the office

So, a quick little overview of my home audio setup 🙂

All UPnP/DLNA based…

Suggestions to improve, questions and comments are always welcome! 😎

Currently still not looking at Spotify actually… Most of the music I play is either podcasts or online sources (stubru 🙂 )


My first time TechEd and it was awesome!
Much heavier than anticipated: went to sessions every day from 8.30 till 18.15, sucking up all available knowledge!
Talked to a bunch of interesting people, tried to learn as much as possible, saw cool demos and was impressed by the huuuge amount of people there!


Things to remember!


Further, I saw Mimikatz come by like 10 times, got the colours of ProcessExplorer explained to me for 3 times, learned how to set a filter in ProcessMonitor 2 times…

Had great fun with speakers @samilaiho and @andymalone

Got back with cool presents from @tycotic and @tintri_emea

Because there is still a huge lack of documentation about Microsoft AD RMS, here are some hints and tricks to use!

  • First thing: irmcheck! Go use it!
  • Always check the NTFS ACL permissions on the server-side files (the .asmx files).
  • The ConnectionString for SQL is located in the registry.
  • MSIPC (RMS client 2.0 in Windows 8 and Office 2013) caches in the registry and in %localappdata%:
  • REGISTRY:\Software\Classes\Local Settings\Software\Microsoft\MSIPC\<Server Name>\Template (HKCU or HKLM)
  • %localappdata%\microsoft\msipc
    Hint: you can delete the huge file names with “rmdir MSIPC /s” in cmd (for some reason it doesn’t work in PowerShell).
  • Advanced troubleshooting on OSI layer 7: Fiddler! (enable HTTPS decryption) Really, put it in between! You’ll get far more useful error messages than “cannot connect to the server” or “cannot use this feature without credentials”…
    Even better, go Wireshark (note: SSL MITM here…)!
  • The older MSDRM (RMS Client 1) puts everything in your %localappdata%\Microsoft\DRM. There you can find your user and machine certificates, and templates.
    Registry keys are under REGISTRY:\software\microsoft\msdrm
  • Always check the IIS certificates! If there’s something wrong, nothing will ever work!

Please, open them up, they’re just XML-based and contain a lot of information! For example, in the GIC file you can confirm your RMS location. Don’t bother trying to modify them, they’re hashed… But you definitely should check them for having :443 in their URLs (check this article).
GIC (Group Identity Certificate) = RAC (Rights Account Certificate)
CLC (Client Licensor Certificate)
CERT-Machine = SPC (Security Processor Certificate)

More about those 3 files in here

  • When you need to go deeper, use DebugView (or something new: Trace Spy). This works for both MSDRM and MSIPC,
    server-side and client-side.
  • Go and check the Windows Event Logs. The RMS client doesn’t actually log anything there, but it can be a source of good information anyway!
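The “check your certificate files for :443” advice above is easy to automate. The following is an added example, not code from the original post: it pulls every URL out of a certificate file with a regular expression (so nothing about the XML schema is assumed) and reports the ones that are not https with an explicit :443. The default directory comes from the post’s %localappdata%\Microsoft\DRM; the sample certificate text and its element names are constructed for the example and are not a real GIC.

```python
"""Scan RMS client certificate files for service URLs missing an explicit :443.

Added example, not from the original post.  The certificates are XML-based,
but their schema is not assumed here: URLs are extracted from the raw text,
so the same check works on the GIC/RAC, the CLC and the machine certificate.
"""
import os
import re
from urllib.parse import urlsplit

# MSDRM (RMS Client 1) cache directory named in the post.  MSIPC (RMS client 2.0)
# keeps its cache under %LOCALAPPDATA%\Microsoft\MSIPC instead.
DEFAULT_CERT_DIR = os.path.join(os.environ.get("LOCALAPPDATA", ""), "Microsoft", "DRM")

# Any http(s) URL, up to the next quote, angle bracket or whitespace.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample (element names made up for the example, not the real schema).
SAMPLE_CERT_XML = (
    "<cert>"
    '<server role="licensing" url="https://rms.corp.example:443/_wmcs/licensing"/>'
    '<server role="certification" url="https://rms.corp.example/_wmcs/certification"/>'
    '<server role="licensing" url="http://rms.corp.example:443/_wmcs/licensing"/>'
    "</cert>"
)


def find_urls_without_443(cert_text: str) -> list[tuple[str, str]]:
    """Return (url, reason) for every URL that is not https with an explicit :443."""
    findings = []
    for url in URL_RE.findall(cert_text):
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append((url, "scheme is %s, not https" % parts.scheme))
        elif parts.port is None:
            findings.append((url, "no explicit :443 port"))
        elif parts.port != 443:
            findings.append((url, "port is %d, not 443" % parts.port))
    return findings


def decode_cert_file(raw: bytes) -> str:
    """The cache files' encoding is not assumed: honour a UTF-16 BOM, else UTF-8."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def scan_directory(directory: str = DEFAULT_CERT_DIR) -> dict[str, list[tuple[str, str]]]:
    """Walk the cache directory and collect findings per file; unreadable files are skipped."""
    report: dict[str, list[tuple[str, str]]] = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    findings = find_urls_without_443(decode_cert_file(fh.read()))
            except OSError:
                continue
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    print("sample certificate:")
    for url, reason in find_urls_without_443(SAMPLE_CERT_XML):
        print("  %s: %s" % (url, reason))
    print("local MSDRM cache (%s):" % DEFAULT_CERT_DIR)
    for path, findings in scan_directory().items():
        for url, reason in findings:
            print("  %s: %s: %s" % (path, url, reason))
```

Run it on a client that shows the “cannot connect to the server” symptom; a URL without :443 in any of the three certificates is the first thing to compare against the cluster URL configured on the server.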

Sometimes, you just want to store files in the cloud. Because you want your data to be available everywhere. Or you want an offsite backup. Or you want to share it with someone.

Anyway, you have to put it SOMEWHERE.
And preferably somewhere secure, and not too expensive.

Now, you have the classic hosting providers, providing you with an HTTP/FTP-capable webspace. But, as always, that’s a bit expensive…

When you start looking around, for backup, archive or file hosting services, you stumble upon the classic tools like dropbox, skydrive, backblaze, crashplan, …

But, in my case, that’s also not something I’m looking for.
I just want to mount a “cloud drive” via a web service, FTP or WebDAV. It can even have its own tool, as long as the actual files stay in the cloud…

So, into “the big three”: Amazon S3, Google Cloud Storage and Windows Azure Storage blobs… Pricing is on the right of this blogpost.

Still… They’re like 5-10€/month for 100GB… That’s 100€ per year.
With 100€ you can buy yourself a 1000GB hard disk, put it on your desk and revproxy the thing?
Even with the electricity cost you’re not going to hit that 100€ limit…

Or buy a new hard drive each year, and put the old one somewhere safe! At a friend’s house, in your basement, you can even bury it in your garden ^^

I was considering getting an Azure subscription, now not any more 🙂

The interwebz is a complex wasteland.
Almost every website requires a login. And I don’t want to use the same password everywhere!
I have some categories in my “default” passwords: the simple password (19 bit) for the “one-time-use” websites, the more complex ones (still only max 65 bit) for the “special sites” like Facebook, Google, or my HR department… Actually, my “toughest” password (my Cronos admin password) only reaches 87 bits…


only a couple of my accounts…

Anyway, when you’re on the internet for a couple of years, you gather some accounts.

Lots of them


And in the beginning, it was fun.
You only have 1 computer, you only use 1 browser, you just store everything in there.

But then something new shows up.
You start experimenting with Firefox.
And you buy a laptop.
And you have a network profile at school, or at work.
Or you’re on a holiday and you need to login on your webmail.

You need something to sync all your information, and to make it all available wherever you are.
Same for bookmarks, but that’s another story…

The last couple of years I always made use of random sync tools. At first the sync tools from Mozilla itself, later on some other third-party tools, but the last tool I got stuck with was Xmarks. But last year it was bought by LastPass. So all my passwords were suddenly in their hands…
I’m not sure I like that…

But I kept using it, because it comes in damn handy!
All your passwords perfectly in sync between devices, nice plugins for every browser, and even a nice web interface!

But, still, you trust your password with someone else…

Anyway, this week I started doing some consultancy (read: they’re teaching me) for another Cronos Group company working on InfoSec (another blog post about this will follow!). And the first thing that happened when firing up my laptop in front of these guys was Firefox opening, and LastPass popping up…


10 seconds later, my new boss mentioned something like “goe bezig”, roughly translated to “nice going”

Anyway, today I present you: THE SOLUTION

Your own sync tool built around KeePass!

I’ve been using keepass as long as I can remember. It contains all my secrets, my passwords, my configs, my life. But I always used it off-line. I open it, copy paste something, close it and erase my clipboard.
Actually, it never occurred to me you can use it otherwise!

Until today, on my first hit on Google: “keepass firefox” 😛

After trying out some random extensions, I kept using PassIFox. And it works! And it works gooood!

Just install the plugin for Firefox, you also need a plugin for lastpass (to enable an HTTP web service), and you’re good to go! Uninstall LastPass, throw away all other third-party crap you don’t want to be associated with your passwords!
From now on, you only have one place you store your passwords in: your own AES-256 encrypted KeePass database!

The really interested reader now wants to shout “you’re not syncing anything between computers!”.
But then I would answer “you’re too soon with your remark” 😛

Put all of the above in a skydrive/dropbox/owncloud/anything, and you can run around using your passwords everywhere!



Some remarks on PassIFox: browse to any website with a login field, right-click -> fill user & pass. This is the only known interface to the Firefox plugin! Use this to set up the initial connection with lastpass (connect will appear).

Some remarks on the entire process: I always trusted sites like LastPass. I don’t know exactly why. But when you work for an InfoSec company, you can’t risk anything. Right? 🙂
Maybe it was out of laziness, because LastPass just works that handy 😛 But in the end, so does PassIFox! So please, when you read this, think twice about who you trust with what!

Remark on SkyDrive/Dropbox/ownCloud: even Microsoft’s SkyDrive can, in the end, leak information. Or I can forget to log off somewhere. Forget to log off from any Live-enabled website and someone can have access to these files as well. Even when you run ownCloud, your provider can be the target of an attack (happened in the Netherlands last week…). But hey, the only thing these “21st century burglars” can download is an AES-encrypted file! Good luck with that 🙂
Hell, with this setup you can even put a hidden TrueCrypt container in SkyDrive containing a portable Firefox and KeePass… But really, who’s that paranoid? 😛

Random generators suck…
Apparently none can make a good one…

My car (bmw), my previous car (opel), my ipod, itunes, windows phone, youtube, …

After a song, always the same “random” song follows..
It’s kind of strange…
If you let me create a random() function, I would include the time somehow.
At least in a car you can create some mathematical function, which divided by the current amount of minutes, will give you something pseudo random, right?
At least random enough to not always let a specific song be the next one at another certain song?

Dilbert gives you the real analysis of how true randomness can be achieved.

As you can see on the page mentioned above, even PHP’s rand() on Windows sucks! Spot the “pattern” in the picture below!
According to Bo Allen, PHP performs better on Linux… Shame on you Microsoft! 😛

php’s rand() function on windows!


Anyway, I don’t want to know the next song, when I enable “shuffle” in my audio player…

Microsoft, BMW, Apple, please fix it!
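The “same song always follows” symptom is exactly what you get when the next track is picked as rand() % n and the generator’s low bits cycle. The following is an added example, not code from the post or from any of the players named in it: a toy LCG using the multiplier and increment from the C standard’s sample rand() but returning the low bits of its state (a classic mistake), a check of whether every track is always followed by the same track, and the same check run against Python’s secrets module. Seeding such a generator with the clock only changes where in the cycle you start, not the cycle itself.

```python
"""Detect a fixed "successor" track, the pattern the post describes.

Added example (not from the original post).  WeakLcg is a toy generator
constructed here for illustration; it is not claimed to be any vendor's
implementation.
"""
import secrets


class WeakLcg:
    """32-bit linear congruential generator.

    Multiplier and increment are the example constants from the C standard's
    rand() sample.  Returning the LOW bits of the state is the weakness: for
    a power-of-two modulus the lowest bit alternates, bit 1 has period 4, and
    in general the low k bits cycle with period 2**k.
    """

    MOD = 1 << 32

    def __init__(self, seed: int) -> None:
        self.state = seed % self.MOD

    def rand(self) -> int:
        self.state = (self.state * 1103515245 + 12345) % self.MOD
        return self.state & 0x7FFF  # low 15 bits, the mistake under test


def shuffle_sequence(next_int, n_tracks: int, n_draws: int) -> list[int]:
    """Pick the next track n_draws times the naive way: rand() % n_tracks."""
    return [next_int() % n_tracks for _ in range(n_draws)]


def successor_table(seq: list[int]) -> dict[int, set[int]]:
    """For every track, the set of tracks that ever followed it."""
    table: dict[int, set[int]] = {}
    for cur, nxt in zip(seq, seq[1:]):
        table.setdefault(cur, set()).add(nxt)
    return table


def is_predictable(seq: list[int]) -> bool:
    """True when every track is always followed by one and the same track."""
    return all(len(following) == 1 for following in successor_table(seq).values())


def compare(n_tracks: int = 8, n_draws: int = 400, seed: int = 20141026) -> tuple[bool, bool]:
    """Run the successor check on the weak LCG and on a CSPRNG-backed picker."""
    weak_seq = shuffle_sequence(WeakLcg(seed).rand, n_tracks, n_draws)
    # secrets.randbelow(2**15) % 8 stays uniform because 2**15 is a multiple of 8.
    strong_seq = shuffle_sequence(lambda: secrets.randbelow(1 << 15), n_tracks, n_draws)
    return is_predictable(weak_seq), is_predictable(strong_seq)


if __name__ == "__main__":
    weak_fixed, strong_fixed = compare()
    print("weak LCG: every track has a fixed successor:", weak_fixed)    # True
    print("secrets:  every track has a fixed successor:", strong_fixed)  # False
```

With 8 tracks the weak generator walks a fixed cycle of length 8, so not only is the successor fixed, every track appears exactly once per 8 picks. The check is a quick smoke test, not a statistical test suite; a generator passing it can still be predictable.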

Working in a big company is fun.
You’ll get in touch with private server parks, HA clusters, and a loooot of problems…

SQL -> SQL 2012 SP1 bloating the windows registry to the max (2048mb), making windows do VERY weird things…,
Cisco/Windows8 -> Windows 8 and Cisco WiFi doesn’t work!
NetApp/VMware -> Random storage disconnects…
Exchange -> story of an Exchange 2003 user with a working mailbox, but a corrupted OWA… Even Microsoft didn’t find a solution 🙂

I’m not saying, we weren’t the very first in the world with the problems above…
I’m just saying we were one of the first with those problems… 😛

And I’m probably forgetting some issues… 😛

Smartsys blog is coming up later this year!
It’ll be a place providing awkward situations like the ones mentioned above, and as many answers and solutions as possible!

Stay tuned! 😎

The all-in-one mail server from Microsoft.
Featuring mail (duh), calendar, contacts, etc…

It has been a project of almost 4 months, but the end is near!

Probably it can be done in a much shorter time span, but we took our time for this one.
Mail is still considered one of the most vital elements in a modern company, so we were not allowed to make stupid mistakes!

If you never heard of Exchange, you’re probably not an IT-er, or an IT-er living under a rock. All communication, reminders, calendars and contact information is stored in this massive software package from Microsoft. (Sometimes users even use this to archive their pictures, music or whatever data they have… 😮 )
And you don’t want to delete random things, or run into corruption…
So we really double-checked (and even triple-checked) every step we took!

The core of the story: moving >1000 users from Exchange 2007 to a completely new, high-performance and redundant Exchange 2010 environment.

So a couple of new servers were bought: some nice Dell PowerEdges featuring an AMD logical octa-core processor, 64GB of DDR3 RAM, and a bunch of SATA drives.
Exchange 2010 is less dependent on raw IOPS and CPU cycles than Exchange 2007, so we made a nice compromise between price and performance.

On this hardware, another first was introduced: the first production Hyper-V solution in our server park! (all of our current clusters run VMware ESX 4.1 and 5)
So we have 2 new PowerEdges with Hyper-V core, both with 2 guests for hosting the different Exchange server roles, and a couple of virtual machines for authentication and reverse proxy!

try bringing this down!

Redundancy is created easily using the new Database Availability Group (DAG) feature of exchange 2010.
This runs on top of the windows server clustering technology, and it mirrors the information across servers.
As a result, information like your mailbox/calendar/contacts is, pretty much, always available to the end user. When one of the two servers explodes and goes down (which is not unthinkable), or a fiber is cut, or an airplane crashes onto our building, …, the other server takes over.
More redundancy is created on the client access servers and the internet-facing reverse proxy servers (using Microsoft’s Forefront TMG), which are all duplicated.

So try taking that down! 😛
(Actually, mail went black already twice… :-?, but neither Exchange nor Hyper-V is to blame! )

Most of my time went in learning Exchange Server, preparing for possible pitfalls and installing TMG (which was a real challenge, maybe I’ll post a real tutorial for that later).

I made and reused some scripts in Powershell for managing transitions, monitoring and other purposes.
I’ll definitely post them later, because I’m sure you can learn from them the way I did!

Exchange, over and out!


Goodbye Dommel, Hello Telenet…

On the one hand my parents wanted digital television, on the other hand we were all fed up with Dommel’s flaky support.
So yeah, everything Telenet (television, telephone & internet).

So, hereby a blog post: “how to live with Telenet”.

  • All TCP ports < 1024 are blocked, terrible… Actually my biggest problem. Luckily PPTP does work 🙂
  • Limited MAC filter: you can only enter 10 MAC addresses for the WiFi MAC filter. Scrapped it, replaced everything with a WPA2 password… (yes, MAC filtering is not security, but in the middle of nowhere where I live it just makes life a lot easier 😀 )
  • DNS: you don’t get a local DNS, everything goes straight to the Telenet DNS master servers… So ipconfig /registerdns and all associated services don’t work (no name resolution over VPN, no DNS queries for mobile devices, and actually more issues than you’d expect at first)
  • No control over DHCP (which would solve the problem above ^^)
  • No more Usenet 😦

Living with a Telenet modem in the house is fun too.
The internet is just fast (93 Mbps in the middle of nowhere in stjob)
And that’s about where it stops 😛
It doesn’t really have advantages 🙂
Yelo is pretty cool too 🙂

Oh well, I’m just glad I got my VPN working. Which is about the most important thing to be able to work remotely a bit…


A solution to a number of issues would be to reconnect my existing router and put it in the DMZ of the Telenet router… Then my MAC filter and my DNS are OK again, and I regain control over speeds, management, QoS, … But then I lose the relatively good WiFi of the Telenet box…

In the end, an option worth considering… 🙂