the office

So, a quick little overview of my home audio setup 🙂

All UPnP/DLNA based…

Suggestions to improve, questions and comments are always welcome! 😎

Currently still not looking at Spotify actually… Most of the music I play is either podcasts or online sources (stubru 🙂 )



My first time TechEd and it was awesome!
Much heavier than anticipated: went to sessions every day from 8.30 till 18.15, sucking up all available knowledge!
Talked to a bunch of interesting people, tried to learn as much as possible, saw cool demos and was impressed by the huuuge amount of people there!


Things to remember!


Further, I saw Mimikatz come by like 10 times, got the colours of Process Explorer explained to me 3 times, learned how to set a filter in Process Monitor 2 times…

Had great fun with speakers @samilaiho and @andymalone

Got back with cool presents from @tycotic and @tintri_emea

Because there still is a huge lack of documentation about Microsoft AD RMS, here are some hints and tricks to use!

  • First thing: irmcheck! Go use it!
  • Always check the NTFS ACL permissions on the server-side files (the .asmx files).
  • The SQL ConnectionString is located in the registry.
  • MSIPC (RMS client 2.0 in Windows 8 and Office 2013) caches in the registry and in %localappdata%
  • REGISTRY:\Software\Classes\Local Settings\Software\Microsoft\MSIPC\<Server Name>\Template (HKCU or HKLM)
  • %localappdata%\microsoft\msipc
    Hint: you can delete the huge file names with “rmdir MSIPC /s” in cmd (for some reason it doesn’t work in PowerShell)
  • Advanced troubleshooting on OSI Layer 7: Fiddler! (enable HTTPS decryption) Really, put it in between! You’ll get far more useful error messages than “cannot connect to the server” or “cannot use this feature without credentials”…
    Even better, go Wireshark (note: SSL MITM here…)!
  • The older MSDRM (RMS Client 1) puts everything in %localappdata%\Microsoft\DRM. There you can find your user and machine certificates, and templates.
    Regkeys under REGISTRY:\software\microsoft\msdrm
  • Always check the IIS certificates! If there’s something wrong, nothing will ever work!

Please, open them up, they’re just XML-based and contain a lot of information! For example, in the GIC file you can confirm your RMS location. Don’t bother trying to modify them, they’re hashed… But you definitely should check them for having :443 in their URLs (check this article)
GIC (Group Identity Certificate) = RAC (Rights Account Certificate)
CLC (Client Licensor Certificate)
CERT-Machine = SPC (Security Processor Certificate)

More about those 3 files in here
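As an added example (not from the original post), here is the :443 check above done from PowerShell: it scans the MSDRM certificate files for URLs and flags the ones that carry an explicit :443. It assumes the files under %localappdata%\Microsoft\DRM are readable text carrying the GIC / CLC / CERT-Machine name prefixes the post lists; the URL regex and the output layout are my own, not taken from any RMS schema.

```powershell
# Added example: list the URLs embedded in the MSDRM (RMS Client 1) certificate
# files and flag those with an explicit :443 port. Read-only; nothing is modified.
# Assumptions: files are plain text under %localappdata%\Microsoft\DRM and use the
# GIC / CLC / CERT-Machine name prefixes from the post (not verified against a schema).
$drmPath = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM'
if (-not (Test-Path $drmPath)) {
    Write-Warning "No MSDRM cache at $drmPath (this client may never have acquired certificates)"
    return
}

# Loose URL matcher: scheme, then everything up to whitespace, a quote or an XML bracket
$urlPattern = 'https?://[^\s"<>]+'

Get-ChildItem -Path $drmPath -File | ForEach-Object {
    $file = $_
    # Classify by the prefixes the post names: GIC (= RAC), CLC, CERT-Machine (= SPC)
    $kind = switch -Regex ($file.Name) {
        '^GIC'          { 'GIC/RAC' }
        '^CLC'          { 'CLC' }
        '^CERT-Machine' { 'SPC' }
        default         { 'other' }
    }
    $content = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
    if (-not $content) { return }   # skip unreadable or empty files

    [regex]::Matches($content, $urlPattern) |
        ForEach-Object { $_.Value } |
        Sort-Object -Unique |
        ForEach-Object {
            [pscustomobject]@{
                File        = $file.Name
                Type        = $kind
                Url         = $_
                Explicit443 = ($_ -match ':443(/|$)')   # True when the port is spelled out
            }
        }
} | Format-Table -AutoSize
```

Compare the Explicit443 column against what your RMS server actually publishes in its SCP and IIS bindings; a mismatch between the two is exactly the kind of thing the article linked above is about.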

  • When you need to go deeper, use DebugView (or something new: Trace Spy). This works for both MSDRM and MSIPC, server-side and client-side.
  • Go and check the Windows Event Logs. The RMS client doesn’t actually log anything there, but it can be a source of good information anyway!

Sometimes, you just want to store files in the cloud. This is because you want your data to be available everywhere. Or you want an offsite backup. Or you want to share it with someone.

Anyway, you have to put it SOMEWHERE.
And preferably somewhere secure, and not too expensive.

Now, you have the classic hosting providers, providing you with an http/ftp capable webspace. But, as always, that’s a bit expensive…

When you start looking around, for backup, archive or file hosting services, you stumble upon the classic tools like dropbox, skydrive, backblaze, crashplan, …

But, in my case, that’s also not something I’m looking for.
I just want to mount a “cloud-drive” via a webservice, ftp or webdav. It can even have its own tool, as long as the actual files stay in the cloud…

So, into “the big three”: Amazon S3, Google Cloud Storage and Windows Azure Storage blobs… Pricing is on the right of this blogpost.

Still… They’re like 5-10€/month for 100GB… That’s 100€ per year.
With 100€ you can buy yourself a 1000GB hard disk, and put it on your desk and revproxy the thing?
Even with the electricity cost you’re not going to hit that 100€ limit…

Or buy a new hard drive each year, and put the old one somewhere safe! At a friend’s house, in your basement, you can even bury it in your garden ^^

I was considering getting an Azure subscription, now not any more 🙂

The interwebz is a complex wasteland.
Almost every website requires a login. And I don’t want to use the same password everywhere!
I have some categories in my “default” passwords: the simple password (19 bit) for the “one-time-use” websites, the more complex ones (still only max 65 bit) for the “special sites” like facebook, google, or my HR department… Actually, my “toughest” password (my cronos admin password) only reaches 87 bits…


only a couple of my accounts…

Anyway, when you’re on the internet for a couple of years, you gather some accounts.

Lots of them


And in the beginning, it was fun.
You only have 1 computer, you only use 1 browser, you just store everything in there.

But then something new shows up.
You start experimenting with Firefox.
And you buy a laptop.
And you have a network profile at school, or at work.
Or you’re on a holiday and you need to login on your webmail.

You need something to sync all your information, and to make it all available wherever you are.
Same for bookmarks, but that’s another story…

The last couple of years I always made use of random sync tools. At first, the sync tools from Mozilla itself, later on some other 3rd-party tools, but the last tool I got stuck with was xmarks. But last year it was bought by lastpass. So all my passwords were suddenly in their hands…
I’m not sure I like that…

But I kept using it, because it comes in damn handy!
All your password perfectly in sync between devices, nice plugin’s for every browser, and even a nice web interface!

But, still, you trust your password with someone else…

Anyway, this week I started doing some consultancy (read: they’re teaching me) for another Cronos Group company working on InfoSec (another blogpost about this will follow!). And the first thing that happened when firing up my laptop in front of these guys was firefox opening, and lastpass popping up…


10 seconds later, my new boss mentioned something like “goe bezig”, roughly translated to “nice going”

Anyway, today I present you: THE SOLUTION

Your own sync tool built around keepass!

I’ve been using keepass as long as I can remember. It contains all my secrets, my passwords, my configs, my life. But I always used it off-line. I open it, copy paste something, close it and erase my clipboard.
Actually, it never occurred to me you can use it otherwise!

Until today, on my first hit on google: “keepass firefox” 😛

After trying out some random extensions, I kept using PassIFox. And it works! And it works gooood!

Just install the plugin for Firefox, you also need a plugin for lastpass (to enable an http web service), and you’re good to go! Uninstall lastpass, throw away all other 3rd-party related crap you don’t want to be associated with your passwords!
From now on, you only have 1 place you store your passwords in: your own AES-256 encrypted keepass db!

The really interested reader now wants to shout “you’re not syncing anything between computers!”.
But, then I would answer “you’re too soon with your remark” 😛

Put all of the above in a skydrive/dropbox/owncloud/anything, and you can run around using your passwords everywhere!



Some remarks on passifox: browse to any website with a login field, right-click -> fill user & pass. This is the only known interface to the firefox plugin! Use this to set up the initial connect with lastpass (connect will appear).

Some remarks on the entire process: I always trusted sites like lastpass. I don’t know exactly why. But when you work for an InfoSec company, you can’t risk anything. Right? 🙂
Maybe it was out of laziness, because lastpass just works that handy 😛 But in the end, so does passifox! So please, when you read this, think twice about who you trust with what!

Remark on skydrive/dropbox/owncloud: even Microsoft’s skydrive can, in the end, leak information. Or I can forget to log off somewhere. Forget to log off from any live-enabled website and someone can have access to these files as well. Even when you run owncloud, your provider can be the target of an attack (happened in the Netherlands last week…). But hey, the only thing these “21st century burglars” can download is an AES-encrypted file! Good luck with that 🙂
Hell, with this setup you can even put a hidden truecrypt container in skydrive containing a portable firefox and keepass… But then, who’s that paranoid? 😛

Random generators suck…
Apparently none can make a good one…

My car (bmw), my previous car (opel), my ipod, itunes, windows phone, youtube, …

After a song, always the same “random” song follows..
It’s kind of strange…
If you let me create a random() function, I would include the time somehow.
At least in a car you can create some mathematical function, which divided by the current amount of minutes, will give you something pseudo random, right?
At least random enough to not always let a specific song be the next one at another certain song?

Dilbert gives you the real analysis of how true randomness can be achieved.

As you can see on the page mentioned above, even php’s rand() on windows sucks! Spot the “pattern” in the picture below!
According to Bo Allen php performs better on Linux… Shame on you Microsoft! 😛

php’s rand() function on windows!


Anyway, I don’t want to know the next song, when I enable “shuffle” in my audio player…

Microsoft, BMW, Apple, please fix it!

Working in a big company is fun.
You’ll get in touch with private server parks, HA clusters, and a loooot of problems…

SQL -> SQL 2012 SP1 bloating the windows registry to the max (2048 MB), making windows do VERY weird things…
Cisco/Windows 8 -> Windows 8 and Cisco WiFi don’t work together!
NetApp/VMware -> Random storage disconnects…
Exchange -> story of an exchange 2003 user with a working mailbox, but a corrupted OWA… Even Microsoft didn’t find a solution 🙂

I’m not saying we weren’t the very first in the world with the problems above…
I’m just saying we were one of the first with those problems… 😛

And I’m probably forgetting some issues… 😛

Smartsys blog is coming up later this year!
It’ll be a place covering awkward situations as mentioned above, with as many answers and solutions as possible!

Stay tuned! 😎