Are you a listener?

Personally I’ve always thought of myself as a listener. Not that I don’t like talking (on the contrary), but the words of my father on the matter stuck with me:

What you are saying is something you already know. What other people are telling you is something you might not know… So always pay attention when people are speaking!

With these words in mind, I came across the following article, which had a kind of checklist to see if you’re really listening.

Wrong password doofus!

There is a fun feature in the sudo program: it insults you when you do something wrong, such as entering your password incorrectly.

To turn the feature on you’ll need to use the following command:

sudo visudo

(Always use visudo when you need to edit your sudoers file: it checks the syntax before saving, so a broken file can’t lock you out.)

Change the “Defaults” line by appending “,insults” to it.
For example:

Defaults !lecture,tty_tickets,!fqdn,insults

Save, and enjoy the action!
(Note: use “sudo -K” to clear your cached sudo credentials, so that you are prompted for your password again.)

Referenced original

Dashes (hyphens) versus underscores

Cutting straight to the point: Dashes are better than underscores.

1. Google indexes on keywords in hyphenated URLs but not on keywords in underscored or conjoined URLs.
2. Yahoo indexes on keywords in hyphenated and underscored URLs but not on keywords in conjoined URLs.
3. MSN indexes on some keywords in hyphenated, underscored and conjoined URLs, but the exact circumstances in which it does so are at the moment unclear.

With underscores, Google’s programmer roots are showing. Lots of programming languages have identifiers like _MAXINT, which may be different from MAXINT. So if you have a URL like word1_word2, Google will only return that page if the user searches for word1_word2 (which almost never happens). If you have a URL like word1-word2, that page can be returned for the searches word1, word2, and even “word1 word2”.

References
Matt Cutts’ history lesson on the matter
SEO Blog’s experiment

Doing the 301 redirect

When a website has been online for a while and needs some maintenance, changing its structure is sometimes a necessary evil. The disadvantage is that this usually breaks the links to pages that are already indexed: search engines (and thus also your visitors) get a 404 (page not found), and your PageRank and the like are lost.

What can you do? Simply put a 301 redirect on it. This tells search engines that the page has moved permanently; the bot then updates the stored link in its database, so the new address is shown from then on. How to do this?

php

<?php
header("HTTP/1.1 301 Moved Permanently");
header("Location: http://www.new-url.com/");
exit; // stop here so no further output follows the redirect headers

asp

Response.Status = "301 Moved Permanently";
Response.AddHeader("Location", "http://www.new-url.com/");
Response.End(); // send the headers and stop processing the page

asp.net

private void Page_Load(object sender, System.EventArgs e)
{
    Response.Status = "301 Moved Permanently";
    Response.AddHeader("Location", "http://www.new-url.com/");
    Response.End(); // send the headers and stop processing the page
}

Ruby on Rails

def old_action
  # the :status option makes this a 301 instead of the default 302 (Found)
  redirect_to "http://www.new-url.com/", :status => :moved_permanently
end
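As an added example (not part of the original post), the same redirect as a small Python WSGI application. The old paths and new URLs in the table are constructed, and it adds the check a practitioner wants: the Location header comes only from a fixed table, never from request data, so the handler cannot be abused as an open redirect.

```python
from wsgiref.simple_server import make_server

# Fixed table of moved pages (constructed sample entries): old path -> new
# absolute URL. Because the Location value is looked up here and never built
# from the request, the handler cannot be steered to an attacker-chosen site.
REDIRECTS = {
    "/old-page.html": "http://www.new-url.com/new-page",
    "/archive/2007/": "http://www.new-url.com/blog/2007/",
}

def redirect_app(environ, start_response):
    """WSGI application: 301 for moved paths, 404 for everything else."""
    target = REDIRECTS.get(environ.get("PATH_INFO", "/"))
    if target is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"Not Found"]
    # A 301 needs no body: browsers and crawlers follow the Location header,
    # and search engines replace their stored link with the new address.
    start_response("301 Moved Permanently",
                   [("Location", target), ("Content-Length", "0")])
    return [b""]

def run_request(path):
    """Drive the app with a constructed environ (no network needed) and
    return (status, headers, body) so the response can be inspected."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(redirect_app(environ, start_response))
    return captured["status"], captured["headers"], body

if __name__ == "__main__":
    print(run_request("/old-page.html"))
    print(run_request("/missing"))
    # Serve it locally and check with: curl -i http://127.0.0.1:8080/old-page.html
    make_server("127.0.0.1", 8080, redirect_app).serve_forever()
```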

3 way linking – ABC linking

Every webmaster knows about the concepts of getting a decent Alexa rating or Google PageRank. One of the factors used for PageRank is incoming links, so every webmaster started getting links to his/her website. This was mostly done by “link exchanging”: two webmasters trade a link to each other’s website, creating a kind of “win-win” situation.

So far so good? Yes and no… Of course Google changed its algorithm a bit, so that the weight of those exchanges decreased. Action causes reaction, and webmasters found an alternative: 3 way linking, a technique also known as ABC linking, which is a slightly more complicated way to set up link trades.

The benefit of this kind of trading is that it is harder for search engine robots to detect the link exchange. A link from site A to site B, where site B does not link back to site A, has more effect, even if site B has a link to site C. It is not that obvious that the owners of sites A and B are trying to inflate their number of incoming links.

Addendum
If you’re looking for a good tool to automate your link exchanges, try “linkex”, a real time-saver!

Back!

I’m back after a week of sunshine and 30° plus in the Turkish region Antalya. As a fully rested person, I’ve resumed my working tasks today. Or maybe I should rephrase this by adding “tried to”, as there is a lot of commotion about the latest news within NSN Herentals.
In addition, today I’ll be attending my first session of the new academic year of the postgraduate course at Honim (Wenk) in Brussels.

DEranged Security revealed their method of obtaining the passwords of governments & embassies

A while back DEranged Security posted a list of credentials of government & embassy users. It wasn’t appreciated much, and the Swedish government was forced by American law enforcement to close down the website. The website has since resurfaced, and now they have revealed their method of obtaining the credentials.

#1 Five ToR exit nodes, at different locations in the world, equipped with our own packet sniffer focused entirely on POP3 and IMAP traffic, using a keyword filter looking for words like “gov, government, embassy, military, war, terrorism, passport, visa” as well as domains belonging to governments. This was all set up after a small experiment looking into how many users encrypt their mail, where one mail caught my eye and got me thinking about doing a large-scale test. Each user is not only giving away his/her passwords but also every mail they read or download, together with all other traffic such as web and instant messaging.

Did you get it? These governments told their users to use ToR, software that sends all your traffic through not one but three other servers that you know absolutely nothing about. Yes, two are getting encrypted traffic, but that last exit node is not. There are hundreds of thousands of ToR users, but finding these kinds of accounts was… hmm… shocking! The person who wrote the security policy on these accounts should reconsider their profession and start cleaning toilets! These administrators are responsible for giving away their own country’s secrets to foreigners. I can’t call it a mistake; this is pure stupidity and not forgivable!

ToR isn’t the problem; just use it for what it’s made for.

So when using an anonymous proxy for something, be aware that its operator can read whatever you send through it that is not end-to-end encrypted! Some might be honourable in their intentions, but some might not be!

Understanding the basic concept of fast flux DNS

One of the most active threats we face on the Internet today is cyber-crime. It’s a profitable business in which IT-capable criminals try to control the computers of the naive, by infecting them with malware. There are various ways of introducing this malicious code into the target systems, but that part is out of scope for this post.

The goal of fast-flux is to decrease the chance of detection when carrying out a malicious action, which can be anything from a spam mailing to a denial-of-service attack. The basic concept of “fast flux” is a fully qualified domain name with multiple IP addresses assigned to it. These IP addresses are swapped in and out of the flux with extreme frequency, using a combination of round-robin DNS and a very short Time-To-Live. The addresses a hostname resolves to may change as often as every three minutes.

[Figure: single flux diagram]

The IP addresses used here are those of infected machines, so a browser connecting to the same website every 3 minutes would actually be connecting to a different infected computer each time. The computer of your grandparents may simply be used to provide resources for the latest phishing attack.

It’s common practice to build in load-distribution schemes that also do a health check, so that nodes (for example the grandparents’ computer) that are offline can be taken out of the flux, keeping the content available at all times. A second layer is often added for security and fail-over: blind proxy redirection. Actually, a lot of techniques used in the world of legitimate web server operations are used by these criminal computer networks.

The controlling element of a fast-flux network is often referred to as the “mothership”. It is similar to the control mechanisms used in older botnets, but it has more features than the more conventional botnets. The motherships mostly provide the basic backend infrastructure for the botnet (DNS & HTTP), as they serve the content that the infected nodes pass on.
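As an added example (not from the original post or the referenced papers), a small detector in the defender’s interest: given a series of DNS A-record answers for one hostname, it measures the properties the text describes (very short TTL, many addresses rotating in and out, spread across many networks) and flags the hostname when all of them are present. The sample observations, the placeholder 10.x addresses and the thresholds are constructed assumptions for this example; /16 prefixes stand in for ASN diversity, which a real tool would look up.

```python
import ipaddress
from collections import namedtuple

# One DNS A-record answer for a hostname: observation time (s), TTL (s), addresses.
Answer = namedtuple("Answer", "ts ttl ips")

def flux_metrics(answers):
    """Summarise a series of answers for one hostname: lowest TTL seen,
    distinct addresses, distinct /16 prefixes (rough stand-in for network
    diversity: infected home PCs sit in many ISP ranges) and the average
    share of addresses that are new compared with the previous answer."""
    ips, prefixes, churn = set(), set(), []
    for prev, cur in zip([None] + list(answers), answers):
        ips.update(cur.ips)
        prefixes.update(ipaddress.ip_network(ip + "/16", strict=False) for ip in cur.ips)
        if prev is not None:
            churn.append(len(set(cur.ips) - set(prev.ips)) / len(cur.ips))
    return {
        "min_ttl": min(a.ttl for a in answers),
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "avg_churn": sum(churn) / len(churn) if churn else 0.0,
    }

def looks_fast_flux(answers, max_ttl=300, min_ips=10, min_prefixes=5, min_churn=0.5):
    """Heuristic: short TTL plus many rotating addresses across many prefixes.
    The thresholds are assumptions chosen for this example, not published values."""
    m = flux_metrics(answers)
    return (m["min_ttl"] <= max_ttl and m["distinct_ips"] >= min_ips
            and m["distinct_prefixes"] >= min_prefixes and m["avg_churn"] >= min_churn)

def constructed_samples():
    """Constructed observations (placeholder 10.x addresses), not real data:
    a fluxing host that swaps all three addresses every 180 s, and a stable
    host that also uses a short TTL but always answers with the same pair."""
    flux = [Answer(ts=180 * i, ttl=180,
                   ips=["10.%d.%d.%d" % (n, n, n) for n in range(3 * i + 1, 3 * i + 4)])
            for i in range(4)]
    flux.append(Answer(ts=720, ttl=180, ips=["10.1.1.1", "10.4.4.4", "10.7.7.7"]))
    stable = [Answer(ts=60 * i, ttl=60, ips=["192.0.2.10", "192.0.2.11"]) for i in range(5)]
    return flux, stable

if __name__ == "__main__":
    flux, stable = constructed_samples()
    for name, obs in (("flux-host", flux), ("stable-host", stable)):
        print(name, flux_metrics(obs), "FAST-FLUX" if looks_fast_flux(obs) else "ok")
```

The stable host shows why TTL alone is a poor signal: legitimate load-balanced sites also use short TTLs, so the rotation and network spread must be weighed together.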

Interesting reading:
Know Your Enemy: Fast-Flux Service Networks @ Honeynet.org (main reference)
the future of botnets : fast flux bot nets (tip!)
SpamTrackers.eu
Darkreading: here & here
Securityfocus article

The Storm botnet is using Tor

Intro
Let’s start out with a small introduction about Tor. A brief quote from the Tor Project:

Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.

Basically it’s a tool that helps you stay anonymous when using “any” application on the Internet. The project is supported by volunteers who share resources (hardware & bandwidth) for Tor to use.
[Figure: how Tor works]

Storm evolved
The Storm botnet has evolved to using Tor. They started “promoting” Tor, but instead of linking to the project’s binary, they link to their own compromised version. There are even voices bashing the Tor project for this, but that is totally uncalled for. If we extended that way of thinking, we would have to bash mail servers too, as they provide the means to send spam. The aim of the project is sincere; the abuse of it by Storm, on its back, is not.

There are a lot of anonymizers out there, and they have been (ab)used in the past too; I’m thinking of open web proxies, or wrongly configured proxies. But in this case they aren’t using Tor to hide their traffic. Instead they’re trying to trick users into downloading a compromised Tor executable. The Storm botnet uses a system called fast flux to hide its traffic.

Reference:
“Storm Worm Evolves To Use Tor” @ Slashdot

Mounting an ISO image on a Solaris with lofiadm

Given an ISO image in /home/images/my.iso, a loopback file device (/dev/lofi/1) is created with the following command:

lofiadm -a /home/images/my.iso /dev/lofi/1

The lofi device exposes the file as a block device. This block device can be mounted on /my/mounted/iso with the following command:

mount -F hsfs -o ro /dev/lofi/1 /my/mounted/iso

Since lofiadm -a prints the name of the device it created when no device name is given, these commands can be combined into a single command:

mount -F hsfs -o ro `lofiadm -a /home/images/my.iso` /my/mounted/iso