Posts Tagged ‘draci’

When I was 5 I went up into my grandparents’ quince. I went up too fast and fell down on my head. My friends say “this explains SO many things”. I agree.

This past month or so I changed my glasses and almost got hit by a tram while jogging around the neighbourhood. That besides the fact that my left eye now seems to see at its usual capacity and my brain was Seg-Faulted for 2 days – too much data to process on that IRQ.

Then I had this nice stuff with my skin, ended up in hospital, had almost my entire body a nice mix of wounds and blood, and could barely use my hands for a few days. (imagine me spending an entire night just to import my blog on wordpress.com)

Today I finally went out with friends for the Volkswagen race in Tierpark Berlin. I got stung by a wasp and on my way to the movie I spilled boiling tea on my legs.

dafuq is happening to me?

I’m an accident waiting to happen. Let’s see tomorrow what’s up! 🙂


anger management

Posted: July 6, 2012 in technical

Stupid MicroShit’s Winblows MSWord crashes every ~10 minutes while I work with documents larger than 200 pages.

Pretty soon I’m gonna need serious Anger Management courses to cope with this fucking software. And people actually PAY for it.

To quote Janne Warman: Jesus titty fucking Christ!

Cisco != consistency

Posted: October 28, 2011 in technical

You do remember my love for this magnificent vendor. Now I am looking at an IKEv2 configuration when using RSA X.509 digital certificates.

The trust-point is defined as for any Cisco switch.

If for IKEv1, I would configure RSA-SIG auth like this:

crypto ikev1 enable untrusted
crypto ikev1 policy 1
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 3600

– Usually this is enough for the Phase 1 – authentication to take place. We have RSA, we need to use RSA for authentication.

But for IKEv2, trying to be CONSISTENT, a basic requirement for any equipment on the market, is done like this:

crypto ikev2 enable untrusted
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 3600
tunnel-group myIPsecGroup ipsec-attributes
 peer-id-validate cert
 chain
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate myTrustPointCA

I would sadly add: don’t you find it natural that in IKEv2, the authentication has no place in the Phase 1 definition, but rather somewhere below, where I define the transform-sets (which, by the way, in IKEv2 are called differently) for the Phase 2 ??!!!

Not mentioning the fact that Cisco is the latest guy to arrive at the finish line with IKEv2 (heey, we are in 2011!!), they proved to us again what a professional company it is. I would expect a no-name company from China not to be able to accomplish one of the most important requirements of professional software design: Consistency, but…Cisco? 😦

ref: http://secret-epedemiology-statistic.org.ua/1587052091/ch17lev1sec5.html
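
An added example (not part of the original post, and not Cisco code) that audits a saved ASA configuration for the point made above: it reports which block carries the authentication setting for each IKE version and flags tunnel-groups that lack an IKEv2 local or remote authentication line. The function names are hypothetical, the sample is abridged from the two snippets in the post, and the gap check assumes every tunnel-group ipsec-attributes block is meant to use IKEv2.

```python
import re

# Constructed sample: abridged from the two ASA snippets in the post.
SAMPLE_CONFIG = """\
crypto ikev1 policy 1
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
tunnel-group myIPsecGroup ipsec-attributes
 peer-id-validate cert
 chain
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate myTrustPointCA
"""

AUTH_RE = re.compile(r"(authentication|ikev2 (?:local|remote)-authentication) (.+)$")

def parse_blocks(config):
    """Group indented sub-commands under their unindented parent line."""
    blocks, parent = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line[0].isspace():
            parent = line.strip()
            blocks.setdefault(parent, [])
        elif parent is not None:
            blocks[parent].append(line.strip())
    return blocks

def auth_locations(config):
    """Map each parent block to the authentication sub-commands under it."""
    blocks = parse_blocks(config)
    return {p: [s for s in subs if AUTH_RE.match(s)]
            for p, subs in blocks.items() if any(AUTH_RE.match(s) for s in subs)}

def missing_ikev2_auth(config):
    """Tunnel-groups lacking a local or remote IKEv2 auth line (assumes IKEv2 use)."""
    gaps = {}
    for parent, subs in parse_blocks(config).items():
        if re.match(r"tunnel-group \S+ ipsec-attributes$", parent):
            missing = [d for d in ("local", "remote")
                       if not any(s.startswith(f"ikev2 {d}-authentication ") for s in subs)]
            if missing:
                gaps[parent] = missing
    return gaps
```

On the sample, the IKEv1 setting is found under the policy block and the IKEv2 settings under the tunnel-group, while `crypto ikev2 policy 1` carries none.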

need ideas

Posted: August 11, 2011 in personal, thoughts

Lately I am super bored.

I’m not saying I don’t have things to do. They are just completely not-interesting and super very boring.

I need stuff to keep my brain rolling. Right now, with the things I do, my brain is at less than 10% actual usage. I need something interesting to do, to be at at least 70%, as I was while studying 4G or IPsec.

For ze record: the 2 security certifications I took in less than 1 month learning were probably taking my brain to 30% usage 😦

Need ideas for cool, interesting, challenging things to do/learn.

Humanitarian cause: help my brain stay alive. Please help.

I believe this is how it works, at least partially. Could not find this information anywhere online, only got partial responses, that don’t actually cover all the cases. Not to mention, all the aspects on where exactly in the FW engines the NAT actually happens:

===========================================================================
Automatic NAT: 
- Static NAT
> 2 NAT rules are automatically created:
>> A source translation that translates the source between the original and
the NAT address.
>> A destination translation that translates the destination between the
NAT and the original address.
> creates proxy ARP
 -- Translate on Client Side ON
> translates on Inbound, after VM, before routing, on interface I
> don't need anymore routes
 -- Translate on Client Side OFF
> translates on Outbound, after routing, after VM, on interface O
> add route from public IP to private IP

- Hide NAT (as this is also "automatic" only works with public IP from FW interface)
> creates proxy ARP
 -- Translate on Client Side ON
> translates on Inbound, after VM, before routing, on interface I
> no more routes needed

 -- Translate on Client Side OFF
> translates on Outbound, after routing, after VM, on interface O
> no more routes needed
===========================================================================
Manual NAT:
- Static NAT
 -- Translate on Client Side ON
> add ARP entries to the FW for all hiding IPs
> no additional routes needed
> translates on Inbound, after VM, before routing, on interface I

 -- Translate on Client Side OFF
> add ARP entries to the FW for all hiding IPs
  --- Hiding IP in same subnet as FW external Interface
> add route from public IP to private IP
  --- Hiding IP in different subnet as FW external Interface
> add route from public IP to private IP: next hop: private IP

- Hide NAT
 -- Translate on Client Side ON
  --- Hiding IP in same subnet as FW external Interface
> no ARP changes needed
> no additional routes needed
> translates on Inbound, after VM, before routing, on interface I

  --- Hiding IP in different subnet as FW external Interface
> add ARP entry to the FW for the hiding IP
> translates on Inbound, after VM, before routing, on interface I
> routes ? 

 -- Translate on Client Side OFF
  --- Hiding IP in same subnet as FW external Interface
> add route from public IP to private IP
> translates on Outbound, after routing, after VM, on interface O

  --- Hiding IP in different subnet as FW external Interface
> add route from public IP to private IP: next hop: private IP
> translates on Outbound, after routing, after VM, on interface O
===========================================================================
CopyRight: CheckPoint
===========================================================================
Do Manual NAT when:
- Instances where remote networks only allow specific IP addresses
- Situations where translation is desired for some services, and not others
- Environments where more granular control of address translation in VPN tunnels is needed
- Enterprises where address translation rule base must be manipulated
- When Port Address Translation is required
- Environments where granular control of address translation between internal networks is required
- When a range of IP addresses, rather than a network, will be translated

Recently I am thinking about PoisonBlack, specifically. The only song of theirs that I actually like is Rush. I haven’t listened to all of them, because I simply did not have the patience to do that!

Man, Love Infernal, Mercury Falling…what’s up with that CRAP? My feeling is that they are trying to resemble HIM. Now, I know HIM is a big hit and everything, but most of HIM’s songs sound all the same. A PoisonBlack sounding like HIM, but not being HIM just does not make any freaking sense!

The saddest part of the story is that I actually LOVE Sentenced.

The Sentenced vocalist, Ville Laihiala, is now the vocalist of PoisonBlack. Unfortunately, Sentenced dissolved in 2006, after Miika Tenkula’s death. Miika Tenkula was writing most of the Sentenced songs – and boy, they were SUPER!

Now, if I am to go to a concert, hoping to listen to …at least _something_ that sounds like Sentenced, I have nowhere to go. I wish PoisonBlack were more like Sentenced, but only Rush sounds good, as far as I can tell so far. If only Miika were still alive! He would continue to write cool songs, and the boring PoisonBlack band would never have been invented.

For those who like to listen to Sentenced, take a look at the following live concert, from my YouTube Playlist: http://www.youtube.com/watch?v=sOetxT3nMnU&feature=mh_lolz&list=PL24B495A465BFABF1

Dunno why, but this feels very relevant to me right now, adding in the cold that hit at exactly the right moment 😦

In Romanian it would mean exhaustion, but not the kind of exhaustion that goes away with a pleasant weekend, a shower, a cup of tea and a nap or a round of sex. It is chronic exhaustion, being utterly, totally and irremediably fed up. An exhaustion bordering on the pathological.

It can be caused by your job, by your relationship with your partner, by your relationship with your parents, the house… And like any pathology, it has symptoms. Fatigue, endless headaches, nausea, crying fits seemingly for no reason at all.

The problem with burnout is that from a logical, rational, Cartesian point of view, nothing supports you in your decision to change the situation. That is why it is also called an over-adaptation phenomenon. You keep making efforts to mould yourself to an environment that is not favourable to you. That is, after you manage to establish what the problem is. Which, between you and me, is difficult.

http://www.cenusadetrandafir.ro/burnout-baby

the bug

Posted: June 8, 2010 in personal

I went to the seaside this weekend and in the evening on the beach a bug bit me. I couldn't say exactly which bug, because there were surely several kinds and several bugs of each kind.

On my back and legs I have a ton of bumps from mosquitoes, but the bonus came with a sting on my right leg, which has kept swelling since yesterday at noon.

I went to CMU, they gave me some antihistamines and Nurofen. Seeing that it kept swelling and hurting, and also knowing the experience of other colleagues who developed pus and had to take antibiotics and have the pus drained out of the infection, monsieur begged me to let him take me to the emergency room at Floreasca. There, serious people: they made me a dressing with all sorts of strange solutions, gave me antibiotics to take and called me in for a check-up first thing this morning. The swelling hasn't gone down… and I have to go again on Thursday too.


I hope it passes, that they don't cut off my leg and that I don't die or anything :-s. I’m scared, and the tyrant is laughing at me 😦

social engineering a la Volksbank

Posted: June 7, 2010 in personal

Last week I got a phone call from a lady who said she was from Volksbank and that, supposedly, there is a new law under which banks where you have a mortgage must re-evaluate your home. Fine, OK, I understand that I have to take photos around the house and send them to the bank/company that will do the valuation.

The woman tells me she will send me by mail her e-mail address and a phone number to call her on when I send her the photos, for confirmation. All well and good, we take the photos and… the moment comes when I hit reply on the mail, to send the archive with the photos of my home, in which the doors, windows and floor should be clearly visible.

However, what do you know, although a woman from Volksbank, where I have my loan, called me, her e-mail address is <fin_control@yahoo.com>. Now, I don't know much, maybe the address is actually valid, but I find it rather hard to believe that a bank employee asks me to send her photos of my home but doesn't give her bank address… right?

Thank you, BitDefender

Posted: June 7, 2010 in technical

Today I got infected with a virus 😦

Although I worked for BitDefender and I am proud to have learned a lot of things about linux and system administration from people like Adi Pircalabu, I was never very impressed by their antivirus detection capabilities, and even less by those for cleaning an infected system.

All the same, despite my being paranoid about security updates for Windoza and the AV signatures from McAfee, I noticed that over the weekend I could no longer connect to my computer at work. When I got here in the morning, the computer was moving very, very slowly and I became suspicious; in the process list I saw Zkaxob and Zrh, rather odd for my taste in processes started as the administrator user. So I stop them and boot into safe mode, delete one thing and another myself, but without much success. I go back to Normal Mode, wait half an hour to be able to start a browser, stop the 2-3 suspicious processes and run an online scan with the tool from BitDefender: http://quickscan.bitdefender.com/

The report: 3 infected files, I know exactly which ones and where they are, I delete them and everything seems OK now.

Conclusion: McAfee, thank you very much, but no thanks 😐 It let this virus have its way with my machine, didn't notice it and did nothing. BitDefender, thank you for cleaning up my computer.

Although it seems BitDefender suffers a lot because of its big, stupid, vulnerable and badly written Windoza client, the guys working on the AV engines are VERY GOOD, and in combination with a tool like BitDefender Live CD – or whatever it's called now, a live CD based on a linux customized by the people from linux testing – they really make a brilliant AV solution.