 | Lars Fosdal on Security alarm provider Woonve… |
 | Thomas Mueller on Question got closed in May 202… |
 | Thaddy de Koning on Formulier voor bewindvoerders… |
| Thaddy de Koning on Formulier voor bewindvoerders… |
| Thaddy de Koning on Formulier voor bewindvoerders… |
Posted by jpluimers on 2018/05/04
Via [WayBack] Penetration Testing Tools Cheat Sheet https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/ #Security – This is why I Code – Google+
Penetration testing tools cheat sheet, a high level overview / quick reference cheat sheet for penetration testing.
Source: [Archive.is] Penetration Testing Tools Cheat Sheet
Nmap Cheat Sheet, examples and practical examples
Source: [Archive.is] Nmap Cheat Sheet
Posted in *nix, *nix-tools, nmap, Power User | Leave a Comment »
Posted by jpluimers on 2018/05/04
Apparently Twitter not only logged plain text passwords, but they handle them in a masked form:
Keeping your account secure
When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone. Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. Learn more
This seems to imply passwords are not hashed, but can be recovered into plain text.
Please Twitter, ensure that passwords are never recoverable.
Note: after changing your password at https://twitter.com/settings/password visit https://twitter.com/settings/applications
–jeroen
Posted in LifeHacker, Power User | Leave a Comment »
Posted by jpluimers on 2018/05/04
Since it is password day, please read [WayBack] Use a password manager. Don’t reuse passwords. – The Isoblog.
Background:
Lock it down. Add another layer to your password. PasswordDay.org #PasswordDay
–jeroen
Posted in LifeHacker, Power User | Leave a Comment »
Posted by jpluimers on 2018/05/03
via: [WayBack] Yet another reason to be very careful with what you put in version control: GitLeaks – Search Engine for exposed secrets on the web https://gitleaks.com/ – This is why I Code – Google+
[Archive.is] GitLeaks – Search Engine for exposed secrets on the web
–jeroen
Posted in Development, Security, Software Development | Leave a Comment »
Posted by jpluimers on 2018/05/03
Interesting thought on client-side password hashing: [Archive.is] Client-Side Password Hashing – DelphiTools.
I’ve ambivalent feelings on it, especially since it will expose salt and other settings to the client.
On the other hand it tremendously helps when there are transparent proxies in between. Read the article for full details; here is just one quote below.
Maybe dual hashing would be in place: once at the client to prevent plain-text to go over MITM channels, and a second hash server side with different settings like salt to prevent brute force attacks.
I need to give this more thought.
The quote:
If you are using a regular Windows and a regular browser, access to HTTPS will go through the regular certificate chain, using regular certificate authority. You also benefit from extra security layers like Public Key Pinning.
But when a custom Root CA is installed, all that goes through the window: the custom Root CA allows the corporate proxies to issue “valid” certificates for any website (even google.com and the rest), and the public key pinning features are disabled:
How does key pinning interact with local proxies and filters?
Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor.
A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites. “Data loss prevention” appliances, firewalls, content filters, and malware can use this feature to defeat the protections of key pinning.
All the major browsers have a similar behavior… because it is required to allow transparent proxies. And transparent proxies are the means through which the legal logging requirements are fulfilled.
So besides introducing a major MITM opportunity, this also means that there are legally-required corporate logs somewhere of all that went through HTTPS… including plain text passwords, if you did not hash them on the client-side.
These logs will have varying degrees of security when in the corporate domain… and next to none if they are ever requested by the legal system for an investigation.
–jeroen
Posted in Algorithms, Design Patterns, Development, Hashing, Power User, Security, Software Development | Leave a Comment »
Posted by jpluimers on 2018/05/02
Cool tool that integrates into the Delphi IDE: [WayBack] Dproj changed or not changed? Normalize it! | The Art of Delphi Programming
Via: [WayBack] Introducing DprojNormalizer: http://www.uweraabe.de/Blog/2017/01/18/dproj-changed-or-not-changed/ – Uwe Raabe – Google+
Note there is also RadCLI that requires Python and does it via the command-line:[WayBack] joshkel/RadCli: Command-line utilities for RAD Studio / Delphi / C++Builder
DprojNormalizer supports Delphi XE7 and up.
Updates at [WayBack] Downloads | The Art of Delphi Programming: DprojNormalizer
Note that it requires an elevation to Administrator for installing. If you run Delphi as a normal user, then afterwards you need to register the package yourself, for instance with a batch file like this:
reg add "HKEY_CURRENT_USER\Software\Embarcadero\BDS\18.0\Known Packages" /v "C:\Program Files (x86)\DprojNormalizer\DprojNormalizer240.bpl" /t REG_SZ /d "Dproj Normalizer" /f
reg add "HKEY_CURRENT_USER\Software\Embarcadero\BDS\19.0\Known Packages" /v "C:\Program Files (x86)\DprojNormalizer\DprojNormalizer250.bpl" /t REG_SZ /d "Dproj Normalizer" /f
Adjust your BDS and DllSuffix in the BPL file names using the table at Delphi version info table: C# Builder, Delphi 8 through 10.2 Tokyo and Appbuilder.
If you want to temporarily disable it:
reg add "HKEY_CURRENT_USER\Software\Embarcadero\BDS\18.0\Disabled Packages" /v "C:\Program Files (x86)\DprojNormalizer\DprojNormalizer240.bpl" /t REG_SZ /d "Dproj Normalizer" /f
reg add "HKEY_CURRENT_USER\Software\Embarcadero\BDS\19.0\Disabled Packages" /v "C:\Program Files (x86)\DprojNormalizer\DprojNormalizer250.bpl" /t REG_SZ /d "Dproj Normalizer" /f
If you want to re-enable it: remove the values under Disabled Packages.
–jeroen
Posted in Conference Topics, Conferences, Delphi, Development, Event, Software Development | 1 Comment »
Posted by jpluimers on 2018/05/02
The [WayBack] delphi – How to get rid of exception 80000003? – Stack Overflow got me on the right track:
When I run my program (admittedly, it was built in debug mode), I get an error “External exception 80000003”.
According to Win32 Exception/Access Violation Errors it means
0x80000003 EXCEPTION_BREAKPOINT A breakpoint was encountered.
What happened was that during debugging a multi-threaded application doing quite a bit of Windows API stuff and CPU debugger Windows stuff by single-stepping through it.
Single-stepping involves the debugger putting a lot of temporary breakpoints similar to how other debuggers do this:
when stepping at the source level, the debugger uses temporary breakpoints to stop execution at the specified location
Source: [WayBack] ARM Information Center – ARM DS-5 Using the Debugger – Stepping through an application
On Intel platforms, temporary breakpoints are usually done using an INT 3 instruction as that encodes in the single-byte 0xCC opcode. which is very simple for the debugger to patch and remove: just keep a list of addresses and the original byte content.
Note that some debuggers even allow you to manually set temporary breakpoints that disappear after 1-time use; see [WayBack] Temporary Breakpoint – Now You See It, Now You Don’t – mohit.io:
Have you faced the problem of breakpoint clutter where breakpoints keep piling up only to hinder the debugging session? It is then that one realizes that there are some breakpoints that can be deleted and others disabled. A useful feature in a debugger is a temporary breakpoint that automagically gets deleted when hit thereby reducing the clutter of unnecessary breakpoints.
Somehow this doesn’t work well all the time in the Delphi debugger when using multi-threading, but not in a reproducible way: you get a 0x80000003 exception at irregular moments, but more often when you use more threads.
The solution:
The above is far more painstaking than using single-stepping but suffers from far less problems.
–jeroen
PS: Thanks David Heffernan for indicating “Websearch for NTSTATUS. Knowledge of that macro name is the key.”
Posted in Delphi, Delphi XE8, Development, Software Development | 1 Comment »
Posted by jpluimers on 2018/05/01
Interesting fork of FastMM4 for which I now think I understand why it is not merged into the regular FastMM4 repository: [WayBack] GitHub – maximmasiutin/FastMM4-AVX: FastMM4 fork with AVX support and multi-threaded enhancements (faster locking).
The fork does two things:
Reminder to self: how big is that impact and could the locking be separately merged into the base repository?
Eric Grange:
Looking at https://github.com/pleriche/FastMM4/issues/36 and given than the compile generates SSE2 code for floating point, I guess using AVX may be problematic when your code also does a lot of floating point using Delphi code (rather than AVX asm)
It could be that this repository is using only AVX-128, which might not have a penalty as per Advanced Vector Extensions – Wikipedia:
The AVX instructions support both 128-bit and 256-bit SIMD. The 128-bit versions can be useful to improve old code without needing to widen the vectorization, and avoid the penalty of going from SSE to AVX, they are also faster on some early AMD implementations of AVX. This mode is sometimes known as AVX-128.
Via: [WayBack] Do you use Embarcadero version of FastMM or the “official” bleeding edge version of FastMM from the gitHub repository? Any idea what are the difference… – Tommi Prami – Google+
–jeroen
Posted in Delphi, Development, FastMM, Software Development | 6 Comments »
Posted by jpluimers on 2018/05/01
[WayBack] Node.js ES2015/ES6 support
via: [WayBack] Good thing, compare language/runtime versions support for many items http://node.green/ – David Berneda – Google+
–jeroen
Posted in Development, JavaScript/ECMAScript, Scripting, Software Development | Leave a Comment »
Posted by jpluimers on 2018/05/01
Via [WayBack] Limits on Everything – The Isoblog.:
A posting at Brave New Geek about limits on everything, for example limits on message sizes and numbers of in-flight messages in message queues. Interesting read.
Very interesting read indeed: [WayBack] Take It to the Limit: Considerations for Building Reliable Systems – Brave New Geek
You have to set limits, which begs for a few questions:
Food for thought…
The first can be done with benchmarking, see for instance these from the same blogs above:
Enforcing limits depends in your infrastructure and your communication stacks.
–jeroen
Posted in Cloud, Development, Infrastructure, Opinions, Software Development | Leave a Comment »
The Wiert Corner - irregular stream of stuff 