Has the enhance function in your Microsoft Photos App stopped working? It did for me for a few months. How did I fix it? Well, let’s take a look at why it might have stopped working.

1. There was a bug.

And if so, a Windows Update might come along later to fix it.

2. Your Photos app destroyed itself.

If so, you have to reset or reinstall the app. Try re-registering it first with PowerShell.

Get-AppxPackage -allusers Microsoft.Windows.Photos | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

And if it doesn’t work, uninstall and reinstall using PowerShell.

get-appxpackage Microsoft.Windows.Photos | remove-appxpackage

Get-AppxPackage -allusers Microsoft.Windows.Photos | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

3. You need the Photos Media Engine package.

This is the one that worked for me. Go to the Microsoft Store and install the app. Here is the link: https://www.microsoft.com/en-us/p/photos-media-engine-add-on/9plk42wd0rc0

References:

  1. Microsoft Answers
  2. Microsoft Answers
  3. WinBuzzer

Security@Georgeliu.me

Sometimes people make mistakes. Sometimes they make very expensive mistakes.

I made a mistake last year, when I was busy trying to secure my home. Apparently, some guys broke into a girl’s apartment nearby and stole a lot of money.

So I bought a VimTag camera. But hey, at least it wasn’t a Porsche, right?

Here’s why VimTag cameras are mistakes:

1. Weak security.

There are guys out there talking about how they can telnet in with no password required.

The telnet protocol is usually run on port 23, but this device is running it on port 8600 as a ‘security’ measure. He’s saying all you have to run to get root access is: telnet target-ip-address 8600

From Reddit

People on Amazon are claiming their networks were hacked after installing a VimTag.

I called tried to change my wifi password and someone had already done so. They also changed my device access code for the router. I factory reset and within minute it had been changed again. Now my net is disconnected, pending replacement of my router for security reasons.

Why Amazon sells a product with known security risks speaks volumes about their priorities to me. I thought people were being paranoid, but turns out exactly what they warned about happened to me within a day. DO NOT USE THIS PRODUCT. So shady… I now have the pleasure of resetting all my passwords and info and not having access to the net for several days while I clean up this mess. I only hope there are no other precautions I’m missing that will pop up later… Ugh..

From Amazon

2. Iffy security.

I monitored some of the data from the camera. It was going to servers in Turkey as well as in China. I understand China, but why Turkey?

17.253.54.253
ISP Apple Inc.
Usage Type Commercial
Hostname defra1-ntp-002.aaplimg.com
Domain Name apple.com

54.153.82.107
ISP Amazon Technologies Inc.
Usage Type Data Center/Web Hosting/Transit
Hostname ec2-54-153-82-107.us-west-1.compute.amazonaws.com
Domain Name amazon.com

46.45.138.218
ISP Radore Veri Merkezi Hizmetleri A.S.
Usage Type Data Center/Web Hosting/Transit
Domain Name turkrdns.com

210.72.145.44
ISP China Science and Technology Network
Usage Type Fixed Line ISP
Domain Name cstnet.net.cn

From AbuseIPDB

3. No security.

After further testing, I found that most of the communication between the app and the back-end occurred in cleartext (no HTTPS). Actions that used unencrypted communications included registering a camera to my account, adjusting settings, formatting the SD card, accessing stored audio or video, and initiating the recording of audio or video. When I went to view the network settings, their backend server sent to my device a list of SSIDs for all the wireless networks in the camera’s proximity. A team of researchers found that using only SSID, they could locate a device within 13-to-40 meters. The server also sent the WPA2 key for the network to which it was connected meaning that not only is the key visible to any attacker, it’s stored on the server and easily recoverable.

From NowSecure

4. They are insecure liars.

I left it connected and there were multiple connections going to and from the camera. I also noticed that it was scanning the network with PING requests. I have attached a WireShark Packet capture from start to finish of the setup of the camera. The 172.16.74.0/24 network is my private LAN and the 192.168.137.0/24 is the AP that I was running off my laptop, .1 being the laptop/GW.

I will also add that if you try to run a port scan on the camera it renders it completely DOA and will not restart. I did this using Zenmap on my PC and the camera is now DOA. The paranoid part of me suspects this is to prevent seeing what it’s doing and has open. The other part of me just chalks this up to poor firmware/software on the device.

That being said I just wanted to put a quick post out there in case someone else was thinking about getting these cameras. They also do NOT work with any standard IP cam applications or DVR software, this means no RTSP or ONVIF support.

From TimothyHogland

5. They are really liars.

Their website states:

Network specs

Wireless Network
WiFi (IEEE802.11b/g/n)

Ethernet
10/100Mbps RJ-45 interface

Protocols
TCP/IP, UDP/IP, HTTP, DCHP, RTSP, RTMP, MUTP

IP address
Static IP address and dynamic IP address

From VimTagUSA

In actuality? If you pay them money, you can connect to their private cloud. There is no RTSP or RTMP support, which is necessary for 3rd party apps to connect to your camera. Nothing else works. You pay for their stuff, or it doesn’t work. Not to mention it’s incredibly slow.

6. Their customer support is worse than bad.

After I wrote a bad Amazon review with all the information contained here, they sent me this reply:

Vimtag server is all over the world. What you said is just your own opinion and it’s Incorrect.
You don’t know exactly how the camera work.
We will contact you via email.
Maybe you hate Chinese goods,right? Our maker not only in China, the United States,United Kingdom,and Italy also have Vimtag Company.
Best Regards
Vimtag Team

If I hated Chinese goods, why did I buy one? Well, OK, I seriously have a much lower opinion of Chinese goods after this mistake. And they didn’t email me in the end.

Well, OK. Maybe I’m just hating on them so much because the camera was expensive, but it was slow, not useful, and really not good. And…

7. They are liars, again.

Fakespot Review Grade: F

Our analysis detected 80.0% low quality reviews

From FakeSpot

Future Steps

Seriously, don’t buy this thing. I bought one and it was a huge mistake, not to mention a security risk.

After that, I bought an Amcrest camera, which emails snapshots to me and takes video, no cloud subscription required, for the same price. Even has notification zones. I wanted to buy stuff with facial recognition and the like, from good brands like Ring or Orbi or whatever, but those are expensive and almost require a cloud subscription. My Amcrest connects to my NAS and can send me snapshots when there’s movement. Although it has a lot of bugs that require resetting the device at times, which was a pain, too. Cheap Chinese goods, eh?

But I have the VimTag, so I’m looking to hack into it through telnet and have it send any images it takes to a cloud server. More info here: JumpESPJump

How do you export an Outlook calendar to a .ics file for use with other calendar services? Outlook.com doesn’t make it easy, but the correct link for this as of July 2018 is this: https://outlook.live.com/owa/?path=/options/calendarpublishing

Click on Options > Calendar > Shared Calendars > Calendar Publishing, select the right calendar, and then Create a link for sharing. The .ics format will appear.

 

Outlook.com Calendar to .ICS file

 

Don’t forget that it’s also possible to download ICS files from iCloud through the web by replacing the publicly available webcal:// address with a standard https:// and then by adding an .ics at the end of the resulting downloaded file.

A few days ago, I got a really nice message from someone. It’s nice to know that someone benefits from what I do. And apparently, I had almost 400 hits on this site in December, according to WordPress! Fun stuff.
Apparently, I need to get my comments working again. If you want to contact me, use the email form for now and tell me to get the comments up!
Also, a good tip from my reader:
Thanks for your Fail2ban & postfix article at georgeliu.me – Fail2Ban and PostFix Mail.Warn Error | George Liu. It helped a lot.

Just a note that you should not edit jail.conf as it will be overwritten in an update. Instead edit either jail.local or if it exists in your distro (Ubuntu) paths-overrides.local

Google Sites’ update put me in a bad situation. I’m pretty busy as is, but the new Sites doesn’t fit my needs as well as I would like. Not to mention that the old Sites was slow and unresponsive. So I find myself in the position of moving a Google Sites-based site to my WordPress server–or rather, remaking the site with new customizations.

I chose the default 2017 WordPress theme because it looks professional. I used the Quest theme and other themes for other sites, but this theme seems customizable enough for my needs.

And yet, that brings a few problems.

Number 1: I need a sidebar.

Presto, there’s a plugin (here, thanks [email protected] Institute) to restore the lost sidebar! However:

Is it possible to move sidebar to the left?

Not with this plugin, it simply adds the Blog Sidebar to all pages.

Onto problem 2!

Problem 2: The sidebar is on the right.

Presto! Someone has already fixed that (here, thanks [email protected]!).

 @media screen and (min-width: 48em) {
 .has-sidebar #secondary {
 float: left;
 }
 .has-sidebar #primary {
 float: right;
 }
 .has-sidebar:not(.error404) #primary {
 float: right;
 }
 }

But then, the sidebar is really big!

Problem 3: The sidebar is really big!

Someone has already fixed that, too (here, thanks [email protected])!

#primary {
width: 70% !important;
}

/* 3rd: decrease right sidebar width */

.has-sidebar #secondary {
width: 26% !important;
}

Well, the content is still not wide enough.

Problem 4: The default “full-width” is not full-width enough.

Presto, there’s CSS to fix that (here, thanks [email protected])!

.wrap {
    /* margin-left: auto; */
    /* margin-right: auto; */
    max-width: 100%;
    /* padding-left: 2em; */
    /* padding-right: 2em; */
}
 
@media screen and (min-width: 48em) {
    .wrap {
        max-width: 100%;
        /* padding-left: 3em; */
        /* padding-right: 3em; */
    }
}
 
.page.page-one-column:not(.twentyseventeen-front-page) #primary {
    /*margin-left: auto;*/
    /*margin-right: auto;*/
    max-width: 100%;
}

@media screen and (min-width: 30em) {
    .page-one-column .panel-content .wrap
    {
        max-width: 100%;
    }
}

Solution (My Edits):

.site-info { display: none; }

.wrap {
/* margin-left: auto; */
/* margin-right: auto; */
max-width: 90%;
/* padding-left: 2em; */
/* padding-right: 2em; */
}

@media screen and (min-width: 48em) {
.wrap {
max-width: 90%;
/* padding-left: 3em; */
/* padding-right: 3em; */
}
}

.page.page-one-column:not(.twentyseventeen-front-page) #primary {
/*margin-left: auto;*/
/*margin-right: auto;*/
max-width: 90%;
}

@media screen and (min-width: 30em) {
.page-one-column .panel-content .wrap
{
max-width: 90%;
}
}

@media screen and (min-width: 48em) {
.has-sidebar #secondary {
float: left;
width: 15% !important;
}
.has-sidebar #primary {
float: right;
width: 80% !important;
}
.has-sidebar:not(.error404) #primary {
float: right;
width: 80% !important;
}
}

#comments {
display: none !important;
}

Other fun stuff

See JimmyKnoll.

White space issues

See WP.org.

Remove “Powered by WordPress”

From WordPress.org

.site-info { display: none; }

I coerced myself into administering a Windows XP machine for a relative, and when I started scanning it, I found a huge load of viruses and RATs. Wow. There was even something in the MBR. This gave me a lot of problems, because I now had to restore the MBR to get rid of the trojan.

How to do this? There is actually a great free tool here: Ambience.sk. It’s a lifesaver for Windows XP, which I am glad I don’t have to admin anymore.

There’s an alternative way to get data for the XP install from Microsoft.

As I build more and more Pi-based systems, I find the need to add management scripts for accessing SSH, OpenVPN, and all kinds of other tools. This leads me to version 4 of the CloudFlare Dynamic DNS AutoIP updater script. It’s now hosted on GitHub.

Pulling off of GitHub:


Cloudflare-Subdomain-AutoIP-Updater

Create a private Dynamic DNS using the CloudFlare API with this script.

If you have a domain registered at CloudFlare, you can use this script to update the IP of the subdomain with a specific computer. The computer will get its IP address and send the information to CloudFlare using the API.

This script creates 3 files:

  1. an initializing script that creates and runs everything: cf_ip_script_creator.sh
  2. a script that gets all the CF details from you: cf_ip_updater_creator.sh
  3. a script that updates the subdomain IP address: cf_ip_updater.sh

Put the 3rd script (cf_ip_updater.sh) into a cron job to run every 5 or 15 minutes or so, so that you can access your system from anywhere.

  sudo crontab -e
  
  */10 * * * *  nice -n 16 /home/scripts/cf_ip_updater.sh

Potential uses:

  • log into your computer anytime with SSH
  • run a portable OpenVPN server
  • keep your blog server private by using CloudFlare caching
  • whatever you can think of

Some potential issues:

  • if the script fails partway through, the cat commands append text to the files that already exist, so you have to delete the created scripts (cf_ip_updater.sh, cf_ip_updater_creator.sh) before you run the initializing script (cf_ip_script_creator.sh) again.

You need the following information:

  • FULLDOMAIN cloudflare.com (your registered domain name)
  • SUBDOMAIN web.cloudflare.com (your subdomain linked to your system’s IP address)
  • EMAIL [email protected] (your account name)
  • KEY 9a7806061c88ada191ed06f989cc3dac (your CloudFlare API key details)
  • FILEPATH /home/path (where you want the script to be)

How to run:

  wget https://raw.githubusercontent.com/tgmgroup/Cloudflare-Subdomain-AutoIP-Updater/master/cf_ip_script_creator.sh
  chmod +x cf_ip_script_creator.sh
  sudo bash cf_ip_script_creator.sh

Dependencies:

  • The jq command requires the jq package (sudo apt install jq)
  • The dig command requires dnsutils (Debian) or bind-utils (Cent-OS) (sudo apt install dnsutils)

Read more at:

The last few days, I’ve been working on a vpn server for my home network. It’s so that my family all over the world can see the pictures of my son, which are hosted on a local server. However, I don’t want to expose those pictures to the world, hence the need for a vpn.

While using PiVPN to set up an OpenVPN server, I ran the script once and, since I hadn’t finished everything yet, I selected the Static IP option for the server. Since I was close to finishing all the setup, I wondered, how do you change the PiVPN OpenVPN config to use either a static ip address or dynamic domain name after running the initial configuration script?

It’s not difficult to change this in the ovpn config files that PiVPN generates, and OpenVPN apparently doesn’t care if the server name is an IP or a domain, so long as the client reaches the vpn server. However, I like to be a little bit of a perfectionist and it makes sense to change it to make future client configuration issues easier.

So after searching the PiVPN git page and the local /etc/ directories, I realized that the place to change the server name option was in this file:

/etc/openvpn/easy-rsa/keys/Default.txt

Just run a simple sudo nano /etc/openvpn/easy-rsa/keys/Default.txt command to edit the “remote” field:

client
dev tun
proto udp
remote Your-Domain-Name Your-Port-Number
resolv-retry infinite

Then run the pivpn add command to create a new client, and use sudo nano /home/pi/ovpns/Your-New-Client.ovpn to check to see that the domain name is being used instead of a static IP.

 

 

Photo by Nguyen Vu Hung (vuhung)

 

I talked about how to use PiVPN to set up an OpenVPN server on a Raspberry Pi at home previously, here and here. The next step for me was to use CloudFlare as a DNS server, instead of signing up for yet another internet service and having another login here or there to worry about.

This very smart guy, Tomasso Barbato, wrote up how to do it, but he includes two versions, an APIvUnknown and an APIv4 version. CloudFlare only supports the APIv4 version as of next month, I guess, so I’m copying the scripts here, as many of my referenced internet pages have gone offline in recent months. Read his page, though, so that you know what to do. I’ve also bolded the variables so that you can simply run a Replace All command in a text editor to easily adapt the scripts for your use. An enterprising hacker would create a bash script to automate all the other scripts, but…

Initial setup

This should be pretty easy, but:

  1. Go to CloudFlare
  2. Add an A record to your domain through the DNS page
  3. Use your current IP address of your server for the record
  4. Read the page to learn how to do it, but use my edits for an easier time.

The important variables

FULL-DOMAIN: example.com
SUB-DOMAIN: sub.example.com

From the CloudFlare user settings page

EMAIL: Account Email:    X-Auth-Email: [email protected]
KEY: API Key:    X-Auth-Key: 9a7806061c88ada191ed06f989cc3dac

*Note: the API Key is the shorter of the two keys that you have the option of requesting

Use scripts to obtain

ZONE-ID: Zone ID (domain name): "id": "dac9320b638f5e225cf483cc5cfdda41"
RECORD-ID: Record ID (subdomain/A record): "id": "8ada191ed06f989cc3dac9a7806061c8"

*Note: I’m using a VARIABLE: explanation: example format here.

The scripts

Get Zone ID:

curl -X GET "https://api.cloudflare.com/client/v4/zones?name=FULL-DOMAIN" \
  -H "X-Auth-Email: EMAIL" \
  -H "X-Auth-Key: KEY" \
  -H "Content-Type: application/json" | jq .

Get Record ID:

curl -X GET "https://api.cloudflare.com/client/v4/zones/ZONE-ID/dns_records?name=SUB-DOMAIN" \
  -H "X-Auth-Email: EMAIL" \
  -H "X-Auth-Key: KEY" \
  -H "Content-Type: application/json" | jq .

Bash script for crontab:

#!/bin/sh

# Cache file holding the last IP address pushed to CloudFlare
[ ! -f /var/tmp/currentip.txt ] && touch /var/tmp/currentip.txt

# Ask OpenDNS for this network's current public IP address
NEWIP=`dig +short myip.opendns.com @resolver1.opendns.com`
CURRENTIP=`cat /var/tmp/currentip.txt`

if [ "$NEWIP" = "$CURRENTIP" ]
then
  echo "IP address unchanged"
else
  # Point the A record at the new address, then remember it
  curl -X PUT "https://api.cloudflare.com/client/v4/zones/ZONE-ID/dns_records/RECORD-ID" \
    -H "X-Auth-Email: EMAIL" \
    -H "X-Auth-Key: KEY" \
    -H "Content-Type: application/json" \
    --data "{\"type\":\"A\",\"name\":\"SUB-DOMAIN\",\"content\":\"$NEWIP\"}"
  echo "$NEWIP" > /var/tmp/currentip.txt
fi
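
A hardened variant of the cron updater above, added here as an example and not part of Tomasso Barbato's scripts or this post's: it refuses to push anything that is not a single IPv4 address, keeps its cache out of world-writable /var/tmp (where a root cron job writing a predictable file name can be redirected by another local user), and caches the address only once the API reply reports success. ZONE_ID, RECORD_ID, SUB_DOMAIN, CF_EMAIL, CF_KEY and STATE_DIR (default /var/lib/cf-ddns) are assumed names.

```shell
#!/bin/sh
# Added example: hardened variant of the cron updater. ZONE_ID, RECORD_ID,
# SUB_DOMAIN, CF_EMAIL, CF_KEY and STATE_DIR are assumed environment variables.
STATE_DIR="${STATE_DIR:-/var/lib/cf-ddns}"  # assumed private dir, not /var/tmp

# Succeed only for one dotted quad with every octet in 0..255.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, multi-line or non-numeric
  esac
  old_ifs=$IFS; IFS=.
  set -- $1                                # split on dots (digits only here)
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# True when no address is cached yet or the cached one differs from $1.
ip_changed() {
  [ ! -f "$STATE_DIR/current_ip" ] || [ "$(cat "$STATE_DIR/current_ip")" != "$1" ]
}

# JSON body for the PUT; interpolation is safe once $1 has passed valid_ipv4.
build_payload() {
  valid_ipv4 "$1" || return 1
  printf '{"type":"A","name":"%s","content":"%s"}' "$SUB_DOMAIN" "$1"
}

# The v4 API reports the outcome in a top-level "success" boolean.
api_succeeded() {
  printf '%s' "$1" | tr -d ' \n' | grep -q '"success":true'
}

main() {
  umask 077
  mkdir -p "$STATE_DIR"
  new_ip=$(dig +short myip.opendns.com @resolver1.opendns.com) || exit 1
  valid_ipv4 "$new_ip" || { echo "unexpected resolver answer, not updating" >&2; exit 1; }
  ip_changed "$new_ip" || { echo "IP address unchanged"; exit 0; }
  reply=$(curl -sS --fail -X PUT \
    "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$RECORD_ID" \
    -H "X-Auth-Email: $CF_EMAIL" -H "X-Auth-Key: $CF_KEY" \
    -H "Content-Type: application/json" \
    --data "$(build_payload "$new_ip")") || exit 1
  # Cache only after CloudFlare confirms, so a failed update is retried.
  if api_succeeded "$reply"; then
    printf '%s\n' "$new_ip" > "$STATE_DIR/current_ip"
  else
    echo "CloudFlare did not confirm the update" >&2; return 1
  fi
}

# Run only when asked, so the functions can be sourced and checked offline.
if [ "${1:-}" = "run" ]; then main; fi
```

With no argument the script only defines its functions; the cron entry would invoke it with the run argument.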

 

By using this script, I now have an OpenVPN server that is somewhat protected by CloudFlare that I can access anywhere and whenever I want, no matter if my home router reboots or if I change internet providers.

There is a caveat: CloudFlare can only protect ports that are used with HTTP Host headers. SSH, OpenVPN, or any other protocol requires the A record to have its CloudFlare protection disabled. This exposes your IP address somewhat, but it is also protected somewhat. There’s a tradeoff between domain name privacy and personal convenience here.

I also read that a SRV record hides the IP of an origin server better than an A record, so that’s a logical next step, but not one that I have time for right now.

 

Photo by Nguyen Vu Hung (vuhung)