
Welcome folks! This is the digital counterpart of Florian Rienhardt. This web page was not crafted for any special purpose, just look at it as some kind of central anchor beyond ephemeral addresses, social web services or celly-numbers. And what is this site all about? Well, it is about me, myself and I, and about computer stuff.
2012/04/30 by Flo
A lot of modern web 2.0 websites feature fancy-looking gray-out effects if a user e.g. opens an in-site image gallery or a message box pop-up. To do so, just use CSS and the opacity style attribute on a globally defined <div> in combination with some JavaScript that adjusts the size (width/height) of such a <div> box, plus some way to close the grayed-out <div> box.
Check out the following example and its source for more details: gray out site
Include this definition as the topmost line of your HTML file (this is needed to switch the browser into the right mode):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
Insert the following JavaScript code that is responsible for showing and closing the gray-out box:
<script type="text/javascript">
function get_doc_height()
{
    // Height of the whole document (not only the visible viewport), so the
    // overlay also covers content that is scrolled out of view.
    var body = document.body;
    var html = document.documentElement;
    var height = Math.max(body.scrollHeight, body.offsetHeight,
                          html.clientHeight, html.scrollHeight, html.offsetHeight);
    return height;
}
function gray_out(div_id)
{
    document.getElementById(div_id).style.height = get_doc_height() + 'px';
    document.getElementById(div_id).style.width = '100%';
    document.getElementById(div_id).style.visibility = 'visible';
}
function close_gray_out(div_id)
{
    document.getElementById(div_id).style.visibility = 'hidden';
}
</script>
Last but not least, insert the following <div> right after the <body> tag:
<div id="div_gray_out" style="background-color: #000000; opacity: 0.4; position: absolute; width: 0px; height: 0px; top: 0; left: 0; visibility: hidden;" onclick="close_gray_out('div_gray_out');"></div>
It is important to include it directly after <body> to ensure that the grayed-out <div> is layered on top of all other DOM elements.
2012/04/05 by Flo
While checking my web server's access logs I found yet another funny way of spamming. It is well known that there are web crawlers out there peeking around just to leave a short spam message via the user-agent string. See the following examples:
[03/Apr/2012:21:50:01 +0200] "GET / HTTP/1.1" 200 567 "-" "hot girls are waiting for you at [censored]"
[01/Apr/2012:22:05:23 +0200] "GET / HTTP/1.1" 200 567 "-" "poker and win money www.[censored]"
Such spam is nothing new, but the following seems to be a bit more tricky:
[04/Apr/2012:10:17:14 +0200] "GET / HTTP/1.1" 200 52742 "http://[censored].ru/" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
The user agent's signature tells me that this log entry was possibly generated by the Google bot while crawling the web and accessing my web site through a referrer from "http://[censored].ru/". Well, this is funny, because if I did statistics on how my web site was accessed, I would probably check "http://[censored].ru/" to see who refers to my site. BANG! The spammer got a hit :-)
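A small checker for both kinds of spam, as an added example (not part of the original post): it parses log lines in the combined format quoted above and flags a user agent carrying marketing text as well as the trickier case, a well-known crawler signature paired with a Referer. The assumption behind the second rule is that genuine Googlebot requests carry no Referer (Google recommends verifying its crawler by reverse DNS of the client IP, not by the user-agent string); the sample lines are constructed after the excerpts, with example.* hosts standing in for the censored ones.

```python
import re
from collections import namedtuple

# Combined log format as excerpted in the post, i.e. without the leading
# client IP and identity fields.
LOG_RE = re.compile(
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)"'
)

Hit = namedtuple("Hit", "time request status referrer user_agent")

# Marketing text that has no business in a User-Agent header. Kept short and
# explicit on purpose; anything fancier belongs in a real WAF/IDS rule set.
UA_SPAM_WORDS = ("win money", "poker", "girls", "casino")

# Crawlers whose operators document that the crawler sends no Referer header.
# (Assumption used by this check; verify real crawlers via reverse DNS.)
REFERERLESS_BOTS = ("googlebot", "bingbot")


def parse_line(line):
    """Return a Hit for one log line, or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Hit(m["time"], m["request"], int(m["status"]), m["referrer"], m["user_agent"])


def classify(hit):
    """Label one hit as 'ua-spam', 'referrer-spam' or 'ok'."""
    ua = hit.user_agent.lower()
    if any(word in ua for word in UA_SPAM_WORDS):
        return "ua-spam"
    # The post's "tricky" case: the referrer is only there to be noticed in
    # the site owner's referrer statistics, so a crawler signature plus a
    # Referer is the tell.
    if any(bot in ua for bot in REFERERLESS_BOTS) and hit.referrer not in ("-", ""):
        return "referrer-spam"
    return "ok"


def suspicious_referrers(lines):
    """Referrer URLs that should not be followed blindly when doing statistics."""
    found = set()
    for line in lines:
        hit = parse_line(line)
        if hit and classify(hit) == "referrer-spam":
            found.add(hit.referrer)
    return found


# Constructed sample lines modelled on the excerpts in the post.
SAMPLE_LOG = [
    '[03/Apr/2012:21:50:01 +0200] "GET / HTTP/1.1" 200 567 "-" "hot girls are waiting for you at http://spam.example/"',
    '[01/Apr/2012:22:05:23 +0200] "GET / HTTP/1.1" 200 567 "-" "poker and win money www.spam.example"',
    '[04/Apr/2012:10:17:14 +0200] "GET / HTTP/1.1" 200 52742 "http://spammer.example/" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '[04/Apr/2012:10:18:00 +0200] "GET /robots.txt HTTP/1.1" 200 45 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '[04/Apr/2012:11:00:00 +0200] "GET /index.html HTTP/1.1" 200 5120 "http://friend.example/links" "Mozilla/5.0 (X11; Linux x86_64) Firefox/11.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hit = parse_line(line)
        print(classify(hit).ljust(14), hit.referrer.ljust(26), hit.user_agent[:40])
```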
2012/04/04 by Flo
Something to smirk about :-)
#!/bin/ssh unzip ; strip ; touch ; grep ; finger ; mount ; fsck ; more ; yes ; umount ; sleep
2012/03/18 by Flo
Securing applications should always be a goal of reliable and good software development. As Google states in its design documents for the Chromium Sandbox (see http://www.chromium.org/developers/design-documents/sandbox): "The key to security is understanding: we can only truly secure a system if we fully understand its behaviors with respect to the combination of all possible inputs in all possible states." I fully agree with that and will put it a bit more strictly: To fully secure a piece of software you must know all possible inputs in all possible states and have to mitigate against inputs your software does not need to fulfill its actual purpose. And as Adobe says in http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-part-1-design.html: "The challenge is to enable sandboxing while keeping user workflows functional without turning off features users depend on. The ultimate goal is to proactively provide a high level of protection which supplements the mitigation of finding and fixing individual bugs."
Most attacks we are bothered with are such that a user opens malformed input data (this includes a "hidden" open request by a drive-by download) that makes the corresponding application switch into a not well-defined state, ending up in an ordinary application crash or, even worse, in executing malicious code that infects the user's computer system. We all know that software will never be 100% bug free, thus we (as developers) cannot guarantee that some piece of large software will never ever get into a stickyicky state where it executes bootlegged malicious code.
Sandboxing leverages basic OS-provided security mitigations and makes it possible to execute some piece of code in some kind of special container that cannot make persistent changes to the user's system or access other resources of the system that are truly out of the scope of the software (e.g. reading confidential files, using the network, etc.). Sandbox architectures heavily depend on the exact assurances of the underlying operating system and the development environment used.
This whitepaper summarizes well-known stuff about practical Win32 sandboxing. What is outlined here is no secret, nor is it something totally new. I heavily reference articles by Microsoft, Google and Adobe. This document just summarizes the stuff I found and might give you a quick starting point for your own projects.
To give you a quick introduction: You have to split your application into at least two processes:
1) One process is privileged and does NOT process untrusted data,
2) the second one runs in some kind of sandboxed environment and is responsible for processing untrusted data.
So the first thing you have to do is to specify what threats could harm your application. Simply spoken, using some examples:
1) What data will be processed? (encoding, format, syntax...)
⇒ worstcase: possible threats?
2) How is such data processed? (input-source, output-source, length check, integrity...)
⇒ worstcase: possible threats?
3) How trustworthy is such data?
⇒ worstcase: possible threats?
4) Maximum needed access rights to process the data?
⇒ worstcase: possible threats that could use the access rights? Impact?
By splitting into a trusted and an untrusted "zone" you start securing your application at an early stage of your software development. Both processes communicate through IPC or other techniques to exchange information between the privileged (trusted) process and the sandboxed (untrusted) process.
To give you a real-world example, think about a browser or a portable document reader: The privileged process will render and display preprocessed documents from some source (internet download). Such documents will be loaded and processed by the unprivileged process and, if everything was all right, will be passed to the privileged one.
If a read and processed document was malformed, all action takes place in the sandboxed process. If there was an exploit, its code will be executed in the sandboxed environment, where the impact of an attack will be mitigated and no harm will take place.
One might argue that such solutions tend to be over-engineered, and why not use a fully sandboxed environment like a virtual machine, or pre-processed software using some "safe" interpreter-based programming language in which the whole application could be executed?
Well, that's an argument and yes, virtualizing might secure insecure software, but it will not support the development process of building reliable and secure software. I mean, crappy software remains crappy, even if it is executed in a virtualized sandbox environment.
Recall: We assumed that all processed data in process 2 is untrusted and not trustworthy, so we have to expect attacks within this process. Well, by design we expect getting hit by malware, and this is different. By design of such a solution we expect the sandboxed process to be owned by malware trying to infect, disturb or damage the system. It is important to realize what could happen if malware owns a process, in order to find the best possible mitigations to defend against it.
In most cases exploits try to install some kind of malware infecting your system (backdoor, bot, spyware, virus, worm etc.). Such malware could be
1) resident = surviving a reboot and getting started once again when you boot up your machine or execute an infected application, for example.
2) transient = malware that is just in place during your session, until all processes/applications are killed or the system is rebooted.
Exploits often use a dropper that downloads the intended malware and executes it. So this gives us a first hint of what we want to protect our sandboxed process from:
a) Protect against the creation of new processes
b) Protect against newly initiated network traffic to servers we do not expect to connect to
In many cases malware also writes to the registry to set autostart options or to manually install a service. In some cases system executables will be overwritten or executables will be copied to your system drive. Some malware just searches for files that might be interesting (password cache files, user logs etc.). This gives us the second threat we want to get rid of:
c) Protect against altering and reading registry keys or filesystem locations not belonging to the workspace environment of our application.
Malware often tries to spy on the user. We can expect that a trojan might log the keyboard, take screenshots or even try to manipulate other running applications, e.g. to remote-control them, send messages to them, monitor their output etc. Thus we also want to
d) Protect against threats that take control over other applications running in parallel and their input and output (in short, other applications' workspace environment).
To achieve the goal of protecting a process, Google's sandbox for example uses
1) A restricted token
2) A Job object
3) An alternate desktop
4) Integrity Levels and
5) Hot-patching the Win32 API (e.g. network API, I/O)
Execute a process using a restricted token, assign it to a restricted Job object on an alternate desktop, use a low integrity level for such a process and hot-patch vital API functions (network, I/O, registry, ...) to build a sandboxed execution environment for the untrusted part of your application that is meant to process data.
Malware running in such an environment is not able to create another process, write to the file system, change registry settings, shatter-attack other applications or remote-control them just on the fly. An attacker must do a lot of work to bypass such a sandbox and attack your system.
References:
2012/03/07 by Flo
Well, we all know the problem: Having huge amounts of disk capacity, we begin collecting a lot of files over time until the drive is out of space. In a lot of cases we also tend to save copies of the same file across different directories. Having the problem of finding such doubles on my drive, I wrote a little tool that is able to find such copies and that might help to clean up your drive, too. Just run doubles.exe followed by the drive and path you would like to inspect, and this tool scans all directories and their sub directories and calculates a hash value for each file. By comparing the hash values against each other this tool might find copies of files that are distributed across different paths.
After scanning your drive you can check out the list of doubles, inspect the files and decide what to do. If it is really the same file, you might save disk capacity by deleting such copies.
The tool just uses the standard Win32 API to travel through your drive and its directories, then calculates the SHA-1 hash value for each file, which is compared against the list of hash values calculated for the files already traveled through. If this check ends up in a hit, the tool just prints out the corresponding filenames.
I highly recommend checking if the files are equal on bit level, because hash functions cannot guarantee that an equal hash of two files means that the two files are really equal. So keep that in mind before deleting a suspected double.
Download: http://www.bitnuts.de/doubles.exe
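The same idea in Python, as an added example and not the code of doubles.exe: files are bucketed by size, hashed with SHA-1 only when a size occurs more than once, and every hash match is then confirmed byte for byte, which is the check the last paragraph recommends before deleting anything. The sample tree is constructed in a temporary directory; symlinks are skipped so a link is never reported as a "copy" of its target.

```python
import filecmp
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

CHUNK = 1024 * 1024  # read files in 1 MiB pieces so a huge file does not fill RAM


def sha1_of_file(path):
    """SHA-1 hex digest of a file, read in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def find_doubles(root):
    """Return groups of paths (each a sorted list) whose content is identical.

    Files are bucketed by size first (a unique size cannot have a double, so
    nothing is hashed for it), then by SHA-1, and every hash match is finally
    confirmed byte for byte before it is reported.
    """
    by_size = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink is not a copy; never report (or delete) it
            by_size[os.path.getsize(path)].append(path)

    groups = []
    for paths in by_size.values():
        if len(paths) < 2:
            continue
        by_hash = defaultdict(list)
        for path in paths:
            by_hash[sha1_of_file(path)].append(path)
        for candidates in by_hash.values():
            # Equal hashes are only a candidate: partition the candidates into
            # sets that really are bit-identical.
            remaining = sorted(candidates)
            while remaining:
                ref = remaining.pop(0)
                same = [ref]
                for other in remaining[:]:
                    if filecmp.cmp(ref, other, shallow=False):
                        same.append(other)
                        remaining.remove(other)
                if len(same) > 1:
                    groups.append(same)
    return sorted(groups)


def demo():
    """Constructed input: a temporary tree holding two identical files, one file
    of the same size but different content, and one unique file. Returns the
    detected groups as paths relative to the tree root."""
    root = tempfile.mkdtemp(prefix="doubles_")
    try:
        os.makedirs(os.path.join(root, "sub", "deeper"))
        samples = {
            "report.pdf": b"%PDF-1.4 constructed sample content\n",
            "sub/report_copy.pdf": b"%PDF-1.4 constructed sample content\n",
            "sub/deeper/other.pdf": b"%PDF-1.4 constructed sample CONTENT\n",  # same size, other bytes
            "notes.txt": b"nothing else looks like this",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(data)
        return [[os.path.relpath(p, root).replace(os.sep, "/") for p in group]
                for group in find_doubles(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for group in demo():
        print("double:", " == ".join(group))
```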
2012/01/16 by Flo
Well, there are a lot of lists out there containing the most recently used passwords. While peeking around my HDD I found a list I generated/merged in the past. Just have a look at it and enjoy reading.
Download password list here: password_list.zip
2012/01/12 by Flo
Well, just some thoughts about secured virtualized desktop environments: Today, information systems in general lack efficient protection against both outsider and insider threats. Specially crafted targeted malware attacks and data leakages are the most visible examples of these threats. IT infrastructures are shared, distributed, and heavily heterogeneous. In the past few years many of them also extend into the cloud. Classic desktop environments just run all applications on the same desktop environment (operating system), meaning that all information is shared in such an environment. Bad news if you want to work on e.g. "top secret" documents while browsing the web, watching videos, listening to music, reading PDFs or rich text emails on the same machine. There is a big trade-off between security and usability. If you work on confidential information, no untrusted application like a web browser etc. should be running that could become the victim of a targeted attack and result in damage or information disclosure. On the other hand it seems a bit impractical to use a stripped-down desktop environment today, because it is common to read email, watch enriched web pages, download untrusted PDFs or other multimedia files on the fly while browsing the web, listening to a radio stream etc.
Using virtualized desktop environments is a powerful tool to provide centrally managed, securely isolated working environments fitting your needs in today's business world. Such solutions combine system-wide security policy management with an easy-to-use deployment, configuration and provisioning system for the entire infrastructure, including networks, clients and desktops. The core component of such a solution is some kind of specially protected (hardened) kernel/hypervisor that isolates and manages individual secured and virtualized desktop environments (VM containers) from each other on the same client machine and its hardware, including network capabilities. In most cases such a solution fully virtualizes the underlying hardware and builds up an encrypted virtual network over existing (untrusted) wires into a trusted gateway through which all network traffic is routed. This enables you to use a specially crafted virtual machine to work on e.g. top-secret content, totally isolated from another virtual (and isolated) machine running in parallel with a browser that is able to surf the web without loss of any comfort. Due to strict virtualization, malware infecting e.g. the VM containing the web browser will not harm the VM running your confidential business desktop environment. If your solution uses self-healing techniques over the network, it is also possible to repair a destroyed or infected VM on the fly while being connected to a broadband network. By encrypting the whole network traffic through a VPN it is also possible to use insecure WiFi networks without fear. If you strictly divide your virtual machines by your security requirements, it is possible to build up a VM for your business stuff, one for surfing the web, one containing an open VM where you can install and test any software, etc.
In the end your environment does not just get a bit more secure, it is also more convenient to work with. There are still some good ideas and products out there to manage such stuff, see the following links for more details:
qubes-os.org
TrustedDesktop at sirrix.de
SinaVW at secunet.de
Virtual Box
VM-Ware
XEN Hypervisor
2011/12/26 by Flo
While having some time off duty this winter I started analyzing Microsoft's "heavy duty" passThrough DDK example driver and tried to build a simple mini-filter driver that just checks for IRP_MJ_CREATE in its pre-operation callback. The driver determines the originating/corresponding filename for that IRP call by using FltGetFileNameInformation. The resulting string is printed via DbgPrint. You can use DebugView (download at http://technet.microsoft.com/en-us/sysinternals/bb896647) to trace what this demonstration driver is doing.
Download my demo driver here: http://www.bitnuts.de/IrpMjCrtMon.zip
2011/12/11 by Flo
Just poking around my backups I found a PNG compression bomb from back in the days. A compression bomb is a "malicious" packed file (e.g. ZIP, PNG, JPG or other media files) designed to crash or DoS a program or system while reading it. Such a bomb is crafted so that unpacking it requires an enormous amount of time, disk space or memory, making your system "busy" while opening/reading it. Compression bombs are usually very small in file size but expand to the maximum (e.g. up to GBs or TBs) while being handled. In short: Such a file needs more resources than the system can handle.
Just have a look at it and watch your memory getting eaten by this greedy image :-) USE AT YOUR OWN RISK!!!
Link: http://www.bitnuts.de/png_bomb.zip
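A viewer can refuse such a file before allocating anything, because a PNG announces its dimensions and pixel format in the IHDR chunk that must follow the signature. Added example (not from the post, and nothing to do with the linked file): it parses the signature and IHDR, verifies the chunk CRC, computes the size of the decoded image from the header alone and rejects anything over a budget; the 64 MiB budget is an assumed value and the test headers are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Samples per pixel for each PNG colour type (grey, RGB, palette, grey+alpha, RGBA).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}

# Assumed budget for the fully decoded bitmap; a real viewer would tie this to
# the memory it is willing to hand to a single image.
MAX_DECODED_BYTES = 64 * 1024 * 1024


def read_ihdr(data):
    """Parse the signature and the IHDR chunk every PNG must start with.
    Returns (width, height, bit_depth, color_type) or raises ValueError."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    if len(data) < 8 + 8 + 13 + 4:
        raise ValueError("truncated before the end of IHDR")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    # The CRC covers chunk type and chunk data, not the length field.
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, color, comp, filt, interlace = struct.unpack(">IIBBBBB", body)
    if width == 0 or height == 0:
        raise ValueError("zero image dimension")
    if color not in CHANNELS or comp != 0 or filt != 0 or interlace not in (0, 1):
        raise ValueError("unsupported IHDR fields")
    return width, height, depth, color


def decoded_size(width, height, depth, color):
    """Bytes the decompressed image data occupies: one filter byte per scanline
    plus the packed pixel bytes, computed without decompressing anything.
    (For Adam7-interlaced images this is a close lower bound.)"""
    bits_per_pixel = CHANNELS[color] * depth
    scanline = 1 + (width * bits_per_pixel + 7) // 8
    return scanline * height


def is_safe_to_decode(data, budget=MAX_DECODED_BYTES):
    """True if decoding stays within budget; False for a decompression bomb
    or a malformed header. Only header fields are consulted."""
    try:
        w, h, depth, color = read_ihdr(data)
    except ValueError:
        return False
    return decoded_size(w, h, depth, color) <= budget


def make_png_header(width, height, depth=8, color=6):
    """Constructed test input: signature plus a valid IHDR chunk, i.e. exactly
    the part of a PNG this check inspects. No image data follows."""
    body = struct.pack(">IIBBBBB", width, height, depth, color, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)


if __name__ == "__main__":
    print("1x1 RGBA safe:", is_safe_to_decode(make_png_header(1, 1)))
    print("100000x100000 RGBA safe:", is_safe_to_decode(make_png_header(100000, 100000)))
```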
2011/11/25 by Flo
In "Investigating the new PowerPoint issue" Bruce Dang and Jonathan Ness describe how to track down an exploit using windbg.exe and setting breakpoints on well-known Win32 API functions.
Bruce and Jonathan just name CreateFile, LoadLibrary, and WinExec, but there are more calls to well-known functions often used by exploits and malware, which I will list below.
Instead of using WinDbg it is also possible to use some kind of hot-patching sandbox approach that uses inline hot-patching of well-known Win32 API functions. Some exploits just quit if they detect a running debugger. In such cases patching the API seems to be a better solution to track the exploit's actions. Just hot-patch well-known API functions by using a hooking engine (e.g. Detours or Mini Hook Engine) and replace the original function with a logging dummy that logs the most important parameters of its hooked API function before calling the original one. For example, log the filename and path if LoadLibrary was called, log the filename if CreateFile was used, log the download link passed to URLDownloadToFile etc.
Such hooks can be attached to the target process by using DLL injection into the vulnerable application (e.g. word processor, document viewer, media player). After injecting such a sandbox, open the content you expect to contain an exploit and wait until some magic action takes place. Your logging sandbox should monitor the hooked API calls; this information can be used for a follow-up analysis.
In general the following Win32 APIs might be a good starting point to track malware and/or exploits:
2011/11/23 by Flo
Since malware works fast and quietly there is a demand to analyze such programs at some central point. There is nothing as central as the kernel of an operating system. This whitepaper describes how to monitor your Windows-based system by using a mini-filter driver intercepting IRP_MJ functions in its PreOperation callback. By following Microsoft's recommendations and guidelines for multi-platform (i.e. multiple Microsoft Windows versions) compatible driver development, the resulting drivers are so-called kernel mini-filter drivers that are reliable and compatible with all modern versions of Microsoft Windows (2000, XP, Server, 7, 8), including their 64-bit versions.
Download: http://www.bitnuts.de/KernelBasedMonitoring.pdf
2011/11/22 by Flo
This is just an example of how to integrate base64 coding and ARC4 encryption into a web site. ARC4 is known to be simple and speedy but has weaknesses that argue against its use in security 'products' nowadays.
Well, I tried to work around the well-known issues (for an overview see Wikipedia) by using random one-time keys for every encryption and by discarding the first 1024 bytes of ARC4's generated key stream. It is far from perfect, but it is good enough to keep out ordinary rubbernecks.
Have a look at it and try it yourself (feedback is welcome):
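The scheme the post describes in Python, as an added example rather than the post's own JavaScript: ARC4 with the first 1024 key-stream bytes discarded (RC4-drop[1024]), a fresh random key per message and base64 output. How the one-time key reaches the other side is not stated in the post, so it is left to the caller here; with drop set to 0 the function reproduces the published RC4 test vectors, which is what the test checks.

```python
import base64
import secrets

DROP = 1024  # key-stream bytes discarded before use, the value chosen in the post


def rc4_keystream(key, drop=0):
    """Generate the ARC4 key stream for `key`; the first `drop` bytes are skipped."""
    # Key-scheduling algorithm (KSA): permute S under control of the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA). Dropping the first output
    # bytes is the classic workaround for the biased start of the stream.
    i = j = 0
    produced = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) & 0xFF]
        if produced >= drop:
            yield k
        produced += 1


def rc4(key, data, drop=0):
    """XOR data with the key stream; ARC4 is symmetric, so this both encrypts
    and decrypts. Without drop this is plain RC4."""
    if not key:
        raise ValueError("empty key")
    ks = rc4_keystream(key, drop)
    return bytes(b ^ next(ks) for b in data)


def encrypt_b64(plaintext, key=None):
    """Encrypt with a random one-time key (unless one is supplied), discard the
    first DROP key-stream bytes and return (key, base64 ciphertext)."""
    if key is None:
        key = secrets.token_bytes(16)  # 128-bit one-time key, never reused
    return key, base64.b64encode(rc4(key, plaintext, DROP)).decode("ascii")


def decrypt_b64(key, ciphertext_b64):
    """Inverse of encrypt_b64 for a message produced with the same key."""
    return rc4(key, base64.b64decode(ciphertext_b64), DROP)


if __name__ == "__main__":
    key, ct = encrypt_b64(b"hello, world")
    print("key:", key.hex(), "ciphertext:", ct, "back:", decrypt_b64(key, ct))
```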
2011/11/12 by Flo
This is nothing new, but while analyzing some malware I found something stickyicky. The malware I found used NTFS Alternate Data Streams (ADS) to obfuscate its autostart entry in the registry. NTFS has allowed saving alternate data streams (ADS) since Windows NT 3.51. It seemed to me that the authors used the following technique to hide and obfuscate their malware:
type evil.dll > c:\windows\system32\kernel32.dll:CreateNlsSecurityDescriptor
In [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] I found:
rundll32.exe c:\windows\system32\kernel32.dll:CreateNlsSecurityDescriptor,WindowsSecureStartup
2011/11/11 by Flo
Well, this post is absolute geeky-nerdish nonsense, but it was and is great fun anyway. The following Python script lets you leave some ASCII art via the user-agent string. Site admins will love it ;-)
import urllib2
import time

def open_url(user_agent):
    # One request per line of the picture: the line travels in the User-Agent
    # header and ends up in the web server's access log.
    request = urllib2.Request("http://www.bitnuts.de", headers={'cache-control': 'no-cache'})
    request.add_header("User-Agent", user_agent)
    opener = urllib2.build_opener()
    f = opener.open(request)
    doc = f.read()
    print f.info()   # response headers; info() and close() are methods and need the parentheses
    f.close()

while True:
    open_url("_____________XXXXXXXXXXXXXXXXXX")
    open_url("_________XXXX__________________XXXX")
    open_url("_______XXX________________________XXX")
    open_url("_____XXX____________________________XXX")
    open_url("___XXX________________________________XXX")
    open_url("__XXX_________XXX________XXX___________XXX")
    open_url("_XX___________XXX________XXX____________XX")
    open_url("_XX___________XXX________XXX_____________XX")
    open_url("_XX___________XXX________XXX_____________XX")
    open_url("_XX_____XXX____________________XXX_______XX")
    open_url("_XX_____XX______________________XX_______XX")
    open_url("_XX______XXX__________________XXX________XX")
    open_url("__XX_____XXXX________________XXXX_______XX")
    open_url("___XX_______XXXX__________XXXX_________XX")
    open_url("____XX_________XXXXXXXXXXXX___________XX")
    open_url("_____XXX____________________________XXX")
    open_url("_______XXXX______________________XXXX")
    open_url("__________XXXX________________XXXX")
    open_url("____________XXXXXX________XXXXX")
    open_url("__________________XXXXXXXXX")
    open_url("")
    open_url(" Have an awesome day!")
    time.sleep(0.05)
2011/10/08 by Flo
This little tool (http://www.bitnuts.de/trustcheck.exe) is able to verify the embedded signature of a PE file by using the WinVerifyTrust function as described by Microsoft in http://msdn.microsoft.com/en-us/library/aa382384.aspx. You can also use signtool (distributed with the SDK), but in most cases it is not pre-installed on machines running Microsoft Windows.
2011-08-18 by Flo
We all know these shiny promotional brochures of security companies telling us that their products (desktop firewalls and/or malware scanners) will protect us against malware threats. These companies also tell us that their solutions use heuristics to detect and protect us from new and currently unknown threats as well.
Nice to know, but will these products really protect us?
Well, I just wanted to quickly put these words to the test and tried to scan a very old keylogger I wrote back in the days during my master thesis. This keylogger was designed really simply; it just uses the Win32 function GetAsyncKeyState (see http://msdn.microsoft.com/en-us/library/ms646293(v=vs.85).aspx) within a timer to log the keys the user presses. The program logs these keys for some time and tries to send them to a so-called dropper using HTTP POST over port 80. The basic design of this logger was kept simple, thus the program was not packed with an EXE/PE packer, and the logger does not use encryption, autostart options etc. to hide itself. It is just an ordinary Win32 executable that can even be spotted using Windows' Task Manager.
I assumed that such a stupid keylogger would be detected by many malware scanners at the first run. Even if it is a new and unknown "threat", I assumed that the malware scanners' heuristics would fire an alert, or that Windows 7's firewall would at least trigger an alert that an untrusted stranger is connecting to the internet.
Guess what happened?!
Nothing! I tried a scan with Microsoft Security Essentials; result: nothing found; no malware, no suspicious application. But hey, using GetAsyncKeyState is suspicious and a well-known technique to log user-entered keys. Sending data over the internet (HTTP, port 80) to a server by an untrusted (not digitally signed) application is suspicious too. So why isn't there any warning?
I did not capitulate and tried to scan this malware example application using the online scanners jotti and VirusTotal. Well, the result (see jotti.png and virustotal.png) was almost the same :-( Only the scanner of SOPHOS detected this example as suspicious. All the others said the executable seems to be clean.
Conclusion:
Well, if Windows 7's firewall and currently well-known malware scanners (as used at jotti and VirusTotal) are not able to detect such an ordinary example of typical malware, how should these tools detect heavily optimized malware that uses DLL injection, encryption, PE packers and (userland) rootkit technology to protect its malicious code and behavior? I am a little bit concerned about this. Why should I pay around 30 bucks to only protect myself against already (well) known malware, while new malware will not be detected?! It is a fact that most drive-by downloads are packed with customized malware packages that are most likely new and unknown.
I only install trustworthy (original) software on my machines. I don't download crapware straight from suspicious web sites. My provider scans all incoming email for currently known viruses. Well, I think this is enough to be sure not to get infected by already known malware, so why use a scanner?! Well, I am an advanced user and sometimes kid myself that I can handle the risk of not using an installed malware scanner all the time (maybe because I always have cloned images of my machines). If you are an ordinary user I still heavily recommend that you use a malware scanner, but still keep in mind that heuristics will not protect you all the time. New malware will most likely not be detected, so what's the real benefit of such tools? I cannot be sure to have a really clean computer at the end of the day. The average user is not able to check his/her system, analyze all running tasks in Task Manager or check automatically started services or auto-runs in depth. And if malware uses typical techniques to hide itself from detection by manipulating the filesystem or the list of running services and processes, even an advanced and educated user will not be able to be sure that his/her computer is not infected.
In the end we cannot assume that users deeply check their systems for suspicious processes or behaviors. At some point I expected that my firewall and malware scanner would do the basic job. It seems that this is not the case and, even worse, these protection tools can be fooled not only by heavily optimized malware but also by simply designed malware.
This is curious, folks!
2011-07-05 by Flo
Fortunately most Android-based Samsung smartphones come with an internal screenshot capturing feature similar to the iPhone's. You can take screenshots of the current screen without having to root your phone or install an additional app. Captured screenshots can be found in the Gallery in their own folder named "Screen Capture".
To capture the screen on the Android Galaxy mini (GT-S5570):
1. Be sure you are running Froyo on your Samsung Galaxy mini
2. When you are on the specific screen you want to take a screenshot of, just press the
3. Go to the Gallery app and look for a folder called "Screen Capture".
2011-06-30 by Flo
As you might know, I like tiny installations without the bloat of help files, shiny user interfaces, tray icons, all-day running background tasks etc. That's why I started the "quick and dirty" project: Integrate GPG into the Windows Explorer shell without an overburdened GUI etc.
Summarized: This is a quick and dirty shell extension to integrate GPG 2 into Windows 7 (Vista/XP as well). Just execute the installation script as administrator and you will be able to encrypt and decrypt files and folders with GPG on the fly using the context menu of any file or folder.
If you have questions feel free to send me an email, any feedback is appreciated.
You can download the package here: http://www.bitnuts.de/gpg2-and-win.zip
2011-04-08 by Flo
During some general tests with my stickyget (http://bitnuts.de/stickyget.php) on several mobile and smart phones I discovered some strange behavior on smartphones running Android and iOS (both using WebKit as their browser engine; Android <= 2.2.1, iOS < 4.0): DOM storage is not cleared on Android/iOS if the browser's cache was cleared/deleted.
What is it all about, what happened and how to reproduce the problem?
I used DOM storage to create a so-called DOM cookie that detects user visits in a simple manner. In general, DOM storage or web storage are web application methods for persistently storing user-specific data in a web browser's database. Viewed simplistically, this is some kind of improved cookie providing much greater storage capacity. However, it differs from HTTP cookies a bit, because unlike HTTP cookies, which can be accessed by both the server and the client side, such DOM cookies can only be accessed by the client (JavaScript). Anyway, JavaScript can transmit such data when the web page is loaded or some other action takes place, so using AJAX technology one can of course issue read and write requests.
Well, I used the following script on a simple web page to create a DOM storage cookie that detects user visits in a simple manner (just see it as a PoC):
----------8<----------
var now = new Date();
// A stored value means this browser has been here before; show when.
if (window.localStorage['last_visit'] != null)
    document.getElementById("DOMStorage").innerHTML = "last visit saved with html5 DOM as " + window.localStorage['last_visit'];
window.localStorage['last_visit'] = now.toString();
----------8<----------
2011-03-03 by Flo
Well, we all know that we as web and computer natives are some kind of nursery children, playing around with our operating systems (Windows XP, Vista or 7) until they are strewn and stuck with all that digital litter we have "collected" over time. In most cases the joy is tempered until you have to reinstall Windows straight from scratch after playing around a little while, finding Windows in some state where you cannot use it properly anymore (e.g. misconfiguration of the whole box, infected by malware, installed too many apps and software etc.). In such cases a comprehensive backup of a well-installed and preconfigured Windows box (including all drivers, patches and software you needed at the time of creation) seems to be worth its weight in gold.
In general the solution is really simple: Create a beautiful plain installation of Windows and the basic applications you always need and then build a so-called image dump of that 'little something'. Having the image, you're now in some kind of "god mode" and armed to have fun: You can play around, install and test software of any kind, install, test and analyze malware ... do stuff you should not do ... and! If you are done, just take that lovely image dump, restore it and it's like nothing happened :-)
Well, there are a lot of commercial tools out there to supply your need for an imaging tool. But wait a minute! Why should one spend about 50-100 bucks for something you could get for free? Yepp, for F-R-E-E!
Using one of the current well-known Linux distros you can achieve the same thing by just typing some magic lines into the console. And for my Windows fan boys, Linux additionally proves that it is good for something ;-)
ADVICE: THE FOLLOWING DESCRIPTION IS RAW AND UNCUT - USE AT YOUR OWN RISK! IN NO EVENT SHALL I BE LIABLE FOR ANY DAMAGES CAUSED IN ANY WAY OUT OF THE USE OF THE FOLLOWING DESCRIPTION.
Become root first:
sudo su
Using sfdisk with the -d option (add --force if necessary) we can dump the current partition table into a regular file, and if needed we can restore it from that file. Note that the partition table belongs to the whole disk (/dev/sda), not to a single partition such as /dev/sda1:
sfdisk -d /dev/sda > sda.partition
and to restore the partition table:
sfdisk /dev/sda < sda.partition
To back up the boot sector of the NTFS partition use the dd utility:
dd if=/dev/sda1 of=sda1.boot bs=512 count=1
To restore the boot sector:
dd if=sda1.boot of=/dev/sda1 bs=1
Make sure /dev/sda1 is not mounted before running ntfsclone for the following steps. Build a backup image straight from an NTFS volume into a compressed image file by executing the following line:
ntfsclone --save-image -o - /dev/sda1 | gzip -c > sda1.img.gz
Restore an NTFS volume from a compressed image file:
gunzip -c sda1.img.gz | ntfsclone --restore-image --overwrite /dev/sda1 -
Well, that's it. I always wonder why computer magazines spend plenty of time and paper on previews of imaging tools and do not even mention that basic image dumps can be created by simply booting Linux and typing a few lines into the console. Well, one might argue that this solution is a bit hacky, but hey: the demonstrated way suits SOHO environments perfectly and it's free.
2011-02-10 by Flo
In some situations you would like to protect your privacy while surfing the web and defend yourself against network surveillance or traffic analysis. One possible solution might be the usage of a web proxy: change the proxy preferences in your browser to one of the well known anonymous web proxy servers, or use a web based approach like Anonymouse (see http://www.anonymouse.org).
Another solution might be the usage of the well known Tor software (see http://www.torproject.org) that helps you defend against network surveillance and traffic analysis, which threaten e.g. personal freedom (of speech), your privacy and confidential web activities. Tor uses a distributed network of so called relays that bounce your communication around (also known as onion routing), so tracing back to your original (physical) network location is hard. The usage of Tor makes it more difficult to trace internet traffic back to you. Well, it is not impossible but it is hard to do so. If you are a "hard believer" in the conspiracy theory I recommend not to use Tor because there are some drawbacks and concerns about Tor anyhow ;-) If you just want to leave some "anonymous" posts in a forum or message board etc., or want to stalk around without leaving too many traces, Tor suits you just fine.
The easiest way to use Tor is by downloading the official Vidalia Bundle/Tor Browser Bundle at http://www.torproject.org. If you would rather avoid installers and like it a bit cracky hacky (or just simple) you might be interested in checking out my simple 2-go bundle (http://www.bitnuts.de/tor2go.zip) that needs no installer and should run out of the box. Just decompress tor2go.zip, fire up the polipo and tor startup scripts, change your web browser's proxy settings to 127.0.0.1:8118 and enjoy using Tor :-)
I will try to keep the bundle up to date and serve you with the latest official binaries. Questions, feedback, comments or suggestions are welcome (feel free to contact me).
Update [2011-08-29]
I updated the Tor executable and added a shortcut to Google Chrome that you can use to simply start an anonymous session of Google Chrome (if installed on your system). It just executes Chrome in proxy and incognito mode like:
%APPDATA%\..\Local\Google\Chrome\Application\chrome.exe --proxy-server=http://127.0.0.1:8118 --incognito
2011-01-30 by Flo
Just a simple demonstration of what your browser tells me by visiting this page. There is no reason to worry, I will not log this information (apart from default Apache logging). It is just for your information. You might use it to confirm the usage of "in private" mode or to check your cookie/DOM storage settings/preferences (flash cookies are currently not supported: this is on my todo list).
http://www.bitnuts.de/stickyget.php
2009-??-?? by Flo
Many modern computer applications need large prime numbers, but finding them is not easy. This document describes how it can be done anyway:
Miller-Rabin primality test
2009-??-?? by Flo
This is my Object Pascal implementation of a so called big integer class. Well, I know there are heavily optimized big integer implementations out there. If you are not interested in implementation details I recommend using such a class, and maybe you should not use Pascal at all, because Java, Python etc. come with full featured big integer implementations supporting all general arithmetic operations, including cryptographic stuff, too. My implementation was intended for teaching purposes, i.e. things were kept as simple as possible to give a basic overview. Feel free to optimize it; feedback is welcome.
Delphi BigInt-Implementation