Finally, ICACLS Valhalla!
August 20, 2007
Posted by Roel in: Technical, 2 comments
Did you ever need to script setting file or folder permissions, or write a deployment or install script? Or did you ever screw up the NTFS permissions on the C:\Windows folder (including all its subfolders)?
If so, you’d better read on.
Microsoft finally came up with a solution that ends the horror of automatically setting NTFS permissions with the slow and buggy CACLS variants. (more…)
ABN-AMRO security weaknesses
April 17, 2007
Posted by Roel in: Technical, 1 comment so far
Today I took some time to write a little about ABN-AMRO’s security weaknesses.
This article, including its examples and example code (which will be posted later), is for educational purposes only.
Account blocking
It is made far too simple to lock an account for internet banking: go to https://www.abnamro.nl/nl/homepage/overview.html, type an existing bank account number with any card number, submit this 5 times and the account will be locked.
The owner of the account then needs to call the Service Center (or submit a letter or fax) and request that the account be unlocked. This takes some time; meanwhile he or she cannot use internet banking or online stock trading.
You might think: “Nothing wrong, it’s just one account”.
Wrong! Imagine building a script that blocks all account numbers of all internet banking customers.
(more…)
Miss list
February 6, 2007
Posted by Roel in: Technical, add a comment
Instead of making a wish list, I’ll give you my miss list below. Most of the items should be vaporware #1, since many people have been waiting years for them, and the gap will only become a bigger problem in the future. As soon as an item or a good workaround is available, I’ll post it next to the item.
- MySQL (5.x) Cluster for Windows (Server) (thread)
- MySQL open-connection and password-attack protection (auto-block IP)
- IIS FTP – password-attack protection (auto-block IP) (also see this EE request)
Get the most out of your Ipaq 6915
January 25, 2007
Posted by Roel in: Technical, 7 comments
Last year I bought my new HP Ipaq 6915. Last month the touchscreen broke (it no longer responded to touch). At first I thought it was a software problem, so I did a hard reset on the device. Too bad: after a hard reset you must tap the screen, which I couldn’t. I called HP, who came to pick up the device, and within one week UPS brought a new one (thanks to the CarePaq). A new year, a new device, a new clean start. Below are my best software picks and tweaks for this device:
- CoolCam (instead of using the slow camera)
- SmartTweaker 1.08 (for the real-time memory defrag, blinking SMS LED, menu and IE speedup, flexible handling of EXE and CAB files, and setting the call history to 1000).
- PHM Registry Editor (0.70) for Pocket PC (to make the TomTom6 internal GPS fix and more)
- Eye on Privacy (0.40) (to lock my SMS/mail or even call log/phone/calendar with a PIN code. Note that the user interface is a bit ugly. It can also safe-list SMS, insert a fake SMS or send an urgent/alert SMS with a hotkey)
- TomTom6 (TomTom5 was built-in)
- Phone Hack (replaces the .mid files with .wav files to fix slow number input) (thread) (download it free from my mirror)
Trans IP removes negative feedback.
December 10, 2006
Posted by Roel in: Technical, add a comment
One year ago, the main domain name of my company was hijacked; fortunately we monitor those things and I was in time to prevent a small disaster.
The company that initiated this hijacking was Trans IP, one of the larger hosting companies in the Netherlands. I thought it was my duty to write a short comment about this hijacking at the ‘independent’ web-hosting comparison site www.webhosters.nl.
A few months later I noticed there was a reaction on the site from Trans IP. I guess their marketing department was trying to get the negative feedback off the web. One week later I got an email from Dennis; he was a Trans IP customer, had some complaints and had experienced weird things with Trans IP, so he had also written a comment at www.webhosters.nl.
He also got a reaction (fax1 and fax2) from Trans IP and had to remove his comment at www.webhosters.nl or face a lawsuit. He did, because he didn’t want any further problems, and moved to another web hoster.
It is probably disturbing to the people at Trans IP that when you google their name there are plenty of negative stories about them; instead of lifting their service to a higher level they decided to remove the negative content and threaten with lawsuits.
HowTo setup a DNS Appliance (Cobalt RAQ2)
November 29, 2006
Posted by Roel in: Technical, 2 comments
In the last few weeks I spent some time working on a ‘new’ DNS appliance. DNS is lightweight, but you must have multiple separate servers in multiple locations for redundancy. Using a power-hungry HP DL-360 server would be serious overkill, and running Microsoft Windows Server for DNS only is a waste of licensing, money, expertise and hardware. The need for a simple (cheap hardware), easy to manage (web interface), standard (BIND for DNS), flexible (capable of working with Active Directory) and low-power DNS appliance is everywhere.
Bug in ServerXMLHTTP with POST/303
September 18, 2006
Posted by Roel in: Technical, 1 comment so far
Last night I was developing with ServerXMLHTTP. ServerXMLHTTP is included with the Microsoft XML Parser (MSXML) version 3.0 or later.
Do not confuse ServerXMLHTTP with XMLHTTP, which is designed for client applications and relies on URLMon, which in turn is built on Microsoft Win32 Internet (WinInet).
The following bug concerns ServerXMLHTTP (so also: MSXML 3 – MSXML 4 SP2).
When doing a POST to a URL and the server responds with "HTTP 303 – See Other", ServerXMLHTTP will re-POST to the given URI.
According to the HTTP specification it should follow the given URI with a GET request.
This issue is actually a ‘wrong implementation’ by Microsoft.
I see two possible security issues:
- Re-posting a username/password to another URI (without the user noticing).
- Redirect looping when the 303 points to the same source (for example, http://www.abnamro.nl/ does this for Internet Banking). However, I saw that after many redirects ServerXMLHTTP exits with a ‘redirect problem’ to avoid buffer overflows and other ‘damage’. I’m not sure whether all versions do this.
I reported this problem to Microsoft by phone (0800-MICROSOFT, from the Netherlands) and by e-mail (support@microsoft.com), both on September 12th, 2006.
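The following is an added example, not code from the post: a small Python server that answers a POST with 303 See Other, plus a client-side redirect follower that does what the post says ServerXMLHTTP should do. It follows a 303 with a GET and no body, so the credentials from the first POST never reach the second URI, and it caps the number of hops so a 303 that points back to itself ends in an error instead of a loop. The repost_on_303 switch reproduces the reported behaviour so the re-POST becomes visible in the server's request log. The paths (/login, /home, /loop), the form payload and the hop limit are constructed for the demo.

```python
"""Added demo, not the post's code: a constructed local server that answers
POST with "303 See Other", and a follower that treats 303 the way the post
says ServerXMLHTTP should. repost_on_303=True reproduces the reported bug."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

RECEIVED = []  # every request the constructed server saw: (method, path, body)


class _Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

    def _reply(self, status, location=None, payload=b""):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        RECEIVED.append(("POST", self.path, body))
        if self.path == "/login":
            self._reply(303, location="/home")  # the post/redirect/get pattern
        elif self.path == "/loop":
            self._reply(303, location="/loop")  # a 303 pointing back at itself
        else:
            self._reply(405)  # /home takes no POST: a re-POSTed login lands here

    def do_GET(self):
        RECEIVED.append(("GET", self.path, ""))
        if self.path == "/loop":
            self._reply(303, location="/loop")
        else:
            self._reply(200, payload=b"welcome")


class RedirectLoopError(Exception):
    """Redirect chain longer than the hop limit."""


def request(url, method="GET", body="", max_hops=5, repost_on_303=False):
    """Send one request and follow redirects; returns (status, body, hops).
    303 -> GET without a body (the spec); 307/308 keep method and body.
    repost_on_303=True retries a 303 as the original POST (the reported bug)."""
    hops = 0
    while True:
        parts = urlsplit(url)
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
        conn.request(method, parts.path or "/", body=body.encode() or None)
        resp = conn.getresponse()
        data = resp.read().decode()
        conn.close()
        if resp.status not in (303, 307, 308):
            return resp.status, data, hops
        hops += 1
        if hops > max_hops:  # the 'redirect problem' exit the post mentions
            raise RedirectLoopError(f"{hops} redirects starting at {url}")
        loc = resp.getheader("Location")
        url = f"{parts.scheme}://{parts.netloc}{loc}" if loc.startswith("/") else loc
        if resp.status == 303 and not repost_on_303:
            method, body = "GET", ""  # drop both the method and the payload


def run_demo():
    """Run the three scenarios against the constructed server; returns a dict."""
    server = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    creds = "user=roel&pw=secret"  # constructed form payload
    out = {}
    try:
        RECEIVED.clear()
        out["status"], out["body"], out["hops"] = request(base + "/login", "POST", creds)
        out["chain"] = list(RECEIVED)  # correct: POST /login, then GET /home, no body
        RECEIVED.clear()
        out["buggy_status"] = request(base + "/login", "POST", creds, repost_on_303=True)[0]
        out["buggy_chain"] = list(RECEIVED)  # bug: the credentials arrive at /home
        RECEIVED.clear()
        try:
            request(base + "/loop", "POST", "x=1", max_hops=3)
            out["loop_detected"] = False
        except RedirectLoopError:
            out["loop_detected"] = True
        out["loop_requests"] = len(RECEIVED)  # POST + 3 GETs before giving up
    finally:
        server.shutdown()
        server.server_close()
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the block prints, for each scenario, exactly what the local server received. Pointing the same kind of throw-away server at a real client library instead of the follower above is a quick way to check whether that library re-POSTs on a 303 and whether it has a hop limit at all.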
How to setup an IBM Workplace server with CentOS (RHEL) + VNC
May 15, 2006
Posted by Roel in: Technical, add a comment
Recently I installed an IBM Workplace server on CentOS with VNCServer.
The IBM software runs on Windows as well as Linux (Red Hat Enterprise or SuSE).
You actually have to BUY Red Hat Enterprise: they say you pay for a support contract, but you cannot download the install files/ISO without buying that support contract. You can only download the Red Hat Enterprise source files, but then you have to compile them yourself, which is a total waste of time.
So I downloaded CentOS, which is almost the same. CentOS is really free and you can download the DVD ISO or the installation files.
Here is the PDF file I made with a step-by-step how-to for installing CentOS, installing IBM Workplace Server and installing a VNCServer (for remote configuration). I do nothing about tuning and all the installs are quite basic. The PDF is for newbies.
How To install an IBM Workplace Server.pdf
Also look at the PDF if you encounter ‘Disk is Full’ error messages during the installation of CentOS, or if you have problems configuring or connecting to VNCServer (black screen/window after connecting).
Note: the installation of CentOS is done in graphics mode. IBM Workplace server failed to install in command-line mode; after a phone call with IBM, they said it was better to install in graphics mode.
Digest authentication: Impossible to authenticate to DB and IIS Webserver
April 26, 2006
Posted by Roel in: Technical, add a comment
Due to some technical issues (I’ll show you below) it is impossible to use Digest Authentication to authenticate the user against both a database/LDAP and the web server itself. I did this before with Basic authentication, which works fine.
Example 1:
It is possible to authenticate with Basic authentication against a database: simply write a 401 header to the client, wait until the client responds, decode the response with a Base64Decode function and query a database table with that username and password. When you decode the client response with a Base64Decode function, you get ‘username:password’ (separated by a colon). (more…)
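As an added example (not the post's own ASP code), here is the Basic-authentication round trip described above in Python: the 401 challenge, the Base64 decode of the Authorization header, and the lookup in a user table. The user table, realm and credentials are constructed for the example, and it assumes the table holds salted PBKDF2 hashes rather than the plaintext passwords the post's query would compare, so the clear-text password is only ever needed at check time. The decoded string is split on the first colon only, because a password may itself contain colons.

```python
"""Added example, not the post's code: Basic authentication checked against a
constructed user table (salted PBKDF2 hashes, my assumption, not the post's)."""
import base64
import binascii
import hashlib
import hmac
import os

REALM = "example"  # constructed realm name
ITERATIONS = 200_000


def make_record(password, salt=None):
    """Build a stored credential: random salt + PBKDF2-HMAC-SHA256 hash."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}


# Constructed stand-in for the database table the post queries.
USERS = {"roel": make_record("s3cret:with:colons")}


def parse_basic(header):
    """Return (username, password) from an Authorization header, or None.
    Splits on the first colon only: the user-id may not contain a colon,
    but the password may."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed header: treat as no credentials
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def verify(user, password):
    """Constant-time comparison; unknown users still pay the hash cost so the
    response time does not reveal which usernames exist."""
    record = USERS.get(user)
    salt = record["salt"] if record else b"\x00" * 16
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return record is not None and hmac.compare_digest(candidate, record["hash"])


def app(environ, start_response):
    """Minimal WSGI app: answer 401 with a challenge until valid Basic
    credentials arrive, exactly the flow the post describes."""
    creds = parse_basic(environ.get("HTTP_AUTHORIZATION"))
    if creds and verify(*creds):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [f"hello {creds[0]}".encode()]
    start_response("401 Unauthorized", [
        ("WWW-Authenticate", f'Basic realm="{REALM}", charset="UTF-8"'),
        ("Content-Type", "text/plain"),
    ])
    return [b"authentication required"]


def basic_header(user, password):
    """What a browser sends back after the 401: Base64 of 'user:password'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def handle(header):
    """Run one request through app() without a server; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"HTTP_AUTHORIZATION": header} if header else {}
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    print(handle(None))
    print(handle(basic_header("roel", "s3cret:with:colons")))
```

The app function is a plain WSGI callable, so it can be mounted under any WSGI server; handle() drives it directly so the flow can be exercised without one.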
[VBScript/ASP] About Isnull and =null
April 26, 2006
Posted by Roel in: Technical, 1 comment so far
Comparison expressions in VBScript/ASP that contain Null always evaluate to False. See the examples below:
Dim test                    ' never assigned: the variable is Empty, not Null
If (test = Null) Then
    Response.Write "True"
Else
    Response.Write "False"
End If
If Not (test = Null) Then   ' Not Null is still Null, so this branch is never taken either
    Response.Write "True"
Else
    Response.Write "False"
End If
Both print "False". Because Null appears in the comparison, the comparison itself yields Null, and an If treats Null as False; negating it does not help, because Not Null is also Null.
To make it more confusing, look at this example:
test_avc = Null
Response.Write IsNull(test_avc)   ' IsNull tests for Null explicitly: prints True
If (test_avc = Null) Then         ' the comparison is itself Null, so it counts as False
    Response.Write "True"
Else
    Response.Write "False"
End If
This prints "True … False": IsNull reports the Null, while the comparison with = never does, so use IsNull rather than = Null or <> Null to test for Null.
See the VBScript IsNull Reference:
"Use the IsNull function to determine whether an expression contains a Null value. Expressions that you might expect to evaluate to True under some circumstances, such as If Var = Null and If Var <> Null, are always False. This is because any expression containing a Null is itself Null, and therefore, False."