Java webapplet security exception – global list

Oracle brought a new round of Java joy with Java 8 Update 20. They removed the medium security settings so that every applet has to have a signature to be eligible for execution.

Now, what do you do when you still need to execute Java applets? You add them to the exception list! Unfortunately “Wildcards are not supported”. Probably because anyone who comes across this problem would just have entered “*”.

This creates a problem. Most of the Java applets that are still in use are part of machine controls which cannot be updated or replaced. Placing exceptions based on intranet subnet masks is also not possible.

While our users are able to add the necessary exceptions themselves (a HowTo with plenty of screenshots is required), these are bound to the local computer profile (oh joy!). As production users usually switch PCs, they would have to enter all exceptions on every PC they use… unless you use this short PowerShell synchronization script.

The script is called during logon in the user's context; the file on the sysvol share has write access for all users.

# Per-user Java exception list (Java 8 keeps it under LocalLow in the user profile)
$file1loc = $env:USERPROFILE
$file1loc += "\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites"

# Shared list on the sysvol share (the domain part of the UNC path is omitted here)
$file2loc = "\\\SYSVOL\\scripts\java\exception.sites"

# Read both lists. On a user's first logon the local file does not exist yet;
# without -ErrorAction the script would stop there, so a missing file counts as empty.
$file1 = Get-Content $file1loc -ErrorAction SilentlyContinue
$file2 = Get-Content $file2loc -ErrorAction SilentlyContinue

# Merge both lists into one array, skipping empty lines
$data = @()
foreach ($line in @($file1) + @($file2))
{
   if ($line -and $line.Trim())
   {
      $data += $line.Trim()
   }
}

# Remove duplicate entries
$data = $data | Select-Object -Unique

# Write the merged list back to the user profile and to the shared list
$data | Out-File $file1loc -Encoding ascii
$data | Out-File $file2loc -Encoding ascii

This synchronizes the exception list of every user bidirectionally with a global list.

Once all exceptions are known, you can remove write access from the sysvol file and comment out the write-back to it in the script if your security policy requires it (anything written to that file ends up in every user's exception list).

On a side note: I needed to replace the new java.policy file with a custom one, as Oracle decided that opening ports for connections is evil. I added

permission java.net.SocketPermission "*:1024-65535", "connect,resolve";

and replicated the file to every PC as “C:\Program Files (x86)\Java\jre1.8.0_60\lib\security\java.policy”.

Long Way Back: 2009 – Rebuild a failed Intel MatrixRaid

The situation:
My RAID 5 with 4 drives (500GB each) reached an age of about 1.5 years.
One drive failed, I RMA'd it and got a new one, the RAID rebuilt, everything was fine.
Two weeks later another drive failed, I RMA'd it, rebuild… all fine.
Around 3 weeks after that the third drive failed, I RMA'd it, got a bit suspicious about all the failures and started creating a backup.
2hrs later the complete RAID failed – because drive 4 just removed itself from the system and refused to work again.
I rebooted into the Intel Matrix ROM manager and could recover the RAID with just 3 drives. I was quite euphoric – my data is still there🙂
Windows booted up and checked the RAID for errors; once it reached about 38% it spammed the event log with read errors. One reboot later I realized that the RAID had failed again.

Now all data was gone – but i didn’t give up!

I bought an additional new drive and used Ubuntu with ddrescue to clone the failing drive to the new one.
At that point things started to get complicated. I realized that the last replacement drive (stupid refurbished drives – I hate you for that, WD!) had unrecoverable read errors. The whole drive had 11 errors in 800KB out of 465GB. This was the reason for the RAID failure: I could recover it and read some of the data until I hit those unrecoverable sectors.
So that didn't look that bad for my data🙂

However, neither dmraid nor the Intel ROM recognized the cloned drive as part of the RAID array. I tried digging through the Linux dmraid code to find out what made the drives special and found the answer in the RAID metadata at the end of each drive – the serial number of every RAID member is stored there. I looked for a tool that allowed manipulating the metadata, but there was none.
Additionally I found out that newer Linux kernels don't supply the module to load the array under Linux at all, so I was thrown back to Windows.
After some hours of googling I came to the conclusion that no one had ever managed to force a (cloned) drive into a failed RAID, so I looked for recovery tools instead.
To be able to use the discs with Windows recovery tools I set the Intel controller from RAID to IDE mode (AHCI SATA wouldn't boot) and fired up RStudio.
However, due to the cloned disc not being part of the RAID, it wasn't recognized as a RAID. Additionally the order of the discs was completely off (due to a lot of removing and inserting drives into the case).

For restoring my raid data i needed to have 4 things:

  • 3 readable discs out of the original 4
  • correct raid stripesize
  • correct parity alignment
  • correct disc order

While I now had the discs, it was a bit harder to get the rest.
Another program comes into play: WinHex and its disc editor.
I opened the 3 discs and had a look at the data. If you can read stuff (the partition table and the NTFS volume header contain quite a few human-readable ASCII words) you are probably not looking at a parity stripe. So I browsed a bit through the data until I noticed a significant change in the layout of the data.

Now look at the sector counter at the bottom: if the layout changes at sector 127/128 and the hard disc sector size is 512 bytes (the default back then), the stripe size is 128 × 512 bytes = 64 KB.
Now for the reordering… I browsed through all hard drives and noted where I could see a parity stripe – it's the garbled stuff.
I created a small sheet with the gathered data like this:

Stripe  | 1 | 2 | 3 | 4
--------+---+---+---+---
Drive 1 |   |   | P |
Drive 2 |   | P |   |
Drive 3 | P |   |   |
Drive 4 |   |   |   | P

Of course drive 4 no longer exists, but in general, if a stripe shows no garbled chunk on any of your remaining drives, then its parity is on the lost one.

Now I could reconstruct the correct drive order just by looking at the virtual RAID5 builder that RStudio provides.
In my case this was 4-1-2-3. I put in the drives in that order (right click and created a missing one for drive 3) and set the parity alignment to left asymmetric.
This is the standard for Intel Matrix RAIDs (as taken from the dmraid isw.c code).

Pressed apply and there I got my data back – all accessible with RStudio.
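As an added example (not part of the original post), the parity rotation read off the drives above, written out for the left-asymmetric RAID5 layout as md/dmraid define it, with the slot order inferred from the sheet; the stripe-size arithmetic and the "no garbled chunk means the lost drive" rule are the post's, the function names are assumptions of mine.

```python
# Added example, not code from the original post. Assumes the left-asymmetric
# RAID5 layout as md/dmraid define it: parity on the last slot for stripe 0,
# then one slot towards the first drive per stripe; data chunks fill the
# remaining slots left to right.
SECTOR_SIZE = 512  # bytes, the sector size of the post's drives


def stripe_size_bytes(first_sector_of_next_stripe, sector_size=SECTOR_SIZE):
    """Stripe size from the sector where the data layout visibly changes.
    The post sees the change at sector 127/128, so the next stripe starts at 128."""
    return first_sector_of_next_stripe * sector_size


def parity_slot(stripe, n_drives):
    """Slot (0-based position in the array) holding parity for a 0-based stripe."""
    return (n_drives - 1) - (stripe % n_drives)


def data_slots(stripe, n_drives):
    """Slots holding the data chunks of a stripe, in write order."""
    return [s for s in range(n_drives) if s != parity_slot(stripe, n_drives)]


def infer_slot_order(parity_seen, n_drives, missing_drive=None):
    """parity_seen maps a drive label to the 1-based stripe number in which a
    garbled (parity) chunk was seen on it. The drive that is gone gets the one
    slot no surviving drive claims, which is the post's rule for stripe 4."""
    slots = [None] * n_drives
    for drive, stripe_no in parity_seen.items():
        slot = parity_slot(stripe_no - 1, n_drives)
        if slots[slot] is not None:
            raise ValueError(f"{drive} and {slots[slot]} both claim slot {slot}")
        slots[slot] = drive
    free = [i for i, d in enumerate(slots) if d is None]
    if missing_drive is not None and len(free) == 1:
        slots[free[0]] = missing_drive
    elif free:
        raise ValueError(f"slots {free} could not be assigned")
    return slots


if __name__ == "__main__":
    # Constructed from the post's sheet: drives 1-3 showed a parity chunk in
    # stripes 3, 2 and 1; drive 4 had died and showed nothing.
    order = infer_slot_order({"Drive 1": 3, "Drive 2": 2, "Drive 3": 1}, 4,
                             missing_drive="Drive 4")
    print(stripe_size_bytes(128) // 1024, "KB stripes")          # 64 KB
    print("-".join(d.split()[-1] for d in order))                # 4-1-2-3
```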

Now what did I learn from this?

  • Do not trust a RAID5 for data protection
  • Always have a Backup
  • Do not buy all drives from the same batch

Exchange 2013 – ActiveSync user certificate authentication

I am still in the process of putting up a new environment at work. Every few days we continue testing various functions. Today we tried to resync the test droid with Exchange (I changed all IP addresses and went on vacation but didn't fix the test WLAN settings, so the device was not usable at all), but nothing happened.

I rechecked all settings on exchange and iis, reenabled, disabled, removed and readded every step from the various tutorials from the web. Nada. Nothing. Neither Chrome nor IE nor Android nor the MobilityDojo-Tester were able to use client certificates for IIS web page authentication.

I rechecked the trust chains and the Certificate Authority – everything was OK. Then I tried to get more information out of the IIS log. It told me either:

2013-08-20 12:24:03 x.x.x.x OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - x.x.x.x - - 403 7 5 15

or

2013-08-20 12:26:58 x.x.x.x OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - x.x.x.x - - 403 16 2148204809 15

Et voilà, GIYF: http://support.microsoft.com/kb/2802568
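As an added example (not from the original post), a small parser for IIS W3C log lines that flags the two kinds of 403 shown above; the field order is assumed to be the IIS default and should be taken from the log's own #Fields: header. 2148204809 is HRESULT 0x800B0109, CERT_E_UNTRUSTEDROOT, which fits the cause found below.

```python
# Added example, not from the original post. Assumes the default IIS W3C field
# order below; if your log's "#Fields:" header differs, change FIELDS to match.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
          "sc-win32-status time-taken").split()

# IIS 403 sub-status codes that concern the client certificate
CERT_SUBSTATUS = {7: "client certificate required",
                  13: "client certificate revoked",
                  16: "client certificate is untrusted or invalid",
                  17: "client certificate has expired or is not yet valid"}

# sc-win32-status values seen with them; 2148204809 is HRESULT 0x800B0109
WIN32_STATUS = {5: "ERROR_ACCESS_DENIED",
                0x800B0109: "CERT_E_UNTRUSTEDROOT (chain ends in an untrusted root)"}


def parse_line(line, fields=FIELDS):
    """Split one log line into a dict; comment, blank or short lines give None."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    return dict(zip(fields, parts)) if len(parts) == len(fields) else None


def client_cert_problem(rec):
    """Describe the failure if rec is a client-certificate 403, else None."""
    if rec is None or rec["sc-status"] != "403":
        return None
    sub, win32 = int(rec["sc-substatus"]), int(rec["sc-win32-status"])
    if sub not in CERT_SUBSTATUS:
        return None
    return (f"403.{sub} {CERT_SUBSTATUS[sub]}; win32 {win32} = "
            f"{WIN32_STATUS.get(win32, 'unknown')}")


def scan(log_text):
    """Return (time, client ip, reason) for every flagged line in log_text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reason = client_cert_problem(rec)
        if reason:
            hits.append((rec["time"], rec["c-ip"], reason))
    return hits


# Constructed sample: the post's two lines plus one successful request
SAMPLE_LOG = """\
2013-08-20 12:24:03 x.x.x.x OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - x.x.x.x - - 403 7 5 15
2013-08-20 12:26:58 x.x.x.x OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - x.x.x.x - - 403 16 2148204809 15
2013-08-20 12:31:10 x.x.x.x OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - x.x.x.x - - 200 0 0 12
"""
```

Running `scan(SAMPLE_LOG)` over a real log directory instead of the constructed sample is the whole change needed to turn this into a quick check after a certificate store change.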

As it turned out, prior to my vacation I had reimported some GPOs from our production environment. For some reason, back when the CA was implemented, I had imported the intermediate certificates into the root store.

I removed the offending intermediate certs and rebooted the Exchange server (just to be sure ;)) and everything went back to work.

So thanks MS. By not fixing SChannel.dll, you made this bug possible!

PS: Because Microsoft's Connectivity Analyzer is pretty anal about the SSL certificate having the correct hostname (for some reason it does not check the SAN), I highly recommend EAS – MD from http://mobilitydojo.net/downloads/; it also allows testing ActiveSync with a user certificate.

EA’s Origin.com

Origin makes it possible: Delay a digital purchase by an undetermined amount of hours just because they can.

The only hint that something has gone wrong is the following text:

“Thank you for your order. Your order is being processed and you will be notified of the result shortly.”

Customer Support extends “shortly” to a whopping 12 to 24 hours.

The order completes, you get an invoice, they charge the credit card but you don’t get your goods. The support is unable to provide any assistance. The order cannot be canceled or viewed.

EA: This SUCKZ!

It is a digital download, you already got the money, so let me play what I have paid for! What do you check for fraud? If you think you have to check something for several hours, please tell me before you take my money. I will take it elsewhere to get what I want when I want it.