MS16-047: Security Update for SAM and LSAD Remote Protocols (3148527) (Badlock) (uncredentialed check)

Synopsis:

The remote Windows host is affected by an elevation of privilege vulnerability.

Description:

The remote Windows host is affected by an elevation of privilege vulnerability in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) protocols due to improper authentication level negotiation over Remote Procedure Call (RPC) channels. A man-in-the-middle attacker able to intercept communications between a client and a server hosting a SAM database can exploit this to force the authentication level to downgrade, allowing the attacker to impersonate an authenticated user and access the SAM database.

Solution:

Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, and 10.

See More:

https://technet.microsoft.com/library/security/MS16-047

http://badlock.org/

Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness

Synopsis:

It may be possible to get access to the remote host.

Description:

The remote version of the Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man-in-the-middle (MiTM) attack. The RDP client makes no effort to validate the identity of the server when setting up encryption. An attacker with the ability to intercept traffic from the RDP server can establish encryption with the client and server without being detected. A MiTM attack of this nature would allow the attacker to obtain any sensitive information transmitted, including authentication credentials.

This flaw exists because the RDP server stores a hard-coded RSA private key in the mstlsapi.dll library. Any local user with access to this file (on any Windows system) can retrieve the key and use it for this attack.

Solution:

– Force the use of SSL as a transport layer for this service if supported, or/and

– Select the ‘Allow connections only from computers running Remote Desktop with Network Level Authentication’ setting if it is available.

More help:
http://www.oxid.it/downloads/rdp-gbu.pdf

http://www.nessus.org/u?8033da0d

http://technet.microsoft.com/en-us/library/cc782610.aspx

JavaScript fundamentals for better developers

JavaScript has primitives, objects and functions. All of them are values. All are treated as objects, even primitives.

Primitives

Number, boolean, string, undefined and null are primitives.

Number

There is only one number type in JavaScript, the double precision floating point. Decimal numbers’ arithmetic is inexact.

As you may already know, 0.1 + 0.2 does not make 0.3 . But with integers, the arithmetic is exact, so 1+2 === 3 .

Numbers inherit methods from the Number.prototype object. Methods can be called on numbers:

(123).toString();  //"123"
(1.23).toFixed(1); //"1.2"

There are global functions for converting to numbers : parseInt()parseFloat()and Number():

parseInt("1")       //1
parseInt("text")    //NaN
parseFloat("1.234") //1.234
Number("1")         //1
Number("1.234")     //1.234

Invalid arithmetic operations or invalid conversions will not throw an exception, but will result in the NaN “Not-a-Number” value. isNaN() can detect NaN .

The + operator can add or concatenate.

1 + 1      //2
"1" + "1"  //"11"
1 + "1"    //"11"

String

A string stores a series of Unicode characters. The text can be inside double quotes "" or single quotes ''.

Strings inherit methods from String.prototype. They have methods like : substring()indexOf() and concat() .

"text".substring(1,3) //"ex"
"text".indexOf('x')   //2
"text".concat(" end") //"text end"

Strings, like all primitives, are immutable. For example concat() doesn’t modify the existing string but creates a new one.

Boolean

A boolean has two values : true and false .
The language has truthy and falsy values.
falsenullundefined''(empty string), and NaN are falsy. All other values, including all objects, are truthy.

The truthy value is evaluated to true when executed in a boolean context. Falsy value is evaluated to false. Take a look at the next example displaying the false branch.

let text = '';
if(text) {
  console.log("This is true");
} else {
  console.log("This is false");
}

Objects

An object is a dynamic collection of key-value pairs. A key is a string. The value can be a primitive, object, or function.

The simplest way to create an object is to use an object literal:

let obj = {
  message : "A message",
  doSomething : function() {}
}

We can read, add, edit and remove an object’s properties at any time.

  • get: object.nameobject[expression]
  • set: object.name = value, object[expression] = value
  • delete: delete object.namedelete object[expression]
let obj = {}; //create empty object
obj.message = "A message"; //add property
obj.message = "A new message"; //edit property
delete obj.message; //delete property

Objects can be used as hash-maps. A simple hash-map can be created using Object.create(null) :

let french = Object.create(null);
french["yes"] = "oui";
french["no"]  = "non";
french["yes"];//"oui"

If you want to make the object immutable, use Object.freeze() .

All object’s properties are public. Object.keys() can be used to iterate over all properties.

function logProperty(name){
  console.log(name); //property name
  console.log(obj[name]); //property value
}
Object.keys(obj).forEach(logProperty);

Primitives vs. Objects

Primitives are treated like objects, in the sense that they have methods but they are not objects.

Primitives are immutable, and objects are mutable.

Variables

Variables can be defined using varlet and const.

var declares and optionally initializes a variable. The value of a variable that is not initialize is undefined . Variables declared with var have a function scope.

The let declaration has a block scope.

A variable declared with const cannot be reassigned. Its value, however, can still be mutable. const freezes the variable, Object.freeze() freezes the object. The const declaration has a block scope.

The scope of a variable declared outside any function is global.

Array

JavaScript has array-like objects. An array is implemented using an object. Elements are accessed using their indices. Indices are converted to strings and used as names for retrieving values. In the next example arr[1] gives the same value as arr['1'] : arr[1] === arr['1'] .

A simple array like let arr = ['A', 'B', 'C'] is emulated using an object like the one below:

{
  '0': 'A',
  '1': 'B',
  '2': 'C'
}

Removing values from the array with delete will leave holes. splice() can be used to avoid the problem, but it can be slow.

let arr = ['A', 'B', 'C'];
delete arr[1];
console.log(arr); // ['A', empty, 'C']
console.log(arr.length); // 3

JavaScript’s arrays don’t throw index out of range exceptions. If the index is not available, it will return undefined.

Stack and queue can easily be implemented using the array methods:

let stack = [];
stack.push(1);           // [1]
stack.push(2);           // [1, 2]
let last = stack.pop();  // [1]
console.log(last);       // 2
let queue = [];
queue.push(1);           // [1]
queue.push(2);           // [1, 2]
let first = queue.shift();//[2]
console.log(first);      // 1

Functions

Functions are independent units of behavior.

Functions are objects. Functions can be assigned to variables, stored in objects or arrays, passed as an argument to other functions, and returned from functions.

There are three ways to define a function:

  • Function Declaration (aka Function Statement)
  • Function Expression (aka Function Literal)
  • Arrow Function

The Function Declaration

  • function is the first keyword on the line
  • it must have a name
  • it can be used before definition. Function declarations are moved, or “hoisted”, to the top of their scope.
function doSomething(){}

The Function Expression

  • function is not the first keyword on the line
  • the name is optional. There can be an anonymous function expression or a named function expression.
  • it needs to be defined, then it can execute
  • it can auto-execute after definition (called “IIFE” Immediately Invoked Function Expression)
let doSomething = function() {}

Arrow Function

The arrow function is a sugar syntax for creating an anonymous function expression.

let doSomething = () => {};

Arrow functions don’t have their own this and arguments.

Function invocation

A function, defined with the function keyword, can be invoked in different ways:

  • Function form
doSomething(arguments)
  • Method form
theObject.doSomething(arguments)
theObject["doSomething"](arguments)
  • Constructor form
new doSomething(arguments)
  • Apply form
 doSomething.apply(theObject, [arguments])
 doSomething.call(theObject, arguments)
  • Bind form
let doSomethingWithObject = doSomething.bind(theObject);
doSomethingWithObject();

Functions can be invoked with more or fewer arguments than declared in the definition. The extra arguments will be ignored, and the missing parameters will be set to undefined.

Functions have two pseudo-parameters: this and arguments.

this

this represents the function’s context. Only functions defined with the function keyword have their own this context. Its value depends on how the function was invoked. See below the values of this depending on the doSomething() function invocation form:

function doSomething(){
  console.log(this)
}
+------------+------------------+
| Form       | this             |
+------------+-------------------
| Function   | window/undefined |
| Method     | theObject        |
| Constructor| the new object   |
| apply      | theObject        |  
| bind       | theObject        |    
+------------+------------------+

arguments

The arguments pseudo-parameter gives all the arguments used at invocation. It’s an array-like object, but not an array. It lacks the array methods.

function reduceToSum(total, value){
  return total + value;
}
  
function sum(){
  let args = Array.prototype.slice.call(arguments);
  return args.reduce(reduceToSum, 0);
}
sum(1,2,3);

An alternative is the new rest parameters syntax. This time args is an array object.

function sum(...args){
  return args.reduce(reduceToSum, 0);
}

return

A function with no return statement returns undefined. Pay attention to the automatic semi-colon insertion when using return. The following function will not return an empty object, but rather an undefined one.

function getObject(){ 
  return 
  {
  }
}
getObject()

To avoid the issue, use { on the same line as return :

function getObject(){ 
  return {
  }
}

Dynamic Typing

JavaScript has dynamic typing. Values have types, variables do not. Types can change at run time.

function log(value){
  console.log(value);
}
log(1);
log("text");
log({message : "text"});

The typeof() operator can check the type of a variable.

let n = 1;
typeof(n);   //number
let s = "text";
typeof(s);   //string
let fn = function() {};
typeof(fn);  //function

A Single Thread

The main JavaScript runtime is single threaded. Two functions can’t run at the same time. The runtime contains an Event Queue which stores a list of messages to be processed. There are no race conditions, no deadlocks. However, the code in the Event Queue needs to run fast. Otherwise the browser will become unresponsive and will ask to kill the task.

Exceptions

JavaScript has an exception handling mechanism. It works like you may expect, by wrapping the code using the try/catch statement. The statement has a single catch block that handles all exceptions.

It’s good to know that JavaScript sometimes has a preference for silent errors. The next code will not throw an exception when I try to modify a frozen object:

let obj = Object.freeze({});
obj.message = "text";

Strict mode eliminates some JavaScript silent errors. "use strict"; enables strict mode.

Prototype Patterns

Object.create(), Constructor Function, and class build objects over the prototype system.

Consider the next example:

let service = {
 doSomething : function() {}
}
let specializedService = Object.create(service);
console.log(specializedService.__proto__ === service); //true

I used Object.create() to build a new object specializedService which has the service object as its prototype. This means that doSomething() is available on the specializedService object. It also means that the __proto__property of specializedService points to the service object.

Let’s now build a similar object using class.

class Service {
 doSomething(){}
}
class SpecializedService extends Service {
}
let specializedService = new SpecializedService();
console.log(specializedService.__proto__ === SpecializedService.prototype);

All methods defined in the Service class will be added to the Service.prototype object. Instances of the Service class will have the same prototype (Service.prototype) object. All instances will delegate method calls to the Service.prototype object. Methods are defined once on Service.prototype and then inherited by all instances.

Prototype chain

Objects inherit from other objects. Each object has a prototype and inherits their properties from it. The prototype is available through the “hidden” property __proto__ .

When you request a property which the object does not contain, JavaScript will look down the prototype chain until it either finds the requested property, or until it reaches the end of the chain.

Functional Patterns

JavaScript has first class functions and closures. These are concepts that open the way for Functional Programming in JavaScript. As a result, higher order functions are possible.

Closure is an inner function that has access to the parent function’s variables, even after the parent function has executed.

A higher order function is a function that takes another function as an input, returns a function, or does both.

For more on the JavaScript functional side take a look at:

Discover the power of first class functions

How point-free composition will make you a better functional programmer

Here are a few function decorators you can write from scratch

Why you should give the Closure function another chance

Make your code easier to read with Functional Programming

How to learn Machine Learning

Photo by Alex Knight on Unsplash

Introduction

Machine Learning has traditionally been a technology that only PhDs and institutions with lots of financial resources could utilize. But nowadays, there are so many tools out there that allow anyone to get started learning Machine Learning. No excuses!

In this blog post, I’ll highlight the four foundation stones of Machine Learning, and how each of them has been democratized in the past few years.

If you want to stay up to date with my latest AI content, make sure to subscribe to my YouTube channel.

The four foundation stones of Machine Learning are datacomputationsalgorithms, and education.

Data

Check out this amazing list of public datasets on GitHub. And if that’s not enough, Kaggle has some amazingly polished datasets available as well. Whether you are using publicly available datasets, or scraping data from the web via Python libraries like scrapy, everyone has access to quality datasets now.

Of course, the big tech companies have walled data gardens of their own, but decentralized startups like OpenMined are working hard to create services to allow data scientists to train their models on that data as well.

Computations

Got GPUs? Machine learning, and especially deep learning, require lots of expensive computations. Neural networks require the use of massively parallel computations, which GPUs are well suited for.

Unfortunately, GPUs can be very expensive. But with tools like Google’s CoLabor Kaggle’s Kernels, anyone can run machine learning code in the browser using free (Tesla K80) GPUs.

Algorithms

Algorithms are a commodity. Luckily for us, the machine learning field has built a culture of open source code and lots of result sharing. Whether its at the annual NIPS or ICLR conference, researchers tend to be very happy with sharing their results.

If you want to keep up with the latest research, you can use the Arxiv Sanity Preserver to read the latest papers in a beautifully indexed way. And there’s of course the machine learning subreddit. You can either use existing code, or use the free Tensorflow library to build your own models.

Education

With great power comes great responsibility. You’ve got the code, you’ve got the data, you’ve got the computing power. Now you just need to be educated on how to use them!

Besides my YouTube channel of course, there are a ton of free educational resources out there to help you learn how to use the tools of machine learning. I made a three month machine learning curriculum that uses all of the above resources and several I’ve found on the Web to help a beginner get started. You’ll find that here.

Go forth and learn!

You should be excited right now. This is an incredible time to be alive! There are so many changes happening so fast. Amidst all this complexity, machine learning can help us understand our world in ways we couldn’t otherwise. It can help us create and discover new things orders of magnitude more efficiently than ever before. You’ve got the power, use it wisely.

10 fixes for Windows 10 updates

How to fix a stuck Windows update

Operating system updates are a necessary evil, like taxes and car MOTs: they can be a real chore, but they’re essential for a happy and peaceful life. You might not care for Windows updates, but they keep you protected, squash nasty bugs and generally keep the OS running as smoothly as possible.

Speaking of running smoothly, however, these updates don’t always do that. In recent versions of Windows Microsoft has tried to make the process as pain-free as possible, but with so many hardware and software configurations out there, there’s always the chance that some unexpected problem will crop up.

But if it does, don’t panic – we’ve got you covered. Read on to learn how to fix common problems with Windows updates.

1. Make sure the updates really are stuck

How to fix a stuck Windows update

We’re going to cover a lot of ground here for several versions of Windows and a variety of ‘stuck’ scenarios, so you may have to tweak some of these steps to suit your situation and software.

The first point to make is that interfering with updates that aren’t actually stuck can cause a host of problems, so you want to make sure they really are stuck.

If you’ve got the time, and the patience, we’d recommend waiting a couple of hours, especially with slower machines – go and cut the grass or watch a movie. It may seem extreme, but you don’t want to start meddling with these fundamental processes unless you really have to.

2. Turn it off and on again

How to fix a stuck Windows update

Do you know why “have you tried turning it off and on again” is such an IT support cliché? Because it so often works. There’s no magic trick to this – it simply clears out your computer’s temporary memory (including any stalled files or processes), and lets Windows start again from scratch with everything on the system.

If your updates are stuck in the background while you still have access to Windows, you can restart as normal; if they’re stuck before or after the OS loads, you’re going to have to hold down the power button and do a hard reset. This can cause issues itself, so make sure your updates definitely aren’t progressing at all.

3. Check the Windows Update utility

How to fix a stuck Windows update

In Windows 10 you can find the Windows Update page by launching the Settings app from the Start menu and clicking Update & Security – if there’s something wrong and Windows knows what it is then you should find details here. Sometimes you’ll just get a message telling you to try the update again at a different time.

If you click ‘Advanced options’ and then ‘View your update history’, you can see recently installed updates that were successful, and uninstall some or all of them – again, this can be a handy troubleshooting option. Windows 10 has actually streamlined the update process, so you should be seeing fewer errors.

4. Run Microsoft’s troubleshooter program

How to fix a stuck Windows update

Microsoft feels your pain: it knows the update process can cause problems every now and again, which is why it’s developed a troubleshooter program specifically for it – search the old Control Panel for “troubleshooting”, then select ‘Fix problems with Windows Update’ from the list on-screen.

The link should be available in Windows 7 and 8 too, but if not you can get at it on the web as well. That said, if you haven’t yet upgraded to Microsoft’s latest and greatest operating system then it’s probably still worth your while, as it’s more than likely to solve your update problems at the same time.

5. Launch Windows in Safe Mode

How to fix a stuck Windows update

Safe Mode is like a restart with extras – only the very basic apps and code that Windows needs to run are loaded into memory, so there’s even less chance of a rogue, damaged file interfering with the update. In Windows 10, hold down the Shift key then choose Power and Restart from the Windows sign-in screen.

On the next screen you see pick Troubleshoot, Advanced Options, Startup Settings and Restart, and you should then see the Safe Mode option appear: try running through the update process again if you can. A quick search online will give you Safe Mode instructions for older versions of Windows.

6. Go back in time with System Restore

How to fix a stuck Windows update

System Restore has been helpful for solving Windows problems for many a year now, but it happens to be quite well hidden in Windows 10. Go to Control Panel, System, System Protection and then click System Restore. Go through the wizard, then choose ‘Show more restore points’ to see all your available options.

Pick a time and date, then complete the wizard to go back to how Windows was configured at that point (and hopefully solve your update issues at the same time). The process doesn’t affect your personal files or programs, but it may not be available to you depending on how Windows was originally set up.

7. Delete the Windows Update file cache yourself, part 1

How to fix a stuck Windows update

If Windows’ own troubleshooter doesn’t work (see step 4) then you can try and carry out the same process yourself manually: stopping the Windows Update service, deleting the temporary files it’s created, then starting Windows Update again. It’s a little more involved, but it’s not difficult to do.

First, boot up into Safe Mode (see step 5), then access to the command prompt, the most basic of Windows interfaces: right-click on the Start menu, choose Command Prompt (Admin), and a text box should appear. Type “net stop wuauserv” and hit Enter, then follow that with “net stop bits” and hit Enter again.

8. Delete the Windows Update file cache yourself, part 2

How to fix a stuck Windows update

Back in Windows proper, navigate to the C:\ Windows\ SoftwareDistribution folder, and delete everything you find therein. You’re not going to break anything by doing this – these are just temporary files Windows creates so it knows where it’s up to, and Windows Update will create them again from scratch.

With that done, go back to your command prompt window and type “net start wuauserv” (Enter) then “net start bits” (Enter) to get Windows Update and its related background services up and running again; hopefully this trick should be enough to kick-start the update that was previously stuck.

9. Launch a thorough virus scan

How to fix a stuck Windows update

One of the more obscure reasons why a Windows update might not be installing is because a virus or some kind of spyware is blocking it: malicious apps like these can often be squashed by Windows security updates, which is why they try and stop the latest patches from being installed on your machine.

Try running a full and thorough virus scan using whatever security software you have installed (you do have some installed, right?). If you think your antivirus tool has also been compromised you can download some on-demand scanners, like this one from Microsoft or this one from Dr. Web.

10. Run a full Windows reset

How to fix a stuck Windows update

Restoring key Windows files and OS options is a lot easier than it used to be, and ‘resetting’ Windows 10 basically means putting all the system files back to their factory state without touching your personal files along the way (although you can choose to wipe your drive completely if you want).

You can find the option via the Recovery tab on the Update & Security page in the Settings app – note that third-party apps are removed too, so these will need installing again. Windows 8 offers both ‘refresh’ and ‘reset’ options, while on Windows 7 the reset option will typically have been provided by the PC’s manufacturer.