Alan Burlison's Work Related Ramblings

Thursday February 14, 2008

Kicking both tyres together - VirtualBox and Indiana

I saw Tim's announcement that Sun were acquiring innotek. innotek provide VirtualBox, which what Tim described as a "high performance type 2 hypervisor". For people who aren't virtualisation wobbleheads, that simply means that it gives you the ability to run operating system on top of another. The host operating system runs on top of the x86 hardware, you run VirtualBox as an application on top of that. VirtualBox emulates the hardware that a guest Operating System needs to run, so that you can run other OSs on top of your host OS. This is in contrast to xVM (Xen), which runs on top of the bare hardware, with the installed OSs running on top of it.

I pulled the Solaris beta binary from the downloads site and had a play with it. The VirtualBox admin GUI is very easy to use, and it was quick and easy to set up a VM to install a copy of Windows XP on top of Solaris - my workstation is running Nevada build 82. Most everything seems to work really well, the only exceptions being sound, which I believe is not implemented yet, and the Solaris/XP file sharing, which seems a little flaky - it works OK for viewing and editing files created on Solaris, however creating new folders from XP works but reports errors, and you can't see the resulting folders in XP. The other nit is that seamless mode doesn't work quite right if you have a dual-monitor (TwinView) setup - details are here.

The other big news this week has been the release of Indiana Preview 2, AKA OpenSolaris Developer Preview 2. Stephen was gently nagging me last week to take a look at Indiana. I didn't want to futz with my machine config as I've just freshly installed build 82 on it, so I decided to see if Indiana2 would run under VirtualBox - and it does.

First you need to make sure you allocate enough memory for Indiana - I set the memory size to 512Mb, and the video memory size to 32Mb. After installing Indiana and rebooting the VirtualBox VM there's a couple of kernel warnings on boot, one about MPO being disabled because the virtualised memory is interleaved and another about their being no randomness provider for /dev/random. The other thing is that Xorg came up by default in 16-bit mode, which caused VirtualBox to complain, although a little tweaking of xorg.conf solved that.

I also figured out how to get the Indiana screen resolution up to 1280x1024 - you need a tweaked xorg.conf, and before you start your VM you need to run VBoxManage setextradata Indiana CustomVideoMode1 1280x1024x32 - replacing "Indiana" with the name of your VM, and note that "CustomVideoMode1" ends in "1" (one) not "l" (L).

The biggest nit is that the virtualised network device used by VirtualBox requires the pcn driver, and it isn't redistributable, which means in turn it isn't part of Indiana. I grabbed a copy from build 82 (the latest SXCE) and installed it into the Indiana image, rebooted and NWAM brought the interface up. If you want to do this yourself, here's the steps:

1. Get access to the contents of the SXCE ISO image from inside your Indiana VM. Use the VirtualBox Virtual Disk manager (File -> Virtual Disk Manager) to make either the DVD or ISO image available to your Indiana VM.
2. Extract the files from /Solaris_11/Product/SUNWos86r/archive/none.bz2 - this is a bzip2ed cpio archive.
3. As root, copy pcn and pcn.conf to /kernel/drv in your Indiana VM.
4. Run add_drv -i '"pci1022,2000" "pci103c,104c"' pcn to install the driver - note the quotes are important!
5. Reboot your VM. After rebooting, ifconfig -a should show you now have a working pcn0 network interface.

And of course, if you are worried about brickifying your Indiana VM by doing this, you can always use VirtualBox's snapshot facility to make sure you can roll everything back if something goes wrong.

One important not however: the resulting Indiana VDI image is NOT redistributable, because of licensing restrictions on the pcn driver.

Once I had the Indiana image up and running under Solaris, I copied it onto a Windows XP machine, imported it, attached it to a Solaris VM , started it up and had a preconfigured instance of Indiana running under WinXP, which I thought was kinda neat. I haven't tested it on Linux but I'm sure this would work there too, as well as on OS X. So all you people who have been putting off taking a look at Indiana because it would mean rebuilding your machine now have no excuse :-)

Update - the ae driver

There is an open-source and redistributable alternative to the pcn driver, the ae driver. This is available at http://homepage2.nifty.com/mrym3/taiyodo/ae-2.6.0a.tar.gz#../ae-2.6.0a.tar.gz. The driver tarball contains installation instructions. To make it accessible to your VM, it needs to be made into an ISO image that you can mount into the VM, using the Devices -> Mount CD/DVD-ROM menu of your VM. To make this a little easier I've prebuilt an ISO of the driver tarball which you can download from here. I haven't tried this driver myself, if you use it, let me know how you get on.

Thursday February 07, 2008

Facebook: do I get to say "I told you so?"

Just noticed that slashdot is running a story on Facebook applications and data privacy:

I'll merely point out that I already told you so :-)

Friday January 18, 2008

Facebook faces privacy questions

Just noticed this report on the BBC News website:

That'll be me they are talking about...

Tuesday January 15, 2008

Number problems

I've just been looking at my son's maths homework, which is from the CGP Year Six Maths Workbook - Year Six in the UK is kids who are 10 to 11 years old. Here's the question:

I can think of four possible answers, depending on how you interpret the question:

1. 6, i.e. the hundreds digit of 4695 is 6
2. 600, i.e. the hundreds component of 4695 is 600
3. 46, i.e. 100 goes into 4695 46 times, with 95 left over
4. 46.95, i.e. 4695 ÷ 100

From previous experience with these books, it could be any of the first three possibilities, although the last one is an equally valid interpretation. No wonder the standard of maths in UK primary schools is so poor, if they have to use such frankly awful source material. Here's another example, from the next page:

If you think the answer is 1376.92, i.e. (17 × 6) + (98 ÷ 25 × 301) - 21 + 113, you'd be wrong. The answer they seem to be expecting is 2500, i.e. ((((((17 × 6) + 98) ÷ 25) × 301) - 21) + 113). I know that's the case because the kids aren't allowed to use calculators, so the answer will be an integer value. So much for the rules of operator precedence...

p.s. Thanks to @kangcool for spotting the maths error in the original version ;-)

Friday January 04, 2008

Facebook: and so it begins...

I just came across this security advisory via The Register. A malicious Facebook application is using social engineering techniques to persuade people to install spyware/adware on their machines:

I'm absolutely certain that this is just the first swell of an approaching tidal wave of Facebook malware. It isn't even a particularly clever example - it would be far more effective to use a Facebook application to harvest personal information whilst apparently offering a useful service, and then use the data elsewhere and/or at some time after the application was harvested. That would make it far more difficult for people to draw the connection between the harvesting app and the subsequent misuse of their personal data.

Currently there are more than 12,000 Facebook applications registered in Facebook. All you need to add an application to Facebook is an API key, and you can get one of those in seconds from the Facebook site, with no checking whatsoever by Facebook. The only mechanism Facebook seems to provide to 'protect' its users from malicious applications is a requirement that developers click on a checkbox to agree to Facebook's Developer Terms of Service. There's no vetting of the person applying for the API key, or of any applications they write.

After my previous experience of fighting with Facebook to get my account closed I'm not in the least bit surprised at their cavalier attitude to Facebook application security. I'm also doubtful that they have the resources necessary to vet 12,000+ applications even if they wanted to, and even if they did there's nothing to stop someone registering a benign version of the application and then activating the malign part after the application has been accepted.

I wonder if there's a need for an application that shows people just how much information they are agreeing to hand over when they install a Facebook application?

Wednesday December 26, 2007

How to leave Facebook - followup 3

On the 14th December the UK Information Commissioner's Office set me an update on my complaint about Facebook's refusal to remove your data when you try to close your account. Here's what the ICO said:

So the ICO clearly believe that Facebook don't comply with the Data Protection Act, and they want Facebook to have a reasonable policy for allowing account closures, rather than forcing people to have to fight to get their accounts closed on a case-by-case basis, as I had to do. Hopefully the process of closing your Facebook account will become much easier in the not-too-distant future.

Wednesday December 05, 2007

OpenSolaris jobs in Manchester

We've just posted two job adverts for people to come and work on the web infrastructure that runs opensolaris.org These are both based in Manchester, UK, working from Sun's office. If you are interested, please submit a CV here or here. Both roles are identical, so it doesn't matter which link you use :-)

Here Comes Another Bubble

Someone posted this one one of the internal Sun email aliases. As someone who's 'virtual place of work' is the Bay Area, I found this absolutely hilarious!

Friday November 30, 2007

Facebook privacy roundup

Steven Mansour has written a nice roundup of various articles and blog entries about Facebook's stance on privacy. What is interesting to me is not so much the concentration on Facebook, it is that there seems to be a growing awareness of the importance and breadth of privacy issues amongst the general public, at least in the UK. Although I'm sure in the UK the cause of that interest is mainly because of our hapless government rather than Facebook, it is heartening to see people starting to think about the issues around online identity and data privacy.

Thursday November 29, 2007

A whiff of Garlik

Ages ago I signed up for a free trial of an "online identity protection" service provided by Garlik. They have an impressive list of managers and advisors , including the founders of online bank Egg, a CS professor at a UK university, and Tim Berners-Lee - whoever he is ;-)

Their website describes their service as follows:

I haven't used it very much, so I thought I'd close my account. I couldn't find any obvious way of doing this, but what I did find in their 'Help' pages is this:

Which looks to me like it is in breach of UK Data Protection law - something I am mildly clued up on after my recent clash with Facebook. And it is all the more ironic that Garlik claim they are going to help you protect your online data.

Update

I emailed Garlik to point out the discrepancy between the above and the following statement in their Privacy policy:

I've just got the following reply from them:

A quick, reasonable and totally satisfactory response, and a complete contrast to the attitude of Facebook. Well done Garlik!

Tuesday November 27, 2007

The Government of Wonderland - followup

Following on from my previous rant about the UK government "misplacing" the personal data of 25 million of the UK's citizens, it seems that I'm not alone in my dismay about their proposed "solution" - the National ID Card scheme. A group of six respected academics have written to a Parliamentary committee expressing their disquiet about the proposals:

The story has been picked up by both The Register and that bastion of liberal thinking (!) The Daily Mail.

Thursday November 22, 2007

The Government of Wonderland

Unless you've been living under a rock for the last few days, you must have heard that the UK Government has managed to lose the personal details of 25 million people. I've just been listening to Newsnight, and Jeremy Paxman was interviewing the hapless minister who was wheeled in to put his head under Paxo's axe. One of the questions asked was "Does this mean the end of the plans for a UK National Identity Card System?". The answer literally made my jaw drop. "No, because if we had everyone's biometric data, it would be much safer". WHAT??!! Unlike bank details, biometrics can't be changed - a point that was actually made by one of the other interviewees prior to the minister's imbecilic comments. How on earth would increasing the amount of sensitive (and in the case of biometrics, irreplaceable) data they collect make it "safer"?

The fact that the people responsible for losing the data actually believe that this tale of mind-boggling incompetence can actually be used to JUSTIFY collecting more of it is utterly, utterly astounding. It is quite frankly terrifying that a group of people who have decided they are going to force us to register on a National ID Database are so completely clueless about both the technology, its implications and the potential abuses of the data they are insisting we give them.

I think as a result of this cock-up of all cock-ups, the storm of protest against ID Cards is going to make the Poll Tax unrest of the 1990s look like a vicarage tea party.

Tuesday November 20, 2007

How to leave Facebook - followup 2

See here and here for the backstory to this post.

I've had a reply from the UK Information Commissioner's Office saying that they are looking at my complaint, so things are moving there too. It also seems that I've sparked some interest in this topic, and it has been picked up by a couple of other sites:

• Valleywag
• The Register

Monday November 19, 2007

How to leave Facebook - followup 1

The electrons were barely dry on my last post when I received an email from TRUSTe about the problems I'd had getting Facebook to close my account; the interesting bit is below:

So my advice to you if you are having problems getting Facebook to close your account is to submit a complaint to TRUSTe.

How to leave Facebook

As I documented in my last post, it isn't actually possible to leave Facebook, all you can do is 'deactivate' your account. I got in touch with Facebook and asked them to delete my account, and here is the reply I got from them:

I wrote back to Facebook, saying that their response was unacceptable. I noted that their Privacy Policy page says that they are a licensee of the TRUSTe organisation, and that as such they are supposed to give users "choice and consent over how their information is used and shared". I also pointed out that as they are now registered in the UK, they are probably also subject to UK data protection legislation. Finally, I pointed out that Facebook had also been mentioned in a Channel 4 news report about identity theft, and that the media were obviously interested in Facebook's stance on data privacy and protection. I explained that if Facebook wasn't prepared to close my account I was prepared to take up the issue with the three avenues open to me, the TRUSTe complaints process, the UK Information Commissioner's Office (ICO) and the UK press.

In return I got exactly the same response as the one above. I wrote back to Facebook yet again, repeating that that their response was unacceptable, and that I was therefore going to take the three courses of action I outlined above. I registered complaints at both TRUSTe, the ICO and I also emailed Channel 4 News, explaining my story.

Last week Channel 4 came to interview me, and the item went out on Channel 4 News on Saturday 17th November. A video of the item can be found on the Channel 4 website. There's also details of the response from Facebook to C4's questions about their policy and process for account closures. Once the item had aired, I wrote again to Facebook, explaining that their response was still unacceptable, and that I'd taken the three options I'd identified in my earlier mail. Here's an excerpt from my mail to Facebook:

As well as sending my mail to the Facebook support person I had been dealing with, I also sent it to Chris Kelly, Facebook's Chief Privacy Officer, and Mark Zuckerberg, the Facebook CEO. Neither mail bounced, so I must have guessed their email addresses correctly. Earlier on today I received the following response from Facebook:

Hurrah! Although to be honest, this raises almost as many questions as it answers. If Facebook has the ability to delete accounts so easily, why don't they make it available to users? In their written response to C4 they say that "Facebook does not use any information from deactivated accounts for advertising purposes." If that is the case, why do they retain the information at all? And although they aren't using it for "advertising purposes", are they making other use of it, and if so, what?

I'm still waiting for responses from either TRUSTe or the ICO, I'll be sure to blog about them when I receive them. In the meantime, if you want to get Facebook to delete your account entirely, you can always try mailing them, quoting the clear precedent they have set by closing my account. I really can't understand why Facebook make the whole process so difficult, they are an extremely popular service and the amount of work involved in closing accounts properly is tiny in comparison to the volume of activity the site sees.