Everything posted by Kas Ob.

  1. Kas Ob.

    Few do-not in website

    Yes, I meant the browsers, aka the client side.
  2. Kas Ob.

    Few do-not in website

    Trying to log in to https://quality.embarcadero.com/login.jsp triggered me, and I want to give an advice to everyone: look at other websites before designing your own, and don't violate your visitors' privacy for gain or out of stupidity; this will not go well with the current laws.

    First, the above link does ask for a CAPTCHA in the ugliest way, like this. You can see clearly that the autocomplete is hiding the thing; no page ever did that stupid thing with the captcha under its input field.

    Second, you want analytics for your site, then that is OK and within your rights, but allowing some shady tracking stuff is a NO unless you are planning to sell your domain. I have many extensions in my browser to protect and filter out most of the nasty stuff on the https://www.embarcadero.com page, so I went to an extra length to show you this salad. If you want analytics then pick one freaking method instead of using 102340 tracking methods without notifying your visitors; everyone should by now have heard about GDPR, and delegating that shit to other 3rd parties doesn't absolve you from the consequences. So Facebook, Google, Tawk, batshit Bing, Twitter, Eloqua, and that very shady en25 script !! Was it enough? Don't do that to your visitors, but if you need all of that then you might add Yahoo to that orgy, and you can ask publicly; we the visitors gladly can suggest a few useful tracking links to violate your visitors' privacy even more.

    PS: many of you might have heard about hidden pixels (sometimes called tracking pixels), and here you can see them on your beloved site; now you can see it.
  3. Kas Ob.

    Few do-not in website

    In fact Jira has a captcha that can be enabled, and here is how to enable it: https://confluence.atlassian.com/adminjiraserver080/enabling-public-signup-and-captcha-967897139.html So someone really did walk an extra step to redesign it, and all I want to point out is some bad practices, and I brought as an example two links that sometimes I have to click.
  4. Kas Ob.

    Few do-not in website

    Good question, although squaring Google gets is a mistake. Look at how manipulative that is: it is done twice by the Facebook tracking and identifying system to ensure they received your specific information, once with GET, where the information is loaded in the path, and the second with POST, where the load is in the HTTP header, and to bypass many filters the request had a 0 byte response; in other cases you will see a dropped connection without even a response like 200. This and many other tricks are used to fool filters and known blocking methods. Also I want to recommend everyone to disable cross-site cookies; it is very important, and without disabling it in your browser these sites will continue to track every page you visit. Google "prevent cross site cookies" for more information. One more thing: the welcome page in the IDE is the first thing I remove, but does anyone know what the embedded browser allows or brings to you? It is for everyone to decide.
  5. Kas Ob.

    Few do-not in website

    I used autocomplete and that was wrong wording; I didn't mean autofill.
  6. Kas Ob.

    Few do-not in website

    Not saying I saw many Jira login pages, but I have never seen this one anywhere; also it is fully customizable as always. My browser autocomplete never failed me 😎, it is always working and never crashes my browsing sessions; I will not blame it.
  7. Kas Ob.

    Delphi demands elevation?

    I might be wrong, but you might not have a clear picture of how security and privileges work on Windows; it is a very complicated subject and easy to miss, as we rarely face such situations. So let me explain a few things. While I can't cover it all, and I will miss mentioning many facts, and there are many sources on the internet that explain this better than me, the Microsoft documentation is not clear enough for a first reading, but I hope after this you can understand these resources better.

    Inheritance (damn it, it took me a while to remember the word): security inheritance is where things get complicated and cause confusion. See, if you are logged in to your Windows as ABC and then used Notepad to create a file 1.txt, that file will have the same security and ownership inherited from the user who ran Notepad, not the one who created Notepad.exe! That is an important thing to remember. Also, when you opened the save dialog and created a folder to save the file within, that folder will have the same process security coming from runtime usage; that is another important thing to remember, because it might cause confusion: when creating a folder or a file from within an open/save dialog, it belongs to that process and its user's security, not Windows Explorer and the logged-in user! Another thing: if you are using RDP and created a file, that file will use your security privileges; the file will eventually have the logged-in user from the RDP, meaning a remote user on the server, the one logged in.

    Things get complicated when you use a network share or RDP shared resources, as these are different situations. The RDP shared resource will ensure your local file security and user privileges will still be the same on the remote device, and here come the problems. I am using this example to explain how things can go south easily: your uploaded file has the ownership of the creator, which is ABC (it's you from your PC), and it will still have ABC on the remote, so if a different user logged in using RDP there is a big chance that he might see the file but can't open it!, unless your privileges allow Users or Everyone or explicitly declare the other users by name.

    Now to the debugging privileges: a debugger doesn't need administrator privileges per se to run and debug, but it definitely requires privileges enough to debug the executable in question while having the privileges to debug. I hope that is clear: so a debugger, to debug, needs privileges on its own, and the debugged file should be in compliance with that; only then you can debug. I hope this does clear up why I asked where the IDE and files (executables and folders) did come from, and who was the user who created each of them.
  8. Kas Ob.

    Delphi demands elevation?

    A few things about the above:
    1) The stack will be more helpful than the disassembly.
    2) You didn't make clear which is in the VM; talking about the built EXE and the IDE, is it both or one? My thought is that only one is in the VM and the other is on your different devices.
    3) You didn't mention what happens if the IDE ran with administrator privileges and tried to debug: what is the error, and the more important question, does the IDE see the EXE at all?
    The above points will help, and if I were to guess, the problem is coming from one of them (IDE and EXE) having different and/or more restrictive user ownership and access. The easiest way to fix this is to take ownership and/or to add user privileges (something like Everyone will do for the exe but not for the IDE's if they are outside the VM), and that depends on which is coming from a different machine. You asked for insights, and I hope this gives you a line to follow; the thing with user privileges is that they are very tricky and you need to understand the problem to solve it on all your devices.
    PS: when handling security for files, be careful and check folders; some folders might have different security settings, so if you are to check, then check files and folders. Also sometimes just deleting files is not enough and you need to delete their folders to create new ones with the current user's privileges.
  9. Lars, you are bringing this 3 days after that article, while digging just a little deeper it seems that vulnerability might have been already known in January!, only now being patched. Anyway, to keep updated I suggest following the CVE register itself instead of depending on articles here and there: https://cve.mitre.org/index.html Use the search from there, and for easier and faster usage bookmark your own links, like this one: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=vmware And just like Wil mentioned, keep in mind that the article mentioned CVE-2021-21985, which does belong to vSphere: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21985 Also the disclaimer makes clear that the number and date are not relevant, but the issue was recorded publicly by VMware in the last week of May, so according to the dates they are always late: https://www.vmware.com/security/advisories/VMSA-2021-0010.html There are hundreds of vulnerabilities used by malicious parties where the authors know about them and didn't disclose their knowledge simply because they don't understand how to reproduce them; only after they do understand, they can prepare a fix/patch, and after that they will either sleep on it or announce it.
     PS: Lars, PSRemoting is dangerous too; I can't trust it the way you do. The minimum you can do is to limit access to it by using a firewall with whitelisted IPs for specific ports; never ever leave it open for everyone, and the same goes for all/any OS components.
  10. I think the problem is a result of the inlined function name adjustment with "_", so if removing the inline identifier makes it work, then google for this specific problem. I am not much help in this case; also have a look at the section "C99 inline functions" on this page: https://clang.llvm.org/compatibility.html
  11. Not so weird when you understand how AVs work internally. Most if not all AVs do something like score points in their scan when they are faced with something new; by new I mean something that is not in their database. The popular malicious software will be flagged right away based on its hash and others, but for something new the AV will look for criteria like:
     1) EXE internal structure.
     2) Is the machine code obfuscated.
     3) What does it import from the system.
     4) Special strings and keywords. This is very important, as these strings will be matched against a dictionary of registry keys and file names...; does it import CreateProcess, OpenProcess ... dynamically, and there are more red-flagging functions like CreateRemoteThread. Also it will check if this was declared and imported normally, or whether the name exists in the EXE without being imported, meaning it might be imported at runtime, so having these API names contained in the EXE scores higher than (3).
     5) Does the resource have encrypted data; by encrypted, it might be simply compressed, for the AV it is the same unknown data. Another thing: if there is a DLL in the resource.
     6) ... More things and criteria, and these are what come to mind now.
     Back to the score system: while looking at the above, the Delphi-built EXE already lost a point in (1) right away against almost all other EXEs.
     Googling for some additional information, I couldn't find a more detailed or better written article or blog, but found this, which is irrelevant to AV per se; it only explains how a security scoring system might work: https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System
     As for the code signing certificate, it is way easier to obtain the organization one than the individual one, and I can give advice to save yourself time, because it can easily be exhausting and time consuming to provide all the needed documents. My advice: buy where you see it cheaper, as all retailers will have nothing to do with your process validation; yes, buy the cheaper one and from a retailer. Next, don't upload your documents using the automated system, but first contact the support with their live chat, and that is for the certificate issuer, as the retailer will not be able to help at all. While you are with someone on support, let him walk you through with links and let him check the documents you uploaded, and that will save you days!, as each upload might take more than a day for them to answer and ask for a clearer thing or a notarized translation or ... And be prepared for everything, like where is the translator's license data and address; this took 3 days after I finished all my documents. When I supplied the information about the translator they asked for a link for the notary information, including a link to a governmental site showing his license, stuff like that.
  12. Kas Ob.

    10.4.2 IDE crashes on start

    @Tom F I see such crashes almost on a daily basis. I don't open files, but when I am working on something and, as always, another project jumps in to join the party in my brain, I stop and open another IDE, then drag and drop the jumping file into it, and it does crash most of the time. The workaround is to do this: 1) open the IDE, 2) create a new VCL project, 3) close it, and that is it; after that you can open any file or drop any file and it will not crash. Please share if that did work for you.

    Off topic, and about your crash report and its stack: it is clear that Xml.XMLDoc.TXMLDocument in xmlrtl270.rtl is buggy or wrongly abused by multithreaded use. It all starts from
    [514F360C]{xmlrtl270.bpl} Xml.XMLDoc.TXMLDocument._Release (Line 2427, "Xml.XMLDoc.pas" + 6) + $4
    and it continues till this very interesting part, the end (aka the top of the file) before the crash:
    [500685AA]{rtl270.bpl } System.@IntfClear (Line 38797, "System.pas" + 9) + $0
    [5005FD59]{rtl270.bpl } System.TObject.CleanupInstance (Line 18181, "System.pas" + 23) + $0
    [5006063C]{rtl270.bpl } System.TMonitor.Destroy (Line 19528, "System.pas" + 0) + $0
    [5005FD59]{rtl270.bpl } System.TObject.CleanupInstance (Line 18181, "System.pas" + 23) + $0
    [5005A25C]{rtl270.bpl } System.@FreeMem (Line 4891, "System.pas" + 20) + $0
    [5006063C]{rtl270.bpl } System.TMonitor.Destroy (Line 19528, "System.pas" + 0) + $0
    [5005FD59]{rtl270.bpl } System.TObject.CleanupInstance (Line 18181, "System.pas" + 23) + $0
    [500685AC]{rtl270.bpl } System.@IntfClear (Line 38798, "System.pas" + 10) + $0
    The existence of TMonitor.Destroy twice is wrong, especially if you notice the line number is different, meaning it is trying to destroy an already nil'ed object! And the AV was raised when it tried to dereference the object.

    Off topic: this part in the stack dump is making me think about what is going on there, but this is irrelevant to the crash:
    [004B0F4F]{bds.exe } AppMain.TAppBuilder.DestroyProjectGroup (Line 2761, "AppMain.pas" + 21) + $9
    [004B46EC]{bds.exe } AppMain.TAppBuilder.WindowCloseQuery (Line 4008, "AppMain.pas" + 51) + $3
    [50E56EEC]{vcl270.bpl } Vcl.Forms.TCustomForm.CloseQuery (Line 7466, "Vcl.Forms.pas" + 8) + $14
    [50E56E15]{vcl270.bpl } Vcl.Forms.TCustomForm.Close (Line 7438, "Vcl.Forms.pas" + 4) + $4
    [0170477F]{vclwinx270.bpl} Vcl.TitleBarCtrls.TCustomTitleBarPanel.TitleButtonCloseClick (Line 1434, "Vcl.TitleBarCtrls.pas" + 2) + $7
    [50CF76CB]{vcl270.bpl } Vcl.Controls.TControl.Click (Line 7596, "Vcl.Controls.pas" + 9) + $8
    [50EA8BC8]{vcl270.bpl } Vcl.Buttons.TCustomSpeedButton.Click (Line 1964, "Vcl.Buttons.pas" + 0) + $4
    [50EA8BB2]{vcl270.bpl } Vcl.Buttons.TCustomSpeedButton.MouseUp (Line 1957, "Vcl.Buttons.pas" + 25) + $10
    [50CF7AFC]{vcl270.bpl } Vcl.Controls.TControl.DoMouseUp (Line 7724, "Vcl.Controls.pas" + 2) + $25
    I don't know and have never seen the winx library, but assuming it is Windows 10 controls with the new Delphi IDEs, what caught my eye is the series of these actions: MouseUp->TCustomSpeedButton.Click->TControl.Click->TitleBarCtrls.TCustomTitleBarPanel.TitleButtonCloseClick->TCustomForm.Close->.. Is the design that bad that it is a simple overlay delegating events, or does it use hooking? In both cases that is a fragile and bad overlay design; I think it will always cause troubles to draw.
  13. My two cents: Delphi does a very bad thing with linked code. It is not bad in itself, as it should be fine; the problem is like this:
     1) A binary (EXE) for the Windows OS can have section(s) to hold the machine code.
     2) Currently (with almost all compilers and linkers out there) it is one section (segment), called text or txt.
     3) There was a very old tradition (for Windows 3.11 or something, I think) to separate the code and use two sections, and usually the second one is called itext.
     4) That practice was the standard for Visual Basic, and Delphi adopted it.
     5) Here, in parallel to the above, malicious software (virus, trojan...) was evolving and spreading worldwide, and one of the most efficient ways was to inject code into specific executables like the Windows Browser or the WebBrowser, or even every EXE on your PC, to make sure it is running.
     6) The easiest way to inject code into an EXE is by adding a section, as by doing so you are most likely not breaking it; on the contrary, it will be almost transparent to the EXE itself. Then change the EP to point to your newly injected code; the code can be dynamic or just load another ..., it does matter. The point is the EP (Entry Point) was changed from the original point; usually the EP, sometimes called OEP from Original Entry Point, is in the first section, and changing it from the first, back in the day, was a flag that there is malicious code injected.
     7) Delphi has done two sections for years for whatever reason, and the EP is always in the second one, as it holds the dpr code.
     8) The code above is not wrong or malicious; it is only a shortcoming of BitDefender. Also it is not a fault, but I support that; in my opinion additional security will never be too much.
     9) Most likely BitDefender, like many other AVs, barely copes with Delphi's stubbornness with 2 sections!, but many of them expect a specific pattern and more mainstream dpr code to be executed, and it is almost the same unless the developer went ahead and changed that dramatically. As an example, here is how it does look like. Even notice that there is no ret after Call Halt!! This is also a red flag! But they all made peace with it. How do your dpr and your EXE's EP look like? (See for yourself.) Keep in mind all AVs are software that try to detect patterns, and that behaviour is irritating for an AV, and it is better to be flagged as malicious when in doubt; I stand behind this: when there is security doubt, then just don't.
     Now after all the above, relevant or not, what to do:
     1) Try NOT to change the above entry code, meaning add whatever you want in a different unit, not the dpr! This is critical; use one call to it and handle it as you wish. For real, I witnessed the following line, when it is after Application.Initialize in the dpr, cause a false positive: "ReportMemoryLeaksOnShutdown := True;" !!
     2) Sign it! For personal or in-house use or to be shipped, acquire a Code Signing Certificate and sign them, but step 1 should relieve you from that headache in many cases.
     And good luck.
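A worked example added here (my own Python, not code from the post, from Delphi or from any AV vendor) for the two posts above on AV heuristics and on the entry point living in Delphi's second section: it constructs two minimal PE32 images in memory, locates the section that contains AddressOfEntryPoint, and scores the "API name present as a string but never imported" signal. The declared import list is passed in by the caller rather than parsed from an import table, and the score weights are made up for illustration.

```python
import struct

# Layout constants for the constructed sample PE32 images (not taken from any real binary).
FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000

def build_pe(sections, entry_rva):
    """Construct a minimal PE32 image in memory. sections: list of (name, raw_bytes)."""
    n = len(sections)
    opt_size = 224  # size of a PE32 optional header
    headers_size = 0x40 + 4 + 20 + opt_size + 40 * n
    headers_size = (headers_size + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
    dos = bytearray(0x40)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x40)                 # e_lfanew -> PE signature
    coff = struct.pack('<HHIIIHH', 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into('<I', opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into('<I', opt, 28, 0x400000)               # ImageBase
    struct.pack_into('<II', opt, 32, SECT_ALIGN, FILE_ALIGN)
    hdrs, body, rva, raw_ptr = b'', b'', SECT_ALIGN, headers_size
    for name, raw in sections:
        raw_size = (len(raw) + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
        hdrs += struct.pack('<8sIIIIIIHHI', name.encode().ljust(8, b'\0'), len(raw), rva,
                            raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)  # code | exec | read
        body += raw.ljust(raw_size, b'\0')
        rva += (len(raw) + SECT_ALIGN - 1) // SECT_ALIGN * SECT_ALIGN
        raw_ptr += raw_size
    image = bytes(dos) + b'PE\0\0' + coff + bytes(opt) + hdrs
    return image.ljust(headers_size, b'\0') + body

def parse_sections(data):
    """Return (entry_rva, [(name, virtual_addr, virtual_size, raw_ptr, raw_size), ...])."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ file')
    pe_off = struct.unpack_from('<I', data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    n = struct.unpack_from('<H', data, pe_off + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from('<H', data, pe_off + 20)[0]  # SizeOfOptionalHeader
    opt_off = pe_off + 24
    entry_rva = struct.unpack_from('<I', data, opt_off + 16)[0]
    sections, off = [], opt_off + opt_size
    for _ in range(n):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from('<8sIIII', data, off)
        sections.append((name.rstrip(b'\0').decode('ascii', 'replace'), va, vsize, raw_ptr, raw_size))
        off += 40
    return entry_rva, sections

def entry_point_section(data):
    """(index, name) of the section that contains the entry point, or None if no section does."""
    entry_rva, sections = parse_sections(data)
    for idx, (name, va, vsize, _, raw_size) in enumerate(sections):
        if va <= entry_rva < va + max(vsize, raw_size):
            return idx, name
    return None

WATCHED_APIS = (b'CreateRemoteThread', b'OpenProcess', b'CreateProcessA')

def api_names_without_import(data, declared_imports):
    """Watched API names that occur as raw strings but are absent from the declared import list.
    The import list is caller-supplied (no import-table parser here); that is enough to show the signal."""
    declared = {n.encode() if isinstance(n, str) else n for n in declared_imports}
    return sorted(n.decode() for n in WATCHED_APIS if n in data and n not in declared)

def heuristic_score(data, declared_imports):
    """Toy score combining two of the post's criteria: EP outside the first section, hidden API names."""
    reasons = []
    ep = entry_point_section(data)
    if ep is None:
        reasons.append((5, 'entry point outside every section'))
    elif ep[0] != 0:
        reasons.append((2, 'entry point in section %d (%s), not the first' % ep))
    hidden = api_names_without_import(data, declared_imports)
    if hidden:
        reasons.append((len(hidden), 'API names present without an import entry: ' + ', '.join(hidden)))
    return sum(w for w, _ in reasons), [r for _, r in reasons]

# Constructed sample 1: Delphi-style layout, unit code in .text and the dpr entry code in .itext,
# with the entry point RVA inside the second section.
DELPHI_STYLE = build_pe([('.text', b'\x90' * 64), ('.itext', b'\xe8\x00\x00\x00\x00\xf4')], 2 * SECT_ALIGN)
# Constructed sample 2: a single .text section with the EP at its start, but an API name embedded as a
# string that the (caller-supplied) import list never declares.
SINGLE_SECTION = build_pe([('.text', b'\x90' * 16 + b'CreateRemoteThread\0')], SECT_ALIGN)
```

Running `heuristic_score(DELPHI_STYLE, ['GetModuleHandleA'])` flags only the entry point placement, which is exactly the false-positive trigger the post describes; the same layout with a declared import for every watched name scores nothing else.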
  14. In my opinion that is a pathetic way to collect (useless) information to propagate an agenda. If it were for me to put questions in such a survey, I would ask such very useful and informative questions as: Weight, in personal view and in the view of people around. Hair color, and I am not talking about the color of the hair itself but the age-induced white hair, aka wisdom hair. Back and neck problems. Bile and gallstones and the MF kidney stones. How many lines you do per x period (not talking about code lines). Toxin consumption and other life delight preferences: Caffeine, Nicotine, Cacao, Prozac, Sugar, Salt, Xanax, Aspirin ... etc., the daily usual stuff.
  15. Kas Ob.

    Help on Access Violation

    Intriguing question!, but let's look at it objectively and we will see it is not. That procedure does what it was designed to do; the problem is not there. I think the problem is one step earlier, happening in ErrorHandler. Here I want to say I am not sure about the latest Delphi versions, but in older versions that ErrorHandler was hated by me very much, because it lists cases of errors, and anything other than these cases will be handled as an IO error! My suggestion is to look earlier, specifically before the last one in the list you captured, GetExceptionObject; you have to see what did happen there and where the source of that exception is. Also check if an exotic exception was raised; also there is a chance that this exception is being raised from an OS API, leading to this. In all cases walking the stack further will disclose more information.
  16. Kas Ob.

    What is the correct approach to "phone home"?

    Many of my clients were incapable of hosting their in-house servers, and many were afraid of dedicated hosting servers, but after trying the hosted dedicated ones they liked them very much. In case you want to amuse the idea, then I would recommend an OVH server or its little sisters: https://www.ovh.ie/ https://www.soyoustart.com/en/ https://www.kimsufi.com/en/ Any one will do!, and trust me, even the smallest one will manage all of your emails and uploading and downloading files, unless you need hardcore data traffic and processing; then stick to the OVH monsters.
  17. Kas Ob.

    What is the correct approach to "phone home"?

    I made a mistake with the lesson/demo for RTC; the one I want to point to is in the Examples folders with the library, called ClientUpload, and it is short and can't be wrongly implemented:

    {$R *.dfm}

    procedure TForm1.btnConnectClick(Sender: TObject);
    begin
      with RtcHttpClient1 do
      begin
        if not isConnected then
        begin
          ServerAddr := eServerAddr.Text;
          ServerPort := eServerPort.Text;
          Connect;
        end
        else
          Disconnect;
      end;
    end;

    procedure TForm1.RtcHttpClient1Connect(Sender: TRtcConnection);
    begin
      btnConnect.Caption := 'Disconnect';
    end;

    procedure TForm1.RtcHttpClient1Disconnect(Sender: TRtcConnection);
    begin
      btnConnect.Caption := 'Connect';
      btnPutFile.Caption := 'Upload';
    end;

    procedure TForm1.btnPutFileClick(Sender: TObject);
    begin
      btnPutFile.Caption := 'Clicked ...';
      with RtcDataRequest1 do
      begin
        // File Name on Server (need to URL_encode all Query parameters)
        Request.Query['file'] := URL_Encode(Utf8Encode(eRequestFileName.Text));
        // Local File Name
        Request.Info.asText['file'] := eLocalFileName.Text;
        Post;
      end;
    end;

    procedure TForm1.RtcDataRequest1BeginRequest(Sender: TRtcConnection);
    begin
      btnPutFile.Caption := 'Sending ...';
      with TRtcDataClient(Sender) do
      begin
        Request.Method := 'PUT';
        Request.FileName := '/UPLOAD';
        Request.Host := ServerAddr;
        Request.ContentLength := File_Size(Request.Info.asText['file']);
        WriteHeader;
      end;
    end;

    procedure TForm1.btnOpenClick(Sender: TObject);
    begin
      if OpenDialog1.Execute then
      begin
        eLocalFileName.Text := OpenDialog1.FileName;
        eRequestFileName.Text := ExtractFileName(eLocalFileName.Text);
      end;
    end;

    procedure TForm1.RtcDataRequest1DataOut(Sender: TRtcConnection);
    begin
      with Sender as TRtcDataClient do
      begin
        // Guard against a zero-length file, which would divide by zero in the percentage below
        if Request.ContentLength > 0 then
          pInfo.Caption := 'Sending: ' +
            IntToStr(Request.ContentOut) + '/' +
            IntToStr(Request.ContentLength) + ' [' +
            IntToStr(round(Request.ContentOut / Request.ContentLength * 100)) + '%]';
      end;
    end;

    procedure TForm1.RtcDataRequest1DataSent(Sender: TRtcConnection);
    var
      bSize: int64;
    begin
      with TRtcDataClient(Sender) do
      begin
        // Send the file in chunks of at most 64000 bytes, reading each chunk from disk on demand
        if Request.ContentLength > Request.ContentOut then
        begin
          bSize := Request.ContentLength - Request.ContentOut;
          if bSize > 64000 then
            bSize := 64000;
          Write(Read_File(Request.Info.asText['file'], Request.ContentOut, bSize));
        end;
      end;
    end;

    procedure TForm1.RtcDataRequest1DataReceived(Sender: TRtcConnection);
    begin
      with TRtcDataClient(Sender) do
      begin
        { We do not expect a long response, so we can wait for the response to be Done before reading it. }
        if Response.Done then
        begin
          { We can use "Read" here to get the complete content sent from the Server if we expect the
            Server to send a short content. If the Server is expected to send a long response, you should
            use Read before Response.Done and write the read content to a file as it arrives to avoid
            flooding your memory. }
          btnPutFile.Caption := 'Done, Status = ' + IntToStr(Response.StatusCode) + ' ' + Response.StatusText;
        end;
      end;
    end;

    end.
  18. Kas Ob.

    What is the correct approach to "phone home"?

    Utilizing HTTP POST is the best out there, because:
    1) HTTP is faster than FTP and SMTP, like a lot faster.
    2) HTTP/HTTPS is the most firewall friendly: one outgoing port and you are good to go.
    Here I want to recommend using your own built server; there are many approaches to achieve that, and here are a few points:
    1) Use your stand-alone server to receive these POST requests, and/or make sure you are using a TLS secure connection, and here you can stick to HTTPS with POST, or you are free to internally use your own TCP protocol, if we can call uploading a file (sending data in one way) a protocol.
    2) Use Indy or ICS, RTC or what you see fit; it really doesn't matter.
    3) I am/was using RTC for many years now to upload many sorts of files; the most frequent files were EurekaLog reports. Have a look here at that demo for uploading a file: https://rtc.teppi.net/realthinclient-sdk-lesson-3-sending-small-files-from-a-folder/
    4) RTC simplifies multithreading beyond imagining; also it gives you the ability to build any server as a stand-alone EXE, Windows Service or ISAPI for IIS.
    5) Once you have your HTTP(S) server receiving the files, then if needed go ahead and send them using SMTP, which I do for EL reports after parsing, so I have nice emails with many details in the mail body and a nice detailed subject, of course along with the attached report.
    6) In a few cases with a few of my clients, they wanted to receive the reports on their server (and their emails), which wasn't IIS, so I wrote a PHP script to forward the reports to their emails; the script is 30 lines including bracket lines! Google PHPMailer or any other mailing method for PHP, along with how to receive a file with PHP; it will make you smile.
    7) HTTP (preferably HTTPS) is OK with CloudFlare-like services, so no effect in switching to such an extra layer of protection in the future.

    A little off topic: I have used hMailServer for many years and it is just more than great: portable folder, fast and secure, it can't be more of a breath of fresh air to use and configure. I witnessed a server with a weak account (email) password being hacked and used to send spam; hMailServer managed to send 48-60 million spam emails per day while the backlog was 220 million before I was called to stop it and figure out what it was. Someone created an account for testing with a one-char password and forgot to delete the account!
  19. There are other cipher suites that provide the same security level, like these:
     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
     DHE instead of ECDHE with TLS 1.2 still provides perfect forward secrecy. Or just try to replace your certificate with an EC one instead of the one with an RSA key; these do have better cipher suites and are a little faster in handshakes.
  20. I missed that with FillChar; you are right there.
  21. Right, but I am talking about this case in general. See, it is very rare to design your own code where you need to pass a TArray (or any other defined indexed type) to a function with "pointer to array" with element length; most likely the destination belongs to another realm, or simply put, belongs to code by a different coder (or library). And on the same side, in cases other than the above example where the length is established locally, the length might be 0; in this case I prefer to have a nice overflow exception instead of unpredicted behaviour in case I explicitly missed a check against 0 length. It is just a personal point of view; in many cases I prefer the compiler checks, unless performance is a priority to consider.
  22. You are totally right there, but I prefer sometimes to trigger it explicitly (in development) to make sure (in a case similar to this, as with an external API) that the called function is well equipped to handle such a case; in other words, to make sure I am not leaving it unhandled and unchecked, just as a safety measure.
  23. Should be FillArray(data, 100 * SizeOf(Integer)); And you can use const or var with the same result in this case. As David pointed out, declare the function with PInteger and pass it by PInteger(@data[0]).
  24. Kas Ob.

    Problem with local resources in RDP Session

    In my opinion RDP was introduced as (how to put it) an extension to Windows Explorer; it wasn't intended to deliver stable resource sharing over the internet, but RDP allowed initializing and sharing drives for the user himself, not for an application, and by user I mean a user using Windows Explorer. Apart from that, you are depending on technology that can fail anytime, and you should rethink how you or your users are depending on it. I think you can extend your application to upload and download files in the right manner, by HTTP or IIS or using a web browser after authorization; there are many solutions to think about where you can have peace of mind about reliability.
  25. Kas Ob.

    Problem with local resources in RDP Session

    Both will work the same; also using the Delphi RTL or the API directly will be OK, with the same result (I think). No need, copy or move will do it, but my suggestion is to build the archive file (zip) in memory without disk operations, then save it locally or not. Again, I am not familiar with your zip library and whether it allows such usage; also if the archive is very big then building it in memory will take a long time on sending, but again it is up to you to measure the size and tune it. My point is against using Seek in general with THandleStreams and files, as it encapsulates a hidden read, a full disk operation that has the same delay and latency; on the other hand, using Seek on RDP resource shares might be buggy to begin with, as RDP has had its share of such bugs over the years.