[image]

This double DVD set provides nearly five and a half hours of the band's live performance at London's Royal Albert Hall in January 1970, New York's Madison Square Garden in July 1973, London's Earl's Court in May 1975, and England's Knebworth Festival in August 1979. And it's all remastered in Dolby Digital 5.1 Surround and DTS :). Tracklisting:

Disc One:                              Disc Two:
 1. We're Gonna Groove                 1. Immigrant Song
 2. I Can't Quit You Baby              2. Black Dog
 3. Dazed And Confused                 3. Misty Mountain Hop
 4. White Summer                       4. Since I've Been Loving You
 5. What Is And What Should Never Be   5. The Ocean
 6. How Many More Times                6. Going To California
 7. Moby Dick                          7. That's The Way
 8. Whole Lotta Love                   8. Bron-Y-Aur Stomp
 9. Communication Breakdown            9. In My Time Of Dying
10. C'mon Everybody                   10. Trampled Underfoot
11. Something Else                    11. Stairway To Heaven
12. Bring It On Home                  12. Rock And Roll
                                      13. Nobody's Fault But Mine
                                      14. Sick Again
                                      15. Achilles Last Stand
                                      16. In The Evening
                                      17. Kashmir
                                      18. Whole Lotta Love

Have you ever wondered how Google tracks your search result clicks? The technique behind is relatively simple, each link is attached to the mousedown event, currently handled by the rws function. So your search result links look completely normal until you press down the mouse button on them. Google rewrites the URL and redirects through its own website so they are able to track your choices. For instance, search for Google OS returned http://www.osnews.com/story.php?news_id=10096 at the third position, but after the rewrite it became:

http://www.google.com/url?sa=t&ct=res&cd=3&url=http://www.osnews.com/story.php?news_id=10096...

I like this elegant solution which is necessary for the Search History and besides it helps Google to better rank the search results.

Netvibes is dangerous

Netvibes is a nice and well designed start page, better than Google's Personal Page and Microsoft's Windows Live. It can be a good application for one who doesn't read more than ten feeds (otherwise a real feed reader is a must-have). In addition to feed reading, they provide some interesting add-ons, like web notes, price watch, To Do list, and mail reading...

Yes, they provide a module for reading a Gmail, Yahoo! Mail, or any other POP3/IMAP4 account. And I find it to be a great danger for anyone who uses it, especially including those hundreds of unaware users.

There are two major issues about it. First of all, in order to use the mail reading module, one must provide login and password. No service should ask one for private passwords to other services. In case of Netvibes, they ask for such a password and do not explicitly state nor describe the further authentication and authorization process. The main problem here is that, at the time of this writing, they only use insecure HTTP protocol instead of encrypted HTTPS!! This means that your mail login and password are being sent over an unencrypted channel between your and Netvibes machine. The simplest solution for this is to just enable HTTPS, but instead they wrote the following in their Terms of service:

  • Your use of the Service is at your sole risk. The service is provided on an "as is" and "as available" basis.

    Oh, they just forgot to emphasize "your sole risk" ;).

  • You understand that the technical processing and transmission of the Service, including your Content, may be transfered unencrypted and involve (a) transmissions over various networks; and (b) changes to conform and adapt to technical requirements of connecting networks or devices.

    Nope and sorry, but I don't understand why do you send people's passwords over unencrypted channels.

Here is a sample transmission, dumped using Firefox Live HTTP Headers (emphasized text shows the danger):

http://www.netvibes.com/securePassProxy.php

POST /securePassProxy.php HTTP/1.1
Host: www.netvibes.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9, text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.8,pl;q=0.5,uk;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Cookie: ---CENSORED PRIVATE DATA---
Pragma: no-cache
Cache-Control: no-cache
url=https%3A//MyLogin%3AMyPassword@mail.google.com/mail/feed/atom

HTTP/1.x 200 OK
Date: Wed, 04 Jan 2006 20:55:32 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/xml

Secondly, I just don't trust and don't use a service which asks me for my private passwords. Besides the technical danger already explained above, there is a question do they or how they store people's passwords on their machines. This is a proprietary application, thus we don't know their server-side code, but even if we knew, it just wouldn't make much difference. At the time of writing this post, their Privacy Policy says: Netvibes will never sell, rent or share your personal information, especially your e-mail addresses, with any third parties for marketing purposes without your express permission.

Good, they emphasized especially your e-mail addresses , but no explicitly stated about mail logins and passwords. I personally find it more important than the problem of giving my e-mail address to a spammer. Spam is easy to ignore, but what about logging into people's accounts? They already have a nice collection of logins and passwords and almost all mail services do not state the last login time/IP address. So it's fairly easy to read people's mail ;). You can also imagine what could happen if somebody cracked into their machines...

Okay, perhaps I'm just exaggerating the problem and I really, really want to believe that it is not their intention to do such malicious things. I'm sure they just wanted to make people's life easier, but they simply forgot that the risk is *very* high.

Besides these serious flaws, Netvibes is still an interesting service -- just do not use its mail reading modules! :-)

W3C has formed the Web APIs Working Group, as a part of the Rich Web Client Activity for client-side Web Application development. Some interesting to me deliverables are the following:

  • An API specification for HTTP functionality.

    This generally means standardizing and hopefully improving the XMLHttpRequest interface. The current interface is very limited, imperfect, and yet not widely implemented.

  • An API specification for persistent storage on the client.

    Cookie is an opaque piece of data held by an intermediary. Cookies are small, maximum 4kB od data per cookie including an opaque string. So of course, retrieving and caching data for rich web clients is currently very difficult and limited. This way it is also impossible for a Web application to work offline. This has to be changed.

  • An API specification for drag and drop.

    Rich web clients must provide robust, interactive user interfaces. Drag and drop is a common mechanism used on desktops everywhere. Implementing it in Web application is nowadays tricky and requires a master knowledge of JavaScript, DOM, and CSS.

Other interesting areas:

  • An API specification for a client interface (the Window object).
  • The DOM Level 3 Events specification (in coordination with a future DOM IG/WG).
  • An API specification for timed events.
  • API specifications for other network communication methods.
  • The DOM Level 3 XPath specification (in coordination with the DOM IG/WG).
  • An API specification for monitoring the progress of resources as they are downloaded.
  • An API specification for file upload.
[image]

Better late than never, tonight I saw Wu Jian Dao at the local movie theater and I think this movie is a masterpiece. This psychological thriller tells the story about a mole in the police and an undercover cop in Triads. Both working this way for a period of years. After a while, it becomes obvious to both sides that the mole is between them. The deadly game begins, where each man has to eliminate the other. There is no martial arts in this movie, instead we study the complex characters and difficult choices they face -- each is haunted by his past and confused about his own identity. This movie has an excellent plot, it's filmed well with good acting by Tony Leung and Andy Lau. I highly recommend it. 10/10.

Photo Gallery

New keyboard shortcuts depending on context: n -- next photo, p -- previous photo, u -- up one level, t -- top (gallery index). Happy browsing.

[photo]

...

Fun with new hardware, no fun with recent linux kernels

After buying new hardware, I of course decided to start using it immediately. First of all, I repartitioned the disk and installed Fedora Core 4. The installation process went smoothly, except that the 915GM Express chipset was not fully detected by X11R6.8.2. By default, only VESA video was available, so using for instance MPlayer was a pain. Fortunately, this chipset is backward compatible and choosing i810 is the solution. There is also no problem with 1280x800 display. Next, I configured all my daily programs and copied all stuff from the old disk (by using CD-R and 256MB USB flash drive). After successful FC4 installation, I upgraded several packages, including the Linux kernel from 2.6.11 to 2.6.12 (and a few days later to 2.6.13). And then the disk performance decreased drastically. This is quite interesting because with 2.6.12 my hard drive is being seen as a SCSI device (/dev/sda) and with 2.6.13 as /dev/hda. This slight difference wouldn't matter if in the latter case my buffered disk read was not 2 MB/sec! With 2.6.12 the result is ~30 MB/sec. I'm not sure, but I think this should be a little bit more. dmesg shows:

Linux 2.6.12:

Uniform Multi-Platform E-IDE driver Revision: 7.00alpha2
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
ide0: I/O resource 0x1F0-0x1F7 not free.
ide0: ports already in use, skipping probe
Probing IDE interface ide1...
hdc: MATSHITADVD-RAM UJ-831S, ATAPI CD/DVD-ROM drive
ide1 at 0x170-0x177,0x376 on irq 15
hdc: ATAPI 24X DVD-ROM DVD-R-RAM CD-R/RW drive, 2048kB Cache
Uniform CD-ROM driver Revision: 3.20
SCSI subsystem initialized
libata version 1.11 loaded.
ata_piix version 1.03
ata: 0x170 IDE port busy
ata1: SATA max UDMA/133 cmd 0x1F0 ctl 0x3F6 bmdma 0x18B0 irq 14
ata1: dev 0 cfg 49:0f00 82:746b 83:7fe9 84:6023 85:f469 86:3c49 87:6023 88:203f
ata1: dev 0 ATA, max UDMA/100, 117210240 sectors: lba48
ata1: dev 0 configured for UDMA/100
scsi0 : ata_piix
Vendor: ATA Model: HTS541060G9AT00 Rev: MB3W
Type: Direct-Access ANSI SCSI revision: 05
SCSI device sda: 117210240 512-byte hdwr sectors (60012 MB)
SCSI device sda: drive cache: write back
SCSI device sda: 117210240 512-byte hdwr sectors (60012 MB)
SCSI device sda: drive cache: write back
sda: sda1 sda2 sda3 sda4 < sda5 >
Attached scsi disk sda at scsi0, channel 0, id 0, lun 0

Linux 2.6.13:

Uniform Multi-Platform E-IDE driver Revision: 7.00alpha2
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
Probing IDE interface ide0...
hda: HTS541060G9AT00, ATA DISK drive
Probing IDE interface ide1...
hdc: MATSHITADVD-RAM UJ-831S, ATAPI CD/DVD-ROM drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
ide1 at 0x170-0x177,0x376 on irq 15
hda: max request size: 1024KiB
hda: 117210240 sectors (60011 MB) w/7539KiB Cache, CHS=16383/255/63
hda: cache flushes supported
hda: hda1 hda2 hda3 hda4 < hda5 >
hdc: ATAPI 24X DVD-ROM DVD-R-RAM CD-R/RW drive, 2048kB Cache
Uniform CD-ROM driver Revision: 3.20
SCSI subsystem initialized
libata version 1.12 loaded.
ata_piix version 1.04
ata: 0x1f0 IDE port busy
ata: 0x170 IDE port busy
ata_piix: probe of 0000:00:1f.2 failed with error -16

weird...

Obviously, I had no doubt to not use 2.6.13 or any later until this is fixed. The rest seems to be okay. USB 2.0 works very nice with my camera and flash drive, also an Intel PRO/Wireless 2200BG has been successfully detected (with the firmware from ipw2200). I haven't used it in practice, but NetworkManager Applet is able to detect some local private wireless networks, so I guess it's okay. Uhm, and I don't see where or how can I suspend-to-disk or suspend-to-RAM my system. I look forward to seeing this features.

...

[photo]

...

Today's interesting read: When to Leave That First Tech Job.

Part V

Tai Vo's China Photo Gallery, Randurian' HK Roads Photo Gallery, Jimmy Koo's Hong Kong Photo Gallery, Tom Jackson's Hong Kong 70s & 80s Photo Gallery, Ross' Hong Kong Photo Gallery, gchong2426's China 2004 Photo Gallery, Howard Sheard's Hong Kong Photo Gallery, William Bina's China Photo Gallery, Ted Ch's Hong Kong Photo Gallery, Eddie Cheung's Photo Gallery, hclphoto's Central, Hong Kong Photo Gallery, Jongky Kurniawan's Guilin - Yangshuo Photo Gallery.