I spent last night playing with Symantec Client Firewall version 7.1.2.1021 including our corporate SCS2 Baserule set 9 (so it seems to be a creation of our brilliant IT department).

First of all, even though I cranked the Symantec Firewall security level up to the High, I was still able to access TCP ports greater than 1024. This means that for example the MS SQL Server (1433/tcp) is wide open. And of course unpatched MS SQL Server has some known vulnerabilities.

Also, I was able to perform a port scan to several interesting TCP ports without the firewall reacting at all.

Symantec Firewall provides a mechanism for detecting possible intrusions by checking if someone is performing a port scan and banning the IP address in question for about 30 minutes. But if you do a port scan by trying to open ports normally (so, no SYN scans or anything like that) and slowly enough, then the Symantec doesn't detect anything. I was able to do a port scan by scanning a port every 30 seconds and the firewall didn't react at all. (By the way, this "slow attack" is described at a SciFi book called Neuromancer, by William Gibson.)

Finally, I created a situation, where I opened a third-party proxy connection with SSH tunneling to the port 8000 at my work laptop and allowed remote connections (I was using PuTTY). Then I launched a port scan from a remote location (ie. over the Internet). With the scan I was able to detect that the port 8000 was open and I created a connection through the port to the third-party proxy server. So, I was able to surf the Internet anonymously by using my "Symantec secured" machine. All the time the Symantec Firewall settings were at "High".

Biggest flaws, I'm able to point out are:

• No warning, when letting the PuTTY to access the Internet.
• No warning, when a port scan has been performed.
• No blocking of incoming connections. Not even a warning!

Note that there isn't anything fancy in what I was doing. The above is just a proof of concept, which shows how easy it is to work around the software firewall, if the settings aren't set correctly.

With Symantec Client Firewall it was just a matter of running a simple wizard to create a "Deny All" rule to the firewall software, which prevents any incoming connections from the Internet. I can't understand, why our IT department haven't done this. It seems that they are willingly leaving the machine wide open.

Anyway. Why am I writing this? I just want to let some steam out, because this has been the stupidest thing from our IT department so far. There are so many things wrong with this scenario that I even have a hard time remembering all the details and situations where things have gone wrong and how much damage can be caused both inside of our local network and from the public access Internet.

Finally, here's my quick hack for a port scanner, written in TCL:

# List of ports to be scanned.
set portlist [list 13 20 21 22 23 25 80 110 113 135 139 443 445 1433 6667 6881 8000 8080]

# Returns true, if port can be opened. Otherwice returns false.
proc check {host port} {
if {[catch {socket $host $port} s]} then {
return false
}

close $s
return true
}

# Scans a list of ports and reports results to the standard output.
proc portscan {host list} {
puts "Scanning $host..."

foreach i $list {
set port [format %5d $i]
if {[check $host $i]} then {
puts " Port $port is open."
} else {
puts " Port $port is closed."
}
after 30000
}
}

proc main {argv} {
if {[llength $argv] < 1} then {
set host {127.0.0.1}
} else {
set host [lindex $argv 0]
}

portscan $host $::portlist
}

main $argv

(How wonderful is that? No intendation. Thanks Slashdot!)

I have to say that the IT department of my employer doesn't have a clue at all.

They forced a new installation of a Symantec Firewall package to my computer (thanks, AD!). This new installation disables automatically the built-in Windows firewall. Well, that's fine except there seems to be a teeny tiny problem with the Symantec rule set. It doesn't block anything at all from the outside!

Well, of course my machine was hit immediately when this happened. Now I have the Windows firewall re-enabled and I hope that the Symantec application doesn't disable it again.

The worst part of this story is that there seems to be no way to tell this situation to anyone so the rule sets could be fixed. At the moment I'm writing this, the IT department is happily installing this defected rule set to all of our computers. Nice to know, that there will be tens of thousands machines vulnerable in our own local network. It will take just one contaminated machine to bring down the entire company.

Mandrake 10.1 is just awesome.

I'm a die-hard Slackware fan and it has been the distro of choice for me the last 10 years. But last night I tried Mandrake 10.1 on my HP laptop and I'm just stunned.

The HP ze4423 has some quirks and sometimes a Linux installation is quite an adventure, when I have to dodge all APCI/APIC/LAPIC/USB/PCMCIA stuff and try to find my way to successful installation. The laptop itself is nice and it works great, but unfortunately most of the Linux distributions have a kernel with some very specific kernel options turned on, which will make them incompatible with my laptop. But Mandrake... well, it seems to have everything set up correctly for my machine. Right out of the box. Amazing.

I didn't even know that there is Xorg driver for ATI Radeon IGP 320 chipset available.

Wow! I learn new things almost daily, when I'm using the Opera browser. I just noticed that it's possible to check spelling in Opera by installing Aspell.

Aspell, by the way, is a great open-source product.

In just 36 lines of code (including comments) I created an mp3 streaming server, which can serve multiply clients and stream multiply mp3 files one after another from given source directory. I'm using it for my private talk-show "radio station".

Tcl as a scripting language just doesn't stop amazing me.

Last weekend I upgraded my Linux firewall from Slackware 9.0 to Slackware 10.0. The problem was, I don't have a monitor. And this upgrade process included replacing a harddrive and partitioning and formatting it, so upgrade over the network connection wasn't an option. Only tools I had at hand were a keyboard and a CD-ROM drive. So, what to do?

1. Plug in the keyboard.
2. Get a bootable Slackware CD.
3. Insert the CD and boot the machine with it.
4. Get and install the Bochs at your other machine.
5. Create a disk image for Bochs with identical geometry information as your new hard drive.
6. Start Slackware installation from the CD ISO image at the Bochs.
7. Do all required steps at the Bochs environment and mimic all key presses with your headless box.
8. Remember to carefully configure the network connetion and leave the sshd on.
9. Reboot and log in to the freshly installed Slackware box over the SSH connection.
10. Finish the installation and configuration over the SSH.

And that's it. Smooth installation, which reminded me, why command line user interface is so cool. With graphical installer this kind of thing would not be as easy to pull through.

Afterwards I realised, that it would have been so much easier to just plug in the new hard drive as a slave and partition it and install the base system and then switch the drives and finish the configuration. Oh well, at least the experience was cool and I learned a lot how to use and configure a computer blindly.

Isn't this just great? I tried to exclude all stories about U.S. politics from my homepage and that stupid Homepage Preferences page doesn't work. I tries every possible combination of settings and I'm still able to see all Republican/Democrat/Politics/United States stories at the Slashdot Homepage.

All I want is news about technology (and other geek stuff) but now I'm force feeded with politics by Slashdot. It seems that the only option to avoid politics overload is to stop to read Slashdot at all until the presidential election is over.

* * *

Update (2004-11-02): It seems that the Homepage Preferences page has been updated and now I'm able to select sections for my homepage. Oh, the irony! Today is U.S. presidential election day and this kind of filtering is not so important for me anymore. Oh well...

What the hell is wrong with people? Isn't the normal English enough anymore? Or is it somehow "cooler" to use words like "boxen", "unices" or "virii". Last time I checked the English grammar, using the -s/-es suffix was still acceptable.

With this new "logic", the plural of the word "cactus" would be "cactii". Or "hoax" would become "hoaxen" or "hoaces". Now that sounds really stupid...

Worst thing is that there are no scientific or linguistic basis on any of those fucked-up plurals. Even if these geeks or hackers who use these do normally love to rely on rules and logic.

Damn. I shouldn't have posted a link to the Bloglines. I think that the slowness is because of me and my comment at the What is Your Favorite RSS Reader? story :( Now it's slow as hell and I wanted to start my day with a big cup of coffee and some juicy RSS feeds.

Hmm... That's odd. Last journal entry seems to be from "02 May 2003" which is over a year ago. Well, it's time for a little catch-up.

Happened since the last episode:

I spent six months at the military training. It was interesting, intensive and frustrating experience. But I learned a lot about phones and telecommunication stuff (among other things). But I don't want to talk about that or anything related to this subject.

I bought a new laptop. With Windows XP Home Edition. And I'm still using the XP at the machine. Which is pretty creepy. I'm worrying myself. Fortunately, I still have my good old Linux box, so there is still hope.

I'm still working at the same old "big bad corporation" as a software engineer. This time my job is to examine old C code and improve it and make some house-keeping (bug fixes, cleaning up, documenting). I could write a whole rant, how terrible it is to try to read other peoples code. But I won't, because I've ranted enough.

The last year or so has been extremely hard both physically and mentally. A lot of bad things have happened to people around me and I have had to re-evaluate my values and views of life. I think, that now I can truly appreciate life itself and my loved ones. And I have realized, that work isn't everything. Fortunately, things seem to be getting better step by step and hopefully the summer will be great and everything will be OK again.

Slashdot seems to be the same old nest. Some things don't ever change, I suppose.

... or why the hacking skills are essential for the survive of the human race... or something.

I bought a Magic Star MP3 player in February as I bragged about some time ago. The player worked pretty well. However, it sometimes formatted itself.

Finally I was able to bring the player to the store where I bought it. I got a replacement player and got back home. Because I don't have a car, I had to use public transportation to get to the store. It cost me six euros (six dollars) to get there and back.

The f*cking player doesn't work at all! For some reason it's unable to load the li-ion battery. So, now I have to travel back to the store and pay another six euros because of it. For the record, the price of the player was 100 euros when I bought it and now it costs only 80 euros. And I'll have to spend extra 12 euros to get a working version of that damned device. So, basically I've spent 112 euros to the device which now costs over 30 euros less :(

F*uck!

And now to the topic. Hacking skills - and now I mean the real hacking skills, not any "|\/|4d h4x0r 5k1LLz" or skript kiddie things or anything related with computers for that matter - are essential in this kind of situation. With the ability to tinker with electronic devices and to get them working reliably is one of the most valued skills in modern society in my opinion. Now I have to travel and spend money just because I'm too wimpy to try to fix the device myself. Any kind of tampering will void the warranty and I'm sure that I can't fix the device without leaving clear marks to the wiring or to the case.

After long, long time I decided to test Wine. I grabbed the latest source code, compiled it and installed with the script provided by the package.

Wine is one amazing piece of a software engineering work. Unfortunately I have been able to run only one game so far under the Wine. But what game... Unreal. The game that I was barely able to run under the Windows 98. It works perfectly under the Wine. Even the sound effects work. The game play is flawless under the 1024x768 resolution.

I'm not able to play SimCity 3000 or Fallout 2 and that's the big minus. Not entirely a minus for Wine but for the game developers who create weird code with some custom hooks to the underlying system.

The only things which seem to work almost perfectly are setup programs. For example Install Shield setup will work nicly with Wine. Wine even offers uninstall.exe/uninstaller.exe tool for having a replacement for Add/Remove panel which can be used to run uninstallers.

Apparently the latest version of the Wine is a tool which deserves more examination and experimentation. Who knows, maybe I'll be able to play SimCity under the Linux some day...

Update:

I got Fallout 2 working. I had to install a patch provided by Blackisle. Only thing NOT working right now is keyboard. I can't give descriptions to game saves :(

I got today a new heat sink. Cooler Master HHC-L61 Heat Pipe. It kicks ass! Silent, beautiful, efficent and well finished. And expensive :( But, Wow, it's cool. Literaly. It can achieve same results as cheaper heat sinks but with much lower noise level. The sink is made of copper and has two heat pipes sitcking from the side of the sink. At the top of the sink sits a 60mm fan. The promised noise level is 26 dB. And, well, I think that it's as silent as promised. However, I can't be sure because I actually can't hear the damn thing. Now the harddrive is keeping too much noise :)

Slackware 9.0 was released last week. And at the last weekend, I installed it to my "production machine".

Slackware 9.0 is nice. But not as polished as 8.1 was. Some annoyances are still around (even more than in the 9.0rc1 which I installed to my old-timer laptop).

The worst thing in this release are fonts under Mozilla 1.3. I had to switch to Gnome just because I was unable to tweak anti-aliasing settings for Mozilla (which is a GTK+-application) under the KDE environment.

To my surprise, Gnome is pretty mature nowadays. Last time checked it, it was buggy and slow and I was unable to make any changes to the default settings without crashing the whole thing. This newest version (ver. 2.2 I suppose) seems to be pretty stable and it's well polished and clean. Older versions had quite a lot of garbage (duplivated featured, useless applets etc.) but this version seens to be spartan enough for my taste.

But the best thing in this new release is the ability to upgrade the whole system from 8.1 to 9.0 without reinstalling everything.

Ah... I'm too tired to check spelling. If the text is unreadable, then just deal with it.

The company I'm working for has an HTTP proxy with censoring. It's very annoying.

I have to give credit to that person who has come up with this idea of multiply checks (the proxy checks for single words, content and URLs). It's pain in the ass and ruins legitimate surfing efficiently.

There seems to be (at least) three stages of checks made to the pages:

First, the proxy checks if the URL is prohibited. If it is, then the banner telling that the page is "illegal" is loaded instead of the page. I cannot figure out any way to bypass this without outside help. When I have to reach this kind of a page, I have to create an SSH tunnel between the university and my work computer to get the page loaded.

Second, the proxy checks all contents of the requested page. If the page contains questionable words then the proxy will replace those words with "----" mark. If there seems to be too many of these words, the whole page is censored out and the banner telling about "prohibited words" is loaded.

Third, if the page seems to be clean but there is some special words at some place of the page then the rest of the page is censored out and the banner is placed there where the first occurrence of the "prohibited word" has been found.

The second and third cases are surprisingly easy to bypass. Just reload the page ten times and the proxy will allow the page to be loaded.

By the way, the proxy server in question is made by Symantec. And for my opinion, the server sucks. It can't handle moderate load efficiently, it just starts to generate "proxy errors". And under heavy load, the server crashes.