Recent Posts

2776
Finished Programs / Re: ZIP to PHP converter
« Last post by f0dder on January 07, 2010, 06:14 PM »
Depends. Does unzipping always overwrite files? It actually shouldn't.
For the intended use of this program (as I understand it: upgrading websites, especially pre-fab systems), it should.

(So who cares about index.php?)
Ask any website owner who has his site defaced :)
2777
Finished Programs / Re: ZIP to PHP converter
« Last post by f0dder on January 07, 2010, 06:04 PM »
The visitors need a link to the file anyway. Where should that be?
*facepalm*

If you have the possibility to inject a zippedfile.php on a server and then run it... what harm could you possibly do? Nobody would think of putting index.php in that sfx-zip, of course no... and certainly nobody would put a connect-back shell, would they? Definitely harmless :)
2778
N.A.N.Y. 2010 / Re: NANY 2010 Final Release: Leap of Faith
« Last post by f0dder on January 07, 2010, 06:00 PM »
Well, something happens when you reach the end, but it wasn't quite what I expected... kinda fit well with the game, though :)
2779
Living Room / Re: To wide-screen or not to wide-screen
« Last post by f0dder on January 07, 2010, 05:58 PM »
But having dual monitors sure is great, so I suppose a big widescreen monitor with a large resolution and Windows 7's feature that makes apps fill half the screen (or jgpaiva's GridMove) would be essentially the same thing.
Far from it! Win7 or GridMove/similar apps have some of the advantages, but don't go all the way... one pretty great thing about dual-monitor setups is being able to play a game on one monitor, and have other stuff (like instant messaging and mail) running on the other :)
2780
[I think this works fine for NTFS partitions only ?]
Yep, it works by directly reading the MFT, which is why it is so fast - and requires admin privs. The app should really be rewritten to admin-priv service and LUA-priv GUI...
2781
I forgot where I moved the files.
fløjte.jpg
2782
Finished Programs / Re: ZIP to PHP converter
« Last post by f0dder on January 07, 2010, 09:51 AM »
Injecting files is not actually dangerous yet.
:huh: :huh: :huh:
2783
General Software Discussion / Re: Natural Language Sorting for Comments
« Last post by f0dder on January 07, 2010, 03:50 AM »
I don't think you're going to see anything that can sort reliably by looking at text stream... we've had just how many years of AI research, and even for perfectly well-formed English text this would be damn hard. Now consider the grammar and spelling of your regular internet commenter? Ugh.
2784
Sounds like DOpus are doing its move operations in some dodgy way, like Apple's Finder? That, or...
  • You accidentally moved files elsewhere than you thought.
  • You've got some nasty NTFS corruption going on - haven't seen lost files like that, though.
2785
Circle Dock / Re: Core Software Suggestion
« Last post by f0dder on January 07, 2010, 03:40 AM »
Actually there's only one of those missing and that's "Hibernate" and I can certainly add that one (if I can find a suitable image  :)).
Sleeping bear! Sleeping bear! :-*
2786
On a slightly different note, an interesting idea:

YouTube - CES 2010 video - enTourage eDGe beyond ebook readers
A TFT + ePaper dual screen combo, Android based, to be used for reading, annotating, surfing, etc.
The device looks slightly clumsy, and I think I'd prefer a slightly bigger e-ink display... but (2:37 into the video) I'll have to say this sounds very++ promising! Keyphrase: "easy to bring your own content"!, PDF support, how it folds, available in february... AND he has some book open on chapter 42. Gotta love it ;)
2787
Living Room / Re: To wide-screen or not to wide-screen
« Last post by f0dder on January 06, 2010, 06:01 PM »
Yeah, pretty hard to find 4:3 monitors nowadays - the ones I've come around have been priced way too high, so I ended up with a 22" 1680x1050 when one of my 1280x1024 17" monitors died (and then one of my friends gave me his old almost-identical 22" monitor as a birthday present - wow I have plenty of screen estate now :-O).

I kinda still prefer non-widescreen - but at least the space can be used for toolbars in my programming environments :)
2788
General Software Discussion / Re: Firefox 3.6 RC1 is out
« Last post by f0dder on January 06, 2010, 05:57 PM »
All I know is it works as well if not better than 3.6 beta 5.  It's not the easiest thing in the world to even find FF betas on the Mozilla sites.  The whole setup is totally disorganized. Not to mention having about 5 concurrent versions extant.  The whole thing looks like a churning operation.
Prolly because betas aren't meant for the general population? Sure, if you're a web developer you'll want to keep on top of things, but otherwise it's safer to stay with non-betas :)
2789
General Software Discussion / Re: SUPER © updated, download from Major Geeks
« Last post by f0dder on January 06, 2010, 01:22 AM »
AdMuncher intercepts *all* network traffic systemwide, not just your browser - thus it can hide ads that appear in 3rd party programs and whatnot. Whether or not this is worth the pricetag is up to you, personally I'm happy with AdBlockPlus (although I've started to notice cases where it slows down stuff considerably :( ).

As for not showing where you're coming from (blocking HTTP Referer) and other filtering tricks, you could check out Privoxy - it's somewhat Geekboy Powerhead™, though :)
2790
General Software Discussion / Re: Sandboxie goes 64 bit
« Last post by f0dder on January 05, 2010, 01:22 PM »
Nice move, even if I partially agree with the author's reasons for holding out so long.

Keep in mind that this is "crippled" compared to the 32bit version of SandboxIE - it's more limited in what it can protect you against. If you need to run untrusted and potentially malware-infested code, do it in a fullblown virtual machine... this 64bit sandbox will be most useful for software-testing-without-clutter-and-breakage.
2791
Finished Programs / Re: ZIP to PHP converter
« Last post by f0dder on January 05, 2010, 01:01 PM »
But what's the point?

Are there hosts which allow you to run PHP scripts but don't give FTP access? And don't allow .zip files from web-based upload forms? O_o

The problem is not uploading the zips, but unzipping them server-side.
Uploading a crapload of small files takes ages over FTP.
Ooooh, duh! - I thought self-extracting meant "generate .zip output". Facepalm, more coffee to me - this could be pretty darn useful when you don't have shell support :)
2792
General Software Discussion / Re: "God Mode" in Win7? (All Tasks)
« Last post by f0dder on January 05, 2010, 09:20 AM »
Yeah, nothing god-mode about it - as I posted in a comment on OSNews:
it's just a special Virtual Shell Folder... read up on the windows shell namespace :)
You could call it OMFGSENSATIONALISM!.{ED7BA470-8E54-465E-825C-99712043E01C} for all Windows cares :)
2793
Finished Programs / Re: ZIP to PHP converter
« Last post by f0dder on January 05, 2010, 09:15 AM »
But what's the point?

Are there hosts which allow you to run PHP scripts but don't give FTP access? And don't allow .zip files from web-based upload forms? O_o
2794
Look what happened when the industry tried to push DRM for portable audio players. Plain non-DRM mp3 players won.
They did? I see most of the sheeple around here running iPods... while those fortunately do support plain old MP3s, where's the high-quality non-DRM support? Where's the online stores to get the music legally? Where's the support for transferring files back and forth freely, without relying on a DRM-heavy closed-source application? File format is only part of the problem :)

But yes, at least most players have MP3 support... the Creative Zen X-FI2 looks like a nice product (up to 32gig, FLAC support, micro-SD slot, should pop up as an external drive rather than requiring special software). It's a shame that they dropped the non-2's great WLAN feature, and moved to touchscreen rather than buttons...
2795
N.A.N.Y. 2010 / Re: NANY 2010 Final Release: Leap of Faith
« Last post by f0dder on January 05, 2010, 09:04 AM »
Can anyone who is running Vista confirm that the directory I listed is correct? That's where the directory is created in Windows 7 but I'm not sure if Vista differs.
<Win+R>, "%appdata%\Craven Entertainment", <Enter> :)
2796
General Software Discussion / Re: Stop Windows from calling home
« Last post by f0dder on January 04, 2010, 10:23 PM »
Let us revisit your five bullet points:
  • 1. Executable modification detection is not the job of a packet filter firewall, but more in the area of a HIPS. This is material for a different discussion.
  • 2. You can click "Allow", but this requires a UAC transition (at least on Win7 - I'd be surprised if it doesn't on Vista). UAC transitions can't be scripted[1].
  • 3. The packets have "entered your computer" but haven't hit applications yet. This is the purpose of a packet filter: to avoid service exploitation[2]. Somebody more clever than me can comment on the implementation, but I'll highlight that "If the traffic does not match an exception, the NAT driver determines that the traffic is unsolicited; the packets are dropped and do not continue through the TCP/IP stack".
  • 4. I assume you're talking "outbound leaking" here. Ultimately, there's nothing you can do to stop outbound leaking, whether on the individual host or an external boundary firewall, short of blocking all outgoing traffic[3]. This is topic for a whole separate discussion, though; my stance is that when you need outbound filtering you're pretty much game over, but it can help mitigate some attacks. And if you only need to defend against usermode code, you can do a lot.
  • 5. If you're reckless and run in admin mode without UAC: yes - otherwise: no.

Footnotes:
1: I know of no way to script UAC transitions when running with UAC on max settings, which is what you should be doing. I'm not excluding the possibility that there's bugs that will eventually be found, but so far we don't know of any.
2: yes, it's possible that the packet filter itself has bugs, just like everything else - including your "hardware" firewall firmware.
3: no, really. An external firewall knows nothing about applications, and can only judge on packet data. Make an outgoing HTTPS connection and you can't do much traffic inspection except looking at destination.

You've come up with one thing so far, which is more than three years old, limited to XP, and requires the ICS service to be on (which it isn't by default, as far as a lazy google says).
http://en.wiktionary.org/wiki/potential
That's the best you can do? Nice move ignoring the iptables link, which sounds like it could potentially be a lot worse than the cry-wolf XP bug. Yep, it was serious, if you had enabled ICS - not something most home users do... and the resources I've seen say that server editions weren't affected.

Some are "better" however.
"Secure by Default" is a very nice goal, and MS has been sleeping in class. The XP-SP2 firewall and DEP were steps in the right direction, UAC was a major step (too bad default user wasn't made non-admin already in Win2k). And then there's ASLR and a whole bunch of enhancements to the heap manager, not to mention various security enhancements in the Visual C++ compiler. None of this by itself is perfect, but it shows that MS certainly aren't ignoring the problem any longer - and you get a lot of stuff with NT now that you don't get with linux unless manually choosing a kernel with SELinux patches.

Of course you can configure *ix to be insecure, of course you can even have a secure Windows XP server or something. The software running on the server is the bottleneck - and now we're on topic again. The one who installs and maintains the software is responsible for it to work properly. If he fails, not even a firewall of any kind can help him. If he succeeds, he doesn't need paranoia. There might be something in between. Does it really matter?
Well, duh, isn't this what I've been saying all along? Except for the "doesn't need paranoia" part... a packet filter isn't paranoia, it's an additional level of security. Hopefully it'll never be needed on neither hosts nor servers, but if you have a breach it can save your ass - and I bet you aren't able to measure a performance difference whether it's enabled or disabled.

So what, really? Windows isn't unix, things work differently.
Now this is not a reason for having to use a rather mediocre shell, is it?
If you don't need something complex, why waste time developing it? *u*x and Windows are different philosophies. Apparently enough users wanted a more powerful shell, and MS responded with PowerShell. Haven't used it myself so I can't comment on its quality.

By this, you're saying that packet filters which require administrative privileges to configure are useless
... to me. Maybe there are some rare circumstances that might be easier to handle with something like a "packet filter". Using such does not necessarily make your system more secure, though.
Ah, now you're talking a lot more sense. But let us revisit your original statement, which is what got this started:
Disable Windows Firewall - And there it is!
How many reasons why the Windows "Firewall" is neither a firewall nor of any use would be enough to convince you that disabling it is a good idea? I think I could find dozens of them.
...see a slight difference between those two statements?

ICS is disabled by default, and the only unscheduled reboots in the last 10 years on the (approx 20) Windows servers I manage were due to either hardware failures or power outages that outlasted the UPS.
Do you have a clean & untweaked XP-SP2 you can confirm this on, or official docs? :P - I'm almost tempted to do a test install in vmware (damn insomnia!), but it'd make a helluva lot sense not to have it enabled by default.
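The inbound decision quoted in point 3 of the post above (match an exception, otherwise treat as unsolicited and drop), as an added example that is not part of the original post and not Windows' own logic. It is a simplified model: the class names, the single TCP 3389 exception and the packets are constructed for illustration, and real filters also track TCP state and timeouts.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to this host
    proto: str          # "tcp" or "udp"
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass
class HostPacketFilter:
    """Simplified model of an inbound-filtering host packet filter (hypothetical)."""
    # (proto, local_port) pairs an administrator allowed for unsolicited inbound traffic.
    exceptions: set = field(default_factory=set)
    # Flows this host opened itself; replies to them count as solicited.
    flows: set = field(default_factory=set)

    def verdict(self, pkt: Packet) -> str:
        flow = (pkt.proto, pkt.local_port, pkt.remote_ip, pkt.remote_port)
        if pkt.direction == "out":
            # Outbound is not filtered in this model; it only creates state.
            self.flows.add(flow)
            return "pass:outbound"
        if flow in self.flows:
            return "pass:solicited"
        if (pkt.proto, pkt.local_port) in self.exceptions:
            return "pass:exception"
        # Unsolicited and no exception: dropped before any listening service sees it.
        return "drop:unsolicited"


def run_sample() -> list:
    """Run constructed traffic through a filter with one exception (TCP 3389)."""
    pf = HostPacketFilter(exceptions={("tcp", 3389)})
    packets = [
        Packet("out", "tcp", 50123, "198.51.100.10", 443),  # host opens HTTPS
        Packet("in", "tcp", 50123, "198.51.100.10", 443),   # that server's reply
        Packet("in", "tcp", 445, "203.0.113.7", 40000),     # probe at a listening service
        Packet("in", "tcp", 3389, "192.0.2.55", 51000),     # allowed by the exception
        Packet("in", "tcp", 50123, "203.0.113.7", 443),     # wrong peer for that flow
    ]
    return [pf.verdict(p) for p in packets]


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The third and fifth packets are the case the post describes: they reach the machine but are dropped before any service handles them, while the first packet shows that this model does no outbound filtering at all.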
2797
General Software Discussion / Re: Stop Windows from calling home
« Last post by f0dder on January 04, 2010, 09:32 PM »
Packet filters and "real" (hardware) firewalls work on the network layer, "software firewalls" mainly on the application layer. (With a driver-thingy on another layer, probably, but then we'll have a packet filter again.)
The personal firewalls I've seen - including Windows' own - have been packet filters, your link talks about a completely different thing. Some of the personal firewalls additionally know about socket<>app relationship and can do application integrity checking... and then there's the next class that adds packet/protocol inspection. But let's stick with packet filters since that's what Windows' firewall does.

[you claim that] Windows' built-in firewall is useless
... and potentially dangerous.
Proof? You've come up with one thing so far, which is more than three years old, limited to XP, and requires the ICS service to be on (which it isn't by default, as far as a lazy google says). Using linux iptables can be potentially dangerous; ironically, a lot of "hardware firewalls" run linux kernels.

Because Windows is not known for stability and security, both of them are the most important attributes of servers IMO.
That's a claim I've heard before... of course we have no way of knowing if any of the servers on the uptime lists have been exploited (my guess is not), but you wouldn't really have multi-year uptime if the system wasn't stable. As for security goes, any internet-facing server set up by a competent sysadmin will only have necessary services exposed, and will have those services running in reasonable security contexts. NT has a lot more flexible security model than your standard run of the mill linux, by the way - adopted from VMS.

And it's not like *u*x daemons haven't had their fair share of exploits during the years. Apache, BIND, wu-ftpd, whatnot. Also, both OS X and Linux kernels have had very interesting local privilege escalation during the recent months, some of which are present in several years worth of kernels... couple that with a remote exploit in a single third-party service (or even something as a lowly PHP bug) and boom, you've got root. Non-Windows doesn't automagically equate secure - no matter what you run, you need competent server admins who keep their eyes open.

(Oh, and Windows' cmd.exe without [at least] some *ix tools is, at best, a sick joke when it is about configuration and server maintenance.
So what, really? Windows isn't unix, things work differently. You can automate settings with policies... sure thing, I use tools like grep on my windows box pretty often. But for the tasks I do here, I don't need a more powerful shell. The few times when a simple batch file won't suffice I'd much rather be whipping up a Python script... if you don't feel that way, go PowerShell or Bash. But yes, we're drifting. My point is that, well, you use different systems differently. Being able to handle configuration via SSH is nice though, especially over slow links (but thanks doyc that the RDP protocol isn't as retarded as VNC).

Anyway, OS pissing contest aside, your premise was that Windows built-in firewall is useless. By this, you're saying that packet filters which require administrative privileges to configure are useless... which I still find to be a ludicrous claim.
2798
General Software Discussion / Re: Stop Windows from calling home
« Last post by f0dder on January 04, 2010, 08:02 PM »
Fortunately, I'm not a stupid user that clicks yes to everything, and locations that are sensibly set up will have non-trusted users run as exactly that: non-trusted users without admin privs.
So, at least, we're talking on a similar level. Quite a progress yet.
I don't think anybody claimed you could have a secure environment if you let uneducated users run amok with admin accounts. You're the one who flat-out claimed that packet filters aren't firewalls and that Windows' built-in firewall is useless - which is ludicrous, for reasons mentioned in this thread as well as the previous one.

Btw, as for automatic updates: standard users should keep that on. But, while it hasn't happened very often, once in a blue moon and on a subset of configurations, updates have caused trouble.
I know about that, but I wouldn't count this as a reason to disable AU for standard users. We're not talking about important servers right now (which should never run Windows anyway), right?
1) I already said this didn't apply to regular users (but I find it worth mentioning nonetheless).
2) why wouldn't I run an important server on a Windows box? Ever checked this list? Which environment you choose depends on the requirements. I wouldn't be comfortable with neither Windows nor Linux controlling nuclear plants or aircrafts - neither were written for realtime demands, and neither of them have strict enough code quality. But web- or database server or DNS or mail or whatever, even for something important? I wouldn't rule out Windows before doing a little research.

My personal fileserver (which can hardly be thought of as a critical machine) runs linux - simply because it's free. Free as in beer.
2799
General Software Discussion / Re: Stop Windows from calling home
« Last post by f0dder on January 04, 2010, 07:32 PM »
A packet filter can come with sensible defaults - that goes a long way.

As for configurable by users, that's going to require admin privileges. People running with admin privs and no UAC = dead in the water. People blindly clicking yes to everything = blind in the water. Fortunately, I'm not a stupid user that clicks yes to everything, and locations that are sensibly set up will have non-trusted users run as exactly that: non-trusted users without admin privs.

Btw, as for automatic updates: standard users should keep that on. But, while it hasn't happened very often, once in a blue moon and on a subset of configurations, updates have caused trouble. In a production environment, I wouldn't keep servers and other critical machines with AU on, but rather keep them properly firewalled, and have a team that's vigilant about reading security billboards and doing hotfixes in a test environment before deploying... that's obviously far outside the scope of end-user, but it's a situation where I'd still keep a packet-filter running on each and every machine. And obviously not as the only line of defense.
2800
General Software Discussion / Re: Stop Windows from calling home
« Last post by f0dder on January 04, 2010, 07:04 PM »
Show me an exploit for the built-in Windows PF? Not saying it doesn't exist, I just haven't seen it.
There is one for the XP firewall, and I doubt there are none for newer versions ...
Requires ICS to be enabled - dunno if it is by default, but if you're not using ICS I'd say you might as well turn it off. Also, while still serious, at least it does require the attacker to be on the LAN. And I'm not saying there's none for more recent versions, haven't googled and haven't heard any black-hat whispers about it, so *shrug*. Haven't seen one in the headlines yet, though.

If we assumed proper software design, there were no holes in Windows at all, right?
Oh, sure thing, the world is filled with lots of not-so-very-well-written software. Windows, Linux and OS X have all had some very very embarrassing security holes - both local-only and remotely exploitable. It's possible to write decent software, though, and one should think that a software firewall (if primarily focusing on packet filtering) isn't that hard a job to get right.