Page 23

Asterisk* got me the idea to

  1. Grab the nearest book.
  2. Open the book to page 23.
  3. Find the fifth sentence.
  4. Post the text of the sentence in your journal along with these instructions.

Now the book happens to be Security Warrior by Cyrus Peikari and Anton Chuvakin, O’Reilly. The quote is:

Before beginning your practical journey, there is one final issue to note.

So: nothing fancy. But the book is great. It reads like a crime novel, despite being a tech book (I don’t read much else these days).

Back from vacation

I was away over the Easter days and now that I’m back, I had to see that my blog has somehow been discovered by the various spammers around here: I’ve just deleted 10 spam entries from the comments.

Those entries are primarily made to get a better PageRank at Google, but since I’ve upgraded to Movable Type 2.665, which uses a redirector for all links, this does not get the spammers anything, so it’s just annoying and does not even bring profit to those f***ing spammers.

Why is there always someone to destroy something good?

Speed up

Maybe you have noticed that this page loads faster than before – especially faster than it did in the last two weeks or so. Maybe you wonder, too, why there was this downtime at the end of March.

I won’t go into many details, but gnegg.ch (and a whole lot of other stuff) is now running on a brand new server (a slightly faster machine) with Gentoo Linux using a 2.6.4 kernel.

This is due to some sucker hacking into the older machine last March, installing a quite destabilizing rootkit (thanks for that… it led me to notice the crack quite fast…), modifying a lot of HTML files and php.ini so that nearly every page served contained an IFRAME utilizing an IE exploit to install some kind of dialer (the IFRAME linked to forced-action.com). The wonderful and gratifying work of this unknown and soooo cool guy caused me to return home from vacation to do some rescue work.

This is not the usual stinking phpNuke exploit (we were not running phpNuke anyway), as that would not lead to a rootkit getting installed.

Again: many thanks for your “hard work”, dear anonymous hacker. You got me the much needed opportunity to finally install Gentoo. And not only that: you even got me a faster server to work on (to prevent any further downtime during reinstallation of the new OS). Now that this episode has finally come to an end, I will have a look at those disk images I took from the compromised machine. Let’s see what I find out.
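A first triage pass over such a disk image, as an added example (this is not code from the original post or from the compromised site): it walks a copy of the web root, flags IFRAMEs that point at a known bad host or are hidden, and checks php.ini for auto_prepend_file / auto_append_file. The host forced-action.com is the indicator from the post; that php.ini was abused through those two include directives is an assumption (the post only says php.ini was modified), and the sample tree below is constructed, not real data.

```python
"""Triage scan for injected IFRAMEs and php.ini auto-include hooks.

Added example; not code from the original post. The host forced-action.com
is taken from the post. That php.ini was abused via auto_prepend_file /
auto_append_file is an ASSUMPTION. The sample docroot is constructed inline.
"""
import re
import tempfile
from pathlib import Path

SUSPICIOUS_HOSTS = {"forced-action.com"}          # indicator from the post
WEB_SUFFIXES = {".html", ".htm", ".php", ".phtml", ".inc"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
# zero-sized or invisible frames: the usual shape of a drive-by injection
HIDDEN_RE = re.compile(r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""", re.I)
# assumed php.ini abuse: include a file before/after every script served
PHP_HOOK_RE = re.compile(r"^\s*(auto_prepend_file|auto_append_file)\s*=\s*(\S+)", re.I | re.M)


def host_of(url):
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def is_suspicious_host(host):
    return any(host == h or host.endswith("." + h) for h in SUSPICIOUS_HOSTS)


def scan_file(path):
    """Return (file, reason, detail) tuples for one file."""
    findings = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    for tag in IFRAME_RE.findall(text):
        m = SRC_RE.search(tag)
        src = m.group(1) if m else ""
        if is_suspicious_host(host_of(src)):
            findings.append((str(path), "iframe to known bad host", src))
        elif HIDDEN_RE.search(tag):
            findings.append((str(path), "hidden iframe", src))
    if path.name.lower() == "php.ini":
        for directive, value in PHP_HOOK_RE.findall(text):
            findings.append((str(path), "php.ini " + directive.lower(), value))
    return findings


def scan_tree(root):
    """Scan every web file and php.ini below root; order is deterministic."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and (p.suffix.lower() in WEB_SUFFIXES or p.name.lower() == "php.ini"):
            findings.extend(scan_file(p))
    return findings


def build_sample_docroot():
    """Constructed stand-in for the compromised docroot (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="docroot_"))
    (root / "index.html").write_text(
        "<html><body>Welcome\n"
        '<iframe src="http://forced-action.com/dialer.html" width=0 height=0></iframe>\n'
        "</body></html>\n")
    (root / "about.html").write_text(
        '<html><body><iframe src="http://www.example.org/map.html" width="400"></iframe></body></html>\n')
    (root / "contact.php").write_text(
        '<?php echo "contact"; ?>\n<iframe style="display:none" src="http://other.example/x"></iframe>\n')
    (root / "etc").mkdir()
    (root / "etc" / "php.ini").write_text(
        "; constructed php.ini\nauto_prepend_file = /tmp/.x/inc.php\n;auto_append_file =\nmemory_limit = 8M\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_docroot()):
        print("%-40s %-26s %s" % f)
```

Run it against the mounted image rather than the live box: the scan only reads, so it leaves timestamps on the image intact, and the commented-out `;auto_append_file =` line shows that a disabled directive is not reported.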

Why oh why is my hard drive so small?

I have the whole Windows profile on its own NTFS partition that I’ve mounted to the “Documents and Settings” folder, so I can easily copy my clean Windows image over the current system partition without losing any data. So my profile is about a year old, whereas the system partition is quite clean.

Yesterday I asked myself why the free space on my profile partition keeps shrinking over time without me installing that much stuff (and removing it from time to time). Just by accident I found out: it’s Windows Installer. Whenever I’m installing one of those .msi files (or .EXE-based InstallShield installers using MSI technology), a whole lot of junk gets into my profile and is never removed:

  • *.msp: MSP files are like MSI files, but are used to patch an existing installation. I currently have 253 MB’s worth of MSP patches in my profile (Local Settings\Temp). Value: unknown, because Windows Installer is nowhere near documented enough.
  • msi*.log: log files of MSI installations. No value whatsoever. I have 106 MB worth of MSI log files in my profile.
  • *.msi: Whenever I install an MSI file (or an exe-based MSI installer), the MSI file is copied somewhere. Although it’s not in the profile, I have 217 MB worth of spare .MSI files on my hard drive – not counting the ones I have downloaded to my download directory.

So: I have about 600 MB worth of data which has no real purpose on my computer, and I don’t know whether I can delete it or not, as MSI is not really documented (there’s just some technical documentation for developers available).

Another nice sample of how strange Windows Installer can be: all CHM-based help files recently stopped working, with a Windows Installer message asking me to provide the path to pgadmin2.msi – a Postgres frontend which I deleted ages ago. Just now that I have removed the MSI installer from the original download directory, MSI wants to access it when doing things that don’t even remotely have to do with the file it asks for. Why?
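Two editor’s notes on the above, plus an added example (not code from the original post). The “somewhere” the .msi gets copied to is %windir%\Installer, Windows Installer’s package cache; uninstall and repair read from it, so it is the one directory a cleanup must leave alone. The pgadmin2.msi prompt is Windows Installer’s self-repair: using an entry point registered by an installed product (a shortcut, a file type, a COM class) while one of that product’s components is missing triggers a reinstall, which asks for the original source when files have to be copied back. The script below inventories the three patterns from the list above, keeps the cache separate, and builds a constructed directory tree so it runs anywhere; the real paths are assumptions.

```python
"""Inventory of the Windows Installer leftovers listed above.

Added example, not from the original post. Groups files by the three
patterns from the post (*.msp, msi*.log, *.msi), sums their sizes and
reports anything under the Installer cache separately. The directory
layout is constructed inline; real paths are assumptions.
"""
import fnmatch
import tempfile
from pathlib import Path

CATEGORIES = [("msp patches", "*.msp"), ("msi logs", "msi*.log"), ("msi packages", "*.msi")]
CACHE_KEY = "installer cache (keep)"


def classify(name):
    lname = name.lower()                      # NTFS names are case-insensitive
    for cat, pattern in CATEGORIES:
        if fnmatch.fnmatchcase(lname, pattern):
            return cat
    return None


def inventory(roots, cache_dir=None):
    """Return {category: (file_count, total_bytes)} over every root given."""
    cache = Path(cache_dir).resolve() if cache_dir else None
    totals = {}
    for root in roots:
        for p in Path(root).rglob("*"):
            if not p.is_file():
                continue
            cat = classify(p.name)
            if cat is None:
                continue
            if cache is not None and cache in p.resolve().parents:
                cat = CACHE_KEY               # needed for uninstall/repair
            count, size = totals.get(cat, (0, 0))
            totals[cat] = (count + 1, size + p.stat().st_size)
    return totals


def removable_bytes(totals):
    """Bytes outside the cache: the candidates for cleanup."""
    return sum(size for cat, (_, size) in totals.items() if cat != CACHE_KEY)


def build_sample_tree():
    """Constructed layout mimicking a Windows 2000 profile and %windir%."""
    base = Path(tempfile.mkdtemp(prefix="msi_"))
    profile = base / "profile"
    temp = profile / "Local Settings" / "Temp"
    windir = base / "WINNT"
    cache = windir / "Installer"
    for d in (temp, cache, windir / "Temp"):
        d.mkdir(parents=True)
    (temp / "3f2a1.msp").write_bytes(b"\0" * 3000)
    (temp / "MSI1a2b.LOG").write_bytes(b"x" * 1000)
    (windir / "Temp" / "setup_copy.msi").write_bytes(b"\0" * 5000)
    (cache / "1a2b3c.msi").write_bytes(b"\0" * 2000)
    (temp / "notes.txt").write_bytes(b"unrelated")
    return profile, windir, cache


if __name__ == "__main__":
    profile, windir, cache = build_sample_tree()
    totals = inventory([profile, windir], cache)
    for cat, (n, size) in sorted(totals.items()):
        print(f"{cat:24s} {n:4d} files {size / 1e6:8.2f} MB")
    print(f"cleanup candidates: {removable_bytes(totals) / 1e6:.2f} MB")
```

On a real machine, pass the profile directory and %windir% as the roots and %windir%\Installer as cache_dir; the logs and patches in Local Settings\Temp are the part that can go, the cache is not.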

Microsoft: if you sell us your installer technology as the non-plus-ultra solution for the old problems with overwritten DLLs, incomplete installations and such, please fix your tool or at least document it properly!

All this fuss about Gmail

When reading the news on the web, one thing is on everyone’s lips: Google’s email service Gmail. What I cannot understand is the fuss about Gmail’s privacy policy. The following two points are what everyone seems to be so upset about:

Residual copies of email may remain on our systems, even after you have deleted them from your mailbox or after the termination of your account.

I ask you: so what? Just imagine how this service is going to work: Google has thousands of computers running – that’s their philosophy. For me it’s just clear that the whole concept would not work if there were just one copy of each email message available. Think of it: every message that enters the system surely is replicated among the many cluster nodes at Google. This is an ongoing process. And it’s just the same with a deletion: once you delete the message, this process must be replicated among the cluster nodes. It’s just not feasible to instantly remove a message on 100’000 computers. And: while receiving and displaying a message to the user must have absolute priority, processor time and network usage can be saved if deletion requests in the cluster are handled with lower priority.

For me, this clause does not mean: “We will keep your mail forever because we want to know everything you do and are”, but “to provide the optimal service for you, there may be some technical limitations that prevent a message from being immediately deleted from 100’000 computers at the same time”. It’s great that Google tells us about this. What about Hotmail? Can they guarantee instant deletion? Don’t they run a cluster?

Google’s computers process the information in your email for various purposes, including formatting and displaying the information to you, delivering targeted related information (such as advertisements and related links), preventing unsolicited bulk email (spam), backing up your email, and other purposes relating to offering you Gmail.

This is so plain and simple. Tell me of one web-based email service that does not do the very same thing. The thing everyone is concerned about is the “delivering related information” part. But this does not mean that the computer or anyone else really “reads” your email. It just tells you that the content displayed in your web browser is analyzed and that targeted advertising is added. Tell me about any other web-based email service that does not do that.

So for me this is a whole lot of hot air and really unjust: where the privacy policies of other services just don’t tell you those (obvious) things, Google’s does, and everyone complains about it. I hate the press.

RealPlayer – Usable again?

The last time I installed RealPlayer was back in ’96 or so. Since then they have added more stupid icons, popup windows, sales pitches and similarly useless features with every new release, while going to great lengths to hide the free download, giving the impression that one has to pay to view RealVideo content.

It looks like they finally saw that being nasty and cluttering users systems with trash does not get them anywhere…

Not that you should get the impression I’m actually visiting the linked page regularly, but it was linked on Slashdot today.

Quote of the day

While reading LWN today, I stopped at the following quote as posted in this week’s PostgreSQL Weekly News:

While there was some subversive discussion about source control
programs arching through the mailing lists this week, those with an eye on
the CVS repository noticed several interesting changes come down the pike.

With the whole war going on about whether Subversion or arch is better, this phrase is just great.

Another unobvious Windows problem

I have quite a lax administration policy concerning our network, which is possible as long as we don’t have that many machines and employees: I, for my part, do not place many restrictions on our employees’ choice of hardware and OS. They should work with whatever they want. Only restriction: the OS must be multi-user capable (meaning: no Windows 9x), and if the employee wants access to our file server it must somehow support the SMB protocol.

Lukas, on the other hand, adds another requirement to the list above: the system must somehow provide support for our Exchange-based groupware. This can be native access or via the web interface.

So yesterday, someone wanted to add his computer to our network. It’s an IBM ThinkPad running Windows 2000 in a highly tweaked installation which should be preserved at all costs. Every other administrator would insist that at least the corporate configuration be enforced, but I don’t care and put the user’s satisfaction above any easing of my own task, so I let him keep his setup, but suggested that he join our Windows domain to make his life easier (no logging in to our file server, better Exchange support (remember: Lukas’ condition)).

After some initial problems with the installed personal firewall (have I told you that I hate them? Yes, I have), I went on and tried to join our Windows 2003 domain. After quite a long wait, the only thing I got was “Access Denied”. A quick look at the server’s event log showed nothing but success messages.

Googling did not help (much), but told me about a certain netsetup.log Windows is supposed to create on the client (it’s in %windir%\Debug). Here’s the log I got:

03/30 16:19:28 -----------------------------------------------------------------
03/30 16:19:28 NetpDoDomainJoin
03/30 16:19:28 NetpMachineValidToJoin: 'THINKPAD'
03/30 16:19:28 NetpGetLsaPrimaryDomain: status: 0x0
03/30 16:19:28 NetpMachineValidToJoin: status: 0x0
03/30 16:19:28 NetpJoinDomain
03/30 16:19:28 	Machine: THINKPAD
03/30 16:19:28 	Domain: office.sensational.ch
03/30 16:19:28 	MachineAccountOU: (NULL)
03/30 16:19:28 	Account: office.sensational.ch\pilif
03/30 16:19:28 	Options: 0x3
03/30 16:19:28 	OS Version: 5.0
03/30 16:19:28 	Build number: 2195
03/30 16:19:28 	ServicePack: Service Pack 4
03/30 16:19:28 NetpValidateName: checking to see if 'office.sensational.ch' is valid as type 3 name
03/30 16:19:28 NetpValidateName: 'office.sensational.ch' is not a valid NetBIOS domain name: 0x7b
03/30 16:19:28 NetpCheckDomainNameIsValid [ Exists ] for 'office.sensational.ch' returned 0x0
03/30 16:19:28 NetpValidateName: name 'office.sensational.ch' is valid for type 3
03/30 16:19:28 NetpDsGetDcName: trying to find DC in domain 'office.sensational.ch', flags: 0x1020
03/30 16:19:43 NetpDsGetDcName: failed to find a DC having account 'THINKPAD$': 0x525
03/30 16:19:43 NetpDsGetDcName: found DC '\\durin.office.sensational.ch' in the specified domain
03/30 16:19:43 NetUseAdd to \\durin.office.sensational.ch\IPC$ returned 5
03/30 16:19:43 NetpJoinDomain: status of connecting to dc '\\durin.office.sensational.ch': 0x5
03/30 16:19:43 NetpDoDomainJoin: status: 0x5

Not very useful, apart from: NetUseAdd to \\durin.office.sensational.ch\IPC$ returned 5

As the last entry was something about a status 0x5 and the error was “Access Denied”, I figured that this “returned 5” must mean “Access Denied” too. (It does: 5 is the Win32 error code ERROR_ACCESS_DENIED. The 0x525 two lines earlier is ERROR_NO_SUCH_USER and only says that the machine account THINKPAD$ does not exist yet, which is expected before a first join; the IPC$ connection to the DC is the step that actually fails.)

A quick try to access the server showed me that I was right: I could not access any share – my password was not accepted (despite the server’s security log telling me otherwise).

Finally the guy owning the notebook had an idea: he had disabled Windows 2000’s packet signing and encryption via Administrative Tools/Local Security Policy. Enabling it and rebooting finally did the trick. When asked why he did so, he said that it would greatly speed up access from a PC running Windows 98… (The reason it breaks the join: Windows Server 2003 domain controllers require SMB signing by default, so a client with “Digitally sign client communication” switched off under Local Policies/Security Options cannot set up the IPC$ session the join needs, and the DC’s refusal surfaces as a plain Access Denied.)

What did I learn: maybe my policy is a bit too lax, and if I keep it, I should at least not try to fix problems I’m getting with it (it would have worked perfectly well without joining the domain).
What do you learn: if you have the same problem, here’s the solution. And this is what this blog is for.
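A small triage tool for exactly this kind of netsetup.log, as an added example (not code from the original post): it pulls the join parameters and every status or return code out of the log, decodes the Win32 codes that turn up in join logs (values from winerror.h), separates the expected noise (0x7b from the NetBIOS name test, 0x525 for the not-yet-existing machine account) from the first real failure, and suggests what to check. SAMPLE_LOG is the log from the post, re-typed as test input with tabs replaced by spaces; the hint text is the editor’s, not Microsoft’s.

```python
"""Triage a netsetup.log from a failed domain join.

Added example, not part of the original post. Win32 error values are from
winerror.h; the hints are editorial. SAMPLE_LOG is the post's log re-typed.
"""
import re

WIN32_ERRORS = {0x0: "SUCCESS", 0x5: "ERROR_ACCESS_DENIED", 0x35: "ERROR_BAD_NETPATH",
                0x7b: "ERROR_INVALID_NAME", 0x51f: "ERROR_NO_LOGON_SERVERS",
                0x525: "ERROR_NO_SUCH_USER", 0x52e: "ERROR_LOGON_FAILURE",
                0x54b: "ERROR_NO_SUCH_DOMAIN", 0x775: "ERROR_ACCOUNT_LOCKED_OUT"}

# Non-zero codes that are normal during a first join, not the failure.
EXPECTED_NOISE = {0x7b: "DNS-style name rejected as NetBIOS name; the DNS check follows",
                  0x525: "machine account does not exist yet; normal before the first join"}

LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) (.*)$")
FIELD_RE = re.compile(r"^\s*(Machine|Domain|MachineAccountOU|Account|Options|OS Version|Build number|ServicePack):\s*(.*)$")
CODE_RE = re.compile(r"(?:returned\s+(\d+)|(0x[0-9a-fA-F]+))\s*$")


def decode(code):
    return WIN32_ERRORS.get(code, "unknown 0x%x" % code)


def parse_netsetup(text):
    """Return (join parameters, list of {time, step, code, text} events)."""
    fields, events = {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, body = m.groups()
        f = FIELD_RE.match(body)
        if f:
            fields[f.group(1)] = f.group(2).strip()
            continue
        if "flags:" in body:            # DsGetDcName flags, not a status code
            continue
        c = CODE_RE.search(body)
        if not c:
            continue
        code = int(c.group(1)) if c.group(1) is not None else int(c.group(2), 16)
        events.append({"time": ts, "step": body.split(":")[0].strip(), "code": code, "text": body.strip()})
    return fields, events


def first_failure(events):
    """First non-zero code that is not expected noise, or None."""
    for e in events:
        if e["code"] != 0 and e["code"] not in EXPECTED_NOISE:
            return e
    return None


def hint(failure):
    if failure is None:
        return "no failing step found"
    if failure["step"].startswith("NetUseAdd") and failure["code"] == 0x5:
        return ("IPC$ session to the DC refused although the account is valid: check the "
                "client's SMB signing policy (Windows 2003 DCs require signing; in the post "
                "it had been switched off under Local Security Policy)")
    if failure["code"] == 0x52e:
        return "wrong user name or password for the join account"
    return decode(failure["code"])


def report(text):
    fields, events = parse_netsetup(text)
    out = ["join of %s to %s as %s" % (fields.get("Machine", "?"), fields.get("Domain", "?"), fields.get("Account", "?"))]
    for e in events:
        note = EXPECTED_NOISE.get(e["code"])
        out.append("%s %-24s 0x%-4x %s%s" % (e["time"], e["step"][:24], e["code"], decode(e["code"]),
                                             "  (%s)" % note if note else ""))
    fail = first_failure(events)
    if fail:
        out.append("first real failure: %s" % fail["text"])
        out.append("hint: %s" % hint(fail))
    return "\n".join(out)


SAMPLE_LOG = r"""03/30 16:19:28 NetpDoDomainJoin
03/30 16:19:28 NetpMachineValidToJoin: 'THINKPAD'
03/30 16:19:28 NetpGetLsaPrimaryDomain: status: 0x0
03/30 16:19:28 NetpMachineValidToJoin: status: 0x0
03/30 16:19:28 NetpJoinDomain
03/30 16:19:28     Machine: THINKPAD
03/30 16:19:28     Domain: office.sensational.ch
03/30 16:19:28     MachineAccountOU: (NULL)
03/30 16:19:28     Account: office.sensational.ch\pilif
03/30 16:19:28     Options: 0x3
03/30 16:19:28     OS Version: 5.0
03/30 16:19:28     Build number: 2195
03/30 16:19:28     ServicePack: Service Pack 4
03/30 16:19:28 NetpValidateName: checking to see if 'office.sensational.ch' is valid as type 3 name
03/30 16:19:28 NetpValidateName: 'office.sensational.ch' is not a valid NetBIOS domain name: 0x7b
03/30 16:19:28 NetpCheckDomainNameIsValid [ Exists ] for 'office.sensational.ch' returned 0x0
03/30 16:19:28 NetpValidateName: name 'office.sensational.ch' is valid for type 3
03/30 16:19:28 NetpDsGetDcName: trying to find DC in domain 'office.sensational.ch', flags: 0x1020
03/30 16:19:43 NetpDsGetDcName: failed to find a DC having account 'THINKPAD$': 0x525
03/30 16:19:43 NetpDsGetDcName: found DC '\\durin.office.sensational.ch' in the specified domain
03/30 16:19:43 NetUseAdd to \\durin.office.sensational.ch\IPC$ returned 5
03/30 16:19:43 NetpJoinDomain: status of connecting to dc '\\durin.office.sensational.ch': 0x5
03/30 16:19:43 NetpDoDomainJoin: status: 0x5
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed it %windir%\Debug\netsetup.log from the client; the point of the noise table is that the first non-zero code in the log is usually not the one that matters, while the first code after the DC has been found is.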

Now it’s real

Today I was in Forch. First I saw this:

… then this:

The new train is awesome! I finally could take my test ride. This blog is going to be a bit more computer-centered from now on…