Smörgåsbord

Handcrafted musings.

There are times you need to connect to ‘dirty’ networks such as public WiFi hotspots. Hopefully you’re ensuring that sensitive information is encapsulated in a transport-layer-security-enabled protocol such as SSL/TLS, because anyone on the same link (in the case of WiFi, that’s the air surrounding you. A vacuum will do, too, but that’s less common) can listen in on the traffic you’re sending. With SSL encapsulation such as HTTP over SSL (https://), your traffic can still be captured — but for those who do it’s an extremely boring read because they don’t know the session key; only you and the other endpoint do. Hopefully.

One particularly nasty thing that can happen to you is when your machine is subverted into using the attacker’s machine as the router. That is known as ARP poisoning (or ARP poison routing). The attacker can proceed to not only read the traffic coming from your machine (which, on a shared medium, could be done anyway), or read the traffic going into your machine (again: on a shared medium, that could be done anyway), but the attacker can now also modify the traffic between you and the rest of the non-local network, e.g., the internet, in both directions. And that’s when he can really go to town with your traffic. Injecting a javascript keylogger into all the webpages you visit. ‘Sidejacking’ your sessions, so he does not even need to know your passwords, just your session cookies — which you happen to transmit with every page request.

All possible unless you use transport layer security, which, once properly set up, makes tampering detectable: the session fails instead of silently carrying modified data. Once properly set up. But setting up can have problems of itself — there are ways of preventing you ever going from HTTP to HTTPS. If you know a thing or two about HTTP and SSL you’ll be delighted to learn about Moxie’s very evil but very clever ways of doing so (sslstrip being the best known).

Anyway, some level of security can be achieved if you tell your machine to ignore any ARP messages sent to it by the other machines on the local network. That includes messages that would make your machine believe that the router has suddenly changed its physical (MAC) address — which is quite unlikely to happen legitimately, but those messages are exactly the type of message an impersonator would send you. Of course we need to whitelist the routers of the network, otherwise we can’t get traffic out of it and onto other networks. DNS resolvers on the local link will need whitelisting too, unless you’re running one on your own machine (probably not), and so will the DHCP server if you want lease renewals to keep working.
Not openly announcing your presence may also be something you wish for. If you have ever been on a network with a Mac user you have probably seen them popping up in your Zeroconf service browser as “Firstname Lastname’s iSomething”. Let’s cut down on that kind of promiscuity, too. But you should understand now that you cannot actually hide unless you turn off your WiFi. Shared medium, remember?

I prepared a simple script to accomplish the above. I’ve used ip from the iproute2 package instead of sticking to old-school route, ifconfig, arp & co. And I must say ip neigh flush nud stale has a poetic ring to it, wouldn’t you agree?

Take note: this will only protect you from some kinds of attacks, and only partially. An attacker has a window of opportunity between your machine getting assigned a DHCP lease and you running this script, for instance; if the ARP cache has already been poisoned by then, the script will happily pin the attacker’s MAC address as the permanent entry for the router. Or maybe the access point is rigged. Actually all protection other than end-to-end encryption combined with mutual authentication is pretty useless on shared networks ;-)

Here’s the script. Linux-only. If you want to use it, get the latest version from my public repository.

#!/bin/bash

# arpshield 0.2
# Protects against ARP poisoning and cloaks your machine for all
# local link devices but the router(s) and the DNS server(s).
# Whitelisting DHCP servers also works if you use the dhcpcd program
# to obtain DHCP leases.
# This program is of no help if your setup is already poisoned: it
# pins whatever MAC the neighbour cache holds right now, so run it
# before anything else has had a chance to lie to you.
# Have a look at ArpON (http://arpon.sourceforge.net/manpage.html) if
# you need more extensive protection.
#
# Needs 'ip', 'awk', 'sed', 'arptables', and 'arping' and expects
# them on $PATH. Needs appropriate privileges (so use sudo).
# Takes a network interface as an argument. The network interface
# should be up and configured. If no argument is given, clear all
# rules. Obviously you should do that before connecting to a new
# network.
#
# Copyright 2010 Wicher Minnaard (wicher@gavagai.eu)
# License: Creative Commons Attribution-Share Alike 3.0

DEV="${1}"

# Do you use dhcpcd for acquiring DHCP leases? And is it running?
# (dhcpcd's lease file is a sourceable shell snippet that sets, among
# others, GATEWAYS, DNSSERVERS and DHCPSID, which are used below.)
dhcpcdLEASEFILE="/var/lib/dhcpcd-${DEV}.info"
dhcpcdPIDFILE="/var/run/dhcpcd-${DEV}.pid"
if [ -n "${DEV}" ] && [ -f "${dhcpcdLEASEFILE}" ] && [ -f "${dhcpcdPIDFILE}" ]; then
  source "${dhcpcdLEASEFILE}"
fi

# In case you lack the luxury of dhcpcd, where is your resolv.conf?
RESOLV="/etc/resolv.conf"

# No user-serviceable parts below this line.

# I know, I know. But if your routing table contains 0.333.456.789 you have bigger problems ;-)
IPREGEX="\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}"

# Register
MACreg=""

# If not run as root, bail
if [ "$(id -u)" != "0" ]; then
  echo "You need root privileges to modify networking parameters. Exiting." 1>&2
  exit 2
fi

getmac(){
  # Sets the MAC register by IP. Sets it to nil if the MAC is not on the local link.
  # 'ip neigh show' prints "IP dev DEV lladdr MAC STATE"; FAILED/INCOMPLETE entries
  # carry no lladdr and therefore yield nothing.
  local getMAC
  getMAC=$(ip neigh show "${1}" | awk -v dev="${DEV}" \
    '$2 == "dev" && $3 == dev { for (i = 4; i <= NF; i++) if ($i == "lladdr") { print $(i+1); exit } }')
  if [ -z "${getMAC}" ]; then
    # Not cached yet: ask the link once, then look again.
    arping -c1 -I "${DEV}" "${1}" > /dev/null 2>&1
    getMAC=$(ip neigh show "${1}" | awk -v dev="${DEV}" \
      '$2 == "dev" && $3 == dev { for (i = 4; i <= NF; i++) if ($i == "lladdr") { print $(i+1); exit } }')
  fi
  MACreg="${getMAC}"
}

allow(){
  # Whitelists ARP traffic to and from a particular IP+MAC pairing and
  # pins the pairing as a permanent neighbour cache entry, so that we never
  # need to ask for it again (and will not believe anyone who volunteers it).
  local IP="${1}" MAC="${2}"
  if [[ -n "${IP}" && -n "${MAC}" ]]; then
    arptables -A INPUT  -s "${IP}" --source-mac      "${MAC}" -j ACCEPT
    arptables -A OUTPUT -d "${IP}" --destination-mac "${MAC}" -j ACCEPT
    ip neigh replace "${IP}" lladdr "${MAC}" nud permanent dev "${DEV}"
  fi
}

if [ -n "${DEV}" ]; then
  # whitelist the routers
  [ -z "${GATEWAYS}" ] && GATEWAYS=$(ip route show dev "${DEV}" | sed -n "s:.* via \(${IPREGEX}\).*:\1:p")
  for GWIP in ${GATEWAYS}; do
    MACreg=""
    getmac "${GWIP}"
    allow "${GWIP}" "${MACreg}"
  done
  # whitelist the DNS servers (off-link resolvers yield no MAC and are skipped;
  # they are reached through the router anyway)
  [ -z "${DNSSERVERS}" ] && DNSSERVERS=$(sed -n "s:^nameserver \(${IPREGEX}\):\1:p" "${RESOLV}")
  for DNS in ${DNSSERVERS}; do
    MACreg=""
    getmac "${DNS}"
    allow "${DNS}" "${MACreg}"
  done
  # if using dhcpcd, we can whitelist the DHCP server too
  if [ -n "${DHCPSID}" ]; then
    MACreg=""
    getmac "${DHCPSID}"
    allow "${DHCPSID}" "${MACreg}"
  fi
  # set default policy to DROP
  arptables -P INPUT DROP
  arptables -P OUTPUT DROP
  # clear out non-hardcoded ARP cache entries (permanent ones survive)
  ip neigh flush nud reachable
  ip neigh flush nud stale
else
  # No argument given, so clean up.
  arptables -F
  arptables -P INPUT ACCEPT
  arptables -P OUTPUT ACCEPT
  ip neigh flush nud permanent
fi
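Since the script pins whatever the neighbour cache holds at the moment you run it, it pays to look at that cache first. The following Python is an added example, not part of the original post or of arpshield: it parses the output of ip neigh show (a constructed sample is embedded; pipe in the real thing on your own box), flags a gateway whose cached MAC differs from the one you noted down on a known-clean day, flags a MAC that answers for more than one IP (what a poisoned cache looks like after an attacker has claimed the router’s address), and prints the same arptables and ip commands arpshield’s allow() function would run for a pairing you trust. The addresses, interface names and the known-good MAC are made up.

```python
import re
from collections import defaultdict

# One line of 'ip neigh show' looks like
#   192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
# or, for an address nobody answered for,
#   192.168.1.99 dev wlan0  FAILED
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17}))?"
    r".*?\s(?P<state>[A-Z]+)$"
)

# Constructed sample (not a real capture): the gateway 192.168.1.1 and the
# host 192.168.1.23 both map to de:ad:be:ef:00:01, which is what a poisoned
# cache looks like after an attacker has claimed the gateway's IP.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.23 dev wlan0 lladdr de:ad:be:ef:00:01 STALE
192.168.1.50 dev wlan0 lladdr 00:aa:bb:cc:dd:ee DELAY
192.168.1.99 dev wlan0  FAILED
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
"""

# The gateway MAC noted down on a known-clean day (assumed value).
KNOWN_GOOD = {"192.168.1.1": "00:11:22:33:44:55"}


def parse_neigh(lines):
    """Turn 'ip neigh show' lines into dicts: ip, dev, mac (None if unresolved), state."""
    entries = []
    for line in lines:
        m = NEIGH_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["mac"] = d["mac"].lower() if d["mac"] else None
            entries.append(d)
    return entries


def audit_neigh(lines, pinned, dev=None):
    """Report (1) pinned IPs whose cached MAC differs from the known-good one and
    (2) MACs that answer for more than one IP. Restrict to one interface with dev."""
    findings = []
    entries = [e for e in parse_neigh(lines) if dev is None or e["dev"] == dev]
    mac_by_ip = {e["ip"]: e["mac"] for e in entries if e["mac"]}
    for ip, want in pinned.items():
        seen = mac_by_ip.get(ip)
        if seen is None:
            findings.append({"kind": "unresolved", "ip": ip})
        elif seen != want.lower():
            findings.append({"kind": "pinned-mismatch", "ip": ip,
                             "expected": want.lower(), "seen": seen})
    ips_by_mac = defaultdict(list)
    for ip, mac in mac_by_ip.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append({"kind": "shared-mac", "mac": mac, "ips": sorted(ips)})
    return findings


def pin_commands(dev, pinned):
    """The commands arpshield's allow() runs, for pairs you trust (run them as root)."""
    cmds = []
    for ip, mac in pinned.items():
        cmds.append(f"arptables -A INPUT -s {ip} --source-mac {mac} -j ACCEPT")
        cmds.append(f"arptables -A OUTPUT -d {ip} --destination-mac {mac} -j ACCEPT")
        cmds.append(f"ip neigh replace {ip} lladdr {mac} nud permanent dev {dev}")
    return cmds


if __name__ == "__main__":
    for finding in audit_neigh(SAMPLE_NEIGH.splitlines(), KNOWN_GOOD, dev="wlan0"):
        print(finding)
    print("\n".join(pin_commands("wlan0", KNOWN_GOOD)))
```

A shared MAC is a strong hint, not proof: a router that owns several addresses on the link legitimately shows up that way, which is why the audit reports and leaves the decision to you. The pinned-mismatch check is the one that actually catches the scenario in the post, and it only works if you recorded the router’s MAC before you needed it.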

Tags: , , ,

Access remote X11 servers that have their TCP socket disabled

This happens to me regularly. Someone brings a machine along and I want to display some app, running on my machine, on their display. Networked X11 to the rescue, you say? No, their X11 server is started with ‘-nolisten tcp’, which is the default on most modern Linux distros. Sadly, the TCP socket can’t be enabled ‘in-flight’ — if you decide you do fancy a TCP socket after all, you’ll have to restart your X server, which may be a pain if you’re in the middle of something (besides, restarting is just plain uncool).
But there is a way to expose the Unix domain socket as a TCP socket, with the help of socat. The following examples all use bash, so if you run a different shell (if you don’t know, you probably aren’t) you may need to define environment variables differently.

Braindead Proof of Concept (BPOC)

Situation: You want to display an application running on a machine called w00t on another machine, called bling. There’s an X11 server running on bling, but it’s not configured to listen on any TCP socket. DNS is properly set up, so if you ping w00t from bling, you get replies from w00t’s IP, and vice versa.

  1. On bling, find the domain socket of bling’s X11 server. Have a look in /tmp/.X11-unix/. The socket’s name usually reflects its X server display number (which you can determine by running echo $DISPLAY in an xterm).
  2. On bling, run something along the lines of
    socat TCP-LISTEN:6066 UNIX-CONNECT:/tmp/.X11-unix/X0
    This will open up TCP port 6066 on all of bling’s network interfaces, connecting it to the Unix domain socket of the X server.
  3. In an xterm on bling, run xhost +. You have now opened up your X11 server to the whole wide world, a silly thing to do. Anyone with access to the TCP socket can now read your keystrokes, read your window contents, click your mouse buttons…
  4. In an xterm on w00t, run DISPLAY="bling:66" xclock. You may have noticed that 66 = 6066 – 6000 and indeed, by convention the TCP port number for a certain display is its display number + 6000. Anyhow…. yay, a clock! It’s displayed on bling, but running on w00t.

Improvements

  • You may have noticed that in the BPOC, you can use the display on bling only once. socat will allow only one client, and will exit once that client exits. In some situations, you may consider that a feature (it’s a one-time access grant), but in others you may not. If you want a reusable TCP socket, run something along the lines of
    socat TCP-listen:6066,fork,reuseaddr UNIX-CONNECT:/tmp/.X11-unix/X0 which forks off a socat process for every TCP connection.
  • You may not want to expose a TCP socket on all interfaces. Maybe you only want to expose a socket on the LAN interface, or on the localhost interface (and wrap the packets in an SSH tunnel). Well, you can, using the ‘bind’ option:
    socat TCP-LISTEN:6066,bind=localhost UNIX-CONNECT:/tmp/.X11-unix/X0
    Now tunnel it over SSH. On w00t, run ssh -L 6011:localhost:6066 bling. Now localhost:6011 on w00t is actually localhost:6066 on bling, which is actually /tmp/.X11-unix/X0 on bling. So on w00t you can start an xclock with its display on bling by running DISPLAY="localhost:11" xclock. Only w00t’s users can reach the forwarded port, and the bytes cross the network inside the SSH session rather than in the clear.
  • xhost + from the BPOC is braindead indeed. There are a couple things you could have done instead, there are good ways of tightening up your authorization scheme.
    • First off, you don’t really need to run xhost + if you properly set up X11 cookies, which you should. Here are some examples on using the xauth scheme, but take note: xauth generate will probably not work on recent X11 releases since the XSECURITY extension is disabled by default. Just use the same cookies on the client and the server.
    • Run xhost +w00t. That’s host-based authentication, which is stupid, but not as stupid as no authorization at all. Any user on w00t can now connect.
    • Suppose that on bling (of course!) you’d run xhost +SI:localuser:theuser with ‘theuser’ being the userID of the unix-user running the socat instance. Now from the point of view of the X server, any client connecting through socat will be coming from ‘theuser’ and will therefore be allowed access. Entertaining, but not much different from just running xhost +. It is something to keep in mind though! Many distros by default add the unix-user that started the X server to the authorization list. That user does not need a cookie. If you run socat as that user you will have the effect of running xhost + even if you run xhost -.
    • Just run a nested X11 server, such as Xnest or Xephyr. This way you put untrusted users in a sandbox, preventing them from snooping your keyboard and windows. It’s the X11 equivalent of a chroot.
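What socat is doing in the recipes above, written out as an added example (this is not socat’s code and not part of the original post): a small Python forwarder that exposes a Unix domain socket on a TCP port. The bind_host argument is the equivalent of socat’s bind=localhost, and once=True mirrors plain socat (one client, then stop listening) while once=False mirrors the fork option. So that it can be run offline, the block also starts a constructed stand-in for /tmp/.X11-unix/X0 (an upper-casing echo server, nothing X11 speaks) and pushes a payload through the whole chain; the socket path, port and payload are assumptions.

```python
import os
import socket
import tempfile
import threading


def pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the
    peer sees EOF as well (this is how a client's close propagates through)."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def bridge(tcp_conn, unix_path):
    """Connect one accepted TCP client to the Unix domain socket and relay
    in both directions until both sides are done."""
    with tcp_conn, socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as xsock:
        xsock.connect(unix_path)
        back = threading.Thread(target=pump, args=(xsock, tcp_conn), daemon=True)
        back.start()
        pump(tcp_conn, xsock)
        back.join()


def serve(unix_path, bind_host="127.0.0.1", port=6066, once=True):
    """Expose unix_path on a TCP listener. bind_host limits who can reach it
    (127.0.0.1 = socat's bind=localhost; "" = every interface). once=True
    accepts a single client like plain socat; once=False behaves like ',fork'.
    Returns the listening socket so the caller can read its port or close it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_host, port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _peer = listener.accept()
            except OSError:
                return  # listener was closed
            if once:
                listener.close()  # a second client finds nothing to connect to
                bridge(conn, unix_path)
                return
            threading.Thread(target=bridge, args=(conn, unix_path), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener


def fake_x_server(unix_path):
    """Constructed stand-in for an X server socket: echoes upper-cased input."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(unix_path)
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data.upper())
        srv.close()

    threading.Thread(target=handle, daemon=True).start()


def demo_roundtrip(payload=b"hello x11"):
    """Start the fake socket, expose it on a loopback port, send payload
    through the forwarder and return whatever comes back."""
    path = os.path.join(tempfile.mkdtemp(), "X0")  # assumed path, not /tmp/.X11-unix/X0
    fake_x_server(path)
    listener = serve(path, "127.0.0.1", 0)  # port 0: let the kernel pick a free one
    port = listener.getsockname()[1]
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)
        received = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            received += chunk
    return received


if __name__ == "__main__":
    print(demo_roundtrip())
```

Note what the forwarder does not do: it performs no authorisation of its own. Every byte from the TCP side reaches the X server as if it came from the local user running the forwarder, which is exactly the point made about running socat as the user that started the X server. Keep the listener on loopback and let SSH and xauth cookies do the gatekeeping.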

Tags: , , , ,

Here’s a trick. Many laptop trackpads lack a middle mouse button. On a regular mouse input device, the middle mouse button is the scroll wheel, and when you press it down it emits a button event. In X11 this button event is used to paste the X selection buffer into the position right beneath the cursor (there lies sublime usability in this simple fact).
You can emulate a middle-mouse-button event by pressing the left and right mouse buttons at the same time. Since I lack the manual dexterity to do this on my tiny netbook trackpad I wanted to be able to do middle-mouse-button-paste with my keyboard. Well, that appeared to be easy to accomplish with the X11 XTEST extension, which the xautomation collection exposes through the xte utility. If you enter xte 'mouseclick 2' in a terminal (within an X11 session, of course), you get the same effect as if you’d just pressed the middle mouse button. The only thing left is to add a keyboard shortcut to run this command; in my favourite desktop environment, XFCE, this can be done clickwise via the Settings Manager or simply by running something like xfconf-query -c xfce4-keyboard-shortcuts -n -t string -p '/commands/custom/<Super>v' -s "xte 'mouseclick 2'" (the -n and -t options create the property if it does not exist yet). I can now paste my X selection buffer by pressing the funny ‘four-wobbly-squares key’ and ‘v’ simultaneously.


Tags: , ,

Today we talk usability. Specifically, desktop interaction differences between the X11 windowing system and the windowing systems that come with those operating systems you can actually buy in a shop downtown.

Select – Copy – Positionyourcursor – Paste

Say I’d like to copy some text from some window (which may or may not have the input focus) into some other window (which also may or may not have input focus). This action is commonly called ‘copy-paste’. Copy-paste. That sounds like two steps, doesn’t it?
Let’s say both windows are visible on the current desktop. Outside of the X11 world – say, on a Windows machine – you’d have to undertake the following steps:

  1. Drag-select the text in the first window.
  2. Press ctrl-c or click edit/copy.
  3. In the second window, click the position where you want the text to be inserted.
  4. Paste the text with ctrl-v or edit/paste.

This is not “copy-paste”. This is “select-copy-positionyourcursor-paste”. Here’s how you do it on X11:

  1. Drag-select the text in the first window.
  2. Hover over (you don’t need to click[*]) the position you want the text to be inserted at in the second window and paste by clicking with the middle mouse button.

There. Copy-paste. There are two atomic actions involved with that. You can’t get this down to less than two. You need to specify what you want to copy, and you need to specify where you want to paste it. The X11 engineers understood this. I entertain the thought that they must have valued my time as well, put two and two together, and that this why we have the X selection buffer on X11[**] that makes copy-paste really copy-paste.
(Read the footnote. I will show that not all is smooth in X11-land with respect to clipboards.)

Window focus

Whenever I venture out of X11-land there’s something else I dearly miss. It’s the ability of an inactive window to receive cursor input events when the cursor is on top of it. It’s immensely useful. Consider the following scenario.
Let’s say you’re browsing the web and you stumble upon a page which you want to discuss with a friend. It’s a long page, so there’s going to be some scrolling. You open up an instant messaging window to chat with your friend. You’re short on screen real estate so the IM window partly occludes the browser window. Meaning the IM window is on top of the browser window.
What you want to do now is to scroll occluded pieces of webpage text into view. But you also want to continue to see what your friend is saying. On Windows, you simply cannot. If you want to scroll the browser window, you’ll have to activate it, which means it will be raised, which means it will be above your IM window, which means you cannot see what your friend is typing. On X11, you can[*]. If your mouse cursor is over the browser window you can use the scroll wheel to scroll text into view, without the browser window being raised. Meaning your IM window is still on top, meaning you can still see what your friend is telling you. In fact, the IM window still has input focus so you can scroll the browser window and continue typing messages to your friend, limited only by your manual dexterity.
[Update: Added video to illustrate Windows behaviour][***]

Extravagance

If you think these situations are exotic, here’s an extravagant example for you. Open a file browser (Windows Explorer) window. Expand some folder trees in the left pane until you get a scroll bar in this pane. Navigate to a folder which has a lot of files (C:\Windows will do nicely) so the file pane also receives a scroll bar. You now have two panes, both with a scroll bar, within the same application. Thing is, you can only scroll in one of them at a time! If you want to look around in a “non-active” folder pane, you first have to click it. But don’t just click anywhere! You have to take special care to click it somewhere that doesn’t change your view in the file pane — better not click (near) one of the folders! Now suppose you’d like to scroll some files in the file pane into view. Better “activate” the file pane first then. Again, take extra special care: don’t just click anywhere in the file pane because then you may lose any previously made selection. It’s perverse, it really is. This is all happening inside one single application window. And the folder pane actually does notice when I hover over it (it underlines folders), so why can’t I scroll the view, then? Perverse. The OS is wasting my time.

Sloppy focus on Windows

I remember activating this on Windows 95 and it appears it still works. You can have crude ‘sloppy focus’ on Windows. Just hex-edit your UserPreferencesMask in the Registry (half of the times that I’m doing anything remotely interesting on Windows, I find myself entering hex values. Why is that?).
Refreshing as this may be, this will not help you with any of the above scenarios:

  • In the copy-paste scenario, you still can’t specify insertion position and insert into that position in one single action.
  • In the IM-while-browsing scenario, your IM window loses input focus when you scroll the web page in the browser window.
  • Windows Explorer cursor behaviour stays just as perverse as it was with the standard click-to-focus model.

But hey, at least Windows users have some choice (provided they understand regedit.exe and hex). On OS X, you don’t have a choice at all because Apple understands usability better than you do. For instance, Apple knows your head will explode if they’d give you the option of resizing your application windows by pulling any border or corner. You know very well that you will only want to resize your windows by grabbing the bottom right corner and will thank Apple for protecting you against yourself. (No, you’re not allowed to rebut until you’ve read and understood this mountain of insight and humour.)

Footnotes

[*] Actually, this is dependent on the focus policy. X11 itself does not specify the focus policy. X11 strives to provide mechanism, not policy. Policy is implemented by the window manager, and there are many window managers available for X11. A couple of them provide a ‘click to focus’ policy. Many of them provide ‘sloppy focus’ and/or ‘focus follows mouse’ policies. This page has some concise definitions and elaborates on the focus problems encountered with the different models.

[**] Most window managers also have a ‘clipboard’, running in parallel with the X selection buffer. The clipboard only holds stuff you put there explicitly, whereas the X selection buffer holds whatever text you last selected anywhere in the X11 session. Furthermore, both clipboards usually only accept character data. So if you select and copy some pixels in drawing program A, you can’t paste them in drawing program B. Program A will have a private clipboard to hold pixel data, and B has one of its own, too. If you stay within the realm of one particular desktop environment with applications specific to this desktop environment, you may actually be able to use the clipboard inter-applicationwise for both text and binary data. But in general, you can’t. This plurality confuses the hell out of newcomers.

[***] A video demonstrating the Windows scroll focus issue:


Tags: , , , ,

Just finished up a 0.1 version of a LIRC (Linux Infrared Control) plugin for the Exaile media player. Now you can use your remote with Exaile efficiently. The plugin is in the public repository and is called Lircaile.
I haven’t touched Python much as yet, but I’m pleased with it: it appears to be a consistent language. Well, here’s my 0.1 effort. I desperately wanted to have some fun with introspection, but I have the feeling the nested exception logic is a bit… unusual.

# A LIRC plugin for Exaile. Depends on pylirc from http://sourceforge.net/projects/pylirc/
# Copyright (C) 2009 Wicher Minnaard, http://smorgasbord.gavagai.nl / wicher@gavagai.eu
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

import logging

import pylirc
from xl import event

LIRCAILE = None


def enable(exaile):
    # Exaile calls this when the plugin is switched on. While Exaile is still
    # starting up, player and queue do not exist yet, so wait for 'exaile_loaded'.
    if exaile.loading:
        event.add_callback(_enable, 'exaile_loaded')
    else:
        _enable(None, exaile, None)


def _enable(eventname, exaile, nothing):
    global LIRCAILE
    LIRCAILE = Lircaile(exaile)


def disable(exaile):
    global LIRCAILE
    if LIRCAILE is not None:
        LIRCAILE.stop()
        LIRCAILE = None
    pylirc.exit()


class Lircaile(object):

    def __init__(self, exaile):
        self.exaile = exaile
        self.logger = logging.getLogger(__name__)
        self.running = True
        pylirc.init('lircaile')
        # Poll the LIRC queue every 50 ms. The callback keeps the timer alive
        # for as long as it returns True.
        event.EventTimer(0.05, self.polLirc)

    def stop(self):
        # Makes the next polLirc() call return False, which ends the timer.
        self.running = False

    def polLirc(self):
        """Pops all queued signals off of the LIRC queue and hands them to
        handleCode() for further processing."""
        while self.running:
            codes = pylirc.nextcode()
            if not codes:
                break  # We're done, the queue is empty.
            # A .lircrc 'config' string looks like "next" or "chvol 0.05".
            parts = codes[0].split()
            if parts:
                self.handleCode(*parts)
        return self.running

    def handleCode(self, command, *args):
        """Takes LIRC signals and uses introspection to try to find appropriate
        exaile functions to call based on the name of the signal."""
        if command == 'chvol':
            if not args:
                self.logger.warning('chvol needs a numeric argument')
                return
            player = self.exaile.player
            player.set_volume(player.get_volume() + float(args[0]))
            return
        # Only public method names may be reached from a remote button; a
        # stray config string should not be able to call __del__ & co.
        if command.startswith('_'):
            self.logger.warning('Refusing to call "%s" from a LIRC event', command)
            return
        # Look for a matching playlist (queue) function first, then a player function.
        for target in (self.exaile.queue, self.exaile.player):
            func = getattr(target, command, None)
            if callable(func):
                func()
                return
        # No? Then we're out of options.
        self.logger.warning('No function to handle "%s" LIRC event', command)

Tags: , , , ,

Instead of cleaning out the kitchen I’ve prepared two fortune modules and ebuilds to go with them. One contains quotes from “Fight Club”, both the movie and the novel. The other one contains the Slashdot history of the world (posted AC).

Get them here.

Teasers

From fightclub-0.1:

That old saying, you always kill the one you love, well look, it works both
ways.
– Narrator, “Fight Club” (novel)

From slashistory-0.1:

A.D. 1789: The French Revolution begins with a distributed denial of service
(DDoS) attack on the Bastille.


Tags: , , ,

My X11 setup contains some truly ugly fonts. In particular, it contains bitmap variants (not anti-aliased, of course) of some common fonts, donated by Adobe. That must have been swell in the nineties but it isn’t anymore. But they’re still included in X.org X11, spreading ugliness when referenced explicitly:

[Screenshot: a web page rendered in the Adobe bitmap New Century Schoolbook]

This very much isn’t how I like my webpages. In this case, drilling down to the font declaration (use the excellent Firebug if you have to) yields:

BODY { font-family: "new century schoolbook", times, serif}
H1   { font-family: "new century schoolbook", times, serif}

Is this ‘new century schoolbook’ font one of those Adobe bitmap fonts? ‘xlsfonts’ yields:

$xlsfonts  | grep -i century
-adobe-new century schoolbook-bold-i-normal--0-0-100-100-p-0-iso10646-1
-adobe-new century schoolbook-bold-i-normal--0-0-100-100-p-0-iso10646-1
-adobe-new century schoolbook-bold-i-normal--0-0-100-100-p-0-iso8859-1
-adobe-new century schoolbook-bold-i-normal--0-0-100-100-p-0-iso8859-1

[... dozens more]

So, let’s get our font subsystem to remap this font declaration to something more appealing. You’ll need to edit your fontconfig configuration which is described rather exhaustively elsewhere and add a stanza like this one:

    <match target="pattern">
        <test name="family" qual="any">
            <string>new century schoolbook</string>
        </test>
        <edit mode="assign" name="family">
            <string>Nimbus Roman No9 L</string>
        </edit>
    </match>

This is, of course, particular to my wishes and the fonts available on my system. Run fc-cache, reload the webpage with the offending font, and tadaaaa:

[Screenshot: the same page rendered in Nimbus Roman No9 L]

Much better.

Update @20091208: With Gentoo, you can use the eselect system to accomplish this. Run eselect fontconfig list and pick the number corresponding with 70-no-bitmaps.conf. Enable it with eselect fontconfig enable $thenumber.
From the 70-no-bitmaps.conf file, it appears there’s a much better way of handling this:

<fontconfig>
<!-- Reject bitmap fonts -->
 <selectfont>
  <rejectfont>
   <pattern>
     <patelt name="scalable"><bool>false</bool></patelt>
   </pattern>
  </rejectfont>
 </selectfont>
</fontconfig>

Tags: ,

In this post I’ll show you how to do basic ‘cracking’ of a piece of software and make WebDAV work in Windows Vista. Yes, I’m excited too! I’ll be making snarky remarks about ‘Windows’ in the process, though. If you can’t handle that kind of humour stop reading now.

WebDAV. Filesystems over HTTP. What a fantastic invention. Sadly, every Windows version in the past decade has contained a botched implementation of this protocol.
Fact #1. I run WebDAV servers.
Fact #2. Some people still use ‘Windows’.
Herein, as with any collection of facts containing #2, lies a problem.

So I have been on the hunt for a sane third-party implementation for Vista. And it just so happens that a certain ISP (XS4ALL) offers WebDAV access. They must have run into trouble with Vista’s anti-implementation of WebDAV too as they’re offering a third-party WebDAV client to the Windows hoi polloi.
And it happens to work rather well. You get an extra ‘drive’ so to any userspace program it’s just as if it’s interfacing a regular filesystem. One problem, though:

[Screenshot: the Webdisk client refusing to connect to a server other than XS4ALL’s]

It seems to be ‘configured’ to disallow access to other servers than XS4ALL’s.
Some explanation for fellow GNU/Linux users: To you, this most probably is a foreign concept. Why anyone wishes to artificially limit the usefulness of their code is difficult to grasp. FLOSS users work together to improve each other’s code. Well, on proprietary systems such as Windows it’s common to have intentionally limited utility and the users are used to it — remember, they are already artificially limiting themselves by not using FLOSS.
We FLOSS users don’t have artificially limited software on our systems. What we do have, however, is nearly endless configurability. So let’s do it our way. Let’s make this thing do what we want it to do. But how? Tell a clueless end-user to reroute their DNS so we can spoof webdisk.xs4all.nl serverside and pray the software will accept our dodgy SSL certificate? Blank stares all around. No, we have to come up with something better – we have to give them an ‘updated’ version of the .exe !

Start by downloading XS4ALL-webdisk.exe from this page. It says its version number is 5.00.06 and its MD5sum should be 9d008d79099cd1c74abe6e0f1397b0a1 (the checksum tells you whether you have the same file I had; it is no protection against a deliberately tampered download). If you get a different checksum don’t worry – you may still be able to crack it, because at the very least you know what to look for when you’re done reading this. I can’t provide you with the version I downloaded because I don’t own the copyright and I haven’t received a license to redistribute.
Go ahead and run the installer. Then, try connecting to a WebDAV server of choice and observe that any attempts will be defeated.

Next, get a hex editor. Here’s the freeware one that I picked. With your editor, open wdfsctl.exe from wherever it is you installed the Webdisk. You should see something resembling this:

[Screenshot: wdfsctl.exe opened in the hex editor, with offset, hex and text columns]

To the left, in blue, is the offset. It’s the position in the file. To the right of the offset are bytes in hexadecimal representation. To the far right is the text representation of those bytes.
Now, an .exe can have text mixed in with executable code. A text representation of executable instructions does not make sense which is why you encounter copious amounts of gibberish in the right column. But, as you scroll up and down in the file, you’ll discover lots of proper English sentences in the right column. Select the text and the corresponding bytes will be highlighted. Move over to those bytes in the middle column, change them, and observe that the corresponding text representation also changes. It works the other way around, too. Fun as that may seem we can’t go around changing strings (bits of text are called strings) willy-nilly. Specifically, we cannot change their length or position. Why not? Well, bits and pieces of the program are referenced from other bits and pieces of the program by their offset. Change the offset (position) of some program instruction in the binary (by adding text in front of it or something) and you’ll have to update any and all references to this position. It can be done but we aren’t going to do it. HxD helpfully warns you if you’re trying to do it.
OK, let’s go string hunting. We’re looking for something that matches xs4all.nl since the restriction most probably works by whitelisting. It took me quite a while to find it, but it’s at offset 6DAB2. You’ll find the string x.s.4.a.l.l...n.l there. Look over to the hex representation and you’ll find it’s a pattern of characters separated by 00. Those zeros are not delimiters: Windows stores this string as UTF-16LE (‘wide’ characters), so every ASCII character occupies two bytes, the second of which is 00. Mind you, the 00 you see in the hex representation is not the same as ‘00’ in the text representation:

  • Enter a ‘.’ in the text representation and you get 2E in the hex representation.
  • Enter a ‘0’ in the text representation and you get 30 in the hex representation.
  • Enter a 00 in the hex representation and you get a ‘.’ in the text representation.

It’s the hex representation that counts. Now, after some poking around I established that this string itself is null-terminated, too. Because every character already ends in a 00 byte, the terminating UTF-16 null (00 00) shows up as 00 00 00 in the hex column: the high byte of the last character followed by the two-byte terminator.
After discovering this, it’s time to dick around with patterns. Change the ‘4’ in x.s.4.a.l.l...n.l to a null by typing ‘00’ in the hex representation at byte 06, offset 0006DAB0. Run the program. Try to connect to https://ha.xs/quux . Chances of success are very slim, but the program doesn’t stop you from trying! You can put anything in front of ‘.xs’ and it will try to connect. Change byte 00 to ‘a’ (in the text representation) and convince yourself that the program will now get out of your way should you attempt to connect to https://fabuloushaxs/quux, but it still stops you from connecting to https://fabuloushaxz/quux.
It appears that the string we’ve just changed has to match the end of the host we’re trying to connect to. So, originally, for https://justconnectmetomyserveralready.net/mydir it would check whether it ends with xs4all.nl which, of course, it doesn’t. However, we can make the string very, very short. In fact, we can make it empty, causing it to always match the end of any host we enter. To do that, just enter 00 in the hex representation at byte 00 at offset 0006DAB0. Connect to your favourite WebDAV server. It works, doesn’t it?
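The same in-place edit, scripted, as an added example (not the post’s own patch and not run against the real wdfsctl.exe): locate a UTF-16LE string by a fragment of its content, walk back to the previous null terminator to find where the whole string starts, and overwrite it with a shorter string plus its terminator, leaving the file length and every offset behind it untouched. Walking back to the terminator is what makes the tool independent of whether the real string begins with a dot or with the x. The sample blob below is constructed; it merely imitates a few adjacent wide strings the way they would sit in the executable.

```python
NUL = b"\x00\x00"  # one zero UTF-16 code unit: the string terminator


def string_bounds(blob, pos):
    """From an offset inside a NUL-terminated UTF-16LE string, return
    (start, end): start is the first byte of the string, end points at the
    terminator. Walks back in two-byte steps until the previous terminator."""
    start = pos
    while start >= 2 and blob[start - 2:start] != NUL:
        start -= 2
    end = pos
    while end + 2 <= len(blob) and blob[end:end + 2] != NUL:
        end += 2
    if end + 2 > len(blob):
        raise ValueError("string is not NUL-terminated")
    return start, end


def read_utf16(blob, start):
    """Decode the NUL-terminated UTF-16LE string that begins at start."""
    end = start
    while end + 2 <= len(blob) and blob[end:end + 2] != NUL:
        end += 2
    return blob[start:end].decode("utf-16-le")


def shorten_utf16(blob, needle, replacement):
    """Return (patched_copy, old_string). The whole string containing needle is
    replaced by replacement, which must not be longer than the original so that
    nothing behind it moves and no offsets need fixing. An empty replacement
    leaves a string that every host name 'ends with'."""
    pos = blob.find(needle.encode("utf-16-le"))
    if pos < 0:
        raise ValueError("%r not found as UTF-16LE" % needle)
    start, end = string_bounds(blob, pos)
    old = blob[start:end].decode("utf-16-le")
    if len(replacement) > len(old):
        raise ValueError("replacement would push everything behind it; refusing")
    patched = bytearray(blob)
    new = replacement.encode("utf-16-le") + NUL
    patched[start:start + len(new)] = new  # same-length slice: nothing shifts
    return bytes(patched), old


def build_sample():
    """Constructed stand-in for the bytes around the suffix check: a few
    adjacent wide strings between filler. Not the real executable."""
    return (b"\x90" * 16
            + "https://".encode("utf-16-le") + NUL
            + ".xs4all.nl".encode("utf-16-le") + NUL   # assumed leading dot
            + "webdisk".encode("utf-16-le") + NUL
            + b"\x90" * 16)


if __name__ == "__main__":
    blob = build_sample()
    patched, old = shorten_utf16(blob, "xs4all.nl", "")
    start = blob.find("xs4all.nl".encode("utf-16-le")) - 2
    print(repr(old), "->", repr(read_utf16(patched, start)))
```

Because the replacement is written over the head of the old string, the tail of the old text is still in the file after the new terminator; that is harmless, since a C-style string reader stops at the first 00 00. Applying this to a real binary is the same as the hex-editor steps: open the file in binary mode, call shorten_utf16 on its bytes, and write the result back under a new name.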

As you can see this approach to configuration requires levels of technical comprehension beyond those we can reasonably expect to find in the average wildtype user of this particular proprietary operating system. The WebDisk program lacks end-user configurability; there is no such thing as an easily redistributable /etc/webdisk/*conf with user overrides stored in a ~/.webdiskrc, such as we have come to expect from mature operating systems.
I found hex-editing executable files a refreshing approach to configuration management, but I can’t say it’s user friendly. That is sad, because the platform does show some potential — for instance, the file search agent in ‘Windows Explorer’ nicely compensates for any lack of reasoning ability in the users expected to buy in on this platform.
But until there is out-of-the-box support for bog-standard decade-old networking protocols and usability issues like the hex configuration interface are resolved, we’ll have to conclude that Windows is not ready for the desktop yet.

Joking aside, what we have just done is actually pretty basic. ‘Real’ crackers, the folks that let you bypass registration requirements or serial number checks, use tools to look into the memory area of a running program to see which steps make up its behaviour. They don’t just edit some strings, they add and change instructions (and offsets). That requires a much deeper understanding of what’s going on.

There’s various other stuff to be modified. You can change the window title or the help texts. I disabled the auto-update by replacing the URLs at offset 0006BA60, maybe you should do so too.
Stuck? If you want the exact same binary I’m running, binary-patch the original with this diff. You then have the XS4ALL Webdisk “XS2ALL -OH RLY? YA RLY!” edition.

Now for some legalities. For me to publish how I edited this .exe is perfectly legal. Redistributing the original program isn’t. You or me distributing any modified versions isn’t either. That’s basic copyright law. With some types of binary patches it may be different. However, the particular patch posted above is tiny and contains no ‘original work’ – just pointers to which part of the original to replace with my handiwork. So there.



Firefox’s password store is something you’d like to share between computers, isn’t it? Save some site’s password on your laptop and have it become available on your desktop, or in your profile on a friend’s machine (don’t forget to set a master password!). Same with bookmarks. Even if you’re not sharing, it’s nice to have a backup.
There are some issues that need to be resolved if you want to be able to do this:

  • You need central storage — storage reachable anytime, from anywhere.
  • You need intelligent synchronisation software.

Fits right into the cloud meme. Now, who do you trust to store your highly sensitive data? I’d trust no one, really, unless the data is completely useless to them and I have the opportunity to run the ‘server side’ of the synchronisation software myself.
And that’s exactly how Weave, Mozilla Labs’ extension for Firefox, functions. Your data is being encrypted, not just on the transport level, but more importantly: on the data level, and it’s happening on your side of the link. Data is stored on Mozilla’s servers, but to anyone but me — the one with the decryption key — it’s just gibberish. If anyone cracks these sync servers my passwords and bookmarks are still safe.

A side effect of the data being useless to anyone but me is that the data itself cannot be ‘monetized’. It cannot be mined. My collection of apple pie recipe bookmarks cannot be sold to PieMogul®, Inc.
Equally, a search warrant to get the sync server operator to hand over all account info on users who bookmarked a certain bomb (or pie) recipe site is useless.
I do not have to go through or monitor a ‘Terms of Service’ to establish the fact that my data is safe. It just is, and it is a function of the technical mechanism, not one of competence, contract enforcement and relying on the justice-apparatus-du-jour. No amount of legal wording can change that fact. Paranoia? No! This is sidestepping paranoia. Take the encryption route and the very notion of paranoia becomes null and void — you simply don’t have to care.

Another interesting property is the possibility of running your own sync server because all software involved is free and open source. If for some reason Mozilla would fall into disfavour with me, or the other way around, I can just pack up and simply leave without losing my precious syncing functionality. That’s pretty much in compliance with the autonomo.us Franklin Street Statement — good stuff, check it out.

So what’s the catch? Nothing, for now. And I don’t expect there will be one in the future because of the inherent and self-evident guarantees described above.
Get this Firefox (3.5+) extension now, walk out on the street, and give three cheers to the great (nonprofit!) Mozilla Foundation.

Further reading:



For some years now I have been adminning seth.leper.phil.uu.nl, a Solaris zone (virtual private server) acting as a web server for various student organizations and nonprofits. Over time it has become messy. There’s the Solaris environment, arid and archaic. There’s your usual webserver stack, more powerful GNU replacements for the Solaris utilities, and FOSS stuff, all semi-maintained on read-only NFS, mostly outdated and outside of my control. And there’s my own ghetto-style compiled tree with various stuff that makes the system useful (GNU screen, some Apache DSOs, etc). Just getting PHP with mundane extensions to compile is an intense respiratory exercise because of all the sighing, moaning and cursing involved. PHP’s build system is terrible in that it makes so many assumptions on where to find its deps that for anything out of the ordinary (no write access to places such as /usr, deprecated versions of libs installed in /usr/(local/)lib but preferred libs installed elsewhere), it requires guns-drawn cowboy-patching of the configure script. Not to mention the nasty street fights between /usr/ccs/bin/ld and an outdated GNU ld.
So over the years this system has become like the bastard part of multizygotic interspecial Siamese triplets bred by a hippie commune in its entirety and whatever livestock they may have been keeping. Madness.
I was in heavy need of a sound and modern compiler toolchain, and a way to keep my software up to date and isolated from the streetfights. So how about some package management? Some sort of metadistribution? Not just any – I need headers to compile random stuff against, and it should not make any assumptions about where I’m going to install this metadistro, as there are read-only NFS mounts all over the place. And there should be no dicking around with LD_PRELOAD or chroots. That rules out most (all?) precompiled Solaris metadistros.
Now what? Well, there’s always Gentoo, which has kept me company since the 1.2 release of yore. Its flexibility and tinker-friendliness is what makes this my favourite Linux distribution. But it’s not just Linux. The Gentoo-Alt Prefix project does exactly what I need. It installs a compiler toolchain and features over 2000 ported ebuilds. Huzza!
It took some ad-hoc patching and fiddling beyond the bootstrapping instructions but Netcraft confirms it: I have now migrated to a shiny new and comfy webserver stack. I am in love with it so much that I’ve GIMPed and Inkscaped together a nice badge to go with it. Gentoo logo guidelines make me state that although you see a Gentoo G, that does not mean there’s any official connection with the Gentoo Foundation.


© 2009-2010 Wicher Minnaard | electronic mail | theme: righteously modified "dark strict"