The Parti Québécois has replied to President Sarkozy. The passage I take away most is this one:
It is true, Mr. President, that Quebecers will not be called on to vote again on this question in the immediate future. However, since nothing fundamental has been resolved in Quebec-Canada relations, it is not impossible that this will happen while you preside over the destiny of France. It is not impossible that Quebec's democracy will need the support of all its friends, of all its brothers.
That is where the real problem lies. The "exhausting quarrels" are founded on shows of force. From the Act of Union to the patriation of the constitution, the agreements have always been imposed, politically or by force of arms depending on the era. Loco Locass borrows Pierre Falardeau's words in the song Résistance to sum up this point.
I no longer know whether the MSA/PQ idea of sovereignty is still the solution. A federation of states, perhaps? But that solution will not be simply falling into line, denying our difference instead of celebrating it, on the pretext that we have forgotten the sources of the unease. I remember.
–
Guillaume
Thursday, November 13, 2008
Like many of you, I had a drive that showed up in the "Safely remove hardware" tray icon, and I was unable to remove it.
The trick is to subtract 4 from the device's Capabilities value in the registry. Capabilities is a bit field, and the removable flag is the 0x4 bit (CM_DEVCAP_REMOVABLE), so what you really want is to clear that one bit; subtracting 4 from a value where the bit is not set would corrupt the other flags. Not easy, but it can be done. The only thing is that it keeps coming back after every boot! And it looks like the value cannot be edited under Vista. Here is how to fix it for good.
Thursday, November 6, 2008
I have been a TrueCrypt user since version 4.0. I used to have a half-baked solution of TrueCrypt, EFS and SYSKEY option 2 (password at startup). When full disk encryption was introduced, I finally got a laptop encryption scheme that I like. It features:
- Strong cryptography
Thank TrueCrypt for 256-bit AES in XTS mode. I think 256 bits is overkill, but 128 is not offered. I don't see any performance hit on my modest, stock Fujitsu E8210 laptop.
- Need to know (reduced data exposure)
Data is not available in clear text when I don't need it. In other words, when I work, I have my files; when I play, they stay encrypted.
- Easy encrypted backup
My backups are merely a copy of the container to a file server.
- Single sign-on to any encrypted volume
The pre-boot authentication password (or passphrase, your call) is the only one you'll ever have to enter, and yet that password is never stored anywhere. Not even in encrypted memory. It's only in your head. (The volume keys derived from it do have to sit in RAM while a volume is mounted, so a locked or sleeping laptop is only as safe as its memory.)
- Supports encrypted USB drives
USB drives get the same single sign-on, need-to-know and backup features. It doesn't matter whether you use a file-based container or whole-volume encryption, although a file-based container lets you store regular data on the same drive for use on any computer, instead of carrying two drives.
- Platform independent
Works on all platforms that TrueCrypt supports.
All that out of the box. Well... actually there is no box, it is all open source!
Tuesday, September 23, 2008
I just put online version 1.4 of my replacement Gina! Thanks to everyone who gave me a break while I was spending more time house shopping, buying and renovating. This release is very good, thanks to everybody who wrote to me about problems they were facing. Here is what's new:
- Fixed a bug where registry keys and groups had to be present for it to work.
- Fail-safe behaviour reverts to the normal MSGINA.dll if anything goes wrong.
- Better detection of the logged-in user coming back to unlock.
- Registered as a logon process (Paralint shows in the Event log instead of Winlogon).
- Added an option to generate debug output (off by default, see Sample.reg).
- Corrections and clarifications in the documentation.
- Automated build, test and release scripts.
Next up? I am not sure. I am thinking about a self-service application, like a companion product, and when I get that to work, finding a way to integrate that concept with Aucun. Something like: after N bad logons, you are redirected to the self-service application.
Enjoy !
Thursday, August 21, 2008
I left a terrible bug in version 1.3 of my replacement Gina. I didn't want to miss any test case this time, so I wrote a batch file that tests every one of them. That batch file adds a user to a group and a group to the registry. There are two possible groups in the registry, and the user can be a member of either of the two groups, making 2^(2+2) possibilities: 16 use cases.
A few lines in, I realized that it would be less work to order the tests in a way that minimizes the change to the configuration between any two tests. In other words, when test case n+1 requires a change to the registry, the user's group membership should not change, and vice versa. That also makes it easy to investigate a failed test, because only one thing changes between any two tests.
Then it hit me.
Well, actually, I had to stop and think for a while. Kind of like my mind restoring a dusty old tape archive... What I was looking for is a Gray code (reflected binary code): a numbering scheme where only one bit changes between any two consecutive numbers. The number of bits that differ between two numbers is their Hamming distance, named after mathematician Richard Hamming (his own Hamming codes are error-correcting codes, a different thing). Using four bits to represent each possible use case, I came up with the following table. The first two rows (MSB) are the user's membership in a group, and the last two rows (LSB) are the presence of that group in the registry. Ordering my tests that way gives a constant Hamming distance of 1 between consecutive tests.
| Decimal value | 0 | 1 | 3 | 2 | 6 | 7 | 5 | 4 | 12 | 13 | 15 | 14 | 10 | 11 | 9 | 8 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Member of Unlock group (MSB) | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Member of Logoff group | 0 | 0 | 0 | 0 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 0 | 0 | 0 |
| Unlock group in registry | 0 | 0 | 1 | 1 | 1 | 1 | 0 | 0 | 0 | 0 | 1 | 1 | 1 | 1 | 0 | 0 |
| Logoff group in registry (LSB) | 0 | 1 | 1 | 0 | 0 | 1 | 1 | 0 | 0 | 1 | 1 | 0 | 0 | 1 | 1 | 0 |
| Expected test result | Gina | Gina | Gina | Gina | Gina | Force logoff | Force logoff | Gina | Gina | Force logoff | Unlock | Unlock | Unlock | Unlock | Gina | Gina |
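As an added illustration (this is not the batch file or the Aucun source, just example code written for this page), here is the same ordering generated programmatically: a reflected Gray code over the four configuration bits, a check that consecutive cases differ in exactly one bit, and, for each step, which single setting the test harness has to toggle. The `expected_result` rule is inferred from the table above (a group only counts when the user is a member of it and it is configured in the registry, and Unlock wins over Force logoff); it reproduces the "Expected test result" row but is an assumption about the product's logic, not its code.

```python
# Added example (not the Aucun/Paralint batch file): order the 16 GINA test
# cases as a reflected Gray code so consecutive tests differ in one setting.
# Bit layout follows the table above (MSB first):
#   bit 3  user is a member of the Unlock group
#   bit 2  user is a member of the Logoff group
#   bit 1  Unlock group is configured in the registry
#   bit 0  Logoff group is configured in the registry

BIT_NAMES = {
    3: "user membership in Unlock group",
    2: "user membership in Logoff group",
    1: "Unlock group in registry",
    0: "Logoff group in registry",
}


def gray_sequence(bits):
    """Reflected binary Gray code: consecutive values differ in exactly one bit."""
    return [i ^ (i >> 1) for i in range(1 << bits)]


def hamming_distance(a, b):
    """Number of bit positions in which a and b differ."""
    return bin(a ^ b).count("1")


def max_step_distance(seq):
    """Largest Hamming distance between any two consecutive entries."""
    return max(hamming_distance(a, b) for a, b in zip(seq, seq[1:]))


def expected_result(case):
    """Decision rule that reproduces the 'Expected test result' row above.

    Assumed from the table, not taken from Aucun's source: a group only counts
    when the user is a member of it AND it is configured in the registry, and
    Unlock takes precedence over Force logoff.
    """
    member_unlock, member_logoff = bool(case & 0b1000), bool(case & 0b0100)
    reg_unlock, reg_logoff = bool(case & 0b0010), bool(case & 0b0001)
    if member_unlock and reg_unlock:
        return "Unlock"
    if member_logoff and reg_logoff:
        return "Force logoff"
    return "Gina"


def test_plan(bits=4):
    """Return (case, setting to toggle before this test, expected result) tuples."""
    plan, prev = [], None
    for case in gray_sequence(bits):
        if prev is None:
            toggled = None
        else:
            idx = (case ^ prev).bit_length() - 1   # the single bit that changed
            toggled = BIT_NAMES.get(idx, f"bit {idx}")
        plan.append((case, toggled, expected_result(case)))
        prev = case
    return plan


if __name__ == "__main__":
    for case, toggled, result in test_plan():
        print(f"{case:2d} {case:04b}  toggle: {(toggled or '(initial state)'):32s} expect: {result}")
    print("max Hamming distance between consecutive tests:",
          max_step_distance(gray_sequence(4)))
```

The `i ^ (i >> 1)` formula is the standard way to produce a reflected Gray code, and it generalizes: `gray_sequence(6)` gives a 64-case plan with the same one-change-per-step property if a later version adds more groups or registry switches.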
The only drawback to this is that all the typing I saved writing my test batch file, I wasted on this blog post !
I noticed a new link in my Gmail account (I am using Gmail for your domain) showing the sessions used to connect to the account and how long ago each session was last active.
Pretty neat, although I doubt a regular user will be able to make sense of any of it... In my case, it shows that between the last time I was online at home (IP 66.x.x.x) and the next time I was online at work (IP 199.x.x.x), there were only seven hours.
Recent activity:

| Access Type (Browser, mobile, POP3, etc.) | IP address | Date/Time (displayed in your time zone) |
|---|---|---|
| Browser | 199.x.x.x * | 8:16 am (0 minutes ago) |
| Google Toolbar | 66.x.x.x | 12:41 am (7 hours ago) |
| Browser | 66.x.x.x | 12:09 am (8 hours ago) |
| Browser | 66.x.x.x | 11:50 pm (8 hours ago) |
| Browser | 199.x.x.x * | Jul 10 (16 hours ago) |
And yes, I took time to sleep, wake up the kids and have breakfast with them.
Time for coffee now !
I wanted to test the relative strength of a password policy: run a password cracking tool over different passwords, from a dictionary-based one (like Banana42) to a random one (generated with Password Safe). Creating users, setting passwords and running different password extraction tools was a lot of trouble.
I found a detailed explanation of the MSCASH format (the Domain Cached Credentials a Windows machine keeps so domain users can log on while disconnected). Here is how you make your own MSCASH hashes to do close-to-reality benchmarks of your favourite password cracking tool.
This Notifu update allows you to concatenate multiple /m and /p switches. It is useful when a parameter to Notifu is fed by a program you have no control over.
For example, this command line now works :
notifu /p Concatenate /p " this" /m "Hello" /m ", " /m "World"
Nothing is added to your parameters. If you want a space, you must add it.
Note to self: got to fix my release script... A simple update takes longer to post online than to code!
I fixed a bug in notifu that made it ignore quotes that were escaped with a backslash. For example, this command line works now :
notifu /m "\"Theo Est\" test@example.com"
Thanks to Sof for the heads up !
IBM WebSphere stores its passwords in files. Everybody does that, and it is hard to do otherwise. When I am confronted with the problem, I usually say that the only option you have is which file you want the password in. IBM (in WebSphere) went a little further by applying a hardcoded XOR: each character is XORed with the character '_' (0x5F), and the resulting string is base64-encoded. This is not cryptography, it is just enough encoding that a casual glance at the file will not reveal the password. Treat a {xor} value as plaintext: the file ACLs on security.xml are the actual control, and anyone who can read the file has the password.
If you have access to security.xml and need to know the passwords it contains, compile and run this tool. It supports:
- Encoded passwords on the command line (as many as you like)
- Passwords piped in (the default if no arguments are passed)
- With or without the leading {xor}
- Building with Visual C++ and GNU g++ (tested with the mingw32 version only)
- Crude but working parsing, so you can pipe in the result of a grep, like this:
grep -i password security.xml | waspass
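For readers who do not want to compile anything, here is an added example of the same decoding in Python (written for this page; it is not the waspass source). It strips an optional {xor} prefix, base64-decodes, XORs every byte with '_', and includes a crude line scanner for grep output like the command above. The sample lines are constructed, modelled on the authDataEntries element of a security.xml, and are not from a real installation.

```python
# Added example (not the waspass C++ tool from the post): decode and encode
# WebSphere's {xor} password obfuscation. Sample lines are constructed.
import base64
import re

XOR_KEY = ord("_")                              # 0x5F, hard-coded in WebSphere
_BARE_TOKEN = re.compile(r"(?:\{xor\})?[A-Za-z0-9+/]+={0,2}")
_PREFIXED = re.compile(r"\{xor\}[A-Za-z0-9+/]+={0,2}")


def xor_decode(token: str) -> str:
    """Reverse {xor}: strip the optional prefix, base64-decode, XOR every byte with '_'."""
    if token.startswith("{xor}"):
        token = token[len("{xor}"):]
    raw = base64.b64decode(token, validate=True)   # raises binascii.Error (a ValueError) on junk
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def xor_encode(password: str) -> str:
    """Produce the value WebSphere would write, handy for round-trip checks."""
    raw = bytes(b ^ XOR_KEY for b in password.encode("utf-8"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")


def decode_grep_output(lines):
    """Crude parser for `grep -i password security.xml` style input.

    Every {xor}-prefixed value found on a line is decoded; a line that is
    nothing but a base64 token is decoded as-is. Returns a list of
    (original line, decoded password or None on undecodable input).
    """
    results = []
    for line in lines:
        line = line.rstrip("\n")
        tokens = _PREFIXED.findall(line)
        if not tokens:
            m = _BARE_TOKEN.fullmatch(line.strip())
            tokens = [m.group(0)] if m else []
        for tok in tokens:
            try:
                results.append((line, xor_decode(tok)))
            except (ValueError, UnicodeDecodeError):
                results.append((line, None))
    return results


SAMPLE_LINES = [  # constructed, modelled on security.xml authDataEntries
    '<authDataEntries xmi:id="JAASAuthData_1" alias="dbUser" userId="wasadmin" password="{xor}Lz4sLCgwLTs="/>',
    "Lz4sLCgwLTs=",
    'password="{xor}AAAAA"',                    # bad base64 length: reported as None
]

if __name__ == "__main__":
    for line, pwd in decode_grep_output(SAMPLE_LINES):
        print(f"{pwd!r:16} <- {line}")
```

The `validate=True` in `b64decode` is deliberate: without it, Python silently discards characters outside the base64 alphabet and a mangled line would decode to garbage instead of being flagged.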
You can get the source from my Subversion server with this command :
svn co http://src.paralint.com/spikes/waspass/trunk waspass
I am also posting the full source inline, just to show off that cool javascript code parser I just installed…