Oracle VirtualBox 4.3 released!

The VirtualBox team today released a significant new version of Oracle VM VirtualBox, its high performance, cross-platform virtualization software.

This version is a major update. The following major new features were added:

  • VMM: major rewrite of the VT-x code and the AMD-V code including many bug fixes and performance improvements (for example bug #9659)
  • VMM: introduced a lightweight instruction interpreter for situations not handled by hardware virtualization
  • GUI: extended messaging mechanism (new non-modal popup overlays used to show non-critical warnings and provide user with additional information)
  • GUI: keyboard shortcuts management (input page of global preferences extended with possibility to edit general keyboard shortcuts for VirtualBox Manager and Virtual Machine)
  • GUI: video capturing support (bug #4766)
  • Added USB touch device emulation
  • Added experimental support for webcam passthrough complementing USB passthrough (see the manual for more information)
  • Added SCSI CD-ROM emulation, including boot support
  • VRDP: support for IPv6
  • Guest Control: guest sessions now are running in dedicated, impersonated session processes (needs at least Guest Additions 4.3 installed)
  • Guest Control: implemented IGuestFile support
  • NAT: experimental virtual router mode: several VMs are attached to the same internal network and share one NAT service (see the manual for more information)

In addition, there are numerious items that were fixed and/or added too.

The binaries can be downloaded here:


Posted in Virtualization | Tagged | Leave a comment

Facebook’s statement on the August 13th App Outage

Just in case you are not aware of, Facebook has officially made a statement about the app outage that happened on 13 August, in which a number of Facebook developer accounts and apps were temporarily unavailable.

For details, see that post Summary of the August 13th App Outage.

Posted in news | Leave a comment

Facebook Canvas Namespace get removed suddently

Probably all Facebook developers should have aware of the recent service disruption on the Facebook platform for which our developers may be disabled with the apps banned.  Facebook should have fixed that in a very short period of time and hopefully the impact is minimized.

There may be another issue that worths  to note.  If you own any Facebook Canvas application, please check to see if if still works.  It is found that some of the namespace field for some of my canvas apps get removed suddenly.

I believe Facebook had recently made the “category” field of the app a mandatory field.  And for canvas apps that do not have the category field set, the namespace field was removed.

Go and check your canvas app(s) at

Posted in news | Leave a comment

Facebook now has official document describing the AppSecret Proof

According to Facebook,

You can reduce your exposure to malware and spammers by requiring server-to-server calls to Facebook’s API be signed with the appsecret_proof parameter.

And in short, the app secret proof is a sha256 hash of your access token, using the app secret as the key.

You can get more information by referring to the Facebook Documentation on Securing Graph API Calls.

Posted in Authentication | Tagged | Leave a comment

Be careful with latest PHP SDK v3.2.2 on appsecret_proof

Recently, one of my colleagues had updated his app to use the latest PHP SDK.

Everything worked fine but suddenly, for our batch processing in sending app to user notification, we started receiving “Invalid appsecret_proof provided in the API argument” error message from Facebook on 17Jul.

After checking, I found that the latest PHP SDK will now include the appsecret_proof parameter in the OAuth request if the access_token parameter is there.  The corresponding code from base_facebook.php is shown below,

protected function _oauthRequest($url, $params) {
  if (!isset($params['access_token'])) {
    $params['access_token'] = $this->getAccessToken();

  if (isset($params['access_token'])) {
   $params['appsecret_proof'] = $this->getAppSecretProof($params['access_token']);

In the previous version of the PHP SDK, I would say that for most cases, the appSecret that we set whe instantiating the famous $facebook object is of no practical use if we are going to explicit pass the access_token (which can be stored earlier when we built the user session) in the request sent to Facebook.  However, this is no longer use now.

So, make sure you are setting the appID and appSecret properly before you send out any request.  This is particular true for batch processing when the PHP script is processing requests/records for different apps by using looping.

While the issue was caught and handled at our end.  I found that there is actually an option “Require AppSecret Proof for Server API calls” within the Facebook App Setting Advanced page.   When we were having the problem, this option was disabled actually and I would therefore expect that no appscret_proof checking is to be performed at the Facebook end even this parameter is included in the request.  A bug report had been opened for this.

Also, I would say that there is actually no need to have the PHP SDK to calculate the appsecret_proof (which eat up CPU cycles of the server) if we are not going to perform the checking.  Another bug report had been opened also and I would say this is a feature request on the PHP SDK.

I hope that by reading this article, you now know something about the appsecret_proof.

And if you are asking me where you can find more information about this appsecret_proof, my answer is that there is not yet any official Facebook documentation on this in their doc site.

Posted in Uncategorized | Tagged , | 2 Comments

Oracle released VirtualBox 4.2.14 today

Today Oracle released VirtualBox 4.2.14, a maintenance release of VirtualBox 4.2 which improves stability and fixes regressions.

This is a maintenance release. The following items were fixed and/or added:

  • VMM: another TLB invalidation fix for non-present pages
  • VMM: fixed a performance regression (4.2.8 regression; bug #11674)
  • GUI: fixed a crash on shutdown
  • GUI: prevent stuck keys under certain conditions on Windows hosts (bugs #2613#6171)
  • VRDP: fixed a rare crash on the guest screen resize
  • VRDP: allow to change VRDP parameters (including enabling/disabling the server) if the VM is paused
  • USB: fixed passing through devices on Mac OS X host to a VM with 2 or more virtual CPUs (bug #7462)
  • USB: fixed hang during isochronous transfer with certain devices (4.1 regression; Windows hosts only; bug #11839)
  • USB: properly handle orphaned URBs (bug #11207)
  • BIOS: fixed function for returning the PCI interrupt routing table (fixes NetWare 6.x guests)
  • BIOS: don’t use the ENTER / LEAVE instructions in the BIOS as these don’t work in the real mode as set up by certain guests (e.g. Plan 9 and QNX 4)
  • DMI: allow to configure DmiChassisType (bug #11832)
  • Storage: fixed lost writes if iSCSI is used with snapshots and asynchronous I/O (bug #11479)
  • Storage: fixed accessing certain VHDX images created by Windows 8 (bug #11502)
  • Storage: fixed hang when creating a snapshot using Parallels disk images (bug #9617)
  • 3D: seamless + 3D fixes (bug #11723)
  • 3D: version 4.2.12 was not able to read saved states of older versions under certain conditions (bug #11718)
  • Main/Properties: don’t create a guest property for non-running VMs if the property does not exist and is about to be removed (bug #11765)
  • Main/Properties: don’t forget to make new guest properties persistent after the VM was terminated (bug #11719)
  • Main/Display: don’t lose seamless regions during screen resize
  • Main/OVF: don’t crash during import if the client forgot to call Appliance::interpret() (bug #10845)
  • Main/OVF: don’t create invalid appliances by stripping the file name if the VM name is very long (bug #11814)
  • Main/OVF: don’t fail if the appliance contains multiple file references (bug #10689)
  • Main/Metrics: fixed Solaris file descriptor leak
  • Settings: limit depth of snapshot tree to 250 levels, as more will lead to decreased performance and may trigger crashes
  • VBoxManage: fixed setting the parent UUID on diff images using sethdparentuuid
  • Linux hosts: work around for not crashing as a result of automatic NUMA balancing which was introduced in Linux 3.8 (bug #11610)
  • Windows installer: force the installation of the public certificate in background (i.e. completely prevent user interaction) if the –silent command line option is specified
  • Windows Additions: fixed problems with partial install in the unattended case
  • Windows Additions: fixed display glitch with the Start button in seamless mode for some themes
  • Windows Additions: Seamless mode and auto-resize fixes
  • Windows Additions: fixed trying to to retrieve new auto-logon credentials if current ones were not processed yet
  • Windows Additions installer: added the /with_wddm switch to select the experimental WDDM driver by default
  • Linux Additions: fixed setting own timed out and aborted texts in information label of the lightdm greeter
  • Linux Additions: fixed compilation against Linux 3.2.0 Ubuntu kernels (4.2.12 regression as a side effect of the Debian kernel build fix; bug #11709)
  • X11 Additions: reduced the CPU load of VBoxClient in drag’and’drop mode
  • OS/2 Additions: made the mouse wheel work (bug #6793)
  • Guest Additions: fixed problems copying and pasting between two guests on an X11 host (bug #11792)

You can download the binaries here:


Posted in Virtualization | Leave a comment

With offline_access Deprecation Enabled, Still Receiving 2 hour tokens from Server Side OAuth Call

Hopefully we should all know that while we have still having the offline_access permission available, the access token that we obtained normally is a short-lived one.

Wit offline_access deprecated, by default (as according to Facebook’s documentation), we should have received a token that is to be expired only after 60 days by doing a server side OAuth.  However, at the early time of the migration process, it had been reported and confirmed that the token received was still a short-lived one.  We had to exchange the code with Facebook server again so as to get a 60-day expiry date token.

A bug report was opened by someone earlier. It is claimed to be fixed on this Thursday (i.e. 2 days ago).

However, I just tested that by using my own application and found that the access token obtained via performing server side OAuth is still a short-lived one.  My app is written by using the PHP SDK and server side OAuth is performed.  So, it seems to me that the problem is not fixed – at least not completely.

Any of us can see the same result as mine?

Posted in news | Tagged , | Leave a comment

AppRequest Dialog is not shown properly on Andriod phones

There is right now a problem in the Facebook Javascript SDK where the apprequest dialog displayed via FB.ui is too wide on Andriod Phones (such as Samsung S3).

AppRequest Dialog is not shown properly on Andriod Phones

There is already a bug report for this at Facebook

If you are running mobile app, check if you are being affected by this bug (I think so).  It would be nice if you can subscribe or even comments to this bug report so that Facebook may raise its priority.

Posted in news | Tagged | Leave a comment