Showing posts with label microsoft. Show all posts
Showing posts with label microsoft. Show all posts

Thursday, August 4, 2016

Stay classy, Microsoft

Someone more cynical than myself might think that Microsoft's sudden 66% decrease of OneDrive storage space is a bait & switch - give away the space for free until users become dependent, than take it away, threaten to delete it, forcing those who have become accustomed to the free service to pony up and pay.

Wednesday, January 20, 2016

Microsoft search indexing can be so aggressive that it resembles DoS traffic

As part of my consulting business I have a number of web servers I take care of. This morning, I woke up to receive a particularly crappy message related to one of those servers:

possible DoS attack

Awesome, right? Ever notice how you never get these sorts of messages between the hours of 9 AM and 5 PM, Monday through Friday?

So I tried to SSH into the target server, and was pleased to find I was able to connect. Relieved that this was likely a false alarm, I found this in the Apache logs: - - [19/Jan/2016:19:43:15 -0500] "GET /robots.txt HTTP/1.1" 200 146 - - [19/Jan/2016:19:43:15 -0500] "GET /robots.txt HTTP/1.1" 200 146 - - [19/Jan/2016:19:43:15 -0500] "GET /robots.txt HTTP/1.1" 200 146 - - [19/Jan/2016:19:43:15 -0500] "GET /robots.txt HTTP/1.1" 403 5 - - [19/Jan/2016:19:43:15 -0500] "GET /robots.txt HTTP/1.1" 403 5 - - [19/Jan/2016:19:43:15 -0500] "GET /css/main.css HTTP/1.1" 403 5

Take a note at the timeframe on these connections: six connections from the same IP address within 1 second, five of which were to the same file. Also note that the initial connections were successful - errors only began occurring because my Apache config blocks suspicious traffic.

You've probably guessed who this IP address belongs to if you read the headline to this article:

NetRange: -
NetName: MSFT
Organization: Microsoft Corporation (MSFT)

At first I thought this IP might be part of Microsoft's cloud server system, Azure, or some other product that might be operated by customers. However, that seemed unlikely as this host was going after the robots.txt file and nothing else other than CSS. That is what search engine spiders do. And this IP very much looks like part of Microsoft's search infrastructure:

# host domain name pointer
The day after these weird connections, the same Microsoft IP came back with a more normal traffic pattern: - - [20/Jan/2016:06:53:35 -0500] "GET /robots.txt HTTP/1.1" 200 237 - - [20/Jan/2016:06:53:36 -0500] "GET /index.html HTTP/1.1" 301 245

A standard installation of mod_evasive would result in a temporary blacklist for this kindof traffic. It is unclear if this behavior was intentional on the part of Microsoft, or if more rapid requests for files can be expected. The people who make their bread and butter spreading SEO gossip seem to agree that connectivity failures & web server 50* errors can have an impact of search engine rankings. However, such reports should be taken as just that - gossip.

Both Google & Bing report errors encountered during site indexing through their Search Console and Webmaster Tools, but I wasn't able to find anything published by either Bing or Google about how such errors impact search engine placement even in vague terms. Hopefully this was a one-time error on Microsoft's part and not part of a new approach to indexing (fingers crossed).

Tuesday, August 4, 2015

Afternoon Links 8/4/2015

I am a victim of my nostalgia. Yesterday, I revived a years-old post in which I provided bloggees with some of the latest Windows activation keys to update the data for Windows 10. I figured I might as well dredge up another bit I had let fall by the wayside; Weekly links! Exciting, I know.

   - Yahoo's ad network and Microsoft Azure's web hosting service were abused to circulate an enormous flood of malicious software. Malwarebytes is being credited with the discovery - which is a little amusing because Malwarebytes has for had their own issues with security for many years. h/t Washington Post

    - Planned Parenthood and a variety of other related organizations were brought offline by a sustained series of DDoS attacks. In what may or may not have been the work of the same group of individuals, someone has claimed they have hacked Planned Parenthood and retrieved an employee list database of some kind or another.
     AFAIK, this sort of thing is new to the abortion debate in the US - honestly the only political debates where this sort of thing typically comes to the fore are "internet" issues surrounding surveillance, cryptocurrency and the like. The "Culture Wars" are fought in city halls, lobbyist offices and in the bank transfers of PACs rather than through data center Meet Me rooms.
    Personally I am interested in finding out if the DDoS was outsourced or if there is, in fact, a pro-life botnet. Will online hooliganism become a part of the political conversation? h/t Rolling Stone

   - The Electronic Frontier Foundation and Muck Rock have partnered to file a butt-load of FOIA requests in order to provide the public with a better understanding of how biometrics is being used by law enforcement and federal government agencies to provide street level, warrantless surveillance of ordinary Americans. h/t Muck Rock

   - In a strange move, DHS Deputy Secretary Alejandro Mayorkas said that some provisions of the Cybersecurity Information Sharing Act (CISA) “could sweep away important privacy protections” and that proposed legislation “raises privacy and civil liberties concerns.” Apparently Mayorkas found nothing ironic about this statement, while the news outlets who retyped the message for public consumption found it completely normal. h/t Russia Today

Privacy is for closers says Microsoft

Heres part of the Microsoft's 12,000 word ToS for Windows 10:
Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to: 1.comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies; 2.protect our customers, for example to prevent spam or attempts to defraud users of the services, or to help prevent the loss of life or serious injury of anyone; 3.operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or 4.protect the rights or property of Microsoft, including enforcing the terms governing the use of the services – however, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property of Microsoft, we will not inspect a customer’s private content ourselves, but we may refer the matter to law enforcement.
In human-speak, this means by default the key-logging behavior that was noted in the preview version is a feature not a bug, the creepy always-on-camera that watches you masturbate from your Xbox One will now listen to you through your laptop microphone, your browser history of course gets shared, as does a whole bunch of other things.

surveillance joshua wieder ceiling cat

Word on the street is the spying can be disabled.

For users like me, this is exactly the sort of thing that makes it worth it to uninstall Windows and install Linux. Even on a brand new laptop where the outrageous cost of a Windows license was already factored in. Every other excuse - document handling, application functionality - has inexorably been resolved or made irrelevant. Being able to conveniently play video games is not a lot of value to exchange for non-stop advanced surveillance for anyone that does not possess the innocent and carefree mind of a child.

I'm already forced to pay strangers to spy on me through my taxes. I don't like it. Do you?

Monday, November 10, 2014

How To Enable CLR on a Microsoft SQL 2005 Server

A while back I worked for a small hosting firm that focused on Microsoft products. As part of my responsibilities I wrote a great deal of documentation for them for a variety of tasks - some basic, some more advanced and problematic.

Anyway I was pleased to see today that these tutorials are still published on their site. Follow this link, for instance, to read an instructional guide on how to enable CLR with MSSQL 2005.

Friday, November 7, 2014

Independent Researcher Discovers Yawning Hole in GroupMe

Clever hacker and all around cool guy Dylan Saccomanni viciously pwn'd the popular messaging application GroupMe last week.

The exploit allowed an attacker to signup for a new account while using the phone number of an existing user. The only verification required at that point was a four digit PIN that could be easily brute-forced.

To their credit, GroupMe responded rapidly to Saccomanni's notice and the issue appears to have been resolved.

Saturday, November 1, 2014

Scratch from MIT & Back to School

As time goes on, having a knowing how to write in a programming language is becoming less of an odd and obscurantist lifestyle choice and more of a necessity for gainful employment. Already, anyone wanting to pursue a career in the hard scientists will be finding themselves either developing or working with custom applications. But even entry-level and intern positions frequently have a "please help us with our website / CMS / database" component to them.

The trouble is, people are terrified of code; even very smart people. It looks like ancient greek. For students of ancient greek it looks like Farsi. For Persian students of the Asiatic classics it looks like, err, English, probably. My point is that going from using the internet for Facebook and using the internet for push requests on Github has a very steep learning curve. So steep that most people fall right the hell off the curve.

Enter Scratch. Scratch is an object oriented programming language developed by the Smarty Pantses at MIT. What makes Scratch unique is that every component of the language is graphical; each variable and operand is a colorful building block that you can stick together in your Browser's Flash player, like puzzle pieces. Each puzzle piece only fits together when the instructions that those pieces represent can follow one another logically.

There is a lot here for the layman to enjoy - plenty of plain English Help documentation, sets of components that are based entirely around easy to understand concepts (like motion, for example), and a surprisingly active community of people who are posting some pretty amazing projects with a very limited array of tools. Some clever folks have even made very limited OS emulators.

I came across Scratch myself because I have started taking a few classes at Harvard. Despite a career working as a systems administrator, when I first attended university almost 15 years ago I was fairly certain that I would end up a humanities teacher. Most of my first go round at school was spent with the classics and modern analytic philosophy

The philosophy bit, while never ceasing to get a laugh out of co-workers, has ended up being directly applicable to my career. Having an in depth Ludwig Wittgenstein's logic tables has been very useful when dealing with arrays, for example. The writers that held the most interest for me were logicians - Boole, Whitehead, Russel; people whose work formed the original building blocks of what is now Computer Science.

Anyway, I'm getting ahead of myself. So - I'm taking some classes at Harvard. Because I was a humanities concentrator, I find myself back at the basics. Intro to Computer Science I, or CS50; which has now overtaken Intro to Economics as the largest class in the entire school. Everyone wants their own f*cking `start-up`, I'm sure.

So the first week of this course had me and about 800 eager young minds getting briefed on MIT's Scratch and writing teeny little scratch applications.

Many, many years ago, when I was a very young lad, I had a very special relationship with computers. Things were much different then. Simply knowing how to operate the thing for any task other than word processing made you a bit special (not always in a good way). I had an acoustic coupler and a toshiba *laptop* with dual floppy drives. I could log onto BBS from pay-phones with my coupler. But before I could do even that, there was "Gorillas" and there was QBASIC. Each line of instructions with its only little number in front so the computer didn't get confused. I pored over each line of Gorillas to see how it worked. I broke it; I fixed it; I changed the color of the Gorillas. I made the bananas go faster.

What I'm getting at here is that early Microsoft crap gets me a bit misty eyed and nostalgic. So for my first week project, I made a clone of Windows 95-era Microsoft paint that I named "simple_paint". The pencil, brush, eraser, paint can and circle tool work; the default is the pencil - just click the icon of the tool you want to use from the toolbar on the left, just a you would in the original MS Paint. All of the colors at the bottom work, and the current color icon works, too. Be gentle, its my very first go at using Scratch, and quite a middling example of what can be accomplished. For example, here is a much better example of how to use Scratch to create a wee graphics application.

As time permits, why not give it a go and see what you can make? You can also "remix" my editor if you think you can do better. Start off by using my code base and go from there (a remix is what they call a branch in the super-cool Scratch community).

This is all highly recommended for teachers and educators, btw. If I had come across this as a kid ... it would have changed things. Scratch is completely unintimidating and the ease with which users can begin assimilating and building onto otherwise complex topics is very cool and very unique.

UPDATE: Getting into Harvard can be tough. That's why I will be posting all of my course notes and projects for my classes online. If you can't make a class, or got course materials online but can't attend lectures, or just missed a lecture, you are welcome to get your notes here!

Wednesday, September 3, 2014

Schadenfreude + Irony = Blog Post

So I am looking around in one of Microsoft's websites for web development tips when I come across this:

Bing, blog, Josh Wieder, Microsoft, loop, redirect
It's really one of the worst possible places to put one of those.

Wednesday, March 13, 2013

Microsoft Azure Free Trial

Microsoft has started giving away 90 day free trials of Azure - SQL reporting and media services are included. Its worth giving it a try since the price is right, if for no other reason than to become a bit more familiar with the platform. Whether or not Microsoft comes out a winner in the Cloud Revenue Wars has yet to be seen, but my suspicion is the platform will be here to stay for some time.*

*This website is not involved with any affiliate advertising. I do not receive any commissions for click throughs or signups and I was not paid for this post.. 

Saturday, March 9, 2013

Weekly Links 3/4/13

Fast Company - The Vatican has selected EMC to source roughly 2.8 Petabytes of storage for a project to digitize the Vatican library, home to over 1 million books.

Business Week - Skype service in China is actively monitored for certain key phrases that are offensive to the state. When a user inputs these phrases, the conversation is forwarded to Chinese intelligence. Skype is currently owned by Microsoft, and in China is partnered with TOM Online to provide service in the region (like India, China requires foreign entities to be minority stake holders with a domestic corporation in order to do business). Microsoft has not responded to requests to clarify the surveillance features in Skype beyond saying that they adhere to Chinese law when operating there. No word yet on whether American users are monitored as well (at this point, I would be more shocked if they were not) - the Chinese program bears striking similarity to the NSA program that became public shortly after 9/11, at least functionally.

Popehat - A disgraced copyright troll from Indiana has relocated to Florida and begun to stir up rumors of practicing law without a license, leading to at least one Florida judge dismissing a suit and claiming during her finding that a fraud had been committed against the court by the appellant / copyright complainant. Subpoenas are beginning to fly, to Wordpress no less, regarding bloggers who have written about the issue (see: Streisand Effect). Note that these particular copyright trolls are not technology companies - they are pornographers. There has been a strange relationship brewing between pornographers and technology patent defenders over the last few years as they are both extremely litigious and responsible for a substantial amount of the recent case law in this area not handled by the RIAA and affiliates.

Tuesday, March 20, 2012

Reinstalling MDAC

Microsoft Access Data Components are usually fairly stable. They tend to be updated with significant OS related updates (I'm looking at you, Service Packs). 

That being said, issues do happen. Today I encountered an issue following a P to V migration using Hyper-V for a Windows 2000 server with an ADO connection to a MSSQL database. Somehow MDAC versions become mismatched during this process.

Your actual error may vary. Your application may throw an error 429 "Active-X component can't create object", you might get a IPP_E_MDAC_VERSION error. In the case today, a line in the website's general.asa was mentioned as an invalid object.

Download and execute the Microsoft Component Checker to verify a mismatch against your required Component versions - Use this for 2003 and this for 2000.

For Windows Server 2003 and 2008 systems, I would typically advise an in-place upgrade as outlined here. You can try a manual install on these OS' but frankly it is not as reliable as an automated repair (or an SP update, if one is available). Once I have enough time to creatively break Windows Server 8 I will hopefully update accordingly.

For Windows 2000, your task is of course a bit more painful. Download the appropriate installer from Microsoft (this is for MDAC 2.8 SP1 - I've tested up to 2.8 using Server 2000 and SQL 2000 and it works, usually the issue is one of your files are older than anticipated by MDAC, going newer hasnt hurt me yet, and is the latest confirmed as working by Microsoft). A formal compatibility list is also available.

After installing and rebooting with Mdac_typ.exe, reboot and your components should now once again be compatible. The most frequent issue I have seen is as the result of running the utility in a non-Administrator account, which leaves out key registry components. Regmon is a bit outside of our scope for this late-night post, but we will get to registry permissions hacking in later posts.

RAT Bastard

Earlier this week, several servers I maintain were targeted by automated attempts to upload a remote access trojan (RAT). The RAT is a simpl...