Back to Top

Tuesday, December 30, 2008

A few tips for pshtoolkit


pshtoolkit is short for Pass The Hash Toolkit, and is a program (or rather a small collection of programs) written and released as OSS by CORE. Its basic use is to authenticate to Windows systems by passing the hash of the password - hence the name - rather than the password. Here are a couple of things I discovered while playing around with it:

  • You usually need high (SYSTEM account) privileges to run these programs, otherwise they will fail with cryptic messages. The easiest way to do this is to take psexec and run the following command: psexec \\ -s c:\windows\system32\cmd.exe. This will start a command prompt with SYSTEM privileges (the downside of it is that in the started shell you won't have things like tab completition :-()
  • What is the difference between the "normal" and the *-alt versions? The "normal" executables try to manipulate data directly in the LSASS process. To do this, they need the offset for the data structures, which change from version to version. Although they contain some code do detect the data structures "heuristically", this doesn't always give the expected result. The "alternative" (-alt) executables inject code in the LSASS process, which (I assume) peforms the same action by calling undocumented API's, which is more stable between Windows versions.
  • iam-alt.exe has a bug. You can read the details on the HEXALE blog. To get a working version until the new version is released, you can do two things:
    • Modify the source code and recompile it, as the blogpost suggests
    • Fire up a hex editor (like HxD for Windows, or mcedit for Linux) and search for the string "00x" (the inversion is because the x86 is a little endian procesor). You should find two occurrences. Replace them with the literal zero bytes. This should do the trick.

What is an executable file anyway?


While this seems trivial, it is a very important question you'll have to answer if you want to pretend that a whitelisting solution will give you 100% protection. So lets take a shot at it:

An executable file is a file which contains machine code intended to be run on the CPU.

This looks right, doesn't it? Well, not entirely. What about batch files for example? They don't contain machine code per-se, however machine code is run when they are interpreted. The same thing can be said about Word documents, Excel spreadsheets, HTML files, etc. So lets extend the definition:

An executable file is a file which contains machine code intended to be run on the CPU or (during processing) results in instructions being executed on the CPU.

Congratulation! You just defined every file on the system. The processing of any file results in some instructions being executed. Even if we abstract away from software vulnerabilities, you are in a situation where you need to ask yourself the question: is it possible that the application will generate for some input file an instruction sequence which is undesirable?

To take this discussion to a more down-to-earth level, here is an example (taken from this Sophos blog post): imagine a shortcut (.lnk) pointing at the default command interpreter (cmd.exe) resulting in downloading an executable from an FTP site and running it. Fortunately whitelisting products have a chance to step in at the second stage and block it (also, some solutions, like Software Restriction Policies, treat shortcut files as executables).

However I can offer you even a more frightening file format: .msi (Microsoft Installer). This fileformat is intended by design to instruct the operating system to perform deep changes (copy/move files, change registry entries, run programs, etc). Even more problematic is the fact that Windows (Vista) assumes that setup programs need administrative privileges. The execution itself is performed by a service running with high privileges. Also, the MSI format allows for bundling and dynamically loading arbitrary DLLs (which may or may not be traced by the particular whitelisting product - many of them choose not to track it to avoid overwhelming the user with prompts).

Creating an MSI file is rather simple. For the following example I choose the WiX toolkit (both because it is easily installable and because it is open source - if you want to run it, you need the .NET framwork version 2.0). Save the following text as a file named "product.wxs":

<?xml version='1.0'?>
<Wix xmlns=''>
   <Product Id='12345678-1234-1234-1234-123456789012' Name='Test Package' Language='1033' 
            Version='' Manufacturer='Microsoft Corporation'>
      <Package Id='12345678-1234-1234-1234-123456789012'
               Description='My first Windows Installer package'
               Comments='This is my first attempt at creating a Windows Installer database'
               Manufacturer='Microsoft Corporation' InstallerVersion='200' Compressed='yes' />

      <Directory Id='TARGETDIR' Name='SourceDir'>
         <Component Id='MyComponent' Guid='12345678-1234-1234-1234-123456789012' />

      <Feature Id='MyFeature' Title='My 1st Feature' Level='1'>
         <ComponentRef Id='MyComponent' />

      <Binary Id="wixca" src="wixca.dll"/>
      <Property Id="QtExecCmdLine" Value='"c:\windows\system32\cmd.exe" /c echo 1 > c:\out.txt' />
      <CustomAction Id="QtExec" BinaryKey="wixca" DllEntry="CAQuietExec" Execute="immediate" Return="check"/>

        <Custom Action="QtExec" Sequence='1'/>

Now run the following two commands:

candle product.wxs
light product.wxsobj

And voila!, you have an .MSI file which - when executed - performs a command in the background silently.

Finally, I would like to outline a detailed attack scenario:

  • A company/institution uses a whitelisting product to protect its PC's
  • A user is tricked into running an MSI file. Now this user may or may not have administrative privileges (in which case the MSI file can be marked as not requiring elevated privileges)
  • The instructions in the MSI file use the built-in Windows executables (which are on the whitelist) to perform any of the following actions:
    • Add a user with a predetermined password (acting as a perimeter weakening malware)
    • Lower the ActiveX security settings for IE.
    • Lower the security settings for other components (like Javascript, Flash or Java)
    • Opening a preprogrammed webpage. This can have two functions: signaling the existence of a new compromised host and/or containing the "stage 2" of the exploitation which can execute now, given that the security barriers have been lowered.

Conclusion: as many have said before me, there is no such thing as perfect security. What you can do, is to select a lockdown level appropriate for your activity and apply it. Using a lower than needed security level is irresponsible, however using a higher than needed level can prevent you from from doing your work. Be aware of the options and stay safe!

Ranting about Metasploit...


I want to preface this with the fact that I have an big respect for HDM and his colleagues, both because of technical achievements and for creating this framework in the open, with an enthusiastic community around it. However... :-)

Some time ago I played around a little with Metasploit for the latest Ethical Hacker Challenge and found it incredibly frustrating. My main gripes are:

  • It is incredibly slow. Just to give you an idea: to generate a small executable (couple of hundred bytes long), it takes well over a minute! I assume that mostly this is because it is written a Ruby, a decision which I can't understand. Version 2.x was written in Perl, and for some reason (most probably because some thought that this was the "next big thing" and wanted to play around with it) they rewrote the whole thing in Ruby, more than doubling the line count by their own admission.

    Now I'm the first to admit that LOC is not a very useful measure, however abandoning an existing codebase running on a mature interpreter with some very useful tools is a questionable decision, to put it mildly.

  • The utter lack of documentation. Their "user manual" is 30 page of uselessness. All the materials that I could find out there were videos, which (a) wastes my time, because I can't scan it rapidly to find the important information (b) wastes bandwidth and (c) is not properly indexable by the current search engines. Also, a lot of documentation is outdated. For example, almost none of the documentation I found seems to mention that msfpayload can now produce Windows executables, without going trough msfencode:

    ./msfpayload windows/meterpreter/bind_tcp X > runme.exe

    This is somewhat faster but still sloooooow. Did I mention that the documentation is lacking? Starting msfpayload only tells you that there is an X option, but it doesn't tell you what it does!

  • The structure of the program is a mess and lacks any apparent logic. Just take a look at the steps you have to perform to connect to a meterpreter deployed with an executable:

    • Create the executable as shown previously and run it on the target.
    • Use the "exploit/multi/handler", which isn't an exploit per-se and we don't want to handle multiple connections!
    • Specify the payload "windows/meterpreter/bind_tcp". Never mind the fact that we specified this when we created the executable!
    • Specify the host and the port
    • "Launch" the exploit (in fact connect to the running executable or wait for the incoming connections.

    Easy and logical, isn't it ;-)? Especially when you don't have any written tutorials telling you about it.

Update: one of the better video tutorials I found was this one. Also the synjunkie blog has some information on the subject.

An interesting Windows feature


This one has been around for ever (possibly since Windows '95), but it just so happens that I stumbled over it recently:

You can use the "desktop.ini" file to (amongst other things) change the name displayed for the given folder by Explorer (and other file-navigators which are based on Explorer - like Windows Total Commander or Free Commander) by creating a desktop.ini file in it and using the the LocalizedResourceName property for example.

I found the following page listing the possible options: Desktop.ini - List of keywords, documentation, downloads, tips, examples and utilities. The MS documentation is quite lacking from this point of view.

An other interesting section is "DeleteOnCopy", which - as the name suggests - gets deleted whenever the file is copied using the copy routine from Windows Explorer (which, again, can mean that other programs behave this way, not just Windows Explorer - for example this behavior is present in Free Commander).

What does this mean in the end? An other avenue for malicious obfuscation and something else to be aware of when doing forensic analysis on computers.

PS. Two interesting sidenotes: if you search for desktop.ini, you will find a list of sites which were created (at least partially) with Windows :-). Also, it has been used by some viruses as a way to start themselves.

A blue LED


A small LED, a dark room and a crappy camera :-)

Mixed links


The CPAN testers site received an update. This is a great resource for Perl programmers all over the world which automatically tests CPAN modules in different environments.

The Ethical Hacker Network posted the solution to the Daemon challenge. Interesting, but as expected, you'd had to own the book to get this one...

From the MS Security Tips & Talk blog: 5 steps to help protect your new computer before you go online. Some very basic information with contradicting parts (ie "ensure your system has the latest updates and security software installed" but you must do this "before you connect to the Internet" - where do I get these updates? from the thin air?) and they are also propagating the anti-spyware nonsense. Then again, they also try to double tax the user by selling Windows Defender and Windows OneCare instead of bundling the functionality into the same product. (BTW, just for fun: you can still buy OneCare, even though it has been discontinued - guess somebody didn't get the memo).

Monday, December 29, 2008

Short tip


PsExec doesn't seem to work with "Simple File Sharing" under Windows XP, so you might want to try to turn it off if it fails on you.

A good post about document metadata


Read it, love it: GCIH Gold Paper - Document Metadata, the Silent Killer.

Pidgin (Gaim) needs your support!


The author of the free, open-source multi-protocol IM client Pidgin (formerly known as Gaim - OS X users might know it at Adium) have put up a survey. From the announcement:

2008 has been a slightly unusual year for the Pidgin chat client. Improvements were made, but the biggest news was caused by unhappy users. That's one of the reasons why I created a user survey to figure out what the big issues are.

If you're a Pidgin user, please fill the survey out! It should only take a couple of minutes and will be invaluable in figuring out how to improve Pidgin.

So, if you are a Pidgin user, please take 2-3 minutes off your time and fill out the survey for the benefit of all of us!

(Re-)dial your connection automatically with Windows (XP)


Currently I'm on a quest of finding configuration options to make computers easier to use. One of my recent problems was how to make sure that internet connections "just work", especially in a dial-up kind of situation (where there are usernames and passwords involved). Here is the method that I developed for Windows XP (probably it will work from Win2K to Win2k8 - including Vista - but I didn't try it there).

The heart of the solution is a simple batch file:

ping -n 1 -l 8
if errorlevel 1 goto dial
goto end
rasdial "Broadband Connection" username password
goto start

What this does, is to ping as a connectivity test (using only one packet of a small size to avoid tripping anti-DoS mechanisms), and if the ping fails, it tries to dial the connection. Some remarks:

  • This solution works in both dial-up and PPPoE scenarios. In fact I developed it in the later situation).
  • Instead of pinging (or some other host), alternative connectivity tests can be used. For example performing a DNS lookup (nslookup or fetching a webpage (curl Two things to be aware of: some providers give you access to their DNS servers even before the authentication (DNS tunnelling anyone?), so it might not be the definitive test to determine connectivity. The second method (fetching a webpage) involves downloading a third-party utility, which you might be lazy to do :-)
  • There is a secondary benefit for me in using a DNS name ( rather than an IP: I've set up OpenDNS on the machines, and for some reason, the first lookups can be quite timeconsuming (30"-60"). After that the rest of the lookups are fast. I know that I'm quite far from the London OpenDNS resolver, as can be seen from the traceroute dump displayed below, but this is still mysterious. On the upside: the initial ping takes care of the problem.
    Tracing route to []
    over a maximum of 30 hops:
      6    69 ms    71 ms    70 ms []
      7    81 ms    71 ms    75 ms  ge-0-2-0.XR1.FFT1.ALTER.NET []
      8   152 ms   150 ms   156 ms  ge-1-1-0.IL1.DCA4.ALTER.NET []
      9   150 ms   153 ms   155 ms []
     10   162 ms   161 ms   154 ms []
     11   146 ms   147 ms   145 ms  POS6-0.GW5.IAD8.ALTER.NET []
     12   144 ms   143 ms   145 ms
     13   152 ms   144 ms   144 ms []
    Trace complete.
  • Putting useranmes / passwords in clear in the batchfile does represent some security risk, especially given that some providers have the (rather insecure) practice of basing these on personal details of the customer. However, one has to weigh the benefits, given that stored dialup passwords are already quite easy to retrieve.
  • If you edit the batch file using Notepad, don't forget to put the filename between quotes when saving (ie "dial_conn.bat" instead of dial_conn.bat). Failing to do so will result in an extra .txt extension being appended (ie dial_conn.bat.txt), which will make the run attempts fail.

A final note on how to start this batch file: you can either put in in the Startup group (just make sure that it starts a minimized to reduce the interference with the user). You can also run it from the task scheduler. This has the advantage of starting up even before a user is logged in (if the computer is used by multiple people). Also, it can eliminate the "should this connection be disconnected" prompts when switching between multiple users.

Sunday, December 28, 2008

Booting FreeDOS with GRUB


To toy around, I decided to install FreeDOS on a real system running Ubuntu. This post will document the process of adding an entry to the GRUB menu loader to boot it. Some small notes:

  • Resizing partitions with GPartEd is somewhat funky (no global progress bar) and can take some serious time (if you are moving data, it first performs a complete test run, thus taking twice as long as the vanilla operation)
  • If you use the XFDISK tool from the FreeDOS CD, you'll have to restart the system for the installer to continue - this is a limitation of DOS, which can't dynamically update the list of partitions.
  • By default, the FreeDOS installer doesn't muck around with the MBR - a wise choice, but one which can make you wonder: how do I boot this thing? Read on an you will find out...
  • Some memory manager configurations presented in the FreeDOS boot menu will not work - if this is the case, try other ones.

To add FreeDOS to your GRUB menu, do the following:

  1. Find out the UUID of the partition you've installed FreeDOS on (you coult use the direct addressing, but UUID's just look more fun :-)). There are several ways presented on the ubuntu forums, from which I like the following the best: ls -la /dev/disk/by-uuid.
  2. Open your menu.lst in a text editor: sudo gedit /boot/grub/menu.lst
  3. Go to the end of the file after the "### END DEBIAN ..." part. That part is overwritten every time a kernel update is installed, so it is wise to avoid it, unless you want to repeat these steps frequently :-)
  4. Add the following lines:
    title    FreeDOS
    uuid     1abf-24ac
    chainloader +1
  5. Some notes: of course you can make the title whatever you want. The UUID must be the UUID of the partition which you've determined at step 1. It must be lowercase (otherwise the boot will fail).
  6. Save the file and test the new entry by rebooting, entering the GRUB menu (by pressing ESC during the 3 seconds grace time) and choosing the new entry.

PS. You can read the GRUB manual for more commands, however I found it to be a little outdated (for example it doesn't mention UUID).

Friday, December 26, 2008

Anycast DNS and BGP


From /dev/random: Introduction to BGP. Also, some short videos on various networking topics from Infoblox. challenge solution


I mentioned some time ago the contest. I've remembered to check back for the answer, which can be found here. Basically, one of the OSPF fields is based on a timestamp.

Very cool. Also, it shows how many equipments will break after the 18th of January, 2038 :-)

Thursday, December 25, 2008

Disabling the Zoom plugin for Compiz


I was playing around with a 8.10 Ubuntu install and I must have pressed a key combination, because the screen magnification was turned on. It was all nice and smooth, the only problem was that I didn't want it! (BTW, almost the first thing I turn off after a fresh WinXP install is the accessibility shortcuts).

To turn it off, you can use compizconfig-settings-manager (found it via the Ubuntu forums). Install this package (if you are in an semi-offline situation, you need one additional dependency that is not installed by default - python-compizconfig), then go to System -> Preferences -> CompizConfig Settings Manager, click on Accesibility and uncheck "Enhanced Zoom Desktop". Warning! This setting gets reactivated every time you change the level of desktop effects (from Normal to Extra or the other way around), so you need to uncheck it again.

KDE 4.2 videos


Via the All about Linux blog: videos showing off KDE 4.2. They look very nice, although the abundance of the options might be confusing...

All things come to an end


I've woken up today to find that CastleCops is going offline (link from DISOG). From their website:

Greetings Folks,

You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created.

Also, one of the podcasts I listen to - RYOS-Run Your Own Server - is going out as well. To give some positive news, here are (literary) a couple of new podcasts I'll give a try (from the RYOS - Other Podcasts page):

An an unrelated note: has gotten a small update. If you are using PostgreSQL, this site, combined with are very good resources for query tuning.

Tuesday, December 23, 2008

New years resolution for webmasters


Graham Cluley gives some advice on the Sophos blog on how to secure your website. Unfortunately he can't resist touting the companies horn, rather than suggesting a much more effective solution for this scenario: whitelisting.

First of all, files on a webserver need to change very rarely. Executables almost never and it is useful to receive an email every time your HTML / PHP / ASP / etc files changed. A perfect fit for whitelisting, a non-starter for blacklisting.

Stepping away from the whitelisting aspect for a moment, on-access AV will be powerless with content which is not stored directly in the filesystem. This includes the recent wave of SQL injection attack, where the malicious data was in the database. Now we have several possible scenarios:

  • AV is not installed on the DB server (because it isn't a webserver :-))
  • The installed AV doesn't scan the files of the DB because of its size limitation or doesn't find the malicious code because of the large size of the file
  • The installed AV does find the malware, blocks access to the database file, thereby killing the DB server or at least making each client fail.

Either way, it's not good.

Now getting back to the advices, the others are sound. One thing I missed is: apply the principle of least privilege to your network traffic!

  • That SSH/RDP port you use to manage your system - it doesn't have to be open to the whole world. Even better, move it to a non-standard port and limit access by IP
  • If the server only needs ports 80 and 443, only allow ports 80 and 443.
  • The server most probably doesn't need to do any outbound traffic, so block it

Also, read and apply security best practices (this usually means changing the configuration) for the software you have on your server (searching for "[product name] security" is usually a good start).

Interesting thoughts from the Sophos blog


Niall from SophosLabs UK asks: why does spam work? and gives an interesting answer:

In his opinion, although we think that claims made by spam is very "out there" and wonder why people keep falling for it, in fact it is no worse that what we see in other media (like TV commercials). On some level I agree, although there certainly seems to be more regulation on TV commercials. For one, almost all of them display a disclaimer of some sorts (the fact that it is unreadable is an other question :-)). Also, in my personal experience, they are more of a "don't talk about the negative aspects" than an outright lie type (for example omitting the fact that the super-duper vacuum cleaner makes such an infernal noise that you can't use it).

In the end, people need to learn to keep their expectations in check. If it is too good to be true, it probably isn't. Technology and legislation can only do so much...

Mixed links


A list of rich content if you are bored have free time the following weeks:

(Some) videos from the Fall 2008 Microsoft Bluehat security conference (from the extern SensePost blog).

From PerlBuzz: Higher Order Perl available for free (legal!) download. I started reading it and already found some interesting tidbits. It always felt that Perl is more a functional language than an OO one (see this post from chromatic on the same topic) and this book strengthens this idea.

Staying at the topic of Perl for a moment, from we have How I learnt to love Perl. A good read. From the same blogpost I got the link of Python Makes Me Nervous. Even though I'm no fan of Python, the article is a little overstated. Python does have exceptions, you just don't have to catch them. And the majority of the problems can't be codified in a form that your compiler can check (yes, some languages are better than others - but exactly how many of you program in language that has extended support for codifying pre- a postconditions again?), they must be codified in unit tests.

From XKCD comes the following comic (this is very true on multiple levels, not just for highschools):

Via Perlbuzz comes a link to a rant about what not to do in your Perl code.

On the Postgresql Conference page we have links to a lot of videos / recordings / slides about PostgreSQL and other related topics. Very useful (please rate the videos if you watch them - many of them don't have any ratings yet!) Speaking of videos, they are up for HEAtnet conference 2008 (you might know them from the SourceForge mirror list).

From Hosts news comes the following very useful information: Google Diagnostic now reports on entire Networks.

On the Microsoft SDL blog we have MS08-078 and the SDL. It gives a very good description of the source of the bug (basically the array size was changed, but the variable used to store the upper limit for the iteration was not updated).

From the blog (try typing that without copy-paste) we have a New Universal Patch Method if you need your windows server to accept more than N simultaneous RDP connection (where N is 3 for 2K3 and 2 for 2K8 if I remember correctly). It always ticks me off when a company limits a product not for technological but for sales reasons. So I use Linux :-). But it is nice to have options (although probably they are in the gray zone from a legal stand point probably).

Modulo implies division!


When programming, if you write foo / bar, where foo and bar are variables, you usually instinctively thing "can bar be zero? do I need to add a check that bar is zero?". However how many of you apply the same line of thinking to the modulo operator? I didn't (until now - when it bit me :-)).

However it is logical that doing foo % 0 gives you a division by zero error. First of all, the modulo (remainder) operator is defined using division:

In computing, the modulo operation finds the remainder of division of one number by another.

The relation is so close that for x86 machine code there is not instruction to calculate the remainder. You have to use the DIV instruction, which puts in one register the result of the division and in an other register the remainder. This gives an other reason why the modulo operator results in a division by zero error.

So the next time you see foo % bar, think about bar!

WordpressDirect reponds (in a spammy fashion :-))


I received the following comment on my post about WordpressDirect by "Marty Rozmanith":

Hello, I am the creator of WordpressDirect. I want to set the record straight, since your blog is contributing to the disinformation about our service.

Forget the content publishing for a second...We save people time and frustration in setting up a a search-engine optimized blog. Not just any old blog. A blog that would take you a day to build yourself. Worpress experts have said as much on the 30 Day Challenge forum. We just make it easier for a user's own written content to get noticed by Google and Yahoo for your target phrase - and we do it for Free.

The content software included with the paid accounts does NOT scrape content. It only takes content from sites where people create content for with the INTENT of syndication, such as YouTube and eZine directories. So it basically automates what blog authors were doing manually.

Since the service was launched, we have received 2 copyright violation notices for content, and both were addressed immediately. These were caused by publishers (not our users) circulating content they didn't have permission for in eZine directories, not due to our methods.

People keep ignoring the fact that most of our users write their own content. Why? We and our 30 Day Challenge partners clearly explain why a blog creator needs to create their own unique content in the 30DC lessons.

It's as if we force users to use our content software on their blogs. We do not. We teach our users how to use this software correctly (see the example site at to add value to their uniquely written content on their blog. If it is OK to find a YouTube video yourself and embed it in your blog, is it not OK to have a peice of software to make it easier? Hopefully you see my point.

There are many pre-conceived notions about blogging and the use of such technology, and many are lumping WordPressDirect in with previous stupid attempts to game Adsense.

I would have kept it too as a comment, the only problem was that it was linking to WordpressDirect directly, and given my "You comment, I follow" policy, I'm somewhat sensible about the links I receive.

Putting aside the fact that I'm not the only one who received it (for more, go to the interwebs) - this can be explained partially by the fact that the he wants to "make his voice heard" in many places at once, there are some contradictions / ideas in the comment itself which just convinces me more that my initial judgment was correct:

We save people time and frustration in setting up a a search-engine optimized blog.

People should not try to optimize their blogs beyond making sure that is searchable (ie not putting text in images). If you provide good content, people will come. The web should be about meritocracy (this is my - somewhat naive - opinion).

We just make it easier for a user's own written content to get noticed by Google and Yahoo for your target phrase

Wrong! Your main selling point is (quoting from the site): "No More PRESSURE to Update Your Site Daily... Simply click a few buttons and WordPress Direct will update your site as often or as rarely as you'd like." - no original content here.

The content software included with the paid accounts does NOT scrape content. It only takes content from sites where people create content for with the INTENT of syndication, such as YouTube and eZine directories.

Wrong! On the site you talk about "RSS Poster" - taking posts from RSS feeds and putting them automatically on a blog. How does this system take into account the license the original post is under? It doesn't!

Since the service was launched, we have received 2 copyright violation notices for content, and both were addressed immediately.

Good for you. Probably more are coming your way. Just remember, your servers are in the USA, so if you don't act on those letters, people can complain to your host who will have to take you down because of the DMCA :-).

see the example site at

I'm looking at it right now :-). The first post occurs on two other pages. The second one contains the phrase "Prohibited. Spam/Overpost." (probably the scraper erroneously pulled from that source :-)). The YouTube postings take the text from the movie directly, without making clear that it's not the blogowner speaking ("I'm playing" for example). This isn't original content at all...

In conclusion: a splog is a splog is a splog. Fortunately search engines are good at filtering them and hopefully they will get better over time. They add nothing to the overall discussion and are purely selfish plays to misinform people.

Monday, December 22, 2008

Installing Avira (AntiVir)


After a tutorial on installing Avast and one for AVG 8 I decided to write up a tutorial on installing Avira (the former AntiVir).

  • Download the install kit from their website (warning! there is some upselling going on)
  • Install the software
  • Done!

Unfortunately there aren't any options to make the program more silent or transparent to the end-use. It is rather chatty and will always prompt the user about things like detected files or updates. Also, it will show an advert after each update. Now there are ways to disable this, however be aware that you might be breaking the license by using them.

To sum up: Avira is a nice little AV with very good detection rates, however it lacks some configuration options which would make it suitable running it silently (to avoid bothering / confusing users). I would recommend going with one of the other alternatives and a layered security approach.

Actively working against security...


Not only isn't security the first priority for people, some make a selling point of being able to defeat it! Does the following type of phrase sound familiar to you?

Our product uses HTTP, so there will be no problem traversing those pesky firewalls.

The solution is of course in the middle (making admins realize that security is not more important than letting people do their work and also making programmers realize not thinking about security can get you in a lot of trouble), but it is a sad state where programmers actively work against IT :-( (and furthermore, they are proud of it!).

How to interpolate a string in Perl?


Perl (and some other languages which came after it :-)) have a feature called interpolation, whereby the names of the variables in strings are replaced by their actual values. This is both useful and dangerous (it can easily result in problems like command injection / SQL injection / HTML injection (aka XSS) - as with everything else you have to know what you are doing!).

However interpolation is performed only once, there is no easy way to "force" the interpolation to occur. Or is it? :-). Lets suppose we have the following scenario:

  • We read a string from the user input.
  • We read a pattern and the replacement which can contain backreferences from the input (or - for that matter - references to other variables)
  • We would like to apply the search/replace pattern on the input string.

The solution is to "eval" the string in the search/replace expression to get the interpolation effect:

use strict;

my $foo = '(foo)';
my $bar = '>>>}$1<<<';

$bar =~ s/([{}])/\\$1/g;
my $str = 'foo bar baz';
$str =~ s/$foo/eval('qq{'.$bar.'}')/e;

print "Out: $str\n";

A few words: { and } needed to be escaped to handle cases where $bar contains either of them. This type of code can be very dangerous, because it can leak arbitrary inner variables! If you wish to use something like this in a sensitive environment (web pages, scripts with the suid bit set, etc), think twice. There is of course a CPAN module for this: String::Interpolate, which also lists the security problems that can occur. So take a look at it and consider if the need for flexibility overweights the need for security.

How to make sure that your webserver isn't blocket by the ISP?


First of all, if it says in your contract that you can't run servers, doing so may result in your connection being cut, so do this on your own risk! Second of all, I don't advocate running websites on a home machine. Get a VPS!

All this said, if you do run a webserver on a home machine and want to make sure that your ISP isn't blocking it, here are some ideas on how to test it:

  • Use TOR to browse to it
  • Use a free proxy to browse to it
  • You could have used the Google translate trick, however they closed this loophole.
  • However you can still use other services like ViewHTML or even the W3C validator to test connectivity.

As for other services (SSH, RDP, etc) - you could use something like nmap online to scan your host and determine if it sees the given ports as open.

Sunday, December 21, 2008

A word about splogs


I was listening to the Wordpress podcast and they mentioned a service called WordPressDirect (don't worry, that links is a nofollow one). From their marketing material:

Create SEO-Optimized, Content-Stuffed Websites Instantly With WordPressDirect

Basically they are an other method to "reuse" other people's writing. Some thoughts:

  • People feel instantly defensive and start pondering solutions like partial feeds. That is not the solution however, you can still scrape the websites. The solution that I choose and would recommend others is: (1) make it clear under what license you publish your content (for example this blog is under the CC-BY-SA v3.0 license) (2) use some superkalifragilistic words from time to time in your posts :) and (3) from time to time search for those words. If you find results, you can complain to the site, their ISP, etc if they violate your license.
  • The service uses Wordpress in their name, so it is very possible that Automatic will take legal action against them (because Wordpress is a trademark of theirs). The most probable outcome of the lawsuit will be a namechange (but the service will remain).
  • They sell an outdated version of Wordpress (and AFAIK they don't provide auto updating), so this will mean a lot of hacked Wordpress sites (then again, their own site seems to run 2.3.2, so...)
  • Although they claim "10,000 installs", using some search engine foo I was able to find only six with Live search and none with Google or Yahoo. (the searches basically look for wordpress installs with the given combination of plugins, so you might have some false positives). This means that either they are lying or that search engines already filter this crap out.
  • Interestingly the WHOIS information seems to be referring to a real person:
       Administrative Contact:
          Bouchrika, Imed  
          190 Burgess Road
          Southampton, California SO16 3AY
          United Kingdom
          +1.8882401991      Fax -- 
    He even got a website and seems to be an (at least somewhat) technical chap. Now, it is not clear if he runs the site or only provided technical background, but either way, it is interesting.

A great analogy for programmers


I found the the following great blogpost which extends the "rockstar programmer" analogy: Musical Analogy. Very insightful. I too like "jazz" programmers more than "rockstarts", because they probably won't have any problems with SDLC :-).

pointers-uk - fail


Via the network security blog I found the article How to Rebuild your Computer and Reinstall Windows Without Headache, and the timing couldn't have been better, since in the near future I will need to do so (although an XP machine, not Vista). The advices are given are good. Three tools which I like that didn't get mentioned are:

  • XP AntiSpy - a very nice and compact XP tweaking program
  • X-Setup - a very complete tweaking program
  • The PC decrapifier - useful mainly in the case of computers bought with preinstalled Windows.

However, this isn't the topic of the rant. It is rather a comment left on the article:

dust sticking on the CPU heat sink?

In what way could this possibly slow down a PC? It might cause it to overheat, and crash... but really it’s never going to slow a machine down.


The comment was allegedly left by Pointers-UK employee Steve Button (I say allegedly, because I can't verify that the Linked-In profile or the commenters assertion is correct). He describes himself as a sysadmin, but doesn't even know (or put the dots together) that most modern processors have overheating protection, and - as the temperature rises - they reduce the clockspeed to keep avoid damage to the hardware (it just so happens that recently I read a blogpost detailing such a problem, so this isn't just a theoretical situation). What a sysadmin!

Saturday, December 20, 2008

Mixed links


On the Extra Pepperoni blog I've read about Google’s 404 Service. Apparently they have a service whereby they can suggest links to people who arrived to a non-existing page on your site. Interesting...

From ICANN comes an updated version of the Whois Inaccuracy Reporting System (or WDPRS - Whois Data Problem Reporting System). You can find it here. Again, interesting, but I'm not sure what happens after you report a domain. Does it get taken offline? (not very likely) Most probably they will change the address to an other (fake) one or move behind one of those "privacy protection" systems.

From the Anti Phising Working Group comes the Phishing education landing page. The idea is that ISPs - when taking down phising sites - would redirect phised users here. An interesting idea, and potentially very effective, given the immediate feedback users receive (they are being told what they've done wrong as soon as they click the link).

Friday, December 19, 2008

Negative zero - what is it?


Computers have two ways of representing numbers:

  • One is called sign and magnitude - usually you have one bit specifying the sign (again, most of time you have 0 for positive and 1 for negative) and the rest of the bits specify the absolute value ("magnitude") of the number.
  • The other is ordering the numbers from the lowest to the highest (or the other way around) and specifying an index in this ordering - two's complement is for an example for this system, although it also has some nifty properties with regards to the arithmetic operations.

In the first case we can have a "+0" and a "-0" value. Now I'm no mathematician, so I checked the sources of knowledge :-). From the Mathworld article on Zero:

It is the only integer (and, in fact, the only real number) that is neither negative nor positive.

Furthermore, we have the following definition for the sign function:

The sign of a real number, also called sgn or signum, is -1 for a negative number (i.e., one with a minus sign "-"), 0 for the number zero, or +1 for a positive number (i.e., one with a plus sign "+"). In other words, for real x,

These lead me to believe that -0 and +0 are just an artifact of how we represent numbers in computers, and in fact they are one and the same entity. An additional proof is that IEEE 754 (the standard defining floating point representations - the most widely used sign and magnitude method to represent numbers) says in the standard:

5.11 Details of comparison predicates
Comparisons shall ignore the sign of zero (so +0 = −0)

So far, so good, right? Java has a small catch however:

Even though -0.0 == 0.0, Double.valueOf(-0.0).compareTo(Double.valueOf(0.0)) is not zero (ie, the two objects are not equal)! This has wideraging implicatitions, one of the biggest being that if you use hashmaps or similar structrures with a Double key (given that you can't use double, because it isn't an object), they will show up as distinct entries! This may or may not be with what you want! One must mention that this behavior is clearly documented in the Java docs:

0.0d is considered by this method to be greater than -0.0d.

Then again, one must wonder how many people have read this document before running into the problem :-)

Contrasting with a few other programming languages:

  • From the few tests I've done, it seems that .NET implements Double more intuitively (ie. 0 == Double.Parse("0.0").CompareTo(Double.Parse("-0.0"))). This behavior is also consistent in collections (ie. they map to the same key in dictionaries), even though, when printed out, the two objects display the original signs. There also seems to be a (somewhat) complicated way to determine whether the given 0 is or is not zero.
  • PHP (even though it doesn't have the same boxing / unboxing features) is consistent with the way .NET handles the situation: it prints -0 / 0 respectively, but they compare as equal and are considered the same key in associative arrays.
  • In Perl, we have a behavior closer to Java: they compare as equal (again, no autoboxing), but in hashes they act as different keys.
  • Python is again closer to .NET (they compare as equal and are considered the same key in associate arrays.
  • Javascript also behaves the way .NET does (although there might be differences between the JS engine implementations of different browsers - I only tested it in FF3).
  • Ruby and Smalltalk are left as exercises to the reader :-) (they should be interesting, since they both treat numbers as first class objects, meaning - that in a way - they are closer to Java or .NET than the other languages mentioned)

There are justifications for both approaches. On the one site, it is intuitive that -0 == +0, and breaking this expectation can introduce subtle errors in the programs. On the other side, the two objects are different (for example if you print them out, one will display -0.0 and the other 0.0) so (from this point of view) it is justified that they are not equal. Just make sure that you take this into account.

Some further reading:

Wednesday, December 17, 2008

How to be the coolest DBA out there...


By managing your PostgreSQL install with your iPhone! :-D

Mixed links


From AWS running Mathematica. Mathematica was one of those programs which I dabbled with in university and found it incredibly cool, especially given my limited mathematical knowledge...

Several sites have referenced the post on SecTheory about the influence of web pages on power consumption (for example the Frequency X Blog). However I'm still not entirely convinced that we need to think at this level (yet). Still, pretty cool.

Derrick died on Saturday - it was a great TV series.

I consider myself spanked :-)


I was walking along, minding my own business and ranting about Microsoft (or more precisely an MVP - I know, I know, technically they are not part of MS), and them bammmm! The logic police got me! I was shown the error of my ways :-)

However, being the lighthearted chap that I am, I'm bothered too much by such silly things as logic or accuracy :-), so I will rant and rave without limits here, as I always did :-). Flame on! :-D

Everything old is new again - SMOG


Warning! The site which the script uses to provide the service contains a malicious iframe. While most probably the site itself is not malicious, I don't recommend using the script below until the issues have been cleared up. If you included it in your site, please disable it until the problems have been cleared up. (If you subscribe to the blog, I'll post a note when this is the case.)

As I've said many times, in the computer domain we are especially tempted to forget things that came before us, solutions that have already been found, even though there are lots of very cool things if we just dig.

For example via this Perl Advent Calendar entry I found out about SMOG - Simple Measure of Gobbledygook. It is a relatively simple formula, which claims to have "an outstandingly high 0.985 correlation with the grades of readers who had 100% comprehension of test materials". Very interesting.

So I added a button after each post title using which you can submit the given article for a SMOG evaluation. Because RSS readers usually don't render JS, you'll have to visit the blog on the web to see these buttons. If you want to add them to your blog, here is the source:

<script src=""></script>
.smog-button {
  border: 1px solid black; background-color: #dfffbf; color: rgb(51, 0, 0);
/* <![CDATA[ */
$(document).ready(function() {
  $('').each(function(i, e) {
    var titleElement = $('.post-title', e);    
    var postBodyText = $('.post-body', e).html();
    //remove <code> and <pre> entirely
    postBodyText = postBodyText.replace(/<\s*(?:code|pre)[\s\S]*?\/(?:code|pre)[\s\S]*?>/gi, '');
    //strip the other tags
    postBodyText = postBodyText.replace(/<[\s\S]*?>/gi, '');
    if (postBodyText.length < 100) return;
    //escape " and limit length
    var title = titleElement.text().substring(0, 40).replace(/"/g, '"');   
    postBodyText = postBodyText.substring(0, 10000).replace(/"/g, '"');
    $('a', titleElement).after(
      '<form name="dataForm" method="post" target = "_blank" action="">'
      + '<input type="hidden" name="document_title" value="' + title + '" />'
      + '<input type="hidden" name="user_text" value="' + postBodyText + '" />'
      + '<input type="hidden" name="service_id" value="WordsCount">'
      + '<input type="hidden" name="service_name" value="SMOG Calculator">'
      + '<input class="smog-button" type="submit" value="SMOG" />'
      + '</form>');       
/* ]]> */

PS. Most of my posts seem to have a surprisingly high SMOG score - somewhere in the some college-post-graduate degree interval - considering that English is my second language...

If you have problems using SVN with Eclipse...


make sure that you've installed the JavaHL Adapter. Otherwise you will get messages saying:

Unable to load default SVN Client

JavaHL seems to be the actual bingding to the Subversion, so it is really a mystery to me why it isn't marked as a dependency for subeclipse... Related blogposts which pointed me in the right direction:

PS. Subversion is is nicely integrated into Eclipse if you install subeclipse and I think that it should be in core, replacing CVS as the default or at least complementing it... One of my biggest pet peeves with CVS at the moment is that it doesn't have the "one commit - one unit of work" mentality and I have to perform all sorts of logparsing voodoo to answer questions like "what files were changed by commit X"?

Curious Eclipse (Java?) bug...


It seems that watchpoints are not triggered if the field is changed using reflection. A simple test program to demonstrate this:

import java.lang.reflect.*;

public class ReflectMe {
 public static int foo = 1;             //*1
 public void test() throws Exception {
  foo = 2;                              //*2
  Class c = Class.forName("ReflectMe");
  Field f = c.getField("foo");
  f.setInt(this, 10);                   //*3
  System.out.println(foo);              //*4

 public static void main(String[] args) throws Exception {
  ReflectMe r = new ReflectMe();


One would expect that a watchpoint set on foo would be triggered on the four different marked lines. However I found that it isn't triggered on line #3. At this point it is unclear to me if this is a limitation of the JVM or Eclipse and I didn't find any relevant information, so I submitted a bugreport and hope that people smarter than me can figure this one out :-).

Update: just as I suspected, the problem is that the JVM has this behavior. Thank you for the great guys and gals working on Eclipse for such a speedy response.

PS. The code where I ran into this behavior was a configuration loader which used reflection to set the values read from the configuration file (ie. you specified something = 10 and it used reflection to traverse the class hierarchy and assign the value). While very cool and has the advantage of settings "just working" with zero code for new fields, it also has some disadvantages (for example: are you sure that you want to expose your variable structures? using this method they effectively become part of your public interface) to which now I can add the problem that assignment is not observable via watchpoints (which is not a big problem if you do know what is going on - but it you don't, it can seem quite magical - and dismaying).

Please welcome a new blogger...


Tim Starling from Wikipedia. In his first blog post he talks about the challenges involved in running a website securely where users can upload arbitrary content. It is very cool and very frightening the same time (because it makes you wonder: how many of the web applications out there are verified to this degree). One cool (malicious) trick I didn't know about was running virtual requests in a loop avoid PHP time limitations.

I wish him luck with the blog and hopefully we will see much more of such high quality content there.

Monday, December 15, 2008

Security is not on most people's mind...


I was walking trough a mall when I realized the easiest way to get the floorplan for buildings (banks, hotels, any public area): evacuation plans. In Romania buildings obliged by law to display these publicly. And they do, including the backrooms... (I don't know the laws in other countries, but I would imagine that they would be similar).

The conclusion is that security is not the first (or even second or third) thing on most people's mind. The consequence for people doing security is that resources allocated will be fewer. Also, there is an expectation for security not to interfere with things which are on people's mind, making it more challenging...

Google browser security handbook


I've just finished reading the browser security handbook written by Michal Zalewski and now my head hurts :-).

This is one of the best sources of information out there for this topic, and if you do anything related to the web, you should read it! The information was out there, but distributed in a myriad of places. Great work!

On a lighter note


One (of many) very good scenes from Casablanca: "I'm shocked, shocked that gambling is going on here":

The importance of understanding - take 2


As you probably know by now, one of my pet peeve is people who pretend to know more than they actually do, and (because they get access to the right channels) spread misinformation.

The latest example comes via the Infosec Ramblings blog: a series of two articles talking about "UAC Virtualization".

<rant>The term is "File and Registry virtualization" (go look them up on the Microsoft site). The connection with UAC that they get activated the same time, but then again, by the same logic, why not call it Vista virtualization and create even more confusion? You are doing all a disservice by using non-standard lingo which is not easy to look up! There are only two possible reasons to do this: ignorance, in which case you should be stripped of titles like "MVP" or malicious intent (ie. bringing more traffic to your site by ensuring that only you use these names), where a small thing called "ethics" comes in.</rant>

Then again, maybe I should be glad that the level of knowledge about MS is evaporating, because maybe more people will move to Linux :-).

Sunday, December 14, 2008

Installing guest additions for VirtualBox with Ubuntu 8.10


I installed VirtualBox (the OSS version) from the Ubuntu repos (in hindsight it may have been better to use the VB repos, but I'm just lazy), and when I tried to install the guest additions in a WinXP VM, it complained that it can't find the VBoxGuestAdditions.iso. The solution:

Download the corresponding iso from here (make sure that you check which version of VB you have - for example I got 2.0.4 from the Ubuntu repos, even though the latest is 2.0.6).

Move it to one of the directories listed in the error message, for example:

sudo mv VBoxGuestAdditions_2.0.4.iso /usr/share/virtualbox/VBoxGuestAdditions.iso

No restart of the VM is required, the next time you click "Install Guest additions", it will work.

Friday, December 12, 2008

Making sure that your favicon works with Blogger


My favicon stopped showing up some time ago on my blogger page, but until now I was just too lazy to investigate. Turns out that blogger adds the following line in the header:

<link href='' rel='icon' type='image/'/>

Which overrides my favicon setting. The solution? Put your favicon declaration after the following line in your template:

<b:include data='blog' name='all-head-content'/>

Something like this:

<b:include data='blog' name='all-head-content'/>
<link href='' rel='shortcut icon' type='image/'/>

I tested it in FF3, Opera 9.50 and IE7 and it works in all three of them.

Hope this helps.

Don't update to PHP 5.2.7!


Or if you updated, please update to 5.2.8, since 5.2.7 contained a security regressions!

Installing *BSD under VirtualBox


I managed to install FreeBSD and OpenBSD under VirtualBox. With NetBSD I gave up :-(. Here are some tips:

  • This is a good general OpenBSD tutorial
  • If you get the following message with OpenBSD:
    uid 0 on /: file system full
    /: write failed, file system is full
    Segmentation fault
    The solution described by this VB ticket might help you. Specifically you need run the machine from the command line with the -noraw0 switch.
  • For FreeBSD choose the PCne-PCI II network card (instead of III) and 10BaseT as your media type if you want your networking to work
  • A quick starter for NetBSD: it fails to ping the DNS server in NAT mode (, but the network still works, so you can go ahead with the install.

Fetching files form PHP in a compatible way


I just finished comparing a whole bunch of OS's to determine which is the most compatible (widely available) way to fetch an external HTTP page from PHP. The winner is:

fsockopen - it was available on 100% of the tested systems. I was only interested in HTTP pages, not HTTPS, so the ssl transport might not be as widely available. One sidenote: it is interesting that many people disable "allow_url_fopen", but leave fsockopen in, even though in many cases they are one and the same thing...

Debian 4.0 CentOS 5.2 Ubuntu Server 8.04 LTS Gentoo 2008.0 IIS4 + PHP 5.2 OpenSUSE 11.0 FreeBSD 7.0 OpenBSD 4.4** WinXP + Apache 2.2 + PHP 5.2 WinXP + XAMPP 1.6.8 Slackware 12.1*
cURL installed 0 1 0 0 0 1 0 0 0 0 1 27%
wget installed 1 1 0 1 0 1 0 0 0 0 1 45%
php_curl installed 0 1 0 0 0 0 1 0 0 1 1 36%
php_curl enabled 0 1 0 0 0 0 0 0 0 0 1 18%
sockets installed 1 1 1 1 1 1 1 1 1 1 1 100%
sockets enabled 1 1 1 1 1 1 1 1 1 1 1 100%
url_fopen enabled 1 1 1 0 1 1 1 0 1 1 1 82%


*mod_php is not enabled by default
** php installed with pkg_add php5-core

Mixed links


An interesting story about sniffing VPN (or more correctly: what the user thought to be VPN). This shows that you always have to be alert.

Why is the web the default development platform? - completely agree with all the points (and also most of the points made in the comments). One additional thing is: instant update. As soon as you add a feature / fix it bug, it is instantly available to all of your users (this can also be somewhat of a problem - if you want to do AB comparisons for example by giving different users different experience).

From be same blog: Why XSS filtering is hard? I'd recommend this to anyone doing web development.

Google Native Code. A solution looking for a problem. There are many mature solutions for this problem, some of them open source, some of them not. Google seems to be reinventing the wheel too much lately.

The new Paul McCartney album is out. You can listen to it online on the site. Unfortunately it is too soft for me.

SHA-3 related site:

Paranoia is good: How The Cloud Destroys Everything I Love (About Web App Security)

Can good programmers be part of a SDLC?


From the security balance blog. SDLC is the Security Development Lifecycle for all of you non-acronym junkies :-).

I disagree with the definition of "good programmer". In my opinion being a good programmer is not just about being able to bang out X lines of quality code per hour. It's about knowing your limits, and searching for ways to extend them (static analysis, metrics, continuous integration, unit testing - these are all about keeping yourself in check). No one is infallible and the most dangerous people are the ones who believe they are. Such cowboy / wild west programming only leads to problems.

In conclusion: good programmers by definition are willing to embrace solutions (be they technical or procedural) to extend their limits. Those who don't - are not good programmers, they are a liability.

Does AV more harm than good?


This article is one of the best description of the current situation that I've seen out there. Some of juicy bits:

This comfort and confidence is the problem - if this user had learned the basics about how malware works and is spread, and been educated on the simple day-to-day activities which put them at risk, I would argue that at some point, this knowledge would be more effective at stopping the infection than the anti-virus software.

So does anti-virus software make us less secure? Not really, it's the false sense of security it invokes and confidence in these solutions to make us 100% secure that make us less secure.

Go on and read the rest of it.

Fixing a hibernation problem with Intel network cards


I had a problem with hibernating a Windows XP system containing an on-board Intel(R) 82566DC Gigabit NIC. The hibernation was ok, but it would wake up in a couple of seconds after shutting down. Today I looked around a little more and found the following setting: "Wake On Directed Packet". Unchecking it solved the problem.

To do this, go to your network connections folder, right click on your connection and select properties. Press the "Configure" button. Go to the power management tab and uncheck the box. Warning! Changing this setting will temporarily interrupt your network connection just like when you disable TCP checksum offloading. Also, probably this option is available on other network cards too, not just Intel ones.

The importance of understanding


I found the paper .NET Framework Rootkits: Backdoors inside your Framework via the Security4All blog some time ago. It is an interesting article about modifying the basic .NET libraries such that they do other things than what they were intended (for example log any traffic going trough sockets).

However it seems to have created some confusion in people's head who didn't understand the implications of it and concluded that ".NET + Rootkit == MS is insecure!". As it is correctly pointed out on the Paint.NET blog (an in the paper, not that anyone bothered to read it :-( ), this is not a method to to "p0wn" the computer. What it is:

  • A method to remain on the computer once administrative access has been gained
  • A method to steal / inject data in .NET programs
  • A less usual method, meaning that automatic detection support is limited (although forensic analysis of the machines would uncover it)
  • A general idea to subvert the library level of runtimes which can be applied to any language which brings a set of libraries with it (Java, Perl, Python, PHP, ...) on any system.

In conclusion: it's not as bad as the IE 0 day which seems to include IE 6 trough 8 :-(, but something to have in mind when looking at compromised systems...

Nice validation technique


Reading the Paint.NET blog I found this post about parameter validation. It is a very cool one for at least three reasons:

  • Makes the code more readable. Making the code such that readers can infer (correctly!) what the code does without additional comments is very useful.
  • Makes the code shorter.
  • Can be easily adapted into any OO language (the examples are given in C#, but it is trivial to port it over to Java for example).

The method itself consists of creating a Validator class with methods named intuitively (like isNull, isNotNull, isInRectangle, etc) that can be chained, so that you can write something like this:

  .isInRectangle(p, rect)

Now you can either throw exceptions individually, or accumulate them and throw them together. A very nice technique indeed.

Thursday, December 11, 2008

The Monty Python YouTube channel


Found this via the net@night podcast. Warning! Very funny, it will make you laugh out loud! :-)

The Monty Python YouTube channel

The big java regex shoutout


I discovered recently that the built-in java regex library has problems with some expressions, so I set out to find alternatives.

Searching for regex benchmarks, I found the following page: Java Regular expression library benchmarks (it also has an older version). The original IBM article also contains a benchmark. However both of these resources are a little dated, so I thought that I'll remake the benchmark. Below are the results. I've only given relative results, because the exact times are irrelevant:

Packages Failures Time
java.util.regex.* 1.6 0 6
dk.brics.automaton.* 1.7.2 3 1
gnu.regexp.RE 1.1.4 0 175
jregex.* 1.2.01 0 5
com.karneim.util.collection.regex.* 1.1.1 3 2
org.apache.regexp.* 1.5 0 100
com.stevenrbrandt.ubiq2.v10.pattwo.* 0 176
kmy.regex.util.* 0.1.2 5 2

How to read the table? The failures column means that (a) either the library created exceptions or (b) failed to correctly match strings. These libraries will have shorted times because they effectively skipped some tests.

My conclusion is: the built in library is very good (and widely available). Try to stick with it. Also, porting regular expressions between engines can be very tricky, even if they use only a few more "exotic" features (like backreferences). The more such features you use, the less chance you have of changing out the regex library implementation and not have any problems. The best thing is if you have unit tests to confirm that you match / reject what you intend.

Update: download the source code for the benchmark here (available under the GPL v3 license).

If Wireshark complains about incorrect cheecksums...


You most probably have TCP checksum offloading enabled in your NIC. You can disable it, just know that enabling/disabling it will probable reset your network stack (so don't do it on remote system).

PS. This is not always the case, I've seen the same error message on systems which didn't have TCP checksum offloading (and no, the NIC wasn't bad, I've tested it using a bootable CD).

Installing Ubuntu 8.04 LTS in VirtualBox


If you try to install Ubuntu 8.04 in VirtualBox (I've tried the server version, probably the same is true for the Desktop version) and you get the following error:

The complete Message is: The kernel requires the following features not present on the CPU

Unable to boot - please use a kernel appropriate for your CPU

Then the problem is that the installer decided to set up a PAE kernel and you don't have PAE enabled for the VM. There are two possible solutions: change the installed kernel (harder) or enable PAE for the VM (easier). To do this, perform the following steps:

  1. Make sure the VM is stopped
  2. Go to Settings -> General -> Advanced tab -> check "Enable PAE/NX"
  3. Save the settings. The VM should boot now...

Found it here.

Gentoo "quick" install


I'm playing around with different distros in VirtualBox, and happened to try Gentoo. Boy, what a fun that was :-)

The first indication that something is wrong was the fact that they had a quick install guide, which didn't seem all that quick...

After failing to make it start (twice), I searched around and found this blog post: HOWTO: Create a Gentoo Guest OS within VirtualBox. Even though it was referring to an older version of Gentoo, I managed to pull trough. One thing you have to change is the name of the "package" (I'm not 100% that this is the correct terminology) for the DHCP client. Now it is simply named dhcp (rather than dhcpcd), so you should do "emerge dhcp". BTW, the same mistake is present in the official Gentoo "quick install" documentation!

After installing Gentoo, I wanted to create a minimal Apache + PHP setup. Again, I was hitting walls, because Gentoo seems to have changed the package names referring to PHP and all the instructions out there kept using the old names. Finally I found this link (sorry, it is in Romanian). The gist of it is:

The packages are in "dev-lang/php". When installing it you have the following options:

  • cgi - install PHP as CGI
  • cli - install PHP CLI
  • apache - install mod_php for Apache 1.3.X
  • apache2 - install mod_php for Apache 2.0.X (no Apache2.2 support?)

Specify the options you need separated by spaces:

USE="cli apache2" emerge 'dev-lang/php'

Conclusion: Gentoo is one of those distros which is hard to install and has many hard edges. IMHO my experience shows the need for documentation, or at least an active user community (if your community isn't large enough, people won't try to do the same thing over and over, and thus the information available on the web will get outdated).

Wednesday, December 10, 2008

The state of desktop security


I downloaded the Secunia PSI on one of the Windows computers I maintain, thinking "surely, I'm pretty good about updating stuff, it won't find big things". Well, I was sadly mistaken. The top culprits are:

  • Java for not uninstalling older releases when never ones get installed
  • Non functioning auto-update features. Two examples would be Java and VLC, both of them set to check for updates daily, but none of them being actually up to date.
  • Flash with its half-install (the kit either installs it for FF/Opera/Safari or for IE). Because I updated it using FF, IE was left with the older version.
  • MS Office 2003 - I have no plan of updating to 2007, so I'm left with 2003.

The conclusion: trust, but verify. Run the PSI now! (yes, it is a little annoying - especially that it wants to sit in the tray and give you messages from time to time - but that can be disabled). Make sure you're patched. This is an other example for the need for defense in depth: you can't trust one entity to get things right. The beauty of the PSI is that it doesn't need to be constantly running, thus it doesn't increase the attack surface and doesn't drain system resource (like some other on-line, always running applications).

PS. Seeing this I can fully agree with Secunia's numbers that less than 2% of all the computers out there are fully patched. Some poo-poo-ed the number saying that the sample size was too small, even though Secuina (rightly) pointed out that the sample set was most probably biased towards the more security conscious people, the real situation out there being much worse! Seeing is believing!

Tuesday, December 09, 2008

Lightning openSUSE review


Recently I had the opportunity to install Linux on a laptop, and I thought that I should widen my experiences, so I choose openSUSE 11.0. Unfortunately I wasn't very successful, so most probably I will end up going with an other OS (I'm still undecided between Fedora 10, or maybe I should just lick my wounds and run back to Ubuntu :-))

The good:

  • Polished interface
  • Gives the option to use encrypted partitions from the start (very useful for laptops)
  • Gives the choice between multiple desktop environments (Gnome, KDE 3, KDE 4)
  • They offer a tool from the boot CD (DVD) which does various tests on your hardware (the laptop did have some warnings :-( )
  • Flash and codecs included

The bad (in no particular order):

  • You have to download an entire DVD! This wasn't so bad because I found an empty DVD lying around and using BitTorrent the speed was quite good, however it would be nice if they would provide a CD version (it could fetch the needed packages later). Maybe the LiveCD can do that, however it isn't clear from their site.
  • The predefined packages are strange... Development didn't include "eclipse"...
  • Also, they included a beta version of FF3. Fortunately this was resolved after the first update. However they do use the 2.4 version of OpenOffice (instead of 3). From what I understand they maintain a fork of OO at which provides better compatibility with the MS "open" formats (and their splash screen does look nicer :-)), however they should IMHO contribute to the trunk OO...
  • The installer locked up the first time I tried to use it at the package enumeration stage. I've tested the media and it found no problems and worked the second time... (I also looked in the text console to see some hint for the lookup, but couldn't find any information)
  • The update tool said after the initial install that I had 1 package to update, however when I clicked it, it started to download a long list of packages with no indication of the remaining number of packages...
  • The GRUB screen always displayed the list of available kernels. This didn't bother me that much, however it isn't really suitable for a beginner user (and AFAIK no other distro does it this way, unless there are multiple OS's installed - which in this case weren't)
  • There are some funky UI choices... For example the package manager displays the selected package with bold, instead of painting the background, which made it unclear for me at the start if the package is installed or not.
  • After the update my touchpad stopped working (fortunately I found some information on their forum and was able to fix it)
  • It didn't work with the laptop wifi-toggle button. Finally I just disabled the wifi killswitch from the BIOS.
  • The modified "start menu" just didn't work out for me. IMHO the space dedicated to displaying program icons is too small and having to perform several operations (clicks) to get the full list in unacceptable. Also, the "recently used" list was very "jumpy" (changing too frequently).
  • Finally, it completely got hosed when I tried installing the VirtualBox kernel modules in a very strange way (I kept entering the wireless password, but it kept refusing it and showing what seemed to be an MD5 hash). I didn't find anything on the 'net, and the IRC channel was completely silent, although there were a fair number of users present. I assume that the community is centered around a timezone different from mine...

PS: I'm sure that the problems that I had are partially due to my lack of experience with openSUSE and are partially personal preferences. So take it with a grain of salt.

Sunday, December 07, 2008

What to do if your touchpad (trackpad) stops working under openSuse?


Symptoms: your touchpad works on the login screen, however once you've logged it, you can't move the mouse cursor. I experienced it under openSuse, however it may alos come up under other Linux versions using Gnome.

The problem: the maximum/minimum speed got reset to 0.

The solution (this is openSuse specific):

  1. Start the control center (Ctrl+F2 -> gnome-control-center). You should be focused in the search box
  2. Type in "Touchpad" (probably a prefix of it like Touch will also do). Tab your way to the "Touchpad" icon (I needed to press "Tab" 4 times) and press Enter
  3. Now you should see the "Touchpad Preferences" window. You can navigate it using the following keys:
    • Tab to navigate between the controls
    • Ctrl+PageUp / Ctrl+PageDown to navigate between the pages
    • Space to check/uncheck options
    • Left / Right arrow keys to change sliders
  4. Make sure that none of the sliders are all the way to the left. Also make sure that the "Enable Touchpad" option is checked. The effect is instantaneous, you don't need to click any Ok / Apply button (Gnome style).

Hope this helps.

Mixed links


Open cooperation at its best. Remember: if you use open source software, try giving feedback when possible.

Monitor testing software:

A rant about penetration testing. I agree, testing should be done in cooperation with the security team (making it more a design review / validation session) and unless actions are taken, it is pointless.

No more antiphising protection for FF2, because the API it uses is deprecated by Google. Oh well, an other reason to update to FF3.

New ethical hacker challenge


Santa Claus is Hacking in Town. Enjoy.

Thursday, December 04, 2008

Distinct product lines, how I love the


Citing from Wikipedia:

The following modern Intel processors include support for VT-x:

  • Pentium 4 662 and 672
  • Pentium Extreme Edition 955 and 965 (not Pentium 4 Extreme Edition with HT)
  • Pentium D 920-960 except 945, 925, 915
  • Core Solo U1000 series (not T1000 series)
  • Core Duo T2300, T2400, T2500, T2600, T2700 only, plus L2000 and U2000 series
  • Core 2 Solo (all versions)
  • Core 2 Duo all except E8190, E7xxx (except 7300), E4xxx, T5200-T5550, T5750
  • Core 2 Quad all except Q8200
  • ...

Remark all the exceptions! Now try to find a laptop which does support hardware virtualization :-(. On the bright site: you can try to search on by the processor code (ie T5200), however you have to take even this information with a grain of salt, since I received contradicting results for some queries...

Security is a process


Security is like art: it's never done, just abandoned :-). So here are 3 free tools which you might want to regularily run in your environment to check for well known problems: