Archive for the 'Security' Category

HOWTO: Fully automated Zwift login on Mac OS X

Quite a few riders on the Facebook Zwift Riders group have expressed an interest in this, so I decided to take a couple of hours, learn AppleScript and knock this out. Done! (if you’re on Windows, you want this other HOWTO instead)

This code lets you create a single icon that will log you into Zwift, with no human interaction needed. It will put in your email and password, click the “Start Ride” button and away you go!

This also leverages the OS X Keychain to store your Zwift email address and password, so it’s secure, not leaked into the filesystem and is able to be called on by any other apps that might need it (ahem, like… Zwift itself!) :D

So here’s how to get it working…

First, we need to create a separate keychain to store the Zwift credentials. You could store them in the main keychain, but I’m a fan of credential separation, so let’s use that.

Launch Keychain Access on your Mac (cmd + spacebar, type in “Keychain”).
Mac OS X Keychain Access

You’ll see a number of keychains listed there in the upper-left of Keychain Access. We’re going to create a new one, so go to File -> New Keychain and call it whatever you want.

I called mine “Zwift” so I can remember it when I see it on the filesystem or in the app later. It should default to save in ~/Library/Keychains/. Don’t change this path for now.

When you click “Create”, you’ll be prompted for a password to secure that keychain. Make it something relatively strong if you want to protect your credentials. If you don’t care, make it weak. Click on “Ok” and it will be created and saved.

Creating the Zwift keychain

Now right-click on the new keychain you just created in the list and select “Change Settings for Keychain Zwift”. We’re going to adjust the timeout when you have to re-enter your password to unlock this keychain.

Changing Zwift keychain settings

If you want a fully automated login, where you never have to enter a password or interact with this at all, uncheck both boxes, so it doesn’t lock after inactivity or when your computer goes to sleep.

If you prefer a bit more control/security, change the settings as you see fit.

Mine looks like this:

Zwift keychain timeout settings

Click on “Save” to save those settings.

Next, we need to add an account to the keychain. This will be your Zwift account, the same one you use to log into Zwift itself in the app and on the website. Click the little [+] at the bottom of the Keychain Access window to create a new entry. Here’s what it should look like when you’ve got it filled out correctly:

Creating a new Zwift keychain entry

Click on “Add” to add this entry to the keychain. Now you’ll see one entry in your list.

Zwift keychain user login entry

If you right-click on the entry, you can add some more details to it, but you don’t need to. I left it at the defaults.

Zwift keychain account additional details

Now let’s test that it locks and unlocks properly. Right-click on the keychain in the list on the left side and choose “Lock Keychain Zwift” (do not accidentally choose “Make Keychain Zwift Default”, or you’ll have a bad time)

Locking the Zwift keychain

Once locked, you’ll see the little padlock icon next to it show “closed”. Right-click again and select “Unlock Keychain Zwift”, put in your password and see that it cleanly unlocks and that the padlock shows “open” next to the name:

Unlocking the Zwift keychain

That’s just about the hardest part of this process. Now on to the code!

I’d never written a single byte of AppleScript until today, so I decided to give it a shot and learn the language. My early attempts stored the password in the code, then in files I’d read from disk, then in encrypted files I’d decrypt, but that was messy. Why reinvent the wheel when OS X already has an encrypted keystore I can use? So I used it.

Launch “Automator” (cmd + spacebar) and when prompted, select “Application” and click “Choose” to create one.
Mac OS X Automator
Mac OS X Automator Start screen

You’ll see a blank screen on the right and some macros and variables on the left. Don’t be scared, this is going to be EASY!

In the search dialog in the upper-left area, start typing “AppleScript”. You should see the list of items shorten to only one, as shown here:

Automator with AppleScript

Click that one entry and drag it to the empty canvas area on the right side of the Automator screen. When you let go, you’ll see something that looks like this on the right:

AppleScript starting point

Put your cursor in that window, select all of that default boilerplate and delete it; we’re going to start with a blank script here.

Blank AppleScript script

I’ve already written the code for you, so all you need to do here is cut and paste it into this window. Here’s the code (also available as a downloadable file by clicking this link)

on run {input, parameters}
  set userName to long user name of (system info)                 # User's full name
  set userHome to (system attribute "HOME")                       # User's home directory
  set secBin to "/usr/bin/security"                               # Full path to 'security' binary
  set kcName to "Zwift Login"                                     # Name of the entry in the keychain
  set kcPath to userHome & "/Library/Keychains/Zwift.keychain"    # Path to where the Zwift keychain lives
  set mySedMess to "sed 's/.*\"acct\"<blob>=\"\\(.*\\)\"/\\1/'"   # A horrible mess of sed. Nuff sed.

  # This is ugly, but it's the only way I could find to pull the account name from the Keychain.
  # Don't forget all of those escaping backslashes! (LTS - Leaning Toothpick Syndrome)
  # 'quoted form of' shell-quotes each value, so spaces or quotes in them cannot break the command.
  # No -g here: only the "acct" attribute is needed, so the password is not printed at this step.
  set zUser to do shell script (secBin & " find-generic-password -s " & quoted form of kcName & " " & quoted form of kcPath & " 2>/dev/null | grep acct | " & mySedMess)

  # -w prints only the password; -a selects the account name found above
  set zPass to do shell script (secBin & " find-generic-password -w -a " & quoted form of zUser & " -s " & quoted form of kcName & " " & quoted form of kcPath)
  
  activate application "Zwift"

  tell application "System Events"
    delay 3                                              # Wait for the login dialog to show up
    set frontmost of process "Zwift" to true             # Force Zwift process to the front
    keystroke tab                                        # Put the cursor into the Email field
    keystroke zUser                                      # Send the username (from above)
    keystroke tab                                        # Jump to the Password field
    keystroke zPass                                      # Send the password
    keystroke return                                     # Press Enter to start the fun!
    
  end tell
  return input
end run

Cut and paste that into the script window (or use the direct link to the file).

At the very top of the file are a couple of minor tunables. Make sure those match what your system and environment are set up with. If you chose a different name for your keychain file for example, you’ll need to change that here. Likewise with the name of the account’s title within that keychain; change that here as well. If you called it “Zwift” and used “Zwift Login” as I did, you don’t need to change anything.

Also, there are some delays built into the script (search for the word ‘delay’). If your system is a bit slower, you may need to increase that delay by a few seconds.

cmd + S to save the script, which should prompt you for a name. I called this one “AutoZwift”, but you can call it whatever you like. This will become its own standalone .app file you can launch from anywhere by double-clicking on it, so feel free to put it wherever you want.

We’re not quite done! Before you close Automator, let’s make sure it works as expected. Click the little “Run” button on the far, upper-right corner of the Automator GUI to test the script. If you got everything correct, you should get no warnings, errors or popup dialog boxes.

Automator Run button

One last thing: Because you’re asking Automator to read events and pass keyboard events into windows owned by other processes, you need to grant Automator the permission and access to do so. To do that, go into your System Preferences -> Security & Privacy and make sure you enable (check the box) Automator to do so:

OS X Security & Privacy

OS X Automator Permissions

Now you should have a fully-automated Zwift login icon with credentials secured by your OS’ built-in encrypted keystore.

Good luck and #RideOn!

(p.s. For those who run Zwift on Microsoft Windows, I’ve written a detailed HOWTO for you too! Stay tuned for more great HOWTOs for Zwift!)

HOWTO: Remove the “Year in Review” Posts from your Facebook Wall

It’s annoying. It’s Facebook. We all learn to either love or hate it, but there are ways to make the annoying parts of it go away.

The most-recent annoyance is Facebook’s compulsion to add the “Year in Review” posts from people to your Facebook wall.

Thankfully I’ve never been asked to fill mine out, but I do see hundreds of these from other “Friends” of mine. It looks like this:

2014-12-26 Facebook - Year In Review

Here’s how to get rid of them:

  1. Log into Facebook and go to this page:

    https://www.facebook.com/settings?tab=blocking

  2. Once you get there, you’ll see a section near the bottom labeled “Block Pages”. Put “YearInReview” into that form and hit Enter.

  3. If you’ve done it right, you should see something like this:

    2014-12-26 Facebook- Manage Blocking

That’s it, you’re done!

If you want to get rid of more Facebook garbage, ads and other annoyances, you can install the “Social Fixer” browser extension in your browser of choice. There are versions for Safari, Chrome, Firefox and Microsoft Internet Explorer. Works great!

SOLVED: Fixing Perl Plug-ins for XChat Azure in OS X Mavericks 10.9

I’m a heavy user of IRC and have been since the late 90’s. I use X-Chat for IRC on almost all machines, including Mac and Windows, not just the Linux environment that it was created upon.

When I recently upgraded my OS X Lion (10.7.5) machine to OS X Mavericks (10.9), I started seeing a significant number of core OS bugs. One of them affected how I use XChat to get to Freenode and other networks via SASL, SSL and Tor.

If you’re using XChat Azure 1.16.0 or the latest preview of 1.16.1, you’ll see the following errors when trying to load Perl plugins from Window -> Plugins and Scripts inside XChat:

Invalid Mac OS X bundle or required Mac OS X version is not satisfied

You’ll see this when you try to select the version of Perl showing in the Plugins window. The Python plugin works fine, just not Perl.

Here’s the quick-and-dirty fix, until the XChat Azure team can come out with a Mavericks-compatible release that uses the latest Perl:

Change to the XChat Azure PlugIns directory:

cd "/Applications/XChat Azure.app/Contents/PlugIns/"

Duplicate the contents of the perl-lion Perl bundle into one for Mavericks

sudo rsync -avP perl-lion.bundle/. perl-mavericks.bundle

Update the Info.plist file to match the versioning:

sudo defaults write ./perl-mavericks.bundle/Contents/Info XChatAquaMacOSVersionBranch 10.9

There’s one last step I found when I ran that last command to update Info.plist, and that is that you have to hand-modify the version in the .plist file to match OS X Mavericks 10.9 versioning:

sudo vi perl-mavericks.bundle/Contents/Info.plist

Down near the bottom of the file, change the string value of XChatAquaMacOSVersionBranch from 10.6 to 10.9, like this:

        <key>XChatAquaMacOSVersionBranch</key>
        <string>10.9</string>

Now if you quit and restart XChat Azure, go to Window -> Plugins and select your Perl interpreter (the one with 10.9), it will work, and you’ll see your plugins loaded as expected:

[16:27]   Python interface loaded
[16:27]   Perl interface loaded
[16:27]   SASL: auth loaded from /Users/$USER/Library/Containers/org.3rddev.xchatazure/Data/Library/Application Support/XChat Azure/sasl.auth

I wrote some HOWTO documents describing how to configure Tor + SASL + SSL to connect to IRC, you can find them here:

That’s it! Good luck and happy IRC’ing!

How Many Java Versions is Enough for Mavericks, Apple?

A lot of software outright fails to work on Apple OS X Mavericks.

It’s a disaster. Almost nothing works right.

Not only is the entire OS noticeably slower, by several orders of magnitude, than the Lion (10.7.5) install I was running until a few days ago on my 11″ MacBook Air, but there are dozens and dozens of glaringly-obvious bugs that make me want to go back to my Linux laptop full-time.

Here are some obvious ones:

  • The trackpad randomly disables two-finger scrolling and the only way to get it back is to either log out and back in, or restart the machine entirely.
  • The direction of the trackpad scrolling was reversed after the upgrade. Dragging fingers down used to pull the page down; now it pulls the page up. You can flip the toggle to reverse it, but why was it changed at all from the default?
  • The audio up/down buttons are about 1-2 seconds behind the actual button press, which is a bit disjointed when you’re trying to determine how far down or up to change the volume for a video or song.
  • USB Ethernet used to work plug-and-play, but now if your OS X machine is booted and you connect a USB Ethernet dongle, it will not be recognized, until you reboot the machine with the dongle plugged in. Every time. This feels like Windows to me. I never had to do this with Lion previously.
  • There’s a cut-off/echo with the voices in OS X Mavericks. When I have the clock set to announce the time every 15 minutes, instead of “It’s three-fifteen” or “It’s eleven o’clock”, I hear “…ee fifteen” or “…ven o’clock”, the first 1-2 syllables are completely missing, cut off.

There are dozens more that I’ve tripped on (and reported), but they still hamper productive use of the machine.

I also run several apps that depend on Java, including XCode, XMind, The Hit List and others. Most of these just flat-out fail to function. I was so frustrated at the amateurish quality of this major “greatest ever” OS update, that I started investigating myself.

Apple, a plea… how many Java versions, incorrect, non-current Java versions is enough? On this upgraded version of OS X (Lion -> Mavericks), I count 6+ distinct installs!

# OpenJDK Runtime Environment (build 1.7.0-internal-root_2012_07_25_17_59-b00)
./Applications/Xcode.app/Contents/Applications/Application Loader.app/Contents/MacOS/itms/java/bin/java

# Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
./Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java

# Java(TM) SE Runtime Environment (build 1.7.0_04-b21)
./Library/Java/JavaVirtualMachines/1.7.0.jdk/Contents/Home/bin/java

# Java(TM) SE Runtime Environment (build 1.7.0_04-b21)
./Library/Java/JavaVirtualMachines/1.7.0.jdk/Contents/Home/jre/bin/java

# Java(TM) SE Runtime Environment (build 1.7.0_04-b21)
./System/Library/Frameworks/JavaVM.framework/Versions/A/Commands/java

# Java(TM) SE Runtime Environment (build 1.6.0_65-b14-462-11M4609)
./System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/bin/java

[...]

The only one that is clean and current, is the one I installed:

# "./Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -version
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)

Of course, you don’t use it anywhere, no apps are referring to it, and instead you refer to the other versions which crash, break or fail to correctly launch any applications that use these Java interpreters.

Please, don’t tout your OS as being the “greatest work ever”, while providing a slow, buggy, de-evolved experience from the previous versions.

Fix it, or allow us to roll back to the previous version of the OS, which did work.

UPDATE: After much testing, I determined that the short-term “solution” was to rm the symlink to ‘java’ in ‘/usr/bin/’ and point it to the version of Java I installed from Oracle, as follows:

$ sudo ls -l /usr/bin/java
lrwxr-xr-x  1 root  wheel  74 Oct 27 15:55 /usr/bin/java -> /System/Library/Frameworks/JavaVM.framework/Versions/Current/Commands/java
$ sudo rm /usr/bin/java
$ sudo ln -s /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java /usr/bin/java

After doing this, my Java-based OS X apps started working as expected. This is not a fix, it’s a temporary hack and workaround, but it gets me back up and running on apps that were crashing and failing before.
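The count of installs above, and the check of what a launcher such as /usr/bin/java actually runs, can be scripted. This is an added example, not part of the original post: the function names are hypothetical, and the sample tree is constructed from three of the paths and build strings in the listing above.

```shell
#!/bin/sh
# Added example: inventory every `java` launcher under the given roots.
# Run it as an unprivileged user; it executes each launcher with -version.

# java_build PATH -> build string of one launcher, e.g. 1.7.0_45-b18
java_build() {
    # `java -version` reports on stderr, so merge it into stdout.
    out=$("$1" -version 2>&1 </dev/null) || { echo unrunnable; return 0; }
    build=$(printf '%s\n' "$out" |
        sed -n 's/.*Runtime Environment (build \(.*\))$/\1/p' | head -n 1)
    printf '%s\n' "${build:-unknown}"
}

# java_inventory ROOT... -> one "build<TAB>path" line per launcher, sorted by build.
# Paths with spaces ("Internet Plug-Ins") are handled; paths with newlines are not.
java_inventory() {
    find "$@" \( -type f -o -type l \) -name java -perm -100 2>/dev/null |
    while IFS= read -r bin; do
        printf '%s\t%s\n' "$(java_build "$bin")" "$bin"
    done | sort
}

# java_distinct ROOT... -> number of distinct builds installed.
java_distinct() {
    java_inventory "$@" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# java_stale WANT ROOT... -> launchers whose build differs from WANT.
java_stale() {
    want=$1; shift
    java_inventory "$@" |
        awk -F '\t' -v want="$want" '$1 != want { print $2 " (" $1 ")" }'
}

# make_sample_tree DIR -> constructed stand-ins for real launchers: tiny
# scripts that print a fixed build line on stderr, as `java -version` does.
make_sample_tree() {
    while IFS='|' read -r rel build; do
        mkdir -p "$1/$(dirname "$rel")"
        printf '#!/bin/sh\necho "Java(TM) SE Runtime Environment (build %s)" >&2\n' \
            "$build" > "$1/$rel"
        chmod +x "$1/$rel"
    done <<'EOF'
Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java|1.7.0_45-b18
Library/Java/JavaVirtualMachines/1.7.0.jdk/Contents/Home/bin/java|1.7.0_04-b21
System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/bin/java|1.6.0_65-b14-462-11M4609
EOF
}

# With arguments, scan those roots; with none, scan the constructed sample.
if [ "$#" -gt 0 ]; then
    java_inventory "$@"
else
    demo=$(mktemp -d) && make_sample_tree "$demo" && java_inventory "$demo"
    rm -rf "$demo"
fi
```

Run `java_build /usr/bin/java` before and after repointing the symlink to confirm which build the default launcher resolves to.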

Apple, please fix this.

SOLVED: Remove annoying duplicate users in your WordPress blog

This happens quite a bit, and I’m surprised the default WordPress install doesn’t have this fixed, but here’s a fix for cleaning up the duplicate users that will end up in your _users table in WordPress.

In my multi-site installation, that table is called ‘wpmu_users’. If you didn’t change the defaults for your site, it’s probably called ‘wp_users’.

Change this accordingly below for your site and table name.

 
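# Take a backup (mysqldump) of the table before you start.

# Create an empty temporary table with the same structure as the
# original wpmu_users table. LIKE keeps the primary key,
# AUTO_INCREMENT and indexes, which CREATE TABLE ... AS SELECT drops
CREATE TABLE wpmu_users_X LIKE wpmu_users;

# Populate it with the unique users from the original wpmu_users
# table, keeping the row with the lowest ID for each user_login
INSERT INTO wpmu_users_X
       SELECT u.* FROM wpmu_users u
       JOIN (SELECT MIN(ID) AS ID FROM wpmu_users GROUP BY user_login) k
         ON u.ID = k.ID;

# Drop the original table that contains the duplicate users
DROP TABLE wpmu_users;

# Rename the temporary table to the original table name. This
# effectively 'moves' the temporary table to the original table
# name
RENAME TABLE wpmu_users_X TO wpmu_users;

# Alter the table attributes to set 'user_login' as a unique key
# so attempts to create a username that already exists will be
# denied. (ALTER IGNORE was removed in MySQL 5.7.4; on newer servers
# use plain ALTER TABLE, since the duplicates are already gone.)
ALTER IGNORE TABLE wpmu_users ADD UNIQUE (user_login);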

Here’s what that looked like at the end of the process:

mysql> ALTER IGNORE TABLE wpmu_users ADD UNIQUE (user_login);
Query OK, 157348 rows affected (0.55 sec)
Records: 157348  Duplicates: 0  Warnings: 0

If you want to identify and kill off inactive users, spammers and such, look into the Inactive User Deleter plugin. I’ve used this with great success on my own blog, and it works great to kill off spam users that manage to sneak past the registration mechanisms, but post nothing.

That’s it, you’re done!

HOWTO: Properly install native VMware Tools in pfSense 2.0.3 (FreeBSD 8.1)


If you’re anything like me, you take security seriously. With all the recent news about the NSA and Prism and over-reach of surveillance, you’ll take this very seriously. I run several layers of nested firewalls, VPNs and other layers of security at my office.

One of the things I run in a virtualized environment (VMware ESXi) is pfSense. pfSense is an Open Source firewall distribution based on FreeBSD. It’s very full-featured, has a web-management console, and lots of add-on packages to enhance its capabilities.

“pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a single computer to large corporations, universities and other organizations protecting thousands of network devices.”

pfSense is currently using FreeBSD 8.1, which was EOL’d by the BSD team last July. The pfSense team is diligently working on new versions, but they’re not out yet. For now, you can continue to use FreeBSD 8.1.

If you run pfSense inside a VM, you’ll want and need to get the base VMware tools installed within it, but that process isn’t straightforward. You want to make sure you install the VMware Tools dependencies and core modules before installing anything else, so you don’t get into package conflicts and other troubles.

I’ve been writing a lot of posts about VMware lately, because I’m finding myself using it more and more, and I’m teaching myself how to use it in a higher-volume capacity.

Here’s how to install pfSense and immediately get the correct version of VMware Tools (from VMware itself, not the Open Source ‘open-vm-toolbox‘ or ‘vmfs-tools’) installed within it.

Let’s get started:

  1. First, create a new VM and attach your pfSense ISO to it, using whatever mechanism your hypervisor of choice provides. Boot it, and install pfSense into your VM. This part is easy and straightforward.
  2. Once fully installed, shut down (power off) your VM, and detach the CD, so it no longer boots, but keep the CD/DVD device configured for your VM, you’ll use that again in a moment.
  3. Boot your pfSense VM back up, configure networking (in my case the NIC was em0), and you’ll get to a screen that looks something like this:

    pfSense-2.0.3-main-screen

  4. From here, the first thing you want to do, is change your root password! Hit (8) to drop to a shell, and use the standard passwd(1) utility. Once changed, hit ^D (Control-D) to exit and return to the pfSense main menu.
  5. Next, we’re going to start SSHD, so we can log into the VM remotely, and manage it using a normal Windows, Mac or Linux terminal, vs. interacting with it using the VMware ESXi console (as in this example). Hit (14) to enable the SSH shell.
  6. In the previous screenshot, directly to the left of the (DHCP) part, was the IP of the pfSense server. SSH over to that now, as the root user, using whatever native terminal you prefer.
    $ ssh root@192.168.1.50
  7. Once SSH’d into pfSense remotely, you’ll need to set the PACKAGESITE environment variable, to make sure all core packaging tools refer to the 8.1-release tag from the FreeBSD archive site, and not the 8.1-release-p13 that it will try to use by default from the primary site, which will fail, because FreeBSD 8.1 is EOL as I write this.
  8. [2.0.3-RELEASE][root@pfSense.localdomain]/root(1): setenv \
    PACKAGESITE \
    http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.1-release/Latest/

    Here’s what will happen if you do not set this variable:

    [2.0.3-RELEASE][root@pfSense.localdomain]/root(3): pkg_add -rv wget
    looking up ftp.freebsd.org
    connecting to ftp.freebsd.org:21
    Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.1-release/Latest/wget.tbz: 
    File unavailable (e.g., file not found, no access)
    pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.1-release/Latest/wget.tbz' by URL
    pkg_add: 1 package addition(s) failed

    Once you set the variable to refer to the archive site, you’ll have success here:

    [2.0.3-RELEASE][root@pfSense.localdomain]/root(5): pkg_add -rv wget
    looking up ftp-archive.freebsd.org
    connecting to ftp-archive.freebsd.org:80
    requesting http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.1-release/Latest/wget.tbz
    Fetching http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.1-release/Latest/wget.tbz...x +CONTENTS
    x +COMMENT
    x +DESC
    x +MTREE_DIRS
    x man/man1/wget.1.gz
    x bin/wget
    ...
  9. Now we know we can get to the backup/archive site that holds the 8.1 RELEASE packages, let’s get the ones we need to get VMware Tools up and running. We’re going to need two core packages: compat6x-amd64 and perl to be able to run the script and dynamically load the VMware modules at kernel boot.
    [2.0.3-RELEASE][root@pfSense.localdomain]/root(6): pkg_add -r compat6x-amd64 perl 
    Fetching http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.1-release/Latest/compat6x-amd64.tbz... Done.
    
    *******************************************************************************
    *                                                                             *
    * Do not forget to add COMPAT_FREEBSD6 into                                   *
    * your kernel configuration (enabled by default).                             *
    *                                                                             *
    * To configure and recompile your kernel see:                                 *
    * http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html *
    *                                                                             *
    *******************************************************************************
    
    Fetching http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.1-release/Latest/perl.tbz... Done.
    Removing stale symlinks from /usr/bin...
        Skipping /usr/bin/perl
        Skipping /usr/bin/perl5
    Done.
    Creating various symlinks in /usr/bin...
        Symlinking /usr/local/bin/perl5.10.1 to /usr/bin/perl
        Symlinking /usr/local/bin/perl5.10.1 to /usr/bin/perl5
    Done.
    cd: can't cd to /usr/include
    Cleaning up /etc/make.conf... Done.
    Spamming /etc/make.conf... Done.
    Cleaning up /etc/manpath.config... Done.
    Spamming /etc/manpath.config... Done.
    
  10. Now we need to mount the CD ISO for VMware Tools for FreeBSD. This is the step I mentioned earlier and why we needed to keep the CD/DVD device configured for this VM. In ESXi, you’ll need to do that from the console, by right-clicking on the VM, go to Guest and then to “Install VMware Tools”, as shown here:
    Installing VMware tools in pfSense 2.0.3

  11. Now the drive is mapped to the VM, we need to mount it and access the vmware tarball within:
    [2.0.3-RELEASE][root@pfSense.localdomain]/root(8): mkdir /tmp/cdrom/
    [2.0.3-RELEASE][root@pfSense.localdomain]/root(9): mount_cd9660 /dev/acd0 /tmp/cdrom/
    [2.0.3-RELEASE][root@pfSense.localdomain]/root(10): cd /tmp/cdrom/
    [2.0.3-RELEASE][root@pfSense.localdomain]/tmp/cdrom(11): ls -l
    total 15030
    -r--r--r--  1 root  wheel        29 Mar 23 15:02 manifest.txt
    -r--r--r--  1 root  wheel  15390306 Mar 23 15:02 vmware-freebsd-tools.tar.gz
    [2.0.3-RELEASE][root@pfSense.localdomain]/tmp/cdrom(12): tar zxvf vmware-freebsd-tools.tar.gz -C /tmp/ 
    
  12. Now we can go into /tmp/vmware-tools-distrib and build the required interfaces for FreeBSD. For the most part, you’ll just accept the defaults to most of the questions. Read them carefully if you think you want something custom for your needs.
    [2.0.3-RELEASE][root@pfSense.localdomain]/tmp/vmware-tools-distrib(14): ./vmware-install.pl --clobber-kernel-modules=vmci    \
                      --clobber-kernel-modules=vsock   \
                      --clobber-kernel-modules=vmxnet3 \
                      --clobber-kernel-modules=pvscsi  \
                      --clobber-kernel-modules=vmmemctl
    Creating a new VMware Tools installer database using the tar4 format.
    
    Installing VMware Tools.
    
    In which directory do you want to install the binary files? 
    [/usr/local/bin] 
    
    In which directory do you want to install the startup script? 
    [/usr/local/etc/rc.d] 
    
    In which directory do you want to install the daemon files? 
    [/usr/local/sbin] 
    
    In which directory do you want to install the library files? 
    [/usr/local/lib/vmware-tools] 
    
    The path "/usr/local/lib/vmware-tools" does not exist currently. This program 
    is going to create it, including needed parent directories. Is this what you 
    want? [yes] 
    
    In which directory do you want to install the documentation files? 
    [/usr/local/share/doc/vmware-tools] 
    
    The path "/usr/local/share/doc/vmware-tools" does not exist currently. This 
    program is going to create it, including needed parent directories. Is this 
    what you want? [yes] 
    
    The installation of VMware Tools 9.0.5 build-1065307 for FreeBSD completed 
    successfully. You can decide to remove this software from your system at any 
    time by invoking the following command: 
    "/usr/local/bin/vmware-uninstall-tools.pl".
    
    Before running VMware Tools for the first time, you need to configure it by 
    invoking the following command: "/usr/local/bin/vmware-config-tools.pl". Do you
    want this program to invoke the command for you now? [yes] 
    
    Initializing...
    
    
    Making sure services for VMware Tools are stopped.
    
    Stopping VMware Tools services in the virtual machine:
       Guest operating system daemon:                                      done
    
    
    The vmblock enables dragging or copying files between host and guest in a 
    Fusion or Workstation virtual environment.  Do you wish to enable this feature?
    [no] 
    
    No X install found.
    
    Starting VMware Tools services in the virtual machine:
       Switching to guest configuration:                                   done
       Guest memory manager:                                               done
       Guest operating system daemon:                                      done
    The configuration of VMware Tools 9.0.5 build-1065307 for FreeBSD for this 
    running kernel completed successfully.
    
    You must restart your X session before any mouse or graphics changes take 
    effect.
    
    You can now run VMware Tools by invoking "/usr/local/bin/vmware-toolbox-cmd" 
    from the command line.
    
    Please remember to configure your network by adding:
    ifconfig_vxn0="dhcp"
    to the /etc/rc.conf file and start the network with:
    /etc/netstart
    to use the vmxnet interface using DHCP.
    
    Enjoy,
    
    --the VMware team

That’s it. You’ve now got a working VMware Tools install using the native, VMware-provided kit, inside your VM. If you’re running ESXi, you’ll now notice that it correctly reports its version, status and IP back to the console, which was missing before we started.

VMware ESXi pfSense tools installed

Good luck!

Using fdupes to Solve the Data Duplication Problem: I’ve got some dupes!

Well, 11.6 hours later after scanning the NAS with fdupes, I noticed that I’ve got some dupes across my system backups.

# time ./fdupes -R -Sm "/nas/Backups/System Backups/"
2153352 duplicate files (in 717685 sets), occupying 102224.5 megabytes


real	698m15.606s
user	38m20.758s
sys	92m17.217s

That’s 2.1 million duplicate files occupying about 100GB of storage capacity in my backups folder on the NAS. DOH!

Now the real work begins, making sense of what needs to stay and what needs to get tossed in here.

UPDATE: I may give up on fdupes altogether, and jump to rmlint instead. rmlint is significantly faster, and has more features and functions. Here’s a sample of the output:

# rmlint -t12 -v6 -KY -o "/nas/Backups/System Backups/"
Now scanning "/nas/Backups/System Backups/".. done.
Now in total 3716761 useable file(s) in cache.
Now mergesorting list based on filesize... done.
Now finding easy lint...
Now attempting to find duplicates. This may take a while...
Now removing files with unique sizes from list...109783 item(s) less in list.
Now removing 3917500 empty files / bad links / junk names from list...
Now sorting groups based on their location on the drive... done.
Now doing fingerprints and full checksums..
Now calculation finished.. now writing end of log...
=> In total 3716761 files, whereof 1664491 are duplicate(s)
=> In total  77.66 GB  [83382805000 Bytes] can be removed without dataloss.

HOWTO: How to Fix a Forgotten Windows Administrator or User Password with Sticky Keys

I pulled some of my very old Windows VMs out of my backup NAS recently with the intent to pull them into ESXi 5.0.1, and manage them there.

But they hadn’t been booted or updated in 4+ years. I thought I remembered the password for the users of these VMs, but none of my obvious choices worked.

I tried getting into it by booting an ISO loaded with chntpw to blank the Administrator password, but that didn’t work. I tried enabling the Guest account and setting a password there (also with chntpw), but that failed as well.

So the next option was to boot up a KNOPPIX DVD in my VM, and follow these steps to reset the password using the “Sticky Keys” trick:

  1. Boot from the KNOPPIX DVD (or Windows PE, Windows RE) in your Windows machine or VM. When you get to the boot prompt, type the following to get a 64-bit environment:
    KNOPPIX 7.2 boot prompt

  2. Let the OS load (graphical or otherwise) and open a shell session (Linux “command prompt”). You’re going to manually mount the Windows drive here, and copy some files around.
    KNOPPIX replace sethc

  3. sudo to root
    $ sudo su -
  4. At the shell, find your Windows drive. It will typically be something like /dev/sda1, as seen from KNOPPIX. The following fdisk(1) command will help you find it:
    # fdisk -l /dev/sd?
  5. Now you’ll need to mount that drive to access it:
    # mkdir /tmp/mount
    # mount /dev/sda1 /tmp/mount
    # cd /tmp/mount
  6. Change to the System32 directory under the Windows directory in your temporary mountpoint. Note that depending on your OS version, this may have a different case sensitivity. It may be “Windows”, “WINDOWS”, or “WinNT”.
    # cd /tmp/mount/WINDOWS/System32
  7. Now we can preserve and copy files that will help us get into the machine. In this next step, we’re going to back up a copy of “sethc.exe” to the root of the C:\ drive. This is a backup copy we’ll use to restore later, once we’re able to log into the machine.
    # cp -v sethc.exe /tmp/mount/
    # cp -v cmd.exe sethc.exe
  8. Now you can unmount the drive, shut down your machine, disconnect the KNOPPIX DVD and boot back up to the drive natively, back to the point where you forgot the Administrator or user’s password.
    # cd /
    # umount /tmp/mount/
    # sync
    # poweroff
  9. Once your machine has fully booted, after you see the logon screen, press the SHIFT key five times. Do not hit Ctrl-Alt-Del here, just hit [shift] 5 times in a row. If you’ve done it right, you should see a Windows command prompt where you can enter the following command to reset the Windows password.
    Microsoft Windows Sticky Keys Backdoor
    Microsoft Windows net user reset password

    C:\Windows\System32\net user Administrator MyNewPassw0rd

    Or if you just need to reset a non-Administrator account password, replace ‘Administrator’ in the above command with the appropriate username. If you don’t know your user name, type the following to list the available user names:
    Microsoft Windows net user query users

    C:\Windows\System32\net user
  10. You should now be able to log on with the new password you just created.
  11. Don’t forget to restore C:\sethc.exe to C:\Windows\System32\sethc.exe, or anyone with access to your machine will be able to use the same trick to reset your password and breach your account! To do that, follow the same steps above (boot to KNOPPIX, mount drive, copy files) to put the backed-up copy of the original file back in place. You won’t be able to do this while the machine is booted, as those files are locked and will not be replaceable.
    KNOPPIX restore sethc

That’s it! Now you’ve got your password recovered, and you can log in without issues.

Note: If you want to prevent someone from using this same trick, or using Kon-Boot against your server, you need to install and configure full-disk encryption with a tool like TrueCrypt. Do not use Microsoft’s “Bitlocker” product, as it is easily cracked.
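
A check that steps 7 and 11 leave the volume in the expected state, as an added example that is not part of the original post: run from the same KNOPPIX shell against the mountpoint, it reports whether sethc.exe is still a byte-for-byte copy of cmd.exe and whether the backup copy is still in the root of the drive. The function names and exit codes are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: check a mounted Windows volume
# for a sethc.exe that is really cmd.exe. Function names and exit codes are
# this example's own.

# find_ci DIR NAME [TYPE]: first direct child of DIR matching NAME, ignoring case.
find_ci() {
    find "$1" -mindepth 1 -maxdepth 1 -iname "$2" -type "${3:-f}" 2>/dev/null | head -n 1
}

# check_sethc MOUNTPOINT
#   returns 0: sethc.exe differs from cmd.exe
#   returns 1: sethc.exe is byte-identical to cmd.exe (the swap is in place)
#   returns 2: Windows directory, System32, sethc.exe or cmd.exe not found
check_sethc() {
    root=$1
    windir=
    # The Windows directory may be "Windows", "WINDOWS" or "WinNT".
    for name in windows winnt; do
        windir=$(find_ci "$root" "$name" d)
        [ -n "$windir" ] && break
    done
    [ -n "$windir" ] || { echo "no Windows directory under $root" >&2; return 2; }
    sys32=$(find_ci "$windir" system32 d)
    [ -n "$sys32" ] || { echo "no System32 under $windir" >&2; return 2; }
    sethc=$(find_ci "$sys32" sethc.exe)
    cmd=$(find_ci "$sys32" cmd.exe)
    if [ -z "$sethc" ] || [ -z "$cmd" ]; then
        echo "sethc.exe or cmd.exe missing in $sys32" >&2; return 2
    fi
    # Step 7 leaves a backup of the original in the root of the volume.
    backup=$(find_ci "$root" sethc.exe)
    [ -n "$backup" ] && echo "note: backup copy present at $backup"
    # Hashes are printed for the record when sha256sum is available.
    command -v sha256sum >/dev/null 2>&1 && sha256sum "$sethc" "$cmd"
    if cmp -s "$sethc" "$cmd"; then
        echo "ALERT: $sethc is identical to cmd.exe"
        return 1
    fi
    echo "OK: $sethc differs from cmd.exe"
    return 0
}

# Usage: sh check_sethc.sh /tmp/mount
if [ "$#" -ge 1 ]; then
    check_sethc "$1"
fi
```

After the restore in step 11 the check should return 0 and no longer print the backup note once C:\sethc.exe has been removed.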

DomainSite: This is Not the Way to Manage Passwords

As per my end-of-month processing, I update and rotate/change the passwords and login credentials for the hundreds of websites and logins I own and use on a regular basis.

I reached my domain registrar, DomainSite, and successfully changed my password to something nice and secure, and their system happily accepted it.

I logged out, and attempted to log in with that new password to verify that it was a successful change, and was denied. I tried again, denied again, and then I received this message from their system:

“For security reasons, if you enter an incorrect password for this account more than 10 times, you will be blocked from this website and will be required to pay a fee to regain access.”

DomainSite Password Reset Policy

Not only is this an unhelpful message, but it also puts the burden on the owner of the account to pay up if someone else decides to try to lock out their account.

In other words, I can attempt to log into DomainSite as another user more than 10 times, and now that user will have to pay DomainSite to restore their password.

Seriously, who thought this up? In my multi-decade experience of using the Web, I’ve never heard of a single case of someone attempting to charge the owner of a valid login credential, for an account that was locked out and had to be reset or restored.

DomainSite, tsk, tsk! You should know better!

If you’re going to permit someone to change their password legitimately, verify the password or at least describe the password policy so we can decide how complex we can make our passwords, before we lock ourselves out, because your system fails to clarify this on both sides.

Facebook Does It Again, Silently Sending GPS Coordinates with Every Message

Yes, they’ve done it again.

The most-recent update of the Facebook mobile application (Android and iPhone) reverses and resets the default settings for “Location Services”, so that every single Facebook message you send, also sends your exact GPS coordinates to the recipient (and to Facebook’s own messaging servers), even if you have your GPS disabled on your phone. When the GPS is disabled, they fall back to AGPS to determine your coordinates with incredible accuracy.

Yes, even if you’ve had it disabled before, a recent update of the mobile app resets these preferences to expose your location when you’re using their Messenger app to send or receive messages through the app.

This is so specific, it actually revealed that I was in my kitchen (in the rear of my house), and not just my approximate street address on my road. Zooming into the map they helpfully provide, shows where inside my house my phone is when I sent the test messages that revealed this issue.

To prevent your phone from exposing your location with every message, go into your Facebook mobile application settings, and disable “Messenger Location Services”, as below. When you disable it here, your messages will just show “Sent from Messenger” or “Sent from Web” inside the app, instead of showing a map and GPS coordinates.

Facebook Mobile Messaging PrivacyFacebook Mobile Messaging Privacy GPS Maps

With this feature disabled, they may still be sending GPS coordinates with each message to their messaging servers and simply not exposing them to the recipients, but there’s no confirmed way to tell.

I don’t use the native Facebook mobile app to send or receive messages, opting instead to use Trillian Mobile for Android, which does not pass the GPS coordinates with each message. In addition, I can use all of my IM and chat services at once, in one interface, including Facebook, seamlessly. They have desktop apps and a web interface also, for those who wish to use those natively on any platform. Highly recommended.

Facebook, I’m not impressed with your complete lack of understanding of core security and privacy issues. This is 2013, and no application should be sending GPS coordinates to message or email recipients. Imagine what would happen if a random, unknown person were to message me, and I replied back to them. I’ve now exposed my personal location, which could include my home address, to a level of accuracy that includes where inside my home I am when I’ve responded.

In a word: Disgusting.
