To those of you who are still here: A big welcome back! After 2.5 years, I finally got my blog back!

A WordPress security hole seemed to have deleted all my posts and I was just too depressed about that to even bother and decided to do nothing about it.

The other day I played around with the WayBackMachine and surprisingly found everything that I had thought had been gone to data Nirvana! I then added a subscription to this blog on Google Reader and it could even load the whole feed! Magic! I just checked in here ten minutes ago and after a database update, all my data was back!

I will write now more often. However, the posts will be a bit less crafted (takes ages) and much less politically correct and thus hopefully more fun!

Thanks!

Just coming from having to push a Java Application out to the clients machine via Java Web Start. Everything went pretty well, after signing all the Jar’s. This, so they could sneak outside the “security sandbox” that Java Web Start plugs around downloaded applications.

The (maybe) unusual thing in our setup was, that the jnlp file had to be rendered on the fly. So there was never going to be a “on-disk” version of the file during the whole request, response cycle.

So, following the old “monkey see/monkey do” rule, my generated file looked a bit like this one:

[...]
jnlp spec="1.0+"
codebase="http://192.168.0.1/"
xhref="myapp.jnlp" mce_href="myapp.jnlp" // ignore the mce...
[...]

When trying to run this generated “file” through a link in the browser, silly web start tried to locate the file “http://192.168.0.1/myapp.jnlp”… HELLO? YOU ARE THIS FILE! STOP COMPLAINING YOU CANNOT FIND YOURSELF!

A quick look in the Java Web Start Tutorial hinted me to try to omit the href argument in the jnlp tag. Apparently, it is not needed. It then worked the way as I expected it to. But really, what is it good for anyway?

In the “spec” mentioned above, it says about the href attribute:

“The href specifies the URL of the JNLP file itself.”

Oh, that’s cute :-)

Thank you.

Once again I went into the Skype Trap. Today, I decided to try out Elgg. Elgg is an open source version of a social network platform. The nice thing is, you can download it and host it on your own servers. This is particularly useful if you don’t want anybody else to mess with your network data. Some of my friends live in Russia and they told me, the KGB surveillance mentality of the state was still ongoing. Talking freely in a social network is crucial. However, in some countries, this would already mean committing a crime. And by all means, I just like open source software better.

But back to what I was saying about Skype. I downloaded the latest Apache Webserver and installed it on my machine. At the end of the installation process, it told me it could not bind to port 80. Have seen this before, I thought. Yeah, right, last time it took me hours to finally accept, that the Apache installation was probably intact and that there would have to be some other problem. I then did a portscan and what did I find sitting on my port 80? – Skype! That cheeky little bastard !

I had to uncheck the setting “Use port 80 and 443 as alternatives for incoming connections” in the Connection Tab. Great Philosophy: “Let’s just hijack the http and the https port, then in most of the cases, our software should work”.

Anyway, now I can go back to Elgg and try to make PHP and Apache talk together. This used to be a problem a few years ago. I think this was the reason for the XAMPP Project.

Let me quote them: “Many people know from their own experience that it’s not easy to install an Apache web server and it gets harder if you want to add MySQL, PHP and Perl. XAMPP is an easy to install Apache distribution containing MySQL, PHP and Perl. XAMPP is really very easy to install and to use – just download, extract and start.”

Anyway, I will give it a go “by hand” now. Wish me luck :-)

Thank you.

I finally fixed the intransparent picture in the header of this blog. The picture of the “yellow marker”:

This is a PNG. Only in Internet Explorer it looked like this. I changed it with Photoshop to a GIF:

Now the header looks the same, and good, everywhere.

I did not notice earlier, because I NEVER use IE, unless Microsoft forces me to, through some windows update process, that only IE can handle.

I suggest everybody to add JavaScript to all their pages with this functionality:

If IE is detected, the user is forwarded to some other page, telling it to download Opera, Firefox, Safari or whatever other Browser that conforms with the standards. Thus not allowing any browsing with Internet Explorer at all.

The next step is to add this functionality a step further up, into the webserver software. Then into the routers.

Think about it, otherwise we never get out of the browser hell :-)

Thank you.

It has been a long time since my last post. I was very busy. Sorry for that.

Here comes another technical article on a book: “Contributing to Eclipse: Principles, Patterns, and Plug-Ins”, published by Addison-Wesley. It is written by Erich Gamma (co-author of the “OO-Bible” Design Patterns, technical director of the IBM Research lab Zurich and developer of the Eclipse Platform) and Kent Beck (creator of Extreme Programming).

The book is obviously on how to extend the Eclipse platform with your own “contributions”, aka Plug-Ins. The book is very interesting as it comes from two authors who “come from the inside” of Eclipse. Thus they reveal all kinds of background information that a normal author could easily have missed.

However the book was written in 2003 and builds on a previous Eclipse release, prior version 3.0. When reading through the examples in the book, I eventually got to chapter 7, where Erich and Kent are developing the JUnit Plug-In. I think the one nowadays shipped with the standard Eclipse distribution.

There, page 62, they say: “For now, we can’t imagine how your understanding of Eclipse would be helped by seeing the details of starting a new virtual machine and communicating with it via sockets. See Appendix A for the details.”

Here they talk about how to properly run your test cases. That is “outside” the Eclipse JVM instance. To easily get above that bump, I downloaded their source code from here. In this archive, there are two classes that are senseless for the reader to implement himself, that is TestRunner and SocketTestRunner. So I imported them into my own Eclipse Project (Note: Circle_1!).

First I changed the obvious stuff, like in TestRunner, line 77 and 130:

JUnitPlugin plugin = JUnitPlugin.getPlugin();

to match my slightly different class names:

MyJUnitPlugin plugin = MyJUnitPlugin.getPlugin();

However, when I started my Plug-In Project (“run as Eclipse Application”) and selected an object type in a dummy project (“ADemoProject”) and then tried to start my own JUnit implementation (“Run MyTest”), nothing happened.

The Eclipse View “Error Log” gave the hint that there was a NullPointerException in TestRunner, line 78:

java.lang.NullPointerException
at org.eclipse.core.runtime.Plugin.getDescriptor(Plugin.java:268)
at org.theyellowmarker.gamma.TestRunner.computeClasspath(TestRunner.java:78)

But then looking at my Eclipse source of TestRunner, the deprecation warnings gave me the hint to do a bit of research, have a look at the screenshot below:

Obviously, plugin.getDescriptor() was the reason for the NullPointerException. Used to the standard Java JDK philosophy, where deprecated methods usually still do their job somehow, it took my a bit of Eclipse API reading to figure out how to recode the whole section. Again, see the screenshot below:

To get the plug-in path for our plug-in, we have to get “the Bundle” from the static method of org.eclipse.core.runtime.Platform:

// has to be unique id of activation plugin.
Bundle bundle = Platform.getBundle("org.theyellowmarker.MyJUnit");


Note that the string "org.theyellowmarker.MyJUnit" is the unique id of my plug-in in the MANIFEST.MF file. You have to change it according to your setup. The url of the project is then found by the subsequent lines:

URL url = FileLocator.find(bundle, new Path("/"), null);
classPath[0] = FileLocator.toFileURL(new URL(url, "bin")).getFile();
classPath[1] = FileLocator.toFileURL(new URL(url, "junit.jar")).getFile();


Note: I am not sure about the last line here. Could be useless.

Next, also replace the deprecated SocketUtil.findUnusedLocalPort on line 61 with:

port = SocketUtil.findFreePort();

Last, the SocketTestRunner class is given to the external JVM by name, so you have to change the first line of the class, where MAIN_CLASS is defined, to match your own package structure:

static final String MAIN_CLASS = "org.eclipse.contribution.junit.SocketTestRunner";

to:

static final String MAIN_CLASS = "org.theyellowmarker.gamma.SocketTestRunner";

Now everything works again, as expected. You can download my plug-project here: myjunit.zip

and the dummy project containing the test cases here: ademoproject.zip

Make sure, when running the plug-in “in action” (that is in the second Eclipse workbench) to right click on the ASillyClassTest symbol with the green class dot on its left, otherwise, you don’t get the “Run My Test” menu entry in the context menu:

On test will fail, one will succeed. The console output on the first Eclipse workbench should be something like this:

2 test[s] started...
Test org.theyellowmarker.test.ASillyClassTest->testDemoTrue() started.
Test org.theyellowmarker.test.ASillyClassTest->testDemoFalse() started.
Test org.theyellowmarker.test.ASillyClassTest->testDemoFalse() failed.
junit.framework.AssertionFailedError: null
at junit.framework.Assert.fail(Assert.java:47)
at junit.framework.Assert.assertTrue(Assert.java:20)
at junit.framework.Assert.assertFalse(Assert.java:34)
at junit.framework.Assert.assertFalse(Assert.java:41)
at org.theyellowmarker.test.ASillyClassTest.testDemoFalse(ASillyClassTest.java:27)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at junit.framework.TestCase.runTest(TestCase.java:168)
at junit.framework.TestCase.runBare(TestCase.java:134)
at junit.framework.TestResult$1.protect(TestResult.java:110)
at junit.framework.TestResult.runProtected(TestResult.java:128)
at junit.framework.TestResult.run(TestResult.java:113)
at junit.framework.TestCase.run(TestCase.java:124)
at junit.framework.TestSuite.runTest(TestSuite.java:232)
at junit.framework.TestSuite.run(TestSuite.java:227)
at junit.framework.TestSuite.runTest(TestSuite.java:232)
at junit.framework.TestSuite.run(TestSuite.java:227)
at org.theyellowmarker.gamma.SocketTestRunner.runTests(SocketTestRunner.java:39)
at org.theyellowmarker.gamma.SocketTestRunner.main(SocketTestRunner.java:26)

All tests finished

As I move forward in the Book, I will publish eventual updates on this topic.

Thank you.

P.S: Here is the full set of files after “Circle 1″: first-circle.zip

In Switzerland, “Musicstar“, the national version of “American Idol“, “Deutschland sucht den Superstar” or whatever the singing contest casting show is called in your country, is currently on TV. All the candidates seem to have one thing in common: They all claim, that they “live for the music”, that music means everything to them and a life without it, meaning as a musician, would be impossible for them to imagine.

Surprisingly, once the show is over, most of them are never heard of again. Some reappear in casting shows for some “TV-Game-Show-Host” or maybe even in “Big Brother”.

[Have a look here for quite an extreme sample of this species, called Julien. And don't miss the gallery and the bio (note: it does not mention, that he tried to become the next "Joya rennt", - or was it the next Nadja Zimmermann?). He is well above twenty! Not like you might have thought: a big-ego teenager without any 'know-thyself'. No no...! - Oh I am sooo looking forward to his video: it is "coming soon" :-)].

But back to the topic. The reason for people to show up in the public eye on shows like Musicstar is, that the costs, that is the effort to sign up on a casting show is relatively small compared to the costs of going through the struggle of choosing “musician” as ones “one and only” profession right from the beginning and far from a more “usual”, more secure career path, one that is well embedded in society but less glamuros.
People who claim they couldn’t live without actively making music, logically have to take it the hard way, be it with or without any casting opportunities. They are forced to. What other choice would they have?

Sandra Wild is currently the big favorite in the Musicstar show. In her private life, she works for the state, she gets couples to sign their certificate of marriage. Although she is not an unexperienced singer, she has had some success with singing as a teenager, I still think she has too little ambition, guts and self-confidence to break out of the secure environment she is used to. This even in spite of the fact that she will surely win the show and become the next Musicstar-winner.

Here are two TV broadcasts I watched this week, where Sandra Wild was in (I tried to translate excerpts of some of her statements as good as I could):

From “TalkTäglich” hosted by Markus Gilli on TeleZüri (view):

Markus Gilli: “[...] if it won’t work out with you and the music-business, then you will have to do a private marriage company: ‘Marrying with Wild’ [...] Let’s talk a bit about your future [...] you are currently on a break from your marriage certifier job in Arbonne. Are you considering to pick your job back up again [...] or is this option currently a bit endangered?”

Sandra Wild: “To be honest, I cannot yet really tell, because it depends a bit on how far I will make it in the show. Actually I plan to pick up my old job again later on. But if I had to suspend that a bit because of too many other appointments, then I don’t know, I have to check with my employer first. If it would be possible to take some time off and then restart my job again later on [...]“

From “Club” hosted by Matthias Aebischer on SF1 (view):

Matthias Aebischer: “What do you want to do after the show? I didn’t ask yet. You said you already knew about some opportunities?”

Sandra Wild: “Well I just plan, of course I will have to see what offers will come in then…”

Matthias Aebischer: “You hope there will be offers?”

Sandra Wild: “I already know they will come. [...] Well I wish, that once, that I can maybe, probably get a record contract. That I can record an album, where I can bring in my own wishes, I will try. If I somehow manage, I would like to do a lot of concerts with a real band. I would like to make real music and what I am also really exited about right now is: this morning I got and offer to give some singing lessons sometime. That I would like to develop a bit further in fact. I would also like to learn more and definitely teach singing and see that I can do ‘Music’ as a job, a bit. And live of it. [Because of the offers I know about...] I know what could happen and I am really glad I do. That I am not thrown into the cold water, that I don’t know about. This way I am not at the mercy of fate and can assess a bit what’s comming and prepare for it.

Carmen Fenk (a former winner of the show): “But you can also bet on the wrong horse. Have disappointed hopes.”

Sandra Wild: “Indeed, indeed. But I don’t do/have that. I just wait and see…”

I think she sings really well and I find her truly congenial. I don’t want to talk bad about her, I don’t mean to be personal (unlike I did intend to with Julien further up).

I think the impression one can get from her is exemplarily for the majority of a lot of people who go to castings. But the teenage dream of being famous, together with the ease of a casting sign-up is not the full story.

Without audacity to take some risks and a lot of diligence, everyone will eventually be caught by our all most common fear: The fear that makes most of us going to work everyday and live a boring, unspectacular, normal life without any risk or ambition.

When Roger Federer decided he wanted to be a professional tennis player at the age of sixteen, he told his dad, he would not go to school anymore…

I wish Sandra Wild all the best of luck and hope she proves me wrong :-)

Thank you.

Update (8/14/2007): Sandra is giving it another try, see here.

I just did a skype video chat with my girlfriend Juky. She is on an airplane from Shanghai to Copenhagen RIGHT NOW. Picture and sound quality are just perfect!!!

Ever uploaded an MP3 to an aeroplane?

She travels with SAS. Definitly the coolest airline on earth!

Thank you.

A few years ago, when I started to work at a new company, I asked for a certain password I needed to access some systems I had to work with. One of my new colleagues told me it was "enirstuda4711" and that it apparently was the best password ever! The reason why it was so incredibly good was that the containing letters were statistically distributed in some kind of perfect way.

“So we have a very hard to crack password here”, I said, “why not put in online and suggest for everyone to use it?” :-)

Yesterday I decided to setup a user on my windows machine and see if I could crack this password. I called the user Jabberwocky. From my laptop, my second computer in the local network, I first looked up the standard gatway to find out which subnet I was using:

ipconfig

My subnet mask is 192.168.1.*, as can be seen on the picture. The next step is to find out what machines live on the internal network. I ran the NMap port scanner with the ping scan option to search all IP’s between 192.168.1.1 and 192.168.1.255:

nmap -sP 192.168.1.1-255

So there are three machines on my network: one on port 1, this is my router and one on port 101, the laptop I was working from and a third on port 102, this is the machine I needed to grab the password file from.

On linux machines there is the passwd file in the /etc directory. It contains the information about all the users that have an account on the machine. Usually it also contains the hashed passwords. These password hashes are computed out of the plain text passwords by a one way function. Each time a user logs in, the provided password is put through the hash function and the result is then compared to the stored hash. If they match, the original passwords must match as well.

The hashed password could look like this:

02196B74B249B1C7B3CA94183F9EEE53

On linux systems, the password hashes are sometimes not stored in the passwd file itself, but in a file called shadow. This file has limited reading permissions, 640 instead of 644 which is the permission on the passwd file.

On Windows NT, 2000 and XP systems, these hashes are stored in the Registry and/or the SAM file. The SAM file is located under C:\WINDOWS\system32\config. If rdisk has ever been run, an old version will also be located under C:\WINDOWS\repair. The problem is, that you cannot access the SAM file on a running system. Some process has it under strict control and it would not let you access it.

So how can you access the hashes from Windows? There is no neat way.

• Boot the system with Knoppix and just copy paste the SAM file away. This however requires you to have physical access to the machine. Quite often not an option.
• Run PwDump. This handy little programm does a DLL injection and copies the hashes to a file. The first problem is, it will not suceed if a program like ProcessGuard is installed on the system. Second, and more of a problem, you have to have administrators access to the machine you want to get the SAM file of.
• Sniff the hashes from the network as they fly by. Probably the best choice.

Because all these methods are a bit akward, the normal hacker would probably try to find out more about the system. For example by running another NMap command, like this one:

nmap -sS -sV 192.168.1.102

This command does a port scan on the specified machine. We can see that some ports are open along with what programs are running on those ports and a “best guess” version information. From this information, the attacker can try to find vulnerabilities of a certain program that is connected to a port and eventually get root access to the system and retrieve the password hashes. This however is the “art” that makes a good hacker and I am not one of them.

Therefore I used PwDump to log in to the machine and get the SAM file out:

PwDump.exe 192.168.1.102 encryptedpasswords.txt raoul

This did the trick and, after removing accounts of no interest, the retrieved SAM file looked like this:

Jabberwocky:1011:02196B74B249B1C7B3CA94183F9EEE53:
1BE5C84F89A07C0F6BF47E37127ABDDC:::

No I am finally ready to decrypt the “best password ever” with John the Ripper or L0phtcrack (L0phtcrack has been bought from @stake by Symantec and it looks as if the product is not anymore available on the usual channels. Another way to do “security by obscurity“).

John the Ripper is a dictionary tool, trying out different words and their combination whereas L0phtcrack does a brute force attack, basically trying out every possiblity.

Both cracking tools eventually cracked the password enirstuda4711. However it took a few hours. Here are the results:

John:

L0phtcrack:

(Note: Both programs were actually run from the local machine, not the laptop, for performance reasons)

The only way to prevent L0phtcrack to eventually, in the far future, crack your super-duper password, is by using non-printable characters (as part of your password). They can be entered by using such non-printable ASCII characters on the numeric keypad. NUMLOCK has to be on and then you hit ALT-a-b-c. Where a, b and c each stand for a digit from the ASCII table, as in ALT-2-5-5.

So this is it. And by the way, the “best password ever”, enirstuda4711, is not in use anymore :-)

Thank you.

I just came home from shopping. While queueing forever, I had plenty of time studying the goodies that are usually placed just in front of the cashpoint. There is stuff that is meant for little kids so they annoy their parents with: “If I don’t get this, I cry like hell until you are so embarassed of everybody giving you weird looks, that you WILL buy it!”. But then there are other things there: cigarettes and alcoholic beverages, the strong stuff. The things that usually are excluded from general rebates.

However today I found ALL the shaving blades of Gillette right there as well! Prominently placed in very big packages, so it is harder to steal them. Why should you steal them? They are REALLY expensive! A set of the cheapest was CHF 23 (USD 19). Gillettes latest toy for “the best in man”, the Gillette Fusion Power blades were available for CHF 46 (USD 38).

That is a lot of money! To get these razor blades out into the stores all over the country, the retailers have to hire security companies that usually pick up the money in their bullet proof vans. That’s HOW valuebal those little things are! The saffron of the 21st century. Had I gotten all my salaries in razor blades instead of ordinary cash, I’d be a wealthy man by now…

“It looks like the big razor companies agreed to from some kind of a cartel to keep prices high. Someone should make a business out of selling cheap blades that go along with the gillette and wilkinson handles…”, I thought to myself. This was when I noticed the Matrix3 to the left of myself. Many meters in front of the cashpoint and in an ordinary, less guarded shelf.

“Wow! How is the cheeky company that dears to threaten the cartel?”. On the package I could only find the branding of the retailer I was at, Coop. From a very quick googling/asking I also did not find out a lot more. But it looks like it is some american company and that the Matrix3 can be bought in 1$ shops in the U.S. Here it is sold for CHF 7 (USD 5.7) for the handle and two blades and the extra blades cost CHF 6 (USD 4.9).

The Matrix3 (His Way) has three blades and looks like a normal razor. The only uncool thing about it so far is, that it misses the sexy way of unloading the old blade: The Gillette has a button that ejects the blade right into the bin. On the Matrix3 you have to kind of “break” it off. But unlike in the adverts, there is seldomly a sexy woman around who watches me shaving, let alone watching me swap blades. So that should not be the problem.

The essential question is: “Is this a razor that delivers a nice shave? Or do I cut myself all the time?”. Those are the key questions.

On the “old index” of wesblog (search for “matrix”), I found a “user-review” with the promising title:

“So You’ve Purchased a Matrix 3! (Alternate Title: So you’ve decided to kill yourself slowly and painfully!)”

Excerpt: “Got bored and glued some rusty blades to a stick today. All at weird angles and stuff. Dared my assistant to shave with it. We will be having the memorial service tomorrow.”

Apparently, it was invented by the spanish inquisition! Oh my God! What have I just bought! – Yes, I bought it and I AM REALLY AFRAID TO USE IT NOW! Damn! My only hope is that the editors of the wesblog are paid by the razor blade cartel…

So I found the blog of Tom Doobie. He gave me hope, a lot of hope, here’s an excerpt:

“The first shave seemed decent. Not blow me away decent, but good. Of course, I had a two-day growth on my face, so that may have factored in. But after that it was smooth sailing. The shaves were as good as the Sensor, if not better. But that’s not the best part. My stubble can render a new Gillette Sensor blade inoperable after two shaves…sometimes three. Ever since I’ve been using the Matrix3, I’ve been able to squeeze out up to a *week* of shaves before changing the blade. A WEEK. So not only is the Matrix3 cheaper than the Sensor, the blades last about three times as long. And guess what? I ran out of Matrix3 blades the other week and had to resort back to my Sensor. It tore my face up, even with a brand new blade.”

I just hope Tom is a honest man. I will find out myself tomorrow and let you know…

Thank you.

After some sucessful searching the web with the Ask Search Engine I thought about trying the “Ask Desktop Search” Software. I needed to index my pdfs, so I could do a full text search on them.

Apparently, this little program does not send my data out onto the web, like googles desktop search does. A big plus. Also, you can configure which directories should be indexed. So far, so good.

The whole experiment was a big mess:

The first annoying thing was, that when I downloaded it through Firefox and started it directly out of the firefox download manager, the installation programm complained I had to close all running instances of firefox.

The installation programm obviously wants to mess with my Firefox browser. Something I did not want. I want to index my local filesystem. That’s all.

When I actually gave in and closed my firefox instances, it still would not proceed with the installation. Well, of course not, firefox could not be properly closed, because the setup process itself was spawned by firefox. So I restarted the installer. This time directly from the download directory.

Again no sucess, same problem. When looking at the processes running, there was still an instance of firefox.exe alive. The windows were gone however. Obviously firefox was not terminated even after its child process, the installer was dead. The only way is to manually kill the firefox.exe process from the task manager. A killer feature! (The same happens, when you try to uninstall :-))

So i had finally installed my little program.

I did not want to index my whole disk, just the pdfs. The program did not care much and started indexing happily. Everything! After doing some changes on the settings to restrict this behaviour, the indexing paused. There was neither a way to wipe the already started index nor to unpause indexing. By restarting my machine, indexing seemed to work.

Two days later, when I sat at my machine, all programs were crying and bleeding: No more disk space on drive C! I ran TreeSize to find out who caused the trouble. Guess what happend? Ask Desktop Search build up its index in C:\Documents and Settings\remote\Application Data\AskDS. Over 2 Gigabytes of space were already used up by it and there were 0 bytes left on the disk.

Great! The developers assumed I wanted their program to index onto drive C. Furthermore they assumed, there is indefinite space to use up. Beginners usually don’t consider these real world constraints.

Before sending the whole thing to nirvana, I did some test searches. It found file names propertly. Full text, in-document search did not work!

This product has been realased a bit too prematurely. My advice: do not use it.

I will right now download the google desktop search program and try to block its “phone back home” behaviour with the firewall…

Google desktop: I could not even finish the install without internet access

It stayed hanging like on the picture… I need the “spotlight” application that the mac users have… where is it?

Thank you.