Das Wetter war mir gnädig und so konnte ich gestern meine erste Tour heuer gehen. Geführt hat es mich zum Klettersteig am Hochlantsch. Abgesehen von etwas Hochnebel und kurzem Nieselregen war es für mich wieder mal ein schöner, wenn auch später, Auftakt in eine Bergsaison.

[gallery link="file"]

Since there is a lot of effort going on to help the Iranian protestors in publishing first-hand information from their country, several people outside of Iran have set up various proxies and tunnels to circumvent censorship.

Here is my own contribution to this: A anonymous SSH tunnel which provides access to both a TOR relay node (Socks5) and a HTTP proxy.

Protocol: SSH Server: uni.fladi.at Port: 22 Username: iran Password: iran

For OSX/Linux/BSD:

Make sure OpenSSH is installed and run in console: ssh -N -L 9100:localhost:9100 -L 3128:localhost:3128 iran@uni.fladi.at

For Windows:

Download the plink.exe program from the genuine source (RSA and DSA signatures also available there) or my mirror, save it either in C:\ or C:\Windows or any other folder on your hard-drive.

Run this in command prompt: plink -N -L 9100:localhost:9100 -L 3128:localhost:3128 iran@uni.fladi.at

On either platform you will get two tunnels after entering the password. You can access those tunnels through your local IP (127.0.0.1 or localhost) on your machine.

Now configure your Browser to use localhost:3128 as a HTTP proxy or localhost:9100 as a TOR-Node.

SSH will encrypt all the traffic until it reaches my Server here in Austria (hosted on a university research network with plenty of uplink) from where your requests will be forwarded to their destination.

The Squid-Proxy-Server I'm running does not log any request nor does the firewall so anonymous traffic is guaranteed. The TOR-Node on my server also does not log anything by design.

Taken from my balcony just some minutes ago.

Wreiner (Walter Reiner) hat es umgesetzt: In einem Online-Gespräch vor ca. einer Woche wurde ich auf den "Schäuble-Weg" in Deutschland (Wolfgang Schäuble ist der deutsche Innenminister) aufmerksam gemacht.

Da hier in Österreich ähnlich paranoide radikale Postitionen von Maria Fekter (ÖVP) vertreten werden, kam uns spontan der Gedanke, dass Österreich hier seinem Nachbarstaat in keinster Weise nachstehen darf und wir deshalb dringend einen Maria-Fekter-Weg brauchen. Bevorzugt sollte diesen Namen eine schmalle enge Sackgasse bekommen. In weiteren Gedankenexperimenten war auch noch eine permanente Video-Überwachung zu Ehren von Frau Fekter angedacht.

Vielleicht findet sich hier ja noch jemand für ein Kunstprojekt. Mir schebt hier die Projektion eines Livestreams von eben dieser Sackgasse direkt auf eine Leinwand vor dem Büro von Frau Fekter vor.

Zumindest die Benennung der Gasse hat es durch die Kontakte von Wreiner in eine Zeitung ein Tages-Blatt geschafft:

Gerade beim Bildschirmarbeiter gefunden:

Wäre ja lustig, wenns nicht so tragisch wäre. Bleibt nur abzuwarten, wann der Wiefelspütz mit "DNS, TLD, GAGA, GOGO, TRALAFITTI" die Charts stürmt.

Da es jetzt scho wieder etwas kälter wird, poste ich einfach mal ein paar Fotos von der Wanderung in der Bärenschützklamm die ich zusammen mit Christa, Birgit und Werner unternommen habe.

[gallery link="file"]

I searched the web for checklist templates on IT security auditing today and found a site which offered some MS Office documents used as a templates in former audits at German banks.

After downloading all of them I started to take a quick look through them to sort out those which will help me in our upcoming audit. The third document (german) I opened up in OpenOffice.org was a Excel sheet with two tables where the second one was initially opened, so I switched to the first and was presented the seventh page of 17 in all. The auditing questions in there were about user management and creation and expiry of accounts.

As I scrolled up a bit I saw, that there were not only the questings but also their respective answers still in this document. It seems that some fool who audited this bank put the document on his webpage without cleaning the information from it. At least 6 pages of the first table contained answers outlining the current IT landscape with some of them marked as "high risk" by the auditor himself.

Most of the text is about what kind of rules are not defined and where exceptions to their procedures can occur. Maybe enough information to put their infrastructure at risk!

Conclusion: Even if you run through a audit on a regular basis, no one spares you from the imcompetence of the auditor!

Second FAIL for today: Microsoft Windows WebDAV implementation!

Why does MS ship a WebDAV connector with their operating system if is is so fu**ed up beyond repair that it makes you want to rm -rf the virtual machine the whole system is running in.

I set up several WebDAV folders on Apache2 to provide easy(!!!) file uploads for our CMS maintainers which they can access on their Windows desktops. My tests on GNU/Linux with cadaver worked fine and everything went smoothly as I intended it.

So I went on and tried to incorporate the shares in Windows:

This immediately resulted in an error popup (translated message: "The folder entered is not valid. Please choose another folder."). I took turns, trying to find out what happened, searched a lot of blog posts about Windows and WebDAV and how much it sucks but I found no hint that could solve my problem.

So i settled with Wireshark as a last resort and I captured the network traffic when I tried to access the URL with Windows WebDAV.

That was when it hit me like a truck, something was missing from the URL in the packet dump:

Yeah right, some funny folk over at Redmond implemented a strip-the-trailing-slash-from-the-URL function for the Windows WebDAV implementation.

The string "/pathto/webdav/bmed/" silently became "/pathto/webdav/bmed"!

This will have no impact if you configured you Apache2 to enable WebDAV on a location without the trailing slash. Mine was configured like this:

Alias /pathto/webdav/bmed/ /some/webdav/folder/ <Location /pathto/webdav/bmed/> Dav on </Location>

So Windows never queried for the right URL to get WebDAV support. I had to remove the trailing slash from my configuration to get make it work.

I'm very courious now what the responsible engineer at Microsoft had on his mind when he implemented this crap ... but I guess we will never know.

UPDATE: For the sake of completeness, this behaviour is still not fixed in Microsoft Windows 7 Build 7201. It's even using the same old dialogs but it seems that they have changed the User-Agent string to "Microsoft-WebDAV-MiniRedir/6.1.7201". So Windows 7 folks have a new but still broken WebDAV implementation. Congrats!

Yeah, Microsoft sucks at providing WebDAV client capabilities but here is some help to get Windows Vista and later to work with HTTP basic authentication:

Change or create the Registry key "HKLM\SYSTEM\CurrentControlSet\Services\WebClient\Parameters\BasicAuthLevel" (REG_DWORD) and set its value to "2".

This will work around the nasty behaviour of Windows rejecting basic authentication even when used over HTTPS.

Recently on our balcony:

[gallery link="file"]