Thursday, November 30, 2017

HTML1412: Malformed comment. Comments should start with


If you getting the following error in IE

HTML1412: Malformed comment. Comments should start with "<!-- "

from https://msdn.microsoft.com/en-us/library/mt744327

Here is the cause


<input id="MtpsDevice" type="hidden" value="Default" />
<![CDATA[ Third party scripts and code linked to or referenced from this website are licensed to you by the parties that own such code, not by Microsoft.  See ASP.NET Ajax CDN Terms of Use – http://www.asp.net/ajaxlibrary/CDN.ashx. ]]>

Here's the solution


<input id="MtpsDevice" type="hidden" value="Default" />
<!--[CDATA[ Third party scripts and code linked to or referenced from this website are licensed to you by the parties that own such code, not by Microsoft.  See ASP.NET Ajax CDN Terms of Use – http://www.asp.net/ajaxlibrary/CDN.ashx. ]]-->

Wednesday, November 29, 2017

How to fix logging into Mac as root with no password



























Apple, this is Windows 95 bad 

A trivial-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password.

The security bug can be triggered via the authentication dialog box in Apple's operating system, which prompts you for an administrator's username and password when you need to do stuff like configure privacy and network settings.

If you type in "root" as the username, leave the password box blank, hit "enter" and then click on unlock a few times, the prompt disappears and, congrats, you now have admin rights. You can do this from the user login screen, too.

From http://www.theregister.co.uk/2017/11/28/root_access_bypass_macos_high_sierra/


So Mac heads don't lend your computer to anyone until you fix this.


How the bug works!

Step 1 | Open the macOS system preferences window
Step 2 | Go to Users & Groups
Step 3 | Click the lock icon in the bottom-left corner of the window
Step 4 | Type "root" in the username field
Step 5 | Place the cursor in the password field

Step 6 | Press the Unlock button repeatedly until the user is created and you get in


How to Fix it!

CHANGING ROOT PASSWORD ON MACOS HIGH SIERRA

Step 1 | Launch System Preferences
Step 2 | Select Users & Groups
Step 3 | Select Login Options
Step 4 | Select Join next to Network Account Server
Step 5 | Select Open Directory Utility
Step 6 | Click the lock and enter your password to make changes
Step 7 | In the menu bar of Directory Utility, select Change Root Password
Step 8 | Create a strong, unique password


Tuesday, November 28, 2017

Mismatch Double, Single Quotes Online Code Checker / Formatter



This is a simple online quotes mismatch inspector that works for both single and double quotes. It works by break on quotes and numbering the them for quick visual inspection.
Cut and paste
alert('Say Hello to my li'l friend"); \\single quote - error in Javascript 
yields
alert('Say Hello to my li'l friend
   1.  1 
           ); \\single quote - error in Javascript 

Quotes Mismatch Inspector
Paste your code here


CHECK NOW for mismatched quotes
Results
  1. If you have even number of quotes then you are good.
  2. If you have odd number of quotes then you have a potential issue.


Original Mismatch Inspector
Goto my original post, it combines double and single quotes together.



Regex Mismatch Inspector
Goto my regex post  


Check you code online
More common languages have lint tools;





Monday, November 27, 2017

Cryptojacking Brief Introduction


http://hondacostarica.com/ contains CoinHive and stealing CPU cycles
















What is cryptomining?

Cryptocurrencies are underpinned by a technology named blockchain. Blockchain is a public ledger shared amongst a network of computers and consists of all transactions that have taken place using a certain cryptocurrency. Transactions are validated and stored in the blockchain through a process called mining (cryptomining). Mining is done by certain peers of the cryptocurrency network who compete (individually or in groups) in solving a difficult mathematical problem, called proof-of-work. This problem requires significant computational power to be solved. The node or group of nodes solving the problem first gets to add the latest batch of completed transactions in the blockchain and receives a reward for the performed computation (in cryptocurrency coins). Mining requires the use of special software for solving the mathematical problem.

Coinhive: Cryptomining in the browser

In September 2017, a company introduced Coinhive, which mines the cryptocurrency Monero (XMR). Coinhive, is a piece of code written in JavaScript; website owners can simply embed it in their website. Coinhive introduced a new business model for websites. It claims that website owners can remove ads from their websites, load Coinhive instead, and while users are simply browsing the website, mine for Monero. In that way, website owners can supposedly still make profit and support their businesses, without bothering their visitors with advertisements.

When users access a website with Coinhive embedded, Coinhive initiates the process of cryptomining on behalf of the website owner by using user system resources. The visitors of a website represent the group of nodes doing the intensive computational work to solve the mathematical problem. But, instead of them receiving the reward when solving the challenge, the website owner receives it. Moreover, in cases of abuse, i.e. when cyber criminals inject the cryptomining script in compromised websites, cyber criminals receive the reward. Due to Coinhives resonance (resulting from both legitimate and illegal use cases) more software similar to Coinhive emerged.

Cryptomining abuse

The technique of hijacking browsers for mining cryptocurrency (without user consent) is called "cryptojacking. Delivering cryptocurrency miners through malware is nothing new. Yet, mining cryptocurrency when accessing a webpage is new and it has already been abused and rapidly spread. The figure below illustrates how cyber criminals abuse cryptomining scripts through cryptojacking. Cryptojacking also refers to legitimate websites that do not explicitly ask visitors consent prior to executing cryptomining scripts in their browsers, nor do they provide them the option to opt-out. 

from
https://www.enisa.europa.eu/publications/info-notes/cryptojacking-cryptomining-in-the-browser


Protection
Kasperksy or Malwarebytes AV will protect you

Thursday, November 23, 2017

New Intel CPU Hack, turns your switched off Computer into a Zombie

The Management Engine is an independent subsystem that lives in a separate microprocessor on Intel chipsets; it exists to allow administrators to control devices remotely for all types of functions, from applying updates to troubleshooting. And since it has extensive access to and control over the main system processors, flaws in the ME give attackers a powerful jumping-off point.

Intel specifically undertook what spokesperson Agnes Kwan called a “proactive, extensive, rigorous evaluation of the product,” in light of findings that Russian firmware researchers Maxim Goryachy and Mark Ermolov from the vulnerability assessment firm Positive Technologies will present at Black Hat Europe next month. Their work shows an exploit that can run unsigned, unverified code on newer Intel chipsets, gaining more and more control using the ME as an unchecked launch point. The researchers also play with a sinister property of the ME: It can run even when a computer is “off” (just so long as the device is plugged in), because it is on a separate microprocessor, and essentially acts as a totally separate computer.

from https://www.wired.com/story/intel-management-engine-vulnerabilities-pcs-servers-iot/

----------NOT AFFECTED -----------------------------
1Desktop processors

from https://en.wikipedia.org/wiki/List_of_Intel_Core_i7_microprocessors

Fix it
https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

Saturday, November 18, 2017

The CIA's Pokemon Go App is Doing What the Patriot Act Can't




The CIA's Pokemon Go App is Doing What the Patriot Act Can't

The maker of the app? Niantic Labs. Never heard of them? That’s because until last year they were an internal start-up of none other than Google, the NSA-linked Big Brother company. Even now Google remains one of Niantic’s major backers. Niantic was founded by John Hanke, who also founded Keyhole, Inc., the mapping company which was created with seed money from In-Q-Tel, the CIA’s venture capital arm, and which was eventually rolled into Google Maps.


Apparently, many pokestops  are clustered around many embassies.

from July 13, 2016 (old news but new to me)

https://www.corbettreport.com/the-cias-pokemon-go-app-is-doing-what-the-patriot-act-cant/

Wednesday, November 15, 2017

C# Integer division try...catch vs casting vs if divisor not zero speed test, which is quicker?

Below is a performance analysis of C# .NET integer division comparing; 
  1. try...catch (DivideByZeroException)
  2. casting numerator (the number on top) to double
  3. if denominator (the number on bottom) not equal to zero
The console application code loops 1 million times and run using .NET 4.0 Framework (works on XP+) and timings (ticks) are indicated in the comments. The 2nd number in using .NET 4.6 Framework (Vista+). There is no significant improvement switching frameworks.

Answer: 

Casting (double)ttlcnt beats try...catch by 1 order O(1) of magnitude. 

But the winner is the if divisor not zero statement  beating casting by 6,000 nanoseconds.

FYI: Ticks are 100 nanoseconds long. There are 10,000,000 (10M) per second.


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Text;

namespace CastVSCatch
{
    class Program
    {
        static void Main(string[] args)
        {
           
            int million = 1000000; 
            int ttlcnt = 228394393;
            int pct = 0;
            var sw = Stopwatch.StartNew();

            for (int i = 0; i < million; i++)
            {

                //pct = (int)(100 * ((double)ttlcnt / i));  //~16,800 ticks //17,020 ticks in NETt4.6

                //try
                //{
                //    pct = 100 * (ttlcnt / i); //~=151,359  ticks   //147,531  in NET4.6
                //}
                //catch (DivideByZeroException)
                //{
                //    pct = 0;
                //}

                if (i != 0)
                    pct = 100 * (ttlcnt / i); //~=10,816 ticks 
                else
                    pct = 0;

                //if (i == 0)
                //    pct = 0;
                //else
                //    pct = 100 * (ttlcnt / i); //~=11,162 ticks 

            }

            sw.Stop(); 

            Console.WriteLine("pct=" + pct.ToString()+" in ticks="+sw.ElapsedTicks);

            if (Debugger.IsAttached)
                Console.ReadKey(); 
        }
    }
}

Update July 2020 with .NET Fiddle live code

Monday, November 13, 2017

Parallel Searcher make your own Windows Grep app

Here's a non-block UI thread c# WPF full Visual Studio solution that works and demonstrates the use of a background worker effectively, Parallel Searcher. 

This project is a great demonstration of the use of the BackgroundWorker class allows you to run an operation on a separate, dedicated thread. Time-consuming operations like downloads and database transactions can cause your user interface (UI) to seem as though it has stopped responding while they are running. When you want a responsive UI and you are faced with long delays associated with such operations, the BackgroundWorker class provides a convenient solution.

Parallel Searcher is like grep for windows and is a fun project to play with and easy to modify. The author Randy makes this code available license free.

Searched over 5,000 files in a couple of seconds!

Highlights of Code

  1. Parallel.ForEach - allows you to easily do the same thing to every list item
  2. Interlocked.Increment - allows you to add to a number, thread-safe
  3. Sample usage of Tuples - pack several variables into a single object
  4. ObservableCollection - allows you to continually add to a Grid ItemsSource in WPF
  5. Progress Bar - shows file status loading asynchronously
  6. Background worker - waiting for long task to finish and not block the GUI


More at Randy's site - https://actualrandy.wordpress.com/tag/observablecollection/



Saturday, November 11, 2017

How to run a Perl script file in Komodo Edit 11

Install ActiveState Perl and Komodo Edit 11.

Komodo Edit is the free light version of Komodo IDE and does not have a built-in Perl Debugger.

Here's how to a run a Perl script in Komodo Edit.

Copy macro below save as runscript.kpt


// komodo tool: Run Perl Script
// =========================
// doNotOpenOutputWindow: 0
// insertOutput: 0
// operateOnSelection: 0
// parseOutput: 0
// runIn: command-output-window
// showParsedOutputList: 0
// type: command
// version: 1.1.5
// =========================
%(perl) "%F"

to this directory


C:\Users\%USERNAME%\AppData\Local\ActiveState\KomodoEdit\11.0\tools

Open Komodo Edit Toolbox and you see the command "Run Perl Script". 
Choose your Perl file and click to run.


Click for full image size





















Friday, November 10, 2017

How to get Putty SSH/Telnet to connect to local Windows Subsystem for Linux SUSE Linux Enterprise on Windows 10

Install the Linux Subsystem on Windows 10 - Choosing SUSE Enterprise Linux








Fedora Server 26 not yet available, but due back in May 2017.







How to get a connect using Putty to Windows Subsystem for Linux - SUSE Linux Enterprise Server 12 SP3 or uname "4.4.0-43-Microsoft".

The instructions below "How to run SSH daemon" worked with some modifications; 

1) ssh-keygen -A (I ran this (is supported in SUSE Linux) instead of Step 1 : running  "sudo dpkg-reconfigure openssh-server". I use this to generate initial SSH keys)
2)  Uncommented  and change the PORT=22 or your choice, I used port 2222 in /etc/ssh/sshd_config file.
3)  Added AllowUsers=yourusername (not root) see SUSE openSSH page on for more 

Note: If you want to manually run SSH daemon, just run in a bash session 
(cmd.exe type bash)     "sudo /usr/sbin/sshd -D"  to get daemon running, then connect with Putty. 

In Putty, use HostName: "localhost" and your port number. 




How to run SSH daemon for SUSE WSL 

https://github.com/Microsoft/BashOnWindows/issues/612

Note that running sshd has security implications. Until WSL's security model has had longer to bake, you should assume that anyone who can ssh into your Windows box has permission to perform any command as the Windows user running sshd, regardless of Linux-level permissions. (Permissions are probably more restrictive than that in practice, but WSL's initial security model is not intended to be very sophisticated.)



Attempting to aggregate the instructions from github:

  • Generate SSH host keys by running "sudo dpkg-reconfigure openssh-server" in a bash shell
  • Run "sudo nano /etc/ssh/sshd_config"; edit the "UsePrivilegeSeparation yes" line to read "UsePrivilegeSeparation no". (This is necessary because "UsePrivilegeSeparation" uses the "chroot()" syscall, which WSL doesn't currently support.)
  • While still editing "/etc/ssh/sshd_config", you may choose to change "PasswordAuthentication no" to "PasswordAuthentication yes". Otherwise you will have to set up SSH keys.
  • Save "/etc/ssh/sshd_config" and exit.
  • Run "sudo visudo" to edit the sudoers file. Add the line "$USER ALL = (root) NOPASSWD: /usr/sbin/sshd -D", replacing "$USER" with your Linux username. Save and exit. If visudo complains that your changes are invalid, fix them until it reports that they are valid; otherwise you can break sudo on your system!
  • On the Windows side, edit the Windows firewall (and any third-party firewalls that you might be running) to allow incoming traffic on port 22. Because this isn't a super-secure setup, I recommend only allowing incoming traffic from home (private) and domain networks, not from the public Internet.
  • Create a text file "autostartssh.vbs" in Windows containing the following:


set ws=wscript.createobject("wscript.shell")
ws.run "C:\Windows\System32\bash.exe -c 'sudo /usr/sbin/sshd -D'",0

  • Double-click on the script. It should start sshd; you should be able to ssh into your Windows machine.
  • Open Windows's Task Scheduler. Add a task that runs "autostartssh.vbs" on system boot.

And that's it -- your Windows computer should be running a Linux openssh server!