Network

The best customers are those who _know_ how to counter-mock you

icelava — Mon, 26 Oct 2009 08:09:15 GMT

By now the Internet is more or less familiar with the infamous scam known as Denon's US$500 Ethernet cables. This company unabashedly takes full advantage of audiophiles' warped perception about the quality of wire cables and attempts to sell the same idea about digital data transmission. I hope their marketing strategy is reaping in the profits and sending their stock prices soaring.

Thankfully, most of the world is smarter than them, and know how to recognise a conman who is attempting to insult their intelligence. And then, there are customers - ok they aren't technically customers since they did not foolishly buy it - who take this insult and spin it around to embarass Denon to no end. Absolute gold.

I still want a wolf shirt to enhance my sexual prowess though.

Tracing user of Flickr photo from static link

icelava — Thu, 19 Mar 2009 10:24:48 GMT

My friend posted me one of his photos hosted in Flickr recently, and like any hardcore photographer only provided the static link to the largest size instead of the weak-ass shrunken viewport in the default page. A typical static link would look like this (where n are numbers and a are alphanumerics):

http://farm4.static.flickr.com/nnnn/nnnnnnnnnn_aaaaaaaaaaaa.jpg

The problem with such a link is it does not expose the user who posted and owns the photo. And I did not know my friend's Flickr account. Why not just ask him? Well, I simply got curious - is it possible to trace out the user by using Flickr services alone?

Apparently, a resounding yes, very possible indeed.

In essence, Flickr provides a URL where one can append the photo's ID (nnnnnnnnnn) as a querystring parameter:

http://flickr.com/photo.gne?id=nnnnnnnnnn

It would nicely redirect to the regular photo viewer page that is starkly tied to the user account.

Virtual Server 2005: using mobile broadband for guest machines' Internet connectivity

icelava — Thu, 07 Aug 2008 08:17:05 GMT

Since I spent the whole morning figurng out how to set this up properly, I thought spending the rest of the day documentating this would be a good idea. :-)

The premise is I am once again out in the wild. Lugging only my laptop and an external USB disk. Oh, and a GSM modem. Mobile broadband is now an essential working tool; no longer is it an excuse to claim that the restricted network of an office or organisation is crippling one's ability to access public Internet resources. Due to the added fact we have little reason to access the office network at the current location I am working in, the Ethernet and wireless adapters are disconnected.

Such a deal is fine if I work within the laptop system itself. But no, any contemporary software developer would have a variety of virtual machines running under Virtual PC or Virtual Server or VMWare. Yes, I know Hyper-V is out, but I only run Windows Vista on this laptop, along with Virtual Server 2005 R2 (SP1). Like any decent virtualization platform, Virtual Server allows hooking a guest machine's virtual network adapters to an actual physical network adapter present in the host OS. Which works great when you operate a static host that is plugged perpetually via its Ethernet ports or reliable wireless coverage. Not so great when it comes to my present situation - Virtual Server does not list my mobile connection as a viable network adapter. It's a dial-up after all. This presents a challenge in getting my guest machine to access the Internet. In asking around, Ken Schaefer once again provides clever suggestions.

The key connector is the installation of an MS Loopback Adapter. This device is visible to Virtual Server, allowing mapping a guest's virtual adapter to it. The next step is to enable Internet Connection Sharing (ICS) on the dial-up mobile connection, specifying the loopback adapter as the leech.

This setup automatically configures the loopback adapter to use the IP address192.168.0.1/24. That means virtual guests must follow suit and use addresses in the 192.168.0.0/24 range (subnet 255.255.255.0), defininig 192.168.0.1 as the default gateway. Make sure to tell Windows this new network identified in the MS Loopback Adapter is a private one. That is the fastest way to get the firewall to allow traffic between the host and the guests "embedded" within that loopback adapter. Or one can load the Windows Firewall control panel, select Change Settings and unchcck the loopback adapter in the Advanced tab. This lets traffic flow freely from guests to host. In my particular case, Windows Firewall is actually disabled because McAfee Security Center runs its own firewall and I had define unrestrictions in that software instead. The principle remains the same.

It is also good to jot down the IP addresses of the DNS servers of the ISP providing the mobile broadband subscription. The guest machines would not have any means to discover these on their own, so their virtual network adapter's TCP/IP settings should be manually configured with those IP addresses. Otherwise, navigating the Internet without DNS resolutions is plain suicide.

UPDATE: On further testing I found ICS provides a virtual DHCP service, providing other machines in the network with dynamic IP configurations. This includes default gateway and DNS server IP addresses. If you are not particularly into static IP address allocations, it is not necessary to define DNS - just switch to Obtain an IP address automatically for DHCP to assign it all.

IIS, Kerberos, NetBIOS: they are in cahoots!

icelava — Thu, 26 Apr 2007 17:57:31 GMT

Last week I hit a rather interesting problem that brought me back to those nostalgic years of system and network administration. And some fine-surgery troubleshooting.

I had setup a new Windows 2003 server and promoted it as a domain controller (let's call it DEVDC) of a development domain (let's called it DEVDOM). My laptop is a member of the company domain, and both domains have no knowledge of each other. I quickly accessed DEVDC's shared folders from my laptop with the WE convenience of specifying a separate account - DEVDOM\user1 - rather than my usual corporate domain account. Easy.

Then came the bewildering part. DEVDC is also supposed to have SQL Server 2005 running, plus Reporting Services. As anybody who has deployed SSRS would know, the two web applications, /Reports and /ReportServer, that serve has the public face of SSRS disables Anonymous access in IIS by default; Integrated Windows Authentication (IWA) is used to identify users making access requests. Well, the problem was I could never authenticate as DEVDOM\user1. What was quick success in WE was utter repeatable failure in IIS. While consulting my infrastructure colleagues, I soon found interesting security errors in my laptop event log - my client Windows was sending a Kerberos ticket to that foreign DC. And the message suggested that my system thought it belonged to DEVDOM rather than the corporate domain.

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          19/4/2007 16:56:09
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      AaronSeet.corp.company.org
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/devdc.devdom.net. The target name used was HTTP/devdc. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DEVDOM.NET) is different from the client domain (DEVDOM.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
    <EventID Qualifiers="16384">4</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2007-04-19T08:56:09.000Z" />
    <EventRecordID>18774</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>AaronSeet.corp.company.org</Computer>
    <Security />
</System>
<EventData>
    <Data Name="Server">host/devdc.devdom.net</Data>
    <Data Name="TargetRealm">DEVDOM.NET</Data>
    <Data Name="Targetname">HTTP/devdc</Data>
    <Data Name="ClientRealm">DEVDOM.NET</Data>
    <Binary>
    </Binary>
</EventData>
</Event>

How the heck can this happen?

Ken Schaefer came around to patiently take me through a crash course about Kerberos and the nature of SPNs. He pointed out a scenario that rang true in this case - I was accessing DEVDC by its NetBIOS name, and therefore my client Windows did not have a good foundation to judge domain origins. Still, it should not have been able to obtain a Kerberos ticket, one that was actually issued by the DEVDOM KDC, and not from my company domain's. I merely wanted it to fall back to good old (or bad, depending on your view) NTLM. In order to conduct remote troubleshooting, Ken advise I run Ethereal to capture all raw network traffic for studying.

Since it was my virgin voyage into the network ocean with Ethereal, it took me awhile to figure out what its filters were really doing. After a couple of captures, Ken noticed how my laptop got conned - it was discovering domain information about DEVDOM using NetBIOS, and in effect successfully located the KDC to get tickets. To break this chain I eventually turned off NetBIOS at DEVDC's netwok adapter, and placed an FQDN in my client laptop's Hosts file. With that pipe to domain discovery broken, my laptop obediently fell back to NTLM when contacting IIS and authentication as DEVDOM\user1 finally happened.

Additional notes: In the process of troubleshooting and experimenting, I discovered other workarounds

disable IWA for those web apps and use Basic Authentication instead.
instead of identifying myself as DEVDOM\user1, I could arm-twist into DEVDC\user1 and it would use NTLM.

Always access home network anywhere from Internet

icelava — Wed, 28 Feb 2007 10:37:19 GMT

To this day, people (even those in the IT profession) continue to ask me how I am able to, so easily, remotely access computing resources (remote desktop, source control, aggregated feeds, emails, etc) located at my home.

The hurdle they are unable to overcome lies in the fact that, upon connection, ISPs usually issue a different IP address that uniquely identifies (and locates) their home computers or routers. Remembering that IP address is cumbersome, and invalidated should a reconnection occur - another IP address gets assigned, unknown until one gets home.

The solution to this problem is dynamic DNS. The concept is to have an always-on computer at home install a software agent. This agent sends information to a service provider, so that it knows the IP address the home connection currently uses. It then associates this IP address to a known Internet hostname (which is called FQDN - Fully Qualified Domain Name), so one only needs to remember the hostname and connect to that rather than memorizing with fickle IP addresses.

I have been using No-IP's services for years now. Theirs is a very easy procedure to get it setup.

Register an account. Free for basic services.
Choose a hostname. e.g. icelava.no-ip.org
Download and install the client on the perpetually-on computer.
Setup the client with the registered account details. It is usually enough leave the default update intervals. If you have frequent disconnections, you may wish to decrease the update interval.
Wait for a DNS update at said interval (due to the way DNS works around the Internet, it won't always be accurate) and ping that hostname - the IP address of your current connection should be reflected.

It is then time to configure the firewall in your router and setup the correct port-forwarding rules to the computers you want accessed from the external Internet.

Enjoy the world of connectivity.

How to bring the world to a standstill

icelava — Mon, 17 Apr 2006 11:28:15 GMT

Quick-draw switching for network configuration

icelava — Tue, 21 Mar 2006 15:04:44 GMT

I should have asked this question years ago. Yet I was simply too dumb or lazy to even bother, thus wasting myself minutes upon minutes whenever I traversed from one network environment into another, unwisely hand-coding TCP/IP configuration settings the manual way for my laptops' network adapters.

Today is the day I finally grew up, and asked my community of tech friends about this basic function that Windows (XP) fails to provide adequately. The direction I received led me to this brilliant network connection manager, Mobile Net Switch.

Not only does this utility sets network profiles for the network adapters, it goes over and beyond the call of duty to even customise

drive mappings
Internet connection proxies/firewalls
browser start pages
desktop wallpaper and resolution(!)
printers, Timezone, mail servers
host files, executable scripts

Wow. And all I wanted was just to change TCP/IP settings.

*claps* bravo *claps*

Big fat pipe that does not respond = useless

icelava — Sun, 08 Jan 2006 05:16:56 GMT

In an effort to entice customers to remain "loyal", Singnet was running a recontract promotion last December with bundles of freebies. Having the desire to get my mother a new PC so that I can reclaim the current old hardware she's using, the 3.5Mbps plan (was previously on 1.5Mbps) with a mini-desktop model seemed like a good deal.

Until I saw that for approximately $5 more I could sign the 10Mbps plan
and get a whooping laptop. A three-year handcuff did not seem like a big "sacrifice".

After all, who else could I really turn to if I wanted vote with my feet? I already did that with Starhub (SCV back then). The dotted line carried my signature.

The day of delivery was a surprisingly smooth one, despite the necessary change in modem-router-wireless hardware to make use of ADSL2 (for 10Mbps) and it's crummy documentation. I refuse to acknowledge that flimsy piece of instruction paper provided with the modem-router a manual - I could barely imagine my family reading it and actually accomplishing anything productive. No matter, I got my entire home network stable and running again fairly quickly, and I was immediately enjoy smooth video streaming rates from Google video. To date the Internet nodes with the widest canal (i.e. MSDN Subscriptions download distributor) have poured data to me between 7-8Mbps.

Nice.

But, that is supposing I am at home all the time. Being once again a fully-employed developer (I used to be a mercenary), I spend more time outside, and especially in customer sites. More time than I like. An being an IT professional (read: tech saavy), I naturally love to have some means of connecting and access my home network, especially my laptop that is the main repository of my technical communities' communication threads - a vital source of information I tap on.

And this has been something I've been enjoy since the start of my career. Until this plan kicked in.

The next day after, I happily stepped back to work at my customer's office, smirking to myself with the glee and giggle of a little girl thinking I'm going to enjoy a better "user experience" with more responsiveness with the extra bandwidth on my end. I connected via RDC as usual, only to find the Windows logon dialog painted halfway before it stopped responding and finally disconnected after a long timeout.

Nice.

My first thought was the router's firewall was the culprit. The 2Wire Homeportal 2700HG did exhibit an interface and behaviour that immediate distinguished itself as a non-professional firewall/routing system. Oh well, it's catered for the "normal" residential user, and it's free. What can I demand, right? I was then somewhat pleased to find out later that the firewall is actually all fine, and it is due to the network(s) the external node is trying to connect from. My customer's network is Starhub; the first person I asked to test also uses Starhub. In fact, anybody with Starhub similary failed to connect to my machine.

Now just in case one begins to think it's a Singnet-Starhub feud, it seems Malaysia's and Canada's ISPs (at least the ones I tried) have no such problem. A friend using Comcast in USA hit the same roadblock though. From within Singnet itself, it would appear to be naturally problem-free.

Despite a number of complaints shot out to Singnet support, they have not responded with anything. Not even a status update on what's happening. The problem persists up to now. Meaning I still cannot connect from my customer site.

Way to go Singnet. Take your customers' money and drop them into an inaccessible network block. Now (actually, since long ago) I know what the contract is for. To explicit make claim you are going to have deficiencies in your services and you need to make customers pay for them.

Setting up static WAN IP

Gibby — Tue, 21 Mar 2006 03:26:59 GMT

I've got a server in my company which can be accessed from outside. How do i set the WAN IP to be static as the IP seems to be changing every few days.

Accessing an internal IP

Gibby — Mon, 06 Mar 2006 18:09:33 GMT

I have a PC that is part of my office's network with IP address 128.64.1.92 and a subnet mask of 255.255.255.0 . Using another PC that is not part of the office's network, is there a way to ping that office PC of mine?Is it as straight forward as just pinging the PC directly?

How to do such as setup?

Gibby — Wed, 22 Feb 2006 10:22:34 GMT

PC 1 <---> Router <---> PC 2

PC 1 has IIS running and is acting as a server of sort. I intend to create some ASPX pages located on PC 1 and how do i access those pages from my browser in PC 2?

Google Blogsearch

icelava — Sun, 13 Nov 2005 08:09:54 GMT

Some people love to go on a ego trip and search their own names in Google and see how many results refer to themselves exactly. But getting a reference onto public sites is usually a tough quest, unless you opt for the quick route of performing incredibly stupid activities that will earn the attention of all the world's news sites.

A more "relevant" and down to earth perspective is to search blogs - individuals who probably know you and thus comment about yourself or link back to your own pages. Some of you may (should) already know this: Google has released an engine specifically for searching up blog pages only.

http://blogsearch.google.com/

You can now narrow down your fame.

PS - the good thing about using a forums board is I'd never get listed as a relevant blog should I try to search for myself.

Certified Ethical Hacker

icelava — Tue, 09 Nov 2004 22:58:17 GMT

Are you a CEH? :-) Almost sounds like an oxymoron.

http://www.eccouncil.org/CEH.htm

Wardriving

icelava — Sat, 02 Oct 2004 05:18:23 GMT

What Is Wardriving And How Can You Prevent It

Ethernet port manufacturers have finally gotten smart

icelava — Tue, 17 Aug 2004 21:01:10 GMT

My old Dlink switch is dying - intermittent loss of packets or total outage. So i bought a new Netgear FS608 v2 today.

To my pleasant surprise, this switch has 8 "plain" ports and no dedicated uplink port. All ports are MDI-MDIX auto uplink ports that can detect and adapt to the cable type and port type at the other end.

While this should have been the way right from the start, I must say i'm impressed, that manufacturers have wisen at last. No more cross/straight cable worries!

(Windows) Use DNS servers in VPN network

icelava — Sun, 01 Aug 2004 18:45:53 GMT

I have already ordered my computer's adapter priority for service bindings as:
1. Remote access
2. Ethernet
3. Wireless

The AD domain is corporate.company.com; company.com itself is public. Anything under subdomain "corporate" will be handled by internal DNS servers. The public has no need to know of corporate.company.com, except the office LAN.

When I VPN into the office network, it appears I am still using my ISP's DNS servers for resolution instead of the office's. Anything i hit for hostname.corporate.company.com still resolves into the public IP addr instead of the host entries in the internal DNS server.

There's more inference from the fact that nslookup brings up a connection with my ISP DNS server. What else must i configure to ensure when VPN connection is up, i use the office DNS servers?

APNIC membership

icelava — Tue, 01 Jun 2004 03:20:38 GMT

Any idea why Webvisions doesn't list?
<a href="http://www.apnic.net/apnic-bin/memlist.pl?size=&cc=SG&sort=random">http://www.apnic.net/apnic-bin/memlist.pl?size=&cc=SG&sort=random</a>

TCP Resets

spider — Fri, 27 Feb 2004 22:25:28 GMT

Hi,

Encounter some problem with my Server. To understand this require good knowledge in TCP/IP Segment and 3-way handshakes

Here is the sequence of 3-way handshakes:

1) Host B --> Host A, src port:1878 dst port: 2000
[SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460

2) Host A --> Host B, src port: 2000, dst port: 1878
[SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=536

3) Host B --> Host A,
[TCP ZeroWindow] src port:1878 dst port:2000 [RST]
Seq=1 Ack=1576600895 Win=0 Len=0

More information:

1) Host B has not problem connecting to Host A all the while.

2) When Host C starts to download file from Host A, Host B gets connection
error

3) In packets debugging, it shows Host B send RST packets to Host A to
terminate the connection.

4) The TCP 3-way handshakes are not able to establish at all. SYN-ACK can
not be acknowledged by Host B.

Submarine Telco cables

ahhotep — Thu, 18 Dec 2003 20:49:49 GMT

Hi anyone know where can I get a map of all the submarine cables laid by the Telcos?