While trying to do a ‘repo sync’ on the CyanogenMOD source after doing a fresh install of Xubuntu 12.04, I started getting the following error, repeated many times:

WARNING: gnome-keyring:: couldn't connect to: /tmp/keyring-*****/pkcs11

Turns out, a package upgrade (I was too lazy to identify which one) changed/reverted /etc/xdg/autostart/gnome-keyring-pkcs11.desktop and caused gnome-keyring-daemon to not load properly with XFCE. The fix was to find this line:

OnlyShowIn=GNOME;Unity

And append ;XFCE to it, making it:

OnlyShowIn=GNOME;Unity;XFCE

After a quick reboot everything worked as normal.
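The same OnlyShowIn= edit, as an added example that is not from the original post, written so it can be re-run safely after the next package upgrade reverts the file; the sample .desktop text is constructed and the patch_file helper is an assumption:

```python
# Added example (not from the original post): make the OnlyShowIn= fix
# idempotent so it can be re-run after the next package upgrade reverts it.
from pathlib import Path

KEY = "OnlyShowIn="

def add_only_show_in(text: str, desktop: str = "XFCE") -> str:
    """Return the .desktop file text with `desktop` added to OnlyShowIn=.

    Three shapes are handled: the key is absent (left alone, since no
    OnlyShowIn means 'autostart everywhere'), present with the trailing
    ';' the XDG spec uses for lists, or present without one as in the
    file quoted above. The trailing-';' style of the input is preserved
    and no other key is touched.
    """
    out = []
    for line in text.splitlines():
        if line.startswith(KEY):
            value = line[len(KEY):]
            envs = [e for e in value.split(";") if e]
            if desktop not in envs:
                envs.append(desktop)
            line = KEY + ";".join(envs) + (";" if value.endswith(";") else "")
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")

def patch_file(path: str, desktop: str = "XFCE") -> bool:
    """Rewrite `path` in place; return True only if something changed."""
    p = Path(path)
    old = p.read_text()
    new = add_only_show_in(old, desktop)
    if new != old:
        p.write_text(new)
    return new != old

if __name__ == "__main__":
    # Constructed sample mirroring the line quoted in the post.
    sample = "[Desktop Entry]\nName=sample\nOnlyShowIn=GNOME;Unity\n"
    print(add_only_show_in(sample), end="")
```

Run patch_file as root against /etc/xdg/autostart/gnome-keyring-pkcs11.desktop, or copy that file to ~/.config/autostart/ and patch the copy there: per the XDG autostart spec a same-named file in the user directory overrides the system one, so the fix survives package upgrades.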

This morning, I was called over to the building where we keep our off-site backup NAS. The new tenants had the local cable company over to do an install, and they needed access to the secure room with all the networking kit in it.

I went over to let them in, and explained where the network drops terminated, where their cable run came from and went to, and answered a few other questions. They looked like they had things under control, so I left.

About twenty minutes later, I was called back over. The techs needed to unplug our UPS so they could put one of those dual-plug splitters in (has six outlets on the front and uses the two in the wall); however, they ran into a problem. At some point in the past, the screw had fallen out of the metal faceplate on that outlet.

When they went to unplug the UPS, they bumped the faceplate and it made contact with one of the legs on the UPS plugs, shorting it and causing lots of sparks.

I got there a few minutes after this happened, and the two were trying to figure out the best way to proceed. One of them had a pair of pliers in his hands, and was saying that he was going to just use those to grip the UPS plug and pull it out quickly. I asked if they’d thought of shutting off the power.

Silence.

So I went over to the (of course, unlabeled) breaker panel and told them to yell when the UPS switched to battery power, then I started throwing breakers. After making it through all of them, they hadn’t made a sound. Knowing that the wiring in the building was kind of sketchy, and that there were a few other breaker panels, I told them I was going to go try another one. The one with the pliers then said, “Naw, I’ll just try this again,” and then proceeded to rip the plug out using the pliers. Sparks flew, and then the plug came out. He then used the pliers to knock the faceplate off (which was now scorched and had a chunk burnt out of it), and plugged the UPS back in. It showed “0” for input voltage.

“I think I killed it.”

On a hunch, I walked over to the breaker panel and, sure enough, one of them was tripped. After resetting it, I heard the UPS go back online. Apparently, when I was throwing breakers, they weren’t paying attention.

So now I’m looking to relocate our Off-Site backups.

[Image: Plug] What is this? I don't even...

I posted an article the other day when I discovered that Staples.ca stores customer passwords in plain text. After a lot of prodding through email, I finally received a reply with some technical detail about how Staples actually stores the passwords:

We do take this issue very seriously. I contacted another department for a technical explanation of the issue.

Staples.ca stores user profile information in a commerce Binary Large Object that cannot be selected using SQL and cannot be queried without knowing the actual hash key to parse the XML object. When a password is being requested using the ‘Forgot password’ feature, the email address and the security question are asked to validate the user, and then backend processing is performed on the request to retrieve the password and send it to the email address on file. The site is on a monthly schedule to be scanned by Qualys (a third-party security provider that provides on-demand vulnerability management and policy compliance solutions to Staples), which scans for SQL injections, security vulnerabilities, firewall issues etc. We are 100% compliant by Qualys and from the RSA PCI standard institute. In no way can you SQL inject this website and get any data from the database that is not authorized. The underlying architecture is very secure and strict procedures are in place to not compromise PII information.

Please do not hesitate to contact us if you require further assistance.

Joan, E-commerce Communication Specialist
e-mail: bd.support@orders.staples.com
phone : 1-877-360-8500
fax   : 1-800-567-2260
url   : www.staples.ca/contactus

So there you have it. They are completely convinced that it is impossible for someone to get your plain-text password.

…That is, unless your email account is compromised. Or their server is exploited (Staples.ca runs IIS5 on Windows 2000, according to Netcraft) and someone gains higher-privilege access. Or a staff member rages, dumps the db, then quits.

Unfortunately, I can’t find a way to delete my account, so I’ve nuked all of my personal data (replaced with fake stuff), and then entered a random password. I didn’t bother writing it down, because if I ever do want to get back in to my account, they’ll be more than happy to send it right to me. I don’t even have to choose a new one!
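The two designs side by side, as an added example that is neither Staples’ code nor from the original post: the recoverable store does what Joan’s reply and the original email below describe, and the hashed store can only reset a password, never reveal it. The in-memory dicts, the ITER cost factor and the example.invalid reset URL are assumptions.

```python
# Added example, not Staples' code. Shows the recoverable-password flow the
# reply above describes next to a hashed store that can only *reset*, never
# *reveal*. In-memory dicts stand in for the database/BLOB; ITER is a
# placeholder cost factor, tune it up for production.
import hashlib, hmac, os, secrets, time

class RecoverableStore:
    """Whatever wraps the record (BLOB, XML, 'hash key'), the backend must
    read the secret back to mail it, so anyone reaching the store, a backup,
    or the user's mailbox gets it too."""
    def __init__(self):
        self.users = {}
    def register(self, email, password):
        self.users[email] = password
    def forgot_password(self, email):
        return f"Your login password is: {self.users[email]}"

ITER = 200_000

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: slow to guess, impossible to reverse."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)

class HashedStore:
    TOKEN_TTL = 15 * 60  # reset links expire in 15 minutes

    def __init__(self, now=time.time):
        self.users, self.tokens, self.now = {}, {}, now
    def register(self, email, password):
        self.users[email] = hash_password(password)
    def verify(self, email, password):
        rec = self.users.get(email)
        if rec is None:
            hash_password(password)  # burn the same time for unknown users
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, hash_password(password, salt)[1])
    def forgot_password(self, email):
        """Mail a random single-use token; only its hash is kept server-side,
        so a database read yields nothing usable."""
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self.tokens[key] = (email, self.now() + self.TOKEN_TTL)
        return f"Reset your password: https://example.invalid/reset?token={token}"
    def reset(self, token, new_password):
        key = hashlib.sha256(token.encode()).digest()
        entry = self.tokens.pop(key, None)  # pop: a token works exactly once
        if entry is None or entry[1] < self.now():
            return False
        self.register(entry[0], new_password)
        return True
```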

I went to make a purchase at Staples.ca today; however, I quickly discovered I had forgotten my password. “No big deal,” I said to myself, “I’ll just use their forgotten password feature.” I entered my email address and, sure enough, a few minutes later had a new message. Opening it, my jaw dropped as I read through the message:

From: bd.Support@orders.staples.com [mailto:bd.Support@orders.staples.com]
Sent: Monday, August 29, 2011 3:32 PM
To: ***REDACTED***
Subject: Your Staples.ca password

Hello,

Your login password is: ***REDACTED***

We look forward to receiving your next order.

Thank You - Staples.ca Customer Service Team.

WTF? So, Staples is storing plain-text passwords in their database. Fantastic. Didn’t they learn anything from Sony?

I’ve fired off an email to their support people, and will post any replies they send.

UPDATE: That was fast! Here’s their reply.

We appreciate your inquiry concerning this issue ***,

Staples maintains reasonable and appropriate standards to safeguard your
Personal Information.

When you enter Personal Information that contains a Social Security
Number, driver’s license number, or credit or debit card number at the
designated and secured sections of our Website, the information will be
encrypted or encoded before it is sent over the Internet. Personal
Information that we collect and maintain is subject to physical,
administrative and technical controls that are consistent with
recognized industry standards.

Please do not hesitate to contact us if you require further assistance.

Joan, E-commerce Communication Specialist

e-mail: bd.support@orders.staples.com
phone : 1-877-360-8500
fax   : 1-800-567-2260
url   : www.staples.ca/contactus

They completely missed the point of the email. I sent them another reply, this time with a helpful link to the Ars Technica article linked above and a basic explanation of SQL Injection/best practices. Hoping for a more reasonable reply later.

Further Edit: After re-reading the email, it sounds like they’re confusing SSL with hashing/storage encryption. Blargh.

Our accountant’s computer has been dog slow for the last six or so months, so after going through the lengthy process of spec’ing a new system and getting the purchase approved, I was finally able to get her a replacement. The new system, with a massive amount of RAM and a screaming processor (with a nice SSD to top things off), truly is a thing of beauty; however, we ended up running into a rather large problem.

Because the new system runs Windows 7 x64, we had to upgrade our slightly-old copy of Pervasive SQL 10 to Service Pack 3. Although this seemed to work fine with ACCPAC initially, we quickly discovered all was not well.

Case in point, when trying to print an invoice with a custom Crystal Reports template, ACCPAC would simply throw the following error:

not enough memory for operation

Searching Google got me nowhere. The few references to that error and printing only spoke of issues with Terminal Server environments, and none of the suggested steps worked. After a few hours of fighting, though, I had the bright idea to try using one of the stock invoice templates.

Go figure, it worked.

As it turns out, the CR templates we were using dated back at least six years, and had been created with a copy of Crystal Reports 7 (dating from 1999!). So, we downloaded a trial copy of Crystal Reports 2011, re-saved the templates, and the memory error disappeared without a trace. There were a few issues with the templates (some fields refused to populate), but some manual adjustments (read: copying and pasting sections from the working stock ACCPAC templates) solved that as well.

TL;DR Version: If you get the above memory error when trying to print from ACCPAC using custom Crystal Reports templates, try re-saving them with a newer version of CR. Apparently that’s all it takes.

The other day I was testing a Group Policy Object (GPO) on a system that resides in an isolated Organizational Unit (OU) with Block Inheritance set. After I finished testing, I applied the GPO to the production OUs and promptly forgot about it.

Fast forward to today. I was messing around on that system and discovered that I left that one particular GPO in place. I fired up the Group Policy Management tool and removed the link to that GPO, did a gpupdate /force on that system, rebooted and went about my business. A few minutes later, I discovered that GPO was still in effect. I double-checked that the GPO wasn’t linked to that OU anymore, and that inheritance was still blocked, and did another gpupdate /force, but to no avail. A quick check of HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\History showed that yes, the GPO was still being applied.

I did a little head scratching, and then found the answer. As it turns out, after linking the GPO to the other production OUs, I selected the ‘Enforce’ option. By doing that, even after unlinking a GPO from an OU it will continue to be applied. I simply disabled the ‘Enforce’ option, ran yet another gpupdate /force, and all was well.

TL;DR Version: If you unlink a GPO from an OU, update the system, and the GPO is still being applied, disable the ‘Enforce’ option on that policy and do another gpupdate.

Yesterday, I decided to encrypt my Toshiba Satellite C650D laptop with TrueCrypt – I opted for Full System Drive encryption, which involves TrueCrypt adding its own bootloader. After answering the usual questions from the setup wizard, it prompted me to reboot to test the settings. After Windows restarted, I was prompted to enter the password I had specified earlier. The only problem was, when I started typing, nothing happened – I also couldn’t use ESC to bypass the password prompt, or CTRL+ALT+DEL to reboot. My only option was to power off. When I turned the laptop back on, though, I was able to enter the password without issue.

After the encryption process finished, I rebooted the laptop again, only to find that keyboard input still wasn’t working when I needed to enter the bootloader password. Again, though, after powering it off and back on everything worked fine. On a hunch, I shut down the laptop completely, then turned it back on, and was able to enter the password without issue.

As it turns out, if you have Toshiba’s ‘Fastboot’ feature enabled in BIOS (allows for < 1 second from power button to bootloader, bypassing the BIOS splash screen and, apparently, some hardware initialization steps), TrueCrypt won’t recognize your internal keyboard (unfortunately, I didn’t have a USB keyboard handy to see if that would work) – but only on a reboot. From a cold boot, the keyboard is apparently initialized differently and works fine.

TL;DR Version: If you use TrueCrypt to encrypt your System Drive and have a Toshiba laptop, don’t use the Fastboot option in BIOS or you will not be able to enter your bootloader password when you reboot and will be forced to cold boot every time.

While updating a set of public computers to have private file shares (making use of the Home Directory account property in AD to automagically map the drive), I ran into an issue with folder redirection. I wanted to redirect all of the standard personal folders (Documents, Pictures, Music, et al.) to the same share, so I set up folder redirection in a Group Policy Object to point those folders to the user’s home drive (for this example, we’ll say drive Z: was mapped to \\server\share\folder).

I gave the user full rights to the share, and assigned it Owner status as well (all through the Security tab, as standard), and then configured the GPO as appropriate. After rebooting the client computer, however, I checked the Documents folder only to find that it was still pointing at the default location. A quick peek in to Event Viewer revealed the following error:

Failed to apply policy and redirect folder “Documents” to “\\server\share\folder”.

Redirection options=0x80009211.

The following error occurred: “Can not create folder “\\server\share\folder””.

Error details: “Access is denied.”.

Which was very strange indeed, as a brief check confirmed that yes, the domain user did in fact have full access to both the folder and the share.

Then, something I saw (and stupidly ignored) when setting up the GPO came back to me. I fired up the GPO editor and browsed back to the Documents folder redirection section (User Configuration\Policies\Windows Settings\Folder Redirection). After double-clicking the Documents option, and then switching to the Settings tab (shown below), I noticed the top two boxes (“Grant User Exclusive Rights to Documents” and “Move the Contents of Documents to the New Location”) were selected by default. Given that this was an ‘Access Denied’ error, I figured one of these two settings must be at fault, so I unchecked them.

[Image: Folder Redirection Stupidity]

After rebooting the client computer, the Documents folder redirected to the Home Drive as expected.

Here’s where it gets stupid, though. On the ‘Target’ tab in the Documents properties window (visible in the screenshot above), if you have the ‘Target folder location’ set to ‘Redirect to the users home directory’, it explicitly adds a note that says “This setting ignores the value of the ‘Grant User Exclusive Rights to Documents’ option on the settings page.”

Apparently not, Microsoft. Apparently not.

TL;DR Version: If Folder Redirections aren’t applying correctly, Event Viewer is showing ‘Access Denied’ messages, and you’re using Home Folders specified in the user account, disable the ‘Grant User Exclusive Rights to Documents’ option on the Settings page of the GPO.

My day job has me doing a wide variety of tasks, from desktop publishing to web development to systems and network administration. Occasionally, I get called on by other managers to consult on projects they’re working on and review things from a technical perspective. It was on one of these consulting gigs where I came across the ultimate anti-sales-pitch.

The project itself was a type of community portal focused on local businesses, and had been in operation for a few months. Things were going swimmingly and the site was starting to take off with nearly a thousand local businesses registered. This got the attention of two local SEO (Search Engine Optimization) firms who desperately needed work (or at least, that’s how they ended up coming across). The salesman from the first firm was offensive to the point where the project manager simply refused to repeat the conversation they had and will only reference them by referring to them with a nickname. The second one, though, I got to hear the story of.

Mid-afternoon, the project manager gets a phone call from (as we’ll call her) Diane. Diane gets straight to the point. “I don’t want to offend you,” she starts, already oozing marketing slime through the phone, “but I don’t like your site. It’s going straight to search engine hell.”

Here’s a Pro Tip for those of you in the marketing/sales industry: If you have to start off by saying “I don’t mean to offend”, you’re going to, and the potential customer won’t appreciate it.

“See, when I search for <name of our region>, you’re nowhere near the first page on Google. With my help, you can be for local and global searches! I don’t know who made the site, but they screwed up, and we want the contract!”

Another Pro Tip: Research, research, research! The name of the developer is plastered all over the site, and was featured prominently during a news spot on the local news a few days prior, so if they had bothered to even look at the site they would have known who to call out. Secondly, had they bothered to look a little further into the purpose of the site, they would have seen that global positioning of the site on search engines wouldn’t be a priority anyway, as the primary means of driving people to the site is via local advertising or by searching for keywords/the name of the business and the region, which already results in first-page rankings for the businesses in the directory.

The rest of the conversation went downhill from there. She attacked branding, overall design, and basically made an ass of herself. When the project manager finally got her off the phone and came to ask me if there was any merit to the criticisms, I did a quick review of the site, did some sample searches, and showed that the site lived up to all of the expectations and that the designers had followed proper SEO techniques when building the site.

The SEO lady eventually sent a few followup emails which, thanks to her ‘marketing techniques’, were moved immediately to the trash.

So, for those of you who are tempted to start out a sales call by pointing out each and every flaw in the potential customer’s product: Stop. Don’t “don’t mean to offend”. And research. Then, if you are nice enough and craft your pitch well enough, you just may be able to skip the “???” step and jump right to “Profit!”.