
www.rolfje.com

Tag: hacking

Move Time Machine data to a Drobo

Posted on 2010-12-30 By rolfje 20 Comments on Move Time Machine data to a Drobo

Remember, even Drobos can die. Make sure your files are in at least three different physical locations, one of which is preferably off-site.

If Santa treated you particularly well this season, or you have put some of your savings to good use, chances are that you have a brand-new Drobo looking at you right now. Meanwhile, your Mac is happily making Time Machine backups to that trusty old local USB disk. So you want to use that new Drobo for Time Machine backups, but don’t want to lose history? Here’s how (baby steps, no tools required, screenshots included):

Apple, Hardware

Anonimatron featured on Softpedia

Posted on 2010-09-26 By rolfje 1 Comment on Anonimatron featured on Softpedia

100% CLEAN award granted by Softpedia

As you may know, I started working on a little tool to anonymize databases. Nothing fancy, just a Java tool that uses JDBC to replace live data with fake generated data which still looks representative enough to do testing and make believable screenshots. Oh, and did I mention that it is 100% free of charge? You can get the latest version from SourceForge.net.

I recently received an email from Softpedia that Anonimatron has been added to their catalog. Their email states:

“anonimatron” has been tested in the Softpedia labs using several industry-leading security solutions and found to be completely clean of adware/spyware components. We are impressed with the quality of your product and encourage you to keep these high standards in the future.

Anonimatron is written in Java and will run on Linux, OSX and Windows machines. The current version is 1.3, and it should be considered “beta” at this point.

Let me know what you think!

Software

Sonar “Close Connection” warning workaround.

Posted on 2009-10-06 By rolfje 7 Comments on Sonar “Close Connection” warning workaround.

When you use Spring and Ibatis and SQLTemplates, you could have code in your project which looks somewhat like this:

Connection connection = DataSourceUtils.getConnection(getDataSource());
// ... do connection stuff here ...
DataSourceUtils.releaseConnection(connection, getDataSource());

Sonar will report that you did not close the connection, while in fact Spring did that for you. You cannot just add a “connection.close()” to the code, because the whole point of calling “releaseConnection()” is to have Spring handle all the smart stuff on committing, closing, and returning the connection to the pool if needed.

Software

Block Luntbuild 1.5.1 Anonymous Access

Posted on 2007-11-13 By rolfje 4 Comments on Block Luntbuild 1.5.1 Anonymous Access

If you are using Luntbuild for your continuous integration builds at work, you probably want to remove anonymous user access. Instead of adding that feature to the administrator “Properties” page where I’d expect it, you have to hack the Spring configuration in the webapps directory of Luntbuild. Sigh. Here we go:

Software

Phrack still in ASCII

Posted on 2007-08-04 By rolfje No Comments on Phrack still in ASCII

It has been a long time since I read this stuff, but I stumbled upon a paper discussing the non-executable stack on OSX (a trick to prevent buffer/stack overflow exploits). Ah, the good old days. And with all this markup, it’s good to see that Phrack magazine stuck to their format. It’s still the same as over 20 years ago… Well-written articles, focused on correctness and content, for the coders out there who are not afraid of experimenting with some assembly. The number of (nightly) hours that go into the research and proof of these articles is unbelievable, and it shows.

Fun, Software

The Digital Revolution

Posted on 2007-05-04 By rolfje 1 Comment on The Digital Revolution

A nice example of the digital revolution and power to the people can be found at http://blog.outer-court.com/archive/2007-05-02-n67.html. Let’s hope manufacturers understand that people don’t want to pay for crippled content.

Digital copies where copyright is removed are actually better than their DRM protected originals, which makes well-meaning people move to pirated content, like I stated earlier. The important sentence here being “If I buy a DVD, I have to watch a few minutes of copyrights notices and commercials, without being able to skip them. If I rip it, and re-write it, these notices are gone…”.

Viva la Revolution!

Software

Lost Oracle SYS and SYSTEM password?

Posted on 2007-01-16 By rolfje 56 Comments on Lost Oracle SYS and SYSTEM password?

If your administration is as good as anybody’s, you are bound to lose the not-so-frequently used password for the SYS and SYSTEM users of Oracle. Here are a few ways I found to reset those passwords:

Method 1: SQLPLUS (Tested on AIX Oracle 9.2.0.1.0)

Log into the database server as a user belonging to the ‘dba’ [Unix] or ‘ora_dba’ [Windows] group, typically ‘oracle’, or as an administrator on your Windows machine. You are then able to log into Oracle as the SYS user and change the SYSTEM password by doing the following:

$ sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Mon Apr 5 15:32:09 2004

Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.

Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production

SQL> show user

USER is "SYS"

SQL> passw system
Changing password for system
New password:
Retype new password:
Password changed
SQL> quit

Next, we need to change the password of SYS:

$ sqlplus "/ as system"
SQL*Plus: Release 9.2.0.1.0 - Production on Mon Apr 5 15:36:45 2004

Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.

SP2-0306: Invalid option.
Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
where <logon>  ::= <username>[/<password>][@<connect_string>] | /
Enter user-name: system
Enter password:

Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production

SQL> passw sys
Changing password for sys
New password:
Retype new password:
Password changed
SQL> quit

You should now be able to log on as the SYS and SYSTEM users, with the passwords you just typed in.

Method 2: Creating pwd file (Tested on Windows Oracle 8.1.7)

  1. Stop the Oracle service of the instance you want to change the passwords of.
  2. Find the PWD###.ora file for this instance. It is usually located at C:\oracle\ora81\database\, where ### is the SID of your database.
  3. Rename the PWD###.ora file to PWD###.ora.bak for obvious safety reasons.
  4. Create a new pwd file by issuing the command:
    orapwd file=C:\oracle\ora81\database\PWD###.ora password=XXXXX
    where ### is the SID and XXXXX is the password you would like to use for the SYS and INTERNAL accounts.
  5. Start the Oracle service for the instance you just fixed. You should be able to get in with the SYS user and change other passwords from there.

Software

Fun at “automatiseringsgids”

Posted on 2006-01-12 By rolfje No Comments on Fun at “automatiseringsgids”

Even companies pretending to know about ICT, writing about companies doing it right or wrong, get it (very) wrong sometimes. People who have an account at De Automatiseringsgids know the login screen. But have they also noticed how their username and password are sent to the server in plain text?

Another funny thing a colleague of mine discovered is the really weird way of displaying error messages. The server returns the error message as part of a redirect. Yes, you’ve read that correctly. No server-side things here guys, must keep memory usage down. No sessions here, move along… A really funny thing you can do is display your own error messages, like so: De automatiseringsgids with weird error

“Wie dit leest is gek” (“Whoever reads this is crazy”)

I think somebody will start playing with this, because you can do a lot more (very bad) things. Should they have it fixed already when you are reading this, I saved a screenshot for you. You would have got something along the lines of this:

After discussing this weird construction, we concluded that the programmers wanted to do a “post-by-redirect” construction, where you make the server return a redirect to the browser just after a post. This solves the “reload problem” where the browser asks if it can re-post the data for you. Since a redirect is a GET, the browser will just reload the page. Normally you solve this by storing things in the session on the server and sending a session reference to the browser. Combined with HTTPS, this would give you a relatively strong, and still not too expensive, protection against scripting and spoofing attacks.

A fine example of what happens if you trust an external company to build your web application, but you “forget” to check that they’ve delivered something that’s up to your standards (or at least the standards you paid for). Have fun playing around with this, and let me know what interesting things you found. (hint: Iframes and javascript can do a lot on this page 😉)
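
The server-side alternative described above, as an added example (not code from the original post or from the site it discusses): the first pair of functions carries the error text in the redirect URL, the second keeps it in a server-side session and escapes it on output. The `error` parameter name, the `/login` path, the message text and the in-memory `SESSIONS` store are assumptions made for this sketch.

```python
import html
import secrets
from urllib.parse import urlencode, parse_qs, urlsplit

# In-memory stand-in for a server-side session store (assumption for this sketch).
SESSIONS = {}

def new_session():
    """Create a session with an unguessable id; only this id goes to the browser."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid

def login_failed_reflecting():
    """Pattern from the post: the error text itself travels in the redirect URL."""
    return "/login?" + urlencode({"error": "Invalid username or password"})

def render_login_reflecting(url):
    """Renders whatever text the URL carries, so a crafted link controls the page."""
    msg = parse_qs(urlsplit(url).query).get("error", [""])[0]
    return "<p class='error'>" + msg + "</p>"

def login_failed_prg(session_id):
    """Post/Redirect/Get: store the message server-side, redirect to a fixed URL."""
    SESSIONS.setdefault(session_id, {})["flash"] = "Invalid username or password"
    return "/login"

def render_login_prg(url, session_id):
    """Ignores the query string; shows the stored message once, HTML-escaped."""
    msg = SESSIONS.get(session_id, {}).pop("flash", "")
    return "<p class='error'>" + html.escape(msg) + "</p>"

if __name__ == "__main__":
    # Constructed link carrying text the server never generated.
    crafted = "/login?" + urlencode({"error": "<i>Wie dit leest is gek</i>"})
    print(render_login_reflecting(crafted))   # page shows the link's text as markup
    sid = new_session()
    target = login_failed_prg(sid)
    print(render_login_prg(crafted, sid))     # message comes from the session
    print(render_login_prg(target, sid))      # reload: message already consumed
```
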

Fun, Software


Copyright © 2025 www.rolfje.com.