Using USB 3.0 drives in VirtualBox, kinda

For much of the morning, I’d been battling with a Windows 7 Enterprise guest on a VirtualBox Mac. For some reason, Windows 7 gave this all too familiar warning when attaching an external USB notebook hard drive:

USB Device Not Recognized
One of the USB devices attached to your computer has malfunctioned, and Windows does not recognize it. For assistance in solving this problem, click this message.

So much changes, so much stays the same.

At first, I assumed it was because I’d forgotten to install the Oracle VM VirtualBox Extension Pack. Alas, installing this, enabling the USB 2.0 controller in the Ports screen, rebooting the VM into safe mode, and reinstalling the Additions didn’t fix it.

Turns out, I was using the USB 3.0 controller with VirtualBox, which is unsupported. The good news is TBFed (up?) offered a workaround on the issue’s bug report:

One of the comments in the thread made me think of my old 4-port USB connector. So I plugged IT in to the mac, and plugged the USB3 drive into IT — and voila, the VM sees it and can do whatever it wants to with it!

Unfortunately, I only had an unpowered USB 2.0 hub, which didn’t provide sufficient power to the drive, even when it was the sole device. If the point was to expose it as a USB 2.0 device though, would using a USB 2.0 micro connector work?

Sure enough, after doing this the Windows 7 guest could detect the drive, install drivers and mount as normal.

It’s curious that VirtualBox detects and allows USB 3.0 devices to be added to the USB filter, despite not supporting it.


Embeddable OpenStreetMaps



OpenStreetMap is among the most valuable and wonderful online collaborative projects. They were available in Singapore and Australia before Google Maps were, and have always had superior walking and bike trails. Apple uses it as a map data source, and in several of their applications.

I hadn’t noticed, but there’s an online render at OpenStreetMap.org. Better still, you can now embed them in your pages. As an example, enclosed is a map of Funan Centre (now the “DigitaLife Mall”, and once the “IT Mall”). Welcome to where I spent my entire childhood!


Fixing Fastmail calendars in iOS

Fastmail announced free calendars for most of their customers last year. I’ve hosted my own email, webdav and caldav servers long enough to not want to do either anymore, so this sounded great.

Problem was, their instructions for iOS never worked. I’d set my server as caldav.messagingengine.com, with my Fastmail username+domain and password, but it would result in the equivalent of 404 errors.

On a hunch today, I created a calendar entry in their web UI first. From days of self hosting, I know you need a calendar file to connect to. Sure enough, I can now access the calendar from iOS.

I’ll be in contact with the Fastmail folks about updating their support pages to reflect this.


Lenovo’s response to #Superfish

In response to the Superfish scandal, Lenovo has released a statement.

Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively [.]

It reads like that Orwellian Firefox post, where they proclaimed ads were a “Publisher Transformation with Users at the Center”. Lenovo didn’t inject ads, they provided exciting retail opportunities.

At least they acknowledge the response. Here’s where the marketing doublespeak gets into more dangerous territory.

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.

No evidence to substantiate security concerns? Do they really not know how SSL/TLS and public key crypto work? Either they genuinely don’t know, or they do know but don’t want to disclose. “Continue to review” also doesn’t instill much confidence; it leaves the door open for further shenanigans.

But for the sake of their users, this is the worst line.

Users are given a choice whether or not to use the product.

This statement wasn’t an apology. It was an obfuscated defence, with a little victim blaming, and a non-legally-binding assurance it won’t happen again.


The Lenovo #Superfish debacle

Whenever I get a new computer or phone, the first thing I do is reinstall the operating system from scratch. Even for Macs, you have no idea what could have been inserted in the factory by an errant worker or team. Back when I was a Windows user, it was a mandatory step to rid the machine of junkware.

Such actions won’t protect you when said errant worker is taking instructions from the top. Nor if the junkware, malware, rootkits or other associated fun persists on your restore disk, ready to be installed again.

Len-oh-no-vo

This latest brazen incident from Lenovo is a demonstration of the latter. Between October and December 2015, the company shipped laptops injected with a rogue trusted root certificate authority. This allowed adware to man–in–the–middle SSL/TLS website sessions, observe browsing habits, and send targeted advertising.

This is among the worst kind of security breaches, as it leaves the door open for further privacy abuses. I think it’d be naïve to assume it wasn’t already by someone inside the company, or the contracted party. If you trust a company secretly implanting certificates to be respectful of your data, I have a bridge to sell you made from indestructible IBM–era ThinkPads.

Point is, this is a breathtaking breach of customer confidence, up there with Sony’s rootkits. And unfortunately, as companies are squeezed further by race–to–the–bottom pricing, we can also only expect more companies to attempt shenanigans like this.

As evidenced by my writing here over the years, I’ve long had a soft spot for (albeit IBM) ThinkPads. While this line was unaffected by the Superfish, it sure as hell will be informing my future purchasing decisions.

And it gets worse

Ars Technica is reporting this Superfish crap is in other programs as well, albeit some already dodgy sounding ones. It does raise the question though, why didn’t all those built in trial anti-virus security suite application things pick up on the original?


Expert witnesses

Ben Grubb has been doing an excellent job covering iiNet v Dallas Buyers Club. The more we hear about this case, the more farcical it becomes:

A primary witness in a court case that could see thousands of Australians pursued for online piracy has admitted to not preparing his own evidence.

The admission was made by prosecution expert witness Daniel Macek, a 30-year-old German technical analyst at MaverickEye. The firm’s software was used to locate the IP addresses of alleged pirates who shared the film Dallas Buyers Club using a number of Australian internet providers, including iiNet.

His affidavit was prepared by the firm that hired him. And it gets worse.

But the integrity of the system — which has been relied upon in many other jurisdictions — all appeared to come undone at Tuesday’s hearing, where iiNet’s defence barrister Richard Lancaster, SC, asked Maverick Eye UG’s Mr Macek, flown from Germany to be at the case, to explain in detail how it worked.

Long story short, he couldn’t. It’s understandable, given he only works at the company he represented for 40 hours a month. Expert witness.

From Ben Grubb’s earlier article about the case:

iiNet is resisting handing over the details, arguing the studio is likely to send “nasty letters” to their customers demanding large sums of money as it has done in the US.


I’m done, Mr Abbott

In the context of defence contracts, Australian Prime Minister Tony Abbott made the following regrettable comment.

In a rowdy Question Time, Mr Abbott went on the attack.

“Under members opposite Defence jobs in this country declined by 10 per cent,” he said.

“There was a holocaust of jobs in Defence industries under members opposite.”

Let that sink in for a moment. This was from the same gentleman who said the carbon price (I’m sorry, the carbon “tax”) would affect women doing the ironing, that “shit happens” when people die in war, and who feels “threatened” by homosexuals. These gaffes have made international headlines, and even reached America’s satire news.

We’re all familiar with political PR spin and filters. Off the cuff remarks like this give us a more realistic view into the person underneath.

To be fair, he later apologised. But it speaks to his state of mind that he would even go to that word in the first place. It’s scary.

Yesterday, Mr Abbott mocked suggestions an open tender should be held, saying that could result in “Kim Jong-il-class submarines” or “Vladimir Putin submarines”.

Regardless, I’m done. In words he would relate to, this Prime Minister and his cabinet are beyond salvation, and I will not waste any more of yours or my time discussing them.


Vegemite pizza

Pizza Hut Mitey Stuffed Crust Vegemite pizza

Pizza Hut promoted this like crazy for Australia Day.

I grew up in Singapore, but like any respectable Australian, I love Vegemite. For the sake of my health, perhaps it was for the best I missed this.


Back to Work on beating yourself up

Merlin Mann made this great observation on the most recent episode. I could certainly stand to get better at this; most of us could.

If it makes you feel better to beat up yourself, and you become more productive because of that, enjoy the five or six years you have left to live.

But otherwise, knock it off. I have to remind myself five times a day; the time I spend feeling bad about what I’m not doing is not being used to create anything. It’s being destructive not creative.


Build and use xva-img to extract raw images

Prior to version 6.0, one of the export options for XenServer was the XVA format. It’s essentially a tar archive with disks stored as 1MiB stripes.

Among others, the xva-img tool by eriklax can be used to convert images from XVA to raw. It’s not in any major package manager, so we need to build it.

Building

$ git clone https://github.com/eriklax/xva-img.git
$ cd xva-img
$ cmake .
# make install clean

Which returned this:

fatal error: openssl/sha.h: No such file or directory
 #include <openssl/sha.h>
                         ^

Well then, I don’t have the OpenSSL developer libraries. I had to look this up for Debian/Ubuntu, but it’s:

# apt-get install libssl-dev

Now you should be able to build and install as normal. If you’re interested, I’ve thrown together a quick gist.

Usage

Xen xva files are tar files, with the original images spliced into 1MiB files. So the first step is to extract it:

# tar -xf [image].xva

You’ll see a series of referenced image folders, such as “Ref:2154”. So to use the tool to convert to a raw image:

root@apt-yum:~# xva-img -p disk-export Ref\:2154/ disk.raw

I got the following error:

Exporting: |=====================                                        \ ERROR
xva-img: cannot add empty chunk to disk.raw

Because the XVA image is sparse, converting to raw expands it to the full size. I accounted for double the size of the original image, but I really needed space for the entire uncompressed image.
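
The following Python is an added example, not code from xva-img or from this post: it works out how much space the raw image needs before converting, then reassembles the stripes while seeking over the missing ones so the output stays sparse. It assumes the chunk files are named as eight-digit indexes (00000000, 00000001, ...) with .checksum files beside them, and that the final stripe is present; the sample directory is constructed.

```python
import os
import re
import shutil
import tempfile

CHUNK = 1024 * 1024                  # the 1MiB stripe size described above
CHUNK_NAME = re.compile(r"^\d{8}$")  # assumed naming: 00000000, 00000001, ...

def list_chunks(ref_dir):
    """Map chunk index -> path, ignoring the .checksum files beside them."""
    return {int(n): os.path.join(ref_dir, n)
            for n in os.listdir(ref_dir) if CHUNK_NAME.match(n)}

def raw_size(ref_dir):
    """Bytes the raw image occupies once every missing stripe is expanded."""
    chunks = list_chunks(ref_dir)
    if not chunks:
        raise ValueError("no chunk files in " + ref_dir)
    last = max(chunks)               # assumes the final stripe is present
    return last * CHUNK + os.path.getsize(chunks[last])

def has_space(ref_dir, out_dir):
    """Check free space for the worst case: a fully allocated raw image."""
    return shutil.disk_usage(out_dir).free >= raw_size(ref_dir)

def export_raw(ref_dir, out_path):
    """Write stripes at their offsets; absent indexes are left as holes."""
    chunks = list_chunks(ref_dir)
    total = raw_size(ref_dir)
    with open(out_path, "wb") as out:
        for index in sorted(chunks):
            out.seek(index * CHUNK)  # seeking past a gap writes no zeros
            with open(chunks[index], "rb") as src:
                out.write(src.read())
        out.truncate(total)
    return total

def demo():
    """Constructed sample: stripes 0 and 3 present, 1 and 2 absent."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "Ref:2154")
        os.mkdir(ref)
        for index, fill in ((0, b"A"), (3, b"B")):
            with open(os.path.join(ref, "%08d" % index), "wb") as f:
                f.write(fill * CHUNK)
            open(os.path.join(ref, "%08d.checksum" % index), "w").close()
        size = export_raw(ref, os.path.join(tmp, "disk.raw"))
        with open(os.path.join(tmp, "disk.raw"), "rb") as f:
            data = f.read()
        return size, data[:1], data[CHUNK:CHUNK + 1], data[3 * CHUNK:3 * CHUNK + 1]
```

On a filesystem without sparse-file support the holes are written out as zeros, which is why has_space checks for the full expanded size.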

