Why the BBC should stick to TV programming

Windows PCs come in for a lot of critism about reliability but most of that is unfounded. You see, it’s not that Windows is particularly bad, but it’s actually down to the sheer number of permutations of hardware and software that are available and quality of the applications that we load on top of Windows (or inside Windows in the case of device drivers).

My wife’s PC is an old Compaq Deskpro EN6350 SFF that I gave her when she set up her public relations consultancy business a few years back. I originally installed Windows 2000 Professional on it before I moved to Australia in 2001. When I returned to the UK the next year I upgraded it to Windows XP, and since then I’ve applied software patches, anti-virus and anti-spyware updates and added a Wireless network adapter. That’s it. And although it’s a bit on the slow side now, it’s fine for Internet access, e-mail and a bit of word processing – which covers 99% of what my wife does with the PC. My point is, that after 5 or 6 years I haven’t had to rebuild Windows, clean out the registry, or do anything else with it, and it generally only needs a reboot when a software update requires that the system is restarted. I have similarly reliable PCs of my own – basically well maintained, with nothing that’s likely to upset system stability – and it all works very nicely.

The trouble is that now I’m entering the world of cheap software packages for consumer use (you know the sort of thing – the CD/DVD that’s free with the Sunday newspaper or found for a fiver or less in the bargain bin at PC World) and having written about my experiences of installing childrens’ software last weekend, I then experienced the other extreme of educational software – a little package called “Noddy – Let’s Get Ready for School“.

Noddy - Let's Get Ready for School

It didn’t start off well as running the application installer initially produced a really unhelpful dialog with a red stop icon and an OK button (no title or error message), so I tried again as Administrator and the InstallShield installer ran as expected. Once installed, I launched the application to find that a) it wasn’t really installed at all (the CD was still required throughout and the installer appears to have just created a few icons) and b) the program reset the screen to 640×480 mode before crashing.

I checked the specifications on the box: Pentium processor at 90MHz or better (I was using a 1.4GHz Pentium 4 M); 16-bit colour (I was using 32-bit color) and Windows 95 or 98 (I was using XP – Windows 9x operating systems are now unsupported so I would hope that vendors would stop selling appllications that rely on them, even if they do cost only a few pounds).

Running the application in Windows XP’s Windows 95 compatibility mode solved the crash issue but even so, it still insisted on me downgrading the graphics to 16 or 24-bit colour. After running successfully as Administrator, I logged out and logged back on with my son’s (unprivileged) account to find that running the application produced the following error message:

Director Player 6.0

Unable to copy the driver file C:\WINDOWS\xobglu16.dll to your Windows directory.

Your disk may be full.

The disk was far from full, but writing to the system root folder would be subject to NTFS access permissions. Indeed, using RunAs to elevate my permissions let me run the application with no apparant issues (except that I don’t want a toddler to have to enter a password to run a game), so I tried to copy the xobglu16.dll file myself (the file doesn’t appear on the CD, but is present in %systemroot% whilst running the application using an account with the necessary privileges – e.g. Administrator – along with a similarly-named xobglu32.dll). It seems crazy that a program would copy DLLs to %systemroot% each time it is run but, nevertheless, that seems to be the case; however if I copy them myself it crashes.

In the end I resorted to making my son’s account a power user on the machine (running a sandboxed Windows 98 installation in a virtual machine would have been another option, but less user friendly). Still, at least I didn’t have to make him an administrator.

In fairness, I should have been ready for this, having spent many hours trying to get various items of software aimed at little people to run successfully on my friends’ PCs but I did think the fact that this particular package was produced by BBC Multimedia would be a good thing. Clearly I was wrong and the BBC should stick to television programming (maybe it’s no coincidence that BBC Multimedia no longer publishes computer and video games).

Sharing disks between Mac OS X and Windows

I wrote a couple of months back about the Toshiba PX1223E-1G32 320GB external hard disk that I bought (and which I’ve been very pleased with). Well, nowadays the aluminium case makes it a perfect companion for my Mac Mini and my Fujitsu-Siemens S20-1W widescreen monitor.

The trouble is that, in common with most external hard disks, the drive comes pre-formatted for the NT file system (NTFS), used by all modern versions of Windows. NTFS is a great file system – but it is also Windows-specific, at least from a read/write perspective (Linux and MacOS X systems can only read NTFS-formatted partitions). So, to use the disk with a Mac requires a reformat – either using one of the Macintosh file systems, such as HFS+/MacOS Extended (Journalled), the Unix file system (UFS – but not ext3), or FAT32 (MS-DOS file system). Of these choices, only FAT32 is universally accepted by Windows, Mac OS X and Linux systems but it does have some pretty serious limitations, as I soon found.

Firstly, although FAT32 supports file systems up to 2TB in size, the format utilities within Windows support a maximum partition size of 32GB; however by formatting the drive using another operating system or third-party tools, this limit can be overcome and Windows is able to read or write larger volumes. Secondly, and more significantly, FAT32 only supports files up to 4GB in size. That doesn’t sound like an issue until you start copying .ISO DVD images and digital video files around. Pretty soon it became apparent that FAT32 was not the answer.

The solution was using a software product called Mediafour MacDrive, which I found from the Wikipedia article on HFS+ and which has turned out to be really useful. Ironically, I didn’t need to use a licensed version to transfer my data from a PC to the Mac, as Mediafour make a trial version available for download which is valid for 5 days after installation. Having used that as my demonstration of how useful this software is, I decided to buy a copy (proving that users will buy genuinely good software, even if they can get by for free) – at $49.95 it’s reasonably priced (especially with the current dollar exchange rate and as Mediafour offered me a 24% discount if I purchased within 24 hours of requesting the trial version) and when I finally get around to dual-booting Windows on my Mac it will be invaluable. Sadly, the current version of MacDrive doesn’t work on Windows Vista, so I will need to upgrade one day in the future, but for now it’s a great way to share files between Windows and Mac OS X.

Unable to edit group membership for a Windows XP user

Earlier this evening, I was creating a local user on a Windows XP computer using Local Users and Groups from the Computer Management MMC snap-in (compmgmt.msc). Strangely, clicking on the Member Of tab produced the following error:

Local Users and Groups

The following error occurred while attempting to read the properties for the user accountname:

The Server service is not started.

I’ve seen this before and this time I thought I should did a little deeper. Running net start server from a command prompt returns:

The service name is invalid

I quickly found a workaround – instead of editing the user properties to make them a member of a group, edit the group properties to add the user as a member. Quite why it works this way around but not the other is a mystery to me!

Running childrens’ games using IIS on Windows XP

My son is fascinated with computers. It could be because every time he sees his Daddy I’m using one… or it could be just a sign of the times. Either way, we’re fast approaching the age when I need to set the little fella up with some IT of his own (he’s no longer interested in the old keyboard I gave him last year as he’s worked out that it doesn’t do anything on a screen).

Miffy Plays with NumbersMiffy's World of Colour and Shapes

On a recent trip to PC World, I spotted some educational games for just £4.99 each, so “Miffy Plays with Numbers” and “Miffy’s World of Colour and Shapes” joined my software collection. This weekend, I found some time to rebuild an old laptop and install the games in readiness for use (they are marked as suitable for ages 2 to 5, although I think 2 might be pushing things a little). It shouldn’t really be a case of installing (the games in question appear to be a bunch of Shockwave files which run directly from the CD) but anyone with young children will know that optical media and toddlers don’t go very well together and so I’d like to run the applications from the hard disk.

Working out which files to copy wasn’t too difficult (in any case, copying the entire CD contents would be fine), but Internet Explorer wasn’t happy with the use of active content (requiring Information Bar interaction) and I couldn’t add a local file URL to the trusted sites list.

The answer was quite simple – Windows XP includes Internet Information Services (IIS), so I set the PC up as a web server and served the content from there. After installing the necessary IIS components (just select the world wide web service and the other necessary components will be selected automatically), I copied the game files to a new folder inside wwwroot. The next step was to create a new virtual directory (e.g. miffy-numbers) on the default web site and to follow the wizard, pointing it at my local copy of the files and accepting the defaults. Finally, I allowed access to the virtual directory (properties, directory security, edit anonymous access and authentication control) using integrated Windows authentication and added index2.htm to the list of documents (properties, documents), avoiding the need to accept the license agreement every time the program is run.

Now I can run the programs from http://localhost/virtualdirectory/ (e.g. http://localhost/miffy-numbers/) and have set up a couple of shortcuts on the desktop for my small person to launch them. The only downside is the recent Microsoft update that requires a control to be clicked to be activated before it will run (that is all down to a Windows XP update to circumvent a dodgy patent ruling against Microsoft and should be possible to resolve by removing the update that relates to Microsoft knowledge base article 912945).

Creating Windows file system shares remotely

Yesterday, one of my colleagues came to me with a problem to solve. He wanted a user to be able to create a share remotely (i.e. without logging onto the server console physically or via terminal services). I suggested allowing the user access to a shared folder at a higher level in the directory structure and then, after they had connected to that share, they could create a new subfolder and share it out. Unfortunately, my colleague returned later to say that Windows doesn’t allow sharing of folders when connected via a share so he had to find another way around the issue – he found two possible answers:

Even though rmtshare.exe dates back to the days of Windows NT 4.0, I was able to use it to create a share (and delete it again) on a Windows Server 2003 server from a Windows Vista client (although I did have to elevate my permissions before it ran successfully).

Blog spam

I like to receive comments on this blog – it’s always good to hear when my ramblings have helped someone out, or if someone has something else to add to something that I’ve written about – but I hate blog spam.

A few months back, someone left a comment on a post pointing to his own website (and then got upset when the Google index appeared to quote him out of context). I felt sorry for him (and the irony is that any links in comments here are tagged with rel=”nofollow” so they don’t increase PageRank and other search engine placement link counts).

This evening, I’ve spent quite a bit of time removing comments from posts that were just blatant links to suspicious websites, so, it’s with regret that I’ve had to enable comment moderation. I won’t screen comments (except to remove the obvious spam) but please bear with me if it takes a while for a comment to appear on the site – sometimes it might take a couple of days for me to approve a comment whilst other times it might be a few minutes. I still allow anonymous comments and I haven’t yet resorted to word verification – let’s hope I don’t have to, but please bear with me.

Whilst on the subject of spam, to all the people of the world who send e-mail because they think I need medication to help with (erhum) “personal problems”, I have a young son and another baby on the way so don’t think there are any issues there. Also, I don’t need cheap software, loans, or advice on hot stocks. All you’re doing is giving me some messages against which to test the intelligent message filter in Exchange Server 2003 (more on that soon).

Grrr.

New tools from Quest for Exchange Server 2007

Exchange Server 2007 has the potential to shake up messaging but there is no direct upgrade path for those organisations still running Exchange Server 5.5 (and there are a surprisingly high number of these). All is not lost though as, earlier today, I heard Joe Baguley, Global Product Director for Quest Software, give a presentation of the various tools that they now have on offer (the list is impressive) and, interestingly, Quest plan to have Exchange Server 5.5-2007 migration tools available when Exchange Server 2007 is released, as well as tools for migrating Exchange public folders to SharePoint.

Why RAID alone is not the answer for backups

I recently came across Gina Trapani’s article on the importance of backing up (the comments are worth a read too). I hear what she’s saying – a couple of years ago I very nearly lost a lot of data when a hard disk died and today I have far more important stuff on disk (like all of my recent photography – including irreplaceable pictures of my son – a digitised music collection and years’ worth of accumulated information), all spread across nearly a terabyte of separate devices.

As we place more and more emphasis on our digital lifestyle, the amount of data stored will continue to grow and that creates a problem, especially for home and small business users.

Optical media degrades over time and since the hard disk I bought for backups is now in daily use with my new Macintosh computer, I need to implement a decent backup regime. As disk sizes increase, a single disk seems like putting all my eggs in one basket, but I also hear people talking about how RAID is the answer.

No it’s not.

The most common RAID levels in use are 0 (striping), 1 (mirroring) and 5 (striped set with parity). RAID 0 does not provide any fault tolerance, RAID 5 needs at least 3 disks – too much for most home and home office setups – that leaves just RAID 1. Mirrors sometimes fail and when they do, they can take all of the data with them. Then there’s the additional issue of accidental damage (fire, flood, etc.). What’s really required (in a home scenario), is two or more removable hard disks, combined with use of a utility such as rsync (Unix) or SyncToy (Windows) to automate frequent backups, with one of the disks kept off site (e.g. with a family member) and frequent disk rotation.

In an enterprise environment I wouldn’t consider implementing a server without some form of RAID (and other redundant technologies) installed; however I’d also have a comprehensive backup strategy. For homes and small businesses RAID is not the answer – what’s really required is a means of easily ensuring that data is secured so that if a disaster should occur, then those precious files will not be lost forever.

Migrating an iTunes music library between PCs

Until recently, I’ve been running iTunes on a Windows XP PC but I’m in the process of migrating to a Mac OS X system. Whilst most data transfers have been straightforward, I found that, after moving the files to a disk that could be accessed by both the Mac and a PC (i.e. a FAT32-formatted external hard disk), getting iTunes to recognise my library was challenging. I’m sure it’s quite a common scenario so I thought I’d post what I did here so that it can be of use to others.

Whilst my scenario involved moving from iTunes 6.0.4 on a PC to 6.0.5 on a Mac, the principle is the same for moving iTunes music libraries between any two PCs (Mac OS X or Windows).

Apple’s advice for moving your iTunes Music folder is okay for moving files on the same system but their advice for switchers to transfer their iTunes Music Library files from PC to Mac just didn’t work for me (well, it works, sort of, but simply importing the music files into iTunes will lose playlists, history, ratings, etc. and importing the music library file itself will retrieve those items but won’t find the music files because they have moved location). I need to keep the selections because that’s how I determine what will be synchronised with my iPod – quite simply my 47GB music collection will not fit on a 4GB iPod Mini!

Luckily, the extensive article on moving iTunes libraries whilst preserving library data at the HiFi Blog gave me all the necessary steps (although they focus on libraries where iTunes is not used to organise the music – I let iTunes handle that for me). After setting iTunes preferences to point to a folder on my external hard disk (on the Advanced page, under General), I quit iTunes and edited the iTunes Music Library.xml and iTunes Library files that reside in Macintosh HD/Users/username/Music/iTunes/ (even though the music files are on the external hard disk, iTunes keeps its database files in the main user data location), removing all binary data from the iTunes Library file to leave a 0KB length file and replacing all instances of the original library location in iTunes Music Library.xml with the new library location (for me this was from file://localhost/C:Documents%20and%20Settings/Mark/My%20Documents/My%20Music/iTunes/iTunes%20Music/ to file://localhost/Volumes/EXTERNAL%20HD/Music/iTunes/iTunes%20Music/). I found the easiest way to edit the files was on the PC (using WordPad – depending on the size of the music library, NotePad may not cope with the file sizes involved). It’s also worth noting that on a PC, the iTunes Library file has a .ITL extension.

After making sure that the edited files were back in the Macintosh HD/Users/username/Music/iTunes folder and starting iTunes, I was greeted with an Importing iTunes Music Library.xml message before:

Organizing Files

The file “iTunes Library” does not appear to be a valid music library file. iTunes has attempted to recover your music library and has renamed this file to “iTunes Library (Damaged)”.

Actually that message is incorrect. On my system, there is no iTunes Library (Damaged) file but there is a Previous iTunes Libraries folder, which contains a file called iTunes Library 2006-7-12.

iTunes then continued to analyse and determine the song volume for 2344 of the 6766 items in my music library (I’m not sure what this actually means and it seems strange that it was not for the entire music collection) after which it was available for use as normal (almost) with all my tracks, playlists, selections, date last played, etc. I said almost normal because there are a couple of additional playlists (Podcasts and Videos) and the Podcast subscriptions don’t get migrated but that’s easy to fix. Again, it was the HiFi Blog article that helped me out – browse the library to view all music files with a genre of Podcast and drag them onto the Podcasts heading in the source column before clicking on resubscribe for each Podcast to enable new downloads (the existing downloads should all still be available).

The next step was to hook up my iPod which synchronised normally (I vaguely remember selecting that it was connected to a Windows PC the first time I set it up and expected to have to do some reconfiguration for the Mac but it seems that was not required). The only exception was for my purchased music, for which I received the following message:

Some of the songs in the iTunes music library, including the song “songname“, were not copied to the iPod “ipodname” because you are not authorised to play them on this computer.

I found this strange because I’d already accessed the iTunes Music store from iTunes using my Apple ID, and although there was a “Deauthorize Computer…” option on the Advanced menu, I couldn’t see an equivalent option to authorise it (so I naturally assumed it was already authorised). Attempting to access my purchased music in Front Row gave a better clue:

This computer is not authorized to play the selected song.

To authorize your computer, select the song in iTunes and enter the account name and password used to purchase the song from the iTunes Music Store.”

Sure enough, this did the trick, advising me that I had 2 out of a maximum of 5 computers authorised for my music and then allowing me to both play the purchased songs and synchronise them with my iPod.

After running with iTunes on my Mac for a few days now, everything seems to be working okay. The only remaining step is to deauthorise the original Windows XP PC from where I copied my music.

Microsoft’s digital identity metasystem

After months of hearing about Windows Vista eye candy (and hardly scraping the surface with anything of real substance with regards to the operating system platform), there seems to be a lot of talk about digital identity at Microsoft right now. A couple of weeks back I was at the Microsoft UK Security Summit, where I saw Kim Cameron (Microsoft’s Chief Architect for identity and access) give a presentation on CardSpace (formerly codenamed “InfoCard”) – a new identity metasystem contained within the Microsoft .NET Framework v3.0 (expected to be shipped with Windows Vista but also available for XP). Then, a couple of days ago, my copy of the July 2006 TechNet magazine arrived, themed around managing identity.

This is not the first time Microsoft has attempted to produce a digital identity management system. A few years back, Microsoft Passport was launched as a web service for identity management. But Passport didn’t work out (Kim Cameron refers to it as the world’s largest identity failure). The system works – 300 million people use it for accessing Microsoft services such as Hotmail and MSN Messenger, generating a billion logons each day – but people don’t want to have Microsoft controlling access to other Internet services (eBay used Passport for a while but dropped it in favour of their own access system).

Digital identity is, quite simply, a set of claims made about a subject (e.g. “My name is Mark Wilson”, “I work as a Senior Customer Solution Architect for Fujitsu Services”, “I live in the UK”, “my website is at http://www.markwilson.co.uk/”). Each of these claims may need to be verified before they are acted upon (e.g. a party to whom I am asserting my identity might like to check that I do indeed work where I say I do by contacting Fujitsu Services). We each have many identities for many uses that are required for transactions both in the real world and online. Indeed, all modern access technology is based on the concept of a digital identity (e.g. Kerberos and PKI both claim that the subject has a key showing their identity).

Microsoft’s latest identity metasystem learns from Passport – and interestingly, feedback gained via Kim Cameron’s identity weblog has been a major inspiration for CardSpace. Through the site, the identity community has established seven laws of identity:

  1. User control and consent.
  2. Minimal disclosure for a defined use.
  3. Justifiable parties.
  4. Directional identity.
  5. Pluralism of operators and technologies.
  6. Human integration.
  7. Consistent experience across contexts.

Another area where CardSpace fundamentally differs from Passport is that Microsoft is not going it alone this time – CardSpace is based on WS-* web services and other operating system vendors (e.g. Apple and Red Hat) are also working on comparable (and compatible) solutions. Indeed, the open source identity selector (OSIS) consortium has been formed to address this technology and Microsoft provides technical assistance to OSIS.

The idea of an identity metasystem is to unify access and prevent applications from the complexities of managing identity, but in a manner which is loosely coupled (i.e. allowing for multiple operators, technologies and implementations). Many others have compared this to the way in which TCP/IP unified network access, which paved the way for the connected systems that we have today.

The key players in an identity metasystem are:

  • Identity providers (who issue identities).
  • Subjects (individuals and entities about which claims are made).
  • Relying parties (require identities).

Each relying party will decide whether or not to act upon a claim, depending on information from an identity provider. In the real world scenario, that might be analogous to arriving at a client’s office and saying “Hello, I’m Mark Wilson from Fujitsu Services. I’m here to visit your IT Manager”. The security/reception staff may take my word for it (in which case this is self-issued identity and I am both the subject and the provider) or they may ask for further confirmation, such as my driving license, company identity card, or a letter/fax/e-mail inviting me to visit.

In a digital scenario the system works in a similar manner. When I log on to my PC, I enter my username to claim that I am Mark Wilson but the system will not allow access until I also supply a password that only Mark Wilson should know and my claims have been verified by a trusted identity provider (in this case the Active Directory domain controller, which confirms that the username and password combination matches the one it has stored for Mark Wilson). My workstation (the relying party) then allows me access to applications and data stored on the system.

In many ways a username and password combination is a bad identity analogy – we have trained users to trust websites that ask them to enter a password. Imagine what would happens if I was to set up a phishing site that asks for a password. Even if the correct password is entered then the site would claim that it was incorrect. A typical user (and I am probably one of those) will then try other passwords – the phishing site now has an extensive list of passwords available which can then be used to access other systems pretending to be the user whose identity has been stolen. A website may be protected by many thousands miles of secure communications but as Kim Cameron put it, the last one metre of the connection is from the computer to the user’s head (hence identity law number 6 – human integration) – identity systems need to be designed in a way that is easy for users to make sense of, whilst remaining secure.

CardSpace does this by presenting the user with a selection of digital identity cards (similar to the plastic cards in our wallets) and highlighting only those that are suitable for the site. Only publicly available information is stored with the card (so that should hold phishers at bay – the information to be gained is useless to them) and because each card is tagged with an image (and only appropriate cards are highlighted for use), I know that I have selected the correct identity (why would I send my Government Gateway identity to a site that claims to be my online bank?). Digital identities can also be combined with other access controls such as smartcards. The card itself is just a user-friendly selection mechanism – the actual data transmitted is XML-based.

CardSpace runs in a protected subsystem (similar to the Windows login screen) – so when active there is no possibility of another application (e.g. malware) gaining access to the system or of screenscraping taking place. In addition, user interaction is required before releasing the identity information.

Once selected, services that require identities can convert the supplied token between formats using the WS-Trust service for encapsulating protocol and claims transformation. For negotiations, WS-MetadataExchange and WS-SecurityPolicy are used. This makes the Microsoft implementation fully interoperable with other identity selector implementations, with other relying party implementations and with other identity provider implementations.

Microsoft is presently building a number of components to its identity metasystem:

  • CardSpace identity selector (usable by any application, included within .NET Framework v3.0 and hardened against tampering and spoofing).
  • CardSpace simple self-issued identity provider (makes use of strong PKI so that the user does not disclose passwords to relying parties).
  • Active Directory managed identity provider (to plug corporate users in to the metasystem via a full set of policy controls to manage the use of simple identities and Active Directory identities).
  • Windows Communication Foundation (for building distributed applications and implementing relying party services.

Post-Windows Vista, we can expect the Windows Login to be replaced with an CardSpace-based system. In the meantime, to find out more about Microsoft’s new identity metasystem, check out Kim Cameron’s identity blog, The Windows CardSpace pages and David Chappell’s Introducing InfoCard article on MSDN, and the July 2006 issue of TechNet magazine.