Hacker's ramblings

Earlier I wrote about running CentOS 6.3 with Windows 8 Hyper-V.

One day I realized that the status of my network says: Degraded (Integration Services upgrade required). Well... I dunno what that means. Everything seems to work, but if there are any issues I'm not noticing them.

According this conversation at Microsoft's social network, somebody else is having this issue too. They are not noticing anything wrong either. Except the fact that status is degraded. I did try fiddling around with virtual network settings, but no avail.

I guess it is fully working after all.

Is it just me or is vim's automatic comment continue to the next line completely unnecessary? Every time I copy/paste anything into vim it makes the smart choice and completely messes up the code. And this is enabled as a default! WTF?

Something like this will help:

:set formatoptions-=cro

This reads, disable following:

• c
  • Auto-wrap comments using textwidth, inserting the current comment leader automatically
• r
  • Automatically insert the current comment leader after hitting <Enter> in Insert mode
• o
  • Automatically insert the current comment leader after hitting 'o' or 'O' in Normal mode

After that copy/paste works as it should.

PHP has been lacking properly implemented password-hash function. Many web-sites really would benefit from having such a thing available. Zend Framework -guys implemented that into their ZF2. Nice! But for us not running ZF2, doing 1000 hashes in a loop with PHP-code does not sound like a good idea.

Initially I thought that Mcrypt-project would implement PBKDF2 and PHP would gain the function that way. Apparently they're not interested either.

The good news comes from PHP-project. They implemented hash_pbkdf() into native PHP. Great! The problem is, that PHP 5.5.0 has not been released yet. I didn't want to wait and back-ported the function from PHP 5.5.0 source tree into my own 5.4.11.

For those wanting to build their own, the patch is here: php-5.4.11-pbkdf2.patch

The test from PHP manual page:

$hash = hash_pbkdf2("sha256", $password, $salt, 1, 20);
echo $hash . "\n";

Yields exactly correct result: 120fb6cffcf8b32c43e7

Doing only 1 round is very naive. The recommended minimum is 1000 and apparently 2000 is the way to go. I took Zend Framework's Zend\Crypt\Key\Derivation\Pbkdf2 as a reference and did 2000 rounds instead of 20. Both algoritms return exactly the same result, though they handle the length-parameter differently. ZF2 assumes bytes, but PHP's native version assumes hex-string length. But I did iron out the difference in my code.

The native version does 2000 rounds in 0.00674 seconds, and native PHP-version does that in 0.012470 seconds, so C-compiled binary is 100% faster.

My test code for native version:

<?php

$password = "password";
$salt = "salt";

$now = microtime(true);
$hash = hash_pbkdf2("sha256", $password, $salt, 2000, 20);
$dura = microtime(true) - $now;
echo $hash . "\n";
echo sprintf("%12.11F", $dura) . " seconds\n";

?>

My test code for Zend Framework 2 version:

<?php
require_once 'Hmac.php';
require_once 'Pbkdf2.php';

$password = "password";
$salt = "salt";

$now = microtime(true);
$hash = Zend\Crypt\Key\Derivation\Pbkdf2::calc("sha256", $password, $salt, 2000, 10);
$dura = microtime(true) - $now;
echo bin2hex($hash) . "\n";
echo sprintf("%12.11F", $dura) . " seconds\n";

?>

If you're site is not storing passwords properly, its about time to start now.

My weapon-of-choice in Linux CLI is vim. However, out-of-the-box it acts very stubbornly when editing files with modeline. The nice modelines seem to have zero effect. WTF!?

To my amazement, it appears that modelines are turned off as a default. It can be verified with a simple echo command from vim:

:echo &modeline

will yield 0 as an answer. So step 1 is to enable them in ~/.vimrc, if the file does not exist, create it. If it does exist, make sure that it contains following:

set modeline

Then confirm that echo will display 1 to indicate that modeline is enforced. What a great idea to not enable them! Nice going suckers!

To create your own modeline, put something like this into your file:

# vim: tabstop=4 shiftwidth=4 softtabstop=4 expandtab:

It reads:

• tabstop=4
• The width of a TAB is set to 4. Still it is a \t. It is just that vim will interpret it to be having  width of 4.
• shiftwidth=4
• Indents will have a width of 4
• softtabstop=4
• Sets the number of columns for a TAB
• expandtab
• Expand TABs to spaces
  

There is this guy, whose hobby is to do penetration testing for websites of his interest. He's a white hat -guy, so he does his best to inform webmasters. Quite often he reaches nobody and eventually publishes his findings.

Janne's blog is at http://janne.is/. I'd sure hate to see one of my sites listed there.

Windows 8 Pro comes with Microsoft's Hyper-V virtualization platform. If you have new and beefy PC, it is likely that the CPU supports Hyper-V (Celeron owners, don't bother). Everybody needs couple of Linuxes running inside your Windows, right? At least I do.

Getting the newly installed CentOS 6.3 to support networking is a bitch. After the CentOS installation finishes you're left on a virtual console screen with little possibilities of getting to outside world from your sandbox. The Wikipedia article about the subject reveals, that Microsoft had to submit their code into Linux kernel to comply with GPL license requirements. But still, CentOS 6.3 has kernel 2.6.32, but the much needed Hyper-V kernel modules are not available. Darn!

It took me an hour of Googling around, before I ended on Microsoft web page titled Linux Integration Services Version 3.4 for Hyper-V. I got the .ISO image, mounted it into my virtual Linux and run the install script. Yesh! The script managed to get my NIC to appear as eth0. After that it was just a breeze to get it configured with DHCP-client. It's a pity that nobody clearly documents this part of the installation process. People could save hours of work if somebody said to go get them.

Apparently new Linux distros come with Hyper-V drivers built in. In my case I need to run the same OS than my production server does.

MagicISO is ancient ISO-image editing app. If you want to install it and see the ancient look it has and notice that the trial versio is hugely crippled, you may choose to uninstall it like I did.

Guess what! It does not remove the shell extension and the DLL-file associated with it. The software is gone and there is very little you can do to get rid of the context menu.

I found that NirSoft's ShellExView is the tool for that job. Just pick the MagicISO context menu and disable it. The menu does not disappear from the context menu automatically. Explorer needs to be reloaded for that. I simply killed the process with Windows Task Manager and restarted it.

Done!

I own a number of domains for HQ Code Shop Oy. Chinese really evil crackers have coined a scam to scare domain owners with little knowledge about domain ownerships. Based on Google search there is evidence about this scam as early as 2008. This is my autopsy of this single event. My aim in the blog-entry is to provide Google-findable catch-words and information so that nobody actually pays them anything.

They start very calmly by implying that somebody else is about to register a number of Asian domains matching <enter your domain here>. Natually every owner is now alerted and wants to know more. Apparently the next step they do when you reply the Chinese scammers is that they offer you the right-of-way, you get to purchase yours before the alleged other party. Any CEO will pay immediately to get theirs first, right?

Of course there is no other party. The scammers just did some data mining and saw you having suitable domains and found public records that the owner is a company.

The company of DSH Internet solutions looks legit at a glance. They have a website at http://www.dsh-web.org/, but a closer look to their support page reveals that there are no actual methods of contacting them, all of the contact mehods are just images. No links! Even the webmail-link at top of their page leads nowhere. Looks like the "company" providing this domain service is fictitious. My plan was to call them at +86.55165223114 or fax them at +86.55165223113 or visit them at address: No.660 MeiLing Big Road, Hefei, Anhui, China. And ask Mr. Allen Zhang some further details about the e-mail they sent me.

Their web-site looked like this when I visited it:

The e-mail I got has following headers (I wrapped the really long lines):

Delivered-To: jatu@hqcodeshop.fi
Received: by 10.64.37.138 with SMTP id y10csp98501iej;
        Tue, 8 Jan 2013 00:57:10 -0800 (PST)
X-Received: by 10.68.143.100 with SMTP id sd4mr187348993pbb.107.1357635430057;
        Tue, 08 Jan 2013 00:57:10 -0800 (PST)
Return-Path: <allen@dsh-web.org.cn>
Received: from mail.umail186.cn4e.com (mail.umail186.cn4e.com. [117.27.151.73])
        by mx.google.com with ESMTP id g10si58402821pay.172.2013.01.08.00.57.05;
        Tue, 08 Jan 2013 00:57:10 -0800 (PST)
Received-SPF: neutral (google.com: 117.27.151.73 is neither permitted
  nor denied by best guess record for domain of allen@dsh-web.org.cn)
  client-ip=117.27.151.73;
Authentication-Results: mx.google.com; spf=neutral (google.com:
  117.27.151.73 is neither permitted nor denied by best guess
  record for domain of allen@dsh-web.org.cn) smtp.mail=allen@dsh-web.org.cn
Received: from allenpc (localhost.localdomain [127.0.0.1])
    by mail.umail186.cn4e.com (Postfix) with SMTP id 71C0220103BF;
    Tue,  8 Jan 2013 16:57:02 +0800 (CST)
Received: from allenpc (unknown [36.32.3.184])
    by mail.umail186.cn4e.com (Postfix) with ESMTPA;
    Tue,  8 Jan 2013 16:56:58 +0800 (CST)
From: "Allen Zhang"<allen@dsh-web.org.cn>
To:
Subject: Urgent notice about dispute domain registration
Date: Tue, 8 Jan 2013 16:56:58 +0800
Message-Id: <DM__130108100524_70544483772@mail.dsh-web.org.cn>
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="----=_NextPart_13010810060858547480271_001"
X-Priority: 1
X-Mailer: DreamMail 4.6.9.2

When I received the e-mail, it appeared almost legit. However, there is no person to whom the e-mail is addressed to. See the To: -field above. Any real approach would be clearly addressed to me with my e-mail.

The e-mail arrived to Google from IP-address of 117.27.151.73. It looks legit, it is in China. However, a number of spam / scam attempts originate from that particular ISP's address spaces. Example from YUtrade.net banning some of them. So, it looks like the ISP does not weed out the bad apples.

The e-mail's body contains three MIME-parts. Alternate plain-text and HTML texts and an image of their URL. Whaat? Why would any real company send their company web address as something that you cannot click or copy/paste.

I'll paste the HTML-part here to provide nice words for Google to catch:

(Letter to Head of Brand Business or CEO, thanks)

Dear Sir or Madam,

This is a formal email. We are the department of Asian Domain Registration Service in China. Here I have something to confirm with you. We formally received an application on January 8, 2013 that a company claimed VET Int'l Ltd were applying to register "hqcodeshop" as their Brand Name and some hqcodeshop Asian countries top-level domain names through our firm.

Now we are handling this registration, and after our initial checking, we found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we would finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we could handle this issue better. After the deadline we will unconditionally finish the registration for VET Int'l Ltd. Looking forward to your prompt reply.

Best Regards,

Allen Zhang

Tel: +86.55165223114 || Fax: +86.55165223113
Address: No.660 MeiLing Big Road, Hefei, Anhui, China

I did report this e-mail as a phishing attempt to Google. Hopefully they'll manage to warn their customers about this.

Looks like my ISP (Sonera) loves to boot my cable modem on first monday of each month at noon(ish). Must be something regarding deactivating those boxes who did not pay the bills.

Sonera: Not cool, guys!

The out-of-the-box experience was ok, but I wanted this blog not to look like just out-of-the box.

There are plenty of nice looking ready-made templates for Serendipity at http://serendipity-templates.org/. I just picked up one that will "catch the eye". I'm expecting comments like "whoa! what's that brown thing". Definitely not eye candy, but not too ugly.

Fedora 17 does come with pre-built Bacula, but the important virtual tape-changer software is a separate SourceForge project and Fedora-people don't seem to include it.

I found a SPEC-file for vchanger and built binaries. The src-RPM is also there, go get them if you need'em. The goodies are at http://opensource.hqcodeshop.com/Bacula/.

My weapon of choice for this blog is Serendipity Weblog System.

The criteria were simple:

1. Written in PHP
2. Not WordPress
3. Must support PostgreSQL
4. Not WordPress
5. Enough popularity / reputability, that one will want to run the software
6. and finally: Not WordPress

Serendipity seems to have all 6 of the above. It is a pain to install the way I did it. I'm mod_rewriting the /serendipity/ directory away and it causes a ton of pain. I managed to do that, but it is obvious that the authors did not plan this software to be (ab)used like that.