09 Jun 2015

Excuse the mess #2

I'm in the middle of updating the blog to the latest version of WordPress. It's not a really straightforward process, as the new emoji support in WordPress 4.2 causes the RSS feeds to stop validating, and there are lots of other tiny but ugly issues with it.

So, please excuse the mess, I'm doing my best to iron out all the remaining wrinkles. wink And please let me know if you notice anything wrong with the site, comments or RSS.


Update: looks like all issues are resolved. Enjoy!

25 May 2015

Blogging is hard

When I started this blog, I wanted to try and see what would happen. I thought I had so many things to say and write about. I still do. smile

But as I found out soon enough, making a decent-quality blog post takes hours. And I don't have that much free time. So, I had to choose between making half-assed posts with pretty kittens and lists of "Top-X things you don't really care about", or taking my time to write a proper post about something (technical) that I learned recently - at the expense of less frequent updates.

I chose to write less often. Currently I'm managing one proper post per week, and I really hope to keep it that way. Of course, the more feedback I get, the more motivated I'll be to write. So, it's all in your hands... wink

On a related subject, I added a simple captcha to the comment form. Looks like it's working really well to keep most of the spambots away. But if you encounter any problems with it, please let me know.

13 May 2015

Fixing choppy sound in Chrome within RDP connection

Some things and services are banned from work computers. Like your collection of MP3s. Or p2p-based television. Or access to Pandora. smile But everyone knows that music is a really great motivator! So, I decided to try a small trick: use an RDP connection to my home PC and play my MP3s from there.

It turns out that playing MP3s in Winamp works great. However, playing Pandora radio or anything else in Chrome produced very choppy sound, and the video framerate was around 3fps... That's not great at all.

A quick Google search turns up this 1.5-year-old Chrome bug: Issue 310983: choppy sound playing videos within RDP session (not only Flash, also HTML5). As happens quite often, it's reproduced by several people but nobody gives a flying fcuk about actually fixing it. So much for open source and quick fixes...

Lucky for me, there was a workaround suggested in the comments - install RDP 8.0 server and client.

Hmm, I haven't heard anything about RDP version 8.0. How is that possible?

Turns out, it comes by default on Windows 8.x but must be manually installed and explicitly enabled on Windows 7. It's one of those hidden treasures very few people know about!

So, on my home Win7 box I installed updates KB2574819 and KB2592687 and restarted. It then automatically received Security Update KB2965788, and got another restart. I made the necessary change in group policy (the "Enable Remote Desktop Protocol 8.0" setting under Remote Desktop Session Host > Remote Session Environment; note that RDP 8.0 also carries traffic over UDP port 3389, so the firewall must allow UDP as well as TCP), and - you guessed right - yet another restart. Then I got locked out of my box, because suddenly my username was not in the "Remote Desktop Users" group, and I had to re-add it manually. Logged in, and everything works as it should. Pandora sounds great, video is suddenly smooth and watchable, and my work productivity goes... UP! smile

Happy happy joy joy!

Further reading

List of new features in RDP v8.0
Technical blog explaining technologies behind RDP v8.0 magic

16 Apr 2015

About e-governments

Two days ago Google released Chrome 42. It's the answer to life, the universe and everything. And among other things, it disables all NPAPI plugins by default, finally putting that Java nightmare into its grave. Good riddance!

But what about other NPAPI plugins? Like, you know, the ones used for electronic documents, digital signatures and other e-government thingies?

Well, here are two ways government agencies approach the same problem:
e-governments compared

Welcome to the 21st century. If you're Estonian, that is...

31 Mar 2015

The malware arms race

Today's Slashdot features a very nice question:

We've been in a malware arms race since the 1990s. Malicious hackers keep building new viruses, worms, and trojan horses, while security vendors keep building better detection and removal algorithms to stop them.
...
My question: will the balance continue, or is one side likely to take the upper hand over the next decade or two? Which side is going to win?
...

In the comments you'll see a lot of libertarian psychobabble about how NSA/CIA/{whatever-3-letter-organization} caused this, how you are going to surrender your fundamental rights to a few corporations who pretend to protect you, how everything sucks and will suck even more in the future.

Well, that IS Slashdot, after all.

But this comment made my day so much better:
Idiots will lose

Have fun and keep your schlongs safe!

16 Mar 2015

Fighting comment spam

When I started this blog, I was aware that comment spam exists. What I didn't know, is how common it really is. smile

Current statistics are:

Comment type   Count     %
Spam              39    56
Normal            29    41
Trashed            2     3
Total             70   100

What can be done?

WordPress has several anti-spam plugins. Some of them add captchas, some rely on JavaScript, and others rely on continually updated blacklists of spammer IPs and/or keywords. I hate captchas, I respect users who use NoScript, and my webhost is running with allow_url_fopen = false, which prevents automatic blacklist updates. Crap!

So, I'm left with very few options, like blocking spammer IP address ranges using the .htaccess file and mod_rewrite.

mod_rewrite magic

When you know what you're doing, mod_rewrite does wonders. When you don't, you might lock yourself out of web-admin interface. Trust me, it's not fun! wink

In the very simplest form, we can block one IP address:

RewriteCond %{REMOTE_ADDR} ^(123\.456\.789\.666)$
RewriteRule (.*) - [F,L]

The first line is a condition: if the visitor comes from IP address 123.456.789.666 (a deliberately invalid placeholder; put a real address there), apply the rule. Keep in mind that mod_rewrite matches the IP address against a regexp, so do not forget the backslashes! An unescaped "." matches any character, so ^1.2 would match 112.x.x.x, 122.x.x.x and so on, and you might accidentally block far more than you wanted.

The second line is the rule: whatever URL the visitor tries to access, send the response "403 Forbidden". (.*) is a regexp matching anything[1]. [F] forbids access and [L] stops any other rules from applying, making it the last rule.

It will work, but my webhost does not allow custom 403 pages. So, we can adjust the example a bit:

RewriteCond %{REMOTE_ADDR} ^(123\.456\.789\.666)$
RewriteCond %{REQUEST_URI} !/error.html$
RewriteRule (.*) /error.html [R=302,L]

Now there are 2 conditions: the first matches the IP address, the second checks that the requested page is not error.html (without it, the redirect to error.html would itself be redirected, in an endless loop). Note that by default all conditions must match (logical "and").

Also, [R=302] redirects the visitor to error.html with a "302 Found" response instead of sending "403 Forbidden".

It's better, but we need to block several IP blocks. That's easy too!

RewriteCond %{REMOTE_ADDR} ^123\.456\.789 [OR]
RewriteCond %{REMOTE_ADDR} ^555\.666
RewriteCond %{REQUEST_URI} !/error.html$
RewriteRule (.*) /error.html [R=302,L]

The [OR] flag says we're checking whether the IP address begins with 123.456.789 or 555.666. The regexp was also changed to check only the beginning of the address and ignore the rest. One caveat: a prefix that stops in the middle of an octet matches more than it looks like, e.g. ^23\.9 matches 23.90.x.x through 23.99.x.x as well as 23.9.x.x, so end the prefix with \. when you mean a whole octet.

That's it. Easy, right? smile

Identifying spammer-friendly IP blocks

I just went through my inbox and looked at the "Please moderate" emails:

Author : Adrienne (IP: 104.168.70.107 , 104-168-70-107-host.colocrossing.com)
E-mail : hekhwrjjrab@mail.com
URL : http://Adrienne
Whois : http://whois.domaintools.com/104.168.70.107
Comment:
Hi, my name is Adrienne and I am the sales manager at {Spammer Company}. I was just looking at your When software is good enough | Life In Hex website and see...

So, the offending IP address is 104.168.70.107.

DomainTools tells us it's owned by ColoCrossing, and how large the IP block is:
IP Location: United States United States Williamsville Proxy R Us.com
ASN: United States AS36352 AS-COLOCROSSING - ColoCrossing (registered Dec 12, 2005)
Resolve Host: 104-168-70-107-host.colocrossing.com
Whois Server: whois.arin.net
IP Address: 104.168.70.107
NetRange: 104.168.0.0 - 104.168.127.255

Going through other notification emails, I identified 2 more spammer-friendly proxy/VPS services: AS15003 and Krypt. That covers almost all of the comment spam; the rest comes from residential IP addresses in China and Vietnam, most likely part of some botnet and not really worth blacklisting.

Putting it all together

Armed with basic knowledge about mod_rewrite and the offending IP addresses, I put it all together:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !/403.html$
RewriteCond %{REQUEST_URI} !/403.png$
RewriteCond %{REQUEST_URI} !/403.css$
RewriteCond %{REQUEST_URI} !/sad.png$
RewriteCond %{REMOTE_ADDR} ^23\.108\.170 [OR]
RewriteCond %{REMOTE_ADDR} ^23\.94 [OR]
RewriteCond %{REMOTE_ADDR} ^104\.168 [OR]
RewriteCond %{REMOTE_ADDR} ^98\.126
RewriteRule (.*) /403.html [R=302,L]
</IfModule>

So, anyone coming from those IP address blocks will get redirected to http://lifeinhex.com/403.html. Two things to keep in mind: these conditions match on prefix, so ^104\.168 blocks all of 104.168.0.0/16 even though the NetRange above is only 104.168.0.0 - 104.168.127.255 (a /17), and ^23\.94 blocks all of 23.94.0.0/16, so check the WHOIS range before cutting the pattern short. And %{REMOTE_ADDR} is the address of the TCP peer, so behind a CDN or reverse proxy these rules would see the proxy's address, not the spammer's. Problem (hopefully) solved! smile
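To make the prefix caveat concrete, here is an added Python example (not code from the original post) that turns the NetRange from the WHOIS lookup above into an exact, anchored CondPattern, emits an .htaccess block in the same shape as the final one above, and emulates RewriteCond's unanchored regex search to show what a bare prefix like ^104\.168, or an unescaped ^1.2, catches beyond the intended block. It assumes %{REMOTE_ADDR} holds a plain dotted-quad IPv4 address; the sample addresses are constructed for the demo.

```python
"""Exact RewriteCond IP patterns from a WHOIS NetRange.

Added example, not code from the original post. Assumes RewriteCond compares
%{REMOTE_ADDR} against an unanchored PCRE pattern (mod_rewrite's behaviour)
and that REMOTE_ADDR is a plain dotted-quad IPv4 address. The NetRange is the
ColoCrossing one quoted on the page; the sample addresses are constructed.
"""
import ipaddress
import re
from typing import Iterable, List


def range_regex(lo: int, hi: int) -> str:
    """Regex alternation matching exactly the integers lo..hi (0..255) as they
    appear in dotted quads, i.e. without leading zeros. For example
    range_regex(0, 127) -> '[0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-7]'."""
    alts: List[str] = []
    # Handle 1-, 2- and 3-digit numbers separately so the first digit is never 0.
    for seg_lo, seg_hi in ((0, 9), (10, 99), (100, 255)):
        start, end = max(lo, seg_lo), min(hi, seg_hi)
        while start <= end:
            digits = len(str(start))
            # k = number of trailing positions that may be any digit ([0-9])
            k = 0
            while (k + 1 < digits and start % 10 ** (k + 1) == 0
                   and start + 10 ** (k + 1) - 1 <= end):
                k += 1
            base = start // 10 ** k
            d0 = base % 10
            # m = how many consecutive values of the digit before those positions fit
            m = 1
            while d0 + m <= 9 and start + (m + 1) * 10 ** k - 1 <= end:
                m += 1
            prefix = str(base // 10) if base >= 10 else ""
            digit = str(d0) if m == 1 else f"[{d0}-{d0 + m - 1}]"
            alts.append(prefix + digit + "[0-9]" * k)
            start += m * 10 ** k
    return "|".join(alts)


def network_regex(net: ipaddress.IPv4Network) -> str:
    """Anchored CondPattern matching exactly the addresses in one CIDR block.
    A CIDR block is a product of per-octet ranges, so one regex per octet is exact."""
    parts = []
    for lo, hi in zip(net.network_address.packed, net.broadcast_address.packed):
        r = range_regex(lo, hi)
        parts.append(f"(?:{r})" if "|" in r else r)
    return "^" + r"\.".join(parts) + "$"


def netrange_to_cidrs(netrange: str) -> List[ipaddress.IPv4Network]:
    """Turn an ARIN-style 'first - last' NetRange into the minimal list of CIDR blocks."""
    first, last = (ipaddress.IPv4Address(s.strip()) for s in netrange.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def build_htaccess(nets: Iterable[ipaddress.IPv4Network], error_page: str = "/403.html",
                   assets: Iterable[str] = ("/403.png", "/403.css", "/sad.png")) -> str:
    """Emit the same .htaccess structure as the post's final version, but with
    exact network patterns instead of bare prefixes."""
    lines = ["<IfModule mod_rewrite.c>", "RewriteEngine On"]
    for path in (error_page, *assets):
        escaped = path.replace(".", r"\.")  # never redirect the error page or its assets
        lines.append(f"RewriteCond %{{REQUEST_URI}} !{escaped}$")
    pats = [network_regex(n) for n in nets]
    for i, pat in enumerate(pats):
        suffix = " [OR]" if i < len(pats) - 1 else ""  # OR-chain the address conditions
        lines.append(f"RewriteCond %{{REMOTE_ADDR}} {pat}{suffix}")
    lines.append(f"RewriteRule (.*) {error_page} [R=302,L]")
    lines.append("</IfModule>")
    return "\n".join(lines)


def cond_matches(cond_pattern: str, ip: str) -> bool:
    """Emulate RewriteCond %{REMOTE_ADDR} <CondPattern>: an unanchored regex search."""
    return re.search(cond_pattern, ip) is not None


def over_blocked(loose_pattern: str, nets: Iterable[ipaddress.IPv4Network],
                 samples: Iterable[str]) -> List[str]:
    """Addresses hit by a loose pattern that lie outside every intended block."""
    nets = list(nets)
    return [ip for ip in samples
            if cond_matches(loose_pattern, ip)
            and not any(ipaddress.IPv4Address(ip) in n for n in nets)]


if __name__ == "__main__":
    nets = netrange_to_cidrs("104.168.0.0 - 104.168.127.255")  # NetRange from the page's WHOIS
    print(build_htaccess(nets))
    # constructed samples: inside the /17, inside 104.168/16 but outside the /17, unrelated
    samples = ["104.168.70.107", "104.168.200.1", "1.2.3.4", "122.5.6.7"]
    print("post's ^104\\.168 also catches:", over_blocked(r"^104\.168", nets, samples))
    print("unescaped ^1.2 catches:", [ip for ip in samples if cond_matches(r"^1.2", ip)])
```

Run it and paste the emitted block into .htaccess; for a WHOIS range that is not CIDR-aligned, summarize_address_range yields several blocks and one condition per block is OR-chained. On Apache 2.4, "Require not ip 104.168.0.0/17" inside a RequireAll container does the same job without regexes, but the regex form is what works on shared hosts still running 2.2.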

Further reading

These sites were invaluable in adding simple spam block to my blog:
How to redirect requests from particular IP addresses or networks with mod_rewrite - basic usage.
System: mod_rewrite: Examples - great examples, explained well.
mod_rewrite Cheat Sheet - all I ever wanted to know, and little bit more.
How To Ban And Block Proxy Servers? - I didn't have to take this approach yet. And it wouldn't work against "elite" proxies anyway.

Footnotes

1. Actually, the pattern in the RewriteRule does not need to match the _whole_ URL, so you might encounter "$", "(.*)", "." and many more variations in these kinds of rules.

10 Mar 2015

Gigaom suspends operations

This day started with some sad news:

Gigaom recently became unable to pay its creditors in full at this time. As a result, the company is working with its creditors that have rights to all of the company’s assets as their collateral. All operations have ceased.

Gigaom is (was?) a very nice technology site. I liked it. And I'll certainly be sad to see it go. However, this failure proves something I've said for years, yet everyone else seemed to disagree:

If your web-based business depends on ad revenue, you're going to fail.

Sure, some stay-at-home moms can make a few hundred bucks per month by blogging about the color of their baby's poop. And some other stay-at-home moms will read this shit blog, look at the ads, and possibly even click on the Pimpers(tm) picture to buy some. Yes, that can work.

But you can't build a real business based on ad revenue.

Nobody loves ads

Face it - people hate ads. That's why people install adblockers. It's not because they hate you, the poor publisher. It's not because adblocker speeds up web page loading time. And it's certainly not because people need to save some traffic.

You can remind them nicely:
flightradar

You can nag and deny access to your precious content, like ArsTechnica did in 2010, or lots of sites try to do today:
playindiafilms

But no matter how hard you try, you can't make a long-term business based on ads.

R.I.P. GigaOm, I hope others will learn from your failure.

26 Feb 2015

When software is good enough

Microsoft, Google and Apple make software for everybody. Millions of users run this software every day. It must be stable and user friendly, so that Aunt Judy and Average Farmer Joe can use it. If it crashes, a clueless user can't do much about it, and that's bad. That's why these companies spend thousands of hours testing and improving usability.

On the other hand, reversers make tools: specialized software for solving small and nasty problems, like hiding a debugger, defeating a specific protection or bypassing some authorization check. Tools are made by a reverser for a reverser, so there are completely different expectations for them. Nobody expects that today's DNGuard unpacker will work with next year's DNGuard binaries, or that DRM authors won't change their encryption mechanisms.

That's why reversers make tools that are just "good enough".

Olly, Confuser and de4dot

A funny thing happens when reversing tools suddenly become extremely popular. Newbies start using them, ordinary users start using them, and the expectations change. Suddenly the author is overwhelmed with extremely helpful "bug reports" like "cannot unpack latest reactor" or "obfuscation fails for my application". It's annoying, wastes the reverser's time and is not helpful in any way. Therefore I totally understand 0xd4d's reaction:

There's no support. Don't email me if you can't use it or if it fails to deobfuscate a file obfuscated with an updated obfuscator.

Instead, try to update de4dot yourself. It's a lot easier than you think. If you can't, search the Internet and you should find a couple of forums where you can ask your question.

TitanHide is good enough

Earlier this month I made a few posts about bugs in TitanHide. Are these real bugs? Yes. Is it important to fix them? Not really. Let's face it - there are literally dozens of ways to detect TitanHide. But until commercial protectors start doing that, nobody cares.

TitanHide works and does its job well - that's all that matters. smile

The two bugs I mentioned earlier

The first bug was a confusion about the CONTEXT_DEBUG_REGISTERS flags. You see, CONTEXT_DEBUG_REGISTERS is defined as

which is quite unexpected. smile So, the code

was accidentally removing the CONTEXT_i386 flag from ContextFlags. Such a call to should fail; I'm pretty sure it did fail in some cases in my VMware, but in the real world it works just fine.

The second bug is in checking whether the CONTEXT structure is writeable when calling SetThreadContext. Why should it be? SetThreadContext only reads from it. So, this pseudo-code lets you defeat TitanHide's hardware breakpoint protection with ease:

Again, it's a small bug, nobody is abusing it yet, so there is no real reason to fix it.

16 Feb 2015

Why you should not worry about HARES

Last week Wired published an article about HARES - Hardened Anti-Reverse Engineering System. The article is a really great example of what happens when some idiot starts writing about things he has no clue about.

I wanted to write a full-length post about that, but Errata Security beat me to it. So, please enjoy this great writeup instead. smile Thank you, guys!

So, can HARES be used in malware?

Wired article states that:

[HARES] could also mean the start of a new era of well-armored criminal or espionage malware that resists any attempt to determine its purpose, figure out who wrote it, or develop protections against it.

First, HARES requires a hypervisor. If the attacker had the ability to install a hypervisor on your system, you were screwed anyway. This also means that 99.999% of today's malware won't be able to take advantage of HARES.

Second, modern antimalware solutions do not need to analyze code. They can analyze behavior of the process, monitor network connections, registry changes, file system changes - and that's enough for a successful detection. HARES doesn't interfere with that.

You can go to sleep peacefully tonight, the world is still spinning and no magical malware is going to appear overnight.

Further reading

HARES FAQ
PDF: MoRE Shadow Walker: TLB-splitting on Modern x86
Youtube video: Virtualization: MoRE Shadow Walker The Progression of TLB Splitting on x86
PAGEEXEC and TLB Splitting

12 Feb 2015

Rapidshare is closing. And nothing of value was lost.

As reported by Neowin, Rapidshare customers today are greeted with the message:
rapidshare_closing_notice

Which makes me wonder - was anyone still using Rapidshare? Really?

From my experience, their service has been really crappy for the last 3 years. Files were quickly deleted "due to inactivity", and free download speeds reminded me of the good old days with a 56kbps modem.

Alexa's Traffic Rank seems to agree:
Rapidshare popularity graph

R.I.P. Rapidshare. All hail Mediafire, MEGA or Oboom.