Windows 10 Installation USB-Stick unter Linux erstellen

Um unter Linux für Windows 10 einen USB-Stick zur Installation erstellen, muss man etwas mehr tun, es gibt keine vorgefertigten Tools. Hier eine Kurzanleitung:

/dev/sdX im Folgenden durch euren USB-Stick ersetzen.

# Partitionierung
dd if=/dev/zero of=/dev/sdX bs=1M count=1
fdisk /dev/sdX

# Formatierung
mkfs.vfat /dev/sdX1
mount /dev/sdX1 /mnt/usb

# Kopieren der Daten
mkdir Win10
mount -o loop Win10_1607_German_x64.iso Win10
cd Win10
cp -a * /mnt/usb
umount /mnt/usb

Nun einfach davon booten. Ins BIOS kommt ihr meist, wenn ihr sofort nach dem Einschalten eures PCs ESC, F1, F2, F8, F11 oder F12 drückt. Viel Erfolg!

Posted in Linux | Tagged , , | Leave a comment

MACSEC unter Linux

Der Linux Kernel 4.6 unterstützt nun MACSEC nativ. Damit ist es möglich, auf Layer2 verschlüsselte Links zu realisieren. Sehr schön! 🙂


Posted in Info, Linux, Rechenzentrum, Security | Tagged , , | Leave a comment

Review of Open-E DSS v7

Initially, we were looking for a 10GE-iSCSI storage solution that would do synchronous or at least memory-synchronous mirroring of data to a second system and automatic failover. We planned to use the system as storage backend for a few dozens VMs, and wanted the storage to be highly available on a shared IP. Active-Active supported seemed pretty awesome too, and the system should allow seamless failover.

However, some vendors didn’t provide this option, others were too expensive and the project was an open bidding, so we had to be cheap. The only viable options seemed to be building something ourselves or buying Open-E from a distributor that would take care of the hardware part. They were also offering 24/7 support. It sounded pretty good, and our distributor was saying he did a couple of installations with it, so we went for it. The system consisted of:

Continue reading

Posted in english, Linux, Rant, Rechenzentrum, Security | Tagged , , , , , , , , | 6 Comments

Eindeutigkeit von IP-Adressen bei Unitymedia nicht gegeben

Bis vor wenigen Tagen konnte man bei Unitymedia anonym oder mit der Adresse eines anderen Internetteilnehmers im Internet surfen. Sofern man einen Linuxrechner mit dem von Unitymedia bereitgestellen Cisco-Router EPC3212 verbunden hatte (etwa als Firewall), ging das sehr leicht, und wird im Folgenden beschrieben. Linux-Grundkenntnisse werden vorausgesetzt. Da dies nicht mehr funktioniert, sehe ich kein Problem damit, hier eine Anleitung zu veröffentlichen. 🙂

Zuerst guckt man, welche IP und welches Subnetz man im Unitymedia-Netz derzeit nutzt:

Continue reading

Posted in Info, Security | Tagged , , , , | 1 Comment

DELL about SSH key authentication on PowerConnect M6220

PowerConnect M6220 SwitchA coworker asked DELL about SSH public key auth on PowerConnect M6220, because we wanted to automate something. Anyways, it’s pretty common to automate stuff nowadays, right?


Here is DELL’s reply on using a ssh with keys:

Von: []
An: xxx
Betreff: Dell SR:xxxxxxxxx

Good morning Mr. xxx,

I’m the engineer to whom Mr. xxx has escalated the above mentioned
service request. I’m writing to you today to inform you that unfortunately
public key authentication isn’t supported in way  you’d like to on these
switches with version 5.x firmware. That is, you will either always end up
being asked for a password, in addition / even though you supply correct
private/public key during your ssh session negotiations, or you might end
up inadvertently opening a backdoor for unauthenticated users wishing to
use password authentication only.

Either way, it seems this will take quite some time to fix, so I suggest I
close this service request out now and will keep you informed about any
future developments on this issue.

Kind regards,
xxx, B.Sc. (Hons) in IS/IT

Enterprise Product Engineer, Networking & Linux & Security
Dell | Enterprise Support Services
Office Number (+353 1 xxx xxxx)
M-F (8:00 – 16:30 IST)
Certification: CCNP, RHCE & JNCIP-SEC
How am I doing? Email my manager xxx, xxx
<>  with any feedback.


Uhm… what? Oo


Posted in english, fun, Rechenzentrum, Uncategorized | Tagged , , , , , , | 1 Comment

Why Oracle (and Java) sucks

We were investigating random crashes of a webapp, and it turned out to be a JAVA CORBA bug, so we  reported it to Oracle. Today, I got the following reply in my mail:

I own your service request *-*********** about a Java Corba problem.
Please understand that Java is a free product. Hence support (and bugfixes) can only be provided for Java SE contract customers.

Unfortunately, the Customer Support Identifier CSI#******** you entered does not entitle you to Oracle Java SE support. To submit a Service Request (SR) for Java SE when running your own or third party Java applications, a Java SE Support contract is required.

The bug you are referring is in state accepted indeed. There are no plans right now to fix it. Of course, if a contract customer requests a fix, then it will be fixed. Otherwise it might take quite some time until a fix becomes available.


Oracle Java Support starts at $10,000. Thank you very much, so leave the bug open and let other customers stumble upon it. Just yesterday I heard that armed US drones are using CORBA for communication, too… oh my.

Our approach might be using Nagios Eventhandlers to restart crashed application servers, as we got more than N+1 of those. Oracle’s mentality pisses me off…

Posted in english, Rant, Rechenzentrum, Uncategorized, web | Tagged , , , , , , , , , , | 7 Comments

Hidden Services

Nicht jede Software unterstützt das URL-Schema von Tor hidden services; in dem Falle kann man als hack einfach socat benutzen, hier im Beispiel wird ein IRC hidden service mit  irssi genutzt:


socat TCP4-LISTEN:4223,fork SOCKS4A:localhost:XYZ.onion:6667,socksport=9050

Dadurch wird der Port lokal gebunden und über den lokalen Tor Socks Port auf den Hidden Service umgeleitet. In irssi tippt kann man nun einfach:

/connect localhost 4223

Ich finde das einen schönen generischen Hack, den ich euch nicht vorenthalten wollte. 🙂

Posted in Linux | Tagged , , , , | Leave a comment

Defending against & having fun with WebLOIC

Lately, one of the websites under my protection was being DDoSed by a well-known trouble-making party whose name shall not be released and stay anonymous. Another party that is monitoring the web for threats against our websites notified me that a DDoS was currently being  started. It seemed that the attackers were spamming a link to an automatically starting WebLOIC via mail and tricked others with a variation of methods to open the URL so that they would automatically participate in the DDoS.

Let’s move to the technical side: it was a pretty small DDoS, with about 50MBit/s – we probably wouldn’t have noticed as it just looked like a normal traffic spike and did not endanger the availability of the website at all. We’ve handled much larger legitimate traffic spikes for that site already.

A quick investigation showed that WebLOIC was being used and was ‘hosted’ on a nopaste service. Requests looked like this:

GET /?id=1300380622178&msg=We%20Are%20Legion! HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20100101 Firefox/8.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://xxxxxxxxx.html

Quickly checking out the referer gave me the sourcecode; the id consists of a timestamp and the request id. The ‘msg’ is a user-changable text, but ‘id’ is javascript-generated.

How to block it?
– Use a regular expression for the query string (very easy)
– Block users with a referer from that nopaste service (very easy, too)
– Block users that do more than X connections within a minute (easy if you have a decent firewall), side-effects might cause large NAT gateways from mobile providers to be blocked, but that’s better than being completely offline, right?

Where to block:
– block as early as possible: in your DPI firewall, web application firewall or loadbalancer
– *not* in every single webserver

Having Fun:
As the WebLOIC runs in the attacker’s browser, there are lots of possibilites:
– redirect attackers to a site known to be monitored by the FBI (explosives, terrorism etc.)
– CSRF, make them post something on a service like facebook or twitter (#iDDoS-site.tdl) and search for their posts. Kindly ask them to stop.
– redirect the attackers to do lots of google searches – they will quickly be blocked by google services
– send a gzip-encoded stream that consumes lots of cpu time and memory on their side, this might even crash the browser
– ‘reflect’ the DDoS to somewhere else (sending 301/302 redirects is pretty low-bandwidth for you)

So in total, WebLOIC was a good idea, but right now rather inefficient and its usage might have unwanted sideeffects… 😉

Posted in english, fun, Rechenzentrum, Security | Tagged , , | Leave a comment

Firefox kopiert Protokoll aus der Adressleiste mit

Das ganze ist wirklich nervig, wenn man öfter mal nur die Domain ohne führendes http:// und abschließenden Slash kopieren möchte. Ändern kann man es wie folgt:

Posted in Info | 1 Comment

Gentoo Linux Security Weekend

Last weekend, Gentoo Linux developers a3li and keytoaster came around and with help from p-y and underling via IRC, we killed the huge backlog of open CVEs in our tracker, voted on about 100 security bugs, drafted several dozens of GLSAs and were hunting bugs on GLSAMaker2. We also had good company from (non-security) developer idl0r on saturday. 🙂

During the week, we polished up some GLSAs and since sunday, we send these (a lot more to come!):

OpenSSL: Multiple vulnerabilities
Wireshark: Multiple vulnerabilities
Bugzilla: Multiple vulnerabilities
Dovecot: Multiple vulnerabilities
GnuTLS: Multiple vulnerabilities
PHP: Multiple vulnerabilities
vsftpd: Denial of Service
feh: Multiple vulnerabilities
Conky: Privilege escalation
Wget: User-assisted file creation or overwrite
Adobe Flash Player: Multiple vulnerabilities

Thanks for helping out, everyone!

Here are some impressions:






Posted in english, Gentoo, Linux, Security | Tagged , , , , , , , | Leave a comment