitrarily-typed file in the appropriate application. This means opening Word for a Word document, Excel for a spreadsheet, etc.

Applets are a weird thing. They have an odd security model that assumes the User can accurately make the distinction between "friend" and "foe". Most Applets are assumed to be "foes", which is fine for most situations. Loading files in helper applications requires "friend" status according to the default security policy. This can be achieved by signing the archive used to convey the Applet with a digital certificate. The certificate can be signed by a Certificate Authority (CA), or by an unverified individual (self-signed certificate).

The rub is that the user is required to make the distinction between a certificate that has been registered with a CA, and a certificate that was generated by a potentially-malicious individual. The distinction is often a subtle one to the user. And the consequences of letting a malicious Applet run can be significant.

Our commercial product uses a certificate that has been registered with a CA, so this won't be a problem. But I'm reminded of the fragility of the security model and how much it relies on user-sophistication.

December 6, 2005

Who Would Think Owning A BMW Is Expensive?

When I bought my 1998 BMW 323is in 2001, I didn't expect to run into as many repair expenses as I have. Apparently they assume that most people who buy new BMW's pass them on to aspiring BMW owners who unfairly absorb the repair costs.

The reason for my complaint is the failure of the secondary air pump in my car. Two years ago, I was a bit perplexed by the gurgling sound being emitted from the engine compartment in the first couple minutes of start-up, but wasn't overly-concerned. I've since come to learn that the sound was that of the demise of my secondary air pump. My first question was "Why are there two air pumps?" Excellent question. It turns out that the secondary air pump is used to increase compression in the engine compartment after ignition to combust more fuel in the catalytic converter, ultimately leading to a cleaner environment for the birds, fish, whales, and stuff. Oh, and a higher credit card bill for me. Total cost of the parts (to-date) is $356 (parts + shipping). The animals of the world had better appreciate this.

I know that I'll have to replace the pump soon in order to pass the California smog emissions test in a couple months. I've been delaying the repair for as long as possible. Clearly, it's not a mandatory component. Also, judging from the number of people complaining of similar experiences on the Internet, it's quite common for the pump to fail (usually due to water leaking from the non-return valve into the pump and leading to corrosion of the pump motor).

I've ordered the parts and will attempt the replacement of the pump and non-return valve myself. Hopefully I won't break anything in the process. That applies to me and the car. I'll be following a very well-written set of instructions posted to a BMW message board.

December 3, 2005

Oak-town or Bust!

The move to Oakland is virtually finished, as we transported most of the contents of our apartment to our new apartment in Oakland last weekend. The experience was interesting, since we had a few mishaps with the moving vehicle. I say "vehicle" because we had a van at first, which would have been much too small to hold all of our things. Here's a picture of the original van:

Our original

Natalie had chosen to get a van when making the reservation with U-Haul through their website. I was a bit surprised when we were told the van was ours. The following day we returned to the U-Haul location to see if we could exchange the van for something - well, anything - bigger. After 2.5 hours of waiting among some interesting characters, we were given the keys to a larger truck which actually cost less money and was due back in 3 days rather than on the following day. Go figure. However, the truck was a total piece of junk. It had a problem with the carburetor or something because the engine would stutter really bad pretty much all the time. But we needed a truck, so we took it.

Our revised big, hoopty, moving van.

The loading of the truck was fairly easy. With the help of one of our friends, Glenn, it took only about 1.5 hours for the bulk of the furniture to be loaded. We then proceeded to a local British pub, The Crown & Anchor, where I got seriously drunk off two beers and a double-shot of tequila.

I paid the price for the shot of tequila the following day when we awoke at 5:30A to drive to Oakland in hopes of avoiding the Thanksgiving weekend traffic. Plus, the truck didn't instill a lot of confidence in us. It proved to be a good idea to leave early since the truck topped out at 55 mph on flat ground. Fortunately, it got us there safely and on-time.

I've got just one thing to say after all of this: U-Haul is America's Moving Adventure!