Let’s say something good about Google Chrome

kao

In my previous post I criticized Google's decision to disable NPAPI plugin technology. I still think it was a bad decision. But today let's talk about a change that should be an improvement for virtually all users.

Chrome will begin pausing many Flash ads by default to improve performance for users. This change is scheduled to start rolling out on September 1, 2015.

Source: https://plus.google.com/+GoogleAds/posts/2PmwKinJ7nj

Say what? Is Google going against ads? 😎 Well, not really. HTML5 ads are apparently OK. But those obnoxious Flash-based ads will become click-to-play.

The setting in question is located in Settings->Advanced->Content Settings->Plugins:
[Image: chrome_plugin_settings]
It has been present in Chrome for several months already. So, I'm guessing that Google will only be pushing out some configuration change, or changing the default value for new installations. Who knows, as Google is not giving us any details at this point...

Google's ad detection algorithm might need some improvements and there might be some other side-effects but overall I think it's a great change! Good job Google, you made my day better! 🙂

I won’t show you

kao

if you come to me with a question, i won’t give you an answer.

if you ask for my advice, i won’t give you a recommendation.

at best i’ll give you a pointer, a suggestion. perhaps a direction, a map. you’ll then start walking, creating your own route, getting lost and finding your way again. you’ll see other people’s footsteps often, some old and some fresh, and sometimes you’ll walk open territories no one has visited before. you’ll meet Eureka and dance together and laugh in joy, you’ll cry with Despair, which is not a bad thing.

if you want a lesson, i won’t give you instruction.

if you want guidance, but i won’t show you.

i want you to have fun too. i won’t spoil your journey.

or maybe i just have no idea and this is my fancy excuse to slip away from the situation?

Thank you, el trastero, couldn't have said it any better.

Excuse the mess #2

kao

I'm in the middle of updating the blog to the latest version of WordPress. It's not a really straightforward process as the new emoji support in WordPress 4.2 causes RSS feeds to stop validating. And there are lots of other tiny but ugly issues with it.

So, please excuse the mess, I'm doing my best to iron out all the remaining wrinkles. 😉 And please let me know if you notice anything wrong with the site, comments or RSS.


Update: looks like all issues are resolved. Enjoy!

Blogging is hard

kao

When I started this blog, I wanted to try and see what will happen. I thought that I have so many things to say and to write about. I still do. 🙂

But as I found out soon enough, making a decent-quality blog post takes hours. And I don't have that much free time. So, I had to choose between making half-assed posts with pretty kittens and lists of "Top-X things you don't really care about", or taking my time to write a proper post about something (technical) that I learned recently - at the expense of less frequent updates.

I chose to write less often. Currently I'm managing to make one proper post per week - and I really hope to keep it up that way. Of course, the more feedback I get, the more motivated I'd be to write. So, it's all in your hands... 😉

On a related subject, I added a simple captcha to the comment form. Looks like it's working really well to keep most of the spambots away. But if you encounter any problems with it, please let me know.

Fixing choppy sound in Chrome within RDP connection

kao

Some things and services are banned from work computers. Like your collection of MP3s. Or p2p-based television. Or access to Pandora. 🙂 But everyone knows that music is a really great motivator! So, I decided to try a small trick - use RDP connection to my home PC and play my MP3s from home PC.

It turns out that playing MP3s in Winamp works great. However, playing Pandora radio or anything else in Chrome produced a very choppy sound and the video framerate was around 3fps... That's not great at all.

A quick Google search locates this 1.5-year-old Chrome bug: Issue 310983: choppy sound playing videos within RDP session (not only Flash, also HTML5). As happens quite often - it's reproduced by several people but nobody gives a flying fcuk about actually fixing it. So much for open source and quick fixes...

Lucky for me, there was a workaround suggested in the comments - install RDP 8.0 server and client.

Hmm, I haven't heard anything about RDP version 8.0. How is that possible?

Turns out, it comes by default on Windows 8.x but must be manually installed and explicitly enabled on Windows 7. It's one of those hidden treasures very few people know about!

So, on my home Win7 box I installed updates KB2574819, KB2592687 and restarted. Automatically received Security Update KB2965788 and got another restart. Made the necessary changes in group policy settings, and - you guessed right - yet another restart. Got locked out of my box because suddenly my username was not in "Remote Users" group, and I had to re-add it manually. Logged in and everything works as it should. Pandora sounds great, video is suddenly smooth and watchable and my work productivity goes... UP! 🙂

Happy happy joy joy!

Further reading

List of new features in RDP v8.0
Technical blog explaining technologies behind RDP v8.0 magic

About e-governments

kao

Two days ago Google released Chrome 42. It's the answer to life, the universe and everything. And among other things, it disables all NPAPI plugins by default, finally putting that Java nightmare into its grave. Good riddance!

But what about other NPAPI plugins? Like, you know, the ones used for electronic documents, digital signatures and other e-government thingies?

Well, here are 2 ways how government agencies approach the same problem:
[Image: e-governments compared]

Welcome to the 21st century. If you're Estonian, that is...

The malware arms race

kao

Today's Slashdot features a very nice question:

We've been in a malware arms race since the 1990s. Malicious hackers keep building new viruses, worms, and trojan horses, while security vendors keep building better detection and removal algorithms to stop them.
...
My question: will the balance continue, or is one side likely to take the upper hand over the next decade or two? Which side is going to win?
...

In the comments you'll see a lot of libertarian psychobabble about how NSA/CIA/{whatever-3-letter-organization} caused this, how you are going to surrender your fundamental rights to a few corporations who pretend to protect you, how everything sucks and will suck even more in the future.

Well, that IS Slashdot, after all.

But this comment made my day so much better:
[Image: comment screenshot - "Idiots will lose"]

Have fun and keep your schlongs safe!

Fighting comment spam

kao

When I started this blog, I was aware that comment spam exists. What I didn't know, is how common it really is. 🙂

Current statistics are:

Comment type   Count     %
Spam              39    56
Normal            29    41
Trashed            2     3
Total             70   100

What can be done?

WordPress has several anti-spam plugins. Some of them add captchas, some rely on JavaScript and others rely on continually updated blacklists of spammer IPs and/or keywords. I hate captchas, I respect users that use NoScript, and my webhost is running with allow_url_fopen = false which prevents automatic blacklist updates. Crap!

So, I'm left with very few options, like blocking spammer IP address ranges using the .htaccess file and mod_rewrite.

mod_rewrite magic

When you know what you're doing, mod_rewrite does wonders. When you don't, you might lock yourself out of web-admin interface. Trust me, it's not fun! 😉

In the very simplest form, we can block one IP address:

RewriteCond %{REMOTE_ADDR} ^(123\.456\.789\.666)$
RewriteRule (.*) - [F,L]

The first line is a condition - if the visitor comes from IP address 123.456.789.666, then apply the rule. Keep in mind that mod_rewrite is matching the IP address against a regexp, so do not forget the backslashes! An unescaped "." matches any character, so you might accidentally block more than you wanted...

The second line is the rule - whatever URL it tries to access, send the response "403 Forbidden". (.*) is a regexp matching anything[1]. [F] forbids access and [L] stops any other rules from applying, making it the last rule.

It will work, but my webhost does not allow custom 403 pages. So, we can adjust the example a bit:

RewriteCond %{REMOTE_ADDR} ^(123\.456\.789\.666)$
RewriteCond %{REQUEST_URI} !/error.html$
RewriteRule (.*) /error.html [R=302,L]

Now there are 2 conditions: the first matches the IP address, the second checks that the requested page is not error.html (without it, the redirect to error.html would itself be redirected, in an endless loop). Note that by default all conditions must match (logical "and").

Also, [R=302] is used to redirect users to error.html with a "302 Found" response instead of sending "403 Forbidden".

It's better, but we need to block several IP blocks. That's easy too!

RewriteCond %{REMOTE_ADDR} ^123\.456\.789 [OR]
RewriteCond %{REMOTE_ADDR} ^555\.666
RewriteCond %{REQUEST_URI} !/error.html$
RewriteRule (.*) /error.html [R=302,L]

The [OR] flag says we're checking if the IP address begins with 123.456.789 or 555.666. Also, the regexp was changed to check only the beginning of the IP address and ignore the rest.

That's it. Easy, right? 🙂

Identifying spammer-friendly IP blocks

I just went through my inbox and looked at the "Please moderate" emails:

Author : Adrienne (IP: 104.168.70.107 , 104-168-70-107-host.colocrossing.com)
E-mail : hekhwrjjrab@mail.com
URL : http://Adrienne
Whois : http://whois.domaintools.com/104.168.70.107
Comment:
Hi, my name is Adrienne and I am the sales manager at {Spammer Company}. I was just looking at your When software is good enough | Life In Hex website and see...

So, the offending IP address is 104.168.70.107.

DomainTools tells us it's owned by ColoCrossing, and how large the IP block is:
IP Location: United States United States Williamsville Proxy R Us.com
ASN: United States AS36352 AS-COLOCROSSING - ColoCrossing (registered Dec 12, 2005)
Resolve Host: 104-168-70-107-host.colocrossing.com
Whois Server: whois.arin.net
IP Address: 104.168.70.107
NetRange: 104.168.0.0 - 104.168.127.255

Going through other notification emails, I identified 2 more spammer-friendly proxy/VPS services: AS15003 and Krypt. That covers almost all comment spam; the rest are residential IP addresses in China and Vietnam - most likely part of some botnet and not really worth blacklisting.

Putting it all together

Armed with basic knowledge about mod_rewrite and offending IP addresses, I put it all together:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !/403.html$
RewriteCond %{REQUEST_URI} !/403.png$
RewriteCond %{REQUEST_URI} !/403.css$
RewriteCond %{REQUEST_URI} !/sad.png$
RewriteCond %{REMOTE_ADDR} ^23\.108\.170 [OR]
RewriteCond %{REMOTE_ADDR} ^23\.94 [OR]
RewriteCond %{REMOTE_ADDR} ^104\.168 [OR]
RewriteCond %{REMOTE_ADDR} ^98\.126
RewriteRule (.*) /403.html [R=302,L]
</IfModule>

So, anyone coming from those IP address blocks will get redirected to http://lifeinhex.com/403.html. Problem (hopefully) solved! 🙂
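Before touching a live .htaccess it helps to see how the conditions combine. The following is an added example (my own Python, not from the post and not mod_rewrite itself) that emulates the final rule set above: conditions are AND-ed unless flagged [OR], the error-page exclusions stop the redirect loop, and a second function shows what the unescaped-dot pitfall from the first section over-blocks. The request samples, 192.0.2.1 and the 1.2.3.x addresses, are constructed.

```python
import re

# Rule set from the .htaccess above as (variable, pattern, flags) tuples,
# in file order. A leading '!' in the pattern negates the condition.
ERROR_PAGE = "/403.html"
CONDS = [
    ("REQUEST_URI", "!/403.html$", ()),
    ("REQUEST_URI", "!/403.png$", ()),
    ("REQUEST_URI", "!/403.css$", ()),
    ("REQUEST_URI", "!/sad.png$", ()),
    ("REMOTE_ADDR", r"^23\.108\.170", ("OR",)),
    ("REMOTE_ADDR", r"^23\.94", ("OR",)),
    ("REMOTE_ADDR", r"^104\.168", ("OR",)),
    ("REMOTE_ADDR", r"^98\.126", ()),
]

def cond_matches(value, pattern):
    """One RewriteCond: regex search, inverted when the pattern starts with '!'."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    return bool(re.search(pattern, value)) != negate

def rewrite_target(remote_addr, request_uri, conds=CONDS):
    """Emulate mod_rewrite chaining: a condition flagged [OR] is OR-ed with the
    next one, the resulting groups are AND-ed. Returns the redirect or None."""
    env = {"REMOTE_ADDR": remote_addr, "REQUEST_URI": request_uri}
    i = 0
    while i < len(conds):
        group_hit = False
        while i < len(conds):              # collect one OR-group
            var, pattern, flags = conds[i]
            i += 1
            group_hit = group_hit or cond_matches(env[var], pattern)
            if "OR" not in flags:
                break
        if not group_hit:                  # an AND-ed group failed
            return None
    return ERROR_PAGE

def unescaped_dot_pitfall():
    """Constructed addresses that a sloppy '^1.2.3.' blocks although only
    1.2.3.0/24 was meant (the escaped form does not match them)."""
    addrs = ["1.2.3.4", "122.3.4.5", "1.2.30.7", "11.2.3.4"]
    meant, sloppy = r"^1\.2\.3\.", r"^1.2.3."
    return [a for a in addrs if re.search(sloppy, a) and not re.search(meant, a)]

if __name__ == "__main__":
    for ip, uri in [("104.168.70.107", "/post"), ("104.168.70.107", ERROR_PAGE), ("192.0.2.1", "/")]:
        print(ip, uri, "->", rewrite_target(ip, uri))
    print("over-blocked:", unescaped_dot_pitfall())
```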

Further reading

These sites were invaluable in adding simple spam block to my blog:
How to redirect requests from particular IP addresses or networks with mod_rewrite - basic usage.
System: mod_rewrite: Examples - great examples, explained well.
mod_rewrite Cheat Sheet - all I ever wanted to know, and little bit more.
How To Ban And Block Proxy Servers? - I didn't have to take this approach yet. And it wouldn't work against "elite" proxies anyway.

Footnotes

1. Actually, the pattern in the RewriteRule does not need to match the _whole_ URL, so you might encounter "$", "(.*)", "." and many more variations in these kinds of rules.

Gigaom suspends operations

kao

This day started with some sad news:

Gigaom recently became unable to pay its creditors in full at this time. As a result, the company is working with its creditors that have rights to all of the company’s assets as their collateral. All operations have ceased.

Gigaom is (was?) a very nice technology site. I liked it. And I'll certainly be sad to see it go. However, this failure proves something I've said for years, yet everyone else seemed to disagree:

If your web-based business depends on ad revenue, you're going to fail.

Sure, some stay at home moms can get a few hundred bucks per month by blogging about the color of their baby poop. And some other stay at home moms will read this shit blog, look at the ads, and possibly even click on the Pimpers(tm) picture to buy some. Yes, that can work.

But you can't build a real business based on ad revenue.

Nobody loves ads

Face it - people hate ads. That's why people install adblockers. It's not because they hate you, the poor publisher. It's not because adblocker speeds up web page loading time. And it's certainly not because people need to save some traffic.

You can remind them nicely:
[Image: flightradar]

You can nag and deny access to your precious content, like ArsTechnica did in 2010, or lots of sites try to do today:
[Image: playindiafilms]

But no matter how hard you try, you can't make a long-term business based on ads.

R.I.P. GigaOm, I hope others will learn from your failure.

When software is good enough

kao

Microsoft, Google and Apple make software for everybody. Millions of users run this software every day. It must be stable and user friendly, so that Aunt Judy and Average Farmer Joe can use it. If it crashes, a clueless user can't do much about it - and that's bad. That's why these companies spend thousands of hours on testing and improving usability.

On the other hand, reversers make tools: specialized software for solving small and nasty problems, like hiding a debugger, defeating a specific protection or bypassing some authorization check. Tools are made by a reverser for a reverser, so there are completely different expectations for them. Nobody expects that today's DNGuard unpacker will work with next year's DNGuard binaries, or that DRM authors won't change their encryption mechanisms.

That's why reversers make tools that are just "good enough".

Olly, Confuser and de4dot

A funny thing happens when reversing tools suddenly become extremely popular. Newbies start using them, ordinary users start using them - and the expectations change. Suddenly the author is overwhelmed with extremely helpful "bug reports" like "cannot unpack latest reactor" or "obfuscation fails for my application". It's annoying, wastes the reverser's time and is not helpful in any way. Therefore I totally understand 0xd4d's reaction:

There's no support. Don't email me if you can't use it or if it fails to deobfuscate a file obfuscated with an updated obfuscator.

Instead, try to update de4dot yourself. It's a lot easier than you think. If you can't, search the Internet and you should find a couple of forums where you can ask your question.

TitanHide is good enough

Earlier this month I made a few posts about bugs in TitanHide. Are these real bugs? Yes. Is it important to fix them? Not really. Let's face it - there are literally dozens of ways to detect TitanHide. But until commercial protectors start doing that, nobody cares.

TitanHide works and does its job well - that's all that matters. 🙂

The two bugs I mentioned earlier

The first bug was a confusion about the CONTEXT_DEBUG_REGISTERS flags. You see, CONTEXT_DEBUG_REGISTERS is defined as

#define CONTEXT_DEBUG_REGISTERS (CONTEXT_i386 | 0x00000010L) // DB 0-3,6,7

which is quite unexpected. 🙂 So, the code

OriginalContextFlags = Context->ContextFlags;
Context->ContextFlags &= ~CONTEXT_DEBUG_REGISTERS;
...
NTSTATUS ret = Undocumented::NtSetContextThread(ThreadHandle, Context);

was accidentally removing the CONTEXT_i386 flag from ContextFlags as well, because the complement of CONTEXT_DEBUG_REGISTERS also clears the architecture bit. Such a call should fail; I'm pretty sure it did fail in some cases in my VMWare, but in the real world it works just fine.
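As an added illustration (my own Python, not TitanHide's code), the same mask evaluated with the x86 CONTEXT_* values from winnt.h, next to a mask that clears only the debug-register sub-flag and leaves CONTEXT_i386 in place:

```python
# x86 CONTEXT flag values as defined in winnt.h (assumed here so the
# snippet runs stand-alone, without the Windows headers).
CONTEXT_i386 = 0x00010000
CONTEXT_CONTROL = CONTEXT_i386 | 0x01
CONTEXT_INTEGER = CONTEXT_i386 | 0x02
CONTEXT_SEGMENTS = CONTEXT_i386 | 0x04
CONTEXT_FLOATING_POINT = CONTEXT_i386 | 0x08
CONTEXT_DEBUG_REGISTERS = CONTEXT_i386 | 0x10
CONTEXT_FULL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS
MASK32 = 0xFFFFFFFF
SUBFLAGS = {"CONTROL": 0x01, "INTEGER": 0x02, "SEGMENTS": 0x04,
            "FLOATING_POINT": 0x08, "DEBUG_REGISTERS": 0x10}

def strip_debug_registers_buggy(flags):
    """Same expression as the hook quoted above: ~CONTEXT_DEBUG_REGISTERS
    also clears bit 16, so CONTEXT_i386 vanishes from ContextFlags."""
    return flags & ~CONTEXT_DEBUG_REGISTERS & MASK32

def strip_debug_registers_fixed(flags):
    """Clear only the sub-flag bit; the architecture bit stays set."""
    return flags & ~(CONTEXT_DEBUG_REGISTERS & ~CONTEXT_i386) & MASK32

def decode(flags):
    """Name the parts of a ContextFlags value and report whether the
    mandatory architecture bit is still present."""
    parts = [name for name, bit in SUBFLAGS.items() if flags & bit]
    return {"arch_ok": (flags & CONTEXT_i386) == CONTEXT_i386, "parts": parts}

if __name__ == "__main__":
    original = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS      # 0x10017
    for label, fn in (("buggy", strip_debug_registers_buggy),
                      ("fixed", strip_debug_registers_fixed)):
        print(label, hex(fn(original)), decode(fn(original)))
```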

The second bug is in checking whether the CONTEXT structure is writable when calling SetThreadContext. Why should it be? SetThreadContext only reads from it... So, this pseudo-code lets you defeat TitanHide's hardware breakpoint protection with ease:

DWORD dummy;
// CONTEXT lives on its own page so its protection can be changed independently
CONTEXT* cont = (CONTEXT*)VirtualAlloc(0, sizeof(CONTEXT), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
cont->ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;
GetThreadContext(hThread, cont);
cont->Dr0 = 0x00401000;
cont->Dr7 = 0x000f0101;
// page is now read-only, which is all SetThreadContext needs
VirtualProtect(cont, sizeof(CONTEXT), PAGE_READONLY, &dummy);
SetThreadContext(hThread, cont);

Again, it's a small bug, nobody is abusing it yet, so there is no real reason to fix it.