Running JBoss EAP 6 as a Windows Service

I spent some time myself trying to figure out how to easily install JBoss EAP as a Windows service.  I then came across an excellent thread post on developer.jboss.org which let me do what I wanted.  My own post will be based on that.

Files You’ll Need

First, you’ll need commons-daemon-1.0.15.jar, which is from Apache and can be downloaded here.

Second, you’ll want prunsrv.exe, also from the Apache commons-daemon library.  But this item you’ll need to get from the Windows binary downloads section.

Lastly, you’ll need the batch file that will create the service for you, using the previously acquired jar and exe.  This file can be found directly in either the comment I am basing this post on (service.bat.zip), or the bugzilla ticket that post is basing itself on.

Place everything in %JBOSS_HOME%\modules\system\layers\base\native\sbin

Installing the Service

Open up a command prompt in the sbin directory previously mentioned.  And run

service.bat install

The parameters you can pass to this batch file are as follows (pulled from the batch file’s usage output):

  • /controller <host:port>: The host:port of the management interface
    • default: %CONTROLLER% – “localhost:9999”
  • /host [<domainhost>]: Indicates that domain mode is to be used with an optional domain controller name
    • default: %DC_HOST% – “master”
    • Not specifying /host will install JBoss in standalone mode
  • /loglevel <level>: The log level for the service: Error, Info, Warn or Debug (Case insensitive)
    • default: %LOGLEVEL% – “INFO”
  • /name <servicename>: The name of the service – should not contain spaces
    • default: %SHORTNAME% – “JBossEAP6”
  • /desc <description>: The description of the service, use double quotes to allow spaces
    • default: %DESCRIPTION% – “JBoss Enterprise Application Platform 6”
  • /serviceuser <username>: Specifies the name of the account under which the service should run.
    • Use an account name in the form DomainName\UserName
    • default: not used, the service runs as Local System Account
  • /servicepass <password>: password for /serviceuser
  • /jbossuser <username>: jboss username to use for the shutdown command
  • /jbosspass <password>: password for /jbossuser

Spybot Anti-Beacon – Turn Off Windows Tracking

Tracking / telemetry features in software is rather controversial.  Often split between two groups.

Group A will want the features that go along with the tracking, for example: having Google Now tell you when a package is scheduled to arrive just because you got an email about it.

Image from EFF

Image from EFF

Group B will be on the side of privacy for the sake of privacy.  They fear that all of these features are putting in place an infrastructure to be taken advantage of by bad actors, such as the implementers of the features themselves or even someone like the NSA.

I typically find myself in one camp for certain issues, and the other for well… others.

In Windows 10, I don’t use any of these features, such as Cortana.  So I’m perfectly happy to disable any kind of information sharing my computer and Microsoft are making use of.

Spybot Anti-Beacon

If you are like me and want to disable as much of the windows 10 tracking as you can, I recommend you check out Spybot Anti-Beacon.  It’s a tool that helps you disable the tracking features.

It also works for Windows versions going back to 7.

Description from their site:

Spybot Anti-Beacon is a standalone tool which was designed to block and stop the various tracking (telemetry) issues present in Windows 10. It has since been modified to block similar tracking functionality in Windows 7, Windows 8 and Windows 8.1 operating systems.

Check it out, it’s neat.

Virtualizing Physical Machines

overview

Preface

I’ve come across a couple laptops recently where I wanted to be able to quickly (and safely) experiment on them.  Experiments that had the possibility of seriously messing things up.

A more traditional approach to this would be to make an image of the machine, perform the experiments, and if it fails catastrophically, restore the image.

Virtual machines have significant advantages in this, because you can snapshot them and instantly restore to that snapshot.  But I was unable to set up a simple VM to do this as I needed one configured the exact same way.

So after some research, and playing around, I found that it’s actually quite simple to make a VM from a physical machine.

The steps I would take to accomplish this are:

  1. Image the physical machine to a file
  2. Convert the raw file to a virtual machine disk file (.vmdk)
  3. Create a new Virtual Machine and point it to the .vmdk file

Below are those steps in detail.

1. Image the Physical Machine to a File

imaging machineTo image the machine, my approach was to take a Linux live cd (on a usb stick) and use the command “dd” to make an image of the disk.  First, I would fire up gparted in order to determine the correct disk path that I wanted:

gparted

Note: or use something like

$ fdisk -l

Once you know the path of what you want to image – for example: /dev/sdb – you can bring up a console and begin.

I like to add two things to the dd command in order to get more out of it:

  1. Compress the output with gzip
  2. Pass the data through pv [pipe viewer] in order to see the operation’s speed
matthew@lubuntu-vm:temp$ sudo dd if=/dev/sda | pv | gzip -c > ./image.dd.gz

Now, make sure that your destination is large enough to hold the image.  An external drive or network share or somesuch.

2. Convert the Raw File to a Virtual Machine Disk File

First, if you sent your image through gzip to save some space like I did, extract it.

Next, using the VirtualBox commandline tool “VBoxManage”, convert the raw file to a VMDK file:

VBoxManage convertfromraw raw-image-name.dd vmdk-name.vmdk --format VMDK

Couple notes:

  • I’m sure other formats work too, but this is the only one I’ve tried
  • It takes a while

3.  Create a New Virtual Machine and Point it to the .vmdk File

This step is fairly straight forward.  Create a new virtual machine and when it asks you if you’d like to make a new virtual machine disk, choose to select your own and point it to the .vmdk file you made.

When you start the virtual machine, it’ll look as if you’ve started the physical machine.

Happy virtualizing!

Monitoring an Outlook Inbox with Python

I get a lot of email at work.  Mostly by robots that are triggering on some event or another.  But after a few years of more and more distribution lists having me on it, the amount of email I get in a day is actually unmanageable.  I’m talking thousands.  The vast majority can be safely ignored, such as “Job ABC completely successfully”.

So I’ve gotten pretty aggressive with Outlook rules in order to filter my incoming email into different folders.  But the rules have always felt limited to me.  For example, I cannot say “If the subject contains this or this, do that“.  I’m limited to a logical and.

Looking into whether or not you can use Python in your Outlook rules, I came across an example where you can actively monitor your Inbox and have access to the messages that come in, all from Python.

C:meDevelopmentpythonoutlook>outlook-monitor.py
Subj: Test Email
Body: Hey!

Test

-Matthew Urch | Programmer Extraordinaire
========

This opens up a whole world of email automation.

The basic script I made that achieves the above is this:

import win32com.client
import pythoncom

class Handler_Class(object):
    def OnNewMailEx(self, receivedItemsIDs):
        for ID in receivedItemsIDs.split(","):
            # Microsoft.Office.Interop.Outlook _MailItem properties:
            # https://msdn.microsoft.com/en-us/library/microsoft.office.interop.outlook._mailitem_properties.aspx
            mailItem = outlook.Session.GetItemFromID(ID)
            print "Subj: " + mailItem.Subject
            print "Body: " + mailItem.Body.encode( 'ascii', 'ignore' )
            print "========"
        
outlook = win32com.client.DispatchWithEvents("Outlook.Application", Handler_Class)
pythoncom.PumpMessages()

And then from here, you can do whatever you like with your email messages that are coming in.

Writing a Google Hangouts Bot

I’m a huge fan of programming just for fun.  But often times the fun itself is directly tied to what your program will be doing.  Well yesterday I had a great deal of fun writing a very simple bot for a group Hangout I’m in.

The idea for the bot came about because of a type of battle that was fought over changing the name of the Hangout.

title-battleParticularly from Mr. Jonathan there.  He is a frequent title hijacker.

So what I wanted, was that whenever Jonathan changed the title, it would immediately change to what I have it set to.  If others changed the title, that’s alright by me.  This was a battle between Jonathan and I.

My chosen technology for this bot, was good ol’ jQuery running from a Firebug console.  Since I then wouldn’t have to worry about authentication or any of that.  This bot would be run only when the chat was open.  I wanted it simple.

Right off the bat however, I discovered this would be a little trickier than I had hoped.  The chat windows are running inside iframes.  And those frames are coming from a different place.  So if I attempted to retrieve the document of the iframe, I would trip over the “Same Origin Policy”.  But this is easily worked around if you open the chat in its own window by clicking on the “pop out” button in the middle of the three buttons at the top.

Now I was in business and any Javascript I injected via Firebug would trivially work with the existing elements.  So now I was able to break down the task and code away.

Note: As a precondition to the script of this bot, jQuery needs to be injected.

Opening the Settings and Changing the Title

These parts are fairly trivial Javascript.  To open the settings of the Hangout, we simply want to click the gear at the top:

document.getElementsByClassName( "SU" )[0].click() ;

Which wrapped with a check to ensure we aren’t trying to go to the settings page when we’re already there, looks like this:

var saveButtonSelector = "button:contains('Save'):visible" ; 
function clickCog() {
   if( jQuery( saveButtonSelector ).length == 0 ) {
      document.getElementsByClassName( "SU" )[0].click() ;
   }
}

And to update the title:

document.getElementsByClassName( "editable" )[1].innerHTML = text + "<br />" ;
jQuery( saveButtonSelector )[0].click() ;

When Element Found, Call Function

To update the title, starting from outside the settings page is a little more interesting, since fundamentally we don’t know how long it’s going to take to get there.  So my solution was to monitor for the “Save” button that is on the settings page.  When that button is present and visible, then update the title.

To facilitate this, I needed something event based.  But there is no baked-in event for when an element is found that didn’t previously exist.  And I didn’t want to spend much time looking for a Javascript library that would work for me, so I rolled my own.

We can use the built-in setTimeout method in a loop that polls for the element, and when the element is found, trigger the event.

function whenElementFoundCallFunc( selector, func ) { 
  
  if( jQuery( selector ).length > 0 ) { 
    func() ;
  } else { 

    setTimeout( function() {  
      whenElementFoundCallFunc( selector, func ) ;
    }, 50 ) ; 
    
  }
  
}

Using the above method, and the clickCog() method which checks if you’re already in the settings page, updating the title becomes this:

function setTitleText( text ) { 
  
  clickCog() ; 
  
  whenElementFoundCallFunc( saveButtonSelector, function(){
    document.getElementsByClassName( "editable" )[1].innerHTML = text + "<br />" ;
    jQuery( saveButtonSelector )[0].click() ; 
  } ) ; 
  
}

Which will cause the script to forever poll for the Save button, and when it’s visible, it will set the title to what I want.

Monitoring for Title Changes

The core of this bot is it needs to act on its own when the title is changed.  That means we need something very similar to the above method “whenElementFoundCallFunc”.  We need to check the last title change, see if it was done by Jonathan, and if so, change the title to zyx.

function monitorForChangeByAndCall( person, func ) { 

  var lastTitleChange = jQuery( "span:contains('renamed the Hangout'):last" ).text() ;
  
  if( lastTitleChange.indexOf( person ) == 0 ) { 
    func() ;
  } else { 
    console.info( person + " did not last change title, checking again soon..." ) ; 
  }
    
  setTimeout( function() {  
    monitorForChangeByAndCall( person, func ) ;
  }, 500 ) ;
  
}

Which can be called simply enough:

monitorForChangeByAndCall( "jonathan", function() {
  setTitleText( "Poutine Nation" ) ;
} ) ; 

That’s it!

Surprisingly small, isn’t it?  But it works perfectly and has made it so Mr. Jonathan cannot change the title of the hangout.

bot-title-changingNote: I am not his dad

Entire Script I Run in Firebug

var script=document.createElement('script');
script.src = "https://code.jquery.com/jquery-latest.min.js" ; 
document.getElementsByTagName('head')[0].appendChild(script);

var saveButtonSelector = "button:contains('Save'):visible" ; 

function clickCog() { 
  if( jQuery( saveButtonSelector ).length == 0 ) { 
    document.getElementsByClassName( "SU" )[0].click() ;
  }
}

function setTitleText( text ) { 
  
  clickCog() ; 
  
  whenElementFoundCallFunc( saveButtonSelector, function(){
    document.getElementsByClassName( "editable" )[1].innerHTML = text + "<br />" ;
    jQuery( saveButtonSelector )[0].click() ; 
  } ) ; 
  
}

function whenElementFoundCallFunc( selector, func ) { 
  
  if( jQuery( selector ).length > 0 ) { 
    func() ;
  } else { 

    setTimeout( function() {  
      whenElementFoundCallFunc( selector, func ) ;
    }, 50 ) ; 
    
  }
  
}

function monitorForChangeByAndCall( person, func ) { 

  var lastTitleChange = jQuery( "span:contains('renamed the Hangout'):last" ).text() ;
  
  if( lastTitleChange.indexOf( person ) == 0 ) { 
    func() ;
  } else { 
    console.info( person + " did not last change title, checking again soon..." ) ; 
  }
    
  setTimeout( function() {  
    monitorForChangeByAndCall( person, func ) ;
  }, 500 ) ;
  
}

monitorForChangeByAndCall( "jonathan", function() {
  setTitleText( "Poutine Nation" ) ;
} ) ; 

Windows: Change Yourself From Admin to a Standard User

A practice that can help maintain security on your Windows machine is to not run as an Admin all the time.  It’s far more secure to run as a Standard User and when you need Admin privileges, you enter the credentials of a different user that is an Admin.

But what if you’ve already been running as an Admin for a while and have your account set up just how you like?

This was my thought process whenever I heard the advice of running as a Standard User instead of an Admin.

Next time I set up a machine for myself, I’ll set my main account as a Standard User…

But it turns out that was entirely misplaced hesitation because switching down to a standard user couldn’t be easier.

Simply create yourself an extra Admin account with a good password, and then in the Users section of the Control Panel, change the level of your own account down to Standard.  Done!

Expiring Passwords Hurt Security

It’s a common practice among enterprise policies – expiring passwords.  I’ve often been forced to change them on Windows, individual servers, work cell phones, and even the work voicemail.

The theory being that forcing changed passwords will make it harder for others to gain permanent access to a system.  For which I applaud the effort.  However, if you really think about the impact this policy has on the users, and the lack of impact it has on the pesky bad guys, you’ll understand what I mean when I say this policy is overall detrimental.

Patterns VS Security

By periodically rotating passwords, the attack surface shrinks due to voiding any compromised passwords.  Good.

But, the human factor of your users comes into play.  The users must be able to remember their password.  This causes them to use a memorable password, and when the password expires periodically, they require the password to be more than memorable.  They need to be able to think through what their password is.  They need to come up with a process that remains the same, but produces a different password.  As an example, users will often use one password, and change the number on the end.

This drastically expands the attack surface, because anyone who has compromised a user’s password, has the ability to read the password, and humans are pretty good at seeing patterns.

For example, let’s say you’re malicious, and you’ve gained your target’s password,

Work_1

And you gain access to the server for a while, do your evil deeds, and then one day it stops working, so you reach into your bag of tricks and get the targets password again,

Work_2

I bet you and everyone ever will be able to guess what the next password will be without needing to compromise anything.

And then, even though the company has dutifully enforced expiring passwords, and even without any kind of advanced persistent threat, your user’s credentials can be permanently compromised.

Is Malicious Expiring Access Better than Permanent Access?

Now, let’s really think about this policy.  It implies that you’re doing some good by having a malicious user lose access to your system after a while.  And there is a logic to that.  But imagine I told you that someone after your banking info was on your computer with full access, but don’t worry because after a week he had to leave.  I bet you’d still be worried.  There’s no way to know what they installed on your machine or did in general.  There’s no way to safely use that computer again unless you reformat and reinstall your OS.

Any malicious access is bad.  It’s not somehow OK because they lost access after a bit.  You want to keep them out at all times, not just most of the time.  Would you feel any safer from thieves in your home if every three months some magical force made them leave?  Probably not.  You don’t want them in at all, and don’t particularly care if they’re limited to three months access.

Bad Guys Don’t Wait

Lastly, the point I have left is that bad guys don’t wait.  Expiring passwords makes it seem like there’s a buffer between when a password is obtained and when it is used.  But imagine if you wanted access to someones bank and you got their password.  Would you sit around and wait two months before you used it?  Or would you test it out instantly, and do what you wanted to right then and there?

Put It All Together

And so, when you consider that expiring passwords causes users to use weaker passwords, and does close to nothing to stop unauthorized access, the overall security is hurt rather than bolstered.

Don’t expire your users passwords.

Get More Information from Windows Task Manager

Every once in a while I’ll find I need to force close a Java application.  So I open up the task manager in Windows, only to find…

java processesThe names are all the same, and the descriptions don’t help very much, either.  I can sometimes know based on the memory footprint, but that’s too much of a guess for me.

I don’t know about you, but I feel like I’ve murdered something innocent when I force close an application that was working just fine.

So the problem here is a lack of information, which we can rectify by going to “View | Select Columns…” and adding the column “Command Line”, which will display “The full command line specified to create the process.” – Quote Source

This will often give you enough added information to determine which application is represented by which process.

java processes - with command line

Quickly Navigate to a Package in “Package Explorer” in Eclipse

Often while working on a project, I will want to navigate to the same package that a class I’m inspecting is defined in.

I may want to get a better feel for what a class does / where it belongs, or want to add a new one in the same location, or various other reasons for wanting to do this.

The way I’ve always done this is the manual way.

“This class is defined in the ca.tu.horizon.consumer… ok ca – *click* – tu – *click* – horizon – *click* – consumer – *click*, there we go…”

However I just came across a very nice way of instantly getting there from within the hover tooltip that displays the package.  This is probably already known by most of you, and I’m a little mad at myself for taking so long to find this out, but you can just click on the package you want from within the tooltip!

1: In the hover tooltip, click on the package level you wish to navigate to

Package Nav 1

2: Click on the package icon

Package Nav 2

3: You’re brought to the corresponding package!

Package Nav 3