Category Archives: security

Takeown.exe

I ran into an issue the other day where a file on a network share ended up with its NTFS permissions being hosed in such a way that no one could edit, delete, or even take ownership of it.  I’m not sure how it happened, but it did and the ticket ended up with me to get it fixed.

Nothing I did in the GUI could fix the problem.  I could see the filesystem security attributes were hosed and nothing, not even taking ownership, would successfully complete.  After a quick visit to Google, I found the Technet page for takedown.exe.  It’s basically a tool for sysadmin’s to take ownership of a file with borked permissions.  Perfect!  That’s exactly what I need.

Unfortunately, it didn’t work and failed with a non-helpful generic error.  Turns out I was having a case of the stupids and the file was locked by a crashed application.  Killing the processes released the lock on the file and then I was able to delete the file and restore it from the previous days backup.  On the plus side, I found what looks to be a great tool to keep bookmarked for the future!  

Failing As A Service

Ars has put up an article detailing a recently released paper that used an EC2 instance on Amazon’s cloud to break 512 bit encryption in just a couple hours for a grand total of less than $100.  Technically speaking this isn’t surprising.  Moore’s Law (not really a law) is thing, pretty much everyone who knows anything about computers has heard it and knows the gist of it.  And 512 bit encryption has’t been a recommend best practice in a long LONG time.  It’s no surprise that the computing horsepower needed to break encryption from the 1990’s is easy and cheap to acquire.

However as the article points out there are still servers on the Internet that use 512 bit keys for encryption.  I’d hazard a guess that any server running 512 bit keys probably isn’t getting patched either.  In fact I bet it’s been a long time since they have been touched by an admin.  The Internet in general would be better off without those servers.  Maybe it’s time for the web browsers of the world to start throwing up the scary red title bars and warnings you get if you go to a site with an improper or invalid SSL cert?  It should be easy enough for the browser to detect if the encryption is weak and accordingly inform the user.  Hopefully these are not e-commerce servers of any sort and the only people who are affected by the eventual “issues” will be the people who aren’t maintaining them (or paying someone to maintain them on their behalf)