… the number of squats I did yesternight, a little over 24h ago, and that I am still feeling in my upper leg muscles.
29 29 31 31 35 35 29 29 28 29
Seventy five second breaks between each set. My heart was pumping.
… because of tanks for Saudi Arabia. That Germany is the third-largest arms exporter does not otherwise seem so bad, apparently. After all, the weapons logically only go to states that carefully respect human rights … sure 🙄
// Oliver
Here’s a little command line tool to retrieve the product key from a running Windows 8. It should also work on Windows XP through 7. I am releasing the code into the public domain. I hope I got it right, but it’s possible that some edge cases aren’t covered properly. If you are a developer yourself, go and fix the issue yourself and send me a patch against the code from the Mercurial repo. Fixing other issues would require that you send me the product key and the respective registry key. I’d rather not have that …
REDISTRIBUTION TERMS: The source is of course included. The whole package is released into the PUBLIC DOMAIN.
Disclaimer: This software is provided ‘as-is’, without any express or implied warranty. In no event will the author be held liable for any damages arising from the use of this software.
// Oliver
Download: winprodk.rar or winprodk.zip. The binaries are signed with my code-signing certificate.
Norwegian show … hilarious!
I kveld med Ylvis – The Intelevator #1
I kveld med Ylvis – The Intelevator #2
I kveld med Ylvis – The Intelevator #3
I kveld med Ylvis – The Intelevator #4
And for everyone who liked the song at the end of episode #4 as well, I extracted it for use as ringtone: hun_fastna_i_en_hiss_-_ringtone.wav. I’m not sure I got the spelling of the file name right, because I only know a little Swedish and some Icelandic, but not actually Norwegian.
// Oliver
… companies that tell me my passwords have to be alphanumeric or that set an arbitrary upper limit on their length.
More annoying: companies that do both. 🙄
// Oliver
Google Fiber in Kansas City. I’m torn between jealousy and skepticism concerning the many areas of our lives that Google tries to invade these days.
Don’t be evil was yesterday, … ever since Larry Page took over the position as CEO of Google in April 2011 (in my opinion). Googlers and Ex-Googlers I have talked to have voiced their skepticism about changes of internal policies and overall atmosphere within the company. Although that could be biased, which I cannot verify or falsify.
Nevertheless the many interests Google shows are actually rather scary, I think. Let’s consider for example the DNS service they offer. So I block as much of the Adsense-nonsense and tracking in place to stalk me while browsing the web, and then of course I’ll use the uncensored DNS server(s) from Google? I think not. Actually that gives them more information than they already get by my search queries even if I empty out cookies and other web storage in my browsers and use different browsers as well as VPNs and proxies. In short: it provides them with yet another puzzle piece to complete their “picture” of me … of us …
The whole philanthropist look of these “services” boils down to getting to know me, the “user” (and potential marketing victim), better.
// Oliver
Surely to be continued …
// Oliver
The Guardian article: Texas attorney general threatens to arrest monitors observing US election
Sneaky – this reeks of manipulation indeed. Especially in the light of the Kerry/Bush election where Kerry lost 300,000 votes overnight.
On the bright side Michael Bloomberg, mayor of NYC and billionaire, launched a Super PAC to support inter-partisan policies that the two presidential candidates neglect in his opinion. Not all of his views are in the best interest of 90% of the people, but still …
// Oliver
Abuse reports abound. So do false positives in antivirus (AV) products. Worst of all, false positives in AV products spread within the industry, while reports (and corrective action) about them don’t. Try to get rid of a false positive that affects your own software and you will know what I mean. There is no mechanism to spread the message that a certain executable is not malicious other than sending a message to every single one of the AV vendors.
In the past two years I have gotten several abuse reports, sent to Hetzner (my hoster), against my website (assarbad.net). The reason? One of my programs – yes, one of those that come with source code and all – was detected by one or more AV engines and thus automatically classified as malicious by wannabe “security experts” … *cough* *cough* … uhm, by an automated system taking the results of the AV for granted.
None – and I mean not a single one – of those “security experts” seemed to have any notable know-how of their own, such as being able to analyze the files in question. Instead they blindly relied on the results of some multi-scanner such as VirusTotal or Jotti – I’ll come to why this is bad in a moment. Anyway. Of course there was a trigger for posting this: I got another one of these abuse reports on Wednesday.
For starters, those abuse reports come with a deadline from my hoster, Hetzner, which is kind of an inconvenience, given that at the end of the deadline stands the potential disconnection of my server from the net. In some jurisdictions this would be considered coercion or worse. Now, I realize that Hetzner is responsible for their network, but what really bugs me about this procedure is that it is nothing less than a reversal of the burden of proof. From this point on I am supposed to prove that the software is not malicious. Against the judgment of x-many AV scanners. Oh, and let’s not mention that my domain has an abuse alias as well, in full compliance with the respective RFC.
Now don’t get me wrong. I suppose it is a good thing for people to care about a “clean” internet and such. The problem with those self-proclaimed internet-cops is that they have no standards against which to measure their evidence – obviously. Would an abuse report such as those stand trial in front of a proper court of law? Definitely not. In order for real cops to go to the prosecutor, they first need a case. Preferably water-proof. That is the main difference. Not to mention that here the cops and the prosecutor and the judge are the same person/institution – Hetzner obligingly assuming my guilt by default and putting the burden of proof on me. Heck, they don’t even have the option for me to say this was a false alarm. Instead it is assumed that they are right and I am at fault.
Our self-proclaimed internet-cops and “security experts” wouldn’t stand a chance bringing this before a proper court of law. But the knowledge gap works to their advantage. Anyone who does not possess the required know-how will falter and take down the detected program, try to recompile it, or do whatever it takes to make the problem go away. The default assumption seems to be: clearly the server got hacked, so it’s only just that the admins spend countless hours fixing it.
A real-world example
But let us not take the most recent abuse of automated abuse reports but rather the most unpleasant one I’ve had: Clean MX.
In April last year they sent an abuse report to Hetzner about localsystem.zip, a collection of programs. The program in question, RunAsSYS, won’t even function on anything more recent than XP, including Server 2003. It attempts to use the so-called Debploit to gain system privileges. Clearly a gray area and potentially a security risk. Not a trojan or virus or anything along those lines, however. So I wasn’t particularly surprised by the detection, but I was by the reaction from Clean MX.
Since this seemed serious enough – after all, my reputation was at stake – I decided to prove that the program was no different from the accompanying source code. So I loaded it into IDA and did my job. Sure enough, the program hadn’t been tampered with. The program was sufficiently small to prove that the assembler code matched the accompanying source code.
While Hetzner quickly dropped the “charges”, Clean MX was reluctant to follow suit. So I decided to send them a letter in which I made it clear and known that I was going to sue them in case they kept claiming it was malware.
First response:
Next came the triumphant remark that the company I work for is also detecting it – oh, and of course that I should fix that first. Followed by:
your legal announcements in your pdf are not really stunning…
Obviously someone hadn’t heard of the difference between felony and misdemeanor. Not so much my problem, though. I then tried to make my point clear:
Who verified it then? If you read something in the yellow press you also take it for granted and spread the word? It’s called slander. Just because you are not the ultimate source of some gossip doesn’t mean you can’t be held liable. Again, it says “verified”. By whom? When? Using what methods? Where can I find the analysis – or to put it differently: the hard facts?
You spread false accusations about my programs and ultimately me, I am (still) giving you the chance to correct that.
[…]
Most false positives are detected as such after only a few days (at most) and don’t even make it into wide detection.
For something that is not malware I find the result quite respectable. Kaspersky managed to pull something similar last year with 20 decoy samples (which were not malicious, but went into detection by the majority of AVs over time nevertheless).
But please, what do the VirusTotal results tell you? You must be trying to say something with it, right? That the code is malicious? Is it? Have *you* or your employees verified that?
Have you actually looked into the binary as per static analysis methods? Have you looked into the accompanying source code? Have you tried to execute it inside a safe environment/sandbox of any kind?
[…]
What does an outdated link prove to you? What does a link to VirusTotal prove anyway, outdated or not?
Aside from that, this issue is between me as an individual and your company.
[…]
Because this is not in the least malicious. But why do I have to prove my innocence – which I, by the way, did with my mail yesterday. Again, I’m the author. Accusing me that this is malware is slanderous. Even more so because I am a malware fighter myself.
What I had to check was whether the binary had been manipulated compared to the source code. This is not the case. The binary is genuine. It’s on you to provide details why you even classify it as malware, not on me to prove otherwise (although I did).
Please consult the source code for further questions as to why this is not “malware”, a “virus” or one of the colorful names given by other scanners like “Backdoor” and “Trojan”. My favorite is “IRC Trojan” as the binary does not even include *any* networking functions (or “secretly” calls these through hashed imports or so), so I’m amazed by how far off those detection names are from even describing the functionality. If it was an IRC client, sure … a false pos as “IRC Bot” or so would make some remote sense. But this way?
Loooong emails, as you can see.
Long story short: the contact person at Clean MX came to his senses concerning the false positive and contacted his tech contact at another firm. This contact could confirm within less than an hour that the file was indeed genuine and harmless, and no malware.
The amazing thing is that there wasn’t a shred of guilt on the part of the Clean MX contact person. The assumption that AVs are infallible, and that one need not have the expertise to prove AVs right or wrong, couldn’t be shattered. Amazing. Wild west on the internet, with my hoster being a willing lackey of those self-proclaimed internet-cops.
One can almost hear those internet-cops shout: “Stuff that ei incumbit probatio qui dicit, non qui negat up your …, Romans.”
How is this a problem?
False positives spread because detections spread within the industry: the sheer number of malware variants that appear every day is more than even a sizable company can tackle alone, so samples of detected malware (including false positives) get shared between AV vendors. Since those AV engines use different techniques and different algorithms, they don’t all detect a sample by the exact same means. So the set of files detected by one AV engine may overlap with the detections of another, but will not – in most cases – be identical to the set of files detected by that other “signature”.
This is a problem. As we can see, the detections propagate within the AV industry. Not so with the false positive reports. The false positives themselves spread along with the detections, until a vendor discovers that the detection is a false positive. But that information does not propagate. There is no automatic mechanism in place for that.
Multi-scanners to the rescue?
Multi-scanners are a powerful tool for malware fighters and writers alike. The malware writers use them to check whether their creations are being detected already and refine their work. Malware fighters, such as those “security experts” mentioned above, also use them to classify a program as good or bad. Unfortunately they often don’t even consider that the individual AV scanners have graduated detection levels. Something can be a potential risk or it can be outright malicious. Programs such as netcat can be used for malicious purposes, but that’s clearly not their main purpose. It’s like a kitchen knife: it can be used for murder or for chopping your veggies. Ban all kitchen knives!!! 😆
With the knowledge that false positives spread automatically, it is merely a matter of time until a file makes it into detection with more and more vendors. Fair enough.
However, this means one has to be very, very cautious about assuming a file is malicious just because it is in detection by multiple AV scanners. This may be a good default assumption for the inexperienced end-user, but it’s not a good one for security experts, self-proclaimed or not …
Solutions?
I am aware of some more or less public test projects run by the multi-scanner websites, as well as falsepositivereport.org, that try to notify the makers of programs whenever their programs (or downloads on their websites) start to be detected (hopefully erroneously), and that try to create a notification mechanism for the vendors. What would be needed, though, is for the AV vendors to sit down at a table at one of the many industry conferences and join efforts in establishing a false positive reporting mechanism that works industry-wide.
Too much asked? I think not. Given the wide-spread misconception of wannabe security experts that AV engines are infallible enough to send out automated abuse reports based on their detections, it is on us, the AV industry, to step forward and offer a remedy. Ultimately this will create loopholes, sure. Standards between AV vendors for what to classify as malware or as grayware or security risk differ, sure. Still, the consensus cannot be to let software vendors jump through hoops when it is on us to correct our own errors and take their files out of detection – that is what false positives are, after all. Erroneous detections.
// Oliver
PS: please discuss below …
… could be read on the placards of protesting Muslims wearing headscarves.
Definitely not! Religion can and should be tolerated. Accept it, or even respect it, one neither must nor should.
// Oliver
“I refuse to prove that I exist,” says God, “for proof denies faith, and without faith I am nothing.”
“But,” says Man, “the Babel fish is a dead giveaway isn’t it? It could not have evolved by chance. It proves you exist, and so therefore, by your own arguments, you don’t. QED.”
“Oh dear,” says God, “I hadn’t thought of that,” and promptly vanishes in a puff of logic.
Douglas Adams (1952-2001)
Not that I particularly liked Dirk Bach, but many people were his fans after all, so coverage of his death is perfectly in order. Even if he was not comparable to Loriot, for instance. And yes, now and then his manner or his jokes cheered me up too.
Not so with the “Catholics” of kreuz.net. This extremely dangerous hate-mongering outfit, next to which BILD looks like a left-liberal Sunday paper, has perpetrated an “article” positively overflowing with “brotherly love”. I deliberately do not link to the hate speech of these Catholic-fundamentalist hate preachers, but here is the URL:
http://kreuz.net/article.15957.html
I also have a local copy of this filth.
While I was still somewhat negatively disposed at last year’s demonstration at Potsdamer Platz because the LSVD Berlin-Brandenburg had appropriated the demo so thoroughly for itself, in light of such hate speech I almost understand why that is.
Depicting the Pope with a “Fanta and chocolate-cake stain” on his cassock was already enough to trigger a knee-jerk reaction from various Catholics and a demand to tighten the “blasphemy paragraph”. Mind you, the Pope. Not Jesus or anything … My religious feelings are constantly hurt too, by those who believe in more than zero gods. But nobody cares about that 🙄 …
The focus on Muslims elsewhere seems to make our domestic politicians forget where a danger from religious fundamentalists also lurks. Here. In Germany. No wonder, though: in the end several politicians in the Merkel II cabinet belong to the very current that the fundamentalists also count themselves part of. Wouldn’t it be time to demand from these politicians, as prominent representatives of this denomination, a commitment to the Basic Law and so on? As one does with moderate Muslims? …
Shaking my head at this hate speech from kreuz.net,
// Oliver
PS: to lighten the mood: Link
And more goodness follows here.
As already in the past, I updated looklink again. This time it received two command line options, --verbose and --nologo, and the CReparsePoint class was overhauled. One issue was fixed: CReparsePoint would behave improperly when being passed the current directory name in the form ".", while ".\" worked. I blame GetFullPathName, but that’s another story.
The files (now 32 and 64bit version) have been signed by me. Download location is the same: looklink.zip (approx. 90 KiB)
// Oliver
To the extent possible under law, Oliver Schneider has waived all copyright and related or neighboring rights to looklink tool and CReparsePoint class.
I prefer to name my solutions and projects something like projectname.vsX.sln and projectname.vsX.vcproj respectively. However, by default Premake4 generates the names as they are passed to the builtin solution and project functions respectively. Not cool enough for me. By the power of Graysk…uh uhm…Lua:
do
  -- Wrap a Premake function so that the name passed to it gets a
  -- Visual Studio version suffix derived from the current action.
  function myoverride(orig_func)
    local func = orig_func
    return function(name)
      if _ACTION == "vs2003" then
        name = name .. ".vs7"
      elseif _ACTION == "vs2005" then
        name = name .. ".vs8"
      elseif _ACTION == "vs2008" then
        name = name .. ".vs9"
      elseif _ACTION == "vs2010" then
        name = name .. ".vs10"
      elseif _ACTION == "vs2012" then
        name = name .. ".vs11"
      end
      return func(name)
    end
  end
  -- Replace the builtin solution() and project() with the wrapped versions.
  solution = myoverride(solution)
  project = myoverride(project)
end
… this way the names fit my taste much better.
// Oliver
PS: somewhat more concise but achieving a similar effect:
do
  function myoverride(orig_func)
    local func = orig_func
    return function(name)
      -- For any Visual Studio action, append the action name itself as the suffix.
      if _ACTION:sub(1, 2) == "vs" then
        name = name .. "." .. _ACTION
      end
      return func(name)
    end
  end
  solution = myoverride(solution)
  project = myoverride(project)
end
Most institutionalized religions, especially the proselytizing ones, seem to take an issue with criticism of any kind. Not that one should consider it criticism what I saw in the first few minutes of that unspeakable “Mohammed movie trailer”, but the cartoons in the French satirical magazine certainly were.
So, by the way, were the recent cartoons showing the Pope with a yellow stain on his cassock on the front cover saying “The leak has been found” (referring to Vatileaks) and a brown stain on his cassock on the back cover saying “Another leak found”. Being a subscriber to this particular satirical magazine I had to laugh out loudly when I took it out of the envelope.
The reactions from German Catholics weren’t all that joyful. They tried to invoke what’s called the “blasphemy law” (Gotteslästerungsparagraph) and actually managed to get an injunction against the magazine. Strange, I thought, given that the Pope isn’t a deity and Christianity (if we forget the trinitarian idea) only accepts a single god. The chief editor countered by saying that the yellow stain can be easily explained by the Pope’s love for Fanta (a fizzy drink invented in Germany 1) and that he accidentally sat down into a chocolate cake would explain the brown stain on his back. It is to show that not just the Muslims are outraged by what they perceive as blasphemous remarks. However, the Catholics didn’t start burning the editors at a stake or similar things, like parts of the Muslims did, leading to some fatalities the world over.
Well, (un)fortunately we live in a world of many competing religions, spiced with a lot of people who dismiss any deities at all (atheists) or don’t care (agnostics). Personally I hold it with the following quote:
I contend that we are both atheists. I just believe in one fewer god than you do. When you understand why you dismiss all the other possible gods, you will understand why I dismiss yours.
Peace!
// Oliver
Last night I literally spent hours figuring out an alleged issue with the certificate from StartCom. Of course the problem was entirely on my end, in the editor to be precise. But what happened?
I fetched ca-bundle.pem and entered it as ssl.ca-file. Furthermore I concatenated my private key used for the CSR and the signed cert I got from StartCom (excellent service in every respect) into a PEM file that I assigned in lighttpd using the ssl.pemfile directive. Then I tried to restart the server (shortened output for brevity):
# service lighttpd restart
Stopping web server: lighttpd.
Starting web server: lighttpd [...] (network.c.607) SSL: Private key does not match the certificate public key, [...] failed!
Wait! But I had just gotten the cert from the StartCom control panel, pasted it into my PEM file and did the same with the key.
Inspecting the certificate public key modulus and comparing it with the one from the private key brought a surprise:
# openssl rsa -modulus -noout -in domain.pem
unable to load Private Key
16986:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: ANY PRIVATE KEY
… uhm, that is essentially what lighttpd was telling me already. I looked at the old working PEM for another domain and saw no obvious differences there. So I decided to exchange the key and certificate positions and retry:
# openssl x509 -modulus -noout -in domain.pem
unable to load certificate
17095:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
… I thought I’m onto something here.
Eventually I was sanity-checking some assumptions that the inspection inside Vim and my other editor on Windows seemed to support. Alright:
# grep '^-----' domain.pem
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
… opening the file in an editor again seemed to disprove the silly grep(1) output, until it dawned on me.
Of course: when I pasted the cert, I had created a new file. My editor was set to default to UTF-8 and thus must have prepended the BOM (byte order mark) to the file. However, every self-respecting editor is going to suppress that and instead show you some subtle piece of information in the status bar or so, telling you of the fact. Sure enough, file(1) agreed with me:
# file key.pem
domain.pem: UTF-8 Unicode (with BOM) text
Removing the BOM was relatively easy (did it on the stored keys and certs, of course), but I wanted to verify upfront what file(1) would say. So I did:
# tail -c +4 key.pem|file -
/dev/stdin: PEM RSA private key
Fair enough. So I removed it on the actual file:
# tail -c +4 key.pem > key.pem
$ file key.pem
key.pem: PEM RSA private key
End of story. It works now:
# grep '^-----' domain.pem
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
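The hunt above boils down to three checks: does the file start with the UTF-8 BOM bytes EF BB BF, do all PEM armor lines begin in column one, and do the moduli of key and certificate agree. The POSIX shell script below is an added example, not the commands from the post: it wraps those checks in functions and strips the BOM into a new file via a temporary, since redirecting a command's output onto its own input file truncates the file before it is read. The file names, the `--demo` flag and the sample certificate body are constructed for illustration; the modulus comparison needs openssl and reports when it is not installed.

```sh
#!/bin/sh
# Added example (not the post's own commands): detect and strip a UTF-8 BOM
# from a PEM file, and re-run the checks that exposed the problem.

# Hex of the first three bytes of a file, e.g. "efbbbf" for a BOM, "2d2d2d" for "---".
first3_hex() {
    head -c 3 "$1" | od -An -tx1 | tr -d ' \n'
}

# Succeeds (exit 0) when the file starts with the UTF-8 byte order mark EF BB BF.
has_bom() {
    [ "$(first3_hex "$1")" = "efbbbf" ]
}

# The armor-line check from the post: only lines that start in column one match,
# so a BOM hides the very first "-----BEGIN ..." line.
pem_markers() {
    grep '^-----' "$1"
}

# Number of armor lines found (0 instead of a failing exit when there are none).
marker_count() {
    grep -c '^-----' "$1" || true
}

# Copy $1 to $2, dropping the first three bytes only if they are a BOM.
# Goes through a temporary file: "tail -c +4 f > f" would truncate f before
# tail gets to read it, leaving an empty key file behind.
strip_bom() {
    _src=$1
    _dst=$2
    _tmp=$(mktemp "${_dst}.XXXXXX") || return 1
    if has_bom "$_src"; then
        tail -c +4 "$_src" > "$_tmp"
    else
        cat "$_src" > "$_tmp"
    fi
    mv "$_tmp" "$_dst"
}

# Optional: the check lighttpd performs implicitly, done explicitly on a combined
# key+certificate PEM. Prints "match" or "mismatch"; needs openssl.
modulus_check() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not available"; return 2; }
    _k=$(openssl rsa  -modulus -noout -in "$1" 2>/dev/null || true)
    _c=$(openssl x509 -modulus -noout -in "$1" 2>/dev/null || true)
    if [ -n "$_k" ] && [ "$_k" = "$_c" ]; then echo match; else echo mismatch; return 1; fi
}

# Constructed sample: a BOM followed by a fake certificate block (not a real cert).
make_sample() {
    printf '\357\273\277-----BEGIN CERTIFICATE-----\nMIIBconstructedsamplebody==\n-----END CERTIFICATE-----\n' > "$1"
}

# Run with "--demo" to see the before/after on a scratch file.
if [ "${1:-}" = "--demo" ]; then
    _d=$(mktemp -d)
    make_sample "$_d/domain.pem"
    echo "before: first bytes $(first3_hex "$_d/domain.pem")"; pem_markers "$_d/domain.pem"
    strip_bom "$_d/domain.pem" "$_d/domain.clean.pem"
    echo "after:  first bytes $(first3_hex "$_d/domain.clean.pem")"; pem_markers "$_d/domain.clean.pem"
    rm -rf "$_d"
fi
```

With the BOM in place, `pem_markers` lists only the END line, exactly the symptom seen above; after `strip_bom` both armor lines appear and `first3_hex` reports `2d2d2d`. Run `modulus_check` on the real combined PEM afterwards to confirm key and certificate belong together before restarting lighttpd.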
// Oliver
PS: thanks to Eddy Nigg from StartCom for some pointers and questioning some of my assumptions.