If you tell enough stories, perhaps the moral will show up.

2007-05-27

GnuWin32 is the Shortcut for the Old and Feeble

I wrote about getting round the simple LUA bug in Steam. Essentially, the installer runs as an admin, which is fine, and it permits the entire installation directory to the admins only, which is not fine, because to use the app, you need write acces to at least some of the files. To get it working, and because the only documentation suggests that you have to be an admin to run steam, the simple route is to set permissions on that directory to Users/Full.

That's a bit of a challenge in XP on an isolated workstation, because the security tab is hidden, and on XP home, at least, it's hard to get it back. Last time, I bodged it with SubInACL. A bit like writing a program in COBOL to change the name of a file.

What I wanted to do was use chmod -- the Unix command. That's because I'm a crusty old fart, and it's hard for me to imagine anything easier than writing chmod -R a+rw "C:/program files/steam/" That may look involved, but the Windows command line equivalent, cacls, is way tougher and you have to use a different program to make it recurse. That's why I ended up with SubInACL.

I'm not the only person to prefer to work this way, but be stuck using Windows. (Because I am, OK?) A lot of people turn to CygWin -- a complete *nix environment hosted on Windows. That's good -- you get shells, utilities, compilers, familiar filing system, the lot, but the very compatibility makes it alien within Windows, and it's really too much of a commitment for me.

So instead, I move further back along the compatibility spectrum, and get to GnuWin32, and that makes me happy. Essentially I can download the stuff I want: grep, less, the core command line tools like ls and chmod, and OpenSSH without making a big production out of pretending to be on Unix. The working ports come as nice friendly installers and the only manual step is to set your path. Because it's not Cygwin, there's no issue using these tools alongside Activestate Perl, or Windows scripting. And the license is impeccable, of course.

Perfect? Almost. Some problems just can't be mentioned ("where's the GNU vi? Tee hee!") and some systems would suit me but aren't there. (I know RCS is obselete, but I don't want to learn SVN.) But GnuWin32 is part of the toolkit.

2007-05-25

Quickest Compromise

Browsing round Ikea today I saw sales workstations left logged on to a Windows console, and that set me thinking. Our AUP requires users to lock their workstations on leaving them because the default screensaver lock of fifteen minutes is easily long enough for a malicious passer by to compromise the whole network, and I think that's fair enough. But I wouldn't have fancied standing in front of one of those screens trying to hack Ikea for more than about ten seconds. "Hey you..." So what's the quickest possible way to carry out an opportunistic compromise?

  1. It's a real console -- a PC screen keyboard and mouse.
  2. The logged on user is not an admin or a power user.
  3. You can reboot (but not change a password), but the only boot device is the HD. USB, floppy etc. are all closed.
  4. Internet access is through a proxy server running a business-access-focussed site category policy
Extra credit for universal applicability, and evading basic security precautions:
  • ICAP server running signature checks on downloads
  • No access to root of C:\ or anything other than the local profile
  • Mo command line, regedit, ....
  • Minimal profile in the event and proxy logs
  • Hacked user can return to the console and notice nothing

I suppose the key points here are the exploit itself and the phone-home to control it. My mind is running to a binary exploit file, customised enough to pass signature checks, uploaded somewhere innocuous, and renamed after download to the desktop. The phone home is tougher.

2007-05-21

Lunar Velocity

On Saturday evening there was a pretty but not unusual conjunction of Venus and the moon in the remains of the sunset. Venus made the apex of an equilateral triangle with the horns of the quarter moon, about 3 lunar widths east. Looking at the same time on Sunday, the moon had moved about a full hands span at arms length east in the 24 hours. I had thought it was faster.

2007-05-14

Five nines

About four years ago, we were having trouble with the Group mail gateways, and I set up a half-hourly email to the helpdesk and some other support people to allow them to ensure that mail was being received.

I needed a platform that would be a lot more reliable that the Group gateways I was testing. So I put it on a box built from consumer-grade parts and a free operating system, with a power supply extended out of the house into a fifty-year old fuse box (real fuses) in a rat-infested shed which bakes in the summer, and literally freezes in winter. As you would expect, it's run reliably ever since, popping out the emails every half hour on the half hour.

(Perhaps there are some machine room management lessons here for us. But I hope not.)

Well, that issue is over now, and it was the last application on that machine, so I've shut it down to make room for the hydroponic cannabis farm which is the current fashion in rural enterprise.

2007-05-08

Personal Service from Dawn's Rosy Fingers

Luscious pink sunrise this morning faded abruptly at 04:10 (GMT, natch). It felt as if it had been laid on for my benefit and switched off when I'd enjoyed it. Solipsism rocks.

Avarice

We'd come to the view that the more mad son had insuperable difficulty with arithmetic. We tried counting straws, counting up, writing dots, but the idea of adding just seemed to pass him by.

But lately he's been bringing home money work sheets. Ask him for the total price of a watch at 8p and a stick of rock at 4p (really) and he'll tell you. (Actually he got that one wrong, but normally he just stares a little up and to his left and pops out the answer.)

We should have known there'd be no fundamental problem. This is the boy who, still completely mute and detached, and still in nappies aged two, startled us late one night by ordering his magnetic numbers on the fridge door. I expect he just needed the money to give it some flavour.

2007-05-03

Harvest Moon In May

The full moon rose at 21:20 or so last night, and it was the colour of the setting sun.